Linksys SFE2000P, SFE2000 User Manual

SFE2000/SFE2000P Fast Ethernet Switch Reference Guide

December 2007

LINKSYS ONE COMMUNICATIONS SOLUTION

Specifications are subject to change without notice.

Linksys, the Cisco Systems logo, the Linksys Logo, and the Linksys One logo are registered trademarks of Cisco Systems, Inc. All other trademarks mentioned in this document are the property of their respective owners.

Document Revision History

Revision Date Description

1.0 December 2007 Added switch stacking information.

Contents

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Contents

Chapter 1: Getting Started . . . . . . . . . . . . . . . . . . . 1

Starting the Application 1 Understanding the Interface 4

Device Representation 5 Using the Linksys Management Buttons 6 Using Screen and Table Options 7

Adding Device Information 7

Modifying Device Information 7

Deleting Device Information 8 Resetting the Device 9 Logging Off The Device 9

Chapter 2: Managing Device Information . . . . . . . . . . . . . 11

Understanding the Device Zoom View 11 Defining General System Information 12

SFE 2000P System Information 12 Managing Stacks 13 Building Automatically-Configured Stacks 14

Building a New Stack 14

Adding Units to a Running Stack 14 Building Manually-Configured Stacks 14

Building a New Stack 14

Adding Units to a Running Stack 14 Understanding Stack Resiliency 15 Understanding Advanced Stacking 15

Unit IDs 15

Stack Master 15 Stack Backup Master 15 Stack Members 16 Master-Enabled Units 16 Unit ID Allocation 16

Stack Unit Startup Process 17

Master Discovery Process 17 Master Election Process 17 Unit ID Allocation and Duplicate Unit ID Conflict Resolution 18

Configuring Units and Ports 19

Setting the Unit’s Operational Mode 19

Configuring the Stack Master and Unit ID 19

Resetting the Unit to Factory Default Mode 21

Understanding LED Indicators 21 Stack Troubleshooting and Maintenance 21

Replacing a Failed Member Stack Unit in an Operational Stack 21

Replacing a Failed Stack Master Unit in an Operational Stack 23

Contents

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Splitting a Stack 24

The Stack Master and Backup Master Units Remain in a Group 24 The Stack Master or the Backup Master Unit Remains in a Group 24 Neither the Stack Master Unit or the Backup Master Unit Remains in the Group 25

Merging Two Stacks 26 Understanding Stacking Cable Failure 27 Inserting Too Many Units into a Stack 27 Inserting a Standalone Unit into a Running Stack 28 Viewing Device Health 28

Chapter 3: Managing Power-over-Ethernet Devices . . . . . . . . . 31

Defining PoE System Information 31

Chapter 4: Configuring Device Security . . . . . . . . . . . . . . 37

Passwords Management 38

Defining User Authentication 38

Defining Authentication 40

Defining Profiles 40 Mapping Profiles 42 Defining TACACS+ 43 Defining RADIUS 47

Defining Access Method 51

Defining Access Profiles 51 Defining Profile Rules 54

Defining Traffic Control 60

Defining Storm Control 60 Defining Port Security 62

Defining 802.1x 66

Defining 802.1X Properties 67 Defining Port Authentication 68 Defining Multiple Hosts 71 Defining Authenticated Host 74

Defining Access Control 75

Defining MAC Based ACL 75 Defining IP Based ACL 77 Defining ACL Binding 84

Defining DOS Prevention 85

Global Settings 85 Defining Martian Addresses 87

Chapter 5: Configuring Device Interfaces . . . . . . . . . . . . . 89

Defining Port Settings 89 Defining LAG Management 94 Defining LAG Settings 96 Configuring LACP 99

Contents

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Chapter 6: Configuring VLANs . . . . . . . . . . . . . . . . 103

Defining VLAN Properties 104 Defining VLAN Membership 106 Defining Interface Settings 108 Configuring GVRP Settings 111 Protocol Group 114 Protocol Port 116

Chapter 7: Configuring IP Information . . . . . . . . . . . . . 119

Domain Name System 120

Defining DNS Server 120

Host Mapping 122 Configuring Layer 2 124

Configuring IP Addressing: 124

IP Interface 124 ARP 125

Configuring Layer 3 129

Configuring IP Addressing 129

IP Interface 129 ARP Proxy 132 UDP Relay 133 DHCP Relay 136 ARP 137

Defining IP Routing 140

Chapter 8: Defining Address Tables . . . . . . . . . . . . . . 143

Defining Static Addresses 144 Defining Dynamic Addresses 146

Chapter 9: Configuring Multicast Forwarding . . . . . . . . . . 149

IGMP Snooping 149 Defining Multicast Bridging Groups 152 Defining Multicast Forwarding 155

Chapter 10: Configuring Spanning Tree . . . . . . . . . . . . . 157

Defining STP on Interfaces 158 Defining Interface Settings 160 Defining Rapid Spanning Tree 164 Defining Multiple Spanning Tree 168

Defining MSTP Properties 169

Instance to VLAN 170

Instance Settings 170

Interface Settings 171

Chapter 11: Configuring SNMP . . . . . . . . . . . . . . . . 177

SNMP v1 and v2 177

Contents

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

SNMP v3 177 Configuring SNMP Security 178

Defining Engine ID 178 Defining SNMP Views 179 Defining SNMP Users 181 Define SNMP Groups 183 Defining SNMP Communities 185

Defining Trap Management 189

Defining Trap Settings 189 Configuring Station Management 190 Defining SNMP Filter Settings 196

Chapter 12: Configuring Quality of Service . . . . . . . . . . . .199

Defining General Settings 200

Defining CoS 201 Defining Queue 202 Mapping CoS to Queue 204 Mapping DSCP to Queue 205 Configuring Bandwidth 205

Defining Advanced Mode 208

Configuring DSCP Mapping 208 Defining Class Mapping 209 Defining Aggregate Policer 211 Configuring Policy Table 214 Defining Policy Binding 217

Defining QoS Basic Mode 219

Chapter 13: Managing System Files . . . . . . . . . . . . . . .221

File Management Overview 221 Firmware Upgrade 222 Save Configuration 223 Copy Files 224 Active Image 225

Chapter 14: Managing System Logs . . . . . . . . . . . . . . .227

Enabling System Logs 227 Viewing the Device Memory Logs 229

Clearing Message Logs 229 Viewing the Flash Logs 230 Clearing Message Logs 230 Viewing Remote Logs 231

Chapter 15: Configuring System Time . . . . . . . . . . . . . .235

Defining System Time 236

Defining SNTP Settings 238 Defining SNTP Authentication 240

Contents

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Chapter 16: Viewing Statistics . . . . . . . . . . . . . . . . . 243

Viewing Ethernet Statistics 243

Defining Ethernet Interface 243

Resetting Interface Statistics Counters 245

Viewing Etherlike Statistics 245

Resetting Etherlike Statistics Counters 247

Viewing GVRP Statistics 247

Resetting GVRP Statistics Counters 249

Viewing EAP Statistics 249 Managing RMON Statistics 252

Viewing RMON Statistics 253

Resetting RMON Statistics Counters 254

Configuring RMON History 255

Defining RMON History Control 255 Viewing the RMON History Table 258

Configuring RMON Events 259

Defining RMON Events Control 259 Viewing the RMON Events Logs 262

Defining RMON Alarms 263

Chapter 17: Managing Device Diagnostics . . . . . . . . . . . . 269

Viewing Integrated Cable Tests 269

Performing Optical Tests 271

Configuring Port Mirroring 272

Defining CPU Utilization 275

Appendix A: Linksys One Contact Information . . . . . . . . . . 277

Contents

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Contents

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Getting Started

This section provides an introduction to the user interface, and includes the following topics:

• Starting the Application

•

Understanding the Interface

• Using the Linksys Management Buttons

• Using Screen and Table Options

• Resetting the Device

• Logging Off The Device

Starting the Application

This section contains information for starting the Linksys User Interface.

