LevelOne GEL-2670 User Manual

Download

Page 1

GEL-2670

24 GE + 2 GE SFP L2 Managed Switch

User Manual

Ver. 1.0

Page 2

Page 3

ANAGEMENT

UIDE

GEL-2670 L2 MANAGED SWITCH

Layer 2 Gigabit Ethernet Switch with 24 10/100/1000BASE-T Ports (RJ-45) and 2 Gigabit SFP Ports

E012013-KS-R01

Page 4

Page 5

ABOUT THIS GUIDE

PURPOSE This guide gives specific information on how to operate and use the

management functions of the switch.

AUDIENCE The guide is intended for use by network administrators who are

responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).

CONVENTIONS The following conventions are used throughout this guide to show

information:

OTE

Emphasizes important information or calls your attention to related

features or instructions.

AUTION

damage the system or equipment.

ARNING

Alerts you to a potential hazard that could cause loss of data, or

Alerts you to a potential hazard that could cause personal injury.

RELATED PUBLICATIONS The following publication details the hardware features of the switch,

including the physical and performance-related characteristics, and how to install the switch:

The Installation Guide

Also, as part of the switch’s software, there is an online web-based help that describes all management related features.

REVISION HISTORY This section summarizes the changes in each revision of this guide.

JANUARY 2013 REVISION

This is the first version of this guide. This guide is valid for software release v1.0.0.0.

– 5 –

Page 6

BOUT THIS GUIDE

– 6 –

Page 7

CONTENTS

ABOUT THIS GUIDE 5

ONTENTS 7

IGURES 13

ABLES 19

SECTION I GETTING STARTED 21

1INTRODUCTION 23

Key Features 23

Description of Software Features 24

System Defaults 28

2INITIAL SWITCH CONFIGURATION 31

SECTION II

SECTION III WEB CONFIGURATION 33

3USING THE WEB INTERFACE 35

Navigating the Web Browser Interface 35

Home Page 35

Configuration Options 36

Panel Display 36

Main Menu 36

4CONFIGURING THE SWITCH 47

Configuring System Information 47

Setting an IP Address 48

Setting an IPv4 Address 48

Setting an IPv6 Address 49

Configuring NTP Service 52

– 7 –

Page 8

ONTENTS

Configuring the Time Zone and Daylight Savings Time 53

Configuring Remote Log Messages 56

Configuring Power Reduction 57

Reducing Power to Idle Queue Circuits 57

Configuring Port Connections 58

Configuring Security 61

Configuring User Accounts 62

Configuring User Privilege Levels 63

Configuring The Authentication Method For Management Access 65

Configuring SSH 67

Configuring HTTPS 68

Filtering IP Addresses for Management Access 70

Using Simple Network Management Protocol 71

Remote Monitoring 82

Configuring Port Limit Controls 87

Configuring Authentication Through Network Access Servers 90

Filtering Traffic with Access Control Lists 101

Configuring DHCP Snooping 112

Configuring DHCP Relay and Option 82 Information 115

Configuring IP Source Guard 116

Configuring ARP Inspection 120

Specifying Authentication Servers 123

Creating Trunk Groups 125

Configuring Static Trunks 126

Configuring LACP 128

Configuring Loop Protection 130

Configuring the Spanning Tree Algorithm 132

Configuring Global Settings for STA 134

Configuring Multiple Spanning Trees 138

Configuring Spanning Tree Bridge Priorities 140

Configuring STP/RSTP/CIST Interfaces 141

Configuring MSTI Interfaces 144

Multicast VLAN Registration 145

Configuring General MVR Settings 146

Configuring MVR Channel Settings 149

IGMP Snooping 151

– 8 –

Page 9

ONTENTS

Configuring Global and Port-Related Settings for IGMP Snooping 151

Configuring VLAN Settings for IGMP Snooping and Query 154

Configuring IGMP Filtering 156

MLD Snooping 157

Configuring Global and Port-Related Settings for MLD Snooping 157

Configuring VLAN Settings for MLD Snooping and Query 160

Configuring MLD Filtering 162

Link Layer Discovery Protocol 163

Configuring LLDP Timing and TLVs 163

Configuring LLDP-MED TLVs 166

Configuring the MAC Address Table 172

IEEE 802.1Q VLANs 174

Assigning Ports to VLANs 175

Configuring VLAN Attributes for Port Members 176

Configuring Private VLANs 179

Using Port Isolation 181

Configuring MAC-based VLANs 181

Protocol VLANs 183

Configuring Protocol VLAN Groups 183

Mapping Protocol Groups to Ports 185

Configuring IP Subnet-based VLANs 186

Managing VoIP Traffic 187

Configuring VoIP Traffic 188

Configuring Telephony OUI 190

Quality of Service 191

Configuring Port Classification 192

Configuring Port Policiers 194

Configuring Egress Port Scheduler 196

Configuring Egress Port Shaper 198

Configuring Port Remarking Mode 199

Configuring Port DSCP Translation and Rewriting 202

Configuring DSCP-based QoS Ingress Classification 204

Configuring DSCP Translation 205

Configuring DSCP Classification 206

Configuring QoS Control Lists 207

Configuring Storm Control 211

– 9 –

Page 10

ONTENTS

Configuring Local Port Mirroring 213

Configuring Remote Port Mirroring 214

Configuring UPnP 220

Configuring sFlow 221

5MONITORING THE SWITCH 225

Displaying Basic Information About the System 225

Displaying System Information 225

Displaying CPU Utilization 226

Displaying Log Messages 227

Displaying Log Details 229

Displaying Information About Ports 229

Displaying Port Status On the Front Panel 229

Displaying an Overview of Port Statistics 230

Displaying QoS Statistics 231

Displaying QCL Status 231

Displaying Detailed Port Statistics 233

Displaying Information About Security Settings 236

Displaying Access Management Statistics 236

Displaying Information About Switch Settings for Port Security 237

Displaying Information About Learned MAC Addresses 239

Displaying Port Status for Authentication Services 240

Displaying Port State for 802.1X / Remote Authentication Service 241

Displaying ACL Status 242

Displaying Statistics for DHCP Snooping 243

Displaying DHCP Relay Statistics 245

Displaying MAC Address Bindings for ARP Packets 246

Displaying Entries in the IP Source Guard Table 247

Displaying Information on Authentication Servers 248

Displaying a List of Authentication Servers 248

Displaying Statistics for Configured Authentication Servers 249

Displaying Information on RMON 253

Displaying RMON Statistics 253

Displaying RMON Historical Samples 254

Displaying RMON Alarm Settings 255

Displaying RMON Event Settings 256

Displaying Information on LACP 257

– 10 –

Page 11

ONTENTS

Displaying an Overview of LACP Groups 257

Displaying LACP Port Status 257

Displaying LACP Port Statistics 258

Displaying Information on Loop Protection 259

Displaying Information on the Spanning Tree 260

Displaying Bridge Status for STA 260

Displaying Port Status for STA 263

Displaying Port Statistics for STA 263

Displaying MVR Information 264

Displaying MVR Statistics 264

Displaying MVR Group Information 265

Displaying MVR SFM Information 266

Showing IGMP Snooping Information 267

Showing IGMP Snooping Status 267

Showing IGMP Snooping Group Information 268

Showing IPv4 SFM Information 269

Showing MLD Snooping Information 270

Showing MLD Snooping Status 270

Showing MLD Snooping Group Information 271

Showing IPv6 SFM Information 272

Displaying LLDP Information 273

Displaying LLDP Neighbor Information 273

Displaying LLDP-MED Neighbor Information 274

Displaying LLDP Neighbor EEE Information 277

Displaying LLDP Port Statistics 278

Displaying the MAC Address Table 280

Displaying Information About VLANs 281

VLAN Membership 281

VLAN Port Status 282

Displaying Information About MAC-based VLANs 283

Displaying Information About Flow Sampling 284

6PERFORMING BASIC DIAGNOSTICS 287

Pinging an IPv4 or IPv6 Address 287

7PERFORMING SYSTEM MAINTENANCE 289

Restarting the Switch 289

Restoring Factory Defaults 290

– 11 –

Page 12

ONTENTS

Upgrading Firmware 290

Activating the Alternate Image 291

Managing Configuration Files 292

Saving Configuration Settings 292

Restoring Configuration Settings 292

SECTION IV APPENDICES 295

ASOFTWARE SPECIFICATIONS 297

Software Features 297

Management Features 298

Standards 299

Management Information Bases 300

BTROUBLESHOOTING 301

Problems Accessing the Management Interface 301

Using System Logs 302

CLICENSE INFORMATION 303

The GNU General Public License 303

GLOSSARY 307

NDEX 315

– 12 –

Page 13

FIGURES

Figure 1: Home Page 35

Figure 2: Front Panel Indicators 36

Figure 3: System Information Configuration 47

Figure 4: IP Configuration 49

Figure 5: IPv6 Configuration 51

Figure 6: NTP Configuration 52

Figure 7: Time Zone and Daylight Savings Time Configuration 55

Figure 8: Configuring Settings for Remote Logging of Error Messages 56

Figure 9: Configuring EEE Power Reduction 58

Figure 10: Port Configuration 61

Figure 11: Showing User Accounts 63

Figure 12: Configuring User Accounts 63

Figure 13: Configuring Privilege Levels 65

Figure 14: Authentication Server Operation 66

Figure 15: Authentication Method for Management Access 67

Figure 16: SSH Configuration 68

Figure 17: HTTPS Configuration 70

Figure 18: Access Management Configuration 71

Figure 19: SNMP System Configuration 76

Figure 20: SNMPv3 Community Configuration 77

Figure 21: SNMPv3 User Configuration 79

Figure 22: SNMPv3 Group Configuration 80

Figure 23: SNMPv3 View Configuration 81

Figure 24: SNMPv3 Access Configuration 82

Figure 25: RMON Statistics Configuration 83

Figure 26: RMON History Configuration 84

Figure 27: RMON Alarm Configuration 86

Figure 28: RMON Event Configuration 87

Figure 29: Port Limit Control Configuration 90

Figure 30: Using Port Security 91

Figure 31: Network Access Server Configuration 101

– 13 –

Page 14

IGURES

Figure 32: ACL Port Configuration 103

Figure 33: ACL Rate Limiter Configuration 104

Figure 34: Access Control List Configuration 112

Figure 35: DHCP Snooping Configuration 114

Figure 36: DHCP Relay Configuration 116

Figure 37: Configuring Global and Port-based Settings for IP Source Guard 118

Figure 38: Configuring Static Bindings for IP Source Guard 119

Figure 39: Configuring Global and Port Settings for ARP Inspection 121

Figure 40: Configuring Static Bindings for ARP Inspection 122

Figure 41: Authentication Configuration 124

Figure 42: Static Trunk Configuration 128

Figure 43: LACP Port Configuration 130

Figure 44: Loop Protection Configuration 132

Figure 45: STP Root Ports and Designated Ports 133

Figure 46: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree 133

Figure 47: CIST, CST. and IST Spanning Trees 134

Figure 48: STA Bridge Configuration 137

Figure 49: Adding a VLAN to an MST Instance 139

Figure 50: Configuring STA Bridge Priorities 140

Figure 51: STP/RSTP/CIST Port Configuration 144

Figure 52: MSTI Port Configuration 145

Figure 53: MVR Concept 146

Figure 54: Configuring General MVR Settings 149

Figure 55: Configuring MVR Channel Settings 150

Figure 56: Configuring Global and Port-related Settings for IGMP Snooping 154

Figure 57: Configuring VLAN Settings for IGMP Snooping and Query 156

Figure 58: IGMP Snooping Port Group Filtering Configuration 157

Figure 59: Configuring Global and Port-related Settings for MLD Snooping 160

Figure 60: Configuring VLAN Settings for MLD Snooping and Query 162

Figure 61: MLD Snooping Port Group Filtering Configuration 163

Figure 62: LLDP Configuration 166

Figure 63: LLDP-MED Configuration 172

Figure 64: MAC Address Table Configuration 174

Figure 65: VLAN Membership Configuration 176

Figure 66: VLAN Port Configuration 179

Figure 67: Private VLAN Membership Configuration 180

– 14 –

Page 15

IGURES

Figure 68: Port Isolation Configuration 181

Figure 69: Configuring MAC-Based VLANs 182

Figure 70: Configuring Protocol VLANs 184

Figure 71: Assigning Ports to Protocol VLANs 186

Figure 72: Assigning Ports to an IP Subnet-based VLAN 187

Figure 73: Configuring Global and Port Settings for a Voice VLAN 190

Figure 74: Configuring an OUI Telephony List 191

Figure 75: Configuring Ingress Port QoS Classification 193

Figure 76: Configuring Ingress Port Tag Classification 194

Figure 77: Configuring Ingress Port Policing 195

Figure 78: Displaying Egress Port Schedulers 197

Figure 79: Configuring Egress Port Schedulers and Shapers 198

Figure 80: Displaying Egress Port Shapers 199

Figure 81: Displaying Port Tag Remarking Mode 201

Figure 82: Configuring Port Tag Remarking Mode 202

Figure 83: Configuring Port DSCP Translation and Rewriting 203

Figure 84: Configuring DSCP-based QoS Ingress Classification 205

Figure 85: Configuring DSCP Translation and Re-mapping 206

Figure 86: Mapping DSCP to CoS/DPL Values 207

Figure 87: QoS Control List Configuration 211

Figure 88: Storm Control Configuration 212

Figure 89: Mirror Configuration 214

Figure 90: Configuring Remote Port Mirroring 215

Figure 91: Mirror Configuration (Source) 217

Figure 92: Mirror Configuration (Intermediate) 218

Figure 93: Mirror Configuration (Destination) 219

Figure 94: UPnP Configuration 221

Figure 95: sFlow Configuration 224

Figure 96: System Information 226

Figure 97: CPU Load 227

Figure 98: System Log Information 228

Figure 99: Detailed System Log Information 229

Figure 100: Port State Overview 229

Figure 101: Port Statistics Overview 230

Figure 102: Queueing Counters 231

Figure 103: QoS Control List Status 232

– 15 –

Page 16

IGURES

Figure 104: Detailed Port Statistics 235

Figure 105: Access Management Statistics 236

Figure 106: Port Security Switch Status 238

Figure 107: Port Security Port Status 239

Figure 108: Network Access Server Switch Status 241

Figure 109: NAS Statistics for Specified Port 242

Figure 110: ACL Status 243

Figure 111: DHCP Snooping Statistics 245

Figure 112: DHCP Relay Statistics 246

Figure 113: Dynamic ARP Inspection Table 247

Figure 114: Dynamic IP Source Guard Table 247

Figure 115: RADIUS Overview 249

Figure 116: RADIUS Details 252

Figure 117: RMON Statistics 254

Figure 118: RMON History Overview 255

Figure 119: RMON Alarm Overview 256

Figure 120: RMON Event Overview 256

Figure 121: LACP System Status 257

Figure 122: LACP Port Status 258

Figure 123: LACP Port Statistics 259

Figure 124: Loop Protection Status 260

Figure 125: Spanning Tree Bridge Status 262

Figure 126: Spanning Tree Detailed Bridge Status 262

Figure 127: Spanning Tree Port Status 263

Figure 128: Spanning Tree Port Statistics 264

Figure 129: MVR Statistics 265

Figure 130: MVR Group Information 266

Figure 131: MVR SFM Information 267

Figure 132: IGMP Snooping Status 268

Figure 133: IGMP Snooping Group Information 269

Figure 134: IPv4 SFM Information 270

Figure 135: MLD Snooping Status 271

Figure 136: MLD Snooping Group Information 272

Figure 137: IPv6 SFM Information 273

Figure 138: LLDP Neighbor Information 274

Figure 139: LLDP-MED Neighbor Information 277

– 16 –

Page 17

IGURES

Figure 140: LLDP Neighbor EEE Information 278

Figure 141: LLDP Port Statistics 279

Figure 142: MAC Address Table 280

Figure 143: Showing VLAN Members 282

Figure 144: Showing VLAN Port Status 283

Figure 145: Showing MAC-based VLAN Membership Status 284

Figure 146: Showing sFlow Statistics 286

Figure 147: ICMP Ping 288

Figure 148: ICMP Ping Results 288

Figure 149: ICMP V6 Ping 288

Figure 150: ICMP V6 Results 288

Figure 151: Restart Device 289

Figure 152: Factory Defaults 290

Figure 153: Software Upload 291

Figure 154: Software Image Selection 291

Figure 155: Configuration Save 292

Figure 156: Configuration Upload 293

– 17 –

Page 18

IGURES

– 18 –

Page 19

TABLES

Table 1: Key Features 23

Table 2: System Defaults 28

Table 3: Web Page Configuration Buttons 36

Table 4: Main Menu 36

Table 5: HTTPS System Support 69

Table 6: SNMP Security Models and Levels 72

Table 7: Dynamic QoS Profiles 94

Table 8: QCE Modification Buttons 106

Table 9: Recommended STA Path Cost Range 141

Table 10: Recommended STA Path Costs 142

Table 11: Default STA Path Costs 142

Table 12: QCE Modification Buttons 208

Table 13: System Capabilities 273

Table 14: Troubleshooting Chart 301

– 19 –

Page 20

ABLES

– 20 –

Page 21

ECTION

GETTING STARTED

This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.

