Lancom GS-2124 User Manual

LANCOM GS-2124
© 2009 LANCOM Systems GmbH, Wuerselen (Germany). All rights reserved.
0634/0409
While the information in this manual has been compiled with great care, it may not be deemed an assurance of product characteristics. LANCOM Systems shall be liable only to the degree specified in the terms of sale and delivery.
The reproduction and distribution of the documentation and software supplied with this product and the use of its contents is subject to written authorization from LANCOM Systems. We reserve the right to make any alterations that arise as the result of technical development.
Windows®, Windows Vista™, Windows NT® and Microsoft® are registered trademarks of Microsoft, Corp.
The LANCOM Systems logo, LCOS and the name LANCOM are registered trademarks of LANCOM Systems GmbH. All other names or descriptions used may be trademarks or registered trademarks of their owners.
Subject to change without notice. No liability for technical errors or omissions.
Products from LANCOM Systems include software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
Products from LANCOM Systems include cryptographic software written by Eric Young (eay@cryptsoft.com).
Products from LANCOM Systems include software developed by the NetBSD Foundation, Inc. and its contributors.
Products from LANCOM Systems contain the LZMA SDK developed by Igor Pavlov.
LANCOM Systems GmbH
Adenauerstr. 20/B2
52146 Wuerselen
Germany
www.lancom.eu
Wuerselen, April 2009
Preface
Thank you for your confidence in us!
LANCOM Switches are ideally suited to small, medium-sized and performance networks in business environments.
The LANCOM GS-2124 switch features 20 Fast-Ethernet and four combo ports (TP/SFP). It integrates perfectly into LANCOM's Advanced Routing and Forwarding and supports up to 256 active VLANs. It uses bandwidth control to prioritize the data traffic according to predefined criteria (e.g. voice data or certain ports).
The LANCOM Switch can be managed with the clearly structured Webconfig and is supported by the LANCOM Management Tools (LANconfig and LANmonitor).
This documentation was created by …
... several members of our staff from a variety of departments in order to ensure you the best possible support when using your LANCOM product.
Should you find any errors, or if you would like to suggest improvements, please do not hesitate to send an e-mail directly to:
info@lancom.eu
Our online services www.lancom.eu are available to you around the clock if you have any questions on the content in this manual, or if you require any further support. The area 'Support' will help you with many answers to frequently asked questions (FAQs). Furthermore, the knowledgebase offers you a large reserve of information. The latest drivers, firmware, utilities and documentation are constantly available for download. In addition, LANCOM Support is available. For telephone numbers and contact addresses for LANCOM Support, please refer to the enclosed leaflet or the LANCOM Systems Web site.
Information symbols
Very important instructions. Failure to observe these may result in damage.
Important instruction that should be observed.
Additional information that may be helpful but is not essential.
Contents
1 Introduction
1.1 Key Features in the Device
1.2 Just what can your LANCOM Switch do?
2 Installation
2.1 Package content
2.2 System requirements
2.3 Status displays and interfaces
2.3.1 Connectors, LEDs and buttons on the LANCOM GS-2124
2.3.2 Connectors on rear of the LANCOM GS-2124
2.4 Mounting and connecting up the LANCOM Switch
2.5 Software installation
2.5.1 Starting the software setup
2.5.2 Which software should I install?
3 Configuring and monitoring the LANCOM Switch
3.1 Configuration options
3.1.1 Starting WEBconfig
3.1.2 Starting the Command Line Interface over the network
3.1.3 Starting the Command Line Interface over the serial connection
3.2 Which configuration does the device use?
3.3 Save/Restore
3.3.1 Factory Defaults
3.3.2 Save Start
3.3.3 Save User
3.3.4 Restore User
3.4 Export/Import Configuration File
3.5 Monitoring the LANCOM Switch with LANmonitor
3.5.1 Ethernet port status
4 Operation of Web-based Management
4.1 Web Management Home Overview
4.2 System: Basic Config
4.2.1 System Information
4.3 Account
4.3.1 Time
4.3.2 IP Configuration
4.3.3 Loop Detection
4.3.4 Management Policy
4.3.5 System Log
4.3.6 Virtual Stack
4.3.7 System: Port
4.3.8 Configuration
4.3.9 Port Status
4.3.10 Simple Counter
4.3.11 Detail Counter
4.4 Security: MAC
4.4.1 Mac Address Table
4.4.2 Static Filter
4.4.3 Static Forward
4.4.4 MAC Alias
4.4.5 MAC Table
4.5 Security: VLAN
4.5.1 VLAN Mode
4.5.2 Tag-based Group
4.5.3 Port-based Group
4.5.4 Ports
4.5.5 Port Isolation
4.5.6 Management VLAN
4.6 Security: ACL
4.6.1 Ports
4.6.2 Rate Limiters
4.6.3 Access Control List
4.6.4 Wizard
4.7 Security: IP MAC Binding
4.8 Security: DHCP Snooping
4.8.1 DHCP Snooping State
4.8.2 DHCP Snooping Entry
4.8.3 DHCP Snooping Client
4.9 Security: 802.1x Configuration
4.9.1 Server
4.9.2 Port Configuration
4.9.3 Status
4.9.4 Statistics
4.10 Security: Mirror
4.11 Configuration: GVRP
4.11.1 Config
4.11.2 Counter
4.11.3 Group
4.12 Configuration: QoS (Quality of Service) Configuration
4.12.1 Ports
4.12.2 Qos Control List
4.12.3 Rate Limiters
4.12.4 Storm Control
4.12.5 Wizard
4.13 Configuration: Trunk
4.13.1 Port
4.13.2 Aggregator View
4.13.3 Hash Method
4.13.4 LACP System Priority
4.14 Configuration: STP
4.14.1 STP Status
4.14.2 Configuration
4.14.3 Port
4.15 Configuration: MSTP
4.15.1 Status
4.15.2 Region Config
4.15.3 Instance View
4.16 Configuration: Multicast
4.16.1 IGMP Mode
4.16.2 Proxy
4.16.3 Snooping
4.16.4 IGMP Group Membership
4.17 Management: Alarm Configuration
4.17.1 Events
4.17.2 Email
4.18 Management: Diagnostics
4.18.1 Diag
4.18.2 Ping
4.19 Management: Maintenance
4.19.1 Reset device
4.19.2 Firmware upgrade
4.20 Management: SNMP
4.21 Logout
5 Operation of CLI Management
5.1 CLI Management
5.1.1 Login
5.2 Commands of CLI
5.2.1 Global Commands of CLI
5.2.2 4-2-2. Local Commands of CLI
6 Appendix
6.1 Performance data and specifications
6.2 Connector wiring
6.2.1 LAN interface 10/100Base-TX
6.3 Declaration of conformity
1 Introduction
The LANCOM Switch models LANCOM GS-2124 are managed layer-2 switches with 20 Gigabit ports (for twisted pair cable – TP) and four Gigabit dual media ports with TP/SFP, which meet the IEEE 802.3/u/x/z Gigabit, Fast Ethernet and Ethernet specifications.
The switch can be managed through the RS-232 serial port via a direct connection, or through an Ethernet port using Telnet or the Web-based management unit, associated with the SNMP agent. With the SNMP agent, the network administrator can log on to the switch to monitor, configure and control each port's activity in a friendly way.
The overall network management is enhanced and the network efficiency is also improved to accommodate high bandwidth applications. In addition, the switch features comprehensive and useful functions such as QoS (Quality of Service), Spanning Tree, VLAN, Port Trunking, Bandwidth Control, Port Security, SNMP/RMON and IGMP Snooping capability via the intelligent software. It is suitable for both metro-LAN and office applications.
10/100/1000 Mbps TP is a standard Ethernet port that meets all IEEE 802.3/u/x/z Gigabit, Fast Ethernet specifications. 1000 Mbps SFP Fiber transceiver is a Gigabit Ethernet port that fully complies with all IEEE 802.3z and 1000Base-SX/LX standards.
1000 Mbps Single Fiber WDM (BiDi) transceiver is designed with an optic Wavelength Division Multiplexing (WDM) technology that transports bi-directional full duplex signal over a single fiber simultaneously.
1.1 Key Features in the Device
- QoS:
  Supports Quality of Service by the IEEE 802.1P standard. There are two priority queues, and packet transmission is scheduled using Weighted Round Robin (WRR). User-defined weight classification of packet priority can be based on either the VLAN tag on packets or user-defined port priority.
- Spanning Tree:
  Supports the IEEE 802.1D and IEEE 802.1w (RSTP: Rapid Spanning Tree Protocol) standards.
- VLAN:
  Supports Port-based VLAN and IEEE 802.1Q Tag VLAN. Supports 256 active VLANs and VLAN ID 1~4094.
- Port Trunking:
  Supports static port trunking and port trunking with IEEE 802.3ad LACP.
- Bandwidth Control:
  Supports ingress and egress per port bandwidth control.
- Port Security:
  Supports allowed, denied forwarding and port security with MAC address.
- SNMP/RMON:
  SNMP agent and RMON MIB. In the device, the SNMP agent is client software that operates over the SNMP protocol; it receives commands from the SNMP manager (server site) and returns the corresponding data, i.e. MIB objects. In addition, the SNMP agent actively issues TRAP information when monitored events occur.
  RMON is the abbreviation of Remote Network Monitoring and is a branch of the SNMP MIB.
  The device supports MIB-2 (RFC 1213), Bridge MIB (RFC 1493), RMON MIB (RFC 1757)-statistics Group 1,2,3,9, Ethernet-like MIB (RFC 1643), Ethernet MIB (RFC 1643) and so on.
- IGMP Snooping:
  Supports IGMP version 2 (RFC 2236): The IGMP snooping function is used to establish the multicast groups so that multicast packets are forwarded to the member ports only, which avoids wasting bandwidth while IP multicast packets are running over the network.
1.2 Just what can your LANCOM Switch do?
Hardware
- Supports 20-port 10/100/1000 Mbps TP ports and auto MDIX function
- 4 Gigabit dual media ports (TP/SFP)
- On-line pluggable fiber transceiver modules
- 256KB packet buffer and 128KB control memory
- Maximal packet length can be up to 1536 bytes
- Full-duplex flow control (IEEE802.3x) and half-duplex backpressure
- Status LEDs
  - System: Power
  - TP Port 1-24: LINK/ACT, SPD
  - SFP-Ports 21,22,23,24: LINK/ACT, SPD, SFP
- PoE support
  - PoE with 48VDC power through RJ-45 pin 1, 2, 3, 6.
  - Powered Device (PD) auto detection and classification.
  - PoE-PSE status and activity LED indicator.
Management
- Concise display of port status and easy port configuration
- Per port traffic monitoring counters
- Port mirror function
- Static trunk function
- 802.1Q VLAN with 256 entries.
- DHCP Broadcasting Suppression to avoid the network being suspended or crashing
- Trap event when monitored events happen
- Default configuration which can be restored via web browser and CLI to overwrite the current working configuration
- 5 kinds of QoS, as follows: MAC Priority, 802.1p Priority, IP TOS Priority, and DiffServ DSCP Priority.
- Built-in web-based management and CLI management, providing a more convenient UI for the user
- Rapid Spanning Tree (802.1w RSTP)
- 802.1x port security on a VLAN
- SNMP access can be disabled to prevent illegal SNMP access
- Ingress, Non-unicast and Egress Bandwidth rating management
- The trap event and alarm message can be transferred via e-mail and mobile phone short message
- Diagnostics to let the administrator know the hardware status
- External loopback test to check if the link is ok
- HTTP for firmware upgrade, system log upload and config file import/export
- Remote boot of the device through user interface and SNMP
- Network time synchronization and daylight saving
- 120 event log records in the main memory and display on the local console
Options
- LANCOM SFP Transceiver:
  - Item no. 61556 LANCOM SFP-SX-LC1
  - Item no. 61557 LANCOM SFP-LX-LC1
2 Installation
This chapter will assist you to quickly install hardware and software. First, check the package contents and system requirements. The device can be installed and configured quickly and easily if all prerequisites are fulfilled.
2.1 Package content
Before beginning with the installation, please check that nothing is missing from your package. Along with the LANCOM Switch the box should contain the following accessories:
- Power cord
- 19" adapter (2 pieces) and mounting materials
- Serial configuration cable
- LANCOM CD
- Printed documentation
Should anything be missing, please immediately contact your dealer or the address on the delivery note supplied with your device.
2.2 System requirements
Computers that connect to a LANCOM must meet the following minimum requirements:
- Operating system that supports TCP/IP, e.g. Windows Vista™, Windows XP, Windows Millennium Edition (Me), Windows 2000, Windows 98, Linux, BSD Unix, Apple Mac OS, OS/2.
- Access to the LAN via the TCP/IP protocol.
The LANtools also require a Windows operating system. A web browser under any operating system provides access to WEBconfig.
2.3 Status displays and interfaces
2.3.1 Connectors, LEDs and buttons on the LANCOM GS-2124
Meanings of the LEDs
The following section describes the meaning of the LEDs.
Please be aware that LANmonitor shows far more information about the status of the LANCOM Switch than the LEDs (see 'Monitoring the LANCOM Switch with LANmonitor').
Located on the front of the device are connectors for different cable types, light-emitting diodes (LEDs) that provide information on device status, and also a button.
TP connectors: Connectors for twisted-pair cables.
SFP connectors: Connectors for small form-factor pluggable (SFP) cables.
Serial connector: Connector for serial configuration cable.
Reset: Button to re-start the system.
POWER LED: Constant green when power is supplied to the device.
LINK / ACT LED, Port 1 to 24:
- Constant green when the network connection is established to the connected device.
- Blinks during data transfer.
- Off if no network connection can be established to the connected device.
10/100/1000 Mbps LED:
- Constant green when the 1000 Mbps mode is active.
- Constant orange when the 100 Mbps mode is active.
- Off when the 10 Mbps mode is active.
SFP (LINK/ACT) LED:
- Constant green when the network connection is established to the connected device.
- Blinks during data transfer.
- Off if no network connection can be established to the connected device.
2.3.2 Connectors on rear of the LANCOM GS-2124
The following connectors are located on the rear of the device.
Connector for the power supply cable.
2.4 Mounting and connecting up the LANCOM Switch
Installing the LANCOM Switch involves the following steps:
- Mounting – The device is designed for mounting in an available 19" unit in a server cabinet. If necessary fix the rubber pads to the underside of the device to prevent any scratching to other equipment.
  Ensure that the device has sufficient ventilation to prevent damage from excessive heat build-up.
- LAN connection – Connect the network devices to the ports of the LANCOM Switch by means of a suitable twisted-pair cable (TP cable). The connectors automatically detect the available data transfer speeds and the pin assignment (autosensing).
  Use only standard TP cables of category CAT 5 or better with a maximum length of 100 m to ensure the best possible transfer of data. Cross-over cables can be used thanks to the auto-sensing function.
  If optical connections are to be used, additional modules can be purchased as accessories.
- Configuration via serial ports – In order to configure the LANCOM Switch directly, connect the serial configuration cable (supplied) to the COM port of the device. Connect the other end of this cable to an available COM port (RS 232) on a PC. Instructions on carrying out a configuration via the serial interface and on entering relevant parameters via a terminal program are available under 'Starting the Command Line Interface via serial connection' in the following chapter.
- Supply power and switch on – Supply power to the device by means of the IEC power cable.
- Ready for operation? – After a brief self-test, the power LED lights up continuously. Green LAN-LINK LEDs show which LAN connectors are being used for a connection.
2.5 Software installation
The following section describes the installation of the Windows-compatible system software LANtools, as supplied.
You may skip this section if you use your LANCOM Switch exclusively with computers running operating systems other than Windows.
2.5.1 Starting the software setup
Place the product CD into your drive. The setup program will start automatically.
If the setup does not start automatically, run AUTORUN.EXE in the root directory of the LANCOM CD.
In Setup, select Install software. The following selection menus will appear on screen:
2.5.2 Which software should I install?
- LANconfig is the Windows configuration program for all LANCOM devices. LANconfig searches for all LANCOM devices in your network. You can use this to start the Web-based configuration of a LANCOM Switch.
- With LANmonitor you can use a Windows computer to monitor all of your LANCOM devices. This program displays all important status information for a LANCOM Switch, such as link status or port PoE state.
- With Documentation you copy the documentation files onto your PC.
Select the appropriate software options and confirm your choice with Next. The software is installed automatically.
3 Configuring and monitoring the LANCOM Switch
3.1 Configuration options
There are two different methods of configuring the device.
- By means of a graphical user interface or via a browser (WEBconfig). This option is only available if you have network access to the device's IP address from your computer.
  Instructions for configuring the device with WEBconfig are available in the chapter "Web-based configuration".
- Text-orientated configuration via a console (Command Line Interface – CLI): This method of configuration, which requires a program such as Telnet, Hyperterminal, or similar, can be conducted over a network connection or with a direct connection via serial interface (RS-232).
  Instructions for configuring the device with CLI are available in the chapter "Command line interface".
3.1.1 Starting WEBconfig
There are two ways of starting the configuration by browser:
- If you know the device's IP address, simply enter this into the address line in the browser. The factory settings for accessing the device are: User name "admin", password "admin".
- If you do not have the device's IP number, LANconfig can be used to search for it. To start LANconfig click on Start > Programs > LANCOM > LANconfig.
  LANconfig automatically searches for all available devices in your network. Any available LANCOM devices will be displayed in the list, including the LANCOM Switch. Double-click on this entry to start the browser automatically with the correct IP address.
What is the IP address of my LANCOM Switch?
The current IP address of the LANCOM Switch after being switched on depends on the network constellation.
Networks with DHCP server – In its factory settings, the LANCOM Switch is set for auto DHCP mode, meaning that it searches for a DHCP server to assign it an IP address, subnet mask and gateway address. The assigned IP address can only be determined by using the appropriate tools or via the DHCP server. If the DHCP server is a LANCOM device, the IP address of the LANCOM Switch can be read out from the DHCP table. If this is the case, the LANCOM Switch can be accessed from any network computer that receives its IP address from the same DHCP server.
Network without a DHCP server – If no DHCP server is present in the network, the LANCOM Switch automatically adopts the address "172.23.56.250".
If this is the case, the LANCOM Switch can be accessed from any network computer with its IP address set to the address range "172.23.56.x".
3.1.2 Starting the Command Line Interface over the network
If you know the device's IP address (see section above) and the LANCOM Switch is accessible from your computer via the network, then you can use the command line interface via the network.
- To do this, start a console such as Telnet and enter the device's IP address as the target.
- Log on with user name and password (default: admin, admin).
3.1.3 Starting the Command Line Interface over the serial connection
If you do not know the IP address of the device, you can use the command line interface via a serial connection.
- Use the serial configuration cable to connect the LANCOM Switch to the configuration computer ('Mounting and connecting up the LANCOM Switch').
- Start a terminal program on the configuration computer, such as Hyperterminal under Windows. Use the following parameters for the connection:
  Baud rate: 115200
  Stop bits: 1
  Data bits: 8
  Parity: N
  Flow control: None
- Log on with user name and password (default: admin, admin).
3.2 Which configuration does the device use?
The switch supports four different configurations: the start configuration, the current working configuration, the user configuration and the default configuration.
Start configuration
At the system start, the device takes the parameters from the start configuration and copies these to the working configuration. On shipping, the start configuration is the same as the default configuration.
To change the start configuration, the altered parameters have to be saved as the start configuration.
Working configuration:
This is the currently active configuration in the device. It can be changed at any time. All changes to the configuration are saved here. Each time you make changes and press <Apply>, the changes are stored to the working configuration.
The changes to the working configuration are not automatically adopted for the start configuration. They have to be saved specifically as the start or user configuration. If you do not save the changes to your working configuration, they will be lost and the previous start configuration will be active when you start the system the next time.
User configuration:
This configuration exists for specific requirements or for making backups. You can save any state of the working configuration as a user configuration and restore this state later with the function "Restore user configuration".
If the start configuration is defective and the device is not available via network, you can use the serial configuration interface and the Command Line Interface to reload a functional start configuration.
Default configuration
This is the default configuration and it cannot be altered. The web user interface has the following options to restore the switch to its default setting.
- With the function "restore default configuration included default IP address" you can reset the switch to the factory default settings (including the administrator's password and the auto DHCP setting).
- With the function "restore default configuration without changing current IP address" you can reset the switch to the factory default settings, but without changing the IP address. You can access the switch at its last IP address.
- With the serial configuration interface you can reset the switch to the factory default setting, without knowing the current administrator's password. To do this you have to set up a serial connection to the device as described in 'Start Command Line Interface via serial connection'. In the terminal program, before you enter the username press CTRL+Z, enter "RESET" as the username and the MAC address (without blank characters) as the password.
  This action starts the reset process and all settings will be reset to the factory default state, including the administrator's password and the auto DHCP setting.
3.3 Save/Restore
The switch supports three copies of configuration for your configuration management: the default configuration, the working configuration and the user configuration. They are listed and described below.
- Default Configuration:
  This is the ex-factory setting and cannot be altered. The Web UI offers two functions for restoring the switch to its default setting. The first, "Restore Default Configuration including default IP address", also restores the IP address to the default "192.168.1.1". The second, "Restore Default Configuration without changing current IP address", keeps the IP address that you had saved before.
- Working Configuration:
  This is the configuration you are currently using, and it can be changed at any time. The settings you are using are saved into this configuration file, which is updated each time you press the <Apply> button.
- User Configuration:
  This is the configuration file for specific or backup purposes; it can be updated once you have confirmed the configuration. You can retrieve it by performing Restore User Configuration.
3.3.1 Factory Defaults
- Restore Default Configuration (includes default IP address)
  The Restore Default Configuration function retrieves the ex-factory setting to replace the start configuration. The IP address of the switch is also restored to 192.168.1.1.
3.3.2 Save Start
- Save As Start Configuration
  Save the current configuration as a start configuration file in flash memory.
3.3.3 Save User
- Save As User Configuration
  Save the current configuration as a user configuration file in flash memory.
3.3.4 Restore User
- Restore User Configuration
  The Restore User Configuration function retrieves the previously confirmed working configuration stored in the flash memory and uses it to update the start configuration. Once the restore is complete, the system's start configuration is updated; the system settings change after the system is rebooted.
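The save semantics of sections 3.2 to 3.3.4 as a small model, added here as an illustration and not LANCOM code: it shows that a password changed with <Apply> but never saved as start configuration reverts to the factory "admin" at the next restart, and that Restore User only takes effect after a reboot. The class, method and function names are hypothetical, the passwords are constructed sample values, and only behaviour stated in the text is modelled.

```python
import copy

# Factory credentials as stated in the manual; the default configuration
# cannot be altered.
FACTORY_DEFAULTS = {"username": "admin", "password": "admin"}


class SwitchConfigModel:
    """Hypothetical model of the start, working and user configurations."""

    def __init__(self):
        # On shipping, the start configuration equals the default configuration.
        self.start = copy.deepcopy(FACTORY_DEFAULTS)
        self.user = None          # no user configuration saved yet
        self.working = {}
        self.reboot()

    def reboot(self):
        # At system start the start configuration is copied to the working one.
        self.working = copy.deepcopy(self.start)

    def apply(self, **changes):
        # <Apply> stores changes in the working configuration only.
        self.working.update(changes)

    def save_start(self):
        # "Save As Start Configuration"
        self.start = copy.deepcopy(self.working)

    def save_user(self):
        # "Save As User Configuration"
        self.user = copy.deepcopy(self.working)

    def restore_user(self):
        # Updates the start configuration; active only after the next reboot.
        if self.user is None:
            raise ValueError("no user configuration has been saved")
        self.start = copy.deepcopy(self.user)

    def unsaved_changes(self):
        # Settings that a restart would silently revert: {key: (start, working)}.
        return {k: (self.start.get(k), v)
                for k, v in self.working.items() if self.start.get(k) != v}


def unsaved_hardening_is_lost():
    sw = SwitchConfigModel()
    sw.apply(password="constructed-new-password")
    pending = sw.unsaved_changes()      # what an audit before reboot would flag
    sw.reboot()                         # e.g. a power cycle
    return pending, sw.working["password"]


def saved_hardening_survives():
    sw = SwitchConfigModel()
    sw.apply(password="constructed-new-password")
    sw.save_start()
    sw.reboot()
    return sw.working["password"]


def restore_user_needs_reboot():
    sw = SwitchConfigModel()
    sw.apply(password="constructed-A")
    sw.save_user()
    sw.apply(password="constructed-B")
    sw.save_start()
    sw.restore_user()
    before = sw.working["password"]     # still the running setting
    sw.reboot()
    return before, sw.working["password"]


if __name__ == "__main__":
    print(unsaved_hardening_is_lost())
    print(saved_hardening_survives())
    print(restore_user_needs_reboot())
```
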
3.4 Export/Import Configuration File
- Config File
  With this function, the user can back up or reload the configuration files of Save As Start or Save As User via TFTP.
- Parameter:
  Export File Path:
    Export Start: Export Save As Start's config file stored in the flash.
    Export User-Conf: Export Save As User's config file stored in the flash.
  Import File Path:
    Import Start: Import Save As Start's config file stored in the flash.
    Import User-Conf: Import Save As User's config file stored in the flash.
3.5 Monitoring the LANCOM Switch with LANmonitor
The current state of the device and all ports can be monitored using the LEDs on the front panel. With LANmonitor the devices can be observed from any workstation without being able to see the LEDs. Besides the status information provided by the LEDs the LANmonitor provides further important information on the ports.
3.5.1 Ethernet port status
LANmonitor displays the current status of all of the device's Ethernet ports. This includes monitoring of the state as configured by the admin (config state) and the actual state (link state) of the port. Each port is displayed with two colored symbols in LANmonitor:
- The left icon shows the config state:
  Gray: The port is deactivated in the configuration
  Yellow: The port is activated in the configuration
- The right-hand icon shows the link state:
  Gray: No active network device is connected to the port
  Green: A network device is connected to the port and active
Apart from the status, LANmonitor displays the VLAN ID for each port and the detected data rate at active ports connected to active network devices.
4 Operation of Web-based Management
This chapter explains how to configure and manage the LANCOM GS-2124 through its web user interface. With this facility, you can easily access and monitor, through any port of the switch, the complete status of the switch, including MIB status, the activity of each port, Spanning Tree status, port aggregation status, multicast traffic, VLAN and priority status, and even illegal access records.
The default values of the managed switch are listed in the table below:
Parameter            LANCOM GS-2124
IP Address           172.23.56.250
Subnet Mask          255.255.255.0
Default Gateway      172.23.56.254
Default DNS-Server   172.23.56.254
Username             admin
Password             admin
After the managed switch has been configured in the CLI via the switch's serial interface, you can access it with a browser. For instance, type http://192.168.1.1 in the address bar of a browser; the following screen appears and asks for a username and password in order to log in. The default username and password are both "admin". When using the switch for the first time, enter the default username and password, then click the <Login> button. The login process is now complete.
In this login menu, you have to enter the complete username and password; the switch will not auto-complete the username. This looks inconvenient, but is safer.
The switch supports a simple user management function that allows only one administrator to configure the system at a time. If two or more users log in with administrator identity, the switch allows only the one who logged in first to configure the system. The other users, even with administrator identity, can only monitor the system. Users without administrator identity can only monitor the system. A maximum of three users can be logged in to the switch simultaneously.
To optimize the display, we recommend Microsoft IE 6.0 or above, Netscape V7.1 or above, or Firefox V1.00 or above, with a resolution of 1024x768. The switch supports a neutral web browser interface.
4.1 Web Management Home Overview
After you log in, the switch shows you the system information. This is the default page and gives the basic information of the system, including "Model Name", "System Description", "Location", "Contact", "Device Name", "System Up Time", "Current Time", "BIOS Version", "Firmware Version", "Hardware-Mechanical Version", "Serial Number", "Host IP Address", "Host MAC Address", "Device Port", "RAM Size" and "Flash Size". With this information, you will know the software version used, the MAC address, the serial number, how many ports are good and so on. This is helpful in the event of a malfunction.
The Information of Page Layout
The top of the page shows the front panel of the switch. On the front panel, linked ports are displayed in green; ports whose link is off are dark. For the optional modules, the slot shows only a cover plate if no module is present and shows the module if one is present. The image of the module depends on the one you inserted. As with the other ports, a module port is dark if disconnected and green if linked.
The panel provides click functions for port information. These are convenient for browsing the information of a single port. When you click a port on the front panel, an information window for that port pops up.
The figure shows the basic information of the clicked port. With this, you’ll see the information about the port status, traffic status and bandwidth rating for egress and ingress respectively.
In the top-right corner, there is a pull-down list for Auto Logout. For the sake of security, the auto-logout function protects you from unauthorized users while you are away. If you do not make any selection in the Auto Logout list, the Auto Logout function is turned on and the system logs out automatically after 3 minutes without any action on the device. If OFF is chosen, the screen stays as it is. Default is ON.
On the left side of the page, the main menu tree for the web interface is listed. It is a hierarchical menu: open a function folder and its sub-menu is shown. The functions of each folder are described in the corresponding section. Clicking a function performs it.
4.2 System: Basic Config
4.2.1 System Information
■ System Information:
Shows the basic system information.
■ Parameter:
Model name:
The model name of this device.
System Description:
This tells what this device is. Here, it is "L2 Plus Managed Switch".
Location:
Basically, it is the location where this switch is put. User-defined.
Contact:
To make the device easier to manage and maintain, you may enter the contact person and phone number here so that help can be obtained quickly. You can configure this parameter through the device’s user interface or SNMP.
Device name:
The name of the switch. User-defined. Default is LANCOM GS-2124.
System up time:
The time accumulated since this switch was powered up. Its format is day, hour, minute, second.
Current time:
Shows the system time of the switch. Its format: day of week, month, day, hours : minutes : seconds, year. For instance, Tue Apr 20 23:25:58 2005.
BIOS version:
The version of the BIOS in this switch.
Firmware version:
The firmware version in this switch.
Hardware-Mechanical version:
The hardware and mechanical version. The figure before the hyphen is the version of the electronic hardware; the one after the hyphen is the mechanical version.
Serial number:
The number is assigned by the manufacturer.
Host IP address:
The IP address of the switch.
Host MAC address:
It is the Ethernet MAC address of the management agent in this switch.
Device Port:
Shows all types and numbers of the ports in the switch.
RAM size:
The size of the DRAM in this switch.
Flash size:
The size of the flash memory in this switch.
4.3 Account
In this function, only the administrator can create, modify or delete usernames and passwords. The administrator can modify the passwords of guest identities without confirming the password, but confirmation is necessary when modifying the administrator-equivalent identity. A guest-equivalent identity can modify only its own password. Please note that you must confirm the administrator/guest identity in the Authorization field before configuring the username and password. Only one administrator is allowed to exist, and it cannot be deleted. In addition, up to 4 guest accounts can be created.
■ The default setting for user account is:
Username: admin
Password: admin
4.3.1 Time
The switch provides a manual way and an automatic way, via NTP, to set the system time. Manual setting is simple: you just input “Year”, “Month”, “Day”, “Hour”, “Minute” and “Second” within the valid value range indicated for each item. If you input an invalid value, for example, 61 in minute, the switch will clamp the figure to 59.
NTP is a well-known protocol used to synchronize the switch's system clock over a network. The system uses NTP version 3, an Internet draft standard formalized in RFC 1305. The switch provides four built-in NTP server IP addresses residing on the Internet and one user-defined NTP server IP address. The time zone is Greenwich-centered and is expressed in the form GMT+/- xx hours.
■ Time
Set the system time by manual input or by syncing from time servers. The function also supports daylight saving time adjustment for different areas.
■ Parameter:
Current Time:
Shows the current time of the system.
Manual:
This is the function to adjust the time manually. Fill in valid figures in the fields Year, Month, Day, Hour, Minute and Second and press the <Apply> button to adjust the time. The valid figures for the parameters Year, Month, Day, Hour, Minute and Second are >=2000, 1-12, 1-31, 0-23, 0-59 and 0-59 respectively. If you input a wrong figure and press the <Apply> button, the device will reject the time adjustment request. There is no time zone setting in Manual mode.
Default: Year = 2000, Month = 1, Day = 1, Hour = 0, Minute = 0, Second = 0
NTP:
NTP is the Network Time Protocol and is used to sync the network time based on Greenwich Mean Time (GMT). If you use the NTP mode and select a built-in NTP time server, or manually specify a user-defined NTP server, together with the Time Zone, the switch will sync the time shortly after you press the <Apply> button. Although it synchronizes the time automatically, NTP does not update the time periodically without user action.
Time Zone is an offset from GMT. You have to select the time zone first and then perform the time sync via NTP, because the switch combines this time zone offset with the updated NTP time to produce the local time; otherwise, you will not be able to get the correct time. The switch supports a configurable time zone from –12 to +13 in steps of 1 hour.
Default Time zone: +8 Hrs.
Daylight Saving:
Daylight saving is adopted in some countries. If set, it moves the time back or forward in units of hours, according to the starting date and the ending date. For example, if you set daylight saving to 1 hour, then when the time passes the starting time, the system time is increased by one hour, one minute after the starting time has passed. When the time passes the ending time, the system time is decreased by one hour, one minute after the ending time has passed.
The valid configurable daylight saving range is –5 ~ +5 in steps of one hour. Zero for this parameter means the current time does not need to be adjusted, which is equivalent to inactive daylight saving; in that case you do not have to set the starting/ending date. If you set daylight saving to a non-zero value, you have to set the starting/ending date as well; otherwise, the daylight saving function will not be activated.
Default for Daylight Saving: 0.
The following parameters are configurable for the function Daylight Saving and described in detail.
Day Light Saving Start:
This is used to set when to start performing the daylight saving time.
Mth: Range is 1 ~ 12; Default: 1
Day: Range is 1 ~ 31; Default: 1
Hour: Range is 0 ~ 23; Default: 0
Day Light Saving End:
This is used to set when to stop performing the daylight saving time.
Mth: Range is 1 ~ 12; Default: 1
Day: Range is 1 ~ 31; Default: 1
Hour: Range is 0 ~ 23; Default: 0
4.3.2 IP Configuration
IP configuration is one of the most important configurations in the switch. Without the proper setting, the network manager will not be able to manage or view the device. The switch supports both manual IP address setting and automatic IP address setting via a DHCP server. When the IP address is changed, you must reboot the switch for the setting to take effect, and then use the new IP address for web management and CLI management.
■ IP Configuration
Set IP address, subnet mask, default gateway and DNS for the switch.
■ Parameter:
DHCP Setting:
DHCP is the abbreviation of Dynamic Host Configuration Protocol. Here, the DHCP setting is a switch that turns the function ON or OFF.
The switch supports a DHCP client that gets an IP address automatically if you set this function to “Enable”. When enabled, the switch issues a request to the DHCP server in the network to get an IP address. If the DHCP server is down or does not exist, the switch keeps issuing the request and shows that the IP address is being requested until the DHCP server is up. The device will not continue its boot procedure until it has obtained an IP address from the DHCP server. If you set this field to “Disable”, you have to input the IP address manually. For more details about IP address and DHCP, please see the Section 2-1-5 “IP Address Assignment” in this manual.
Default: Disable
IP address:
Users can configure the IP settings and fill in new values if the DHCP function is set to “Disable”. Then click the <Apply> button to update. When DHCP is disabled, the default is 192.168.1.1. If DHCP is enabled, this field is filled in by the DHCP server and can no longer be set manually.
Subnet mask:
The subnet mask divides the IP address into two parts, one for the network and one for the device. The network part denotes the network of the computer. Only computers in the same network are able to communicate with each other directly; devices in other networks can only be reached through a router. The device part denotes the single device in a network. The address of the device within a network needs to be unambiguous.
For more information, please also see the Section “IP Address Assignment” in this manual. Default: 255.255.255.0
Default gateway:
Set the IP address of a gateway to handle packets that do not meet the routing rules predefined in the device. If a packet does not meet the criteria for any other predefined path, it must be forwarded to a default router on a default path. This means any packet whose IP address is not defined in the routing table will be sent to this device unconditionally.
Default: 192.168.1.254
DNS:
DNS is the Domain Name System, used to translate between IP addresses and name addresses.
The switch supports a DNS client function that sends a mnemonic name address to a DNS server to get its associated IP address for accessing the Internet. The user can specify a DNS IP address for the switch. With this, the switch can translate a mnemonic name address into an IP address.
There are two ways to specify the IP address of the DNS server. One is fixed mode, in which the IP address is specified manually; the other is dynamic mode, in which it is assigned by the DHCP server while DHCP is enabled. DNS makes addresses easy to remember by using mnemonic names with meaningful words in them. By default, no DNS address is assigned.
Default: 0.0.0.0
4.3.3 Loop Detection
Loop detection is used to detect the presence of traffic loops. When the switch receives on a port a packet (looping detection frame) whose MAC address is the same as its own, it shows that a loop has been detected. The port is locked when it receives looping detection frames. To resume a locked port, find the looping path and remove it, then select the locked port and click "Resume" to turn the locked port back on.
■ Loop Detection
Displays whether loop detection is enabled on the switch.
■ Parameter:
Port No:
Display the port number. The number is 1 - 24.
Detection Port - Enable:
When a Port No is chosen and the port's loop detection is enabled, the port can detect loops. If the port detects a loop, it will be Locked. If no loop occurs, the port remains Unlocked.
Locked Port - Resume:
When a Port No is chosen, the port's loop detection is enabled, and the port detects a loop, the port will be Locked. Choosing Resume opens the locked port and turns it to Unlocked. If Resume is not chosen, the port remains Locked.
4.3.4 Management Policy
Through the management security configuration, the manager can set up strict controls on the switch and limit user access to it.
The following rules are offered for the manager to manage the switch:
When no list exists, it will accept all connections.
When only “accept lists” exist, it will deny all connections, excluding the connections inside the accepting range.
When only “deny lists” exist, it will accept all connections, excluding the connections inside the denying range.
When both “accept and deny” lists exist, it will deny all connections, excluding the connections inside the accepting range.
When both “accept and deny” lists exist, it will deny all connections, excluding the connections inside the accepting range and NOT inside the denying range at the same time.
■ Management Security Configuration
The switch offers a Management Security Configuration function. With this function, the manager can easily control the mode in which users connect to the switch. According to the mode, users can be classified into two types: those who are able to connect to the switch (Accept) and those who are unable to connect to the switch (Deny). Restrictions can also be placed on the mode in which the user connects to the switch. For example, we can decide which VLAN VID is accepted or denied by the switch, which user IP range is accepted or denied by the switch, which ports the user is or is not allowed to use to connect to the switch, and whether the switch may be controlled and connected to via Http, Telnet or SNMP.
■ Parameter:
Name:
A name is composed of any letters (A-Z, a-z) and digits (0-9), with a maximum of 8 characters.
VID:
The switch supports two kinds of options for managed valid VLAN VID, including “Any” and “Custom”. Default is “Any”. When you choose “Custom”, you can fill in VID number. The valid VID range is 1~4094.
IP Range:
The switch supports two kinds of options for managed valid IP Range, including “Any” and “Custom”. Default is “Any”. If “Custom” is chosen, you can assign the effective IP range. The valid range is 0.0.0.0~255.255.255.255.
Incoming Port:
The switch supports two kinds of options for managed valid Port Range, including “Any” and “Custom”. Default is “Any”. If “Custom” is chosen, you can select the ports that the management security configuration applies to and restricts.
Access Type:
The switch supports two kinds of options for managed valid Access Type, including “Any” and “Custom”. Default is “Any”. If “Custom” is chosen, “Http”, “Telnet” and “SNMP” are the three ways of accessing and managing the switch.
Action:
The switch supports two kinds of options for managed valid Action Type, including “Deny” and “Accept”. Default is “Deny”. When you choose the “Deny” action, you will be restricted and refused management of the switch via the “Access Type” you choose. If you select the “Accept” action, you will have the authority to manage the switch.
Edit/Create:
A new entry of Management Security Configuration can be created by setting up the parameters mentioned above and then pressing the <Edit/Create> button. An existing entry can also be modified by pressing this button.
Delete:
Remove an existing entry of Management Security Configuration from the management security table.
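The accept/deny rules listed under Management Policy can be checked offline before a table is entered on the switch. The following Python sketch is an added example, not LANCOM code: it follows the last, most specific rule for the case where both list types exist, and it assumes that a connection is "inside" an entry only when every “Custom” field of that entry matches. All class and function names are hypothetical.

```python
"""Evaluate the management policy rules against a connection (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import FrozenSet, List, Optional, Sequence, Tuple

ACCESS_TYPES = frozenset({"Http", "Telnet", "SNMP"})  # access types named in the manual


@dataclass(frozen=True)
class Entry:
    """One row of the management security table. None models the "Any" option."""
    name: str
    action: str                                  # "Accept" or "Deny"
    vid: Optional[int] = None                    # custom VLAN VID, 1..4094
    ip_range: Optional[Tuple[str, str]] = None   # inclusive (first, last) IPv4 addresses
    ports: Optional[FrozenSet[int]] = None       # custom incoming port numbers
    access: Optional[FrozenSet[str]] = None      # subset of ACCESS_TYPES

    def __post_init__(self):
        # Field limits as stated in the parameter descriptions above.
        if not (self.name.isascii() and self.name.isalnum() and len(self.name) <= 8):
            raise ValueError("name: letters and digits only, at most 8 characters")
        if self.action not in ("Accept", "Deny"):
            raise ValueError("action must be Accept or Deny")
        if self.vid is not None and not 1 <= self.vid <= 4094:
            raise ValueError("VID must be in 1..4094")
        if self.ip_range is not None:
            first, last = (IPv4Address(a) for a in self.ip_range)
            if first > last:
                raise ValueError("IP range is reversed")
        if self.access is not None and not self.access <= ACCESS_TYPES:
            raise ValueError("unknown access type")


@dataclass(frozen=True)
class Connection:
    vid: int
    ip: str
    port: int
    access: str


def matches(entry: Entry, conn: Connection) -> bool:
    """Assumption: every custom field must match; an "Any" field always matches."""
    if entry.vid is not None and conn.vid != entry.vid:
        return False
    if entry.ip_range is not None:
        first, last = (IPv4Address(a) for a in entry.ip_range)
        if not first <= IPv4Address(conn.ip) <= last:
            return False
    if entry.ports is not None and conn.port not in entry.ports:
        return False
    if entry.access is not None and conn.access not in entry.access:
        return False
    return True


def decide(table: Sequence[Entry], conn: Connection) -> str:
    """Apply the rules in the order the manual lists them."""
    accepts = [e for e in table if e.action == "Accept"]
    denies = [e for e in table if e.action == "Deny"]
    in_accept = any(matches(e, conn) for e in accepts)
    in_deny = any(matches(e, conn) for e in denies)
    if not accepts and not denies:      # no lists: accept everything
        return "Accept"
    if not denies:                      # only accept lists
        return "Accept" if in_accept else "Deny"
    if not accepts:                     # only deny lists
        return "Deny" if in_deny else "Accept"
    return "Accept" if in_accept and not in_deny else "Deny"


def audit(table: Sequence[Entry]) -> List[str]:
    """Flag table shapes that leave management access open by default."""
    findings = []
    accepts = [e for e in table if e.action == "Accept"]
    if not accepts:
        findings.append("no accept list: every connection not explicitly denied is accepted")
    for e in accepts:
        if (e.vid, e.ip_range, e.ports, e.access) == (None, None, None, None):
            findings.append(f"{e.name}: accept entry with every field set to Any")
    return findings


# Constructed sample table and connections (not taken from a real device).
SAMPLE_TABLE = (
    Entry("mgmtnet", "Accept", vid=10, ip_range=("192.168.1.10", "192.168.1.20"),
          access=frozenset({"Http", "SNMP"})),
    Entry("badhost", "Deny", ip_range=("192.168.1.15", "192.168.1.15")),
)

if __name__ == "__main__":
    for conn in (Connection(10, "192.168.1.12", 3, "Http"),
                 Connection(10, "192.168.1.15", 3, "Http"),
                 Connection(10, "192.168.1.12", 3, "Telnet")):
        print(conn, "->", decide(SAMPLE_TABLE, conn))
    print(audit(()))
```

Running `audit` on an empty table reports the open default, which is the state the first rule describes.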
4.3.5 System Log
The System Log provides information about system logs, including information when the device was booted, how the ports are operating, when users logged in, when sessions timed out, as well as other system information.
■ System Log
The Trap Log Data displays the log items, including all SNMP Private Trap events, SNMP Public traps and user logs that occurred in the system. In the report table, No., Time and Events are the three fields contained in each trap record.
■ Parameter:
No:
Display the order number that the trap happened.
Time:
Display the time that the trap happened.
Desc:
Displays a description of the event recorded in the System Log.
Clear:
Clear log data.
4.3.6 Virtual Stack
■ Virtual Stack
Virtual Stack Management (VSM) is the group management function. Through the proper configuration of this function, switches in the same LAN are grouped automatically. Among these switches, one will be the master machine, and the others in the group will become slave devices.
VSM offers a simple centralized management function. It is not necessary to remember the addresses of all devices; the manager can manage the network knowing only the address of the Master machine. VSM is available only in the Web UI, not via SNMP or the Telnet UI. When a switch becomes the Master, two rows of buttons for the group devices appear at the top of its Web UI. By pressing these buttons, the user can connect to the Web UI of the devices of the group in the same window without logging in to these devices.
The top-left button is only for the Master device. The background color of the button you press changes to show that the device is under your management.
Note: Logging in to the switch via the console temporarily removes the grouping.
The devices of the group are shown on the buttons as station address (the last number of the IP address) + device name (e.g. 196_LANCOM GS-2124); a button shows “----” if no corresponding device exists.
Once devices have joined the group successfully, they can only be managed via the Master device, and the user will be unable to manage them individually via telnet/console/web.
Up to 16 devices can be grouped for VSM; however, only one Master is allowed to exist in each group. For Master redundancy, the user may configure more than two devices as Master devices; however, the one with the smaller MAC value will be the Master. All of these 16 devices can become the Master device and back each other up.
■ Parameter:
State:
It is used for the activation or de-activation of VSM. Default is Enable.
Role:
The role that the switch plays in the virtual stack. Two roles, master and slave, are offered. Default is Master.
Group ID:
It is the group identifier (GID) which signs for VSM. Valid characters are A-Z, a-z, 0-9, “-” and “_”. The maximal length is 15 characters.
4.3.7 System: Port
This section contains the descriptions of Port Configuration, Port Status, Simple Counter and Detail Counter for port monitoring and management. Each of them is described in detail, in order, in the following sections.
4.3.8 Configuration
Port Configuration is used to change the settings of each port. In this configuration function, you can set/reset the following functions.
■ Port Configuration
It is used to set each port’s operation mode. The switch supports 3 parameters for each port. They are State, Speed/Duplex and Flow Control.
■ Parameter
Speed/Duplex:
Set the speed and duplex of the port. In speed, 10, 100 and 1000 MBit/s baud rate is available for Ethernet at the ports 1-24. If the media at the SFP ports 21, 22, 23 and/or 24 is 1Gbps fiber, the speed is always 1000Mbps and the duplex is full only. If the media is TP, the Speed/Duplex setting is a combination of speed mode (10/100/1000Mbps) and duplex mode (full duplex and half duplex). The following table summarizes the functions each media type supports.
Media type     NWay     Speed           Duplex
100M TP        ON/OFF   10/100M         Full/Half
1000M TP       ON/OFF   10/100/1000M    Full for all, Half for 10/100
1000M Fiber    ON/OFF   1000M           Full
In Auto-negotiation mode, no default value. In Forced mode, default value depends on your setting.
Flow Control:
There are two flow control modes to choose from: Symmetric and Asymmetric. If flow control is set to Symmetric, both parties can send PAUSE frames to the transmitting device(s) if the receiving port is too busy to handle the traffic. When it is set to Asymmetric, the receiving port acts on PAUSE frames from the transmitting device(s) but does not send PAUSE frames itself. This is one-way flow control.
Default: Symmetric.
Maximum Frame:
This module supports a maximum frame length of 1518~9600 bytes to allow long packets.
Excessive Collision Mode:
There are two modes to choose from when excessive collisions happen in half-duplex condition:
Discard: The "Discard" mode determines whether the MAC drops frames after an excessive collision has occurred. If set, a frame is dropped after excessive collisions. This is IEEE Std 802.3 half-duplex flow control operation.
Restart: The "Restart" mode determines whether the MAC retransmits frames after an excessive collision has occurred. If set, a frame is not dropped after excessive collisions, but the backoff sequence is restarted. This is a violation of IEEE Std 802.3, but is useful in non-dropping half-duplex flow control operation.
4.3.9 Port Status
The Port Status function gathers the current status of all ports and reports it in the order of port number, media, link status, port state, Auto-Negotiation status, speed/duplex, Rx Pause and Tx Pause. Extra media type information for the module ports 21, 22, 23 and 24 is also offered.
■ Port Status
Reports the latest status of all ports in this switch. When a parameter displayed on the page changes for any port, the port's current status is refreshed automatically about every 5 seconds.
■ Parameter:
Port No:
Display the port number. The number is 1 – 24.
Media:
Show the media type adopted in all ports. Ports 21, 22, 23 and 24 are optional modules, which support either fiber or UTP media with either Gigabit Ethernet (1000Mbps) or 10/100Mbps Fast Ethernet port. They may have different media types and speeds. In particular, fiber ports come in a wide range of connector types, distances, fiber modes and so on. The switch describes the module ports with the following page.
Link:
Shows whether the link on the port is active or not. If the link is connected to a properly working device, Link shows “Up”; otherwise, it shows “Down”. This is determined by the hardware on both devices of the connection.
No default value.
State:
Shows whether the communication function of the port is “Enabled” or “Disabled”. When it is enabled, traffic can be transmitted and received via this port. When it is disabled, no traffic can be transferred through this port. Port State is configured by the user.
Default: Enabled.
Auto Nego.:
Shows the exchange mode of the Ethernet MAC. Two modes are supported in the switch: auto-negotiation mode “Enabled” and forced mode “Disabled”. In “Enabled” mode, the hardware automatically negotiates with the linked partner, the two sides exchange their speed and duplex capabilities, and the best communication mode is chosen. In “Disabled” mode, both parties must have the same speed and duplex settings; otherwise, they will not be linked. In this case, the link result is “Down”.
Default: Enabled
Speed / Duplex:
Display the speed and duplex of all ports. Three speeds, 10Mbps, 100Mbps and 1000Mbps, are supported for TP media, and the duplex modes supported are half duplex and full duplex. If the media is 1Gbps fiber, only 1000Mbps is supported. The status of the speed/duplex mode is determined by 1) the negotiation between the local port and the link partner in “Auto Speed” mode or 2) the user setting in “Force” mode. The capability of the local port has to be preset.
Default: None, depends on the result of the negotiation.
Rx Pause:
The way the port processes PAUSE frames. If it shows “on”, the port will act on PAUSE frames; otherwise, the port will ignore PAUSE frames.
Default: None
Tx Pause:
It decides whether the port transmits PAUSE frames or not. If it shows “on”, the port will send PAUSE frames; otherwise, the port will not send PAUSE frames.
Default: None.
■ Parameter of SFP ports:
Connector Type:
Display the connector type, for instance, UTP, SC, ST, LC and so on.
Fiber Type:
Display the fiber mode, for instance, Multi-Mode, Single-Mode.
Tx Central Wavelength:
Display the fiber optical transmitting central wavelength, for instance, 850nm, 1310nm, 1550nm and so on.
Baud Rate:
Display the maximum baud rate of the fiber module supported, for instance, 10M, 100M, 1G and so on.
Vendor OUI:
Display the Manufacturer's OUI code which is assigned by IEEE.
Vendor Name:
Display the company name of the module manufacturer.
Vendor P/N:
Display the product name assigned by the module manufacturer.
Vendor Rev (Revision):
Display the module revision.
Vendor SN (Serial Number):
Show the serial number assigned by the manufacturer.
Date Code:
Show the date this module was made.
Temperature:
Show the current temperature of module.
Vcc:
Show the working DC voltage of module.
Mon1(Bias) mA:
Show the Bias current of module.
Mon2(TX PWR):
Show the transmit power of module.
Mon3(RX PWR):
Show the receiver power of module.
4.3.10 Simple Counter
The Simple Counter function collects information and provides counts of the traffic on each port, regardless of whether the packets are good or bad.
In the following figure, the window shows the counter information of all ports at the same time. Each data field is 20 digits long. If a counter overflows, it is reset and restarts counting. The data is updated at a time interval defined by the user. The valid range is 3 to 10 seconds. The Refresh Interval is used to set the update frequency. Default update time is 3 seconds.
■ Function name: Simple Counter
■ Function Description: Display the summary counting of each port’s traffic, including Tx Byte, Rx Byte, Tx Packet, Rx Packet, Tx Collision and Rx Error Packet.
■ Parameters Description:
Tx Byte: Total transmitted bytes.
Rx Byte: Total received bytes.
Tx Packet: The counting number of the packet transmitted.
Rx Packet: The counting number of the packet received.
Tx Collision: Number of collisions transmitting frames experienced.
Rx Error Packet: Number of bad packets received.
4.3.11 Detail Counter
The Detail Counter function collects information and provides counts of the traffic on a port, regardless of whether the packets are good or bad.
In the following figure, the window shows the counter information of only one port at a time. To see another port’s counters, pull down the Select list; the figures for the port you have chosen are then displayed.
Each data field is 20 digits long. If a counter overflows, it is reset and restarts counting. The data is updated at a time interval defined by the user. The valid range is 3 to 10 seconds. The Refresh Interval is used to set the update frequency. Default update time is 3 seconds.
■ Detail Counter
Display the detailed counting number of each port’s traffic. The window can show all counter information of each port at one time.
■ Parameter:
Rx Packets:
The counting number of the packet received.
Rx Octets:
Total received bytes.
Rx Errors:
Number of bad packets received.
Rx Unicast Packets:
Show the counting number of the received unicast packet.
Rx Broadcast Packets:
Show the counting number of the received broadcast packet.
Rx Multicast Packets:
Show the counting number of the received multicast packet.
Rx Pause Packets:
Show the counting number of the received pause packet.
Tx Collisions:
Number of collisions transmitting frames experienced.
Tx Single Collision:
Number of frames transmitted that experienced exactly one collision.
Tx Multiple Collision:
Number of frames transmitted that experienced more than one collision.
Tx Drop Packets:
Number of frames dropped due to excessive collision, late collision, or frame aging.
Tx Deferred Transmit:
Number of frames whose transmission was delayed because the medium was busy.
Tx Late Collision:
Number of times that a collision is detected later than 512 bit-times into the transmission of a frame.
Tx Excessive Collision:
Number of frames that are not transmitted because the frame experienced 16 transmission attempts.
Packets 64 Octets:
Number of 64-byte frames in good and bad packets received.
Packets 65-127 Octets:
Number of 65 ~ 127-byte frames in good and bad packets received.
Packets 128-255 Octets:
Number of 128 ~ 255-byte frames in good and bad packets received.
Packets 256-511 Octets:
Number of 256 ~ 511-byte frames in good and bad packets received.
Packets 512-1023 Octets:
Number of 512 ~ 1023-byte frames in good and bad packets received.
Packets 1024-1522 Octets:
Number of 1024 ~ 1522-byte frames in good and bad packets received.
Tx Packets:
The counting number of the packet transmitted.
Tx Octets:
Total transmitted bytes.
Tx Unicast Packets:
Show the counting number of the transmitted unicast packet.
Tx Broadcast Packets:
Show the counting number of the transmitted broadcast packet.
Tx Multicast Packets:
Show the counting number of the transmitted multicast packet.
Tx Pause Packets:
Show the counting number of the transmitted pause packet.
Rx FCS Errors:
Number of bad FCS packets received.
Rx Alignment Errors:
Number of packets received with alignment errors.
Rx Fragments:
Number of short frames (< 64 bytes) with invalid CRC.
Rx Jabbers:
Number of long frames (according to max_length register) with invalid CRC.
Rx Drop Packets:
Frames dropped due to the lack of receiving buffer.
Rx Undersize Packets:
Number of short frames (<64 Bytes) with valid CRC.
Rx Oversize Packets:
Number of long frames (according to max_length register) with valid CRC.
4.4 Security: MAC
MAC Table Configuration gathers many functions, including MAC Table Information, MAC Table Maintenance, Static Forward, Static Filter and MAC Alias, which cannot be categorized under another function type. They are described below.
4.4.1 Mac Address Table
■ MAC Address Table Information
This function allows the user to set up the processing mechanism of the MAC Table. An idle MAC address that exceeds the MAC Address Age-out Time is removed from the MAC Table. The range of the Age-out Time is 10-1000000 seconds, and this setting has no effect on static MAC addresses.
In addition, the learning limit of MAC maintenance can limit the number of MAC addresses that each port can learn.
■ Parameter:
Aging Time:
Delete a MAC address from the MAC Table after it has been idle for this period of time. Static MAC addresses are not affected. The range of the MAC Address Aging Time is 10-1000000 seconds. The default Aging Time is 300 seconds.
Disable automatic aging:
Stop the MAC table aging timer; learned MAC addresses will not age out automatically.
Auto:
Enable dynamic MAC address learning on this port.
Disable:
Disable dynamic MAC address learning on this port; only static MAC address settings are supported.
Secure:
Disable dynamic MAC address learning on this port and copy the dynamic learning packets to the CPU.
Save:
Save MAC Address Table configuration
Reset:
Reset MAC Address Table configuration
4.4.2 Static Filter
쮿 Static Filter
Static Filter denies forwarding of a packet if the packet's MAC address is listed in the Static Filter table. The user can maintain the table by filling in the MAC Address, VID (VLAN ID) and Alias fields individually. The user can also delete an existing entry by clicking the <Delete> button.
쮿 Parameter:
MAC:
It is a six-byte Ethernet hardware address, usually expressed in hex and separated by hyphens. For example,
00-40-C7-D6-00-02
VID:
VLAN identifier. This will be filled only when tagged VLAN is applied. Valid range is 1 ~ 4094.
Alias:
MAC alias name you assign.
4.4.3 Static Forward
쮿 Static Forward
Static Forward lets a user listed in the static forward table access a specified port of the switch. The Static Forward table associated with a specified port of the switch is set up by manually entering a MAC address and its alias name.
When a MAC address is assigned to a specific port, all of the switch's traffic sent to this MAC address is forwarded to this port.
To add a MAC address entry to the allowed table, fill in four parameters: MAC address, associated port, VID and Alias. To remove an entry, select the existing MAC address entry and click the <Delete> button.
쮿 Parameter:
MAC:
It is a six-byte Ethernet hardware address, usually expressed in hex and separated by hyphens. For example,
00-40-C7-D6-00-01
Port No:
Port number of the switch. It is 1 ~ 24.
VID:
VLAN identifier. This will be filled only when tagged VLAN is applied. Valid range is 1 ~ 4094.
Alias:
MAC alias name you assign.
4.4.4 MAC Alias
쮿 MAC Alias
The MAC Alias function lets you assign a plain English name to a MAC address. This helps you tell which MAC address belongs to which user in the illegal access report. Initially, it shows all pairs of existing alias names and MAC addresses.
There are three MAC alias functions in this function folder: MAC Alias Add, MAC Alias Edit and MAC Alias Delete. You can click the <Create/Edit> button to add a new alias name or modify an existing one for a specified MAC address, or mark an existing entry to delete it. The alias name must be composed of A-Z, a-z and 0-9 only and has a maximum length of 15 characters.
쮿 Parameter:
MAC Address:
It is a six-byte Ethernet hardware address, usually expressed in hex and separated by hyphens. For example,
00-40-C7-D6-00-01
Alias:
MAC alias name you assign.
Note: If too many MAC addresses have been learned in the table, we recommend entering the MAC address and alias name directly.
4.4.5 MAC Table
쮿 Dynamic MAC Table
Display the static or dynamic learning MAC entry and the state for the selected port.
쮿 Parameter:
Type:
Dynamic or Static.
VLAN:
VLAN identifier. This will be filled only when tagged VLAN is applied. Valid range is 1 ~ 4094.
MAC address:
Display the MAC address of one entry you selected from the searched MAC entries table.
Port:
The port that exists in the searched MAC Entry.
Refresh:
Refresh function can help you to see current MAC Table status.
Clear:
To clear the selected entry.
Previous Page:
Move to the previous page.
Next Page:
Move to the next page.
4.5 Security: VLAN
The switch supports Tag-based VLAN (802.1q) and Port-based VLAN. It supports 256 active VLANs and VLAN IDs 1~4094. VLAN configuration is used to partition your LAN into smaller ones as you require. Configured properly, it not only improves security and increases performance but also greatly reduces VLAN management.
4.5.1 VLAN Mode
쮿 VLAN Mode Setting
The VLAN Mode Selection function includes five modes: Port-based, Tag-based, Metro Mode, Double-tag and Disable. Choose one of them from the pull-down list, then click the <Apply> button; the settings take effect immediately.
쮿 Parameter:
VLAN Mode:
Port-based:
Port-based VLAN is defined by port. Any packet coming in or going out from any port of a port-based VLAN will be accepted. No filtering criterion applies in port-based VLAN. The only criterion is the physical port you connect to. For example, a port-based VLAN named PVLAN-1 contains the port members Port 1, 2, 3 and 4. If you are on port 1, you can communicate with ports 2, 3 and 4. If you are on port 5, you cannot talk to them. Each port-based VLAN you build must be assigned a group name. This switch supports a maximum of 24 port-based VLAN groups.
Tag-based:
Tag-based VLAN identifies its members by VID. This is quite different from port-based VLAN. If there are any more rules in the ingress filtering list or egress filtering list, the packet will be screened with more filtering criteria to determine whether it can be forwarded. The switch supports supplement of 802.1q. For more details, please see the section VLAN in Chapter 3.
Each tag-based VLAN you build must be assigned a VLAN name and VLAN ID. Valid VLAN ID is 1-4094. The user can create up to 4094 Tag VLAN groups in total.
4.5.2 Tag-based Group
쮿 Tag-based Group Configuration
It shows the information of existing Tag-based VLAN groups. You can also easily create, edit and delete a Tag-based VLAN group by pressing the <Add>, <Edit> and <Delete> function buttons. The user can add a new VLAN group by entering a new VLAN name and VLAN ID.
쮿 Parameter:
VLAN Name:
The name defined by administrator is associated with a VLAN group. Valid letters are A-Z, a-z, 0-9, " - " and "_" characters. The maximal length is 15 characters.
VLAN ID:
VLAN identifier. Each tag-based VLAN group has a unique VID. It appears only in tag-based and Double-tag mode.
IGMP Proxy:
IGMP proxy enables the switch to issue IGMP host messages on behalf of hosts that the system discovered through standard IGMP interfaces. The system acts as a proxy for its hosts. The IGMP function can be set to "Enable" or "Disable" per VLAN group. If IGMP proxy is disabled for the VLAN group, the switch stops the exchange of IGMP messages among the VLAN group members. If IGMP proxy is enabled for the VLAN group, the switch supports the exchange of IGMP messages among the VLAN group members and follows the IGMP proxy router port configuration, which connects to a router closer to the root of the tree. This interface is the upstream interface. The router on the upstream interface should be running IGMP. You enable IGMP on the interfaces that connect the system to its hosts that are farther away from the root of the tree. These interfaces are known as downstream interfaces. Please refer to 3-15-1 for a detailed description of the IGMP Proxy function.
Member Port:
This enables or disables a port as a member of the newly added VLAN. "Enable" means it is a member of the VLAN. Just tick the check box beside the port x to enable it.
Add new VLAN:
Please click on <Add new VLAN> to create a new Tag-based VLAN. Enter the VLAN name and the VID, configure the SYM-VLAN function and choose the members by ticking the check box beside the port No., then press the <Apply> button for the setting to take effect.
Delete Group:
Just press the <Delete> button to remove the selected group entry from the Tag-based group table.
Note: If you need to use PVLAN (Private VLAN), have a look at the section "Port Isolation".
4.5.3 Port-based Group
쮿 Port-based Group Configuration
Function Description: It shows the information of the existing Port-based VLAN groups. You can easily create, edit and delete a Port-based VLAN group by pressing the <Add>, <Edit> and <Delete> function buttons. The user can add a new VLAN group by entering a new VLAN name.
쮿 Parameter:
VLAN Name:
The name defined by the administrator is associated with a VLAN group. Valid letters are A-Z, a-z, 0-9, "-" and "_" characters. The maximal length is 15 characters.
Member Port:
This is used to enable or disable if a port is a member of the new added VLAN, “Enable” means it is a member of the VLAN. Just tick the check box beside the port x to enable it.
Add a new VLAN:
Create a new Port-based VLAN. Input the VLAN name and choose the member by ticking the check box beside the port No., then, press the <Apply> button to have the setting taken effect.
Delete Group:
Just press the <Delete> button to remove the selected group entry from the Port-based group table.
4.5.4 Ports
쮿 VLAN Port Configuration
In VLAN Tag Rule Setting, the user can enter a VID number for each port. The range of the VID number is from 1 to 4094. The user can also choose ingress filtering rules for each port. Two ingress filtering rules can be applied to the switch. Ingress Filtering Rule 1 is "forward only packets with VID matching this port's configured VID". Ingress Filtering Rule 2 is "drop untagged frame". You can also select the Role of each port as Access, Trunk, or Hybrid.
쮿 Parameter:
Port 1-24:
Port number.
VLAN Aware:
Based on IEEE 802.1Q VLAN tag to forward packet
Ingress Filtering:
Discard packets of other VLAN groups; forward only packets of the VLAN groups this port has joined.
Frame Type:
All: Forward all tagged and untagged packets
Tagged: Forward tagged packets only and discard untagged packets
PVID:
The PVID range is 1-4094. Before you set a number x as PVID, you have to create a Tag-based VLAN with VID x. For example, if port x receives an untagged packet, the switch applies the PVID of port x (assume VID y) to tag this packet; the packet is then forwarded as a tagged packet with VID y.
Role:
This is an egress rule of the port. Here you can choose Access, Trunk or Hybrid. Trunk means the outgoing packets must carry a VLAN tag header. Access means the outgoing packets carry no VLAN tag header. If packets have double VLAN tags, one will be dropped and the other will still be left. Hybrid is similar to Trunk, and both of them will tag-out. When the port is set to Hybrid, its packets are sent out untagged if the VID of the outgoing tagged packet is the same as the one in the Untag VID field of this port.
Untag VID:
Valid range is 1~4094. It works only when Role is set to Hybrid.
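The following Python model is an added example, not LANCOM code or firmware behaviour taken from the switch. It walks one frame through the per-port rules described above (Frame Type, PVID, Ingress Filtering on the way in; Role and Untag VID on the way out) and flags ports that accept frames for VLANs they have not joined. All class, function and constant names are hypothetical, the field defaults are placeholders rather than factory settings, and the sample configuration is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

VID_MIN, VID_MAX = 1, 4094   # valid VID range given in the manual


@dataclass
class PortVlan:
    """Per-port VLAN settings (hypothetical names; defaults are placeholders)."""
    pvid: int = 1
    frame_type: str = "All"            # "All" or "Tagged"
    ingress_filtering: bool = False
    role: str = "Access"               # "Access", "Trunk" or "Hybrid"
    untag_vid: Optional[int] = None    # used only when role is "Hybrid"

    def __post_init__(self) -> None:
        if not VID_MIN <= self.pvid <= VID_MAX:
            raise ValueError(f"PVID {self.pvid} outside {VID_MIN}-{VID_MAX}")
        if self.frame_type not in ("All", "Tagged"):
            raise ValueError("frame_type must be 'All' or 'Tagged'")
        if self.role not in ("Access", "Trunk", "Hybrid"):
            raise ValueError("role must be Access, Trunk or Hybrid")
        if self.role == "Hybrid" and (
                self.untag_vid is None or not VID_MIN <= self.untag_vid <= VID_MAX):
            raise ValueError("Hybrid role needs an Untag VID in 1-4094")


def ingress(port_no: int, cfg: PortVlan, tag_vid: Optional[int],
            members: Dict[int, Set[int]]) -> Optional[int]:
    """Return the VID a received frame is classified into, or None if discarded.

    tag_vid is None for an untagged frame; members maps VID -> member ports.
    """
    if tag_vid is None:
        if cfg.frame_type == "Tagged":      # untagged frames are discarded
            return None
        vid = cfg.pvid                      # untagged frame is tagged with the PVID
    else:
        vid = tag_vid
    if cfg.ingress_filtering and port_no not in members.get(vid, set()):
        return None                         # frame belongs to a VLAN this port has not joined
    return vid


def egress(cfg: PortVlan, vid: int) -> Optional[int]:
    """Return the tag VID the frame carries when sent, or None if sent untagged."""
    if cfg.role == "Access":
        return None
    if cfg.role == "Hybrid" and vid == cfg.untag_vid:
        return None
    return vid                              # Trunk, or Hybrid with a different VID


def lint(ports: Dict[int, PortVlan], members: Dict[int, Set[int]]) -> List[Tuple[int, str]]:
    """List settings worth reviewing before the configuration is applied."""
    findings = []
    for port_no, cfg in sorted(ports.items()):
        if not cfg.ingress_filtering:
            findings.append((port_no, "ingress filtering off: frames tagged for "
                                      "non-member VLANs are accepted"))
        if cfg.pvid not in members:
            findings.append((port_no, f"PVID {cfg.pvid} has no Tag-based VLAN group"))
    return findings


# Constructed sample configuration: VID -> member ports, and per-port settings.
MEMBERS = {10: {1, 2, 24}, 20: {3, 24}}
PORTS = {
    1: PortVlan(pvid=10, ingress_filtering=True),
    3: PortVlan(pvid=20),                                   # filtering left off
    24: PortVlan(pvid=10, frame_type="Tagged", ingress_filtering=True, role="Trunk"),
}

if __name__ == "__main__":
    for port_no, text in lint(PORTS, MEMBERS):
        print(f"port {port_no}: {text}")
```

The model follows the parameter description of Ingress Filtering (membership of the frame's VLAN group); how the switch resolves frames that no rule covers is outside what the manual states.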
4.5.5 Port Isolation
If you need to use the PVLAN (Private VLAN) function on the switch, do the following:
Create a VLAN as the primary VLAN with VLAN ID 2 and invoke Private VLAN to enable the Private VLAN service.
Assign port members to VLAN 2.
Assign these ports as members of port isolation.
Press "Save" to complete the PVLAN configuration process.
4.5.6 Management VLAN
쮿 Management VLAN
To assign a specific VLAN for management purpose.
쮿 Parameter:
VID:
Specific Management VLAN ID.
4.6 Security: ACL
The LANCOM GS-2124 switch access control list (ACL) is probably the most commonly used object in the IOS. It is used for packet filtering but also for selecting types of traffic to be analyzed, forwarded, or influenced in some way.
The ACLs are divided into EtherTypes, IPv4, ARP protocol, MAC and VLAN parameters etc. Here we will just go over the standard and extended access lists for TCP/IP. As you create ACEs for ingress classification, you can assign a policy to each port. The policy number is 1-8, and each policy can be applied to any port. This makes it very easy to determine what type of ACL policy you will be working with.
4.6.1 Ports
쮿 ACL Port Configuration
The switch ACL function supports up to 128 Access Control Entries (ACEs), using the shared 128 ACEs for ingress classification. You can create an ACE and assign it to every port with <Any>, to a policy, or to a single port. There are 8 policies, and each port can select one policy. The switch then decides which of the following actions to take according to the packet's IPv4, EtherType, ARP Protocol, MAC parameters and VLAN parameters:
Packet Deny or Permit
Rate Limiter (Unit: pps)
Port Copy (1 - 24)
쮿 Parameter:
Port #:
Port number: 1~24
Policy ID:
Policy ID range:1~8
Action:
Permit or deny forwarding of packets that match the ACL.
Rate Limiter ID:
Disabled: Disable Rate Limitation
Rate Limiter ID Range: 1~16. Select one rate limiter ID for this port; packets that match the ACL are limited according to the configuration of that rate limiter ID.
Port Copy:
Disabled: Do not copy packets that match the ACL to a specific port.
Port number: 1~24. Copy packets that match the ACL to the selected port.
Counter:
The counter starts at the initial value 0 and increases by 1 each time this port receives a packet that matches the ACL.
4.6.2 Rate Limiters
쮿 ACL Rate Limiter Configuration
There are 16 rate limiter IDs. You can assign one of the limiter IDs to each port. The rate limit configuration unit is packets per second (pps).
쮿 Parameter:
Rate Limiter ID:
ID Range: 1~16
Rate(pps):
1 / 2 / 4 / 8 / 16 / 32 / 64 / 128 / 256 / 512 / 1K / 2K / 4K / 8K / 16K / 32K / 64K / 128K / 256K / 512K / 1024K
4.6.3 Access Control List
쮿 ACL Rate Limiter Configuration
The switch ACL function supports up to 128 Access Control Entries (ACEs), using the shared 128 ACEs for ingress classification. You can create an ACE and assign it to every port with <Any>, to a policy, or to a single port. There are 8 policies, and each port can select one policy. The switch then decides which of the Permit/Deny, Rate Limitation and Port Copy actions to take according to the ACL configuration and the packet's IPv4, EtherType, ARP Protocol, MAC parameters and VLAN parameters.
쮿 Parameter description:
Ingress Port:
Configurable Range: Any / Policy 1-8 / Port 1-24
Any: Apply this ACE rule for each port ingress classification
Policy 1-8: Apply this ACE rule for specific policy
Port 1-24: Apply this ACE rule for specific port ingress classification
쮿 Parameter:
Frame Type:
Range: Any / Ethernet Type / ARP / IPv4
Any: It is including all frame type
Ethernet Type: It is including all Ethernet frame type
ARP: It is including all ARP protocol frame type
IPv4: It is including all IPv4 protocol frame type
쮿 ACE Configuration
The switch ACL function supports up to 128 Access Control Entries (ACEs), using the shared 128 ACEs for ingress classification. You can create an ACE and assign it to every port with <Any>, to a policy, or to a single port. There are 8 policies, and each port can select one policy. The switch then decides which of the Permit/Deny, Rate Limitation and Port Copy actions to take according to the ACL configuration and the packet's IPv4, EtherType, ARP Protocol, MAC parameters and VLAN parameters.
쮿 Parameter:
Ingress Port:
Range: Any / Policy 1-8 / Port 1-24
Any: Apply this ACE rule for each port ingress classification
Policy 1-8: Apply this ACE rule for specific policy
Port 1-24: Apply this ACE rule for specific port ingress classification
IP Protocol Filter:
Range: Any / Ethernet Type / ARP / IPv4
Any: It is including all frame type
Ethernet Type: It is including all Ethernet frame type
ARP: It is including all ARP protocol frame type
IPv4: It is including all IPv4 protocol frame type
MAC Parameters: (When Frame Type = Any)
DMAC Filter: Range: Any / MC / BC / UC
Any: It is including all destination MAC address
MC: It is including all Multicast MAC address
BC: It is including all Broadcast MAC address
UC: It is including all Unicast MAC address
MAC Parameters: (When Frame Type = Ethernet Type)
SMAC Filter:
Range: Any / Specific
Any: It is including all source MAC address
Specific: The source MAC address is specified by the SMAC Value
DMAC Filter:
Range: Any / MC / BC / UC / Specific
Any: It is including all destination MAC address
MC: It is including all Multicast MAC address
BC: It is including all Broadcast MAC address
UC: It is including all Unicast MAC address
Specific: The destination MAC address is specified by the DMAC Value
MAC Parameters: (When Frame Type = ARP)
SMAC Filter:
Range: Any / Specific
Any: It is including all source MAC address
Specific: The source MAC address is specified by the SMAC Value
DMAC Filter:
Range: Any / MC / BC / UC
Any: It is including all destination MAC address
MC: It is including all Multicast MAC address
BC: It is including all Broadcast MAC address
UC: It is including all Unicast MAC address
MAC Parameters: (When Frame Type = IPv4)
DMAC Filter:
Range: Any / MC / BC / UC
Any: It is including all destination MAC address
MC: It is including all Multicast MAC address
BC: It is including all Broadcast MAC address
UC: It is including all Unicast MAC address
Ether Type Parameters: (When Frame Type = Ethernet Type)
EtherType Filter:
Range: Any / Specific
Any: It is including all Ethernet frame type
Specific: The Ethernet type is specified by the Ethernet Type Value.
Ethernet Type Value:
The Ethernet Type Range: 0x600-0xFFFF
ARP Parameters: (When Frame Type = ARP)
ARP/RARP:
Range: Any / ARP / RARP / Other
Any: Including all ARP/RARP protocol frame types
ARP: Including all ARP protocol frame types
RARP: Including all RARP frame types
Other: Including other frame types except ARP/RARP protocol
Request/Reply:
Range: Any / Request / Reply
Any: Including all ARP/RARP Request and Reply
Request: Including all ARP/RARP request frames
Reply: Including all ARP/RARP reply frames
Sender IP Filter:
Range: Any / Host / Network
Any: Including all sender IP address
Host: Only one specific sender host IP address
Network: A specific IP subnet segment under the sender IP mask
Sender IP Address: Default: 192.168.1.1
Sender IP Mask: Default: 255.255.255.0
Target IP Filter:
Range: Any / Host / Network
Any: Including all target IP address
Host: Only one specific target host IP address
Network: A specific IP subnet segment under the target IP mask
Target IP Address: Default: 192.168.1.254
Target IP Mask: Default: 255.255.255.0
ARP SMAC Match:
Range: Any / 0 / 1
Any: Both 0 and 1
0: The ingress ARP frames where the source MAC address is not equal to the SMAC under the MAC parameter setting
1: The ingress ARP frames where the source MAC address is equal to the SMAC address under the MAC parameter setting
RARP DMAC Match:
Range: Any / 0 / 1
Any: Both 0 and 1
0: The ingress RARP frames where the destination MAC address is not equal to the DMAC address under the MAC parameter setting
1: The ingress RARP frames where the destination MAC address is equal to the DMAC address under the MAC parameter setting
IP/Ethernet Length:
Range: Any / 0 / 1
Any: Both 0 and 1
0: The ingress ARP/RARP frames where the Hardware size is not equal to "0x6" or the Protocol size is not equal to "0x4"
1: The ingress ARP/RARP frames where the Hardware size is equal to "0x6" and the Protocol size is "0x4"
IP:
Range: Any / 0 / 1
Any: Both 0 and 1
0: The ingress ARP/RARP frames where the Protocol type is not equal to "0x800"
1: The ingress ARP/RARP frames where the Protocol type is equal to "0x800"
Ethernet:
Range: Any / 0 / 1
Any: Both 0 and 1
0: The ingress ARP/RARP frames where the Hardware type is not equal to "0x100"
1: The ingress ARP/RARP frames where the Hardware type is equal to "0x100"
IP Parameters: (When Frame Type = IPv4 and IP Protocol Filter = Any)
IPTTL: (Time To Live)
How many routers a datagram can pass through. Each router decrements this value by 1 until it reaches 0 when the datagram is discarded. This keeps misrouted datagrams from remaining on the Internet forever
Range: Any / Non-zero / Zero
Any: Including all conditions for IPTTL
Non-Zero: Including IPTTL is Non-Zero
Zero: Including IPTTL is zero
IP Fragment: (IP Fragmentation Flag)
Controls datagram fragmentation together with the identification field. The flags indicate whether the datagram may be fragmented, whether the datagram is fragmented, and whether the current fragment is the final one.
Range: Any / Yes / No
Any: Including all IP fragment case
Yes: The ingress frame is a fragmented packet
No: The ingress frame is not a fragmented packet
IP Option:
A list of optional specifications for security restrictions, route recording, and source routing. Not every datagram specifies an options field.
Range: Any / Yes / No
Any: Including all IP option case
Yes: The ingress frame specifies IP options
No: The ingress frame does not specify IP options
SIP Filter: (SIP Source IP Address)
Range: Any / Host / Network
Any: Including all source IP address
Host: Only one specific source host IP address
Network: A specific IP subnet segment under the source IP mask
SIP Address: Default: 192.168.1.1
SIP Mask: Default: 255.255.255.0
DIP Filter: (DIP Destination IP Address)
Range: Any / Host / Network
Any: Including all destination IP address
Host: Only one specific destination host IP address
Network: A specific IP subnet segment under the destination IP mask
DIP Address: Default: 192.168.1.254
DIP Mask: Default: 255.255.255.0
IP Parameters: (Frame Type = IPv4 and IP Protocol Filter = ICMP)
ICMP Type Filter:
Range: Any / Specific
Any: Including all types of ICMP type values
Specific: According to following ICMP type value setting for ingress classification
ICMP Type Value: Range: 0-255
ICMP Code Filter:
Range: Any / Specific
Any: Including all of ICMP code values
Specific: According to following ICMP code value setting for ingress classification
ICMP Code Value: Range: 0-255
IP Parameters: (Frame Type = IPv4 and IP Protocol Filter = UDP)
Source Port Filter:
Range: Any / Specific / Range
Any: Including all UDP source ports
Specific: According to following Source Port No. setting for ingress classification.
Range: According to following Source Port Range setting for ingress classification.
Source Port No.: Range: 0-65535
Source Port Range.: Range: 0-65535
Dest. Port Filter:
Range: Any / Specific / Range
Any: Including all UDP destination ports
Specific: According to following Dest. Port No. setting for ingress classification
Range: According to following Dest. Port Range setting for ingress classification
Dest. Port No.: (Destination Port Number)
Range: 0-65535
Dest. Port Range.: (Destination Port Range)
Range: 0-65535
IP Parameters: (Frame Type = IPv4 and IP Protocol Filter = TCP)
Source Port Filter:
Range: Any / Specific / Range
Any: Including all TCP source ports
Specific: According to following Source Port No. setting for ingress classification
Range: According to following Source Port Range setting for ingress classification
Source Port No.: Range: 0-65535
Source Port Range.: Range: 0-65535
Dest. Port Filter:
Range: Any / Specific / Range
Any: Including all TCP destination ports
Specific: According to following Dest. Port No. setting for ingress classification
Range: According to following Dest. Port Range setting for ingress classification
Dest. Port No.: Range: 0-65535
Dest. Port Range.: Range: 0-65535
TCP FIN:
TCP Control Bit FIN: Means No more data from sender
Range: Any / 0 / 1
Any: Including all TCP FIN case
0: The TCP control bit FIN is 0
1: The TCP control bit FIN is 1
TCP SYN:
TCP Control Bit SYN: Means Synchronize sequence numbers
Range: Any / 0 / 1
Any: Including all TCP SYN case
0: The TCP control bit SYN is 0
1: The TCP control bit SYN is 1
TCP RST:
TCP Control Bit RST: Means Reset the connection
Range: Any / 0 / 1
Any: Including all TCP RST case
0: The TCP control bit RST is 0
1: The TCP control bit RST is 1
TCP PSH:
TCP Control Bit PSH: Means Push Function
Range: Any / 0 / 1
Any: Including all TCP PSH case
0: The TCP control bit PSH is 0
1: The TCP control bit PSH is 1
TCP ACK:
TCP Control Bit ACK: Means Acknowledgment field significant
Range: Any / 0 / 1
Any: Including all TCP ACK case
0: The TCP control bit ACK is 0
1: The TCP control bit ACK is 1
TCP URG:
TCP Control Bit URG: Means Urgent Pointer field significant
Range: Any / 0 / 1
Any: Including all TCP URG case
0: The TCP control bit URG is 0
1: The TCP control bit URG is 1
IP Protocol Value:
The IP Protocol Value is TCP options may occupy space at the end of the TCP header and are a multiple of 8 bits in length. Currently defined options include (kind indicated in octal):
0 - End of option list
1 - No-Operation
Range: Any / 0 / 1
Any: Including all IP protocol value case
0: The IP protocol value is 0
1: The IP protocol value is 1
IP Parameters: (Frame Type = IPv4 and IP Protocol Filter = Other)
IP Protocol Value: Default: 255
IPTTL: (Time To Live)
How many routers a datagram can pass through. Each router decrements this value by 1 until it reaches 0 when the datagram is discarded. This keeps misrouted datagrams from remaining on the Internet forever
Range: Any / Non-zero / Zero
Any: Including all conditions for IPTTL
Non-Zero: Including IPTTL is Non-Zero
Zero: Including IPTTL is zero
IP Fragment: (IP Fragmentation Flag)
Controls datagram fragmentation together with the identification field. The flags indicate whether the datagram may be fragmented, whether the datagram is fragmented, and whether the current fragment is the final one.
Range: Any / Yes / No
Any: Including all IP fragment case
Yes: The ingress frame is a fragmented packet
No: The ingress frame is not a fragmented packet
IP Option:
A list of optional specifications for security restrictions, route recording, and source routing. Not every datagram specifies an options field.
Range: Any / Yes / No
Any: Including all IP option case
Yes: The ingress frame specifies IP options
No: The ingress frame does not specify IP options
SIP Filter: (SIP Source IP Address)
Range: Any / Host / Network
Any: Including all source IP address
Host: Only one specific source host IP address
Network: A specific IP subnet segment under the source IP mask
SIP Address: Default: 192.168.1.1
SIP Mask: Default: 255.255.255.0
DIP Filter: (DIP Destination IP Address)
Range: Any / Host / Network
Any: Including all destination IP address
Host: Only one specific destination host IP address
Network: A specific IP subnet segment under the destination IP mask
DIP Address: Default: 192.168.1.254
DIP Mask: Default: 255.255.255.0
VLAN Parameters:
VLAN ID Filter:
Range: Any / Specific
Any: Including all VLAN IDs
Specific: According to following VLAN ID and Tag Priority setting for ingress classification
VLAN ID:
Range: 1-4094
Tag Priority:
Range: Any / 0-7
Any: Including all Tag Priority values
0-7: The Tag Priority Value is one of number (0-7)
Action Parameters:
When an ingress frame matches the ACL ingress classification rule above, you can apply the following actions:
Action:
Range: Permit / Deny
Permit: Forward packets that match the ACL ingress classification rule to other ports on the switch
Deny: Discard packets that match the ACL ingress classification rule
Rate Limiter:
Range: Disabled / 1-16
Disable: Disable Rate Limiter function
1-16: Apply the Rate Limiter Number setting to packets that match the ACL ingress rule
Port Copy:
Range: Disabled / 1-24
Disable: Disable the Port Copy function
1-24: Packets that match the ACL ingress rule are copied to the selected port.
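To make the ACE parameters above concrete, here is an added Python model (not LANCOM code) of ingress classification: an ACE is bound to Any, a Policy or a Port, filters on a subset of the fields listed above, and carries the Permit/Deny, Rate Limiter and Port Copy actions. Top-down, first-match evaluation is an assumption of this example, since the manual does not state the order; all names are hypothetical and the sample rules and frames are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_ACES = 128   # shared ACE limit stated in the manual


@dataclass(frozen=True)
class Frame:
    """Constructed summary of one ingress frame (field names are hypothetical)."""
    in_port: int
    frame_type: str                  # "Ethernet Type", "ARP" or "IPv4"
    vid: Optional[int] = None
    ip_proto: Optional[str] = None   # "ICMP", "UDP", "TCP" or "Other"
    dport: Optional[int] = None
    syn: Optional[int] = None        # TCP control bits, 0 or 1
    ack: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One ACE. A filter left at None means "Any"; an action left at None means "Disabled"."""
    ingress: Tuple[str, Optional[int]] = ("Any", None)   # ("Policy", 1-8) or ("Port", 1-24)
    frame_type: Optional[str] = None
    ip_proto: Optional[str] = None
    dport: Optional[Tuple[int, int]] = None   # Specific n is (n, n); Range is (low, high)
    syn: Optional[int] = None
    ack: Optional[int] = None
    vid: Optional[int] = None
    action: str = "Permit"
    rate_limiter: Optional[int] = None
    port_copy: Optional[int] = None

    def check(self) -> None:
        """Reject values outside the ranges the manual gives."""
        kind, n = self.ingress
        bounds = {"Any": None, "Policy": (1, 8), "Port": (1, 24)}
        if kind not in bounds:
            raise ValueError(f"unknown ingress selector {kind!r}")
        if bounds[kind] and not (n is not None and bounds[kind][0] <= n <= bounds[kind][1]):
            raise ValueError(f"{kind} number {n} out of range")
        if self.action not in ("Permit", "Deny"):
            raise ValueError("action must be Permit or Deny")
        for name, value, low, high in (("rate limiter", self.rate_limiter, 1, 16),
                                       ("port copy", self.port_copy, 1, 24),
                                       ("VLAN ID", self.vid, 1, 4094)):
            if value is not None and not low <= value <= high:
                raise ValueError(f"{name} {value} outside {low}-{high}")
        if self.dport is not None and not 0 <= self.dport[0] <= self.dport[1] <= 65535:
            raise ValueError("destination port range outside 0-65535")

    def matches(self, frame: Frame, port_policy: Dict[int, int]) -> bool:
        kind, n = self.ingress
        if kind == "Port" and frame.in_port != n:
            return False
        if kind == "Policy" and port_policy.get(frame.in_port) != n:
            return False
        if self.dport is not None:
            if frame.dport is None or not self.dport[0] <= frame.dport <= self.dport[1]:
                return False
        pairs = ((self.frame_type, frame.frame_type), (self.ip_proto, frame.ip_proto),
                 (self.syn, frame.syn), (self.ack, frame.ack), (self.vid, frame.vid))
        return all(want is None or want == got for want, got in pairs)


def classify(aces: List[Ace], port_policy: Dict[int, int], frame: Frame):
    """Return (index, action, rate_limiter, port_copy) for the first matching ACE, or None.

    Evaluating ACEs top-down and stopping at the first match is an assumption of this example.
    """
    if len(aces) > MAX_ACES:
        raise ValueError(f"more than {MAX_ACES} ACEs")
    for ace in aces:
        ace.check()
    for index, ace in enumerate(aces):
        if ace.matches(frame, port_policy):
            return index, ace.action, ace.rate_limiter, ace.port_copy
    return None


# Constructed sample: ports 1 and 2 select Policy 1, port 24 selects Policy 2.
PORT_POLICY = {1: 1, 2: 1, 24: 2}
ACES = [
    Ace(("Policy", 1), "IPv4", "TCP", dport=(23, 23), action="Deny"),   # TELNET from Policy 1 ports
    Ace(("Policy", 1), "IPv4", "TCP", syn=1, ack=0, rate_limiter=3),    # new TCP connections
    Ace(("Port", 24), "ARP", port_copy=12),                             # copy ARP seen on port 24
    Ace(("Any", None), "IPv4"),                                         # everything else IPv4
]
```

Under the first-match assumption, moving the last ACE to the top would shadow the TELNET deny, so the order of entries is worth reviewing whenever a broad `Any` rule is added.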
4.6.4 Wizard
쮿 Wizard
The wizard function provides 4 types of typical application so that users can easily configure their application with the ACL function.
쮿 Parameter:
Please select an Action:
Set up Policy Rules / Set up Port Policies / Set up Typical Network Application Rules / Set up Source MAC and Source IP Binding
Next:
Click on <Next> to confirm the current setting and go to the next step automatically.
Cancel:
Cancel the current setting and go back to the top layer of the ACL wizard function.
Back:
Click on <Back> to go back to the previous step.
Wizard Again:
Click on <Wizard Again> to return to the top layer of the wizard function.
Finish:
Click on <Finish> to finish the ACL Wizard setting. It changes the related parameters according to the selected items; then you have to click on <Apply> to confirm all changed parameter settings.
쮿 Parameter:
Common Server:
DHCP / DNS / FTP / HTTP / IMAP / NFS / POP3 / SAMBA / SMTP / TELNET / TFTP
Instant Messaging:
Google Talk / MSN Messenger / Yahoo Messenger
User Definition:
Ethernet Type / UDP Port / TCP Port
Others:
TCP Port / ICMP / Multicast IP Stream / NetBIOS / Ping Request / Ping Reply / SNMP / SNMP Traps
Ingress Port:
Any / Policy1-8 / Port1-24
Action:
Permit / Deny
Rate Limiter ID:
Disabled / 1-16
쮿 Parameter:
Port #:
1-24
Binding Enabled:
Use the switch ACL function to support the IP/MAC Binding function; the maximum is 128 entries.
Source MAC Address:
xx-xx-xx-xx-xx-xx (For example: 00-40-c7-00-00-01)
Source IP Address:
xxx.xxx.xxx.xxx (For example: 192.168.1.100)
4.7 Security: IP MAC Binding
The IP network layer uses a four-byte address. The Ethernet link layer uses a six-byte MAC address. Binding these two address types together allows the transmission of data between the layers. The primary purpose of IP-MAC binding is to restrict the access to a switch to a number of authorized users. Only the authorized client can access the switch's port, by checking the pair of IP-MAC addresses and port number against the pre-configured database. If an unauthorized user tries to access an IP-MAC binding enabled port, the system will block the access by dropping its packet.
쮿 IP MAC Binding Configuration
The switch has client and server two classes of IP-MAC Binding table. The maximum number of IP-MAC binding client table is 512 entries. The maximum number of IP-MAC Binding server table is 64 entries. The crea­tion of authorized users can be manually. The function is global, this means a user can enable or disable the function for all ports on the switch.
쮿 Parameters:
State:
Disabled / Enabled
Time Interval:
Range: 10 / 20 / 30. The time interval is for ARP echo; the switch sends ARP echo according to the server table entries.
Server/Client:
The maximum number of IP-MAC binding client table is 512 entries. The maximum number of IP-MAC Binding server table is 64 entries.
MAC:
Six-byte MAC Address: xx-xx-xx-xx-xx-xx (For example: 00-40-c7-00-00-01)
IP:
Four-byte IP Address: xxx.xxx.xxx.xxx (For example: 192.168.1.100)
Port No:
Port no.: 1-24
VID:
VLAN ID: 1-4094
Add:
Enter the MAC, IP, Port and VID, then click on <Add> to create a new entry in the IP MAC Binding table.
Delete:
Select an entry from the table, then click on <Delete> to delete this entry.
4.8 Security: DHCP Snooping
4.8.1 DHCP Snooping State
DHCP Snooping State
The addresses assigned to DHCP clients on unsecured ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping. DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port.
Parameter:
DHCP Snooping state:
Enables or disables the DHCP snooping function on the switch. The default is Disabled.
Note: Click "Apply" when you finish the configuration.
4.8.2 DHCP Snooping Entry
DHCP Snooping Entry
A DHCP snooping entry lets the switch register one trusted DHCP server and two trusted ports to build the available DHCP snooping entry. This information can be useful in tracking an IP address back to a physical port, and the entry also enables or disables DHCP Option 82.
Parameter:
VID:
When DHCP snooping is enabled, and also enabled on the specified VLAN, DHCP packet filtering is performed on any un-trusted ports within the VLAN. Sets an available VLAN ID on which DHCP snooping is enabled for the VLAN interface.
Trust Port 1:
If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, all DHCP packets are forwarded for a trusted port. Sets trust port 1. Available ports: 0 to 24; 0 is disabled.
Trust Port 2:
Sets trust port 2. Available ports: 0 to 24; 0 is disabled.
Trust VID:
Sets a trust VLAN ID. Available VIDs: 1 to 4094.
Server IP:
Sets the IP address of a trusted DHCP server for DHCP snooping.
Option 82:
Sets the DHCP Option 82 function on the switch. The default is Disable.
Action:
Sets the filtering action the switch takes when it receives a client DHCP request packet. Available actions: keep / drop / replace.
Note: Filtering rules are implemented as follows:
If DHCP snooping is disabled, all DHCP packets are forwarded.
If DHCP snooping is enabled and also enabled on the VLAN where the DHCP packet is received, all DHCP packets are forwarded for a trusted port.
If DHCP snooping is enabled and also enabled on the VLAN where the DHCP packet is received, but the port is not trusted, it is processed as follows:
If the DHCP packet is a reply packet from a DHCP server, the packet is dropped.
If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled. However, if MAC address verification is enabled, then the packet will only be forwarded if the client's hardware address stored in the DHCP packet is the same as the source MAC address in the Ethernet header.
If the DHCP packet is not a recognizable type, it is dropped.
If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN.
If a DHCP packet from a server is received on a trusted port, it will be forwarded to both trusted and un-trusted ports in the same VLAN.
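The filtering rules above, written out as a decision function over real DHCP payload bytes; this is an added example, not code from the switch or from LANCOM. The configuration keys (`enabled`, `snoop_vids`, `trusted`, `vlan_ports`, `verify_mac`), the function names and the sample frames are assumptions made for the illustration, and the Option 82 keep/drop/replace action is not modelled.

```python
import struct

MAGIC = bytes.fromhex("63825363")          # DHCP magic cookie at offset 236
CLIENT_TYPES = {1, 3, 4, 7, 8}             # DISCOVER, REQUEST, DECLINE, RELEASE, INFORM
SERVER_TYPES = {2, 5, 6}                   # OFFER, ACK, NAK

def make_dhcp(msg_type, chaddr):
    """Constructed sample: minimal BOOTP header, cookie, option 53, end option."""
    op = 2 if msg_type in SERVER_TYPES else 1
    head = struct.pack("!BBBB", op, 1, 6, 0) + bytes(24)
    return head + chaddr.ljust(16, b"\0") + bytes(192) + MAGIC + bytes([53, 1, msg_type, 255])

def dhcp_fields(payload):
    """Return (message type or None, client hardware address) of a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None, b""
    chaddr = payload[28:28 + min(payload[2], 16)]
    i = 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break
        length = payload[i + 1]
        if payload[i] == 53 and length == 1 and i + 2 < len(payload):
            return payload[i + 2], chaddr
        i += 2 + length
    return None, chaddr

def snoop(cfg, vid, in_port, src_mac, payload):
    """Egress ports for a DHCP frame under the manual's rules; empty set = dropped."""
    members = cfg["vlan_ports"][vid] - {in_port}
    if not cfg["enabled"] or vid not in cfg["snoop_vids"]:
        return members                                 # snooping off: forward everything
    if in_port in cfg["trusted"]:
        return members                                 # trusted ingress: trusted + un-trusted
    msg_type, chaddr = dhcp_fields(payload)
    if msg_type not in CLIENT_TYPES:
        return set()                                   # server reply or unrecognizable type
    if cfg["verify_mac"] and chaddr != src_mac:
        return set()                                   # chaddr differs from Ethernet source
    return members & cfg["trusted"]                    # client traffic: trusted ports only

# Constructed configuration (assumed key names): VLAN 10 on ports 1-4, trust port 1.
CFG = {"enabled": True, "snoop_vids": {10}, "trusted": {1},
       "vlan_ports": {10: {1, 2, 3, 4}}, "verify_mac": True}
```

With this configuration, a server reply arriving on port 3 yields an empty egress set, which is the behaviour that keeps a rogue DHCP server on an access port from answering clients.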
4.8.3 DHCP Snooping Client
DHCP Snooping Client
Shows the DHCP snooping clients.
Parameter:
MAC:
Shows the DHCP snooping client's MAC address.
VID:
Shows the DHCP snooping client's VLAN ID.
Port:
Shows the DHCP snooping client's port.
IP:
Shows the DHCP snooping client's IP address.
Lease:
Shows the DHCP snooping client's lease.
4.9 Security: 802.1x Configuration
802.1x port-based network access control provides a method of restricting users' access to network resources by authenticating the user's information. This prevents users from gaining access to the network resources through an 802.1x-enabled port without authentication. If a user wishes to reach the network through a port under 802.1x control, they must first enter their account name for authentication and wait for authorization before sending or receiving any packets through an 802.1x-enabled port.
Before devices or end stations can access the network resources through ports under 802.1x control, the devices or end stations connected to a controlled port send the authentication request to the authenticator, the authenticator passes the request to the authentication server for authentication and verification, and the server tells the authenticator whether the request is granted authorization for the ports.
According to IEEE802.1x, there are three components implemented. They are Authenticator, Supplicant and Authentication server.
Supplicant:
An entity being authenticated by an authenticator. It communicates with the Authenticator PAE (Port Access Entity) by exchanging authentication messages when the Authenticator PAE requests it.
Authenticator:
An entity that facilitates the authentication of the supplicant entity. It controls the state of the port, authorized or unauthorized, according to the result of the authentication messages exchanged between it and a supplicant PAE. The authenticator may request the supplicant to re-authenticate itself at a configured time period. Once re-authentication of the supplicant has started, the controlled port stays in the authorized state until re-authentication fails.
A port acting as an authenticator is treated as two logical ports, a controlled port and an uncontrolled port. A controlled port can only pass packets when the authenticator PAE is authorized, whereas an uncontrolled port unconditionally passes, at any time, packets with the PAE group MAC address, which has the value 01-80-c2-00-00-03 and is not forwarded by a MAC bridge.
Authentication server:
A device that provides authentication service, through EAP, to an authenticator, using the authentication credentials supplied by the supplicant to determine whether the supplicant is authorized to access the network resource.
The operation flow shown in the following figure is quite simple. When the Supplicant PAE issues a request to the Authenticator PAE, the Authenticator and Supplicant exchange authentication messages. Then the Authenticator passes the request to the RADIUS server for verification. Finally, the RADIUS server replies whether the request is granted or denied.
During the authentication process, message packets encapsulated by Extensible Authentication Protocol over LAN (EAPOL) are exchanged between an authenticator PAE and a supplicant PAE. The Authenticator exchanges the messages with the authentication server using EAP encapsulation. Before successful authentication, the supplicant can only reach the authenticator to perform the authentication message exchange, or access the network from the uncontrolled port.
The figure shows the typical configuration: a single supplicant, an authenticator and an authentication server. B and C are in the internal network, D is the Authentication server running RADIUS, the switch at the central location acts as Authenticator connecting to PC A, and A is a PC outside the controlled port, running Supplicant PAE. In this case, when PC A wants to access the services on devices B and C, it must first exchange authentication messages with the authenticator on the port it is connected to, via EAPOL packets. The authenticator transfers the supplicant’s credentials to the Authentication server for verification. If verification succeeds, the authentication server notifies the authenticator of the grant. PC A is then allowed to access B and C via the switch. If two switches are directly connected together instead of a single one, the link connecting the two switches may have to act in two port roles at the end of the link, authenticator and supplicant, because the traffic is bi-directional.
The figure shows the procedure of 802.1x authentication. These are the steps of a login based on 802.1x port access control management. The protocol used on the right side is EAPOL and on the left side is EAP.
At the initial stage, supplicant A is unauthenticated and the port on the switch acting as an authenticator is in the unauthorized state, so access is blocked at this stage.
Initiating a session. Either the authenticator or the supplicant can initiate the message exchange. If the supplicant initiates the process, it sends an EAPOL-Start packet to the authenticator PAE, and the authenticator immediately responds with an EAP-Request/Identity packet.
The authenticator always periodically sends EAP-Request/Identity to the supplicant to request the identity it wants to have authenticated.
If the authenticator doesn’t send EAP-Request/Identity, the supplicant initiates the process by sending EAPOL-Start to the authenticator.
Next, the supplicant replies with an EAP-Response/Identity to the authenticator. The authenticator embeds the user ID into a Radius-Access-Request command and sends it to the authentication server to confirm the identity.
After receiving the Radius-Access-Request, the authentication server sends a Radius-Access-Challenge to the supplicant, via the authenticator PAE, asking for the user password.
The supplicant converts the user password into credential information, perhaps in MD5 format, and replies with an EAP-Response carrying this credential information, as well as the specified authentication algorithm (MD5 or OTP), to the Authentication server via the authenticator PAE. From the value of the type field in the message PDU, the authentication server knows which algorithm to apply to authenticate the credential information: EAP-MD5 (Message Digest 5), EAP-OTP (One Time Password) or another algorithm.
If the user ID and password are correct, the authentication server sends a Radius-Access-Accept to the authenticator. If they are not correct, the authentication server sends a Radius-Access-Reject.
When the authenticator PAE receives a Radius-Access-Accept, it sends an EAP-Success to the supplicant. At this point the supplicant is authorized, and the port connected to the supplicant and under 802.1x control is in the authorized state. The supplicant and other devices connected to this port can access the network. If the authenticator receives a Radius-Access-Reject, it sends an EAP-Failure to the supplicant. This means the supplicant has failed to authenticate. The port it is connected to is in the unauthorized state, and the supplicant and the devices connected to this port are not allowed to access the network.
When the supplicant issues an EAP-Logoff message to the Authentication server, the port you are using is set to unauthorized.
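The login steps above, traced at the EAP packet level for the EAP-MD5 case; this is an added example, not code from the switch or from LANCOM. It uses the EAP packet layout and the MD5-Challenge computation defined in RFC 3748 and RFC 1994, leaves out the RADIUS leg (the server's verdict stands in for Radius-Access-Accept or Radius-Access-Reject), and all function names and the account table are assumptions.

```python
import hashlib, hmac, struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # EAP Code field
IDENTITY, MD5_CHALLENGE = 1, 4                     # EAP Type field

def eap(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: Code, Identifier, Length, then Type and Type-Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse(pkt):
    """Return (code, identifier, type or None, type-data), honouring the Length field."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    body = pkt[4:length]
    return code, ident, (body[0] if body else None), body[1:]

def md5_value(ident, password, challenge):
    """EAP-MD5 credential: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def supplicant_reply(request, user, password):
    """Answer an EAP-Request from the authenticator as the supplicant would."""
    _, ident, eap_type, data = parse(request)
    if eap_type == IDENTITY:
        return eap(RESPONSE, ident, IDENTITY, user)
    challenge = data[1:1 + data[0]]                # Value-Size byte, then Value
    value = md5_value(ident, password, challenge)
    return eap(RESPONSE, ident, MD5_CHALLENGE, bytes([len(value)]) + value + user)

def server_verdict(response, challenge, password):
    """Authentication server check; the result becomes EAP-Success or EAP-Failure."""
    code, ident, eap_type, data = parse(response)
    ok = (password is not None and code == RESPONSE and eap_type == MD5_CHALLENGE
          and len(data) >= 17 and data[0] == 16
          and hmac.compare_digest(data[1:17], md5_value(ident, password, challenge)))
    return eap(SUCCESS if ok else FAILURE, ident)

def port_state(final_packet):
    """Authenticator side: the controlled port follows the last EAP packet."""
    return "authorized" if parse(final_packet)[0] == SUCCESS else "unauthorized"

def login(user, typed, users, challenge):
    """Whole exchange; `users` is the server's constructed account table."""
    identity = parse(supplicant_reply(eap(REQUEST, 1, IDENTITY), user, typed))[3]
    request = eap(REQUEST, 2, MD5_CHALLENGE, bytes([len(challenge)]) + challenge)
    reply = supplicant_reply(request, user, typed)
    return port_state(server_verdict(reply, challenge, users.get(identity)))
```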
MultiHost 802.1X is the only type of authentication supported by the switch. In this mode, once a supplicant connected to a port is authorized, the devices connected to this port can access the network resources through this port.
The 802.1x Port-based Network Access Control function supported by the switch is a little complex, because it supports only the basic Multihost mode, which can distinguish a device’s MAC address and its VID. The following table summarizes how the authentication status and the port status depend on the port mode (set in 802.1x Port Mode) and the port control state (set in 802.1x Port Setting). Here, Entry Authorized means the MAC entry is authorized.
Port Mode    Port Control         Authentication    Port Status
Disable      Don’t Care           Don’t Care        Port Uncontrolled
Multihost    Auto                 Successful        Port Authorized
Multihost    Auto                 Failure           Port Unauthorized
Multihost    ForceUnauthorized    Don’t Care        Port Unauthorized
Multihost    ForceAuthorized      Don’t Care        Port Authorized
4.9.1 Server
802.1X Server Configuration
This function is used to configure the global parameters for RADIUS authentication in the 802.1X port security application.
Parameter:
Authentication Server
Server IP Server:
Server IP address for authentication.
Default: 192.168.1.1
UDP Port:
Default port number is 1812.
Secret Key:
The secret key between authentication server and authenticator. It is a string of 1 to 31 characters. The string may contain upper-case letters, lower-case letters and the digits 0-9, and it is case-sensitive. Blanks between characters are not allowed.
Default: Radius
Accounting Server
Server IP Server:
Server IP address for authentication.
Default: 192.168.1.1
UDP Port:
Default port number is 1812.
Secret Key:
The secret key between authentication server and authenticator. It is a string of 1 to 31 characters. The string may contain upper-case letters, lower-case letters and the digits 0-9, and it is case-sensitive. Blanks between characters are not allowed.
Default: Radius