Chapter

Note By default, the IP address of the device is assigned dynamically. The IP address can be changed.

It is recommended to configure the IP address statically, if the system is in stack mode, in order to prevent the user from disconnecting from the network in the event of master switchover.

To open the User Interface:

1. Open a web browser.

2. Enter the device’s IP address in the address bar and press Enter. An Appendix 1, "Enter Network Password Page" opens:

Chapter 1:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Enter Network Password Page

3. Enter a user name and password. The default user name is “admin.” with a default password, and can be configured without entering a password. Passwords are both case sensitive and alpha-numeric.

4. Click Login The Embedded Web System Home Page opens:

Note If you have logged in automatically via the Service Router user interface, the Tree and Device

views appear and allow you to navigate through the various areas of the web interface. However, the following page will appear within the frame provided by the Service Router user interface.

The device is not configured

Chapter 1:

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Embedded Web System Home Page

Chapter

Chapter 1:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Understanding the Interface

The following table lists the interface components with their corresponding numbers:

Interface Components

Component Description

Tree View The Tree View provides easy navigation through the configurable device

features.The main branches expand to provide the subfeatures.

2 Device View The device view provides information about device ports, current

configuration and status, table information, and feature components.The device view also displays other device information and dialog boxes for configuring parameters.

3 Table Area The Table area enables navigating through the different device features.

Click the tabs to view all the components under a specific feature.

4 EWS Information The EWS information tabs provide access to the online help, contains

information about the EWS.

Linksys User Interface Components

Chapter 1:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

This section provides the following additional information:

•

Device Representation — Provides an explanation of the Linksys user interface buttons, including both

management buttons and task icons.

•

Using the Linksys Management Buttons — Provides instructions for adding, modifying, and deleting device

parameters.

Device Representation

The Linksys home page displays a graphical representation of the device:

Device Representation

The Linksys home page contains a graphical SFE2000 and SFE2000P front panel illustration.

Chapter 1:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Using the Linksys Management Buttons

Device Management buttons and icons provide an easy method of configuring device information, and include the following:

Device Management Buttons

Button Name Button Description

Apply Applies changes to the device.

Clear All Counters Clears statistic counters

Clear Logs Clears log files

Add Opens an Add page

Delete Removes entries from tables

Reset the settings of Selected Port to Default

Test Now Performs cable tests.

Resets the settlings of a selected port to the default settings

Chapter 1:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Using Screen and Table Options

Linksys contains screens and tables for configuring devices. This section contains the following topics:

• Appendix 1, "Adding Device Information"

• Appendix 1, "Modifying Device Information"

• Appendix 1, "Deleting Device Information"

Adding Device Information

User defined information can be added to specific EWS pages, by opening a new Add page. To add information to tables or EWS pages:

1. Open an EWS page.

2. Click the Add button. An add page opens, for example, the Add SNTP Server Page:

Add SNTP Server

3. Define the fields.

4. Click Apply. The configuration information is saved, and the device is updated.

Modifying Device Information

1. Open the EWS page.

2. Select a table entry.

3. Click the Edit Button. A Modify page opens, for example, the Interface priority Page opens:

Chapter 1:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Edit Interface Priority

4. Define the fields.

5. Click Apply. The fields are modified, and the information is saved to the device.

Deleting Device Information

1. Open the EWS page.

2. Select a table row.

3. Check the Remove checkbox.

4. Click the Delete button. The information is deleted, and the device is updated.

Chapter 1:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Resetting the Device

The Reset page enables the device to be reset from a remote location. Save all changes to the Running Configuration file before resetting the device. This prevents the current device configuration from being lost. To reset the device:

1. Click System > General > Reset. The Reset page opens.

Reset Page

2. Click the Reset button. resetting the entire stack. If the master unit is reset, the device is reset, and a prompt for a user name and password is displayed.

3. Enter a user name and password to reconnect to the Web Interface, if the stack is not part of a full Linksys One system. If the stack is part of a Linksys One system, login is automatically done from the Service Router.

Each unit can be reset individually. Resetting the stack master results in

Logging Off The Device

1. Click . The system logs off. The Embedded Web System Home Page closes.

Chapter 1:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Chapter 1:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Managing Device Information

This section provides information for defining both basic and advanced system information. This section contains the following topics:

• Understanding the Device Zoom View

• Defining General System Information

• Managing Stacks

Understanding the Device Zoom View

The Zoom Page is the main window used for viewing the devices either in stand-alone mode or operating in a stack. To open the Zoom Page:

1. Click the System > System Management > Zoom. The Zoom Page opens:

Zoom Page

The Zoom Page contains the following port indicators:

•

Green — Indicates the port is currently operating.

• Red — indicates the port is not currently operating.

Chapter 2:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Defining General System Information

SFE 2000P System Information

The System Information page contains parameters for configuring general device information.

SFE 2000P System Information Page

The System Information page contains the following fields:

• Model Name — Displays the user defined user name.

• System Name — Displays the user configured name of the system. Configured in the Network page.

• System Location — Defines the location where the system is currently running. The field range is up-to 0-160 Characters.

• System Contact — Defines the name of the contact person.The field range is up to 0-160 Characters.

• System Object ID— Displays the vendor’s authoritative identification of the network management subsystem contained in the entity.

• System Up Time — Displays the amount of time that has elapsed since the last device reset. The system time is displayed in the following format: Days, Hours, Minutes and Seconds. For example: 41 days, 2 hours, 22 minutes and 15 seconds.

Chapter 2:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

• Base MAC Address — Displays the device MAC address. If the system is in stack mode, the Base MAC Address of the master unit is displayed.

• Hardware Version — Displays the hardware version number. If the system is in stack mode, the hardware version of the master unit is displayed.

• Software Version — Displays the software version number. If the system is in stack mode, the version of the master unit is displayed.

• Boot Version — Indicates the system boot version currently running on the device. If the system is in stack mode, the version of the master unit is displayed.