This section includes these chapters:

◆ "Introduction" on page 23

◆ "Initial Switch Configuration" on page 31

– 21 –

Page 22

ECTION

| Getting Started

– 22 –

Page 23

1 INTRODUCTION

This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.

KEY FEATURES

Table 1: Key Features

Feature Description

Configuration Backup and Restore

Backup to management station using Web

Authentication Telnet, Web – user name/password, RADIUS, TACACS+

Web – HTTPS Teln e t – SSH SNMP v1/2c - Community strings SNMP version 3 – MD5 or SHA password Port – IEEE 802.1X, MAC address filtering

General Security Measures

Access Control Lists Supports up to 256 rules

DHCP Client

DNS Client and Proxy service

Port Configuration Speed, duplex mode, flow control, MTU, response to excessive

Rate Limiting Input rate limiting per port (manual setting or ACL)

Port Mirroring 1 sessions, up to 10 source port to one analysis port per session

Port Trunking Supports up to 5 trunks – static or dynamic trunking (LACP)

Congestion Control Throttling for broadcast, multicast, unknown unicast storms

Address Table 8K MAC addresses in the forwarding table, 1000 static MAC

IP Version 4 and 6 Supports IPv4 and IPv6 addressing, management, and QoS

Private VLANs Port Authentication Port Security DHCP Snooping (with Option 82 relay information) IP Source Guard

collisions, power saving mode

addresses, 1K L2 IGMP multicast groups and 128 MVR groups

IEEE 802.1D Bridge Supports dynamic data switching and addresses learning

Store-and-Forward Switching

Supported to ensure wire-speed switching while eliminating bad frames

– 23 –

Page 24

HAPTER

Description of Software Features

| Introduction

Table 1: Key Features (Continued)

Feature Description

Spanning Tree Algorithm Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and

Virtual LANs Up to 4K using IEEE 802.1Q, port-based, protocol-based, private

Multiple Spanning Trees (MSTP)

VLANs, and voice VLANs, and QinQ tunnel

Traffic Prioritization Queue mode and CoS configured by Ethernet type, VLAN ID, TCP/

Qualify of Service Supports Differentiated Services (DiffServ), and DSCP remarking

Link Layer Discovery Protocol

Multicast Filtering Supports IGMP snooping and query, MLD snooping, and Multicast

DESCRIPTION OF SOFTWARE FEATURES

The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Storm suppression prevents broadcast, multicast, and unknown unicast traffic storms from engulfing the network. Untagged (port-based), tagged, and protocol-based VLANs provide traffic security and efficient use of network bandwidth. CoS priority queueing ensures the minimum delay for moving real-time multimedia data across the network. While multicast filtering provides support for real-time network applications.

Some of the management features are briefly described below.

UDP port, DSCP, ToS bit, VLAN tag priority, or port

Used to discover basic information about neighboring devices

VLAN Registration

CONFIGURATION

BACKUP AND

RESTORE

You can save the current configuration settings to a file on the management station (using the web interface) or a TFTP server (using the console interface through Telnet), and later download this file to restore the switch configuration settings.

AUTHENTICATION This switch authenticates management access via a web browser. User

names and passwords can be configured locally or can be verified via a remote authentication server (i.e., RADIUS or TACACS+). Port-based authentication is also supported via the IEEE 802.1X protocol. This protocol uses Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1X client, and then uses the EAP between the switch and the authentication server to verify the client’s right to access the network via an authentication server (i.e., RADIUS or TACACS+ server).

Other authentication options include HTTPS for secure management access via the web, SSH for secure management access over a Telnet-equivalent connection, SNMP Version 3, IP address filtering for SNMP/Telnet/web management access, and MAC address filtering for port access.

– 24 –

Page 25

HAPTER

Description of Software Features

| Introduction

ACCESS CONTROL

LISTS

ACLs provide packet filtering for IP frames (based on protocol, TCP/UDP port number or frame type) or layer 2 frames (based on any destination MAC address for unicast, broadcast or multicast, or based on VLAN ID or VLAN tag priority). ACLs can by used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols. Policies can be used to differentiate service for client ports, server ports, network ports or guest ports. They can also be used to strictly control network traffic by only allowing incoming frames that match the source MAC and source IP on specific port.

PORT CONFIGURATION You can manually configure the speed and duplex mode, and flow control

used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device. Use the full-duplex mode on ports whenever possible to double the throughput of switch connections. Flow control should also be enabled to control network traffic during periods of congestion and prevent the loss of packets when port buffer thresholds are exceeded. The switch supports flow control based on the IEEE 802.3x standard (now incorporated in IEEE 802.3-2002).

RATE LIMITING This feature controls the maximum rate for traffic transmitted or received

on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.

PORT MIRRORING The switch can unobtrusively mirror traffic from any port to a monitor port.

You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity.

PORT TRUNKING Ports can be combined into an aggregate connection. Trunks can be

manually set up or dynamically configured using Link Aggregation Control Protocol (LACP – IEEE 802.3-2005). The additional ports dramatically increase the throughput across any connection, and provide redundancy by taking over the load if a port in the trunk should fail. The switch supports up to 5 trunks.

STORM CONTROL Broadcast, multicast and unknown unicast storm suppression prevents

traffic from overwhelming the network.When enabled on a port, the level of broadcast traffic passing through the port is restricted. If broadcast traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold.

STATIC ADDRESSES A static address can be assigned to a specific interface on this switch.

Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will

– 25 –

Page 26

HAPTER

Description of Software Features

| Introduction

be ignored and will not be written to the address table. Static addresses can be used to provide network security by restricting access for a known host to a specific port.

IEEE 802.1D BRIDGE The switch supports IEEE 802.1D transparent bridging. The address table

facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 16K addresses.

STORE-AND-FORWARD

SWITCHING

SPANNING TREE

ALGORITHM

The switch copies each frame into its memory before forwarding them to another port. This ensures that all frames are a standard Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC). This prevents bad frames from entering the network and wasting bandwidth.

To avoid dropping frames on congested ports, the switch provides 8 MB for frame buffering. This buffer can queue packets awaiting transmission on congested networks.

The switch supports these spanning tree protocols:

◆ Spanning Tree Protocol (STP, IEEE 802.1D) – Supported by using the

STP backward compatible mode provided by RSTP. STP provides loop detection. When there are multiple physical paths between segments, this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network. This prevents the creation of network loops. However, if the chosen path should fail for any reason, an alternate path will be activated to maintain the connection.

◆ Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol

reduces the convergence time for network topology changes to about 3 to 5 seconds, compared to 30 seconds or more for the older IEEE

802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices.

◆ Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is

a direct extension of RSTP. It can provide an independent spanning tree for different VLANs. It simplifies network management, provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP).

– 26 –

Page 27

HAPTER

Description of Software Features

| Introduction

VIRTUAL LANS The switch supports up to 4096 VLANs. A Virtual LAN is a collection of

network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard. Members of VLAN groups can be manually assigned to a specific set of VLANs. This allows the switch to restrict traffic to the VLAN groups to which a user has been assigned. By segmenting your network into VLANs, you can:

◆ Eliminate broadcast storms which severely degrade performance in a

flat network.

◆ Simplify network management for node changes/moves by remotely

configuring VLAN membership for any port, rather than having to manually change the network connection.

◆ Provide data security by restricting all traffic to the originating VLAN.

◆ Use private VLANs to restrict traffic to pass only between data ports

and the uplink ports, thereby isolating adjacent ports within the same VLAN, and allowing you to limit the total number of VLANs that need to be configured.

IEEE 802.1Q

TUNNELING (QINQ)

TRAFFIC

PRIORITIZATION

◆ Use protocol VLANs to restrict traffic to specified interfaces based on

protocol type.

This feature is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs. This is accomplished by inserting Service Provider VLAN (SPVLAN) tags into the customer’s frames when they enter the service provider’s network, and then stripping the tags when the frames leave the network.

This switch prioritizes each packet based on the required level of service, using four priority queues with strict or Weighted Round Robin queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application. These functions can provide independent priorities for delay-sensitive data and best-effort data.

This switch also supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic can be prioritized based on the priority bits in the IP frame’s Type of Service (ToS) octet or the number of the TCP/UDP port. When these services are enabled, the priorities are mapped to a Class of Service value by the switch, and the traffic then sent to the corresponding output queue.

be used to

– 27 –

Page 28

HAPTER

System Defaults

| Introduction

QUALITY OF SERVICE Differentiated Services (DiffServ) provides policy-based management

mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis. Each packet is classified upon entry into the network based on access lists, DSCP values, or VLAN lists. Using access lists allows you select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.

MULTICAST FILTERING Specific multicast traffic can be assigned to its own VLAN to ensure that it

does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN. The switch uses IGMP Snooping and Query to manage multicast group registration for IPv4 traffic, and MLD Snooping for IPv6 traffic. It also supports Multicast VLAN Registration (MVR) which allows common multicast traffic, such as television channels, to be transmitted across a single network-wide multicast VLAN shared by hosts residing in other standard or private VLAN groups, while preserving security and data isolation for normal traffic.

SYSTEM DEFAULTS

The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file.

The following table lists some of the basic system defaults.

Table 2: System Defaults

Function Parameter Default

Authentication User Name “admin”

Password “admin”

RADIUS Authentication Disabled

TACACS+ Authentication Disabled

802.1X Port Authentication Disabled

HTTPS Enabled

SSH Enabled

Port Security Disabled

IP Filtering Disabled

Web Management HTTP Server Enabled

HTTP Port Number 80

HTTP Secure Server Disabled

HTTP Secure Server Redirect Disabled

– 28 –

Page 29

HAPTER

Table 2: System Defaults (Continued)

Function Parameter Default

SNMP SNMP Agent Disabled

| Introduction

System Defaults

Community Strings “public” (read only)

Traps Global: disabled

SNMP V3 View: default_view

Port Configuration Admin Status Enabled

Auto-negotiation Enabled

Flow Control Disabled

Rate Limiting Input and output limits Disabled

Port Trunking Static Trunks None

LACP (all ports) Disabled

Storm Protection Status Broadcast: Enabled (1 kpps)

Spanning Tree Algorithm Status Enabled, RSTP

Edge Ports Enabled

Address Table Aging Time 300 seconds

Virtual LANs Default VLAN 1

PVID 1

Acceptable Frame Type All

“private” (read/write)

Authentication traps: enabled Link-up-down events: enabled

Group: default_rw_group

Multicast: disabled Unknown unicast: disabled

(Defaults: RSTP standard)

Ingress Filtering Disabled

Switchport Mode (Egress Mode) Access

Traffic Prioritization Ingress Port Priority 0

Queue Mode Strict

Weighted Round Robin Queue: 0 1 2 3 4 5 6 7

Weight: Disabled in strict mode

Ethernet Type Disabled

VLAN ID Disabled

VLAN Priority Tag Disabled

ToS P r i o rit y Di s a b l ed

IP DSCP Priority Disabled

TCP/UDP Port Priority Disabled

LLDP Status Enabled

– 29 –

Page 30

HAPTER

| Introduction

System Defaults

Table 2: System Defaults (Continued)

Function Parameter Default

IP Settings Management. VLAN VLAN 1

IP Address 192.168.1.1

Subnet Mask 255.255.255.0

Default Gateway 0.0.0.0

DHCP Client: Disabled

DNS Proxy service: Disabled

Multicast Filtering IGMP Snooping Snooping: Disabled

MLD Snooping Disabled

Multicast VLAN Registration Disabled

System Log (console only)

NTP Clock Synchronization Disabled

Status Disabled

Messages Logged to Flash All levels

Snooping: Disabled

Querier: Disabled

– 30 –

Page 31

2 INITIAL SWITCH CONFIGURATION

This chapter includes information on connecting to the switch and basic configuration procedures.

To make use of the management features of your switch, you must first configure it with an IP address that is compatible with the network in which it is being installed. This should be done before you permanently install the switch in the network.

Follow this procedure:

1. Place the switch close to the PC that you intend to use for configuration.

It helps if you can see the front panel of the switch while working on your PC.

2. Connect the Ethernet port of your PC to any port on the front panel of

the switch. Connect power to the switch and verify that you have a link by checking the front-panel LEDs.

3. Check that your PC has an IP address on the same subnet as the

switch. The default IP address of the switch is 192.168.1.1 and the subnet mask is 255.255.255.0, so the PC and switch are on the same subnet if they both have addresses that start 192.168.1.x. If the PC and switch are not on the same subnet, you must manually set the PC’s IP address to 192.168.1.x (where “x” is any number from 1 to 254, except 10).

4. Open your web browser and enter the address http://192.168.1.1. If

your PC is properly configured, you will see the login page of the switch. If you do not see the login page, repeat step 3.

5. Enter “admin” for the user name and password, and then click on the

6. From the menu, click System, and then IP. To request an address from

a local DHCP Server, mark the DHCP Client check box. To configure a static address, enter the new IP Address, IP Mask, and other optional parameters for the switch, and then click on the Save button.

If you need to configure an IPv6 address, select IPv6 from the System menu, and either submit a request for an address from a local DHCPv6 server by marking the Auto Configuration check box, or configure a static address by filling in the parameters for an address, network prefix length, and gateway router.

No other configuration changes are required at this stage, but it is recommended that you change the administrator’s password before

– 31 –

Page 32

HAPTER

| Initial Switch Configuration

logging out. To change the password, click Security and then Users. Select “admin” from the User Configuration list, fill in the Password fields, and then click Save.

– 32 –

Page 33

ECTION

WEB CONFIGURATION

This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser.

This section includes these chapters:

◆ "Using the Web Interface" on page 35

III

◆ "Configuring the Switch" on page 47

◆ "Monitoring the Switch" on page 225

◆ "Performing Basic Diagnostics" on page 287

◆ "Performing System Maintenance" on page 289

– 33 –

Page 34

ECTION

| Web Configuration

– 34 –

Page 35

3 USING THE WEB INTERFACE

This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0, Mozilla Firefox

2.0.0.0, or more recent versions).

NAVIGATING THE WEB BROWSER INTERFACE

To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.”

HOME PAGE When your web browser connects with the switch’s web agent, the home

page is displayed as shown below. The home page displays the Main Menu on the left side of the screen and an image of the front panel on the right side. The Main Menu links are used to navigate to other menus, and display configuration parameters and statistics.

