HEWLETT PACKARD ENTERPRISE HP 1950-12XGT User guide

HPE OfficeConnect 1950 Switch Series

User Guide

P
Document version: 6W104-20190520

art number: 5998-8111b

© Copyright 2015-2019 Hewlett Packard Enterprise Development LP
The information contained herein is s ubject t o change without notic e. The onl y w arrantie s for He wlett Pac kard

Enterprise products and services are set f ort h i n the express warranty statements accompany i ng such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for techni cal or editorial errors or omissions contained herein.

Confidential computer software. Valid li cense from Hewlett Packa rd Enterprise required for posse ssion, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer S oftware
Documentation, and Te chnical Data for Commercial Items are licen sed to the U.S. Government under vendor’s
standard commercial license.

Links to third-party websites take you out side the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.

Acknowledgments

Intel®, Itanium®, Pentium®, Intel I nside®, and the Intel Inside logo are trademar ks of Intel Corporation in the
United States and other countries.

Microsoft® and Windows® are trademarks of the Microsoft group of companies.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorpor ated.
Java and Oracle are registered trademarks of O racle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.

Contents

Overview ························································································ 1
Restrictions: Applicable hardware platforms and software versions ············· 1
Logging in to the Web interface ··························································· 2

Restrictions and guidelines ·········································································································· 2

Web browser requirements ···································································································· 2
Default login settings ············································································································ 2

Concurrent login users ········································································································· 3
Logging in to the Web interface for the first time ··············································································· 3
Logging out of the Web interface ··································································································· 4

Using the Web interface ···································································· 5

Types of webpages ···················································································································· 6

Using a feature page ············································································································ 6

Using a table page ··············································································································· 6

Using a configuration page ···································································································· 7
Icons and buttons ······················································································································ 8
Performing basic tasks ················································································································ 9

Saving the configuration ······································································································· 9

Displaying or modifying settings of a table entry ········································································· 9

Rebooting the device ········································································································· 10

Feature navigator ··········································································· 11

Dashboard menu ····················································································································· 11
Device menu ··························································································································· 11
Network menu ························································································································· 12
Resources menu ····················································································································· 16
QoS menu ······························································································································ 17
Security menu ························································································································· 17
PoE menu ······························································································································ 18
Log menu ······························································································································· 18

Device management ······································································· 19

Settings ································································································································· 19

System time sources ·········································································································· 19

Clock synchronization protocols ··························································································· 19

NTP/SNTP operating modes ································································································ 19

NTP/SNTP time source authentication ··················································································· 20
Administrators ························································································································· 20

User account management ·································································································· 21

Role-based access control ·································································································· 21

Password control ··············································································································· 22
HPE OfficeConnect 1950 stacking (IRF) ······················································································· 24

Stack member roles ··········································································································· 25

Stack port ························································································································ 25

Stack physical interfaces ····································································································· 25

Stack domain ID ················································································································ 25

Stack split and stack merge ································································································· 25

Member priority ················································································································· 26

Network services features ································································ 27

Link aggregation ······················································································································ 27

Aggregation group ············································································································· 27

Link aggregation modes ······································································································ 28
Storm control ·························································································································· 31
Port isolation ··························································································································· 31

i

VLAN ···································································································································· 31

Port-based VLANs ············································································································· 31

VLAN interface ················································································································· 32
Voice VLAN ···························································································································· 32

OUI addresses ·················································································································· 32

QoS priority setting mode for voice traffic ················································································ 32

Voice VLAN assignment modes ··························································································· 33

Security mode and normal mode of voice VLANs ····································································· 33
MAC ····································································································································· 33

Types of MAC address entries ····························································································· 33

Aging timer for dynamic MAC address entries ········································································· 34

MAC address learning ········································································································ 34
STP ······································································································································ 34

Spanning tree modes ········································································································· 35

MSTP basic concepts ········································································································· 35

Port roles ························································································································· 35

Port states ······················································································································· 36
LLDP ····································································································································· 36

LLDP agent ······················································································································ 36

Transmitting LLDP frames ··································································································· 36

Receiving LLDP frames ······································································································ 37

LLDP reinitialization delay ··································································································· 37

LLDP trapping ·················································································································· 37

LLDP TLVs ······················································································································ 37

CDP compatibility ·············································································································· 38
DHCP snooping ······················································································································· 38
IP ········································································································································· 39

IP address classes ············································································································ 39

Subnetting and masking ····································································································· 39

IP address configuration methods ························································································· 40

MTU for an interface ·········································································································· 40
ARP ······································································································································ 40

Types of ARP table entries ·································································································· 40

Gratuitous ARP ················································································································· 41

ARP attack protection ········································································································· 41
DNS ······································································································································ 44

Dynamic domain name resolution ························································································· 44

Static domain name resolution ····························································································· 45

DNS proxy ······················································································································· 45

DDNS ····························································································································· 45
IPv6 ······································································································································ 46

IPv6 address formats ········································································································· 46

IPv6 address types ············································································································ 46

EUI-64 address-based interface identifiers ·············································································· 47

IPv6 global unicast address configuration methods ··································································· 47

IPv6 link-local address configuration methods ········································································· 48
ND ········································································································································ 49

