Page 1
LevelOne
User Manual
GEP-2651
26-Port Web Smart Gigabit PoE Switch, 24
PoE Outputs, 2 x SFP/RJ45 Combo, 185W
Page 2
i
GEP-2651
User's Manual
26-Port Web Smart Gigabit PoE Switch
Release 6.23
ã 2016, Digital Data Communications GmbH, Germany. All rights reserved. All brand and product names are
trademarks or registered trademarks of Digital Data companies
Revision A1
Page 3
ii
Copyright
About This Manual
Copyright © 2016 Digital Data Communications GmbH. All rights reserved.
The products and programs described in this User’s Manual are licensed products of
Manufacture Technology, This User’s Manual contains proprietary information protected
by copyright, and this User’s Manual and all accompanying hardware, software and
documentation are copyrighted. No parts of this User’s manual may be copied,
photocopied, reproduced, translated or reduced to any electronic medium or machinereadable from by any means by electronic or mechanical. Including photocopying,
recording, or information storage and retrieval systems, for any purpose other than the
purchaser’s personal use, and without the prior express written permission of
Manufacture Technology.
Purpose
Audience
CONVENTIONS
WARRANTY
Disclaimer
FCC Warning
This manual gives specific information on how to operate and use the management
functions of the GEP-2651
The Manual is intended for use by network administrators who are responsible for
operating and maintaining network equipment; consequently, it assumes a basic
working knowledge of general switch functions, the Internet Protocol (IP), and Simple
Network Management Protocol (SNMP).
The following conventions are used throughout this manual to show information.
See the Customer Support/ Warranty booklet included with the product. A copy of the
specific warranty terms applicable to your Manufacture products and replacement
parts can be obtained from your Manufacture Sales and Service Office authorized
dealer.
Manufacture Technology does not warrant that the hardware will work properly in all
environments and applications, and marks no warranty and representation, either
implied or expressed, with respect to the quality, performance, merchantability, or
fitness for a particular purpose. Manufacture disclaims liability for any inaccuracies or
omissions that may have occurred. Information in this User’s Manual is subject to
change without notice and does not represent a commitment on the part of
Manufacture. Manufacture assumes no responsibility for any inaccuracies that may be
contained in this User’s Manual. Manufacture makes no commitment to update or keep
current the information in this User’s Manual, and reserves the righter to make
improvements to this User’s Manual and /or to the products described in this User’s
Manual, at any time without notice.
This equipment has been tested and found to comply with the limits for a Class B
digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to
provide reasonable protection against harmful interference when the equipment is
operated in a commercial environment. This equipment generates, uses, and can
radiate radio frequency energy and, if not installed and used in accordance with the
Instruction manual, may cause harmful interference to radio communications.
FCC Caution
CE mark
Warning
To assure continued compliance (example-use only shielded interface cables when
connection to computer or peripheral devices). Any changes or modifications not
expressly approved by the party responsible for compliance could void the user’s
authority to operate the equipment. This device complies with Part 15 of the FCC Rules.
Operation is subject to the Following two conditions: (1) This device may not cause
harmful interference, and (2) this device must accept any interference received,
including interference that may cause undesired operation.
This is a Class B device, In a domestic environment, this product may cause radio
interference, in which case the user may be required to take adequate measures.
Revision A1
Page 4
iii
NOTE: Emphasizes important information or calls your attention to
related features or instructions.
W
ARNING
:
Alerts you to a potential hazard that could cause
personal injury.
C
AUTION
:
Alerts you to a potential hazard that could cause loss of
data, or damage the system or equipment.
Revision A1
Page 5
iv
Table of Contents
Revision History ............................................................................................................................................. ix
INTRODUCTION
CHAPTER 1 OPERATION OF WEB-BASED MANAGEMENT
CHAPTER 2 SYSTEM CONFIGURATION
2-1 System .................................................................................................................................................. 6
2-1.1 Information ............................................................................................................................................. 6
2-1.2 IP ............................................................................................................................................................. 7
2-1.3 NTP ....................................................................................................................................................... 10
2-1.4 Time ...................................................................................................................................................... 11
2-1.5 Log ........................................................................................................................................................ 14
2-2 Green Ethernet ................................................................................................................................... 14
2-3 Ports Configuration .......................................................................................................................... 18
2-3.1 Ports ...................................................................................................................................................... 18
2-3.2 Ports Description ................................................................................................................................. 20
2-4DHCP .................................................................................................................................................... 21
2-4.1 Server ................................................................................................................................................... 21
2-4.1.1 Mode ............................................................................................................................................. 21
2-4.1.2 Excluded IP .................................................................................................................................. 23
2-4.1.3 Pool ............................................................................................................................................... 24
2-4.2 Snooping .............................................................................................................................................. 26
....................................................................................................................... 1
................ 2
................................................ 6
2-5 Security ............................................................................................................................................... 28
2-5.1 Switch ................................................................................................................................................... 28
2-5.1.1 Users ............................................................................................................................................ 28
2-5.1.2 Privilege Level ............................................................................................................................. 30
2-5.1.3 Authentication Method ................................................................................................................ 32
2-5.1.4 HTTPs .......................................................................................................................................... 33
2-5.1.5 SNMP ........................................................................................................................................... 34
2-5.1.6 RMON ........................................................................................................................................... 48
2-5.2 Network ................................................................................................................................................ 54
2-5.2.1 Limit Control ................................................................................................................................. 54
2-5.2.2 NAS ............................................................................................................................................... 56
2-5.2.3 ACL ............................................................................................................................................... 64
2-5.2.4 IP Source Guard ......................................................................................................................... 70
2-5.2.5 ARP Inspection ............................................................................................................................ 73
2-5.3 AAA ....................................................................................................................................................... 80
2-5.3.1 RADIUS ........................................................................................................................................ 80
2-6 Aggregation ........................................................................................................................................ 83
2-6.1 Static ..................................................................................................................................................... 83
2-6.2 LACP ..................................................................................................................................................... 85
2-7 Loop Protection ................................................................................................................................. 87
2-8 Spanning Tree .................................................................................................................................... 89
2-8.1 Bridge Setting ...................................................................................................................................... 89
2-8.2 MSTI Mapping ..................................................................................................................................... 92
2-8.3 MSTI Priorities ..................................................................................................................................... 94
2-8.4 CIST Ports ............................................................................................................................................ 95
2-8.5 MSTI Ports ........................................................................................................................................... 98
Revision A1
Page 6
v
2-9 IPMC .................................................................................................................................................. 100
2-9.1 IGMP Snooping ................................................................................................................................. 100
2-9.1.1 Basic Configuration .................................................................................................................. 100
2-9.1.2 VLAN Configuration .................................................................................................................. 102
2-10 LLDP ................................................................................................................................................ 104
2-10.1 LLDP Configuration ........................................................................................................................ 104
2-10.2 LLDP-MED Configuration .............................................................................................................. 107
2- 11 PoE ................................................................................................................................................. 113
2- 11. 1 Conf i g uration .................................................................................................................................. 113
2- 11. 2 Powe r Delay ................................................................................................................................... 116
2- 11. 3 Sche d u ling ...................................................................................................................................... 117
3- 11. 4 Aut o Ch e c king ................................................................................................................................ 119
2-12 MAC Table ...................................................................................................................................... 121
2-13 VLANs ............................................................................................................................................. 123
2-14 Private VLANs ................................................................................................................................ 126
2-14.1 VLAN Membership ......................................................................................................................... 126
2-14.2 Port Isolation .................................................................................................................................... 128
2-15 VCL .................................................................................................................................................. 129
2-15.1 MAC-based VLAN .......................................................................................................................... 129
2-15.2 Protocol -based VLAN ................................................................................................................... 131
2-15.2.1 Protocol to Group .................................................................................................................... 131
2-15.2.2 Group to VLAN ........................................................................................................................ 133
2-15.3 IP Subnet-based VLAN .................................................................................................................. 134
2-16 VOICE VLAN ................................................................................................................................... 136
2-16.1 Configuration ................................................................................................................................... 136
2-16.2 OUI .................................................................................................................................................... 137
2-17 QoS .................................................................................................................................................. 138
2-17.1 Port Classification ........................................................................................................................... 139
2-17.2 Port Policing .................................................................................................................................... 141
2-17.3 Port Schedulers .............................................................................................................................. 143
2-17.4 Port Shaping .................................................................................................................................... 146
2-17.5 Port Tag Remarking ........................................................................................................................ 149
2-17.6 Port DSCP ....................................................................................................................................... 152
2-17.7 DSCP-Based QoS .......................................................................................................................... 154
2-17.8 DSCP Translation ........................................................................................................................... 156
2-17.9 DSCP Classification ....................................................................................................................... 158
2-17.10 QoS Control List Configuration ................................................................................................... 160
2-17.11 Storm Control ................................................................................................................................ 164
2-18 Mirror ............................................................................................................................................... 165
2-19 UPnP ................................................................................................................................................ 167
2-20 Switch2go ....................................................................................................................................... 168
2-20.1 Switch2go setting ............................................................................................................................ 168
2-20.2 User Link Management .................................................................................................................. 170
2-20.3 Port Name Service ......................................................................................................................... 171
2-21 SMTP Configuration ...................................................................................................................... 172
CHAPTER 3. MONITOR
3-1 System .............................................................................................................................................. 174
.............................................................................. 174
Revision A1
Page 7
vi
3-1.1 Information ......................................................................................................................................... 174
3-1.2 IP Status ............................................................................................................................................. 177
3-1.3 Log ...................................................................................................................................................... 179
3-1.4 Detailed Log ....................................................................................................................................... 181
3-2 Green Ethernet ................................................................................................................................. 182
3-2.1 Port Power Savings .......................................................................................................................... 182
3-3 Ports .................................................................................................................................................. 183
3-3.1 Traffic Overview ................................................................................................................................. 183
3-3.2 Qos Statistics ..................................................................................................................................... 185
3-3.3 QCL Status ......................................................................................................................................... 186
3-3.4 Detailed Statistics ............................................................................................................................. 188
3-3.5 SFP Information ................................................................................................................................ 190
3-4 DHCP ................................................................................................................................................. 193
3-4.1 Server ............................................................................................................................................. 193
3-4.1.1 Statistics ..................................................................................................................................... 193
3-4.1.2 Binding ........................................................................................................................................ 194
3-4.1.3 Declined IP ................................................................................................................................. 195
3-4.1 Snooping Table .................................................................................................................................. 195
3-4.2 Detailed Statistics ............................................................................................................................. 197
3-5 Security ............................................................................................................................................. 199
3-5.1 Network .............................................................................................................................................. 199
3-5.1.1 Port Security .............................................................................................................................. 199
3-5.1.2 NAS ............................................................................................................................................. 204
3-5.1.3 ACL Status ................................................................................................................................. 209
3-5.1.4 ARP Inspection .......................................................................................................................... 211
3-5.1.5 IP Source Guard ....................................................................................................................... 212
3-5.2 AAA ..................................................................................................................................................... 213
3-5.2.1 RADIUS Overview .................................................................................................................... 213
3-5.2.2 RADIUS Details ......................................................................................................................... 215
3-5.3 Switch ................................................................................................................................................. 219
3-5.3.1 RMON ......................................................................................................................................... 219
3-6 LACP ................................................................................................................................................. 226
3-6.1 System Status ................................................................................................................................... 226
3-6.2 Port Status ......................................................................................................................................... 227
3-6.3 Port Statistics ..................................................................................................................................... 229
3-7 Loop Protection ............................................................................................................................... 230
3-8 Spanning Tree .................................................................................................................................. 231
3-8.1 Bridge Status ..................................................................................................................................... 231
3-8.2 Port Status ......................................................................................................................................... 232
3-8.3 Port Statistics ..................................................................................................................................... 233
3-10 IPMC ................................................................................................................................................ 234
3-10.1 IGMP Snooping ............................................................................................................................... 234
3-10.1.1 Status ....................................................................................................................................... 234
3-10.1.2 Group Information ................................................................................................................... 236
3-11 LLDP ................................................................................................................................................ 238
3-11.1 Neig h b our ......................................................................................................................................... 238
3-11.2 LLDP-MED Neighbour .................................................................................................................... 240
3-11.3 PoE ................................................................................................................................................... 243
3-11.4 EEE ................................................................................................................................................... 245
3-11.5 Port Statis t i cs ................................................................................................................................... 247
3-12 PoE .................................................................................................................................................. 249
Revision A1
Page 8
vii
3-13 MAC Table ...................................................................................................................................... 251
3-14 VLANs ............................................................................................................................................. 253
3-14.1 VLAN Membership ......................................................................................................................... 253
3-14.2 VLAN Port ........................................................................................................................................ 255
3-15 VCL .................................................................................................................................................. 257
3-15.1 MAC-based VLAN .......................................................................................................................... 257
3-15.2 Protocol-based VLAN ..................................................................................................................... 258
3-15.2.1 Protocol to Group .................................................................................................................... 258
3-15.2.2 Group to VLAN ........................................................................................................................ 260
3-15.3 IP Subnet-based VLAN .................................................................................................................. 261
CHAPTER 4. DIAGNOSTICS
4-1 Ping ................................................................................................................................................... 262
4-2 Ping6 ................................................................................................................................................. 264
4-3 VeriPHY ............................................................................................................................................. 266
4-4 Traceroute ........................................................................................................................................ 267
CHAPTER 5. MAINTENANCE
5-1 Restart Device .................................................................................................................................. 268
5-2 Factory Defaults .............................................................................................................................. 269
5-3 Software ............................................................................................................................................ 270
5-3.1 Download ........................................................................................................................................... 270
5-3.2 Software Image Select ..................................................................................................................... 271
5-4 Configuration ................................................................................................................................... 273
5-4.1 Save startup-config ........................................................................................................................... 273
5-4.2 Upload ................................................................................................................................................ 274
5-4.3 Download ........................................................................................................................................... 275
5-4.4 Activate ............................................................................................................................................... 277
5-4.5 Delete ................................................................................................................................................. 278
..................................................................... 262
................................................... 268
CHAPTER 6 DMS-MANAGEMENT
6-1 Information ....................................................................................................................................... 279
6-2 Device List ........................................................................................................................................ 281
CHAPTER 7 DMS-GRAPHIC MONITORING
7-1 Topology View .................................................................................................................................. 282
7-2 Floor View ......................................................................................................................................... 283
7-3 Map View ........................................................................................................................................... 284
CHAPTER 8 DMS-MAUNTENANCE
8-1 Floor Image ...................................................................................................................................... 285
............................................................................. 279
............................................................ 281
.......................................................................... 285
Revision A1
Page 9
viii
8-2 Trouble shooting ............................................................................................................................. 286
8-3 Traffic Chart ...................................................................................................................................... 287
Revision A1
Page 10
ix
Revision History
Release
Date
Revision
V6.23
08/1/2016
A1
Revision A1
Page 11
1
INTRODUCTION
Overview
In this user’s manual, it will not only tell you how to install and connect your network system but
configure and monitor the GEP-2651 through the web by (RJ-45) serial interface and Ethernet ports
step-by-step. Many explanations in detail of hardware and software functions are shown as well as the
examples of the operation for web-based interface.
The GEP-2651 series, the next generation Web managed switches from Manufacture, is a
portfolio of affordable managed switches that provides a reliable infrastructure for your business
network. These switches deliver more intelligent features you need to improve the availability of your
critical business applications, protect your sensitive information, and optimize your network bandwidth
to deliver information and applications more effectively. It provides the ideal combination of affordability
and capabilities for entry level networking includes small business or enterprise application and helps
you create a more efficient, better-connected workforce.