Figure 1: Home Page

– 35 –

Page 36

HAPTER

| Using the Web Interface

Navigating the Web Browser Interface

CONFIGURATION

OPTIONS

Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Save button to confirm the new setting. The following table summarizes the web page configuration buttons.

Table 3: Web Page Configuration Buttons

Button Action

Save Sets specified values to the system.

Reset Cancels specified values and restores current values prior to pressing

“Save.”

Logs out of the management interface.

Displays help for the selected page.

PANEL DISPLAY The web agent displays an image of the switch’s ports. The refresh mode is

disabled by default. Click Auto-refresh to refresh the data displayed on the screen approximately once every 5 seconds, or click Refresh to refresh the screen right now. Clicking on the image of a port opens the Detailed Statistics page as described on page 233.

Figure 2: Front Panel Indicators

MAIN MENU Using the onboard web agent, you can define system parameters, manage

and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.

Table 4: Main Menu

Menu Description Page

Basic Configuration

System 47

Information Configures system contact, name and location 47

IP Configures IPv4 and SNTP settings 48

IPv6 Configures IPv6 and SNTP settings 49

NTP Enables NTP, and configures a list of NTP servers 52

Time Configures the time zone and daylight savings time 53

Log Configures the logging of messages to a remote logging

process, specifies the remote log server, and limits the type of system log messages sent

– 36 –

Page 37

HAPTER

| Using the Web Interface

Navigating the Web Browser Interface

Table 4: Main Menu (Continued)

Menu Description Page

Ports Configures port connection settings 58

Aggregation 125

Static Specifies ports to group into static trunks 126

LACP Allows ports to dynamically join trunks 128

Spanning Tree 132

Bridge Settings Configures global bridge settings for STP, RSTP and MSTP;

MSTI Mapping Maps VLANs to a specific MSTP instance 138

MSTI Priorities Configures the priority for the CIST and each MSTII 140

CIST Ports Configures interface settings for STA 141

MSTI Ports Configures interface settings for an MST instance 144

MAC Table Configures address aging, dynamic learning, and static

VLANs Virtual LANs 174

also configures edge port settings for BPDU filtering, BPDU guard, and port error recovery

addresses

134

172

VLAN Membership Configures VLAN groups 175

Ports Specifies default PVID and VLAN attributes 176

Mirroring & RSPAN Sets source and target ports for local or remote mirroring 213

Advanced Configuration

System

Power Reduction 57

Ports

Security 61

Information Configures system contact, name and location 47

IP Configures IPv4 and SNTP settings 48

IPv6 Configures IPv6 and SNTP settings 49

NTP Enables NTP, and configures a list of NTP servers 52

Time Configures the time zone and daylight savings time 53

Log Configures the logging of messages to a remote logging

EEE Configures Energy Efficient Ethernet for specified queues,

process, specifies the remote log server, and limits the type of system log messages sent

and specifies urgent queues which are to transmit data after maximum latency expires regardless queue length

Configures port connection settings 58

Switch 61

Users Configures user names, passwords, and access levels 62

Privilege Levels Configures privilege level for specific functions 63

Auth Method Configures authentication method for management access

SSH Configures the Secure Shell server 67

via local database, RADIUS or TACACS+

– 37 –

Page 38

HAPTER

| Using the Web Interface

Navigating the Web Browser Interface

Table 4: Main Menu (Continued)

Menu Description Page

HTTPS Configures secure HTTP settings 68

Access Management

SNMP Simple Network Management Protocol 71

System Configures read-only and read/write community strings for

Communities Configures community strings 76

Users Configures SNMP v3 users on this switch 77

Groups Configures SNMP v3 groups 79

Views Configures SNMP v3 views 80

Access Assigns security model, security level, and read/write views

RMON Remote Monitoring 82

Statistics Enables collection of statistics on a physical interface 82

History Periodically samples statistics on a physical interface 83

Alarm Sets threshold bounds for a monitored variable 84

Event Creates a response for an alarm 86

Network

Limit Control Configures port security limit controls, including secure

Sets IP addresses of clients allowed management access via HTTP/HTTPS, and SNMP, and Telnet/SSH

SNMP v1/v2c, engine ID for SNMP v3, and trap parameters

to SNMP groups

address aging; and per port security, including maximum allowed MAC addresses, and response for security breach

NAS Configures global and port settings for IEEE 802.1X 90

ACL Access Control Lists 101

Ports Assigns ACL, rate limiter, and other parameters to ports 101

Rate Limiters Configures rate limit policies 103

Access Control List

DHCP Dynamic Host Configuration Protocol

Snooping Enables DHCP snooping globally; and sets the trust mode for

Relay Configures DHCP relay information status and policy 115

IP Source Guard Filters IP traffic based on static entries in the IP Source

Configuration Enables IP source guard and sets the maximum number of

Static Table Adds a static addresses to the source-guard binding table 118

ARP Inspection Address Resolution Protocol Inspection 120

Configuration Enables inspection globally, and per port 121

Static Table Adds static entries based on port, VLAN ID, and source MAC

Configures ACLs based on frame type, destination MAC type, VLAN ID, VLAN priority tag; and the action to take for matching packets

each port

Guard table, or dynamic entries in the DHCP Snooping table

clients that can learned dynamically

address and IP address in ARP request packets

104

112

116

122

– 38 –

Page 39

HAPTER

| Using the Web Interface

Navigating the Web Browser Interface

Table 4: Main Menu (Continued)

Menu Description Page

AAA Configures RADIUS authentication server, RADIUS

accounting server, and TACACS+ authentication server settings

Aggregation

Static Specifies ports to group into static trunks 126

LACP Allows ports to dynamically join trunks 128

Loop Protection Detects general loopback conditions caused by hardware

problems or faulty protocol settings

Spanning Tree

Bridge Settings Configures global bridge settings for STP, RSTP and MSTP;

also configures edge port settings for BPDU filtering, BPDU guard, and port error recovery

MSTI Mapping Maps VLANs to a specific MSTP instance 138

MSTI Priorities Configures the priority for the CIST and each MSTII 140

CIST Ports Configures interface settings for STA 141

MSTI Ports Configures interface settings for an MST instance 144

123

125

130

132

134

MVR Configures Multicast VLAN Registration, including global

status, MVR VLAN, port mode, and immediate leave

145

IPMC IP Multicast

IGMP Snooping Internet Group Management Protocol Snooping 151

Basic Configuration

VLAN Configuration

Port Group

Configures global and port settings for multicast filtering 151

Configures IGMP snooping per VLAN interface 154

Configures multicast groups to be filtered on specified port 156

Filtering

MLD Snooping Multicast Listener Discovery Snooping 157

Basic

Configures global and port settings for multicast filtering 157

Configuration

VLAN Configuration

Port Group Filtering

Configures MLD snooping per VLAN interface 160

Configures multicast groups to be filtered on specified port 162

LLDP Link Layer Discovery Protocol 163

LLDP Configures global LLDP timing parameters, and port-specific

TLV attributes

LLDP-MED Configures LLDP-MED attributes, including device location,

163

166

emergency call server, and network policy discovery

MAC Table

VLANs

Configures address aging, dynamic learning, and static addresses

172

Virtual LANs 174

VLAN Membership Configures VLAN groups 175

Ports Specifies default PVID and VLAN attributes 176

Private VLANs

– 39 –

Page 40

HAPTER

| Using the Web Interface

Navigating the Web Browser Interface

Table 4: Main Menu (Continued)

Menu Description Page

PVLAN Membership

Port Isolation Prevents communications between designated ports within

VCL VLAN Control List

MAC-based VLAN Maps traffic with specified source MAC address to a VLAN 181

Protocol-based VLAN

Protocol to Group

Group to VLAN Maps a protocol group to a VLAN for specified ports 185

IP Subnet-based VLAN

Voice VLAN 187

Configuration Configures global settings, including status, voice VLAN ID,

Configures PVLAN groups 179

the same private VLAN

Creates a protocol group, specifying supported protocols 183

Maps traffic for a specified IP subnet to a VLAN 186

VLAN aging time, and traffic priority; also configures port settings, including the way in which a port is added to the Voice VLAN, and blocking non-VoIP addresses

181

183

188

OUI Maps the OUI in the source MAC address of ingress packets

QoS 191

Port Classification Configures default traffic class, drop priority, user priority,

Port Policing Controls the bandwidth provided for frames entering the

Port Scheduler Provides overview of QoS Egress Port Schedulers, including

Port Shaping Provides overview of QoS Egress Port Shapers, including the

Port Tag Remarking

Port DSCP Configures ingress translation and classification settings and

DSCP-Based QoS Configures DSCP-based QoS ingress classification settings 204

DSCP Translation Configures DSCP translation for ingress traffic or DSCP re-

to the VoIP device manufacturer

drop eligible indicator, classification mode for tagged frames, and DSCP-based QoS classification

ingress queue of specified ports.

the queue mode and weight; also configures egress queue mode, queue shaper (rate and access to excess bandwidth), and port shaper

rate for each queue and port; also configures egress queue mode, queue shaper (rate and access to excess bandwidth), and port shaper

Provides overview of QoS Egress Port Tag Remarking; also sets the remarking mode (classified PCP/DEI values, default PCP/DEI values, or mapped versions of QoS class and drop priority)

egress re-writing of DSCP values

mapping for egress traffic

190

192

194

196

198

199

202

205

DSCP Classification

QoS Control List Configures QoS policies for handling ingress packets based

Storm Control Sets limits for broadcast, multicast, and unknown unicast

Maps DSCP values to a QoS class and drop precedence level 206

on Ethernet type, VLAN ID, TCP/UDP port, DSCP, ToS, or VLAN priority tag

traffic

– 40 –

207

211

Page 41

HAPTER

| Using the Web Interface

Navigating the Web Browser Interface

Table 4: Main Menu (Continued)

Menu Description Page

Mirroring & RSPAN

UPnP Enables UPNP and defines timeout values 220

Sets source and target ports for local or remote mirroring 213

sFlow Samples traffic flows, and forwards data to designated

Monitor 225

System 225

Information Displays basic system description, switch’s MAC address,

CPU Load Displays graphic scale of CPU utilization 226

Log Displays logged messages based on severity 227

Detailed Log Displays detailed information on each logged message 229

Ports 229

State Displays a graphic image of the front panel indicating active

Traffic Overview Shows basic Ethernet port statistics 230

QoS Statistics Shows the number of packets entering and leaving the

QCL Status Shows the status of QoS Control List entries 231

Detailed Statistics Shows detailed Ethernet port statistics 233

Security 236

Access Management Statistics

Network

Port Security

collector

system time, and software version

port connections

egress queues

Displays the number of packets used to manage the switch via HTTP, HTTPS, and SNMP, Telnet, and SSH

221

225

229

231

236

Switch Shows information about MAC address learning for each

Port Shows the entries authorized by port security services,

NAS Shows global and port settings for IEEE 802.1X

Switch Shows port status for authentication services, including

Port Displays authentication statistics for the selected port –

ACL Status Shows the status for different security modules which use

DHCP Dynamic Host Configuration Protocol

Snooping Statistics

port, including the software module requesting port security services, the service state, the current number of learned addresses, and the maximum number of secure addresses allowed

including MAC address, VLAN ID, the service state, time added to table, age, and hold state

802.1X security state, last source address used for authentication, and last ID

either for 802.1X protocol or for the remote authentication server depending on the authentication method

ACL filtering, including ingress port, frame type, and forwarding action

Shows statistics for various types of DHCP protocol packets 243

– 41 –

237

239

240

241

242

Page 42

HAPTER

| Using the Web Interface

Navigating the Web Browser Interface

Table 4: Main Menu (Continued)

Menu Description Page

Relay Statistics

ARP Inspection Displays entries in the ARP inspection table, sorted first by

Displays server and client statistics for packets affected by the relay information policy

port, then VLAN ID, MAC address, and finally IP address

245

246

IP Source Guard Displays entries in the IP Source Guard table, sorted first by

AAA Authentication, Authorization and Accounting 248

RADIUS Overview

RADIUS Details Displays the traffic and status associated with each

Switch

RMON Remote Monitoring 253

Statistics Shows sampled data for each entry in the statistics group 253

History Shows sampled data for each entry in the history group 254

Alarm Shows all configured alarms 255

Event Shows all logged events 256

LACP Link Aggregation Control Protocol 257

System Status Displays administration key and associated local ports for

Port Status Displays administration key, LAG ID, partner ID, and partner

Port Statistics Displays statistics for LACP protocol messages 258

Loop Protection Displays settings, current status, and time of last detected

Spanning Tree 260

Bridge Status Displays global bridge and port settings for STA 260

port, then VLAN ID, MAC address, and finally IP address

Displays status of configured RADIUS authentication and accounting servers

configured RADIUS server

each partner

ports for each local port

loop

247

248

249

257

259

Port Status Displays STA role, state, and uptime for each port 263

Port Statistics Displays statistics for RSTP, STP and TCN protocol packets 263

MVR Multicast VLAN Registration 264

Statistics Shows statistics for IGMP protocol messages used by MVR 264

MVR Channel Groups

MVR SFM Information

IPMC IP Multicast

IGMP Snooping 267

Status Displays statistics related to IGMP packets passed upstream

Group Information

Shows information about the interfaces associated with multicast groups assigned to the MVR VLAN

Displays MVR Source-Filtered Multicast information including group, filtering mode (include or exclude), source address, and type (allow or deny)

to the IGMP Querier or downstream to multicast clients

Displays active IGMP groups 268

– 42 –

265

266

267

Page 43

HAPTER

| Using the Web Interface

Navigating the Web Browser Interface

Table 4: Main Menu (Continued)

Menu Description Page

IPv4 SFM Information

MLD Snooping Multicast Listener Discovery Snooping 270

Status Displays MLD querier status and protocol statistics 270

Group Information

Displays IGMP Source-Filtered Multicast information including group, filtering mode (include or exclude), source address, and type (allow or deny)

Displays active MLD groups 271

269

IPv6 SFM Information

LLDP Link Layer Discovery Protocol 273

Neighbors Displays LLDP information about a remote device connected

LLDP-MED Neighbors

EEE Displays Energy Efficient Ethernet information advertised

Port Statistics Displays statistics for all connected remote devices, and

MAC Table Displays dynamic and static address entries associated with

VLANs Virtual LANs 281

VLAN Membership Shows the current port members for all VLANs configured by

VLAN Port Shows the VLAN attributes of port members for all VLANs

VCL VLAN Control List

MAC-based VLAN Displays MAC address to VLAN map entries 283

sFlow Displays information on sampled traffic, including the owner,

Diagnostics 287

Displays MLD Source-Filtered Multicast information including group, filtering mode (include or exclude), source address, and type (allow or deny)

to a port on this switch

Displays information about a remote device connected to a port on this switch which is advertising LLDP-MED TLVs, including network connectivity device, endpoint device, capabilities, application type, and policy

through LLDP messages

statistics for LLDP protocol packets crossing each port

the CPU and each port

a selected software module

configured by a selected software module which uses VLAN management, including PVID, VLAN aware, ingress filtering, frame type, egress filtering, and PVID

receiver address, remaining sampling time, and statistics for UDP control packets and sampled traffic

272

273

274

277

278

280

281

282

284

Ping Tests specified path using IPv4 ping 287

Ping6 Tests specified path using IPv6 ping 287

Maintenance 289

Restart Device Restarts the switch 289

Factory Defaults Restores factory default settings 290

Software

Upload Updates software on the switch with a file specified on the

Image Select Displays information about the active and alternate (backup)

management station

firmware images in the switch, and allows you to revert to the alternate image

– 43 –

290

291

Page 44

HAPTER

| Using the Web Interface

Navigating the Web Browser Interface

Table 4: Main Menu (Continued)

Menu Description Page

Configuration Displays information about the active and alternate (backup)

Save Saves or views the switch’s current configuration in XML

Upload Uploads a saved configuration file to the switch 292

firmware images in the switch, and allows you to revert to the alternate image

format. Select Save to save the XML configuration file to local storage or select View to open the XML file with your web browser.