• Switch Operation Mode After Reset — Indicates the mode the device operates in after the system is reset. A switch may operate in one of two modes: stack or standalone. Either mode is selected by the user during software boot or in the web interface’s System Information page. The new mode takes effect after the unit is reset. The factory default is stack mode. The possible field values are:

– Standalone — Indicates the device operates as a Standalone device after the system is reset.

A switch operating in standalone mode runs as an independent, single unit. All ports of a standalone switch operate as normal Ethernet links. A standalone switch does not participate in a stack even if physically connected to a stack.

– Stack — Indicates the device operates as a Stacked unit after the system is reset. A switch

operating in stack mode is not an independent unit, but a member of an organized group of switches known as a stack. A stack consists of one Stack Master control switch, one Master Backup switch and up to six Stack Member switches. In some cases, a unit in stack mode that is not connected to any other units may operate as a “stack–of-one.”

2. Define the relevant fields.

3. Click Apply. The system information is defined, and the device is updated.

Managing Stacks

Stacking allows you to build a switch with many more ports than would be available in a single unit. The stack is managed by one of the units (called the Stack Master) and all of the other units serve as ports only.

You can build stacks by building a new stack from a group of switches, or adding new units to an existing stack. Stacks can be automatically or manually configured.

NOTE: Two ports of each unit in a stack mode (ports 12 and 24 on GE units, and ports G1 and G2 on FE units) are reserved for stacking links, and cannot be used for regular network connections.

Chapter 2:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Building Automatically-Configured Stacks

Building a New Stack

The easiest way to build a stack is to use a group of switches, each of which is in factory default mode:

NOTE: If the units to be used in building the new stack have been used previously, we recommend that you reset them to the factory default by holding the reset button for at least 10 seconds before using them.

1. Connect the units physically through the stacking ports, using standard Ethernet cables.

2. Power the units on. After a short interval the stack becomes operational, with one of the units selected as the Stack Master. The unit selected as Stack Master is indicated by a lit green “MST” LED on its front panel. If a serial console connection is desired, the serial cable should be connected to the console port of the unit serving as the Stack Master.

Adding Units to a Running Stack

1. Reset the units that will be added by restoring them to the factory default mode. Connect the units physically to the stack.

2. Power the units on. After a short interval, they will become members of the stack.

Building Manually-Configured Stacks

You can manually configure stacks, including choosing a specific unit as the Stack Master. You must assign a unique Unit ID (from 1 to 8) to each stack member.

Building a New Stack

1. Reset all relevant units to by restoring them to the factory default mode.

2. Connect the units physically through the stacking ports, using standard Ethernet cables.

3. Assign each unit its desired number, making sure no duplicates exist, and reset the stack.

Adding Units to a Running Stack

1. Reset the units to be added by restoring them to the factory default mode.

2. Connect the units physically to the stack.

Chapter 2:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

3. Power the units on. After a short interval, they will become stack members, but will have automatically-assigned Unit IDs. Assign each such unit its desired Unit ID (using the Stack Management Interface through the console port, by Telnet, or by using the graphical user interface (GUI).

4. Reset the units to make this assignment permanent.

NOTE: We recommended that if you manually assign a Unit ID to one unit, you manually assign Unit IDs to all units. Using a mix of both system-assigned and manuallyassigned IDs in your network can impact system performance.

The unit that is assigned the Unit ID 1 is the Stack Master, and its front panel “MST” LED lights green. The unit assigned the Unit ID 2 is the Backup Master.

Understanding Stack Resiliency

Stacks can be configured in ring or chain topologies. We recommend configuring the stack in ring topology, due to the high resiliency in case of unit failure or stacking links failure.

Additionally, if a redundant power supply is present, we recommend connecting the Stack Master and Backup Master units to the redundant power supply.

Understanding Advanced Stacking

To understand advanced stacking, you must understand Unit IDs and how they are allocated, and the stack unit startup process.

Unit IDs

Each unit in a stack has an assigned unique Unit ID number. The following sections describe the Unit IDs and their characteristics.

Stack Master

The unit assigned the Unit ID number 1 serves as the Stack Master. All other units are stack members. The Stack Master provides a single point of control, configuration and management for the entire stack, and stores the configuration for all stack members. (Members do not store any configuration information.)

Stack Backup Master

The unit assigned the Unit ID number 2 is a special stack member that serves as the stack Backup Master. A stack Backup Master assumes the role of Stack Master for the remaining stack members if the stack Master fails or is disconnected.

Chapter 2:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

The Stack Master stores a copy of the active configuration on the Backup Master. This copy is used only if the Backup Master assumes the role of Stack Master.

NOTE: Only the configuration file is copied. Any dynamically-filled tables (for example, learned addresses) are not copied from the Stack Master to the Backup Master. If the Backup Master assumes the role of Stack Master, it builds its own dynamic tables.

Stack Members

The units assigned the Unit IDs 3 through 8 are called stack members. A stack member operates only as a member of the stack under the direction of an operational Stack Master (or a Backup Master that has assumed the Stack Master role). Stack members are not directly manageable and configurable, and must be managed through the Stack Master. They do not contain any meaningful configuration information, including their own configuration. If an operational Stack Master is not present and reachable, these units are not functional.

Master-Enabled Units

Units that are assigned a Unit ID number of 1 or 2 are called master-enabled units. Only master-enabled units participate in the Master Election process (see below) when they are initialized, are inserted into a new stack, or lose connectivity with the existing Stack Master. Only master-enabled units participate in the Master Election process and can become the Stack Master or Backup Master. (Units that are assigned a Unit ID of 3 through 8 can only become a Stack Master or a Backup Master if they are manually configured by the system administrator or if they are reset to the factory default mode.)

Unit ID Allocation

Units are shipped from the factory without an assigned Unit ID, and must be assigned a unique Unit ID before they can operate as part of a stack. Unit ID numbers are assigned to units in one of two ways:

• Unit ID numbers are assigned by the system administrator, and can be changed only manually by the system administrator.

• Unit ID numbers are allocated to a stack member unit by the Stack Master during system initialization.

A unit that was assigned a Unit ID will usually keep this number even after it is rebooted. The Stack Master may reallocate Unit IDs during system initialization to resolve duplicate Unit ID conflicts (see below). Manually assigned Unit IDs cannot be changed by the Stack Master, even if there is a conflict.

Unit ID assignment or change takes effect only during system initialization and does not take place during system runtime. Units of a stack do not have to be numbered in sequence, and can be interconnected as long as each unit has a unique ID and at least one unit of the stack serves as Stack Master.

Chapter 2:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Stack Unit Startup Process

When a unit in stack mode is initialized (powered up or rebooted), it goes through the following steps:

1. The Master Discovery and Master Election processes.

2. Unit ID allocation by the Stack Master (including duplicate Unit ID conflict resolution).

3. Unit and port configuration by the Stack Master.

Master Discovery Process

When a unit in stack mode initializes, its behavior depends on its Unit ID (if one is configured):

• If the unit does not have a current Unit ID (that is, the unit is in factory default mode) and if there is a Stack Master, the unit is allocated a Unit ID number from the Stack Master. If there is no Stack Master, then the unit participates in the Master Election process, and may be chosen as the new Stack Master or Backup Master.

