How it Works
Level One
Loading...
IGP-1271
operation manual
506 pgs7.72 Mb0
Quick Installation And Initial Configuration
23 pgs1.21 Mb0
quick start Guide
20 pgs1.05 Mb0
User Manual
5 pgs256.58 Kb0

Level One IGP-1271 operation manual

Download
IGP-1271 GUI User Guide
12-Port L3 Lite Managed Gigabit PoE Industrial Switch
Release A1
2017, Digital Data Communications GmbH, Germany. All rights reserved. All product names are trademarks or registered trademarks of Digital Data companies
i
About This Manual
Copyright
.
Purpose
Audience
CONVENTIONS
WARRANTY
Disclaimer
Copyright © 2017 Digital Data Communications GmbH. All rights reserved. The products and programs described in this User Guide are licensed products of Manufacture Technology, This User Guide contains proprietary information protected by copyright, and this User Guide and all accompanying hardware, software and documentation are copyrighted. No parts of this User Guide may be copied, photocopied, reproduced, translated or reduced to any electronic medium or machine-readable from by any means by electronic or mechanical. Including photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser’s personal use, and without the prior express written permission of Manufacture Technology.
This GUI user guide gives specific information on how to operate and use the management functions of the IGP-1271 via HTTP/HTTPs web browser
The Manual is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Hypertext Transfer Protocol (HTTP).
The following conventions are used throughout this manual to show information.
See the Customer Support/ Warranty booklet included with the product. A copy of the specific warranty terms applicable to your Manufacture products and replacement parts can be obtained from your Manufacture Sales and Service Office authorized dealer.
Manufacture Technology does not warrant that the hardware will work properly in all environments and applications, and marks no warranty and representation, either implied or expressed, with respect to the quality, performance, merchantability, or fitness for a particular purpose. Manufacture disclaims liability for any inaccuracies or omissions that may have occurred. Information in this User Guide is subject to change without notice and does not represent a commitment on the part of Manufacture. Manufacture assumes no responsibility for any inaccuracies that may be contained in this User Guide. Manufacture makes no commitment to update or keep current the information in this User Guide, and reserves the righter to make improvements to this User Guide and /or to the products described in this User Guide, at any time without notice.
ii
Table of Contents
ABOUT THIS MANUAL .......................................................................................................................... II
Revision History ........................................................................................................................................ viii
INTRODUCTION ........................................................................................................................................... 1
CHAPTER 1 OPERATION OF WEB-BASED MANAGEMENT .......................................................... 2
CHAPTER 2 SYSTEM CONFIGURATION ............................................................................. 6
2-1 SYSTEM ........................................................................................................................................................... 6
2-1.1 Information ........................................................................................................................................ 6
2-1.2 IP ......................................................................................................................................................... 7
2-1.3 NTP ................................................................................................................................................... 10
2-1.4 Time .................................................................................................................................................. 11
2-1.5 Log .................................................................................................................................................... 14
2-1.6 Digital I/O ........................................................................................................................................ 15
2-1.7 Alarm Notification ........................................................................................................................... 15
2-2 GREEN ETHERNET ........................................................................................................................................... 19
2-2.1 Port Power Savings .......................................................................................................................... 19
2-3 PORTS CONFIGURATION ................................................................................................................................... 21
2-3.1 Ports .................................................................................................................................................. 21
2-3.2 Ports Description ............................................................................................................................. 24
2-4 DHCP .......................................................................................................................................................... 25
2-4.1 Server ................................................................................................................................................ 25
2-4.2 Snooping .......................................................................................................................................... 30
2-4.3 Relay ................................................................................................................................................. 32
2-5 SECURITY ....................................................................................................................................................... 34
2-5.1 Switch ............................................................................................................................................... 34
2-5.2 Network ............................................................................................................................................ 68
2-5.3 AAA ................................................................................................................................................. 103
2-6 AGGREGATION .............................................................................................................................................. 110
2-6.1 Static ............................................................................................................................................... 110
2-6.2 LACP ............................................................................................................................................... 112
2-7 LINK OAM .................................................................................................................................................. 114
2-7.1 Port Settings ................................................................................................................................... 114
2-7.2 Event Settings ................................................................................................................................. 116
2-8 LOOP PROTECTION .................................................................................................................................... 118
2-9 SPANNING TREE ......................................................................................................................................... 120
2-9.1 Bridge Setting ................................................................................................................................. 120
2-9.2 MSTI Mapping ................................................................................................................................ 124
2-9.3 MSTI Priorities ................................................................................................................................ 127
2-9.4 CIST Ports ....................................................................................................................................... 128
2-9.5 MSTI Ports ...................................................................................................................................... 131
2-10 IPMC PROFILE ........................................................................................................................................ 133
2-10.1 Profile Table ................................................................................................................................. 133
2-10.2 Address Entry ............................................................................................................................... 135
2-11MVR ....................................................................................................................................................... 137
2-12 IPMC ..................................................................................................................................................... 141
2-12.1 IGMP Snooping ............................................................................................................................ 141
2-12.2 MLD Snooping ............................................................................................................................. 149
2-13 LLDP ...................................................................................................................................................... 157
2-13.1 LLDP.............................................................................................................................................. 157
2-13.2 LLDP-MED .................................................................................................................................... 162
2-14 POE ........................................................................................................................................................ 171
iv
2- 14.1 Configuration .............................................................................................................................. 172
2- 14.2 Power Delay ................................................................................................................................ 176
2- 14.3 Schedule Profile .......................................................................................................................... 178
2- 14.4 Auto Checking ............................................................................................................................ 179
2- 14.5 Chip Reset Schedule ................................................................................................................... 181
2-15 EPS ........................................................................................................................................................ 182
2-16 MEP....................................................................................................................................................... 185
2-17 ERPS ...................................................................................................................................................... 187
2-18 MAC TABLE ............................................................................................................................................ 189
2-19 VLAN TRANSLATION ............................................................................................................................... 193
2- 19.1 Port to Group Mapping .............................................................................................................. 193
2- 19.2 VID Translation Mapping........................................................................................................... 194
2-20 VLANS ................................................................................................................................................... 196
2-21 PRIVATE VLANS ...................................................................................................................................... 202
2-21.1 Membership ................................................................................................................................. 202
2-21.2 Port Isolation ................................................................................................................................ 204
2-22 VCL ........................................................................................................................................................ 206
2-22.1 MAC-based VLAN ........................................................................................................................ 206
2-22.2 Protocol -based VLAN ................................................................................................................. 209
2-22.3 IP Subnet-based VLAN ................................................................................................................ 214
2-23 VOICE VLAN......................................................................................................................................... 217
2-23.1 Configuration ............................................................................................................................... 217
2-23.2 OUI................................................................................................................................................ 220
2-24 ETHERNET SERVICES ................................................................................................................................. 222
2-24.1 Ports .............................................................................................................................................. 222
2-24.2 L2CP.............................................................................................................................................. 223
2-24.3 Bandwidth Profiles ...................................................................................................................... 225
2-24.4 EVCs .............................................................................................................................................. 227
2-24.5 ECEs .............................................................................................................................................. 230
2-25 QOS ....................................................................................................................................................... 234
2-25.1 Port Classification ....................................................................................................................... 235
2-25.2 Port Policing ................................................................................................................................. 238
2-25.3 Queue Policing ............................................................................................................................ 239
2-25.4 Port Scheduler.............................................................................................................................. 240
2-25.5 Port Shaping ................................................................................................................................ 244
2-25.6 Port Tag Remarking..................................................................................................................... 247
2-25.7 Port DSCP..................................................................................................................................... 250
2-25.8 DSCP-Based QoS ......................................................................................................................... 253
2-25.9 DSCP Translation ......................................................................................................................... 256
2-25.10 DSCP Classification ................................................................................................................... 259
2-25.11 QoS Control List......................................................................................................................... 261
2-25.12 Storm Control ............................................................................................................................ 267
2-26 MIRRORING ............................................................................................................................................ 269
2-27 UPNP ..................................................................................................................................................... 273
2-28 PTP ........................................................................................................................................................ 275
2-29. GVRP .................................................................................................................................................... 278
2-29.1 Global Config ............................................................................................................................... 279
2-29.2 Port Config ................................................................................................................................... 281
2-30. SFLOW ................................................................................................................................................... 282
2-31 UDLD .................................................................................................................................................... 285
2-32 RAPID RING ............................................................................................................................................ 287
2-33 SWITCH2GO ............................................................................................................................................ 288
2-33.1 Switch2go setting ........................................................................................................................ 288
2-33.2 iPush Options ............................................................................................................................... 290
v
2-34 SMTP .................................................................................................................................................... 292
CHAPTER 3. MONITOR ...................................................................................................... 294
3-1 SYSTEM ..................................................................................................................................................... 294
3-1.1 Information .................................................................................................................................... 294
3-1.2 IP Status .......................................................................................................................................... 297
3-1.3 Log .................................................................................................................................................. 300
3-1.4 Detailed Log ................................................................................................................................... 302
3-2 GREEN ETHERNET ...................................................................................................................................... 304
3-2.1 Port Power Savings ........................................................................................................................ 304
3-3 PORTS ....................................................................................................................................................... 305
3-3.1 Traffic Overview ............................................................................................................................. 305
3-3.2 Qos Statistics .................................................................................................................................. 308
3-3.3 QCL Status ...................................................................................................................................... 310
3-3.4 Detailed Statistics .......................................................................................................................... 313
3-3.5 SFP Information ............................................................................................................................. 317
3-3.6 SFP Detail Info ............................................................................................................................... 320
3-4 LINK OAM ................................................................................................................................................ 322
3-4.1 Statistics .......................................................................................................................................... 322
3-4.2 Port Status ...................................................................................................................................... 325
3-4.3 Event Status .................................................................................................................................... 327
3-5 DHCP ...................................................................................................................................................... 330
3-5.1 Server .............................................................................................................................................. 330
3-5.2 Snooping Table .............................................................................................................................. 336
3-5.3 Relay Statistics ............................................................................................................................... 338
3-5.4 Detailed Statistics .......................................................................................................................... 341
3-6 SECURITY .................................................................................................................................................. 344
3-6.1 Access Management Statistics ...................................................................................................... 344
3-6.2 Network .......................................................................................................................................... 345
3-6.3 AAA ................................................................................................................................................. 364
3-6.4 Switch ............................................................................................................................................. 374
3-7 AGGREGATION ........................................................................................................................................... 386
3-7.1 Status .............................................................................................................................................. 386
3-7.2 LACP ............................................................................................................................................... 387
3-8 LOOP PROTECTION .................................................................................................................................... 392
3-9 SPANNING TREE ......................................................................................................................................... 394
3-9.1 Bridge Status .................................................................................................................................. 394
3-9.2 Port Status ...................................................................................................................................... 396
3-9.3 Port Statistics ................................................................................................................................. 398
3-10 MVR ...................................................................................................................................................... 400
3-10.1 Statistics ....................................................................................................................................... 400
3-10.2 MVR Channels Groups ................................................................................................................ 402
3-10.3 MVR SFM Information ................................................................................................................. 404
3-11 IPMC ..................................................................................................................................................... 407
3-11.1 IGMP Snooping ............................................................................................................................ 407
3-11.2 MLD Snooping ............................................................................................................................. 415
3-12 LLDP ...................................................................................................................................................... 423
3-12.1 Neighbour .................................................................................................................................... 423
3-12.2 LLDP-MED Neighbour ................................................................................................................. 426
3-12.3 PoE ................................................................................................................................................ 431
3-12.4 EEE ................................................................................................................................................ 434
3-12.5 Port Statistics ............................................................................................................................... 437
3-13 ETHERNET SERVICES ................................................................................................................................. 439
3-13.1 EVC Statistics ............................................................................................................................... 439
vi
3-14 PTP ........................................................................................................................................................ 441
3-15 POE ........................................................................................................................................................ 443
3-16 MAC TABLE ............................................................................................................................................ 446
3-17 VLANS ................................................................................................................................................... 449
3-17.1 Membership ................................................................................................................................. 449
3-17.2 Port ............................................................................................................................................... 452
3-18 VCL ........................................................................................................................................................ 455
3-18.1 MAC-based VLAN ........................................................................................................................ 455
3-18.2 Protocol-based VLAN .................................................................................................................. 457
3-18.3 IP Subnet-based VLAN ................................................................................................................ 462
3-19 SFLOW .................................................................................................................................................... 464
3-20 UDLD .................................................................................................................................................... 467
CHAPTER 4. DIAGNOSTICS ............................................................................................... 469
4-1 PING ......................................................................................................................................................... 469
4-2 PING6 ....................................................................................................................................................... 472
4-3 VERIPHY .................................................................................................................................................. 474
4-4 TRACEROUTE ............................................................................................................................................. 476
4-5 LINK OAM .................................................................................................................................................. 478
4-5.1 MIB Retrieval .................................................................................................................................. 478
CHAPTER 5. MAINTENANCE ............................................................................. 482
5-1 RESTART DEVICE ........................................................................................................................................ 482
5-2 REBOOT SCHEDULE .................................................................................................................................... 483
5-3 FACTORY DEFAULTS .................................................................................................................................... 485
5-4 FIRMWARE................................................................................................................................................. 486
5-4.1 Firmware upgrade ......................................................................................................................... 486
5-4.2 Firmware Selection ........................................................................................................................ 488
5-5 CONFIGURATION........................................................................................................................................ 490
5-5.1 Save startup-config ....................................................................................................................... 490
5-5.2 Download ....................................................................................................................................... 492
5-5.3 Upload ............................................................................................................................................ 494
5-5.4 Activate ........................................................................................................................................... 496
5-5.5 Delete.............................................................................................................................................. 498
5-6 SERVER REPORT ......................................................................................................................................... 499
vii
Revision History
Release
Date
Revision
Initial Release
01/06/2017
A1
viii
1
INTRODUCTION
Overview
In this User Guide, it will not only tell you how to install and connect your network system but configure and monitor the IGP-1271 through the web by (RJ-45) serial interface and Ethernet ports step-by-step. Many explanations in detail of hardware and software functions are shown as well as the examples of the operation for web-based interface.