292

– 44 –

Page 45

HAPTER

| Using the Web Interface

Navigating the Web Browser Interface

Table 4: Main Menu (Continued)

Menu Description Page

Configuration 292

Save Saves configuration settings to a file on the management

Upload Restores configuration settings from a file on the

1. The Basic Configuration menu is a subset of Advanced Configuration. The following configuration chapter is therefore structured on the Advanced Configuration menu.

2. These menus are repeated from the Basic Configuration folder.

station

management station

292

– 45 –

Page 46

HAPTER

| Using the Web Interface

Navigating the Web Browser Interface

– 46 –

Page 47

4 CONFIGURING THE SWITCH

This chapter describes all of the basic configuration tasks.

CONFIGURING SYSTEM INFORMATION

Use the System Information Configuration page to identify the system by configuring contact information, system name, and the location of the switch.

PATH

Basic/Advanced Configuration, System, Information

PARAMETERS

These parameters are displayed:

◆ System Contact – Administrator responsible for the system.

(Maximum length: 255 characters)

◆ System Name – Name assigned to the switch system.

(Maximum length: 255 characters)

◆ System Location – Specifies the system location.

(Maximum length: 255 characters)

WEB INTERFACE

To configure System Information:

1. Click Configuration, System, Information.

2. Specify the contact information for the system administrator, as well as

the name and location of the switch.Click Save.

Figure 3: System Information Configuration

– 47 –

Page 48

HAPTER

Setting an IP Address

| Configuring the Switch

SETTING AN IP ADDRESS

This section describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.

SETTING AN IPV4

DDRESS

Use the IP Configuration page to configure an IPv4 address for the switch. The IP address for the switch is obtained via DHCP by default for VLAN 1. To manually configure an address, you need to change the switch's default settings to values that are compatible with your network. You may also need to a establish a default gateway between the switch and management stations that exist on another network segment.

OTE

An IPv4 address for this switch is obtained via DHCP by default. If the switch does not receive a response from a DHCP server, it will default to the IP address 192.168.2.10 and subnet mask 255.255.255.0.

You can manually configure a specific IP address, or direct the device to obtain an address from a DHCP server. Valid IPv4 addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything other than this format will not be accepted by the CLI program.

PATH

Basic/Advanced Configuration, System, IP

PARAMETERS

These parameters are displayed:

IP Configuration

◆ DHCP Client – Specifies whether IP functionality is enabled via

Dynamic Host Configuration Protocol (DHCP). If DHCP is enabled, IP will not function until a reply has been received from the server. Requests will be broadcast periodically by the switch for an IP address. DHCP values can include the IP address, subnet mask, and default gateway. (Default: Enabled)

◆ IP Address – Address of the VLAN specified in the VLAN ID field. This

should be the VLAN to which the management station is attached. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. (Default: 192.168.2.10)

◆ IP Mask – This mask identifies the host address bits used for routing

to specific subnets. (Default: 255.255.255.0)

– 48 –

Page 49

HAPTER

| Configuring the Switch

Setting an IP Address

◆ IP Router – IP address of the gateway router between the switch and

management stations that exist on other network segments.

◆ VLAN ID – ID of the configured VLAN. By default, all ports on the

switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address. (Range: 1-4095; Default: 1)

◆ DNS Server – A Domain Name Server to which client requests for

mapping host names to IP addresses are forwarded.

IP DNS Proxy Configuration

◆ DNS Proxy – If enabled, the switch maintains a local database based

on previous responses to DNS queries forwarded on behalf of attached clients. If the required information is not in the local database, the switch forwards the DNS query to a DNS server, stores the response in its local cache for future reference, and passes the response back to the client.

WEB INTERFACE

To configure an IP address:

1. Click Configuration, System, IP.

2. Specify the IPv4 settings, and enable DNS proxy service if required.

3. Click Save.

Figure 4: IP Configuration

SETTING AN IPV6

DDRESS

Use the IPv6 Configuration page to configure an IPv6 address for management access to the switch.

– 49 –

Page 50

HAPTER

Setting an IP Address

| Configuring the Switch

IPv6 includes two distinct address types - link-local unicast and global unicast. A link-local address makes the switch accessible over IPv6 for all devices attached to the same local subnet. Management traffic using this kind of address cannot be passed by any router outside of the subnet. A link-local address is easy to set up, and may be useful for simple networks or basic troubleshooting tasks. However, to connect to a larger network with multiple segments, the switch must be configured with a global unicast address. A link-local address must be manually configured, but a global unicast address can either be manually configured or dynamically assigned.

PATH

Basic/Advanced Configuration, System, IPv6

USAGE GUIDELINES

◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6

Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.

◆ When configuring a link-local address, note that the prefix length is

fixed at 64 bits, and the host portion of the default address is based on the modified EUI-64 (Extended Universal Identifier) form of the interface identifier (i.e., the physical MAC address). You can manually configure a link-local address by entering the full address with the network prefix FE80.

◆ To connect to a larger network with multiple subnets, you must

configure a global unicast address. There are several alternatives to configuring this address type:

■

The global unicast address can be automatically configured by taking the network prefix from router advertisements observed on the local interface, and using the modified EUI-64 form of the interface identifier to automatically create the host portion of the address. This option can be selected by enabling the Auto Configuration option.

■

You can also manually configure the global unicast address by entering the full address and prefix length.

◆ The management VLAN to which the IPv6 address is assigned must be

specified on the IP Configuration page. See "Setting an IPv4 Address"

on page 48.

PARAMETERS

These parameters are displayed:

◆ Auto Configuration – Enables stateless autoconfiguration of IPv6

addresses on an interface and enables IPv6 functionality on the interface. The network portion of the address is based on prefixes received in IPv6 router advertisement messages, and the host portion is automatically generated using the modified EUI-64 form of the interface identifier; i.e., the switch's MAC address. (Default: Disabled)

– 50 –

Page 51

HAPTER

| Configuring the Switch

Setting an IP Address

◆ Address – Manually configures a global unicast address by specifying

the full address and network prefix length (in the Prefix field). (Default: ::192.168.2.10)

◆ Prefix – Defines the prefix length as a decimal value indicating how

many contiguous bits (starting at the left) of the address comprise the prefix; i.e., the network portion of the address. (Default: 96 bits)

Note that the default prefix length of 96 bits specifies that the first six colon-separated values comprise the network portion of the address.

◆ Router – Sets the IPv6 address of the default next hop router.

An IPv6 default gateway must be defined if the management station is located in a different IPv6 segment.

An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.

WEB INTERFACE

To configure an IPv6 address:

1. Click Configuration, System, IPv6.

2. Specify the IPv6 settings. The information shown below provides a

example of how to manually configure an IPv6 address.

3. Click Save.

Figure 5: IPv6 Configuration

– 51 –

Page 52

HAPTER

Configuring NTP Service

| Configuring the Switch

CONFIGURING NTP SERVICE

Use the NTP Configuration page to specify the Network Time Protocol (NTP) servers to query for the current time. NTP allows the switch to set its internal clock based on periodic updates from an NTP time server. Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.

When the NTP client is enabled, the switch periodically sends a request for a time update to a configured time server. You can configure up to five time server IP addresses. The switch will attempt to poll each server in the configured sequence.

PATH

Basic/Advanced Configuration, System, NTP

PARAMETERS

These parameters are displayed:

◆ Mode – Enables or disables NTP client requests.

◆ Server – Sets the IPv4 or IPv6 address for up to five time servers. The

switch attempts to update the time from the first server, if this fails it attempts an update from the next server in the sequence. The polling interval is fixed at 15 minutes.

WEB INTERFACE

To configure the NTP servers:

1. Click Configuration, System, NTP.

2. Enter the IP address of up to five time servers.

3. Click Save.

Figure 6: NTP Configuration

– 52 –

Page 53

HAPTER

Configuring the Time Zone and Daylight Savings Time

CONFIGURING THE TIME ZONE AND DAYLIGHT SAVINGS TIME

Use the Time Zone and Daylight Savings Time page to set the time zone and Daylight Savings Time.

Time Zone – NTP/SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC. You can choose one of the 80 predefined time zone definitions, or your can manually configure the parameters for your local time zone.

Daylight Savings Time – In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Daylight Savings Time or Summer Time. Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.

| Configuring the Switch

PATH

Basic/Advanced Configuration, System, Time

PARAMETERS

These parameters are displayed:

Time Zone Configuration

◆ Time Zone – A drop-down box provides access to the 80 predefined

time zone configurations. Each choice indicates it’s offset from UTC and lists at least one major city or location covered by the time zone.

◆ Acronym – Sets the acronym of the time zone. (Range: Up to 16

alphanumeric characters, as well as the symbols ‘-’, ‘_’ or ‘.’)

Daylight Saving Time Configuration

◆ Mode – Selects one of the following configuration modes.

■

Disabled – Daylight Savings Time is not used.

■

Recurring – Sets the start, end, and offset times of summer time for the switch on a recurring basis. This mode sets the summertime zone relative to the currently configured time zone.

■

From – Start time for summer-time.

■

To – End time for summer-time.

■

Offset – The number of minutes to add during Daylight Saving Time. (Range: 1-1440)

– 53 –

Page 54

HAPTER

Configuring the Time Zone and Daylight Savings Time

| Configuring the Switch

■

Non-Recurring – Sets the start, end, and offset times of summer time for the switch on a one-time basis.

■

From – Start time for summer-time.

■

To – End time for summer-time.

■

Offset – The number of minutes to add during Daylight Saving Time. (Range: 1-1440)

WEB INTERFACE

To set the time zone or Daylight Savings Time:

1. Click Configuration, System, Time.

2. Select one of the predefined time zones.

3. Select the Daylight Savings Time mode, and then set the start, end and

offset times.

4. Click Save.

– 54 –

Page 55

HAPTER

| Configuring the Switch

Configuring the Time Zone and Daylight Savings Time

Figure 7: Time Zone and Daylight Savings Time Configuration

– 55 –

Page 56

HAPTER

Configuring Remote Log Messages

| Configuring the Switch

CONFIGURING REMOTE LOG MESSAGES

Use the System Log Configuration page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to specified types.

PATH

Basic/Advanced Configuration, System, Log

COMMAND USAGE

When remote logging is enabled, system log messages are sent to the designated server. The syslog protocol is basedon UDP and received on UDP port 514. UDP is a connectionless protocol and does not provide acknowledgments. The syslog packet will always be sent out even if the syslog server does not exist.

PARAMETERS

These parameters are displayed:

◆ Server Mode – Enables/disables the logging of debug or error

messages to the remote logging process. (Default: Disabled)

◆ Server Address – Specifies the IPv4 address or alias of a remote

server which will be sent syslog messages.

◆ Syslog Level – Limits log messages that are sent to the remote syslog

server for the specified types. Messages options include the following:

■

Info – Send informations, warnings and errors. (Default setting)

■

Warning – Send warnings and errors.

■

Error – Send errors.

WEB INTERFACE

To configure the logging of error messages to remote servers:

1. Click Configuration, System, Log.

2. Enable remote logging, enter the IP address of the remote server, and

specify the type of syslog messages to send.

3. Click Apply.

Figure 8: Configuring Settings for Remote Logging of Error Messages

– 56 –

Page 57

CONFIGURING POWER REDUCTION

The switch provides a power saving method that can power down the circuitry for port queues when not in use.

HAPTER

| Configuring the Switch

Configuring Power Reduction

REDUCING POWER TO

IDLE QUEUE CIRCUITS

Use the EEE Configuration page to configure Energy Efficient Ethernet (EEE) for specified queues, and to specify urgent queues which are to transmit data after maximum latency expires regardless of queue length.

PATH

Advanced Configuration, Power Reduction, EEE

COMMAND USAGE

◆ EEE works by powering down circuits when there is no traffic. When a

port gets data to be transmitted all relevant circuits are powered up. The time it takes to power up the circuits is call the wakeup time. The default wakeup time is 17 µs for 1 Gbps links and 30 µs for other link speeds. EEE devices must agree upon the value of the wakeup time in order to make sure that both the receiving and transmitting devices have all circuits powered up when traffic is transmitted. The devices can exchange information about the device wakeup time using LLDP protocol.

To maximize power savings, the circuit is not started as soon as data is ready to be transmitted from a port, but instead waits until 3000 bytes of data is queued at the port. To avoid introducing a large delay when the queued data is less then 3000 bytes, data is always transmitted after 48 µs, giving a maximum latency of 48 µs plus the wakeup time.

◆ If required, it is possible to minimize the latency for specific frames by

mapping the frames to a specific queue (EEE Urgent Queues). When an urgent queue gets data to be transmitted, the circuits will be powered up at once and the latency will be reduced to the wakeup time.

PARAMETERS

These parameters are displayed:

◆ Port – Port identifier.

◆ EEE Enabled – Enables or disables EEE for the specified port.

◆ EEE Urgent Queues – Specifies which are to transmit data after the

maximum latency expires regardless queue length.

WEB INTERFACE

To configure the power reduction for idle queue circuits:

1. Click Configuration, Power Reduction, EEE.

2. Select the circuits which will use EEE.

– 57 –

Page 58

HAPTER

Configuring Port Connections

| Configuring the Switch

3. If required, also specify urgent queues which will be powered up once

data is queued and the default wakeup time has passed.

4. Click Save.

Figure 9: Configuring EEE Power Reduction

CONFIGURING PORT CONNECTIONS

Use the Port Configuration page to configure the connection parameters for each port. This page includes options for enabling auto-negotiation or manually setting the speed and duplex mode, enabling flow control, setting the maximum frame size, specifying the response to excessive collisions, or enabling power saving mode.

PATH

Basic/Advanced Configuration, Ports

– 58 –

Page 59

HAPTER

| Configuring the Switch

Configuring Port Connections

PARAMETERS

These parameters are displayed:

◆ Link – Indicates if the link is up or down.

◆ Speed – Sets the port speed and duplex mode using auto-negotiation

or manual selection. The following options are supported:

■

Disabled - Disables the interface. You can disable an interface due to abnormal behavior (e.g., excessive collisions), and then reenable it after the problem has been resolved. You may also disable an interface for security reasons.

■

Auto - Enables auto-negotiation. When using auto-negotiation, the optimal settings will be negotiated between the link partners based on their advertised capabilities.

■

1Gbps FDX - Supports 1 Gbps full-duplex operation

■

100Mbps FDX - Supports 100 Mbps full-duplex operation

■

100Mbps HDX - Supports 100 Mbps half-duplex operation

■

10Mbps FDX - Supports 10 Mbps full-duplex operation

■

10Mbps HDX - Supports 10 Mbps half-duplex operation

(Default: Autonegotiation enabled; Advertised capabilities for RJ-45: 1000BASE-T - 10half, 10full, 100half, 100full, 1000full; SFP: 1000BASE-SX/LX/LH - 1000full)

OTE

The 1000BASE-T standard does not support forced mode. Autonegotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches.

◆ Flow Control – Flow control can eliminate frame loss by “blocking”

traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for halfduplex operation and IEEE 802.3-2005 (formally IEEE 802.3x) for fullduplex operation. (Default: Disabled)

When auto-negotiation is used, this parameter indicates the flow control capability advertised to the link partner. When the speed and duplex mode are manually set, the Current Rx field indicates whether pause frames are obeyed by this port, and the Current Tx field indicates if pause frames are transmitted from this port.

Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub.

