LevelOne
User Manual
GSW-4876
48 GE + 2 GE SFP Web Smart Switch
Ver. 1.0
MANAGEMENT GUIDE
GSW-4876 WEB SMART SWITCH
Layer 2 Gigabit Ethernet Switch
with 48 10/100/1000BASE-T Ports (RJ-45) and 2 Gigabit Combination (RJ-45/SFP) Ports
GSW-4876
E082012/ST-R01
ABOUT THIS GUIDE
PURPOSE This guide gives specific information on how to operate and use the management functions of the switch.
AUDIENCE The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
CONVENTIONS The following conventions are used throughout this guide to show information:
NOTE: Emphasizes important information or calls your attention to related features or instructions.
CAUTION: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment.
WARNING: Alerts you to a potential hazard that could cause personal injury.
RELATED PUBLICATIONS The following publication details the hardware features of the switch, including the physical and performance-related characteristics, and how to install the switch:
The Installation Guide
Also, as part of the switch’s software, there is online web-based help that describes all management-related features.
REVISION HISTORY This section summarizes the changes in each revision of this guide.
AUGUST 2012 REVISION
This is the first version of this guide. This guide is valid for software release v1.0.0.1.
CONTENTS
ABOUT THIS GUIDE ... 5
CONTENTS ... 7
FIGURES ... 13
TABLES ... 19
SECTION I GETTING STARTED ... 21
1 INTRODUCTION ... 23
    Key Features ... 23
    Description of Software Features ... 24
    System Defaults ... 28
2 INITIAL SWITCH CONFIGURATION ... 31
SECTION II WEB CONFIGURATION ... 33
3 USING THE WEB INTERFACE ... 35
    Navigating the Web Browser Interface ... 35
    Home Page ... 35
    Configuration Options ... 36
    Panel Display ... 36
    Main Menu ... 36
4 CONFIGURING THE SWITCH ... 45
    Configuring System Information ... 45
    Setting an IP Address ... 46
    Setting an IPv4 Address ... 46
    Setting an IPv6 Address ... 48
    Configuring NTP Service ... 50
    Configuring the Time Zone and Daylight Savings Time ... 51
    Configuring Remote Log Messages ... 53
    Configuring Power Reduction ... 55
    Reducing Power to Idle Queue Circuits ... 55
    Configuring Port Connections ... 56
    Configuring Security ... 58
    Configuring User Accounts ... 58
    Configuring User Privilege Levels ... 60
    Configuring the Authentication Method for Management Access ... 62
    Configuring SSH ... 65
    Configuring HTTPS ... 66
    Filtering IP Addresses for Management Access ... 67
    Using Simple Network Management Protocol ... 68
    Remote Monitoring ... 79
    Configuring Port Limit Controls ... 84
    Configuring Authentication Through Network Access Servers ... 87
    Filtering Traffic with Access Control Lists ... 98
    Configuring DHCP Snooping ... 108
    Configuring DHCP Relay and Option 82 Information ... 111
    Configuring IP Source Guard ... 112
    Configuring ARP Inspection ... 116
    Specifying Authentication Servers ... 119
    Creating Trunk Groups ... 121
    Configuring Static Trunks ... 122
    Configuring LACP ... 124
    Configuring the Spanning Tree Algorithm ... 126
    Configuring Global Settings for STA ... 128
    Configuring Multiple Spanning Trees ... 132
    Configuring Spanning Tree Bridge Priorities ... 134
    Configuring STP/RSTP/CIST Interfaces ... 135
    Configuring MSTI Interfaces ... 138
    Multicast VLAN Registration ... 139
    Configuring General MVR Settings ... 140
    Configuring MVR Channel Settings ... 143
    IGMP Snooping ... 144
    Configuring Global and Port-Related Settings for IGMP Snooping ... 145
    Configuring VLAN Settings for IGMP Snooping and Query ... 148
    Configuring IGMP Filtering ... 150
    MLD Snooping ... 151
    Configuring Global and Port-Related Settings for MLD Snooping ... 151
    Configuring VLAN Settings for MLD Snooping and Query ... 154
    Configuring MLD Filtering ... 157
    Link Layer Discovery Protocol ... 157
    Configuring LLDP Timing and TLVs ... 158
    Configuring LLDP-MED TLVs ... 161
    Configuring the MAC Address Table ... 166
    IEEE 802.1Q VLANs ... 168
    Assigning Ports to VLANs ... 169
    Configuring VLAN Attributes for Port Members ... 170
    Using Port Isolation ... 173
    Configuring MAC-based VLANs ... 173
    Protocol VLANs ... 175
    Configuring Protocol VLAN Groups ... 175
    Mapping Protocol Groups to Ports ... 177
    Configuring IP Subnet-based VLANs ... 178
    Managing VoIP Traffic ... 179
    Configuring VoIP Traffic ... 180
    Configuring Telephony OUI ... 182
    Quality of Service ... 183
    Configuring Port Classification ... 184
    Configuring Port Policers ... 185
    Configuring Egress Port Scheduler ... 186
    Configuring Egress Port Shaper ... 188
    Configuring Port Remarking Mode ... 189
    Configuring Port DSCP Translation and Rewriting ... 192
    Configuring DSCP-based QoS Ingress Classification ... 193
    Configuring DSCP Translation ... 194
    Configuring DSCP Classification ... 195
    Configuring QoS Control Lists ... 196
    Configuring Storm Control ... 200
    Configuring Random Early Detection ... 201
    Using Congestion Management ... 203
    Configuring Local Port Mirroring ... 204
    Configuring Remote Port Mirroring ... 205
    Configuring UPnP ... 210
    Configuring sFlow ... 211
5 MONITORING THE SWITCH ... 215
    Displaying Basic Information About the System ... 215
    Displaying System Information ... 215
    Displaying CPU Utilization ... 216
    Displaying Log Messages ... 217
    Displaying Log Details ... 219
    Displaying Information About Ports ... 219
    Displaying Port Status On the Front Panel ... 219
    Displaying an Overview of Port Statistics ... 220
    Displaying QoS Statistics ... 220
    Displaying QCL Status ... 221
    Displaying Detailed Port Statistics ... 222
    Displaying Information About Security Settings ... 225
    Displaying Access Management Statistics ... 225
    Displaying Information About Switch Settings for Port Security ... 226
    Displaying Information About Learned MAC Addresses ... 228
    Displaying Port Status for Authentication Services ... 229
    Displaying Port Statistics for 802.1X or Remote Authentication Service ... 230
    Displaying ACL Status ... 234
    Displaying Statistics for DHCP Snooping ... 236
    Displaying DHCP Relay Statistics ... 237
    Displaying MAC Address Bindings for ARP Packets ... 238
    Displaying Entries in the IP Source Guard Table ... 239
    Displaying Information on Authentication Servers ... 240
    Displaying a List of Authentication Servers ... 240
    Displaying Statistics for Configured Authentication Servers ... 241
    Displaying Information on RMON ... 245
    Displaying RMON Statistics ... 245
    Displaying RMON Historical Samples ... 246
    Displaying RMON Alarm Settings ... 247
    Displaying RMON Event Settings ... 248
    Displaying Information on LACP ... 249
    Displaying an Overview of LACP Groups ... 249
    Displaying LACP Port Status ... 249
    Displaying LACP Port Statistics ... 250
    Displaying Information on the Spanning Tree ... 251
    Displaying Bridge Status for STA ... 251
    Displaying Port Status for STA ... 254
    Displaying Port Statistics for STA ... 255
    Displaying MVR Information ... 256
    Displaying MVR Statistics ... 256
    Displaying MVR Group Information ... 257
    Displaying MVR SFM Information ... 258
    Showing IGMP Snooping Information ... 259
    Showing IGMP Snooping Status ... 259
    Showing IGMP Snooping Group Information ... 260
    Showing IPv4 SFM Information ... 261
    Showing MLD Snooping Information ... 262
    Showing MLD Snooping Status ... 262
    Showing MLD Snooping Group Information ... 263
    Showing IPv6 SFM Information ... 264
    Displaying LLDP Information ... 265
    Displaying LLDP Neighbor Information ... 265
    Displaying LLDP-MED Neighbor Information ... 266
    Displaying LLDP Neighbor EEE Information ... 268
    Displaying LLDP Port Statistics ... 270
    Displaying the MAC Address Table ... 271
    Displaying Information About VLANs ... 272
    VLAN Membership ... 272
    VLAN Port Status ... 273
    Displaying Information About MAC-based VLANs ... 275
    Displaying Information About Flow Sampling ... 276
6 PERFORMING BASIC DIAGNOSTICS ... 279
    Pinging an IPv4 or IPv6 Address ... 279
    Running Cable Diagnostics ... 281
7 PERFORMING SYSTEM MAINTENANCE ... 283
    Restarting the Switch ... 283
    Restoring Factory Defaults ... 284
    Upgrading Firmware ... 284
    Activating the Alternate Image ... 285
    Managing Configuration Files ... 286
    Saving Configuration Settings ... 286
    Restoring Configuration Settings ... 287
SECTION III APPENDICES ... 289
A SOFTWARE SPECIFICATIONS ... 291
    Software Features ... 291
    Management Features ... 292
    Standards ... 293
    Management Information Bases ... 293
B TROUBLESHOOTING ... 295
    Problems Accessing the Management Interface ... 295
    Using System Logs ... 296
C LICENSE INFORMATION ... 297
    The GNU General Public License ... 297
GLOSSARY ... 301
INDEX ... 309
FIGURES
Figure 1: Home Page ... 35
Figure 2: Front Panel Indicators ... 36
Figure 3: System Information Configuration ... 45
Figure 4: IP Configuration ... 47
Figure 5: IPv6 Configuration ... 49
Figure 6: NTP Configuration ... 50
Figure 7: Time Zone and Daylight Savings Time Configuration ... 53
Figure 8: Configuring Settings for Remote Logging of Error Messages ... 54
Figure 9: Configuring EEE Power Reduction ... 56
Figure 10: Port Configuration ... 58
Figure 11: Showing User Accounts ... 60
Figure 12: Configuring User Accounts ... 60
Figure 13: Configuring Privilege Levels ... 62
Figure 14: Authentication Server Operation ... 63
Figure 15: Authentication Method for Management Access ... 64
Figure 16: SSH Configuration ... 65
Figure 17: HTTPS Configuration ... 67
Figure 18: Access Management Configuration ... 68
Figure 19: SNMP System Configuration ... 73
Figure 20: SNMPv3 Community Configuration ... 74
Figure 21: SNMPv3 User Configuration ... 76
Figure 22: SNMPv3 Group Configuration ... 77
Figure 23: SNMPv3 View Configuration ... 78
Figure 24: SNMPv3 Access Configuration ... 79
Figure 25: RMON Statistics Configuration ... 80
Figure 26: RMON History Configuration ... 81
Figure 27: RMON Alarm Configuration ... 83
Figure 28: RMON Event Configuration ... 84
Figure 29: Port Security Limit Control Configuration ... 87
Figure 30: Using Port Security ... 87
Figure 31: Network Access Server Configuration ... 98
Figure 32: ACL Port Configuration ... 100
Figure 33: ACL Rate Limiter Configuration ... 101
Figure 34: Access Control List Configuration ... 108
Figure 35: DHCP Snooping Configuration ... 110
Figure 36: DHCP Relay Configuration ... 112
Figure 37: Configuring Global and Port-based Settings for IP Source Guard ... 114
Figure 38: Configuring Static Bindings for IP Source Guard ... 115
Figure 39: Configuring Global and Port Settings for ARP Inspection ... 117
Figure 40: Configuring Static Bindings for ARP Inspection ... 118
Figure 41: Authentication Configuration ... 120
Figure 42: Static Trunk Configuration ... 124
Figure 43: LACP Port Configuration ... 126
Figure 44: STP Root Ports and Designated Ports ... 127
Figure 45: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree ... 127
Figure 46: Common Internal Spanning Tree, Common Spanning Tree, Internal Spanning Tree ... 128
Figure 47: STA Bridge Configuration ... 131
Figure 48: Adding a VLAN to an MST Instance ... 133
Figure 49: Configuring STA Bridge Priorities ... 134
Figure 50: STP/RSTP/CIST Port Configuration ... 138
Figure 51: MSTI Port Configuration ... 139
Figure 52: MVR Concept ... 140
Figure 53: Configuring General MVR Settings ... 143
Figure 54: Configuring MVR Channel Settings ... 144
Figure 55: Configuring Global and Port-related Settings for IGMP Snooping ... 148
Figure 56: Configuring VLAN Settings for IGMP Snooping and Query ... 150
Figure 57: IGMP Snooping Port Group Filtering Configuration ... 151
Figure 58: Configuring Global and Port-related Settings for MLD Snooping ... 154
Figure 59: Configuring VLAN Settings for MLD Snooping and Query ... 156
Figure 60: MLD Snooping Port Group Filtering Configuration ... 157
Figure 61: LLDP Configuration ... 160
Figure 62: LLDP-MED Configuration ... 166
Figure 63: MAC Address Table Configuration ... 168
Figure 64: VLAN Membership Configuration ... 170
Figure 65: VLAN Port Configuration ... 172
Figure 66: Port Isolation Configuration ... 173
Figure 67: Configuring MAC-Based VLANs ... 174
Figure 68: Configuring Protocol VLANs ... 176
Figure 69: Assigning Ports to Protocol VLANs ... 178
Figure 70: Assigning Ports to an IP Subnet-based VLAN ... 179
Figure 71: Configuring Global and Port Settings for a Voice VLAN ... 182
Figure 72: Configuring an OUI Telephony List ... 183
Figure 73: Configuring Ingress Port QoS Classification ... 184
Figure 74: Configuring Ingress Port Policing ... 185
Figure 75: Displaying Egress Port Schedulers ... 187
Figure 76: Configuring Egress Port Schedulers and Shapers ... 188
Figure 77: Displaying Egress Port Shapers ... 189
Figure 78: Displaying Port Tag Remarking Mode ... 190
Figure 79: Configuring Port Tag Remarking Mode ... 191
Figure 80: Configuring Port DSCP Translation and Rewriting ... 193
Figure 81: Configuring DSCP-based QoS Ingress Classification ... 194
Figure 82: Configuring DSCP Translation and Re-mapping ... 195
Figure 83: Mapping DSCP to CoS Values ... 196
Figure 84: QoS Control List Configuration ... 200
Figure 85: Storm Control Configuration ... 201
Figure 86: WRED Drop Probability ... 202
Figure 87: Weighted Random Early Detection Configuration ... 203
Figure 88: Congestion Management ... 204
Figure 89: Mirror Configuration ... 205
Figure 90: Configuring Remote Port Mirroring ... 206
Figure 91: Mirror Configuration (Source) ... 208
Figure 92: Mirror Configuration (Intermediate) ... 209
Figure 93: Mirror Configuration (Destination) ... 209
Figure 94: UPnP Configuration ... 211
Figure 95: sFlow Configuration ... 214
Figure 96: System Information ... 216
Figure 97: CPU Load ... 217
Figure 98: System Log Information ... 218
Figure 99: Detailed System Log Information ... 219
Figure 100: Port State Overview ... 219
Figure 101: Port Statistics Overview ... 220
Figure 102: Queueing Counters ... 221
Figure 103: QoS Control List Status ... 222
Figure 104: Detailed Port Statistics ... 224
Figure 105: Access Management Statistics ... 225
Figure 106: Port Security Switch Status ... 227
Figure 107: Port Security Port Status ... 228
Figure 108: Network Access Server Switch Status ... 230
Figure 109: NAS Statistics for Specified Port ... 234
Figure 110: ACL Status ... 235
Figure 111: DHCP Snooping Statistics ... 237
Figure 112: DHCP Relay Statistics ... 238
Figure 113: Dynamic ARP Inspection Table ... 239
Figure 114: Dynamic IP Source Guard Table ... 239
Figure 115: RADIUS Overview ... 240
Figure 116: RADIUS Details ... 244
Figure 117: RMON Statistics ... 246
Figure 118: RMON History Overview ... 247
Figure 119: RMON Alarm Overview ... 248
Figure 120: RMON Event Overview ... 248
Figure 121: LACP System Status ... 249
Figure 122: LACP Port Status ... 250
Figure 123: LACP Port Statistics ... 251
Figure 124: Spanning Tree Bridge Status ... 253
Figure 125: Spanning Tree Detailed Bridge Status ... 254
Figure 126: Spanning Tree Port Status ... 255
Figure 127: Spanning Tree Port Statistics ... 256
Figure 128: MVR Statistics ... 257
Figure 129: MVR Group Information ... 258
Figure 130: MVR SFM Information ... 258
Figure 131: IGMP Snooping Status ... 260
Figure 132: IGMP Snooping Group Information ... 260
Figure 133: IPv4 SFM Information ... 261
Figure 134: MLD Snooping Status ... 263
Figure 135: MLD Snooping Group Information ... 263
Figure 136: IPv6 SFM Information ... 264
Figure 137: LLDP Neighbor Information ... 266
Figure 138: LLDP-MED Neighbor Information ... 268
Figure 139: LLDP Neighbor EEE Information ... 269
Figure 140: LLDP Port Statistics (no header) ... 271
Figure 141: MAC Address Table ... 272
Figure 142: Showing VLAN Members ... 273
Figure 143: Showing VLAN Port Status ... 274
Figure 144: Showing MAC-based VLAN Membership Status ... 275
Figure 145: Showing sFlow Statistics ... 277
Figure 146: ICMP Ping ... 280
Figure 147: VeriPHY Cable Diagnostics ... 281
Figure 148: Restart Device ... 283
Figure 149: Factory Defaults ... 284
Figure 150: Software Upload ... 285
Figure 151: Software Image Selection ... 285
Figure 152: Configuration Save ... 286
Figure 153: Configuration Upload ... 287
TABLES
Table 1: Key Features ... 23
Table 2: System Defaults ... 28
Table 3: Web Page Configuration Buttons ... 36
Table 4: Main Menu ... 36
Table 5: HTTPS System Support ... 66
Table 6: SNMP Security Models and Levels ... 69
Table 7: Dynamic QoS Profiles ... 91
Table 8: QCE Modification Buttons ... 102
Table 9: Recommended STA Path Cost Range ... 135
Table 10: Recommended STA Path Costs ... 136
Table 11: Default STA Path Costs ... 136
Table 12: QCE Modification Buttons ... 197
Table 13: System Capabilities ... 265
Table 14: Troubleshooting Chart ... 295
SECTION I | GETTING STARTED
This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
This section includes these chapters:
"Introduction" on page 23
"Initial Switch Configuration" on page 31
CHAPTER 1 | INTRODUCTION
KEY FEATURES
This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
Table 1: Key Features
Feature | Description
Configuration Backup and Restore | Backup to management station using Web
Authentication | Telnet, Web – user name/password, RADIUS, TACACS+; Web – HTTPS; Telnet – SSH; SNMP v1/2c – community strings; SNMP version 3 – MD5 or SHA password; Port – IEEE 802.1X, MAC address filtering
General Security Measures | Private VLANs, Port Authentication, Port Security, DHCP Snooping (with Option 82 relay information), IP Source Guard
Access Control Lists | Supports up to 256 rules
DHCP | Client
DNS | Client and Proxy service
Port Configuration | Speed, duplex mode, flow control, MTU, response to excessive collisions, power saving mode
Rate Limiting | Input rate limiting per port (manual setting or ACL)
Port Mirroring | 1 session, up to 10 source ports to one analysis port per session
Port Trunking | Supports up to 5 trunks – static or dynamic trunking (LACP)
Congestion Control | Throttling for broadcast, multicast, unknown unicast storms
Address Table | 8K MAC addresses in the forwarding table, 1000 static MAC addresses, 1K L2 IGMP multicast groups and 128 MVR groups
IP Version 4 and 6 | Supports IPv4 and IPv6 addressing, management, and QoS
IEEE 802.1D Bridge | Supports dynamic data switching and address learning
Store-and-Forward Switching | Supported to ensure wire-speed switching while eliminating bad frames
Spanning Tree Algorithm | Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP)
Virtual LANs | Up to 4K using IEEE 802.1Q, port-based, protocol-based, private VLANs, voice VLANs, and QinQ tunnel
Traffic Prioritization | Queue mode and CoS configured by Ethernet type, VLAN ID, TCP/UDP port, DSCP, ToS bit, VLAN tag priority, or port
Quality of Service | Supports Differentiated Services (DiffServ), and DSCP remarking
Link Layer Discovery Protocol | Used to discover basic information about neighboring devices
Multicast Filtering | Supports IGMP snooping and query, MLD snooping, and Multicast VLAN Registration
DESCRIPTION OF SOFTWARE FEATURES
The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Storm suppression prevents broadcast, multicast, and unknown unicast traffic storms from engulfing the network. Untagged (port-based), tagged, and protocol-based VLANs provide traffic security and efficient use of network bandwidth. CoS priority queueing ensures the minimum delay for moving real-time multimedia data across the network, while multicast filtering provides support for real-time network applications.
Some of the management features are briefly described below.
CONFIGURATION BACKUP AND RESTORE
You can save the current configuration settings to a file on the management station (using the web interface) or a TFTP server (using the console interface through Telnet), and later download this file to restore the switch configuration settings.
AUTHENTICATION
This switch authenticates management access via a web browser. User names and passwords can be configured locally or can be verified via a remote authentication server (i.e., RADIUS or TACACS+). Port-based authentication is also supported via the IEEE 802.1X protocol. This protocol uses Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1X client, and then uses EAP between the switch and the authentication server (i.e., a RADIUS or TACACS+ server) to verify the client’s right to access the network.
Other authentication options include HTTPS for secure management access via the web, SSH for secure management access over a Telnet-equivalent connection, SNMP Version 3, IP address filtering for SNMP/Telnet/web management access, and MAC address filtering for port access.
ACCESS CONTROL LISTS
ACLs provide packet filtering for IP frames (based on protocol, TCP/UDP port number or frame type) or layer 2 frames (based on any destination MAC address for unicast, broadcast or multicast, or based on VLAN ID or VLAN tag priority). ACLs can be used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols. Policies can be used to differentiate service for client ports, server ports, network ports or guest ports. They can also be used to strictly control network traffic by only allowing incoming frames that match the source MAC and source IP on a specific port.
PORT CONFIGURATION
You can manually configure the speed and duplex mode, and flow control used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device. Use the full-duplex mode on ports whenever possible to double the throughput of switch connections. Flow control should also be enabled to control network traffic during periods of congestion and prevent the loss of packets when port buffer thresholds are exceeded. The switch supports flow control based on the IEEE 802.3x standard (now incorporated in IEEE 802.3-2002).
RATE LIMITING
This feature controls the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.
PORT MIRRORING
The switch can unobtrusively mirror traffic from any port to a monitor port. You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity.
PORT TRUNKING
Ports can be combined into an aggregate connection. Trunks can be manually set up or dynamically configured using Link Aggregation Control Protocol (LACP – IEEE 802.3-2005). The additional ports dramatically increase the throughput across any connection, and provide redundancy by taking over the load if a port in the trunk should fail. The switch supports up to 5 trunks.
STORM CONTROL
Broadcast, multicast and unknown unicast storm suppression prevents traffic from overwhelming the network. When enabled on a port, the level of broadcast traffic passing through the port is restricted. If broadcast traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold.
STATIC ADDRESSES
A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table. Static addresses can be used to provide network security by restricting access for a known host to a specific port.
IEEE 802.1D BRIDGE
The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 16K addresses.
STORE-AND-FORWARD SWITCHING
The switch copies each frame into its memory before forwarding it to another port. This ensures that all frames are a standard Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC). This prevents bad frames from entering the network and wasting bandwidth.
To avoid dropping frames on congested ports, the switch provides 8 MB for frame buffering. This buffer can queue packets awaiting transmission on congested networks.
SPANNING TREE ALGORITHM
The switch supports these spanning tree protocols:
Spanning Tree Protocol (STP, IEEE 802.1D) – Supported by using the STP backward compatible mode provided by RSTP. STP provides loop detection. When there are multiple physical paths between segments, this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network. This prevents the creation of network loops. However, if the chosen path should fail for any reason, an alternate path will be activated to maintain the connection.
Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol reduces the convergence time for network topology changes to about 3 to 5 seconds, compared to 30 seconds or more for the older IEEE 802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices.
Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct extension of RSTP. It can provide an independent spanning tree for different VLANs. It simplifies network management, provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP).
VIRTUAL LANS
The switch supports up to 4096 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard. Members of VLAN groups can be manually assigned to a specific set of VLANs. This allows the switch to restrict traffic to the VLAN groups to which a user has been assigned. By segmenting your network into VLANs, you can:
Eliminate broadcast storms which severely degrade performance in a flat network.
Simplify network management for node changes/moves by remotely configuring VLAN membership for any port, rather than having to manually change the network connection.
Provide data security by restricting all traffic to the originating VLAN.
Use private VLANs to restrict traffic to pass only between data ports and the uplink ports, thereby isolating adjacent ports within the same VLAN, and allowing you to limit the total number of VLANs that need to be configured.
Use protocol VLANs to restrict traffic to specified interfaces based on protocol type.
IEEE 802.1Q TUNNELING (QINQ)
This feature is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs. This is accomplished by inserting Service Provider VLAN (SPVLAN) tags into the customer’s frames when they enter the service provider’s network, and then stripping the tags when the frames leave the network.
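The tag push and pop that the QinQ paragraph describes, as an added worked example (not code from the manual or from LevelOne): two customers both use VLAN 100 internally, the provider edge inserts a different SPVLAN tag for each on ingress, the provider core forwards on the outer tag only, and the edge strips it again on egress so each customer frame comes out unchanged. The MAC addresses, VLAN numbers, payloads and helper names are constructed for this illustration; the TPID used for the outer tag is an assumption (0x88A8 is the IEEE 802.1ad value, though some equipment uses 0x8100 for both tags).

```python
# Added example: SPVLAN tag push/pop at a QinQ provider edge. Constructed data;
# the outer-tag TPID is an assumption, not a value taken from the manual.
import struct

TPID_CTAG = 0x8100  # IEEE 802.1Q customer tag
TPID_STAG = 0x88A8  # IEEE 802.1ad service (provider) tag; assumed here
MAC_HDR_LEN = 12    # destination MAC + source MAC


def build_tagged_frame(dst, src, vid, pcp=0, ethertype=0x0800, payload=b""):
    """Build a customer frame carrying a single 802.1Q tag."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_CTAG, tci, ethertype) + payload


def parse_tags(frame):
    """Return the VLAN tags after the MAC header as (tpid, pcp, vid), outermost first."""
    tags = []
    offset = MAC_HDR_LEN
    while offset + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in (TPID_CTAG, TPID_STAG):
            break  # reached the real EtherType, no more tags
        tags.append((tpid, tci >> 13, tci & 0x0FFF))
        offset += 4
    return tags


def push_spvlan(frame, spvid, pcp=0):
    """Provider-edge ingress: insert the SPVLAN tag in front of the customer's own tags."""
    if not 1 <= spvid <= 4094:
        raise ValueError("SPVLAN ID must be 1..4094")
    tci = (pcp << 13) | spvid
    return frame[:MAC_HDR_LEN] + struct.pack("!HH", TPID_STAG, tci) + frame[MAC_HDR_LEN:]


def pop_spvlan(frame):
    """Provider-edge egress: strip the outer SPVLAN tag, leaving the customer frame intact."""
    tpid = struct.unpack_from("!H", frame, MAC_HDR_LEN)[0]
    if tpid != TPID_STAG:
        raise ValueError("no outer SPVLAN tag present")
    return frame[:MAC_HDR_LEN] + frame[MAC_HDR_LEN + 4:]


def provider_forwarding_key(frame):
    """The provider core looks only at the outer tag, so two customers that both use
    the same internal VLAN ID are kept apart by their distinct SPVLAN IDs."""
    tags = parse_tags(frame)
    if not tags or tags[0][0] != TPID_STAG:
        raise ValueError("frame was not tagged by the provider edge")
    return tags[0][2]


def demo():
    """Two customers both use VLAN 100; the provider assigns SPVLAN 2001 and 2002."""
    dst = bytes.fromhex("010203040506")  # constructed MAC addresses
    src = bytes.fromhex("0a0b0c0d0e0f")
    cust_a = build_tagged_frame(dst, src, vid=100, pcp=5, payload=b"customer A")
    cust_b = build_tagged_frame(dst, src, vid=100, pcp=0, payload=b"customer B")
    in_core_a = push_spvlan(cust_a, 2001)
    in_core_b = push_spvlan(cust_b, 2002)
    return {
        "tags_a": parse_tags(in_core_a),
        "tags_b": parse_tags(in_core_b),
        "keys_differ": provider_forwarding_key(in_core_a) != provider_forwarding_key(in_core_b),
        "restored_a": pop_spvlan(in_core_a) == cust_a,
        "restored_b": pop_spvlan(in_core_b) == cust_b,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The isolation property the paragraph promises shows up in `keys_differ`: both customer frames carry an identical inner tag, yet the core distinguishes them because it never looks past the SPVLAN tag. The `pop_spvlan` check that the outer TPID is really the provider tag matters on the egress side, since stripping four bytes from a frame that was never tagged by the edge would corrupt the customer's own tag.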
TRAFFIC PRIORITIZATION
This switch prioritizes each packet based on the required level of service, using four priority queues with strict or Weighted Round Robin queuing. It uses IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application. These functions can be used to provide independent priorities for delay-sensitive data and best-effort data.
This switch also supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic can be prioritized based on the priority bits in the IP frame’s Type of Service (ToS) octet or the number of the TCP/UDP port. When these services are enabled, the priorities are mapped to a Class of Service value by the switch, and the traffic then sent to the corresponding output queue.
QUALITY OF SERVICE
Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis. Each packet is classified upon entry into the network based on access lists, DSCP values, or VLAN lists. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.
MULTICAST FILTERING
Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN. The switch uses IGMP Snooping and Query to manage multicast group registration for IPv4 traffic, and MLD Snooping for IPv6 traffic. It also supports Multicast VLAN Registration (MVR) which allows common multicast traffic, such as television channels, to be transmitted across a single network-wide multicast VLAN shared by hosts residing in other standard or private VLAN groups, while preserving security and data isolation for normal traffic.
SYSTEM DEFAULTS
The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file.
The following table lists some of the basic system defaults.
Table 2: System Defaults
Function | Parameter | Default
Authentication | User Name | “admin”
Authentication | Password | “admin”
Authentication | RADIUS Authentication | Disabled
Authentication | TACACS+ Authentication | Disabled
Authentication | 802.1X Port Authentication | Disabled
Authentication | HTTPS | Enabled
Authentication | SSH | Enabled
Authentication | Port Security | Disabled
Authentication | IP Filtering | Disabled
Web Management | HTTP Server | Enabled
Web Management | HTTP Port Number | 80
Web Management | HTTP Secure Server | Disabled
Web Management | HTTP Secure Server Redirect | Disabled
SNMP | SNMP Agent | Disabled
SNMP | Community Strings | “public” (read only); “private” (read/write)
SNMP | Traps | Global: disabled; Authentication traps: enabled; Link-up-down events: enabled
SNMP | SNMP V3 | View: default_view; Group: default_rw_group
Port Configuration | Admin Status | Enabled
Port Configuration | Auto-negotiation | Enabled
Port Configuration | Flow Control | Disabled
Rate Limiting | Input and output limits | Disabled
Port Trunking | Static Trunks | None
Port Trunking | LACP (all ports) | Disabled
Storm Protection | Status | Broadcast: Enabled (1 kpps); Multicast: disabled; Unknown unicast: disabled
Spanning Tree Algorithm | Status | Enabled, RSTP (Defaults: RSTP standard)
Spanning Tree Algorithm | Edge Ports | Enabled
Address Table | Aging Time | 300 seconds
Virtual LANs | Default VLAN | 1
Virtual LANs | PVID | 1
Virtual LANs | Acceptable Frame Type | All
Virtual LANs | Ingress Filtering | Disabled
Virtual LANs | Switchport Mode (Egress Mode) | Access
Traffic Prioritization | Ingress Port Priority | 0
Traffic Prioritization | Queue Mode | Strict
Traffic Prioritization | Weighted Round Robin | Queue: 0 1 2 3 4 5 6 7; Weight: Disabled in strict mode
Traffic Prioritization | Ethernet Type | Disabled
Traffic Prioritization | VLAN ID | Disabled
Traffic Prioritization | VLAN Priority Tag | Disabled
Traffic Prioritization | ToS Priority | Disabled
Traffic Prioritization | IP DSCP Priority | Disabled
Traffic Prioritization | TCP/UDP Port Priority | Disabled
LLDP | Status | Enabled
IP Settings | Management VLAN | VLAN 1
IP Settings | IP Address | 192.168.1.1
IP Settings | Subnet Mask | 255.255.255.0
IP Settings | Default Gateway | 0.0.0.0
IP Settings | DHCP | Client: Disabled; Snooping: Disabled
IP Settings | DNS | Proxy service: Disabled
Multicast Filtering | IGMP Snooping | Snooping: Disabled; Querier: Disabled
Multicast Filtering | MLD Snooping | Disabled
Multicast Filtering | Multicast VLAN Registration | Disabled
System Log | Status | Disabled
NTP | Clock Synchronization | Disabled
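Several rows of Table 2 are the settings an administrator is expected to change before the switch goes into production: the “admin”/“admin” credentials, the “public”/“private” community strings, plaintext HTTP without HTTPS redirect, and IP filtering, remote logging and NTP all disabled. The following is an added example, not code from the manual or from LevelOne, of a check that compares a snapshot of those settings with the table's defaults and reports what is still at factory state. The `key = value` snapshot format and every key name in it are constructed for this example and do not model the switch's own configuration file; the two snapshots are constructed as well, one reflecting Table 2 and one after hardening, with placeholder secrets.

```python
# Added example: audit security-relevant settings against the Table 2 factory
# defaults. The snapshot format and key names are constructed, not the switch's.

# Values as listed in Table 2: leaving any of these unchanged is a finding.
FACTORY_DEFAULTS = {
    "admin.username": "admin",
    "admin.password": "admin",
    "snmp.community.ro": "public",
    "snmp.community.rw": "private",
}

# Services Table 2 ships disabled that a managed switch should normally run.
EXPECTED_ENABLED = {
    "mgmt.ip_filtering": "management access is not restricted to trusted addresses",
    "syslog.remote": "no remote log: local evidence is lost on reboot or factory reset",
    "ntp": "no clock sync: log timestamps cannot be correlated with other devices",
}


def parse_snapshot(text):
    """Parse constructed 'key = value' lines; '#' starts a comment. Values keep their case."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def is_enabled(settings, key):
    return settings.get(key, "").lower() == "enabled"


def audit(settings):
    """Return a list of (key, reason) findings for settings still in factory state."""
    findings = []
    for key, default in FACTORY_DEFAULTS.items():
        if settings.get(key) == default:
            findings.append((key, f"still at factory default '{default}'"))
    if is_enabled(settings, "snmp.agent") and settings.get("snmp.version", "").lower() != "v3":
        findings.append(("snmp.version", "SNMP v1/v2c is authenticated by community string only"))
    http_on = is_enabled(settings, "http.server")
    https_on = is_enabled(settings, "https.server")
    if http_on and not https_on:
        findings.append(("https.server", "web management is plaintext HTTP only"))
    elif http_on and not is_enabled(settings, "https.redirect"):
        findings.append(("https.redirect", "HTTPS is available but HTTP is not redirected to it"))
    for key, reason in EXPECTED_ENABLED.items():
        if not is_enabled(settings, key):
            findings.append((key, reason))
    return findings


def audit_text(text):
    return audit(parse_snapshot(text))


# Constructed snapshot reflecting the Table 2 defaults.
FACTORY_SNAPSHOT = """
admin.username = admin
admin.password = admin
snmp.agent = disabled
snmp.version = v2c
snmp.community.ro = public
snmp.community.rw = private
http.server = enabled
https.server = disabled
https.redirect = disabled
mgmt.ip_filtering = disabled
syslog.remote = disabled
ntp = disabled
"""

# Constructed snapshot after hardening; secrets are placeholders, not real values.
HARDENED_SNAPSHOT = """
admin.username = netops
admin.password = <placeholder-strong-secret>
snmp.agent = enabled
snmp.version = v3
snmp.community.ro = <removed>
snmp.community.rw = <removed>
http.server = enabled
https.server = enabled
https.redirect = enabled
mgmt.ip_filtering = enabled   # limited to the management subnet
syslog.remote = enabled
ntp = enabled
"""

if __name__ == "__main__":
    for label, snap in (("factory", FACTORY_SNAPSHOT), ("hardened", HARDENED_SNAPSHOT)):
        results = audit_text(snap)
        print(f"{label}: {len(results)} finding(s)")
        for key, reason in results:
            print(f"  {key}: {reason}")
```

Run against the factory snapshot the audit reports eight findings; against the hardened one it reports none. The SNMP version check only fires when the agent is enabled, which matches Table 2 (the agent is off by default, so the community strings are a latent rather than an active exposure until someone turns it on without changing them).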