Niveo NGSME24G4S User Manual

24-Port 10/100/1000Base-T + 4-Port 10G SFP+
Full Management Stackable High Power PoE Switch
Version 2.0
FCC/CE Mark Warning
FCC Warning
This Equipment has been tested and found to comply with the limits for a Class-A digital device, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy. It may cause harmful interference to radio communications if the equipment is not installed and used in accordance with the instructions. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
- Consult the dealer or an experienced radio/TV technician for help.
CE Mark Warning
This is a Class-A product. In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures.
Table of Contents
Before Starting...........................................................................................................................10
Intended Readers ................................................................................................................... 11
Icons for Note, Caution, and Warning .................................................................................. 11
Product Package Contents ....................................................................................................12
Chapter 1: Product Overview .................................................................................................13
1.1. Product Brief Description ...............................................................................................14
1.2. Product Specification .....................................................................................................15
1.3. Hardware Description .....................................................................................................18
1.4. Hardware Installation ......................................................................................................19
Chapter 2: Preparing for Management ..................................................................................20
2.1. Preparation for Serial Console .......................................................................................21
2.2. Preparation for Web Interface ........................................................................................23
2.3. Preparation for Telnet/SSH Interface .............................................................................25
Chapter 3: Web Management .................................................................................................27
3.1. Web Management - Configure ........................................................................................28
3.1.1. Configuration - System ............................................................................................30
3.1.1.1. System - Information .........................................................................................30
3.1.1.2. System - IP .........................................................................................................31
3.1.1.3. System - IPv6 ......................................................................................................32
3.1.1.4. System - NTP ......................................................................................................33
3.1.1.5. System - Time .....................................................................................................34
3.1.1.6. System - Log ......................................................................................................36
3.1.2. Configuration - Power Reduction ............................................................................37
3.1.2.1. Power Reduction - EEE......................................................................................37
3.1.3. Configuration - Ports ................................................................................................38
3.1.4. Configuration - Security ...........................................................................................40
3.1.4.1. Security - Switch - Users ...................................................................................40
3.1.4.2. Security - Switch - Privilege Level ....................................................................42
3.1.4.3. Security - Switch - Authentication Method .......................................................44
3.1.4.4. Security - Switch - SSH ......................................................................................45
3.1.4.5. Security - Switch - HTTPS .................................................................................46
3.1.4.6. Security - Switch - Access Management ..........................................................47
3.1.4.7. Security - Switch - SNMP ...................................................................................48
3.1.4.7.1. Security - Switch - SNMP - System .............................................................48
3.1.4.7.2. Security - Switch - SNMP - Community ......................................................52
3.1.4.7.3. Security - Switch - SNMP - User .................................................................53
3.1.4.7.4. Security - Switch - SNMP - Groups .............................................................55
3.1.4.7.5. Security - Switch - SNMP - Views ...............................................................56
3.1.4.7.6. Security - Switch - SNMP - Access .............................................................57
3.1.4.8. Security - Switch - RMON ..................................................................................58
3.1.4.8.1. Security - Switch - RMON - Statistics .........................................................58
3.1.4.8.2. Security - Switch - RMON - History ............................................................59
3.1.4.8.3. Security - Switch - RMON - Alarm ...............................................................60
3.1.4.8.4. Security - Switch - RMON - Event ...............................................................62
3.1.4.9. Security - Network - Limit Control ....................................................................63
3.1.4.10. Security - Network - NAS (Network Access Server) .......................................66
3.1.4.11. Security - Network - ACL ..................................................................................77
3.1.4.11.1. Security - Network - ACL - Ports ...............................................................77
3.1.4.11.2. Security - Network - ACL - Rate Limiter ....................................................79
3.1.4.11.3. Security - Network - ACL - Access Control List .......................................80
3.1.4.12. Security - Network - DHCP ..............................................................................96
3.1.4.12.1. Security - Network - DHCP - Snooping .....................................................96
3.1.4.12.2. Security - Network - DHCP - Relay ............................................................97
3.1.4.13. Security - Network - IP Source Guard .............................................................99
3.1.4.13.1. Security - Network - IP Source Guard - Configuration ............................99
3.1.4.13.2. Security - Network - IP Source Guard - Static Table .............................. 100
3.1.4.14. Security - Network - ARP Inspection ............................................................. 101
3.1.4.14.1. Security - Network - ARP Inspection - Configuration ............................ 101
3.1.4.14.2. Security - Network - ARP Inspection - Static Table ................................ 102
3.1.4.15. Security - AAA ................................................................................................ 103
3.1.5. Configuration - Aggregation .................................................................................. 107
3.1.5.1. Aggregation - Static ......................................................................................... 107
3.1.5.2. Aggregation - LACP ......................................................................................... 109
3.1.6. Configuration - Loop Protection ............................................................................ 111
3.1.7. Configuration - Spanning Tree ............................................................................... 113
3.1.7.1. Spanning Tree - Bridge Settings ..................................................................... 113
3.1.7.2. Spanning Tree - MSTI Mapping ....................................................................... 115
3.1.7.3. Spanning Tree - MSTI Priorities ....................................................................... 117
3.1.7.4. Spanning Tree - CIST Ports ............................................................................. 118
3.1.7.5. Spanning Tree - MSTI Ports ............................................................................. 121
3.1.8. Configuration - MVR ............................................................................................... 123
3.1.9. Configuration - IPMC .............................................................................................. 127
3.1.9.1. IPMC - IGMP Snooping .................................................................................... 127
3.1.9.1.1. IPMC - IGMP Snooping - Basic Configuration ......................................... 127
3.1.9.1.2. IPMC - IGMP Snooping - VLAN Configuration ......................................... 129
3.1.9.1.3. IPMC - IGMP Snooping - Port Group Filtering ......................................... 131
3.1.9.2. IPMC - MLD Snooping ...................................................................................... 132
3.1.9.2.1. IPMC - MLD Snooping - Basic Configuration ........................................... 132
3.1.9.2.2. IPMC - MLD Snooping - VLAN Configuration .......................................... 134
3.1.9.2.3. IPMC - MLD Snooping - Port Group Filtering ........................................... 136
3.1.10. Configuration - LLDP ............................................................................................ 137
3.1.10.1. LLDP - LLDP ................................................................................................... 137
3.1.10.2. LLDP - LLDP-MED .......................................................................................... 140
3.1.11. Configuration - PoE .............................................................................................. 147
3.1.12. Configuration - MAC Table ................................................................................... 150
3.1.13. Configuration - VLANs ......................................................................................... 152
3.1.13.1. VLANs - VLAN Membership........................................................................... 152
3.1.13.2. VLANs - Ports ................................................................................................. 154
3.1.14. Configuration - Private VLAN .............................................................................. 156
3.1.14.1. Private VLAN - Port Isolation ..................................................................... 156
3.1.15. Configuration - VCL .............................................................................................. 157
3.1.15.1. VCL - MAC-based VLAN ................................................................................ 157
3.1.15.2. VCL - Port-based VLAN ................................................................................. 159
3.1.15.2.1. VCL - Port-based VLAN - Protocol to Group .......................................... 159
3.1.15.2.2. VCL - Port-based VLAN - Group to VLAN .............................................. 161
3.1.15.3. VCL - IP Subnet-based VLAN ........................................................................ 162
3.1.16. Configuration - Voice VLAN ................................................................................. 164
3.1.16.1. Voice VLAN - Configuration ........................................................................... 164
3.1.16.2. Voice VLAN - OUI ........................................................................................... 166
3.1.17. Configuration - QoS .............................................................................................. 167
3.1.17.1. QoS - Port Classification ............................................................................... 167
3.1.17.2. QoS - Port Policing ........................................................................................ 169
3.1.17.3. QoS - Port Scheduler ..................................................................................... 170
3.1.17.4. QoS - Port Shaping ........................................................................................ 175
3.1.17.5. QoS - Port Tag Remarking ............................................................................. 180
3.1.17.6. QoS - Port DSCP ............................................................................................ 183
3.1.17.7. QoS - DSCP-Based QoS ................................................................................ 185
3.1.17.8. QoS - DSCP Translation ................................................................................. 186
3.1.17.9. QoS - DSCP Classification ............................................................................. 187
3.1.17.10. QoS - Storm Control ..................................................................................... 188
3.1.17.11. QoS - WRED .................................................................................................. 189
3.1.18. Configuration - Mirroring ..................................................................................... 191
3.1.19. Configuration - UPnP ........................................................................................... 193
3.1.20. Configuration - Stack............................................................................................ 194
3.1.21. Configuration - sFlow ........................................................................................... 197
3.2. Web Management - Monitor ......................................................................................... 200
3.2.1. Monitor - System .................................................................................................... 200
3.2.1.1. System - Information ....................................................................................... 200
3.2.1.2. System - CPU Load .......................................................................................... 202
3.2.1.3. System - Log .................................................................................................... 203
3.2.1.4. System - Detailed Log ...................................................................................... 204
3.2.2. Monitor - Ports ........................................................................................................ 205
3.2.2.1. Ports - State ...................................................................................................... 205
3.2.2.2. Ports - Traffic Overview ................................................................................... 206
3.2.2.3. Ports - QoS Statistics ....................................................................................... 207
3.2.2.4. Ports - Detailed Statistics ................................................................................ 208
3.2.3. Monitor - Security ................................................................................................... 211
3.2.3.1. Security - Access Management Statistics ...................................................... 211
3.2.3.2. Security - Network............................................................................................ 212
3.2.3.2.1. Security - Network - Port Security - Switch.............................................. 212
3.2.3.2.2. Security - Network - Port Security - Port .................................................. 215
3.2.3.2.3. Security - Network - NAS - Switch ............................................................ 216
3.2.3.2.4. Security - Network - NAS - Port ................................................................ 218
3.2.3.2.5. Security - Network - ACL Status ............................................................... 223
3.2.3.2.6. Security - Network - DHCP - Snooping Statistics .................................... 225
3.2.3.2.7. Security - Network - DHCP - Relay Statistics ........................................... 227
3.2.3.2.8. Security - Network - ARP Inspection ........................................................ 229
3.2.3.3. Security - Network............................................................................................ 233
3.2.3.3.1. Security - AAA - RADIUS Overview .......................................................... 233
3.2.3.3.2. Security - AAA - RADIUS Details ............................................................... 235
3.2.3.4. Security - Switch - RMON ................................................................................ 239
3.2.3.4.1. Security - Switch - RMON - Statistics ....................................................... 239
3.2.3.4.2. Security - Switch - RMON - History .......................................................... 242
3.2.3.4.3. Security - Switch - RMON - Alarm ............................................................. 244
3.2.3.4.4. Security - Switch - RMON - Events ........................................................... 246
3.2.4. Monitor - LACP ....................................................................................................... 247
3.2.4.1. LACP - System Status ...................................................................................... 247
3.2.4.2. LACP - Port Status ........................................................................................... 248
3.2.4.3. LACP - Port Statistics ...................................................................................... 249
3.2.5. Monitor - Loop Protection ...................................................................................... 250
3.2.6. Monitor - Spanning Tree ......................................................................................... 251
3.2.6.1. Spanning Tree - Bridge Status ........................................................................ 251
3.2.6.2. Spanning Tree - Port Status ............................................................................. 252
3.2.6.3. Spanning Tree - Port Statistics ........................................................................ 253
3.2.7. Monitor - MVR ......................................................................................................... 254
3.2.7.1. MVR - Statistics ................................................................................................ 254
3.2.7.2. MVR - MVR Channel Groups ........................................................................... 255
3.2.7.3. MVR - MVR SFM Information ........................................................................... 256
3.2.8. Monitor - IPMC ........................................................................................................ 258
3.2.8.1. IPMC - IGMP Snooping .................................................................................... 258
3.2.8.1.1. IPMC - IGMP Snooping - Status ................................................................ 258
3.2.8.1.2. IPMC - IGMP Snooping - Groups Information .......................................... 260
3.2.8.1.3. IPMC - IGMP Snooping - IPv4 SFM Information ....................................... 261
3.2.8.2. IPMC - MLD Snooping ...................................................................................... 263
3.2.8.2.1. IPMC - MLD Snooping - Status ................................................................. 263
3.2.8.2.2. IPMC - MLD Snooping - Groups Information ........................................... 265
3.2.8.2.3. IPMC - MLD Snooping - IPv6 Group Information ..................................... 266
3.2.9. Monitor - LLDP ........................................................................................................ 268
3.2.9.1. LLDP - Neighbours ........................................................................................... 268
3.2.9.2. LLDP - LLDP-MED Neighbours ....................................................................... 270
3.2.9.3. LLDP - PoE ....................................................................................................... 274
3.2.9.4. LLDP - EEE ....................................................................................................... 276
3.2.9.5. LLDP - Port Statistics ....................................................................................... 278
3.2.10. Monitor - PoE ........................................................................................................ 280
3.2.11. Monitor - MAC Table ............................................................................................. 282
3.2.12. Monitor - VLANs ................................................................................................... 284
3.2.12.1. VLANs - VLAN Membership........................................................................... 284
3.2.12.2. VLANs - VLAN Ports ...................................................................................... 286
3.2.13. Monitor - Stack ...................................................................................................... 288
3.2.14. Monitor - VCL ........................................................................................................ 290
3.2.14.1. VCL - MAC-based VLAN ................................................................................ 290
3.2.15. Monitor - sFlow ..................................................................................................... 291
3.3. Web Management - Diagnostics .................................................................................. 293
3.3.1. Diagnostics - Ping .................................................................................................. 293
3.3.2. Diagnostics - Ping6 ................................................................................................ 295
3.3.3. Diagnostics - VeriPHY ............................................................................................ 296
3.4. Web Management - Maintenance ................................................................................. 298
3.4.1. Maintenance - Restart Device ................................................................................ 298
3.4.2. Maintenance - Factory Defaults ............................................................................. 299
3.4.3. Maintenance - Software Upload ............................................................................. 300
3.4.3. Maintenance - Configuration ................................................................................. 301
3.4.3.1. Configuration - Save ........................................................................................ 301
3.4.3.2. Configuration - Load ........................................................................................ 302
Chapter 4: CLI Management ................................................................................................. 303
4.1. CLI Management - Overview ........................................................................................ 304
4.2. CLI Management - System ............................................................................................ 305
4.3. CLI Management - Stack ............................................................................................... 310
4.4. CLI Management - Port ................................................................................................. 311
4.5. CLI Management - MAC ................................................................................................ 314
4.6. CLI Management - VLAN............................................................................................... 315
4.7. CLI Management - PVLAN (Private VLAN)................................................................... 316
4.8. CLI Management - Security .......................................................................................... 317
4.9. CLI Management - STP ................................................................................................. 334
4.10. CLI Management - Aggr .............................................................................................. 337
4.11. CLI Management - LACP ............................................................................................. 339
4.12. CLI Management - LLDP ............................................................................................. 342
4.13. CLI Management - LLDPMED ..................................................................................... 343
4.14. CLI Management - EEE ............................................................................................... 347
4.15. CLI Management - POE ............................................................................................... 348
4.16. CLI Management - QoS ............................................................................................... 350
4.17. CLI Management - Mirror ............................................................................................ 353
4.18. CLI Management - Config ........................................................................................... 354
4.19. CLI Management - Firmware ...................................................................................... 355
4.20. CLI Management - UPnP ............................................................................................. 356
4.21. CLI Management - MVR .............................................................................................. 357
4.22. CLI Management - Voice VLAN .................................................................................. 359
4.23. CLI Management - Loop Protect ................................................................................ 361
4.24. CLI Management - IPMC ............................................................................................. 362
4.25. CLI Management - sFlow ............................................................................................ 364
4.26. CLI Management - VCL ............................................................................................... 366
Appendix A: Product Safety ................................................................................................... 368
Appendix B: IP Configuration for Your PC ............................................................................ 369
Appendix C: Glossary ............................................................................................................. 372
Before Starting
In Before Starting:
This section contains introductory information, which includes:
- Intended Readers
- Icons for Note, Caution, and Warning
- Product Package Contents
Intended Readers
This manual provides information on all the aspects and functions needed to install, configure, use, and maintain the product you have purchased.
This manual is intended for technicians who are familiar with in-depth network management concepts and terminology.
Icons for Note, Caution, and Warning
To install, configure, use, and maintain this product properly, please pay attention when you see these icons in this manual:
A Note icon indicates important information that will guide you to use this product properly.
A Caution icon indicates either a potential for hardware damage or data loss, including information that will guide you to avoid these situations.
A Warning icon indicates the potential for property damage and personal injury.
Product Package Contents
Before installing this product, please check and verify the contents of the product package, which should include the following items:
Note: If any item listed in the table above is missing or damaged, please contact your distributor or retailer as soon as possible.
Chapter 1: Product Overview
In Product Overview:
This section gives you an overview of this product, including its features and its hardware/software specifications.
- Product Brief Description
- Product Specification
- Hardware Description
- Hardware Installation
1.1. Product Brief Description
Introduction
The NGSME24G4S is a rack-mount L2+ fully managed network switch with 24 10/100/1000Base-T ports, two 10G SFP+ slots for stacking and two 10G SFP+ open slots, designed to strengthen network connectivity in medium or large network environments. It supports a 128Gbps non-blocking switch fabric, so its 24 gigabit ports and 2 10G uplink ports can transmit and receive data traffic without any loss. The EEE feature reduces power consumption when a port is still linked but is not forwarding traffic. The 10G uplink ports provide the high-bandwidth uplink that is needed when cascading with other switches. The NGSME24G4S switch also supports Layer 2+ full management software features, which provide network control, management, monitoring and security. With the included rack-mount brackets, the 19" chassis fits into your rack environment. It is a superb choice to boost your network with better performance and efficiency.
Two 10 Gigabit SFP+ Open Slots
The NGSME24G4S switch is equipped with two 10G SFP+ open slots as uplink ports; the 10G uplink design provides an excellent solution for expanding your network from 1G to 10G. At 10G speed, this product provides highly flexible, high-bandwidth connectivity to another 10G switch or to servers, workstations and other attached devices that support a 10G interface. The user can also aggregate the 10G ports into a trunk group to enlarge the bandwidth.
Stacking Features
The NGSME24G4S switch includes a stacking feature that uses the 2 stacking SFP+ ports to let multiple switches operate as a single unit. A single switch in the stack manages all the units in the stack through a single IP address, which allows the user to manage every port in the stack from that one address. A stack can include up to 16 switches, for a total of 384 gigabit ports plus 32 10G ports.
Full Layer 2 Management Features
The NGSME24G4S switch includes full Layer 2+ management features. The software set includes up to 4K 802.1Q VLANs plus advanced Protocol VLAN, Private VLAN and MVR features. It provides 8 hardware priority queues per port for Quality of Service, IPv4/IPv6 multicast filtering, Rapid Spanning Tree Protocol to avoid network loops, Multiple Spanning Tree Protocol to integrate VLANs with spanning tree, LACP, LLDP, sFlow, port mirroring, cable diagnostics and advanced network security features. It also provides a console CLI for out-of-band management, and SNMP, a Web GUI, Telnet and SSH for in-band management.
NGSME24G4S User Manual | 14
1.2. Product Specification

Interface
- 10/100/1000Base-T RJ45 ports: 24
- 10G uplink SFP+ slots: 2
- 10G stacking SFP+ slots: 2
- Console port for CLI management: 1

System Performance
- Packet buffer: 32Mb
- MAC address table size: 32K
- Switching capacity: 128Gbps
- Forwarding rate: 95.2Mpps

PoE Features
- Standard: IEEE 802.3af/at
- Number of PSE ports: 24
- Max. power consumption: 500W
- External/internal power: internal power supply
- Power feeding detection on PD: PD alive check, PD classification
- Power management (per port): enable/disable PoE per port, priority setting per port, power level setting per port, overloading protection

L2 Features
- Auto-negotiation
- Auto MDI/MDIX
- Flow control: IEEE 802.3x (full duplex), back-pressure (half duplex)
- Spanning Tree: IEEE 802.1D (STP), IEEE 802.1w (RSTP), IEEE 802.1s (MSTP)
- VLAN: 4K VLAN groups, tag-based and port-based
- Link aggregation: IEEE 802.3ad with LACP, static trunk, max. 12 LACP link aggregation groups
- IGMP snooping: IGMP snooping v1/v2/v3, IPv6 MLD snooping, querier, immediate leave
- Storm control (broadcast/multicast/unknown unicast)
- Jumbo frame support: 10K
QoS Features
- Number of priority queues: 8 queues/port
- Rate limiting: ingress and egress, granularity 1KBps/1pps
- DiffServ (RFC 2474 remarking)
- Scheduling: WRR, strict, hybrid
- CoS: IEEE 802.1p, IP ToS precedence, IP DSCP

Security
- Management system user name/password protection
- User privilege: up to 15 levels
- Port security (MAC-based)
- IEEE 802.1X port-based access control
- ACL (L2/L3/L4)
- IP source guard
- RADIUS (authentication, authorization, accounting)
- TACACS+
- HTTP and HTTPS (SSL, secure web)
- SSH v2.0 (secured Telnet-style session)
- MAC/IP filter

Management
- Command line interface (CLI)
- Web based management
- Telnet
- Access management filtering: SNMP/WEB/SSH/TELNET
- Firmware upgrade via HTTP
- Dual firmware images
- Configuration download/upload
- SNMP (v1/v2c/v3)
- RMON (groups 1, 2, 3 and 9)
- DHCP (client/relay/option 82/snooping)
- System event/error log
- NTP/LLDP
- Cable diagnostics
- IPv6 configuration
- Port mirroring: one-to-one or many-to-one

Mechanical
- Power input: 100~240VAC
- Dimensions (H*W*D): 44*440*331 mm
- LEDs: Power, 10/100/1000M, PoE, SFP
- LCD: displays the stacking ID
- Operating temperature: 0~45°C
- Operating humidity: 5~90% (non-condensing)
- Weight: 4.3kg
- Certification: CE, FCC Class A
Standards
- IEEE 802.3 - 10Base-T
- IEEE 802.3u - 100Base-TX
- IEEE 802.3ab - 1000Base-T
- IEEE 802.3z - 1000Base-SX/LX
- IEEE 802.3af - Power over Ethernet (PoE)
- IEEE 802.3at - Power over Ethernet (PoE+)
- IEEE 802.3az - Energy Efficient Ethernet (EEE)
- IEEE 802.3x - Flow Control
- IEEE 802.1Q - VLAN
- IEEE 802.1v - Protocol VLAN
- IEEE 802.1p - Class of Service
- IEEE 802.1D - Spanning Tree
- IEEE 802.1w - Rapid Spanning Tree
- IEEE 802.1s - Multiple Spanning Tree
- IEEE 802.3ad - Link Aggregation Control Protocol (LACP)
- IEEE 802.1AB - LLDP (Link Layer Discovery Protocol)
- IEEE 802.1X - Access Control
LED Indicators
- Power (1 LED), amber: on = power on
- 10/100/1000M (24 LEDs, ports 1~24), green: on = link up; blinking = data activity
- SFP (ports 25~26), green: on = link up; blinking = data activity
1.3. Hardware Description
This section describes the hardware of the NGSME24G4S switch and gives a physical and functional overview of it.
Front Panel
The front panel of the NGSME24G4S switch consists of 24 10/100/1000Base-T RJ-45 ports, 2 10G uplink SFP+ ports, and 2 10G SFP+ stacking ports. The LED indicators are also located on the front panel.
LED Indicators
The LED Indicators present real-time information of systematic operation status. The following table provides description of LED status and their meaning.
Rear Panel
The rear panel of the NGSME24G4S switch contains 2 ventilation fans, a power switch, and an IEC 60320 plug for power supply.
1.4. Hardware Installation
To install the NGSME24G4S switch, place it on a large flat surface with a power socket close by. The surface should be clean, smooth, and level. Make sure there is enough space around the switch for the RJ45 cables, the power cord and ventilation.
If you are installing the switch in a 19-inch rack, use the rack-mount kit (L brackets) and screws that come in the product package. Fasten all screws so that the rack-mount kit and the switch are tightly joined before mounting it in the rack.
Ethernet Cable Requirements
The required cable types are:
- 10Base-T: 2-pair UTP/STP Cat. 3, 4 or 5 cable, EIA/TIA-568 100-ohm (max. 100m)
- 100Base-TX: 2-pair UTP/STP Cat. 5 cable, EIA/TIA-568 100-ohm (max. 100m)
- 1000Base-T: 4-pair UTP/STP Cat. 5 cable, EIA/TIA-568 100-ohm (max. 100m)
- PoE: to deliver power properly, Cat. 5e or Cat. 6 cable is recommended.
Higher quality Ethernet cable reduces the power lost in transmission.
SFP Installation
When installing an SFP transceiver, make sure the SFP type at both ends is the same and that the transmission distance, wavelength and fiber cable meet your requirements. It is suggested to purchase SFP transceivers from the switch provider to avoid incompatibility issues.
To connect, plug the SFP fiber transceiver into the slot first. The transceiver has two receptacles for the fiber cable, TX (transmit) and RX (receive). Cross-connect the transmit channel at each end to the receive channel at the opposite end.
For more information on product safety and maintenance, please refer to Appendix A: Product Safety.
Chapter 2: Preparing for Management
This chapter explains how to manage the switch via the serial console, the management web page, and the Telnet/SSH interface.
The switch provides both out-of-band and in-band management.
- Out-of-band management: you can configure the switch through the RS-232 console cable without connecting the switch or your PC to a network. Because it requires physical access to the console port, out-of-band management provides a dedicated and secure way to manage the switch.
- In-band management: you can manage the switch with a web browser (such as Microsoft IE, Mozilla Firefox, or Google Chrome), or over Telnet/SSH, as long as your PC and the switch are connected to the same network.
All management interfaces share the switch's local user database. The factory default account is admin/admin; change its password (Configuration - Security - Switch - Users) before the switch is connected to a production network.
This chapter covers:
- Preparation for Serial Console
- Preparation for Web Interface
- Preparation for Telnet/SSH Interface
2.1. Preparation for Serial Console
Inside the product package you will find an RS-232 console cable. Before managing the switch out-of-band, attach this cable's RJ45 connector to the switch's console port and its RS-232 female connector to your PC's COM port. To access the switch's out-of-band management CLI (Command Line Interface), your PC must have terminal emulator software such as HyperTerminal or PuTTY installed. Some operating systems (such as Microsoft Windows XP) include HyperTerminal; if your PC has no terminal emulator, download and install one.
The following section will use HyperTerminal as an example.
1. Run HyperTerminal on your PC.
2. Give a name to the new console connection.
3. Choose the COM port that is connected to the switch.
4. Set the serial port settings to: Baud Rate 115200, Data Bits 8, Parity None, Stop Bits 1, Flow Control None.
5. The system prompts you to log in to the out-of-band management CLI. The default username/password is admin/admin.
2.2. Preparation for Web Interface
The management web page allows you to use a web browser (such as Microsoft IE, Google Chrome, or Mozilla Firefox) to configure and monitor the switch from any host that can reach its management IP address.
Before using the web interface to manage the switch, verify that the switch and your PC are on the same network. Follow the steps below to configure your PC:
1. Verify that the network interface card (NIC) of your PC is operational and properly installed, and that your operating system supports TCP/IP protocol.
2. Connect your PC with the switch via an RJ45 cable.
3. The default IP address of the switch is 192.168.2.1. The switch and your PC must be in the same IP subnet. Change your PC's IP address to 192.168.2.X, where X is any number from 2 to 254, and make sure the address you assign to your PC is not the same as the switch's.
4. Launch the web browser (IE, Firefox, or Chrome) on your PC.
5. Type 192.168.2.1 (or the IP address of the switch) in the web browser’s URL field, and press Enter.
6. The web browser will prompt you to sign in. The default username/password for the configuration web page is admin/admin.
For more information, please refer to Appendix B: IP Configuration for Your PC.
2.3. Preparation for Telnet/SSH Interface
Both Telnet and SSH (Secure Shell) are network protocols that provide a text-based command line interface (CLI) for in-band system management. Only SSH provides a secure channel over an untrusted network: with SSH all transmitted data, including the login password, is encrypted, whereas Telnet sends everything in clear text. Use SSH for day-to-day management and, once SSH access has been verified, restrict or disable Telnet with the access management filter.
This switch supports both Telnet and SSH management CLIs. To access the CLI via Telnet or SSH, your PC and the switch must be on the same network; set up your PC's network environment as described in the previous section (2.2. Preparation for Web Interface).
The Telnet interface can be reached with the telnet command from a Microsoft "CMD" prompt; the SSH interface requires a dedicated SSH client. The following section uses PuTTY to demonstrate the SSH connection; Telnet is accessed the same way, with a different connection type or client.
Access SSH via PuTTY:
A "PuTTY Configuration" window appears after you run PuTTY.
1. Enter the IP address of the switch in the "Host Name (or IP address)" field. The default IP address of the switch is 192.168.2.1.
2. Choose "SSH" under "Connection type", then press Enter.
3. If you are connecting to the switch via SSH for the first time, a "PuTTY Security Alert" window pops up showing the switch's SSH host key fingerprint. Press "Yes" to cache the key and continue; PuTTY will warn you on later connections if the key changes. This window does not appear when you connect with Telnet.
4. PuTTY prompts you to log in after the Telnet/SSH connection is established. The default username/password is admin/admin.
Chapter 3: Web Management
As mentioned in Chapter 2.2. Preparation for Web Interface, this switch provides a web-based management interface. You can make all settings and monitor system status from this management web page.
The configuration/monitor options in the management web page fall into the following 4 categories, which are discussed in detail in this chapter:
- Web Management - Configure
- Web Management - Monitor
- Web Management - Diagnostic
- Web Management - Maintenance
3.1. Web Management - Configure
Here you can access all the configuration options of the switch. The configuration options include:
- System: basic system settings such as system information, switch IP, NTP, system time and log.
- Power Reduction: enable the EEE (Energy Efficient Ethernet) function on each port to reduce the power used by the switch.
- Ports: view the connection status of all ports on the switch, and set port connection speed, flow control, maximum frame length, and power control mode.
- Security: settings that secure both the switch itself and your network.
- Aggregation: combine multiple physical ports into one logical port, so that the available bandwidth exceeds the limit of a single port.
- Loop Protection: a network loop can cause a broadcast storm and paralyze your entire network. Enable loop protection here to prevent network loops.
- Spanning Tree: Spanning Tree Protocol is a network protocol that ensures a loop-free network and provides redundant links that serve as automatic backup paths if an active link fails. This switch supports STP, RSTP (Rapid STP), and MSTP (Multiple STP).
- MVR: MVR stands for Multicast VLAN Registration, a protocol that allows a multicast VLAN to be shared with other VLANs and configured dynamically when needed.
- IPMC: set IGMP snooping (for IPv4) or MLD snooping (for IPv6). These protocols reduce network load under bandwidth-demanding applications such as streaming video by eliminating unnecessary multicast forwarding.
- LLDP: LLDP stands for Link Layer Discovery Protocol, a protocol that allows the switch to advertise its identity and capabilities and to learn its neighbors on the network.
- PoE: enable/disable the PoE function on each port or assign the power (in watts) for each port.
- MAC Table: when a network device is connected to the switch, the switch keeps its MAC address in the MAC table. This section provides settings for the switch's MAC address table.
- VLANs: VLAN stands for Virtual LAN, which allows you to separate ports into different VLAN groups. Only members of the same VLAN group can exchange packets; ports in different VLAN groups cannot. Here you can set port-based VLANs.
- Private VLANs: also known as port isolation. Only members of the same private VLAN can communicate with each other.
- VCL: set MAC-based VLAN, protocol-based VLAN, and IP subnet-based VLAN.
- Voice VLAN: a VLAN dedicated to voice communication (such as VoIP phones) that ensures the transmission priority and quality of voice traffic.
- QoS: QoS stands for Quality of Service, which allows you to control network priority (which packets are transmitted first and which last) via IEEE 802.1p or DSCP.
- Mirroring: for purposes such as network diagnostics, copy packets transmitted/received on one or more ports to a designated port.
- UPnP: UPnP stands for Universal Plug and Play, a protocol that lets devices on the same network discover each other and establish network services such as data sharing. You can configure UPnP here; leave it disabled unless you need the switch to be discoverable this way.
- Stack: up to 16 switches can be stacked and work as one switch, which greatly reduces the time needed for network maintenance. This page provides the settings for stacking switches.
- sFlow: sFlow is an industry standard technology for monitoring switched networks through random sampling of packets on switch ports and time-based sampling of port counters. The sampled packets are sent to the designated sFlow receiver (collector) for analysis by the system administrator.
3.1.1. Configuration - System
3.1.1.1. System - Information
The switch system information is provided here.
System Contact
The textual identification of the contact person for this managed node, together with information on how to contact this person. The allowed string length is 0 to 255, and the allowed content is the ASCII characters from 32 to 126.
System Name
An assigned name for this switch. By convention, this is the switch's fully-qualified domain name. A domain name is a text string drawn from the letters (A-Z and a-z), digits (0-9) and the minus sign (-). Space characters are not permitted. The first character must be a letter, and neither the first nor the last character may be a minus sign. The allowed string length is 0 to 255.
System Location
The physical location of this node (e.g., telephone closet, 3rd floor). The allowed string length is 0 to 255, and the allowed content is the ASCII characters from 32 to 126.
Buttons
- Save: click to save changes.
- Reset: click to undo any changes made locally and revert to the previously saved values.
3.1.1.2. System - IP
This page allows you to view and change the switch's IP settings. The left part (Configured) is for changing settings and the right part (Current) displays the current settings.
DHCP Client
Enable the DHCP client by checking this box. If DHCP fails and the configured IP address is zero, DHCP keeps retrying. If the DHCP server does not respond within about 35 seconds and the configured IP address is not zero, DHCP stops and the configured IP settings are used. The DHCP client announces the configured System Name as its host name for DNS lookup.
IP Address
Provide the IP address of this switch in dotted decimal notation.
IP Mask
Provide the IP mask of this switch dotted decimal notation.
IP Router
Provide the IP address of the router in dotted decimal notation.
VLAN ID
Provide the managed VLAN ID. The allowed range is 1 to 4095.
DNS Server
Provide the IP address of the DNS Server in dotted decimal notation.
DNS Proxy
When DNS proxy is enabled, the switch relays DNS requests to the DNS server currently configured on it and replies to client devices on the network as if it were a DNS resolver.
Buttons
- Save: click to save changes.
- Reset: click to undo any changes made locally and revert to the previously saved values.
- Renew: click to renew the DHCP lease. This button is only available if DHCP is enabled.
3.1.1.3. System - IPv6
This page allows you to view and change the switch's IPv6 settings. The left part (Configured) is for changing settings and the right part (Current) displays the current settings.
Auto Configuration
Enable IPv6 auto-configuration by checking this box. If the system cannot obtain a stateless address in time, the configured IPv6 settings are used. Because the router may delay its response to a router solicitation by a few seconds, the total time needed to complete auto-configuration can be significantly longer.
Address
Provide the IPv6 address of this switch. IPv6 address is in 128-bit records represented as eight fields of up to four hexadecimal digits with a colon separating each field (:). For example, 'fe80::215:c5ff:fe03:4dc7'. The symbol '::' is a special syntax that can be used as a shorthand way of representing multiple 16-bit groups of contiguous zeros; but it can appear only once. It can also represent a legally valid IPv4 address. For example, '::192.1.2.34'.
Prefix
Provide the IPv6 Prefix of this switch. The allowed range is 1 to 128.
Router
Provide the IPv6 gateway address of this switch, in the same notation as the Address field above (e.g. 'fe80::215:c5ff:fe03:4dc7'; '::' may appear once and the last 32 bits may be written as an IPv4 address such as '::192.1.2.34').
Buttons
- Save: click to save changes.
- Reset: click to undo any changes made locally and revert to the previously saved values.
- Renew: click to renew IPv6 AUTOCONF. This button is only available if IPv6 AUTOCONF is enabled.
3.1.1.4. System - NTP
NTP stands for Network Time Protocol, which allows switch to perform clock synchronization with the NTP server.
Mode
You can enable or disable NTP function on this switch:
- Enabled: enable NTP client mode.
- Disabled: disable NTP client mode.
Server 1~5
Provide the IPv4 or IPv6 address of an NTP server. The IPv6 notation is the same as on the System - IPv6 page: eight fields of up to four hexadecimal digits separated by colons (e.g. 'fe80::215:c5ff:fe03:4dc7'), where '::' is a shorthand for one or more contiguous all-zero 16-bit groups and may appear only once, and the last 32 bits may be written as an IPv4 address (e.g. '::192.1.2.34'). You can also enter the NTP server's host name instead.
Buttons
- Save: click to save changes.
- Reset: click to undo any changes made locally and revert to the previously saved values.
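The IPv6 address syntax described for the Address and Router fields on the System - IPv6 page and again for the NTP Server 1~5 fields above is worth checking before an address is pushed to the switch, because the form only tells you that a string was rejected. The following parser, an added example and not code from the switch or its vendor, implements exactly the rules the manual states: eight 16-bit hexadecimal groups, at most one '::' standing for one or more all-zero groups, and an optional trailing dotted-decimal IPv4 address occupying the last 32 bits. The helper names are the example's own.

```python
"""IPv6 text parser following the rules given on the System - IPv6 page:
eight 16-bit groups, a single '::' for a run of zero groups, optional
embedded IPv4 address in the last 32 bits. Added example, not vendor code.
"""
import re

_HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def _parse_ipv4_tail(text):
    """Return the two 16-bit groups encoded by a dotted-decimal IPv4 string."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("embedded IPv4 address must have four octets: %r" % text)
    octets = []
    for p in parts:
        # digits only, 0..255, no leading zeros (which some stacks read as octal)
        if not p.isdigit() or not 0 <= int(p) <= 255 or (len(p) > 1 and p[0] == "0"):
            raise ValueError("bad IPv4 octet %r in %r" % (p, text))
        octets.append(int(p))
    return [(octets[0] << 8) | octets[1], (octets[2] << 8) | octets[3]]


def _parse_groups(text):
    """Parse a ':'-separated run of groups (no '::' inside) into 16-bit ints."""
    if text == "":
        return []
    groups = []
    pieces = text.split(":")
    for i, piece in enumerate(pieces):
        if "." in piece:
            # an embedded IPv4 address is only legal as the last piece
            if i != len(pieces) - 1:
                raise ValueError("embedded IPv4 address must be last: %r" % text)
            groups.extend(_parse_ipv4_tail(piece))
        elif _HEX_GROUP.match(piece):
            groups.append(int(piece, 16))
        else:
            raise ValueError("bad group %r in %r" % (piece, text))
    return groups


def parse_ipv6(text):
    """Return the eight 16-bit groups of an IPv6 address string, or raise ValueError."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once: %r" % text)
    if "::" in text:
        head, tail = text.split("::")
        left, right = _parse_groups(head), _parse_groups(tail)
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group: %r" % text)
        groups = left + [0] * missing + right
    else:
        groups = _parse_groups(text)
        if len(groups) != 8:
            raise ValueError("expected 8 groups, got %d: %r" % (len(groups), text))
    return groups


def to_bytes(text):
    """Canonical 16-byte network-order form, which is what the switch stores."""
    return b"".join(g.to_bytes(2, "big") for g in parse_ipv6(text))


def canonical(text):
    """Fully expanded textual form, useful for comparing two spellings of one address."""
    return ":".join("%04x" % g for g in parse_ipv6(text))


if __name__ == "__main__":
    for sample in ("fe80::215:c5ff:fe03:4dc7", "::192.1.2.34", "::1"):
        print(sample, "->", canonical(sample))
```

Comparing canonical() output is the reliable way to tell whether the address shown in the Current column matches the one you configured, since the switch may compress the address differently from how you typed it.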
3.1.1.5. System - Time
This page allows you to configure the Time Zone and daylight saving time.
Time Zone Configuration
- Time Zone: lists the time zones worldwide. Select the appropriate time zone from the drop-down list and click Save to set it.
- Acronym: a user-configurable acronym identifying the time zone. You can use up to 16 alphanumeric characters and the punctuation marks "-", "_" and ".".
Daylight Saving Time Configuration
When enabled, the switch sets the clock forward or backward according to the settings below for the defined Daylight Saving Time period.
- Disable: disable the Daylight Saving Time configuration. This is the default setting.
- Recurring: the configured Daylight Saving Time period is applied every year.
- Non-Recurring: the configured Daylight Saving Time period is applied only once.
Start time settings
- Week: select the starting week number.
- Day: select the starting day.
- Month: select the starting month.
- Hours: select the starting hour.
- Minutes: select the starting minute.
End time settings
- Week: select the ending week number.
- Day: select the ending day.
- Month: select the ending month.
- Hours: select the ending hour.
- Minutes: select the ending minute.
Offset settings
- Offset: enter the number of minutes to add during Daylight Saving Time (range: 1 to 1440).
Buttons
- Save: click to save changes.
- Reset: click to undo any changes made locally and revert to the previously saved values.
3.1.1.6. System - Log
Configure System Log on this page.
Server Mode
When enabled, system log messages are sent to the system log server configured here. The system log protocol runs over UDP and the server receives on UDP port 514; because UDP is connectionless, the server sends no acknowledgement, and the switch transmits log packets even if no system log server exists at the configured address. Syslog over UDP is neither authenticated nor encrypted, so carry it over a trusted management network. Possible modes are:
- Enabled: enable server mode operation.
- Disabled: disable server mode operation.
Server Address
The IPv4 address of the system log server. If a DNS server is configured on the switch, a host name can be used instead.
System log Level
Indicates which messages are sent to the system log server. Possible levels are:
- Info: send information, warnings and errors.
- Warning: send warnings and errors.
- Error: send errors only.
Buttons
- Save: click to save changes.
- Reset: click to undo any changes made locally and revert to the previously saved values.
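The behaviour described above (UDP port 514, no acknowledgement, packets sent whether or not a collector is listening, and an Info/Warning/Error threshold) is easy to get wrong when building a collector or a detection rule on top of the switch's logs. The following added example, not code from the switch or its vendor, builds and parses classic BSD-syslog datagrams of the form '<PRI>TIMESTAMP HOST MSG' with PRI = facility*8 + severity, and applies the same three-level filter the page describes. The message format, the facility (local0) and the sample log lines are assumptions constructed for the example; the manual does not specify the switch's exact line layout.

```python
"""Syslog over UDP/514: build, parse and level-filter datagrams.
Added example, not the switch's own code; the BSD line format, the facility
and the sample messages below are constructed assumptions.
"""
import re
import socket

# Standard syslog severity numbers (lower = more severe).
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_LOCAL0 = 16  # assumed facility for the switch's messages

# The switch's "System log Level" maps to the highest severity number still sent.
LEVEL_THRESHOLD = {"Error": SEVERITY["err"],
                   "Warning": SEVERITY["warning"],
                   "Info": SEVERITY["info"]}

_SYSLOG_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


def build_datagram(severity, message, facility=FACILITY_LOCAL0,
                   timestamp=b"Jan  1 00:00:00", host=b"NGSME24G4S"):
    """Encode one BSD-style syslog datagram."""
    pri = facility * 8 + SEVERITY[severity]
    return b"<%d>%s %s %s" % (pri, timestamp, host, message)


def parse_datagram(data):
    """Return (facility, severity, body); raise ValueError on a malformed PRI."""
    m = _SYSLOG_RE.match(data)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8, m.group(2)


def passes_level(severity, configured_level):
    """True if a message of this severity is sent under the switch setting
    ("Info", "Warning" or "Error")."""
    return severity <= LEVEL_THRESHOLD[configured_level]


def send_datagram(data, server=("192.168.2.100", 514)):
    """Fire-and-forget UDP send. There is no acknowledgement and sendto()
    succeeds whether or not a collector is listening, as the page describes.
    The server address is a placeholder; this is not called in the example."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(data, server)


def filter_sample(configured_level):
    """Run constructed sample messages through the level filter and return
    the bodies that would reach the collector."""
    samples = [  # constructed sample messages, not real switch output
        build_datagram("info", b"Link up on port 1"),
        build_datagram("warning", b"Login failed for user admin from 192.168.2.55"),
        build_datagram("err", b"Loop detected on port 7"),
    ]
    kept = []
    for datagram in samples:
        facility, severity, body = parse_datagram(datagram)
        if passes_level(severity, configured_level):
            kept.append(body)
    return kept


if __name__ == "__main__":
    for level in ("Info", "Warning", "Error"):
        print(level, "->", filter_sample(level))
```

On the collector side, parse_datagram() gives you the severity to alert on; note that the level setting on the switch is a send-side filter, so a collector configured for "Error" only will never see the failed-login warnings, which are usually the messages a security team wants.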
3.1.2. Configuration - Power Reduction
3.1.2.1. Power Reduction - EEE
EEE (Energy-Efficient Ethernet) is a power saving option that reduces the power usage when there is low or no traffic utilization by powering down circuits when there is no traffic. When a port gets data to be transmitted all circuits are powered up. The time it takes to power up the circuits is named wakeup time. The default wakeup time is 17 us for 1Gbit links and 30 us for other link speeds.
EEE devices must agree upon the value of the wakeup time in order to make sure that both the receiving and transmitting device has all circuits powered up when traffic is transmitted. The devices can exchange wakeup time information using the LLDP protocol.
EEE works for ports in auto-negotiation mode, where the port is negotiated to either 1G or 100 Mbit full duplex modes.
Ports that are not EEE-capable are grayed out and thus impossible to enable EEE. The EEE port settings relate to the currently selected stack unit, as reflected by the page header.
Port
The switch port number of the logical EEE port.
Enabled
Controls whether EEE is enabled for this switch port.
Buttons
- Save: click to save changes.
- Reset: click to undo any changes made locally and revert to the previously saved values.
3.1.3. Configuration - Ports
This page displays current port configurations. Ports can also be configured here. The port settings relate to the currently selected stack unit, as reflected by the page header.
Port
This is the logical port number for this row.
Link
The current link state is displayed graphically. Green indicates the link is up and red that it is down.
Current Link Speed
The current link speed of the port.
Configured Link Speed
Selects any available link speed for the given switch port. Only speeds supported by the specific port are shown. Possible speeds are:
- Disabled: disables the switch port operation.
- Auto: the copper port auto-negotiates speed with the link partner and selects the highest speed that is compatible with the link partner.
- 10Mbps HDX: forces the copper port into 10Mbps half duplex mode.
- 10Mbps FDX: forces the copper port into 10Mbps full duplex mode.
- 100Mbps HDX: forces the copper port into 100Mbps half duplex mode.
- 100Mbps FDX: forces the copper port into 100Mbps full duplex mode.
- 1Gbps FDX: forces the copper port into 1Gbps full duplex mode.
Flow Control
When Auto Speed is selected on a port, this section indicates the flow control capability that is advertised to the link partner.
When a fixed-speed setting is selected, that is what is used. The Current Rx column indicates whether pause frames on the port are obeyed, and the Current Tx column indicates whether pause frames on the port are transmitted. The Rx and Tx settings are determined by the result of the last Auto-Negotiation.
Check the configured column to use flow control. This setting is related to the setting for Configured Link Speed.
Maximum Frame Size
Enter the maximum frame size allowed for the switch port, including FCS.
Excessive Collision Mode
Configure port transmit collision behavior.
- Discard: discard the frame after 16 collisions (default).
- Restart: restart the backoff algorithm after 16 collisions.
Power Control
The Usage column shows the current percentage of the power consumption per port. The Configured column allows for changing the power savings mode parameters per port.
- Disabled: all power savings mechanisms disabled.
- ActiPHY: link-down power savings enabled.
- PerfectReach: link-up power savings enabled.
- Enabled: both link-up and link-down power savings enabled.
Buttons
- Save: click to save changes.
- Reset: click to undo any changes made locally and revert to the previously saved values.
- Refresh: click to refresh the page. Any changes made locally will be undone.
3.1.4. Configuration - Security
This section provides the settings for the switch's security functions. They fall into 3 categories:
- Switch: security settings for the switch itself.
- Network: security settings for the network.
- AAA: RADIUS and TACACS+ authentication settings.
3.1.4.1. Security - Switch - Users
This page provides an overview of the current users. Currently the only way to log in to the web server as another user is to close and reopen the browser.
User Name
The name of the user. You can also click on the link to configure user account.
Privilege Level
The privilege level of the user. The allowed range is 1 to 15. A user with privilege level 15 can access all groups, i.e. has full control of the device. For any other value, access is decided per group: the user's privilege level must be equal to or greater than the group's privilege level for the user to access that group. With the default settings, privilege level 5 has read-only access to most groups and privilege level 10 has read-write access, while system maintenance (software upload, factory defaults, etc.) requires privilege level 15. Generally, privilege level 15 is used for an administrator account, 10 for a standard user account and 5 for a guest account.
Buttons
Add New User: Click to add a new user.
This page adds or edits a single user account.
User Name
A string identifying the user name this entry belongs to. The allowed string length is 1 to 31. A valid user name is a combination of letters, numbers and underscores.
Password
The password of the user. The allowed string length is 0 to 31. Although a zero-length password is accepted by the form, do not use one: an empty password lets anyone who can reach a management interface log in as that user.
Privilege Level
The privilege level of the user, 1 to 15. Level 15 grants access to all groups (full control of the device); any other level is compared against each group's privilege level, and the user needs a level equal to or greater than the group's to access it. With the default settings, 5 is read-only on most groups, 10 is read-write, and system maintenance (software upload, factory defaults, etc.) requires 15; use 15 for an administrator, 10 for a standard user and 5 for a guest account.
Buttons
- Save: click to save changes.
- Reset: click to undo any changes made locally and revert to the previously saved values.
- Cancel: click to undo any changes made locally and return to the Users page.
- Delete User: delete the current user. Note that the default user (admin) cannot be deleted.
3.1.4.2. Security - Switch - Privilege Level
This page provides an overview of the privilege levels.
Group Name
The name identifying the privilege group. In most cases a privilege level group consists of a single module (e.g. LACP, RSTP or QoS), but a few contain more than one. The privilege level groups are defined as follows:
System: Contact, Name, Location, Timezone, Daylight Saving Time, Log.
Security: Authentication, System Access Management, Port (contains Dot1x port, MAC based and the MAC Address Limit), ACL, HTTPS, SSH, ARP Inspection, IP Source Guard.
IP: Everything except 'ping'.
Port: Everything except 'VeriPHY'.
Diagnostics: 'ping' and 'VeriPHY'.
Maintenance: CLI - System Reboot, System Restore Default, System Password, Configuration Save, Configuration Load and Firmware Load. Web - Users, Privilege Levels and everything in Maintenance.
Debug: Only present in CLI.
Privilege Levels
Every group has an authorization privilege level for each of the following sub-groups: configuration read-only, configuration/execute read-write, status/statistics read-only, and status/statistics read-write (e.g. for clearing statistics). The user's privilege level must be equal to or greater than the authorization privilege level of a sub-group to have access to it.
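The following is an added example, not part of the Niveo manual, that models the privilege check described in the Users and Privilege Level sections above. The default levels (5 read-only, 10 read-write, 15 for maintenance and full control) are taken from the manual; the exact per-group table and the sub-group names are constructed assumptions for the illustration.

```python
# Added example, not part of the Niveo manual: a model of the privilege level
# check described above. The default levels (5 read-only, 10 read-write,
# 15 for maintenance and full control) come from the manual; the exact
# per-group table is a constructed assumption for this illustration.
from dataclasses import dataclass

# Each privilege group carries an authorization level for four sub-groups.
SUBGROUPS = ("config_ro", "config_rw", "status_ro", "status_rw")


@dataclass(frozen=True)
class GroupLevels:
    config_ro: int = 5
    config_rw: int = 10
    status_ro: int = 5
    status_rw: int = 10


# Constructed table: most groups use the defaults, Maintenance needs level 15.
GROUP_TABLE = {
    "System": GroupLevels(),
    "Security": GroupLevels(),
    "IP": GroupLevels(),
    "Port": GroupLevels(),
    "Diagnostics": GroupLevels(),
    "Maintenance": GroupLevels(15, 15, 15, 15),
}


def validate_level(level: int) -> int:
    """The manual allows user privilege levels 1 to 15 only."""
    if not isinstance(level, int) or not 1 <= level <= 15:
        raise ValueError("privilege level must be an integer in 1..15")
    return level


def has_access(user_level: int, group: str, subgroup: str, table=GROUP_TABLE) -> bool:
    """True if the user may use the given sub-group of a privilege group."""
    level = validate_level(user_level)
    if subgroup not in SUBGROUPS:
        raise ValueError(f"unknown sub-group {subgroup!r}")
    if level == 15:
        return True  # level 15 is granted full control of the device
    required = getattr(table[group], subgroup)
    return level >= required


def effective_rights(user_level: int, table=GROUP_TABLE) -> dict:
    """Map each group to the set of sub-groups the user can reach."""
    return {
        group: {sg for sg in SUBGROUPS if has_access(user_level, group, sg, table)}
        for group in table
    }


if __name__ == "__main__":
    for level in (5, 10, 15):
        print(level, effective_rights(level))
```

Running the block prints, for a guest (5), a standard user (10) and an administrator (15), which sub-groups of each group they can reach; note that level 10 still has nothing in Maintenance, since that group requires 15 throughout.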
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
3.1.4.3. Security - Switch - Authentication Method
This page allows you to configure how a user is authenticated when logging into the stack via one of the management client interfaces.
Client
The management client for which the configuration below applies.
Authentication Method
Authentication Method can be set to one of the following values:
None: authentication is disabled and login is not possible.
Local: use the local user database on the stack for authentication.
RADIUS: use a remote RADIUS server for authentication.
TACACS+: use a remote TACACS+ server for authentication.
Fallback
Enable fallback to local authentication by checking this box. If none of the configured authentication servers are alive, the local user database is used for authentication. This is only possible if the Authentication Method is set to a value other than 'none' or 'local'.
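The following is an added example, not part of the Niveo manual, that models the login decision for one management client under the Authentication Method and Fallback settings above. The point it makes explicit is that the local database is consulted only when every configured server is dead, never when a live server rejects the credentials. The server objects and the local user table are constructed stand-ins; a real switch would speak RADIUS or TACACS+ to the servers.

```python
# Added example, not part of the Niveo manual: models the login decision for
# one management client under the Authentication Method and Fallback settings.
# The servers and the local user table are constructed stand-ins; a real
# switch would speak RADIUS or TACACS+ to the servers.
from dataclasses import dataclass, field

METHODS = ("none", "local", "radius", "tacacs+")


@dataclass
class RemoteServer:
    name: str
    alive: bool
    users: dict  # constructed username -> password table standing in for the server


@dataclass
class ClientAuthConfig:
    method: str
    fallback: bool = False
    servers: list = field(default_factory=list)


def validate_config(cfg: ClientAuthConfig) -> None:
    """Fallback is only allowed with a remote method, as the manual states."""
    if cfg.method not in METHODS:
        raise ValueError(f"unknown authentication method {cfg.method!r}")
    if cfg.fallback and cfg.method in ("none", "local"):
        raise ValueError("fallback requires a method other than 'none' or 'local'")


def check_local(local_db: dict, user: str, password: str) -> bool:
    return local_db.get(user) == password


def authenticate(cfg: ClientAuthConfig, local_db: dict, user: str, password: str):
    """Return (granted, decided_by). decided_by names what made the decision."""
    validate_config(cfg)
    if cfg.method == "none":
        return False, "disabled"          # login is not possible at all
    if cfg.method == "local":
        return check_local(local_db, user, password), "local"
    live = [s for s in cfg.servers if s.alive]
    if live:
        srv = live[0]                     # constructed: first live server answers
        return srv.users.get(user) == password, srv.name
    if cfg.fallback:
        # Every configured server is dead: only now is the local database used.
        return check_local(local_db, user, password), "local-fallback"
    return False, "no-server"
```

A rejection from a live server is final even when Fallback is enabled and the local password would have matched; fallback changes the outcome only for the all-servers-dead case.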
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
3.1.4.4. Security - Switch - SSH
Configure SSH on this page.
Mode
Indicates the SSH mode operation. Possible modes are:
Enabled: Enable SSH mode operation.
Disabled: Disable SSH mode operation.
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
3.1.4.5. Security - Switch - HTTPS
Configure HTTPS on this page.
Mode
Indicates the HTTPS mode operation. If the current connection is HTTPS, applying the disabled mode automatically redirects the web browser to an HTTP connection. Possible modes are:
Enabled: Enable HTTPS mode operation.
Disabled: Disable HTTPS mode operation.
Automatic Redirect
Indicates the HTTPS redirect mode operation. Automatically redirects web browser to an HTTPS connection when both HTTPS mode and Automatic Redirect are enabled. Possible modes are:
Enabled: Enable HTTPS redirect mode operation.
Disabled: Disable HTTPS redirect mode operation.
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
3.1.4.6. Security - Switch - Access Management
Configure the access management table on this page. The maximum number of entries is 16. If the application's type matches any one of the access management entries, access to the switch is allowed.
Mode
Indicates the access management mode operation. Possible modes are:
Enabled: Enable access management mode operation.
Disabled: Disable access management mode operation.
Delete
Check to delete the entry. It will be deleted during the next save.
Start IP address
Indicates the start IP address for the access management entry.
End IP address
Indicates the end IP address for the access management entry.
HTTP/HTTPS
Indicates that the host can access the switch from HTTP/HTTPS interface if the host IP address matches the IP address range provided in the entry.
SNMP
Indicates that the host can access the switch from SNMP interface if the host IP address matches the IP address range provided in the entry.
TELNET/SSH
Indicates that the host can access the switch from TELNET/SSH interface if the host IP address matches the IP address range provided in the entry.
Buttons
Add New Entry: Click to add a new access management entry.
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
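The following is an added example, not part of the Niveo manual, that evaluates a management request against an access management table built from the fields above (up to 16 entries, each an IP address range plus the services it permits). The entries and host addresses are constructed; the example assumes that, with the mode enabled, a request matching no entry is denied, which is the usual meaning of an allow list like this one.

```python
# Added example, not part of the Niveo manual: evaluates a management request
# against an access management table with the rules described above (up to 16
# entries, each an IP range plus the services it permits). Entries and hosts
# are constructed; with the mode enabled, a request matching no entry is denied.
import ipaddress
from dataclasses import dataclass

MAX_ENTRIES = 16
SERVICES = ("HTTP/HTTPS", "SNMP", "TELNET/SSH")


@dataclass(frozen=True)
class AccessEntry:
    start_ip: str
    end_ip: str
    services: frozenset

    def matches(self, host_ip: str, service: str) -> bool:
        ip = ipaddress.ip_address(host_ip)
        lo = ipaddress.ip_address(self.start_ip)
        hi = ipaddress.ip_address(self.end_ip)
        if ip.version != lo.version:
            return False           # an IPv6 client never matches an IPv4 range
        return lo <= ip <= hi and service in self.services


class AccessManagement:
    def __init__(self, enabled: bool = True):
        self.enabled = enabled
        self.entries = []

    def add(self, entry: AccessEntry) -> None:
        if len(self.entries) >= MAX_ENTRIES:
            raise ValueError(f"at most {MAX_ENTRIES} entries are allowed")
        if not set(entry.services) <= set(SERVICES):
            raise ValueError(f"unknown service in {entry.services}")
        lo = ipaddress.ip_address(entry.start_ip)
        hi = ipaddress.ip_address(entry.end_ip)
        if lo.version != hi.version or lo > hi:
            raise ValueError("start IP must not be above end IP")
        self.entries.append(entry)

    def is_allowed(self, host_ip: str, service: str) -> bool:
        if not self.enabled:
            return True            # mode disabled: the table is not consulted
        return any(e.matches(host_ip, service) for e in self.entries)


def build_sample_table() -> AccessManagement:
    """Constructed example: one management subnet for everything, one NMS host for SNMP."""
    am = AccessManagement(enabled=True)
    am.add(AccessEntry("192.0.2.10", "192.0.2.20", frozenset(SERVICES)))
    am.add(AccessEntry("198.51.100.5", "198.51.100.5", frozenset({"SNMP"})))
    return am
```

The sample table lets a small management range use every interface and a single monitoring host use SNMP only; anything else, including the monitoring host trying HTTP, is refused while the mode is enabled.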
3.1.4.7. Security - Switch - SNMP
3.1.4.7.1. Security - Switch - SNMP - System
Configure SNMP on this page.
Mode
Indicates the SNMP mode operation. Possible modes are:
Enabled: Enable SNMP mode operation.
Disabled: Disable SNMP mode operation.
Version
Indicates the SNMP supported version. Possible versions are:
SNMP v1: Set SNMP supported version 1.
SNMP v2c: Set SNMP supported version 2c.
SNMP v3: Set SNMP supported version 3.
Read Community
Indicates the community read access string to permit access to SNMP agent. The allowed string length is 0 to 255, and the allowed content is the ASCII characters from 33 to 126.
This field is applicable only when the SNMP version is SNMPv1 or SNMPv2c. If the SNMP version is SNMPv3, the community string is associated with the SNMPv3 Communities table, which provides more flexibility in configuring the security name than an SNMPv1 or SNMPv2c community string. In addition to the community string, a particular range of source addresses can be used to restrict the source subnet.
Write Community
Indicates the community write access string to permit access to SNMP agent. The allowed string length is 0 to 255, and the allowed content is the ASCII characters from 33 to 126.
This field is applicable only when the SNMP version is SNMPv1 or SNMPv2c. If the SNMP version is SNMPv3, the community string is associated with the SNMPv3 Communities table, which provides more flexibility in configuring the security name than an SNMPv1 or SNMPv2c community string. In addition to the community string, a particular range of source addresses can be used to restrict the source subnet.
Engine ID
Indicates the SNMPv3 engine ID. The string must be an even number of hexadecimal digits, between 10 and 64 digits long; all-zeros and all-'F's are not allowed. Changing the Engine ID clears all original local users.
SNMP Trap Configuration
Configure SNMP trap on this page.
Trap Mode
Indicates the SNMP trap mode operation. Possible modes are:
Enabled: Enable SNMP trap mode operation.
Disabled: Disable SNMP trap mode operation.
Trap Version
Indicates the SNMP trap supported version. Possible versions are:
SNMP v1: Set SNMP trap supported version 1.
SNMP v2c: Set SNMP trap supported version 2c.
SNMP v3: Set SNMP trap supported version 3.
Trap Community
Indicates the community access string when sending SNMP trap packet. The allowed string length is 0 to 255, and the allowed content is ASCII characters from 33 to 126.
Trap Destination Address
Indicates the SNMP trap destination address. It allows a valid IP address in dotted decimal notation ('x.y.z.w').
It also allows a valid hostname. A valid hostname is a string drawn from the alphabet (A-Za-z), digits (0-9), dot (.) and dash (-). Spaces are not allowed, the first character must be an alphabetic character, and the first and last characters must not be a dot or a dash.
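The following is an added example, not part of the Niveo manual, that implements input validators for the SNMP fields described above: the Read/Write/Trap community strings (printable ASCII 33 to 126, bounded length), the SNMPv3 Engine ID (an even number of hexadecimal digits, 10 to 64 of them, not all zeros or all F), and the trap destination (dotted-decimal IPv4 address or a hostname under the stated character rules). The same Engine ID rule recurs in the Trap Security Engine ID field below. The rules are the manual's; the sample values are constructed.

```python
# Added example, not part of the Niveo manual: input validators for the SNMP
# fields described above (community strings, the SNMPv3 engine ID, and the
# trap destination). The rules are the ones the manual states; the sample
# values used in the tests are constructed.
import ipaddress
import re


def valid_community(s: str, min_len: int = 0, max_len: int = 255) -> bool:
    """Length within [min_len, max_len]; every character is printable ASCII 33..126."""
    return min_len <= len(s) <= max_len and all(33 <= ord(c) <= 126 for c in s)


def valid_engine_id(s: str) -> bool:
    """Even number of hex digits, 10 to 64 digits, not all zeros and not all F."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", s):
        return False
    n = len(s)
    if n % 2 != 0 or not 10 <= n <= 64:
        return False
    digits = set(s.lower())
    return digits != {"0"} and digits != {"f"}


def valid_trap_hostname(s: str) -> bool:
    """Letters, digits, dot and dash; starts with a letter; no dot/dash at either end."""
    if not re.fullmatch(r"[A-Za-z0-9.-]+", s):
        return False               # also rejects the empty string and spaces
    return s[0].isalpha() and s[-1] not in ".-"


def valid_trap_destination(s: str) -> bool:
    """Dotted-decimal IPv4 address or a valid hostname, as the manual allows."""
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return valid_trap_hostname(s)
```

A malformed IPv4 literal such as '192.0.2.999' is rejected twice over: it is not a valid address, and as a hostname it starts with a digit.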
Trap Destination IPv6 Address
Indicates the SNMP trap destination IPv6 address. An IPv6 address is a 128-bit record represented as eight fields of up to four hexadecimal digits, with a colon (:) separating each field. For example, 'fe80::215:c5ff:fe03:4dc7'. The symbol '::' is a special syntax that can be used as a shorthand way of representing multiple 16-bit groups of contiguous zeros, but it can appear only once. The address can also embed a legally valid IPv4 address, for example '::192.1.2.34'.
Trap Authentication Failure
Indicates that the SNMP entity is permitted to generate authentication failure traps. Possible modes are:
Enabled: Enable SNMP trap authentication failure.
Disabled: Disable SNMP trap authentication failure.
Trap Link-up and Link-down
Indicates the SNMP trap link-up and link-down mode operation. Possible modes are:
Enabled: Enable SNMP trap link-up and link-down mode operation.
Disabled: Disable SNMP trap link-up and link-down mode operation.
Trap Inform Mode
Indicates the SNMP trap inform mode operation. Possible modes are:
Enabled: Enable SNMP trap inform mode operation.
Disabled: Disable SNMP trap inform mode operation.
Trap Inform Timeout (seconds)
Indicates the SNMP trap inform timeout. The allowed range is 0 to 2147.
Trap Inform Retry Times
Indicates the SNMP trap inform retry times. The allowed range is 0 to 255.
Trap Probe Security Engine ID
Indicates the SNMP trap probe security engine ID mode of operation. Possible values are:
Enabled: Enable SNMP trap probe security engine ID mode of operation.
Disabled: Disable SNMP trap probe security engine ID mode of operation.
Trap Security Engine ID
Indicates the SNMP trap security engine ID. SNMPv3 sends traps and informs using USM for authentication and privacy, and a unique engine ID for these traps and informs is needed. When "Trap Probe Security Engine ID" is enabled, the ID is probed automatically; otherwise the ID specified in this field is used. The string must be an even number of hexadecimal digits, between 10 and 64 digits long; all-zeros and all-'F's are not allowed.
Trap Security Name
Indicates the SNMP trap security name. SNMPv3 sends traps and informs using USM for authentication and privacy. A unique security name is needed when traps and informs are enabled.
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
3.1.4.7.2. Security - Switch - SNMP - Community
Configure SNMPv3 community table on this page. The entry index key is Community.
Delete
Check to delete the entry. It will be deleted during the next save.
Community
Indicates the community access string that permits access to the SNMPv3 agent. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126. The community string is treated as the security name and is mapped to an SNMPv1 or SNMPv2c community string.
Source IP
Indicates the SNMP access source address. A particular range of source addresses can be used to restrict source subnet when combined with source mask.
Source Mask
Indicates the SNMP access source address mask.
Buttons
Add New Entry: Click to add a new community entry.
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
3.1.4.7.3. Security - Switch - SNMP - User
Configure SNMPv3 user table on this page. The entry index keys are Engine ID and User Name.
Delete
Check to delete the entry. It will be deleted during the next save.
Engine ID
An octet string identifying the engine ID that this entry belongs to. The string must be an even number of hexadecimal digits, between 10 and 64 digits long; all-zeros and all-'F's are not allowed. The SNMPv3 architecture uses the User-based Security Model (USM) for message security and the View-based Access Control Model (VACM) for access control. For a USM entry, usmUserEngineID and usmUserName are the entry's keys. In a simple agent, usmUserEngineID is always that agent's own snmpEngineID value. It can also take the value of the snmpEngineID of a remote SNMP engine with which this user can communicate. In other words, if the user engine ID equals the system engine ID, it is a local user; otherwise it is a remote user.
User Name
A string identifying the user name that this entry should belong to. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
Security Level
Indicates the security level that this entry belongs to. Possible security levels are:
NoAuth, NoPriv: No authentication and no privacy.
Auth, NoPriv: Authentication and no privacy.
Auth, Priv: Authentication and privacy.
The security level cannot be modified once the entry exists, so make sure it is set correctly when the entry is created.
Authentication Protocol
Indicates the authentication protocol that this entry belongs to. Possible authentication protocols are:
None: No authentication protocol.
MD5: An optional flag to indicate that this user uses the MD5 authentication protocol.
SHA: An optional flag to indicate that this user uses the SHA authentication protocol.
The security level cannot be modified once the entry exists, so make sure it is set correctly when the entry is created.
Authentication Password
A string identifying the authentication password phrase. For MD5 authentication protocol, the allowed string length is 8 to 32. For SHA authentication protocol, the allowed string length is 8 to 40. The allowed content is ASCII characters from 33 to 126.
Privacy Protocol
Indicates the privacy protocol that this entry should belong to. Possible privacy protocols are:
None: No privacy protocol.
DES: An optional flag to indicate that this user uses the DES privacy protocol.
Privacy Password
A string identifying the privacy password phrase. The allowed string length is 8 to 32, and the allowed content is ASCII characters from 33 to 126.
Buttons
Add New Entry: Click to add a new user entry.
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
3.1.4.7.4. Security - Switch - SNMP - Groups
Configure SNMPv3 group table on this page.
Delete
Check to delete the entry. It will be deleted during the next save.
Security Model
Indicates the security model that this entry belongs to. Possible security models are:
v1: Reserved for SNMPv1.
v2c: Reserved for SNMPv2c.
usm: User-based Security Model (USM).
Security Name
A string identifying the security name that this entry should belong to. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
Group Name
A string identifying the group name that this entry should belong to. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
Buttons
Add New Entry: Click to add a new group entry.
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
3.1.4.7.5. Security - Switch - SNMP - Views
Configure SNMPv3 view table on this page. The entry index keys are View Name and OID Subtree.
Delete
Check to delete the entry. It will be deleted during the next save.
View Name
A string identifying the view name that this entry should belong to. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
View Type
Indicates the view type that this entry should belong to. Possible view types are:
included: An optional flag to indicate that this view subtree should be included.
excluded: An optional flag to indicate that this view subtree should be excluded.
In general, if a view entry's view type is 'excluded', another view entry with view type 'included' should exist whose OID subtree covers (is broader than) the 'excluded' entry's subtree.
OID Subtree
The OID defining the root of the subtree to add to the named view. The allowed OID length is 1 to 128. The allowed string content is digits or an asterisk (*).
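The following is an added example, not part of the Niveo manual, that decides whether an OID is visible through an SNMPv3 view built from entries like the ones above (view name, OID subtree with optional '*' wildcards, included/excluded) and that reports 'excluded' entries lacking the broader 'included' entry the text calls for. The entry with the longest matching subtree wins, which is the view-matching rule of VACM (RFC 3415); the view table at the bottom is constructed.

```python
# Added example, not part of the Niveo manual: decides whether an OID is
# visible through an SNMPv3 view built from (view name, OID subtree,
# included/excluded) entries. The entry with the longest matching subtree
# wins, as in the VACM view matching of RFC 3415; the table is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class ViewEntry:
    view_name: str
    oid_subtree: str   # e.g. "1.3.6.1.2.1" or "1.3.6.1.2.1.2.2.1.*.3"
    view_type: str     # "included" or "excluded"


def parse_subtree(s: str) -> list:
    """Split an OID subtree; only digits and '*' are allowed, 1 to 128 components."""
    parts = s.strip(".").split(".")
    if not 1 <= len(parts) <= 128:
        raise ValueError("OID subtree must have 1 to 128 components")
    for p in parts:
        if p != "*" and not p.isdigit():
            raise ValueError(f"bad OID component {p!r}")
    return parts


def subtree_matches(subtree: list, oid: list) -> bool:
    """The subtree is a prefix of the OID; '*' matches any single component."""
    if len(subtree) > len(oid):
        return False
    return all(s == "*" or s == o for s, o in zip(subtree, oid))


def oid_in_view(entries, view_name: str, oid_str: str) -> bool:
    """True when the most specific matching entry of the view is 'included'."""
    oid = oid_str.strip(".").split(".")
    best = None
    for e in entries:
        if e.view_name != view_name:
            continue
        sub = parse_subtree(e.oid_subtree)
        if subtree_matches(sub, oid) and (best is None or len(sub) > len(best[0])):
            best = (sub, e)
    return best is not None and best[1].view_type == "included"


def uncovered_excludes(entries) -> list:
    """'excluded' entries with no broader 'included' entry in the same view.

    Such an entry is pointless: nothing was visible in that subtree to begin with.
    """
    result = []
    for e in entries:
        if e.view_type != "excluded":
            continue
        ex = parse_subtree(e.oid_subtree)
        covered = any(
            o.view_name == e.view_name and o.view_type == "included"
            and len(parse_subtree(o.oid_subtree)) < len(ex)
            and subtree_matches(parse_subtree(o.oid_subtree), ex)
            for o in entries
        )
        if not covered:
            result.append(e)
    return result


# Constructed view: all of mib-2, minus the IP group, minus every ifTable
# column of interface 3 (the '*' stands for the column number).
SAMPLE_VIEW = [
    ViewEntry("ro_view", "1.3.6.1.2.1", "included"),
    ViewEntry("ro_view", "1.3.6.1.2.1.4", "excluded"),
    ViewEntry("ro_view", "1.3.6.1.2.1.2.2.1.*.3", "excluded"),
]
```

With the sample view, sysDescr (1.3.6.1.2.1.1.1.0) is visible, anything under the IP group (1.3.6.1.2.1.4) is not, and ifTable rows of interface 3 are hidden while the same columns of interface 2 remain visible.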
Buttons
Add New Entry: Click to add a new view entry.
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
3.1.4.7.6. Security - Switch - SNMP - Access
Configure SNMPv3 access table on this page.
Delete
Check to delete the entry. It will be deleted during the next save.
Group Name
A string identifying the group name that this entry should belong to. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
Security Model
Indicates the security model that this entry should belong to. Possible security models are:
any: Any security model accepted (v1|v2c|usm).
v1: Reserved for SNMPv1.
v2c: Reserved for SNMPv2c.
usm: User-based Security Model (USM).
Security Level
Indicates the security level that this entry belongs to. Possible security levels are:
NoAuth, NoPriv: No authentication and no privacy.
Auth, NoPriv: Authentication and no privacy.
Auth, Priv: Authentication and privacy.
Read View Name
The name of the MIB view defining the MIB objects whose current values this group may read. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
Write View Name
The name of the MIB view defining the MIB objects for which this group may potentially set new values. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
Buttons
Add New Entry: Click to add a new access entry.
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
3.1.4.8. Security - Switch - RMON
3.1.4.8.1. Security - Switch - RMON - Statistics
Configure RMON Statistics table on this page. The entry index key is ID.
Delete
Check to delete the entry. It will be deleted during the next save.
ID
Indicates the index of the entry. The range is from 1 to 65535.
Data Source
Indicates the ID of the port to be monitored. In a stacked switch, add 1000*(switch ID-1) to the port number; for example, switch 3 port 5 gives the value 2005.
Buttons
Add New Entry: Click to add a new RMON statistics entry.
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
3.1.4.8.2. Security - Switch - RMON - History
Configure RMON History table on this page. The entry index key is ID.
Delete
Check to delete the entry. It will be deleted during the next save.
ID
Indicates the index of the entry. The range is from 1 to 65535.
Data Source
Indicates the ID of the port to be monitored. In a stacked switch, add 1000*(switch ID-1) to the port number; for example, switch 3 port 5 gives the value 2005.
Interval
Indicates the interval in seconds for sampling the history statistics data. The range is from 1 to 3600, default value is 1800 seconds.
Buckets
Indicates the maximum number of data entries associated with this History control entry that are stored in RMON. The range is from 1 to 3600; the default value is 50.
Buckets Granted
The number of data entries actually granted for storage in RMON.
Buttons
Add New Entry: Click to add a new RMON history entry.
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
3.1.4.8.3. Security - Switch - RMON - Alarm
Configure RMON Alarm table on this page. The entry index key is ID.
Delete
Check to delete the entry. It will be deleted during the next save.
ID
Indicates the index of the entry. The range is from 1 to 65535.
Interval
Indicates the interval in seconds for sampling and comparing the rising and falling threshold. The range is from 1 to 2^31-1.
Variable
Indicates the particular variable to be sampled. The possible variables are:
InOctets: The total number of octets received on the interface, including framing characters.
InUcastPkts: The number of unicast packets delivered to a higher-layer protocol.
InNUcastPkts: The number of broadcast and multicast packets delivered to a higher-layer protocol.
InDiscards: The number of inbound packets that are discarded even though the packets are normal.
InErrors: The number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol.
InUnknownProtos: The number of inbound packets that were discarded because of an unknown or unsupported protocol.
OutOctets: The number of octets transmitted out of the interface, including framing characters.
OutUcastPkts: The number of unicast packets requested to be transmitted.
OutNUcastPkts: The number of broadcast and multicast packets requested to be transmitted.
OutDiscards: The number of outbound packets that are discarded even though the packets are normal.
OutErrors: The number of outbound packets that could not be transmitted because of errors.
OutQLen: The length of the output packet queue (in packets).
Sample Type
The method of sampling the selected variable and calculating the value to be compared against the thresholds, possible sample types are:
Absolute: Get the sample directly.
Delta: Calculate the difference between samples (default).
Value
The value of the statistic during the last sampling period.
Startup Alarm
Determines which threshold crossing raises an alarm on the first sample taken after the entry becomes valid. The possible startup alarm types are:
Rising: Trigger an alarm when the first value is larger than the rising threshold.
Falling: Trigger an alarm when the first value is less than the falling threshold.
RisingOrFalling: Trigger an alarm when the first value is larger than the rising threshold or less than the falling threshold (default).
Rising Threshold
Rising threshold value (-2147483648-2147483647).
Rising Index
Rising event index (1-65535).
Falling Threshold
Falling threshold value (-2147483648-2147483647).
Falling Index
Falling event index (1-65535).
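The following is an added example, not part of the Niveo manual, that models an RMON alarm entry as configured by the fields above: it samples a variable as Absolute or Delta, compares the value with the rising and falling thresholds and returns the event index that fires. The first-sample behaviour follows the Startup Alarm field; the rule that a second rising (or falling) event is held back until the opposite threshold has been reached is the hysteresis defined for RMON alarms in RFC 2819. The sample series used in the tests are constructed.

```python
# Added example, not part of the Niveo manual: an RMON alarm entry that
# samples a variable (Absolute or Delta), compares it with the rising and
# falling thresholds and reports which event index fires. First-sample
# handling follows the Startup Alarm field; the hold-back of repeated
# events until the opposite threshold is reached is the RFC 2819 hysteresis.
from typing import Optional

INT32_MIN, INT32_MAX = -2147483648, 2147483647


class RmonAlarm:
    def __init__(self, sample_type, rising_threshold, falling_threshold,
                 rising_index=1, falling_index=2, startup_alarm="RisingOrFalling"):
        if sample_type not in ("Absolute", "Delta"):
            raise ValueError("sample type must be Absolute or Delta")
        for v in (rising_threshold, falling_threshold):
            if not INT32_MIN <= v <= INT32_MAX:
                raise ValueError("threshold out of range")
        for idx in (rising_index, falling_index):
            if not 1 <= idx <= 65535:
                raise ValueError("event index must be 1..65535")
        if startup_alarm not in ("Rising", "Falling", "RisingOrFalling"):
            raise ValueError("bad startup alarm")
        self.sample_type = sample_type
        self.rising, self.falling = rising_threshold, falling_threshold
        self.rising_index, self.falling_index = rising_index, falling_index
        self.startup = startup_alarm
        self.last_raw = None        # previous raw reading, for Delta sampling
        self.value = None           # value of the last sampling period
        self.last_value = None
        self.rising_held = False    # a rising event fired; wait for the falling threshold
        self.falling_held = False

    def sample(self, raw: int) -> Optional[int]:
        """Feed one reading; return the event index to trigger, or None."""
        if self.sample_type == "Absolute":
            value = raw
        else:
            if self.last_raw is None:
                self.last_raw = raw     # Delta needs two readings before the first value
                return None
            value = raw - self.last_raw
            self.last_raw = raw
        self.value = value

        if self.last_value is None:     # first value: consult the startup alarm
            up = value >= self.rising and self.startup in ("Rising", "RisingOrFalling")
            down = value <= self.falling and self.startup in ("Falling", "RisingOrFalling")
        else:
            up = value >= self.rising and self.last_value < self.rising
            down = value <= self.falling and self.last_value > self.falling

        event = None
        if up and not self.rising_held:
            event, self.rising_held, self.falling_held = self.rising_index, True, False
        elif down and not self.falling_held:
            event, self.falling_held, self.rising_held = self.falling_index, True, False
        # Reaching the opposite threshold re-arms the held direction.
        if value <= self.falling:
            self.rising_held = False
        if value >= self.rising:
            self.falling_held = False
        self.last_value = value
        return event


def run_alarm(alarm: RmonAlarm, readings) -> list:
    """Return the event index (or None) produced by each reading."""
    return [alarm.sample(r) for r in readings]
```

With a Delta alarm the first reading only primes the previous-value register, so a series of N readings yields at most N-1 comparisons; with Absolute sampling every reading is compared.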
Buttons
Add New Entry: Click to add a new RMON alarm entry.
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
3.1.4.8.4. Security - Switch - RMON - Event
Configure RMON Event table on this page. The entry index key is ID.
Delete
Check to delete the entry. It will be deleted during the next save.
ID
Indicates the index of the entry. The range is from 1 to 65535.
Desc
A description of this event. The string length is from 0 to 127; the default is a null string.
Type
Indicates the notification generated by the event. The possible types are:
None: No notification is generated.
Log: An entry is added to the event log.
snmptrap: An SNMP trap is sent.
logandtrap: An entry is added to the event log and an SNMP trap is sent.
Community
Specify the community when trap is sent, the string length is from 0 to 127, default is "public".
Event Last Time
Indicates the value of sysUpTime at the time this event entry last generated an event.
Buttons
Add New Entry: Click to add a new RMON event entry.
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
3.1.4.9. Security - Network - Limit Control
This page allows you to configure the Port Security Limit Control system and port settings. Limit Control allows for limiting the number of users on a given port. A user is identified by a MAC address and VLAN ID. If Limit Control is enabled on a port, the limit specifies the maximum number of users on the port. If this number is exceeded, an action is taken. The action can be one of the four different actions described below.
The Limit Control module utilizes a lower-layer module, Port Security module, which manages MAC addresses learnt on the port.
The Limit Control configuration consists of two sections, a system-wide and a port-wide section.
System Configuration Mode
Indicates if Limit Control is globally enabled or disabled on the stack. If globally disabled, other modules may still use the underlying functionality, but limit checks and corresponding actions are disabled.
Aging Enabled
If checked, secured MAC addresses are subject to aging as discussed under Aging Period.
Aging Period
If Aging Enabled is checked, then the aging period is controlled with this input. If other modules are using the underlying port security for securing MAC addresses, they may have other requirements to the aging period. The underlying port security will use the shorter requested aging period of all modules that use the functionality.
The Aging Period can be set to a number between 10 and 10,000,000 seconds. To understand why aging may be desired, consider the following scenario: Suppose an end-host is connected to a 3rd party switch or hub, which in turn is connected to a port on this switch on which Limit Control is enabled. The end-host will be allowed to forward if the limit is not exceeded. Now suppose that the end-host logs off or powers down. If it wasn't for aging, the end-host would still take up resources on this switch and would still be allowed to forward. To overcome this situation, enable aging. With aging enabled, a timer is started once the end-host gets secured. When the timer expires, the switch starts looking for frames from the end-host, and if such frames are not seen within the next Aging Period, the end-host is assumed to be disconnected, and the corresponding resources are freed on the switch.
Port Configuration
The table has one row for each port on the selected switch in the stack and a number of columns, which are:
Port
The port number to which the configuration below applies.
Mode
Controls whether Limit Control is enabled on this port. Both this and the Global Mode must be set to Enabled for Limit Control to be in effect. Notice that other modules may still use the underlying port security features without enabling Limit Control on a given port.
Limit
The maximum number of MAC addresses that can be secured on this port. This number cannot exceed 1024. If the limit is exceeded, the corresponding action is taken. The stack is "born" with a total number of MAC addresses from which all ports draw whenever a new MAC address is seen on a Port Security-enabled port. Since all ports draw from the same pool, it may happen that a configured maximum cannot be granted, if the remaining ports have already used all available MAC addresses.
Action
If Limit is reached, the switch can take one of the following actions:
None: Do not allow more than Limit MAC addresses on the port, but take no further action.
Trap: If Limit + 1 MAC addresses are seen on the port, send an SNMP trap. If Aging is disabled, only one SNMP trap will be sent, but with Aging enabled, new SNMP traps will be sent every time the limit gets exceeded.
Shutdown: If Limit + 1 MAC addresses are seen on the port, shut down the port. This implies that all secured MAC addresses will be removed from the port, and no new address will be learned. Even if the link is physically disconnected and reconnected on the port (by disconnecting the cable), the port will remain shut down. There are three ways to re-open the port:
1. Boot the stack or elect a new master,
2. Disable and re-enable Limit Control on the port or the stack,
3. Click the Reopen button.
Trap & Shutdown: If Limit + 1 MAC addresses are seen on the port, both the "Trap" and the "Shutdown" actions described above will be taken.
State
This column shows the current state of the port as seen from the Limit Control's point of view. The state takes one of four values:
Disabled: Limit Control is either globally disabled or disabled on the port.
Ready: The limit is not yet reached. This can be shown for all actions.
Limit Reached: Indicates that the limit is reached on this port. This state can only be shown if Action is set to None or Trap.
Shutdown: Indicates that the port is shut down by the Limit Control module. This state can only be shown if Action is set to Shutdown or Trap & Shutdown.
Re-open Button
If a port is shut down by this module, you may reopen it by clicking this button, which is only enabled in that case. For other methods, refer to Shutdown in the Action section. Note that clicking the reopen button causes the page to be refreshed, so non-committed changes will be lost.
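The following is an added example, not part of the Niveo manual, that models Limit Control on a single port with the Limit, Action, Aging and Re-open behaviour described in this section, including the stack-wide MAC address pool that all ports draw from. The pool is a simple counter, aging is simplified to "freed when not seen within one Aging Period" rather than the two-phase timer the text describes, and the MAC addresses, VLAN IDs and timestamps used are constructed.

```python
# Added example, not part of the Niveo manual: a model of Limit Control on one
# port with the Limit, Action, Aging and Re-open behaviour described above.
# The shared MAC pool is a counter; aging is simplified to one period; the
# MAC addresses, VLAN IDs and timestamps used in the tests are constructed.
from dataclasses import dataclass, field

ACTIONS = ("None", "Trap", "Shutdown", "Trap & Shutdown")


@dataclass
class MacPool:
    """The stack-wide pool every port draws secured MAC addresses from."""
    capacity: int
    used: int = 0

    def take(self) -> bool:
        if self.used >= self.capacity:
            return False
        self.used += 1
        return True

    def give_back(self, n: int = 1) -> None:
        self.used -= n


@dataclass
class LimitControlPort:
    port: int
    limit: int
    action: str
    pool: MacPool
    aging_enabled: bool = False
    state: str = "Ready"
    secured: dict = field(default_factory=dict)   # (mac, vlan) -> last seen time
    traps: list = field(default_factory=list)
    trap_sent: bool = False

    def __post_init__(self):
        if not 1 <= self.limit <= 1024:
            raise ValueError("limit must be 1..1024")
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")

    def _trap(self, now: int) -> None:
        # Aging disabled: one trap only; aging enabled: a trap each time the limit is exceeded.
        if self.aging_enabled or not self.trap_sent:
            self.traps.append((now, self.port))
            self.trap_sent = True

    def frame_seen(self, mac: str, vlan: int, now: int) -> str:
        """Process a frame from (mac, vlan); return what happened to it."""
        key = (mac, vlan)
        if self.state == "Shutdown":
            return "dropped"                     # port stays down until re-opened
        if key in self.secured:
            self.secured[key] = now
            return "forward"
        if len(self.secured) < self.limit:
            if not self.pool.take():
                return "pool-exhausted"          # other ports used up the shared pool
            self.secured[key] = now
            if len(self.secured) == self.limit and self.action in ("None", "Trap"):
                self.state = "Limit Reached"
            return "forward"
        # Limit + 1 distinct addresses seen on the port.
        if self.action in ("Trap", "Trap & Shutdown"):
            self._trap(now)
        if self.action in ("Shutdown", "Trap & Shutdown"):
            self.pool.give_back(len(self.secured))
            self.secured.clear()                 # all secured addresses are removed
            self.state = "Shutdown"
            return "shutdown"
        return "blocked"

    def age(self, now: int, aging_period: int) -> list:
        """Free addresses not seen within the aging period; return the freed keys."""
        if not self.aging_enabled:
            return []
        if not 10 <= aging_period <= 10_000_000:
            raise ValueError("aging period must be 10..10,000,000 seconds")
        expired = [k for k, t in self.secured.items() if now - t > aging_period]
        for k in expired:
            del self.secured[k]
        self.pool.give_back(len(expired))
        if expired and self.state == "Limit Reached":
            self.state = "Ready"
        return expired

    def reopen(self) -> None:
        """The Re-open button: only meaningful when this module shut the port down."""
        if self.state == "Shutdown":
            self.state = "Ready"
            self.trap_sent = False
```

The model makes two consequences of the text visible: with Shutdown actions the port drops everything, including previously secured hosts, until it is re-opened, and with Aging disabled a Trap action reports the first excess address only, so repeated offenders go unreported until aging or a re-open resets the port.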
Buttons
Add New Entry: Click to add a new entry.
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
3.1.4.10. Security - Network - NAS (Network Access Server)
This page allows you to configure the IEEE 802.1X and MAC-based authentication system and port settings.
The IEEE 802.1X standard defines a port-based access control procedure that prevents unauthorized access to a network by requiring users to first submit credentials for authentication. One or more central servers, the backend servers, determine whether the user is allowed access to the network. These backend (RADIUS) servers are configured on the "Configuration > Security > AAA" page. The IEEE 802.1X standard defines port-based operation, but non-standard variants overcome its security limitations, as explored below.
MAC-based authentication allows for authentication of more than one user on the same port, and doesn't require the user to have special 802.1X supplicant software installed on his system. The switch uses the user's MAC address to authenticate against the backend server. Intruders can create counterfeit MAC addresses, which makes MAC-based authentication less secure than 802.1X authentication.
The NAS configuration consists of two sections, a system-wide and a port-wide section.
System Configuration Mode
Indicates if NAS is globally enabled or disabled on the stack. If globally disabled, all ports are allowed forwarding of frames.
Re-authentication Enabled
If checked, successfully authenticated supplicants/clients are re-authenticated after the interval specified by the Re-authentication Period. Re-authentication for 802.1X-enabled ports can be used to detect if a new device is plugged into a switch port or if a supplicant is no longer attached.
For MAC-based ports, re-authentication is only useful if the RADIUS server configuration has changed. It does not involve communication between the switch and the client, and therefore doesn't imply that a client is still present on a port (see Aging Period below).
Re-authentication Period
Determines the period, in seconds, after which a connected client must be re-authenticated. This is only active if the Re-authentication Enabled checkbox is checked. Valid values are in the range 1 to 3600 seconds.
EAPOL Timeout
Determines the time for retransmission of Request Identity EAPOL frames. Valid values are in the range 1 to 65535 seconds. This has no effect for MAC-based ports.
Aging Period
This setting applies to the following modes, i.e. modes using the Port Security functionality to secure MAC addresses:
Single 802.1X
Multi 802.1X
MAC-Based Auth.
When the NAS module uses the Port Security module to secure MAC addresses, the Port Security module needs to check for activity on the MAC address in question at regular intervals and free resources if no activity is seen within a given period of time. This parameter controls exactly this period and can be set to a number between 10 and 1000000 seconds.
If re-authentication is enabled and the port is in an 802.1X-based mode, this is not so critical, since supplicants that are no longer attached to the port will get removed upon the next re-authentication, which will fail. But if re-authentication is not enabled, the only way to free resources is by aging the entries.
For ports in MAC-based Auth. mode, re-authentication doesn't cause direct communication between the switch and the client, so this will not detect whether the client is still attached or not, and the only way to free any resources is to age the entry.
Hold Time
This setting applies to the following modes, i.e. modes using the Port Security functionality to secure MAC addresses:
Single 802.1X
Multi 802.1X
MAC-Based Auth.
If a client is denied access - either because the RADIUS server denies the client access or because the RADIUS server request times out (according to the timeout specified on the "Configuration→Security→AAA" page) - the client is put on hold in the Unauthorized state. The hold timer does not count during an on-going authentication.
In MAC-based Auth. mode, the switch will ignore new frames coming from the client during the hold time.
The Hold Time can be set to a number between 10 and 1000000 seconds.
RADIUS-Assigned QoS Enabled
RADIUS-assigned QoS provides a means to centrally control the traffic class to which traffic coming from a successfully authenticated supplicant is assigned on the switch. The RADIUS server must be configured to transmit special RADIUS attributes to take advantage of this feature (see RADIUS-Assigned QoS Enabled below for a detailed description).
The "RADIUS-Assigned QoS Enabled" checkbox provides a quick way to globally enable/disable RADIUS-server assigned QoS Class functionality. When checked, each port's own setting of the same name determines whether RADIUS-assigned QoS Class is enabled on that port. When unchecked, RADIUS-server assigned QoS Class is disabled on all ports.
RADIUS-Assigned VLAN Enabled
RADIUS-assigned VLAN provides a means to centrally control the VLAN on which a successfully authenticated supplicant is placed on the switch. Incoming traffic will be classified to and switched on the RADIUS-assigned VLAN. The RADIUS server must be configured to transmit special RADIUS attributes to take advantage of this feature (see RADIUS-Assigned VLAN Enabled below for a detailed description).
The "RADIUS-Assigned VLAN Enabled" checkbox provides a quick way to globally enable/disable RADIUS-server assigned VLAN functionality. When checked, each port's own setting of the same name determines whether RADIUS-assigned VLAN is enabled on that port. When unchecked, RADIUS-server assigned VLAN is disabled on all ports.
Guest VLAN Enabled
A Guest VLAN is a special VLAN - typically with limited network access - on which 802.1X-unaware clients are placed after a network administrator-defined timeout. The switch follows a set of rules for entering and leaving the Guest VLAN as listed below.
The "Guest VLAN Enabled" checkbox provides a quick way to globally enable/disable Guest VLAN functionality. When checked, each port's own setting of the same name determines whether the port can be moved into the Guest VLAN. When unchecked, the ability to move to the Guest VLAN is disabled on all ports.
Guest VLAN ID
This is the value that a port's Port VLAN ID is set to if a port is moved into the Guest VLAN. It is only changeable if the Guest VLAN option is globally enabled.
Valid values are in the range [1; 4095].
Max. Reauth. Count
This setting adjusts the number of times the switch transmits an EAPOL Request Identity frame without response before considering entering the Guest VLAN. The value can only be changed if the Guest VLAN option is globally enabled.
Valid values are in the range [1; 255].
Allow Guest VLAN if EAPOL Seen
The switch remembers if an EAPOL frame has been received on the port for the life-time of the port. Once the switch considers whether to enter the Guest VLAN, it will first check if this option is enabled or disabled. If disabled (unchecked; default), the switch will only enter the Guest VLAN if an EAPOL frame has not been received on the port for the life-time of the port. If enabled (checked), the switch will consider entering the Guest VLAN even if an EAPOL frame has been received on the port for the life-time of the port.
The value can only be changed if the Guest VLAN option is globally enabled.
Port Configuration
The table has one row for each port on the selected switch in the stack and a number of columns, which are:
Port
The port number for which the configuration below applies.
Admin State
If NAS is globally enabled, this selection controls the port's authentication mode. The following modes are available:
Force Authorized
In this mode, the switch will send one EAPOL Success frame when the port link comes up, and any client on the port will be allowed network access without authentication.
Force Unauthorized
In this mode, the switch will send one EAPOL Failure frame when the port link comes up, and any client on the port will be disallowed network access.
Port-based 802.1X
In the 802.1X-world, the user is called the supplicant, the switch is the authenticator, and the RADIUS server is the authentication server. The authenticator acts as the man-in-the-middle, forwarding requests and responses between the supplicant and the authentication server.
Frames sent between the supplicant and the switch are special 802.1X frames, known as EAPOL (EAP Over LANs) frames. EAPOL frames encapsulate EAP PDUs (RFC3748). Frames sent between the switch and the RADIUS server are RADIUS packets. RADIUS packets also encapsulate EAP PDUs together with other attributes like the switch's IP address, name, and the supplicant's port number on the switch. EAP is very flexible, in that it allows for different authentication methods, like MD5-Challenge, PEAP, and TLS. The important thing is that the authenticator (the switch) doesn't need to know which authentication method the supplicant and the authentication server are using, or how many information exchange frames are needed for a particular method. The switch simply encapsulates the EAP part of the frame into the relevant type (EAPOL or RADIUS) and forwards it.
When authentication is complete, the RADIUS server sends a special packet containing a success or failure indication. Besides forwarding this decision to the supplicant, the switch uses it to open up or block traffic on the switch port connected to the supplicant.
Note: Suppose two backend servers are enabled and that the server timeout is configured to X seconds (using the AAA configuration page), and suppose that the first server in the list is currently down (but not considered dead). Now, if the supplicant retransmits EAPOL Start frames at a rate faster than X seconds, then it will never get authenticated, because the switch will cancel on-going backend authentication server requests whenever it receives a new EAPOL Start frame from the supplicant. And since the server hasn't yet failed (because the X seconds haven't expired), the same server will be contacted upon the next backend authentication server request from the switch. This scenario will loop forever. Therefore, the server timeout should be smaller than the supplicant's EAPOL Start frame retransmission rate.
Single 802.1X
In port-based 802.1X authentication, once a supplicant is successfully authenticated on a port, the whole port is opened for network traffic. This allows other clients connected to the port (for instance through a hub) to piggy-back on the successfully authenticated client and get network access even though they really aren't authenticated. To overcome this security breach, use the Single 802.1X variant.
Single 802.1X is really not an IEEE standard, but features many of the same characteristics as does port-based 802.1X. In Single 802.1X, at most one supplicant can get authenticated on the port at a time. Normal EAPOL frames are used in the communication between the supplicant and the switch. If more than one supplicant is connected to a port, the one that comes first when the port's link comes up will be the first one considered. If that supplicant doesn't provide valid credentials within a certain amount of time, another supplicant will get a chance. Once a supplicant is successfully authenticated, only that supplicant will be allowed access. This is the most secure of all the supported modes. In this mode, the Port Security module is used to secure a supplicant's MAC address once successfully authenticated.
Multi 802.1X
Multi 802.1X is - like Single 802.1X - not an IEEE standard, but a variant that features many of the same characteristics. In Multi 802.1X, one or more supplicants can get authenticated on the same port at the same time. Each supplicant is authenticated individually and secured in the MAC table using the Port Security module.
In Multi 802.1X it is not possible to use the multicast BPDU MAC address as destination MAC address for EAPOL frames sent from the switch towards the supplicant, since that would cause all supplicants attached to the port to reply to requests sent from the switch. Instead, the switch uses the supplicant's MAC address, which is obtained from the first EAPOL Start or EAPOL Response Identity frame sent by the supplicant. An exception to this is when no supplicants are attached. In this case, the switch sends EAPOL Request Identity frames using the BPDU multicast MAC address as destination - to wake up any supplicants that might be on the port.
The maximum number of supplicants that can be attached to a port can be limited using the Port Security Limit Control functionality.
MAC-based Auth.
Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely a best-practices method adopted by the industry. In MAC-based authentication, users are called clients, and the switch acts as the supplicant on behalf of clients. The initial frame (any kind of frame) sent by a client is snooped by the switch, which in turn uses the client's MAC address as both username and password in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is converted to a string in the following form: "xx-xx-xx-xx-xx-xx", that is, a dash (-) is used as separator between the lower-cased hexadecimal digits. The switch only supports the MD5-Challenge authentication method, so the RADIUS server must be configured accordingly.
When authentication is complete, the RADIUS server sends a success or failure indication, which in turn causes the switch to open up or block traffic for that particular client, using the Port Security module. Only then will frames from the client be forwarded on the switch. There are no EAPOL frames involved in this authentication, and therefore, MAC-based Authentication has nothing to do with the 802.1X standard.
The advantage of MAC-based authentication over 802.1X-based authentication is that the clients don't need special supplicant software to authenticate. The disadvantage is that MAC addresses can be spoofed by malicious users - equipment whose MAC address is a valid RADIUS user can be used by anyone. Also, only the MD5-Challenge method is supported. The maximum number of clients that can be attached to a port can be limited using the Port Security Limit Control functionality.
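The following is an added example, not code from the manual or from Niveo, that walks through the MAC-based exchange just described: the switch renders the snooped MAC address as the dashed lower-case string, uses it as both the identity and the MD5-Challenge secret, and a stand-in RADIUS server checks the response. The `ToyRadiusServer` class, the fixed challenge and the `switch_mac_auth` helper are constructed for this example; the MD5-Challenge computation is the CHAP formula that EAP reuses (RFC 3748 section 5.4, RFC 1994).

```python
import hashlib
import hmac


def mac_to_nas_identity(mac: bytes) -> str:
    """Render a 6-byte MAC address the way the manual describes for MAC-based
    authentication: lower-case hexadecimal octets separated by dashes.
    The switch uses this string as both User-Name and password."""
    if len(mac) != 6:
        raise ValueError("a MAC address is exactly 6 bytes")
    return "-".join(f"{octet:02x}" for octet in mac)


def eap_md5_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """EAP MD5-Challenge response value (RFC 3748 section 5.4 reuses the CHAP
    computation of RFC 1994): MD5(Identifier || secret || challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("the EAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret.encode("ascii") + challenge).digest()


class ToyRadiusServer:
    """Constructed stand-in for the RADIUS server. Its user database maps
    User-Name to a cleartext password; for MAC-based ports both are the dashed
    MAC string, which is how the manual says the server must be configured."""

    def __init__(self, allowed_macs):
        self.users = {mac_to_nas_identity(m): mac_to_nas_identity(m) for m in allowed_macs}

    def verify(self, username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        password = self.users.get(username)
        if password is None:
            return False                       # unknown MAC: Access-Reject
        expected = eap_md5_response(identifier, password, challenge)
        return hmac.compare_digest(expected, response)


def switch_mac_auth(server: ToyRadiusServer, snooped_smac: bytes,
                    identifier: int = 1, challenge: bytes = b"\x01" * 16) -> bool:
    """Switch-side steps from the manual: snoop the client's source MAC, form the
    identity, answer the server's MD5-Challenge with that identity as the secret,
    and turn the server's verdict into authorized (True) or unauthorized (False).
    The challenge is fixed here so the example is deterministic; a real server
    picks a fresh random challenge per authentication."""
    identity = mac_to_nas_identity(snooped_smac)
    response = eap_md5_response(identifier, identity, challenge)
    return server.verify(identity, identifier, challenge, response)


if __name__ == "__main__":
    server = ToyRadiusServer([bytes.fromhex("001122aabbcc")])       # constructed user database
    print(switch_mac_auth(server, bytes.fromhex("001122aabbcc")))   # known client
    print(switch_mac_auth(server, bytes.fromhex("001122aabbcd")))   # unknown client
```

Because the secret is the identity itself, the server's check proves nothing beyond what the snooped frame already carried, which is the spoofing weakness the manual points out; the Port Security Limit Control mentioned above is the complementary control on how many such clients a port will accept.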
RADIUS-Assigned QoS Enabled
When RADIUS-Assigned QoS is both globally enabled and enabled (checked) on a given port, the switch reacts to QoS Class information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and valid, traffic received on the supplicant's port will be classified to the given QoS Class. If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a QoS Class or it's invalid, or the supplicant is otherwise no longer present on the port, the port's QoS Class is immediately reverted to the original QoS Class (which may be changed by the administrator in the meanwhile without affecting the RADIUS-assigned one).
This option is only available for single-client modes, i.e.:
Port-based 802.1X
Single 802.1X
RADIUS attributes used in identifying a QoS Class:
The User-Priority-Table attribute defined in RFC4675 forms the basis for identifying the QoS Class in an Access-Accept packet.
Only the first occurrence of the attribute in the packet will be considered, and to be valid, it must follow this rule:
All 8 octets in the attribute's value must be identical and consist of ASCII characters in the range '0' - '7', which translates into the desired QoS Class in the range [0; 7].
RADIUS-Assigned VLAN Enabled
When RADIUS-Assigned VLAN is both globally enabled and enabled (checked) for a given port, the switch reacts to VLAN ID information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and valid, the port's Port VLAN ID will be changed to this VLAN ID, the port will be set to be a member of that VLAN ID, and the port will be forced into VLAN unaware mode. Once assigned, all traffic arriving on the port will be classified and switched on the RADIUS-assigned VLAN ID.
If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a VLAN ID or it's invalid, or the supplicant is otherwise no longer present on the port, the port's VLAN ID is immediately reverted to the original VLAN ID (which may be changed by the administrator in the meanwhile without affecting the RADIUS-assigned one).
This option is only available for single-client modes, i.e.:
Port-based 802.1X
Single 802.1X
For trouble-shooting VLAN assignments, use the "Monitor→VLANs→VLAN Membership and VLAN Port" pages. These pages show which modules have (temporarily) overridden the current Port VLAN configuration.
RADIUS attributes used in identifying a VLAN ID:
RFC2868 and RFC3580 form the basis for the attributes used in identifying a VLAN ID in an Access-Accept packet. The following criteria are used:
The Tunnel-Medium-Type, Tunnel-Type, and Tunnel-Private-Group-ID attributes must all be present at least once in the Access-Accept packet.
The switch looks for the first set of these attributes that have the same Tag value and fulfil the following requirements (if Tag == 0 is used, the Tunnel-Private-Group-ID does not need to include a Tag):
Value of Tunnel-Medium-Type must be set to "IEEE-802" (ordinal 6).
Value of Tunnel-Type must be set to "VLAN" (ordinal 13).
Value of Tunnel-Private-Group-ID must be a string of ASCII chars in the range '0' - '9', which is interpreted as a decimal string representing the VLAN ID. Leading '0's are discarded. The final value must be in the range [1; 4095].
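As an added example (not code from the manual or from Niveo), the following implements both attribute rules described above, the QoS Class rule for User-Priority-Table and the VLAN ID rule for the tagged Tunnel attributes, over the attribute section of a RADIUS Access-Accept packet. The attribute type numbers are those registered by RFC 4675 and RFC 2868; the Tag handling follows RFC 2868 (a first octet in 0x00..0x1F is a Tag). The sample packet bytes and the `_attr` builder are constructed for the example.

```python
from typing import List, Optional, Tuple

# RADIUS attribute type numbers from the RFCs the manual cites.
USER_PRIORITY_TABLE = 59      # RFC 4675
TUNNEL_TYPE = 64              # RFC 2868
TUNNEL_MEDIUM_TYPE = 65       # RFC 2868
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

Attr = Tuple[int, bytes]


def parse_attributes(raw: bytes) -> List[Attr]:
    """Split a RADIUS attribute section into (type, value) pairs. Each attribute
    is Type (1 octet), Length (1 octet, covering the two header octets), Value."""
    attrs, pos = [], 0
    while pos < len(raw):
        if pos + 2 > len(raw):
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > len(raw):
            raise ValueError("bad attribute length")
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return attrs


def qos_class_from_access_accept(attrs: List[Attr]) -> Optional[int]:
    """Manual's rule: only the first User-Priority-Table counts, and all 8 octets
    must be the same ASCII digit '0'..'7'. None means absent or invalid, in which
    case the port keeps its own QoS Class."""
    for atype, value in attrs:
        if atype == USER_PRIORITY_TABLE:
            if len(value) == 8 and len(set(value)) == 1 and 0x30 <= value[0] <= 0x37:
                return value[0] - 0x30
            return None
    return None


def _split_tag(atype: int, value: bytes) -> Tuple[int, bytes]:
    """RFC 2868 tagging: a first octet of 0x00..0x1F is the Tag. Tunnel-Type and
    Tunnel-Medium-Type always carry one; Tunnel-Private-Group-ID may omit it,
    which the manual treats as Tag 0."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    if atype == TUNNEL_PRIVATE_GROUP_ID:
        return 0, value
    raise ValueError("tunnel attribute without a Tag octet")


def vlan_id_from_access_accept(attrs: List[Attr]) -> Optional[int]:
    """Manual's rule: the first Tag whose Tunnel-Medium-Type is IEEE-802 (6),
    Tunnel-Type is VLAN (13) and Tunnel-Private-Group-ID is a decimal string in
    [1; 4095] after dropping leading zeros. Within a Tag only the first
    occurrence of each attribute is used."""
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    by_tag, order = {}, []          # tag -> {type: first value}, tags by first appearance
    for atype, value in attrs:
        if atype not in needed:
            continue
        tag, body = _split_tag(atype, value)
        if tag not in by_tag:
            by_tag[tag] = {}
            order.append(tag)
        by_tag[tag].setdefault(atype, body)
    for tag in order:
        group = by_tag[tag]
        if not all(t in group for t in needed):
            continue
        if int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        if int.from_bytes(group[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        digits = group[TUNNEL_PRIVATE_GROUP_ID]
        if not digits or not all(0x30 <= d <= 0x39 for d in digits):
            continue
        vid = int(digits.decode("ascii"))     # int() discards leading '0's
        if 1 <= vid <= 4095:
            return vid
    return None


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute in Type/Length/Value form (constructed test helper)."""
    return bytes([atype, len(value) + 2]) + value


# Constructed Access-Accept attribute section: QoS Class 5 and, under Tag 1,
# Tunnel-Medium-Type IEEE-802, Tunnel-Type VLAN, Tunnel-Private-Group-ID "0042".
SAMPLE_ACCESS_ACCEPT = (
    _attr(USER_PRIORITY_TABLE, b"55555555")
    + _attr(TUNNEL_MEDIUM_TYPE, b"\x01" + b"\x00\x00\x06")
    + _attr(TUNNEL_TYPE, b"\x01" + b"\x00\x00\x0d")
    + _attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"0042")
)

if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_ACCESS_ACCEPT)
    print("QoS Class:", qos_class_from_access_accept(attrs))
    print("VLAN ID:", vlan_id_from_access_accept(attrs))
```

A server that sends the attributes with mismatched Tags, a Tunnel-Medium-Type other than 6, or a group ID such as "4096" produces no assignment, and per the page the port then stays on its original QoS Class or Port VLAN ID; the Monitor→VLANs pages named above show whether an override is in effect.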
Guest VLAN Enabled
When Guest VLAN is both globally enabled and enabled (checked) for a given port, the switch considers moving the port into the Guest VLAN according to the rules outlined below.
This option is only available for EAPOL-based modes, i.e.:
Port-based 802.1X
Single 802.1X
Multi 802.1X
For trouble-shooting VLAN assignments, use the "Monitor→VLANs→VLAN Membership and VLAN Port" pages. These pages show which modules have (temporarily) overridden the current Port VLAN configuration.
Guest VLAN Operation:
When a Guest VLAN enabled port's link comes up, the switch starts transmitting EAPOL Request Identity frames. If the number of transmissions of such frames exceeds Max. Reauth. Count and no EAPOL frames have been received in the meanwhile, the switch considers entering the Guest VLAN. The interval between transmission of EAPOL Request Identity frames is configured with EAPOL Timeout. If Allow Guest VLAN if EAPOL Seen is enabled, the port will now be placed in the Guest VLAN. If disabled, the switch will first check its history to see if an EAPOL frame has previously been received on the port (this history is cleared if the port link goes down or the port's Admin State is changed), and if not, the port will be placed in the Guest VLAN. Otherwise it will not move to the Guest VLAN, but continue transmitting EAPOL Request Identity frames at the rate given by EAPOL Timeout.
Once in the Guest VLAN, the port is considered authenticated, and all attached clients on the port are allowed access on this VLAN. The switch will not transmit an EAPOL Success frame when entering the Guest VLAN.
While in the Guest VLAN, the switch monitors the link for EAPOL frames, and if one such frame is received, the switch immediately takes the port out of the Guest VLAN and starts authenticating the supplicant according to the port mode. Once an EAPOL frame has been received, the port will never be able to go back into the Guest VLAN if the "Allow Guest VLAN if EAPOL Seen" option is disabled.
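The Guest VLAN rules above form a small state machine, modelled here as an added example that is not code from the manual or from Niveo. The model covers only the Guest VLAN decision: the EAPOL Request Identity transmission count against Max. Reauth. Count, the per-link EAPOL history, and the effect of "Allow Guest VLAN if EAPOL Seen". The 802.1X authentication that follows a received EAPOL frame is reduced to an `authenticating` flag, and the assumption that no Request Identity frames are retransmitted while the port sits in the Guest VLAN is the example's own.

```python
class GuestVlanPort:
    """Constructed model of this page's Guest VLAN rules for one EAPOL-based port
    (Port-based, Single or Multi 802.1X)."""

    def __init__(self, max_reauth_count: int, allow_if_eapol_seen: bool):
        if not 1 <= max_reauth_count <= 255:
            raise ValueError("Max. Reauth. Count must be in [1; 255]")
        self.max_reauth_count = max_reauth_count
        self.allow_if_eapol_seen = allow_if_eapol_seen
        self.link_up()

    def link_up(self) -> None:
        """Link comes up (or Admin State changes): the EAPOL history is cleared
        and the first EAPOL Request Identity frame is transmitted."""
        self.eapol_seen = False       # "EAPOL frame received on the port" for the life of the link
        self.in_guest_vlan = False
        self.authenticating = False
        self.requests_sent = 1

    def link_down(self) -> None:
        self.eapol_seen = False
        self.in_guest_vlan = False
        self.authenticating = False
        self.requests_sent = 0

    def eapol_timeout(self) -> None:
        """EAPOL Timeout expired with no EAPOL frame from the port: retransmit
        Request Identity and, once the transmission count exceeds
        Max. Reauth. Count, consider entering the Guest VLAN."""
        if self.in_guest_vlan:
            return                    # assumption: nothing to retransmit while in the Guest VLAN
        self.authenticating = False   # a silent supplicant is no longer being authenticated
        self.requests_sent += 1
        if self.requests_sent > self.max_reauth_count:
            self._consider_guest_vlan()

    def _consider_guest_vlan(self) -> None:
        if self.allow_if_eapol_seen or not self.eapol_seen:
            self.in_guest_vlan = True   # entered without an EAPOL Success frame
        # otherwise stay out and keep transmitting Request Identity frames

    def eapol_received(self) -> None:
        """Any EAPOL frame: remembered for the life of the link, takes the port
        out of the Guest VLAN and starts authentication per the port mode."""
        self.eapol_seen = True
        self.in_guest_vlan = False
        self.authenticating = True
        self.requests_sent = 0

    def state(self) -> str:
        if self.in_guest_vlan:
            return "guest-vlan"
        if self.authenticating:
            return "authenticating"
        return "unauthorized"


def run_events(port: GuestVlanPort, events: str) -> str:
    """Drive the model with a compact event string: 'T' = EAPOL Timeout expiry,
    'E' = EAPOL frame received, 'L' = link down then up. Returns the final state."""
    handlers = {
        "T": port.eapol_timeout,
        "E": port.eapol_received,
        "L": lambda: (port.link_down(), port.link_up()),
    }
    for event in events:
        handlers[event]()
    return port.state()


if __name__ == "__main__":
    strict = GuestVlanPort(max_reauth_count=2, allow_if_eapol_seen=False)
    print(run_events(strict, "TT"))       # third Request Identity exceeds the count
    print(run_events(strict, "E"))        # supplicant appears
    print(run_events(strict, "TTTTT"))    # goes silent: never back into the Guest VLAN
```

The contrast the model makes visible is the one the page warns about: with "Allow Guest VLAN if EAPOL Seen" enabled, a device that has already shown it speaks 802.1X can still land in the Guest VLAN by going quiet, so the default (disabled) is the setting that keeps the Guest VLAN reserved for 802.1X-unaware clients until the link is cycled.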
Port State
The current state of the port. It can take one of the following values:
Globally Disabled: NAS is globally disabled.
Link Down: NAS is globally enabled, but there is no link on the port.
Authorized: The port is in Force Authorized or a single-supplicant mode and the supplicant is authorized.
Unauthorized: The port is in Force Unauthorized or a single-supplicant mode and the supplicant is not successfully authorized by the RADIUS server.
X Auth/Y Unauth: The port is in a multi-supplicant mode. Currently X clients are authorized and Y are unauthorized.
Restart
Two buttons are available for each row. The buttons are only enabled when authentication is globally enabled and the port's Admin State is in an EAPOL-based or MAC-based mode. Clicking these buttons will not cause settings changed on the page to take effect.
Re-authenticate: Schedules a re-authentication whenever the quiet-period of the port runs out (EAPOL-based authentication). For MAC-based authentication, re-authentication will be attempted immediately. The button only has effect for successfully authenticated clients on the port and will not cause the clients to get temporarily unauthorized.
Reinitialize: Forces a reinitialization of the clients on the port and thereby a re-authentication immediately. The clients will transfer to the unauthorized state while the re-authentication is in progress.
Buttons
Add New Entry: Click to add a new community entry.
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
3.1.4.11. Security - Network - ACL
3.1.4.11.1. Security - Network - ACL - Ports
Configure the ACL parameters (ACE) of each switch port. These parameters will affect frames received on a port unless the frame matches a specific ACE.
The settings relate to the currently selected stack unit, as reflected by the page header.
Port
The logical port for the settings contained in the same row.
Policy ID
Select the policy to apply to this port. The allowed values are 0 through 255. The default value is 0.
Action
Select whether forwarding is permitted ("Permit") or denied ("Deny"). The default value is "Permit".
Rate Limiter ID
Select which rate limiter to apply on this port. The allowed values are Disabled or the values 1 through 16. The default value is "Disabled".
Port Redirect
Select the port to which frames are redirected. The allowed values are Disabled or a specific port number; it cannot be set when the Action is Permit. The default value is "Disabled".
Logging
Specify the logging operation of this port. The allowed values are:
Enabled: Frames received on the port are stored in the System Log.
Disabled: Frames received on the port are not logged.
The default value is "Disabled". Please note that the System Log memory size and logging rate are limited.
Shutdown
Specify the port shut down operation of this port. The allowed values are:
Enabled: If a frame is received on the port, the port will be disabled.
Disabled: Port shut down is disabled.
The default value is "Disabled".
State
Specify the port state of this port. The allowed values are:
Enabled: To reopen ports by changing the volatile port configuration of the ACL user module.
Disabled: To close ports by changing the volatile port configuration of the ACL user module.
The default value is "Enabled".
Counter
Counts the number of frames that match this ACE.
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
Refresh: Click to refresh the page; any changes made locally will be undone.
Clear: Click to clear the counters.
3.1.4.11.2. Security - Network - ACL - Rate Limiter
Configure the rate limiter for the ACL of the switch.
Rate Limiter ID
The rate limiter ID for the settings contained in the same row.
Rate
The allowed values are 0 to 131071 pps (packets per second).
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
3.1.4.11.3. Security - Network - ACL - Access Control List
This page shows the Access Control List (ACL), which is made up of the ACEs defined on this switch. Each row describes one defined ACE. The maximum number of ACEs is 512 on each switch. Click on the lowest plus sign to add a new ACE to the list. The reserved ACEs used for internal protocols cannot be edited or deleted, their order cannot be changed, and they have the highest priority. Notice: an ACE will not apply to any stacking port or non-existent port.
Ingress Port
Indicates the ingress port of the ACE. Possible values are:
All: The ACE will match all ingress ports.
Port: The ACE will match a specific ingress port.
Policy / Bitmask
Indicates the policy number and bitmask of the ACE.
Frame Type
Indicates the frame type of the ACE. Possible values are:
Any: The ACE will match any frame type.
EType: The ACE will match Ethernet Type frames. Note that an Ethernet Type based ACE will not get matched by IP and ARP frames.
ARP: The ACE will match ARP/RARP frames.
IPv4: The ACE will match all IPv4 frames.
IPv4/ICMP: The ACE will match IPv4 frames with ICMP protocol.
IPv4/UDP: The ACE will match IPv4 frames with UDP protocol.
IPv4/TCP: The ACE will match IPv4 frames with TCP protocol.
IPv4/Other: The ACE will match IPv4 frames, which are not ICMP/UDP/TCP.
IPv6: The ACE will match all IPv6 standard frames.
Action
Indicates the forwarding action of the ACE.
Permit: Frames matching the ACE may be forwarded and learned.
Deny: Frames matching the ACE are dropped.
Rate Limiter
Indicates the rate limiter number of the ACE. The allowed range is 1 to 16. When Disabled is displayed, the rate limiter operation is disabled.
Port Redirect
Indicates the port redirect operation of the ACE. Frames matching the ACE are redirected to the port number. The allowed values are Disabled or a specific port number. When Disabled is displayed, the port redirect operation is disabled.
Counter
The counter indicates the number of times the ACE was hit by a frame.
Modification Buttons
You can modify each ACE (Access Control Entry) in the table using the following buttons:
[icon]: Inserts a new ACE before the current row.
[icon]: Edits the ACE row.
[icon]: Moves the ACE up the list.
[icon]: Moves the ACE down the list.
[icon]: Deletes the ACE.
[icon]: The lowest plus sign adds a new entry at the bottom of the ACE listings.
Buttons
Auto-refresh: Check this box to refresh the page automatically. Automatic refresh occurs every 3 seconds.
Refresh: Click to refresh the page; any changes made locally will be undone.
Clear: Click to clear the counters.
Remove All: Click to remove all ACEs.
Configure an ACE (Access Control Entry) on this page. An ACE consists of several parameters. These parameters vary according to the frame type that you select. First select the ingress port for the ACE, and then select the frame type. Different parameter options are displayed depending on the frame type selected.
A frame that hits this ACE matches the configuration that is defined here.
Ingress Port
Select the ingress port for which this ACE applies.
All: The ACE applies to all ports.
Port n: The ACE applies to this port number, where n is the number of the switch port.
Policy Filter
Specify the policy number filter for this ACE.
Any: No policy filter is specified. (policy filter status is "don't-care".)
Specific: If you want to filter a specific policy with this ACE, choose this value. Two fields for entering a policy value and bitmask appear.
Policy Value
When "Specific" is selected for the policy filter, you can enter a specific policy value. The allowed range is 0 to 255.
Policy Bitmask
When "Specific" is selected for the policy filter, you can enter a specific policy bitmask. The allowed range is 0x0 to 0xff.
Switch
Select the switch to which this ACE applies.
Any: The ACE applies to any port.
Switch n: The ACE applies to this switch number, where n is the number of the switch.
Frame Type
Select the frame type for this ACE. These frame types are mutually exclusive.
Any: Any frame can match this ACE.
Ethernet Type: Only Ethernet Type frames can match this ACE. IEEE 802.3 specifies that the Length/Type field holds a type when its value is greater than or equal to 1536 decimal (0600 hexadecimal).
ARP: Only ARP frames can match this ACE. Notice that ARP frames will not match an ACE with frame type Ethernet Type.
IPv4: Only IPv4 frames can match this ACE. Notice that IPv4 frames will not match an ACE with frame type Ethernet Type.
IPv6: Only IPv6 frames can match this ACE. Notice that IPv6 frames will not match an ACE with frame type Ethernet Type.
Action
Specify the action to take with a frame that hits this ACE.
Permit: The frame that hits this ACE is granted permission for the ACE operation.
Deny: The frame that hits this ACE is dropped.
Rate Limiter
Specify the rate limiter in number of base units. The allowed range is 1 to 16. Disabled indicates that the rate limiter operation is disabled.
Port Redirect
Frames that hit the ACE are redirected to the port number specified here. The allowed range is the same as the switch port number range. Disabled indicates that the port redirect operation is disabled; a specific 'Port Redirect' port number cannot be set when the Action is Permit.
Logging
Specify the logging operation of the ACE. The allowed values are:
Enabled: Frames matching the ACE are stored in the System Log.
Disabled: Frames matching the ACE are not logged.
Please note that the System Log memory size and logging rate are limited.
Shutdown
Specify the port shut down operation of the ACE. The allowed values are:
Enabled: If a frame matches the ACE, the ingress port will be disabled.
Disabled: Port shut down is disabled for the ACE.
Counter
The counter indicates the number of times the ACE was hit by a frame.
MAC Parameters
SMAC Filter
(Only displayed when the frame type is Ethernet Type or ARP.) Specify the source MAC filter for this ACE.
Any: No SMAC filter is specified. (SMAC filter status is "don't-care".)
Specific: If you want to filter a specific source MAC address with this ACE, choose this value. A field for entering an SMAC value appears.
SMAC Value
When "Specific" is selected for the SMAC filter, you can enter a specific source MAC address. The legal format is "xx-xx-xx-xx-xx-xx" or "xx.xx.xx.xx.xx.xx" or "xxxxxxxxxxxx" (x is a hexadecimal digit). A frame that hits this ACE matches this SMAC value.
DMAC Filter
Specify the destination MAC filter for this ACE.
Any: No DMAC filter is specified. (DMAC filter status is "don't-care".)
MC: Frame must be multicast.
BC: Frame must be broadcast.
UC: Frame must be unicast.
Specific: If you want to filter a specific destination MAC address with this ACE, choose this value. A field for entering a DMAC value appears.
DMAC Value
When "Specific" is selected for the DMAC filter, you can enter a specific destination MAC address. The legal format is "xx-xx-xx-xx-xx-xx" or "xx.xx.xx.xx.xx.xx" or "xxxxxxxxxxxx" (x is a hexadecimal digit). A frame that hits this ACE matches this DMAC value.
VLAN Parameters
VLAN ID Filter
Specify the VLAN ID filter for this ACE.
Any: No VLAN ID filter is specified. (VLAN ID filter status is "don't-care".)
Specific: If you want to filter a specific VLAN ID with this ACE, choose this value. A field for entering a VLAN ID number appears.
VLAN ID
When "Specific" is selected for the VLAN ID filter, you can enter a specific VLAN ID number. The allowed range is 1 to 4095. A frame that hits this ACE matches this VLAN ID value.
Tag Priority
Specify the tag priority for this ACE. A frame that hits this ACE matches this tag priority. The allowed number range is 0 to 7. The value Any means that no tag priority is specified (tag priority is "don't-care".)
ARP Parameters
The ARP parameters can be configured when Frame Type "ARP" is selected.
ARP/RARP
Specify the available ARP/RARP opcode (OP) flag for this ACE.
Any: No ARP/RARP OP flag is specified. (OP is "don't-care".)
ARP: Frame must have ARP opcode set to ARP.
RARP: Frame must have RARP opcode set to RARP.
Other: Frame has unknown ARP/RARP Opcode flag.
Request/Reply
Specify the available Request/Reply opcode (OP) flag for this ACE.
Any: No Request/Reply OP flag is specified. (OP is "don't-care".)
Request: Frame must have ARP Request or RARP Request OP flag set.
Reply: Frame must have ARP Reply or RARP Reply OP flag.
Sender IP Filter
Specify the sender IP filter for this ACE.
Any: No sender IP filter is specified. (Sender IP filter is "don't-care".)
Host: Sender IP filter is set to Host. Specify the sender IP address in the SIP Address field that appears.
Network: Sender IP filter is set to Network. Specify the sender IP address and sender IP mask in the SIP Address and SIP Mask fields that appear.
Sender IP Address
When "Host" or "Network" is selected for the sender IP filter, you can enter a specific sender IP address in dotted decimal notation.
Sender IP Mask
When "Network" is selected for the sender IP filter, you can enter a specific sender IP mask in dotted decimal notation.
Target IP Filter
Specify the target IP filter for this specific ACE.
Any: No target IP filter is specified. (Target IP filter is "don't-care".)
Host: Target IP filter is set to Host. Specify the target IP address in the Target IP Address field that appears.
Network: Target IP filter is set to Network. Specify the target IP address and target IP mask in the Target IP Address and Target IP Mask fields that appear.
Target IP Address
When "Host" or "Network" is selected for the target IP filter, you can enter a specific target IP address in dotted decimal notation.
Target IP Mask
When "Network" is selected for the target IP filter, you can enter a specific target IP mask in dotted decimal notation.
ARP Sender MAC Match
Specify whether frames can hit the action according to their sender hardware address field (SHA) settings.
0: ARP frames where SHA is not equal to the SMAC address.
1: ARP frames where SHA is equal to the SMAC address.
Any: Any value is allowed ("don't-care").
RARP Target MAC Match
Specify whether frames can hit the action according to their target hardware address field (THA) settings.
0: RARP frames where THA is not equal to the target MAC address.
1: RARP frames where THA is equal to the target MAC address.
Any: Any value is allowed ("don't-care").
IP/Ethernet Length
Specify whether frames can hit the action according to their ARP/RARP hardware address length (HLN) and protocol address length (PLN) settings.
0: ARP/RARP frames where the HLN is not equal to Ethernet (0x06) or the PLN is not equal to IPv4 (0x04).
1: ARP/RARP frames where the HLN is equal to Ethernet (0x06) and the PLN is equal to IPv4 (0x04).
Any: Any value is allowed ("don't-care").
IP
Specify whether frames can hit the action according to their ARP/RARP hardware address space (HRD) settings.
0: ARP/RARP frames where the HRD is not equal to Ethernet (1).
1: ARP/RARP frames where the HRD is equal to Ethernet (1).
Any: Any value is allowed ("don't-care").
Ethernet
Specify whether frames can hit the action according to their ARP/RARP protocol address space (PRO) settings.
0: ARP/RARP frames where the PRO is not equal to IP (0x800).
1: ARP/RARP frames where the PRO is equal to IP (0x800).
Any: Any value is allowed ("don't-care").
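The ARP parameters above can be checked offline against captured frames, which is useful when deciding what an ACE will and will not hit before committing it. The Python example below is added here and is not the switch's or Niveo's code: it decodes an Ethernet II/ARP frame and then applies every ARP selector of this section with the same Any/0/1 and Host/Network semantics. The keys of the `ace` dictionary, the `build_arp` helper and the sample addresses are the example's own; taking the frame's destination MAC as the "target MAC address" for the RARP Target MAC Match is an assumption.

```python
import struct
import ipaddress

ETHERTYPE_ARP = 0x0806
# ARP opcode -> (ARP/RARP selector value, Request/Reply selector value)
OPCODES = {1: ("ARP", "Request"), 2: ("ARP", "Reply"), 3: ("RARP", "Request"), 4: ("RARP", "Reply")}


def parse_arp_frame(frame):
    """Split an Ethernet II frame carrying ARP/RARP into the fields the ACE inspects."""
    dmac, smac = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP/RARP frame")
    hrd, pro, hln, pln, op = struct.unpack("!HHBBH", frame[14:22])
    body = frame[22:]
    # Address fields are sized by HLN/PLN; the IP/Ethernet Length check looks at those lengths.
    sha, spa = body[0:hln], body[hln:hln + pln]
    tha, tpa = body[hln + pln:2 * hln + pln], body[2 * hln + pln:2 * hln + 2 * pln]
    return {"dmac": dmac, "smac": smac, "hrd": hrd, "pro": pro, "hln": hln, "pln": pln,
            "op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def _tri_state(setting, condition):
    """0/1/Any selector: "1" requires the condition, "0" forbids it, "Any" is don't-care."""
    return setting == "Any" or (setting == "1") == condition


def _ip_ok(mode, addr, ip, mask):
    """Sender/target IP filter: Any = don't-care, Host = exact address, Network = address/mask."""
    if mode == "Any":
        return True
    if len(addr) != 4:            # a non-IPv4 protocol address can never satisfy an IPv4 filter
        return False
    net = ipaddress.IPv4Network(f"{ip}/{mask if mode == 'Network' else 32}", strict=False)
    return ipaddress.IPv4Address(addr) in net


def arp_ace_hits(ace, frame):
    """True when every configured ARP parameter of the ACE matches the frame."""
    f, g = parse_arp_frame(frame), ace.get
    kind, direction = OPCODES.get(f["op"], ("Other", None))
    if g("arp_rarp", "Any") not in ("Any", kind):
        return False
    if g("request_reply", "Any") not in ("Any", direction):
        return False
    if not _ip_ok(g("sender_ip", "Any"), f["spa"], g("sip"), g("sip_mask")):
        return False
    if not _ip_ok(g("target_ip", "Any"), f["tpa"], g("tip"), g("tip_mask")):
        return False
    checks = (
        (g("sha_match", "Any"), f["sha"] == f["smac"]),              # ARP Sender MAC Match
        (g("tha_match", "Any"), f["tha"] == f["dmac"]),              # RARP Target MAC Match (assumed: frame DMAC)
        (g("ip_eth_len", "Any"), f["hln"] == 6 and f["pln"] == 4),   # IP/Ethernet Length
        (g("hrd_ethernet", "Any"), f["hrd"] == 1),                   # IP (hardware address space)
        (g("pro_ip", "Any"), f["pro"] == 0x0800),                    # Ethernet (protocol address space)
    )
    return all(_tri_state(setting, cond) for setting, cond in checks)


def build_arp(dmac, smac, op, sha, spa, tha, tpa):
    """Constructed sample frame: Ethernet II + ARP for Ethernet/IPv4 (HLN 6, PLN 4)."""
    return (dmac + smac + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + sha + ipaddress.IPv4Address(spa).packed + tha + ipaddress.IPv4Address(tpa).packed)


# Constructed addresses for the demonstration.
HOST_MAC = bytes.fromhex("001b21aabbcc")
OTHER_MAC = bytes.fromhex("00112233dead")
BCAST = b"\xff" * 6

# An ARP request whose SHA equals the Ethernet source MAC ...
HONEST_REQUEST = build_arp(BCAST, HOST_MAC, 1, HOST_MAC, "192.0.2.10", bytes(6), "192.0.2.1")
# ... and one whose SHA differs from it, the case that "ARP Sender MAC Match = 0" isolates.
MISMATCHED_REQUEST = build_arp(BCAST, HOST_MAC, 1, OTHER_MAC, "192.0.2.10", bytes(6), "192.0.2.1")

# ACE that hits only ARP frames whose sender hardware address differs from the source MAC;
# with a deny action it is the usual building block of an ARP-spoofing filter.
SHA_MISMATCH_ACE = {"arp_rarp": "ARP", "sha_match": "0"}

if __name__ == "__main__":
    print(arp_ace_hits(SHA_MISMATCH_ACE, HONEST_REQUEST))       # False
    print(arp_ace_hits(SHA_MISMATCH_ACE, MISMATCHED_REQUEST))   # True
```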
IP Parameters
The IP parameters can be configured when Frame Type "IPv4" is selected.
IP Protocol Filter
Specify the IP protocol filter for this ACE.
Any: No IP protocol filter is specified ("don't-care").
Specific: If you want to filter a specific IP protocol with this ACE, choose this value. A field for entering an IP protocol value appears.
ICMP: Select ICMP to filter IPv4 ICMP protocol frames. Extra fields for defining ICMP parameters will appear. These fields are explained below.
UDP: Select UDP to filter IPv4 UDP protocol frames. Extra fields for defining UDP parameters will appear. These fields are explained below.
TCP: Select TCP to filter IPv4 TCP protocol frames. Extra fields for defining TCP parameters will appear. These fields are explained below.
IP Protocol Value
When "Specific" is selected for the IP protocol value, you can enter a specific value. The allowed range is 0 to 255. A frame that hits this ACE matches this IP protocol value.
IP TTL
Specify the Time-to-Live settings for this ACE.
zero: IPv4 frames with a Time-to-Live field greater than zero must not be able to match this entry.
non-zero: IPv4 frames with a Time-to-Live field greater than zero must be able to match this entry.
Any: Any value is allowed ("don't-care").
IP Fragment
Specify the fragment offset settings for this ACE. This involves the settings for the More Fragments (MF) bit and the Fragment Offset (FRAG OFFSET) field for an IPv4 frame.
No: IPv4 frames where the MF bit is set or the FRAG OFFSET field is greater than zero must not be able to match this entry.
Yes: IPv4 frames where the MF bit is set or the FRAG OFFSET field is greater than zero must be able to match this entry.
Any: Any value is allowed ("don't-care").
IP Option
Specify the options flag setting for this ACE.
No: IPv4 frames where the options flag is set must not be able to match this entry.
Yes: IPv4 frames where the options flag is set must be able to match this entry.
Any: Any value is allowed ("don't-care").
SIP Filter
Specify the source IP filter for this ACE.
Any: No source IP filter is specified. (Source IP filter is "don't-care".)
Host: Source IP filter is set to Host. Specify the source IP address in the SIP Address field that appears.
Network: Source IP filter is set to Network. Specify the source IP address and source IP mask in the SIP Address and SIP Mask fields that appear.
SIP Address
When "Host" or "Network" is selected for the source IP filter, you can enter a specific SIP address in dotted decimal notation.
SIP Mask
When "Network" is selected for the source IP filter, you can enter a specific SIP mask in dotted decimal notation.
DIP Filter
Specify the destination IP filter for this ACE.
Any: No destination IP filter is specified. (Destination IP filter is "don't-care".)
Host: Destination IP filter is set to Host. Specify the destination IP address in the DIP Address field that appears.
Network: Destination IP filter is set to Network. Specify the destination IP address and destination IP mask in the DIP Address and DIP Mask fields that appear.
DIP Address
When "Host" or "Network" is selected for the destination IP filter, you can enter a specific DIP address in dotted decimal notation.
DIP Mask
When "Network" is selected for the destination IP filter, you can enter a specific DIP mask in dotted decimal notation.
ICMP Parameters
ICMP Type Filter
Specify the ICMP filter for this ACE.
Any: No ICMP filter is specified (ICMP filter status is "don't-care").
Specific: If you want to filter a specific ICMP type with this ACE, choose this value and enter the ICMP type value. A field for entering an ICMP value appears.
ICMP Type Value
When "Specific" is selected for the ICMP filter, you can enter a specific ICMP value. The allowed range is 0 to 255. A frame that hits this ACE matches this ICMP value.
ICMP Code Filter
Specify the ICMP code filter for this ACE.
Any: No ICMP code filter is specified (ICMP code filter status is "don't-care").
Specific: If you want to filter a specific ICMP code with this ACE, choose this value and enter the ICMP code value. A field for entering an ICMP code value appears.
ICMP Code Value
When "Specific" is selected for the ICMP code filter, you can enter a specific ICMP code value. The allowed range is 0 to 255. A frame that hits this ACE matches this ICMP code value.
TCP/UDP Parameters
TCP/UDP Source Filter
Specify the TCP/UDP source filter for this ACE.
Any: No TCP/UDP source filter is specified (TCP/UDP source filter status is "don't-care").
Specific: If you want to filter a specific TCP/UDP source port with this ACE, choose this value and enter the port number. A field for entering a TCP/UDP source value appears.
Range: If you want to filter a range of TCP/UDP source ports with this ACE, choose this value and enter the range. A field for entering a TCP/UDP source range appears.
TCP/UDP Source No.
When "Specific" is selected for the TCP/UDP source filter, you can enter a specific TCP/UDP source value. The allowed range is 0 to 65535. A frame that hits this ACE matches this TCP/UDP source value.
TCP/UDP Source Range
When "Range" is selected for the TCP/UDP source filter, you can enter a specific TCP/UDP source range value. The allowed range is 0 to 65535. A frame that hits this ACE matches this TCP/UDP source value.
TCP/UDP Destination Filter
Specify the TCP/UDP destination filter for this ACE.
Any: No TCP/UDP destination filter is specified (TCP/UDP destination filter status is "don't-care").
Specific: If you want to filter a specific TCP/UDP destination port with this ACE, choose this value and enter the port number. A field for entering a TCP/UDP destination value appears.
Range: If you want to filter a range of TCP/UDP destination ports with this ACE, choose this value and enter the range. A field for entering a TCP/UDP destination range appears.
TCP/UDP Destination Number
When "Specific" is selected for the TCP/UDP destination filter, you can enter a specific TCP/UDP destination value. The allowed range is 0 to 65535. A frame that hits this ACE matches this TCP/UDP destination value.
TCP/UDP Destination Range
When "Range" is selected for the TCP/UDP destination filter, you can enter a specific TCP/UDP destination range value. The allowed range is 0 to 65535. A frame that hits this ACE matches this TCP/UDP destination value.
TCP FIN
Specify the TCP "No more data from sender" (FIN) value for this ACE.
0: TCP frames where the FIN field is set must not be able to match this entry.
1: TCP frames where the FIN field is set must be able to match this entry.
Any: Any value is allowed ("don't-care").
TCP SYN
Specify the TCP "Synchronize sequence numbers" (SYN) value for this ACE.
0: TCP frames where the SYN field is set must not be able to match this entry.
1: TCP frames where the SYN field is set must be able to match this entry.
Any: Any value is allowed ("don't-care").
TCP RST
Specify the TCP "Reset the connection" (RST) value for this ACE.
0: TCP frames where the RST field is set must not be able to match this entry.
1: TCP frames where the RST field is set must be able to match this entry.
Any: Any value is allowed ("don't-care").
TCP PSH
Specify the TCP "Push Function" (PSH) value for this ACE.
0: TCP frames where the PSH field is set must not be able to match this entry.
1: TCP frames where the PSH field is set must be able to match this entry.
Any: Any value is allowed ("don't-care").
TCP ACK
Specify the TCP "Acknowledgment field significant" (ACK) value for this ACE.
0: TCP frames where the ACK field is set must not be able to match this entry.
1: TCP frames where the ACK field is set must be able to match this entry.
Any: Any value is allowed ("don't-care").
TCP URG
Specify the TCP "Urgent Pointer field significant" (URG) value for this ACE.
0: TCP frames where the URG field is set must not be able to match this entry.
1: TCP frames where the URG field is set must be able to match this entry.
Any: Any value is allowed ("don't-care").
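The IP Parameters, ICMP Parameters and TCP/UDP Parameters sections above all follow the same pattern of a selector that is either don't-care or constrains one header field. The Python example below is added here (it is not the switch's or Niveo's code) and shows all of them applied together to a raw IPv4 packet: protocol selection, the TTL, fragment and option selectors, SIP/DIP Host and Network filters, ICMP type and code, TCP/UDP Specific and Range port filters, and the six TCP flag selectors. The `ace` dictionary keys, the `build_tcp_packet` helper and the sample addresses are the example's own; the sample ACE is a constructed rule that hits TCP connection attempts (SYN set, ACK clear) to port 23, the shape of a rule used to keep Telnet off a segment when paired with a deny action.

```python
import struct
import ipaddress

PROTO = {"ICMP": 1, "TCP": 6, "UDP": 17}
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}


def parse_ipv4(packet):
    """Decode the IPv4 header and the ICMP/TCP/UDP fields an ACE can match on."""
    vihl, _tos, _tl, _id, flags_frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", packet[:12])
    ihl = (vihl & 0x0F) * 4
    p = {"ttl": ttl, "proto": proto, "options": ihl > 20,
         # MF bit set or non-zero fragment offset: the manual's IP Fragment condition
         "fragment": bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) > 0,
         "sip": packet[12:16], "dip": packet[16:20],
         "sport": None, "dport": None, "tcp_flags": 0, "icmp_type": None, "icmp_code": None}
    l4 = packet[ihl:]
    if proto in (PROTO["TCP"], PROTO["UDP"]):
        p["sport"], p["dport"] = struct.unpack("!HH", l4[:4])
    if proto == PROTO["TCP"]:
        p["tcp_flags"] = struct.unpack("!H", l4[12:14])[0] & 0x3F   # URG ACK PSH RST SYN FIN
    elif proto == PROTO["ICMP"]:
        p["icmp_type"], p["icmp_code"] = l4[0], l4[1]
    return p


def _tri(setting, yes, no, condition):
    """Three-way selector: 'yes' requires the condition, 'no' forbids it, anything else is don't-care."""
    if setting == yes:
        return condition
    if setting == no:
        return not condition
    return True


def _port_ok(mode, port, value=None, rng=None):
    """TCP/UDP port filter: Any, Specific (one port) or Range ((lo, hi), inclusive)."""
    if mode == "Any":
        return True
    if mode == "Specific":
        return port == value
    return rng[0] <= port <= rng[1]


def _ip_ok(mode, addr, ip, mask):
    """SIP/DIP filter: Any = don't-care, Host = exact address, Network = address and mask."""
    if mode == "Any":
        return True
    net = ipaddress.IPv4Network(f"{ip}/{mask if mode == 'Network' else 32}", strict=False)
    return ipaddress.IPv4Address(addr) in net


def ipv4_ace_hits(ace, packet):
    """True when every configured IPv4/ICMP/TCP/UDP parameter of the ACE matches the packet."""
    p, g = parse_ipv4(packet), ace.get
    proto_sel = g("ip_protocol", "Any")
    if proto_sel == "Specific":
        if p["proto"] != g("ip_protocol_value"):
            return False
    elif proto_sel != "Any" and p["proto"] != PROTO[proto_sel]:
        return False
    if not (_tri(g("ip_ttl", "Any"), "non-zero", "zero", p["ttl"] > 0)
            and _tri(g("ip_fragment", "Any"), "Yes", "No", p["fragment"])
            and _tri(g("ip_option", "Any"), "Yes", "No", p["options"])
            and _ip_ok(g("sip_filter", "Any"), p["sip"], g("sip"), g("sip_mask"))
            and _ip_ok(g("dip_filter", "Any"), p["dip"], g("dip"), g("dip_mask"))):
        return False
    if proto_sel == "ICMP":
        if g("icmp_type", "Any") == "Specific" and p["icmp_type"] != g("icmp_type_value"):
            return False
        if g("icmp_code", "Any") == "Specific" and p["icmp_code"] != g("icmp_code_value"):
            return False
    if proto_sel in ("TCP", "UDP"):
        if not (_port_ok(g("sport_filter", "Any"), p["sport"], g("sport"), g("sport_range"))
                and _port_ok(g("dport_filter", "Any"), p["dport"], g("dport"), g("dport_range"))):
            return False
    if proto_sel == "TCP":
        for name, bit in TCP_FLAG_BITS.items():
            if not _tri(g("tcp_" + name, "Any"), "1", "0", bool(p["tcp_flags"] & bit)):
                return False
    return True


def build_tcp_packet(sip, dip, sport, dport, flags, ttl=64):
    """Constructed sample: 20-byte IPv4 header (no options, DF set) + 20-byte TCP header."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, ttl, PROTO["TCP"], 0,
                         ipaddress.IPv4Address(sip).packed, ipaddress.IPv4Address(dip).packed)
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


# Constructed ACE: TCP connection attempts (SYN set, ACK clear) to destination port 23.
TELNET_SYN_ACE = {"ip_protocol": "TCP", "dport_filter": "Specific", "dport": 23,
                  "tcp_syn": "1", "tcp_ack": "0"}

if __name__ == "__main__":
    syn = build_tcp_packet("203.0.113.5", "192.0.2.10", 40000, 23, TCP_FLAG_BITS["syn"])
    print(ipv4_ace_hits(TELNET_SYN_ACE, syn))   # True
```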
Ethernet Type Parameters
The Ethernet Type parameters can be configured when Frame Type "Ethernet Type" is selected.
EtherType Filter
Specify the Ethernet type filter for this ACE.
Any: No EtherType filter is specified (EtherType filter status is "don't-care").
Specific: If you want to filter a specific EtherType with this ACE, choose this value and enter the EtherType value. A field for entering an EtherType value appears.
Ethernet Type Value
When "Specific" is selected for the EtherType filter, you can enter a specific EtherType value. The allowed range is 0x600 to 0xFFFF, excluding 0x800 (IPv4), 0x806 (ARP) and 0x86DD (IPv6). A frame that hits this ACE matches this EtherType value.
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
Cancel: Return to the previous page.
3.1.4.12. Security - Network - DHCP
3.1.4.12.1. Security - Network - DHCP - Snooping
Configure DHCP Snooping on this page.
Snooping Mode
Indicates the DHCP snooping mode operation. Possible modes are:
Enabled: Enable DHCP snooping mode operation. When DHCP snooping mode operation is enabled, the DHCP request messages will be forwarded to trusted ports and only reply packets from trusted ports are allowed.
Disabled: Disable DHCP snooping mode operation.
Port Mode Configuration
Indicates the DHCP snooping port mode. Possible port modes are:
Trusted: Configures the port as a trusted source of DHCP messages.
Untrusted: Configures the port as an untrusted source of DHCP messages.
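The two rules in the Snooping Mode description (requests go only to trusted ports, replies are accepted only from trusted ports) are what stop a rogue DHCP server on an access port from answering clients. The Python example below is added here, is not the switch's or Niveo's code, and models that forwarding decision for a 24-port switch with one trusted uplink; the class name, the `egress_ports` method and the constructed DHCP payloads (only the first byte, the BOOTP `op` field, is filled in realistically) are the example's own.

```python
BOOTREQUEST, BOOTREPLY = 1, 2   # values of the BOOTP/DHCP 'op' byte (RFC 2131)


def dhcp_op(payload):
    """Return the 'op' field of a DHCP payload; only this byte matters for the trust decision.

    op 1 carries client messages (DISCOVER, REQUEST, ...), op 2 carries server replies
    (OFFER, ACK, NAK).
    """
    return payload[0]


class DhcpSnooping:
    """Forwarding decision that follows the Snooping Mode / Port Mode description above."""

    def __init__(self, enabled, trusted_ports):
        self.enabled = enabled
        self.trusted = set(trusted_ports)

    def egress_ports(self, ingress_port, payload, all_ports):
        """Ports a DHCP message received on ingress_port may be forwarded to ([] = dropped)."""
        others = [p for p in all_ports if p != ingress_port]
        if not self.enabled:
            return others                                   # flooded like any broadcast
        op = dhcp_op(payload)
        if op == BOOTREQUEST:
            # Client requests only reach trusted ports, where the legitimate server sits.
            return [p for p in others if p in self.trusted]
        if op == BOOTREPLY:
            # Replies are accepted only from trusted ports; a server answering on an
            # untrusted access port is dropped here.
            return others if ingress_port in self.trusted else []
        return []                                           # malformed op byte


# Constructed payloads: op, htype=Ethernet (1), hlen=6, hops=0, then zero padding.
DISCOVER = bytes([BOOTREQUEST, 1, 6, 0]) + bytes(236)
OFFER = bytes([BOOTREPLY, 1, 6, 0]) + bytes(236)

if __name__ == "__main__":
    snoop = DhcpSnooping(enabled=True, trusted_ports={24})
    print(snoop.egress_ports(3, DISCOVER, range(1, 25)))   # [24]
    print(snoop.egress_ports(5, OFFER, range(1, 25)))      # []
```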
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
3.1.4.12.2. Security - Network - DHCP - Relay
Configure DHCP Relay on this page.
Relay Mode
Indicates the DHCP relay mode operation. Possible modes are:
Enabled: Enable DHCP relay mode operation. When DHCP relay mode operation is enabled, the agent forwards and transfers DHCP messages between the clients and the server when they are not in the same subnet domain, and the DHCP broadcast message is not flooded, for security reasons.
Disabled: Disable DHCP relay mode operation.
Relay Server
Indicates the DHCP relay server IP address. A DHCP relay agent is used to forward and to transfer DHCP messages between the clients and the server when they are not in the same subnet domain.
Relay Information Mode
Indicates the DHCP relay information mode option operation. The option 82 circuit ID format is "[vlan_id][module_id][port_no]". The first four characters represent the VLAN ID, the fifth and sixth characters are the module ID (in a standalone device it is always 0; in a stackable device it is the switch ID), and the last two characters are the port number. For example, "00030108" means the DHCP message was received from VLAN ID 3, switch ID 1, port No. 8. The option 82 remote ID value is equal to the switch MAC address. Possible modes are:
Enabled: Enable DHCP relay information mode operation. When DHCP relay information mode operation is enabled, the agent inserts specific information (option 82) into a DHCP message when forwarding to the DHCP server and removes it from a DHCP message when transferring to the DHCP client. It only works when DHCP relay operation mode is enabled.
Disabled: Disable DHCP relay information mode operation.
Relay Information Policy
Indicates the DHCP relay information option policy. When DHCP relay information mode operation is enabled, if the agent receives a DHCP message that already contains relay agent information it will enforce the policy. The 'Replace' option is invalid when relay information mode is disabled. Possible policies are:
Replace: Replace the original relay information when a DHCP message that already contains it is received.
Keep: Keep the original relay information when a DHCP message that already contains it is received.
Drop: Drop the packet when a DHCP message that already contains relay information is received.
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
3.1.4.13. Security - Network - IP Source Guard
3.1.4.13.1. Security - Network - IP Source Guard - Configuration
This page provides IP Source Guard related configuration.
Mode of IP Source Guard Configuration
Enable the Global IP Source Guard or disable the Global IP Source Guard. All configured ACEs will be lost when the mode is enabled.
Port Mode Configuration
Specify on which ports IP Source Guard is enabled. IP Source Guard is active on a given port only when both the Global Mode and that port's Port Mode are enabled.
Max Dynamic Clients
Specify the maximum number of dynamic clients that can be learned on a given port. This value can be 0, 1, 2 or unlimited. If the port mode is enabled and Max Dynamic Clients is 0, only IP packets that match static entries are forwarded on that port.
Buttons
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
Translate Dynamic to Static: Click to translate all dynamic entries to static entries.
3.1.4.13.2. Security - Network - IP Source Guard - Static Table
Delete
Check to delete the entry. It will be deleted during the next save.
Port
The logical port for the settings.
VLAN ID
The VLAN ID for the settings.
IP Address
Allowed Source IP address.
IP Mask
Combined with the IP address, the mask defines the allowed source network.
Buttons
Add New Entry: Click to add a new entry to the Static IP Source Guard table.
Save: Click to save changes.
Reset: Click to undo any changes made locally and revert to previously saved values.