◆ Maximum Frame Size – Sets the maximum transfer unit for traffic

crossing the switch. Packets exceeding the maximum frame size are dropped. (Range: 9600-1518 bytes; Default: 9600 bytes)

– 59 –

Page 60

HAPTER

Configuring Port Connections

| Configuring the Switch

◆ Excessive Collision Mode – Sets the response to take when excessive

transmit collisions are detected on a port.

■

Discard - Discards a frame after 16 collisions (default).

■

Restart - Restarts the backoff algorithm after 16 collisions.

◆ Power Control – Adjusts the power provided to ports based on the

length of the cable used to connect to other devices. Only sufficient power is used to maintain connection requirements.

IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters. Enabling power saving mode can significantly reduce power used for cable lengths of 20 meters or less, and continue to ensure signal integrity.

The following options are supported:

■

Disabled – All power savings mechanisms disabled (default).

■

Enabled – Both link up and link down power savings enabled.

■

ActiPHY – Link down power savings enabled.

■

PerfectReach – Link up power savings enabled.

WEB INTERFACE

To configure port connection settings:

1. Click Configuration, Ports.

2. Make any required changes to the connection settings.

3. Click Save.

– 60 –

Page 61

Figure 10: Port Configuration

HAPTER

| Configuring the Switch

Configuring Security

CONFIGURING SECURITY

You can configure this switch to authenticate users logging into the system for management access or to control client access to the data ports.

Management Access Security (Switch menu) – Management access to the switch can be controlled through local authentication of user names and passwords stored on the switch, or remote authentication of users via a RADIUS or TACACS+ server. Additional authentication methods includes Secure Shell (SSH), Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), static configuration of client addresses, and SNMP.

General Security Measures (Network menu) – This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes. In addition to these methods, several other options of providing client security are supported by this switch. These include limiting the number of users accessing a port. The addresses assigned to DHCP clients can also be carefully controlled using static or dynamic bindings with DHCP Snooping and IP Source Guard commands. ARP Inspection can also be used to validate the MAC address

– 61 –

Page 62

HAPTER

Configuring Security

| Configuring the Switch

bindings for ARP packets, providing protection against ARP traffic with invalid MAC to IP address bindings, which forms the basis for “man-in-themiddle” attacks.

CONFIGURING USER

ACCOUNTS

Use the User Configuration page to control management access to the switch based on manually configured user names and passwords.

PATH

Advanced Configuration, Security, Switch, Users

COMMAND USAGE

◆ The default guest name is “guest” with the password “guest.” The

default administrator name is “admin” with the password “admin.”

◆ The guest only has read access for most configuration parameters.

However, the administrator has write access for all parameters governing the onboard agent. You should therefore assign a new administrator password as soon as possible, and store it in a safe place.

◆ The administrator has a privilege level of 15, with access to all process

groups and full control over the device. If the privilege level is set to any other value, the system will refer to each group privilege level. The user's privilege should be same or greater than the group privilege level to have the access of a group. By default, most of the group privilege levels are set to 5 which provides read-only access and privilege level 10 which also provides read/write access. To perform system maintenance (software upload, factory defaults, etc.) the user’s privilege level should be set to 15. Generally, the privilege level 15 can be used for an administrator account, privilege level 10 for a standard user account, and privilege level 5 for a guest account.

PARAMETERS

These parameters are displayed:

◆ User Name – The name of the user.

(Maximum length: 8 characters; maximum number of users: 16)

◆ Password – Specifies the user password.

(Range: 0-8 characters plain text, case sensitive)

◆ Password (again) – Re-type the string entered in the previous field to

ensure no errors were made. The switch will not change the password if these two fields do not match.

◆ Privilege Level – Specifies the user level. (Options: 1 - 15)

Access to specific functions are controlled through the Privilege Levels configuration page (see page 63). The default settings provide four access levels:

■

1 – Read access of port status and statistics.

■

5 – Read access of all system functions except for maintenance and debugging

– 62 –

Page 63

HAPTER

■

10 – read and write access of all system functions except for

| Configuring the Switch

maintenance and debugging

■

15 – read and write access of all system functions including maintenance and debugging.

WEB INTERFACE

To show user accounts:

1. Click Advanced Configuration, Security, Switch, Users.

Figure 11: Showing User Accounts

To configure a user account:

Configuring Security

CONFIGURING USER

PRIVILEGE LEVELS

1. Click Advanced Configuration, Security, Switch, Users.

2. Click “Add new user.”

3. Enter the user name, password, and privilege level.

4. Click Save.

Figure 12: Configuring User Accounts

Use the Privilege Levels page to set the privilege level required to read or configure specific software modules or system settings.

PATH

Advanced Configuration, Security, Switch, Privilege Levels

PARAMETERS

These parameters are displayed:

– 63 –

Page 64

HAPTER

| Configuring the Switch

Configuring Security

◆ Group Name – The name identifying a privilege group. In most cases,

a privilege group consists of a single module (e.g., LACP, RSTP or QoS), but a few groups contains more than one module. The following describes the groups which contain multiple modules or access to various system settings:

■

System: Contact, Name, Location, Timezone, Log.

■

Security: Authentication, System Access Management, Port (contains Dot1x port, MAC based and the MAC Address Limit), ACL, HTTPS, SSH, ARP Inspection, and IP source guard.

■

IP: Everything except for ping.

■

Port: Everything

■

Diagnostics

■

Maintenance: CLI - System Reboot, System Restore Default, System Password, Configuration Save, Configuration Load and Firmware Load. Web - Users, Privilege Levels and everything in Maintenance.

■

Debug: Only present in CLI.

◆ Privilege levels – Every privilege level group can be configured to

access the following modules or system settings: Configuration Readonly, Configuration/Execute Read-write, Status/Statistics Read-only, and Status/Statistics Read-write (e.g., clearing statistics).

The default settings provide four access levels:

■

1 – Read access of port status and statistics.

■

5 – Read access of all system functions except for maintenance and debugging

■

10 – read and write access of all system functions except for maintenance and debugging

■

15 – read and write access of all system functions including maintenance and debugging.

WEB INTERFACE

To configure privilege levels:

1. Click Advanced Configuration, Security, Switch, Privilege Levels.

2. Set the required privilege level for any software module or functional

group.

3. Click Save.

– 64 –

Page 65

Figure 13: Configuring Privilege Levels

HAPTER

| Configuring the Switch

Configuring Security

CONFIGURING THE

AUTHENTICATION

METHOD FOR

MANAGEMENT ACCESS

Use the Authentication Method Configuration page to specify the authentication method for controlling management access through the console, Telnet, SSH or HTTP/HTTPS. Access can be based on the (local) user name and password configured on the switch, or can be controlled with a RADIUS or TACACS+ remote access authentication server. Note that the RADIUS servers used to authenticate client access for IEEE 802.1X port authentication are also configured on this page (see page 90).

Remote Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) are logon authentication protocols that use software running on a central server to control access to RADIUS-aware or TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user that requires management access to the switch.

– 65 –

Page 66

Web

RADIUS/ TACACS+ server

1. Client attempts management access.

2. Switch contacts authentication server.

3.Authentication server challenges client.

4. Client responds with proper password or key.

5.Authentication server approves access.

6. Switch grants management access.

HAPTER

Configuring Security

| Configuring the Switch

Figure 14: Authentication Server Operation

PATH

Advanced Configuration, Security, Switch, Auth Method

USAGE GUIDELINES

◆ The switch supports the following authentication services:

■

Authorization of users that access the Telnet, SSH, the web, or console management interfaces on the switch.

■

Accounting for users that access the Telnet, SSH, the web, or console management interfaces on the switch.

■

Accounting for IEEE 802.1X authenticated users that access the network through the switch. This accounting can be used to provide reports, auditing, and billing for services that users have accessed.

◆ By default, management access is always checked against the

authentication database stored on the local switch. If a remote authentication server is used, you must specify the authentication method and the corresponding parameters for the remote authentication protocol on the Network Access Server Configuration page. Local and remote logon authentication can be used to control management access via Telnet, SSH, a web browser, or the console interface.

◆ When using RADIUS or TACACS+ logon authentication, the user name

and password must be configured on the authentication server. The encryption methods used for the authentication process must also be configured or negotiated between the authentication server and logon client. This switch can pass authentication messages between the server and client that have been encrypted using MD5 (Message-Digest

5), TLS (Transport Layer Security), or TTLS (Tunneled Transport Layer Security).

– 66 –

Page 67

HAPTER

OTE

This guide assumes that RADIUS and TACACS+ servers have already

| Configuring the Switch

Configuring Security

been configured to support AAA. The configuration of RADIUS and TACACS+ server software is beyond the scope of this guide. Refer to the documentation provided with the RADIUS and TACACS+ server software.

PARAMETERS

These parameters are displayed:

◆ Client – Specifies how the administrator is authenticated when logging

into the switch via Telnet, SSH, or a web browser.

◆ Authentication Method – Selects the authentication method.

(Options: None, Local, RADIUS, TACACS+; Default: Local)

Selecting the option “None” disables access through the specified management interface.

◆ Fallback – Uses the local user database for authentication if none of

the configured authentication servers are alive. This is only possible if the Authentication Method is set to something else than “none” or “local.”

WEB INTERFACE

To configure authentication for management access:

1. Click Advanced Configuration, Security, Switch, Auth Method.

2. Configure the authentication method for management client types, and

specify whether or not to fallback to local authentication if no remote authentication server is available.

3. Click Save.

Figure 15: Authentication Method for Management Access

CONFIGURING SSH Use the SSH Configuration page to configure access to the Secure Shell

(SSH) management interface. SSH provides remote management access to this switch as a secure replacement for Telnet. When the client contacts the switch via the SSH protocol, the switch generates a public-key that the client uses along with a local user name and password for access authentication. SSH also encrypts all data transfers passing between the switch and SSH-enabled management station clients, and ensures that data traveling over the network arrives unaltered.

– 67 –

Page 68

HAPTER

Configuring Security

| Configuring the Switch

PATH

Advanced Configuration, Security, Switch, SSH

USAGE GUIDELINES

◆ You need to install an SSH client on the management station to access

the switch for management via the SSH protocol. The switch supports both SSH Version 1.5 and 2.0 clients.

◆ SSH service on this switch only supports password authentication. The

password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified on the Auth Method menu (page 65).

To use SSH with password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known host file. However, you do not need to configure the client's keys.

◆ The SSH service on the switch supports up to four client sessions. The

maximum number of client sessions includes both current Telnet sessions and SSH sessions.

PARAMETERS

These parameters are displayed:

◆ Mode - Allows you to enable/disable SSH service on the switch.

(Default: Enabled)

WEB INTERFACE

To c on f i g ur e S S H :

1. Click Advanced Configuration, Security, Switch, SSH.

2. Enable SSH if required.

3. Click Save.

Figure 16: SSH Configuration

CONFIGURING HTTPS Use the HTTPS Configuration page to enable the Secure Hypertext Transfer

Protocol (HTTPS) over the Secure Socket Layer (SSL). HTTPS provides secure access (i.e., an encrypted connection) to the switch's web interface.

PATH

Advanced Configuration, Security, Switch, HTTPS

– 68 –

Page 69

HAPTER

| Configuring the Switch

Configuring Security

USAGE GUIDELINES

◆ If you enable HTTPS, you must indicate this in the URL that you specify

in your browser: https://device[:port-number]

◆ When you start HTTPS, the connection is established in this way:

■

The client authenticates the server using the server's digital certificate.

■

The client and server negotiate a set of security protocols to use for the connection.

■

The client and server generate session keys for encrypting and decrypting data.

■

The client and server establish a secure encrypted connection.

A padlock icon should appear in the status bar for Internet Explorer

5.x or above, Netscape 6.2 or above, and Mozilla Firefox 2.0.0.0 or above.

◆ The following web browsers and operating systems currently support

HTTPS:

Table 5: HTTPS System Support

Web Browser Operating System

Internet Explorer 5.0 or later Windows 98,Windows NT (with service pack 6a),

Netscape 6.2 or later Windows 98,Windows NT (with service pack 6a),

Mozilla Firefox 2.0.0.0 or later Windows 2000, Windows XP, Windows Vista, Linux

Windows 2000, Windows XP, Windows Vista, Windows 7

Windows 2000, Windows XP, Windows Vista, Solaris 2.6

PARAMETERS

These parameters are displayed:

◆ Mode - Enables HTTPS service on the switch. (Default: Enabled)

◆ Automatic Redirect - Sets the HTTPS redirect mode operation. When

enabled, management access to the HTTP web interface for the switch are automatically redirected to HTTPS. (Default: Disabled)

WEB INTERFACE

To c on f i g ur e H TTP S:

1. Click Advanced Configuration, HTTPS.

2. Enable HTTPS if required and set the Automatic Redirect mode.

3. Click Save.

– 69 –

Page 70

HAPTER

Configuring Security

| Configuring the Switch

Figure 17: HTTPS Configuration

FILTERING IP

ADDRESSES FOR

MANAGEMENT ACCESS

Use the Access Management Configuration page to create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, or SNMP, or Telnet.

The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses. If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection.

PATH

Advanced Configuration, Security, Switch, Access Management

PARAMETERS

These parameters are displayed:

◆ Mode – Enables or disables filtering of management access based on

configured IP addresses. (Default: Disabled)

◆ Start IP Address – The starting address of a range.

◆ End IP Address – The ending address of a range.

◆ HTTP/HTTPS – Filters IP addresses for access to the web interface

over standard HTTP, or over HTTPS which uses the Secure Socket Layer (SSL) protocol to provide an encrypted connection.

◆ SNMP – Filters IP addresses for access through SNMP.

◆ TELNET/SSH – Filters IP addresses for access through Telnet, or

through Secure Shell which provides authentication and encryption.

WEB INTERFACE

To configure addresses allowed access to management interfaces on the switch:

1. Click Advanced Configuration, Security, Switch, Access Management.

2. Set the Mode to Enabled.

3. Click “Add new entry.”

4. Enter the start and end of an address range.

– 70 –

Page 71

HAPTER

| Configuring the Switch

Configuring Security

5. Mark the protocols to restrict based on the specified address range. The

following example shows how to restrict management access for all protocols to a specific address range.

6. Click Save.

Figure 18: Access Management Configuration

USING SIMPLE

NETWORK

MANAGEMENT

PROTOCOL

Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.

Managed devices supporting SNMP contain software, which runs locally on the device and is referred to as an agent. A defined set of variables, known as managed objects, is maintained by the SNMP agent and used to manage the device. These objects are defined in a Management Information Base (MIB) that provides a standard presentation of the information controlled by the agent. SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network.

The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3. This agent continuously monitors the status of the switch hardware, as well as the traffic passing through its ports. A network management station can access this information using software such as HP OpenView. Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings. To communicate with the switch, the management station must first submit a valid community string for authentication.

Access to the switch using from clients using SNMPv3 provides additional security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.

The SNMPv3 security structure consists of security models, with each model having it's own security levels. There are three security models defined, SNMPv1, SNMPv2c, and SNMPv3. Users are assigned to “groups” that are defined by a security model and specified security levels. Each group also has a defined security access to set of MIB objects for reading and writing, which are known as “views.” The switch has a default view (all

– 71 –

Page 72

HAPTER

| Configuring the Switch

Configuring Security

MIB objects) and default groups defined for security models v1 and v2c. The following table shows the security models and levels available and the system default settings.

Table 6: SNMP Security Models and Levels

Model Level Community String Group Read View Write View Security

v1 noAuth

NoPriv

public default_ro_group default_view none Community string only

private default_rw_group default_view default_view Community string only

v1 noAuth

v2c noAuth

v3 noAuth

v3 Auth

v3 Auth Priv user defined user defined user defined user defined Provides user authentication

NoPriv

user defined user defined user defined user defined Community string only

public default_ro_group default_view none Community string only

private default_rw_group default_view default_view Community string only

user defined user defined user defined user defined Community string only

user defined default_rw_group default_view default_view A user name match only

user defined user defined user defined user defined Provides user authentication

OTE

The predefined default groups and view can be deleted from the

via MD5 or SHA algorithms

via MD5 or SHA algorithms and data privacy using DES 56-bit encryption

system. You can then define customized groups and views for the SNMP clients that require access.