Neighbor entries ················································································································ 49

RA messages ··················································································································· 49

ND proxy ························································································································· 51
Port mirroring ·························································································································· 52
Static routing ··························································································································· 52
Policy-based routing ················································································································· 52

Policy ······························································································································ 52

PBR and Track ················································································································· 53
IGMP snooping ······················································································································· 53
MLD snooping ························································································································· 53
DHCP ···································································································································· 53

DHCP server ···················································································································· 53

DHCP relay agent ············································································································· 55
HTTP/HTTPS ·························································································································· 56
SSH ······································································································································ 56

ii

FTP ······································································································································ 57
Telnet ···································································································································· 57
NTP ······································································································································ 57
SNMP ··································································································································· 57

MIB ································································································································ 57

SNMP versions ················································································································· 58

SNMP access control ········································································································· 58

Resources features ········································································ 60

ACL ······································································································································ 60

ACL types and match criteria ······························································································· 60

Match order ······················································································································ 60

Rule numbering ················································································································ 61
Time range ····························································································································· 62
SSL ······································································································································ 62
Public key ······························································································································ 62

Managing local key pairs ····································································································· 63

Managing peer public keys ·································································································· 63
PKI ······································································································································· 64

PKI architecture ················································································································ 64

Managing certificates ········································································································· 65
Certificate access control ··········································································································· 66

Certificate access control policies ························································································· 66

Attribute groups ················································································································ 66

QoS features ················································································· 68

QoS policies ··························································································································· 68

Traffic class ······················································································································ 68

Traffic behavior ················································································································· 68

QoS policy ······················································································································· 68

Applying a QoS policy ········································································································ 68
Hardware queuing ···················································································································· 68

SP queuing ······················································································································ 69

WRR queuing ··················································································································· 69

WFQ queuing ··················································································································· 70

Queue scheduling profile ···································································································· 71
Priority mapping ······················································································································ 71

Port priority ······················································································································ 71

Priority map ······················································································································ 72
Rate limit ································································································································ 72

Security features ············································································ 73

Packet filter ···························································································································· 73
IP source guard ······················································································································· 73

Overview ························································································································· 73

Interface-specific static IPv4SG bindings ················································································ 73

802.1X ··································································································································· 73

802.1X architecture ············································································································ 73

802.1X authentication methods ···························································································· 74

Access control methods ······································································································ 74

Port authorization state ······································································································· 74

Periodic online user reauthentication ····················································································· 75

Online user handshake ······································································································· 75

Authentication trigger ········································································································· 75

Auth-Fail VLAN ················································································································· 75

Guest VLAN ····················································································································· 76

Critical VLAN ···················································································································· 76

Mandatory authentication domain ························································································· 77

EAD assistant ··················································································································· 77
MAC authentication ·················································································································· 78

Overview ························································································································· 78

MAC authentication configuration on a port ············································································· 78

iii

Port security ··························································································································· 79

Overview ························································································································· 79

Port security settings ·········································································································· 80

Port security features ········································································································· 82

Secure MAC addresses ······································································································ 83
Portal ···································································································································· 83

Portal authentication server ································································································· 84

Portal Web server ·············································································································· 85

Local portal Web server ······································································································ 86

Portal-free rules ················································································································ 88

Interface policy ················································································································· 88
ISP domains ··························································································································· 89
RADIUS ································································································································· 90

RADIUS protocol ··············································································································· 90

Enhanced RADIUS features ································································································ 91

Log features ·················································································· 92

Log levels ························································································································ 92

Log destinations ················································································································ 92

Configuration examples ··································································· 93

Device maintenance examples ··································································································· 93

System time configuration example ······················································································· 93

Administrators configuration example ···················································································· 93

Stack configuration example ································································································ 94

NTP configuration example ································································································· 96

SNMP configuration example ······························································································· 97
Network services configuration examples ······················································································ 97

Ethernet link aggregation configuration example ······································································ 97

Port isolation configuration example ······················································································ 98

VLAN configuration example ································································································ 99

Voice VLAN configuration example ····················································································· 100

MAC address entry configuration example ············································································ 101

MSTP configuration example ····························································································· 101

LLDP configuration example ······························································································ 103

DHCP snooping configuration example ················································································ 103

Static ARP entry configuration example················································································ 104

Static DNS configuration example ······················································································· 105

Dynamic DNS configuration example ··················································································· 106

DDNS configuration example with www.3322.org ··································································· 107

Static IPv6 address configuration example ············································································ 108

ND configuration example ································································································· 109

Port mirroring configuration example ··················································································· 110

IPv4 static route configuration example ················································································ 111

IPv4 local PBR configuration example·················································································· 112

IGMP snooping configuration example ················································································· 112

MLD snooping configuration example ·················································································· 114

DHCP configuration example ····························································································· 115

Password authentication enabled Stelnet server configuration example ······································ 117
QoS configuration example ······································································································ 118
Security configuration examples ································································································ 119

ACL-based packet filter configuration example ······································································ 119

Static IPv4 source guard configuration example ····································································· 120

802.1X RADIUS authentication configuration example ···························································· 121

802.1X local authentication configuration example ·································································· 123