GEP-2651 Web Managed Switches provide 26 ports in a single device; the specification is
highlighted as follows.
l L2+ features provide better manageability, security, QoS, and performance.
l Support IPv4/IPv6 dual stack management
l Support SNMP v1/v2c/v3
l Support RMON groups 1,2,3,9
l Support IGMP v1/v2/v3 Snooping
l Support RADIUS authentication
l Support IP Source Guard
l Support DHCP Snooping
l Support ACL and QCL for traffic filtering
l Support 802.1d(STP), 802.1w(RSTP) and 802.1s(MSTP)
l Support LACP and static link aggregation
l Support Q-in-Q double tag VLAN
Overview of this user’s manual
l Chapter 1 “Operation of Web-based Management”
l Chapter 2 “System Configuration”
l Chapter 3 “Configuration”
l Chapter 4 “Security”
l Chapter 5 “Maintenance”
Publication date: June, 2015
Revision A1
Page 12
2
IP Address
192.168.1.1
Subnet Mask
255.255.255.0
Default Gateway
192.168.1.254
Username
admin
Password
admin
NOTE:
When you login the Switch WEB/CLI to manager. You must first type the
Username of the admin. Password was blank, so when you type after the
end Username, please press enter. Management page to enter WEB/CLI.
When you login GEP-2651 series switch Web UI management, you can use
both ipv4 ipv6 login to manage
To optimize the display effect, we recommend you use Microsoft IE 6.0
above, Netscape V7.1 above or FireFox V1.00 above and have the
resolution 1024x768. The switch supported neutral web browser interface
Chapter 1 Operation of Web-based
Management
Initial
Configuration
This chapter instructs you how to configure and manage the GEP-2651 through the
web user interface. With this facility, you can easily access and monitor through any
one port of the switch all the status of the switch, including MIBs status, each port
activity, Spanning tree status, port aggregation status, multicast traffic, VLAN and
priority status, even illegal access record and so on.
The default values of the GEP-2651 are listed in the table below:
After the GEP2651 has been finished configuration the it interface, you can browse it.
For instance, type http://192.168.1.1 in the address row in a browser, it will show the
following screen and ask you inputting username and password in order to login and
access authentication.
The default username is “admin” and password is “admin”. For the first time to use,
please enter the default username and password, and then click the <Login> button.
The login process now is completed. In this login menu, you have to input the complete
username and password respectively, the GEP-2651 will not give you a shortcut to
username automatically. This looks inconvenient, but safer.
In the GEP-2651, allowed two or more users using administrator’s identity to manage
this switch, which administrator to do the last setting, it will be an available
configuration to effect the system.
Publication date: June, 2015
Revision A1
Page 13
5
NOTE:
AS GEP-2651 the function enable dhcp, so If you do not have DHCP server
to provide ip addresses to the switch, the Switch default ip 192.168.1.1
Figure 1 The login page
Publication date: June, 2015
Revision A1
Page 14
6
Chapter 2 System Configuration
This chapter describes the entire basic configuration tasks which includes the System Information and
any manage of the Switch (e.g. Time, Account, IP, Syslog and NTP.)
2-1 System
You ca n id en ti fy t he s ys te m by co nf ig ur in g t he co nt ac t i nf or ma ti on , na me , an d lo ca ti on o f the
switch.
2-1.1 Information
The switch system’s contact information is provided here.
Web interface
To c o nf ig u re S ys t em I n fo rm a ti on in t he we b i nt er fa c e:
1. Click Configuration, System, and Information.
2. Write System Contact, System Name, System Location information in this page.
3. Click Apply
Figure 2-1.1: System Information
Parameter description:
l System Contact:
The textual identification of the contact person for this managed node, together with
information on how to contact this person. The allowed string length is 0 to 128, and the
allowed content is the ASCII characters from 32 to 126.
l System name:
An administratively assigned name for this managed node. By convention, this is the
node's fully-qualified domain name. A domain name is a text string drawn from the alphabet
(A-Za-z), digits (0-9), minus sign (-). No space characters are permitted as part of a name.
The first character must be an alpha character. And the first or last character must not be a
minus sign. The allowed string length is 0 to 128.
l System Location:
The physical location of this node(e.g., telephone closet, 3rd floor). The allowed string
length is 0 to 128, and the allowed content is the ASCII characters from 32 to 126.
Revision A1
Page 15
7
2-1.2 IP
The IPv4 address for the switch could be obtained via DHCP Server for VLAN 1. To manually
configure an address, you need to change the switch's default settings to values that are
compatible with your network. You may also need to establish a default gateway between the
switch and management stations that exist on another network segment.
Configure the switch-managed IP information on this page
Configure IP basic settings, control IP interfaces and IP routes.
The maximum number of interfaces supported is 8 and the maximum number of routes is 32.
Web Interface
To configure an IP address in the web interface:
1. Click Configuration, System, IP.
2. Click Add Interface then you can create new Interface on the switch.
3. Click Add Route then you can create new Route on the switch
4. Click Apply
Figure2-1.2: The IP configuration
Parameter description:
IP Configuration
l Mode:
Revision A1
Page 16
8
Configure whether the IP stack should act as a Host or a Router. In Host mode, IP traffic
between interfaces will not be routed. In Router mode traffic is routed between all interfaces.
l DNS Server
This setting controls the DNS name resolution done by the switch. The following modes are
supported:
• From any DHCP interfaces
The first DNS server offered from a DHCP lease to a DHCP-enabled interface will be
used.
• No DNS server
No DNS server will be used.
• Configured
Explicitly provide the IP address of the DNS Server in dotted decimal notation.
• From this DHCP interface
Specify from which DHCP-enabled interface a provided DNS server should be
preferred.
l DNS Proxy
When DNS proxy is enabled, system will relay DNS requests to the currently configured
DNS server, and reply as a DNS resolver to the client devices on the network.
IP Interfaces
l Delete
Select this option to delete an existing IP interface.
l VLAN
The VLAN associated with the IP interface. Only ports in this VLAN will be able to access
the IP interface. This field is only available for input when creating an new interface.
l IPv4 DHCP Enabled
Enable the DHCP client by checking this box. If this option is enabled, the system will
configure the IPv4 address and mask of the interface using the DHCP protocol. The DHCP
client will announce the configured System Name as hostname to provide DNS lookup.
l IPv4 DHCP Fallback Timeout
The number of seconds for trying to obtain a DHCP lease. After this period expires, a
configured IPv4 address will be used as IPv4 interface address. A value of zero disa bles the
fallback mechanism, such that DHCP will keep retrying until a valid lease is obtained. Legal
values are 0 to 4294967295 seconds.
l IPv4 DHCP Current Lease
For DHCP interfaces with an active lease, this column show the current interface address,
as provided by the DHCP server.
l IPv4 Address
The IPv4 address of the interface in dotted decimal notation.
If DHCP is enabled, this field is not used. The field may also be left blank if IPv4 operation
on the interface is not desired.
l IPv4 Mask
The IPv4 network mask, in number of bits (prefix length). Valid values are between 0 and
30 bits for a IPv4 address.
If DHCP is enabled, this field is not used. The field may also be left blank if IPv4 operation
on the interface is not desired.
l IPv6 Address
The IPv6 address of the interface. A IPv6 address is in 128-bit records represented as
eight fields of up to four hexadecimal digits with a colon separating each field (:). For
example, fe80::215:c5ff:fe03:4dc7. The symbol :: is a special syntax that can be used as a
shorthand way of representing multiple 16-bit groups of contiguous zeros; but it can
appear only once. It can also represent a legally valid IPv4 address. For
example, ::192.1.2.34.
The field may be left blank if IPv6 operation on the interface is not desired.
Revision A1
Page 17
9
l IPv6 Mask
The IPv6 network mask, in number of bits (prefix length). Valid values are between 1 and
128 bits for a IPv6 address.
The field may be left blank if IPv6 operation on the interface is not desired.
IP Routes
l Delete
Select this option to delete an existing IP route.
l Network
The destination IP network or host address of this route. Valid format is dotted decimal
notationor a valid IPv6 notation. A default route can use the value 0.0.0.0or IPv6 ::
notation.
l Mask Length
The destination IP network or host mask, in number of bits (prefix length). It defines how
much of a network address that must match, in order to qualify for this route. Valid values
are between 0 and 32 bits respectively 128 for IPv6 routes. Only a default route will have a
mask length of 0 (as it will match anything).
l Gateway
The IP address of the IP gateway. Valid format is dotted decimal notationor a valid IPv6
notation. Gateway and Network must be of the same type.
l Next Hop VLAN (Only for IPv6)
The VLAN ID (VID) of the specific IPv6 interface associated with the gateway.
The given VID ranges from 1 to 4094 and will be effective only when the corresponding
IPv6 interface is valid.
If the IPv6 gateway address is link-local, it must specify the next hop VLAN for the
gateway.
If the IPv6 gateway address is not link-local, system ignores the next hop VLAN for the
gateway.
Buttons
l Add Interface:
Click to add a new IP interface. A maximum of 8 interfaces is supported.
l Add Route:
Click to add a new IP route. A maximum of 32 routes is supported.
l Apply:
Click to save changes.
l Reset:
Click to undo any changes made locally and revert to previously saved values.
Revision A1
Page 18
10
2-1.3 NTP
NTP is Network Time Protocol and is used to sync the network time based Greenwich Mean
Time (GMT). If use the NTP mode and select a built-in NTP time server or manually specify an
user-defined NTP server as well as Time Zone, the switch will sync the time in a short after
pressing <Apply> button. Though it synchronizes the time automatically, NTP does not update
the time periodically without user’s processing.
Time Zone is an offset time off GMT. You have to select the time zone first and then perform
time sync via NTP because the switch will combine this time zone offset and updated NTP time
to come out the local time, otherwise, you will not able to get the correct time. The switch
supports configurable time zone from –12 to +13 step 1 hour.
Default Time zone: +8 Hrs.
Web Interface
To configure NTP in the web interface:
1. Click Configuration, System, NTP.
2. Specify the Time parameter in manual parameters.
3. Click Apply.
Figure 2-1.3: The NTP configuration
Parameter description:
l Mode :
Indicates the NTP mode operation. Possible modes are:
Enabled: Enable NTP client mode operation.
Disabled: Disable NTP client mode operation.
l Server 1 to 5 :
Provide the NTP IPv4 or IPv6 address of this switch. IPv6 address is in 128-bit records
represented as eight fields of up to four hexadecimal digits with a colon separating each field
(:). For example, 'fe80::215:c5ff:fe03:4dc7'. The symbol '::' is a special syntax that can be
used as a shorthand way of representing multiple 16-bit groups of contiguous zeros; but it
can only appear once. It can also represent a legally valid IPv4 address. For example,
'::192.1.2.34'.
l Buttons
These buttons are displayed on the NTP page:
Apply – Click to save changes.
Revision A1
Page 19
11
Reset - Click to undo any changes made locally and revert to previously saved values.
Revision A1
Page 20
11
2-1.4 Time
The switch provides manual and automatic ways to set the system time via NTP. Manual
setting is simple and you just input “Year”, “Month”, “Day”, “Hour” and “Minute” within the valid
value range indicated in each item.
Web Interface
To configure Time in the web interface:
1. Click Configuration, System and Time
2. Specify the Time parameter.
3. Click Apply.
Figure 2-1.4: The time configuration
Publication date: June, 2015
Revision A1
Page 21
12
Parameter description:
Time Configuration
l Clock Source:
There are two modes for configuring how the Clock Source from. Select "Use Local Settings" :
Clock Source from Local Time. Select "Use NTP Server" : Clock Source from NTP Server.
l System Date:
Show the current time of the system. The year of system date limits between 2011 and 2037.
Time Zone Configuration
l Time Zone:
Lists various Time Zones world wide. Select appropriate Time Zone from the drop down
and click Apply to set.
l Acronym:
User can set the acronym of the time zone. This is a User configurable acronym to identify
the time zone. ( Range : Up to 16 characters )
Daylight Saving Time Configuration
l Daylight Saving Time:
This is used to set the clock forward or backward according to the configurations set below
for a defined Daylight Saving Time duration. Select 'Disable' to disable the Daylight Saving
Time configuration. Select 'Recurring' and configure the Daylight Saving Time duration to
repeat the configuration every year. Select 'Non-Recurring' and configure the Daylight
Saving Time duration for single time configuration. ( Default : Disabled ).
Recurring Configuration
l Start time settings:
Week - Select the starting week number.
Revision A1
Page 22
13
Day - Select the starting day.
NOTE: The under “Start Time Settings” and “End Time Settings”
was displayed what you set on the “Start Time Settings” and “End
Time Settings” field information.
Month - Select the starting month.
Hours - Select the starting hour.
Minutes - Select the starting minute.
l End time settings:
Week - Select the ending week number.
Day - Select the ending day.
Month - Select the ending month.
Hours - Select the ending hour.
Minutes - Select the ending minute.
l Offset settings:
Offset - Enter the number of minutes to add during Daylight Saving Time. ( Range: 1 to
1440 )
l Buttons
These buttons are displayed on the NTP page:
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved values.
Revision A1
Page 23
14
2-1.5 Log
The log is a standard for logging program messages . It allows separation of the software that
generates messages from the system that stores them and the software that reports and
analyzes them. It can be used as well a generalized informational, analysis and debugging
messages. It is supported by a wide variety of devices and receivers across multiple platforms.
Web Interface
To configure log configuration in the web interface:
1. Click Configuration, System and log.
2. Specify the syslog parameters include IP Address of Syslog server and Port number.
3. Evoke the Syslog to enable it.
4. Click Apply.
Figure2-1.5: The System Log configuration
Parameter description:
l Server Mode :
Indicate the server mode operation. When the mode operation is enabled, the syslog
message will send out to syslog server. The syslog protocol is based on UDP communication
and received on UDP port 514 and the syslog server will not send acknowledgments back
sender since UDP is a connectionless protocol and it does not provide acknowledgments.
The syslog packet will always send out even if the syslog server does not exist. Possible
modes are:
Enabled: Enable server mode operation.
Disabled: Disable server mode operation.
l Server Address :
Indicates the IPv4 hosts address of syslog server. If the switch provide DNS feature, it also
can be a host name.
l Syslog Level :
Indicates what kind of message will send to syslog server. Possible modes are:
Info: Send information, warnings and errors.
Warning: Send warnings and errors.
Error: Send errors.
l Buttons
These buttons are displayed on the NTP page:
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved values.
2-2 Green Ethernet
EEE is a power saving option that reduces the power usage when there is low or no traffic
utilization.
EEE works by powering down circuits when there is no traffic. When a port gets data to be
transmitted all circuits are powered up. The time it takes to power up the circuits is named
wakeup time. The default wakeup time is 17 us for 1Gbit links and 30 us for other link speeds.
Revision A1
Page 24
15
EEE devices must agree upon the value of the wakeup time in order to make sure that both the
receiving and transmitting device has all circuits powered up when traffic is transmitted. The
devices can exchange wakeup time information using the LLDP protocol.
EEE works for ports in auto-negotiation mode, where the port is negotiated to either 1G or 100
Mbit full duplex mode.
For ports that are not EEE-capable the corresponding EEE checkboxes are grayed out and
thus impossible to enable EEE for.
When a port is powered down for saving power, outgoing traffic is stored in a buffer until the
port is powered up again. Because there are some overhead in turning the port down and up,
more power can be saved if the traffic can be buffered up until a large burst of traffic can be
transmitted. Buffering traffic will give some latency in the traffic.
Web Interface
To c o nf ig u re a P o rt P o we r S av in g C on f ig ur at i on i n t he w eb in te r fa ce :
1. Click Configuration, Green Ethernet
2. Evoke to enable or disable the ActiPHY, PerfectReach, EEE and EEE Urgent Queues .
3. Click Apply.
Figure 2-2.1: The Port Power Saving Configuration
Parameter description:
Optimize EEE for
The switch can be set to optimize EEE for either best power saving or least traffic latency.
l Port:
The switch port number of the logical port.
Revision A1
Page 25
16
l ActiPHY :
Link down power savings enabled.
ActiPHY works by lowering the power for a port when there is no link. The port is power up
for short moment in order to determine if cable is inserted.
l PerfectReach :
Cable length power savings enabled.
PerfectReach works by determining the cable length and lowering the power for ports with
short cables.
l EEE :
Controls whether EEE is enabled for this switch port.
For maximizing power savings, the circuit isn't started at once transmit data is ready for a
port, but is instead queued until a burst of data is ready to be transmitted. This will give some
traffic latency.
If desired it is possible to minimize the latency for specific frames, by mapping the frames to
a specific queue (done with QOS), and then mark the queue as an urgent queue. When an
urgent queue gets data to be transmitted, the circuits will be powered up at once and the
latency will be reduced to the wakeup time.
l EEE Urgent Queues :
Queues set will activate transmission of frames as soon as data is available. Otherwise the
queue will postpone transmission until a burst of frames can be transmitted.
Revision A1
Page 26
2-3 Ports Configuration
The section describes to configure the Port detail parameters of the switch. Others you could
using the Port configure to enable or disable the Port of the switch. Monitor the ports content
or status in the function.
2-3.1 Ports
This page displays current port configurations. Ports can also be configured here.
Web Interface
To c o nf ig u re a C u rr en t P or t C on fi g ur at i on i n t he w eb in te r fa ce :
1. Click Configuration, Ports Configuration, and Ports
2. Specify the Speed Configured, Flow Control, Maximum Frame size, Excessive Collision
mode and Power Control.
3. Click Apply.
Figure 2-3.1: The Port Configuration
Parameter description:
l Port :
This is the logical port number for this row.
l Link :
The current link state is displayed graphically. Green indicates the link is up and red that it is
down.
Page 27
19
l Current Link Speed :
Provides the current link speed of the port.
l Configured Link Speed :
Selects any available link speed for the given switch port. Only speeds supported by the
specific port is shown. Possible speeds are:
Disabled - Disables the switch port operation.
Auto - Port auto negotiating speed with the link partner and selects the highest speed that is
compatible with the link partner.
10Mbps HDX - Forces the cu port in 10Mbps half duplex mode.
10Mbps FDX - Forces the cu port in 10Mbps full duplex mode.
100Mbps HDX - Forces the cu port in 100Mbps half duplex mode.
100Mbps FDX - Forces the cu port in 100Mbps full duplex mode.
1Gbps FDX - Forces the port in 1Gbps full duplex
2.5Gbps FDX - Forces the Serdes port in 2.5Gbps full duplex mode.
SFP_Auto_AMS - Automatically determines the speed of the SFP. Note: There is no
standardized way to do SFP auto detect, so here it is done by reading the SFP rom. Due to
the missing standardized way of doing SFP auto detect some SFPs might not be detectable.
The port is set in AMS mode. Cu port is set in Auto mode.
100-FX - SFP port in 100-FX speed. Cu port disabled.
100-FX_AMS - Port in AMS mode. SFP port in 100-FX speed. Cu port in Auto mode.
1000-X - SFP port in 1000-X speed. Cu port disabled.
1000-X_AMS - Port in AMS mode. SFP port in 1000-X speed. Cu port in Auto mode. Ports
in AMS mode with 1000-X speed has Cu port preferred. Ports in AMS mode with 100-FX
speed has fiber port preferred.
l Flow Control :
When Auto Speed is selected on a port, this section indicates the flow control capability that
is advertised to the link partner. When a fixed-speed setting is selected, that is what is used.
The Current Rx column indicates whether pause frames on the port are obeyed, and the
Current Tx column indicates whether pause frames on the port are transmitted. The Rx and
Tx settings are determined by the result of the last Auto-Negotiation.
Check the configured column to use flow control. This setting is related to the setting for
Configured Link Speed.
l Maximum Frame Size :
Enter the maximum frame size allowed for the switch port, including FCS.
l Excessive Collision Mode :
Configure port transmit collision behavior.
Discard: Discard frame after 16 collisions (default).
Restart: Restart backoff algorithm after 16 collisions.
l Buttons
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved values.
l Upper right icon (Refresh)
You c an c li ck t he m fo r r ef re sh t he P or t lin k St at us b y ma nu al
Revision A1
Page 28
20
2-3.2 Ports Description
The section describes to configure the Port’s alias or any descriptions for the Port Identity. It
provides user to write down an alphanumeric string describing the full name and version
identification for the system’s hardware type, software version, and networking application
Web Interface
To c o nf ig u re a n P or t D es cr i pt io n i n th e w eb i n te rf ac e :
1. Click Configuration, Port, then Port Description
2. Specify the detail Port alias or description an alphanumeric string describing the full name
and version identification for the system’s hardware type, software version, and networking
application.
3. Click Apply.
Figure 2-3.2: The Port Configuration
Parameter description:
l Port :
This is the logical port number for this row.
l Description :
Enter up to 47 characters to be descriptive name for identifies this port.
l Buttons
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved values.
Revision A1
Page 29
21
2-4DHCP
The section describes to configure the DHCP Snooping parameters of the switch. The DHCP
Snooping can prevent attackers from adding their own DHCP servers to the network.
2-4.1 Server
2-4.1.1 Mode
This page configures global mode and VLAN mode to enable/disable DHCP
server per system and per VLAN.
Web Interface
To c o nf ig u re DHCP server mode in the web interface:
1. Click Configuration, DHCP, Server, Mode
2. Select “Enabled” in the Global Mode of DHCP Server Mode Configuration.
3. Add Vlan range.
4. Click Apply.
Figure 2-4.1.1: The DHCP server Mode
Parameter description:
l Mode :
Configure the operation mode per system. Possible modes are:
Enabled: Enable DHCP server per system.
Revision A1
Page 30
22
Disabled: Disable DHCP server pre system.
l VLAN Range :
Indicate the VLAN range in which DHCP server is enabled or disabled. The first VLAN ID must be
smaller than or equal to the second VLAN ID. BUT, if the VLAN range contains only 1 VLAN ID, then
you can just input it into either one of the first and second VLAN ID or both.
On the other hand, if you want to disable existed VLAN range, then you can follow the steps.
1. press “ADD VLAN Range” to add a new VLAN range.
2. input the VLAN range that you want to disable.
3. choose Mode to be Disabled.
4. press Apply to apply the change.
Then, you will see the disabled VLAN range is removed from the DHCP Server mode configuration
page.
l Mode :
Indicate the the operation mode per VLAN. Possible modes are:
Enabled: Enable DHCP server per VLAN.
Disabled: Disable DHCP server pre VLAN.
l Buttons
Add VLAN Range - Click to add a new VLAN range.
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved values.
Revision A1
Page 31
23
2-4.1.2 Excluded IP
This page configures excluded IP addresses. DHCP server will not allocate
these excluded IP addresses to DHCP client.
Web Interface
To c o nf ig u re DHCP server excluded IP in the web interface:
1. Click Configuration, DHCP, Server, Excluded IP
2. Click Add IP Range then you can create new IP Range on the switch.
3. Click Apply.
Figure 2-4.1.2: The DHCP server excluded IP
Parameter description:
l IP Range :
Define the IP range to be excluded IP addresses. The first excluded IP must be smaller than or equal
to the second excluded IP. BUT, if the IP range contains only 1 excluded IP, then you can just input it
to either one of the first and second excluded IP or both.
l Buttons
Add IP Range - Click to add a new excluded IP range.
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved values.
Revision A1
Page 32
24
2-4.1.3 Pool
This page manages DHCP pools. According to the DHCP pool, DHCP server
will allocate IP address and deliver configuration parameters to DHCP client.
Web Interface
To c o nf ig u re D HC P se rv er p oo l i n th e w eb in te rf a ce :
1. Click Configuration, DHCP, Server, Pool
2. Click Add New Pool then you can create new Pool on the switch.
3. Click Apply.
Figure 2-4.1.3: The DHCP server pool
Parameter description:
Pool Setting
Add or delete pools.
Adding a pool and giving a name is to create a new pool with "default" configuration. If you
want to configure all settings including type, IP subnet mask and lease time, you can click
the pool name to go into the configuration page.
l Name :
Configure the pool name that accepts all printable characters, except white space. If you want to
configure the detail settings, you can click the pool name to go into the configuration page.
l Type :
Display which type of the pool is.
Network: the pool defines a pool of IP addresses to service more than one DHCP client.
Host: the pool services for a specific DHCP client identified by client identifier or hardware address.
If "-" is displayed, it means not defined.
l IP :
Revision A1
Page 33
25
Display network number of the DHCP address pool.
If "-" is displayed, it means not defined.
l Subnet Mask :
Display subnet mask of the DHCP address pool.
If "-" is displayed, it means not defined.
l Lease Time :
Display lease time of the pool.
l Buttons
Add New Pool - Click to add a new DHCP pool.
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved values.
Revision A1
Page 34
26
2-4.2 Snooping
DHCP Snooping is used to block intruder on the untrusted ports of the switch
device when it tries to intervene by injecting a bogus DHCP reply packet to a
legitimate conversation between the DHCP client and server.
The section describes to configure the DHCP Snooping parameters of the
switch. The DHCP Snooping can prevent attackers from adding their own
DHCP servers to the network.
Web Interface
To c o nf ig u re DHCP snooping in the web interface:
1. Click Configuration, DHCP, Snooping
2. Select “Enabled” in the Mode of DHCP Snooping Configuration.
3. Select “Trusted” of the specific port in the Mode of Port Mode Configuration.
4. Click Apply.
Figure 2-4.2: The DHCP Snooping Configuration
Parameter description:
l Snooping Mode :
Indicates the DHCP snooping mode operation. Possible modes are:
Enabled: Enable DHCP snooping mode operation. When DHCP snooping mode operation
is enabled, the DHCP request messages will be forwarded to trusted ports and only allow
reply packets from trusted ports.
Disabled: Disable DHCP snooping mode operation.
l Port Mode Configuration
Indicates the DHCP snooping port mode. Possible port modes are:
Trusted: Configures the port as trusted source of the DHCP messages.
Revision A1
Page 35
27
Untrusted: Configures the port as untrusted source of the DHCP messages.
l Buttons
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved values.
Revision A1
Page 36
28
2-5 Security
This section shows you to to configure the Port Security settings of the Switch. You can use the
Port Security feature to restrict input to an interface by limiting and identifying MAC addresses.
2-5.1 Switch
2-5.1.1 Users
This page provides an overview of the current users. Currently the only way to login as another
user on the web server is to close and reopen the browser
Web Interface
To c o nf ig u re User in the web interface:
1. Click Configuration, Security, Switch, Users.
2. Click Add new user
3. Specify the User Name parameter.
4. Click Apply.
Figure 2-5.1.1: The Users configuration
Parameter description:
l User Name :
The name identifying the user. This is also a link to Add/Edit User.
l Password
To t yp e t he p as s wo r d. Th e a ll o we d st r in g le n gt h is 0 t o 25 5, an d th e a ll ow ed co n te n t is th e
ASCII characters from 32 to 126.
l Password (again)
Revision A1
Page 37
29
To t y pe t h e pa ss w or d a ga in . Yo u mu s t ty p e th e s am e p as sw o rd a g ai n i n th e f ie ld .
l Privilege Level :
The privilege level of the user. The allowed range is 1 to 15. If the privilege level value is 15,
it can access all groups, i.e. that is granted the fully control of the device. But others value
need to refer to each group privilege level. User's privilege should be same or greater than
the group privilege level to have the access of that group. By default setting, most groups
privilege level 5 has the read-only access and privilege level 10 has the read-write access.
And the system maintenance (software upload, factory defaults and etc.) need user privilege
level 15. Generally, the privilege level 15 can be used for an administrator account, privilege
level 10 for a standard user account and privilege level 5 for a guest account.
l Buttons
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved values.
Cancel - Click to undo any changes made locally and return to the Users.
Delete User - Delete the current user. This button is not available for new configurations
(Add new user)
Revision A1
Page 38
30
2-5.1.2 Privilege Level
This page provides an overview of the privilege levels. The switch provides user set Account,
Aggregation, Diagnostics, EEE, GARP, GVRP,IP, IPMC Snooping LACP LLDP LLDP MED MAC
Ta bl e MR P M VR MV R P M ai nt en an ce Mi r ro r in g P OE P or t s P r iv a te VL A Ns Q oS S MT P S NM P
Security Spanning Tree System Trap Event VCL VLANs Voice VLAN Privilege Levels from 1 to
15 .
Web Interface
To c o nf ig u re P ri v il eg e L ev el in t he we b i nt er fa c e:
1. Click SYSTEM, Account, Privilege Level.
2. Specify the Privilege parameter.
3. Click Apply.
Figure2-5.1.2: The Privilege Level configuration
Parameter description:
l Group Name
The name identifying the privilege group. In most cases, a privilege level group consists of
a single module (e.g. LACP, RSTP or QoS), but a few of them contains more than one. The
following description defines these privilege level groups in details:
System: Contact, Name, Location, Timezone, Daylight Saving Time, Log.
Security: Authentication, System Access Management, Port (contains Dot1x port, MAC
based and the MAC Address Limit), ACL, HTTPS, ARP Inspection, IP source guard.
IP: Everything except 'ping'.
Port: Everything except 'VeriPHY'.
Revision A1
Page 39
31
Diagnostics: 'ping' and 'VeriPHY'.
Maintenance: System Restore Default, System Password, Configuration Save,
Configuration Load and Firmware Load. Web- Users, Privilege Levels and everything in
Maintenance.
l Privilege Levels
Every group has an authorization Privilege level for the following sub groups: configuration
read-only, configuration/execute read-write, status/statistics read-only, status/statistics readwrite (e.g. for clearing of statistics). User Privilege should be same or greater than the
authorization Privilege level to have the access to that group.
l Buttons
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved values.
Revision A1
Page 40
32
2-5.1.3 Authentication Method
This page shows how to configure a user with authenticated when he logs into the switch via
one of the management client interfaces.
Web Interface
To c o nf ig u re a A ut h en ti ca t io n Me t ho d Configuration in the web interface:
1. Specify the Client (http, htts) which you want to monitor.
2. Specify the Authentication Method (none,local, radius, tacacs+)
3. Checked Fallback.
4. Click Apply.
Figure 2-5.1.3: The Authentication Method Configuration
Parameter description:
l Client :
The management client for which the configuration below applies.
l Authentication Method :
Authentication Method can be set to one of the following values:
• none : authentication is disabled and login is not possible.
• local : use the local user database on the switch for authentication.
• radius : use a remote RADIUS server for authentication.
• tacacs+ : use a remote TACACS + server for authentication.
Methods that involves remote servers are timed out if the remote servers are offline. In this
case the next method is tried. Each method is tried from left to right and continues until a
method either approves or rejects a user. If a remote server is used for primary
authentication it is recommended to configure secondary authentication as 'local'. This will
enable the management client to login via the local user database if none of the configured
authentication servers are alive.
l Buttons:
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved values.
Revision A1
Page 41
33
2-5.1.4 HTTPs
This section shows you how to use HTTPS to securely access the Switch. HTTPS is a secure
communication protocol that combines authentication and data encryption to provide secure
encrypted communication via the browser.
Web Interface
To c o nf ig u re a H T TP S C on f ig ur a ti on i n t he w e b in te r fa ce :
1. Select “Enabled” in the Mode of HTTPS Configuration.
2. Select “Enabled” in the Automatic Redirect of HTTPS Configuration.
3. Click Apply.
Figure 2-5.1.4: The HTTPS Configuration
Parameter description:
l Mode :
Indicates the HTTPS mode operation. Possible modes are:
Enabled: Enable HTTPS mode operation.
Disabled: Disable HTTPS mode operation.
l Automatic Redirect :
Indicates the HTTPS redirect mode operation. Automatically redirect web browser to HTTPS
when HTTPS mode is enabled. Possible modes are:
Enabled: Enable HTTPS redirect mode operation.
Disabled: Disable HTTPS redirect mode operation.
Revision A1
Page 42
34
2-5.1.5 SNMP
Any Network Management System (NMS) running the Simple Network Management Protocol
(SNMP) can manage the Managed devices equipped with SNMP agent, provided that the
Management Information Base (MIB) is installed correctly on the managed devices. The SNMP
is a protocol that is used to govern the transfer of information between SNMP manager and
agent and traverses the Object Identity (OID) of the management Information Base (MIB),
described in the form of SMI syntax. SNMP agent is running on the switch to response the
request issued by SNMP manager.
Basically, it is passive except issuing the trap information. The switch supports a switch to turn
on or off the SNMP agent. If you set the field SNMP “Enable”, SNMP agent will be started up.
All supported MIB OIDs, including RMON MIB, can be accessed via SNMP manager. If the field
SNMP is set “Disable”, SNMP agent will be de-activated, the related Community Name, Trap
Host IP Address, Trap and all MIB counters will be ignored.
2-5.1.5.1 System
This section describes how to configure SNMP System on the switch. This function is used to
configure SNMP settings, community name, trap host and public traps as well as the throttle
of SNMP. A SNMP manager must pass the authentication by identifying both community
names, then it can access the MIB information of the target device. So, both parties must have
the same community name. Once completing the setting, click <Apply> button, the setting
takes effect.
Web Interface
To d i sp la y t he c o nf ig ur e S NM P Sy st em in the web interface:
1. Click SNMP, System.
2. Evoke SNMP State to enable or disable the SNMP function.
3. Specify the Engine ID
4. Click Apply.
Figure2-5.1.5.1: The SNMP System Configuration
Parameter description:
l Mode :
Indicates the SNMP mode operation. Possible modes are:
Enabled: Enable SNMP mode operation.
Revision A1
Page 43
35
Disabled: Disable SNMP mode operation.
l Ver sion
Indicates the SNMP supported version. Possible versions are:
SNMP v1: Set SNMP supported version 1.
SNMP v2c: Set SNMP supported version 2c.
SNMP v3: Set SNMP supported version 3.
l Read Community
Indicates the community read access string to permit access to SNMP agent. The allowed
string length is 0 to 255, and the allowed content is the ASCII characters from 33 to 126.
The field is applicable only when SNMP version is SNMPv1 or SNMPv2c. If SNMP version
is SNMPv3, the community string will be associated with SNMPv3 communities table. It
provides more flexibility to configure security name than a SNMPv1 or SNMPv2c community
string. In addition to community string, a particular range of source addresses can be used
to restrict source subnet.
l Write Community
Indicates the community write access string to permit access to SNMP agent. The allowed
string length is 0 to 255, and the allowed content is the ASCII characters from 33 to 126.
The field is applicable only when SNMP version is SNMPv1 or SNMPv2c. If SNMP version
is SNMPv3, the community string will be associated with SNMPv3 communities table. It
provides more flexibility to configure security name than a SNMPv1 or SNMPv2c community
string. In addition to community string, a particular range of source addresses can be used
to restrict source subnet.
l Engine ID
Indicates the SNMPv3 engine ID. The string must contain an even number(in hexadecimal
format) with number of digits between 10 and 64, but all-zeros and all-'F's are not allowed.
Change of the Engine ID will clear all original local users.
Revision A1
Page 44
36
2-5.1.5.2 Trap
Configure SNMP trap on this page.
Global Settings
Configure SNMP trap on this page.
Web Interface
To d i sp la y t he c o nf ig ur e S NM P Tr ap C on fi gu ra t io n i n th e we b i nt e rf ac e:
1. Click Configuration, Switch, SNMP, Trap.
2. Click Add New Entry then you can create new SNMP Trap on the switch.
3. Click Apply
Figure2-5.1.7.2: The SNMP Trap Configuration
Revision A1
Page 45
37
l Tra p Mode
Indicates the trap mode operation. Possible modes are:
Enabled: Enable SNMP trap mode operation.
Disabled: Disable SNMP trap mode operation.
l Tra p Dest ination Confi gurati ons
Configure trap destinations on this page.
l Name
Indicates the trap Configuration's name. Indicates the trap destination's name.
l Enable
Indicates the trap destination mode operation. Possible modes are:
Enabled: Enable SNMP trap mode operation.
Disabled: Disable SNMP trap mode operation.
l Ver sion
Indicates the SNMP trap supported version. Possible versions are:
SNMPv1: Set SNMP trap supported version 1.
SNMPv2c: Set SNMP trap supported version 2c.
SNMPv3: Set SNMP trap supported version 3.
l Tra p Community
Indicates the community access string when sending SNMP trap packet. The allowed string
length is 0 to 255, and the allowed content is ASCII characters from 33 to 126.
l Destination Address
Indicates the SNMP trap destination address. It allow a valid IP address in dotted decimal
notation ('x.y.z.w').
And it also allow a valid hostname. A valid hostname is a string drawn from the alphabet (AZa-z), digits (0-9), dot (.), dash (-). Spaces are not allowed, the first character must be an
alpha character, and the first and last characters must not be a dot or a dash.
Indicates the SNMP trap destination IPv6 address. IPv6 address is in 128-bit records
represented as eight fields of up to four hexadecimal digits with a colon separating each field
(:). For example, 'fe80::215:c5ff:fe03:4dc7'. The symbol '::' is a special syntax that can be
used as a shorthand way of representing multiple 16-bit groups of contiguous zeros; but it can
appear only once. It can also represent a legally valid IPv4 address. For example,
'::192.1.2.34'.
l Destination port
Indicates the SNMP trap destination port. SNMP Agent will send SNMP message via this port,
the port range is 1~65535.
l Tra p Inform Mode
Indicates the SNMP trap inform mode operation. Possible modes are:
Enabled: Enable SNMP trap inform mode operation.
Disabled: Disable SNMP trap inform mode operation.
l Tra p Inform Ti meout (secon ds)
Indicates the SNMP trap inform timeout. The allowed range is 0 to 2147.
l Tra p Inform Retry Times
Revision A1
Page 46
38
Indicates the SNMP trap inform retry times. The allowed range is 0 to 255.
l Tra p Probe Secu rity Engine I D
Indicates the SNMP trap probe security engine ID mode of operation. Possible values are:
Enabled: Enable SNMP trap probe security engine ID mode of operation.
Disabled: Disable SNMP trap probe security engine ID mode of operation.
l Tra p Secu rity Engine I D
Indicates the SNMP trap security engine ID. SNMPv3 sends traps and informs using USM for
authentication and privacy. A unique engine ID for these traps and informs is needed. When
"Trap Probe Security Engine ID" is enabled, the ID will be probed automatically. Otherwise,
the ID specified in this field is used. The string must contain an even number(in hexadecimal
format) with number of digits between 10 and 64, but all-zeros and all-'F's are not allowed.
l Tra p Secu rity Name
Indicates the SNMP trap security name. SNMPv3 traps and informs using USM for
authentication and privacy. A unique security name is needed when traps and informs are
enabled.
Configure SNMP trap on this page.
l System
Enable/disable that the Interface group's traps. Possible traps are:
Warm Start: Enable/disable Warm Start trap.
Cold Start: Enable/disable Cold Start trap.
l Interface
Indicates that the Interface group's traps. Possible traps are: Indicates that the SNMP entity is
permitted to generate authentication failure traps. Possible modes are:
Link Up: Enable/disable Link up trap.
Link Down: Enable/disable Link down trap.
LLDP: Enable/disable LLDP trap.
l AAA
Indicates that the AAA group's traps. Possible traps are:
Authentication Fail : Enable/disable SNMP trap authentication failure trap.
l Switch
Indicates that the Switch group's traps. Possible traps are:
STP: Enable/disable STP trap.
RMON: Enable/disable RMON trap.
l Private
Indicates the rule for private traps to be sent.
none: no private traps will be sent.
Critical: only critical level traps will be sent.
Warning: warning and critical level traps will be sent.
Info: all levels of traps(info,warning and critical) will be sent.
Revision A1
Page 47
39
2-5.1.5.3 Communities
The function is used to configure SNMPv3 communities. The Community and UserName is
unique. To create a new community account, please check <Add new community> button, and
enter the account information then check <Save>. Max Group Number: 4.
Web Interface
To d i sp la y t he c o nf ig ur e S NM P Co mm un it i es i n t he w eb in te r fa ce :
1. Click SNMP, Communities.
2. Click Add new community.
3. Specify the SNMP communities parameters.
4. Click Apply.
5. If you want to modify or clear the setting then click Reset.
Figure2-5.1.5.3: The SNMPv1/v2 Communities Security Configuration
Parameter description:
l Delete
Check to delete the entry. It will be deleted during the next save.
l Community
Indicates the community access string to permit access to SNMPv3 agent. The allowed string
length is 1 to 32, and the allowed content is ASCII characters from 33 to 126. The community
string will be treated as security name and map a SNMPv1 or SNMPv2c community string.
l Source IP
Indicates the SNMP access source address. A particular range of source addresses can be
used to restrict source subnet when combined with source mask.
l Source Mask
Indicates the SNMP access source address mask
Revision A1
Page 48
40
2-5.1.5.4 Users
The function is used to configure SNMPv3 user. The Entry index key is UserName. To create
a new UserName account, please check <Add new user> button, and enter the user
information then check <Save>. Max Group Number : 10.
Web Interface
To d i sp la y t he c o nf ig ur e S NM P Us er s in t h e we b i nt er f ac e:
1. Click SNMP, Users.
2. Specify the Privilege parameter.
3. Click Apply.
Figure 2-5.1.5.4: The SNMP Users Configuration
Parameter description:
l Delete
Check to delete the entry. It will be deleted during the next save.
l Engine ID
An octet string identifying the engine ID that this entry should belong to. The string must
contain an even number (in hexadecimal format) with number of digits between 10 and 64,
but all-zeros and all-'F's are not allowed. The SNMPv3 architecture uses the User-based
Security Model (USM) for message security and the View-based Access Control Model
(VACM) for access control. For the USM entry, the usmUserEngineID and usmUserName
are the entry's keys. In a simple agent, usmUserEngineID is always that agent's own
snmpEngineID value. The value can also take the value of the snmpEngineID of a remote
SNMP engine with which this user can communicate. In other words, if user engine ID equal
system engine ID then it is local user; otherwise it's remote user.
l User Name
A string identifying the user name t hat this entry should belong to. The allowed string length
is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
l Security Level
Indicates the security model that this entry should belong to. Possible security models are:
NoAuth, NoPriv: No authentication and no privacy.
Revision A1
Page 49
41
Auth, NoPriv: Authentication and no privacy.
Auth, Priv: Authentication and privacy.
The value of security level cannot be modified if entry already exists. That means it must first
be ensured that the value is set correctly.
l Authentication Protocol
Indicates the authentication protocol that this entry should belong to. Possible authentication
protocols are:
None: No authentication protocol.
MD5: An optional flag to indicate that this user uses MD5 authentication protocol.
SHA: An optional flag to indicate that this user uses SHA authentication protocol.
The value of security level cannot be modified if entry already exists. That means must first
ensure that the value is set correctly.
l Authentication Password
A string identifying the authentication password phrase. For MD5 authentication protocol, the
allowed string length is 8 to 32. For SHA authentication protocol, the allowed string length is
8 to 40. The allowed content is ASCII characters from 33 to 126.
l Privacy Protocol
Indicates the privacy protocol that this entry should belong to. Possible privacy protocols are:
None: No privacy protocol.
DES: An optional flag to indicate that this user uses DES authentication protocol.
l Privacy Password
A string identifying the privacy password phrase. The allowed string length is 8 to 3 2, and
the allowed content is ASCII characters from 33 to 126.
Revision A1
Page 50
42
2-5.1.5.5 Group
The function is used to configure SNMPv3 group. The Entry index key are Security Model and
Security Name. To create a new group account, please check <Add new group> button, and
enter the group information then check <Save>. Max Group Number: v1: 2, v2: 2, v3:10.
Web Interface
To d i sp la y t he c o nf ig ur e S NM P Gr ou ps i n t he w eb in te r fa ce :
1. Click SNMP, Groups.
2. Specify the Privilege parameter.
3. Click Apply.
Figure 2-5.1.5.5: The SNMP Groups Configuration
Parameter description:
l Delete
Check to delete the entry. It will be deleted during the next save.
l Security Model
Indicates the security model that this entry should belong to. Possible security models are:
v1: Reserved for SNMPv1.
v2c: Reserved for SNMPv2c.
Revision A1
Page 51
43
usm: User-based Security Model (USM).
l Security Name
A string ident ifying the securit y name that this entry sh ould belo ng to. The allowe d string
length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
l Group Name
A str ing identi fying the gr oup name tha t this entry should belong to. The allowed string length
is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
Revision A1
Page 52
44
2-5.1.5.6 Views
The function is used to configure SNMPv3 view. The Entry index keys are OID Subtree and
View Name. To create a new view account, please check <Add new view> button, and enter
the view information then check <Save>. Max Group Number: 28.
Configure SNMPv3 view table on this page. The entry index keys are View Name and OID
Subtree.
Web Interface
To display the configure SNMP views in the web interface:
1. Click SNMP, Views.
2. Click Add new View.
3. Specify the SNMP View parameters.
4. Click Apply.
5. If you want to modify or clear the setting then click Reset.
Figure 2-5.1.5.6: The SNMP Views Configuration
Parameter description:
l Delete
Check to delete the entry. It will be deleted during the next save.
l View Name
A string identif ying the view name that t his entry sho uld belong to . The allow ed string len gth
is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
l View Type
Indicates the view type that this entry should belong to. Possible view types are:
included: An optional flag to indicate that this view subtree should be included.
excluded: An optional flag to indicate that this view subtree should be excluded.
In general, if a view entry's view type is 'excluded', there should be another view entry
existing with view type as 'included' and it's OID subtree should overstep the 'excluded' view
entry.
l OID Subtree
The OID defining the root of the subtree to add to the named view. The allowed OID length
Revision A1
Page 53
45
is 1 to 128. The allowed string content is digital number or asterisk(*).
2-5.1.5.7 Access
The function is used to configure SNMPv3 accesses. The Entry index key are Group Name,
Security Model and Security level. To create a new access account, please check <Add new
access> button, and enter the access information then check <Save>. Max Group Number : 14
Web Interface
To d i sp la y t he c o nf ig ur e S NM P A cc es s i n th e w eb i n te rf ac e :
1. Click SNMP, Accesses.
2. Click Add new Access.
3. Specify the SNMP Access parameters.
4. Click Apply.
5. If you want to modify or clear the setting then click Reset.
.
Figure 2-5.1.5.7: The SNMP Accesses Configuration
Parameter description:
l Delete
Check to delete the entry. It will be deleted during the next save.
l Group Name
A str ing identi fying the gr oup name tha t t his entry sh ould belong to. The all owed stri ng length
is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
l Security Model
Indicates the security model that this entry should belong to. Possible security models are:
any: Any security model accepted(v1|v2c|usm).
v1: Reserved for SNMPv1.
Revision A1
Page 54
46
v2c: Reserved for SNMPv2c.
usm: User-based Security Model (USM).
l Security Level
Indicates the security model that this entry should belong to. Possible security models are:
NoAuth, NoPriv: No authentication and no privacy.
Auth, NoPriv: Authentication and no privacy.
Auth, Priv: Authentication and privacy.
l Read View Name
The name of the MIB view defining the MIB objects for which this request may request the
current values. The allowed string length is 1 to 32, and the allowed content is ASCII
characters from 33 to 126.
l Write View Name
The name of the MIB view defining the MIB objects for which this request may potentially set
new values. The allowed string length is 1 to 32, and the allowed content is ASCII characters
from 33 to 126.
Revision A1
Page 55
47
2-5.1.5.8 Trap Event Severity
This page displays current trap event severity configurations. Trap event severity can also be
configured here.
Web Interface
To d i sp la y t he c o nf ig ur e T ra p E ve nt S e rv er i ty i n t he w eb in te r fa ce :
1. Click SNMP, Trap Event Severity.
2. Scroll to select the Group name and Severity Level
3. Click the Apply to save the setting
4. If you want to cancel the setting then you need to click the Reset button. It will revert to
previously saved values
.
Figure 2-5.1.5.8: The Trap Event Severity Configuration
Parameter description:
l Group Name :
The name identifying the severity group.
l Severity Level :
Every group has an severity level. The following level types are supported:
<0> Information: Information messages.
<1> Warning: Warning conditions.
<2> Error: Error conditions.
Revision A1
Page 56
48
2-5.1.6 RMON
An RMON implementation typically operates in a client/server model. Monitoring devices
contain RMON software agents that collect information and analyze packets. These probes act
as servers and the Network Management applications that communicate with them act as
clients.
2-5.1.6.1 Statistics
Configure RMON Statistics table on this page. The entry index key is ID.
Web Interface
To d i sp la y t he c o nf ig ur e R MO N c o nf ig u ra ti on in t he we b i nt er fa c e:
1. Click RMON, Statistics.
2. Click Add New Entry.
3. Specify the ID parameters.
4. Click Apply.
Figure 2-5.1.6.1: The RMON Statics Configuration
Parameter description:
These parameters are displayed on the RMON Statistics Configuration page:
l Delete
Check to delete the entry. It will be deleted during the next save.
l ID
Indicates the index of the entry. The range is from 1 to 65535.
l Data Source
Indicates the port ID which wants to be monitored. If in stacking switch, the value must add
1000*(switch ID-1), for example, if the port is switch 3 port 5, the value is 2005
l Interval
Indicates the interval in seconds for sampling the history statistics data. The range is from 1 to
3600, default value is 1800 seconds.
l Buckets
Indicates the maximum data entries associated this History control entry stored in RMON.
The range is from 1 to 3600, default value is 50.
Revision A1
Page 57
49
l Buckets Granted
The number of data shall be saved in the RMON.
Revision A1
Page 58
50
2-5.1.6.2 History
Configure RMON History table on this page. The entry index key is ID.
Web Interface
To d i sp la y t he configure RMON History in the web interface:
1. Click RMON, History.
2. Click Add New Entry.
3. Specify the ID parameters.
4. Click Apply.
Figure 2-5.1.6.2: The RMON History Configuration
Parameter description:
These parameters are displayed on the RMON History Configuration page:
l Delete
Check to delete the entry. It will be deleted during the next save.
l ID
Indicates the index of the entry. The range is from 1 to 65535.
l Data Source
Indicates the port ID which wants to be monitored. If in stacking switch, the value must add
1000*(switch ID-1), for example, if the port is switch 3 port 5, the value is 2005
l Interval
Indicates the interval in seconds for sampling the history statistics data. The range is from 1
to 3600, default value is 1800 seconds.
l Buckets
Indicates the maximum data entries associated this History control entry stored in RMON.
The range is from 1 to 3600, default value is 50.
l Buckets Granted
The number of data shall be saved in the RMON.
Revision A1
Page 59
51
2-5.1.8.3 Alarm
Configure RMON Alarm table on this page. The entry index key is ID.
Web Interface
To d i sp la y t he c o nf ig ur e R MO N A la rm in t h e we b i nt er f ac e:
1. Click RMON, Alarm.
2. Click Add New Entry.
3. Specify the ID parameters.
4. Click Apply.
Figure 2-5.1.8.3: The RMON Alarm Configuration
Parameter description:
These parameters are displayed on the RMON Alarm Configuration page:
l Delete
Check to delete the entry. It will be deleted during the next save.
l ID
Indicates the index of the entry. The range is from 1 to 65535.
l Interval
Indicates the interval in seconds for sampling and comparing the rising and falling
threshold. The range is from 1 to 2^31-1.
l Var iable
Indicates the particular variable to be sampled, the possible variables are:
InOctets:
The total number of octets received on the interface, including framing characters.
InUcastPkts:
The number of uni-cast packets delivered to a higher-layer protocol.
InNUcastPkts:
The number of broad-cast and multi-cast packets delivered to a higher-layer protocol.
InDiscards:
The number of inbound packets that are discarded even the packets are normal.
InErrors:
The number of inbound packets that contained errors preventing them from being deliverable
to a higher-layer protocol.
InUnknownProtos:
the number of the inbound packets that were discarded because of the unknown or un-
Revision A1
Page 60
52
support protocol.
OutOctets:
The number of octets transmitted out of the interface , including framing characters.
OutUcastPkts:
The number of uni-cast packets that request to transmit.
OutNUcastPkts:
The number of broad-cast and multi-cast packets that request to transmit.
OutDiscards:
The number of outbound packets that are discarded event the packets is normal.
OutErrors:
The The number of outbound packets that could not be transmitted because of errors.
OutQLen:
The length of the output packet queue (in packets).
l Sample Type
The method of sampling the selected variable and calculating the value to be compared
against the thresholds, possible sample types are:
Absolute: Get the sample directly.
Delta: Calculate the difference between samples (default).
l Val ue
The value of the statistic during the last sampling period.
l Startup Alarm
The method of sampling the selected variable and calculating the value to be compared
against the thresholds, possible sample types are:
RisingTrigger alarm when the first value is larger than the rising threshold.
FallingTrigger alarm when the first value is less than the falling threshold.
RisingOrFallingTrigger alarm when the first value is larger than the rising threshold or
less than the falling threshold (default).
l Rising Threshold
Rising threshold value (-2147483648-2147483647).
l Rising Index
Rising event index (1-65535).
l Falling Threshold
Falling threshold value (-2147483648-2147483647)
l Falling Index
Falling event index (1-65535).
Revision A1
Page 61
53
2-5.1.6.4 Event
Configure RMON Event table on this page. The entry index key is ID.
Web Interface
To d i sp la y t he c o nf ig ur e R MO N E v en t i n th e w eb i n te rf ac e :
1. Click RMON, Event.
2. Click Add New Entry.
3. Specify the ID parameters.
4. Click Apply.
Figure 2-5.1.6.4: The RMON Event Configuration
Parameter description:
These parameters are displayed on the RMON History Configuration page:
l Delete
Check to delete the entry. It will be deleted during the next save.
l ID
Indicates the index of the entry. The range is from 1 to 65535.
l Desc
Indicates this event, the string length is from 0 to 127, default is a null string.
l Type
Indicates the notification of the event, the possible types are:
none: No SNMP log is created, no SNMP trap is sent.
log: Create SNMP log entry when the event is triggered.
snmptrap: Send SNMP trap when the event is triggered.
logandtrap: Create SNMP log entry and sent SNMP trap when the event is triggered.
l Community
Specify the community when trap is sent, the string length is from 0 to 127, default is "public".
l Event Last Time
Indicates the value of sysUpTime at the time this event entry last generated an event.
Revision A1
Page 62
54
2-5.2 Network
2-5.2.1 Limit Control
This section shows you to to configure the Port Security settings of the Switch. You can use
the Port Security feature to restrict input to an interface by limiting and identifying MAC
addresses.
Web Interface
To c o nf ig u re a C o nf ig u ra ti o n of Limit Control in the web interface:
1. Select “Enabled” in the Mode of System Configuration.
2. Checked Aging Enabled.
3. Set Aging Period (Default is 3600 seconds).
To c o nf ig u re a P o rt C o nf ig ur a ti on of Limit Control in the web interface:
1. Select “Enabled” in the Mode of Port Configuration.
2. Specify the maximum number of MAC addresses in the Limit of Port Configuration.
3. Set Ation (Trap, Shutdown, Trap & Shutdown)
4. Click Apply.
Figure 2-5.2.1: The Port Security Limit Control Configuration
Revision A1
Page 63
55
Parameter description:
System Configuration
l Mode :
Indicates if Limit Control is globally enabled or disabled on the switch. If globally disabled,
other modules may still use the underlying functionality, but limit checks and corresponding
actions are disabled.
l Aging Enabled :
If checked, secured MAC addresses are subject to aging as discussed under Aging Period .
l Aging Period :
If Aging Enabled is checked, then the aging period is controlled with this input. If other
modules are using the underlying port security for securing MAC addresses, they may have
other requirements to the aging period. The underlying port security will use the shorter
requested aging period of all modules that use the functionality.
The Aging Period can be set to a number between 10 and 10,000,000 seconds.
To u n de r st a nd wh y a gi ng m a y b e de si re d, co n si d er t h e fo ll ow in g s ce n ar i o: S u pp o se a n en d host is connected to a 3rd party switch or hub, which in turn is connected to a port on this
switch on which Limit Control is enabled. The end-host will be allowed to forward if the limit
is not exceeded. Now suppose that the end-host logs off or powers down. If it wasn't for
aging, the end-host would still take up resources on this switch and will be allowed to forward.
To o ve r co m e t hi s s it ua t io n, e n ab l e a g in g . W i th a g in g e na b le d , a t i me r is s ta rt ed o nc e t he
end-host gets secured. When the timer expires, the switch starts looking for frames from the
end-host, and if such frames are not seen within the next Aging Period, the end-host is
assumed to be disconnected, and the corresponding resources are freed on the switch.
Port Configuration
The table has one row for each port on the selected switch and a number of columns, which
are:
l Port :
The port number to which the configuration below applies.
l Mode :
Controls whether Limit Control is enabled on this port. Both this and the Global Mode must
be set to Enabled for Limit Control to be in effect. Notice that other modules may still use the
underlying port security features without enabling Limit Control on a given port.
l Limit :
The maximum number of MAC addresses that can be secured on this port. This number
cannot exceed 1024. If the limit is exceeded, the corresponding action is taken.
The switch is "born" with a total number of MAC addresses from which all ports draw
whenever a new MAC address is seen on a Port Security-enabled port. Since all ports draw
from the same pool, it may happen that a configured maximum cannot be granted, if the
remaining ports have already used all available MAC addresses.
l Action :
If Limit is reached, the switch can take one of the following actions:
None: Do not allow more than Limit MAC addresses on the port, but take no further action.
Trap: If Limit + 1 MAC addresses is seen on the port, send an SNMP trap. If Aging is disabled,
only one SNMP trap will be sent, but with Aging enabled, new SNMP traps will be sent every
time the limit gets exceeded.
Shutdown: If Limit + 1 MAC addresses is seen on the port, shut down the port. This implies
that all secured MAC addresses will be removed from the port, and no new address will be
learned. Even if the link is physically disconnected and reconnected on the port (by
disconnecting the cable), the port will remain shut down. There are three ways to re-open
the port:
Revision A1
Page 64
56
1) Boot the switch,
NOTE: That clicking the reopen button causes the page to be
refreshed, so non-committed changes will be lost
2) Disable and re-enable Limit Control on the port or the switch,
3) Click the Reopen button.
Trap & Shu tdown: If Limit + 1 MAC addresses is seen on the port, both the "Trap" and the
"Shutdown" actions described above will be taken.
l State :
This column shows the current state of the port as seen from the Limit Control's point of view.
The state takes one of four values:
Disabled: Limit Control is either globally disabled or disabled on the port.
Ready: The limit is not yet reached. This can be shown for all actions.
Limit Reached: Indicates that the limit is reached on this port. This state can only be shown
if Action is set to None or Trap.
Shutdown: Indicates that the port is shut down by the Limit Control module. This state can
only be shown if Action is set to Shutdown or Trap & Shutdown.
l Re-open Button :
If a port is shutdown by this module, you may reopen it by clicking this button, which will only
be enabled if this is the case. For other methods, refer to Shutdown in the Action section.
l Upper right icon (Refresh):
You c an c li ck t he m fo r r ef re sh t he P or t Sec ur it y in fo rm at io n b y ma nu al .
l Buttons:
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved values.
2-5.2.2 NAS
The section describes to configure the NAS parameters of the switch. The NAS server can be
employed to connect users to a variety of resources including Internet access, conference calls,
printing documents on shared printers, or by simply logging on to the Internet.
Web Interface
To c o nf ig u re a N e tw or k A cc es s S er v er i n t he w eb in te r fa ce :
1. Select “Enabled” in the Mode of Netwrok Access Server Configuration.
2. Checked Reauthentication Enabled.
3. Set Reauthentication Period (Default is 3600 seconds).
4. Set EAPOL Timeout (Default is 30 seconds).
5. Set Aging Peroid (Default is 300 seconds).
6. Set Hold Time (Default is 10 seconds).
7. Checked RADIUS-Assigned QoS Enabled.
8. Checked RADIUS-Assigned VLAN Enabled.
9. Checked Guest VLAN Enabled.
10. Specify Guest VLAN ID.
11. Specify Max. Reauth. Count.
12. Checked Allow Guest VLAN if EAPOL Seen.
13. Click Apply.
Figure 2-5.2.2: The Network Access Server Configuration
Revision A1
Page 65
57
Parameter description:
l Mode :
Indicates if NAS is globally enabled or disabled on the switch. If globally disabled, all ports
are allowed forwarding of frames.
l Reauthentication Enabled :
If checked, successfully authenticated supplicants/clients are reauthenticated after the
interval specified by the Reauthentication Period. Reauthentication for 802.1X-enabled ports
can be used to detect if a new device is plugged into a switch port or if a supplicant is no
longer attached.
For MAC-based ports, reauthentication is only useful if the RADIUS server configuration has
changed. It does not involve communication between the switch and the client, and therefore
doesn't imply that a client is still present on a port (see Aging Period below).
l Reauthentication Period :
Determines the period, in seconds, after which a connected client must be reauthenticated.
This is only active if the Reauthentication Enabled checkbox is checked. Valid values are in
the range 1 to 3600 seconds.
l EAPOL Timeout :
Determines the time for retransmission of Request Identity EAPOL frames.
Revision A1
Page 66
58
Valid v a lue s ar e in t h e range 1 to 2 5 5 seco n d s. This h as no e ffect f o r MAC-based ports.
l Aging Period :
This setting applies to the following modes, i.e. modes using the Port Security functionality
to secure MAC addresses:
• Single 802.1X
• Multi 802.1X
• MAC-Based Auth.
When the NAS module uses the Port Security module to secure MAC addresses, the Port
Security module needs to check for activity on the MAC address in question at regular
intervals and free resources if no activity is seen within a given period of time. This parameter
controls exactly this period and can be set to a number between 10 and 1000000 seconds.
If reauthentication is enabled and the port is in an 802.1X-based mode, this is not so critical,
since supplicants that are no longer attached to the port will get removed upon the next
reauthentication, which will fail. But if reauthentication is not enabled, the only way to free
resources is by aging the entries.
For ports in MAC-based Auth. mode, reauthentication doesn't cause direct communication
between the switch and the client, so this will not detect whether the client is still attached or
not, and the only way to free any resources is to age the entry.
l Hold Time :
This setting applies to the following modes, i.e. modes using the Port Security functionality
to secure MAC addresses:
• Single 802.1X
• Multi 802.1X
• MAC-Based Auth.
If a client is denied access - either because the RADIUS server denies the client access or
because the RADIUS server request times out (according to the timeout specified on the
"Configuration→Security→AAA" page) - the client is put on hold in the Unauthorized state.
The hold timer does not count during an on-going authentication.
In MAC-based Auth. mode, the The switch will ignore new frames coming from the client
during the hold time.
The Hold Time can be set to a number between 10 and 1000000 seconds.
l RADIUS-Assigned QoS Enabled :
RADIUS-assigned QoS provides a means to centrally control the traffic class to which traffic
coming from a successfully authenticated supplicant is assigned on the switch. The RADIUS
server must be configured to transmit special RADIUS attributes to take advantage of this
feature (see RADIUS-Assigned QoS Enabled below for a detailed description)
The "RADIUS-Assigned QoS Enabled" checkbox provides a quick way to globally
enable/disable RADIUS-server assigned QoS Class functionality. When checked, the
individual ports' ditto setting determine whether RADIUS-assigned QoS Class is enabled on
that port. When unchecked, RADIUS-server assigned QoS Class is disabled on all ports.
l RADIUS-Assigned VLAN Enabled :
RADIUS-assigned VLAN provides a means to centrally control the VLAN on which a
successfully authenticated supplicant is placed on the switch. Incoming traffic will be
classified to and switched on the RADIUS-assigned VLAN. The RADIUS server must be
configured to transmit special RADIUS attributes to take advantage of this feature (see
RADIUS-Assigned VLAN Enabled below for a detailed description).
The "RADIUS-Assigned VLAN Enabled" checkbox provides a quick way to globally
enable/disable RADIUS-server assigned VLAN functionality. When checked, the individual
ports' ditto setting determine whether RADIUS-assigned VLAN is enabled on that port. When
unchecked, RADIUS-server assigned VLAN is disabled on all ports.
l Guest VLAN Enabled :
A Gu est VLAN is a special VLAN - typically with limited network access - on which 802.1Xunaware clients are placed after a network administrator-defined timeout. The switch follows
Revision A1
Page 67
59
a set of rules for entering and leaving the Guest VLAN as listed below.