CONFIGURING SNMP SYSTEM AND TRAP SETTINGS

Use the SNMP System Configuration page to configure basic settings and traps for SNMP. To manage the switch through SNMP, you must first enable the protocol and configure the basic access parameters. To issue trap messages, the trap function must also be enabled and the destination host specified.

PATH

Advanced Configuration, Security, Switch, SNMP, System

PARAMETERS

These parameters are displayed:

SNMP System Configuration

◆ Mode - Enables or disables SNMP service. (Default: Disabled)

– 72 –

Page 73

HAPTER

| Configuring the Switch

Configuring Security

◆ Version - Specifies the SNMP version to use. (Options: SNMP v1,

SNMP v2c, SNMP v3; Default: SNMP v2c)

◆ Read Community - The community used for read-only access to the

SNMP agent. (Range: 0-255 characters, ASCII characters 33-126 only; Default: public)

This parameter only applies to SNMPv1 and SNMPv2c. SNMPv3 uses the User-based Security Model (USM) for authentication and privacy. This community string is associated with SNMPv1 or SNMPv2 clients in the SNMPv3 Communities table (page 76).

◆ Write Community - The community used for read/write access to the

SNMP agent. (Range: 0-255 characters, ASCII characters 33-126 only; Default: private)

◆ Engine ID - The SNMPv3 engine ID. (Range: 10-64 hex digits,

excluding a string of all 0’s or all F’s; Default: 800007e5017f000001)

An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.

A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all local SNMP users will be cleared. You will need to reconfigure all existing users.

SNMP Trap Configuration

◆ Trap Mode - Enables or disables SNMP traps. (Default: Disabled)

You should enable SNMP traps so that key events are reported by this switch to your management station. Traps indicating status changes can be issued by the switch to the specified trap manager by sending authentication failure messages and other trap messages.

◆ Trap Version - Indicates if the target user is running SNMP v1, v2c, or

v3. (Default: SNMP v1)

◆ Trap Community - Specifies the community access string to use when

sending SNMP trap packets. (Range: 0-255 characters, ASCII characters 33-126 only; Default: public)

◆ Trap Destination Address - IPv4 address of the management station

to receive notification messages.

◆ Trap Destination IPv6 Address - IPv6 address of the management

station to receive notification messages. An IPv6 address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using

– 73 –

Page 74

HAPTER

Configuring Security

| Configuring the Switch

8 colon-separated 16-bit hexadecimal values. One double colon may be used to indicate the appropriate number of zeros required to fill the undefined fields.

◆ Trap Authentication Failure - Issues a notification message to

specified IP trap managers whenever authentication of an SNMP request fails. (Default: Enabled)

◆ Trap Link-up and Link-down - Issues a notification message

whenever a port link is established or broken. (Default: Enabled)

◆ Trap Inform Mode - Enables or disables sending notifications as

inform messages. Note that this option is only available for version 2c and 3 hosts. (Default: traps are used)

The recipient of a trap message does not send a response to the switch. Traps are therefore not as reliable as inform messages, which include a request for acknowledgement of receipt. Informs can be used to ensure that critical information is received by the host. However, note that informs consume more system resources because they must be kept in memory until a response is received. Informs also add to network traffic. You should consider these effects when deciding whether to issue notifications as traps or informs.

◆ Trap Inform Timeout - The number of seconds to wait for an

acknowledgment before resending an inform message. (Range: 0-2147 seconds; Default: 1 second)

◆ Trap Inform Retry Times - The maximum number of times to resend

an inform message if the recipient does not acknowledge receipt. (Range: 0-255; Default: 5)

◆ Trap Probe Security Engine ID (SNMPv3) - Specifies whether or not

to use the engine ID of the SNMP trap probe in trap and inform messages. (Default: Enabled)

◆ Trap Security Engine ID (SNMPv3) - Indicates the SNMP trap security

engine ID. SNMPv3 sends traps and informs using USM for authentication and privacy. A unique engine ID for these traps and informs is needed. When “Trap Probe Security Engine ID” is enabled, the ID will be probed automatically. Otherwise, the ID specified in this field is used. (Range: 10-64 hex digits, excluding a string of all 0’s or all F’s)

OTE

The Trap Probe Security Engine ID must be disabled before an engine ID can be manually entered in this field.

◆ Trap Security Name (SNMPv3) - Indicates the SNMP trap security

name. SNMPv3 traps and informs use USM for authentication and privacy. A unique security name is needed when SNMPv3 traps or informs are enabled.

– 74 –

Page 75

HAPTER

OTE

To select a name from this field, first enter an SNMPv3 user with the

| Configuring the Switch

Configuring Security

same Trap Security Engine ID in the SNMPv3 Users Configuration menu (see "Configuring SNMPv3 Users" on page 77).

WEB INTERFACE

To configure SNMP system and trap settings:

1. Click Advanced Configuration, Security, Switch, SNMP, System.

2. In the SNMP System Configuration table, set the Mode to Enabled to

enable SNMP service on the switch, specify the SNMP version to use, change the community access strings if required, and set the engine ID if SNMP version 3 is used.

3. In the SNMP Trap Configuration table, enable the Trap Mode to allow

the switch to send SNMP traps. Specify the trap version, trap community, and IP address of the management station that will receive trap messages either as an IPv4 or IPv6 address. Select the trap types to issue, and set the trap inform settings for SNMP v2c or v3 clients. For SNMP v3 clients, configure the security engine ID and security name used in v3 trap and inform messages.

4. Click Save.

– 75 –

Page 76

HAPTER

Configuring Security

| Configuring the Switch

Figure 19: SNMP System Configuration

SETTING SNMPV3 COMMUNITY ACCESS STRINGS

Use the SNMPv3 Community Configuration page to set community access strings. All community strings used to authorize access by SNMP v1 and v2c clients should be listed in the SNMPv3 Communities Configuration table. For security reasons, you should consider removing the default strings.

PATH

Advanced Configuration, Security, Switch, SNMP, Communities

PARAMETERS

These parameters are displayed:

◆ Community - Specifies the community strings which allow access to

the SNMP agent. (Range: 1-32 characters, ASCII characters 33-126 only; Default: public, private)

For SNMPv3, these strings are treated as a Security Name, and are mapped as an SNMPv1 or SNMPv2 community string in the SNMPv3 Groups Configuration table (see "Configuring SNMPv3 Groups" on

page 79).

– 76 –

Page 77

HAPTER

| Configuring the Switch

Configuring Security

◆ Source IP - Specifies the source address of an SNMP client.

◆ Source Mask - Specifies the address mask for the SNMP client.

WEB INTERFACE

To configure SNMP community access strings:

1. Click Advanced Configuration, Security, Switch, SNMP, Communities.

2. Set the IP address and mask for the default community strings.

Otherwise, you should consider deleting these strings for security reasons.

3. Add any new community strings required for SNMPv1 or v2 clients that

need to access the switch, along with the source address and address mask for each client.

4. Click Save.

Figure 20: SNMPv3 Community Configuration

CONFIGURING SNMPV3 USERS

Use the SNMPv3 User Configuration page to define a unique name and remote engine ID for each SNMPv3 user. Users must be configured with a specific security level, and the types of authentication and privacy protocols to use.

OTE

Any user assigned through this page is associated with the group assigned to the USM Security Model on the SNMPv3 Groups Configuration page (page 79), and the views assigned to that group in the SNMPv3 Access Configuration page (page 81).

PATH

Advanced Configuration, Security, Switch, SNMP, Users

PARAMETERS

These parameters are displayed:

◆ Engine ID - The engine identifier for the SNMP agent on the remote

device where the user resides. (Range: 10-64 hex digits, excluding a string of all 0’s or all F’s)

– 77 –

Page 78

HAPTER

Configuring Security

| Configuring the Switch

To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.

SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent's SNMP engine ID before you can send proxy requests or informs to it. (See "Configuring

SNMP System and Trap Settings" on page 72.)

◆ User Name - The name of user connecting to the SNMP agent.

(Range: 1-32 characters, ASCII characters 33-126 only)

◆ Security Level - The security level assigned to the user:

■

NoAuth, NoPriv - There is no authentication or encryption used in SNMP communications. (This is the default for SNMPv3.)

■

Auth, NoPriv - SNMP communications use authentication, but the data is not encrypted.

■

Auth, Priv - SNMP communications use both authentication and encryption.

◆ Authentication Protocol - The method used for user authentication.

(Options: None, MD5, SHA; Default: MD5)

◆ Authentication Password - A plain text string identifying the

authentication pass phrase. (Range: 1-32 characters for MD5, 8-40 characters for SHA)

◆ Privacy Protocol - The encryption algorithm use for data privacy; only

56-bit DES is currently available. (Options: None, DES; Default: DES)

◆ Privacy Password - A string identifying the privacy pass phrase.

(Range: 8-40 characters, ASCII characters 33-126 only)

WEB INTERFACE

To configure SNMPv3 users:

1. Click Advanced Configuration, Security, Switch, SNMP, Users.

2. Click “Add new user” to configure a user name.

3. Enter a remote Engine ID of up to 64 hexadecimal characters

4. Define the user name, security level, authentication and privacy

settings.

5. Click Save.

– 78 –

Page 79

HAPTER

Figure 21: SNMPv3 User Configuration

| Configuring the Switch

Configuring Security

CONFIGURING SNMPV3 GROUPS

Use the SNMPv3 Group Configuration page to configure SNMPv3 groups. An SNMPv3 group defines the access policy for assigned users, restricting them to specific read and write views as defined on the SNMPv3 Access Configuration page (page 81). You can use the pre-defined default groups, or create a new group and the views authorized for that group.

PATH

Advanced Configuration, Security, Switch, SNMP, Groups

PARAMETERS

These parameters are displayed:

◆ Security Model - The user security model. (Options: SNMP v1, v2c, or

the User-based Security Model – usm).

◆ Security Name - The name of a user connecting to the SNMP agent.

(Range: 1-32 characters, ASCII characters 33-126 only)

The options displayed for this parameter depend on the selected Security Model. For SNMP v1 and v2c, the switch displays the names configured on the SNMPv3 Communities Configuration menu (see

page 76). For USM (or SNMPv3), the switch displays the names

configured with the local engine ID in the SNMPv3 Users Configuration menu (see page 77). To modify an entry for USM, the current entry must first be deleted.

◆ Group Name - The name of the SNMP group. (Range: 1-32 characters,

ASCII characters 33-126 only)

WEB INTERFACE

To configure SNMPv3 groups:

1. Click Advanced Configuration, Security, Switch, SNMP, Groups.

2. Click “Add new group” to set up a new group.

3. Select a security model.

4. Select the security name. For SNMP v1 and v2c, the security names

displayed are based on the those configured in the SNMPv3 Communities menu. For USM, the security names displayed are based on the those configured in the SNMPv3 Users Configuration menu.

– 79 –

Page 80

HAPTER

Configuring Security

| Configuring the Switch

5. Enter a group name. Note that the views assigned to a group must be

specified on the SNMP Accesses Configuration menu (see page 81).

6. Click Save.

Figure 22: SNMPv3 Group Configuration

CONFIGURING SNMPV3 VIEWS

Use the SNMPv3 View Configuration page to define views which restrict user access to specified portions of the MIB tree. The predefined view “default_view” includes access to the entire MIB tree.

CLI REFERENCES

"SNMP Commands" on page 330

PARAMETERS

These parameters are displayed:

◆ View Name - The name of the SNMP view. (Range: 1-32 characters,

ASCII characters 33-126 only)

◆ View Type - Indicates if the object identifier of a branch within the MIB

tree is included or excluded from the SNMP view. Generally, if the view type of an entry is “excluded,” another entry of view type “included” should exist and its OID subtree should overlap the “excluded” view entry.

◆ OID Subtree - Object identifiers of branches within the MIB tree. Note

that the first character must be a period (.). Wild cards can be used to mask a specific portion of the OID string using an asterisk. (Length: 1-128)

WEB INTERFACE

To configure SNMPv3 views:

1. Click Advanced Configuration, Security, Switch, SNMP, Views.

2. Click “Add new view” to set up a new view.

3. Enter the view name, view type, and OID subtree.

4. Click Save.

– 80 –

Page 81

HAPTER

Figure 23: SNMPv3 View Configuration

| Configuring the Switch

Configuring Security

CONFIGURING SNMPV3 GROUP ACCESS RIGHTS

Use the SNMPv3 Access Configuration page to assign portions of the MIB tree to which each SNMPv3 group is granted access. You can assign more than one view to a group to specify access to different portions of the MIB tree.

PATH

Advanced Configuration, Security, Switch, SNMP, Access

PARAMETERS

These parameters are displayed:

◆ Group Name - The name of the SNMP group. (Range: 1-32 characters,

ASCII characters 33-126 only)

◆ Security Model - The user security model. (Options: any, v1, v2c, or

the User-based Security Model – usm; Default: any)

◆ Security Level - The security level assigned to the group:

■

NoAuth, NoPriv - There is no authentication or encryption used in SNMP communications. (This is the default for SNMPv3.)

■

Auth, NoPriv - SNMP communications use authentication, but the data is not encrypted.

■

Auth, Priv - SNMP communications use both authentication and encryption.

◆ Read View Name - The configured view for read access. (Range: 1-32

characters, ASCII characters 33-126 only)

◆ Write View Name - The configured view for write access.

(Range: 1-32 characters, ASCII characters 33-126 only)

WEB INTERFACE

To configure SNMPv3 group access rights:

1. Click Advanced Configuration, Security, Switch, SNMP, Access.

2. Click Add New Access to create a new entry.

3. Specify the group name, security settings, read view, and write view.

4. Click Save.

– 81 –

Page 82

HAPTER

Configuring Security

| Configuring the Switch

Figure 24: SNMPv3 Access Configuration

REMOTE MONITORING Remote Monitoring allows a remote device to collect information or

respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance. If an event is triggered, it can automatically notify the network administrator of a failure and provide historical information about the event. If it cannot connect to the management agent, it will continue to perform any specified tasks and pass data back to the management station the next time it is contacted.

The switch supports mini-RMON, which consists of the Statistics, History, Event and Alarm groups. When RMON is enabled, the system gradually builds up information about its physical interfaces, storing this information in the relevant RMON database group. A management agent then periodically communicates with the switch using the SNMP protocol. However, if the switch encounters a critical event, it can automatically send a trap message to the management agent which can then respond to the event if so configured.

CONFIGURING RMON STATISTICAL SAMPLES

Use the RMON Statistics Configuration page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.

PATH

Advanced Configuration, Security, RMON, Statistics

COMMAND USAGE

◆ If statistics collection is already enabled on an interface, the entry must

be deleted before any changes can be made.

◆ The information collected for each entry includes: drop events, input

octets, packets, broadcast packets, multicast packets, CRC alignment errors, undersize packets, oversize packets, fragments, jabbers, collisions, and frames of various sizes.

PARAMETERS

The following parameters are displayed:

◆ ID - Index to this entry. (Range: 1-65535)

– 82 –

Page 83

HAPTER

| Configuring the Switch

Configuring Security

◆ Data Source – Port identifier.

WEB INTERFACE

To enable regular sampling of statistics on a port:

1. Click Advanced Configuration, Security, Switch, RMON, Statistics.

2. Click Add New Entry.

3. Enter the index identifier and port number.

4. Click Save.

Figure 25: RMON Statistics Configuration

CONFIGURING RMON HISTORY SAMPLES

Use the RMON History Configuration page to collect statistics on a physical interface to monitor network utilization, packet types, and errors. A historical record of activity can be used to track down intermittent problems. The record can be used to establish normal baseline activity, which may reveal problems associated with high traffic levels, broadcast storms, or other unusual events. It can also be used to predict network growth and plan for expansion before your network becomes too overloaded.