RADIUS-based MAC authentication configuration example ······················································ 124

RADIUS-based port security configuration example ································································ 126

Direct portal authentication configuration example ·································································· 127

Re-DHCP portal authentication configuration example ···························································· 129

Cross-subnet portal authentication configuration example ························································ 132

Direct portal authentication using local portal Web server configuration example ··························· 134

AAA for SSH users by a TACACS server configuration example ··············································· 135

iv

PoE configuration example ······································································································ 137

Network requirements ······································································································ 137

Configuration procedure ··································································································· 137

Appendix A Managing the device from the CLI ··································· 138

display poe pse ··············································································································· 139

initialize ························································································································· 140

ipsetup dhcp ··················································································································· 141

ipsetup ip address ··········································································································· 141

ipsetup ipv6 address ········································································································ 142

ipsetup ipv6 auto ············································································································· 143

password ······················································································································· 144

ping ······························································································································ 144

ping ipv6 ························································································································ 145

poe update ····················································································································· 145

quit ······························································································································· 146

reboot ··························································································································· 146

summary ······················································································································· 147

telnet ···························································································································· 149

telnet ipv6 ······················································································································ 150

transceiver phony-alarm-disable ························································································· 150

upgrade ························································································································· 151

xtd-cli-mode ··················································································································· 153

Document conventions and icons ···················································· 155

Conventions ························································································································· 155
Network topology icons ··········································································································· 156

Support and other resources ·························································· 157

Accessing Hewlett Packard Enterprise Support ············································································ 157
Accessing updates ················································································································· 157

Websites ······················································································································· 158

Customer self repair ········································································································· 158

Remote support ·············································································································· 158

Documentation feedback ·································································································· 158

Index ························································································· 160

v

Overview

This user guide provides the following information:

Information Section

How to log in to the Web interface for the first time. Logging in to the Web interface for the first time
How to use the Web interface. Using the Web interface
What features you can configure from the Web

interface.
How to access the page for a feature or task.

How to use features in typical scenarios. Configuration examples
How to manage the device from the CLI. Appendix A Managing the device from the CL I

This user guide does not include step-by-step configuration procedures, because the webpages are
task oriented by design. A configuration page typically provides links to any pages that are required
to complete the task. Users do not have to navigate to multiple pages. For tasks that require
navigation to multiple pages, this user guide provides configuration examples.

Feature navigator

This user guide also does not provide detailed information about parameters. You can obtain
sufficient online help, feature i nformation, and parameter information from the webpages.

1

Restrictions: Applicable hardware platforms and software versions

Product code HPE description Software version

JG960A HPE OfficeConnect 1950 24G 2SFP+ 2XGT Switch
JG961A HPE OfficeConnect 1950 48G 2SFP+ 2XGT Switch

Release 3111P02
Release 3113P05

JG962A

HPE OfficeConnect 1950 24G 2SFP+ 2XGT
PoE+(370W) Switch

JG963A

JH295A HPE OfficeConnect 1950 12XGT 4SFP+ Switch Release 5103P03

HPE OfficeConnect 1950 48G 2SFP+ 2XGT
PoE+(370W) Switch

1

admin

NOTE:

If the network has a DHCP server, you must use the DHCP assigned IP address to access the
device. For more information, see "Logging in to the Web interface for the first time."

Logging in to the Web interface

Log in to the Web interface through HTTP or HTTPS.

Restrictions and guidelines

To ensure a successful login, verify that your operating system and Web browser meet the
requirements, and follow the guidelines in this section.

Web browser requirements

As a best practice, use one of the following Web browsers to log in:

• Internet Explorer 8 or higher.

• Google Chrome 10 or higher.

• Mozilla Firefox 4 or higher.

• Opera 11.11 or higher.

• Safari 5.1 or higher.

To access the Web interface, you must use the following browser settings:

• Accept the first-party cookies (cookies from the site you are accessing).

• T o ensure co rrect display of webpage contents after sof tware upgrade or downgrade, clear data

cached by the browser before you log in.

• Enable active scripting or JavaScript, depending on the Web browser .

• If you are using a Microsoft Internet Expl orer browser, you must enable the following security

settings:

 Run ActiveX controls and plug-ins.
 Script ActiveX controls marked safe for scripting.

Default login settings

Use the settings in Table 1 for the first login.

Table 1 Default login settings

Item Setting

Device IP (VLAN-interface 1)
IP address mask
Username

See "Logging in to the Web interfac e for the first

time."

Password None
User role network-admin

2

IMPORTANT:

As a best practice,
the first successful login for security purposes.

Concurrent login users

The Web interface allows a maximum of 32 concurrent accesses. If this limit is reached, login
attempts will fail.