The "Guest VLAN Enabled" checkbox provides a quick way to globally enable/disable Guest
VLAN functionality. When checked, the individual ports' ditto setting determines whether the
port can be moved into Guest VLAN. When unchecked, the ability to move to the Guest
VLAN is disabled on all ports.
l Guest VLAN ID :
This is the value that a port's Port VLAN ID is set to if a port is moved into the Guest VLAN.
It is only changeable if the Guest VLAN option is globally enabled.
Valid v a lue s ar e in t h e range [1; 40 9 5].
l Max. Reauth. Count :
The number of times the switch transmits an EAPOL Request Identity frame without
response before considering entering the Guest VLAN is adjusted with this setting. The value
can only be changed if the Guest VLAN option is globally enabled.
Valid v a lue s ar e in t h e range [1; 25 5 ].
l Allow Guest VLAN if EAPOL Seen :
The switch remembers if an EAPOL frame has been received on the port for the life-time of
the port. Once the switch considers whether to enter the Guest VLAN, it will first check if this
option is enabled or disabled. If disabled (unchecked; default), the switch will only enter the
Guest VLAN if an EAPOL frame has not been received on the port for the life-time of the
port. If enabled (checked), the switch will consider entering the Guest VLAN even if an
EAPOL frame has been received on the port for the life-time of the port.
The value can only be changed if the Guest VLAN option is globally enabled.
l Port Configuration :
The table has one row for each port on the selected switch and a number of columns, which
are:
l Port :
The port number for which the configuration below applies.
l Admin State :
If NAS is globally enabled, this selection controls the port's authentication mode. The
following modes are available:
l Force Authorized :
In this mode, the switch will send one EAPOL Success frame when the port link comes up,
and any client on the port will be allowed network access without authentication.
l Force Unauthorized :
In this mode, the switch will send one EAPOL Failure frame when the port link comes up,
and any client on the port will be disallowed network access.
l Port-based 802.1X :
In the 802.1X-world, the user is called the supplicant, the switch is the authenticator, and the
RADIUS server is the authentication server. The authenticator acts as the man-in-the-middle,
forwarding requests and responses between the supplicant and the authentication server.
Frames sent between the supplicant and the switch are special 802.1X frames, known as
EAPOL (EAP Over LANs) frames. EAPOL frames encapsulate EAP PDUs (RFC3748).
Frames sent between the switch and the RADIUS server are RADIUS packets. RADIUS
packets also encapsulate EAP PDUs together with other attributes like the switch's IP
address, name, and the supplicant's port number on the switch. EAP is very flexible, in that
it allows for different authentication methods, like MD5-Challenge, PEAP, and TLS. The
important thing is that the authenticator (the switch) doesn't need to know which
authentication method the supplicant and the authentication server are using, or how many
information exchange frames are needed for a particular method. The switch simply
encapsulates the EAP part of the frame into the relevant type (EAPOL or RADIUS) and
forwards it.
When authentication is complete, the RADIUS server sends a special packet containing a
Revision A1
Page 68
60
success or failure indication. Besides forwarding this decision to the supplicant, the switch
NOTE: Suppose two backend servers are enabled and that the
server timeout is configured to X seconds (using the AAA
configuration page), and suppose that the first server in the list is
currently down (but not considered dead).
Now, if the supplicant retransmits EAPOL Start frames at a rate faster
than X seconds, then it will never get authenticated, because the
switch will cancel on-going backend authentication server requests
whenever it receives a new EAPOL Start frame from the supplicant.
And since the server hasn't yet failed (because the X seconds haven't
expired), the same server will be contacted upon the next backend
authentication server request from the switch. This scenario will loop
forever. Therefore, the server timeout should be smaller than the
supplicant's EAPOL Start frame retransmission rate.
uses it to open up or block traffic on the switch port connected to the supplicant
l Single 802.1X :
In port-based 802.1X authentication, once a supplicant is successfully authenticated on a
port, the whole port is opened for network traffic. This allows other clients connected to the
port (for instance through a hub) to piggy-back on the successfully authenticated client and
get network access even though they really aren't authenticated. To overcome this security
breach, use the Single 802.1X variant. Single 802.1X is really not an IEEE standard, but
features many of the same characteristics as does port-based 802.1X. In Single 802.1X, at
most one supplicant can get authenticated on the port at a time. Normal EAPOL frames are
used in the communication between the supplicant and the switch. If more than one
supplicant is connected to a port, the one that comes first when the port's link comes up will
be the first one considered. If that supplicant doesn't provide valid credentials within a certain
amount of time, another supplicant will get a chance. Once a supplicant is successfully
authenticated, only that supplicant will be allowed access. This is the most secure of all the
supported modes. In this mode, the Port Security module is used to secure a supplicant's
MAC address once successfully authenticated.
l Multi 802.1X :
In port-based 802.1X authentication, once a supplicant is successfully authenticated on a
port, the whole port is opened for network traffic. This allows other clients connected to the
port (for instance through a hub) to piggy-back on the successfully authenticated client and
get network access even though they really aren't authenticated. To overcome this security
breach, use the Multi 802.1X variant.
Multi 802.1X is really not an IEEE standard, but features many of the same characteristics
as does port-based 802.1X. Multi 802.1X is - like Single 802.1X - not an IEEE standard, but
a variant that features many of the same characteristics. In Multi 802.1X, one or more
supplicants can get authenticated on the same port at the same time. Each supplicant is
authenticated individually and secured in the MAC table using the Port Security module.
In Multi 802.1X it is not possible to use the multicast BPDU MAC address as destination
MAC address for EAPOL frames sent from the switch towards the supplicant, since that
would cause all supplicants attached to the port to reply to requests sent from the switch.
Instead, the switch uses the supplicant's MAC address, which is obtained from the first
l MAC-based Auth.:
EAPOL Start or EAPOL Response Identity frame sent by the supplicant. An exception to this
is when no supplicants are attached. In this case, the switch sends EAPOL Request Identity
frames using the BPDU multicast MAC address as destination - to wake up any supplicants
that might be on the port.
The maximum number of supplicants that can be attached to a port can be limited using the
Port Security Limit Control functionality.
Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely a bestpractices method adopted by the industry. In MAC-based authentication, users are called
clients, and the switch acts as the supplicant on behalf of clients. The initial frame (any kind
Revision A1
Page 69
61
of frame) sent by a client is snooped by the switch, which in turn uses the client's MAC
address as both username and password in the subsequent EAP exchange with the RADIUS
server. The 6-byte MAC address is converted to a string on the following form "xx-xx-xx-xxxx-xx", that is, a dash (-) is used as separator between the lower-cased hexadecimal digits.
The switch only supports the MD5-Challenge authentication method, so the RADIUS server
must be configured accordingly.
When authentication is complete, the RADIUS server sends a success or failure indication,
which in turn causes the switch to open up or block traffic for that particular client, using the
Port Security module. Only then will frames from the client be forwarded on the switch. There
are no EAPOL frames involved in this authentication, and therefore, MAC-based
Authentication has nothing to do with the 802.1X standard.
The advantage of MAC-based authentication over port-based 802.1X is that several clients
can be connected to the same port (e.g. through a 3rd party switch or a hub) and still require
individual authentication, and that the clients don't need special supplicant software to
authenticate. The advantage of MAC-based authentication over 802.1X-based
authentication is that the clients don't need special supplicant software to authenticate. The
disadvantage is that MAC addresses can be spoofed by malicious users - equipment whose
MAC address is a valid RADIUS user can be used by anyone. Also, only the MD5-Challenge
method is supported. The maximum number of clients that can be attached to a port can be
limited using the Port Security Limit Control functionality.
l RADIUS-Assigned QoS Enabled :
When RADIUS-Assigned QoS is both globally enabled and enabled (checked) on a given
port, the switch reacts to QoS Class information carried in the RADIUS Access-Accept
packet transmitted by the RADIUS server when a supplicant is successfully authenticated.
If present and valid, traffic received on the supplicant's port will be classified to the given
QoS Class. If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries
a QoS Class or it's invalid, or the supplicant is otherwise no longer present on the port, the
port's QoS Class is immediately reverted to the original QoS Class (which may be changed
by the administrator in the meanwhile without affecting the RADIUS-assigned).
This option is only available for single-client modes, i.e.
• Port-based 802.1X
• Single 802.1X
RADIUS attributes used in identifying a QoS Class:
Refer to the written documentation for a description of the RADIUS attributes needed in order
to successfully identify a QoS Class. The User-Priority-Ta bl e at tr ib u te de fi n ed in RFC4675
forms the basis for identifying the QoS Class in an Access-Accept packet.
Only the first occurrence of the attribute in the packet will be considered, and to be valid, it
must follow this rule:
• All 8 octets in the attribute's value must be identical and consist of ASCII characters in the
range '0' - '3', which translates into the desired QoS Class in the range [0; 3].
l RADIUS-Assigned VLAN Enabled :
When RADIUS-Assigned VLAN is both globally enabled and enabled (checked) for a given
port, the switch reacts to VLAN ID information carried in the RADIUS Access-Accept packet
transmitted by the RADIUS server when a supplicant is successfully authenticated. If present
and valid, the port's Port VLAN ID will be changed to this VLAN ID, the port will be set to be
a member of that VLAN ID, and the port will be forced into VLAN unaware mode. Once
assigned, all traffic arriving on the port will be classified and switched on the RADIUSassigned VLAN ID.
If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a VLAN ID
or it's invalid, or the supplicant is otherwise no longer present on the port, the port's VLAN
ID is immediately reverted to the original VLAN ID (which may be changed by the
administrator in the meanwhile without affecting the RADIUS-assigned).
This option is only available for single-client modes, i.e.
• Port-based 802.1X
• Single 802.1X
Revision A1
Page 70
62
For trouble-shooting VLAN assignments, use the "Monitor→VLANs→VLAN Membership
and VLAN Port" pages. These pages show which modules have (temporarily) overridden the
current Port VLAN configuration.
RADIUS attributes used in identifying a VLAN ID:
RFC2868 and RFC3580 form the basis for the attributes used in identifying a VLAN ID in an
Access-Accept packet. The following criteria are used:
• The Tunnel-Medium-Type, Tunnel-Type, and Tunnel-Private-Group-ID attributes must all
be present at least once in the Access-Accept packet.
• The switch looks for the first set of these attributes that have the same Tag value and fulfil
the following requirements (if Tag == 0 is used, the Tunnel-Private-Group-ID does not need
to include a Tag):
- Val u e of Tu nnel-Medium-Type must be set to "IEEE -802" (ordinal 6).
- Val u e of Tu nnel-Type must be set t o "VLAN" (ordinal 1 3).
- Valu e of Tun n e l-Private-Group-ID must be a string of ASCII chars in the range '0' - '9',
which is interpreted as a decimal string representing the VLAN ID. Leading '0's are discarded.
The final value must be in the range [1; 4095].
l Guest VLAN Enabled :
When Guest VLAN is both globally enabled and enabled (checked) for a given port, the
switch considers moving the port into the Guest VLAN according to the rules outlined below.
This option is only available for EAPOL-based modes, i.e.:
• Port-based 802.1X
• Single 802.1X
• Multi 802.1X
For trouble-shooting VLAN assignments, use the "Monitor→VLANs→VLAN Membership
and VLAN Port" pages. These pages show which modules have (temporarily) overridden the
current Port VLAN configuration.
Guest VLAN Operation:
When a Guest VLAN enabled port's link comes up, the switch starts transmitting EAPOL
Request Identity frames. If the number of transmissions of such frames exceeds Max.
Reauth. Count and no EAPOL frames have been received in the meanwhile, the switch
considers entering the Guest VLAN. The interval between transmission of EAPOL Request
Identity frames is configured with EAPOL Timeout. If Allow Guest VLAN if EAPOL Seen is
enabled, the port will now be placed in the Guest VLAN. If disabled, the switch will first check
its history to see if an EAPOL frame has previously been received on the port (this history is
cleared if the port link goes down or the port's Admin State is changed), and if not, the port
will be placed in the Guest VLAN. Otherwise it will not move to the Guest VLAN, but continue
transmitting EAPOL Request Identity frames at the rate given by EAPOL Timeout.
Once in the Guest VLAN, the port is considered authenticated, and all attached clients on
the port are allowed access on this VLAN. The switch will not transmit an EAPOL Success
frame when entering the Guest VLAN.
While in the Guest VLAN, the switch monitors the link for EAPOL frames, and if one such
frame is received, the switch immediately takes the port out of the Guest VLAN and starts
authenticating the supplicant according to the port mode. If an EAPOL frame is received, the
port will never be able to go back into the Guest VLAN if the "Allow Guest VLAN if EAPOL
Seen" is disabled.
l Port State :
The current state of the port. It can undertake one of the following values:
Globally Disabled: NAS is globally disabled.
Link Down: NAS is globally enabled, but there is no link on the port.
Authorized: The port is in Force Authorized or a single-supplicant mode and the supplicant
is authorized.
Unauthorized: The port is in Force Unauthorized or a single-supplicant mode and the
supplicant is not successfully authorized by the RADIUS server.
Revision A1
Page 71
63
X Auth/Y Unauth: The port is in a multi-supplicant mode. Currently X clients are authorized
and Y are unauthorized.
l Restart :
Two buttons are available for each row. The buttons are only enabled when aut hentic ation
is globally enabled and the port's Admin State is in an EAPOL-based or MAC-based mode.
Clicking these buttons will not cause settings changed on the page to take effect.
Reauthenticate: Schedules a reauthentication whenever the quiet-period of the port runs out
(EAPOL-based authentication). For MAC-based authentication, reauthentication will be
attempted immediately.
The button only has effect for successfully authenticated clients on the port and will not cause
the clients to get temporarily unauthorized.
Reinitialize: Forces a reinitialization of the clients on the port and thereby a reauthentication
immediately. The clients will transfer to the unauthorized state while the reauthentication is
in progress.
l Buttons:
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved values.
l Upper right icon (Refresh):
You c an c li ck t he m fo r r ef re sh t he N AS C on fi gur at io n by m an ua l.
Revision A1
Page 72
64
2-5.2.3 ACL
The Series switch access control list (ACL) is probably the most commonly used object in the
IOS. It is used for packet filtering but also for selecting types of traffic to be analyzed, forwarded,
or influenced in some way. The ACLs are divided into Ether Types. IPv4, ARP protocol, MAC
and VLAN parameters etc. Here we will just go over the standard and extended access lists for
TCP/IP. As you create ACEs for ingress classification, you can assign a policy for each port,
the policy number is 1-8, however, each policy can be applied to any port. This makes it very
easy to determine what type of ACL policy you will be working with.
2-5.2.3.1 Ports
The section describes how to configure the ACL parameters (ACE) of the each switch port.
These parameters will affect frames received on a port unless the frame matches a specific
ACE
Web Interface
To configure the ACL Ports Configuration in the web interface:
1. Click Configuration, ACL, then Ports
2. To s c ro ll th e sp e ci fi c p ar am e te r v al ue t o s el e ct t he c o rr ec t v al ue fo r p or t A C L se tt in g.
3. Click the save to save the setting
4. If you want to cancel the setting then you need to click the reset button. It will revert to
previously saved values.
5. After you configure complete then you could see the Counter of the port. Then you could
click refresh to update the counter or Clear the information.
Figure 2-5.2.3.1: The ACL Ports Configuration
Parameter description:
l Port :
The logical port for the settings contained in the same row.
l Policy ID :
Select the policy to apply to this port. The allowed values are 1 through 8. The default value
is 1.
l Action :
Select whether forwarding is permitted ("Permit") or denied ("Deny"). The default value is
"Permit".