• If the unit’s current Unit ID is 1 or 2 (that was previously allocated, even if used in a different stack), then the unit participates in the Master Election process.

• If the unit has a current Unit ID (that was previously allocated, even if used in a different stack), the unit tries to act according to its Unit ID number in the new stack. For example, if the unit’s current Unit ID is 3 through 8, it will try to connect to the running Stack Master, and will not proceed to the next stage until contact with the Stack Master is made. These units will not participate in the Master Election process, and if no Stack Master is present, the units are effectively shut down.

The Stack Master and all other stack units carry out a continuous process of Master Discovery by frequently exchanging stack control messages. This allows units to know if another unit fails or becomes unreachable.

Master Election Process

When units in stacking mode initialize, one of the units is elected as the Stack Master. If a unit in the stack was set to “Force Master” by the system administrator, that unit is elected as the Stack Master. Only master-enabled stack units (for example, those with the Unit ID of 1 or 2) can be configured as “Force Master.”

If the stack contains units whose unique Unit ID is 1 or 2, then one of these two units will be the Stack Master. It does not matter if the Unit ID was originally assigned automatically or manually. These units are called master-enabled units. If there is only one master-enabled unit, it will be elected as the Stack Master (even if its Unit ID is 2).

If there are two master-enabled units, the two units decide which of them is the Master by checking which one has been running for a longer time (in intervals of 10 minutes). The unit that has been running for the longer time will be the Stack Master. If they have been running for the same amount of time, the unit with the Unit ID of 1 will be the Stack Master. If both units have been running for the same amount of time and both units have the same Unit ID, the unit with a lower MAC (hardware) address will be selected as the Stack Master.

Chapter 2:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

If the stack contains one or more units without a current Unit ID (the units are in factory default mode), then one of these units will be the Stack Master. The unit selected to be the Stack Master is the one running for the longest time (in intervals of 10 minutes), or, if all units are running for the same amount of time, the one with the lowest MAC (hardware) address.

The Master Election process ensures that the stack has a Stack Master. The Stack Master has the Unit ID of 1 and the Backup Master, if it exists, has the Unit ID of 2. Alternatively, the Stack Master has the Unit ID of 2 and the Backup Master, if it exists, has the unit ID of 1.

If a master-enabled unit is added to a stack and powered on, when it comes up it invokes the Master Election process, even though the rest of the stack already has an elected master. Because the unit is new, it loses the election and joins as a stack member or Backup Master.

Unit ID Allocation and Duplicate Unit ID Conflict Resolution

After a Stack Master is elected, it allocates Unit IDs to units that do not have a currently assigned Unit ID (units that are in factory default mode). The Stack Master also attempts to resolve all cases of units with duplicate Unit IDs. The Stack Master changes the Unit IDs of units that have a duplicate current Unit ID, provided that there are available, unused Unit IDs. In a merged stack, if the Stack Master unit remains as the Stack Master, units that were in its group will keep their unit IDs. Members of other groups are renumbered.

If the conflict occurs after the units reboot, the conflict is resolved as follows:

• If both duplicate units are in auto (self ordering) mode, then the unit ID with the lower MAC (hardware) address will keep its unit ID. The other unit is assigned a new unit ID.

• If one of the duplicates is in auto (self ordering) mode, and the other unit is in manual mode, then the manual mode unit will keep its ID and the other is assigned a new unit ID.

• If both duplicate units are in manual mode, then both of them are shut down.

If the Stack Master is able to allocate a unique Unit ID to each unit, then all units can operate as a stack. If the Stack Master is unable to allocate a Unit ID to a unit, that unit is effectively shut down and will not participate in the stack. For example, units with a conflicting manually-set Unit ID number are shut down because the Stack Master cannot override the system administrator’s assignment and resolve the conflict.

If there are more units than the maximum number allowed in a stack, and the incoming units are already in factory default mode (they do not have unit ID assigned), then a Stack Master is elected following the Master Discovery and Master Election processes. All other units remain shut down.

Chapter 2:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Occasionally, due to a race condition during the boot process, some of the units might be connected and join the stack. If the incoming units already have a unit ID, then none of them will join the stack and all are left in shutdown mode because there is no way for the Stack Master to determine their Unit ID preference.

NOTE: If a unit is shut down, its stacking links are inactive. If the stacking units are connected in a chain topology, the shutdown of one unit breaks the chain and can cause other units to be shut down if they have no active link to the Stack Master unit.

Configuring Units and Ports

After the Master Discovery and Master Election processes, each unit in the stack has a unique Unit ID, one of the units is the Stack Master, and one of the units may serve as the Backup Master. The Stack Master then configures each of the member units and its ports according to the configuration file present on the Stack Master. If the stack has a Backup Master, the configuration file is copied to the Backup Master.

After all the units and ports are configured, the stack enters normal operational mode. If a change is made to the system configuration, the change is stored by the Stack Master and is copied to the Backup Master if one exists.

You can use the command-line interface (CLI) or GUI to configure the stack units.

Setting the Unit’s Operational Mode

Use the GUI to set the unit’s operational mode to standalone or stack. This configuration takes effect after the next reboot.

Configuring the Stack Master and Unit ID

The Stack Management Page allows network managers to either reset the entire stack or a specific device. Device configuration changes that are not saved before the device is reset are not saved. If the Stack Master is reset, the entire stack is reset.

To open the Stack Management Page:

Click System > System Management > Stack Management. The Stack Management Page opens:

Chapter 2:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Stack Management Page

The Stack Management Page contains the following fields:

• Master Election — Indicates the method of electing the Stack Master device. The possible values are:

– Automatically — The master is selected automatically by software.

– Force Master — The unit is forced to be master of the stack. Note that only units with the

Unit ID of 1 or 2 can be the stack master.

• Stacking Ports After Reset — Allows the user to decide what cable type is in use. The possible values are:

– Combo Ports — Indicates that the combo port is used as the stacking port.

– Copper Ports — Indicates that the copper port is used as the stacking port.

• Unit No.— Displays the current Stacking Master.

• Unit No. After Reset — Indicates the stacking member elected Stacking Master after the device is reset.

2. Define the relevant fields.

3. Click Apply. Stack management is defined, and the device is updated.

Chapter 2:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Resetting the Unit to Factory Default Mode

To reset the unit to the factory default settings, press the front panel RESET button (see Figure 3.) The unit is set to Stack mode with a Unit ID of 0.

Understanding LED Indicators

Each unit contains a Master LED indicator and eight unit LEDs. The LED status definitions are shown in the table below.

LED Mode Color Description

Master Solid Green The switch is the Stack Master.

Off N/A The switch is not the Stack Master or the switch is

not stacked.

ID n Solid Green The switch is Unit ID n.

Off N/A The switch is not Unit ID n or the switch is not

stacked.

All ports Solid Red The switch is powered on, but not operational.

