KTI Networks KGS-1064-HP User Manual

KGS-1064-HP

Web Management Interface

User

Software Rev.1.0 or up

s Manual

,

DOC.170505

-1-

TRADEMARKS

Ethernet is a registered trademark of Xerox Corp.

Vitesse Switch Software. Copyright (c) 2002-2009
Vitesse Semiconductor Corporation "Vitesse". All Rights Reserved.
Unpublished rights reserved under the copyright laws of the United States of America, other countries and
international treaties. Permission to use, copy, store and modify, the software and its source code is granted.
Permission to integrate into other products, disclose, transmit and distribute the software in an absolute
machine readable format (e.g. HEX file) is also granted. The software may only be used in products utilizing
the Vitesse switch products.

(C) 2016 KTI Networks Inc. All rights reserved. No part of this documentation may be reproduced in any form
or by any means or used to make any directive work (such as translation or transformation) without permission
from KTI Networks Inc.

-2-

KTI Networks Inc. reserves the right to revise this documentation and to make changes in content from time to
time without obligation on the part of KTI Networks Inc. to provide notification of such revision or change.

For more information, contact:
15F-7, No. 79, Sec. 1, Hsin-Tai-Wu RD
His-chih, New Taipei City, Taiwan
Fax: 886-2-26983873
E-mail: kti@ktinet.com.tw
URL: http://www.ktinet.com.tw/

-3-

Table of Contents

1. Web Management ..................................................................................................................................... 11

1.1 Start Browser Software and Making Connection ............................................................ 11

1.2 Login to the Switch Unit .................................................................................................. 12

1.3 Main Management Menu ................................................................................................ 14

2. Configuration ............................................................................................................................................ 17

2.1 System ........................................................................................................................... 17

2.1.1 Information .................................................................................................................. 17

2.1.2 IP ................................................................................................................................ 18

2.1.2.1 Management VID (MVID) Operation Rules ............................................................... 19

2.1.3 IPv6 ............................................................................................................................. 19

2.1.4 NTP ............................................................................................................................. 21

2.1.5 Time ............................................................................................................................ 22

2.1.6 Log .............................................................................................................................. 24

2.2 Power Reduction ............................................................................................................ 25

2.2.1 EEE ............................................................................................................................. 25

2.3 Thermal Protection ................................................................................................ ......... 27

2.4 Ports .............................................................................................................................. 28

2.5 Security .......................................................................................................................... 30

2.5.1 Switch ......................................................................................................................... 30

2.5.1.1 Users ........................................................................................................................ 30

2.5.1.2 Privilege Level .......................................................................................................... 32

2.5.1.3 Auth Method ............................................................................................................. 34

2.5.1.4 SSH .......................................................................................................................... 35

2.5.1.5 HTTPS ..................................................................................................................... 36

2.5.1.6 Access Management ................................................................................................ 37

2.5.1.7 SNMP ....................................................................................................................... 38

2.5.1.7.1 System .................................................................................................................. 38

2.5.1.7.2 Communities ......................................................................................................... 41

2.5.1.7.3 Users ..................................................................................................................... 42

2.5.1.7.4 Groups .................................................................................................................. 43

2.5.1.7.5 Views .................................................................................................................... 44

-4-

2.5.1.7.6 Access................................................................................................................... 45

2.5.1.8 RMON ...................................................................................................................... 47

2.5.1.8.1 Statistics ................................................................................................................ 47

2.5.1.8.2 History ................................................................................................................... 48

2.5.1.8.3 Alarm ..................................................................................................................... 49

2.5.1.8.4 Event ..................................................................................................................... 51

2.5.2 Network ....................................................................................................................... 52

2.5.2.1 Limit Control ............................................................................................................. 52

2.5.2.2 NAS .......................................................................................................................... 55

2.5.2.3 ACL .......................................................................................................................... 64

2.5.2.3.1 Ports ...................................................................................................................... 64

2.5.2.3.2 Rate Limits ................................................................ ............................................ 66

2.5.2.3.3 Access Control List ................................................................................................ 67

2.5.2.4 DHCP ....................................................................................................................... 69

2.5.2.4.1 Snooping ............................................................................................................... 69

2.5.2.4.2 Relay ..................................................................................................................... 70

2.5.2.5 IP Source Guard ....................................................................................................... 71

2.5.2.5.1 Configuration ................................................................................................ ......... 71

2.5.2.5.2 Static Table ........................................................................................................... 72

2.5.2.6 ARP Inspection......................................................................................................... 73

2.5.2.6.1 Configuration ................................................................................................ ......... 73

2.5.2.6.2 Static Table ........................................................................................................... 74

2.5.3 AAA ............................................................................................................................. 75

2.6 Aggregation .................................................................................................................... 77

2.6.1 Static ........................................................................................................................... 77

2.6.2 LACP ........................................................................................................................... 78

2.7 Loop Protection .............................................................................................................. 79

2.8 Spanning Tree ................................................................................................................ 80

2.8.1 Bridge Settings ............................................................................................................ 81

2.8.2 MSTI Mapping ............................................................................................................. 83

2.8.3 MSTI Priorities ............................................................................................................. 84

2.8.4 CIST Ports................................................................................................................... 85

-5-

2.8.5 MSTI Ports .................................................................................................................. 87

2.9 MVR ............................................................................................................................... 89

2.10 IPMC ............................................................................................................................ 92

2.10.1 IGMP Snooping ................................................................................................ ......... 92

2.10.1.1 Basic Configuration ................................................................................................ 92

2.10.1.2 VLAN Configuration ................................................................................................ 94

2.10.1.3 Port Group Filtering ................................................................................................ 96

2.10.2 MLD Snooping .......................................................................................................... 96

2.10.2.1 Basic Configuration ................................................................................................ 96

2.10.2.2 VLAN Configuration ................................................................................................ 98

2.10.2.3 Port Group Filtering ................................................................................................ 99

2.11 LLDP .......................................................................................................................... 101

2.11.1 LLDP ....................................................................................................................... 101

2.11.2 LLDP-MED .............................................................................................................. 103

2.12 PoE ............................................................................................................................ 109

2.12.1 PoE Redundancy Support ....................................................................................... 111

2.13 MAC Table ................................................................................................................. 113

2.14 VLANs ........................................................................................................................ 114

2.14.1 Abbreviation ............................................................................................................ 114

2.14.2 VLAN Membership .................................................................................................. 115

2.14.3 Ports ........................................................................................................................ 117

2.15 Private VLANs ............................................................................................................ 120

2.15.1 PVLAN Membership ................................................................................................ 120

2.15.2 Port Isolation ........................................................................................................... 121

2.16 Voice VLAN ................................................................................................................ 122

2.16.1 Configuration ........................................................................................................... 122

2.16.2 OUI .......................................................................................................................... 124

2.17 QoS ............................................................................................................................ 125

2.17.1 Port Classification .................................................................................................... 125

2.17.2 Port Policing ............................................................................................................ 127

2.17.3 Scheduler ................................................................................................................ 128

2.17.4 Shaping ................................................................................................................... 128

-6-

2.17.5 Tag Remarking ........................................................................................................ 131

2.17.6 Port DSCP ............................................................................................................... 133

2.17.7 DSCP-Based QoS ................................................................................................... 135

2.17.8 DSCP Translation .................................................................................................... 138

2.17.9 DSCP Classification ................................................................................................ 141

2.17.10 QoS Control List .................................................................................................... 142

2.17.11 Storm Control ........................................................................................................ 144

2.18 Mirroring ..................................................................................................................... 145

2.19 UPnP .......................................................................................................................... 146

2.20 sFlow .......................................................................................................................... 147

2.21 Multi Ring ................................................................................................................... 149

2.22 OPA (Optical Power Alarm) Configuration .................................................................. 152

2.23 ALS (Auto Laser Shutdown) Configuration ................................................................. 153

3. Monitor .................................................................................................................................................... 154

3.1 System ......................................................................................................................... 155

3.1.1 Information ................................................................................................................ 155

3.1.2 CPU Load.................................................................................................................. 156

3.1.3 Log ............................................................................................................................ 157

3.1.4 Detailed Log .............................................................................................................. 158

3.2 Thermal Protection ................................................................................................ ....... 158

3.3 Ports ............................................................................................................................ 159

3.3.1 State .......................................................................................................................... 159

3.3.2 Traffic Overview ........................................................................................................ 160

3.3.3 QoS Statistics ............................................................................................................ 160

3.3.4 QCL Status ................................................................................................................ 161

3.3.5 Detailed Statistics ...................................................................................................... 162

3.4 Security ........................................................................................................................ 164

3.4.1 Access Management Statistics .................................................................................. 164

3.4.2 Network ..................................................................................................................... 164

3.4.2.1 Port Security ........................................................................................................... 164

3.4.2.1.1 Switch.................................................................................................................. 165

3.4.2.1.2 Port ..................................................................................................................... 166

-7-

3.4.2.2 NAS ........................................................................................................................ 167

3.4.2.2.1 Switch.................................................................................................................. 167

3.4.2.2.2 Port ..................................................................................................................... 168

3.4.2.3 ACL Status ............................................................................................................. 168

3.4.2.4 DHCP ..................................................................................................................... 170

3.4.2.4.1 Snooping Statistics .............................................................................................. 170

3.4.2.4.2 Relay ................................................................................................................... 171

3.4.2.5 ARP Inspection....................................................................................................... 172

3.4.2.6 IP Source Guard ..................................................................................................... 172

3.4.3 AAA ........................................................................................................................... 173

3.4.3.1 RADIUS Overview .................................................................................................. 173

3.4.3.2 RADIUS Details ...................................................................................................... 174

3.4.4 Switch-RMON ........................................................................................................... 178

3.4.4.1 Statistics ................................................................................................................. 178

3.4.4.2 History .................................................................................................................... 179

3.4.4.3 Alarm ...................................................................................................................... 180

3.4.4.4 Event ...................................................................................................................... 180

3.5 LACP............................................................................................................................ 182

3.5.1 System Status ........................................................................................................... 182

3.5.2 Port Status ................................................................................................................ 182

3.5.3 Port Statistics ............................................................................................................ 183

3.6 Loop Protection ............................................................................................................ 184

3.7 Spanning Tree .............................................................................................................. 185

3.7.1 Bridge Status ............................................................................................................. 185

3.7.2 Port Status ................................................................................................................ 185

3.7.3 Port Statistics ............................................................................................................ 186

3.8 MVR ............................................................................................................................. 187

3.8.1 Statistics .................................................................................................................... 187

3.8.2 MVR Channel Groups ............................................................................................... 187

3.8.3 MVR SFM Information ............................................................................................... 188

3.9 IPMC ............................................................................................................................ 189

3.9.1 IGMP Snooping ......................................................................................................... 189

-8-

3.9.1.1 Status ..................................................................................................................... 189

3.9.1.2 Groups Information ................................................................................................. 190

3.9.1.3 IPv4 SFM Information ............................................................................................. 190

3.9.2 MLD Snooping .......................................................................................................... 191

3.9.2.1 Status ..................................................................................................................... 191

3.9.2.2 Groups Information ................................................................................................. 192

3.9.2.3 IPv6 SFM Information ............................................................................................. 192

3.10 LLDP .......................................................................................................................... 193

3.10.1 Neighbours .............................................................................................................. 193

3.10.2 LLDP-MED Neighbours ................................ ........................................................... 194

3.10.3 PoE ......................................................................................................................... 197

3.10.4 EEE ......................................................................................................................... 198

3.10.5 Port Statistics ................................................................ .......................................... 199

3.11 PoE ............................................................................................................................ 201

3.12 MAC Table ................................................................................................................. 203

3.13 VLANs ........................................................................................................................ 204

3.13.1 VLAN Membership .................................................................................................. 204

3.13.2 VLAN Ports ............................................................................................................. 205

3.14 sFlow .......................................................................................................................... 207

3.15 Multi Ring Status ........................................................................................................ 209

3.16 Relay Alarm Status ..................................................................................................... 210

4. Diagnostics ............................................................................................................................................. 211

4.1 Ping & Ping6 ................................................................................................................ 211

4.2 VeriPHY ....................................................................................................................... 213

4.3 SFP DDM ..................................................................................................................... 215

5. Maintenance ............................................................................................................................................ 216

5.1 Restart Device .............................................................................................................. 216

5.2 Factory Defaults ........................................................................................................... 217

5.3 Software ....................................................................................................................... 217

5.3.1 Upload ....................................................................................................................... 217

5.3.2 Image Select ............................................................................................................. 218

-9-

5.4 Configuration ................................................................................................................ 219

5.4.1 Save .......................................................................................................................... 219

5.4.2 Upload ....................................................................................................................... 220

Glossary ...................................................................................................................................................... 221

-10-

1. Web Management

The switch features an http server which can serve the management requests coming from any web browser
software over TCP/IP network.