The IGP-1271, the next generation Web managed switches from Manufacture, is a portfolio of affordable managed switches that provides a reliable infrastructure for your business network. These switches deliver more intelligent features you need to improve the availability of your critical busin ess applications, protect your sensitive information, and optimize your network bandwidth to deliver information and applications more effectively. It provides the ideal combination of affordability and capabilities for entry level networking includes small business or enterprise application and helps you create a more efficient, better-connected workforce.
IGP-1271 Industrial L3 Lite Managed Gigabit PoE Switch provide 12 ports in a single device; the specification is highlighted as follows.
L3 Lite features provide better manageability, security, QoS, and performance.
Support IPv4/IPv6 dual stack management
Support SSH/SSL secured management
Support SNMP v1/v2c/v3
Support RMON groups 1,2,3,9
Support sFlow
Support IGMP v1/v2/v3 Snooping
Support MLD v1/v2 Snooping
Support RADIUS and TACACS+ authentication
Support IP Source Guard
Support DHCP Relay (Option 82)
Support DHCP Snooping
Support ACL and QCL for traffic filtering
Support 802.1d(STP), 802.1w(RSTP) and 802.1s(MSTP)
Support LACP and static link aggregation
Support Q-in-Q double tag VLAN
Support GVRP dynamic VLAN
Overview of this User Guide
Chapter 1 “Operation of Web-based Management”
Chapter 2 “System Configuration”
Chapter 3 “Configuration”
Chapter 4 “Security”
Chapter 5 “Maintenance”
Revision A1
2
IP Address
192.168.1.1
Subnet Mask
255.255.255.0
Default Gateway
192.168.1.254
Username
admin
Password
admin
NOTE:
When you login the Switch WEB page to manage. You must first type the Username of the admin. Password was admin., so when you type after the end Username, please press enter. Management page to enter WEB.
When you login IGP-1271 series switch Web UI management, you can use both ipv4 ipv6 login to manage
To optimize the display effect, we recommend you use Microsoft IE 6.0 above, Netscape V7.1 above or Firefox V1.00 above and have the resolution 1024x768. The switch supported neutral web browser interface
Chapter 1 Operation of Web-based Management
Initial Configuration
This chapter instructs you how to configure and manage the IGP-1271 through the web user interface. With this facility, you can easily access and monitor through any one port of the switch all the status of the switch, including MIBs status, each port activity, Spanning tree status, port aggregation status, multicast traffic, VLAN and priority status, even illegal access record and so on.
The default values of the IGP-1271 are listed in the table below:
After the IGP-1271 has been finished configuration it interface, you can browse it. For instance, type http://192.168.1.1 in the address row in a browser, it will show the following screen and ask you inputting username and password in order to login and access authentication.
The default username is “admin” and password is admin. For the first time to use, please enter the default username and password, and then click the <Login> button. The login process now is completed. In this login menu, you have to input the complete username and password respectively, the IGP-1271 will not give you a
shortcut to username automatically. This looks inconvenient, but safer.
In the IGP-1271, allowed two or more users using administrator’s identity to manage this switch, which administrator to do the last setting, it will be an available configuration to effect the system.
Revision A1
5
NOTE:
AS IGP-1271 the function enable dhcp, so If you do not have DHCP server to provide ip addresses to the switch, the Switch default ip 192.168.1.1
Figure 1 The login page
Revision A1
Chapter 2 System Configuration
This chapter describes the entire basic configuration tasks which includes the System Information and any manage of the Switch (e.g. Time, Account, IP, Syslog and NTP.)
2-1 System
You can identify the system by configuring the contact information, name, and location of the switch.
2-1.1 Information
The switch system’s contact information is provided here.
Web interface
To configure System Information in the web interface:
1. Click Configuration, System, and Information.
2. Write System Contact, System Name, System Location information in this page.
3. Click Apply
Figure 2-1.1: System Information
Parameter description: System Contact:
The textual identification of the contact person for this managed node, together with information on how to contact this person. The allowed string length is 0 to 128, and the allowed content is the ASCII characters from 32 to 126.
System name:
An administratively assigned name for this managed node. By convention, this is the node's fully-qualified domain name. A domain name is a text string drawn from the alphabet (A-Za-z), digits (0-9), minus sign (-). No space characters are permitted as part of a name. The first character must be an alpha character. And the first or last character must not be a minus sign. The allowed string length is 0 to 255.
System Location:
The physical location of this node(e.g., telephone closet, 3rd floor). The allowed string length is 0 to 128, and the allowed content is the ASCII characters from 32 to 126.
6
6
Buttons:
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved values.
Revision A1
2-1.2 IP
The IPv4 address for the switch could be obtained via DHCP Server for VLAN 1. To manually configure an address, you need to change the switch's default settings to values that are compatible with your network. You may also need to establish a default gateway between the switch and management stations that exist on another network segment.
Configure the switch-managed IP information on this page
Configure IP basic settings, control IP interfaces and IP routes.
The maximum number of interfaces supported is 8 and the maximum number of routes is 32.
Web Interface
To configure an IP address in the web interface:
1. Click Configuration, System, IP.
2. Click Add Interface then you can create new Interface on the switch.
3. Click Add Route then you can create new Route on the switch
4. Click Apply
Figure2-1.2: The IP configuration
7
Parameter description:
IP Configuration Mode:
Configure whether the IP stack should act as a Host or a Router. In Host mode, IP traffic between interfaces will not be routed. In Router mode traffic is routed between all interfaces.
DNS Server
This setting controls the DNS name resolution done by the switch.
There are four servers available for configuration, and the index of the server presents the preference (less index has higher priority) in doing DNS name resolution.
System selects the active DNS server from configuration in turn, if the preferred server does not respond in five attempts.
The following modes are supported:
From any DHCP interfaces
The first DNS server offered from a DHCPv4 lease to a DHCPv4-enabled interface will be used..
No DNS server
No DNS server will be used.
Configured IPv4
Explicitly provide the valid IPv4 unicast address of the DNS Server in dotted decimal
notation.
Make sure the configured DNS server could be reachable (e.g. via PING) for activating DNS service.
From this DHCPv4 interface
Specify from which DHCPv4-enabled interface a provided DNS server should be preferred.
Configured IPv6
Explicitly provide the valid IPv6 unicast (except linklocal) address of the DNS Server. Make sure the configured DNS server could be reachable (e.g. via PING6) for activating DNS service.
From this DHCPv6 interface
Specify from which DHCPv6-enabled interface a provided DNS server should be preferred.
From any DHCPv6 interfaces
The first DNS server offered from a DHCPv6 lease to a DHCPv6-enabled interface will be used.
DNS Proxy
When DNS proxy is enabled, system will relay DNS requests to the currently configured DNS server, and reply as a DNS resolver to the client devices on the network.
Only IPv4 DNS proxy is now supported.
IP Interfaces
Delete
Select this option to delete an existing IP interface.
VLAN
The VLAN associated with the IP interface. Only ports in this VLAN will be able to access the IP
8
interface. This field is only available for input when creating a new interface.
IPv4 DHCP Enabled
Enable the DHCPv4 client by checking this box. If this option is enabled, the system will configure the IPv4 address and mask of the interface using the DHCPv4 protocol. The DHCPv4 client will announce the configured System Name as hostname to provide DNS lookup.
IPv4 DHCP Fallback Timeout
The number of seconds for trying to obtain a DHCP lease. After this period expires, a configured IPv4 address will be used as IPv4 interface address. A value of zero disables the fallback mechanism, such that DHCP will keep retrying until a valid lease is obtained. Legal values are 0 to 4294967295 seconds.
IPv4 DHCP Current Lease
For DHCP interfaces with an active lease, this column show the current interface address, as provided by the DHCP server.
IPv4 Address
The IPv4 address of the interface in dotted decimal notation. If DHCP is enabled, this field configures the fallback address. The field may be left blank if IPv4 operation on the interface is not desired - or no DHCP fallback address is desired.
IPv4 Mask
The IPv4 network mask, in number of bits (prefix length). Valid values are between 0 and 30 bits for a IPv4 address. If DHCP is enabled, this field configures the fallback address network mask. The field may be left blank if IPv4 operation on the interface is not desired - or no DHCP fallback address is desired.
DHCPv6 Enable
Enable the DHCPv6 client by checking this box. If this option is enabled, the system will configure the IPv6 address of the interface using the DHCPv6 protocol.
DHCPv6 Rapid Commit
Enable the DHCPv6 Rapid-Commit option by checking this box. If this option is enabled, the DHCPv6 client terminates the waiting process as soon as a Reply message with a Rapid Commit option is received. This option is only manageable when DHCPv6 client is enabled.
DHCPv6 Current Lease
For DHCPv6 interface with an active lease, this column shows the interface address provided by the DHCPv6 server.
IPv6 Address
The IPv6 address of the interface. A IPv6 address is in 128-bit records represented as eight fields of up to four hexadecimal digits with a colon separating each field (:). For example,fe80::215:c5ff:fe03:4dc7. The symbol :: is a special syntax that can be used as a shorthand way of representing multiple 16-bit groups of contiguous zeros; but it can appear only once. System accepts the valid IPv6 unicast address only, except IPv4-Compatible address and IPv4-Mapped address. The field may be left blank if IPv6 operation on the interface is not desired.
IPv6 Mask
The IPv6 network mask, in number of bits (prefix length). Valid values are between 1 and 128 bits for a IPv6 address. The field may be left blank if IPv6 operation on the interface is not desired.
Resolving IPv6 DAD
The link-local address is formed from an interface identifier based on the hardware address which
9
is supposed to be uniquely assigned. Once the DAD (Duplicate Address Detection) detects the address duplication, the operation on the interface SHOULD be disabled. At this moment, manual intervention is required to resolve the address duplication. For example, check whether the loop occurs in the VLAN or there is indeed other device occupying the same hardware address as the device in the VLAN. After making sure the specific link-local address is unique on the IPv6 link in use, delete and then add the specific IPv6 interface to restart the IPv6 operations on this interface.
IP Routes Delete
Select this option to delete an existing IP route.
Network
The destination IP network or host address of this route. Valid format is dotted decimal notationor a valid IPv6 notation. A default route can use the value 0.0.0.0or IPv6 :: notation.
Mask Length
The destination IP network or host mask, in number of bits (prefix length). It defines how much of a network address that must match, in order to qualify for this route. Valid values are between 0 and 32 bits respectively 128 for IPv6 routes. Only a default route will have a mask length of 0 (as it will match anything).
Gateway
The IP address of the IP gateway. Valid format is dotted decimal notationor a valid IPv6 notation. Gateway and Network must be of the same type.
Next Hop VLAN (Only for IPv6)
The VLAN ID (VID) of the specific IPv6 interface associated with the gateway.
The given VID ranges from 1 to 4095 and will be effective only when the corresponding IPv6 interface is valid.
If the IPv6 gateway address is link-local, it must specify the next hop VLAN for the gateway.
If the IPv6 gateway address is not link-local, system ignores the next hop VLAN for the
gateway.
Buttons Add Interface:
Click to add a new IP interface. A maximum of 8 interfaces is supported.
Add Route:
Click to add a new IP route. A maximum of 32 routes is supported.
Apply:
Click to save changes.
Reset:
2-1.3 NTP
NTP is Network Time Protocol and is used to sync the network time based Greenwich Mean Time (GMT). If use the NTP mode and select a built-in NTP time server or manually specify an user-defined NTP server as well as Time Zone, the switch will sync the time in a short after pressing <Apply> button. Though it synchronizes the time automatically, NTP does not update the time periodically without user’s processing.
Click to undo any changes made locally and revert to previously saved values.
10
Time Zone is an offset time off GMT. You have to select the time zone first and then perform time sync via NTP because the switch will combine this time zone offset and updated NTP time to come out the local time, otherwise, you will not able to get the correct time. The switch supports configurable time zone from –12 to +13 step 1 hour.
Default Time zone: +8 Hrs.
Web Interface
To configure NTP in the web interface:
1. Click Configuration, System, NTP.
2. Specify the Time parameter in manual parameters.
3. Click Apply.
Figure 2-1.3: The NTP configuration
Parameter description: Mode :
Indicates the NTP mode operation. Possible modes are:
Enabled: Enable NTP client mode operation.