Stack Troubleshooting and Maintenance

Replacing a Failed Member Stack Unit in an Operational Stack

If a unit that is not the Stack Master fails in an operational stack, the Stack Master discovers that the unit is no longer responding during the Master Discovery process. The Stack Master directs all other stack members to route unit-to-unit traffic around the failed unit using the ring topology of the stacking connections. Concurrently, the Stack Master notifies the system administrator of the failure by sending SYSLOG messages and SNMP traps.

Because all traffic has been routed around the failed unit, when it is disconnected from the stack, the stack continues to run as long as all other stacking connections are left intact.

Chapter 2:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

When a new unit is inserted in the stack and powered on, the following occurs:

1. The incoming unit, which is in stack mode, performs the Master Discovery process, and may participate in the Master Election process.

• If the incoming unit has a Unit ID of 1 or 2 (it is a master-enabled unit) it initiates the Master

Election process. However, because the running Stack Master has a longer runtime, the current Stack Master retains its position and the incoming unit does not become the new Stack Master.

• If the incoming unit has a Unit ID of 3 through 8, it attempts to become a member unit of the

stack, subject to control by the already running Stack Master, and the Master Election process does not occur.

2. The Stack Master performs Unit ID allocation and the conflict resolution process.

• If the incoming unit did not have an assigned Unit ID (that is, it is in factory default mode), it is

assigned the lowest available Unit ID by the Stack Master. We recommend that you use the automatically-assigned unit ID mode because it provides better resiliency to the stack.

• If the incoming unit already has an assigned Unit ID, and that Unit ID is unused in the current

stack, the incoming unit keeps its assigned Unit ID and the Stack Master applies any configuration relevant to that Unit ID to the incoming unit.

• If the incoming unit already has an assigned Unit ID, and that Unit ID conflicts with a unit ID in

the current stack, the Stack Master allocates a new Unit ID to the incoming unit, giving it the lowest available Unit ID. However, if the incoming unit has a manually assigned Unit ID, the Stack Master cannot change it. If the incoming unit cannot be assigned an available Unit ID, then it is shut down and is not joined to the stack.

3. The Stack Master performs unit and port configuration for the incoming unit.

• Any configuration information that is relevant to the number assigned to the incoming unit is

applied by the Stack Master. For example, if the incoming unit is assigned the same Unit ID of the unit it replaced, then when possible, it receives the same configuration as the failed unit.

• If the incoming unit is identical to the replaced unit, the entire configuration of the replaced unit

is applied to the incoming unit and the stack returns to the state it was in before unit failure.

If the incoming unit is not identical to the unit that failed, the Stack Master applies the configuration in the following manner:

• If a 24-port unit replaces a failed 48-port unit, the ports of the incoming unit are configured

according to the configuration of the first 24 ports of the failed unit.

NOTE: The configuration of all 48 ports of the failed unit is kept in memory, even though the first 24 are currently applied. If, in the future, a 48 port unit is inserted and assigned the same Unit ID, it is configured the same as the original failed 48-port unit.

Chapter 2:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

• If a 48-port unit replaces a 24-port unit, then the first 24 ports of the incoming unit are configured according to configuration of the ports of the failed unit. The remaining ports of the incoming are configured according to the default settings.

• If the units have uplink ports, then the first uplink port of the incoming unit is configured according to the configuration of the first uplink port of the failed unit.

Replacing a Failed Stack Master Unit in an Operational Stack

When the Stack Master unit fails, the stack Backup Master, using the Master Discovery process, discovers that the Stack Master unit no longer responds. The Backup Master takes over as the Stack Master. The Backup Master (now the Stack Master) directs all other stack members to route unit-to-unit traffic around the failed unit using the ring topology of the stacking connections. Concurrently, the Backup Master notifies the system administrator of the failure by sending SYSLOG messages and SNMP traps.

Because all traffic has been routed around the failed unit, when it is disconnected from the stack, the stack continues to run as long as all other stacking connections are left intact.

When a new unit is inserted in the stack and powered on, the following occurs:

1. The incoming unit, which is in stack mode, performs the Master Discovery process, and may participate in the Master Election process.

• If the incoming unit has a Unit ID of 1 or 2 (it is a master-enabled unit) it initiates the Master

Election process. However, because the running stack Backup Master has a longer runtime (if it has been running for more than 10 minutes) it remains the Stack Master and the incoming unit does not become the new Stack Master. This can cause an incoming unit with a Unit ID of 1 to serve as the stack Backup Master, while the current unit with the Unit ID of 2 remains the active Stack Master.

2. The Stack Master performs Unit ID allocation and the conflict resolution process.

• If the incoming unit did not have an assigned Unit ID (that is, it is in factory default mode), it is

assigned the lowest available Unit ID by the Stack Master. We recommend that you use the automatically-assigned unit ID mode because it provides better resiliency to the stack.

• If the incoming unit already has an assigned Unit ID, and that Unit ID is unused in the current

stack, the incoming unit keeps its assigned Unit ID and the Stack Master applies any configuration relevant to that Unit ID to the incoming unit.

• If the incoming unit already has an assigned Unit ID, and that Unit ID conflicts with a unit ID in

Chapter 2:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

3. The Stack Master performs unit and port configuration for the incoming unit.

• Any configuration information that is relevant to the number assigned to the incoming unit is applied by the Stack Master. For example, if the incoming unit is assigned the same Unit ID of the unit it replaced, then when possible, it receives the same configuration as the failed unit.

• If the incoming unit is identical to the replaced unit, the entire configuration of the replaced unit is applied to the incoming unit and the stack returns to the state it was in before unit failure.

Splitting a Stack

A working stack can be split into two groups, either by failure of a stacking link connecting two units in the stack, or by a failed unit in a chain topology that causes disconnection between two units in the stack. In this case, each group is considered as an independent running stack configuration. For each group, there are three scenarios.

The Stack Master and Backup Master Units Remain in a Group

In this scenario, the Stack Master routes around the missing units. The Master Discovery, Master Election and Unit ID Allocation & Duplicate Unit ID Conflict Resolution processes occur with the following results:

• Any configuration information contained in the Stack Master that is relevant to the units which remained in the split group remains unchanged.

• Topology information (the information for each unit on how to send traffic to any other unit in the stack) managed by the Stack Master includes only units that are reachable (connected) following the split.

• The split stack continues to work as it previously did, but with fewer units.

• No unit ID changes are performed in each of the split stacks.

• The Stack Master notifies the system administrator of the removed units and ports that belong to

the unreachable units by sending SYSLOG messages and SNMP traps. They are reported as “not present.”

The Stack Master or the Backup Master Unit Remains in a Group

If the Stack Master unit remains in the group, the scenario described in “Replacing a Failed Member Stack Unit in an Operational Stack” applies. If the Backup Master unit remains in the group, the scenario described in “Replacing a Failed Stack Master Unit in an Operational Stack” applies.

NOTE: If the stack is split in two groups, one with the Stack Master and one with the Backup Master, both groups will function.