Web Browser

Compatible web browser software with JAVA script support
Microsoft Internet Explorer 4.0 or later

Set IP Address for the System Unit

Before the switch can be managed from web browser software, make sure a unique IP address is configured for
the switch.

1.1 Start Browser Software and Making Connection

Start your browser software and enter the IP address of the switch unit to which you want to connect. The IP
address is used as URL for the browser software to search the device.

URL: http://xxx.xxx.xxx.xxx/

Factory default IP address: 192.168.0.2
Factory default username: admin
Factory default password: 

Note: no password with factory defaults

-11-

1.2 Login to the Switch Unit

When browser software connects to the switch unit successfully, a Login screen is provided for you to login to
the device as the left display below:

“Port State Overview” page is displayed after a successful login.

[Logout] button and [Show Help] button

Check this box to refresh the page automatically. Automatic refresh occurs every 3

seconds.

-12-

Click to refresh the current page.

Port state icons are:

Status Description

RJ-45 port disabled

RJ-45 port link down

RJ-45 port link up

SFP port disabled

SFP port link down

SFP port link in 1G full duplex

SFP port link in 100M full duplex

The switch can accept more than one successful management connection simultaneously.

-13-

1.3 Main Management Menu

Main Menu:

Sub-menus:

Configuration

System Switch information, IP configuration, SNTP setting, and Password setting
Power Reduction EEE power saving configuration
Thermal Protection Thermal protection is used to protect the chip from getting overheated.
Ports Port operation related configuration, frame size, and power saving control
Security Switch & UI authentication configuration, Port access security control
Aggregation Static and LACP port link aggregation related configuration
Loop Protection Configuration for port loop detection and protection
Spanning Tree STP bridge, MSTI and CIST configuration
MVR MVR feature enables multicast traffic forwarding on the Multicast VLANs.
IPMC IGMP and MLD Snooping
LLDP LLDP configuration
PoE Power over Ethernet configuration and power management for PSE ports

-14-

MAC Table MAC address learning settings and static MAC address port configuration
VLANs VLAN groups and VLAN port-related configuration
Private VLANs PVLAN groups and port isolation configuration
Voice VLAN The Voice VLAN feature enables voice traffic forwarding on the Voice VLAN,
QoS QoS port ingress, egress and QCL configuration, Port rate control, QCL wizard
Mirroring Port mirroring settings
UPnP Configuration for UPnP (Universal Plug and Play) feature
sFlow sFlow is an industry standard technology for monitoring switched networks.
Multi Ring Configuration for ring connections between switches
OPA Optical Power Alarm function
ALS Auto Laser Shutdown function (Hardware Ver.E up)

Monitor

System System information and system log information
Thermal Protection Display port temperature and status
Ports Port link status, traffic statistics, QoS statistics
Security Switch & UI authentication, Port access security status
LACP LACP system and port status
Loop Protection Display port configuration and status for loop protection
Spanning Tree Bridge status, Port status and RSTP/STP/MSTP statistics
MVR Display IGMP and MLD snooping status and counters
IPMC IGMP Snooping & MLR snooping groups learned, Router ports, Statistics
LLDP LLDP neighbors information, Port statistics
PoE Display PoE status for all PSE ports
MAC Table Display of MAC address table
VLANs Display VLAN membership and VLAN port status
sFlow Display sFlow receiver status and port sample counters
Multi Ring Status Display all ring group status and port configuration status
Relay Alarm Status Display status of all alarm sources for alarm relay output

Diagnostics

Ping ICMP ping utility
Ping6 Ping utility for IPv6 devices
VeriPHY Copper cable diagnostics for all copper ports
SFP DDM SFP DDM information

Maintenance

-15-

Restart Device Command to reboot the switch
Factory Defaults Command to restore the switch with factory default settings
Software Command to update the switch firmware
Configuration Command to save or upload the system configuration

-16-

2. Configuration

2.1 System

2.1.1 Information

Configuration Description

System Contact The textual identification of the contact person for this managed node, together with

information on how to contact this person. The allowed string length is 0 to 255, and
the allowed content is the ASCII characters from 32 to 126.

System Name An administratively assigned name for this managed node. By convention, this is the

node's fully-qualified domain name. A domain name is a text string drawn from the
alphabet (A-Za-z), digits (0-9), minus sign (-). No space characters are permitted as
part of a name. The first character must be an alpha character. And the first or last
character must not be a minus sign. The allowed string length is 0 to 255.

System Location The physical location of this node(e.g., telephone closet, 3rd floor). The allowed

string length is 0 to 255, and the allowed content is the ASCII characters from 32 to

126.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

Note:

1. It is suggested to give each switch unit a system name as an alternative unique identification beside IP

address.

2. The system Name, Contact, and Location settings are also used as SNMP MIBs.

-17-

2.1.2 IP

Configuration Description

DHCP Client Enable the DHCP client by checking this box.
IP Address Provide the IP address of this switch unit.
IP Mask Provide the IP mask of this switch unit.
IP Router Provide the IP address of the default router for this switch unit.
VLAN ID Provide the managed VLAN ID. The allowed range is 1 through 4095.

This setting is also called MVID (Management VID) as abbreviation.

DNS Server Provide the IP address of the DNS Server in dotted decimal notation.
DNS Proxy When DNS proxy is enabled, DUT will relay DNS requests to the current configured

DNS server on DUT, and reply as a DNS resolver to the client device on the network.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.
Renew Click to renew DHCP. This button is only available if DHCP is enabled.

Note:

1. If DHCP fails and the configured IP address is zero, DHCP will retry. If DHCP fails and the configured IP

address is non-zero, DHCP will stop and the configured IP settings will be used. The DHCP client will
announce the configured System Name as hostname to provide DNS lookup.

2. The IP addresses should be in dotted decimal notation.

-18-

2.1.2.1 Management VID (MVID) Operation Rules

Management

Ingress port type

Management

incoming packet type

Conditions for acceptance

by the processor

Replied packets sent

by the processor

Unaware

Untagged

PVID = MVID

Untagged

C-port

Untagged

PVID = MVID

Untagged

C-tag tagged

VID = MVID

Untagged

S-port

Untagged

PVID = MVID

Untagged

S-tag tagged

VID = MVID

Untagged

S-custom-port

Untagged

PVID = MVID

Untagged

S-custom-tag tagged

VID = MVID

Untagged

The MVID setting restricts the ports that are allowed to communicate with the embedded system processor.

The allowed ports are limited in the member ports of the VLAN with MVID. The table below lists the

conditions that a management frame can reach the system process and the replied frame type sent by the system
processor. Refer to Section 2.14 for more configuration information of VLAN.

2.1.3 IPv6

Configuration Description

Auto Configuration DHCP Client Enable IPv6 auto-configuration by checking this box. If system cannot

obtain the stateless address in time, the configured IPv6 settings will be used. The
router may delay responding to a router solicitation for a few seconds, the total time
needed to complete auto-configuration can be significantly longer. Enable the DHCP
client by checking this box.

Address Provide the IPv6 address of this switch. IPv6 address is in 128-bit records represented

as eight fields of up to four hexadecimal digits with a colon separating each field (:).
For example, 'fe80::215:c5ff:fe03:4dc7'. The symbol '::' is a special syntax that can be
used as a shorthand way of representing multiple 16-bit groups of contiguous zeros;
but it can appear only once. It can also represent a legally valid IPv4 address. For

-19-

example, '::192.1.2.34'.
Prefix Provide the IPv6 Prefix of this switch. The allowed range is 1 to 128.
Router Provide the IPv6 gateway address of this switch. IPv6 address is in 128-bit records

represented as eight fields of up to four hexadecimal digits with a colon separating

each field (:). For example, 'fe80::215:c5ff:fe03:4dc7'. The symbol '::' is a special

syntax that can be used as a shorthand way of representing multiple 16-bit groups of

contiguous zeros; but it can appear only once. It can also represent a legally valid

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.
Renew Click to renew IPv6 AUTOCONF. This button is only available if IPv6 AUTOCONF

is enabled.

IPv4 address. . For example, '::192.1.2.34'.

-20-

2.1.4 NTP

Configuration Description

Mode Indicates the NTP mode operation. Possible modes are:

Enabled: Enable NTP mode operation. When enable NTP mode operation, the agent

forward and to transfer NTP messages between the clients and the server when they

are not on the same subnet domain.

Disabled: Disable NTP mode operation.
Server # Provide the NTP IPv4 or IPv6 address of this switch. IPv6 address is in 128-bit

records represented as eight fields of up to four hexadecimal digits with a colon

separates each field (:). For example, 'fe80::215:c5ff:fe03:4dc7'. The symbol '::' is a

special syntax that can be used as a shorthand way of representing multiple 16-bit

groups of contiguous zeros; but it can only appear once. It also used a following

legally IPv4 address. For example, '::192.1.2.34'.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

-21-

2.1.5 Time

Configuration Description
Time Zone Indicates the NTP mode operation. Possible modes are:

Acronym User can set the acronym of the time zone. This is a User configurable acronym to

identify the time zone. ( Range : Up to 16 alpha-numeric characters and can contain

'-', '_' or '.')
Daylight Saving Time This is used to set the clock forward or backward according to the configurations set

below for a defined Daylight Saving Time duration. Select 'Disable' to disable the

Daylight Saving Time configuration. Select 'Recurring' and configure the Daylight

Saving Time duration to repeat the configuration every year. Select 'Non-Recurring'

and configure the Daylight Saving Time duration for single time configuration.

( Default : Disabled )

-22-

Start time settings
Month Select the starting month.
Date Select the starting day.
Year Select the starting year number.
Hours Select the starting hour.
Minutes Select the starting minute.
End time settings
Month Select the ending month.
Date Select the ending day.
Year Select the ending year number.
Hours Select the ending hour.
Minutes Select the ending minute.
Offset Enter the number of minutes to add during Daylight Saving Time. (Range: 1 to

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

1440 )

-23-

2.1.6 Log

Configuration Description

Server Mode Indicates the server mode operation. When the mode operation is enabled, the syslog

message will send out to syslog server. The syslog protocol is based on UDP

communication and received on UDP port 514 and the syslog server will not send

acknowledgments back sender since UDP is a connectionless protocol and it does not

provide acknowledgments. The syslog packet will always send out even if the syslog

server does not exist. Possible modes are:
Enabled: Enable server mode operation.

Disabled: Disable server mode operation.
Server Address Indicates the IPv4 host address of syslog server. If the switch provide DNS feature, it

also can be a host name.
Syslog Level Indicates what kind of message will send to syslog server. Possible modes are:

Info: Send information, warnings and errors.

Warning: Send warnings and errors.

Error: Send errors.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

-24-

2.2 Power Reduction

2.2.1 EEE

EEE is a power saving option that reduces the power usage when there is low or no traffic utilization.

EEE works by powering down circuits when there is no traffic. When a port gets data to be transmitted all
circuits are powered up. The time it takes to power up the circuits is named wakeup time. The default wakeup
time is 17 us for 1Gbit links and 30 us for other link speeds. EEE devices must agree upon the value of the
wakeup time in order to make sure that both the receiving and transmitting device has all circuits powered up
when traffic is transmitted. The devices can exchange wakeup time information using the LLDP protocol.

For maximizing power savings, the circuit isn't started at once transmit data is ready for a port, but is instead
queued until 3000 bytes of data is ready to be transmitted. For not introducing a large delay in case that data
less then 3000 bytes shall be transmitted, data are always transmitted after 48 us, giving a maximum latency of
48 us + the wakeup time.

If desired it is possible to minimize the latency for specific frames, by mapping the frames to a specific queue
(done with QOS), and then mark the queue as an urgent queue. When an urgent queue gets data to be
transmitted, the circuits will be powered up at once and the latency will be reduced to the wakeup time.
EEE works for ports in auto-negotiation mode, where the port is negotiated to either 1G or 100 Mbit full

-25-

duplex mode.
Ports that are not EEE-capable are grayed out and thus impossible to enable EEE for.

Configuration Description

Port The switch port number of the logical EEE port.
Enabled Controls whether EEE is enabled for this switch port.
EEE Urgent Queues Queues set will activate transmission of frames as soon as data is available.

Otherwise the queue will postpone transmission until 3000 bytes are ready to be

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

transmitted.

-26-

2.3 Thermal Protection

This page allows the user to inspect and configure the current setting for controlling thermal protection.
Thermal protection is used to protect the chip from getting overheated. When the temperature exceeds the
configured thermal protection temperature, ports will be turned off in order to decrease the power consumption.
It is possible to arrange the ports with different priorities. Each priority can be given a temperature at which the
corresponding ports shall be turned off.

Configuration Description

Temperature settings for priority groups
Temperature The temperature at which the ports with the corresponding priority will be turned off.

Temperatures between 0 and 255℃ are supported.
Port Priorities The priority the port belongs to. 4 priorities are supported.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

-27-

2.4 Ports

Configuration Description

Port The port number associated to this configuration row
Link The current link status is displayed graphically.

Green indicates the link is up and red that it is down.
Speed - Current Provide the current link speed of the port.
Speed - Configured Select any available link speed for the given switch port.

Disabled: disables the switch port operation.

Auto: selects the highest speed that is compatible with a link partner.

10Mbps HDX: selects fixed 10Mbps and half duplex
10Mbps FDX: selects fixed 10Mbps and full duplex

100Mbps HDX: selects fixed 100Mbps and half duplex

100Mbps FDX: selects fixed 100Mbps and full duplex

1Gbps FDX: selects auto-negotiation 1000Mbps and full duplex

Flow Control – Current Rx Whether pause frames on the port are obeyed
Flow Control – Current Tx Whether pause frames on the port are transmitted

-28-

Flow Control – Configured Click to enable flow control for fixed speed settings.

When “Auto” Speed is selected for a port, this selection indicates the flow control

capability that is advertised to the link partner.
Maximum Frame Size Enter the maximum frame size allowed for the switch port, including FCS.

The allowed range is 1518 bytes to 9600 bytes.
Excessive Collision Mode Configure port transmission collision behavior.

Discard: Discard frame after 16 collisions (default).

Restart: Restart back-off algorithm after 16 collisions.

Power Control The configured column allows for changing the power savings mode parameters per

port.

Disabled: All power savings mechanisms are disabled.

ActiPHY: Link down power savings is enabled.

PerfectReach: Link up power savings is enabled.

Enabled: Both link up and link down power savings are enabled.

Link Alarm Port link fault alarm relay configuration
Click to enable relay alarm function for the port

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.
Refresh Click to refresh the page. Any changes made locally will be undone.

-29-

2.5 Security

2.5.1 Switch

2.5.1.1 Users

Configuration Description

User Name The name identifying the user.
Click also to edit a configured user.
Privilege Level The privilege level of the user. The allowed range is 1 to 15. If the privilege level

value is 15, it can access all groups, i.e. that is granted the fully control of the device.

But others value need to refer to each group privilege level. User's privilege should

be same or greater than the group privilege level to have the access of that group. By

default setting, most groups privilege level 5 has the read-only access and privilege

level 10 has the read-write access. And the system maintenance (software upload,

factory defaults and etc.) need user privilege level 15. Generally, the privilege level

15 can be used for an administrator account, privilege level 10 for a standard user

account and privilege level 5 for a guest account.

Add New User Click to configure a new user.

-30-

Configuration Description

User Name A string identifying the user name that this entry should belong to. The allowed string

length is 1 to 31. The valid user name is a combination of letters, numbers and

underscores. The name is for identifying the user.
Password The password of the user

The allowed string length is 0 to 31.
Privilege Level The privilege level of the user. The allowed range is 1 to 15. If the privilege level

value is 15, it can access all groups, i.e. that is granted the fully control of the device.

But others value need to refer to each group privilege level. User's privilege should

be same or greater than the group privilege level to have the access of that group. By

default setting, most group privilege level 5 has the read-only access and privilege

level 10 has the read-write access. And the system maintenance (software upload,

factory defaults and etc.) need user privilege level 15. Generally, the privilege level

15 can be used for an administrator account, privilege level 10 for a standard user

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.
Cancel Click to undo any changes made locally and return to the Users.
Delete User Delete the current user. This button is not available for new configurations.

(Add new user)

account and privilege level 5 for a guest account.

-31-

2.5.1.2 Privilege Level

Configuration Description

Group Name The name identifying the privilege group

In most cases, a privilege level group consists of a single module (e.g. LACP, RSTP

or QoS), but a few of them contains more than one. The following description defines

these privilege level groups in details:

System: Contact, Name, Location, Timezone, Daylight Saving Time, Log.

Security: Authentication, System Access Management, Port (contains Dot1x port,

-32-

MAC based and the MAC Address Limit), ACL, HTTPS, SSH, ARP Inspection, IP

source guard.

IP: Everything except 'ping'.

Port: Everything except 'VeriPHY'.

Diagnostics: 'ping' and 'VeriPHY'.

Maintenance: CLI- System Reboot, System Restore Default, System Password,

Configuration Save, Configuration Load and Firmware Load. Web- Users, Privilege

Levels and everything in Maintenance.

Debug: Only present in CLI.
Privilege Levels Every group has an authorization Privilege level for the following sub groups:

configuration read-only, configuration/execute read-write, status/statistics read-only,

status/statistics read-write (e.g. for clearing of statistics). User Privilege should be

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

same or greater than the authorization Privilege level to have the access to that group.

-33-

2.5.1.3 Auth Method

This page allows you to configure how a user is authenticated when he logs into the switch via one of the
management client interfaces.

Configuration Description

Client The management client for which the configuration below applies.
Authentication Method Authentication Method can be set to one of the following values:

none: authentication is disabled and login is not possible.

local: use the local user database on the switch stack for authentication.

radius: use a remote RADIUS server for authentication.

tacacs+: use a remote TACACS+ server for authentication.

Fallback Enable fallback to local authentication by checking this box.

If none of the configured authentication servers are alive, the local user database is

used for authentication. This is only possible if the Authentication Method is set to a

value other than 'none' or 'local'.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

-34-

2.5.1.4 SSH

Configuration Description

Mode Indicates the SSH mode operation. Possible modes are:

Enabled: Enable SSH mode operation.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

Disabled: Disable SSH mode operation.

-35-

2.5.1.5 HTTPS

Configuration Description

Mode Indicates the HTTPS mode operation. When the current connection is HTTPS, to

apply HTTPS disabled mode operation will automatically redirect web browser to an

HTTP connection. Possible modes are:

Enabled: Enable HTTPS mode operation.

Disabled: Disable HTTPS mode operation.

Automatic Redirect Indicates the HTTPS redirect mode operation. It is only significant if HTTPS mode

"Enabled" is selected. Automatically redirects web browser to an HTTPS connection

when both HTTPS mode and Automatic Redirect are enabled. Possible modes are:

Enabled: Enable HTTPS redirect mode operation.

Disabled: Disable HTTPS redirect mode operation.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

-36-

2.5.1.6 Access Management

Add New Entry

Configure access management table on this page. The maximum number of entries is 16. If the application's
type match any one of the access management entries, it will allow access to the switch.

Configuration Description

Mode Indicates the access management mode operation. Possible modes are:

Enabled: Enable access management mode operation.

Disabled: Disable access management mode operation.

Delete Check to delete the entry. It will be deleted during the next save.
Start IP Address Indicates the start IP address for the access management entry.
End IP Address Indicates the end IP address for the access management entry.
HTTP/HTTPS Indicates that the host can access the switch from HTTP/HTTPS interface if the host

IP address matches the IP address range provided in the entry.
SNMP Indicates that the host can access the switch from SNMP interface if the host IP

address matches the IP address range provided in the entry.
TELNET/SSH Indicates that the host can access the switch from TELNET/SSH interface if the host

IP address matches the IP address range provided in the entry.

Add New Entry Click to add a new access management entry.
Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

-37-

2.5.1.7 SNMP

2.5.1.7.1 System

System Configuration Description

Mode Indicates the SNMP mode operation. Possible modes are:

Enabled: Enable SNMP mode operation.

Disabled: Disable SNMP mode operation.
Version Indicates the SNMP supported version. Possible versions are:

SNMP v1: Set SNMP supported version 1.

SNMP v2c: Set SNMP supported version 2c.

-38-

SNMP v3: Set SNMP supported version 3.
Read Community Indicates the community read access string to permit access to SNMP agent. The

allowed string length is 0 ~ 255, and the allowed content is the ASCII characters

from 33 to 126.

Note: This field only suits when SNMP version is setting SNMPv1 or SNMPv2c. If

SNMP version is setting SNMPv3, the community string will associated with SNMPv3

communities table. It provides more flexibility to configure security name than a

SNMPv1 or SNMPv2c community string. In addition to community string, a

particular range of source addresses can use to restrict source subnet.

Write Community Indicates the community write-access string to permit access to SNMP agent. The

allowed string length is 0 ~ 255, and the allowed content is the ASCII characters

from 33 to 126.

Note: This field only suits when SNMP mode version setting SNMPv1 or SNMPv2c. If

SNMP version is setting SNMPv3, the community string will associated with SNMPv3

communities table. It provides more flexibility to configure security name than a

SNMPv1 or SNMPv2c community string. In addition to community string, a

particular range of source addresses can use to restrict source subnet.

Engine ID Indicates the SNMPv3 engine ID. The string must contain an even number between

10 and 64 hexadecimal digits, but all-zeros and all-'F's are not allowed. Change of the

Engine ID will clear all original local users.

Trap Configuration Description

Trap Mode Indicates the SNMP trap mode operation. Possible modes are:

Enabled: Enable SNMP trap mode operation.

Disabled: Disable SNMP trap mode operation.

Trap Version Indicates the SNMP trap supported version. Possible versions are:

SNMP v1: Set SNMP trap supported version 1.

SNMP v2c: Set SNMP trap supported version 2c.

SNMP v3: Set SNMP trap supported version 3.
Trap Community Indicates the community access string when send SNMP trap packet. The allowed

string length is 0 ~ 255, and the allowed content is the ASCII characters from 33 to

126.
Trap Destination Address Indicates the SNMP trap destination address.
Trap Destination IPv6 Address Provide the trap destination IPv6 address of this switch. IPv6 address is in 128-bit

records represented as eight fields of up to four hexadecimal digits with a colon
separates each field (:). For example, 'fe80::215:c5ff:fe03:4dc7'. The symbol '::' is a
special syntax that can be used as a shorthand way of representing multiple 16-bit

-39-

groups of contiguous zeros; but it can only appear once. It also used a following
legally IPv4 address. For example, '::192.1.2.34'.

Trap Authentication Failure Indicates the SNMP entity is permitted to generate authentication failure traps.

Possible modes are:

Enabled: Enable SNMP trap authentication failure.
Disabled: Disable SNMP trap authentication failure.

Trap Link-up and Link-down Indicates the SNMP trap link-up and link-down mode operation. Possible modes are:

Enabled: Enable SNMP trap link-up and link-down mode operation.
Disabled: Disable SNMP trap link-up and link-down mode operation.

Trap OPA Indicates the SNMP agent is permitted to generate SNMP OPA trap.

Enabled: Enable SNMP OPA trap
Disabled: Disable SNMP OPA trap

Trap Inform Mode Indicates the SNMP trap inform mode operation. Possible modes are:

Enabled: Enable SNMP trap inform mode operation.
Disabled: Disable SNMP trap inform mode operation.

Trap Inform Timeout Indicates the SNMP trap inform timeout (seconds). The allowed range is 0 ~ 2147.
Trap Inform Retry Times Indicates the SNMP trap inform retry times. The allowed range is 0 ~ 255.
Trap Probe Security Engine ID Available for SNMP v3, indicates the SNMP trap probe security engine ID mode of

operation. Possible values are:

Enabled: Enable SNMP trap probe security engine ID mode of operation.
Disabled: Disable SNMP trap probe security engine ID mode of operation.

Trap Security Engine ID Available for SNMP v3, indicates the SNMP trap security engine ID. SNMPv3 sends

traps and informs using USM for authentication and privacy. A unique engine ID for
these traps and informs is needed. When "Trap Probe Security Engine ID" is enabled,
the ID will be probed automatically. Otherwise, the ID specified in this field is used.
The string must contain an even number between 10 and 64 hexadecimal digits, but
all-zeros and all-'F's are not allowed.

Trap Security Name Available for SNMP v3, indicates the SNMP trap security name. SNMPv3 traps and

informs using USM for authentication and privacy. A unique security name is needed
when traps and informs are enabled.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

-40-

2.5.1.7.2 Communities

Configuration Description

Delete Check to delete the entry. It will be deleted during the next save.
Community Indicates the community access string to permit access to SNMPv3 agent. The

allowed string length is 1 to 32, and the allowed content is the ASCII characters from
33 to 126. The community string will treat as security name and map a SNMPv1 or
SNMPv2c community string.

Source IP Indicates the SNMP access source address. A particular range of source addresses can

use to restrict source subnet when combined with source mask.

Source Mask Indicates the SNMP access source address mask.

Add New Entry Click to add a new community entry.
Delete Click to cancel the new entry.
Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

Click Add New Entry :

-41-

2.5.1.7.3 Users

Configuration Description

Delete Check to delete the entry. It will be deleted during the next save.
Engine ID An octet string identifying the engine ID that this entry should belong to. The string

must contain an even number between 10 and 64 hexadecimal digits, but all-zeros
and all-'F's are not allowed. The SNMPv3 architecture uses the User-based Security
Model (USM) for message security and the View-based Access Control Model
(VACM) for access control. For the USM entry, the usmUserEngineID and
usmUserName are the entry's keys. In a simple agent, usmUserEngineID is always
that agent's own snmpEngineID value. The value can also take the value of the
snmpEngineID of a remote SNMP engine with which this user can communicate. In
othe words, if user engine ID equal system engine ID then it is local user; otherwize
it's remote user.

User Name A string identifying the user name that this entry should belong to. The allowed string

length is 1 to 32, and the allowed content is the ASCII characters from 33 to 126.

Security Level Indicates the security model that this entry should belong to. Possible security models

are:

NoAuth, NoPriv: None authentication and none privacy.
Auth, NoPriv: Authentication and none privacy.
Auth, Priv: Authentication and privacy.

The value of security level cannot be modified if entry already exists. That means
must first ensure that the value is set correctly.

Authentication Protocol Indicates the authentication protocol that this entry should belong to. Possible

authentication protocols are:

None: None authentication protocol.
MD5: An optional flag to indicate that this user using MD5 authentication protocol.
SHA: An optional flag to indicate that this user using SHA authentication protocol.

The value of security level cannot be modified if entry already exists. That means
must first ensure that the value is set correctly.

Authentication Password A string identifying the authentication pass phrase. For MD5 authentication protocol,

the allowed string length is 8 to 32. For SHA authentication protocol, the allowed

-42-

string length is 8 to 40. The allowed content is the ASCII characters from 33 to 126.

Privacy Protocol Indicates the privacy protocol that this entry should belong to. Possible privacy

protocols are:

None: None privacy protocol.
DES: An optional flag to indicate that this user using DES authentication protocol.

Privacy Password A string identifying the privacy pass phrase. The allowed string length is 8 to 32, and

the allowed content is the ASCII characters from 33 to 126.

Add New Entry Click to add a new entry.
Delete Click to cancel the new entry.
Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

Click Add New Entry :

2.5.1.7.4 Groups

Configuration Description

Delete Check to delete the entry. It will be deleted during the next save.
Security Model Indicates the security model that this entry should belong to. Possible security models are:

v1: Reserved for SNMPv1.
v2c: Reserved for SNMPv2c.
usm: User-based Security Model (USM).

Security Name A string identifying the security name that this entry should belong to. The allowed

-43-

string length is 1 to 32, and the allowed content is the ASCII characters from 33 to

126.
Group Name A string identifying the group name that this entry should belong to. The allowed

string length is 1 to 32, and the allowed content is the ASCII characters from 33 to

Add New Entry Click to add a new entry.
Delete Click to cancel the new entry.
Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

126.

Click Add New Entry :

2.5.1.7.5 Views

Configuration Description

Delete Check to delete the entry. It will be deleted during the next save.
View Name A string identifying the view name that this entry should belong to. The allowed

string length is 1 to 32, and the allowed content is the ASCII characters from 33 to

126.
View Type Indicates the view type that this entry should belong to. Possible view types are:

included: An optional flag to indicate that this view sub-tree should be included.

-44-

excluded: An optional flag to indicate that this view sub-tree should be excluded.
General, if a view entry's view type is 'excluded', it should be exist another view entry
which view type is 'included' and it's OID sub-tree overstep the 'excluded' view entry.

OID Subtree The OID defining the root of the sub-tree to add to the named view. The allowed OID

Add New Entry Click to add a new entry.
Delete Click to cancel the new entry.
Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

length is 1 to 128. The allowed string content is digital number or asterisk(*).

Click Add New Entry :

2.5.1.7.6 Access

Configuration Description

Delete Check to delete the entry. It will be deleted during the next save.
Group Name A string identifying the group name that this entry should belong to. The allowed

string length is 1 to 32, and the allowed content is the ASCII characters from 33 to

126.
Security Model Indicates the security model that this entry should belong to. Possible security models are:

any: Accepted any security model (v1|v2c|usm).
v1: Reserved for SNMPv1.
v2c: Reserved for SNMPv2c.
usm: User-based Security Model (USM).

-45-

Security Level Indicates the security model that this entry should belong to. Possible security models are:

NoAuth, NoPriv: None authentication and none privacy.
Auth, NoPriv: Authentication and none privacy.
Auth, Priv: Authentication and privacy.

Read View Name The name of the MIB view defining the MIB objects for which this request may

request the current values. The allowed string length is 1 to 32, and the allowed
content is the ASCII characters from 33 to 126.

Write View Name The name of the MIB view defining the MIB objects for which this request may

potentially SET new values. The allowed string length is 1 to 32, and the allowed
content is the ASCII characters from 33 to 126.

Add New Entry Click to add a new entry.
Delete Click to cancel the new entry.
Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

Click Add New Entry :

-46-

2.5.1.8 RMON

2.5.1.8.1 Statistics

Configuration Description

Delete Check to delete the RMON entry. It will be deleted during the next save.
ID Indicates the index of the entry. The range is from 1 to 65535.
Data Source Indicates the port ID which wants to be monitored. If in stacking switch, the value

must add 1000*(switch ID-1), for example, if the port is switch 3 port 5, the value is

2005.

Add New Entry Click to add a new entry.
Delete Click to cancel the new entry.
Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

Click Add New Entry :

-47-

2.5.1.8.2 History

Configuration Description

Delete Check to delete the entry. It will be deleted during the next save.
ID Indicates the index of the entry. The range is from 1 to 65535.
Data Source Indicates the port ID which wants to be monitored. If in stacking switch, the value

must add 1000*(switch ID-1), for example, if the port is switch 3 port 5, the value is

2005.
Interval Indicates the interval in seconds for sampling the history statistics data. The range is

from 1 to 3600, default value is 1800 seconds.

Buckets Indicates the maximum data entries associated this History control entry stored in

RMON. The range is from 1 to 3600, default value is 50.

Buckets Granted The number of data shall be saved in the RMON.

Add New Entry Click to add a new entry.
Delete Click to cancel the new entry.
Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

Click Add New Entry :

-48-

2.5.1.8.3 Alarm

Configuration Description

Delete Check to delete the entry. It will be deleted during the next save.
ID Indicates the index of the entry. The range is from 1 to 65535.
Interval Indicates the interval in seconds for sampling and comparing the rising and falling

threshold. The range is from 1 to 2^31-1.

Variable Indicates the particular variable to be sampled, the possible variables are:

InOctets: The total number of octets received on the interface, including framing
characters.

InUcastPkts: The number of uni-cast packets delivered to a higher-layer protocol.
InNUcastPkts: The number of broad-cast and multi-cast packets delivered to a

higher-layer protocol.
InDiscards: The number of inbound packets that are discarded even the packets are
normal.
InErrors: The number of inbound packets that contained errors preventing them from
being deliverable to a higher-layer protocol.
InUnknownProtos: the number of the inbound packets that were discarded because
of the unknown or un-support protocol.
OutOctets: The number of octets transmitted out of the interface , including framing
characters.

OutUcastPkts: The number of uni-cast packets that request to transmit.
OutNUcastPkts: The number of broad-cast and multi-cast packets that request to

transmit.
OutDiscards: The number of outbound packets that are discarded event the packets is
normal.
OutErrors: The The number of outbound packets that could not be transmitted
because of errors.
OutQLen: The length of the output packet queue (in packets).

Sample Type The method of sampling the selected variable and calculating the value to be

compared against the thresholds, possible sample types are:
Absolute: Get the sample directly.

-49-

Delta: Calculate the difference between samples (default).

Value The value of the statistic during the last sampling period.
Startup Alarm The method of sampling the selected variable and calculating the value to be

compared against the thresholds, possible sample types are:
RisingTrigger alarm when the first value is larger than the rising threshold.
FallingTrigger alarm when the first value is less than the falling threshold.
RisingOrFallingTrigger alarm when the first value is larger than the rising threshold

or less than the falling threshold (default).
Rising Threshold Rising threshold value (-2147483648-2147483647).
Rising Index Rising event index (1-65535).
Falling Threshold Falling threshold value (-2147483648-2147483647)
Falling Index Falling event index (1-65535).

Add New Entry Click to add a new entry.
Delete Click to cancel the new entry.
Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

Click Add New Entry :

-50-

2.5.1.8.4 Event

Configuration Description

Delete Check to delete the entry. It will be deleted during the next save.
ID Indicates the index of the entry. The range is from 1 to 65535.
Desc Indicates this event, the string length is from 0 to 127, default is a null string.
Type Indicates the notification of the event, the possible types are:

none: The total number of octets received on the interface, including framing

characters.

log: The number of uni-cast packets delivered to a higher-layer protocol.

snmptrap: The number of broad-cast and multi-cast packets delivered to a

higher-layer protocol.

logandtrap: The number of inbound packets that are discarded even the packets are

normal.
Community Specify the community when trap is sent, the string length is from 0 to 127, the

default is "public".
Event Last Time Indicates the value of sysUpTime at the time this event entry last generated an event.

Add New Entry Click to add a new entry.
Delete Click to cancel the new entry.
Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

Click Add New Entry :

-51-

2.5.2 Network

2.5.2.1 Limit Control

Limit Control allows for limiting the number of users on a given port. A user is identified by a MAC address
and VLAN ID. If Limit Control is enabled on a port, the limit specifies the maximum number of users on the
port. If this number is exceeded, an action is taken. The action can be one of the four different actions as
described below. The Limit Control module utilizes a lower-layer module, Port Security module, which
manages MAC addresses learned on the port. The Limit Control configuration consists of two sections, a
system- and a port-wide.

-52-

Configuration Description
System Configuration

Mode Indicates if Limit Control is globally enabled or disabled on the switch. If globally

disabled, other modules may still use the underlying functionality, but limit checks

and corresponding actions are disabled.
Aging Enabled If checked, secured MAC addresses are subject to aging as discussed under Aging

Period.
Aging Period If Aging Enabled is checked, then the aging period is controlled with this input. If

other modules are using the underlying port security for securing MAC addresses,

they may have other requirements to the aging period. The underlying port security

will use the shorter requested aging period of all modules that use the functionality.

The Aging Period can be set to a number between 10 and 10,000,000 seconds.

To understand why aging may be desired, consider the following scenario: Suppose

an end-host is connected to a 3rd party switch or hub, which in turn is connected to a

port on this switch on which Limit Control is enabled. The end-host will be allowed

to forward if the limit is not exceeded. Now suppose that the end-host logs off or

powers down. If it wasn't for aging, the end-host would still take up resources on this

switch and will be allowed to forward. To overcome this situation, enable aging.

With aging enabled, a timer is started once the end-host gets secured. When the timer

expires, the switch starts looking for frames from the end-host, and if such frames are

not seen within the next Aging Period, the end-host is assumed to be disconnected,

and the corresponding resources are freed on the switch.

Port Configuration

Port The port number to which the configuration below applies.
Mode Controls whether Limit Control is enabled on this port. Both this and the Global

Mode must be set to Enabled for Limit Control to be in effect. Notice that other

modules may still use the underlying port security features without enabling Limit

Control on a given port.
Limit The maximum number of MAC addresses that can be secured on this port. This

number cannot exceed 1024. If the limit is exceeded, the corresponding action is

taken.
Action If Limit is reached, the switch can take one of the following actions:

None: Do not allow more than Limit MAC addresses on the port, but take no further

action.

Trap: If (Limit + 1) MAC addresses are seen on the port, send an SNMP trap. If

Aging is disabled, only one SNMP trap will be sent, but with Aging enabled, new

SNMP traps will be sent every time the limit gets exceeded.

-53-

Shutdown: If (Limit + 1) MAC addresses are seen on the port, shut down the port.

This implies that all secured MAC addresses will be removed from the port, and no

new address will be learned. Even if the link is physically disconnected and

reconnected on the port (by disconnecting the cable), the port will remain shut down.

There are three ways to re-open the port:

1) Boot the stack or elect a new masterthe switch,

2) Disable and re-enable Limit Control on the port or the stackswitch,

3) Click the Reopen button.

Trap & Shutdown: If Limit + 1 MAC addresses is seen on the port, both the "Trap"

and the "Shutdown" actions described above will be taken.
State This column shows the current state of the port as seen from the Limit Control's point

of view. The state takes one of four values:

Disabled: Limit Control is either globally disabled or disabled on the port.

Ready: The limit is not yet reached. This can be shown for all actions.

Limit Reached: Indicates that the limit is reached on this port. This state can only be

shown if Action is set to None or Trap.

Shutdown: Indicates that the port is shut down by the Limit Control module. This

state can only be shown if Action is set to Shutdown or Trap & Shutdown.

Reopen If a port is shutdown by this module, you may reopen it by clicking this button, which

will only be enabled if this is the case. For other methods, refer to Shutdown in the

Action section.

Note that clicking the reopen button causes the page to be refreshed, so

non-committed changes will be lost.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

-54-

2.5.2.2 NAS

System Configuration Description

Mode Indicates if NAS is globally enabled or disabled on the switch stack. If globally

disabled, all ports are allowed forwarding of frames.
Reauthentication Enabled If checked, successfully authenticated supplicants/clients are reauthenticated after the

interval specified by the Reauthentication Period. Reauthentication for

802.1X-enabled ports can be used to detect if a new device is plugged into a switch

port or if a supplicant is no longer attached. For MAC-based ports, reauthentication is

only useful if the RADIUS server configuration has changed. It does not involve

communication between the switch and the client, and therefore doesn't imply that a

-55-

client is still present on a port (see Age Period below).
Reauthentication Period Determines the period, in seconds, after which a connected client must be

reauthenticated. This is only active if the Reauthentication Enabled checkbox is

checked. Valid values are in the range 1 to 3600 seconds.
EAPOL Timeout Determines the time between retransmission of Request Identity EAPOL frames.

Valid values are in the range 1 to 255 seconds. This has no effect for MAC-based

ports.
Age Period This setting applies to the following modes, i.e. modes using the Port Security

functionality to secure MAC addresses:

• Single 802.1X

• Multi 802.1X

• MAC-Based Auth.

When the NAS module uses the Port Security module to secure MAC addresses, the

Port Security module needs to check for activity on the MAC address in question at

regular intervals and free resources if no activity is seen within a given period of time.

This parameter controls exactly this period and can be set to a number between 10

and 1000000 seconds.

If reauthentication is enabled and the port is in a 802.1X-based mode, this is not so

criticial, since supplicants that are no longer attached to the port will get removed

upon the next reauthentication, which will fail. But if reauthentication is not enabled,

the only way to free resources is by aging the entries.

For ports in MAC-based Auth. mode, reauthentication doesn't cause direct

communication between the switch and the client, so this will not detect whether the

client is still attached or not, and the only way to free any resources is to age the

entry.
Hold Time This setting applies to the following modes, i.e. modes using the Port Security

functionality to secure MAC addresses:

• Single 802.1X

• Multi 802.1X

• MAC-Based Auth.

If a client is denied access - either because the RADIUS server denies the client

access or because the RADIUS server request times out (according to the timeout

specified on the "Configuration→Security→AAA" page) - the client is put on hold in

the Un-authorized state. The hold timer does not count during an on-going

authentication. In MAC-based Auth. mode, the The switch will ignore new frames

coming from the client during the hold time. The Hold Time can be set to a number

between 10 and 1000000 seconds.

-56-

RADIUS-Assigned QoS Enabled
RADIUS-assigned QoS provides a means to centrally control the traffic class to

which traffic coming from a successfully authenticated supplicant is assigned on the

switch. The RADIUS server must be configured to transmit special RADIUS

attributes to take advantage of this feature (see RADIUS-Assigned QoS Enabled

below for a detailed description). The "RADIUS-Assigned QoS Enabled" checkbox

provides a quick way to globally enable/disable RADIUS-server assigned QoS Class

functionality. When checked, the individual ports' ditto setting determines whether

RADIUS-assigned QoS Class is enabled for that port. When unchecked,

RADIUS-server assigned QoS Class is disabled for all ports.
RADIUS-Assigned VLAN Enabled
RADIUS-assigned VLAN provides a means to centrally control the VLAN on which

a successfully authenticated supplicant is placed on the switch. Incoming traffic will

be classified to and switched on the RADIUS-assigned VLAN. The RADIUS server

must be configured to transmit special RADIUS attributes to take advantage of this

feature (see RADIUS-Assigned VLAN Enabled below for a detailed description).

The "RADIUS-Assigned VLAN Enabled" checkbox provides a quick way to globally

enable/disable RADIUS-server assigned VLAN functionality. When checked, the

individual ports' ditto setting determines whether RADIUS-assigned VLAN is

enabled for that port. When unchecked, RADIUS-server assigned VLAN is disabled

for all ports.
Guest VLAN Enabled A Guest VLAN is a special VLAN - typically with limited network access - on which

802.1X-unaware clients are placed after a network administrator-defined timeout.

The switch follows a set of rules for entering and leaving the Guest VLAN as listed

below. The "Guest VLAN Enabled" checkbox provides a quick way to globally

enable/disable Guest VLAN functionality. When checked, the individual ports' ditto

setting determines whether the port can be moved into Guest VLAN. When

unchecked, the ability to move to the Guest VLAN is disabled for all ports.
Guest VLAN ID This is the value that a port's Port VLAN ID is set to if a port is moved into the Guest

VLAN. It is only changeable if the Guest VLAN option is globally enabled.

Valid values are in the range [1: 4095].
Max. Reauth. Count The number of times that the switch transmits an EAPOL Request Identity frame

without response before considering entering the Guest VLAN is adjusted with this

setting. The value can only be changed if the Guest VLAN option is globally enabled.

Valid values are in the range [1: 255].
Allow Guest VLAN if EAPOL Seen
The switch remembers if an EAPOL frame has been received on the port for the

-57-

life-time of the port. Once the switch considers whether to enter the Guest VLAN, it

will first check if this option is enabled or disabled. If disabled (unchecked; default),

the switch will only enter the Guest VLAN if an EAPOL frame has not been received

on the port for the life-time of the port. If enabled (checked), the switch will consider

entering the Guest VLAN even if an EAPOL frame has been received on the port for

the life-time of the port. The value can only be changed if the Guest VLAN option is

Port Configuration Description

globally enabled.

Port The port number for which the configuration below applies.
Admin State If NAS is globally enabled, this selection controls the port's authentication mode. The

following modes are available:

Force Authorized: In this mode, the switch will send one EAPOL Success frame

when the port link comes up, and any client on the port will be allowed network

access without authentication.
Force Unauthorized: In this mode, the switch will send one EAPOL Failure frame

when the port link comes up, and any client on the port will be disallowed network

access.
Port-based 802.1X: In the 802.1X-world, the user is called the supplicant, the switch

is the authenticator, and the RADIUS server is the authentication server. The

authenticator acts as the man-in-the-middle, forwarding requests and responses

between the supplicant and the authentication server. Frames sent between the

supplicant and the switch are special 802.1X frames, known as EAPOL (EAP Over

LANs) frames. EAPOL frames encapsulate EAP PDUs (RFC3748). Frames sent

between the switch and the RADIUS server are RADIUS packets. RADIUS packets

also encapsulate EAP PDUs together with other attributes like the switch's IP address,

name, and the supplicant's port number on the switch. EAP is very flexible, in that it

allows for different authentication methods, like MD5-Challenge, PEAP, and TLS.

The important thing is that the authenticator (the switch) doesn't need to know which

authentication method the supplicant and the authentication server are using, or how

-58-

many information exchange frames are needed for a particular method. The switch

simply encapsulates the EAP part of the frame into the relevant type (EAPOL or

RADIUS) and forwards it.

When authentication is complete, the RADIUS server sends a special packet

containing a success or failure indication. Besides forwarding this decision to the

supplicant, the switch uses it to open up or block traffic on the switch port connected

to the supplicant.

Note: Suppose two backend servers are enabled and that the server timeout is

configured to X seconds (using the AAA configuration page), and suppose that the

first server in the list is currently down (but not considered dead). Now, if the

supplicant retransmits EAPOL Start frames at a rate faster than X seconds, then it

will never get authenticated, because the switch will cancel on-going backend

authentication server requests whenever it receives a new EAPOL Start frame from

the supplicant. And since the server hasn't yet failed (because the X seconds haven't

expired), the same server will be contacted upon the next backend authentication

server request from the switch. This scenario will loop forever. Therefore, the server

timeout should be smaller than the supplicant's EAPOL Start frame retransmission

rate.
Single 802.1X: In port-based 802.1X authentication, once a supplicant is successfully

authenticated on a port, the whole port is opened for network traffic. This allows

other clients connected to the port (for instance through a hub) to piggy-back on the

successfully authenticated client and get network access even though they really

aren't authenticated. To overcome this security breach, use the Single 802.1X variant.

Single 802.1X is really not an IEEE standard, but features many of the same

characteristics as does port-based 802.1X. In Single 802.1X, at most one supplicant

can get authenticated on the port at a time. Normal EAPOL frames are used in the

communication between the supplicant and the switch. If more than one supplicant is

connected to a port, the one that comes first when the port's link comes up will be the

first one considered. If that supplicant doesn't provide valid credentials within a

certain amount of time, another supplicant will get a chance. Once a supplicant is

successfully authenticated, only that supplicant will be allowed access. This is the

most secure of all the supported modes. In this mode, the Port Security module is

used to secure a supplicant's MAC address once successfully authenticated.
Multi 802.1X: In port-based 802.1X authentication, once a supplicant is successfully

authenticated on a port, the whole port is opened for network traffic. This allows

other clients connected to the port (for instance through a hub) to piggy-back on the

successfully authenticated client and get network access even though they really

-59-

aren't authenticated. To overcome this security breach, use the Multi 802.1X variant.

Multi 802.1X is really not an IEEE standard, but features many of the same

characteristics as does port-based 802.1X. Multi 802.1X is - like Single 802.1X - not

an IEEE standard, but a variant that features many of the same characteristics. In

Multi 802.1X, one or more supplicants can get authenticated on the same port at the

same time. Each supplicant is authenticated individually and secured in the MAC

table using the Port Security module.

In Multi 802.1X it is not possible to use the multicast BPDU MAC address as

destination MAC address for EAPOL frames sent from the switch towards the

supplicant, since that would cause all supplicants attached to the port to reply to

requests sent from the switch. Instead, the switch uses the supplicant's MAC address,

which is obtained from the first EAPOL Start or EAPOL Response Identity frame

sent by the supplicant. An exception to this is when no supplicants are attached. In

this case, the switch sends EAPOL Request Identity frames using the BPDU

multicast MAC address as destination - to wake up any supplicants that might be on

the port.

The maximum number of supplicants that can be attached to a port can be limited

using the Port Security Limit Control functionality.
MAC-based Auth.: Unlike port-based 802.1X, MAC-based authentication is not a

standard, but merely a best-practices method adopted by the industry. In MAC-based

authentication, users are called clients, and the switch acts as the supplicant on behalf

of clients. The initial frame (any kind of frame) sent by a client is snooped by the

switch, which in turn uses the client's MAC address as both username and password

in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address

is converted to a string on the following form "xx-xx-xx-xx-xx-xx", that is, a dash (-)

is used as separator between the lower-cased hexadecimal digits. The switch only

supports the MD5-Challenge authentication method, so the RADIUS server must be

configured accordingly.

When authentication is complete, the RADIUS server sends a success or failure

indication, which in turn causes the switch to open up or block traffic for that

particular client, using the Port Security module. Only then will frames from the

client be forwarded on the switch. There are no EAPOL frames involved in this

authentication, and therefore, MAC-based Authentication has nothing to do with the

802.1X standard.

The advantage of MAC-based authentication over port-based 802.1X is that several

clients can be connected to the same port (e.g. through a 3rd party switch or a hub)

and still require individual authentication, and that the clients don't need special

-60-

supplicant software to authenticate. The advantage of MAC-based authentication

over 802.1X-based authentication is that the clients don't need special supplicant

software to authenticate. The disadvantage is that MAC addresses can be spoofed by

malicious users - equipment whose MAC address is a valid RADIUS user can be

used by anyone. Also, only the MD5-Challenge method is supported. The maximum

number of clients that can be attached to a port can be limited using the Port Security

Limit Control functionality.
RADIUS-Assigned QoS Enabled
When RADIUS-Assigned QoS is both globally enabled and enabled (checked) for a

given port, the switch reacts to QoS Class information carried in the RADIUS

Access-Accept packet transmitted by the RADIUS server when a supplicant is

successfully authenticated. If present and valid, traffic received on the supplicant's

port will be classified to the given QoS Class. If (re-)authentication fails or the

RADIUS Access-Accept packet no longer carries a QoS Class or it's invalid, or the

supplicant is otherwise no longer present on the port, the port's QoS Class is

immediately reverted to the original QoS Class (which may be changed by the

administrator in the meanwhile without affecting the RADIUS-assigned).

This option is only available for single-client modes, i.e.

• Port-based 802.1X

• Single 802.1X

RADIUS attributes used in identifying a QoS Class:

Refer to the written documentation for a description of the RADIUS attributes needed

in order to successfully identify a QoS Class. The User-Priority-Table attribute

defined in RFC4675 forms the basis for identifying the QoS Class in an

Access-Accept packet.

Only the first occurrence of the attribute in the packet will be considered, and to be

valid, it must follow this rule:

• All 8 octets in the attribute's value must be identical and consist of ASCII

characters in the range '0' - '3', which translates into the desired QoS Class in the

range [0; 3].
RADIUS-Assigned VLAN Enabled
When RADIUS-Assigned VLAN is both globally enabled and enabled (checked) for

a given port, the switch reacts to VLAN ID information carried in the RADIUS

Access-Accept packet transmitted by the RADIUS server when a supplicant is

successfully authenticated. If present and valid, the port's Port VLAN ID will be

changed to this VLAN ID, the port will be set to be a member of that VLAN ID, and

the port will be forced into VLAN unaware mode. Once assigned, all traffic arriving

-61-

on the port will be classified and switched on the RADIUS-assigned VLAN ID.

If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a

VLAN ID or it's invalid, or the supplicant is otherwise no longer present on the port,

the port's VLAN ID is immediately reverted to the original VLAN ID (which may be

changed by the administrator in the meanwhile without affecting the

RADIUS-assigned).

This option is only available for single-client modes, i.e.

• Port-based 802.1X

• Single 802.1X

For trouble-shooting VLAN assignments, use the "Monitor→VLANs→VLAN

Membership and VLAN Port" pages. These pages show that which modules have

(temporarily) overridden the current Port VLAN configuration.

RADIUS attributes used in identifying a VLAN ID:

RFC2868 and RFC3580 form the basis for the attributes used in identifying a VLAN

ID in an Access-Accept packet. The following criteria are used:

• The Tunnel-Medium-Type, Tunnel-Type, and Tunnel-Private-Group-ID attributes

must all be present at least once in the Access-Accept packet.

• The switch looks for the first set of these attributes that have the same Tag value

and fulfill the following requirements (if Tag == 0 is used, the

Tunnel-Private-Group-ID does not need to include a Tag):

- Value of Tunnel-Medium-Type must be set to "IEEE-802" (ordinal 6).

- Value of Tunnel-Type must be set to "VLAN" (ordinal 13).

- Value of Tunnel-Private-Group-ID must be a string of ASCII chars in the range

'0' - '9', which is interpreted as a decimal string representing the VLAN ID. Leading

'0's are discarded. The final value must be in the range [1; 4095].
Guest VLAN Enabled When Guest VLAN is both globally enabled and enabled (checked) for a given port,

the switch considers moving the port into the Guest VLAN according to the rules

outlined below.

This option is only available for EAPOL-based modes, i.e.:

• Port-based 802.1X

• Single 802.1X

• Multi 802.1X

For trouble-shooting VLAN assignments, use the "Monitor→VLANs→VLAN

Membership and VLAN Port" pages. These pages show that which modules have

(temporarily) overridden the current Port VLAN configuration.

Guest VLAN Operation:

When a Guest VLAN enabled port's link comes up, the switch starts transmitting

-62-

EAPOL Request Identity frames. If the number of transmissions of such frames

exceeds Max. Reauth. Count and no EAPOL frames have been received in the

meanwhile, the switch considers entering the Guest VLAN. The interval between

transmissions of EAPOL Request Identity frames is configured with EAPOL

Timeout. If Allow Guest VLAN if EAPOL Seen is enabled, the port will now be

placed in the Guest VLAN. If disabled, the switch will first check its history to see if

an EAPOL frame has previously been received on the port (this history is cleared if

the port link goes down or the port's Admin State is changed), and if not, the port will

be placed in the Guest VLAN. Otherwise it will not move to the Guest VLAN, but

continue transmitting EAPOL Request Identity frames at the rate given by EAPOL

Timeout.

Once in the Guest VLAN, the port is considered authenticated, and all attached

clients on the port are allowed access on this VLAN. The switch will not transmit an

EAPOL Success frame when entering the Guest VLAN.

While in the Guest VLAN, the switch monitors the link for EAPOL frames, and if

one such frame is received, the switch immediately takes the port out of the Guest

VLAN and starts authenticating the supplicant according to the port mode. If an

EAPOL frame is received, the port will never be able to go back into the Guest

VLAN if the "Allow Guest VLAN if EAPOL Seen" is disabled.
Port State The current state of the port. It can undertake one of the following values:

Globally Disabled: NAS is globally disabled.

Link Down: NAS is globally enabled, but there is no link on the port.

Authorized: The port is in Force Authorized or a single-supplicant mode and the

supplicant is authorized.

Unauthorized: The port is in Force Unauthorized or a single-supplicant mode and the

supplicant is not successfully authorized by the RADIUS server.

X Auth/Y Unauth: The port is in a multi-supplicant mode. Currently X clients are

authorized and Y are unauthorized.
Restart Two buttons are available for each row. The buttons are only enabled when

authentication is globally enabled and the port's Admin State is in an EAPOL-based

or MAC-based mode.

Clicking these buttons will not cause settings changed on the page to take effect.

Reauthenticate : Schedules a reauthentication to whenever the quiet-period of the
port runs out (EAPOL-based authentication). For MAC-based authentication,
reauthentication will be attempted immediately.
The button only has effect for successfully authenticated clients on the port and will
not cause the clients to get temporarily unauthorized.

-63-

Reintialize : Forces a reinitialization of the clients on the port and thereby a
reauthentication immediately. The clients will transfer to the unauthorized state while

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

the reauthentication is in progress.

2.5.2.3 ACL

2.5.2.3.1 Ports

Configuration Description

-64-

Port The logical port for the settings contained in the same row.
Policy ID Select the policy to apply to this port. The allowed values are 0 through 255. The

default value is 0.

Action Select whether forwarding is permitted ("Permit") or denied ("Deny"). The default

value is "Permit".

Rate Limiter ID Select which rate limiter to apply on this port. The allowed values are Disabled or the

values 1 through 16. The default value is "Disabled".

Port Redirect Select which port frames are copied to. The allowed values are Disabled or a specific

port number. The default value is "Disabled".

Mirror Specify the mirror operation of this port. The allowed values are:

Enabled: Frames received on the port are mirrored.
Disabled: Frames received on the port are not mirrored.

The default value is "Disabled".

Logging Specify the logging operation of this port. The allowed values are:

Enabled: Frames received on the port are stored in the System Log.
Disabled: Frames received on the port are not logged.
The default value is "Disabled".
Please note that the System Log memory size and logging rate is limited.

Shutdown Specify the port shut down operation of this port. The allowed values are:

Enabled: If a frame is received on the port, the port will be disabled.
Disabled: Port shut down is disabled.

The default value is "Disabled".

State Specify the port state of this port. The allowed values are:

Enabled: To reopen ports by changing the volatile port configuration of the ACL user
module.
Disabled: To close ports by changing the volatile port configuration of the ACL user
module.
The default value is "Enabled".

Counter Counts the number of frames that match this ACE.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.
Refresh Click to refresh the page; any changes made locally will be undone.
Clear Click to clear the counters.

-65-

2.5.2.3.2 Rate Limits

Configuration Description

Rate Limiter ID The rate limiter ID for the settings contained in the same row.
Rate The allowed values are: 0-3276700 in pps or 0, 100, 200, 300, ..., 1000000 in kbps.
Unit Specify the rate unit. The allowed values are:

pps: packets per second.
kbps: Kbits per second.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

-66-

2.5.2.3.3 Access Control List

Configuration Description

Ingress Port Indicates the ingress port of the ACE. Possible values are:

All: The ACE will match all ingress port.
Port: The ACE will match a specific ingress port.

Policy/Bitmask Indicates the policy number and bitmask of the ACE.
Frame Type Indicates the frame type of the ACE. Possible values are:

Any: The ACE will match any frame type.
EType: The ACE will match Ethernet Type frames. Note that an Ethernet Type based

ACE will not get matched by IP and ARP frames.

ARP: The ACE will match ARP/RARP frames.
IPv4: The ACE will match all IPv4 frames.
IPv4/ICMP: The ACE will match IPv4 frames with ICMP protocol.
IPv4/UDP: The ACE will match IPv4 frames with UDP protocol.
IPv4/TCP: The ACE will match IPv4 frames with TCP protocol.
IPv4/Other: The ACE will match IPv4 frames, which are not ICMP/UDP/TCP.

IPv6: The ACE will match all IPv6 standard frames.
Action Indicates the forwarding action of the ACE.

Permit: Frames matching the ACE may be forwarded and learned.
Deny: Frames matching the ACE are dropped.

Rate Limiter Indicates the rate limiter number of the ACE. The allowed range is 1 to 16. When Disabled is

displayed, the rate limiter operation is disabled.

Port Redirect Indicates the port redirect operation of the ACE. Frames matching the ACE are redirected to

the port number. The allowed values are Disabled or a specific port number. When Disabled
is displayed, the port redirect operation is disabled.

Mirror Specify the mirror operation of this port. Frames matching the ACE are mirrored to the

destination mirror port. The allowed values are:

Enabled: Frames received on the port are mirrored.
Disabled: Frames received on the port are not mirrored.

The default value is "Disabled".

Counter The counter indicates the number of times the ACE was hit by a frame.

ACE modification buttons:

(+) Inserts a new ACE before the current row.

-67-

(e) Edits the ACE.
() Moves the ACE up the list.
() Moves the ACE down the list.
(X) Deletes the ACE.
(+) The lowest plus sign adds a new entry at the bottom of the list of ACL.

Check this box to refresh the page automatically. Automatic refresh occurs every 3

seconds.

Refresh Click to refresh the page; any changes made locally will be undone.
Clear Click to clear the counters.
Remove All Click to remove all ACEs.

Click (+) to add one ACE entry:

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.
Cancel Click to return to the previous page.

-68-

2.5.2.4 DHCP

2.5.2.4.1 Snooping

Configuration Description

Snooping Mode Indicates the DHCP snooping mode operation. Possible modes are:

Enabled: Enable DHCP snooping mode operation. When enable DHCP snooping
mode operation, the request DHCP messages will be forwarded to trusted ports and
only allowed reply packets from trusted ports.
Disabled: Disable DHCP snooping mode operation.

Port Mode Indicates the DHCP snooping port mode. Possible port modes are:

Trusted: Configures the port as trusted sources of the DHCP message.
Untrusted: Configures the port as un-trusted sources of the DHCP message.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

-69-

2.5.2.4.2 Relay

Configuration Description

Relay Mode Indicates the DHCP relay mode operation. Possible modes are:

Enabled: Enable DHCP relay mode operation. When enable DHCP relay mode
operation, the agent forward and to transfer DHCP messages between the clients and
the server when they are not on the same subnet domain. And the DHCP broadcast
message won't flood for security considered.
Disabled: Disable DHCP relay mode operation.

Relay Server Indicates the DHCP relay server IP address. A DHCP relay agent is used to forward

and to transfer DHCP messages between the clients and the server when they are not
on the same subnet domain.

Relay Information Mode Indicates the DHCP relay information mode option operation. Possible modes are:

Enabled: Enable DHCP relay information mode operation. When enable DHCP relay
information mode operation, the agent insert specific information (option 82) into a
DHCP message when forwarding to DHCP server and remove it from a DHCP
message when transferring to DHCP client. It only works under DHCP relay
operation mode enabled.
Disabled: Disable DHCP relay information mode operation.

Relay Information Policy Indicates the DHCP relay information option policy. When enable DHCP relay

information mode operation, if agent receives a DHCP message that already contains
relay agent information. It will enforce the policy. And it only works under DHCP
relay information operation mode enabled. Possible policies are:
Replace: Replace the original relay information when receive a DHCP message that
already contains it.
Keep: Keep the original relay information when receive a DHCP message that
already contains it.
Drop: Drop the package when receive a DHCP message that already contains relay

-70-

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

information.

2.5.2.5 IP Source Guard

2.5.2.5.1 Configuration

Configuration Description

Mode of IP Source Guard Configuration
Enable the Global IP Source Guard or disable the Global IP Source Guard. All

configured ACEs will be lost when the mode is enabled.

Port Mode Configuration Specify IP Source Guard is enabled on which ports. Only when both Global Mode

-71-

and Port Mode on a given port are enabled, IP Source Guard is enabled on this given
port.

Max Dynamic Clients Specify the maximum number of dynamic clients can be learned on given ports. This

value can be 0, 1, 2 and unlimited. If the port mode is enabled and the value of max
dynamic client is equal 0, it means only allow the IP packets forwarding that are

Translate dynamic to static

Click to translate all dynamic entries to static entries.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

matched in static entries on the specific port.

2.5.2.5.2 Static Table

Configuration Description

Delete Check to delete the entry. It will be deleted during the next save.
Port The logical port for the settings
VLAN ID The VLAN ID for the settings
IP Address Allowed Source IP address
MAC Address Allowed MAC address

Add new entry Click to add a new entry to the Static IP Source Guard table.
Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

Click Add New Entry :

-72-

2.5.2.6 ARP Inspection

2.5.2.6.1 Configuration

Configuration Description

ARP Inspection Mode Enable the Global ARP Inspection or disable the Global ARP Inspection.
Port Mode Specify ARP Inspection is enabled on which ports. Only when both Global Mode and

Port Mode on a given port are enabled, ARP Inspection is enabled on this given port.

Translate dynamic to static

Click to translate all dynamic entries to static entries.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

-73-

2.5.2.6.2 Static Table

Configuration Description

Delete Check to delete the entry. It will be deleted during the next save.
Port The logical port for the settings
VLAN ID The VLAN ID for the settings
MAC Address Allowed MAC address
IP Address Allowed Source IP address

Add new entry Click to add a new entry.
Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

Click Add New Entry :

-74-

2.5.3 AAA

Common Server Description

Timeout The Timeout, which can be set to a number between 3 and 3600 seconds, is the

maximum time to wait for a reply from a server. If the server does not reply within
this timeframe, we will consider it to be dead and continue with the next enabled
server (if any).

RADIUS servers are using the UDP protocol, which is unreliable by design. In order

-75-

to cope with lost frames, the timeout interval is divided into 3 subintervals of equal
length. If a reply is not received within the subinterval, the request is transmitted
again. This algorithm causes the RADIUS server to be queried up to 3 times before it
is considered to be dead.

Dead Time The Dead Time, which can be set to a number between 0 and 3600 seconds, is the

period during which the switch will not send new requests to a server that has failed
to respond to a previous request. This will stop the switch from continually trying to
contact a server that it has already determined as dead. Setting the Dead Time to a
value greater than 0 (zero) will enable this feature, but only if more than one server

RADIUS Authentication Server Configuration

has been configured.

# The RADIUS authentication server number for which the configuration applies
Enabled Enable the server by checking this box.
IP Address(Hostname) The IP address of the server expressed in dotted decimal notation.
Port The UDP port to use on the server. If the port is set to zero (0), the default port (1812)

is used for the server.

Secret The secret - up to 29 characters long - shared between the server and the switch unit.

RADIUS Accounting Server Configuration

# The RADIUS accounting server number for which the configuration applies
Enabled Enable the server by checking this box.
IP Address(Hostname) The IP address of the server expressed in dotted decimal notation.
Port The UDP port to use on the server. If the port is set to zero (0), the default port (1812)

is used for the server.

Secret The secret - up to 29 characters long - shared between the server and the switch unit.

TACACS+ Authentication Server Configuration

# The TACACS+ authentication server number for which the configuration applies
Enabled Enable the server by checking this box.
IP Address(Hostname) The IP address of the server expressed in dotted decimal notation.
Port The UDP port to use on the server. If the port is set to zero (0), the default port (1812)

is used for the server.

Secret The secret - up to 29 characters long - shared between the server and the switch unit.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

-76-

2.6 Aggregation

The Port Link Aggregation function can combine multiple physical switched ports, called “Aggregation
Group” into one logical port. It allows making connection between two switches using more than one physical
links to increase the connection bandwidth between two switches. Two aggregation modes, “Static” and
“LACP” are supported.

2.6.1 Static

Hash Code Configuration Description

Source MAC Address The Source MAC address can be used to calculate the destination port for the frame.

Check to enable the use of the Source MAC address, or uncheck to disable. By
default, Source MAC Address is enabled.

Destination MAC Address The Destination MAC Address can be used to calculate the destination port for the

frame. Check to enable the use of the Destination MAC Address, or uncheck to
disable. By default, Destination MAC Address is disabled.

IP Address The IP address can be used to calculate the destination port for the frame. Check to

enable the use of the IP Address, or uncheck to disable. By default, IP Address is
enabled.

-77-

TCP/UDP Port Number The TCP/UDP port number can be used to calculate the destination port for the frame.

Check to enable the use of the TCP/UDP Port Number, or uncheck to disable. By

Aggregation Group Configuration

default, TCP/UDP Port Number is enabled.

Group ID Indicates the group ID for the settings contained in the same row. Group ID

“Normal” indicates there is no aggregation. Only one group ID is valid per port.

Port Members Each switch port is listed for each group ID. Select a radio button to include a port in

an aggregation, or clear the radio button to remove the port from the aggregation. By
default, no ports belong to any aggregation group. Only full duplex ports can join an
aggregation and ports must be in the same speed in each group.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

2.6.2 LACP

Configuration Description

Port The port number for which the associated row configuration applies
LACP Enabled Controls whether LACP is enabled on this switch port. LACP will form an

aggregation when 2 or more ports are connected to the same partner.

Key The Key value incurred by the port, range 1- 65535.

Auto: set the key as appropriate by the physical link speed, 10Mb = 1, 100Mb = 2, 1Gb = 3.

-78-

Specific: a user-defined value can be entered. Ports with the same Key value can
participate in the same aggregation group, while ports with different keys cannot.

Role The Role shows the LACP activity status. The “Active” will transmit LACP packets each

second while “Passive” will wait for a LACP packet from a link partner (speak if spoken to).

Timeout The Timeout controls the period between BPDU transmissions. Fast will transmit

LACP packets each second, while Slow will wait for 30 seconds before sending a
LACP packet.

Prio The Prio controls the priority of the port. If the LACP partner wants to form a larger

group than is supported by this device then this parameter will control which ports
will be active and which ports will be in a backup role. Lower number means greater

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

priority.

2.7 Loop Protection

-79-

Configuration Description

Enable Loop Protection Controls whether loop protections is enabled (as a whole).
Transmission Time The interval between each loop protection PDU sent on each port. valid values are 1 to 10

seconds.

Shutdown Time The period (in seconds) for which a port will be kept disabled in the event of a loop is detected

(and the port action shuts down the port). Valid values are 0 to 604800 seconds (7 days). A
value of zero will keep a port disabled (until next device restart).

Port The switch port number of the port
Enable Controls whether loop protection is enabled on this switch port.
Action Configures the action performed when a loop is detected on a port. Valid values are

Shutdown Port, Shutdown Port and Log or Log Only.

Tx Mode Controls whether the port is actively generating loop protection PDU's, or whether it

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

is just passively looking for looped PDU's.

2.8 Spanning Tree

This section is used to set configuration for supporting Spanning Tree protocols including STP, RSTP, and

MSTP.

-80-

2.8.1 Bridge Settings

Basic Configuration Description

Protocol Version The STP protocol version setting

Valid values: STP, RSTP, MSTP

Bridge Priority Controls the bridge priority. Lower numeric values have better priority. The bridge

priority plus the MSTI instance number, concatenated with the 6-byte MAC address
of the switch forms a Bridge Identifier.
For MSTP operation, this is the priority of the CIST. Otherwise, this is the priority of
the STP/RSTP bridge.

Forward Delay The delay used by STP Bridges to transition Root and Designated Ports to

Forwarding (used in STP compatible mode).
Valid values: 4 ~ 30 seconds

Max Age The maximum age of the information transmitted by the Bridge when it is the Root

Bridge
Valid values: 6 ~ 40 seconds (Max Age must be <= (FwdDelay-1)*2)

Maximum Hop Count It defines how many bridges a root bridge can distribute its BPDU information. This

defines the initial value of remaining Hops for MSTI information generated at the
boundary of an MSTI region.

Transmit Hold Count The number of BPDU’s a bridge port can send per second. When exceeded,

transmission of the next BPDU will be delayed.

-81-

Advanced Configuration

Valid values: 1 ~ 10 BPDU’s per second

Edge Port BPDU Filtering Check to configure a port explicitly as Edge will transmit and receive BPDUs
Edge Port BPDU Guard Control whether a port explicitly configured as Edge will disable itself upon reception

of a BPDU. The port will enter the error-disabled state, and will be removed from the
active topology.

Port Error Recovery Control whether a port in the error-disabled state automatically will be enabled after

a certain time. If recovery is not enabled, ports have to be disabled and re-enabled for
normal STP operation. The condition is also cleared by a system reboot.

Port Error Recovery Timeout The time that has to pass before a port in the error-disabled state can be enabled.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

Valid values: 30 ~ 86400 seconds (24 hours)

-82-

2.8.2 MSTI Mapping

Configuration Description

Configuration Name The name identifying the VLAN to MSTI mapping

Bridges must share the name and revision (see below), as well as the VLAN-to-MSTI
mapping configuration in order to share spanning trees for MSTI’s. (Intra-region)
The name is at most 32 characters.

Configuration Revision The revision of the MSTI configuration named above. This must be an integer

between 0 ~ 65535.

MSTI Mapping

MSTI The bridge instance

The CIST is not available for explicit mapping, as it will receive the VLANs not
explicitly mapped.

-83-

VLANs Mapped The list of VLAN’s mapped to the MSTI. The VLANs must be separated with

comma and/or space. A VLAN can only be mapped to one MSTI. An unused MSTI

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

should just be left empty. (i.e. not having any VLANs mapped to it.)

2.8.3 MSTI Priorities

Configuration Description

MSTI The bridge instance.

The CIST is the default instance, which is always active.

Priority Controls the bridge priority. Lower numerical values have better priority. The bridge

priority plus the MSTI instance number, concatenated with the 6-byte MAC address
of the switch forms a Bridge Identifier.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

-84-

2.8.4 CIST Ports

Configuration Description

Port The switch port number of the logical STP port.
STP Enabled Controls whether STP is enabled on this switch port.
Path Cost Controls the path cost incurred by the port. The Auto setting will set the path cost as

appropriate by the physical link speed, using the 802.1D recommended values. Using
the Specific setting, a user-defined value can be entered. The path cost is used when
establishing the active topology of the network. Lower path cost ports are chosen as
forwarding ports in favor of higher path cost ports.
Valid values: 1 to 200000000

Priority Controls the port priority. This can be used to control priority of ports having

identical port cost. (See above).

AdminEdge Controls whether the operEdge flag should start as being set or cleared. (The initial

operEdge state when a port is initialized).

operEdge: Operational flag describing whether the port is connecting directly to edge

devices. (No Bridges attached). Transitioning to the forwarding state is faster for
edge ports (having operEdge true) than for other ports.

AutoEdge Controls whether the bridge should enable automatic edge detection on the bridge

port. This allows operEdge to be derived from whether BPDU’s are received on the

-85-

port or not.

Restricted-Role If enabled, causes the port not to be selected as Root Port for the CIST or any MSTI,

even if it has the best spanning tree priority vector. Such a port will be selected as an
Alternate Port after the Root Port has been selected. If set, it can cause lack of
spanning tree connectivity. It can be set by a network administrator to prevent bridges
external to a core region of the network influencing the spanning tree active topology,
possibly because those bridges are not under the full control of the administrator.
This feature is also know as Root Guard.

Restricted TCN If enabled, causes the port not to propagate received topology change notifications

and topology changes to other ports. If set it can cause temporary loss of connectivity
after changes in a spanning trees active topology as a result of persistent incorrectly
learned station location information. It is set by a network administrator to prevent
bridges external to a core region of the network, causing address flushing in that
region, possibly because those bridges are not under the full control of the
administrator or is the physical link state for the attached LANs transitions
frequently.

BPDU Guard If enabled, causes the port to disable itself upon receiving valid BPDU’s. Contrary to

the similar bridge setting, the port Edge status does not affect this setting.

A port entering error-disabled state due to this setting is subject to the bridge Port

Error Recovery setting as well.

Point2Point Controls whether the port connects to a point-to-point LAN rather than a shared

medium. This can be automatically determined, or forced either true or false.
Transition to the forwarding state is faster for point-to-point LANs than for shared
media.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

Note: This configuration applies to physical and Link Aggregation ports.