Disabled: Disable NTP client mode operation.
Server 1 to 5 :
Provide the IPv4 or IPv6 address of a NTP server. IPv6 address is in 128-bit records represented as eight fields of up to four hexadecimal digits with a colon separating each field (:). For example, 'fe80::215:c5ff:fe03:4dc7'. The symbol '::' is a special syntax that can be used as a shorthand way of representing multiple 16-bit groups of contiguous zeros; but it can appear only once. It can also represent a legally valid IPv4 address. For example, '::192.1.2.34'. In addition, it can also accept a domain name address.
Buttons
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved values.
11
11
2-1.4 Time
The switch provides manual and automatic ways to set the system time via NTP. Manual setting is simple and you just input “Year”, “Month”, “Day”, “Hour” and “Minute” within the valid value range indicated in each item.
Web Interface
To configure Time in the web interface:
1. Click Configuration, System and Time
2. Specify the Time parameter.
3. Click Apply.
Figure 2-1.4: The time configuration
Revision A1
Parameter description:
Time Configuration
Clock Source:
There are two modes for configuring how the Clock Source from. Select "Use Local Settings" : Clock Source from Local Time. Select "Use NTP Server" : Clock Source from NTP Server.
System Date:
Show the current time of the system. The year of system date limits between 2011 and 2037.
Time Zone Configuration
Time Zone:
Lists various Time Zones worldwide. Select appropriate Time Zone from the drop down and click Apply to set.
Acronym:
User can set the acronym of the time zone. This is a User configurable acronym to identify the time zone. (Range: Up to 16 characters)
Daylight Saving Time Configuration
Daylight Saving Time:
This is used to set the clock forward or backward according to the configurations set below for a defined Daylight Saving Time duration. Select 'Disable' to disable the Daylight Saving Time configuration. Select 'Recurring' and configure the Daylight Saving Time duration to repeat the configuration every year. Select 'Non-Recurring' and configure the Daylight
12
Saving Time duration for single time configuration. (Default: Disabled).
NOTE: The under “Start Time Settings” and “End Time Settings” was
displayed what you set on the “Start Time Settings” and “End Time Settings” field information.
Recurring Configuration
Start time settings:
Week - Select the starting week number.
Day - Select the starting day.
Month - Select the starting month.
Hours - Select the starting hour.
Minutes - Select the starting minute.
End time settings:
Week - Select the ending week number.
Day - Select the ending day.
Month - Select the ending month.
Hours - Select the ending hour.
Minutes - Select the ending minute.
Offset settings:
Offset - Enter the number of minutes to add during Daylight Saving Time. (Range: 1 to 1440)
Buttons
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved values.
13
2-1.5 Log
The log is a standard for logging program messages . It allows separation of the software that generates messages from the system that stores them and the software that reports and analyzes them. It can be used as well a generalized informational, analysis and debugging messages. It is supported by a wide variety of devices and receivers across multiple platforms.
Web Interface
To configure log configuration in the web interface:
1. Click Configuration, System and log.
2. Specify the syslog parameters include IP Address of Syslog server and Port number.
3. Evoke the Syslog to enable it.
4. Click Apply.
Figure2-1.5: The System Log configuration
Parameter description: Server Mode :
Indicate the server mode operation. When the mode operation is enabled, the syslog message will send out to syslog server. The syslog protocol is based on UDP communication and received on UDP port 514 and the syslog server will not send acknowledgments back sender since UDP is a connectionless protocol and it does not provide acknowledgments. The syslog packet will always send out even if the syslog server does not exist. Possible modes are:
Enabled: Enable server mode operation.
Disabled: Disable server mode operation.
Server Address :
Indicates the IPv4 hosts address of syslog server. If the switch provide DNS feature, it also can be a host name.
Buttons
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved values.
14
2-1.6 Digital I/O
Configure the normal modes of digital input/output (DI/DO).
Web Interface
To configure Digital I/O configuration in the web interface:
1. Click Configuration, System and Digital I/O.
2. Specify the Digital I/O Normal Mode..
3. Click Apply.
Figure2-1.6: The Digital I/O Configuration
Parameter description: DI Normal Mode
Set the normal mode of the digital input(DI). You can set it to High or Low.
DO Normal Mode
Set the normal mode of the digital output(DO). You can set it to Open or Close.
Buttons
Apply – Click to save changes.
2-1.7 Alarm Notification
2-1.7.1 Trap Event Severity
This page displays current trap event severity configurations. Trap event severity can also be configured here.
Web Interface
To configure Trap Event Severity in the web interface:
1. Click Configuration, System, Alarm Notification and Trap Event Severity.
2. Specify the Group Name, Severity Level, Syslog, Trap, SMIP, Switch2go and Digital out.
3. Click Apply.
Figure 2-1.7.1: The Trap Event Severity
15
Parameter description: Group Name
The name identifying the severity group.
Severity Level
Every group has an severity level. The following level types are supported: <0> Emergency: System is unusable. <1> Alert: Action must be taken immediately. <2> Critical: Critical conditions. <3> Error: Error conditions. <4> Warning: Warning conditions. <5> Notice: Normal but significant conditions. <6> Information: Information messages. <7> Debug: Debug-level messages.
Syslog
Enable - Select this Group Name in Syslog.
Trap
Enable - Select this Group Name in Trap.
SMTP
Enable - Select this Group Name in SMTP.
Switch2go
Enable - Select this Group Name in Push Notification.
Digital out
Enable - Select this Group Name in Digital Out.
Buttons
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved values.
2-1.7.2 Port Event Setting
This page is for configuring the port events.
Web Interface
16
To configure Trap Event Severity in the web interface:
1. Click Configuration, System, Alarm Notification and Port Event Setting.
2. Specify the Traffic and Action.
3. Click Apply.
Figure 2-7.1.2: The Port Event Setting
Parameter description: Active
To active the event handler of this port.
Port
This is the logical port number for this row.
Link On
Event is triggered when link on.
Link Off
Event is triggered when link off.
Traffic Overload
Event is triggered when the traffic is overload.
Traffic Rx-Threshold
Event is triggered when Rx reach this threshold.
Traffic Duration
Event is triggered when the traffic duration reach this value.
Action Syslog
Enable this port for Syslog.
Action Trap
Enable this port for Trap.
Action SMTP
Enable this port for SMTP.
Action Switch2go
Enable this port for Switch2go iPush.
Action Digital Out
17
Enable this port for Digital Out.
Severity
Every port has a severity level. The following level types are supported: <0> Emergency: System is unusable. <1> Alert: Action must be taken immediately. <2> Critical: Critical conditions. <3> Error: Error conditions. <4> Warning: Warning conditions. <5> Notice: Normal but significant conditions. <6> Information: Information messages. <7> Debug: Debug-level messages.
Buttons
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved values.
18
2-2 Green Ethernet
2-2.1 Port Power Savings
This page allows the user to configure the port power savings features.
EEE is a power saving option that reduces the power usage when there is low or no traffic utilization.
EEE works by powering down circuits when there is no traffic. When a port gets data to be transmitted all circuits are powered up. The time it takes to power up the circuits is named wakeup time. The default wakeup time is 17 us for 1Gbit links and 30 us for other link speeds. EEE devices must agree upon the value of the wakeup time in order to make sure that both the receiving and transmitting device has all circuits powered up when traffic is transmitted. The devices can exchange wakeup time information using the LLDP protocol.
EEE works for ports in auto-negotiation mode, where the port is negotiated to either 1G or 100 Mbit full duplex mode.
For ports that are not EEE-capable the corresponding EEE checkboxes are grayed out and thus impossible to enable EEE for.
When a port is powered down for saving power, outgoing traffic is stored in a buffer until the port is powered up again. Because there are some overhead in turning the port down and up, more power can be saved if the traffic can be buffered up until a large burst of traffic can be transmitted. Buffering traffic will give some latency in the traffic.
Web Interface
To configure a Port Power Saving Configuration in the web interface:
1. Click Configuration, Green Ethernet and Port Power Savings
2. Evoke to enable or disable the ActiPHY, PerfectReach, EEE and EEE Urgent Queues.
3. Click Apply.
Figure 2-2.1: The Port Power Saving Configuration
Parameter description:
19
Optimize EEE for
The switch can be set to optimize EEE for either best power saving or least traffic latency.
Port:
The switch port number of the logical port.
ActiPHY :
Link down power savings enabled.
ActiPHY works by lowering the power for a port when there is no link. The port is power up for short moment in order to determine if cable is inserted.
PerfectReach :
Cable length power savings enabled.
PerfectReach works by determining the cable length and lowering the power for ports with short cables.
EEE :
Controls whether EEE is enabled for this switch port.
For maximizing power savings, the circuit isn't started at once transmit data is ready for a port, but is instead queued until a burst of data is ready to be transmitted. This will give some traffic latency.
If desired it is possible to minimize the latency for specific frames, by mapping the frames to a specific queue (done with QOS), and then mark the queue as an urgent queue. When an urgent queue gets data to be transmitted, the circuits will be powered up at once and the latency will be reduced to the wakeup time.
EEE Urgent Queues
Queues set will activate transmission of frames as soon as data is available. Otherwise the Squeue will postpone transmission until a burst of frames can be transmitted.
Buttons
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved values.
20
2-3 Ports Configuration
2-3.1 Ports
This page displays current port configurations. Ports can also be configured here.
Web Interface
To configure a Current Port Configuration in the web interface:
1. Click Configuration, Ports Configuration, and Ports
2. Specify the Speed Configured, Flow Control, Maximum Frame size, Excessive
Collision mode and Power Control.
3. Click Apply.
Figure 2-3.1: The Port Configuration
Parameter description:
21
Port :
This is the logical port number for this row.
Link :
The current link state is displayed graphically. Green indicates the link is up and red
that it is down.
Current Link Speed :
Provides the current link speed of the port.
Configured Link Speed :
Selects any available link speed for the given switch port. Only speeds supported by
the specific port is shown. Possible speeds are:
Disabled - Disables the switch port operation.
Auto - Port auto negotiating speed with the link partner and selects the highest
speed that is compatible with the link partner.
10Mbps HDX - Forces the cu port in 10Mbps half-duplex mode.
10Mbps FDX - Forces the cu port in 10Mbps full duplex mode.
100Mbps HDX - Forces the cu port in 100Mbps half-duplex mode.
100Mbps FDX - Forces the cu port in 100Mbps full duplex mode.
1Gbps FDX - Forces the port in 1Gbps full duplex
2.5Gbps FDX - Forces the Serdes port in 2.5Gbps full duplex mode.
SFP_Auto_AMS - Automatically determines the speed of the SFP. Note: There is no
standardized way to do SFP auto detect, so here it is done by reading the SFP rom.
Due to the missing standardized way of doing SFP auto detect some SFPs might not
be detectable. The port is set in AMS mode. Cu port is set in Auto mode.
100-FX - SFP port in 100-FX speed. Cu port disabled.
1000-X - SFP port in 1000-X speed. Cu port disabled.
Ports in AMS mode with 1000-X speed has Cu port preferred.
Ports in AMS mode with 1000-X speed has fiber port preferred.
Ports in AMS mode with 100-FX speed has fiber port preferred.
22
Advertise Duplex
When duplex is set as auto i.e auto negotiation, the port will only advertise the
specified duplex as either Fdx or Hdx to the link partner. By default port will
advertise all the supported duplexes if the Duplex is Auto.
Advertise Speed
When Speed is set as auto i.e auto negotiation, the port will only advertise the
specified speeds (10M100M 1G) to the link partner. By default port will advertise all
the supported speeds if speed is set as Auto.
Flow Control :
When Auto Speed is selected on a port, this section indicates the flow control capability
that is advertised to the link partner.
When a fixed-speed setting is selected, that is what is used. The Current Rx column
indicates whether pause frames on the port are obeyed, and the Current Tx column
indicates whether pause frames on the port are transmitted. The Rx and Tx settings are
determined by the result of the last Auto Negotiation.
Check the configured column to use flow control. This setting is related to the setting for
Configured Link Speed.
NOTICE: The 100FX standard doesn't support Auto Negotiation, so when in 100FX mode
the flow control capabilities will always be shown as "disabled".Maximum Frame Size :
Enter the maximum frame size allowed for the switch port, including FCS.
PFC
When PFC (802.1Qbb Priority Flow Control) is enabled on a port then flow control
on a priority level is enabled. Through the Priority field, range (one or more) of
priorities can be configured, e.g. '0-3,7' which equals '0,1,2,3,7'. PFC is not
supported through auto negotiation. PFC and Flowcontrol cannot both be enabled
on the same port.
Maximum Frame Size
Enter the maximum frame size allowed for the switch port, including FCS. The
rangeis 1518-9600 bytes.
Excessive Collision Mode :
Configure port transmit collision behavior.
23
Discard: Discard frame after 16 collisions (default).
Restart: Restart backoff algorithm after 16 collisions.
Frame Length Check
Configures if frames with incorrect frame length in the EtherType/Length field shall
be dropped. An Ethernet frame contains a field EtherType which can be used to
indicate the frame payload size (in bytes) for values of 1535 and below. If the
EtherType/Length field is above 1535, it indicates that the field is used as an
EtherType (indicating which protocol is encapsulated in the payload of the frame). If
"frame length check" is enabled, frames with payload size less than 1536 bytes are
dropped, if the EtherType/Length field doesn't match the actually payload length. If
"frame length check" is disabled, frames are not dropped due to frame length
mismatch. Note: No drop counters count frames dropped due to frame length
mismatch
Buttons
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved
values.
Upper left icon (Refresh)
You can click them for refresh the Port link Status by manual
2-3.2 Ports Description
This page displays current port description.
Web Interface
To configure a Port Description in the web interface:
1. Click Configuration, Port, then Port Description
2. Specify the detail Port alias or description an alphanumeric string describing the
full name and version identification for the system’s hardware type, software
version, and networking application.
3. Click Apply.
Figure 2-3.2: The Port Configuration
24
Parameter description:
Port :
This is the logical port number for this row.
Description :
Enter up to 47 characters to be descriptive name for identifies this port.
Buttons
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved
values.
2-4 DHCP
The section describes to configure the DHCP Snooping parameters of the switch. The
DHCP Snooping can prevent attackers from adding their own DHCP servers to the
network.
2-4.1 Server
2-4.1.1 Mode
This page configures global mode and VLAN mode to enable/disable DHCP server per system and per VLAN.
25
Web Interface
To configure DHCP server mode in the web interface:
4. Click Configuration, DHCP, Server, Mode
5. Select “Enabled” in the Global Mode of DHCP Server Mode Configuration.
6. Add Vlan range.
7. Click Apply.
Figure 2-4.1.1: The DHCP server Mode
Parameter description:
Mode :
26
Configure the operation mode per system. Possible modes are:
Enable: Enable DHCP server per system.
Disable: Disable DHCP server pre system.
VLAN Range :
Indicate the VLAN range in which DHCP server is enabled or disabled. The first VLAN ID must
be smaller than or equal to the second VLAN ID. BUT, if the VLAN range contains only 1
VLAN ID, then you can just input it into either one of the first and second VLAN ID or both.
On the other hand, if you want to disable existed VLAN range, then you can follow the steps.
1. press “ADD VLAN Range” to add a new VLAN range.
2. Input the VLAN range that you want to disable.
3. Choose Mode to be disabled.
4. Press “Apply” to apply the change.
Then, you will see the disabled VLAN range is removed from the DHCP Server mode
configuration page.
Mode :
Indicate the operation mode per VLAN. Possible modes are:
Enable: Enable DHCP server per VLAN.
Disable: Disable DHCP server pre VLAN.
Buttons
Add VLAN Range - Click to add a new VLAN range.
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved
2-4.1.2 Excluded IP
This page configures excluded IP addresses. DHCP server will not
values.
allocate these excluded IP addresses to DHCP client.
Web Interface
27
To configure DHCP server excluded IP in the web interface:
1. Click Configuration, DHCP, Server, Excluded IP
2. Click Add IP Range then you can create new IP Range on the switch.
3. Click Apply.
Figure 2-4.1.2: The DHCP server excluded IP
Parameter description:
IP Range :
Define the IP range to be excluded IP addresses. The first excluded IP must be smaller than or
equal to the second excluded IP. BUT, if the IP range contains only 1 excluded IP, then you can
just input it to either one of the first and second excluded IP or both.
Buttons
Add IP Range - Click to add a new excluded IP range.
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved
values.
28
2-4.1.3 Pool
This page manages DHCP pools. According to the DHCP pool, DHCP server will allocate IP address and deliver configuration parameters to DHCP client.
Web Interface
To configure DHCP server pool in the web interface:
1. Click Configuration, DHCP, Server, Pool
2. Click Add New Pool then you can create new Pool on the switch.
3. Click Apply.
Figure 2-4.1.3: The DHCP server pool
Parameter description:
Pool Setting
Add or delete pools.
29
Adding a pool and giving a name is to create a new pool with "default"
configuration. If you want to configure all settings including type, IP subnet mask
and lease time, you can click the pool name to go into the configuration page.
Name :
Configure the pool name that accepts all printable characters, except white space. If you want
to configure the detail settings, you can click the pool name to go into the configuration
page.
Type :
Display which type of the pool is.
Network: the pool defines a pool of IP addresses to service more than one DHCP client.
Host: the pool services for a specific DHCP client identified by client identifier or hardware
address.
If "-" is displayed, it means not defined.
IP :
Display network number of the DHCP address pool.
If "-" is displayed, it means not defined.
Subnet Mask :
Display subnet mask of the DHCP address pool.
If "-" is displayed, it means not defined.
Lease Time :
Display lease time of the pool.
Buttons
Add New Pool - Click to add a new DHCP pool.
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved
2-4.2 Snooping
values.
30
DHCP Snooping is used to block intruder on the untrusted ports of the switch device when it tries to intervene by injecting a bogus DHCP reply packet to a legitimate conversation between the DHCP client and server.
The section describes to configure the DHCP Snooping parameters of the switch. The DHCP Snooping can prevent attackers from adding their own DHCP servers to the network.
Web Interface
To configure DHCP snooping in the web interface:
1. Click Configuration, DHCP, Snooping
2. Select “Enabled” in the Mode of DHCP Snooping Configuration.
3. Select “Trusted” of the specific port in the Mode of Port Mode Configuration.
4. Click Apply.
Figure 2-4.2: The DHCP Snooping Configuration
Parameter description:
Snooping Mode :
Indicates the DHCP snooping mode operation. Possible modes are:
Enabled: Enable DHCP snooping mode operation. When DHCP snooping mode
operation is enabled, the DHCP request messages will be forwarded to trusted
ports and only allow reply packets from trusted ports.
31
Disabled: Disable DHCP snooping mode operation.
Port Mode Configuration
Indicates the DHCP snooping port mode. Possible port modes are:
Trusted: Configures the port as trusted source of the DHCP messages.
Untrusted: Configures the port as untrusted source of the DHCP messages.
Buttons
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved
values.
2-4.3 Relay
A DHCP relay agent is used to forward and to transfer DHCP messages between the clients and the server when they are not in the same subnet domain. It stores the incoming interface IP address in the GIADDR field of the DHCP packet. The DHCP server can use the value of GIADDR field to determine the assigned subnet. For such condition, please make sure the switch configuration of VLAN interface IP address and PVID(Port VLAN ID) correctly.
Web Interface
To configure DHCP Relay in the web interface:
1. Click Configuration, DHCP, Relay
2. Specify the Relay Mode, Relay server, Relay Information Mode, Relay Information
police.
3. Click Apply.
Figure 2-4.3: The DHCP Relay Configuration
32
Parameter description:
Relay Mode :
Indicates the DHCP relay mode operation.
Possible modes are:
Enabled: Enable DHCP relay mode operation. When DHCP relay mode operation is
enabled, the agent forwards and transfers DHCP messages between the clients and
the server when they are not in the same subnet domain. And the DHCP broadcast
message won't be flooded for security considerations.
Disabled: Disable DHCP relay mode operation.
Relay Server
Indicates the DHCP relay server IP address.
Relay Information Mode
Indicates the DHCP relay information mode option operation. The option 82 circuit
ID format as "[vlan_id][module_id][port_no]". The first four characters represent the
VLAN ID, the fifth and sixth characters are the module ID(in standalone device it
always equal 0, in stackable device it means switch ID), and the last two characters
are the port number. For example, "00030108" means the DHCP message receive
form VLAN ID 3, switch ID 1, port No 8. And the option 82 remote ID value is equal
the switch MAC address.
Possible modes are:
Enabled: Enable DHCP relay information mode operation. When DHCP relay
information mode operation is enabled, the agent inserts specific information
(option 82) into a DHCP message when forwarding to DHCP server and removes it
33
from a DHCP message when transferring to DHCP client. It only works when DHCP
relay operation mode is enabled.
Disabled: Disable DHCP relay information mode operation.
Relay Information Policy :
Indicates the DHCP relay information option policy. When DHCP relay information
mode operation is enabled, if the agent receives a DHCP message that already
contains relay agent information it will enforce the policy. The 'Replace' policy is
invalid when relay information mode is disabled. Possible policies are:
Replace: Replace the original relay information when a DHCP message that already
contains it is received.
Keep: Keep the original relay information when a DHCP message that already
contains it is received.
Drop: Drop the package when a DHCP message that already contains relay
information is received.
Buttons
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved
2-5 Security
This section shows you to configure the Port Security settings of the Switch. You can
use the Port Security feature to restrict input to an interface by limiting and identifying
MAC addresses.
2-5.1 Switch
2-5.1.1 Users
values.
This page provides an overview of the current users. Currently the only way to login as another user on the web server is to close and reopen the browser
34
Web Interface
To configure User in the web interface:
1. Click Configuration, Security, Switch, Users.
2. Click Add new user
3. Specify the User Name parameter.
4. Click Apply.
Figure 2-5.1.1: The Users configuration
Parameter description:
User Name The name identifying the user. This is also a link to Add/Edit User.Password
The password of the user. The allowed string length is 0 to 31. Any printable characters including space is accepted.
Privilege Level
The privilege level of the user. The allowed range is 0 to 15. If the privilege level value is 15, it can access all groups, i.e. that is granted the fully control of the device. But others value need to refer to each group privilege level. User's privilege should be same or greater than the group privilege level to have the access of that group. By default setting, most groups privilege level 5 has the read-only access and privilege level 10 has the read-write access. And the system maintenance (software upload, factory defaults and etc.) need user privilege level 15. Generally, the privilege level 15 can be used for an administrator account, privilege level 10 for a standard user account and privilege level 5 for a guest account.
35
Buttons
Add New User: Click to add a new user.
2-5.1.2 Privilege Level
This page provides an overview of the privilege levels.
Web Interface
To configure Privilege Level in the web interface:
1. Click SYSTEM, Account, Privilege Level.
2. Specify the Privilege parameter.
3. Click Apply.
Figure2-5.1.2: The Privilege Level configuration
Parameter description:
Group Name
36
The name identifying the privilege group. In most cases, a privilege level group
consists of a single module (e.g. LACP, RSTP or QoS), but a few of them contains
more than one. The following description defines these privilege level groups in
details:
System: Contact, Name, Location, Timezone, Daylight Saving Time, Log.
Security: Authentication, System Access Management, Port (contains Dot1x port,
MAC based and the MAC Address Limit), ACL, HTTPS, SSH, ARP Inspection, IP
source guard.
IP: Everything except 'ping'.
Port: Everything except 'VeriPHY'.
Diagnostics: 'ping' and 'VeriPHY'.
Maintenance: CLI- System Reboot, System Restore Default, System Password,
Configuration Save, Configuration Load and Firmware Load. Web- Users, Privilege
Levels and everything in Maintenance.
Debug: Only present in CLI.
Privilege Levels
Every group has an authorization Privilege level for the following sub groups:
configuration read-only, configuration/execute read-write, status/statistics
read-only, and status/statistics read-write (e.g. for clearing of statistics). User
Privilege should be same or greater than the authorization Privilege level to have
the access to that group.
Buttons
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved
values.
2-5.1.3 Authentication Method
This page shows how to configure a user with authenticated when he logs into the
switch via one of the management client interfaces.
37
Web Interface
To configure a Authentication Method Configuration in the web interface:
1. Specify the Client (console, telent, ssh, web) which you want to monitor.
2. Specify the Authentication Method (none,local, radius, tacacs+)
3. Checked Fallback.
4. Click Apply.
Figure 2-5.1.3: The Authentication Method Configuration
Parameter description:
Client :
The management client for which the configuration below applies.
Authentication Method :
38
Authentication Method can be set to one of the following values:
none : authentication is disabled and login is not possible. local : use the local user database on the switch for authentication. radius : use a remote RADIUS server for authentication. tacacs+ : use a remote TACACS+ server for authentication.
Methods that involves remote servers are timed out if the remote servers are offline.
In this case the next method is tried. Each method is tried from left to right and
continues until a method either approves or rejects a user. If a remote server is used
for primary authentication it is recommended to configure secondary
authentication as 'local'. This will enable the management client to login via the
local user database if none of the configured authentication servers are alive.
Buttons:
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved
values.
2-5.1.4 SSH
This section shows you to use SSH (Secure SHell) to securely access the Switch. SSH is
a secure communication protocol that combines authentication and data encryption
to provide secure encrypted communication.
Web Interface
To configure a SSH Configuration in the web interface:
1. Select “Enabled” in the Mode of SSH Configuration.
2. Click Apply.
Figure 2-5.1.4: The SSH Configuration
39
Parameter description:
Mode :
Indicates the SSH mode operation. Possible modes are:
Enabled: Enable SSH mode operation.
Disabled: Disable SSH mode operation.
Buttons:
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved
values.
40
2-5.1.5 HTTPs
This section shows you how to use HTTPS to securely access the Switch. HTTPS is a
secure communication protocol that combines authentication and data encryption to
provide secure encrypted communication via the browser.