Chapter 2:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

The Master Discovery, Master Election and Unit ID Allocation & Duplicate Unit ID Conflict Resolution processes occur with the following results:

• If the Stack Master unit remains in the split stack, the Stack Master discovers (using the Master Discovery process) that the Master Backup unit no longer responds. The Stack Master notifies the system administrator (using SYSLOG messages and SNMP traps) of the removed units and ports that belong to the unreachable units and they are reported as “not present.”

• If the Backup Master unit remains in the split stack, the Backup Master determines this as a case of Stack Master failure and takes over and manages the remaining units as a stack while keeping its previous Unit ID number. Because the Backup Master was not acting as a master prior to the split, it initiates a topology database and ports learning process. Traffic might be halted for a short period of time until synchronization (unit and port configuration) is completed. New units discovered by the Backup Master notify the system administrator (using SYSLOG messages and SNMP traps).

• The partial stacks both continue to work as they did previously, but with fewer units.

• No unit ID changes are performed in each of the partial stacks.

• If each part of the stack has a Stack Master (for example, one contains the original Stack Master, and one contains the Backup Master), and are operating as two separate stacks, both Stack Masters contain the same configuration and use the same IP address.

CAUTION: If both Stack Masters use the same IP Address, problems can occur on the network, because users cannot connect to one of the stacks through its IP address.

Neither the Stack Master Unit or the Backup Master Unit Remains in the Group

This scenario is the same as that of a failed Stack Master where no Backup Master is available. The following concepts apply:

• Units whose ID numbers are 3 through 8 in this part of the original stack will not renumber themselves, and will remain shut down until a master-enabled unit is connected and begins to operate as the Stack Master. The Master Discovery process discovers that the Stack Master has failed.

• In this group, the units lose connection with the Stack Master. Since they began as a running stack and none of them are in factory default mode, renumbering does not occur, and even a reset of the units will not affect unit ID assignment, because units can be renumbered only by a Stack Master.

• No unit ID changes are performed in each one of the two groups.

Chapter 2:

NOTE: None of the units in either group will renumber

themselves.

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Merging Two Stacks

To merge two working stacks and create one stack, first decide if you will merge the stacks while the incoming units are powered off during insertion, or if both stacks will be running when merged.

If the incoming units are powered off, follow the procedures described in “Building a New Stack” in the “Building Automatically-Configured Stacks” or “Building Manually-Configured Stacks” sections. Repeat the process for each unit inserted into the stack.

If both stacks to be merged are running (for example, you are connecting the stacking cables of two stacks), the following occurs:

• If each of the joined stacks has a Stack Master unit, both Stack Master units perform the Master Discovery process and participate in the Master Election process. One of the Stack Master units is selected as the Stack Master unit for the merged stack. The criteria for choosing the Stack Master are as follows:

– Force Master: If Force Master is enabled, the unit that is configured as the forced unit is

selected as the Stack Master.

– System Up Time: Up time is measured by quantities of 10-minute intervals. If the number of

10 minute intervals is higher for one of the units, this unit is selected as the Stack Master.

– Lowest Unit ID: If both units have the same up time (measured in intervals of 10 minutes),

the unit with the lowest unit ID is selected as the Stack Master.

– Lowest MAC: If both Master unit ID numbers are equal, the unit with the Lower MAC

address is chosen as the Stack Master.

The Stack Master unit that loses its “mastership” in the Master Election process is renumbered if the unit ID was dynamically allocated. The new Stack Master allocates it a new number and configures it as a stack member or a Backup Master. It will be shut down if the unit ID was manually allocated. We recommend that the administrator configure the unit to receive an auto-assigned Unit ID before reconnecting it to the stack.

NOTE: There will never be two units with the same Unit ID at the end of the merge.

When two stacks are combined, all of the configuration information for one of the stacks is lost. Only the surviving Stack Master (after the discovery and election processes are complete) maintains its configuration information.

Chapter 2:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

We recommend that when combining two stacks, you reset the switches in one stack to factory default mode and then add the switches as described in “Adding Units to a Running Stack” in the “Building Automatically-Configured Stacks” section.

• If one of the merged stacks had neither a Stack Master unit nor a Backup Master unit, then units belonging to this group are inserted into the stack as described in “Replacing a Failed Member Stack Unit in an Operational Stack.” The Master either connects the running units to the stack using the current Unit ID numbers or renumbers them.

NOTE: Any time two stacks are combined into one stack, there is no way to maintain the configuration for both sets of switches. All dynamic information of the units that belong to the portion of the stack that was not re-elected to be the Stack Master is relearned.

Understanding Stacking Cable Failure

If the stacking connection cables fail and cause a stack split, the scenario described in “Merging Two Stacks” applies. This occurs only if the stack uses a chain topology. Single stacking cable failure will not cause a stack split if a ring topology is used.

Inserting Too Many Units into a Stack

If you try to insert too many units into a stack, when all units (existing and newly inserted) are powered on at the same time, the following occurs:

1. A Stack Master is elected following the Master Discovery and Master Election processes.

2. All other units are shut down.

NOTE: Occasionally, due to a race condition during the boot process, some of the units might be connected and join the stack.

When a running group of units is added to an existing stack and each one of the stack groups has an elected Stack Master, and the total of existing units and inserted units exceeds the maximum allowed number of units (8) in a stack:

• The Master Detection and Master Election processes determine the Stack Master out of one of the two combined stacking groups.

• When switches are added to a running stack, the Unit ID Allocation and Duplicate ID conflict resolution processes detect an error if too many switches are present in the stack, and no changes are made to units that originally belonged to the group managed by the newly-elected Stack Master. The original switches retain their ID assignments and configurations. The units that originally belonged to the group managed by the Stack Master that lost its “mastership” are shut down.

Chapter 2:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Inserting a Standalone Unit into a Running Stack

If a unit is in standalone mode, it will not participate in the Master Discovery process (it will not look for a Stack Master and will not respond to master queries). As a result, it will not join the stack but will continue to run as a standalone unit. The ports that are connected to the other units’ stacking links will not pass any traffic, and the Stack Master will consider them as failed stacking links and route all traffic around them.

Viewing Device Health

The Health Page displays physical device information, including information about the device’s power and ventilation sources.

1. Click System > System Management > Health. The Health Page opens:

Health Page

The Health Page contains the following fields:

• Unit No. — Indicates the unit number for which the device information is displayed.

• Power Supply Status — The power supply status. Power supply 1 is displayed as PS1 in the interface, while the redundant power supply is displayed as RPS.

Chapter 2:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

• Fan Status — The fan status. The device has five fans. Each fan is denoted as fan plus the fan number in the interface. The possible field values are:

– OK — The fan is operating normally.

– Fail — The fan is not operating normally.

Chapter 2:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Chapter 2:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Managing Power-over-Ethernet Devices

Power-over-Ethernet (PoE) provides power to devices over existing LAN cabling, without updating or modifying the network infrastructure. Power-over-Ethernet removes the necessity of placing network devices next to power sources.