Revision A1
Page 73
65
l Rate Limiter ID :
Select which rate limiter to apply on this port. The allowed values are Disabled or the values
1 through 16. The default value is "Disabled".
l Port Redirect :
Select which port frames are redirected on. The allowed values are Disabled or a specific
port number and it can't be set when action is permitted. The default value is "Disabled".
l Mirror :
Specify the mirror operation of this port. The allowed values are:
Enabled: Frames received on the port are mirrored.
Disabled: Frames received on the port are not mirrored.
The default value is "Disabled".
l Logging :
Specify the logging operation of this port. The allowed values are:
Enabled: Frames received on the port are stored in the System Log.
Disabled: Frames received on the port are not logged.
The default value is "Disabled". Please note that the System Log memory size and logging
rate is limited.
l Shutdown :
Specify the port shut down operation of this port. The allowed values are:
Enabled: If a frame is received on the port, the port will be disabled.
Disabled: Port shut down is disabled.
The default value is "Disabled".
l State :
Specify the port state of this port. The allowed values are:
Enabled: To reopen ports by changing the volatile port configuration of the ACL user module.
Disabled: To c l os e po r ts b y c ha ng i ng t h e vo la t il e po r t co nf i gu ra t io n of th e A C L us er m od u le .
The default value is "Enabled"
l Counter :
Counts the number of frames that match this ACE.
l Buttons
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved values.
l Upper right icon (Refresh, clear)
You c an c li ck t he m fo r r ef re sh t he AC L Po rt C on fi gu rat io n or c le ar t hem b y ma nu al .
Revision A1
Page 74
66
2-5.2.3.2 Rate Limiters
The section describes how to configure the switch’s ACL Rate Limiter parameters. The Rate
Limiter Level from 1 to 16 that allow user to set rate limiter value and units with pps or kbps.
Web Interface
To configure ACL Rate Limiter in the web interface:
1. Click Configuration, ACL, then Rate Limiter
2. To specific the Rate field and the range from 0 to 3276700.
3. To s c ro ll th e Un i t wi t h pp s o r kb ps
4. Click the Apply to save the setting
5. If you want to cancel the setting then you need to click the reset button. It will revert to
previously saved values.
Figure 2-5.2.3.2: The ACL Rate Limiter Configuration
Parameter description:
l Rate Limiter ID :
The rate limiter ID for the settings contained in the same row.
l Rate
The allowed values are: 0-3276700 in pps or 0, 100, 200, 300, ..., 1000000 in kbps.
l Unit :
Specify the rate unit. The allowed values are:
pps: packets per second.
kbps: Kbits per second.
l Buttons
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved values.
2-5.2.3.3 Access Control List
The section describes how to configure Access Control List rule. An Access Control List (ACL)
is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or
Revision A1
Page 75
67
other more specific criteria. This switch tests ingress packets against the conditions in an ACL
one by one. A packet will be accepted as soon as it matches a permit rule, or dropped as soon
as it matches a deny rule. If no rules match, the frame is accepted. Other actions can also be
invoked when a matching packet is found, including rate limiting, copying matching packets to
another port or to the system log, or shutting down a port.
This page shows the Access Control List (ACL), which is made up of the ACEs defined on this
switch. Each row describes the ACE that is defined. The maximum number of ACEs is 256 on
each switch. Click on the lowest plus sign to add a new ACE to the list. The reserved ACEs
used for internal protocol, cannot be edited or deleted, the order sequence cannot be changed
the priority is highest
Web Interface
To configure Access Control List in the web interface:
1. Click Configuration, ACL, then Configuration
2. Click the button to add a new ACL, or use the other ACL
modification buttons to specify the editing action (i.e., edit, delete, or
moving the relative position of entry in the list)
3. To specific the parameter of the ACE
4. Click the save to save the setting
5. If you want to cancel the setting then you need to click the reset button.
It will revert to previously saved values.
6. When editing an entry on the ACE Configuration page, note that the
Items displayed depend on various selections, such as Frame Type and IP Protocol Type.
Specify the relevant criteria to be matched for this rule,
and set the actions to take when a rule is matched (such as Rate Limiter,
Port Copy, Logging, and Shutdown).
Figure 2-5.2.3.3: The ACL Rate Limiter Configuration
Parameter description:
l Ingress Port :
Revision A1
Page 76
68
Indicates the ingress port of the ACE. Possible values are:
Any: The ACE will match any ingress port.
Policy: The ACE will match ingress ports with a specific policy.
Port: The ACE will match a specific ingress port.
l Policy / Bitmask :
Indicates the policy number and bitmask of the ACE.
l Frame Type :
Indicates the frame type of the ACE. Possible values are:
Any: The ACE will match any frame type.
EType: The ACE will match Ethernet Type frames. Note that an Ethernet Type based ACE
will not get matched by IP and ARP frames.
ARP: The ACE will match ARP/RARP frames.
IPv4: The ACE will match all IPv4 frames.
IPv4/ICMP: The ACE will match IPv4 frames with ICMP protocol.
IPv4/UDP: The ACE will match IPv4 frames with UDP protocol.
IPv4/TCP: The ACE will match IPv4 frames with TCP protocol.
IPv4/Other: The ACE will match IPv4 frames, which are not ICMP/UDP/TCP. IPv6: The ACE
will match all IPv6 standard frames.
l Action :
Indicates the forwarding action of the ACE.
Permit: Frames matching the ACE may be forwarded and learned.
Deny: Frames matching the ACE are dropped.
Filter: Frames matching the ACE are filtered.
l Rate Limiter :
Indicates the rate limiter number of the ACE. The allowed range is 1 to 16. When Disabled
is displayed, the rate limiter operation is disabled.
l Port Copy :
Indicates the port copy operation of the ACE. Frames matching the ACE are copied to the
port number. The allowed values are Disabled or a specific port number. When Disabled is
displayed, the port copy operation is disabled.
l Mirror :
Specify the mirror operation of this port. The allowed values are:
Enabled: Frames received on the port are mirrored.
Disabled: Frames received on the port are not mirrored.
The default value is "Disabled".
l Logging :
Indicates the logging operation of the ACE. Possible values are:
Enabled: Frames matching the ACE are stored in the System Log.
Disabled: Frames matching the ACE are not logged.
Please note that the System Log memory size and logging rate is limited.
l Shutdown :
Indicates the port shut down operation of the ACE. Possible values are:
Enabled: If a frame matches the ACE, the ingress port will be disabled.
Disabled: Port shut down is disabled for the ACE.
Revision A1
Page 77
69
l Counter :
The counter indicates the number of times the ACE was hit by a frame.
Modification Buttons
You can modify each ACE (Access Control Entry) in the table using the following buttons:
: Inserts a new ACE before the current row.
: Edits the ACE row.
: Moves the ACE up the list.
: Moves the ACE down the list.
: Deletes the ACE.
: The lowest plus sign adds a new entry at the bottom of the ACE listings.
MAC Parameter:
l SMAC Filter
(Only displayed when the frame type is Ethernet Type or ARP.)
Specify the source MAC filter for this ACE.
Any: No SMAC filter is specified. (SMAC filter status is "don't-care".)
Specific: If you want to filter a specific source MAC address with this ACE, choose this value.
A field fo r entering an SMAC value appears.
l SMAC Value
When "Specific" is selected for the SMAC filter, you can enter a specific source MAC address.
The legal format is "xx-xx-xx-xx-xx-xx" or "xx.xx.xx.xx.xx.xx" or "xxxxxxxxxxxx" (x is a
hexadecimal digit). A frame that hits this ACE matches this SMAC value.
l DMAC Filter
Specify the destination MAC filter for this ACE.
Any: No DMAC filter is specified. (DMAC filter status is "don't-care".)
MC: Frame must be multicast.
BC: Frame must be broadcast.
UC: Frame must be unicast.
Specific: If you want to filter a specific destination MAC address with this ACE, choose this
value. A field for entering a DMAC value appears.
l DMAC Value
When "Specific" is selected for the DMAC filter, you can enter a specific destination MAC
address. The legal format is "xx-xx-xx-xx-xx-xx" or "xx.xx.xx.xx.xx.xx" or "xxxxxxxxxxxx" (x
is a hexadecimal digit). A frame that hits this ACE matches this DMAC value.
l Buttons
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved values.
l Auto-refresh:
To e v ok e t he a ut o -refresh to refresh the information automatically.
l Upper right icon (Refresh, clear, Remove All)
You can cli ck the m f or ref re sh th e AC L c on fi gur at io n or cl ea r th em by ma nu al . O th er s re mo ve
all to clean up all ACL configurations on the table.
Revision A1
Page 78
70
2-5.2.4 IP Source Guard
The section describes to configure the IP Source Guard detail parameters of the switch. You
could use the IP Source Guard configure to enable or disable with the Port of the switch.
2-5.2.4.1 Configuration
This section describes how to configure IP Source Guard setting including:
Mode (Enabled and Disabled)
Maximum Dynamic Clients (0, 1, 2, Unlimited)
Web Interface
To c o nf ig u re a n I P S ou r ce G u ar d C on fi g ur at i on i n t he w eb interface:
1. Select “Enabled” in the Mode of IP Source Guard Configuration.
2. Select “Enabled” of the specific port in the Mode of Port Mode Configuration.
3. Select Maximum Dynamic Clients (0, 1, 2, Unlimited) of the specific port in the Mode of Port
Mode Configuration.
4. Click Apply.
Figure 2-5.2.4. 1: The IP Source Guard Configuration
Parameter description:
l Mode of IP Source Guard Configuration :
Enable the Global IP Source Guard or disable the Global IP Source Guard. All configured
ACEs will be lost when the mode is enabled.
l Port Mode Configuration :
Specify IP Source Guard is enabled on which ports. Only when both Global Mode and Port
Mode on a given port are enabled, IP Source Guard is enabled on this given port.
Revision A1
Page 79
71
l Max Dynamic Clients :
Specify the maximum number of dynamic clients that can be learned on given port. This
value can be 0, 1, 2 or unlimited. If the port mode is enabled and the value of max dynamic
client is equal to 0, it means only allow the IP packets forwarding that are matched in static
entries on the specific port.
Revision A1
Page 80
72
2-5.2.4.2 Static Table
The section describes to configure the Static IP Source Guard Table parameters of the switch.
You c ou ld u se t he S ta ti c I P S ou rc e Gu ar d Tab le c on fi gu re t o man ag e th e en tr ie s.
Web Interface
To c o nf ig u re a Static IP Source Guard Table Configuration in the web interface:
1. Click “Add new entry”.
2. Specify the Port, VLAN ID, IP Address, and MAC address in the entry.
3. Click Apply.
Figure 2-4.2.5.2: The Static IP Source Guard Table
Parameter description:
l Delete :
Check to delete the entry. It will be deleted during the next save.
l Port :
The logical port for the settings.
l VLAN ID :
The vlan id for the settings.
l IP Address :
Allowed Source IP address.
l MAC address :
Allowed Source MAC address.
l Adding new entry :
Click to add a new entry to the Static IP Source Guard table. Specify the Port, VLAN ID, IP
address, and IP Mask for the new entry. Click "Save".
l Buttons:
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved values.
Revision A1
Page 81
73
2-5.2.5 ARP Inspection
The section describes to configure the ARP Inspection parameters of the switch. You could
use the ARP Inspection configure to manage the ARP table.
2-5.2.5.1 Configuration
This section describes how to configure ARP Inspection setting including:
Mode (Enabled and Disabled)
Port (Enabled and Disabled)
Web Interface
To c o nf ig u re a n AR P I n sp e ct io n C on f ig ur at i on i n t he w eb in te r fa ce :
1. Select “Enabled” in the Mode of ARP Inspection Configuration.
2. Select “Enabled” of the specific port in the Mode of Port Mode Configuration.
3. Click Apply.
Figure 2-5.2.5.1: The ARP Inspection Configuration
Parameter description:
l Mode of ARP Inspection Configuration :
Enable the Global ARP Inspection or disable the Global ARP Inspection.
l Port Mode Configuration :
Specify ARP Inspection is enabled on which ports. Only when both Global Mode and Port
Mode on a given port are enabled, ARP Inspection is enabled on this given port. Possible
modes are:
Enabled: Enable ARP Inspection operation.
Disabled: Disable ARP Inspection operation.
If you want to inspect the VLAN configuration, you have to enable the setting of "Check
VLAN". The default setting of "Check VLAN" is disabled. When the setting of "Check
Revision A1
Page 82
74
VLAN" is disabled, the log type of ARP Inspection will refer to the port setting. And the
setting of "Check VLAN" is enabled, the log type of ARP Inspection will refer to the VLAN
setting. Possible setting of "Check VLAN" are:
Enabled: Enable check VLAN operation.
Disabled: Disable check VLAN operation.
Only the Global Mode and Port Mode on a given port are enabled, and the setting of
"Check VLAN" is disabled, the log type of ARP Inspection will refer to the port setting.
There are four log types and possible types are:
None: Log nothing.
Deny: Log denied entries.
Permit: Log permitted entries.
ALL: Log all entries.
l Buttons:
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved values.
Revision A1
Page 83
75
2-5.2.5.2 Navigating the VLAN Configuration
Each page shows up to 9999 entries from the VLAN table, default being 20, selected through
the "entries per page" input field. When first visited, the web page will show the first 20 entries
from the beginning of the VLAN Table. The first displayed will be the one with the lowest
VLAN ID found in the VLAN Table.
The "VLAN" input fields allow the user to select the starting point in the VLAN Table. Clicking
the button will update the displayed table starting from that or the closest next VLAN Table
match. The will use the next entry of the currently displayed VLAN entry as a basis for the
next lookup. When the end is reached the warning message is shown in the displayed table.
Use the button to start over.
Web Interface
To c o nf ig u re a V L AN M o de Co nf i gu ra ti o n in t h e we b interface:
1. Click “Add new entry”.
2. Specify the VLAN ID, Log Type
3. Click Apply.
Figure 2-5.2.5.2: The VLAN Mode Configuration
Parameter description:
l VLAN Mode Configuration
Specify ARP Inspection is enabled on which VLANs. First, you have to enable the port
setting on Port mode configuration web page. Only when both Global Mode and Port Mode
on a given port are enabled, ARP Inspection is enabled on this given port. Second, you can
Revision A1
Page 84
76
specify which VLAN will be inspected on VLAN mode configuration web page. The log type
also can be configured on per VLAN setting.
Possible types are:
None: Log nothing.
Deny: Log denied entries.
Permit: Log permitted entries.
ALL: Log all entries.
l Buttons
Add New Entry: Click to add a new VLAN to the ARP Inspection VLAN table.
Apply: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
Revision A1
Page 85
77
2-5.2.5.3 Static Table
The section describes to configure the Static ARP Inspection Table parameters of the switch.
You c ou ld u se t he S ta ti c A RP I ns pe ct io n Ta bl e co nf ig ur e to m an age t he ARP en tr ie s.
Web Interface
To c o nf ig u re a S t at ic A RP In s pe c ti on Tab l e C on fi gu r at io n i n th e w eb in te rf a ce :
1. Click “Add new entry”.
2. Specify the Port, VLAN ID, IP Address, and MAC address in the entry.
3. Click Apply.
Figure 2-5.2.5.3: The Static ARP Inspection Table
Parameter description:
l Delete :
Check to delete the entry. It will be deleted during the next save.
l Port :
The logical port for the settings.
l VLAN ID :
The vlan id for the settings.
l MAC Address :
Allowed Source MAC address in ARP request packets.
l IP Address :
Allowed Source IP address in ARP request packets.
l Adding new entry :
Click to add a new entry to the Static ARP Inspection table. Specify the Port, VLAN ID, MAC
address, and IP address for the new entry. Click "Save".
l Buttons:
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved values.
Revision A1
Page 86
78
2-5.2.5.4 Dynamic Table
Entries in the Dynamic ARP Inspection Table are shown on this page. The Dynamic ARP
Inspection Table contains up to 1024 entries, and is sorted first by port, then by VLAN ID, then
by MAC address, and then by IP address.
Navigating the ARP Inspection Table
Each page shows up to 99 entries from the Dynamic ARP Inspection table, default being 20,
selected through the "entries per page" input field. When first visited, the web page will show
the first 20 entries from the beginning of the Dynamic ARP Inspection Table.