PATH

Advanced Configuration, Security, RMON, History

COMMAND USAGE

The information collected for each sample includes: drop events, input octets, packets, broadcast packets, multicast packets, CRC alignment errors, undersize packets, oversize packets, fragments, jabbers, collisions, and network utilization.

PARAMETERS

The following parameters are displayed:

◆ ID - Index to this entry. (Range: 1-65535)

◆ Data Source – Port identifier.

◆ Interval - The polling interval. (Range: 1-3600 seconds; Default: 1800

seconds)

– 83 –

Page 84

HAPTER

Configuring Security

| Configuring the Switch

◆ Buckets - The number of buckets requested for this entry.

(Range: 1-3600; Default: 50)

◆ Buckets Granted - The number of buckets granted.

WEB INTERFACE

To periodically sample statistics on a port:

1. Click Advanced Configuration, Security, Switch, RMON, History.

2. Click Add New Entry.

3. Enter the index identifier, port number, sampling interval, and

maximum number of buckets requested.

4. Click Save.

Figure 26: RMON History Configuration

CONFIGURING RMON ALARMS

Use the RMON Alarm Configuration page to define specific criteria that will generate response events. Alarms can be set to test data over any specified time interval, and can monitor absolute or changing values (such as a statistical counter reaching a specific value, or a statistic changing by a certain amount over the set interval). Alarms can be set to respond to rising or falling thresholds. However, note that after an alarm is triggered it will not be triggered again until the statistical value crosses the opposite bounding threshold and then back across the trigger threshold.

PATH

Advanced Configuration, Security, RMON, Alarm

PARAMETERS

The following parameters are displayed:

◆ ID – Index to this entry. (Range: 1-65535)

◆ Interval – The polling interval. (Range: 1-2^31 seconds)

◆ Variable – The object identifier of the MIB variable to be sampled.

Only variables of the type ifEntry.n.n may be sampled.

Note that ifEntry.n uniquely defines the MIB variable, and ifEntry.n.n defines the MIB variable, plus the ifIndex. For example,

1.3.6.1.2.1.2.2.1.1.10.1 denotes ifInOctets, plus the ifIndex of 1.

– 84 –

Page 85

HAPTER

| Configuring the Switch

Configuring Security

Possible variables (ifEntry.n, where n = 10-21) include: InOctets, InUcastPkts, InNUcastPkts, InDiscards, InErrors, InUnknownProtos, OutOctets, OutUcastPkts, OutNUcastPkts, OutDiscards, OutErrors, and OutQLen.

◆ Sample Type – Tests for absolute or relative changes in the specified

variable.

■

Absolute – The variable is compared directly to the thresholds at the end of the sampling period.

■

Delta – The last sample is subtracted from the current value and the difference is then compared to the thresholds.

◆ Value – The value of the statistic during the last sampling period.

◆ Startup Alarm – The method of sampling the selected variable and

calculating the value to be compared against the thresholds. Possible sample types include:

■

Rising – Trigger alarm when the first value is larger than the rising threshold.

■

Falling – Trigger alarm when the first value is less than the falling threshold.

■

Rising or Falling – Trigger alarm when the first value is larger than the rising threshold or less than the falling threshold (default).

◆ Rising Threshold – If the current value is greater than the rising

threshold, and the last sample value was less than this threshold, then an alarm will be generated. After a rising event has been generated, another such event will not be generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold. (Range: -2147483647 to

2147483647)

◆ Rising Index – The index of the event to use if an alarm is triggered

by monitored variables crossing above the rising threshold. If there is no corresponding entry in the event control table, then no event will be generated. (Range: 1-65535)

◆ Falling Threshold – If the current value is less than the falling

threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the failing threshold. (Range: -2147483647 to 2147483647)

◆ Falling Index – The index of the event to use if an alarm is triggered

by monitored variables crossing below the falling threshold. If there is no corresponding entry in the event control table, then no event will be generated. (Range: 1-65535)

– 85 –

Page 86

HAPTER

Configuring Security

| Configuring the Switch

WEB INTERFACE

To configure an RMON alarm:

1. Click Advanced Configuration, Security, Switch, RMON, Alarm.

2. Click Add New Entry.

3. Enter an index number, the polling interval, the MIB object to be polled

(etherStatsEntry.n.n), the sample type, the alarm startup type, the thresholds, and the event to trigger.

4. Click Save.

Figure 27: RMON Alarm Configuration

CONFIGURING RMON EVENTS

Use the RMON Event Configuration page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.

PATH

Advanced Configuration, Security, RMON, Event

PARAMETERS

The following parameters are displayed:

◆ ID – Index to this entry. (Range: 1-65535)

◆ Desc – A comment that describes this event. (Range: 0-127

characters)

◆ Type – Specifies the type of event to initiate:

■

none – No event is generated.

■

log – Generates an RMON log entry when the event is triggered. Log messages are processed based on the current configuration settings for event logging (see "Configuring Remote Log Messages"

on page 56).

■

snmptrap – Sends a trap message to all configured trap managers (see "Configuring SNMP System and Trap Settings" on page 72).

logandtrap – Logs the event and sends a trap message.

– 86 –

Page 87

HAPTER

◆ Community – A password-like community string sent with the trap

operation to SNMP v1 and v2c hosts.

Although the community string can be set on this configuration page, it is recommended that it be defined on the SNMP trap configuration page (see "Setting SNMPv3 Community Access Strings" on page 76) prior to configuring it here. (Range: 0-127 characters)

◆ Last Event Time – The value of sysUpTime when an event was last

generated for this entry.

| Configuring the Switch

Configuring Security

WEB INTERFACE

To configure an RMON event:

1. Click Advanced Configuration, Security, Switch, RMON, Event.

2. Click Add New Entry.

3. Enter an index number, a brief description of the event, the type of

event to initiate, and the community string to send with trap messages.

CONFIGURING PORT

LIMIT CONTROLS

4. Click Save.

Figure 28: RMON Event Configuration

Use the Port Security Limit Control Configuration page to limit the number of users accessing a given port. A user is identified by a MAC address and VLAN ID. If Limit Control is enabled on a port, the maximum number of users on the port is restricted to the specified limit. If this number is exceeded, the switch makes the specified response.

PATH

Advanced Configuration, Security, Network, Limit Control

PARAMETERS

The following parameters are displayed:

System Configuration

◆ Mode – Enables or disables Limit Control is globally on the switch. If

globally disabled, other modules may still use the underlying functionality, but limit checks and corresponding actions are disabled.

◆ Aging Enabled – If enabled, secured MAC addresses are subject to

aging as discussed under Aging Period.

– 87 –

Page 88

HAPTER

Configuring Security

| Configuring the Switch

With aging enabled, a timer is started once the end-host gets secured. When the timer expires, the switch starts looking for frames from the end-host, and if such frames are not seen within the next Aging Period, the end-host is assumed to be disconnected, and the corresponding resources are freed on the switch.

◆ Aging Period – If Aging Enabled is checked, then the aging period is

controlled with this parameter. If other modules are using the underlying port security for securing MAC addresses, they may have other requirements for the aging period. The underlying port security will use the shortest requested aging period of all modules that use this functionality. (Range: 10-10,000,000 seconds; Default: 3600 seconds)

Port Configuration

◆ Port – Port identifier.

◆ Mode – Controls whether Limit Control is enabled on this port. Both

this and the global Mode must be set to Enabled for Limit Control to be in effect. Notice that other modules may still use the underlying port security features without enabling Limit Control on a given port.

◆ Limit – The maximum number of MAC addresses that can be secured

on this port. This number cannot exceed 1024. If the limit is exceeded, the corresponding action is taken.

The switch is “initialized” with a total number of MAC addresses from which all ports draw whenever a new MAC address is seen on a Port Security-enabled port. Since all ports draw from the same pool, it may happen that a configured maximum cannot be granted if the remaining ports have already used all available MAC addresses.

◆ Action – If Limit is reached, the switch can take one of the following

actions:

■

None: Do not allow more than the specified Limit of MAC addresses on the port, but take no further action.

■

Trap: If Limit + 1 MAC addresses is seen on the port, send an SNMP trap. If Aging is disabled, only one SNMP trap will be sent, but with Aging enabled, new SNMP traps will be sent every time the limit is exceeded.

■

Shutdown: If Limit + 1 MAC addresses is seen on the port, shut down the port. This implies that all secured MAC addresses will be removed from the port, and no new addresses will be learned. Even if the link is physically disconnected and reconnected on the port (by disconnecting the cable), the port will remain shut down. There are three ways to re-open the port:

■

Boot the switch,

■

Disable and re-enable Limit Control on the port or the switch,

■

Click the Reopen button.

– 88 –

Page 89

HAPTER

■

Trap & Shutdown: If Limit + 1 MAC addresses is seen on the port,

| Configuring the Switch

Configuring Security

both the “Trap” and the “Shutdown” actions described above will be taken.

◆ State – This column shows the current state of the port as seen from

the Limit Control's point of view. The state takes one of four values:

■

Disabled: Limit Control is either globally disabled or disabled on the port.

■

Ready: The limit is not yet reached. This can be shown for all Actions.

■

Limit Reached: Indicates that the limit is reached on this port. This state can only be shown if Action is set to None or Trap.

■

Shutdown: Indicates that the port is shut down by the Limit Control module. This state can only be shown if Action is set to Shutdown or Trap & Shutdown.

◆ Re-open – If a port is shut down by this module, you may reopen it by

clicking this button, which will only be enabled if this is the case. For other methods, refer to Shutdown in the Action section.

Note, that clicking the Reopen button causes the page to be refreshed, so non-committed changes will be lost.

WEB INTERFACE

To configure port limit controls:

1. Click Advanced Configuration, Security, Network, Limit Control.

2. Set the system configuration parameters to globally enable or disable

limit controls, and configure address aging as required.

3. Set limit controls for any port, including status, maximum number of

addresses allowed, and the response to a violation.

4. Click Save.

– 89 –

Page 90

HAPTER

Configuring Security

| Configuring the Switch

Figure 29: Port Limit Control Configuration

CONFIGURING

AUTHENTICATION

THROUGH NETWORK

ACCESS SERVERS

Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.

Use the Network Access Server Configuration page to configure IEEE

802.1X port-based and MAC-based authentication settings. The 802.1X standard defines a port-based access control procedure that prevents unauthorized access to a network by requiring users to first submit credentials for authentication. Access to all switch ports in a network can be centrally controlled from a server, which means that authorized users can use the same credentials for authentication from any point within the network.

– 90 –

Page 91

802.1x client

RADIUS server

1. Client attempts to access a switch port.

2. Switch sends client an identity request.

3. Client sends back identity information.

4. Switch forwards this to authentication server.

5. Authentication server challenges client.

6. Client responds with proper credentials.

7. Authentication server approves access.

8. Switch grants client access to this port.

HAPTER

Figure 30: Using Port Security

| Configuring the Switch

Configuring Security

This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access rights. These backend servers are configured on the AAA menu (see

page 123).

When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an EAPOL identity request. The client provides its identity (such as a user name) in an EAPOL response to the switch, which it forwards to the RADIUS server. The RADIUS server verifies the client identity and sends an access challenge back to the client. The EAP packet from the RADIUS server contains not only the challenge, but the authentication method to be used. The client can reject the authentication method and request another, depending on the configuration of the client software and the RADIUS server. The encryption method used by IEEE 802.1X to pass authentication messages can be MD5 (Message-Digest 5), TLS (Transport Layer Security), PEAP (Protected Extensible Authentication Protocol), or TTLS (Tunneled Transport Layer Security). However, note that the only encryption method supported by MAC-Based authentication is MD5. The client responds to the appropriate method with its credentials, such as a password or certificate. The RADIUS server verifies the client credentials and responds with an accept or reject packet. If authentication is successful, the switch allows the client to access the network. Otherwise, network access is denied and the port remains blocked.

The operation of 802.1X on the switch requires the following:

◆ The switch must have an IP address assigned (see page 48).

◆ RADIUS authentication must be enabled on the switch and the IP

address of the RADIUS server specified. Backend RADIUS servers are configured on the Authentication Configuration page (see page 123).

– 91 –

Page 92

HAPTER

Configuring Security

| Configuring the Switch

◆ 802.1X / MAC-based authentication must be enabled globally for the

switch.

◆ The Admin State for each switch port that requires client authentication

must be set to 802.1X or MAC-based.

◆ When using 802.1X authentication:

■

Each client that needs to be authenticated must have dot1x client software installed and properly configured.

■

When using 802.1X authentication, the RADIUS server and 802.1X client must support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.)

■

The RADIUS server and client also have to support the same EAP authentication type - MD5, PEAP, TLS, or TTLS. (Native support for these encryption methods is provided in Windows 7, Windows Vista, Windows XP, and in Windows 2000 with Service Pack 4. To support these encryption methods in Windows 95 and 98, you can use the AEGIS dot1x client or other comparable client software.)

MAC-based authentication allows for authentication of more than one user on the same port, and does not require the user to have special 802.1X software installed on his system. The switch uses the client's MAC address to authenticate against the backend server. However, note that intruders can create counterfeit MAC addresses, which makes MAC-based authentication less secure than 802.1X authentication.

PATH

Advanced Configuration, Security, Network, NAS

USAGE GUIDELINES

When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server. These parameters are described in this section.

PARAMETERS

These parameters are displayed:

System Configuration

◆ Mode - Indicates if 802.1X and MAC-based authentication are globally

enabled or disabled on the switch. If globally disabled, all ports are allowed to forward frames.

◆ Reauthentication Enabled - Sets clients to be re-authenticated after

an interval specified by the Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled)

For MAC-based ports, reauthentication is only useful if the RADIUS server configuration has changed. It does not involve communication

– 92 –

Page 93

HAPTER

| Configuring the Switch

Configuring Security

between the switch and the client, and therefore does not imply that a client is still present on a port (see Age Period below).

◆ Reauthentication Period - Sets the time period after which a

connected client must be re-authenticated. (Range: 1-3600 seconds; Default: 3600 seconds)

◆ EAPOL Timeout - Sets the time the switch waits for a supplicant

response during an authentication session before retransmitting a Request Identify EAPOL packet. (Range: 1-255 seconds; Default: 30 seconds)

◆ Aging Period - The period used to calculate when to age out a client

allowed access to the switch through Single 802.1X, Multi 802.1X, and MAC-based authentication as described below. (Range: 10-1000000 seconds; Default: 300 seconds)

When the NAS module uses the Port Security module to secure MAC addresses, the Port Security module needs to check for activity on the MAC address in question at regular intervals and free resources if no activity is seen within the given age period.

If reauthentication is enabled and the port is in a 802.1X-based mode, this is not so critical, since supplicants that are no longer attached to the port will get removed upon the next reauthentication, which will fail. But if reauthentication is not enabled, the only way to free resources is by aging the entries.

For ports in MAC-based Auth. mode, reauthentication does not cause direct communication between the switch and the client, so this will not detect whether the client is still attached or not, and the only way to free any resources is to age the entry.

◆ Hold Time - The time after an EAP Failure indication or RADIUS

timeout that a client is not allowed access. This setting applies to ports running Single 802.1X, Multi 802.1X, or MAC-based authentication. (Range: 10-1000000 seconds; Default: 10 seconds)

If the RADIUS server denies a client access, or a RADIUS server request times out (according to the timeout specified on the AAA menu on page 123), the client is put on hold in the Unauthorized state. In this state, the hold timer does not count down during an on-going authentication.

In MAC-based Authentication mode, the switch will ignore new frames coming from the client during the hold time.