-86-

2.8.5 MSTI Ports

A MSTI port is a virtual port, which is instantiated separately for each active CIST (physical) port for each
MSTI instance configured and applicable for the port. The MSTI instance must be selected before displaying
actual MSTI port configuration options. This page contains MSTI port settings for physical and aggregated
ports.

Configuration Description

MSTI Select an MSTI for pop-up configuration.

Get Click to pop-up configuration page.

-87-

Click Get :

Configuration Description (Example with MSTI1)

Port The switch port number of the corresponding STP CIST (and MSTI) port.
Path Cost Controls the path cost incurred by the port. The Auto setting will set the path cost as

appropriate by the physical link speed, using the 802.1D recommended values. Using
the Specific setting, a user-defined value can be entered. The path cost is used when
establishing the active topology of the network. Lower path cost ports are chosen as
forwarding ports in favor of higher path cost ports.
Valid values: 1 ~ 200000000

Priority Controls the port priority. This can be used to control priority of ports having

identical port cost. (See above).

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

-88-

2.9 MVR

The MVR feature enables multicast traffic forwarding on the Multicast VLANs. In a multicast television
application, a PC or a network television or a set-top box can receive the multicast stream. Multiple set-top
boxes or PCs can be connected to one subscriber port, which is a switch port configured as an MVR receiver
port. When a subscriber selects a channel, the set-top box or PC sends an IGMP/MLD report message to
Switch A to join the appropriate multicast group address. Uplink ports that send and receive multicast data to
and from the multicast VLAN are called MVR source ports. It is allowed to create at maximum 8 MVR
VLANs with corresponding channel settings for each Multicast VLAN. There will be totally at maximum 256
group addresses for channel settings.

Configuration Description (Example with MSTI1)

MVR Mode Enable/Disable the Global MVR.

The Unregistered Flooding control depends on the current configuration in
IGMP/MLD Snooping. It is suggested to enable Unregistered Flooding control when

-89-

the MVR group table is full.

Delete Check to delete the entry. The designated entry will be deleted during the next save.
MVR VID Specify the Multicast VLAN ID.

Be Caution: MVR source ports are not recommended to be overlapped with
management VLAN ports.

MVR Name MVR Name is an optional attribute to indicate the name of the specific MVR VLAN.

Maximum length of the MVR VLAN Name string is 32. MVR VLAN Name can
only contain alphabets or numbers. When the optional MVR VLAN name is given, it
should contain at least one alphabet. MVR VLAN name can be edited for the existing
MVR VLAN entries or it can be added to the new entries.

Mode Specify the MVR mode of operation. In Dynamic mode, MVR allows dynamic MVR

membership reports on source ports. In Compatible mode, MVR membership reports
are forbidden on source ports. The default is Dynamic mode.

Tagging Specify whether the traversed IGMP/MLD control frames will be sent as Untagged

or Tagged with MVR VID. The default is Tagged.

Priority Specify how the traversed IGMP/MLD control frames will be sent in prioritized

manner. The default Priority is 0.

LLQI Define the maximum time to wait for IGMP/MLD report memberships on a receiver

port before removing the port from multicast group membership. The value is in units
of tenths of a second. The range is from 0 to 31744. The default LLQI is 5 tenths or
one-half second.

Interface Channel Setting
When the MVR VLAN is created, click the Edit symbol to expand the corresponding

multicast channel settings for the specific MVR VLAN. Summary about the Interface
Channel Setting (of the MVR VLAN) will be shown besides the Edit symbol.

Port The logical port for the settings
Port Role Configure an MVR port of the designated MVR VLAN as one of the following roles.

Inactive: The designated port does not participate MVR operations.
Source: Configure uplink ports that receive and send multicast data as source ports.

Subscribers cannot be directly connected to source ports.
Receiver: Configure a port as a receiver port if it is a subscriber port and should only
receive multicast data. It does not receive data unless it becomes a member of the
multicast group by issuing IGMP/MLD messages.

Be Caution: MVR source ports are not recommended to be overlapped with
management VLAN ports.

Select the port role by clicking the Role symbol to switch the setting.
I: indicates Inactive; S: indicates Source; R indicates Receiver

-90-

The default Role is Inactive.

Immediate Leave Enable the fast leave on the port.

Add New MVR VLAN

Click to add a new entry.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

Click Add New MVR VLAN :

-91-

2.10 IPMC

2.10.1 IGMP Snooping

2.10.1.1 Basic Configuration

Configuration Description (Example with MSTI1)

Snooping Enabled Enable the Global IGMP Snooping.

-92-

Unregistered IPMCv4 Flooding Enabled
Enable unregistered IPMCv4 traffic flooding.

The flooding control takes effect only when IGMP Snooping is enabled.
When IGMP Snooping is disabled, unregistered IPMCv4 traffic flooding is always
active in spite of this setting.

IGMP SSM Range SSM (Source-Specific Multicast) Range allows the SSM-aware hosts and routers run

the SSM service model for the groups in the address range.

Leave Proxy Enabled Enable IGMP Leave Proxy. This feature can be used to avoid forwarding unnecessary

leave messages to the router side.

Proxy Enabled Enable IGMP Proxy. This feature can be used to avoid forwarding unnecessary join

and leave messages to the router side.

Router Port Specify which ports act as router ports. A router port is a port on the Ethernet switch

that leads towards the Layer 3 multicast device or IGMP querier.
If an aggregation member port is selected as a router port, the whole aggregation will
act as a router port.

Fast Leave Enable the fast leave on the port.
Throttling Enable to limit the number of multicast groups to which a switch port can belong.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

-93-

2.10.1.2 VLAN Configuration

Each page shows up to 99 entries from the VLAN table, default being 20, selected through the "entries per
page" input field. When first visited, the web page will show the first 20 entries from the beginning of the
VLAN Table. The first displayed will be the one with the lowest VLAN ID found in the VLAN Table.

Configuration Description (Example with MSTI1)

Delete Check to delete the entry. The designated entry will be deleted during the next save.
VLAN ID The VLAN ID of the entry.
IGMP Snooping Enabled
Enable the per-VLAN IGMP Snooping. Up to 32 VLANs can be selected for IGMP

Snooping.

IGMP Querier Enable the IGMP Querier in the VLAN.
Compatibility Compatibility is maintained by hosts and routers taking appropriate actions

depending on the versions of IGMP operating on hosts and routers within a network.
The allowed selection is IGMP-Auto, Forced IGMPv1, Forced IGMPv2, Forced
IGMPv3, default compatibility value is IGMP-Auto.

RV Robustness Variable. The Robustness Variable allows tuning for the expected packet

loss on a network. The allowed range is 1 to 255, default robustness variable value is

2.

QI Query Interval. The Query Interval is the interval between General Queries sent by

the Querier. The allowed range is 1 to 31744 seconds, default query interval is 125
seconds.

QRI Query Response Interval. The Maximum Response Delay used to calculate the

Maximum Response Code inserted into the periodic General Queries. The allowed
range is 0 to 31744 in tenths of seconds, default query response interval is 100 in
tenths of seconds (10 seconds).

LLQI (LMQI for IGMP) Last Member Query Interval. The Last Member Query Time is the time value

represented by the Last Member Query Interval, multiplied by the Last Member
Query Count. The allowed range is 0 to 31744 in tenths of seconds, default last
member query interval is 10 in tenths of seconds (1 second).

URI Unsolicited Report Interval. The Unsolicited Report Interval is the time between

-94-

repetitions of a host's initial report of membership in a group. The allowed range is 0
to 31744 seconds, default unsolicited report interval is 1 second.

Refresh Refreshes the displayed table starting from the "VLAN" input fields.
|<< Updates the table starting from the first entry in the VLAN Table, i.e. the entry with

the lowest VLAN ID.

>> Updates the table, starting with the entry after the last entry currently displayed.
Add New IGMP VLAN

Click to add new IGMP VLAN. Specify the VID and configure the new entry. Click

"Save". The specific IGMP VLAN starts working after the corresponding static
VLAN is also created.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

Click Add New IGMP VLAN :

-95-

2.10.1.3 Port Group Filtering

Configuration Description (Example with MSTI1)

Delete Check to delete the entry. It will be deleted during the next save.
Port The logical port for the settings.
Filtering Groups The IP Multicast Group that will be filtered.

Add New Filtering Group

Click to add a new entry to the Group Filtering table. Specify the Port, and Filtering

Group of the new entry. Click "Save".

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

Click Add New Filtering Group :

2.10.2 MLD Snooping

2.10.2.1 Basic Configuration

-96-

Configuration Description (Example with MSTI1)

Snooping Enabled Enable the Global MLD Snooping.
Unregistered IPMCv6 Flooding Enabled
Enable unregistered IPMCv6 traffic flooding.

The flooding control takes effect only when MLD Snooping is enabled.
When MLD Snooping is disabled, unregistered IPMCv6 traffic flooding is always
active in spite of this setting.

MLD SSM Range SSM (Source-Specific Multicast) Range allows the SSM-aware hosts and routers run

the SSM service model for the groups in the address range.

Leave Proxy Enabled Enable MLD Leave Proxy. This feature can be used to avoid forwarding unnecessary

leave messages to the router side.

Proxy Enabled Enable MLD Proxy. This feature can be used to avoid forwarding unnecessary join

and leave messages to the router side.

Router Port Specify which ports act as router ports. A router port is a port on the Ethernet switch

that leads towards the Layer 3 multicast device or MLD querier.

-97-

If an aggregation member port is selected as a router port, the whole aggregation will
act as a router port.

Fast Leave Enable the fast leave on the port.
Throttling Enable to limit the number of multicast groups to which a switch port can belong.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

2.10.2.2 VLAN Configuration

Each page shows up to 99 entries from the VLAN table, default being 20, selected through the "entries per
page" input field. When first visited, the web page will show the first 20 entries from the beginning of the
VLAN Table. The first displayed will be the one with the lowest VLAN ID found in the VLAN Table.

Configuration Description (Example with MSTI1)

Delete Check to delete the entry. The designated entry will be deleted during the next save.
VLAN ID The VLAN ID of the entry.
MLD Snooping Enabled
Enable the per-VLAN MLD Snooping. Up to 32 VLANs can be selected for MLD

Snooping.

MLD Querier Enable the MLD Querier in the VLAN.
Compatibility Compatibility is maintained by hosts and routers taking appropriate actions

depending on the versions of MLD operating on hosts and routers within a network.
The allowed selection is MLD-Auto, Forced MLDv1, Forced MLDv2, default
compatibility value is MLD-Auto.

RV Robustness Variable. The Robustness Variable allows tuning for the expected packet

loss on a network. The allowed range is 1 to 255, default robustness variable value is

2.

QI Query Interval. The Query Interval is the interval between General Queries sent by

the Querier. The allowed range is 1 to 31744 seconds, default query interval is 125
seconds.

QRI Query Response Interval. The Maximum Response Delay used to calculate the

-98-

Maximum Response Code inserted into the periodic General Queries. The allowed
range is 0 to 31744 in tenths of seconds, default query response interval is 100 in
tenths of seconds (10 seconds).

LLQI Last Member Query Interval. The Last Member Query Time is the time value

represented by the Last Member Query Interval, multiplied by the Last Member
Query Count. The allowed range is 0 to 31744 in tenths of seconds, default last
member query interval is 10 in tenths of seconds (1 second).

URI Unsolicited Report Interval. The Unsolicited Report Interval is the time between

repetitions of a host's initial report of membership in a group. The allowed range is 0
to 31744 seconds, default unsolicited report interval is 1 second.

Refresh Refreshes the displayed table starting from the "VLAN" input fields.
|<< Updates the table starting from the first entry in the VLAN Table, i.e. the entry with

the lowest VLAN ID.

>> Updates the table, starting with the entry after the last entry currently displayed.
Add New MLD VLAN

Click to add new MLD VLAN. Specify the VID and configure the new entry. Click

"Save". The specific MLD VLAN starts working after the corresponding static
VLAN is also created.

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

Click Add New MLD VLAN :

2.10.2.3 Port Group Filtering

Configuration Description (Example with MSTI1)

Delete Check to delete the entry. It will be deleted during the next save.
Port The logical port for the settings.

-99-

Filtering Groups The IP Multicast Group that will be filtered.

Add New Filtering Group

Click to add a new entry to the Group Filtering table. Specify the Port, and Filtering

Group of the new entry. Click "Save".

Save Click to save the changes.
Reset Click to undo any changes made locally and revert to previously saved values.

Click Add New Filtering Group :

-100-