Web Interface
To configure a HTTPS Configuration in the web interface:
1. Select “Enabled” in the Mode of HTTPS Configuration.
2. Select “Enabled” in the Automatic Redirect of HTTPS Configuration.
3. Click Apply.
Figure 2-5.1.5: The HTTPS Configuration
Parameter description:
Mode :
Indicates the HTTPS mode operation. Possible modes are:
Enabled: Enable HTTPS mode operation.
Disabled: Disable HTTPS mode operation.
Automatic Redirect :
Indicates the HTTPS redirect mode operation. Automatically redirect web browser
to HTTPS when HTTPS mode is enabled. Possible modes are:
Enabled: Enable HTTPS redirect mode operation.
Disabled: Disable HTTPS redirect mode operation.
41
42
2-5.1.6 Access Management
This section shows you to configure access management table of the Switch including
HTTP/HTTPS, SNMP, and TELNET/SSH. You can manage the Switch over an Ethernet
LAN, or over the Internet.
Web Interface
To configure an Access Management Configuration in the web interface:
1. Select “Enabled” in the Mode of Access Management Configuration.
2. Click “Add new entry”.
3. Specify the Start IP Address, End IP Address.
4. Checked Access Management method (HTTP/HTTPS, SNMP, and TELNET/SSH) in
the entry.
5. Click Apply.
Figure 2-5.1.6: The Access Management Configuration
Parameter description:
43
Mode :
Indicates the access management mode operation. Possible modes are:
Enabled: Enable access management mode operation.
Disabled: Disable access management mode operation.
VLAN ID :
Indicates the VLAN ID for the access management entry.
Delete :
Check to delete the entry. It will be deleted during the next save.
Start IP address :
Indicates the start IP address for the access management entry.
End IP address :
Indicates the end IP address for the access management entry.
HTTP/HTTPS :
Indicates that the host can access the switch from HTTP/HTTPS interface if the host
IP address matches the IP address range provided in the entry.
SNMP :
Indicates that the host can access the switch from SNMP interface if the host IP
address matches the IP address range provided in the entry.
TELNET/SSH :
Indicates that the host can access the switch from TELNET/SSH interface if the host
IP address matches the IP address range provided in the entry.
Buttons:
Add New Entry – Click to add a new access management entry.
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved
values.
44
2-5.1.7 SNMP
Any Network Management System (NMS) running the Simple Network Management
Protocol (SNMP) can manage the Managed devices equipped with SNMP agent,
provided that the Management Information Base (MIB) is installed correctly on the
managed devices. The SNMP is a protocol that is used to govern the transfer of
information between SNMP manager and agent and traverses the Object Identity (OID)
of the management Information Base (MIB), described in the form of SMI syntax.
SNMP agent is running on the switch to response the request issued by SNMP
manager.
Basically, it is passive except issuing the trap information. The switch supports a switch
to turn on or off the SNMP agent. If you set the field SNMP “Enable”, SNMP agent will
be started up. All supported MIB OIDs, including RMON MIB, can be accessed via
SNMP manager. If the field SNMP is set “Disable”, SNMP agent will be de-activated,
the related Community Name, Trap Host IP Address, Trap and all MIB counters will be
ignored.
2-5.1.7.1 System
This section describes how to configure SNMP System on the switch. This function is used to configure SNMP settings, community name, trap host and public traps as well as the throttle of SNMP. A SNMP manager must pass the authentication by identifying both community names, then it can access the MIB information of the target device. So, both parties must have the same community name. Once completing the setting, click <Apply> button, the setting takes effect.
Web Interface
To display the configure SNMP System in the web interface:
1. Click SNMP, System.
2. Evoke SNMP State to enable or disable the SNMP function.
3. Specify the Engine ID
4. Click Apply.
Figure2-5.1.7.1: The SNMP System Configuration
45
Parameter description:
Mode :
Indicates the SNMP mode operation. Possible modes are:
Enabled: Enable SNMP mode operation.
Disabled: Disable SNMP mode operation.
Version
Indicates the SNMP supported version. Possible versions are:
SNMP v1: Set SNMP supported version 1.
SNMP v2c: Set SNMP supported version 2c.
SNMP v3: Set SNMP supported version 3.
Read Community
Indicates the community read access string to permit access to SNMP agent. The
allowed string length is 0 to 255, and the allowed content is the ASCII characters
from 33 to 126.
The field is applicable only when SNMP version is SNMPv1 or SNMPv2c. If SNMP
version is SNMPv3, the community string will be associated with SNMPv3
communities table. It provides more flexibility to configure security name than a
SNMPv1 or SNMPv2c community string. In addition to community string, a
particular range of source addresses can be used to restrict source subnet.
Write Community
46
Indicates the community write access string to permit access to SNMP agent. The
allowed string length is 0 to 255, and the allowed content is the ASCII characters
from 33 to 126.
The field is applicable only when SNMP version is SNMPv1 or SNMPv2c. If SNMP
version is SNMPv3, the community string will be associated with SNMPv3
communities table. It provides more flexibility to configure security name than a
SNMPv1 or SNMPv2c community string. In addition to community string, a
particular range of source addresses can be used to restrict source subnet.
Engine ID
Indicates the SNMPv3 engine ID. The string must contain an even number(in
hexadecimal format) with number of digits between 10 and 64, but all-zeros and
all-'F's are not allowed. Change of the Engine ID will clear all original local users.
2-5.1.7.2 Trap
Configure SNMP trap on this page.
Global Settings
Configure SNMP trap on this page.
Web Interface
To display the configure SNMP Trap Configuration in the web interface:
1. Click Configuration, Switch, SNMP, Trap.
2. Click Add New Entry then you can create new SNMP Trap on the switch.
3. Click Apply
Figure2-5.1.7.2: The SNMP Trap Configuration
47
Trap Mode
Indicates the trap mode operation. Possible modes are:
Enabled: Enable SNMP trap mode operation.
Disabled: Disable SNMP trap mode operation.
Trap Destination Configurations
Configure trap destinations on this page.
Name
Indicates the trap Configuration's name. Indicates the trap destination's name.
48
Enable
Indicates the trap destination mode operation. Possible modes are:
Enabled: Enable SNMP trap mode operation.
Disabled: Disable SNMP trap mode operation.
Version
Indicates the SNMP trap supported version. Possible versions are:
SNMPv1: Set SNMP trap supported version 1.
SNMPv2c: Set SNMP trap supported version 2c.
SNMPv3: Set SNMP trap supported version 3.
Trap Community
Indicates the community access string when sending SNMP trap packet. The allowed
string length is 0 to 255, and the allowed content is ASCII characters from 33 to 126.
Destination Address
Indicates the SNMP trap destination address. It allow a valid IP address in dotted
decimal notation ('x.y.z.w').
And it also allow a valid hostname. A valid hostname is a string drawn from the
alphabet (A-Za-z), digits (0-9), dot (.), dash (-). Spaces are not allowed, the first
character must be an alpha character, and the first and last characters must not be a
dot or a dash.
Indicates the SNMP trap destination IPv6 address. IPv6 address is in 128-bit records
represented as eight fields of up to four hexadecimal digits with a colon separating
each field (:). For example, 'fe80::215:c5ff:fe03:4dc7'. The symbol '::' is a special syntax
that can be used as a shorthand way of representing multiple 16-bit groups of
contiguous zeros; but it can appear only once. It can also represent a legally valid IPv4
address. For example, '::192.1.2.34'.
Destination port
Indicates the SNMP trap destination port. SNMP Agent will send SNMP message via
this port, the port range is 1~65535.
Trap Inform Mode
Indicates the SNMP trap inform mode operation. Possible modes are:
Enabled: Enable SNMP trap inform mode operation.
Disabled: Disable SNMP trap inform mode operation.
49
Trap Inform Timeout (seconds)
Indicates the SNMP trap inform timeout. The allowed range is 0 to 2147.
Trap Inform Retry Times
Indicates the SNMP trap inform retry times. The allowed range is 0 to 255.
Trap Probe Security Engine ID
Indicates the SNMP trap probe security engine ID mode of operation. Possible values
are:
Enabled: Enable SNMP trap probe security engine ID mode of operation.
Disabled: Disable SNMP trap probe security engine ID mode of operation.
Trap Security Engine ID
Indicates the SNMP trap security engine ID. SNMPv3 sends traps and informs using
USM for authentication and privacy. A unique engine ID for these traps and informs is
needed. When "Trap Probe Security Engine ID" is enabled, the ID will be probed
automatically. Otherwise, the ID specified in this field is used. The string must contain
an even number (in hexadecimal format) with number of digits between 10 and 64, but
all-zeros and all-'F's are not allowed.
Trap Security Name
Indicates the SNMP trap security name. SNMPv3 traps and informs using USM for
authentication and privacy. A unique security name is needed when traps and informs
are enabled.
50
2-5.1.7.3 Communities
The function is used to configure SNMPv3 communities. The Community and UserName is unique. To create a new community account, please check <Add new community> button, and enter the account information then check <Save>. Max Group Number: 4.
Web Interface
To display the configure SNMP Communities in the web interface:
1. Click SNMP, Communities.
2. Click Add new community.
3. Specify the SNMP communities parameters.
4. Click Apply.
5. If you want to modify or clear the setting then click Reset.
Figure2-5.1.7.3: The SNMPv1/v2 Communities Security Configuration
Parameter description:
Delete
51
Check to delete the entry. It will be deleted during the next save.
Community
Indicates the community access string to permit access to SNMPv3 agent. The
allowed string length is 1 to 32, and the allowed content is ASCII characters from 33
to 126. The community string will be treated as security name and map a SNMPv1
or SNMPv2c community string.
Source IP
Indicates the SNMP access source address. A particular range of source addresses
can be used to restrict source subnet when combined with source mask.
Source Mask
Indicates the SNMP access source address mask
2-5.1.7.4 Users
The function is used to configure SNMPv3 user. The Entry index key is UserName. To create a new UserName account, please check <Add new user> button, and enter the user information then check <Save>. Max Group Number: 10.
Web Interface
To display the configure SNMP Users in the web interface:
1. Click SNMP, Users.
2. Specify the Privilege parameter.
3. Click Apply.
Figure 2-5.1.7.4: The SNMP Users Configuration
52
Parameter description:
Delete
Check to delete the entry. It will be deleted during the next save.
Engine ID
An octet string identifying the engine ID that this entry should belong to. The string
must contain an even number (in hexadecimal format) with number of digits
between 10 and 64, but all-zeros and all-'F's are not allowed. The SNMPv3
architecture uses the User-based Security Model (USM) for message security and
the View-based Access Control Model (VACM) for access control. For the USM entry,
the usmUserEngineID and usmUserName are the entry's keys. In a simple agent,
usmUserEngineID is always that agent's own snmpEngineID value. The value can
also take the value of the snmpEngineID of a remote SNMP engine with which this
user can communicate. In other words, if user engine ID equal system engine ID
then it is local user; otherwise it's remote user.
User Name
A string identifying the user name that this entry should belong to. The allowed
string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
Security Level
Indicates the security model that this entry should belong to. Possible security
models are:
NoAuth, NoPriv: No authentication and no privacy.
Auth, NoPriv: Authentication and no privacy.
Auth, Priv: Authentication and privacy.
53
The value of security level cannot be modified if entry already exists. That means it
must first be ensured that the value is set correctly.
Authentication Protocol
Indicates the authentication protocol that this entry should belong to. Possible
authentication protocols are:
None: No authentication protocol.
MD5: An optional flag to indicate that this user uses MD5 authentication protocol.
SHA: An optional flag to indicate that this user uses SHA authentication protocol.
The value of security level cannot be modified if entry already exists. That means
must first ensure that the value is set correctly.
Authentication Password
A string identifying the authentication password phrase. For MD5 authentication
protocol, the allowed string length is 8 to 32. For SHA authentication protocol, the
allowed string length is 8 to 40. The allowed content is ASCII characters from 33 to
126.
Privacy Protocol
Indicates the privacy protocol that this entry should belong to. Possible privacy
protocols are:
None: No privacy protocol.
DES: An optional flag to indicate that this user uses DES authentication protocol.
Privacy Password
A string identifying the privacy password phrase. The allowed string length is 8 to
32, and the allowed content is ASCII characters from 33 to 126.
54
2-5.1.7.5 Group
The function is used to configure SNMPv3 group. The Entry index key are Security Model and Security Name. To create a new group account, please check <Add new group> button, and enter the group information then check <Save>. Max Group Number: v1: 2, v2: 2, v3:10.
Web Interface
To display the configure SNMP Groups in the web interface:
1. Click SNMP, Groups.
2. Specify the Privilege parameter.
3. Click Apply.
Figure 2-5.1.7.5: The SNMP Groups Configuration
55
Parameter description:
Delete
Check to delete the entry. It will be deleted during the next save.
Security Model
Indicates the security model that this entry should belong to. Possible security
models are:
v1: Reserved for SNMPv1.
v2c: Reserved for SNMPv2c.
usm: User-based Security Model (USM).
Security Name
A string identifying the security name that this entry should belong to. The allowed
string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
Group Name
A string identifying the group name that this entry should belong to. The allowed
string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
56
2-5.1.7.6 Views
The function is used to configure SNMPv3 view. The Entry index keys are OID Subtree
and View Name. To create a new view account, please check <Add new view> button,
and enter the view information then check <Save>. Max Group Number: 28.
Configure SNMPv3 view table on this page. The entry index keys are View Name and
OID Subtree.
Web Interface
To display the configure SNMP views in the web interface:
1. Click SNMP, Views.
2. Click Add new View.
3. Specify the SNMP View parameters.
4. Click Apply.
5. If you want to modify or clear the setting then click Reset.
Figure 2-5.1.7.6: The SNMP Views Configuration
Parameter description:
57
Delete
Check to delete the entry. It will be deleted during the next save.
View Name
A string identifying the view name that this entry should belong to. The allowed
string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
View Type
Indicates the view type that this entry should belong to. Possible view types are:
Included: An optional flag to indicate that this view subtree should be included.
Excluded: An optional flag to indicate that this view subtree should be excluded.
In general, if a view entry's view type is 'excluded', there should be another view
entry existing with view type as 'included' and it's OID subtree should overstep the
'excluded' view entry.
OID Subtree
The OID defining the root of the subtree to add to the named view. The allowed OID
length is 1 to 128. The allowed string content is digital number or asterisk(*).
2-5.1.7.7 Access
The function is used to configure SNMPv3 accesses. The Entry index key are Group
Name, Security Model and Security level. To create a new access account, please check
<Add new access> button, and enter the access information then check <Save>. Max
Group Number : 14
Web Interface
To display the configure SNMP Access in the web interface:
1. Click SNMP, Accesses.
2. Click Add new Access.
3. Specify the SNMP Access parameters.
4. Click Apply.
5. If you want to modify or clear the setting then click Reset.
.
58
Figure 2-5.1.7.7: The SNMP Accesses Configuration
Parameter description:
Delete
Check to delete the entry. It will be deleted during the next save.
Group Name
A string identifying the group name that this entry should belong to. The allowed
string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
Security Model
Indicates the security model that this entry should belong to. Possible security
models are:
Any: Any security model accepted(v1|v2c|usm).
v1: Reserved for SNMPv1.
59
v2c: Reserved for SNMPv2c.
usm: User-based Security Model (USM).
Security Level
Indicates the security model that this entry should belong to. Possible security
models are:
NoAuth, NoPriv: No authentication and no privacy.
Auth, NoPriv: Authentication and no privacy.
Auth, Priv: Authentication and privacy.
Read View Name
The name of the MIB view defining the MIB objects for which this request may
request the current values. The allowed string length is 1 to 32, and the allowed
content is ASCII characters from 33 to 126.
Write View Name
The name of the MIB view defining the MIB objects for which this request may
potentially set new values. The allowed string length is 1 to 32, and the allowed
content is ASCII characters from 33 to 126.
2-5.1.8 RMON
An RMON implementation typically operates in a client/server model. Monitoring
devices contain RMON software agents that collect information and analyze packets.
These probes act as servers and the Network Management applications that
communicate with them act as clients.
2-5.1.8.1 Statistics
Configure RMON Statistics table on this page. The entry index key is ID.
Web Interface
To display the configure RMON configuration in the web interface:
60
1. Click RMON, Statistics.
2. Click Add New Entry.
3. Specify the ID parameters.
4. Click Apply.
Figure 2-5.1.8.1: The RMON Statics Configuration
Parameter description:
These parameters are displayed on the RMON Statistics Configuration page:
Delete
Check to delete the entry. It will be deleted during the next save.
ID
Indicates the index of the entry. The range is from 1 to 65535.
Data Source
Indicates the port ID which wants to be monitored. If in stacking switch, the value must
add 1000*(switch ID-1), for example, if the port is switch 3 port 5, the value is 2005
Interval
61
Indicates the interval in seconds for sampling the history statistics data. The range is
from 1 to 3600, default value is 1800 seconds.
Buckets
Indicates the maximum data entries associated this History control entry stored in
RMON. The range is from 1 to 3600, default value is 50.
Buckets Granted
The number of data shall be saved in the RMON.
2-5.1.8.2 History
Configure RMON History table on this page. The entry index key is ID.
Web Interface
To display the configure RMON History in the web interface:
1. Click RMON, History.
2. Click Add New Entry.
3. Specify the ID parameters.
4. Click Apply.
Figure 2-5.1.8.2: The RMON History Configuration
62
Parameter description:
These parameters are displayed on the RMON History Configuration page:
Delete
Check to delete the entry. It will be deleted during the next save.
ID
Indicates the index of the entry. The range is from 1 to 65535.
Data Source
Indicates the port ID which wants to be monitored. If in stacking switch, the value
must add 1000*(switch ID-1), for example, if the port is switch 3 port 5, the value is
2005
Interval
Indicates the interval in seconds for sampling the history statistics data. The range is
from 1 to 3600, default value is 1800 seconds.
Buckets
Indicates the maximum data entries associated this History control entry stored in
RMON. The range is from 1 to 3600, default value is 50.
Buckets Granted
The number of data shall be saved in the RMON.
2-5.1.8.3 Alarm
Configure RMON Alarm table on this page. The entry index key is ID.
63
Web Interface
To display the configure RMON Alarm in the web interface:
1. Click RMON, Alarm.
2. Click Add New Entry.
3. Specify the ID parameters.
4. Click Apply.
Figure 2-5.1.8.3: The RMON Alarm Configuration
Parameter description:
These parameters are displayed on the RMON Alarm Configuration page:
Delete
Check to delete the entry. It will be deleted during the next save.
ID
Indicates the index of the entry. The range is from 1 to 65535.
Interval
64
Indicates the interval in seconds for sampling and comparing the rising and falling
threshold. The range is from 1 to 2^31-1.
Variable
Indicates the particular variable to be sampled, the possible variables are:
InOctets:
The total number of octets received on the interface, including framing characters.
InUcastPkts:
The number of uni-cast packets delivered to a higher-layer protocol.
InNUcastPkts:
The number of broad-cast and multi-cast packets delivered to a higher-layer
protocol.
InDiscards:
The number of inbound packets that are discarded even the packets are normal.
InErrors:
The number of inbound packets that contained errors preventing them from being
deliverable to a higher-layer protocol.
InUnknownProtos:
the number of the inbound packets that were discarded because of the unknown or
un-support protocol.
OutOctets:
The number of octets transmitted out of the interface , including framing characters.
OutUcastPkts:
The number of uni-cast packets that request to transmit.
OutNUcastPkts:
The number of broad-cast and multi-cast packets that request to transmit.
OutDiscards:
The number of outbound packets that are discarded event the packets is normal.
OutErrors:
The The number of outbound packets that could not be transmitted because of
errors.
OutQLen:
65
The length of the output packet queue (in packets).
Sample Type
The method of sampling the selected variable and calculating the value to be
compared against the thresholds, possible sample types are:
Absolute: Get the sample directly.
Delta: Calculate the difference between samples (default).
Value
The value of the statistic during the last sampling period.
Startup Alarm
The method of sampling the selected variable and calculating the value to be
compared against the thresholds, possible sample types are:
RisingTrigger alarm when the first value is larger than the rising threshold.
FallingTrigger alarm when the first value is less than the falling threshold.
RisingOrFallingTrigger alarm when the first value is larger than the rising threshold
or less than the falling threshold (default).
Rising Threshold
Rising threshold value (-2147483648-2147483647).
Rising Index
Rising event index (1-65535).
Falling Threshold
Falling threshold value (-2147483648-2147483647)
Falling Index
Falling event index (1-65535).
2-5.1.8.4 Event
Configure RMON Event table on this page. The entry index key is ID.
66
Web Interface
To display the configure RMON Event in the web interface:
1. Click RMON, Event.
2. Click Add New Entry.
3. Specify the ID parameters.
4. Click Apply.
Figure 2-5.1.8.4: The RMON Event Configuration
Parameter description:
These parameters are displayed on the RMON History Configuration page:
Delete
Check to delete the entry. It will be deleted during the next save.
ID
Indicates the index of the entry. The range is from 1 to 65535.
Desc
Indicates this event, the string length is from 0 to 127, default is a null string.
Type
67
Indicates the notification of the event, the possible types are:
None: No SNMP log is created, no SNMP trap is sent.
Log: Create SNMP log entry when the event is triggered.
Snmp trap: Send SNMP trap when the event is triggered.
Log and trap: Create SNMP log entry and sent SNMP trap when the event is
triggered.
Community
Specify the community when trap is sent, the string length is from 0 to 127, default
is "public".
Event Last Time
Indicates the value of sysUpTime at the time this event entry last generated an
event.
2-5.2 Network
2-5.2.1 Limit Control
This section shows you to configure the Port Security settings of the Switch. You can
use the Port Security feature to restrict input to an interface by limiting and identifying
MAC addresses.
Web Interface
To configure a Configuration of Limit Control in the web interface:
1. Select “Enabled” in the Mode of System Configuration.
2. Checked Aging Enabled.
3. Set Aging Period (Default is 3600 seconds).
To configure a Port Configuration of Limit Control in the web interface:
1. Select “Enabled” in the Mode of Port Configuration.
68
2. Specify the maximum number of MAC addresses in the Limit of Port Configuration.
3. Set Action (Trap, Shutdown, Trap & Shutdown)
4. Click Apply.
Figure 2-5.2.1: The Port Security Limit Control Configuration
Parameter description:
System Configuration
Mode :
Indicates if Limit Control is globally enabled or disabled on the switch. If globally
disabled, other modules may still use the underlying functionality, but limit checks
and corresponding actions are disabled.
Aging Enabled :
If checked, secured MAC addresses are subject to aging as discussed under Aging
69
Period.
Aging Period :
If Aging Enabled is checked, then the aging period is controlled with this input. If
other modules are using the underlying port security for securing MAC addresses,
they may have other requirements to the aging period. The underlying port security
will use the shorter requested aging period of all modules that use the functionality.
The Aging Period can be set to a number between 10 and 10,000,000 seconds.
To understand why aging may be desired, consider the following scenario: Suppose
an end-host is connected to a 3rd party switch or hub, which in turn is connected to
a port on this switch on which Limit Control is enabled. The end-host will be
allowed to forward if the limit is not exceeded. Now suppose that the end-host logs
off or powers down. If it wasn't for aging, the end-host would still take up resources
on this switch and will be allowed to forward. To overcome this situation, enable
aging. With aging enabled, a timer is started once the end-host gets secured. When
the timer expires, the switch starts looking for frames from the end-host, and if such
frames are not seen within the next Aging Period, the end-host is assumed to be
disconnected, and the corresponding resources are freed on the switch.
Port Configuration
The table has one row for each port on the selected switch and a number of
columns, which are:
Port :
The port number to which the configuration below applies.
Mode :
Controls whether Limit Control is enabled on this port. Both this and the Global
Mode must be set to Enabled for Limit Control to be in effect. Notice that other
modules may still use the underlying port security features without enabling Limit
Control on a given port.
Action :
If Limit is reached, the switch can take one of the following actions:
None: Do not allow more than Limit MAC addresses on the port, but take no
further action.
Trap: If Limit + 1 MAC addresses is seen on the port, send an SNMP trap. If Aging is
70
disabled, only one SNMP trap will be sent, but with Aging enabled, new SNMP traps
NOTE: That clicking the reopen button causes the page to be
refreshed, so non-committed changes will be lost
will be sent every time the limit gets exceeded.
Shutdown: If Limit + 1 MAC addresses is seen on the port, shut down the port. This
implies that all secured MAC addresses will be removed from the port, and no new
address will be learned. Even if the link is physically disconnected and reconnected
on the port (by disconnecting the cable), the port will remain shut down. There are
three ways to re-open the port:
Trap & Shutdown: If Limit + 1 MAC addresses is seen on the port, both the "Trap"
and the "Shutdown" actions described above will be taken.
State :
1) Boot the switch,
2) Disable and re-enable Limit Control on the port or the switch,
3) Click the Reopen button.
This column shows the current state of the port as seen from the Limit Control's
point of view. The state takes one of four values:
Disabled: Limit Control is either globally disabled or disabled on the port.
Ready: The limit is not yet reached. This can be shown for all actions.
Limit Reached: Indicates that the limit is reached on this port. This state can only
be shown if Action is set to none or Trap.
Shutdown: Indicates that the port is shut down by the Limit Control module. This
state can only be shown if Action is set to shut down or Trap & Shutdown.
Re-open Button :
If a port is shut down by this module, you may reopen it by clicking this button,
which will only be enabled if this is the case. For other methods, refer to shut down
in the Action section.
Upper right icon (Refresh):
71
You can click them for refresh the Port Security information by manual.
Buttons:
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved
2-5.2.2 NAS
The section describes to configure the NAS parameters of the switch. The NAS server
can be employed to connect users to a variety of resources including Internet access,
conference calls, printing documents on shared printers, or by simply logging on to
the Internet.
values.