◆ RADIUS-Assigned QoS Enabled - RADIUS-assigned QoS provides a

means to centrally control the traffic class to which traffic coming from a successfully authenticated supplicant is assigned on the switch. The RADIUS server must be configured to transmit special RADIUS attributes to take advantage of this feature.

The RADIUS-Assigned QoS Enabled checkbox provides a quick way to globally enable/disable RADIUS-server assigned QoS Class functionality. When checked, the individual port settings determine

– 93 –

Page 94

HAPTER

Configuring Security

| Configuring the Switch

whether RADIUS-assigned QoS Class is enabled for that port. When unchecked, RADIUS-server assigned QoS Class is disabled for all ports.

When RADIUS-Assigned QoS is both globally enabled and enabled for a given port, the switch reacts to QoS Class information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and valid, traffic received on the supplicant’s port will be classified to the given QoS Class. If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a QoS Class or it's invalid, or the supplicant is otherwise no longer present on the port, the port's QoS Class is immediately reverted to the original QoS Class (which may be changed by the administrator in the meanwhile without affecting the RADIUSassigned setting).

This option is only available for single-client modes, i.e. port-based

802.1X and Single 802.1X.

RADIUS Attributes Used in Identifying a QoS Class

The User-Priority-Table attribute defined in RFC4675 forms the basis for identifying the QoS Class in an Access-Accept packet.

Only the first occurrence of the attribute in the packet will be considered. To be valid, all 8 octets in the attribute's value must be identical and consist of ASCII characters in the range '0' - '3', which translates into the desired QoS Class in the range 0-3.

QoS assignments to be applied to a switch port for an authenticated user may be configured on the RADIUS server as described below:

■

The “Filter-ID” attribute (attribute 11) can be configured on the RADIUS server to pass the following QoS information:

Table 7: Dynamic QoS Profiles

Profile Attribute Syntax Example

DiffServ service-policy-in=policy-map-name service-policy-in=p1

Rate Limit rate-limit-input=rate rate-limit-input=100

802.1p switchport-priority-default=value switchport-priority-default=2

■

Multiple profiles can be specified in the Filter-ID attribute by using a

(in units of Kbps)

semicolon to separate each profile.

For example, the attribute “service-policy-in=pp1;rate-limitinput=100” specifies that the diffserv profile name is “pp1,” and the ingress rate limit profile value is 100 kbps.

■

If duplicate profiles are passed in the Filter-ID attribute, then only the first profile is used.

For example, if the attribute is “service-policy-in=p1;service-policyin=p2”, then the switch applies only the DiffServ profile “p1.”

Any unsupported profiles in the Filter-ID attribute are ignored.

– 94 –

Page 95

HAPTER

| Configuring the Switch

Configuring Security

For example, if the attribute is “map-ip-dscp=2:3;service-policyin=p1,” then the switch ignores the “map-ip-dscp” profile.

■

When authentication is successful, the dynamic QoS information may not be passed from the RADIUS server due to one of the following conditions (authentication result remains unchanged):

■

The Filter-ID attribute cannot be found to carry the user profile.

■

The Filter-ID attribute is empty.

■

The Filter-ID attribute format for dynamic QoS assignment is unrecognizable (can not recognize the whole Filter-ID attribute).

■

Dynamic QoS assignment fails and the authentication result changes from success to failure when the following conditions occur:

■

Illegal characters found in a profile value (for example, a nondigital character in an 802.1p profile value).

■

Failure to configure the received profiles on the authenticated port.

■

When the last user logs off on a port with a dynamic QoS assignment, the switch restores the original QoS configuration for the port.

■

When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port, the user is denied access.

■

While a port has an assigned dynamic QoS profile, any manual QoS configuration changes only take effect after all users have logged off the port.

◆ RADIUS-Assigned VLAN Enabled - RADIUS-assigned VLAN provides

a means to centrally control the VLAN on which a successfully authenticated supplicant is placed on the switch. Incoming traffic will be classified to and switched on the RADIUS-assigned VLAN. The RADIUS server must be configured to transmit special RADIUS attributes to take advantage of this feature.

The “RADIUS-Assigned VLAN Enabled” checkbox provides a quick way to globally enable/disable RADIUS-server assigned VLAN functionality. When checked, the individual port settings determine whether RADIUSassigned VLAN is enabled for that port. When unchecked, RADIUSserver assigned VLAN is disabled for all ports.

When RADIUS-Assigned VLAN is both globally enabled and enabled for a given port, the switch reacts to VLAN ID information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and valid, the port's Port VLAN ID will be changed to this VLAN ID, the port will be set to be a member of that VLAN ID, and the port will be forced into VLANunaware mode. Once assigned, all traffic arriving on the port will be classified and switched on the RADIUS-assigned VLAN ID.

– 95 –

Page 96

HAPTER

Configuring Security

| Configuring the Switch

If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a VLAN ID or it's invalid, or the supplicant is otherwise no longer present on the port, the port's VLAN ID is immediately reverted to the original VLAN ID (which may be changed by the administrator in the meanwhile without affecting the RADIUS-assigned setting).

This option is only available for single-client modes, i.e. port-based

802.1X and Single 802.1X.

OTE

For trouble-shooting VLAN assignments, use the Monitor > VLANs > VLAN Membership and VLAN Port pages. These pages show which modules have (temporarily) overridden the current Port VLAN configuration.

RADIUS Attributes Used in Identifying a VLAN ID

RFC 2868 and RFC 3580 form the basis for the attributes used in identifying a VLAN ID in an Access-Accept packet. The following criteria are used:

■

The Tunnel-Medium-Type, Tunnel-Type, and Tunnel-Private-GroupID attributes must all be present at least once in the Access-Accept packet.

■

The switch looks for the first set of these attributes that have the same Tag value and fulfil the following requirements (if Tag == 0 is used, the Tunnel-Private-Group-ID does not need to include a Tag):

■

Value of Tunnel-Medium-Type must be set to “IEEE-802” (ordinal

6).

■

Value of Tunnel-Type must be set to “VLAN” (ordinal 13).

■

Value of Tunnel-Private-Group-ID must be a string of ASCII characters in the range 0-9, which is interpreted as a decimal string representing the VLAN ID. Leading '0's are discarded. The final value must be in the range 1-4095.

◆ Guest VLAN Enabled - A Guest VLAN is a special VLAN - typically with

limited network access - on which 802.1X-unaware clients are placed after a network administrator-defined timeout. The switch follows a set of rules for entering and leaving the Guest VLAN as listed below.

The “Guest VLAN Enabled” checkbox provides a quick way to globally enable/disable Guest VLAN functionality. When checked, the individual port settings determine whether the port can be moved into Guest VLAN. When unchecked, the ability to move to the Guest VLAN is disabled for all ports.

When Guest VLAN is both globally enabled and enabled for a given port, the switch considers moving the port into the Guest VLAN according to the rules outlined below. This option is only available for EAPOL-based modes, i.e. Port-based 802.1X, Single 802.1X, and Multi

802.1X

The VLAN list can contain multiple VLAN identifiers in the format “1u,2t,3u” where “u” indicates an untagged VLAN and “t” a tagged VLAN.

– 96 –

Page 97

HAPTER

OTE

For trouble-shooting VLAN assignments, use the Monitor > VLANs >

| Configuring the Switch

Configuring Security

VLAN Membership and VLAN Port pages. These pages show which modules have (temporarily) overridden the current Port VLAN configuration.

Guest VLAN Operation

When a Guest VLAN enabled port's link comes up, the switch starts transmitting EAPOL Request Identity frames. If the number of transmissions of such frames exceeds Max. Reauth. Count and no EAPOL frames have been received in the meanwhile, the switch considers entering the Guest VLAN. The interval between transmission of EAPOL Request Identity frames is configured with EAPOL Timeout. If Allow Guest VLAN if EAPOL Seen is enabled, the port will now be placed in the Guest VLAN. If disabled, the switch will first check its history to see if an EAPOL frame has previously been received on the port (this history is cleared if the port link goes down or the port's Admin State is changed), and if not, the port will be placed in the Guest VLAN. Otherwise it will not move to the Guest VLAN, but continue transmitting EAPOL Request Identity frames at the rate given by EAPOL Timeout.

Once in the Guest VLAN, the port is considered authenticated, and all attached clients on the port are allowed access on this VLAN. The switch will not transmit an EAPOL Success frame after entering the Guest VLAN.

While in the Guest VLAN, the switch monitors the link for EAPOL frames, and if one such frame is received, the switch immediately takes the port out of the Guest VLAN and starts authenticating the supplicant according to the port mode. If an EAPOL frame is received, the port will never be able to go back into the Guest VLAN if the “Allow Guest VLAN if EAPOL Seen” is disabled.

◆ Guest VLAN ID - This is the value that a port's Port VLAN ID is set to if

a port is moved into the Guest VLAN. It is only changeable if the Guest VLAN option is globally enabled. (Range: 1-4095)

◆ Max. Reauth. Count - The number of times that the switch transmits

an EAPOL Request Identity frame without receiving a response before adding a port to the Guest VLAN. The value can only be changed if the Guest VLAN option is globally enabled. (Range: 1-255)

◆ Allow Guest VLAN if EAPOL Seen - The switch remembers if an

EAPOL frame has been received on the port for the lifetime of the port. Once the switch considers whether to enter the Guest VLAN, it will first check if this option is enabled or disabled. If disabled (the default), the switch will only enter the Guest VLAN if an EAPOL frame has not been received on the port for the lifetime of the port. If enabled, the switch will consider entering the Guest VLAN even if an EAPOL frame has been received on the port for the lifetime of the port. The value can only be changed if the Guest VLAN option is globally enabled.

Port Configuration

◆ Port – Port identifier.

– 97 –

Page 98

HAPTER

Configuring Security

| Configuring the Switch

◆ Admin State - If NAS is globally enabled, this selection controls the

port's authentication mode. The following modes are available:

■

Force Authorized - The switch sends one EAPOL Success frame when the port link comes up. This forces the port to grant access to all clients, either dot1x-aware or otherwise. (This is the default setting.)

■

Force Unauthorized - The switch will send one EAPOL Failure frame when the port link comes up. This forces the port to deny access to all clients, either dot1x-aware or otherwise.

■

Port-based 802.1X - Requires a dot1x-aware client to be authorized by the authentication server. Clients that are not dot1xaware will be denied access.

■

Single 802.1X - At most one supplicant can get authenticated on the port at a time. If more than one supplicant is connected to a port, the one that comes first when the port's link comes up will be the first one considered. If that supplicant doesn't provide valid credentials within a certain amount of time, another supplicant will get a chance. Once a supplicant is successfully authenticated, only that supplicant will be allowed access. This is the most secure of all the supported modes. In this mode, the Port Security module is used to secure a supplicant's MAC address once successfully authenticated.

■

Multi 802.1X - One or more supplicants can get authenticated on the same port at the same time. Each supplicant is authenticated individually and secured in the MAC table using the Port Security module.

In Multi 802.1X it is not possible to use the multicast BPDU MAC address as the destination MAC address for EAPOL frames sent from the switch towards the supplicant, since that would cause all supplicants attached to the port to reply to requests sent from the switch. Instead, the switch uses the supplicant's MAC address, which is obtained from the first EAPOL Start or EAPOL Response Identity frame sent by the supplicant. An exception to this is when no supplicants are attached. In this case, the switch sends EAPOL Request Identity frames using the BPDU multicast MAC address as the destination - to wake up any supplicants that might be on the port.

The maximum number of supplicants that can be attached to a port can be limited using the Port Security Limit Control functionality.

■

MAC-based Auth. - Enables MAC-based authentication on the port. The switch does not transmit or accept EAPOL frames on the port. Flooded frames and broadcast traffic will be transmitted on the port, whether or not clients are authenticated on the port, whereas unicast traffic from an unsuccessfully authenticated client will be dropped. Clients that are not (or not yet) successfully authenticated will not be allowed to transmit frames of any kind.

The switch acts as the supplicant on behalf of clients. The initial frame (any kind of frame) sent by a client is snooped by the switch, which in turn uses the client's MAC address as both user name and

– 98 –

Page 99

HAPTER

| Configuring the Switch

Configuring Security

password in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is converted to a string on the following form “xx-xx-xx-xx-xx-xx”, that is, a dash (-) is used as separator between the lower-cased hexadecimal digits. The switch only supports the MD5-Challenge authentication method, so the RADIUS server must be configured accordingly.

When authentication is complete, the RADIUS server sends a success or failure indication, which in turn causes the switch to open up or block traffic for that particular client, using the Port Security module. Only then will frames from the client be forwarded on the switch. There are no EAPOL frames involved in this authentication, and therefore, MAC-based Authentication has nothing to do with the

802.1X standard.

The advantage of MAC-based authentication over port-based

802.1X is that several clients can be connected to the same port (e.g. through a 3rd party switch or a hub) and still require individual authentication, and that the clients don't need special supplicant software to authenticate. The advantage of MAC-based authentication over 802.1X-based authentication is that the clients don't need special supplicant software to authenticate. The disadvantage is that MAC addresses can be spoofed by malicious users - equipment whose MAC address is a valid RADIUS user can be used by anyone. Also, only the MD5-Challenge method is supported. The maximum number of clients that can be attached to a port can be limited using the Port Security Limit Control functionality.

Further Guidelines for Port Admin State

■

Port Admin state can only be set to Force-Authorized for ports participating in the Spanning Tree algorithm (see page 141).

■

When 802.1X authentication is enabled on a port, the MAC address learning function for this interface is disabled, and the addresses dynamically learned on this port are removed from the common address table.

■

Authenticated MAC addresses are stored as dynamic entries in the switch's secure MAC address table. Configured static MAC addresses are added to the secure address table when seen on a switch port (see page 172). Static addresses are treated as authenticated without sending a request to a RADIUS server.

■

When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored.

◆ RADIUS-Assigned QoS Enabled - Enables or disables this feature for

a given port. Refer to the description of this feature under the System Configuration section.

◆ RADIUS-Assigned VLAN Enabled - Enables or disables this feature

for a given port. Refer to the description of this feature under the System Configuration section.

– 99 –

Page 100

HAPTER

Configuring Security

| Configuring the Switch

◆ Guest VLAN Enabled - Enables or disables this feature for a given

port. Refer to the description of this feature under the System Configure section.

◆ Port State - The current state of the port:

■

Globally Disabled - 802.1X and MAC-based authentication are globally disabled. (This is the default state.)

■

Link Down - 802.1X or MAC-based authentication is enabled, but there is no link on the port.

■

Authorized - The port is in Force Authorized mode, or a singlesupplicant mode and the supplicant is authorized.

■

Unauthorized - The port is in Force Unauthorized mode, or a single-supplicant mode and the supplicant is not successfully authorized by the RADIUS server.

■

X Auth/Y Unauth - The port is in a multi-supplicant mode. X clients are currently authorized and Y are unauthorized.

◆ Restart - Restarts client authentication using one of the methods

described below. Note that the restart buttons are only enabled when the switch’s authentication mode is globally enabled (under System Configuration) and the port's Admin State is an EAPOL-based or MACBased mode. Clicking these buttons will not cause settings changed on the page to take effect.

■

Reauthenticate - Schedules reauthentication to whenever the quiet-period of the port runs out (EAPOL-based authentication). For MAC-based authentication, reauthentication will be attempted immediately. The button only has effect for successfully authenticated clients on the port and will not cause the clients to get temporarily unauthorized.

■

Reinitialize - Forces a reinitialization of the clients on the port and thereby a reauthentication immediately. The clients will transfer to the unauthorized state while the reauthentication is in progress.

WEB INTERFACE

To configure 802.1X Port Security:

1. Click Advanced Configuration, Security, Network, NAS.

2. Modify the required attributes.

3. Click Save.

– 100 –