Power-over-Ethernet can be used in the following applications:

• IP Phones

• Wireless Access Points

•IP Gateways

•PDAs

• Audio and video remote monitoring

Powered Devices are devices which receive power from the device power supplies, for example IP phones. Powered Devices are connected to the device via Ethernet ports. Guard Band protects the device from exceeding the maximum power level. For example, if 400W is maximum power level, and the Guard Band is 20W, if the total system power consumption exceeds 380W no additional PoE components can be added. The accumulated PoE components power consumption is rounded down for display purposes, therefore remove value after decimal point.

NOTE: Due to hardware limitations, the power

measurement accuracy is 4%.

Defining PoE System Information

The PoE Settings Page contains system PoE information for enabling PoE on the device, monitoring the current power usage, and enabling PoE traps.

1. Click Bridging > Port Management > PoE Settings. The PoE Settings Page opens:

Chapter 3:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

PoE Settings Page

The PoE Settings Page displays the currently configured PoE ports and contains the following information:

• Port — Displays the selected port’s number.

• Admin Status — Indicates whether PoE is enabled or disabled on the port. The possible values are:

– Enable — Enables PoE on the port. This is the default setting.

– Disable — Disables PoE on the port.

• Priority — Indicates the PoE ports’ priority. The possible values are: Critical, High and Low. The default is Low.

• Power Allocation (3000-15400 milliwatts) — Indicates the power allocated to the port. The range is 3000-15400 milliwatts.

• Mode — Indicates if the port is enabled to work on PoE. The possible field values are:

– On — Indicates the device is delivering power to the interface.

– Off — Indicates the device is not delivering power to the interface.

– Tes t Fa il — Indicates the powered device test has failed. For example, a port could not be

enabled and cannot be used to deliver power to the powered device.

– Testing — Indicates the powered device is being tested. For example, a powered device is

tested to confirm it is receiving power from the power supply.

Chapter 3:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

– Searching — Indicates that the device is currently searching for a powered device.

Searching is the default PoE operational status.

– Fault — Indicates that the device has detected a fault on the powered device. For example,

the powered device memory could not be read.

• Power Consumption (milliwatts) — Indicates the amount of power assigned to the powered device connected to the selected interface. Devices are classified by the powered device, and the classification information used. The field values are represented in Watts. The possible field values are:

– 0.44 – 12.95 — Indicates that the port is assigned a power consumption level of .44 to 12.95

Watts.

– 0.44 – 3.8 — Indicates that the port is assigned a power consumption level of .44 to 3.8

Watts.

– 3.84 – 6.49 — Indicates that the port is assigned a power consumption level of 3.84 to 6.49

Watts.

– 6.49 – 12.95 — Indicates that the port is assigned a power consumption level of 6.49 to

12.95 Watts.

2. Click the Edit button. The Edit PoE Settings Page opens:

Edit PoE Settings Page

The Edit PoE Settings Page contains the following fields:

• Port — Indicates the specific interface for which PoE parameters are defined, and assigned to the powered interface connected to the selected port.

• Enable PoE — Enables or disables PoE on the port. The possible values are:

– Enable — Enables PoE on the port. This is the default setting.

– Disable — Disables PoE on the port.

• Power Priority Level — Determines the port priority if the power supply is low. The port power priority is used if the power supply is low. The field default is low. For example, if the power supply

Chapter 3:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

is running at 99% usage, and port 1 is prioritized as high, but port 3 is prioritized as low, port 1 is prioritized to receive power, and port 3 may be denied power. The possible field values are:

– Low — Defines the PoE priority level as low. This is the default level.

– High — Defines the PoE priority level as high.

– Critical — Defines the PoE priority level as Critical. This is the highest PoE priority level.

• Power Consumption — Indicates the amount of power assigned to the powered device connected to the selected interface. Devices are classified by the powered device, and the classification information used. The field values are represented in Watts. The possible field values are:

– 0.44 – 12.95 — Indicates that the port is assigned a power consumption level of 0.44 to

12.95 Watts.

– 0.44 – 3.8 — Indicates that the port is assigned a power consumption level of 0.44 to 3.8

Watts.

– 3.84 – 6.49 — Indicates that the port is assigned a power consumption level of 3.84 to 6.49

Watts.

– 6.49 – 12.95 — Indicates that the port is assigned a power consumption level of 6.49 to

12.95 Watts.

• Overload Counter — Indicates the total power overload occurrences.

• Short Counter — Indicates the total power shortage occurrences.

• Denied Counter — Indicates times the powered device was denied power.

• Absent Counter — Indicates the times the power supply was stopped to the powered device because the powered device was no longer detected.

• Invalid Signature Counter — Indicate the times an invalid signature was received. Signatures are the means by which the powered device identifies itself to the PSE. Signature are generated during powered device detection, classification, or maintenance.

• Power Allocation (milliwatts) — Indicates the power allocated to the port. The range is 300015400 milliwatts.

• Mode — Indicates if the port is enabled to work on PoE. The possible field values are:

– On — Indicates the device is delivering power to the interface.

– Off — Indicates the device is not delivering power to the interface.

– Tes t Fa il — Indicates the powered device test has failed. For example, a port could not be

enabled and cannot be used to deliver power to the powered device.

– Testing — Indicates the powered device is being tested. For example, a powered device is

tested to confirm it is receiving power from the power supply.

Chapter 3:

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

– Searching — Indicates that the device is currently searching for a powered device.

Searching is the default PoE operational status.

– Fault — Indicates that the device has detected a fault on the powered device. For example,

the powered device memory could not be read.

3. Define the relevant fields.

4. Click Apply. The PoE Settings are defined, and the device is updated.

Chapter

Chapter 3:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Chapter 3:

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Configuring Device Security

The Security Suite contains the following sections:

• Passwords Management

• Defining Authentication

• Defining Access Method

• Defining Traffic Control

• Defining 802.1x

• Defining Access Control

• Defining DOS Prevention

Chapter

Chapter 4:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Passwords Management

The Passwords Management section contains the following screens:

• Defining User Authentication

Note By default, a single user name is defined, “admin,” with no password. An additional user name/

password is configured for use in the Linksys One system.

Defining User Authentication

1. Click Security Suite > Passwords Management > User Authentication. The User Authentication Page Opens:

User Authentication Page

The User Authentication Page contains the following fields:

• User Name — Displays the user name.

2. Click the Add button. The Add Local User Page opens:

Chapter 4:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Add Local User Page

The Add Local User Page contains the following fields:

• User Name — Displays the user name.

• Password — Specifies the new password. The is not displayed. As it entered an “*” corresponding to each character is displayed in the field. (Range: 1-159 characters)

• Confirm Password — Confirms the new password. The password entered into this field must be exactly the same as the password entered in the Password field.

Modifying the Local User Settings

1. Click Security Suite > Passwords Management > User Authentication. The User Authentication Page Opens:

2. Click the Edit Button. The Local User Settings Page opens:

Local User Settings Page

The Local User Settings Page contains the following fields:

• User Name — Displays the user name.

• Password — Specifies the new password. The password is not displayed. As it entered an “*” corresponding to each character is displayed in the field. (Range: 1-159 characters)

• Confirm Password — Confirms the new password. The password entered into this field must be exactly the same as the password entered in the Password field.