Web Interface
To configure a Network Access Server in the web interface:
1. Select “Enabled” in the Mode of Network Access Server Configuration.
2. Checked Reauthentication Enabled.
3. Set Reauthentication Period (Default is 3600 seconds).
4. Set EAPOL Timeout (Default is 30 seconds).
5. Set Aging Period (Default is 300 seconds).
6. Set Hold Time (Default is 10 seconds).
7. Checked RADIUS-Assigned QoS Enabled.
8. Checked RADIUS-Assigned VLAN Enabled.
9. Checked Guest VLAN Enabled.
10. Specify Guest VLAN ID.
11. Specify Max. Reauth. Count.
12. Checked Allow Guest VLAN if EAPOL Seen.
13. Click Apply.
Figure 2-5.2.2: The Network Access Server Configuration
72
Parameter description:
Mode :
Indicates if NAS is globally enabled or disabled on the switch. If globally disabled, all
ports are allowed forwarding of frames.
Reauthentication Enabled :
If checked, successfully authenticated supplicants/clients are reauthenticated after
the interval specified by the Reauthentication Period. Reauthentication for
802.1X-enabled ports can be used to detect if a new device is plugged into a switch
port or if a supplicant is no longer attached.
For MAC-based ports, reauthentication is only useful if the RADIUS server
configuration has changed. It does not involve communication between the switch
and the client, and therefore doesn't imply that a client is still present on a port (see
Aging Period below).
73
Reauthentication Period :
Determines the period, in seconds, after which a connected client must be
reauthenticated. This is only active if the Reauthentication Enabled checkbox is
checked. Valid values are in the range 1 to 3600 seconds.
EAPOL Timeout :
Determines the time for retransmission of Request Identity EAPOL frames.
Valid values are in the range 1 to 255 seconds. This has no effect for MAC-based
ports.
Aging Period :
This setting applies to the following modes, i.e. modes using the Port Security
functionality to secure MAC addresses:
• Single 802.1X
• Multi 802.1X
• MAC-Based Auth.
When the NAS module uses the Port Security module to secure MAC addresses, the
Port Security module needs to check for activity on the MAC address in question at
regular intervals and free resources if no activity is seen within a given period of
time. This parameter controls exactly this period and can be set to a number
between 10 and 1000000 seconds.
If reauthentication is enabled and the port is in an 802.1X-based mode, this is not
so critical, since supplicants that are no longer attached to the port will get removed
upon the next re-authentication, which will fail. But if re-authentication is not
enabled, the only way to free resources is by aging the entries.
For ports in MAC-based Auth. mode, reauthentication doesn't cause direct
communication between the switch and the client, so this will not detect whether
the client is still attached or not, and the only way to free any resources is to age the
entry.
Hold Time :
This setting applies to the following modes, i.e. modes using the Port Security
functionality to secure MAC addresses:
• Single 802.1X
74
• Multi 802.1X
• MAC-Based Auth.
If a client is denied access - either because the RADIUS server denies the client
access or because the RADIUS server request times out (according to the timeout
specified on the "Configuration→Security→AAA" page) - the client is put on hold in
the Un-authorized state. The hold timer does not count during an on-going
authentication.
In MAC-based Auth. mode, the switch will ignore new frames coming from the
client during the hold time.
The Hold Time can be set to a number between 10 and 1000000 seconds.
Port Configuration :
The table has one row for each port on the selected switch and a number of
columns, which are:
Port :
The port number for which the configuration below applies.
Admin State :
If NAS is globally enabled, this selection controls the port's authentication mode.
The following modes are available:
Force Authorized :
In this mode, the switch will send one EAPOL Success frame when the port link
comes up, and any client on the port will be allowed network access without
authentication.
Force Unauthorized :
In this mode, the switch will send one EAPOL Failure frame when the port link
comes up, and any client on the port will be disallowed network access.
Port-based 802.1X :
In the 802.1X-world, the user is called the supplicant, the switch is the authenticator,
and the RADIUS server is the authentication server. The authenticator acts as the
man-in-the-middle, forwarding requests and responses between the supplicant and
the authentication server. Frames sent between the supplicant and the switch are
75
special 802.1X frames, known as EAPOL (EAP Over LANs) frames. EAPOL frames
NOTE: Suppose two backend servers are enabled and that the
server timeout is configured to X seconds (using the AAA
configuration page), and suppose that the first server in the list
is currently down (but not considered dead).
Now, if the supplicant retransmits EAPOL Start frames at a rate
faster than X seconds, then it will never get authenticated,
because the switch will cancel on-going backend authentication
server requests whenever it receives a new EAPOL Start frame
from the supplicant.
And since the server hasn't yet failed (because the X seconds
haven't expired), the same server will be contacted upon the
next backend authentication server request from the switch. This
scenario will loop forever. Therefore, the server timeout should
be smaller than the supplicant's EAPOL Start frame retransmission rate.
encapsulate EAP PDUs (RFC3748). Frames sent between the switch and the RADIUS
server are RADIUS packets. RADIUS packets also encapsulate EAP PDUs together
with other attributes like the switch's IP address, name, and the supplicant's port
number on the switch. EAP is very flexible, in that it allows for different
authentication methods, like MD5-Challenge, PEAP, and TLS. The important thing is
that the authenticator (the switch) doesn't need to know which authentication
method the supplicant and the authentication server are using, or how many
information exchange frames are needed for a particular method. The switch simply
encapsulates the EAP part of the frame into the relevant type (EAPOL or RADIUS)
and forwards it.
When authentication is complete, the RADIUS server sends a special packet
containing a success or failure indication. Besides forwarding this decision to the
supplicant, the switch uses it to open up or block traffic on the switch port
connected to the supplicant
Single 802.1X :
76
In port-based 802.1X authentication, once a supplicant is successfully authenticated
on a port, the whole port is opened for network traffic. This allows other clients
connected to the port (for instance through a hub) to piggy-back on the
successfully authenticated client and get network access even though they really
aren't authenticated. To overcome this security breach, use the Single 802.1X variant.
Single 802.1X is really not an IEEE standard, but features many of the same
characteristics as does port-based 802.1X. In Single 802.1X, at most one supplicant
can get authenticated on the port at a time. Normal EAPOL frames are used in the
communication between the supplicant and the switch. If more than one supplicant
is connected to a port, the one that comes first when the port's link comes up will
be the first one considered. If that supplicant doesn't provide valid credentials
within a certain amount of time, another supplicant will get a chance. Once a
supplicant is successfully authenticated, only that supplicant will be allowed access.
This is the most secure of all the supported modes. In this mode, the Port Security
module is used to secure a supplicant's MAC address once successfully
authenticated.
Multi 802.1X :
In port-based 802.1X authentication, once a supplicant is successfully authenticated
on a port, the whole port is opened for network traffic. This allows other clients
connected to the port (for instance through a hub) to piggy-back on the
successfully authenticated client and get network access even though they really
aren't authenticated. To overcome this security breach, use the Multi 802.1X variant.
Multi 802.1X is really not an IEEE standard, but features many of the same
characteristics as does port-based 802.1X. Multi 802.1X is - like Single 802.1X - not
an IEEE standard, but a variant that features many of the same characteristics. In
Multi 802.1X, one or more supplicants can get authenticated on the same port at
the same time. Each supplicant is authenticated individually and secured in the MAC
table using the Port Security module.
In Multi 802.1X it is not possible to use the multicast BPDU MAC address as
destination MAC address for EAPOL frames sent from the switch towards the
supplicant, since that would cause all supplicants attached to the port to reply to
requests sent from the switch. Instead, the switch uses the supplicant's MAC address,
which is obtained from the first EAPOL Start or EAPOL Response Identity frame sent
by the supplicant. An exception to this is when no supplicants are attached. In this
case, the switch sends EAPOL Request Identity frames using the BPDU multicast
MAC address as destination - to wake up any supplicants that might be on the port.
77
The maximum number of supplicants that can be attached to a port can be limited
using the Port Security Limit Control functionality.
MAC-based Auth.:
Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely
a best-practices method adopted by the industry. In MAC-based authentication,
users are called clients, and the switch acts as the supplicant on behalf of clients.
The initial frame (any kind of frame) sent by a client is snooped by the switch, which
in turn uses the client's MAC address as both username and password in the
subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is
converted to a string on the following form "xx-xx-xx-xx-xx-xx", that is, a dash (-) is
used as separator between the lower-cased hexadecimal digits. The switch only
supports the MD5-Challenge authentication method, so the RADIUS server must be
configured accordingly.
When authentication is complete, the RADIUS server sends a success or failure
indication, which in turn causes the switch to open up or block traffic for that
particular client, using the Port Security module. Only then will frames from the
client be forwarded on the switch. There are no EAPOL frames involved in this
authentication, and therefore, MAC-based Authentication has nothing to do with
the 802.1X standard.
The advantage of MAC-based authentication over port-based 802.1X is that several
clients can be connected to the same port (e.g. through a 3rd party switch or a hub)
and still require individual authentication, and that the clients don't need special
supplicant software to authenticate. The advantage of MAC-based authentication
over 802.1X-based authentication is that the clients don't need special supplicant
software to authenticate. The disadvantage is that MAC addresses can be spoofed
by malicious users - equipment whose MAC address is a valid RADIUS user can be
used by anyone. Also, only the MD5-Challenge method is supported. The maximum
number of clients that can be attached to a port can be limited using the Port
Security Limit Control functionality.
RADIUS-Assigned QoS Enabled :
When RADIUS-Assigned QoS is both globally enabled and enabled (checked) on a
given port, the switch reacts to QoS Class information carried in the RADIUS
Access-Accept packet transmitted by the RADIUS server when a supplicant is
successfully authenticated. If present and valid, traffic received on the supplicant's
port will be classified to the given QoS Class. If (re-)authentication fails or the
78
RADIUS Access-Accept packet no longer carries a QoS Class or it's invalid, or the
supplicant is otherwise no longer present on the port, the port's QoS Class is
immediately reverted to the original QoS Class (which may be changed by the
administrator in the meanwhile without affecting the RADIUS-assigned).
This option is only available for single-client modes, i.e.
• Port-based 802.1X
• Single 802.1X
RADIUS attributes used in identifying a QoS Class:
Refer to the written documentation for a description of the RADIUS attributes
needed in order to successfully identify a QoS Class. The User-Priority-Table
attribute defined in RFC4675 forms the basis for identifying the QoS Class in an
Access-Accept packet.
Only the first occurrence of the attribute in the packet will be considered, and to be
valid, it must follow this rule:
• All 8 octets in the attribute's value must be identical and consist of ASCII
characters in the range '0' - '3', which translates into the desired QoS Class in the
range [0; 3].
RADIUS-Assigned VLAN Enabled :
When RADIUS-Assigned VLAN is both globally enabled and enabled (checked) for a
given port, the switch reacts to VLAN ID information carried in the RADIUS
Access-Accept packet transmitted by the RADIUS server when a supplicant is
successfully authenticated. If present and valid, the port's Port VLAN ID will be
changed to this VLAN ID, the port will be set to be a member of that VLAN ID, and
the port will be forced into VLAN unaware mode. Once assigned, all traffic arriving
on the port will be classified and switched on the RADIUS-assigned VLAN ID.
If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a
VLAN ID or it's invalid, or the supplicant is otherwise no longer present on the port,
the port's VLAN ID is immediately reverted to the original VLAN ID (which may be
changed by the administrator in the meanwhile without affecting the
RADIUS-assigned).
This option is only available for single-client modes, i.e.
• Port-based 802.1X
79
• Single 802.1X
For trouble-shooting VLAN assignments, use the "Monitor→VLANs→VLAN
Membership and VLAN Port" pages. These pages show which modules have
(temporarily) overridden the current Port VLAN configuration.
RADIUS attributes used in identifying a VLAN ID:
RFC2868 and RFC3580 form the basis for the attributes used in identifying a VLAN
ID in an Access-Accept packet. The following criteria are used:
• The Tunnel-Medium-Type, Tunnel-Type, and Tunnel-Private-Group-ID attributes
must all be present at least once in the Access-Accept packet.
• The switch looks for the first set of these attributes that have the same Tag value
and fulfil the following requirements (if Tag == 0 is used, the
Tunnel-Private-Group-ID does not need to include a Tag):
- Value of Tunnel-Medium-Type must be set to "IEEE-802" (ordinal 6).
- Value of Tunnel-Type must be set to "VLAN" (ordinal 13).
- Value of Tunnel-Private-Group-ID must be a string of ASCII chars in the range '0'
- '9', which is interpreted as a decimal string representing the VLAN ID. Leading '0's
are discarded. The final value must be in the range [1; 4095].
Guest VLAN Enabled :
When Guest VLAN is both globally enabled and enabled (checked) for a given port,
the switch considers moving the port into the Guest VLAN according to the rules
outlined below.
This option is only available for EAPOL-based modes, i.e.:
• Port-based 802.1X
• Single 802.1X
• Multi 802.1X
For trouble-shooting VLAN assignments, use the "Monitor→VLANs→VLAN
Membership and VLAN Port" pages. These pages show which modules have
(temporarily) overridden the current Port VLAN configuration.
Guest VLAN Operation:
When a Guest VLAN enabled port's link comes up, the switch starts transmitting
80
EAPOL Request Identity frames. If the number of transmissions of such frames
exceeds Max. Reauth. Count and no EAPOL frames have been received in the
meanwhile, the switch considers entering the Guest VLAN. The interval between
transmissions of EAPOL Request Identity frames is configured with EAPOL Timeout.