Logging in to the Web interface for the first time

change the login information and assign a cc ess permissions immediately after

By default, HTTP and HTTPS are enabled.
To log in to the Web interface:

1. Use an Ethernet cable to connect the configuration ter m inal to an Ethernet port on the device.

2. Identify the IP address and mask of the device.

 If the device is not connected to the network, or no DHCP server e xi sts on the network, the

device uses the default IP address an d mask. The default mas k is 255.255. 0.0. The defa ult
IP address is 169.254.xxx.xxx, where xxx.xxx depends on the last two bytes of the MAC
address. Find the MAC address label on the device and use the following rules to determine
the last two bytes for the IP addre ss:

Last two bytes of the MAC
address

All 0s 0.1
All Fs 255.1
Not all 0s or all Fs Decimal values of the last two bytes of the MAC address

Last two bytes for the IP address

For example:

MAC address IP address

08004E080000 169.254.0.1
08004E08FFFF 169.254.255.1

08004E082A3F

 If a DHCP server is available, the device obtains an IP address from the server. To identify

the address, log in to the device through the console port , and then execute the summary
command. The following is the sample output:

<Sysname> summary
Select menu option: Summary
IP Method: DHCP
IP address: 10.153.96.86
Subnet mask: 255.255.255.0
Default gateway: 0.0.0.0

For more information about console login, see the getting started guide for the device.

3. Assign the login host an IP address in the same subnet as the device.

4. Open the browser, and then enter login informatio n:

169.254.42.63 (The decimal value of 2A is 42. The
value of 3F is 63.)

3

IMPORTANT:

•

•

•

hen you log out of the Web i nterfa ce.

To prevent the loss of configuration when the device reboots, you m ust save the configuration.

a. In the address bar, enter the IP address of the device.

− HTTP access—Enter the address in the http://ip-address:port or ip-address:port
format.

− HTTPS access—Enter the address in the https://ip-address:port format.

The ip-address argument represents the IP address of the device. The port argument
represents the HTTP or HTTPS service port. The default port number is 80 for HTTP and
443 for HTTPS. You do not need to enter the port number if you have not changed the
service port setting.

b. On the login page, enter the default username (admin) and the verification code.

You do not need to enter a password at the fi rst logi n.

c. Click Login.

5. Change the login information:

 To change the password of the login user (admin at the first login), click the Admin icon

.

 To add ne w user accounts and a ssign access permis sions to dif ferent users, s elect Device >

Maintenance > Administrators.

Logging out of the Web interface

For security purposes, log out of the Web interface immediately after you finish your tasks.
You cannot log out by closing the browser.
The device does not automatically save the configuration w

1. Use one of the following methods to save the curre nt configuration.

 Click the Save icon in the left corner.
 Select Device > Maintenance > Configuration to access the configuration management

page.

2. Click Logout in the upper-left corner of the Web interface.

4

1) Banner and auxiliary area

2) Navigation tree

3) Content pane

(

1

)

(2)

(3)

Using the Web interface

The Web interface contains the following areas:

Area Description

Contains the following items:

• Basic information, including the Hewlett Packard Enterprise logo,
device name, and information about the current login user.

• Basic management icons:

(1) Banner and auxiliary area

 Admin icon —Click this icon to change the login

password.

 Logout icon —Click this icon to log out.
 Save icon —Click this icon to save the configurat i on.

(2) Navigation tree Organizes feature menus in a tree.

Displays information and provides an area for you to configure features.
Depending on the content in this pane, the webpages include the following

types:

(3) Content pane

• Feature page—Contains functions or featur es that a feature module
can provide (see "Using a featur e page").

• Table page—Displays entries in a table (see "Using a table page").

• Configuration page—Contains parameters for you to configure a

feature or function (see "Using a configuration page").

Figure 1 Web interface layout

5

Types of webpages

Webpages include feature, table, and configuration pages. This section provides basic information
about these pages. For more information about using the icons and butt ons on the pages, see "Icons

and buttons."

Using a feature page

As shown in Figure 2, a feature page contains info rmation about a feature module, i ncluding its table
entry statistics, features, and functions. From a feature page, you c an configure features prov ided by
a feature module.

Figure 2 Sample feature page

Using a table page

As shown in Figure 3, a table page displays entries in a tabl e. To sort entries by a field in ascending
or descending order, click the field. For example, click MAC Address to sort entries by MAC
address.

6

Figure 3 Sample table page

Using a configuration page

As shown in Figure 4, one configuration page contains all parameters for a configuration task. If a
parameter must be configured on another page, the conf iguration page ty pically provides a link. You
do not need to navigate to the destination page.

For example, you must use an ACL when you configure a packet filter . If no ACLs are available when
you perform the task, you can click the Add icon to create an ACL. In this situation, you do not

need to navigate to the ACL management page.

7

Counter icon

Status control icon

Search icons

Figure 4 Sample configuration page

Icons and buttons

Table 2 describes icons and buttons you can use to configure and manage the d evice.

Table 2 Icons and buttons

Icon/button

Help icons

Navigation icon

Icon/button
name

Help Obtain help information for a feature.

Hint Obtain help information for a funct ion or parameter.

Counter Identify the total number of table entries.

Next

Status control

Task

Access the lower-level page to display information or
configure settings.

Control the enable status of the featur e.

• If ON is displayed, the feature is enabled. To disable
the feature, click the button.

• If OFF is displayed, the feature is disabled. To enable
the feature, click the button.

Search

Enter a search expression in the search box, and then click
this icon to perform a basic search.

8

icon

Icon/button

Entry management
icons

Advanced settings

Icon/button
name

Advanced search

Refresh Refresh t able entries manually.

Add

Detail

Delete

Bulk-delete

Field selector Select fields to be displayed.

Task

Click this icon, and then enter a combi nation of criteria to
perform an advanced search.

• Add a new entry.

• Confirm the addition of an entry and continue to add an

additional entry.

Display or modify settings of an entry.
This icon appears at the end of an entry when you hover

over the entry.
Delete an entry.

This icon appears at the end of an entry when you hover
over the entry.

Select one or multiple entries, and then click this icon to
delete the selected entries.

Advanced settings Access the configuration page to configure settings.

Performing basic tasks

This section describes the basic tasks that must be frequently performed when you configure or
manage the device.

Saving the configuration

Typically, settings take effect immediately after you create them. However, the system does not
automatically save the settings to the configuration file. They are lost when the device reboots.

To prevent settings from being lost, use one of the following methods to sav e the configuration:

• Click the Save icon in the left corner.

• Select Device > Maintenance > Configuration to access the configuration management

page.

Displaying or modifying settings of a table entry

1. Hover over the entry.

2. Click the Detail icon at the end of the entry.

9

Rebooting the device

Reboot is required for some settings (for exam pl e, the stack setup) to take effect.
To reboot the device:

1. Save the configuration.

2. Select Device > Maintenance > Reboot.

3. On the reboot page, click the reboot button.

10

NOTE:

In the navigator tables, a menu is in boldface if it has submenus.

Feature navigator

Menu items and icons available to you depend on the user roles you have. By default, you can use
any user roles to display information. To configure features, you must have the network-admin user
role.

This chapter describes all menus available for the network-admin user role. The top-level menu
includes Dashboard, Device, Network, Resources, QoS, Security, PoE, and Log. For each top
menu, a navigator table is provided. Use the navigator tables to navigate to the pages for the tasks
you want to perform.

For example:

• To change the default device name, select Device > Maintenance > Settings from the
navigation tree.

• To delete an IPv4 ACL, sel ect Resources > ACL > IPv4 from the navigation tree.

Dashboard menu

The dashboard menu provides an overview of t he sy stem and its running status, including:

• System logs.

• System utilization.

• System info.

This menu does not contain submenus.

Device menu

Use Table 3 to navigate to the tasks you can perform from the Device menu.

Table 3 Device menu navigator

Menus Tasks

Maintenance

Settings

Administrators

• Configure basic device settings, including the device name, location,
and contact.

• Configure the system time settings. You can manually set the system
time, or configure the device to obtain the UTC time from a trusted time
source and calculate the system time.

• Create, modify, or delete user roles.

• Create, modify, or delete user accounts.

• Assign user roles to administrators for access control.

• Manage passwords.

11

Menus Tasks

• Save the running configuration.

• Import configuration and export the running configuration. This task is

Configuration

File System

Upgrade

not supported in Release 3111P02.

• Display the running configuration.

• Restore the factory-default configuration.

• Display storage medium information.

• Display file and folder information.

• Delete files.

• Download and upload files

• Upgrade software images.

• Display software image lists, incl uding:

 Current software images.
 Main and backup startup software images.

Diagnostics

Reboot Reboot the device.

About

Virtualization

IRF

Network menu

Use Table 4 to navigate to the tasks you can perform from the Network menu.

Collect diagnostic information used for system diagnostics and
troubleshooting.

Display basic device information, including:

• Device name.

• Serial number.

• Version information.

• Electronic label.

• Legal statement.

• Configure the following settings to set up an HPE OfficeConnect 1950

stack:

 Member ID.
 Priority.
 Domain ID.
 Stack port bindings.

• Display the stack topology.

Table 4 Network menu navigator

Menus Tasks

Probe

Ping

Tracert

Interfaces

• Test the connectivity to a device in an IPv4 network.

• Test the connectivity to a device in an IPv6 network.

• IPv4 Tracert.

• IPv6 Tracert.

12

Menus Tasks

• Display interfaces and their attributes, including:

 Interface status.
 IP address.

Interfaces

 Speed and duplex mode.
 Interface description.

• Change interface settings.

• Delete logical interfaces.

Link Aggregation Create, modify, or delete Layer 2 aggregation groups.

• Set the statistics polling interval.

Storm Constrain

• Set storm control parameters.

• Display storm control informati on.

Isolation

Links

VLAN

• Create isolation groups.

• Modify isolation groups.

• Configure port-based VLANs.

• Create VLAN-interfaces.

• Assign ports to voice VLANs.

• Set the port mode to manual or automatic.

Voice VLAN

• Set the voice VLAN mode to normal or security.

• Configure the QoS settings for voice packets.

• Add OUI addresses.

• Create or delete static MAC entries, dynamic MAC entries, and

MAC

blackhole MAC entries.

• Display existing MAC entries.

• Enable or disable STP globally.

• Enable or disable STP on interfaces.

STP

• Configure the STP operating mode as STP, RSTP, PVST, or MSTP.

• Configure instance priorities.

• Configure MST regions.

• Enable or disable LLDP.

LLDP

• Modify the LLDP operating mode.

• Modify the interface mode.

• Configure LLDP to advertise the specified TLVs.

• Configure a port as a trusted or untrusted port.

• Record and back up DHCP snooping entries.

• Configure the following features for DHCP snooping ports:

 MAC address check.

DHCP Snooping

 DHCP-REQUEST check.
 DHCP packet rate limit.
 Max DHCP snooping entries.

• Enable support for Option 82. If Option 82 is enabled, you can configure
the handling strategy, the padding format, and the padding contents for
Option 82.

IP

IP

• Configure the method to obtain an IP address (DHCP or static).

• Configure the IP address or MTU of an interfac e.

• Create a loopback interface.

13

Menus Tasks

• Manage dynamic ARP entries and static ARP entries.

ARP

DNS

• Configure ARP proxy.

• Configure gratuitous ARP .

• Configure ARP attack protection.

• Configure IPv4 static domain name resolut ion.

• Configure IPv4 dynamic domain name resolution.

• Configure the DNS proxy.

• Configure IPv4 domain name suffixes.

Dynamic DNS

IPv6

IPv6

ND

DNS

• Manage dynamic DNS policies.

• Configure an interface to be associat ed with the dynamic DNS policy.

• Configure the method to obtain an IPv6 address (manual assignment,

dynamic assignment, or auto generati on).

• Configure the IPv6 address of an interface.

• Create a loopback interface.

• Manage dynamic ND entries and static ND entries.

• Configure the aging time for stale ND entries.

• Minimize link-local ND entries.

• Configure hop limit.

• Configure RA prefix attributes, including:

 Address prefix.
 Prefix length.
 Valid lifetime.
 Preferred lifetime.

• Configure RA settings for an interface, including:

 RA message suppression.
 Maximum and minimum intervals for sending RA messages.
 Hop limit.
 M-flag.
 O-flag.
 Router lifetime.
 NS retransmission interval.
 Router preference.
 Neighbor reachable time.

• Enable common and local ND proxy on an interface.

• Configure ND rules for the interface.

• Configure static and dynamic IPv 6 domain name resolution.

• Configure the IPv6 DNS proxy.

• Configure IPv6 domain name suffixes.

Mirroring

Port Mirroring

Routing

Routing Table

• Configure local mirroring groups.

• Configure remote mirroring groups.

Display IPv4 and IPv6 routing table information, including brief routin g table
information and route statistics.

14

Menus Tasks

Static Routing

Policy-Based Routing

Multicast

IGMP Snooping

MLD Snooping

Service

DHCP

HTTP/HTTPS

SSH (not available in
Release 3111P02)

FTP

• Display IPv4 and IPv6 static route ent ries.

• Create, modify, and delete IPv4 and IPv6 static route entries.

• Create, modify, and delete IPv4 and IPv6 policies.

• Configure interface PBR.

• Configure local PBR.

• Configure IGMP snooping functions, including:

 Enable dropping unknown mul ticast data.
 Configure the IGMP snooping querier.
 Enable fast-leave processing.
 Set the maximum number of multicas t groups on a port.

• Configure MLD snooping functions, including:

 Enable dropping unknown IPv 6 m ul ticast data.
 Configure the MLD snooping querier.
 Enable fast-leave processing.
 Set the maximum number of IPv6 multi c ast groups on a port.

• Configure DHCP server functions, including:

 Configure DHCP services.
 Configure the interface to operate in the DHCP server mode.
 Configure DHCP address pools.
 Configure the IP address conflict detection.

• Configure DHCP relay agent functions, including:

 Configure DHCP services.
 Configure the DHCP relay agent mode
 Configure the IP address of the DHCP server

• Configure settings for DHCP relay entry, include:

 Recording of DHCP relay entries.
 Periodic refreshing of DHCP relay entr i es .
 Interval for refreshing DHCP relay ent r i es .

• Enable or disable HTTP service.

• Enable or disable HTTPS service.

• Set the Web connection idle timeout.

• Set the HTTP service port number.

• Set the HTTPS service port number.

• Specify Web access control ACLs.

• Enable the Stelnet, SFTP, and SCP services.

• Set the DSCP in packets sent by the device.

• Filter SSH clients by using an ACL.

• Set the SFTP connection idle timeout time.

• Enable or disable FTP service.

• Set the DSCP value for the device to use for outgoing FTP packets.

• Specify the FTP access control ACL.

• Set the FTP connection idle timeout.

15

Public key

NOTE:

You can create ACLs from ACL pages or during th e process of configuring a featu re that uses ACLs.
However, to modify or delete an ACL, you must access the ACL menu.

Menus Tasks

Telnet

NTP Configure the device to use the local cloc k as the reference clock.

SNMP

Resources menu

The Resources menu contains common resources that can be used by multiple features. For
example, you can use an ACL both in a p acket filter to filter traffic and in a QoS pol icy to match traf fic.

Use Table 5 to navigate to the tasks you can perform from the Resources menu.

Table 5 Resources menu navigator

• Enable or disable Telnet service.

• Set the DSCP values for the device to use for outgoing IPv4 or IPv6

Telnet packets.

• Specify Telnet access control ACLs.

• Enable SNMP.

• Configure SNMP parameters such as version, community name, group,

and users.

• Configure the notification sendi ng function.

Menus Tasks

ACLs

IPv4

IPv6

Ethernet Create, modify, or delete an Ethernet frame header ACL.

Time Range

Time Range

SSL

SSL

Public key

PKI

PKI

Certificate Access Control

• Create, modify, or delete an IPv4 basic ACL.

• Create, modify, or delete an IPv4 advanced ACL.

• Create, modify, or delete an IPv6 basic ACL.

• Create, modify, or delete an IPv6 advanced ACL.

• Create, modify, or delete an SSL client policy.

• Create, modify, or delete an SSL server policy.

• Manage local asymmetric key pairs.

• Manage peer host public keys.

• Manage CA and local certificates.

• Create, modify, or delete a PKI domain or PKI entity.

• Create, modify, or delete a certificate access control policy.

• Create, modify, or delete a certificate attribute group.

16

QoS

Packet Filter

QoS menu

Use Table 6 to navigate to the tasks you can perform from the QoS menu.

Table 6 QoS menu navigator

Menus

QoS Policies

Hardware Queuing Modify hardware queuing configuration.

Priority Mapping

Rate Limit Create, modify, or delete rate limit.

Tasks

Security menu

Use Table 7 to navigate to the tasks you can perform from the Security menu.

Table 7 Security menu navigator

• Create, modify, or delete interface QoS policies.

• Create, modify, or delete VLAN QoS policies.

• Create, modify, or delete global QoS policies.

• Configure the port priority.

• Configure the priority trust mode for a port.

• Configure priority maps:

 Apply and reset the 802.1p-to-local priority map.
 Apply and reset the DSCP-to-802.1p pr iority map.
 Apply and reset the DSCP-to-DSCP priorit y map.

Menus Tasks

• Create, modify, or delete a packet filter for an interface, a VLAN, or the

Packet Filter

IP Source Guard Configure an interface-specific static IPv4 source guard binding.

Access Control

802.1X

MAC Authentication

Port Security

system.

• Configure the default action for t he packet filter.

• Enable or disable 802.1X.

• Configure the 802.1X authentication method.

• Configure the port access control met hod.

• Configure the port authorization state.

• Configure the authentication ISP domain on a por t.

• Enable or disable MAC authentication.

• Configure the username format.

• Configure the MAC authentication IS P domain.

• Enable or disable port security

• Configure the port security mode.

• Configure the intrusion protection action.

• Configure the NTK mode.

• Configure secure MAC aging mode.

17

Authentication

Menus Tasks

• Configure a portal authentication server.

• Configure a portal Web server.

Portal

ISP Domains Conf igure ISP domains.

• Configure a local portal Web server.

• Create portal-free rules.

• Create interface policies.

RADIUS Configure RADIUS schemes.
TACACS Configure TACACS schemes.
Local Users Configure local users.

PoE menu

Use Table 8 to navigate to the tasks you can perform from the PoE menu.

Table 8 PoE menu navigator

Menus Tasks

PoE

Log menu

Use Table 9 to navigate to the tasks you can perform from the Log menu.

• Configure the maximum PoE power and power alarm threshold for the
device.

• Enable or disable PoE on an interface.

• Configure the maximum PoE power, power supply priority, PD

description, and fault descript ion for an interface.

Table 9 Log menu navigator

Menus Tasks

Log

System Log

Settings

• Display log information.

• Query, collect, and delete log information.

• Enable or disable log output to the log buffer, and configure the

• Configure the address and port number of log hosts.

maximum number of logs in the log buffer.

18

Device management

Settings

Access the Settings page to change the device name, location, and system time.

System time sources

Correct system time is essential to network managem ent and communic ation. Configur e the system
time correctly before you run the device on the network.

The device can use the manually set system time, or obtain the UTC time fr om a time source on the
network and calculate the system time.

• When using the locally set system time, the device uses the clock signals generated by its
built-in crystal oscillator to maintain the system time.

• If you change the time zone or daylight saving settings without changing the date or time, the
device adjusts the system time based on the new settings.

• After obtaining the UTC time from a time source, the dev i ce uses the UTC time and the time
zone and daylight saving settings to calculate the system time. Then, the device periodically
synchronizes the UTC time and recalculates the sy st em time.

• If you change the time zone or daylight saving settings, the device recalculates the system time.

The system time calculated by using the UTC time from a time source is more precise.
Make sure the time zone and daylight saving setting are the same as the parameters of the place

where the device resides.
If the system time does not change accordingly when the daylight saving period ends, refresh the

Web interface.

Clock synchronization protocols

The device supports the following clock synchronization protocols:

• NTP—Network Time Protocol. NTP is typically used in large networks to dynamically
synchronize time among network devices. It provides higher clock accuracy than manual
system time configuration.

• SNTP—Simple NTP, a simpler implementation of NTP. SNTP uses the same packet formats
and exchange procedures as NTP. However, SNTP simplifies the clock synchronization
procedure. Compared with NTP, SNTP uses less resources and implements clock
synchronization in shorter time, but it is not as accurate as NTP.

NTP/SNTP operating modes

NTP supports two operating modes: client/server mode and symmetric active/passive mode. The
device can act only as a client in client/server mode or the active peer in symmetr ic active/passive
mode.

SNTP supports only the client/server mode. The device can act only as a client.

19

Table 10 NTP/SNTP operating modes

Mode Operating process Principle Application scenario

1. A client sends a clock

synchronization message to
the NTP servers.

2. Upon receiving the
message, the servers
automatically operate in
server mode and send a

Client/server

Symmetric
active/passive

reply.

3. If the client is synchronized
to multiple time servers, it
selects an optimal clock and
synchronizes its local clock
to the optimal reference
source.

You can configure multiple time
servers for a client.

This operating mode requires
that you specify the IP address of
the NTP server on the client.

1. A symmetric active peer
periodically sends clock
synchronization messages
to a symmetric passive
peer.

2. The symmetric passive peer
automatically operates in
symmetric passive mode
and sends a reply.

3. If the symmetric active peer
can be synchronized to
multiple time servers, it
selects an optimal clock and
synchronizes its local clock
to the optimal reference
source.

You must specify the IP address
of the symmetric passive peer on
the symmetric active peer.

A client can synchronize
to a server, but a server
cannot synchronize to a
client.

A symmetric active peer
and a symmetric
passive peer can be
synchronized to each
other. If both of them are
synchronized, the peer
with a higher stratum is
synchronized to the
peer with a lower
stratum.

This mode is intended for
scenarios where devices
of a higher stratum
synchronize to devices
with a lower stratum.

This mode is most often
used between servers
with the same stratum to
operate as a backup for
one another. If a server
fails to communicate with
all the servers of a lower
stratum, the server can
still synchronize to the
servers of the same
stratum.

NTP/SNTP time source authentication

The time source authentication function enables the device to authenticate the received NTP or
SNTP packets. This feature ensures that the device obtains the correct GMT.

Administrators

An administrator configures and manages the device from the following aspects:

• User account management—Manages user account i nformat ion a nd att ribute s ( for ex ample,
username and password).

• Role-based access control—Manages user access permissions by user role.

• Password control—Manages user passwords and controls user login status based on

predefined policies.

20

IMPORTANT:

The security
supported on the current Web interface, so do not assign the security-audit user role to any users.

The service type of an administrator can be SSH, Telnet, FTP, HTTP, HTTPS, PAD, or terminal. A
terminal user can access the device through the console, Aux, or Async port.

User account management

A user account on the device manages attributes for users who log in to the device with the same
username. The attributes include the username, password, services, and password control
parameters.

Role-based access control

Assign users user roles to control the users' access to functions and system resources. Assigning
permissions to a user role includes the following:

• Defines a set of rules to determine accessible or i naccessible functions for the user role.

• Configures resource access policies to s pecify which interfaces and VLANs are accessible to

the user role.

To configure a function related to a resource (an interface or VLAN), a user role must have access to
both the function and the resource.

Resource access policies

Resource access policies control access of user roles to syst em resources and include the following
types:

• Interface policy—Controls access to interfaces.

• VLAN policy—Controls access to VLANs.

You can perform the following tasks on an accessible interface, VLAN:

• Create or remove the interface or VLAN.

• Configure attributes for the interface or VLA N.

• Apply the interface or VLAN to other parameters.

Predefined user roles

The system provides predefined user roles. These user roles have access to all system resources
(interfaces and VLANs). Their access permissions differ.

If the predefined user roles cannot meet t he access requirements, you can define new user roles to
control the access permissions for users.

-audit user role has access only to securit y log menus. Security log menus are not

Assigning user roles

Depending on the authentication method, user role assignment has the following methods:

• Local authorization—If the user passes local authorization, the device assigns the user roles
specified in the local user account.

• Remote authorization—If the user passes remote authorization, the remote AAA server
assigns the user roles specified on the server.

A user who fails to obtain a user role is logged out of the device.
If multiple user roles are assigned to a user, the user can use the collection of functions and

resources accessible to all the user roles.

21

Password control

Password control allows you to implement the following features:

• Manage login and super password setup, ex pi rat i ons, and updates for device management
users.

• Control user login status based on predefined policies.

Local users are divided into device management users and network access users. This feature
applies only to device management users.

Minimum password length

You can define the minimum length of user passwords. If a user enters a password that is shorter
than the minimum length, the system rejects the password.

Password composition policy

A password can be a combination of characters from the following types:

• Uppercase letters A to Z.

• Lowercase letters a to z.

• Digits 0 to 9.

• Special characters. See Table 11.

Table 11 Special characters

Character name Symbol Character name Symbol

Ampersand sign & Apostrophe '
Asterisk * At sign @
Back quote ` Back slash \
Blank space N/A Caret ^
Colon : Comma ,
Dollar sign $ Dot .
Equal sign = Exclamation point !
Left angle bracket < Left brace {
Left bracket [ Left parenthesis (

Minus sign - Percent sign %
Plus sign + Pound sign #
Quotation marks " Right angle bracket >
Right brace } Right brac k et ]
Right parenthesis ) Semi-colon ;
Slash / Tilde ~
Underscore _ Vertical bar |

Depending on the system's security requirements, you can set the minimum number of character
types a password must contain and the minimum number of characters for each type, as shown in

Table 12.

22