The "Start from port address", "VLAN", "MAC address" and "IP address" input fields allow the
user to select the starting point in the Dynamic ARP Inspection Table. Clicking the button will
update the displayed table starting from that or the closest next Dynamic ARP Inspection
Ta bl e m at c h. I n a dd it i on , th e t wo i n pu t f ie ld s w il l - upon a button click - assume the value of
the first displayed entry, allowing for continuous refresh with the same start address.
The will use the last entry of the currently displayed table as a basis for the next lookup.
When the end is reached the text "No more entries" is shown in the displayed table. Use the
button to start over.
Web Interface
To c o nf ig u re a D y na mi c A RP In sp ec ti on Tab l e C on fi gu r at io n i n th e w eb in te rf a ce :
Figure 2-5.2.5.4: The Dynamic ARP Inspection Table
Parameter description:
ARP Inspection Table Columns
l Port
Switch Port Number for which the entries are displayed.
l VLAN ID
VLAN-ID in which the ARP traffic is permitted.
l MAC Address
User MAC address of the entry.
l IP Address
User IP address of the entry.
l Tra nslate to sta tic
Select the checkbox to translate the entry to static entry.
l Buttons:
Apply – Click to save changes.
Revision A1
Page 87
79
Reset- Click to undo any changes made locally and revert to previously saved values.
Auto-refresh:
Check this box to refresh the page automatically. Automatic refresh occurs every 3 seconds.
Refresh:
Refreshes the displayed table starting from the input fields.
Save:
Click to save changes.
Reset:
Click to undo any changes made locally and revert to previously saved values.
<<:
Updates the table starting from the first entry in the Dynamic ARP Inspection Table.
>>:
Updates the table, starting with the entry after the last entry currently displayed
Revision A1
Page 88
80
2-5.3 AAA
This section shows you to use an AAA (Authentication, Authorization, Accounting) server to
provide access control to your network. The AAA server can be a TACACS+ or RADIUS server
to create and manage objects that contain settings for using AAA servers.
2-5.3.1 RADIUS
Web Interface
To c o nf ig u re a C o mm o n Co n fi gu r at io n o f A A A, R A DI US in t h e we b i nt er f ac e:
Figure 2-5.3.1: The RADIUS Authentication Server Configuration
Parameter description:
Global Configuration
These setting are common for all of the RADIUS servers.
l Timeout
Timeout is the number of seconds, in the range 1 to 1000, to wait for a reply from a RADIUS
server before retransmitting the request.
Revision A1
Page 89
81
l Retransmit
Retransmit is the number of times, in the range 1 to 1000, a RADIUS request is retransmitted
to a server that is not responding. If the server has not responded after the last retransmit it
is considered to be dead.
l Deadtime
Deadtime, which can be set to a number between 0 to 1440 minutes, is the period during
which the switch will not send new requests to a server that has failed to respond to a
previous request. This will stop the switch from continually trying to contact a server that it
has already determined as dead.
Setting the Deadtime to a value greater than 0 (zero) will enable this feature, but only if more
than one server has been configured.
l Key
The secret key - up to 63 characters long - shared between the RADIUS server and the
switch.
l NAS-IP-Address (Attribute 4)
The IPv4 address to be used as attribute 4 in RADIUS Access-Request packets. If this field
is left blank, the IP address of the outgoing interface is used.
l NAS-IPv6-Address (Attribute 95)
The IPv6 address to be used as attribute 95 in RADIUS Access-Request packets. If this field
is left blank, the IP address of the outgoing interface is used.
l NAS-Identifier (Attribute 32)
The identifier - up to 255 characters long - to be used as attribute 32 in RADIUS AccessRequest packets. If this field is left blank, the NAS-Identifier is not included in the packet.
Server Configuration
The table has one row for each RADIUS server and a number of columns, which are:
l Delete
To de l et e a R AD I US s er v er en t ry, ch ec k t hi s b ox . T he en tr y w i ll b e d el e te d d u ri ng t he ne x t
Save.
l Hostname
The IP address or hostname of the RADIUS server.
l Auth Port
The UDP port to use on the RADIUS server for authentication.
l Acct Port
The UDP port to use on the RADIUS server for accounting.
l Timeout
This optional setting overrides the global timeout value. Leaving it blank will use the global
timeout value.
l Retransmit
This optional setting overrides the global retransmit value. Leaving it blank will use the global
retransmit value.
l Key
This optional setting overrides the global key. Leaving it blank will use the global key.
Adding a New Server
Click to add a new RADIUS server. An empty row is added to the table, and the RADIUS
server can be configured as needed. Up to 5 servers are supported.
The button can be used to undo the addition of the new server.
Revision A1
Page 90
82
Buttons
l Apply:
Click to save changes.
l Reset:
Click to undo any changes made locally and revert to previously saved values.
Revision A1
Page 91
83
2-6 Aggregation
The Aggregation is used to configure the settings of Link Aggregation. You can bundle more
than one port with the same speed, full duplex and the same MAC to be a single logical port,
thus the logical port aggregates the bandwidth of these ports. This means you can apply your
current Ethernet equipment’s to build the bandwidth aggregation. For example, if there are
three Fast Ethernet ports aggregated in a logical port, then this logical port has bandwidth three
times as high as a single Fast Ethernet port has.
2-6.1 Static
Ports using Static Trunk as their trunk method can choose their unique Static GroupID to form
a logic “trunked port”. The benefit of using Static Trunk method is that a port can immediately
become a member of a trunk group without any handshaking with its peer port. This is also a
disadvantage because the peer ports of your static trunk group may not know that they should
be aggregate together to form a “logic trunked port”. Using Static Trunk on both end of a link is
strongly recommended. Please also note that low speed links will stay in “not ready” state when
using static trunk to aggregate with high speed links.
Web Interface
To configure the Trunk Aggregation Hash mode and Aggregation Group in the web interface:
1. Click Configuration, Aggregation, Static and then Aggregation Mode Configuration.
2. Evoke to enable or disable the aggregation mode function.
Evoke Aggregation Group ID and Port members
3. Click the save to save the setting
4. If you want to cancel the setting then you need to click the reset button. It
will revert to previously saved values.
Figure 2-6.1: The Aggregation Mode Configuration
Revision A1
Page 92
84
Parameter description:
Hash Code Contributors
l Source MAC Address :
The Source MAC address can be used to calculate the destination port for the frame. Check
to enable the use of the Source MAC address, or uncheck to disable. By default, Source
MAC Address is enabled.
l Destination MAC Address :
The Destination MAC Address can be used to calculate the destination port for the frame.
Check to enable the use of the Destination MAC Address, or uncheck to disable. By default,
Destination MAC Address is disabled.
l IP Address :
The IP address can be used to calculate the destination port for the frame. Check to enable
the use of the IP Address, or uncheck to disable. By default, IP Address is enabled.
l TCP/UDP Port Number :
The TCP/UDP port number can be used to calculate the destination port for the frame. Check
to enable the use of the TCP/UDP Port Number, or uncheck to disable. By default, TCP/UDP
Port Number is enabled.
Aggregation Group Configuration
l Group ID :
Indicates the group ID for the settings contained in the same row. Group ID "Normal"
indicates there is no aggregation. Only one group ID is valid per port.
l Port Members :
Each switch port is listed for each group ID. Select a radio button to include a port in an
aggregation, or clear the radio button to remove the port from the aggregation. By default,
no ports belong to any aggregation group. Only full duplex ports can join an aggregation and
ports must be in the same speed in each group.
l Buttons
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved values.
Revision A1
Page 93
85
2-6.2 LACP
This page allows the user to inspect the current LACP port configurations, and possibly change
them as well An LACP trunk group with more than one ready member-ports is a “real trunked”
group. An LACP trunk group with only one or less than one ready member-ports is not a “real
trunked” group.
Web Interface
To configure the Trunk Aggregation LACP parameters in the web interface:
1. Click Configuration, LACP, Configuration
2. Evoke to enable or disable the LACP on the port of the switch.
Scroll the Key parameter with Auto or Specific Default is Auto.
3. Scroll the Role with Active or Passive. Default is Active
4. Click the save to save the setting
5. If you want to cancel the setting then you need to click the reset button.
It will revert to previously saved values
Figure 2-6.2: The LACP Port Configuration
Revision A1
Page 94
86
Parameter description:
l Port :
The switch port number.
l LACP Enabled
Controls whether LACP is enabled on this switch port. LACP will form an aggregation when
2 or more ports are connected to the same partner.
l Key
The Key value incurred by the port, range 1-65535 . The Auto setting will set the key as
appropriate by the physical link speed, 10Mb = 1, 100Mb = 2, 1Gb = 3. Using the Specific
setting, a user-defined value can be entered. Ports with the same Key value can participate
in the same aggregation group, while ports with different keys cannot.
l Role
The Role shows the LACP activity status. The Active will transmit LACP packets each second,
while Passive will wait for a LACP packet from a partner (speak if spoken to).
l Timeout
The Timeout controls the period between BPDU transmissions. Fast will transmit LACP
packets each second, while Slow will wait for 30 seconds before sending a LACP packet.
l Prio
The Prio controls the priority of the port. If the LACP partner wants to form a larger group
than is supported by this device then this parameter will control which ports will be active
and which ports will be in a backup role. Lower number means greater priority.
l Buttons
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved values.
Revision A1
Page 95
87
2-7 Loop Protection
The loop Protection is used to detect the presence of traffic. When switch receives packet’s
(looping detection frame) MAC address the same as oneself from port, show Loop Protection
happens. The port will be locked when it received the looping Proection frames. If you want to
resume the locked port, please find out the looping path and take off the looping path, then
select the resume the locked port and click on “Resume” to turn on the locked ports.
Web Interface
To c o nf ig u re t he Lo op Pr ot e ct io n parameters in the web interface:
1. Click Configuration, Loop Protection.
2. Evoke to select enable or disable the port loop Protection
3. Click the save to save the setting
4. If you want to cancel the setting then you need to click the Reset button. It will revert to
previously saved values
Figure 2-7: The Loop Protection Configuration.
Revision A1
Page 96
88
Parameter description:
l Enable Loop Protection:
Controls whether loop protections is enabled (as a whole).
l Tra nsmiss ion Time:
The interval between each loop protection PDU sent on each port. valid values are 1 to 10
seconds.
l Shutdown Time:
The period (in seconds) for which a port will be kept disabled in the event of a loop is detected
(and the port action shuts down the port). Valid v alues are 0 to 6 04800 second s (7 d ays). A
value of zero will keep a port disabled (until next device restart).
l Port No:
The switch port number of the port.
l Enable :
Controls whether loop protection is enabled on this switch port
l Action:
Configures the action performed when a loop is detected on a port. Valid values are Shutdown Port,
Shutdown Port and Log or Log Only.
l Tx Mode :
Controls whether the port is actively generating loop protection PDU's, or whether it is just passively
looking for looped PDU's.
l Buttons:
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved values.
Revision A1
Page 97
89
2-8 Spanning Tree
The Spanning Tree Protocol (STP) can be used to detect and disable network loops, and to
provide backup links between switches, bridges or routers. This allows the switch to interact
with other bridging devices (that is, an STP-compliant switch, bridge or router) in your network
to ensure that only one route exists between any two stations on the network, and provide
backup links which automatically take over when a primary link goes down.
STP - STP uses a distributed algorithm to select a bridging device (STP- compliant switch,
bridge or router) that serves as the root of the spanning tree network. It selects a root port on
each bridging device (except for the root device) which incurs the lowest path cost when
forwarding a packet from that device to the root device. Then it selects a designated bridging
device from each LAN which incurs the lowest path cost when forwarding a packet from that
LAN to the root device. All ports connected to designated bridging devices are assigned as
designated ports. After determining the lowest cost spanning tree, it enables all root ports and
designated ports, and disables all other ports. Network packets are therefore only forwarded
between root ports and designated ports, eliminating any possible network loops.
Once a stable network topology has been established, all bridges listen for Hello BPDUs
(Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello
BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root
Bridge is down. This bridge will then initiate negotiations with other bridges to reconfigure the
network to reestablish a valid network topology.
2-8.1 Bridge Setting
The section describes that how to configure the Spanning Tree Bridge and STP System settings.
It allows you to configure STP System settings are used by all STP Bridge instance in the switch.
Web Interface
To c o nf ig u re t he Sp an n in g Tr ee Br id ge Se tt i ng s p ar am et e rs i n t he w e b in t er fa ce :
1. Click Configuration, Spanning Tree, Bridge Settings
2. Scroll to select the parameters and write down available value of parameters in blank field
in Basic Settings
3. Evoke to enable or disable the parameters and write down available value of parameters
in blank field in Advanced settings
4. Click the apply to save the setting
5. If you want to cancel the setting then you need to click the Reset button. It will revert to
previously saved values
Revision A1
Page 98
90
Figure 2-8.1: The STP Bridge Configuration
Parameter description:
Basic Settings
l Protocol Version :
The STP protocol version setting. Valid values are STP, RSTP and MSTP.
l Bridge Priority :
Controls the bridge priority. Lower numeric values have better priority. The bridge priority
plus the MSTI instance number, concatenated with the 6-byte MAC address of the switch
forms a Bridge Identifier. For MSTP operation, this is the priority of the CIST. Otherwise, this
is the priority of the STP/RSTP bridge.
l Forward Delay :
The delay used by STP Bridges to transit Root and Designated Ports to Forwarding (used in
STP compatible mode). Valid values are in the range 4 to 30 seconds.
l Max Age :
The maximum age of the information transmitted by the Bridge when it is the Root Bridge.
Valid v a lue s ar e in t h e range 6 to 40 seconds, and MaxAge must be <= (FwdDelay-1)*2.
l Maximum Hop Count :
This defines the initial value of remaining Hops for MSTI information generated at the
boundary of an MSTI region. It defines how many bridges a root bridge can distribute its
BPDU information to. Valid values are in the range 6 to 40 hops.
l Tra nsmit Hold Count :
The number of BPDU's a bridge port can send per second. When exceeded, transmission
of the next BPDU will be delayed. Valid values are in the range 1 to 10 BPDU's per second.
Revision A1
Page 99
91
Advanced Settings
l Edge Port BPDU Filtering :
Control whether a port explicitly configured as Edge will transmit and receive BPDUs.
l Edge Port BPDU Guard :
Control whether a port explicitly configured as Edge will disable itself upon reception of a
BPDU. The port will enter the error-disabled state, and will be removed from the active
topology.
l Port Error Recovery :
Control whether a port in the error-disabled state automatically will be enabled after a certain
time. If recovery is not enabled, ports have to be disabled and re-enabled for normal STP
operation. The condition is also cleared by a system reboot.
l Port Error Recovery Timeout :
The time to pass before a port in the error-disabled state can be enabled. Valid values are
between 30 and 86400 seconds (24 hours).
l Buttons
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved values.
Revision A1
Page 100
92
2-8.2 MSTI Mapping
When you implement an Spanning Tree protocol on the switch that the bridge instance. The
CIST is not available for explicit mapping, as it will receive the VLANs not explicitly mapped.
Due to the reason that you need to set the list of VLANs mapped to the MSTI. The VLANs must
be separated with comma and/or space. A VLAN can only be mapped to one MSTI. An unused
MSTI should just be left empty. (I.e. not having any VLANs mapped to it.)
This section describes it allows the user to inspect the current STP MSTI bridge instance priority
configurations, and possibly change them as well.
Web Interface
To c o nf ig u re t he Sp an n in g Tr ee MS TI Ma pp i ng p a ra me t er s i n th e w eb i n te rf ac e :
1. Click Configuration, Spanning Tree, MSTI Mapping
2. Specify the configuration identification parameters in the field. Specify the VLANs Mapped
blank field.
3. Click the save to save the setting
4. If you want to cancel the setting then you need to click the Reset button. It will revert to
previously saved values
Figure 2-8.2: The MSTI Configuration
Parameter description:
Configuration Identification
l Configuration Name :
The name identifying the VLAN to MSTI mapping. Bridges must share the name and revision
Revision A1
Loading...