WoMaster DS410F, DS410 User Manual

COVER

DS410F
Industrial 10-port Full Gigabit L2 Managed Fiber/Ethernet Switch
Nov.23.2018 V.1.0
WOM ASIA Co., Ltd
1F., No.185-3, Kewang Rd., Longtan Dist., Taoyuan 325, Taiwan
WoMaster
DS410F Industrial 10-port Full Gigabit L2 Managed Fiber/Ethernet Switch
User Manual
Copyright Notice
© WoMaster. All rights reserved.
About This Manual
This user manual is intended to guide a professional installer to install and to configure the DS410F switch. It includes procedures to assist you in avoiding unforeseen problems.
NOTE:
Only qualified and trained personnel should be involved with installation, inspection, and repairs of this switch.
Disclaimer
WoMaster reserves the right to make changes to this Manual or to the product hardware at any time without notice. Information provided here is intended to be accurate and reliable. However, it might not cover all details and variations in the equipment and does not claim to provide for every possible contingency met in the process of installation, operation, or maintenance. Should further information be required, or should a particular problem arise which is not covered sufficiently for the user’s purposes, the matter should be referred to WoMaster. Users must be aware that updates and amendments will be made from time to time to add new information and/or correct possible unintentional technical or typographical mistakes. It is the user’s responsibility to determine whether there have been any such updates or amendments of the Manual. WoMaster assumes no responsibility for its use by third parties.
WoMaster Online Technical Services
At WoMaster, you can use the online service forms to request support. The submitted forms are stored on a server so that WoMaster team members can assign tasks and monitor the status of your service request. Please feel free to write to help@womaster.eu if you encounter any problems.

TABLE OF CONTENTS

COVER ....................................................................................................................................................................... 1
TABLE OF CONTENTS ................................................................................................................................................. 3
1. INTRODUCTION ..................................................................................................................................................... 5
1.1 OVERVIEW ...................................................................................................................................................... 5
1.2 MAJOR FEATURES ........................................................................................................................................... 6
2. HARDWARE INSTALLATION.................................................................................................................................... 7
2.1 HARDWARE DIMENSION .................................................................................................................. 7
2.2 WIRING THE POWER INPUTS............................................................................................................ 9
2.3 WIRING THE ALARM RELAY OUTPUT (DO) ...................................................................................... 10
2.4 WIRING THE DIGITAL INPUT (DI) .................................................................................................... 11
2.5 CONNECTING THE GROUNDING SCREW ........................................................................................... 12
2.6 DIN RAIL MOUNTING .................................................................................................................................... 12
3. DEVICE INTERFACE MANAGEMENT ..................................................................................................................... 13
3.1 CONFIGURATION .......................................................................................................................................... 22
3.1.1 SYSTEM ................................................................................................................................................. 22
3.1.2 GREEN ETHERNET .................................................................................................................................. 28
3.1.3 THERMAL PROTECTION ......................................................................................................................... 30
3.1.4 PORTS ................................................................................................................................................... 31
3.1.5 SECURITY .............................................................................................................................................. 33
3.1.6 AGGREGATION ...................................................................................................................................... 63
3.1.7 LOOP PROTECTION................................................................................................................................ 67
3.1.8 SPANNING TREE .................................................................................................................................... 68
3.1.9 IPMC ..................................................................................................................................................... 71
3.1.10 LLDP .................................................................................................................................................... 73
3.1.11 MAC TABLE ......................................................................................................................................... 75
3.1.12 VLAN ................................................................................................................................................... 77
3.1.13 PRIVATE VLANS ................................................................................................................................... 82
3.1.14 QoS ..................................................................................................................................................... 83
3.1.14.1 QOS CLASSIFICATION ....................................................................................................................................... 84
3.1.14.2 POLICERS ........................................................................................................................................................ 84
3.1.14.3 SHAPERS ......................................................................................................................................................... 84
3.1.14.4 SCHEDULING ALGORITHM ................................................................................................................................ 84
3.1.14.5 WEIGHTED RANDOM EARLY DETECTION (WRED) ................................................................................................ 84
3.1.14.6 STORM POLICING ............................................................................................................................................ 85
3.1.14.7 INGRESS MAP .................................................................................................................................................. 85
3.1.14.8 EGRESS MAP ................................................................................................................................................... 85
3.1.15 MIRRORING ...................................................................................................................................... 113
3.2 MONITOR ................................................................................................................................................... 116
3.2.1 SYSTEM ............................................................................................................................................... 116
3.2.2 GREEN ETHERNET ................................................................................................................................ 123
3.2.3 THERMAL PROTECTION ....................................................................................................................... 124
3.2.4 PORTS ................................................................................................................................................. 125
3.2.5 SECURITY ............................................................................................................................................ 130
3.2.6 AGGREGATION .................................................................................................................................... 131
3.2.7 LOOP PROTECTION.............................................................................................................................. 132
3.2.8 SPANNING TREE .................................................................................................................................. 133
3.2.9 IPMC ................................................................................................................................................... 137
3.2.10 LLDP .................................................................................................................................................. 139
3.2.11 MAC ADDRESS .................................................................................................................................. 145
3.2.12 VLANS ............................................................................................................................................... 146
3.3 DIAGNOSTICS .............................................................................................................................................. 149
3.3.1 PING (IPv4) .......................................................................................................................................... 149
3.3.2 TRACEROUTE (IPv4)............................................................................................................................. 151
3.3.3 VeriPHY .............................................................................................................................. 153
3.4 MAINTENANCE ........................................................................................................................... 153
3.4.1 RESTART .............................................................................................................................................. 154
3.4.2 FACTORY DEFAULT .............................................................................................................................. 154
3.4.3 SOFTWARE .......................................................................................................................................... 155
3.4.4 CONFIGURATION ................................................................................................................................ 156
3.5 FRONT PANEL .............................................................................................................................................. 159

1. INTRODUCTION

1.1 OVERVIEW

The DS410F/DS410 series is designed for industrial environments that require high-quality fiber communication, such as industrial automation and road traffic control. DS410F provides 10-port full-gigabit Ethernet, including 6 SFP ports, 2 SFP/RJ45 combo ports and 2 RJ45 ports (up to 8 SFP ports), while DS410 provides 6 RJ45 ports, 2 SFP/RJ45 combo ports and 2 SFP ports for multi-port gigabit copper requirements. Full gigabit capability and a rugged industrial design ensure high system performance and reliability in harsh environments, and the excellent heat dissipation design allows operation in -40~75°C environments. For convenient traffic control and zero-packet-loss data transmission, DS410F/DS410 offer contemporary management and security functions. For the best traffic control, the switch management features LACP, VLAN, QinQ, QoS, IGMP snooping v2, etc.
For uplink connection, the DS410F provides 2 RJ45/SFP Gigabit Ethernet combo ports that can prioritize streams such as video and also optimize VoIP. The Gigabit Ethernet combo ports provide a high-speed uplink connection to higher-level backbone switches, and Ring Network Redundancy technology ensures the reliability of high-quality video transfer. High flexibility of cable types and distances for system integrators and DDM (Digital Diagnostic Monitoring) type SFP transceivers also equip the switch for diagnosing transmission problems through maintenance and debugging of the signal quality.
The WoMaster managed switch is designed to provide a faster, more secure and more stable network. One advantage that makes it a powerful switch is its support for network redundancy protocols/technologies such as Rapid Spanning Tree Protocol (RSTP). IEC 61000-6-2 / 61000-6-4 Heavy Industrial EMC certified design, a rugged enclosure and a -40~75°C wide operating temperature range: all these features guarantee stable performance of the switch for surveillance data transmission under vibration and shock in rolling stock, traffic control systems and other harsh environments.
This managed switch can also be configured via the WoMaster advanced management utility, a web browser, SNMP, Telnet and the RS-232 local console with its command line interface.
Excellent security features are also provided, such as DHCP client, DHCP server with IP and MAC binding, 802.1X Port Based Network Access Control, SSH as a secure alternative to Telnet, IP Access table, port security and many other security features. All of these features help ensure secure data communication.
The IP31-design aluminum case further strengthens the switch for harsh industrial environments. Event warnings are sent to the network administrator via e-mail, system log, or relay output. The Industrial Managed Gigabit Ethernet Switch has also passed CE/FCC certifications to help ensure safe and reliable data transmission for industrial applications.
1.2 MAJOR FEATURES
Below are the major features of the DS410F Series Switch:
- 10-port Full Gigabit Ethernet, including 6 100/1000M SFP ports, 2 100/1000M SFP/RJ45 combo ports, and 2 RJ45 ports
- High flexibility of cable types and distances for system integrators
- DDM function for high quality fiber connectivity monitoring
- 4K MAC address table
- Store-and-forward with non-blocking switch fabric
- Advanced Management Features: Flow Control, Port Trunk/802.3ad LACP, VLAN, Private VLAN, Shared VLAN, Class of Service, Traffic Prioritize, Rate Control, Port Mirror, IGMP Snooping v2, Port classification, Port policing, Port scheduler, Port shaping, QoS control list, WRED, Port Security, ACL, Loop Protection
- Advanced Security System: IEEE 802.1X/RADIUS, Management IP, Management VLAN, SSL
- Redundancy Technology: Rapid Spanning Tree Protocol (RSTP)
- Various configuration paths, including Web GUI, CLI, and SNMP
- LLDP topology control
- 10~60V wide power range design with redundant power input
- NEMA-TS2 compliance for wayside traffic control assemblies
- Excellent heat dissipation design for operating in -40~75°C environments
- High level EMC protection exceeding traffic control and heavy industrial standards’ requirements
- IEC 61000-6-2/4 Heavy Industrial Environment
- EN50121-4 railway trackside EMC Compliance
- IP31 ingress protection

2. HARDWARE INSTALLATION

This chapter introduces the hardware and contains information on installation and configuration procedures.
2.1 HARDWARE DIMENSION
Dimensions of DS410F/DS410: 65 x 155 x 120 (W x H x D) / without DIN Rail Clip
Front Panel Layout
Below is the front panel of the DS410F series switches. DS410F includes 6 100/1000M SFP ports, 2 100/1000M SFP/RJ45 combo ports and 2 10/100/1000M RJ45 ports; DS410 includes 6 10/100/1000M SFP ports, 2 100/1000M SFP/RJ45 combo ports and 2 100/1000M RJ45 ports. Both models provide a System LED, USB for configuration/firmware management, an RJ-45 diagnostic console, 2 x 4-pin terminal block connectors (4 pins for power inputs, 2 pins for digital input and 2 pins for alarm relay output) and 1 chassis grounding screw. A DIN rail clip is attached on the rear side of the switch.
DS410F/DS410
2.2 WIRING THE POWER INPUTS
The power input port on the switch provides 2 sets of power input connections (P1 and P2) on the terminal block. The picture below shows the power connector.
Wiring the Power Input
1. Insert the positive and negative wires into the V+ and V- contacts on the terminal block connector.
2. Tighten the wire-clamp screws to prevent the power wires from being loosened.
3. Connect the power wires to a suitable AC/DC switching type power supply. The input DC voltage should be in the range of 10V DC to 60V DC.
WARNING: Turn off the AC power input source before connecting the power to the terminal block connectors, for safety purposes. Do not turn on the source of AC/DC power before all of the connections are well established.
2.3 WIRING THE ALARM RELAY OUTPUT (DO)
The relay output contacts are located on the front panel of the switch. The relay output consists of a 2-pin terminal block connector that is used to signal user-configured events. The two wires attached to the fault contacts form a closed circuit when a user-configured event is triggered. If a user-configured event does not occur, the fault circuit remains open. Fault conditions such as power failure, Ethernet port link break or other pre-defined events can be configured in the switch. Screw the DO wire tightly after the digital output wire is connected.
NOTE: The relay contact only supports 0.5 A current at DC 24V. Do not apply voltage or current higher than the specifications.
2.4 WIRING THE DIGITAL INPUT (DI)
The Digital Input accepts one external DC type signal input and consists of two contacts on the terminal block connector on the switch’s top panel. It can be configured to send an alert message through Ethernet when the signal changes. The signal may be triggered and generated by an external power switch, such as a door-open trigger switch for a control cabinet. The switch’s Digital Input accepts a DC signal and recognizes a Digital High Level input of DC 11V~30V and a Digital Low Level input of DC 0V~10V.
Here are the steps to wire the Digital Input:
STEP 1: Insert the negative and positive wires into the -/+ terminals, respectively.
STEP 2: To keep the wires from pulling loose, tighten the wire-clamp screws on the front of the terminal block connector.
STEP 3: Insert the terminal block connector prongs into the terminal block receptor, which is located on the switch’s top panel.
2.5 CONNECTING THE GROUNDING SCREW
The grounding screw is located on the front side of the switch. It helps limit the effects of electromagnetic interference (EMI) noise, such as from lightning, and supports surge protection. Run the ground connection from the ground screw to the grounding surface prior to connecting devices, and tighten the wire to the chassis grounding for better durability.

2.6 DIN RAIL MOUNTING

The EN50022 DIN-Rail plate should already be attached to the back panel of the switch and screwed tightly. If you need to reattach the DIN-Rail attachment plate to the switch, make sure the plate is situated towards the top, as shown in the following figures.
To mount the switch on a DIN Rail track, follow these instructions:
1. Insert the top side of the DIN Rail track into the slot of the DIN Rail clip.
2. Lightly clip the bottom of the DIN-Rail to the track and make sure it is attached well.
3. To remove the switch from the track, reverse the steps.

3. DEVICE INTERFACE MANAGEMENT

The WoMaster management interface can be accessed in several ways over a network: web management and console management. Web interface management is the most common and easiest way to manage a network; through the web interface, the switch offers status information and a subset of switch commands through a standard web browser. If the network is down, an alternative way to access the management interface can be used: console and Telnet management, which offer configuration through the CLI interface. WoMaster also provides an excellent alternative by configuring the switch via an RS-232 console cable if the administrator’s PC is not attached to the network, or if the network connection to the managed switch is lost. This manual describes only the procedures for the web interface and how to configure and monitor the managed switch. For the CLI management interface please refer to the CLI Command User Manual.
PREPARATION FOR WEB INTERFACE MANAGEMENT
WoMaster provides web interface management that allows the user to access and configure the switch on the network through a standard web browser such as Microsoft Internet Explorer, Mozilla Firefox or Google Chrome.
1. Plug the DC power into the switch and connect the switch to the computer.
2. Make sure that the switch default IP address is 192.168.10.1.
3. Check that the PC has an IP address on the same subnet as the switch. For example, the PC and the switch are on the same subnet if they both have addresses that start with 192.168.10.x (e.g. 192.168.10.2). The subnet mask is 255.255.255.0.
4. Open a command prompt and ping 192.168.10.1 to verify that the switch is reachable.
5. Launch the web browser (Internet Explorer, Mozilla Firefox or Google Chrome) on the PC.
6. Type http://192.168.10.1 (or the IP address of the switch) and press Enter. A pop-up login page will appear.
7. Type the user name and password. Default user name: admin, password: admin. Then click Login.
PREPARATION FOR SERIAL CONSOLE
Attach the RJ-45 to RS-232 DB-9 console cable to the PC’s COM port and connect the RJ45 connector to the Console port of the WoMaster managed switch.
1. Go to Start -> Program -> Accessories -> Communication -> Hyper Terminal
2. Give a name to the new console connection.
3. Choose the COM name.
4. Select the correct serial settings. The serial settings of WoMaster managed switches are as below:
Baud Rate: 115200 / Parity: None / Data Bit: 8 / Stop Bit: 1
5. After connecting, the switch login screen can be seen.
6. Log in to the switch. The default username: admin; password: admin.
SSH (Secure Shell)
The WoMaster managed switch also supports an SSH console. The user can remotely connect to the switch through the command line interface. The SSH connection secures all the configuration commands the user sends to the switch.
SSH is a client/server architecture in which the switch is the SSH server. When the user wants to make an SSH connection to the switch, the user should download an SSH client tool first.
SSH Client
There are many free, shareware, trial or paid SSH clients available on the internet; e.g., PuTTY is a free and popular Telnet/SSH client. We’ll use this tool to demonstrate how to log in by SSH. (PuTTY copyright 1997-2016 Simon Tatham).
Download PuTTY: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
1. Open the SSH Client/PuTTY.
In the Session configuration, choose the Serial protocol, then enter the Serial line and Speed. For the serial line, please check the Device Manager to confirm the serial line name. The speed should be 115200. Then click on Open to start the SSH session console.
2. After that, the user can see the CLI command screen pop up.
3. Type the switch login name and its password. The default settings are admin / admin.
4. All the commands the user sees in PuTTY are the same as the CLI commands the user sees via the RS232 console.
The next chapter introduces in detail how to use the command line to configure some features in the switch.
For either type of connection, access to the command line interface is generally referred to as an EXEC session. There are several different command modes. Each command mode has its own access ability and available command lines, and uses different command lines to enter and exit.
Privileged EXEC mode: In this mode, the system allows the user to view the current configuration, reset to default, reload the switch, show system information, save the configuration and enter the global configuration mode. Type exit to leave and press ? to see the command list.
# ?
clear        Clear
configure    Enter configuration mode
copy         Copy from source to destination
delete       Delete one file in flash: file system
dir          Directory of all files in flash: file system
disable      Turn off privileged commands
do           To run exec commands in the configuration mode
dot1x        IEEE Standard for port-based Network Access Control
enable       Turn on privileged commands
exit         Exit from EXEC mode
firmware     Firmware upgrade/swap
help         Description of the interactive help system
ip           IPv4 commands
logout       Exit from EXEC mode
more         Display file
no           Delete trace hunt string
ping         Send ICMP echo messages
platform     Platform configuration
reload       Reload system.
send         Send a message to other tty lines
show         Display statistics counters.
terminal     Set terminal line parameters
time         System time
traceroute   Send IP Traceroute messages
veriphy      VeriPHY keyword
# configure terminal
Global Configuration Mode: Type configure terminal in privileged EXEC mode. The user can then enter the Global Configuration mode. In Global Configuration mode, the user can configure all the features that the system provides. Type exit to leave and press ? to see the command list.
The command list of global configuration mode:
(config)# ?
aaa              Authentication, Authorization and Accounting
access           Access management
access-list      Access list
aggregation      Aggregation mode
banner           Define a banner
default          Set a command to its defaults
do               To run exec commands in the configuration mode
dot1x            IEEE Standard for port-based Network Access Control
enable           Modify enable password parameters
end              Go back to EXEC mode
exit             Exit from current mode
green-ethernet   Green Ethernet (Power reduction)
help             Description of the interactive help system
hostname         Set system's network name
interface        Select an interface to configure
ip               IPv4 configurations
lacp             LACP settings
line             Configure a terminal line
lldp             LLDP configurations.
logging          System logging message
loop-protect     Loop protection configuration
mac              MAC table entries/configuration
monitor          Monitoring different system events
no               Negate a command or set its defaults
password         Specify the password for the administrator
port-security    This command is obsolete.
privilege        Command privilege parameters
prompt           Set prompt
qos
radius-server    Configure RADIUS
relay-output     Relay output configuration
snmp-server      Set SNMP server's configurations
spanning-tree    Spanning Tree protocol
svl              Shared VLAN Learning
thermal-protect  Thermal protection configurations.
time             System time
vlan             VLAN commands
(config)#
Interface Configuration: Many features are enabled for a particular interface. The interface commands enable or modify the operation of an interface. In this mode, a physical port is set up for a specific logical connection operation. The Interface Configuration mode provides access to the interface configuration commands.
This section has three kinds of interface configuration: Port interface, LLAG interface and VLAN interface. For the Port interface, type interface IFNAME in global configuration mode. The user can then enter the interface configuration mode, in which port settings are configured. In the port interface, the name of Gigabit Ethernet port 1 is GigabitEthernet 1/1, port 2 is GigabitEthernet 1/2, and so on. Type exit to leave the current level and press ? to see the command list.
The command lists of the port interface configuration mode:
(config)# interface ?
*                All switches or All ports
GigabitEthernet  1 Gigabit Ethernet Port
llag             Local link aggregation interface configuration
vlan             VLAN interface configurations
(config)# interface GigabitEthernet ?
<port_type_list>  Port list in 1/1-10
(config)# interface * / GigabitEthernet 1/1
(config-if)# ?
access-list          Access list
aggregation          Create an aggregation
description          Description of the interface
do                   To run exec commands in the configuration mode
dot1x                IEEE Standard for port-based Network Access Control
duplex               Interface duplex
end                  Go back to EXEC mode
excessive-restart    Restart backoff algorithm after 16 collisions (No excessive-restart means discard frame after 16 collisions)
exit                 Exit from current mode
flowcontrol          Traffic flow control.
frame-length-check   Drop frames with mismatch between EtherType/Length field and actual payload size.
green-ethernet       Green Ethernet (Power reduction)
help                 Description of the interactive help system
ip                   Interface Internet Protocol configuration commands
lacp                 Enable LACP on this interface
lldp                 LLDP configurations.
loop-protect         Loop protection configuration on port
mac                  MAC keyword
media-type           Media type.
mtu                  Maximum transmission unit
no                   Set to default value.
port-security        Enable/disable port security per interface.
priority-flowcontrol Priority Flow Control (802.1Qbb)
pvlan                Private VLAN
qos                  Quality of Service
shutdown             Shutdown of the interface.
spanning-tree        Spanning Tree protocol
speed                Configures interface speed. If you use 10, 100, or 1000 keywords with the auto keyword the port will only advertise the specified speeds.
switchport           Set VLAN switching mode characteristics
thermal-protect      Thermal group for the interface.
#LLAG
The second section is the LLAG/VLAN interface: type interface llag (LLAG-ID) or interface vlan (VLAN-ID) in global configuration mode. The user can then enter the interface configuration mode and configure the settings for the specific LLAG/VLAN. To leave this interface mode type exit. Press ? to see the available command list.
The command lists of the LLAG/VLAN interface configuration mode:
(config)# interface llag ?
1-5    ID of LLAG interface
(config)# interface llag 1
(config-llag)# ?
do     To run exec commands in the configuration mode
end    Go back to EXEC mode
exit   Exit from current mode
help   Description of the interactive help system
lacp
no
#VLAN
(config)# interface vlan ?
<vlan_list>  List of VLAN interface numbers
(config)# interface vlan 1
(config-if-vlan)# ?
do     To run exec commands in the configuration mode
end    Go back to EXEC mode
exit   Exit from current mode
help   Description of the interactive help system
ip     IPv4 configuration
no     Negate a command or set its defaults
The table below presents the summary of the 5 command modes:
COMMAND MODE                         MAIN FUNCTION                                                                 PROMPT
Privileged EXEC                      In this mode, the system allows the user to view the current configuration,   #
                                     reset to default, reload the switch, show system information, save the
                                     configuration... and enter global configuration mode.
Global Configuration                 In global configuration mode, the user can configure all the features that    (config)#
                                     the system provides.
Port Interface Configuration         In this mode, the user can configure port related settings.                   (config-if)#
LLAG / VLAN Interface Configuration  In this mode, the user can configure settings for a specific LLAG/VLAN.       (config-llag)# / (config-if-vlan)#
Here are some useful keys that let the user see the available commands. They save typing time and help avoid typing errors. Press ? to see all the available commands in the current mode; it also shows the next command the user can/should type.
?
  To see all the available commands in the current mode. Example:
  (config)# interface ?
  *                All switches or All ports
  GigabitEthernet  1 Gigabit Ethernet Port
  llag             Local link aggregation interface configuration
  vlan             VLAN interface configurations
(Character)?
  To see all the available commands that start with this character. Example:
  (config)# a?
  aaa          Authentication, Authorization and Accounting
  access       Access management
  access-list  Access list
  aggregation  Aggregation mode
(tab)
  The tab key helps the user input a command quicker. If there is only one available command that matches, pressing tab completes it. Example:
  # co (tab)
  configure copy
Ctrl+C
  To stop executing the unfinished command.
Ctrl+Q
  To show all of the commands in the current mode.
Ctrl+Z
  To exit configuration mode.
Alert message when multiple users want to configure the switch. If the administrator is in configuration mode, then
the Web users can’t change the settings. This managed switch allows only one administrator to configure the switch
at a time.
20
In the Web management interface, the user will see all of the WoMaster switch's configuration menus on the left side of the page and a port state panel on the right side. Through this web management interface the user can configure, monitor, and administer the switch. The rest of this manual uses the web management interface to introduce the features. Any standard web browser can be used to configure and access the switch over the network.
The web management interface has four top-level functions:
Configuration
This section covers all of the configuration features of this switch.
Monitor
This section covers all of the monitoring pages, including traffic, QoS, Security, Aggregation, Spanning Tree, LLDP, VLAN and so on.
Diagnostics
This section covers the Ping, Traceroute and VeriPHY features.
Maintenance
This section covers firmware upgrade, restarting the device, factory reset to defaults, and uploading and downloading the configuration file from the switch.

3.1 CONFIGURATION

When the user logs in to the switch, the System section appears first. This section provides all the basic and common settings and information of the switch that can be configured by the administrator.
The following topics are included:

3.1.1 System

3.1.2 Green Ethernet
3.1.3 Thermal Protection
3.1.4 Ports
3.1.5 Security
3.1.6 Aggregation
3.1.7 Loop Protection
3.1.8 Spanning Tree
3.1.9 IPMC
3.1.10 LLDP
3.1.11 MAC Table
3.1.12 VLANs
3.1.13 Private VLANs
3.1.14 QoS
3.1.15 Mirroring
3.1.1 SYSTEM
The Information page shows the basic information of the switch, making it easier to identify the different switches connected to the user's network. The figure below shows the Information page.
Information
The switch system information is provided here.
System Contact
The textual identification of the contact person for this managed node, together with information on how to
contact this person. The allowed string length is 0 to 255, and the allowed content is the ASCII characters
from 32 to 126.
System Name
An admin assigned name for this managed node. By convention, this is the node's fully-qualified domain name. A domain name is a text string drawn from the alphabet (A-Z a-z), digits (0-9) and minus sign (-). No space characters are permitted as part of a name. The first character must be an alpha character, and the first or last character must not be a minus sign. The allowed string length is 0 to 255.
System Location
The physical location of this node (e.g., telephone closet, 3rd floor). The allowed string length is 0 to 255, and the allowed content is the ASCII characters from 32 to 126.
Timezone Offset
Provide the timezone offset relative to UTC/GMT.
The offset is given in minutes east of GMT. The valid range is from -1439 to 1439 minutes.
Buttons
Submit: Click to submit changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
IP Configuration
This IP Configuration page allows user to configure the device IP Address and in this page user able to set the IP
Address according to the interface and VLAN. The second section is IP Routes, in this section user can configure the
routing feature.
Configure IP basic settings, control IP interfaces and IP routes. The maximum number of interfaces supported
is 8 and the maximum number of routes is 32.
23
IP Interfaces
Delete
Select this option to delete an existing IP interface.
VLAN
The VLAN associated with the IP interface. Only ports in this VLAN will be able to access the IP interface.
This field is only available for input when creating a new interface.
IPv4 DHCP Enabled
Enable the DHCPv4 client by checking this box. If this option is enabled, the system will configure the IPv4
address and mask of the interface using the DHCPv4 protocol.
IPv4 DHCP Client Identifier Type
The type of DHCP client identifier. User can choose Auto, ifmac, ASCII, and HEX.
IPv4 DHCP Client Identifier IfMac
The interface name of DHCP client identifier. When DHCPv4 client is enabled and the client identifier type is
'ifmac', the configured interface's hardware MAC address will be used in the DHCP option 61 field.
IPv4 DHCP Client Identifier ASCII
The ASCII string of DHCP client identifier. When DHCPv4 client is enabled and the client identifier type is
'ascii', the ASCII string will be used in the DHCP option 61 field.
IPv4 DHCP Client Identifier HEX
The hexadecimal string of DHCP client identifier. When DHCPv4 client is enabled and the client identifier
type 'hex', the hexadecimal value will be used in the DHCP option 61 field.
IPv4 DHCP Hostname
The hostname of the DHCP client. If the DHCPv4 client is enabled, the configured hostname will be used in the DHCP option 12 field. When this value is an empty string, the field uses the configured system name plus the last three bytes of the system MAC address as the hostname.
IPv4 DHCP Fallback Timeout
The number of seconds for trying to obtain a DHCP lease. After this period expires, a configured IPv4
address will be used as IPv4 interface address. A value of zero disables the fallback mechanism, such that
DHCP will keep retrying until a valid lease is obtained. Legal values are 0 to 4294967295 seconds.
IPv4 DHCP Current Lease
For DHCP interfaces with an active lease, this column shows the current interface address, as provided by
the DHCP server.
IPv4 Address
The IPv4 address of the interface in dotted decimal notation. If DHCP is enabled, this field configures the
fallback address. The field may be left blank if IPv4 operation on the interface is not desired - or no DHCP
fallback address is desired.
IPv4 Mask
The IPv4 network mask, in number of bits (prefix length). Valid values are between 0 and 30 bits for an IPv4 address. If DHCP is enabled, this field configures the fallback address network mask. The field may be left blank if IPv4 operation on the interface is not desired, or no DHCP fallback address is desired.
IP Routes
Delete
Select this option to delete an existing IP route.
Network
The destination IP network or host address of this route. Valid format is dotted decimal notation. A default
route can use the value 0.0.0.0.
Mask Length
The destination IP network or host mask, in number of bits (prefix length). It defines how much of a network
address that must match, in order to qualify for this route. Valid values are between 0 and 32 bits. Only a
default route will have a mask length of 0 (as it will match anything).
Gateway
The IP address of the IP gateway. Valid format is dotted decimal notation.
Distance (Only for IPv4)
The distance value of a route entry gives the priority of the route when two or more routes to the same destination exist, for example routes learned from different routing protocols. The route with the lowest distance is preferred.
Next Hop VLAN (Only for IPv6)
The VLAN ID (VID) of the specific IPv6 interface associated with the gateway.
The given VID ranges from 1 to 4095 and will be effective only when the corresponding IPv6 interface is
valid.
If the IPv6 gateway address is link-local, it must specify the next hop VLAN for the gateway.
If the IPv6 gateway address is not link-local, system ignores the next hop VLAN for the gateway.
Buttons
Add Interface: Click to add a new IP interface. A maximum of 8 interfaces is supported.
Add Route: Click to add a new IP route. A maximum of 32 routes is supported.
Submit: Click to submit changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
LOG
System Log Configuration
Configure the system log on this page.
Server Mode
Indicates the server mode operation. When server mode is enabled, syslog messages are sent to the configured syslog server. The switch sends syslog over UDP to port 514 on the server. Because UDP is connectionless, the server does not acknowledge messages, and the switch sends them whether or not a server is actually listening; lost messages are not retransmitted. Plain UDP syslog is neither authenticated nor encrypted, so the path to the server should stay inside a trusted management network. Possible modes are:
Enabled: Enable server mode operation.
Disabled: Disable server mode operation.
Server Address
Indicates the IPv4 host address of the syslog server. If DNS is configured on the switch, a domain name can also be used.
Syslog Level
Indicates which messages are sent to the syslog server. A message is sent when its severity code is numerically less than or equal to the selected level (lower codes are more severe). Possible levels are:
Error: Send messages whose severity code is less than or equal to Error (3).
Warning: Send messages whose severity code is less than or equal to Warning (4).
Notice: Send messages whose severity code is less than or equal to Notice (5).
Informational: Send messages whose severity code is less than or equal to Informational (6).
Buttons
Submit: Click to submit changes.
Reset: Click to undo any changes made locally and revert to previously saved values.
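The following Python script is an added example and is not part of the WoMaster manual or the switch firmware. It reproduces the Syslog Level rule above on constructed sample messages: it parses the PRI field of an RFC 3164 datagram into facility and severity, builds datagrams the way a UDP/514 sender would, and keeps only the messages whose severity code is at or below the selected level. The host name, tags and message texts are made up.

```python
import re

# Numeric severity codes carried in the syslog PRI field (lower = more severe)
SEVERITY_NAMES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
                  4: "warning", 5: "notice", 6: "info", 7: "debug"}

# The switch's "Syslog Level" choices and the highest severity code each one forwards
LEVEL_THRESHOLD = {"Error": 3, "Warning": 4, "Notice": 5, "Informational": 6}

_PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_pri(datagram: bytes):
    """Split a syslog datagram into (facility, severity, rest).

    PRI = facility * 8 + severity, so facility is PRI >> 3 and severity is
    the low three bits. Values above 191 (facility 23, severity 7) are invalid.
    """
    m = _PRI_RE.match(datagram)
    if not m:
        raise ValueError("datagram has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    return pri >> 3, pri & 0x7, datagram[m.end():]


def switch_forwards(datagram: bytes, level: str) -> bool:
    """The page's rule: forward when severity <= the code of the selected level."""
    _, severity, _ = parse_pri(datagram)
    return severity <= LEVEL_THRESHOLD[level]


def build_datagram(facility: int, severity: int, hostname: str, tag: str,
                   message: str, timestamp: str = "Nov 23 10:15:42") -> bytes:
    """Build an RFC 3164 style datagram as a switch would send it over UDP/514.

    The timestamp is fixed so the output is deterministic; a real sender
    uses the current time.
    """
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility/severity out of range")
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {hostname} {tag}: {message}".encode()


# Constructed sample messages (facility 3 = daemon); not captured from a real switch
SAMPLE = [
    build_datagram(3, 2, "DS410F-1", "sys", "Thermal protection shut down port group 2"),
    build_datagram(3, 3, "DS410F-1", "auth", "Login failed for user admin from 10.0.0.77"),
    build_datagram(3, 4, "DS410F-1", "link", "Port 3 link down"),
    build_datagram(3, 6, "DS410F-1", "link", "Port 3 link up, 1Gbps FDX"),
]


def filter_for_level(datagrams, level: str):
    """Return only the datagrams the switch would send at the given Syslog Level."""
    return [d for d in datagrams if switch_forwards(d, level)]


if __name__ == "__main__":
    for level in LEVEL_THRESHOLD:
        kept = filter_for_level(SAMPLE, level)
        print(f"{level:13s} forwards {len(kept)} of {len(SAMPLE)}")
        for d in kept:
            fac, sev, rest = parse_pri(d)
            print(f"  facility={fac} severity={SEVERITY_NAMES[sev]:7s} {rest.decode()}")
```

Selecting Error (3) drops the link-down message at severity 4, so a collector that relies on the switch for link-flap alerts needs Warning or lower; the failed-login message at severity 3 is forwarded at every level.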
RELAY OUTPUT
This page allows the user to inspect the current Relay Output configuration and change it as well. Relay Output Configuration:
Port Link Failure
A check box is provided for each port. When checked, a link failure on that port will set the relay output to "on". When unchecked, a link failure on that port will not trigger the relay. By default, port link failure is disabled on all ports.
Buttons
Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.

3.1.2 GREEN ETHERNET

PORT POWER SAVINGS
What is EEE?
EEE (Energy Efficient Ethernet) is a power saving option that reduces power usage when there is low or no traffic utilization.
EEE works by powering down circuits when there is no traffic. When a port gets data to be transmitted, all circuits are powered up. The time it takes to power up the circuits is named the wakeup time. The default wakeup time is 17 us for 1Gbit links and 30 us for other link speeds. EEE devices must agree upon the value of the wakeup time in order to make sure that both the receiving and the transmitting device have all circuits powered up when traffic is transmitted. The devices can exchange wakeup time information using the LLDP protocol. EEE works for ports in auto-negotiation mode, where the port is negotiated to either 1G or 100 Mbit full duplex mode. For ports that are not EEE-capable the corresponding EEE checkboxes are grayed out, so EEE cannot be enabled for them.
When a port is powered down to save power, outgoing traffic is stored in a buffer until the port is powered up again. Because there is some overhead in turning the port down and up, more power can be saved if the traffic can be buffered until a large burst can be transmitted. Buffering traffic adds some latency.
Optimize EEE for
The switch can be set to optimize EEE for either best power saving or least traffic latency.
Port Configuration
Port
The switch port number of the logical port.
ActiPHY
Link down power savings enabled.
ActiPHY works by lowering the power for a port when there is no link. The port is powered up for a short moment in order to determine if a cable is inserted.
PerfectReach
Cable length power savings enabled. PerfectReach works by determining the cable length and lowering the power for ports with short cables.
EEE
Controls whether EEE is enabled for this switch port.
For maximizing power savings, the circuit isn't started at once transmit data is ready for a port, but is instead queued until a burst of data is ready to be transmitted. This will give some traffic latency.
If desired it is possible to minimize the latency for specific frames, by mapping the frames to a specific queue (done with QOS), and then mark the queue as an urgent queue. When an urgent queue gets data to be transmitted, the circuits will be powered up at once and the latency will be reduced to the wakeup time.
EEE Urgent Queues
Queues set will activate transmission of frames as soon as data is available. Otherwise the queue will postpone transmission until a burst of frames can be transmitted.
Buttons
Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.

3.1.3 THERMAL PROTECTION

This page allows the user to inspect and configure the current setting for controlling thermal protection. Thermal protection is used to protect the chip from getting overheated.
When the temperature exceeds the configured thermal protection temperature, ports will be turned off in order to decrease the power consumption. It is possible to arrange the ports with different groups. Each group can be given a temperature at which the corresponding ports shall be turned off.
Temperature settings for groups
The temperature at which the ports with the corresponding group will be turned off. Temperatures between 0 and 255 C are supported.
Port groups
The group the port belongs to. 4 groups are supported.
Buttons
Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.

3.1.4 PORTS

This page displays current port configurations. Ports can also be configured here.
Port
This is the logical port number for this row.
Link
The current link state is displayed graphically. Green indicates the link is up and red that it is down.
Current Link Speed
Provides the current link speed of the port.
Configured Link Speed
Selects any available link speed for the given switch port. Only speeds supported by the specific port are shown. Possible speeds are:
Disabled - Disables the switch port operation.
Auto - Port auto-negotiates speed with the link partner and selects the highest speed that is compatible with the link partner.
10Mbps HDX - Forces the Cu port into 10Mbps half-duplex mode.
10Mbps FDX - Forces the Cu port into 10Mbps full-duplex mode.
100Mbps HDX - Forces the Cu port into 100Mbps half-duplex mode.
100Mbps FDX - Forces the Cu port into 100Mbps full-duplex mode.
1Gbps FDX - Forces the port into 1Gbps full-duplex mode.
SFP_Auto_AMS - Automatically determines the speed of the SFP. Note: there is no standardized way to do SFP auto detect, so here it is done by reading the SFP ROM. Because of the missing standard, some SFPs might not be detectable. The port is set in AMS mode and the Cu port is set in Auto mode.
100-FX - SFP port in 100-FX speed. Cu port disabled.
1000-X - SFP port in 1000-X speed. Cu port disabled.
Ports in AMS mode with 1000-X speed have the Cu port preferred. Ports in AMS mode with 100-FX speed have the Cu port preferred.
Advertise Duplex
When duplex is set to Auto (auto-negotiation), the port will only advertise the specified duplex, either Fdx or Hdx, to the link partner. By default the port advertises all supported duplex modes when Duplex is Auto.
Advertise Speed
When speed is set to Auto (auto-negotiation), the port will only advertise the specified speeds (10M, 100M, 1G, 2.5G, 5G, 10G) to the link partner. By default the port advertises all supported speeds when speed is set to Auto.
Flow Control
When Auto Speed is selected on a port, this section indicates the flow control capability that is advertised to the link partner. When a fixed-speed setting is selected, that is what is used. The Current Rx column indicates whether pause frames on the port are obeyed, and the Current Tx column indicates whether pause frames on the port are transmitted. The Rx and Tx settings are determined by the result of the last Auto Negotiation. Check the configured column to use flow control. This setting is related to the setting for Configured Link Speed. NOTICE: The 100FX standard doesn't support Auto Negotiation, so when in 100FX mode the flow control capabilities will always be shown as "disabled".
PFC
When PFC (802.1Qbb Priority Flow Control) is enabled on a port then flow control on a priority level is enabled. Through the Priority field, range (one or more) of priorities can be configured, e.g. '0-3,7' which equals '0,1,2,3,7'. PFC is not supported through auto negotiation. PFC and Flow control cannot both be enabled on the same port.
Maximum Frame Size
Enter the maximum frame size allowed for the switch port, including FCS. The range is 1518-10240 bytes.
Excessive Collision Mode
Configure port transmit collision behavior.
Discard: Discard frame after 16 collisions (default). Restart: Restart back off algorithm after 16 collisions.
Frame Length Check
Configures whether frames with an incorrect value in the EtherType/Length field shall be dropped. The 16-bit field that follows the source MAC address is used either as a Length or as an EtherType. Values of 1535 and below are treated here as the payload length in bytes; values above 1535 are treated as an EtherType, indicating which protocol is encapsulated in the frame payload. (IEEE 802.3 itself defines 1500 and below as Length and 1536 and above as Type, leaving 1501 to 1535 undefined.) If Frame Length Check is enabled, frames whose field is interpreted as a length are dropped when that length does not match the actual payload length. If it is disabled, frames are not dropped because of a length mismatch. Note: no drop counter counts frames dropped due to frame length mismatch, so such drops are invisible in the port statistics.
Buttons
Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values. Refresh: Click to refresh the page. Any changes made locally will be undone.
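The following Python script is an added example and is not part of the WoMaster manual or the switch firmware. It shows the Frame Length Check decision on constructed frames: an IPv4 frame whose field is an EtherType, an LLC frame whose Length matches, one whose Length claims more bytes than are present, and two that test how minimum-size padding is handled. The frames carry no FCS, and the padding rule (a Length smaller than the payload is tolerated only up to the 46-byte minimum payload) is an assumption of this example, not a statement from the manual.

```python
import struct

ETH_HEADER_LEN = 14        # dst(6) + src(6) + EtherType/Length(2); FCS is not included here
LENGTH_FIELD_MAX = 1535    # this page: values <= 1535 are a Length, larger values an EtherType
MIN_PAYLOAD = 46           # minimum Ethernet payload; shorter payloads are padded on the wire


def build_frame(dst: bytes, src: bytes, type_or_len: int, payload: bytes) -> bytes:
    """Assemble a frame without FCS. Constructed test input, not a capture."""
    return dst + src + struct.pack("!H", type_or_len) + payload


def frame_length_check(frame: bytes, enabled: bool = True):
    """Return (keep, reason) following the page's description of the check.

    Assumption: because frames below the minimum size are padded, a Length
    smaller than the received payload is accepted while the payload is not
    longer than MIN_PAYLOAD; anything else is a mismatch and is dropped.
    """
    if len(frame) < ETH_HEADER_LEN:
        return False, "runt frame, no EtherType/Length field"
    field = struct.unpack("!H", frame[12:14])[0]
    payload = frame[ETH_HEADER_LEN:]
    if field > LENGTH_FIELD_MAX:
        return True, f"EtherType 0x{field:04x}, length check not applicable"
    if not enabled:
        return True, "length field present, check disabled"
    if field > len(payload):
        return False, f"declared length {field} exceeds payload {len(payload)}"
    if len(payload) > max(field, MIN_PAYLOAD):
        return False, f"payload {len(payload)} longer than declared {field} (not padding)"
    return True, f"declared length {field} matches payload"


DST = bytes.fromhex("0180c2000000")   # constructed addresses
SRC = bytes.fromhex("001122334455")

# EtherType 0x0800 (IPv4): the field is a type, so the check never drops it
IPV4_FRAME = build_frame(DST, SRC, 0x0800, b"\x45" + b"\x00" * 19)
# IEEE 802.3 LLC frame, Length 46 with exactly 46 bytes of payload
LLC_OK = build_frame(DST, SRC, 46, b"\x42\x42\x03" + b"\x00" * 43)
# Length claims 100 bytes but only 46 follow: the mismatch the feature drops
LLC_SHORT = build_frame(DST, SRC, 100, b"\x42\x42\x03" + b"\x00" * 43)
# Length 20 with 46 bytes on the wire: explained by minimum-size padding
LLC_PADDED = build_frame(DST, SRC, 20, b"\x42\x42\x03" + b"\x00" * 43)
# Length 20 with 200 bytes: too long to be padding
LLC_LONG = build_frame(DST, SRC, 20, b"\x42\x42\x03" + b"\x00" * 197)


if __name__ == "__main__":
    for name, f in [("ipv4", IPV4_FRAME), ("llc_ok", LLC_OK), ("llc_short", LLC_SHORT),
                    ("llc_padded", LLC_PADDED), ("llc_long", LLC_LONG)]:
        keep, why = frame_length_check(f)
        print(f"{name:10s} {'keep' if keep else 'drop'}: {why}")
```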

3.1.5 SECURITY

Switch Password
This page allows you to configure the system password required to access the web pages or log in from CLI.
Old Password
Enter the current system password. If this is incorrect, the new password will not be set.
New Password
The new system password. The allowed string length is 0 to 31, and the allowed content is the ASCII characters from 32 to 126. Because a zero-length password is accepted by the form, make sure a non-empty password is set before the switch is reachable from the production network.
Confirm New Password
The new password must be entered twice to catch typing errors.
Buttons
Submit: Click to submit changes.
Authentication Method Configuration
The authentication section allows you to configure how a user is authenticated when logging into the switch via one of the management client interfaces. The table has one row for each client type and the following columns:
Client
The management client for which the configuration below applies.
Methods
Method can be set to one of the following values:
no: Authentication is disabled and login is not possible.
local: Use the local user database on the switch for authentication.
radius: Use remote RADIUS server(s) for authentication.
Methods are tried from left to right until one either approves or rejects the user. A method that involves remote servers times out if the remote servers are offline; in that case the next method is tried. If a remote server is used for primary authentication, it is recommended to configure the secondary method as 'local', so that the management client can still log in via the local user database if none of the configured authentication servers are alive. Note that a rejection from a reachable RADIUS server is final and does not fall through to the local database.
Buttons
Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.
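The following Python script is an added example and is not part of the WoMaster manual or the switch firmware. It models the method list above: each method is tried left to right, a remote method that times out is skipped, and the first method that answers decides. The two stand-in RADIUS functions, the local user database and the per-client method lists (the client names "console", "ssh" and "web" are illustrative) are all constructed for the example; nothing is sent on the network.

```python
from typing import Callable, Dict, Optional, Sequence

# What one RADIUS round trip returns: "accept", "reject", or None when every
# configured server timed out (the "servers offline" case on this page).
RadiusFn = Callable[[str, str], Optional[str]]


def local_auth(local_users: Dict[str, str], user: str, password: str) -> str:
    """Local user database check; always answers and never times out."""
    return "accept" if local_users.get(user) == password else "reject"


def authenticate(methods: Sequence[str], user: str, password: str,
                 local_users: Dict[str, str], radius: RadiusFn) -> str:
    """Walk the method list left to right, as the page describes.

    A method that answers ("accept"/"reject") ends the walk. A remote method
    that times out is skipped and the next method is tried. If no method
    answers, the login fails.
    """
    for method in methods:
        if method == "no":
            return "reject"                    # login disabled for this client
        if method == "local":
            return local_auth(local_users, user, password)
        if method == "radius":
            verdict = radius(user, password)
            if verdict is None:
                continue                       # servers offline: fall through
            return verdict
        raise ValueError(f"unknown method {method!r}")
    return "reject"


# Constructed stand-ins for a RADIUS server
def radius_online(user: str, password: str) -> Optional[str]:
    return "accept" if (user, password) == ("alice", "Correct-Horse-7") else "reject"


def radius_offline(user: str, password: str) -> Optional[str]:
    return None


LOCAL_USERS = {"admin": "Local-Fallback-9"}   # constructed local database

# Assumed per-client method lists; the client names are illustrative
SAFE_CONFIG = {"console": ["local"], "ssh": ["radius", "local"], "web": ["radius", "local"]}
RISKY_CONFIG = {"console": ["local"], "ssh": ["radius"], "web": ["radius"]}


def login(config: Dict[str, Sequence[str]], client: str, user: str, password: str,
          radius: RadiusFn) -> str:
    return authenticate(config[client], user, password, LOCAL_USERS, radius)


if __name__ == "__main__":
    print("radius up,   risky, alice via ssh:", login(RISKY_CONFIG, "ssh", "alice", "Correct-Horse-7", radius_online))
    print("radius down, risky, admin via ssh:", login(RISKY_CONFIG, "ssh", "admin", "Local-Fallback-9", radius_offline))
    print("radius down, safe,  admin via ssh:", login(SAFE_CONFIG, "ssh", "admin", "Local-Fallback-9", radius_offline))
    print("radius up,   safe,  admin via ssh:", login(SAFE_CONFIG, "ssh", "admin", "Local-Fallback-9", radius_online))
```

The second case is the lockout the recommendation guards against: with only 'radius' configured and the servers down, even the local admin account cannot log in. The last case shows that 'local' as the secondary method is not a bypass while RADIUS is reachable, because the server's rejection ends the walk.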
HTTPS
This page allows you to configure the HTTPS settings and maintain the current certificate on the switch.
Mode
Indicate the HTTPS mode operation. Possible modes are:
Enabled: Enable HTTPS mode operation. Disabled: Disable HTTPS mode operation.
Automatic Redirect
Indicate the HTTPS redirect mode operation. It is only significant when "HTTPS Mode Enabled" is selected. When the redirect mode is enabled, the HTTP connection will be redirected to HTTPS connection automatically. Notice that the browser may not allow the redirect operation due to the security consideration unless the switch certificate is trusted to the browser. You need to initialize the HTTPS connection manually for this case. Possible modes are:
Enabled: Enable HTTPS redirect mode operation. Disabled: Disable HTTPS redirect mode operation.
Certificate Maintain
The operation of certificate maintenance. Possible operations are:
None: No operation.
Delete: Delete the current certificate.
Upload: Upload a certificate PEM file. Possible methods are: Web Browser or URL.
Generate: Generate a new self-signed RSA certificate.
Certificate Pass Phrase
Enter the pass phrase in this field if your uploading certificate is protected by a specific passphrase.
Certificate Upload
Upload a certificate PEM file into the switch. The file should contain the certificate and the private key together. If you have two separate files for the certificate and the private key, use the Linux cat command to combine them into a single PEM file, for example: cat my.cert my.key > my.pem. An RSA certificate is recommended, since most current browsers have removed support for DSA in certificates, e.g. Firefox v37 and Chrome v39. Possible methods are:
Web Browser: Upload a certificate via the web browser.
URL: Upload a certificate via URL; the supported protocols are HTTP, HTTPS, TFTP and FTP. The URL format is <protocol>://[<username>[:<password>]@]<host>[:<port>][/<path>]/<file_name>. For example, tftp://10.10.10.10/new_image_path/new_image.dat or http://username:password@10.10.10.10:80/new_image_path/new_image.dat. A valid file name is a text string drawn from the alphabet (A-Z a-z), digits (0-9), dot (.), hyphen (-) and underscore (_). The maximum length is 63 and a hyphen must not be the first character. A file name consisting only of '.' is not allowed. Note that with HTTP, FTP and TFTP the URL, any credentials embedded in it, and the private key inside the PEM file all cross the network in clear text; prefer HTTPS, or the Web Browser method over an HTTPS session, for a file that contains a private key.
Certificate Status
Display the current status of certificate on the switch. Possible statuses are:
Switch secure HTTP certificate is presented.
Switch secure HTTP certificate is not presented.
Switch secure HTTP certificate is generating ....
Buttons
Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values. Refresh: Click to refresh the page. Any changes made locally will be undone.
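The following Python script is an added example and is not part of the WoMaster manual or the switch firmware. It performs the two checks an administrator would want before the upload described above: that the combined PEM file holds exactly one certificate and one private key (flagging DSA keys and pass-phrase-protected keys), and that a file name used in an upload URL obeys the rules quoted on this page. Only PEM framing is inspected; the base64 bodies in the samples are placeholders, not real keys or certificates.

```python
import re

_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)
# File name rules quoted on this page for URL uploads
_FILENAME = re.compile(r"^[A-Za-z0-9._][A-Za-z0-9._-]{0,62}$")


def pem_blocks(text: str):
    """Return [(label, body)] for every well-formed PEM block in the text."""
    return [(m.group("label"), m.group("body")) for m in _PEM_BLOCK.finditer(text)]


def check_upload_pem(text: str):
    """Check a combined PEM file before uploading it.

    Returns (ok, problems). Only the PEM framing is inspected; the DER inside
    is not decoded, so this does not validate the key or certificate itself.
    """
    problems = []
    blocks = pem_blocks(text)
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    if len(certs) != 1:
        problems.append(f"expected exactly one CERTIFICATE block, found {len(certs)}")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    for label, body in keys:
        if label.startswith("DSA"):
            problems.append("DSA private key: current browsers reject DSA certificates, use RSA")
        if label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("key is pass phrase protected: fill in Certificate Pass Phrase")
    return (not problems), problems


def valid_upload_filename(name: str) -> bool:
    """Rules from this page: A-Z a-z 0-9 . - _, at most 63, no leading hyphen, not only dots."""
    return bool(_FILENAME.match(name)) and set(name) != {"."}


# Constructed placeholders: the base64 bodies are NOT real keys or certificates
GOOD_PEM = (
    "-----BEGIN CERTIFICATE-----\nMIIBzzCCAXWgAwIBAgIUPLACEHOLDER\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
)
KEY_ONLY_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
)
DSA_PEM = (
    "-----BEGIN CERTIFICATE-----\nMIIBzzCCAXWgAwIBAgIUPLACEHOLDER\n-----END CERTIFICATE-----\n"
    "-----BEGIN DSA PRIVATE KEY-----\nMIIBuwIBAAKBgQDPLACEHOLDER\n-----END DSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, pem in [("my.pem", GOOD_PEM), ("key-only.pem", KEY_ONLY_PEM), ("dsa.pem", DSA_PEM)]:
        ok, problems = check_upload_pem(pem)
        print(name, "OK" if ok else "; ".join(problems))
    for fn in ["switch-2018.pem", "-bad.pem", "..", "a" * 64]:
        print(f"{fn[:20]!r:24} valid name: {valid_upload_filename(fn)}")
```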
Access Management Configuration
Configure the access management table on this page. The maximum number of entries is 16. When access management is enabled, a management request is allowed only if it matches at least one entry (VLAN, source address range and the requested service); a request that matches no entry is dropped. Add an entry that covers the administrator's own station before enabling the mode, otherwise management access is lost.
Mode
Indicates the access management mode operation. Possible modes are:
Enabled: Enable access management mode operation. Disabled: Disable access management mode operation.
Delete
Check to delete the entry. It will be deleted during the next save.
VLAN ID
Indicates the VLAN ID for the access management entry.
Start IP address
Indicates the start IP unicast address for the access management entry.
End IP address
Indicates the end IP unicast address for the access management entry.
HTTP/HTTPS
Indicates that the host can access the switch from HTTP/HTTPS interface if the host IP address matches the IP address range provided in the entry.
SNMP
Indicates that the host can access the switch from SNMP interface if the host IP address matches the IP address range provided in the entry.
Buttons
Add New Entry: Click to add a new access management entry. Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.
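The following Python script is an added example and is not part of the WoMaster manual or the switch firmware. It evaluates the access management table described above against constructed requests, including the lockout case where the administrator's own address is outside every range. The entries and addresses are made up; the interpretation that a request must arrive on the entry's VLAN, from an address inside the inclusive range, for a service the entry has ticked, is this example's reading of the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

MAX_ENTRIES = 16    # limit stated on this page


@dataclass
class AccessEntry:
    vlan: int
    start_ip: str
    end_ip: str
    http: bool = False    # covers both HTTP and HTTPS, as on the page
    snmp: bool = False


def entry_matches(entry: AccessEntry, client_ip: str, vlan: int, service: str) -> bool:
    """Assumption: the request must arrive on the entry's VLAN, from an address
    inside the inclusive range, for a service the entry has ticked."""
    if entry.vlan != vlan:
        return False
    ip = ipaddress.ip_address(client_ip)
    if not ipaddress.ip_address(entry.start_ip) <= ip <= ipaddress.ip_address(entry.end_ip):
        return False
    allowed = {"http": entry.http, "https": entry.http, "snmp": entry.snmp}
    return allowed[service]


def access_allowed(mode_enabled: bool, entries: List[AccessEntry],
                   client_ip: str, vlan: int, service: str) -> bool:
    """Mode disabled: everything passes. Mode enabled: any matching entry admits
    the request, and a request that matches nothing is dropped."""
    if len(entries) > MAX_ENTRIES:
        raise ValueError("more than 16 access management entries")
    if not mode_enabled:
        return True
    return any(entry_matches(e, client_ip, vlan, service) for e in entries)


def lockout_check(entries: List[AccessEntry], admin_ip: str, admin_vlan: int) -> bool:
    """True if enabling the mode still lets the administrator's station in over HTTPS."""
    return access_allowed(True, entries, admin_ip, admin_vlan, "https")


# Constructed entries: management jump hosts on VLAN 1 may use the web UI,
# the monitoring server may only poll SNMP
ENTRIES = [
    AccessEntry(vlan=1, start_ip="10.0.0.10", end_ip="10.0.0.20", http=True),
    AccessEntry(vlan=1, start_ip="10.0.0.200", end_ip="10.0.0.200", snmp=True),
]

if __name__ == "__main__":
    cases = [("10.0.0.15", 1, "https"), ("10.0.0.15", 1, "snmp"), ("10.0.0.200", 1, "snmp"),
             ("10.0.0.15", 20, "https"), ("10.0.0.50", 1, "https")]
    for ip, vlan, svc in cases:
        verdict = "allow" if access_allowed(True, ENTRIES, ip, vlan, svc) else "deny"
        print(f"{ip:12} vlan {vlan:2} {svc:5} -> {verdict}")
    print("admin at 10.0.0.50 keeps access after enabling:", lockout_check(ENTRIES, "10.0.0.50", 1))
```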
SNMP System
Configure SNMP on this page.
Mode
Indicates the SNMP mode operation. Possible modes are:
Enabled: Enable SNMP mode operation. Disabled: Disable SNMP mode operation.
Engine ID
Indicates the SNMPv3 engine ID. The string must be hexadecimal with an even number of digits, between 10 and 64 digits long; all-zeros and all-'F's are not allowed. SNMPv3 USM keys are derived from the user's password and the engine ID (RFC 3414 key localization), so only users created under this engine ID can access the device (local users), and changing the engine ID revokes access for all current local users until they are re-created.
Buttons
Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.
SNMP Trap
Configure SNMP trap on this page.
Trap Destination Configurations
Configure trap destinations on this page.
Name
Indicates the name of the trap destination configuration.
Enable
Indicates the trap destination mode operation. Possible modes are:
Enabled: Enable SNMP trap mode operation. Disabled: Disable SNMP trap mode operation.
Version
Indicates the SNMP trap supported version. Possible versions are:
SNMPv1: Set SNMP trap supported version 1. SNMPv2c: Set SNMP trap supported version 2c. SNMPv3: Set SNMP trap supported version 3.
Destination Address
Indicates the SNMP trap destination address. A valid IP address in dotted decimal notation ('x.y.z.w') is allowed.
Destination port
Indicates the SNMP trap destination port. SNMP Agent will send SNMP message via this port, the port range is 1~65535.
Buttons
Add New Entry: Click to add a new trap destination. Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.
Trap Source Configurations
This page provides SNMP trap source configurations. A trap is sent for the given trap source if at least one filter with filter type included matches the filter, and no filters with filter type excluded matches.
Delete
Check to delete the entry. It will be deleted during the next save.
Name
Indicates the name for the entry.
Type
The filter type for the entry. Possible types are:
included: A trap is sent when the given trap source matches this entry. excluded: A trap is not sent when the given trap source matches this entry.
Subset OID
The subset OID for the entry. The value depends on the trap name; for example, ifIndex is the subset OID of linkUp and linkDown. A valid subset OID is one or more numbers (0-4294967295) or asterisks (*) separated by dots (.). The first character must not be an asterisk (*) and the number of OID components must not exceed 128.
Buttons
Add New Entry: Click to add a new entry. The maximum entry count is 32. Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.
Communities
SNMPv3 Community Configuration
Configure SNMPv3 community table on this page. The entry index key is Community.
Delete
Check to delete the entry. It will be deleted during the next save.
Community Name
Indicates the security name to map the community to the SNMP Groups configuration. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
Community Secret
Indicates the community secret (access string) that permits access to the SNMP agent using SNMPv1 and SNMPv2c. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126. The secret travels in clear text in every SNMPv1/v2c packet, so restrict it with Source IP and Source Prefix and prefer SNMPv3 users for anything beyond read-only monitoring.
Source IP
Indicates the SNMP access source address. A particular range of source addresses can be used to restrict source subnet when combined with source prefix.
Source Prefix
Indicates the SNMP access source address prefix.
Buttons
Add New Entry: Click to add a new community entry. Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.
Users
SNMPv3 User Configuration
Configure SNMPv3 user table on this page. The entry index keys are Engine ID and User Name.
Delete
Check to delete the entry. It will be deleted during the next save.
Engine ID
An octet string identifying the engine ID that this entry should belong to. The string must contain an even number(in hexadecimal format) with number of digits between 10 and 64, but all-zeros and all-'F's are not allowed. The SNMPv3 architecture uses the User-based Security Model (USM) for message security and the View-based Access Control Model (VACM) for access control. For the USM entry, the usmUserEngineID and usmUserName are the entry's keys. In a simple agent, usmUserEngineID is always that agent's own snmpEngineID value. The value can also take the value of the snmpEngineID of a remote SNMP engine with which this user can communicate. In other words, if user engine ID equal system engine ID then it is local user; otherwise it's remote user.
User Name
A string identifying the user name that this entry should belong to. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
Security Level
Indicates the security model that this entry should belong to. Possible security models are:
NoAuth, NoPriv: No authentication and no privacy. Auth, NoPriv: Authentication and no privacy. Auth, Priv: Authentication and privacy.
The security level cannot be modified once the entry exists, so it must be set correctly when the entry is created.
Authentication Protocol
Indicates the authentication protocol that this entry should belong to. Possible authentication protocols are:
None: No authentication protocol. MD5: This user uses the MD5 authentication protocol. SHA: This user uses the SHA authentication protocol.
Like the security level, the authentication protocol cannot be modified once the entry exists, so it must be set correctly when the entry is created.
Authentication Password
A string identifying the authentication password phrase. For MD5 authentication protocol, the allowed string length is 8 to 32. For SHA authentication protocol, the allowed string length is 8 to 40. The allowed content is ASCII characters from 33 to 126.
Privacy Protocol
Indicates the privacy protocol that this entry should belong to. Possible privacy protocols are:
None: No privacy protocol. DES: This user uses the DES privacy protocol. AES: This user uses the AES privacy protocol.
Privacy Password
A string identifying the privacy password phrase. The allowed string length is 8 to 32, and the allowed content is ASCII characters from 33 to 126.
Buttons
Add New Entry: Click to add a new user entry. Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.
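The following Python script is an added example and is not part of the WoMaster manual or the switch firmware. It backs up two statements on this page, the Engine ID rules under SNMP System and the note that changing the engine ID revokes local users, by validating an engine ID and carrying out the RFC 3414 password-to-key algorithm: the password is expanded to 1 MiB and hashed (Ku), then localized as H(Ku || engineID || Ku) (Kul). The same password under a different engine ID yields a different key, which is why existing users stop working after the engine ID changes. The first engine ID and password come from the RFC 3414 appendix test vector; the second engine ID is constructed for the example.

```python
import hashlib
import re

_HEX = re.compile(r"^[0-9A-Fa-f]+$")
_KU_LEN = 1048576   # RFC 3414 A.2: the password is expanded to 1 MiB before hashing


def validate_engine_id(engine_id_hex: str) -> bool:
    """Engine ID rules from this page: hex digits, even count, 10..64 digits,
    not all zeros and not all F's."""
    s = engine_id_hex.strip()
    if not _HEX.match(s) or len(s) % 2 or not 10 <= len(s) <= 64:
        return False
    return set(s) != {"0"} and set(s.upper()) != {"F"}


def check_auth_password(protocol: str, password: str) -> bool:
    """Length rules from this page: MD5 8..32, SHA 8..40, ASCII 33..126 only."""
    limit = {"MD5": 32, "SHA": 40}[protocol]
    return 8 <= len(password) <= limit and all(33 <= ord(c) <= 126 for c in password)


def password_to_ku(password: str, hash_name: str) -> bytes:
    """RFC 3414 A.2.1/A.2.2: hash the password repeated to exactly 1 MiB."""
    pw = password.encode()
    stream = (pw * (_KU_LEN // len(pw) + 1))[:_KU_LEN]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_key(password: str, engine_id_hex: str, protocol: str) -> bytes:
    """Password to localized key for one engine; MD5 (usmHMACMD5) or SHA (usmHMACSHA)."""
    if not validate_engine_id(engine_id_hex):
        raise ValueError("engine ID violates the page's rules")
    h = {"MD5": "md5", "SHA": "sha1"}[protocol]
    return localize_key(password_to_ku(password, h), bytes.fromhex(engine_id_hex), h)


# RFC 3414 appendix test vector: password "maplesyrup", engine ID 00..02
RFC_ENGINE = "000000000000000000000002"
# A constructed engine ID for the same switch after an administrator changes it
NEW_ENGINE = "800007e5017f000001"

if __name__ == "__main__":
    k_old = usm_key("maplesyrup", RFC_ENGINE, "MD5")
    k_new = usm_key("maplesyrup", NEW_ENGINE, "MD5")
    print("Kul(MD5) under RFC engine ID:", k_old.hex())
    print("Kul(MD5) under new engine ID:", k_new.hex())
    print("same password, same key?    :", k_old == k_new)
```

The managed-station side (the SNMP manager) also localizes the password against the agent's engine ID it discovers, so after an engine ID change the manager and the switch still agree; what breaks is the user entry stored on the switch, which holds the old Kul.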
GROUPS
SNMPv3 Group Configuration
Configure SNMPv3 group table on this page. The entry index keys are Security Model and Security Name.
Delete
Check to delete the entry. It will be deleted during the next save.
Security Model
Indicates the security model that this entry should belong to. Possible security models are:
v1: Reserved for SNMPv1. v2c: Reserved for SNMPv2c. usm: User-based Security Model (USM).
Security Name
A string identifying the security name that this entry should belong to. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
Group Name
A string identifying the group name that this entry should belong to. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
Buttons
Add New Entry: Click to add a new group entry. Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.
Views
SNMPv3 View Configuration
Configure SNMPv3 view table on this page. The entry index keys are View Name and OID Subtree.
Delete
Check to delete the entry. It will be deleted during the next save.
View Name
A string identifying the view name that this entry should belong to. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
View Type
Indicates the view type that this entry should belong to. Possible view types are:
included: An optional flag to indicate that this view subtree should be included. excluded: An optional flag to indicate that this view subtree should be excluded.
In general, if a view entry's view type is 'excluded', there should be another view entry with view type 'included' whose OID subtree contains the subtree of the 'excluded' entry.
OID Subtree
The OID defining the root of the subtree to add to the named view. The allowed OID length is 1 to 128. The allowed string content is digital number or asterisk(*).
Buttons
Add New Entry: Click to add a new view entry. Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.
Access
SNMPv3 Access Configuration
Configure SNMPv3 access table on this page. The entry index keys are Group Name, Security Model and Security Level.
Delete
Check to delete the entry. It will be deleted during the next save.
Group Name
A string identifying the group name that this entry should belong to. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
Security Model
Indicates the security model that this entry should belong to. Possible security models are:
any: Any security model accepted(v1|v2c|usm). v1: Reserved for SNMPv1. v2c: Reserved for SNMPv2c. usm: User-based Security Model (USM).
Security Level
Indicates the security level that this entry should belong to. Possible security levels are:
NoAuth, NoPriv: No authentication and no privacy. Auth, NoPriv: Authentication and no privacy. Auth, Priv: Authentication and privacy.
Read View Name
The name of the MIB view defining the MIB objects for which this request may request the current values. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
Write View Name
The name of the MIB view defining the MIB objects for which this request may potentially set new values. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.
Buttons
Add New Entry: Click to add a new access entry. Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.
NETWORKS
Port Security
This page allows you to configure the Port Security global and per-port settings. Port Security allows for limiting the number of users on a given port. A user is identified by a MAC address and VLAN ID. If Port Security is enabled on a port, the limit specifies the maximum number of users on the port. If this number is exceeded, an action is taken depending on the violation mode. The violation mode can be one of the violation modes described below.
The Port Security configuration consists of two sections, a global section and a per-port section.
Global Configuration
Aging Enabled
If checked, secured MAC addresses are subject to aging as discussed under Aging Period.
Aging Period
If Aging Enabled is checked, then the aging period is controlled with this input. If other modules are using the underlying functionality for securing MAC addresses, they may have other requirements for the aging period. The underlying functionality will use the shortest requested aging period of all modules that have aging enabled. The Aging Period can be set to a number between 10 and 10000000 seconds with a default of 3600 seconds. To understand why aging may be desired, consider the following scenario: Suppose an end-host is connected to a 3rd party switch or hub, which in turn is connected to a port on this switch on which Port Security is enabled. The end-host will be allowed to forward if the limit is not exceeded. Now suppose that the end-host logs off or powers down. If it wasn't for aging, the end-host would still take up resources on this switch and would still be allowed to forward. To overcome this situation, enable aging. With aging enabled, a timer is started once the end-host gets secured. When the timer expires, the switch starts looking for frames from the end-host, and if such frames are not seen within the next Aging Period, the end-host is assumed to be disconnected, and the corresponding resources are freed on the switch.
Hold Time
The hold time - measured in seconds - is used to determine how long a MAC address is held in the MAC table if it has been found to violate the limit. Valid range is between 10 and 10000000 seconds with a default of 300 seconds. The reason for holding a violating MAC address in the MAC table is primarily to ensure that the same MAC address doesn't give rise to continuous notifications (if notifications on violation count is enabled).
Port Configuration
The table has one row for each port on the switch and a number of columns, which are:
Port
The port number to which the configuration below applies.
Mode
Controls whether Port Security is enabled on this port. Notice that other modules may still use the underlying port security features without enabling Port Security on a given port.
Limit
The maximum number of MAC addresses that can be secured on this port. This number cannot exceed 1023. Default is 4. If the limit is exceeded, an action is taken corresponding to the violation mode. The switch is "born" with a total number of MAC addresses from which all ports draw whenever a new MAC address is seen on a Port Security-enabled port. Since all ports draw from the same pool, it may happen that a configured maximum cannot be granted, if the remaining ports have already used all available MAC addresses.
Violation Mode
If Limit is reached, the switch can take one of the following actions:
Protect: Do not allow more than Limit MAC addresses on the port, but take no further action. Restrict: If Limit is reached, subsequent MAC addresses on the port will be counted and marked as violating. Such MAC addresses are removed from the MAC table when the hold time expires. At most Violation Limit MAC addresses can be marked as violating at any given time. Shutdown: If Limit is reached, one additional MAC address will cause the port to be shut down. This implies that all secured MAC addresses are removed from the port, and no new addresses are learned. There are three ways to re-open the port:
1) In the "Configuration→Ports" page's "Configured" column, first disable the port, then restore the original mode.
2) Make a Port Security configuration change on the port.
3) Boot the switch.
Violation Limit
The maximum number of MAC addresses that can be marked as violating on this port. This number cannot exceed 1023. Default is 4. It is only used when Violation Mode is Restrict.
State
This column shows the current Port Security state of the port. The state takes one of four values:
Disabled: Port Security is disabled on the port. Ready: The limit is not yet reached. This can be shown for all violation modes. Limit Reached: Indicates that the limit is reached on this port. This can be shown for all violation modes. Shutdown: Indicates that the port is shut down by Port Security. This state can only be shown if violation mode is set to Shutdown.
Buttons
Refresh: Click to refresh the page. Note that non-committed changes will be lost. Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.
NAS
This page allows you to configure the IEEE 802.1X and MAC-based authentication system and port settings. The IEEE 802.1X standard defines a port-based access control procedure that prevents unauthorized access to a network by requiring users to first submit credentials for authentication. One or more central servers, the backend servers, determine whether the user is allowed access to the network. These backend (RADIUS) servers are configured on the "Configuration→Security→AAA" page.
MAC-based authentication allows for authentication of more than one user on the same port, and doesn't require the user to have special 802.1X supplicant software installed on his system. The switch uses the user's MAC address to authenticate against the backend server. Intruders can create counterfeit MAC addresses, which makes MAC-based authentication less secure than 802.1X authentication. The NAS configuration consists of two sections, a system-wide section and a port-wide section.
System Configuration
Mode
Indicates if NAS is globally enabled or disabled on the switch. If globally disabled, all ports are allowed forwarding of frames.
Reauthentication Enabled
If checked, successfully authenticated supplicants/clients are reauthenticated after the interval specified by the Reauthentication Period. Reauthentication for 802.1X-enabled ports can be used to detect if a new device is plugged into a switch port or if a supplicant is no longer attached. For MAC-based ports, reauthentication is only useful if the RADIUS server configuration has changed. It does not involve communication between the switch and the client, and therefore doesn't imply that a client is still present on a port (see Aging Period below).
Reauthentication Period
Determines the period, in seconds, after which a connected client must be reauthenticated. This is only active if the Reauthentication Enabled checkbox is checked. Valid values are in the range 1 to 3600 seconds.
EAPOL Timeout
Determines the time for retransmission of Request Identity EAPOL frames. Valid values are in the range 1 to 65535 seconds. This has no effect for MAC-based ports.
Aging Period
This setting applies to the following modes, i.e. modes using the Port Security functionality to secure MAC addresses:
• MAC-Based Auth. When the NAS module uses the Port Security module to secure MAC addresses, the Port Security module needs to check for activity on the MAC address in question at regular intervals and free resources if no activity is seen within a given period of time. This parameter controls exactly this period and can be set to a number between 10 and 1000000 seconds. For ports in MAC-based Auth. mode, reauthentication doesn't cause direct communication between the switch and the client, so this will not detect whether the client is still attached or not, and the only way to free any resources is to age the entry.
Hold Time
This setting applies to the following modes, i.e. modes using the Port Security functionality to secure MAC addresses:
• MAC-Based Auth. If a client is denied access - either because the RADIUS server denies the client access or because the RADIUS server request times out (according to the timeout specified on the "Configuration→Security→AAA" page) - the client is put on hold in the Unauthorized state. The hold timer does not count during an on-going authentication. The switch will ignore new frames coming from the client during the hold time. The Hold Time can be set to a number between 10 and 1000000 seconds.
Port Configuration
The table has one row for each port on the switch and a number of columns, which are:
Port
The port number for which the configuration below applies.
Admin State
If NAS is globally enabled, this selection controls the port's authentication mode. The following modes are available:
Force Authorized
In this mode, the switch will send one EAPOL Success frame when the port link comes up, and any client on the port will be allowed network access without authentication.
Force Unauthorized
In this mode, the switch will send one EAPOL Failure frame when the port link comes up, and any client on the port will be disallowed network access.
802.1X
In the 802.1X world, the user is called the supplicant, the switch is the authenticator, and the RADIUS server is the authentication server. The authenticator acts as the man-in-the-middle, forwarding requests and responses between the supplicant and the authentication server. Frames sent between the supplicant and the switch are special 802.1X frames, known as EAPOL (EAP Over LANs) frames. EAPOL frames encapsulate EAP PDUs (RFC3748). Frames sent between the switch and the RADIUS server are RADIUS packets. RADIUS packets also encapsulate EAP PDUs together with other attributes like the switch's IP address, name, and the supplicant's port number on the switch. EAP is very flexible, in that it allows for different authentication methods, like MD5-Challenge, PEAP, and TLS. The important thing is that the authenticator (the switch) doesn't need to know which authentication method the supplicant and the authentication server are using, or how many information exchange frames are needed for a particular method. The switch simply encapsulates the EAP part of the frame into the relevant type (EAPOL or RADIUS) and forwards it. When authentication is complete, the RADIUS server sends a special packet containing a success or failure indication. Besides forwarding this decision to the supplicant, the switch uses it to open up or block traffic on the switch port connected to the supplicant.
Note: Suppose two backend servers are enabled and that the server timeout is configured to X seconds (using the AAA configuration page), and suppose that the first server in the list is currently down (but not considered dead). Now, if the supplicant retransmits EAPOL Start frames at an interval shorter than X seconds, then it will never get authenticated, because the switch will cancel on-going backend authentication server requests whenever it receives a new EAPOL Start frame from the supplicant. And since the server hasn't yet failed (because the X seconds haven't expired), the same server will be contacted upon the next backend authentication server request from the switch. This scenario will loop forever. Therefore, the server timeout should be smaller than the supplicant's EAPOL Start frame retransmission interval.
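A small discrete-time model of the note above, added here as an illustration (it is not code from the manual or from the switch firmware). It assumes two backend servers, the first down but not yet dead, that a request marks its server dead only after waiting the full server timeout, and that each new EAPOL Start cancels the pending request; all numbers are constructed.

```python
"""Added example: does the supplicant ever get authenticated?

Model assumptions (constructed, not taken from the manual):
  * server 0 is down (never answers), server 1 is healthy;
  * the switch always contacts the first server not marked dead;
  * a server is marked dead once a request has been outstanding for the
    full server timeout X; the request then falls over to the next server;
  * every EAPOL Start from the supplicant cancels the outstanding request.
"""

DOWN, HEALTHY = 0, 1


def authenticates(server_timeout: int, start_interval: int, horizon: int = 600) -> bool:
    """Return True if authentication succeeds within `horizon` seconds.

    server_timeout: the X seconds configured on the AAA page.
    start_interval: seconds between the supplicant's EAPOL Start retransmissions.
    """
    dead = [False, False]
    pending = None      # (server, started_at) of the outstanding backend request
    t = 0
    while t <= horizon:
        # A request that has waited the full timeout marks its server dead,
        # and the switch moves on to the next live server for this request.
        if pending is not None and t - pending[1] >= server_timeout:
            dead[pending[0]] = True
            pending = None
            if not dead[HEALTHY]:
                return True
        # The supplicant retransmits EAPOL Start every start_interval seconds.
        if t % start_interval == 0:
            pending = None              # new EAPOL Start cancels the on-going request
            if dead[DOWN]:
                return True             # first server already dead: healthy one answers
            pending = (DOWN, t)         # not yet dead: the same server is contacted again
        t += 1
    return False                        # looped until the horizon: never authenticated


def minimum_start_interval(server_timeout: int, horizon: int = 600) -> int:
    """Smallest retransmission interval (in whole seconds) that still lets the
    supplicant authenticate for the given server timeout."""
    interval = 1
    while not authenticates(server_timeout, interval, horizon):
        interval += 1
    return interval


if __name__ == "__main__":
    for interval in (5, 10, 15):
        print(f"X=10s, EAPOL Start every {interval}s ->",
              "authenticated" if authenticates(10, interval) else "loops forever")
```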
MAC-based Auth.
Unlike 802.1X, MAC-based authentication is not a standard, but merely a best-practices method adopted by the industry. In MAC-based authentication, users are called clients, and the switch acts as the supplicant on behalf of clients. The initial frame (any kind of frame) sent by a client is snooped by the switch, which in turn uses the client's MAC address as both username and password in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is converted to a string in the following form "xx-xx-xx-xx-xx-xx", that is, a dash (-) is used as separator between the lower-cased hexadecimal digits. The switch only supports the MD5-Challenge authentication method, so the RADIUS server must be configured accordingly. When authentication is complete, the RADIUS server sends a success or failure indication, which in turn causes the switch to open up or block traffic for that particular client, using the Port Security module. Only then will frames from the client be forwarded on the switch. There are no EAPOL frames involved in this authentication, and therefore, MAC-based Authentication has nothing to do with the 802.1X standard. The advantage of MAC-based authentication over port-based 802.1X is that several clients can be connected to the same port (e.g. through a 3rd party switch or a hub) and still require individual authentication, and that the clients don't need special supplicant software to authenticate. The disadvantage is that MAC addresses can be spoofed by malicious users - equipment whose MAC address is a valid RADIUS user can be used by anyone. Also, only the MD5-Challenge method is supported. The maximum number of clients that can be attached to a port can be limited using the Port Security Limit Control functionality.
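The identity derivation and MD5-Challenge exchange described above, as an added example that is not part of the manual or the switch firmware: the switch formats the snooped MAC as the dash-separated lower-case string and uses it as both username and password, and the RADIUS side checks the MD5-Challenge response, which per RFC 3748 (and RFC 1994) is MD5(identifier || password || challenge). The RadiusServer class and its allow-list are a constructed stand-in for a real backend; the example shows why the whole credential is recoverable from the MAC alone.

```python
"""Added example: MAC-based auth identity string and EAP MD5-Challenge check."""
import hashlib
import secrets


def mac_to_identity(mac: bytes) -> str:
    """Format a 6-byte MAC as "xx-xx-xx-xx-xx-xx" (lower-case hex, dash separated),
    the string the manual says is used as both username and password."""
    if len(mac) != 6:
        raise ValueError("MAC address must be exactly 6 bytes")
    return "-".join(f"{b:02x}" for b in mac)


def md5_challenge_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """EAP MD5-Challenge response value: MD5(Identifier || password || challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("EAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + password.encode("ascii") + challenge).digest()


class MacAuthSwitch:
    """Authenticator side: the switch answers the challenge on behalf of a
    snooped client, with no secret beyond the client's MAC address."""

    def __init__(self, client_mac: bytes):
        self.username = mac_to_identity(client_mac)
        self.password = self.username       # same string serves as the password

    def answer(self, identifier: int, challenge: bytes) -> bytes:
        return md5_challenge_response(identifier, self.password, challenge)


class RadiusServer:
    """Constructed stand-in for the backend server: an allow-list of MACs whose
    password is, as the manual requires, the formatted MAC string itself."""

    def __init__(self, allowed_macs):
        self.users = {mac_to_identity(m): mac_to_identity(m) for m in allowed_macs}

    def challenge(self):
        """Fresh EAP identifier and 16-byte challenge for one exchange."""
        return secrets.randbelow(256), secrets.token_bytes(16)

    def verify(self, username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        password = self.users.get(username)
        if password is None:
            return False                    # unknown MAC: Access-Reject
        expected = md5_challenge_response(identifier, password, challenge)
        return secrets.compare_digest(expected, response)


def authenticate(server: RadiusServer, client_mac: bytes) -> bool:
    """Run one MD5-Challenge exchange for a snooped client MAC. The result is the
    success/failure indication that makes Port Security open or block the client."""
    switch = MacAuthSwitch(client_mac)
    ident, chal = server.challenge()
    return server.verify(switch.username, ident, chal, switch.answer(ident, chal))


if __name__ == "__main__":
    known = bytes.fromhex("001b21aabbcc")    # constructed sample MAC
    srv = RadiusServer([known])
    print(mac_to_identity(known), "->", authenticate(srv, known))
    print(mac_to_identity(b"\x00\x1b\x21\xaa\xbb\xcd"), "->",
          authenticate(srv, b"\x00\x1b\x21\xaa\xbb\xcd"))
```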
Port State
The current state of the port. It can undertake one of the following values:
Globally Disabled: NAS is globally disabled. Link Down: NAS is globally enabled, but there is no link on the port. Authorized: The port is in Force Authorized or a single-supplicant mode and the supplicant is authorized. Unauthorized: The port is in Force Unauthorized or a single-supplicant mode and the supplicant is not successfully authorized by the RADIUS server. X Auth/Y Unauth: The port is in a multi-supplicant mode. Currently X clients are authorized and Y are unauthorized.
Restart
Two buttons are available for each row. The buttons are only enabled when authentication is globally enabled and the port's Admin State is in an EAPOL-based or MAC-based mode. Clicking these buttons will not cause settings changed on the page to take effect. Reauthenticate: Schedules a reauthentication whenever the quiet-period of the port runs out (EAPOL-based authentication). For MAC-based authentication, reauthentication will be attempted immediately. The button only has effect for successfully authenticated clients on the port and will not cause the clients to get temporarily unauthorized. Reinitialize: Forces a reinitialization of the clients on the port and thereby a reauthentication immediately. The clients will transfer to the unauthorized state while the reauthentication is in progress.
Buttons
Refresh: Click to refresh the page. Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.
ACL
Ports
Configure the ACL parameters (ACE) of each switch port. These parameters will affect frames received on a port unless the frame matches a specific ACE.
Port
The logical port for the settings contained in the same row.
Policy ID
Select the policy to apply to this port. The allowed values are 0 through 63. The default value is 0.
Action
Select whether forwarding is permitted ("Permit") or denied ("Deny"). The default value is "Permit".
Rate Limiter ID
Select which rate limiter to apply on this port. The allowed values are Disabled or the values 1 through 16. The default value is "Disabled".
Port Redirect
Select the port to which frames received on this port are redirected. The allowed values are Disabled or a specific port number, and it can't be set when the action is Permit. The default value is "Disabled".
Mirror
Specify the mirror operation of this port. The allowed values are: Enabled: Frames received on the port are mirrored. Disabled: Frames received on the port are not mirrored. The default value is "Disabled".
Logging
Specify the logging operation of this port. Notice that the logging message doesn't include the 4-byte CRC. The allowed values are:
Enabled: Frames received on the port are stored in the System Log. Disabled: Frames received on the port are not logged.
The default value is "Disabled". Note: The logging feature only works when the packet length is less than 1518 bytes (without VLAN tags), and the System Log memory size and logging rate are limited.
Shutdown
Specify the port shut down operation of this port. The allowed values are:
Enabled: If a frame is received on the port, the port will be disabled. Disabled: Port shut down is disabled.
The default value is "Disabled". Note: The shutdown feature only works when the packet length is less than 1518 bytes (without VLAN tags).
State
Specify the port state of this port. The allowed values are:
Enabled: To reopen ports by changing the volatile port configuration of the ACL user module. Disabled: To close ports by changing the volatile port configuration of the ACL user module.
The default value is "Enabled".
Counter
Counts the number of frames that match this ACE.
Buttons
Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values. Refresh: Click to refresh the page; any changes made locally will be undone. Clear: Click to clear the counters.
Rate Limiter
Configure the rate limiter for the ACL of the switch.
Rate Limiter ID
The rate limiter ID for the settings contained in the same row and its range is 1 to 16.
Rate
The valid rate is 0 - 99, 100, 200, 300, ...,1092000 in pps or 0, 100, 200, 300, ..., 1000000 in kbps.
Unit
Specify the rate unit. The allowed values are:
pps: packets per second. kbps: Kbits per second.
Buttons
Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.
Access Control List
This page shows the Access Control List (ACL), which is made up of the ACEs defined on this switch. Each row describes the ACE that is defined. The maximum number of ACEs is 128 on each switch.
Click on the lowest plus sign to add a new ACE to the list. The reserved ACEs used for internal protocols cannot be edited or deleted, their order cannot be changed, and they have the highest priority.
ACE
Indicates the ACE ID.
Ingress Port
Indicates the ingress port of the ACE. Possible values are:
All: The ACE will match all ingress ports. Port: The ACE will match a specific ingress port.
Policy / Bitmask
Indicates the policy number and bitmask of the ACE.
Frame Type
Indicates the frame type of the ACE. Possible values are:
Any: The ACE will match any frame type. EType: The ACE will match Ethernet Type frames. Note that an Ethernet Type based ACE will not get matched by IP and ARP frames.
ARP: The ACE will match ARP/RARP frames. IPv4: The ACE will match all IPv4 frames. IPv4/ICMP: The ACE will match IPv4 frames with ICMP protocol. IPv4/UDP: The ACE will match IPv4 frames with UDP protocol. IPv4/TCP: The ACE will match IPv4 frames with TCP protocol. IPv4/Other: The ACE will match IPv4 frames, which are not ICMP/UDP/TCP. IPv6: The ACE will match all IPv6 standard frames.
Action
Indicates the forwarding action of the ACE.
Permit: Frames matching the ACE may be forwarded and learned. Deny: Frames matching the ACE are dropped. Filter: Frames matching the ACE are filtered.
Rate Limiter
Indicates the rate limiter number of the ACE. The allowed range is 1 to 16. When Disabled is displayed, the rate limiter operation is disabled.
Port Redirect
Indicates the port redirect operation of the ACE. Frames matching the ACE are redirected to the port number. The allowed values are Disabled or a specific port number. When Disabled is displayed, the port redirect operation is disabled.
Mirror
Specify the mirror operation of this port. Frames matching the ACE are mirrored to the destination mirror port. The allowed values are:
Enabled: Frames received on the port are mirrored. Disabled: Frames received on the port are not mirrored.
The default value is "Disabled".
Counter
The counter indicates the number of times the ACE was hit by a frame.
Modification Buttons
You can modify each ACE (Access Control Entry) in the table using the following buttons:
[icon]: Inserts a new ACE before the current row.
[icon]: Edits the ACE row.
[icon]: Moves the ACE up the list.
[icon]: Moves the ACE down the list.
[icon]: Deletes the ACE.
[icon]: The lowest plus sign adds a new entry at the bottom of the ACE listings.
Buttons
Auto-refresh: Check this box to refresh the page automatically. Automatic refresh occurs every 3 seconds. Refresh: Click to refresh the page; any changes made locally will be undone. Clear: Click to clear the counters. Remove All: Click to remove all ACEs.
Configure an ACE (Access Control Entry) on this page. An ACE consists of several parameters. These parameters vary according to the frame type that you select. First select the ingress port for the ACE, and then select the frame type. Different parameter options are displayed depending on the frame type selected. A frame that hits this ACE matches the configuration that is defined here.
Ingress Port
Select the ingress port for which this ACE applies.
All: The ACE applies to all ports. Port n: The ACE applies to this port number, where n is the number of the switch port.
Policy Filter
Specify the policy number filter for this ACE.
Any: No policy filter is specified. (policy filter status is "don't-care".) Specific: If you want to filter a specific policy with this ACE, choose this value. Two fields for entering a policy value and bitmask appear.
Policy Value
When "Specific" is selected for the policy filter, you can enter a specific policy value. The allowed range is 0 to 63.
Policy Bitmask
When "Specific" is selected for the policy filter, you can enter a specific policy bitmask. The allowed range is 0x0 to 0x3f. Notice the usage of the bitmask: if a binary bit value is "0", that bit is "don't-care". The real matched pattern is [policy_value & policy_bitmask]. For example, if the policy value is 3 and the policy bitmask is 0x10 (bit 0 is the "don't-care" bit), then policies 2 and 3 are applied to this rule.
Frame Type
Select the frame type for this ACE. These frame types are mutually exclusive.
Any: Any frame can match this ACE. Ethernet Type: Only Ethernet Type frames can match this ACE. IEEE 802.3 specifies that the Length/Type field holds an Ethernet Type when its value is greater than or equal to 1536 decimal (0x0600 hexadecimal), and the value must not be equal to 0x800 (IPv4), 0x806 (ARP) or 0x86DD (IPv6).
ARP: Only ARP frames can match this ACE. Notice that ARP frames won't match an ACE with frame type Ethernet Type. IPv4: Only IPv4 frames can match this ACE. Notice that IPv4 frames won't match an ACE with frame type Ethernet Type. IPv6: Only IPv6 frames can match this ACE. Notice that IPv6 frames won't match an ACE with frame type Ethernet Type.
Action
Specify the action to take with a frame that hits this ACE.
Permit: The frame that hits this ACE is granted permission for the ACE operation. Deny: The frame that hits this ACE is dropped. Filter: Frames matching the ACE are filtered.
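A software model of the ACE parameters described above (ingress port, policy value and bitmask, frame type, action) with first-match evaluation down the ACL, added here as an illustration; it is not code from the manual or the switch. Frame type classification follows the Ethernet Type rule quoted above (Length/Type at or above 0x0600, excluding 0x0800, 0x0806 and 0x86DD), and the "bit 0 don't-care" case of the bitmask text is realised with mask 0x3E, i.e. all six policy bits set except bit 0. The Frame and Ace classes, sample frames and ACEs are constructed.

```python
"""Added example: ACE matching and first-match ACL evaluation."""
from dataclasses import dataclass
from typing import List, Optional

ETYPE_IPV4, ETYPE_ARP, ETYPE_IPV6 = 0x0800, 0x0806, 0x86DD


@dataclass(frozen=True)
class Frame:
    ingress_port: int
    policy: int          # Policy ID of the ingress port (0..63)
    ethertype: int       # value of the Length/Type field


@dataclass(frozen=True)
class Ace:
    action: str                          # "Permit" or "Deny"
    ingress_port: Optional[int] = None   # None = All
    policy_value: Optional[int] = None   # None = policy filter Any
    policy_bitmask: int = 0x3F           # bits cleared here are don't-care
    frame_type: str = "Any"              # Any, EType, ARP, IPv4, IPv6


def classify(ethertype: int) -> str:
    """Frame type as the ACL page classifies it: IPv4, ARP and IPv6 are their own
    types and never count as Ethernet Type; anything else >= 0x0600 is EType."""
    if ethertype == ETYPE_IPV4:
        return "IPv4"
    if ethertype == ETYPE_ARP:
        return "ARP"
    if ethertype == ETYPE_IPV6:
        return "IPv6"
    if ethertype >= 0x0600:
        return "EType"
    return "Length"      # 802.3 length field; matched only by frame type Any


def policy_matches(policy: int, value: Optional[int], bitmask: int) -> bool:
    """Compare only the bits set in the bitmask: [policy & mask] == [value & mask]."""
    if value is None:
        return True
    return (policy & bitmask) == (value & bitmask)


def matching_policies(value: int, bitmask: int) -> List[int]:
    """Every policy ID 0..63 admitted by a value/bitmask pair."""
    return [p for p in range(64) if policy_matches(p, value, bitmask)]


def ace_matches(ace: Ace, frame: Frame) -> bool:
    if ace.ingress_port is not None and ace.ingress_port != frame.ingress_port:
        return False
    if not policy_matches(frame.policy, ace.policy_value, ace.policy_bitmask):
        return False
    return ace.frame_type == "Any" or ace.frame_type == classify(frame.ethertype)


def evaluate(acl: List[Ace], frame: Frame, port_default: str = "Permit") -> str:
    """The first ACE in list order that hits decides; if none hits, the
    port's own Action setting from the ACL Ports page applies."""
    for ace in acl:
        if ace_matches(ace, frame):
            return ace.action
    return port_default


if __name__ == "__main__":
    # Constructed ACL: drop ARP on port 3, permit policies 2 and 3 anywhere.
    acl = [Ace("Deny", ingress_port=3, frame_type="ARP"),
           Ace("Permit", policy_value=3, policy_bitmask=0x3E)]
    print("policies admitted by 3/0x3E:", matching_policies(3, 0x3E))
    for f in (Frame(3, 0, 0x0806), Frame(4, 2, 0x0806), Frame(4, 4, 0x0800)):
        print(f, "->", evaluate(acl, f, port_default="Deny"))
```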
Rate Limiter
Specify the rate limiter in number of base units. The allowed range is 1 to 16. Disabled indicates that the rate limiter operation is disabled.
Port Redirect
Frames that hit the ACE are redirected to the port number specified here. The rate limiter will affect these ports. The allowed range is the same as the switch port number range. Disabled indicates that the port redirect operation is disabled and the specific port number of 'Port Redirect' can't be set when action is permitted.
Mirror
Specify the mirror operation of this port. Frames matching the ACE are mirrored to the destination mirror port. The rate limiter will not affect frames on the mirror port. The allowed values are:
Enabled: Frames received on the port are mirrored. Disabled: Frames received on the port are not mirrored.
The default value is "Disabled".
Logging
Specify the logging operation of the ACE. Notice that the logging message doesn't include the 4-byte CRC. The allowed values are:
Enabled: Frames matching the ACE are stored in the System Log. Disabled: Frames matching the ACE are not logged.
Note: The logging feature only works when the packet length is less than 1518 bytes (without VLAN tags), and the System Log memory size and logging rate are limited.
Shutdown
Specify the port shut down operation of the ACE. The allowed values are: Enabled: If a frame matches the ACE, the ingress port will be disabled. Disabled: Port shut down is disabled for the ACE. Note: The shutdown feature only works when the packet length is less than 1518 bytes (without VLAN tags).
Counter
The counter indicates the number of times the ACE was hit by a frame.
MAC Parameters
SMAC Filter
(Only displayed when the frame type is Ethernet Type or ARP.) Specify the source MAC filter for this ACE.
Any: No SMAC filter is specified. (SMAC filter status is "don't-care".) Specific: If you want to filter a specific source MAC address with this ACE, choose this value. A field for entering an SMAC value appears.
SMAC Value
When "Specific" is selected for the SMAC filter, you can enter a specific source MAC address. The legal format is "xx-xx-xx-xx-xx-xx" or "xx.xx.xx.xx.xx.xx" or "xxxxxxxxxxxx" (x is a hexadecimal digit). A frame that hits this ACE matches this SMAC value.
DMAC Filter
Specify the destination MAC filter for this ACE.
Any: No DMAC filter is specified. (DMAC filter status is "don't-care".) MC: Frame must be multicast. BC: Frame must be broadcast. UC: Frame must be unicast. Specific: If you want to filter a specific destination MAC address with this ACE, choose this value. A field for entering a DMAC value appears.
DMAC Value
When "Specific" is selected for the DMAC filter, you can enter a specific destination MAC address. The legal format is "xx-xx-xx-xx-xx-xx" or "xx.xx.xx.xx.xx.xx" or "xxxxxxxxxxxx" (x is a hexadecimal digit). A frame that hits this ACE matches this DMAC value.
VLAN Parameters
802.1Q Tagged
Specify whether frames can hit the action according to whether they are 802.1Q tagged. The allowed values are:
Any: Any value is allowed ("don't-care"). Enabled: Tagged frame only. Disabled: Untagged frame only.
The default value is "Any".
VLAN ID Filter
VLAN ID
Specify the VLAN ID filter for this ACE.
Any: No VLAN ID filter is specified. (VLAN ID filter status is "don't-care".) Specific: If you want to filter a specific VLAN ID with this ACE, choose this value. A field for entering a VLAN ID number appears.
When "Specific" is selected for the VLAN ID filter, you can enter a specific VLAN ID number. The allowed range is 1 to 4095. A frame that hits this ACE matches this VLAN ID value.
Tag Priority
Specify the tag priority for this ACE. A frame that hits this ACE matches this tag priority. The allowed number range is 0 to 7 or range 0-1, 2-3, 4-5, 6-7, 0-3 and 4-7. The value Any means that no tag priority is specified (tag priority is "don't-care".)
ARP Parameters
The ARP parameters can be configured when Frame Type "ARP" is selected.
ARP/RARP
Specify the available ARP/RARP opcode (OP) flag for this ACE.
Any: No ARP/RARP OP flag is specified. (OP is "don't-care".) ARP: Frame must have ARP opcode set to ARP. RARP: Frame must have RARP opcode set to RARP. Other: Frame has unknown ARP/RARP Opcode flag.
Request/Reply
Specify the available Request/Reply opcode (OP) flag for this ACE.
Any: No Request/Reply OP flag is specified. (OP is "don't-care".) Request: Frame must have ARP Request or RARP Request OP flag set. Reply: Frame must have ARP Reply or RARP Reply OP flag.
Sender IP Filter
Specify the sender IP filter for this ACE.
Any: No sender IP filter is specified. (Sender IP filter is "don't-care".) Host: Sender IP filter is set to Host. Specify the sender IP address in the SIP Address field that appears. Network: Sender IP filter is set to Network. Specify the sender IP address and sender IP mask in the SIP Address and SIP Mask fields that appear.
Sender IP Address
When "Host" or "Network" is selected for the sender IP filter, you can enter a specific sender IP address in dotted decimal notation. Notice that an otherwise invalid IP address, for example 0.0.0.0, is also accepted. Normally, an ACE with an invalid IP address is given an explicit deny action.
Sender IP Mask
When "Network" is selected for the sender IP filter, you can enter a specific sender IP mask in dotted decimal notation.
Target IP Filter
Specify the target IP filter for this specific ACE.
Any: No target IP filter is specified. (Target IP filter is "don't-care".) Host: Target IP filter is set to Host. Specify the target IP address in the Target IP Address field that appears. Network: Target IP filter is set to Network. Specify the target IP address and target IP mask in the Target IP Address and Target IP Mask fields that appear.
Target IP Address
When "Host" or "Network" is selected for the target IP filter, you can enter a specific target IP address in dotted decimal notation. Notice that an otherwise invalid IP address, for example 0.0.0.0, is also accepted. Normally, an ACE with an invalid IP address is given an explicit deny action.
Target IP Mask
When "Network" is selected for the target IP filter, you can enter a specific target IP mask in dotted decimal notation.
ARP Sender MAC Match
Specify whether frames can hit the action according to their sender hardware address field (SHA) settings.
0: ARP frames where SHA is not equal to the SMAC address. 1: ARP frames where SHA is equal to the SMAC address. Any: Any value is allowed ("don't-care").
RARP Target MAC Match
Specify whether frames can hit the action according to their target hardware address field (THA) settings.
0: RARP frames where THA is not equal to the target MAC address. 1: RARP frames where THA is equal to the target MAC address. Any: Any value is allowed ("don't-care").
IP/Ethernet Length
Specify whether frames can hit the action according to their ARP/RARP hardware address length (HLN) and protocol address length (PLN) settings.
0: ARP/RARP frames where the HLN is not equal to Ethernet (0x06) or the (PLN) is not equal to IPv4 (0x04). 1: ARP/RARP frames where the HLN is equal to Ethernet (0x06) and the (PLN) is equal to IPv4 (0x04). Any: Any value is allowed ("don't-care").
IP
Specify whether frames can hit the action according to their ARP/RARP hardware address space (HRD) settings.
0: ARP/RARP frames where the HRD is not equal to Ethernet (1). 1: ARP/RARP frames where the HRD is equal to Ethernet (1). Any: Any value is allowed ("don't-care").
Ethernet
Specify whether frames can hit the action according to their ARP/RARP protocol address space (PRO) settings.
0: ARP/RARP frames where the PRO is not equal to IP (0x800). 1: ARP/RARP frames where the PRO is equal to IP (0x800). Any: Any value is allowed ("don't-care").
IP Parameters
The IP parameters can be configured when Frame Type "IPv4" is selected.
IP Protocol Filter
Specify the IP protocol filter for this ACE.
Any: No IP protocol filter is specified ("don't-care"). Specific: Choose this value to filter a specific IP protocol number with this ACE. A field for entering the IP protocol value appears. ICMP: Select ICMP to filter IPv4 ICMP frames. Extra fields for defining ICMP parameters appear; they are explained under ICMP Parameters below. UDP: Select UDP to filter IPv4 UDP frames. Extra fields for defining UDP parameters appear; they are explained under TCP/UDP Parameters below. TCP: Select TCP to filter IPv4 TCP frames. Extra fields for defining TCP parameters appear; they are explained under TCP/UDP Parameters below.
IP Protocol Value
When "Specific" is selected for the IP protocol value, you can enter a specific value. The allowed range is 0 to 255. A frame that hits this ACE matches this IP protocol value.
IP TTL
Specify the Time-to-Live settings for this ACE.
zero: IPv4 frames with a Time-to-Live field greater than zero must not be able to match this entry. non-zero: IPv4 frames with a Time-to-Live field greater than zero must be able to match this entry. Any: Any value is allowed ("don't-care").
IP Fragment
Specify the fragment offset settings for this ACE. This involves the settings for the More Fragments (MF) bit and the Fragment Offset (FRAG OFFSET) field for an IPv4 frame. No: IPv4 frames where the MF bit is set or the FRAG OFFSET field is greater than zero must not be able to match this entry. Yes: IPv4 frames where the MF bit is set or the FRAG OFFSET field is greater than zero must be able to match this entry.
Any: Any value is allowed ("don't-care").
IP Option
Specify the options flag setting for this ACE.
No: IPv4 frames where the options flag is set must not be able to match this entry. Yes: IPv4 frames where the options flag is set must be able to match this entry. Any: Any value is allowed ("don't-care").
SIP Filter
Specify the source IP filter for this ACE.
Any: No source IP filter is specified. (Source IP filter is "don't-care".) Host: Source IP filter is set to Host. Specify the source IP address in the SIP Address field that appears. Network: Source IP filter is set to Network. Specify the source IP address and source IP mask in the SIP Address and SIP Mask fields that appear.
SIP Address
When "Host" or "Network" is selected for the source IP filter, you can enter a specific SIP address in dotted decimal notation. Note that an invalid IP address, for example 0.0.0.0, is also accepted. An ACE with an invalid address is normally paired with an explicit deny action.
SIP Mask
When "Network" is selected for the source IP filter, you can enter a specific SIP mask in dotted decimal notation.
DIP Filter
Specify the destination IP filter for this ACE.
Any: No destination IP filter is specified. (Destination IP filter is "don't-care".) Host: Destination IP filter is set to Host. Specify the destination IP address in the DIP Address field that appears. Network: Destination IP filter is set to Network. Specify the destination IP address and destination IP mask in the DIP Address and DIP Mask fields that appear.
DIP Address
When "Host" or "Network" is selected for the destination IP filter, you can enter a specific DIP address in dotted decimal notation. Note that an invalid IP address, for example 0.0.0.0, is also accepted. An ACE with an invalid address is normally paired with an explicit deny action.
DIP Mask
When "Network" is selected for the destination IP filter, you can enter a specific DIP mask in dotted decimal notation.
IPv6 Parameters
The IPv6 parameters can be configured when Frame Type "IPv6" is selected.
Next Header Filter
Specify the IPv6 next header filter for this ACE.
Any: No IPv6 next header filter is specified ("don't-care"). Specific: Choose this value to filter a specific IPv6 next header value with this ACE. A field for entering the next header value appears. ICMP: Select ICMP to filter IPv6 ICMP frames. Extra fields for defining ICMP parameters appear; they are explained under ICMP Parameters below. UDP: Select UDP to filter IPv6 UDP frames. Extra fields for defining UDP parameters appear; they are explained under TCP/UDP Parameters below. TCP: Select TCP to filter IPv6 TCP frames. Extra fields for defining TCP parameters appear; they are explained under TCP/UDP Parameters below.
Next Header Value
When "Specific" is selected for the IPv6 next header value, you can enter a specific value. The allowed range is 0 to 255. A frame that hits this ACE matches this IPv6 protocol value.
SIP Filter
Specify the source IPv6 filter for this ACE.
Any: No source IPv6 filter is specified. (Source IPv6 filter is "don't-care".) Specific: Specify the source IPv6 address and source IPv6 bitmask in the SIP Address and SIP BitMask fields that appear.
SIP Address
When "Specific" is selected for the source IPv6 filter, you can enter a specific SIPv6 address. Only the last 32 bits of the address are compared.
SIP BitMask
When "Specific" is selected for the source IPv6 filter, you can enter a specific SIPv6 bitmask. Only the last 32 bits of the address are compared. A "0" bit in the bitmask means that bit is "don't-care". The pattern actually matched is [sipv6_address & sipv6_bitmask] over the last 32 bits. For example, if the SIPv6 address is 2001::3 and the SIPv6 bitmask is 0xFFFFFFFE (bit 0 is the "don't-care" bit), then both 2001::2 and 2001::3 match this rule.
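The address filters above (IPv4 Host and Network under SIP/DIP Filter, and the IPv6 32-bit bitmask here) can be modeled in a few lines. The following is an added example in Python, not WoMaster code: it implements the IPv4 Host comparison, the IPv4 Network comparison under a dotted-decimal mask, and the IPv6 comparison on the last 32 bits under a bitmask, and applies the manual's 2001::3 / 0xFFFFFFFE case to a constructed list of candidate addresses. The function names and the sample addresses are assumptions.

```python
import ipaddress

# Added example, not WoMaster code. Models the SIP/DIP filter semantics
# described in the manual: IPv4 "Host" compares the full address, IPv4
# "Network" compares (addr & mask), and the IPv6 filter compares only the
# low 32 bits of the address under a 32-bit bitmask (a "0" bit is don't-care).


def ipv4_host_match(ace_addr: str, pkt_addr: str) -> bool:
    """IPv4 'Host' filter: exact address match."""
    return ipaddress.IPv4Address(ace_addr) == ipaddress.IPv4Address(pkt_addr)


def ipv4_network_match(ace_addr: str, ace_mask: str, pkt_addr: str) -> bool:
    """IPv4 'Network' filter: packet address ANDed with the dotted-decimal mask."""
    a = int(ipaddress.IPv4Address(ace_addr))
    m = int(ipaddress.IPv4Address(ace_mask))
    p = int(ipaddress.IPv4Address(pkt_addr))
    return (p & m) == (a & m)


def ipv6_low32_match(ace_addr: str, bitmask: int, pkt_addr: str) -> bool:
    """IPv6 filter as documented: only the last 32 bits of the address are
    compared, masked by a 32-bit bitmask where a 0 bit is don't-care."""
    if not 0 <= bitmask <= 0xFFFFFFFF:
        raise ValueError("bitmask must fit in 32 bits")
    a = int(ipaddress.IPv6Address(ace_addr)) & 0xFFFFFFFF
    p = int(ipaddress.IPv6Address(pkt_addr)) & 0xFFFFFFFF
    return (p & bitmask) == (a & bitmask)


def addresses_hit_by_ipv6_ace(ace_addr: str, bitmask: int, candidates) -> list:
    """Return the candidate addresses that would hit an IPv6 ACE."""
    return [c for c in candidates if ipv6_low32_match(ace_addr, bitmask, c)]


if __name__ == "__main__":
    # Constructed sample: the manual's own example plus an address in a
    # different prefix that shares the same low 32 bits.
    hits = addresses_hit_by_ipv6_ace(
        "2001::3", 0xFFFFFFFE,
        ["2001::2", "2001::3", "2001::4", "2001:db8:ffff::2"])
    print(hits)
```

The last candidate, 2001:db8:ffff::2, shows the practical consequence of a 32-bit comparison: any IPv6 address whose low 32 bits satisfy the bitmask hits the ACE, whatever its prefix. When you build an IPv6 ACE to permit or deny a particular host, check which other addresses in your network share those low 32 bits.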
Hop Limit
Specify the hop limit settings for this ACE.
zero: IPv6 frames with a hop limit field greater than zero must not be able to match this entry. non-zero: IPv6 frames with a hop limit field greater than zero must be able to match this entry. Any: Any value is allowed ("don't-care").
ICMP Parameters
ICMP Type Filter
Specify the ICMP filter for this ACE.
Any: No ICMP type filter is specified (ICMP type filter status is "don't-care"). Specific: Choose this value to filter a specific ICMP type with this ACE. A field for entering the ICMP type value appears.
ICMP Type Value
When "Specific" is selected for the ICMP filter, you can enter a specific ICMP value. The allowed range is 0 to 255. A frame that hits this ACE matches this ICMP value.
ICMP Code Filter
Specify the ICMP code filter for this ACE.
Any: No ICMP code filter is specified (ICMP code filter status is "don't-care"). Specific: Choose this value to filter a specific ICMP code with this ACE. A field for entering the ICMP code value appears.
ICMP Code Value
When "Specific" is selected for the ICMP code filter, you can enter a specific ICMP code value. The allowed range is 0 to 255. A frame that hits this ACE matches this ICMP code value.
TCP/UDP Parameters
TCP/UDP Source Filter
Specify the TCP/UDP source filter for this ACE.
Any: No TCP/UDP source filter is specified (TCP/UDP source filter status is "don't-care"). Specific: Choose this value to filter a specific TCP/UDP source port with this ACE. A field for entering the source port value appears. Range: Choose this value to filter a range of TCP/UDP source ports with this ACE. Fields for entering the start and end of the source port range appear.
TCP/UDP Source No.
When "Specific" is selected for the TCP/UDP source filter, you can enter a specific TCP/UDP source value. The allowed range is 0 to 65535. A frame that hits this ACE matches this TCP/UDP source value.
TCP/UDP Source Range
When "Range" is selected for the TCP/UDP source filter, you can enter a specific TCP/UDP source port range. The allowed range is 0 to 65535. A frame that hits this ACE has a source port within this range.
TCP/UDP Destination Filter
Specify the TCP/UDP destination filter for this ACE.
Any: No TCP/UDP destination filter is specified (TCP/UDP destination filter status is "don't-care"). Specific: Choose this value to filter a specific TCP/UDP destination port with this ACE. A field for entering the destination port value appears. Range: Choose this value to filter a range of TCP/UDP destination ports with this ACE. Fields for entering the start and end of the destination port range appear.
TCP/UDP Destination Number
When "Specific" is selected for the TCP/UDP destination filter, you can enter a specific TCP/UDP destination value. The allowed range is 0 to 65535. A frame that hits this ACE matches this TCP/UDP destination value.
TCP/UDP Destination Range
When "Range" is selected for the TCP/UDP destination filter, you can enter a specific TCP/UDP destination port range. The allowed range is 0 to 65535. A frame that hits this ACE has a destination port within this range.
TCP FIN
Specify the TCP "No more data from sender" (FIN) value for this ACE.
0: TCP frames where the FIN field is set must not be able to match this entry. 1: TCP frames where the FIN field is set must be able to match this entry. Any: Any value is allowed ("don't-care").
TCP SYN
Specify the TCP "Synchronize sequence numbers" (SYN) value for this ACE.
0: TCP frames where the SYN field is set must not be able to match this entry. 1: TCP frames where the SYN field is set must be able to match this entry. Any: Any value is allowed ("don't-care").
TCP RST
Specify the TCP "Reset the connection" (RST) value for this ACE.
0: TCP frames where the RST field is set must not be able to match this entry. 1: TCP frames where the RST field is set must be able to match this entry. Any: Any value is allowed ("don't-care").
TCP PSH
Specify the TCP "Push Function" (PSH) value for this ACE.
0: TCP frames where the PSH field is set must not be able to match this entry. 1: TCP frames where the PSH field is set must be able to match this entry. Any: Any value is allowed ("don't-care").
TCP ACK
Specify the TCP "Acknowledgment field significant" (ACK) value for this ACE.
0: TCP frames where the ACK field is set must not be able to match this entry. 1: TCP frames where the ACK field is set must be able to match this entry. Any: Any value is allowed ("don't-care").
TCP URG
Specify the TCP "Urgent Pointer field significant" (URG) value for this ACE.
0: TCP frames where the URG field is set must not be able to match this entry. 1: TCP frames where the URG field is set must be able to match this entry. Any: Any value is allowed ("don't-care").
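The port filters (TCP/UDP Source and Destination Filter) and the six flag filters above combine into one match decision per segment. The following is an added example in Python, not WoMaster code: it encodes the Any/Specific/Range port filters and the 0/1/Any flag filters, then evaluates a constructed ACE that matches new connection attempts (SYN set, ACK clear) towards ports 1-1023 against a constructed set of TCP segments. The L4Ace and TcpSegment types, the single-letter flag shorthand and the sample segments are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Added example, not WoMaster code. Models the TCP/UDP port filters
# (Any / Specific / Range) and the tri-state TCP flag filters (0 / 1 / Any)
# described in the manual, and evaluates constructed segments against an ACE.

PortFilter = Union[None, int, Tuple[int, int]]  # None = Any, int = Specific, (lo, hi) = Range
FlagFilter = Optional[int]                      # None = Any, 0 = flag must be clear, 1 = flag must be set


def port_matches(filt: PortFilter, port: int) -> bool:
    """Any/Specific/Range port filter, with the documented 0-65535 bounds."""
    if filt is None:
        return True
    if isinstance(filt, tuple):
        lo, hi = filt
        if not (0 <= lo <= hi <= 65535):
            raise ValueError("range must lie within 0-65535 with lo <= hi")
        return lo <= port <= hi
    if not 0 <= filt <= 65535:
        raise ValueError("port must lie within 0-65535")
    return port == filt


def flag_matches(filt: FlagFilter, flag_set: bool) -> bool:
    """0: frames with the flag set must not match; 1: only frames with it set match."""
    if filt is None:
        return True
    return flag_set == bool(filt)


@dataclass(frozen=True)
class L4Ace:
    sport: PortFilter = None
    dport: PortFilter = None
    fin: FlagFilter = None
    syn: FlagFilter = None
    rst: FlagFilter = None
    psh: FlagFilter = None
    ack: FlagFilter = None
    urg: FlagFilter = None


@dataclass(frozen=True)
class TcpSegment:
    sport: int
    dport: int
    flags: str  # constructed shorthand such as "S", "SA", "FA"; not a wire format

    def has(self, letter: str) -> bool:
        return letter in self.flags


FLAG_FIELDS = (("fin", "F"), ("syn", "S"), ("rst", "R"),
               ("psh", "P"), ("ack", "A"), ("urg", "U"))


def ace_hits(ace: L4Ace, seg: TcpSegment) -> bool:
    """True when both port filters and all six flag filters accept the segment."""
    if not (port_matches(ace.sport, seg.sport) and port_matches(ace.dport, seg.dport)):
        return False
    return all(flag_matches(getattr(ace, name), seg.has(letter))
               for name, letter in FLAG_FIELDS)


def count_hits(ace: L4Ace, segments) -> int:
    return sum(ace_hits(ace, s) for s in segments)


# Constructed ACE: new connection attempts (SYN=1, ACK=0) to the well-known
# port range, from any source port.
NEW_CONN_TO_LOW_PORTS = L4Ace(dport=(1, 1023), syn=1, ack=0)

# Constructed sample traffic.
SAMPLE_SEGMENTS = [
    TcpSegment(51000, 22, "S"),    # new SSH connection attempt: hit
    TcpSegment(22, 51000, "SA"),   # SYN/ACK reply: no hit (ACK set, dport 51000)
    TcpSegment(51001, 80, "S"),    # new HTTP connection attempt: hit
    TcpSegment(51002, 8080, "S"),  # outside the port range: no hit
    TcpSegment(51000, 22, "A"),    # established data: no hit (SYN clear)
]

if __name__ == "__main__":
    for s in SAMPLE_SEGMENTS:
        print(s, ace_hits(NEW_CONN_TO_LOW_PORTS, s))
```

The 0 setting is the one that is easy to misread: it does not mean "ignore", it means the frame must have the flag clear, so syn=1 together with ack=0 isolates the first packet of a handshake from the reply and from established traffic.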
Ethernet Type Parameters
The Ethernet Type parameters can be configured when Frame Type "Ethernet Type" is selected.
EtherType Filter
Specify the Ethernet type filter for this ACE.
Any: No EtherType filter is specified (EtherType filter status is "don't-care"). Specific: Choose this value to filter a specific EtherType with this ACE. A field for entering the EtherType value appears.
Ethernet Type Value
When "Specific" is selected for the EtherType filter, you can enter a specific EtherType value. The allowed range is 0x600 to 0xFFFF, excluding 0x800 (IPv4), 0x806 (ARP) and 0x86DD (IPv6), which are covered by the IPv4, ARP and IPv6 frame types. A frame that hits this ACE matches this EtherType value.
Buttons
Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values. Cancel: Return to the previous page.
AAA
This page allows you to configure up to 5 RADIUS servers.
Global Configuration
These settings are common to all of the RADIUS servers.
Timeout
Timeout is the number of seconds, in the range 1 to 1000, to wait for a reply from a RADIUS server before retransmitting the request.
Retransmit
Retransmit is the number of times, in the range 1 to 1000, a RADIUS request is retransmitted to a server that is not responding. If the server has not responded after the last retransmit it is considered to be dead.
Deadtime
Deadtime, which can be set to a number between 0 and 1440 minutes, is the period during which the switch will not send new requests to a server that has failed to respond to a previous request. This stops the switch from continually trying to contact a server that it has already determined to be dead. Setting the Deadtime to a value greater than 0 (zero) enables this feature, but only if more than one server has been configured.
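The three global timers interact to determine how long a login can block while a RADIUS server is down. The following is an added example in Python, not WoMaster code: a model of the behaviour described above, reading Retransmit as the number of retransmissions after the initial request (so one unresponsive server costs Timeout x (1 + Retransmit) seconds) and Deadtime as the number of minutes during which a dead server is skipped when more than one server is configured. The RadiusClientModel class, the server names and the pseudo-clock are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not WoMaster code. Models the global RADIUS Timeout,
# Retransmit and Deadtime behaviour described in the manual; the timing is
# a pseudo-clock in seconds, not real network I/O.


@dataclass
class RadiusServer:
    name: str
    alive: bool = True                  # constructed: whether this server ever answers
    dead_until: Optional[float] = None  # pseudo-clock time until which it is skipped


@dataclass
class RadiusClientModel:
    servers: List[RadiusServer]
    timeout: int = 5      # seconds per attempt, documented range 1-1000
    retransmit: int = 3   # retransmissions per server, documented range 1-1000
    deadtime: int = 0     # minutes, documented range 0-1440
    now: float = 0.0      # pseudo-clock in seconds

    def __post_init__(self) -> None:
        if not (1 <= self.timeout <= 1000 and 1 <= self.retransmit <= 1000
                and 0 <= self.deadtime <= 1440 and 1 <= len(self.servers) <= 5):
            raise ValueError("value outside the documented ranges")

    def per_server_wait(self) -> int:
        """Worst-case seconds spent on one unresponsive server:
        the initial request plus Retransmit retransmissions."""
        return self.timeout * (1 + self.retransmit)

    def worst_case_wait(self) -> int:
        """Seconds a request blocks if every configured server is unreachable
        and none of them is currently marked dead."""
        return len(self.servers) * self.per_server_wait()

    def _skipped(self, s: RadiusServer) -> bool:
        # Deadtime only takes effect when > 0 and more than one server exists.
        return (self.deadtime > 0 and len(self.servers) > 1
                and s.dead_until is not None and self.now < s.dead_until)

    def authenticate(self) -> Tuple[Optional[str], int]:
        """Try the servers in order; return (answering server or None, seconds spent)."""
        spent = 0
        for s in self.servers:
            if self._skipped(s):
                continue
            if s.alive:
                return s.name, spent
            # Unresponsive: burn the full retry budget, then mark it dead.
            spent += self.per_server_wait()
            self.now += self.per_server_wait()
            s.dead_until = self.now + self.deadtime * 60
        return None, spent


if __name__ == "__main__":
    # Constructed scenario: primary server down, backup healthy.
    for deadtime in (0, 10):
        model = RadiusClientModel(
            [RadiusServer("primary", alive=False), RadiusServer("backup")],
            timeout=5, retransmit=3, deadtime=deadtime)
        first = model.authenticate()
        second = model.authenticate()
        print(f"deadtime={deadtime:>2} min: first login {first}, second login {second}")
```

With Deadtime left at 0 every login pays the full 20 seconds on the dead primary; with Deadtime set, only the first login after the failure does. The worst case is all servers unreachable, which blocks for the full Timeout x (1 + Retransmit) per server, so keep the product small enough that operators can still log in during a RADIUS outage.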
Change Secret Key
Specify whether to change the secret key. When "Yes" is selected, you can change the secret key (up to 63 characters long) shared between the RADIUS server and the switch.
NAS-IP-Address (Attribute 4)
The IPv4 address to be used as attribute 4 in RADIUS Access-Request packets. If this field is left blank, the IP address of the outgoing interface is used.
NAS-Identifier (Attribute 32)
The identifier - up to 253 characters long - to be used as attribute 32 in RADIUS Access-Request packets. If this field is left blank, the NAS-Identifier is not included in the packet.
Server Configuration
The table has one row for each RADIUS server and a number of columns, which are:
Delete
To delete a RADIUS server entry, check this box. The entry will be deleted during the next Save.
Hostname
The IPv4/IPv6 address of the RADIUS server.
Auth Port
The UDP port to use on the RADIUS server for authentication. Set to 0 to disable authentication.
Acct Port
The UDP port to use on the RADIUS server for accounting. Set to 0 to disable accounting.
Timeout
This optional setting overrides the global timeout value. Leaving it blank will use the global timeout value.
Retransmit
This optional setting overrides the global retransmit value. Leaving it blank will use the global retransmit value.
Change Secret Key
Specify whether to change the secret key. When the checkbox is checked, you can enter a per-server secret key that overrides the global key. Leaving it blank will use the global key.
Adding a New Server
Click to add a new RADIUS server. An empty row is added to the table, and the RADIUS server can be configured as needed. Up to 5 servers are supported. Use Delete to undo the addition of the new server.
Buttons
Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.

3.1.6 AGGREGATION

This document provides examples on how to configure Link Aggregation Control Protocol (LACP)/AGGR using the Command Line Interface (CLI). The commands apply to an enhanced version of the LACP. The examples used in this document pertain to WoMaster switches.
LACP ENHANCEMENT FEATURES
The following sections describe various LACP enhancement features.
Aggregation Groups
To create an aggregation, a group type must be chosen on the interfaces that are participating in the group. This can be LACP active, LACP passive, or a statically created aggregation ("On"). No loop occurs even when the parallel links are up but have not yet formed an aggregation. Spanning tree is not needed for this, but can be enabled to avoid loops between groups. LACP active initiates the LACP frames to the partner. LACP passive does not initiate LACP frames to the partner, but answers if requested. "On" is a statically created aggregation without LACP.
# show aggregation
Aggr ID  Name   Type         Speed      Configured  Aggregated
-------  -----  -----------  ---------  ----------  ----------
1        LLAG1  LACP_ACTIVE  Undefined  Gi 1/1-2    none

Shows the internal configuration and status.
Bundle Max
If a suitable link partner exists, each LACP group automatically forms an aggregation for all of its members. The number of members can be restricted by setting the max bundle value to a number less than the number of group members. When the number of members that have formed the aggregation reaches the specified value, the remaining ports are set to standby and do not forward any frames. If an active member goes down, a standby member takes over. Port priority determines which members go active and which go standby.
Revertive/Non-Revertive
The LACP group can be configured to be revertive (default) or non-revertive. When a higher-priority port in an active/standby configuration comes back up, it becomes active again and the currently active port (if it has lower priority) becomes standby, unless the group is configured to be non-revertive. In non-revertive mode, nothing changes when a port comes back up and the traffic is not disturbed.
Note: Each time a link changes, the traffic is halted until the new aggregation (key) is fully set up.
1:1 Active (Standby) LACP
To achieve a 1:1 active/standby configuration, create a group with two ports and set max bundle to one. The port with the higher priority actively forwards traffic while the other remains in standby mode. The standby port does not forward any frames other than BPDUs, and its LACP state is "not in sync". If the active port goes down, the standby port takes over. When the failed port becomes operational again, it takes over the frame forwarding (unless the group is configured non-revertive).
LACP State Information
The states of the LACP protocol (partner and actor) are visible through show lacp neighbor detail and show lacp internal detail commands.
CLI
The CLI syntax (for configuration and status) follows the Cisco IOS port-channel style. Port-channel is called aggregation in WoMaster terms.
ICLI Commands
The following sections describe the implementation of the previously discussed LACP features through ICLI commands.
Creating an Aggregation Group
The following snippet shows how to create an active LACP group with ports Gig 1/1-2 as members.

# conf t
(config)# interface GigabitEthernet 1/1-2
(config-if)# aggregation group 1 mode ?
  active   Active LACP
  on       Static aggregation
  passive  Passive LACP
  <cr>
(config-if)# aggregation group 1 mode active

Active can be replaced with passive or on.
Showing the Status of an Aggregation Group
The following snippet shows the status of the active LACP group created in the previous section.
# show lacp internal
Port    State  Key  Priority
------  -----  ---  --------
Gi 1/1  Down   1    32768
Gi 1/2  Down   1    32768

Where, Port is the local port. State indicates whether a partner is seen and an aggregation has been created. Key is a term from the IEEE 802.1AX (formerly 802.3ad) LACP standard; here it equals the group id. Priority is used for active/standby selection.
Showing the Detailed Status of an Aggregation Group
The following snippets show the detailed status of the aggregation group, first as seen by the actor (the local unit) and then as seen by the link partner.

# show lacp internal details
Port      : The local port
State     : The active/inactive state of this port
Key       : The key of this port, same as group id
Priority  : The LACP priority of this port
[Activ Timeou Aggrege Synchro Collect Distrib Defau Expired] : Booleans. The LACP protocol state seen from the actor (the local unit).

# show lacp neighbor details
Port              : The local port
State             : The active/inactive state of this port
Aggr ID           : The group id of this aggregation
Partner Key       : The aggr key of the partner
Partner Port      : The port of the partner
Partner Port Prio : The partner port priority
[Activ Timeou Aggrege Synchro Collect Distrib Defau Expired] : Booleans. The LACP protocol state seen from the link partner.
Statistics
The following snippet shows the statistics of the aggregation group.

# show lacp statistics
Port    Rx Frames  Tx Frames  Rx Unknown  Rx Illegal
------  ---------  ---------  ----------  ----------
Gi 1/1  2572       14067      0           0
Gi 1/2  2572       14068      0           0
System ID
The following snippet shows the system ID. The system ID is the combination of the priority and the MAC address.
(config)# lacp system-priority ?
  <1-65535>  Priority value, lower means higher priority
# show lacp system-id
System ID: 32768 - 00:01:c1:00:f6:90
Port LACP Commands
The following snippet shows how to configure LACP for each port.
# conf t
(config)# interface GigabitEthernet 1/1-2
(config-if)# lacp ?
  port-priority
  timeout
  <cr>

Where, port-priority is the LACP priority for the port and timeout selects the fast or slow protocol timeout.
Group LACP Commands
The following snippet shows how to perform an additional configuration of LACP based groups.
# conf t
(config)# interface llag 1
(config-llag)# lacp ?
  failover
  max-bundle

failover selects revertive (default) or non-revertive mode. max-bundle sets the maximum size of the aggregation (1 to the number of ports in the group); by default all ports in the group can aggregate.
Forwarding Mode of the Aggregation
The forwarding distribution of the traffic can be affected by changing the aggregation mode. This is a global parameter and affects all aggregations. These mode parameters can be combined. Note: Any change in the aggregation mode stops all forwarding until the key is fully setup.
(config)# aggregation mode ?
  dmac  Destination MAC affects the distribution
  ip    IP address affects the distribution
  port  IP port affects the distribution
  smac  Source MAC affects the distribution

Syntax: aggregation mode { [ smac ] [ dmac ] [ ip ] [ port ] }

(config)# aggregation mode smac dmac
(config)# end
#
Delete an Aggregation Group
The following snippet shows how to delete an aggregation group.

# conf t
(config)# no interface llag 1
(config)#

3.1.7 LOOP PROTECTION

The WoMaster switch firmware supports a loop elimination function that can be configured per port or system-wide. It prevents communication loops caused by RSTP and Ring when the ring topology changes. The following figure shows the Loop Protection page.
This page allows the user to inspect the current Loop Protection configurations, and possibly change them as well.
General Settings
Enable Loop Protection
Controls whether loop protections is enabled (as a whole).
Transmission Time
The interval between each loop protection PDU sent on each port. Valid values are 1 to 10 seconds. Default value is 5 seconds.
Shutdown Time
The period (in seconds) for which a port is kept disabled when a loop is detected (and the port action shuts down the port). Valid values are 0 to 604800 seconds (7 days). A value of zero keeps the port disabled until the next device restart. Default value is 180 seconds.
Port Configuration
Port
The switch port number of the port.
Enable
Controls whether loop protection is enabled on this switch port.
Action
Configures the action performed when a loop is detected on a port. Valid values are Shutdown Port, Shutdown Port and Log or Log Only.
Tx Mode
Controls whether the port actively generates loop protection PDUs, or only passively looks for looped PDUs.
Buttons
Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.

3.1.8 SPANNING TREE

This page allows you to configure STP system settings. The settings are used by all STP Bridge instances in the Switch.
Basic Settings
Protocol Version
The RSTP / STP protocol version setting. Valid values are RSTP and STP.
Bridge Priority
Controls the bridge priority. Lower numeric values have better priority. The bridge priority plus the MSTI instance number, concatenated with the 6-byte MAC address of the switch forms a Bridge Identifier.
Hello Time
The interval between sending STP BPDU's. Valid values are in the range 1 to 10 seconds, default is 2 seconds.
Note: Changing this parameter from the default value is not recommended, and may have adverse effects on your network.
Forward Delay
The delay used by STP Bridges to transit Root and Designated Ports to Forwarding (used in STP compatible mode). Valid values are in the range 4 to 30 seconds.
Max Age
The maximum age of the information transmitted by the Bridge when it is the Root Bridge. Valid values are in the range 6 to 40 seconds, and MaxAge must be <= (FwdDelay-1)*2.
Maximum Hop Count
This defines the initial value of remaining Hops for MSTI information generated at the boundary of an MSTI region. It defines how many bridges a root bridge can distribute its BPDU information to. Valid values are in the range 6 to 40 hops.
Transmit Hold Count
The number of BPDU's a bridge port can send per second. When exceeded, transmission of the next BPDU will be delayed. Valid values are in the range 1 to 10 BPDU's per second.
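The following is an added example in Python, not WoMaster code: it checks the Basic Settings ranges above, including the Max Age relation to Forward Delay, and composes a Bridge Identifier as described under Bridge Priority. It assumes the IEEE 802.1D-2004 / 802.1Q layout for the identifier (a 4-bit priority, that is, a multiple of 4096, a 12-bit instance field and the 6-byte bridge MAC); the MAC address is borrowed from the LACP system ID example earlier in this chapter and the second MAC is constructed.

```python
# Added example, not WoMaster code. Validates the STP Basic Settings ranges
# given in the manual and composes a Bridge Identifier from priority, MSTI
# instance number and bridge MAC (802.1D-2004 / 802.1Q layout, assumed).


def check_stp_timers(hello: int, fwd_delay: int, max_age: int, tx_hold: int) -> list:
    """Return the list of violated constraints; an empty list means valid."""
    problems = []
    if not 1 <= hello <= 10:
        problems.append("Hello Time must be 1-10 s")
    if not 4 <= fwd_delay <= 30:
        problems.append("Forward Delay must be 4-30 s")
    if not 6 <= max_age <= 40:
        problems.append("Max Age must be 6-40 s")
    if max_age > (fwd_delay - 1) * 2:
        problems.append("Max Age must be <= (Forward Delay - 1) * 2")
    if not 1 <= tx_hold <= 10:
        problems.append("Transmit Hold Count must be 1-10")
    return problems


def bridge_identifier(priority: int, msti: int, mac: str) -> int:
    """Compose the 8-byte Bridge Identifier as a 64-bit integer:
    16 bits of (priority | instance) followed by the 48-bit MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 0 <= msti <= 4095:
        raise ValueError("instance number must fit in 12 bits")
    mac_int = int(mac.replace(":", ""), 16)
    if mac_int > 0xFFFFFFFFFFFF:
        raise ValueError("MAC must be 6 bytes")
    return ((priority | msti) << 48) | mac_int


def better_bridge(id_a: int, id_b: int) -> int:
    """The numerically lower Bridge Identifier wins the root election."""
    return min(id_a, id_b)


if __name__ == "__main__":
    print(check_stp_timers(hello=2, fwd_delay=15, max_age=20, tx_hold=6))
    print(check_stp_timers(hello=2, fwd_delay=4, max_age=20, tx_hold=6))
    # MAC from the LACP system ID example on this page; the second one is constructed.
    intended_root = bridge_identifier(32768, 0, "00:01:c1:00:f6:90")
    rogue = bridge_identifier(4096, 0, "00:01:c1:00:f6:91")
    print(hex(intended_root), hex(rogue), hex(better_bridge(intended_root, rogue)))
```

Because the lowest identifier wins, any device that advertises a lower priority than your intended root (here 4096 against the default 32768) takes over the active topology. The Restricted Role (Root Guard) setting in the CIST port configuration is the control for ports on which that must not be allowed to happen.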
Advanced Settings
Edge Port BPDU Filtering
Controls whether a port explicitly configured as Edge will transmit and receive BPDUs.
Edge Port BPDU Guard
Controls whether a port explicitly configured as Edge will disable itself upon reception of a BPDU. The port enters the error-disabled state and is removed from the active topology.
Port Error Recovery
Control whether a port in the error-disabled state automatically will be enabled after a certain time. If recovery is not enabled, ports have to be disabled and re-enabled for normal STP operation. The condition is also cleared by a system reboot.
Port Error Recovery Timeout
The time to pass before a port in the error-disabled state can be enabled. Valid values are between 30 and 86400 seconds (24 hours).
Buttons
Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.
This page allows the user to inspect the current STP CIST port configurations, and possibly change them as well.
This page contains settings for physical and aggregated ports.
Port
The switch port number of the logical STP port.
STP Enabled
Controls whether STP is enabled on this switch port.
Path Cost
Controls the path cost incurred by the port. The Auto setting sets the path cost as appropriate for the physical link speed, using the 802.1D recommended values. Using the Specific setting, a user-defined value can be entered. The path cost is used when establishing the active topology of the network. Lower path cost ports are chosen as forwarding ports in favour of higher path cost ports. Valid values are in the range 1 to 200000000.
Priority
Controls the port priority. This can be used to control the priority of ports having identical path cost (see above). Lower priority is better.
operEdge (state flag)
Operational flag describing whether the port connects directly to edge devices (no bridges attached). Transition to the forwarding state is faster for edge ports (having operEdge true) than for other ports. The value of this flag is based on the AdminEdge and AutoEdge fields. This flag is displayed as Edge in Monitor -> Spanning Tree -> STP Detailed Bridge Status.
AdminEdge
Controls whether the operEdge flag should start as set or cleared. (The initial operEdge state when a port is initialized).
AutoEdge
Controls whether the bridge should enable automatic edge detection on the bridge port. This allows operEdge to be derived from whether BPDU's are received on the port or not.
Restricted Role
If enabled, the port is not selected as Root Port for the CIST, even if it has the best spanning tree priority vector. Such a port is selected as an Alternate Port after the Root Port has been selected. If set, it can cause a lack of spanning tree connectivity. A network administrator sets it to prevent bridges external to a core region of the network from influencing the spanning tree active topology, typically because those bridges are not under the administrator's full control. This feature is also known as Root Guard.
Restricted TCN
If enabled, the port does not propagate received topology change notifications and topology changes to other ports. If set, it can cause temporary loss of connectivity after changes in a spanning tree's active topology as a result of persistently incorrect learned station location information. A network administrator sets it to prevent bridges external to a core region of the network from causing address flushing in that region, typically because those bridges are not under the administrator's full control or because the physical link state of the attached LANs changes frequently.
BPDU Guard
If enabled, the port disables itself upon receiving valid BPDUs. Contrary to the similar bridge setting, the port Edge status does not affect this setting. A port entering the error-disabled state due to this setting is subject to the bridge Port Error Recovery setting as well.
Point-to-Point
Controls whether the port connects to a point-to-point LAN rather than to a shared medium. This can be automatically determined, or forced either true or false. Transition to the forwarding state is faster for point-to-point LANs than for shared media.
Buttons
Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.

3.1.9 IPMC

Basic Configuration
This page provides IGMP Snooping related configuration.
Snooping Enabled
Enable the Global IGMP Snooping.
Unregistered IPMCv4 Flooding Enabled
Enable unregistered IPMCv4 traffic flooding. The flooding control takes effect only when IGMP Snooping is enabled. When IGMP Snooping is disabled, unregistered IPMCv4 traffic flooding is always active in spite of this setting.
Router Port
Specify which ports act as router ports. A router port is a port on the Ethernet switch that leads towards the Layer 3 multicast device or IGMP querier. If an aggregation member port is selected as a router port, the whole aggregation will act as a router port.
Fast Leave
Enable the fast leave on the port. System will remove group record and stop forwarding data upon receiving the IGMPv2 leave message without sending last member query messages. It is recommended to enable this feature only when a single IGMPv2 host is connected to the specific port.
Buttons
Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.
VLAN Configuration
Navigating the IGMP Snooping VLAN Table
Each page shows up to 99 entries from the VLAN table, default being 20, selected through the "entries per page" input field. When first visited, the web page will show the first 20 entries from the beginning of the VLAN Table. The first displayed will be the one with the lowest VLAN ID found in the VLAN Table. The "VLAN" input fields allow the user to select the starting point in the VLAN Table. Clicking the Refresh button will update the displayed table starting from that or the next closest VLAN Table match. The >> will use the last entry of the currently displayed entry as a basis for the next lookup. When the end is reached the text "No more entries" is shown in the displayed table. Use the |<< button to start over.
IGMP Snooping VLAN Table Columns
To create an IGMP VLAN interface, first create the corresponding IP interface on the IP configuration page: System -> IP -> Add IP interface.
VLAN ID
The VLAN ID of the entry.
IGMP Snooping Enabled
Enable the per-VLAN IGMP Snooping. Up to 8 VLANs can be selected for IGMP Snooping.
Querier Election
Enable to join IGMP Querier election in the VLAN. Disable to act as an IGMP Non-Querier.
Querier Address
Define the IPv4 address as source address used in IP header for IGMP Querier election. When the Querier address is not set, system uses IPv4 management address of the IP interface associated with this VLAN. When the IPv4 management address is not set, system uses the first available IPv4 management address. Otherwise, system uses a pre-defined value. By default, this value will be 192.0.2.1.
Buttons
Refresh: Refreshes the displayed table starting from the "VLAN" input fields. |<<: Updates the table starting from the first entry in the VLAN Table, i.e. the entry with the lowest VLAN ID. >>: Updates the table, starting with the entry after the last entry currently displayed. Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.

3.1.10 LLDP

This page allows the user to inspect and configure the current LLDP interface settings.
LLDP Parameters
Tx Interval
The switch periodically transmits LLDP frames to its neighbors for having the network discovery information up-to-date. The interval between each LLDP frame is determined by the Tx Interval value. Valid values are restricted to 5 - 32768 seconds.
Tx Hold
Each LLDP frame contains information about how long the information in the LLDP frame shall be considered valid. The LLDP information valid period (the TTL advertised to neighbors) is set to Tx Hold multiplied by Tx Interval seconds. Valid values are restricted to 2 - 10 times.
Tx Delay
If some configuration is changed (e.g. the IP address), a new LLDP frame is transmitted, but the time between LLDP frames will always be at least Tx Delay seconds. Tx Delay cannot be larger than 1/4 of the Tx Interval value. Valid values are restricted to 1 - 8192 seconds.
Tx Reinit
When an interface is disabled, LLDP is disabled, or the switch is rebooted, an LLDP shutdown frame is transmitted to the neighboring units, signaling that the LLDP information is no longer valid. Tx Reinit controls the number of seconds between the shutdown frame and a new LLDP initialization. Valid values are restricted to 1 - 10 seconds.
LLDP Interface Configuration
Interface
The switch interface name of the logical LLDP interface.
Mode
Select LLDP mode.
Rx only: The switch will not send out LLDP information, but LLDP information from neighbor units is analyzed.
Tx only: The switch will drop LLDP information received from neighbors, but will send out LLDP information.
Disabled: The switch will not send out LLDP information, and will drop LLDP information received from neighbors.
Enabled: The switch will send out LLDP information, and will analyze LLDP information received from neighbors.
Port Descr
Optional TLV: When checked the "port description" is included in LLDP information transmitted.
Sys Name
Optional TLV: When checked the "system name" is included in LLDP information transmitted.
Sys Descr
Optional TLV: When checked the "system description" is included in LLDP information transmitted.
Sys Capa
Optional TLV: When checked the "system capability" is included in LLDP information transmitted.
Mgmt Addr
Optional TLV: When checked the "management address" is included in LLDP information transmitted.
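The following Python is an added example, not code from WoMaster or from the switch firmware. It does two things the timer and TLV descriptions above only state in words: it checks a set of the four LLDP timers against the documented ranges and the Tx Delay <= Tx Interval/4 rule, returning the TTL that would be advertised (Tx Hold x Tx Interval), and it encodes and decodes an LLDPDU so you can see exactly what each optional TLV checkbox hands to a neighbor, or to anyone sniffing the link. The TLV layout follows IEEE 802.1AB; the chassis MAC, interface name, system name, description and management address are constructed values for this example, and the 16-bit cap on the TTL field comes from the standard, not from this page.

```python
import struct
from ipaddress import IPv4Address

# IEEE 802.1AB TLV types; the last five are the optional TLVs behind the checkboxes above.
END, CHASSIS_ID, PORT_ID, TTL, PORT_DESCR, SYS_NAME, SYS_DESCR, SYS_CAPA, MGMT_ADDR = range(9)
OPTIONAL = {PORT_DESCR: "Port Descr", SYS_NAME: "Sys Name", SYS_DESCR: "Sys Descr",
            SYS_CAPA: "Sys Capa", MGMT_ADDR: "Mgmt Addr"}


def lldp_ttl(tx_interval, tx_hold, tx_delay, tx_reinit):
    """Check the four timers against the ranges above and return the TTL the switch
    would advertise (Tx Hold x Tx Interval, capped at the 16-bit TTL field)."""
    if not 5 <= tx_interval <= 32768:
        raise ValueError("Tx Interval must be 5..32768 s")
    if not 2 <= tx_hold <= 10:
        raise ValueError("Tx Hold must be 2..10")
    if not 1 <= tx_delay <= 8192 or tx_delay * 4 > tx_interval:
        raise ValueError("Tx Delay must be 1..8192 s and no more than Tx Interval/4")
    if not 1 <= tx_reinit <= 10:
        raise ValueError("Tx Reinit must be 1..10 s")
    return min(tx_interval * tx_hold, 0xFFFF)


def tlv(tlv_type, payload):
    """TLV header is 16 bits: 7-bit type, 9-bit length, followed by the payload."""
    return struct.pack("!H", (tlv_type << 9) | len(payload)) + payload


def build_lldpdu(chassis_mac, port_name, ttl, tx):
    """Assemble an LLDPDU. 'tx' maps the optional TLV names to True/False, mirroring
    the per-interface checkboxes. All string values are constructed for this example."""
    pdu = tlv(CHASSIS_ID, b"\x04" + chassis_mac)          # subtype 4: MAC address
    pdu += tlv(PORT_ID, b"\x05" + port_name.encode())     # subtype 5: interface name
    pdu += tlv(TTL, struct.pack("!H", ttl))
    if tx.get("Port Descr"):
        pdu += tlv(PORT_DESCR, b"uplink to plant core")
    if tx.get("Sys Name"):
        pdu += tlv(SYS_NAME, b"ds410f-cell3")
    if tx.get("Sys Descr"):
        pdu += tlv(SYS_DESCR, b"DS410F Industrial 10-port Full Gigabit L2 Managed Switch")
    if tx.get("Sys Capa"):
        pdu += tlv(SYS_CAPA, struct.pack("!HH", 0x0004, 0x0004))   # bridge: capable, enabled
    if tx.get("Mgmt Addr"):
        addr = b"\x01" + IPv4Address("192.0.2.10").packed           # subtype 1: IPv4
        pdu += tlv(MGMT_ADDR, bytes([len(addr)]) + addr
                   + b"\x02" + struct.pack("!I", 1) + b"\x00")      # ifIndex 1, no OID
    return pdu + tlv(END, b"")


def parse_lldpdu(pdu):
    """Walk the TLV chain the way a neighbour (or a sniffer on the link) would."""
    out, off = {}, 0
    while off + 2 <= len(pdu):
        (hdr,) = struct.unpack_from("!H", pdu, off)
        t, n = hdr >> 9, hdr & 0x1FF
        body = pdu[off + 2:off + 2 + n]
        off += 2 + n
        if t == END:
            break
        if t in (CHASSIS_ID, PORT_ID):
            out[t] = (body[0], bytes(body[1:]))
        elif t == TTL:
            out[t] = struct.unpack("!H", body)[0]
        elif t in (PORT_DESCR, SYS_NAME, SYS_DESCR):
            out[t] = body.decode()
        elif t == SYS_CAPA:
            out[t] = struct.unpack("!HH", body)
        elif t == MGMT_ADDR and body[0] == 5 and body[1] == 1:
            out[t] = str(IPv4Address(bytes(body[2:6])))
    return out


def exposed_fields(pdu):
    """Names of the optional TLVs this PDU gives away. Trim them to what the
    neighbour actually needs; on an untrusted edge port, Rx only or Disabled is safer."""
    return sorted(OPTIONAL[t] for t in parse_lldpdu(pdu) if t in OPTIONAL)
```

With every box checked, one frame reveals the device model, its hostname and its management IPv4 address to whatever is plugged into the port, which is exactly the inventory an attacker wants before touching the web interface; compare `exposed_fields` of the full PDU with one that only carries the port description.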
Buttons
Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.

3.1.11 MAC TABLE

The MAC Address Table is configured on this page. Set timeouts for entries in the dynamic MAC Table and configure the static MAC table here.
Aging Configuration
By default, dynamic entries are removed from the MAC table after 300 seconds. This removal is also called aging.
Age time
Configure the aging time by entering a value here in seconds. The allowed range is 10 to 1000000 seconds.
Disable automatic aging
Check this box to disable the automatic aging of dynamic entries.
MAC Table Learning
If the learning mode for a given port is greyed out, another module is in control of the mode, so that it cannot be changed by the user. An example of such a module is the MAC-Based Authentication under 802.1X. Each port can do learning based upon the following settings:
Auto
Learning is done automatically as soon as a frame with unknown SMAC is received.
Disable
No learning is done.
Secure
Only static MAC entries are learned, all other frames are dropped. Note: Make sure that the link used for managing the switch is added to the Static Mac Table before changing to secure learning mode, otherwise the management link is lost and can only be restored by using another non-secure port or by connecting to the switch via the serial interface.
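The following Python is an added example, not switch code; it models the three learning modes, the aging timer and the 64-entry static table described above, and it turns the warning about secure learning into a pre-flight check: switching a port to Secure is refused unless the management station's MAC is already a static entry with that port as a member. Port names, MAC addresses and VLAN IDs are constructed for the example; the switch itself performs no such check, which is why the warning exists.

```python
from dataclasses import dataclass, field

MAX_STATIC_ENTRIES = 64   # from the Static MAC Table Configuration section


@dataclass
class MacTable:
    aging_seconds: int = 300                       # page default; 0 models "Disable automatic aging"
    learning: dict = field(default_factory=dict)   # port -> "auto" | "disable" | "secure"
    static: dict = field(default_factory=dict)     # (vlan, mac) -> set of member ports
    dynamic: dict = field(default_factory=dict)    # (vlan, mac) -> (port, last_seen)

    def add_static(self, vlan, mac, ports):
        key = (vlan, mac.lower())
        if not 1 <= vlan <= 4095:
            raise ValueError("VLAN ID must be 1..4095")
        if key not in self.static and len(self.static) >= MAX_STATIC_ENTRIES:
            raise ValueError(f"static MAC table is full ({MAX_STATIC_ENTRIES} entries)")
        self.static[key] = set(ports)

    def ingress(self, port, vlan, smac, now):
        """Apply the port's learning mode to one frame's source MAC.
        Returns 'static', 'learned', 'not-learned' or 'dropped'."""
        key = (vlan, smac.lower())
        mode = self.learning.get(port, "auto")
        if key in self.static:
            return "static"
        if mode == "secure":
            return "dropped"                        # only static entries pass a secure port
        if mode == "disable":
            return "not-learned"                    # forwarded (flooded) but never learned
        self.dynamic[key] = (port, now)             # auto: learn the unknown SMAC
        return "learned"

    def age(self, now):
        """Remove dynamic entries not refreshed within aging_seconds; returns how many."""
        if self.aging_seconds == 0:
            return 0
        stale = [k for k, (_, seen) in self.dynamic.items() if now - seen >= self.aging_seconds]
        for k in stale:
            del self.dynamic[k]
        return len(stale)

    def set_learning(self, port, mode, mgmt_vlan=None, mgmt_mac=None):
        """Change a port's learning mode. For 'secure', pre-check the page's warning: the
        management station's MAC must already be a static entry with this port as a member,
        otherwise the management session running over this port is lost when the mode applies."""
        if mode not in ("auto", "disable", "secure"):
            raise ValueError(f"unknown learning mode {mode!r}")
        if mode == "secure" and mgmt_mac is not None:
            members = self.static.get((mgmt_vlan, mgmt_mac.lower()), set())
            if port not in members:
                raise RuntimeError(
                    f"port {port}: add {mgmt_mac} in VLAN {mgmt_vlan} to the static MAC table "
                    f"with port {port} as member before switching to secure learning")
        self.learning[port] = mode
```

Pass the VLAN and MAC of the workstation you are managing the switch from as `mgmt_vlan`/`mgmt_mac`; the check is what stands between a hardening change and a trip to the serial console.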
VLAN Learning Configuration
Learning-disabled VLANs
This field shows the Learning-disabled VLANs. When a new MAC address arrives in a learning-disabled VLAN, it is not learned. By default, the field is empty. VLANs are added using a list syntax in which the individual elements are separated by commas. Ranges are specified with a dash separating the lower and upper bound. The following example specifies VLANs 1, 10, 11, 12, 13, 200, and 300: 1,10-13,200,300. Spaces are allowed between the delimiters.
Static MAC Table Configuration
The static entries in the MAC table are shown in this table. The static MAC table can contain 64 entries. The MAC table is sorted first by VLAN ID and then by MAC address.
Delete
Check to delete the entry. It will be deleted during the next save.
VLAN ID
The VLAN ID of the entry.
MAC Address
The MAC address of the entry.
Port Members
Checkmarks indicate which ports are members of the entry. Check or uncheck as needed to modify the entry.
Adding a New Static Entry
Click to add a new entry to the static MAC table. Specify the VLAN ID, MAC address, and port members for the new entry. Click "Submit".
Buttons
Submit: Click to submit changes.
Reset: Click to undo any changes made locally and revert to previously saved values.

3.1.12 VLAN

Configuration
This page allows for controlling VLAN configuration on the switch. The page is divided into a global section and a per-port configuration section.
Global VLAN Configuration
Allowed Access VLANs
This field shows the allowed Access VLANs, i.e. it only affects ports configured as Access ports. Ports in other modes are members of the VLANs specified in the Allowed VLANs field. By default, only VLAN 1 is enabled. More VLANs may be created by using a list syntax where the individual elements are separated by commas. Ranges are specified with a dash separating the lower and upper bound. The following example will create VLANs 1, 10, 11, 12, 13, 200, and 300: 1,10-13,200,300. Spaces are allowed in between the delimiters.
Ethertype for Custom S-ports
This field specifies the ethertype/TPID (specified in hexadecimal) used for Custom S-ports. The setting is in force for all ports whose Port Type is set to S-Custom-Port.
Port VLAN Configuration
Port
This is the logical port number of this row.
Mode
The port mode (default is Access) determines the fundamental behavior of the port in question. A port can be in one of three modes as described below. Whenever a particular mode is selected, the remaining fields in that row will be either grayed out or made changeable depending on the mode in question. Grayed out fields show the value that the port will get when the mode is applied.
Access:
Access ports are normally used to connect to end stations. Dynamic features like Voice VLAN may add the port to more VLANs behind the scenes. Access ports have the following characteristics:
Member of exactly one VLAN, the Port VLAN (a.k.a. Access VLAN), which by default is 1
Accepts untagged and C-tagged frames
Discards all frames not classified to the Access VLAN
On egress all frames are transmitted untagged
Trunk:
Trunk ports can carry traffic on multiple VLANs simultaneously, and are normally used to connect to other switches. Trunk ports have the following characteristics:
By default, a trunk port is member of all VLANs (1-4095)
The VLANs that a trunk port is member of may be limited by the use of Allowed VLANs
Frames classified to a VLAN that the port is not a member of are discarded
By default, all frames but frames classified to the Port VLAN (a.k.a. Native VLAN) get tagged on egress.
Frames classified to the Port VLAN do not get C-tagged on egress
Egress tagging can be changed to tag all frames, in which case only tagged frames are accepted on ingress
Hybrid:
Hybrid ports resemble trunk ports in many ways, but adds additional port configuration features. In addition to the characteristics described for trunk ports, hybrid ports have these abilities:
Can be configured to be VLAN tag unaware, C-tag aware, S-tag aware, or S-custom-tag aware
Ingress filtering can be controlled
Ingress acceptance of frames and configuration of egress tagging can be configured independently
Port VLAN
Determines the port's VLAN ID (a.k.a. PVID). Allowed VLANs are in the range 1 through 4095, default being 1. On ingress, frames get classified to the Port VLAN if the port is configured as VLAN unaware, the frame is untagged, or VLAN awareness is enabled on the port, but the frame is priority tagged (VLAN ID = 0). On egress, frames classified to the Port VLAN do not get tagged if Egress Tagging configuration is set to untag Port VLAN. The Port VLAN is called an "Access VLAN" for ports in Access mode and Native VLAN for ports in Trunk or Hybrid mode.
Port Type
Ports in hybrid mode allow for changing the port type, that is, whether a frame's VLAN tag is used to classify the frame on ingress to a particular VLAN, and if so, which TPID it reacts on. Likewise, on egress, the Port Type determines the TPID of the tag, if a tag is required.
Unaware:
On ingress, all frames, whether carrying a VLAN tag or not, get classified to the Port VLAN, and possible tags are not removed on egress.
C-Port: On ingress, frames with a VLAN tag with TPID = 0x8100 get classified to the VLAN ID embedded in the tag. If a frame is untagged or priority tagged, the frame gets classified to the Port VLAN. If frames must be tagged on egress, they will be tagged with a C-tag.
S-Port: On egress, if frames must be tagged, they will be tagged with an S-tag. On ingress, frames with a VLAN tag with TPID = 0x88A8 get classified to the VLAN ID embedded in the tag. Priority-tagged frames are classified to the Port VLAN. If the port is configured to accept Tagged Only frames (see Ingress Acceptance below), frames without this TPID are dropped.
Notice: If the S-port is configured to accept Tagged and Untagged frames (see Ingress Acceptance below), frames with a C-tag are treated like frames with an S-tag.
If the S-port is configured to accept Untagged Only frames, S-tagged frames will be discarded (except for priority S-tagged frames). C-tagged frames are initially considered untagged and will therefore not be discarded. Later on in the ingress classification process, they will get classified to the VLAN embedded in the tag instead of the port VLAN ID.
S-Custom-Port: On egress, if frames must be tagged, they will be tagged with the custom S-tag. On ingress, frames with a VLAN tag with a TPID equal to the Ethertype configured for Custom-S ports get classified to the VLAN ID embedded in the tag. Priority-tagged frames are classified to the Port VLAN. If the port is configured to accept Tagged Only frames (see Ingress Acceptance below), frames without this TPID are dropped.
Notice: If the custom S-port is configured to accept Tagged and Untagged frames (see Ingress Acceptance below), frames with a C-tag are treated like frames with a custom S-tag.
If the Custom S-port is configured to accept Untagged Only frames, custom S-tagged frames will be discarded (except for priority custom S-tagged frames). C-tagged frames are initially considered untagged and will therefore not be discarded. Later on in the ingress classification process, they will get classified to the VLAN embedded in the tag instead of the port VLAN ID.
Ingress Filtering
Hybrid ports allow for changing ingress filtering. Access and Trunk ports always have ingress filtering enabled. If ingress filtering is enabled (checkbox is checked), frames classified to a VLAN that the port is not a member of get discarded. If ingress filtering is disabled, frames classified to a VLAN that the port is not a member of are accepted and forwarded to the switch engine. However, the port will never transmit frames classified to VLANs that it is not a member of.
Ingress Acceptance
Hybrid ports allow for changing the type of frames that are accepted on ingress.
Tagged and Untagged
Both tagged and untagged frames are accepted. See Port Type for a description of when a frame is considered tagged.
Tagged Only
Only frames tagged with the corresponding Port Type tag are accepted on ingress.
Untagged Only
Only untagged frames are accepted on ingress. See Port Type for a description of when a frame is considered untagged.
Egress Tagging
Ports in Trunk and Hybrid mode may control the tagging of frames on egress.
Untag Port VLAN
Frames classified to the Port VLAN are transmitted untagged. Other frames are transmitted with the relevant tag.
Tag All
All frames, whether classified to the Port VLAN or not, are transmitted with a tag.
Untag All
All frames, whether classified to the Port VLAN or not, are transmitted without a tag. This option is only available for ports in Hybrid mode.
Allowed VLANs
Ports in Trunk and Hybrid mode may control which VLANs they are allowed to become members of. Access ports can only be a member of one VLAN, the Access VLAN. The field's syntax is identical to the syntax used in the Allowed Access VLANs field. By default, a Trunk or Hybrid port will become a member of all VLANs, and is therefore set to 1-4095. The field may be left empty, which means that the port will not become a member of any VLANs.
Forbidden VLANs
A port may be configured to never become a member of one or more VLANs. This is particularly useful when dynamic VLAN protocols like MVRP and GVRP must be prevented from dynamically adding ports to VLANs. The trick is to mark such VLANs as forbidden on the port in question. The syntax is identical to the syntax used in the Allowed Access VLANs field. By default, the field is left blank, which means that the port may become a member of all possible VLANs.
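The Port Type, Ingress Acceptance, Ingress Filtering and Egress Tagging rules above interact in ways that are easy to misjudge when auditing a VLAN design, so here is an added Python model of the per-port ingress classification and egress tagging decision. It is not switch code, and it simplifies: it covers the cases the page states (C-tag/S-tag/custom TPID handling, priority tags, the Access and Trunk defaults, membership and filtering) and assumes 0x88A8 as the default custom S-port Ethertype. It is worth running for the S-port edge case the page describes, where a port set to Untagged Only still classifies a C-tagged frame to the VLAN in its tag, which is not what "untagged only" suggests.

```python
from dataclasses import dataclass

C_TAG, S_TAG = 0x8100, 0x88A8   # TPIDs of C-tags and S-tags


@dataclass
class PortVlan:
    mode: str = "access"              # access | trunk | hybrid
    pvid: int = 1                     # Port VLAN (Access VLAN / Native VLAN)
    port_type: str = "c-port"         # unaware | c-port | s-port | s-custom-port
    custom_tpid: int = 0x88A8         # "Ethertype for Custom S-ports" (assumed default)
    acceptance: str = "all"           # all | tagged | untagged (Ingress Acceptance)
    ingress_filter: bool = True
    allowed: frozenset = frozenset(range(1, 4096))
    forbidden: frozenset = frozenset()
    egress: str = "untag-pvid"        # untag-pvid | tag-all | untag-all

    def __post_init__(self):
        # Access and Trunk fix most of the knobs; only Hybrid exposes them all.
        if self.mode == "access":
            self.port_type, self.acceptance, self.ingress_filter = "c-port", "all", True
            self.allowed, self.egress = frozenset({self.pvid}), "untag-all"
        elif self.mode == "trunk":
            if self.egress == "untag-all":
                raise ValueError("Untag All is only available in Hybrid mode")
            self.port_type, self.ingress_filter = "c-port", True
            self.acceptance = "tagged" if self.egress == "tag-all" else "all"

    def is_member(self, vlan):
        return vlan in self.allowed and vlan not in self.forbidden

    def tag_tpid(self):
        return {"c-port": C_TAG, "s-port": S_TAG, "s-custom-port": self.custom_tpid}.get(self.port_type)


def classify(p, tpid=None, vid=None):
    """Ingress decision for one frame: ('forward', vlan) or ('drop', reason).
    tpid/vid are None for an untagged frame; vid 0 is a priority tag."""
    if p.port_type == "unaware":
        vlan = p.pvid                                  # tag ignored (and not stripped on egress)
    else:
        native = p.tag_tpid()
        tagged = tpid == native                        # "tagged" in the sense of this Port Type
        if tpid == C_TAG and p.port_type != "c-port":
            # S-type ports: a C-tag counts as tagged when accepting all, as untagged otherwise
            tagged = p.acceptance == "all"
        if p.acceptance == "tagged" and not tagged:
            return ("drop", "not tagged with this port's TPID")
        if p.acceptance == "untagged" and tagged and vid != 0:
            return ("drop", "tagged frame on Untagged Only port")
        if tpid in (C_TAG, native) and vid:           # a C-tag is still classified by its VID
            vlan = vid
        else:
            vlan = p.pvid                              # untagged or priority-tagged
    if not p.is_member(vlan) and p.ingress_filter:
        return ("drop", f"VLAN {vlan}: port is not a member")
    # With filtering off the frame enters the switch engine even though this port
    # is not a member; the port itself will never transmit frames of that VLAN.
    return ("forward", vlan)


def egress(p, vlan):
    """What the frame leaves with on this port: 'not transmitted', 'untagged', or the TPID."""
    if not p.is_member(vlan):
        return "not transmitted"
    if p.port_type == "unaware" or p.egress == "untag-all" or (p.egress == "untag-pvid" and vlan == p.pvid):
        return "untagged"
    return p.tag_tpid()
```

The practical use is to feed it the exported port table and the frames you are worried about (a C-tagged frame on an S-port facing a third party, a double-tagged frame on a trunk whose native VLAN is also used for access ports) and confirm the decision matches the segmentation you intended.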
Buttons
Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.
SVL (Shared VLAN Learning)
Shared VLAN Learning allows for frames initially classified to a particular VLAN (based on Port VLAN ID or VLAN tag information) be bridged on a shared VLAN. In SVL two or more VLANs are grouped to share common source address information in the MAC table. The common entry in the MAC table is identified by a Filter ID (FID). SVL is useful for configuration of more complex, asymmetrical cross-VLAN traffic patterns, like E-TREE (Rooted-Multipoint) and Multi-netted Server. The alternative VLAN learning mode is IVL. The default VLAN learning mode is IVL and not all switches support SVL. In Independent VLAN Learning, every VLAN uses its own logical source address table as opposed to SVL where two or more VLANs share the same part of the MAC address table.
This page allows for controlling SVL configuration on the switch. In SVL, one or more VLANs map to a Filter ID (FID). By default, there is a one-to-one mapping from VLAN to FID, in which case the switch acts as an IVL bridge, but with SVL multiple VLANs may share the same MAC address table entries.
Delete
A previously allocated FID can be deleted by the use of this button.
FID
The Filter ID (FID) is the ID that VLANs get learned on in the MAC table when SVL is in effect. No two rows in the table can have the same FID and the FID must be a number between 1 and 63.
VLANs
List of VLANs mapped into FID. The syntax is as follows: Individual VLANs are separated by commas. Ranges are specified with a dash separating the lower and upper bound. The following example will map VLANs 1, 10, 11, 12, 13, 200, and 300: 1,10-13,200,300. Spaces are allowed in between the delimiters. The range of valid VLANs is 1 to 4095. The same VLAN can only be a member of one FID. A message will be displayed if one VLAN is grouped into two or more FIDs. All VLANs must map to a particular FID, and by default VLAN x maps to FID x. This implies that if FID x is defined, then VLAN x is implicitly a member of FID x unless it is specified for another FID. If FID x doesn't exist, a confirmation message will be displayed, asking whether to continue adding VLAN x implicitly to FID x.
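The list syntax used by the Allowed Access VLANs, Learning-disabled VLANs, Allowed VLANs, Forbidden VLANs and SVL VLANs fields is the same, and the SVL table adds its own rules (FID 1..63, no FID twice, no VLAN in two FIDs, VLAN x implicitly in FID x). The Python below is an added example, not switch code: a parser and formatter for that syntax plus a builder for the complete VLAN-to-FID map, with a helper that answers the question that matters for segmentation, namely which VLANs share a MAC learning domain with a given VLAN once SVL is in effect. Treating an empty element such as "1,,2" as an error is an assumption; the page does not say how the switch handles it.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4095
FID_MIN, FID_MAX = 1, 63


def parse_vlan_list(text):
    """Parse the list syntax used by these fields ('1,10-13,200,300'; spaces allowed
    between delimiters) into a sorted list of VLAN IDs. An empty field means no VLANs."""
    if not text.strip():
        return []
    vlans = set()
    for item in text.split(","):
        m = re.fullmatch(r"\s*(\d+)\s*(?:-\s*(\d+)\s*)?", item)
        if not m:
            raise ValueError(f"bad list element {item.strip()!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError(f"range {item.strip()!r}: lower bound above upper bound")
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"{item.strip()!r} is outside {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(lo, hi + 1))
    return sorted(vlans)


def format_vlan_list(vlans):
    """Inverse of parse_vlan_list: collapse consecutive IDs back into ranges."""
    vlans, parts, i = sorted(set(vlans)), [], 0
    while i < len(vlans):
        j = i
        while j + 1 < len(vlans) and vlans[j + 1] == vlans[j] + 1:
            j += 1
        parts.append(str(vlans[i]) if i == j else f"{vlans[i]}-{vlans[j]}")
        i = j + 1
    return ",".join(parts)


def build_fid_map(rows):
    """rows: [(fid, 'vlan list'), ...] as entered in the SVL table. Returns {vlan: fid}
    for every VLAN, applying the page's rules: FID in 1..63, no FID twice, no VLAN in
    two FIDs, and VLAN x maps to FID x unless it is listed under another FID."""
    vlan_to_fid, seen_fids = {}, set()
    for fid, text in rows:
        if not FID_MIN <= fid <= FID_MAX:
            raise ValueError(f"FID {fid} is outside {FID_MIN}-{FID_MAX}")
        if fid in seen_fids:
            raise ValueError(f"FID {fid} appears in two rows")
        seen_fids.add(fid)
        for v in parse_vlan_list(text):
            if v in vlan_to_fid:
                raise ValueError(f"VLAN {v} is grouped into FID {vlan_to_fid[v]} and FID {fid}")
            vlan_to_fid[v] = fid
    for v in range(VLAN_MIN, VLAN_MAX + 1):
        vlan_to_fid.setdefault(v, v)          # the implicit one-to-one (IVL) mapping
    return vlan_to_fid


def shared_learning_domain(vlan_to_fid, vlan):
    """VLANs whose MAC learning is shared with 'vlan': a MAC learned from any of them is
    looked up for all of them, so they are no longer independent Layer 2 boundaries."""
    fid = vlan_to_fid[vlan]
    return {v for v, f in vlan_to_fid.items() if f == fid}
```

Note the implicit rule in the result: listing VLANs 20-22 under FID 2 silently pulls VLAN 2 into the same learning domain, because VLAN 2 maps to FID 2 unless it is listed elsewhere.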
Buttons
Add FID: Add a new row to the SVL table. The FID will be pre-filled with the first unused FID. Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.

3.1.13 PRIVATE VLANS

This switch also has private VLAN functions; they help to resolve primary VLAN ID shortage, client port isolation and network security issues. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains, allowing the user to isolate the ports on the switch from each other. A subdomain consists of a primary VLAN and one or more secondary VLANs. All VLANs in a private VLAN domain share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another. The secondary VLANs may either be isolated VLANs or community VLANs. A host on an isolated VLAN can only communicate with the associated promiscuous port in its primary VLAN. Hosts on community VLANs can communicate among themselves and with their associated promiscuous port but not with ports in other community VLANs.
Membership
The Private VLAN membership configurations for the switch can be monitored and modified here. Private VLANs can be added or deleted here. Port members of each Private VLAN can be added or removed here.
Private VLANs are based on the source port mask, and there are no connections to VLANs. This means that VLAN IDs and Private VLAN IDs can be identical.
A port must be a member of both a VLAN and a Private VLAN to be able to forward packets. By default, all ports are VLAN unaware and members of VLAN 1 and Private VLAN 1.
A VLAN unaware port can only be a member of one VLAN, but it can be a member of multiple Private VLANs.
Delete
To delete a private VLAN entry, check this box. The entry will be deleted during the next save.
Private VLAN ID
Indicates the ID of this particular private VLAN.
Port Members
A row of check boxes for each port is displayed for each private VLAN ID. To include a port in a Private VLAN, check the box. To remove or exclude the port from the Private VLAN, make sure the box is unchecked. By default, no ports are members, and all boxes are unchecked.
Adding a New Private VLAN
Click Add New Private VLAN to add a new private VLAN ID. An empty row is added to the table, and the private VLAN can be configured as needed. The allowed range for a private VLAN ID is the same as the switch port number range. Any values outside this range are not accepted, and a warning message appears. Click "OK" to discard the incorrect entry, or click "Cancel" to return to the editing and make a correction.
The Private VLAN is enabled when you click "Submit".
The Delete button can be used to undo the addition of new Private VLANs.
Buttons
Auto-refresh: Check this box to refresh the page automatically. Automatic refresh occurs every 3 seconds. Refresh: Click to refresh the page immediately. Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.
Port Isolation
This page is used for enabling or disabling port isolation on ports in a Private VLAN.
A port that is a member of a VLAN can be isolated from the other isolated ports in the same VLAN and Private VLAN.
Configuration
Port Members
A check box is provided for each port of a private VLAN. When checked, port isolation is enabled on that port. When unchecked, port isolation is disabled on that port. By default, port isolation is disabled on all ports.
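Because Private VLAN membership is a port mask with no link to VLAN IDs, the forwarding rule is the intersection of three things the two pages above describe: both ports must be in the frame's VLAN, they must share at least one Private VLAN, and they must not both be isolated. The following Python is an added model of that rule, not switch code, with a constructed five-port example (an uplink shared by two cells, one of which has its hosts isolated from each other) so the resulting reachability can be compared against the intended segmentation before the configuration is trusted.

```python
def can_forward(ports, vlan, src, dst):
    """Can a frame classified to 'vlan' that arrived on 'src' be transmitted on 'dst'?
    ports: {name: {"vlans": set, "pvlans": set, "isolated": bool}} as configured on the
    VLAN, Private VLAN Membership and Port Isolation pages."""
    a, b = ports[src], ports[dst]
    if src == dst or vlan not in a["vlans"] or vlan not in b["vlans"]:
        return False                       # must be members of the VLAN
    if not (a["pvlans"] & b["pvlans"]):
        return False                       # and share at least one Private VLAN
    return not (a["isolated"] and b["isolated"])   # two isolated ports never talk


def reachability(ports, vlan):
    """{port: set of ports it can reach} for one VLAN."""
    return {p: {q for q in ports if can_forward(ports, vlan, p, q)} for p in ports}


def port(vlans=(1,), pvlans=(1,), isolated=False):
    return {"vlans": set(vlans), "pvlans": set(pvlans), "isolated": isolated}


# Constructed example. All ports keep the page's defaults (VLAN unaware, VLAN 1);
# only Private VLAN membership and isolation differ.
#   Private VLAN 1: uplink port 1 + cell A hosts on ports 2 and 3 (isolated from each other)
#   Private VLAN 2: uplink port 1 + cell B hosts on ports 4 and 5
EXAMPLE = {
    "1": port(pvlans=(1, 2)),
    "2": port(pvlans=(1,), isolated=True),
    "3": port(pvlans=(1,), isolated=True),
    "4": port(pvlans=(2,)),
    "5": port(pvlans=(2,)),
}
```

Note that isolation is symmetric but not transitive: port 2 cannot reach port 3, yet both reach the uplink, which is the behaviour the page describes for isolated hosts and their promiscuous port.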
Buttons
Auto-refresh: Check this box to refresh the page automatically. Automatic refresh occurs every 3 seconds. Refresh: Click to refresh the page immediately. Submit: Click to submit changes. Reset: Click to undo any changes made locally and revert to previously saved values.

3.1.14 QoS

QoS is a mechanism for providing different priorities to different applications, users, or data flows, or to guarantee a certain level of performance for a data flow.
All incoming frames are classified into a Class of Service (CoS), which is used in the queue system when assigning resources, in the arbitration from ingress to egress queues, and in the egress scheduler when selecting the next frame for transmission.
There is a one-to-one mapping between the terms CoS, QoS class, queue, and priority. A CoS of zero has the lowest priority.
Bandwidth control in the queues can be done by using policers or shapers.
Apart from shapers and policers, different scheduling mechanisms can be configured based on how the different priority queues in the QoS system are handled.
Weighted Random Early Detection (WRED) can be configured globally to avoid congestion and drop the Yellow Frames (frames with DPL greater than zero) when the queues are filled.
The storm policers of the devices can be used at a global level to control the amount of flooded frames. It is also possible to configure per-port storm policers.
3.1.14.1 QOS CLASSIFICATION
QoS is classified as:
Basic QoS - This enables predefined schemes for handling CoS, Drop Precedence Level (DPL), Priority Code Points (PCP), Drop Eligible Indicator (DEI), Class of Service ID (CoSID), and Differentiated Service Code Points (DSCP):
CoS and DPL classification based on PCP and DEI for tagged frames. The mapping table from PCP and DEI to CoS and DPL is programmable per port.
CoS and DPL classification based on DSCP values.
DSCP translation.
DSCP remarking based on CoS.
Per-port CoS and DPL configuration for untagged and non-IP Frames.
Per-port CoSID configuration. CoSID is a value that can be used as a selector in Egress Maps and Ethernet Services. It does not relate to CoS in any way.
General classification using an Ingress Map.
General remarking using an Egress Map.
Advanced QoS - This uses the QoS Control Lists (QCLs), which provides a flexible classification:
Higher layer protocol fields (Layer 2 through Layer 4) for rule matching.
Actions include reclassification of CoS, DPL, PCP, DEI, DSCP, and ACL policy values. It is also possible to reclassify by using an Ingress Map.
3.1.14.2 POLICERS
Policers limit the bandwidth of received frames exceeding the configurable rates. Policers can be configured at queue level or at a port level. There is also a provision to add policers at the EVC level, although this provision is not discussed in this document.
3.1.14.3 SHAPERS
Egress traffic shaping can be achieved using bandwidth shapers. Shapers can be configured at queue level or at a port level.
3.1.14.4 SCHEDULING ALGORITHM
Two types of scheduling are possible on the device at a port level:
Strict Priority: All queues follow strict priority scheduling.
Deficit Weighted Round Robin (DWRR): Scheduling is based on the weights configured for each queue. Configuration is present to select the number of queues which can be under DWRR. It is possible to include from two to all eight queues in DWRR mode.
When the number of queues selected for DWRR is less than eight then the lowest priority queues are put in DWRR and higher priority queues are put in Strict Priority. For example if number of Queues is two for DWRR then Queue 0 and Queue 1 are set in DWRR mode, and the remaining Queues 2 to 7 are set in Strict Priority.
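The split between DWRR and strict-priority queues decides whether a flood of high-CoS traffic can starve everything else, so here is an added Python replay of the scheduling rule described above (not switch code): queues 0..N-1 share bandwidth by DWRR weight, the remaining queues are served strictly, highest first. The DWRR mechanics (a weight x quantum credit per turn, head frame sent while it fits, leftover credit forfeited when the queue empties) and the 1500-byte quantum are the standard algorithm and an assumption respectively; the page does not state them. Frame sizes are constructed for the example, and no new arrivals are modelled, so the replay always finishes.

```python
from collections import deque


def drain(queues, dwrr_count, weights, quantum=1500):
    """Replay the egress scheduler over a snapshot of eight queues (lists of frame sizes
    in bytes; index = queue/CoS number) and return the transmit order [(queue, size), ...].
    Queues 0..dwrr_count-1 are DWRR with the given weights; the rest are strict priority.
    dwrr_count is 0 (all strict) or 2..8, as on the page."""
    if dwrr_count not in (0, *range(2, 9)):
        raise ValueError("DWRR queue count must be 0 or 2..8")
    if quantum <= 0 or any(weights[i] < 1 for i in range(dwrr_count)):
        raise ValueError("quantum and DWRR weights must be positive")
    q = [deque(frames) for frames in queues]
    dwrr, strict = list(range(dwrr_count)), list(range(dwrr_count, 8))
    deficit, turn, order = [0] * 8, 0, []
    while any(q):
        # A strict queue holding a frame always wins, highest priority first.
        s = next((i for i in reversed(strict) if q[i]), None)
        if s is not None:
            order.append((s, q[s].popleft()))
            continue
        # DWRR: the queue whose turn it is earns weight x quantum bytes of credit and
        # sends while the head frame fits; an emptied queue forfeits leftover credit.
        i = dwrr[turn]
        turn = (turn + 1) % len(dwrr)
        if not q[i]:
            deficit[i] = 0
            continue
        deficit[i] += weights[i] * quantum
        while q[i] and q[i][0] <= deficit[i]:
            size = q[i].popleft()
            deficit[i] -= size
            order.append((i, size))
        if not q[i]:
            deficit[i] = 0
    return order


def bytes_per_queue(order):
    """Total bytes transmitted per queue for a drain() result."""
    totals = {}
    for queue, size in order:
        totals[queue] = totals.get(queue, 0) + size
    return totals
```

Run the same backlog twice, once with queue 7 strict and once with all eight queues in DWRR, and the difference is immediate: with strict priority the low queue sends nothing until queue 7 is empty, while under DWRR every non-empty queue gets a turn each round.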
3.1.14.5 WEIGHTED RANDOM EARLY DETECTION (WRED)
Congestion can be avoided in the queue system by enabling and configuring the Weighted Random Early Detection (WRED) function. WRED can discard frames with DPL greater than zero.
There are three separate WRED groups, and each port belongs to one of these groups.
Configuration includes enabling WRED per group, queue, and DPL, and setting the minimum and maximum thresholds. The minimum threshold is the queue fill level at which WRED starts discarding frames. The maximum threshold can be expressed either as a drop probability or as a fill level. When the unit is Drop Probability, the value is the drop probability reached when the queue fill level is about 100%. When the unit is Fill Level, the value is the queue fill level at which the drop probability reaches 100%.
3.1.14.6 STORM POLICING
Storm policers restrict the amount of flooded frames (frames the switch forwards to all ports in the VLAN because their destination MAC has not been learned, as well as multicast and broadcast frames) entering the device. The configuration is global per device, not per port. Storm policers can be applied separately to unicast, multicast, or broadcast packets.
It is also possible to configure per-port storm policers. Port storm policers can be applied separately on Unicast, Broadcast, and flooded (unknown) packets.
3.1.14.7 INGRESS MAP
An Ingress Map is a mapping table created to classify values at ingress such as, CoS, DPL, PCP, DEI, DSCP, and CoSID based on the key values in the packet (PCP, PCP/DEI, DSCP, or PCP/DEI/DSCP).
In order to use an Ingress Map, it must first be created and configured. Configuration consists of the following parameters:
Key: Which part of the packet to use for lookup.
Actions: Which kinds of values to classify.
Mappings: The actual value to use for classification for each value of the key.
A specific Ingress Map can be associated with one or more ports, QCEs, or EVCs/ECEs. Using an Ingress Map will always take precedence over other kinds of port-based classification.
3.1.14.8 EGRESS MAP
An Egress Map is a mapping table created to control the rewriting of packets at egress. Values such as PCP, DEI, and DSCP can be updated based on the classified key values (CoSID, CoSID/DPL, DSCP, or DSCP/DPL).
In order to use an Egress Map, it must first be created and configured. Configuration consists of the following parameters:
Key: This classified value(s) to use for lookup.
Actions: Which kinds of values to rewrite in the packet.
Mappings: The actual value to use for rewriting for each value of the key.
A specific Egress Map can be associated with one or more ports or EVCs.
Configuration Examples
In the following sections, web interface and ICLI configuration examples are given according to the different QoS classifications.
Note: It is recommended to do a restore to default before starting to configure any of the examples in the following sections.
# reload defaults
#
Basic QoS: Port Classification
Basic QoS classification configuration can be done per port. Ingress traffic coming on each port can be assigned to a CoS, DPL, PCP, and DEI.
Example: All traffic coming in on Port 1 is mapped to CoS 2, and PCP is set to 1.
Configuring Basic QoS Classification Using WebGUI
To map all traffic coming in on Port 1 to CoS 2 and set PCP to 1, perform the following step.
Click Configuration > QoS > Port Classification, and enter the settings as shown in the following illustration.
Set Up CoS and PCP for Ingress Traffic
The equivalent ICLI commands are:
# configure terminal
(config)# interface GigabitEthernet 1/1
! Set CoS to 2 and PCP to 1
(config-if)# qos cos 2
(config-if)# qos pcp 1
(config-if)# end
Basic QoS: Tagged Frame Classification per Port
Ingress port tag classification can be done based on the PCP and DEI values received on the incoming packets. This is done by enabling tag classification for that port.
Example: Map PCP 0 and DEI 0 to CoS 2 and DPL 0, Map PCP 0 and DEI 1 to CoS 3 and DPL 1 on Port 2.
Configuring Ingress Port Tag Classification Using WebGUI
To map PCP 0 and DEI 0 to CoS 2 and DPL 0, and PCP 0 and DEI 1 to CoS 3 and DPL 1, on Port 2, perform the following steps.
1. Click Configuration > QoS > Port Classification.
2. On the Port Classification page, click the Tag Class corresponding to the port, and enter the parameters as shown in the following illustration.
Map PCP and DEI for Tagged Frames
The equivalent ICLI commands are:
# configure terminal
(config)# interface GigabitEthernet 1/2
! Enable Tag Classification
(config-if)# qos trust tag
! Map PCP 0 and DEI 0 to CoS 2 and DPL 0
(config-if)# qos map tag-cos pcp 0 dei 0 cos 2 dpl 0
! Map PCP 0 and DEI 1 to CoS 3 and DPL 1
(config-if)# qos map tag-cos pcp 0 dei 1 cos 3 dpl 1
(config-if)# end
Basic QoS: Tag Remarking per Port
Tag remarking on the egress frames can be done in three ways:
Classified: PCP and DEI values on the egress frames are updated with the classified values at the ingress. By default, the PCP and DEI values are set to classified values.
Default: PCP and DEI values on the egress frames are updated to default values defined per port.
Mapped: PCP and DEI values on the egress frames are updated based on the tag remarking CoS/DPL to PCP/DEI mapping per port.
Example: Set Default PCP to 5 and DEI to 0 on Port 3.
Setting Up PCP Port Using WebGUI
To set the default PCP to 5 and DEI to 0 on Port 3, perform the following steps.
1. Click Configuration > QoS > Port Tag Remarking.
2. On the Port Tag Remarking page, click the Port Number corresponding to the port, and set the parameters as shown in the following illustration.
Set Up PCP and DEI for Default Tag Remarking
The equivalent ICLI commands are:
# configure terminal
(config)# interface GigabitEthernet 1/3
! Set Default PCP to 5 and DEI to 0
(config-if)# qos tag-remark pcp 5 dei 0
(config-if)# end
Example: Map CoS 2 and DPL 0 to PCP 3 and DEI 0. Map CoS 3 and DPL 1 to PCP 4 and DEI 1.
Mapping CoS and DPL Using WebGUI
To map CoS 2/DPL 0 to PCP 3/DEI 0 and CoS 3/DPL 1 to PCP 4/DEI 1, perform the following steps.
1. Click Configuration > QoS > Port Tag Remarking.
2. On the Port Tag Remarking page, click the Port Number corresponding to the port, and enter the parameters as shown in the following illustration.
Set Up CoS and DPL for Mapped Tag Remarking
The equivalent ICLI commands are:
# configure terminal
(config)# interface GigabitEthernet 1/2
! Set Tag Remarking to Mapped
(config-if)# qos tag-remark mapped
! Map QoS Class 2 and DPL 0 to PCP 3 and DEI 0
(config-if)# qos map cos-tag cos 2 dpl 0 pcp 3 dei 0
! Map QoS Class 3 and DPL 1 to PCP 4 and DEI 1
(config-if)# qos map cos-tag cos 3 dpl 1 pcp 4 dei 1
(config-if)# end
Basic QoS: DSCP Configuration
The following DSCP Configuration settings are present per port for both the ingress and egress.
DSCP-based QoS classification
Selection of trusted DSCP values used for QoS Classification
DSCP translation: DSCP translation is done based on the DSCP Translation table
Classify (for rewriting if enabled):
No DSCP classification
Classify only DSCP = 0
Classify only selected (trusted) DSCP values based on the DSCP Classification table
Classify all DSCP
Rewrite (on Egress):
No Egress rewrite
Rewrite enabled without remapping
Remap DSCP with DP unaware
Remap DSCP with DP aware
Example: DSCP (Only Trusted) to QoS Class/DPL classification at ingress on Port 2.
Configuring DSCP to QoS Classification Using WebGUI
To configure DSCP (only trusted) to QoS Class/DPL classification at ingress on Port 2, perform the following steps.
1. Click Configuration > QoS > Port Classification, and select the DSCP Based option as shown in the following illustration.
Enable Trusted DSCP for Port
2. Click Configuration > QoS > DSCP-Based QoS, and configure as shown in the following illustration.
Map Trusted DSCP for Ingress Traffic
The equivalent ICLI commands are:
# configure terminal
! Enable DSCP Trust for DSCP at Port 2.
(config)# interface GigabitEthernet 1/2
(config-if)# qos trust dscp
(config-if)# exit
! Map DSCP Values 4 and 5 to QoS Class 6.
(config)# qos map dscp-cos 4 cos 6 dpl 0
(config)# qos map dscp-cos 5 cos 6 dpl 0
(config)# end
Example: Translate DSCP at ingress on Port 2 and rewrite enabled on Port 3.
Translating DSCP at Ingress Using WebGUI
To translate DSCP at Ingress on Port 2 and rewrite enabled on Port 3, perform the following steps.
1. Click Configuration > QoS > Port Classification, and select the DSCP Based options as shown in the following illustration.
Enable DSCP-Based QoS for Translation and DSCP Rewrite
2. Click Configuration > QoS > Port DSCP and select the Translate option.
Config DSCP Ingress Translation and DSCP Egress Rewrite
3. Click Configuration > QoS > DSCP Translation, and configure translation mapping as shown in the following illustration.
Set Up Ingress Translation Map for DSCP
The equivalent ICLI commands are:
# configure terminal
! Enable DSCP Translate at ingress on Port 2
(config)# interface GigabitEthernet 1/2
(config-if)# qos trust dscp
(config-if)# qos dscp-translate
(config-if)# exit
! Enable DSCP Remark at egress on Port 3
(config)# interface GigabitEthernet 1/3
(config-if)# qos trust dscp
(config-if)# qos dscp-remark rewrite
(config-if)# exit
! Create Ingress DSCP Translation Map
(config)# qos map dscp-ingress-translation 1 to 5
(config)# qos map dscp-ingress-translation 2 to 6
(config)# end
Example: Classify only DSCP as 0 at ingress on Port 2 and rewrite enabled on Port 3.
Configuring DSCP Classification at Ingress Using WebGUI
To classify only DSCP as 0 at ingress on Port 2 and rewrite enabled on Port 3, perform the following steps.
1.
Click Configuration > QoS > Port Classification, and select the DSCP Based options as shown in the following illustration.
Enable DSCP-Based QoS for DSCP 0 Classification and DSCP Rewrite
2.
Click Configuration > QoS > Port DSCP, and set the Ingress values as shown in the following illustration.
Set Up DSCP 0 Ingress Classification and DSCP Egress Rewrite
3.
Click Configuration > QoS > DSCP Translation, and enter translation mapping as shown in the following illustration.
Set Up Ingress Translation Map for DSCP 0
The equivalent ICLI commands are:
# configure terminal
! Enable DSCP=0 Classification and Translation at ingress on Port 2
(config)# interface GigabitEthernet 1/2
(config-if)# qos trust dscp
(config-if)# qos dscp-classify zero
(config-if)# qos dscp-translate
(config-if)# exit
! Create Ingress DSCP Translation Map.
(config)# qos map dscp-ingress-translation 0 to 7
(config)# qos map dscp-ingress-translation 1 to 5
! Note: Only DSCP=0 frames are classified here, so only those are rewritten.
! Enable DSCP Remark at egress on Port 3
(config)# interface GigabitEthernet 1/3
(config-if)# qos trust dscp
(config-if)# qos dscp-remark rewrite
(config-if)# exit
(config)# end
Example: Classify Selected DSCP at ingress on Port 2, DSCP rewrite enabled on Port 3.
Classifying Selected DSCP at Ingress Using WebGUI
To classify selected DSCP at ingress on Port 2, and DSCP rewrite enabled on Port 3, perform the following steps.
1.
Click Configuration > QoS > Port Classification, and select the DSCP Based option.
Enable Selected DSCP Classification and DSCP Rewrite
2.
Click Configuration > QoS > Port DSCP, and set the values as shown in the following illustration.
Set Up Selected DSCP Ingress Classification and DSCP Egress Rewrite
3.
Click Configuration > QoS > DSCP Translation, and configure translation mapping as shown in the following illustration.
Set Up Ingress Translation Map for Selected DSCP
The equivalent ICLI commands are:
# configure terminal
! Enable DSCP classification for selected DSCP values at ingress Port 2
(config)# interface GigabitEthernet 1/2
(config-if)# qos trust dscp
(config-if)# qos dscp-classify selected
(config-if)# exit
(config)# qos map dscp-classify 0
(config)# qos map dscp-classify 1
(config)# qos map dscp-classify 2
! Create Ingress DSCP Translation Map.
(config)# qos map dscp-ingress-translation 0 to 7
(config)# qos map dscp-ingress-translation 1 to 5
(config)# qos map dscp-ingress-translation 2 to 8
! Enable DSCP Remark at egress on Port 3
(config)# interface GigabitEthernet 1/3
(config-if)# qos trust dscp
(config-if)# qos dscp-remark rewrite
(config-if)# exit
(config)# end
Example: Classify all DSCP values at ingress on Port 2, rewrite enabled on Port 3.
Classifying All DSCP at Ingress Using WebGUI
To classify all DSCP values at ingress on Port 2, rewrite enabled on Port 3, perform the following steps.
1.
Click Configuration > QoS > Port Classification, and select the DSCP Based option as shown in the following illustration.
Enable All DSCP Classification and DSCP Rewrite
2.
Click Configuration > QoS > Port DSCP, and set the values as shown in the following illustration.
Set Up All DSCP Ingress Classification and DSCP Egress Rewrite
The equivalent ICLI commands are:
# configure terminal
! Enable DSCP classification for all DSCP values at ingress Port 2
(config)# interface GigabitEthernet 1/2
(config-if)# qos trust dscp
(config-if)# qos dscp-classify any
(config-if)# exit
! Enable DSCP Remark at egress on Port 3
(config)# interface GigabitEthernet 1/3
(config-if)# qos trust dscp
(config-if)# qos dscp-remark rewrite
(config-if)# exit
(config)# end
Example: QoS/DP to DSCP Classification enabled. Rewrite DSCP at egress on Port 3.
Enabling QoS/DP to DSCP Classification Using WebGUI
To enable QoS/DP to DSCP Classification and rewrite DSCP at egress on Port 3, perform the following steps.
1. Click Configuration > QoS > Port Classification, and select the DSCP Based option as shown in the following illustration.
Enable All DSCP Classification and DSCP Egress Remap
2. Click Configuration > QoS > DSCP Classification, and set the values as shown in the following illustration.
Map QoS/DP to DSCP Classification
3. Click Configuration > QoS > Port DSCP, and set the values as shown in the following illustration.
Set Up All DSCP Ingress Classification and DSCP Egress Remap
4. Click Configuration > QoS > DSCP Translation, and configure translation mapping as shown in the following illustration.
Remap DSCP from Ingress to Egress
The equivalent ICLI commands are:
# configure terminal
! Enable DSCP Classification on all DSCP values on port 2.
(config)# interface GigabitEthernet 1/2
(config-if)# qos trust dscp
(config-if)# qos dscp-classify any
(config-if)# exit
! Map QoS Class 5, DP 0 to DSCP 4, QoS Class 5, DP 1..3 to DSCP 5
(config)# qos map cos-dscp 5 dpl 0 dscp 4
(config)# qos map cos-dscp 5 dpl 1 dscp 5
(config)# qos map cos-dscp 5 dpl 2 dscp 5
(config)# qos map cos-dscp 5 dpl 3 dscp 5
! Remap DSCP 4 to DSCP 8 and DSCP 5 to DSCP 9 on Egress
(config)# qos map dscp-egress-translation 4 to 8
(config)# qos map dscp-egress-translation 5 to 9
! Enable DSCP rewrite with DSCP Remap on Port 3
(config)# interface GigabitEthernet 1/3
(config-if)# qos dscp-remark remap
(config-if)# end
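The DSCP examples above are easy to follow one at a time but hard to review as a whole once several of them are combined on one switch. The Python script below is an added example written for this page, not WoMaster's or the switch's own code. It parses ICLI lines in the form the manual prints them (prompts and "!" comments included) for the commands used above (qos map dscp-cos, qos map cos-dscp, qos map dscp-ingress-translation, qos map dscp-egress-translation, qos map dscp-classify, and the per-interface qos trust dscp, qos dscp-translate, qos dscp-classify and qos dscp-remark) and then reports which ports trust the DSCP field written by the sender and which QoS class and DPL a given DSCP value gets on a port. The trust list is the first thing to check: on a port that faces end devices, qos trust dscp lets any host on that port pick its own queue simply by marking its packets. Two things are assumed beyond what the manual states: ingress translation is applied before the DSCP-to-class lookup, and a frame on a port that does not trust DSCP, or whose DSCP value has no trusted mapping, falls back to QoS class 0 / DPL 0.

```python
"""Parse the ICLI QoS/DSCP commands used in this manual and audit them.
Constructed example for this page, not WoMaster or switch code."""
import re
from dataclasses import dataclass, field

# Strips the "# ", "(config)# " and "(config-if)# " prompts the manual prints.
PROMPT = re.compile(r"^\s*(?:\(config(?:-if)?\))?#\s*")


@dataclass
class IfaceQos:
    trust_dscp: bool = False     # qos trust dscp
    translate: bool = False      # qos dscp-translate
    classify: str = "disable"    # qos dscp-classify zero|selected|any
    remark: str = "disable"      # qos dscp-remark rewrite|remap


@dataclass
class QosConfig:
    ifaces: dict = field(default_factory=dict)          # "GigabitEthernet 1/2" -> IfaceQos
    dscp_cos: dict = field(default_factory=dict)        # dscp -> (cos, dpl); present == trusted
    cos_dscp: dict = field(default_factory=dict)        # (cos, dpl) -> dscp
    ingress_xlate: dict = field(default_factory=dict)   # dscp -> dscp
    egress_xlate: dict = field(default_factory=dict)    # dscp -> dscp
    classify_dscp: set = field(default_factory=set)     # qos map dscp-classify <dscp>


def parse_icli(text: str) -> QosConfig:
    """Read ICLI lines as printed in the manual; unknown commands are ignored."""
    cfg = QosConfig()
    cur = None                                   # IfaceQos of the open interface submode
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if not line or line.startswith("!"):
            continue
        w = line.split()
        if w[0] == "interface":
            cur = cfg.ifaces.setdefault(" ".join(w[1:]), IfaceQos())
        elif w[0] in ("exit", "end"):
            cur = None
        elif w[:3] == ["qos", "trust", "dscp"] and cur is not None:
            cur.trust_dscp = True
        elif w[:2] == ["qos", "dscp-translate"] and cur is not None:
            cur.translate = True
        elif w[:2] == ["qos", "dscp-classify"] and cur is not None:
            cur.classify = w[2]
        elif w[:2] == ["qos", "dscp-remark"] and cur is not None:
            cur.remark = w[2]
        elif w[:3] == ["qos", "map", "dscp-cos"]:          # qos map dscp-cos D cos C dpl P
            cfg.dscp_cos[int(w[3])] = (int(w[5]), int(w[7]))
        elif w[:3] == ["qos", "map", "cos-dscp"]:          # qos map cos-dscp C dpl P dscp D
            cfg.cos_dscp[(int(w[3]), int(w[5]))] = int(w[7])
        elif w[:3] == ["qos", "map", "dscp-ingress-translation"]:   # ... A to B
            cfg.ingress_xlate[int(w[3])] = int(w[5])
        elif w[:3] == ["qos", "map", "dscp-egress-translation"]:    # ... A to B
            cfg.egress_xlate[int(w[3])] = int(w[5])
        elif w[:3] == ["qos", "map", "dscp-classify"]:
            cfg.classify_dscp.add(int(w[3]))
    return cfg


def ingress_class(cfg: QosConfig, iface: str, dscp: int) -> tuple:
    """(QoS class, DPL) given to a frame carrying `dscp` when it enters `iface`.
    Assumption: translation runs before the lookup; anything untrusted gets
    the port default of class 0 / DPL 0."""
    port = cfg.ifaces.get(iface, IfaceQos())
    if not port.trust_dscp:
        return (0, 0)
    if port.translate:
        dscp = cfg.ingress_xlate.get(dscp, dscp)
    return cfg.dscp_cos.get(dscp, (0, 0))


def trusted_ingress_ports(cfg: QosConfig) -> list:
    """Ports where the sender's DSCP decides the queue; review against each port's role."""
    return sorted(n for n, p in cfg.ifaces.items() if p.trust_dscp)


def rewriting_egress_ports(cfg: QosConfig) -> list:
    return sorted(n for n, p in cfg.ifaces.items() if p.remark != "disable")


# Constructed input: the first two ICLI examples above, pasted together.
SAMPLE = """\
# configure terminal
! Enable DSCP Trust and Translation at Port 2.
(config)# interface GigabitEthernet 1/2
(config-if)# qos trust dscp
(config-if)# qos dscp-translate
(config-if)# exit
(config)# qos map dscp-cos 4 cos 6 dpl 0
(config)# qos map dscp-cos 5 cos 6 dpl 0
(config)# qos map dscp-ingress-translation 1 to 5
(config)# qos map dscp-ingress-translation 2 to 6
(config)# interface GigabitEthernet 1/3
(config-if)# qos trust dscp
(config-if)# qos dscp-remark rewrite
(config-if)# end
"""

if __name__ == "__main__":
    cfg = parse_icli(SAMPLE)
    print("ports trusting sender DSCP:", trusted_ingress_ports(cfg))
    print("ports rewriting DSCP at egress:", rewriting_egress_ports(cfg))
    for d in (1, 4, 9):
        print(f"DSCP {d} on GigabitEthernet 1/2 ->", ingress_class(cfg, "GigabitEthernet 1/2", d))
```

Paste the running configuration of the switch into SAMPLE (or read it from a file) and compare the trusted-port list against the list of uplink ports; any access port that appears there deserves a second look.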
Advanced QoS: QCLs
Advanced QoS classification can be done by checking fields from Layer 2 to Layer 4 and mapping them to CoS, PCP/DEI, and DSCP values.
Example: Match on a particular Destination MAC on Port 2 and map these to CoS = 5.
Mapping a Particular MAC Destination to CoS Using WebGUI
To match on a particular destination MAC on Port 2 and map these to CoS = 5, perform the following steps.
1.
Click Configuration > QoS > QoS Control List and click the Add QCE to end of list icon. The QCE Configuration page opens.
Create QCE Entry for Mapping MAC Address
2.
On the QCE Configuration page, set Port, DMAC, and CoS as shown in the following illustration.
Map Frame with Particular Destination MAC to CoS
The equivalent ICLI commands are:
# configure terminal
! Create QCL rule for matching particular destination MAC on Port 2
(config)# qos qce 1 interface GigabitEthernet 1/2 dmac 00-00-00-00-00-23 action cos 5
(config)# end
Example: Match on a particular VLAN Tag and PCP range on Port 2 and map these to CoS = 6. Also, map these frames to PCP = 6 and DEI = 0.
Mapping a Particular VLAN Tag and PCP Range to CoS Using WebGUI
To match on a particular VLAN Tag and PCP range on Port 2 and map these to CoS = 6, and also to map these frames to PCP = 6 and DEI = 0, perform the following steps.
1.
Click Configuration > QoS > QoS Control List and click the Add QCE to end of list icon. The QCE Configuration page opens.
Create QCE Entry for Mapping VLAN Tag and PCP
2.
On the QCE Configuration page, set the appropriate values as shown in the following illustration.
Map Frame with Particular VLAN Tag and PCP to CoS, PCP, and DEI
The equivalent ICLI commands are:
# configure terminal
! Create QCL rule for matching particular VLAN ID and range of PCP values.
(config)# qos qce 1 interface GigabitEthernet 1/2 tag vid 10 pcp 4-5 action cos 6 pcp-dei 6 0
(config)# end
Example: Match on a specific Destination MAC, Source IP, and UDP Sport number on Port 2. Map these to CoS = 7, DP = 1, and DSCP = 9.
Mapping a Particular MAC Address, Source IP, and UDP Sport Number Using WebGUI
To match a specific destination MAC, Source IP, and UDP Sport number on Port 2, and map these to CoS = 7, DP = 1, and DSCP = 9, perform the following steps.
1.
Click Configuration > QoS > QoS Control List and click the Add QCE to End of List icon. The QCE Configuration page opens.
Create QCE Entry for Mapping MAC Address, IP, and UDP Port
2.
On the QCE Configuration page, set the appropriate values as shown in the following illustration.
Map Frame With Specific MAC, IP, and UDP Port to CoS, DP, and DSCP
The equivalent ICLI commands are:
# configure terminal
! Create QCL rule for matching DMAC, SIP, UDP Sport on Port 2.
(config)# qos qce 1 interface GigabitEthernet 1/2 dmac 00-00-00-00-00-23 frametype ipv4 proto udp sip 192.168.1.100/24 sport 4154 action cos 7 dpl 1 dscp 9
(config)# end
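The QoS Control List is evaluated top to bottom and the first matching QCE decides the action, so two details of the three entries above matter in practice: the first example (destination MAC only) matches every frame the third example (destination MAC plus IP, UDP and source-IP prefix) matches, so if both are installed in the order shown the third can never fire; and sip 192.168.1.100/24 is a prefix, so it matches every host in 192.168.1.0/24 rather than only 192.168.1.100 (use /32 to match one host). The Python script below is an added example written for this page, not the switch's own matching code: it evaluates a list of QCEs, written with the ICLI keyword names, against constructed frames, and includes a simple check for entries that are shadowed by an earlier, less specific entry. The frames, the numbering of the entries as 1..3 (the manual numbers each of them 1) and the dict field names are this example's own.

```python
"""First-match evaluation of QoS Control Entries like the three above.
Constructed example for this page, not the switch's code. Match keys follow
the ICLI keywords; a frame is a dict of the same keys with the values it carries."""
import ipaddress


def _field_matches(key, want, frame):
    have = frame.get(key)
    if have is None:                       # the frame does not carry this field at all
        return False
    if key == "sip":                       # address/prefix is a prefix match, not a host match
        return ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
    if key == "pcp" and isinstance(want, tuple):    # inclusive range, e.g. "pcp 4-5"
        return want[0] <= have <= want[1]
    if key == "dmac":                      # accept either separator, any case
        return have.replace(":", "-").lower() == want.replace(":", "-").lower()
    return have == want


def classify(qcl, frame):
    """Action of the first QCE whose every match key fits the frame, else None."""
    for qce in qcl:
        if all(_field_matches(k, v, frame) for k, v in qce["match"].items()):
            return qce["action"]
    return None


def shadowed(qcl):
    """IDs of entries that can never fire because an earlier entry matches on a
    subset of their keys with identical values. Equal-value check only: it does
    not reason about overlapping prefixes or PCP ranges."""
    dead = []
    for i, later in enumerate(qcl):
        for earlier in qcl[:i]:
            if all(later["match"].get(k) == v for k, v in earlier["match"].items()):
                dead.append(later["id"])
                break
    return dead


# The three QCEs from the examples, in the order the manual presents them.
QCL = [
    {"id": 1, "match": {"interface": "GigabitEthernet 1/2", "dmac": "00-00-00-00-00-23"},
     "action": {"cos": 5}},
    {"id": 2, "match": {"interface": "GigabitEthernet 1/2", "vid": 10, "pcp": (4, 5)},
     "action": {"cos": 6, "pcp": 6, "dei": 0}},
    {"id": 3, "match": {"interface": "GigabitEthernet 1/2", "dmac": "00-00-00-00-00-23",
                        "frametype": "ipv4", "proto": "udp",
                        "sip": "192.168.1.100/24", "sport": 4154},
     "action": {"cos": 7, "dpl": 1, "dscp": 9}},
]
# Same entries with the most specific first, which is the order they need.
QCL_SPECIFIC_FIRST = sorted(QCL, key=lambda q: -len(q["match"]))

# Constructed frames.
FRAMES = {
    # UDP from a different host in 192.168.1.0/24 than the .100 written in the rule
    "udp_from_neighbour": {"interface": "GigabitEthernet 1/2", "dmac": "00:00:00:00:00:23",
                           "frametype": "ipv4", "proto": "udp",
                           "sip": "192.168.1.7", "sport": 4154},
    "tagged_pcp4": {"interface": "GigabitEthernet 1/2", "vid": 10, "pcp": 4},
    "other_port": {"interface": "GigabitEthernet 1/3", "dmac": "00-00-00-00-00-23"},
}

if __name__ == "__main__":
    print("shadowed in manual order:", shadowed(QCL))
    for name, f in FRAMES.items():
        print(name, "->", classify(QCL, f), "/ specific first:", classify(QCL_SPECIFIC_FIRST, f))
```

The "udp_from_neighbour" frame is the one to look at: in the manual's order it gets CoS 5 from entry 1, and with the specific entry first it gets CoS 7 / DP 1 / DSCP 9 even though its source is 192.168.1.7, not .100.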
Policers
Port Policers
Enable policing at port level on a particular port.
Example: Enable the policer on Port 2 and set the policer rate to 2 Mbps. If the policed traffic is TCP, flow control can optionally be enabled on the policer as well for better performance.
Configuring Policer Rate (Mbps) on a Port Using WebGUI
To configure policer on Port 2 and set the policer rate to 2 Mbps, perform the following step.
Click Configuration > QoS > Port Policing, and set the policer rate as shown in the following illustration.
Set Up Port Policer Rate in Mbps Throughput
The equivalent ICLI commands are:
# configure terminal
! Enable Policer on Port 2 with a rate set to 2 Mbps
(config)# interface GigabitEthernet 1/2
(config-if)# qos policer 2 mbps flowcontrol
(config-if)# end
Example: Enable policer on Port 2 and set the policer rate to 200 Fps. The units are frames per second.
Configuring Policer Rate (Fps) on a Port Using WebGUI
To configure the policer on Port 2 and set the policer rate to 200 Fps, perform the following step.
Click Configuration > QoS > Port Policing, and set the policer rate as shown in the following illustration.
Set Up Port Policer Rate in Fps Throughput
The equivalent ICLI commands are:
# configure terminal
! Enable Policer on Port 2 with a rate set to 200 fps
(config)# interface GigabitEthernet 1/2
(config-if)# qos policer 200 fps
(config-if)# end
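Whether a port policer should be expressed in Mbps or in fps depends on what it is meant to stop: a bit-rate limit lets through far more minimum-size frames than maximum-size ones, while a frame-rate limit is indifferent to frame size, which is what you want against floods of small packets (ARP, SYN, small UDP) that carry little bandwidth but exhaust CPU or table capacity. The token-bucket model below is an added example for this page, not the switch's policer implementation, which the manual does not describe; it makes the difference visible for the two rates configured above, 2 Mbps and 200 fps. Assumed: a bucket depth of 10 ms worth of tokens, and frame sizes counted without preamble and inter-frame gap.

```python
"""Token-bucket model of the port policers configured above (2 mbps, 200 fps).
Constructed example for this page, not the switch's policer implementation."""


def police(frames, rate, unit, burst_us=10_000):
    """Run a token-bucket policer over `frames`, a list of (arrival_us, size_bytes)
    in arrival order, and return the number of conforming frames.

    `rate`/`unit` are the values typed into the ICLI above: (2, "mbps") or
    (200, "fps"). Tokens are bits for mbps and millionths of a frame for fps,
    so in both cases the bucket gains exactly `rate` tokens per microsecond and
    the arithmetic stays in integers. The bucket depth is `burst_us` worth of
    tokens; the 10 ms default is an assumption, the manual does not state it."""
    if unit == "mbps":
        cost = lambda size: size * 8          # bits per frame
    elif unit == "fps":
        cost = lambda size: 1_000_000         # one frame, in microframes
    else:
        raise ValueError(f"unsupported unit {unit!r}")
    depth = rate * burst_us
    tokens, last, passed = depth, 0, 0
    for t, size in frames:
        tokens = min(depth, tokens + rate * (t - last))   # refill since last arrival
        last = t
        need = cost(size)
        if tokens >= need:                    # conforming frame: forward it
            tokens -= need
            passed += 1
    return passed


def evenly_spaced(count, size_bytes, period_us):
    """Constructed traffic: `count` frames of one size, one every `period_us`."""
    return [(i * period_us, size_bytes) for i in range(count)]


SMALL = evenly_spaced(10_000, 64, 100)      # 10 kfps of minimum-size frames, ~5 Mbit/s
LARGE = evenly_spaced(1_000, 1518, 1_000)   # 1 kfps of maximum-size frames, ~12 Mbit/s


def compare():
    """Conforming frames per second under each policer for each traffic mix."""
    return {
        (rate, unit, name): police(traffic, rate, unit)
        for rate, unit in ((2, "mbps"), (200, "fps"))
        for name, traffic in (("64B", SMALL), ("1518B", LARGE))
    }


if __name__ == "__main__":
    for (rate, unit, name), passed in compare().items():
        print(f"policer {rate} {unit}: {passed} of the {name} frames pass per second")
```

The 2 Mbps policer passes roughly 24 times as many 64-byte frames as 1518-byte frames in the same second, while the 200 fps policer passes about 200 of either, which is why a frame-rate policer is the better choice when the goal is protection rather than bandwidth sharing.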