If Allow Guest VLAN if EAPOL Seen is enabled, the port will now be placed in the
Guest VLAN. If disabled, the switch will first check its history to see if an EAPOL
frame has previously been received on the port (this history is cleared if the port
link goes down or the port's Admin State is changed), and if not, the port will be
placed in the Guest VLAN. Otherwise it will not move to the Guest VLAN, but
continue transmitting EAPOL Request Identity frames at the rate given by EAPOL
Timeout.
Once in the Guest VLAN, the port is considered authenticated, and all attached
clients on the port are allowed access on this VLAN. The switch will not transmit an
EAPOL Success frame when entering the Guest VLAN.
While in the Guest VLAN, the switch monitors the link for EAPOL frames, and if one
such frame is received, the switch immediately takes the port out of the Guest VLAN
and starts authenticating the supplicant according to the port mode. If an EAPOL
frame is received, the port will never be able to go back into the Guest VLAN if the
"Allow Guest VLAN if EAPOL Seen" is disabled.
Port State :
The current state of the port. It can undertake one of the following values:
Globally Disabled: NAS is globally disabled.
Link Down: NAS is globally enabled, but there is no link on the port.
Authorized: The port is in Force Authorized or a single-supplicant mode and the
supplicant is authorized.
Unauthorized: The port is in Force Unauthorized or a single-supplicant mode and
the supplicant is not successfully authorized by the RADIUS server.
X Auth/Y Unauth: The port is in a multi-supplicant mode. Currently X clients are
authorized and Y are unauthorized.
Restart :
Two buttons are available for each row. The buttons are only enabled when
authentication is globally enabled and the port's Admin State is in an EAPOL-based
or MAC-based mode.
81
Clicking these buttons will not cause settings changed on the page to take effect.
Re-authenticate: Schedules a re-authentication whenever the quiet-period of the
port runs out (EAPOL-based authentication). For MAC-based authentication,
re-authentication will be attempted immediately.
The button only has effect for successfully authenticated clients on the port and will
not cause the clients to get temporarily unauthorized.
Reinitialize: Forces a re-initialization of the clients on the port and thereby a
re-authentication immediately. The clients will transfer to the unauthorized state
while the re-authentication is in progress.
Buttons:
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved
values.
Upper right icon (Refresh):
You can click them for refresh the NAS Configuration by manual.
2-5.2.3 ACL
The IGP-1271 Series switch access control list (ACL) is probably the most commonly
used object in the IOS. It is used for packet filtering but also for selecting types of
traffic to be analyzed, forwarded, or influenced in some way. The ACLs are divided into
Ether Types. IPv4, ARP protocol, MAC and VLAN parameters etc. Here we will just go
over the standard and extended access lists for TCP/IP. As you create ACEs for ingress
classification, you can assign a policy for each port, the policy number is 1-8, and
however, each policy can be applied to any port. This makes it very easy to determine
what type of ACL policy you will be working with.
2-5.2.3.1 Ports
The section describes how to configure the ACL parameters (ACE) of the each switch
port. These parameters will affect frames received on a port unless the frame matches
a specific ACE
82
Web Interface
To configure the ACL Ports Configuration in the web interface:
1. Click Configuration, ACL, then Ports
2. To scroll the specific parameter value to select the correct value for port ACL
setting.
3. Click the save to save the setting
4. If you want to cancel the setting then you need to click the reset button. It will
revert to previously saved values.
5. After you configure complete then you could see the Counter of the port. Then
you could click refresh to update the counter or Clear the information.
Figure 2-5.2.3.1: The ACL Ports Configuration
Parameter description:
Port :
The logical port for the settings contained in the same row.
Policy ID :
Select the policy to apply to this port. The allowed values are 1 through 8. The
default value is 1.
Action :
83
Select whether forwarding is permitted ("Permit") or denied ("Deny"). The default
value is "Permit".
Rate Limiter ID :
Select which rate limiter to apply on this port. The allowed values are Disabled or
the values 1 through 16. The default value is "Disabled".
Port Redirect :
Select which port frames are redirected on. The allowed values are Disabled or a
specific port number and it can't be set when action is permitted. The default value
is "Disabled".
Logging :
Specify the logging operation of this port. The allowed values are:
Enabled: Frames received on the port are stored in the System Log.
Disabled: Frames received on the port are not logged.
The default value is "Disabled". Please note that the System Log memory size and
logging rate is limited.
Shutdown :
Specify the port shut down operation of this port. The allowed values are:
Enabled: If a frame is received on the port, the port will be disabled.
Disabled: Port shut down is disabled.
The default value is "Disabled".
State :
Specify the port state of this port. The allowed values are:
Enabled: To reopen ports by changing the volatile port configuration of the ACL
user module.
Disabled: To close ports by changing the volatile port configuration of the ACL user
module.
The default value is "Enabled"
Counter :
84
Counts the number of frames that match this ACE.
Buttons
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved
values.
Upper right icon (Refresh, clear)
You can click them for refresh the ACL Port Configuration or clear them by manual.
85
2-5.2.3.2 Rate Limiters
The section describes how to configure the switch’s ACL Rate Limiter parameters. The
Rate Limiter Level from 1 to 16 that allow user to set rate limiter value and units with
pps or kbps.
Web Interface
To configure ACL Rate Limiter in the web interface:
1. Click Configuration, ACL, then Rate Limiter
2. To specific the Rate field and the range from 0 to 3276700.
3. To scroll the Unit with pps or kbps
4. Click the Apply to save the setting
5. If you want to cancel the setting then you need to click the reset button. It will
revert to previously saved values.
Figure 2-5.2.3.2: The ACL Rate Limiter Configuration
Parameter description:
Rate Limiter ID :
Rate
The rate limiter ID for the settings contained in the same row.
The allowed values are: 0-3276700 in pps or 0, 100, 200, 300, ..., 1000000 in kbps.
86
Buttons
Apply – Click to save changes.
Reset - Click to undo any changes made locally and revert to previously saved
values.
2-5.2.3.3 Access Control List
The section describes how to configure Access Control List rule. An Access Control List
(ACL) is a sequential list of permit or deny conditions that apply to IP addresses, MAC
addresses, or other more specific criteria. This switch tests ingress packets against the
conditions in an ACL one by one. A packet will be accepted as soon as it matches a
permit rule, or dropped as soon as it matches a deny rule. If no rules match, the frame
is accepted. Other actions can also be invoked when a matching packet is found,
including rate limiting, copying matching packets to another port or to the system log,
or shutting down a port.
This page shows the Access Control List (ACL), which is made up of the ACEs defined
on this switch. Each row describes the ACE that is defined. The maximum number of
ACEs is 256 on each switch. Click on the lowest plus sign to add a new ACE to the list.
The reserved ACEs used for internal protocol, cannot be edited or deleted, the order
sequence cannot be changed the priority is highest
Web Interface
To configure Access Control List in the web interface:
1. Click Configuration, ACL, then Configuration
2. Click the button to add a new ACL, or use the other ACL
modification buttons to specify the editing action (i.e., edit, delete, or
moving the relative position of entry in the list)
3. To specific the parameter of the ACE
4. Click the save to save the setting
5. If you want to cancel the setting then you need to click the reset button.
It will revert to previously saved values.
6. When editing an entry on the ACE Configuration page, note that the
Items displayed depend on various selections, such as Frame Type and IP Protocol
Type. Specify the relevant criteria to be matched for this rule,
and set the actions to take when a rule is matched (such as Rate Limiter,
87
Port Copy, Logging, and Shutdown).
Figure 2-5.2.3.3: The ACL Rate Limiter Configuration
Parameter description:
Ingress Port :
Indicates the ingress port of the ACE. Possible values are:
Any: The ACE will match any ingress port.
Policy: The ACE will match ingress ports with a specific policy.
Port: The ACE will match a specific ingress port.
Policy / Bitmask :
Indicates the policy number and bitmask of the ACE.
Frame Type :
Indicates the frame type of the ACE. Possible values are:
88
Any: The ACE will match any frame type.
EType: The ACE will match Ethernet Type frames. Note that an Ethernet Type based
ACE will not get matched by IP and ARP frames.
ARP: The ACE will match ARP/RARP frames.
IPv4: The ACE will match all IPv4 frames.
IPv4/ICMP: The ACE will match IPv4 frames with ICMP protocol.
IPv4/UDP: The ACE will match IPv4 frames with UDP protocol.
IPv4/TCP: The ACE will match IPv4 frames with TCP protocol.
IPv4/Other: The ACE will match IPv4 frames, which are not ICMP/UDP/TCP. IPv6:
The ACE will match all IPv6 standard frames.
Action :
Indicates the forwarding action of the ACE.
Permit: Frames matching the ACE may be forwarded and learned.
Deny: Frames matching the ACE are dropped.
Filter: Frames matching the ACE are filtered.
Rate Limiter :
Indicates the rate limiter number of the ACE. The allowed range is 1 to 16. When
Disabled is displayed, the rate limiter operation is disabled.
Port Copy :
Indicates the port copy operation of the ACE. Frames matching the ACE are copied
to the port number. The allowed values are Disabled or a specific port number.
When Disabled is displayed, the port copy operation is disabled.
Logging :
Indicates the logging operation of the ACE. Possible values are:
Enabled: Frames matching the ACE are stored in the System Log.
Disabled: Frames matching the ACE are not logged.
Please note that the System Log memory size and logging rate is limited.
89
Shutdown :
Indicates the port shut down operation of the ACE. Possible values are:
Enabled: If a frame matches the ACE, the ingress port will be disabled.
Disabled: Port shut down is disabled for the ACE.
Counter :
The counter indicates the number of times the ACE was hit by a frame.
Modification Buttons
You can modify each ACE (Access Control Entry) in the table using the following
buttons:
: Inserts a new ACE before the current row.
: Edits the ACE row.
: Moves the ACE up the list.
: Moves the ACE down the list.
: Deletes the ACE.
: The lowest plus sign adds a new entry at the bottom of the ACE listings.
MAC Parameter:
SMAC Filter
(Only displayed when the frame type is Ethernet Type or ARP.)
Specify the source MAC filter for this ACE.
Any: No SMAC filter is specified. (SMAC filter status is "don't-care".)
Specific: If you want to filter a specific source MAC address with this ACE, choose
this value. A field for entering an SMAC value appears.
SMAC Value
When "Specific" is selected for the SMAC filter, you can enter a specific source MAC
address. The legal format is "xx-xx-xx-xx-xx-xx" or "xx.xx.xx.xx.xx.xx" or
"xxxxxxxxxxxx" (x is a hexadecimal digit). A frame that hits this ACE matches this
SMAC value.
90
DMAC Filter
Specify the destination MAC filter for this ACE.
Any: No DMAC filter is specified. (DMAC filter status is "don't-care".)
MC: Frame must be multicast.
BC: Frame must be broadcast.
UC: Frame must be unicast.
Specific: If you want to filter a specific destination MAC address with this ACE,
choose this value. A field for entering a DMAC value appears.
DMAC Value
When "Specific" is selected for the DMAC filter, you can enter a specific destination
MAC address. The legal format is "xx-xx-xx-xx-xx-xx" or "xx.xx.xx.xx.xx.xx" or
"xxxxxxxxxxxx" (x is a hexadecimal digit). A frame that hits this ACE matches this
DMAC value.
Buttons
Apply – Click to save changes.
Reset- Click to undo any changes made locally and revert to previously saved
values.
Auto-refresh:
To evoke the auto-refresh to refresh the information automatically.
Upper right icon (Refresh, clear, Remove All)
You can click them for refresh the ACL configuration or clear them by manual.
Others remove all to clean up all ACL configurations on the table.
91
2-5.2.4 IP Source Guard
The section describes to configure the IP Source Guard detail parameters of the switch.
You could use the IP Source Guard configure to enable or disable with the Port of the
switch.
2-5.2.4.1 Configuration
This section describes how to configure IP Source Guard setting including
Mode (Enabled and Disabled)
Maximum Dynamic Clients (0, 1, 2, Unlimited)
Web Interface
To configure an IP Source Guard Configuration in the web interface:
1. Select “Enabled” in the Mode of IP Source Guard Configuration.
2. Select “Enabled” of the specific port in the Mode of Port Mode Configuration.
3. Select Maximum Dynamic Clients (0, 1, 2, Unlimited) of the specific port in the
Mode of Port Mode Configuration.
4. Click Apply.
Figure 2-5.2.4.1: The IP Source Guard Configuration
Parameter description:
92
Mode of IP Source Guard Configuration :
Enable the Global IP Source Guard or disable the Global IP Source Guard. All
configured ACEs will be lost when the mode is enabled.
Port Mode Configuration :
Specify IP Source Guard is enabled on which ports. Only when both Global Mode
and Port Mode on a given port are enabled, IP Source Guard is enabled on this
given port.
Max Dynamic Clients :
Specify the maximum number of dynamic clients that can be learned on given port.
This value can be 0, 1, 2 or unlimited. If the port mode is enabled and the value of
max dynamic client is equal to 0, it means only allow the IP packets forwarding that
are matched in static entries on the specific port.
93
Loading...
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use