3. Define the relevant fields.

4. Click Apply. The local user settings are modified, and the device is updated.

Chapter 4:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Defining Authentication

The Authentication section contains the following pages:

• Defining Profiles

• Mapping Profiles

• Defining TACACS+

• Defining RADIUS

Defining Profiles

1. Click Security Suite > Authentication > Profiles. The Profiles Page opens:

Profiles Page

The Profiles Page contains the following fields:

• Profile Name — Displays the Profile name defined for the Login Table.

• Methods — Specifies the authentication method used for port authentication. The possible field values are:

– Local — Authenticates the user at the device level. The device checks the user name and

password for authentication.

– RADIUS — Authenticates the user at the RADIUS server.

– TACACS+ — Authenticates the user at the TACACS+ server.

Chapter 4:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

– None — Indicates that no authentication method is used to authenticate the port.

2. Click the Add button. The Add Authentication Profile Page opens:

Add Authentication Profile Page

The Add Authentication Profile Page contains the following fields:

• Profile Name — Displays the Authentication profile name.

• Authentication Method — Defines the user authentication methods. The order of the authentication methods indicates the order in which authentication is attempted. For example, if the authentication method order is RADIUS, Local, the system first attempts to authenticate the user on a RADIUS server. If there is no available RADIUS server, then authentication is attempted on the local data base. Note that if the RADIUS server is available, but authentication fails, then the user is denied access. The possible field values are:

– Local — Authenticates the user at the device level. The device checks the user name and

password for authentication.

– RADIUS — Authenticates the user at the RADIUS server.

– TACACS+ — Authenticates the user at the TACACS+ server.

– None — Indicates that no authentication method is used to authenticate the port.

Modify the Authentication Profile

1. Click Security Suite > Authentication > Profiles. The Profiles Page opens:

2. Click the Edit Button. The Edit Authentication Profile Page opens:

Edit Authentication Profile Page

The Edit Authentication Profile Page contains the following fields:

Chapter 4:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

• Profile Name — Displays the Authentication profile name.

• Authentication Methods — Defines the user authentication methods. The possible field values are:

– Local — Authenticates the user at the device level. The device checks the user name and

password for authentication.

– RADIUS — Authenticates the user at the RADIUS server.

– TACACS+ — Authenticates the user at the TACACS+ server.

3. Define the relevant fields.

4. Click Apply. The authentication profile is defined, and the device is updated.

Mapping Profiles

1. Click Security Management > Security Suite > Authentication. The Mapping Profiles Page opens:

Mapping Profiles Page

The Mapping Profiles Page contains the following fields:

• Console — Indicates that Authentication profiles are used to authenticate console users.

• Te ln et — Indicates that Authentication profiles are used to authenticate Telnet users

• Secure Telnet (SSH) — Indicates that Authentication profiles are used to authenticate Secure Shell (SSH) users. SSH provides clients secure and encrypted remote connections to a device.

• Secure HTTP — Configures the device Secure HTTP settings.

Chapter 4:

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Optional Methods — Lists available authentication methods.

– RADIUS — Remote Authorization Dial-In User Service (RADIUS) servers provide

additional security for networks.

– TACACS+ — Terminal Access Controller Access Control System (TACACS+) provides

centralized security user access validation.

– None — Indicates that no authentication method is used to authenticate the port.

Selected Methods — Selects authentication methods from the methods offered in the Optional methods area.

• HTTP — Configures the device HTTP settings.

Optional Methods — Lists available authentication methods.

– RADIUS — Remote Authorization Dial-In User Service (RADIUS) servers provide

additional security for networks.

Chapter

– TACACS+ — Terminal Access Controller Access Control System (TACACS+) provides

centralized security user access validation.

– None — Indicates that no authentication method is used to authenticate the port.

Selected Methods — Selects authentication methods from the methods offered in the Optional methods area.

– None — Indicates that the authentication method is localized.

2. Define the relevant fields.

3. Click Apply. Mapping Profiles is defined, and the device is updated.

Defining TACACS+

The devices provide Terminal Access Controller Access Control System (TACACS+) client support. TACACS+ provides centralized security for validation of users accessing the device. TACACS+ provides a centralized user management system, while still retaining consistency with RADIUS and other authentication processes. TACACS+ provides the following services:

• Authentication — Provides authentication during login and via user names and user-defined passwords.

• Authorization — Performed at login. Once the authentication session is completed, an authorization session starts using the authenticated user name. The TACACS server checks the user privileges.

The TACACS+ protocol ensures network integrity through encrypted protocol exchanges between the device and TACACS+ server. To define TACACS+:

1. Click Security Management > Security Suite > Authentication. The TACACS+ Page opens:

Chapter 4:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

TACACS+ Page

The TACACS+ Page contains the following fields:

• Source IP Address — Displays the device source IP address used for the TACACS+ session between the device and the TACACS+ server.

• Key String — Defines the authentication and encryption key for TACACS+ server. The key must match the encryption key used on the TACACS+ server.

• Timeout for Reply — Displays the amount of time that passes before the connection between the device and the TACACS+ server times out. The field range is 1-30 seconds.

• Host IP Address — Displays the TACACS+ Server IP address.

• Priority — Displays the order in which the TACACS+ servers are used. The default is 0.

• Authentication Port — Displays the port number through which the TACACS+ session occurs. The default is port 49.

• Single Connection — Maintains a single open connection between the device and the TACACS+ server when selected

• Status — Displays the connection status between the device and the TACACS+ server. The possible field values are:

– Connected — There is currently a connection between the device and the TACACS+ server.

– Not Connected — There is not currently a connection between the device and the

TACACS+ server.

2. Click The Add button. The Add TACACS+ Server Page opens:

Chapter 4:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

Add TACACS+ Server Page

The Add TACACS+ Server Page contains the following fields:

• Host IP Address — Displays the TACACS+ Server IP address.

• Priority — Displays the order in which the TACACS+ servers are used. The default is 0.

• Source IP Address — Displays the device source IP address used for the TACACS+ session between the device and the TACACS+ server.

• Key String — Defines the authentication and encryption key for TACACS+ server. The key must match the encryption key used on the TACACS+ server.

• Authentication Port — Displays the port number through which the TACACS+ session occurs. The default is port 49.

• Timeout for Reply — Displays the amount of time that passes before the connection between the device and the TACACS+ server times out. The field range is 1-30 seconds.

• Single Connection — Maintains a single open connection between the device and the TACACS+ server when selected

• Use Default — Uses the device default configuration.

3. Add a TACACS+ server.

4. Click Apply. The TACACS+ server is added, and the device is updated.

Modifying TACACS+ Settings

1. Click Security Management > Security Suite > Authentication. The TACACS+ Page opens:

2. Click the Edit Button. The TACACS+ Settings Page opens:

Chapter 4:

Chapter

SFE2000/SFE2000P Gigabit Ethernet Switch Reference Guide

TACACS+ Settings Page

The TACACS+ Settings Page contains the following fields: