User Guide SMART SWITCH LGS3XX


Contents

Chapter 1 Getting Started
Chapter 2 System Status System Summary RMON Interface Statistics
Chapter 3 Quick Start
Chapter 4 System Management System Information Management Session Timeout Time SNMP Logs
Chapter 5 Port Management Ports Link Aggregation Green Ethernet PoE Discovery - LLDP
Chapter 6 VLAN Management VLANs Interfaces VLAN Memberships VLAN Groups Voice VLAN
Chapter 7 - Spanning Tree Management Spanning Tree STP Interfaces RSTP Interfaces MSTP Properties MSTP Instance Status MSTP Instance Interface
Chapter 8 - MAC Address Management Dynamic MAC Addresses Static MAC Addresses Reserved MAC Addresses
Chapter 9 Multicast Feature Configuration IGMP Snooping MLD Snooping Multicast Router Ports Forward All Unregistered Multicast IGMP/MLD IP Group Addresses MAC Group Address FDB IP Group Address FDB
Chapter 10 - IP Interface IPv IPv
Chapter 11 - IP Network Operations Domain Name System DHCP DHCP Snooping Binding Database Interface Settings
Chapter 12 Security Management Security RADIUS Network Access Control Port Security Storm Control
Chapter 13 - Access Control List MAC-Based ACL MAC-Based ACE IPv4-Based ACL IPv4-Based ACE IPv6-Based ACL IPv6-Based ACE ACL Binding
Chapter 14 - Quality of Service Feature Configuration Queue Scheduling CoS/802.1p to Queue DSCP to Queue Bandwidth Control Egress Shaping Basic QoS QoS Statistics
Chapter 15 - Maintenance Reboot File Management Diagnostics
Chapter 16 - Support

Chapter 1 Getting Started

There are two ways to configure the device: through the graphical user interface and through the menu command line interface.

Starting the Web-based Configuration Utility

This section describes how to navigate the Web-based switch configuration utility. If you are using a pop-up blocker, make sure it is disabled. The following browsers are supported:
- Firefox (versions 16 and latest)
- IE (versions 10 and latest)
- Chrome (versions 35 and latest)

Browser Restrictions

If you are using IPv6 interfaces on your management station, use the IPv6 global address and not the IPv6 link local address to access the device from your browser.

Launching the Configuration Utility

To open the Web-based configuration utility, do the following:
1. Open a Web browser.
2. Enter the IP address of the device you are configuring in the address bar on the browser, and then press Enter.
NOTE When the device is using the factory default IP address of , its power LED flashes continuously. When the device is using a DHCP assigned IP address or an administrator-configured static IP address, the power LED is on solid.
3. On the login page, enter the username/password. The password can contain up to 64 ASCII characters. The default username is admin and the default password is admin.

Logging Out

By default, the application logs out after ten minutes of inactivity.

CAUTION Unless the Running Configuration is copied to the Startup Configuration, rebooting the device will remove all changes made since the last time the file was saved. Save the Running Configuration to the Startup Configuration before logging off to preserve any changes you made during this session.

When you click Quick Start > Save Your Configurations, the Configuration File Copy page appears. Save the Running Configuration file by copying it to the Startup Configuration file.

To log out, click Logout in the top right corner of any page. The system logs out of the device.

NOTE When a timeout occurs or you intentionally log out of the system, a message appears, and the login page appears with a message indicating the logged-out state.

Interface Naming Conventions

Within the GUI, interfaces are denoted by linking the following elements:
- Type of interface: The following types of interfaces are found on the switch: Gigabit Ethernet ports (displayed as GE), LAG (Port Channel) (displayed as LAG), and VLAN.
- Interface Number: Port, LAG or VLAN ID.

Window Navigation

This section describes the features of the Web-based switch configuration utility.

Application Header

The Application Header appears on every page. It provides the following application links:

Application Link Name: Description
Logout: Click to log out of the Web-based switch configuration utility.
Firmware Version: Display the device version number.
Help: Click for the link to this administration guide.

Management Buttons

The following table describes the commonly used buttons that appear on various pages in the system.

Button Name: Description
Add: Click to display the related Add page and add an entry to a table. Enter the information and click Apply to save it to the Running Configuration. Click Close to return to the main page. Click Save to display the Configuration File Copy page and save the Running Configuration to the Startup Configuration file type on the device.
Apply: Click to apply changes to the Running Configuration on the device. If the device is rebooted, the Running Configuration is lost unless it is saved to the Startup Configuration file type or another file type. Click Save to display the Configuration File Copy page and save the Running Configuration to the Startup Configuration file type on the device.
Close: Click to return to the previous page. Any changes not applied are cleared.
Clear All: Click to clear the statistic counters for all interfaces.
Clear: Click to clear information, such as counters of an interface, all interfaces, or log files.
Delete: After selecting an entry in the table, click Delete to remove it.
Edit: Select the entry and click Edit. 1. Click Apply to save the changes to the Running Configuration. 2. Click Close to return to the main page.
Search: Enter the query filtering criteria and click Search.
Refresh: Click Refresh to refresh the counter values.
Test or Start: Click Test/Start to perform the related tests.
View or View All: Click View to display details associated with the entry selected or for all entries (respectively).

Configuring with Menu Command Line Interface

To configure the device through the menu CLI:
1. Log on to the device through telnet.
2. Configure the device.
3. Click Logout.

Chapter 2 System Status

System Summary

The System Summary page provides a graphic view of the device, and displays device status, hardware information, firmware version information, general PoE status, and other items.

To view system information, click System Status > System Summary. The System Summary page contains system and hardware information.

System Mode: Specifies whether the system is operating in Layer 2 system mode.
System Description: A description of the system.
System Location: Physical location of the device. To edit this field, go to Configuration > System Management > System Information.
System Contact: Name of a contact person. To edit this field, go to Configuration > System Management > System Information.
Host Name: Name of the device. By default, the device host name is composed of the word switch followed by the three least significant bytes of the device base MAC address (the six furthest right hexadecimal digits).
Base MAC Address: Device MAC address.
SNMP Object ID: Unique vendor identification of the network management subsystem.

Firmware Version: Firmware version number.
Boot Code Version: Boot version number.
Hardware Version: Hardware version number of the device.
Serial Number: Serial number.

Device Status

Fan Status: Applicable only to models that have fans. The following values are possible:
- OK: Fan is operating normally.
- Fail: Fan is not operating correctly.
Date & Time: System date and time.
System Uptime: Length of time since last reboot.

RMON

RMON Statistics

The Statistics page displays detailed information regarding packet sizes and information regarding physical layer errors. The information displayed is according to the RMON (Remote Network Monitoring) standard. An oversized packet is defined as an Ethernet frame with the following criteria:
- Packet length is greater than MRU byte size.
- Collision event has not been detected.
- Late collision event has not been detected.
- Received (Rx) error event has not been detected.
- Packet has a valid CRC.

To view RMON statistics and/or set the refresh rate:
1. Click System Status > RMON > Statistics.
2. Select the Interface for which statistics are to be displayed.
3. Select the Refresh Rate, the time period that passes before the interface statistics are refreshed.

The statistics are displayed for the selected interface.

Bytes Received: Number of octets received, including bad packets and FCS octets, but excluding framing bits.
Drop Events: Number of packets dropped.
Packets Received: Number of good packets received, including Multicast and Broadcast packets.
Broadcast Packets Received: Number of good Broadcast packets received. This number does not include Multicast packets.
Multicast Packets Received: Number of good Multicast packets received.
CRC & Align Errors: Number of CRC and Align errors that have occurred.
Undersize Packets: Number of undersized packets (less than 64 octets) received.
Oversize Packets: Number of oversized packets (over 2000 octets) received.
Fragments: Number of fragments (packets with less than 64 octets, excluding framing bits, but including Frame Check Sequence octets) received.
Jabbers: Total number of received packets that were longer than 1632 octets. This number excludes frame bits, but includes FCS octets that had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a non-integral octet (Alignment Error) number. A jabber packet is defined as an Ethernet frame that satisfies the following criteria:
- Packet data length is greater than MRU.
- Packet has an invalid CRC.
- Received (Rx) Error Event has not been detected.
Collisions: Number of collisions received.
If Jumbo Frames are enabled, the threshold of Jabber Frames is raised to the maximum size of Jumbo Frames.
Frames of 64 Bytes: Number of frames, containing 64 bytes that were received.
Frames of 65 to 127 Bytes: Number of frames, containing bytes that were received.
Frames of 128 to 255 Bytes: Number of frames, containing bytes that were received.
Frames of 256 to 511 Bytes: Number of frames, containing bytes that were received.

Frames of 512 to 1023 Bytes: Number of frames, containing bytes that were received.
Packets of 1024 and More Bytes: Number of frames, containing bytes, and Jumbo Frames, that were received.

To clear or view statistics counters:
- Click Refresh to refresh the counters on the page.
- Click Clear to clear the selected interfaces counters.
- Click View All to see all ports on a single page.

RMON History

The RMON feature enables monitoring statistics per interface. The History Control Table page defines the sampling frequency, amount of samples to store and the port from which to gather the data. After the data is sampled and stored, it appears in the History Table page that can be viewed by clicking the History button.

To enter RMON control information:
1. Click System Status > RMON > History.
2. Click Add.
3. Enter the parameters.
New History Control Entry Index: Displays the number of the new History table entry.
Source Interface: Select the type of interface from which the history samples are to be taken.
Maximum Samples: Enter the number of samples to store.
Samples Collected: RMON is allowed by the standard to not grant all requested samples, but rather to limit the number of samples per request. Therefore, this field represents the sample number actually granted to the request that is equal or less than the requested maximum sample.
Sampling Interval: Enter the time in seconds that samples are collected from the ports. The field range is
Owner: Enter the RMON station or user that requested the RMON information.

4. Click Apply. The entry is added to the History Control Table page, and the Running Configuration file is updated.
5. Click the History button (described below) to view the actual statistics.

RMON History Table

The History Table page displays interface-specific statistical network samplings. The samples were configured in the History Control table described above.

To view RMON history statistics:
1. Click System Status > RMON > History.
2. Click History.
3. From the History Entry Index drop down menu, optionally select the entry number of the sample to display.

The fields are displayed for the selected sample.

Owner: History table entry owner.
Sample No.: Statistics were taken from this sample.
Drop Events: Dropped packets due to lack of network resources during the sampling interval. This may not represent the exact number of dropped packets, but rather the number of times dropped packets were detected.
Bytes Received: Octets received including bad packets and FCS octets, but excluding framing bits.
Packets Received: Packets received, including bad packets, Multicast, and Broadcast packets.
Broadcast Packets: Good Broadcast packets excluding Multicast packets.
Multicast Packets: Good Multicast packets received.
CRC Align Errors: CRC and Align errors that have occurred.
Undersize Packets: Undersized packets (less than 64 octets) received.
Oversize Packets: Oversized packets (over 2000 octets) received.
Fragments: Fragments (packets with less than 64 octets) received, excluding framing bits, but including FCS octets.

Jabbers: Total number of received packets that were longer than 2000 octets. This number excludes frame bits, but includes FCS octets that had either a bad FCS (Frame Check Sequence) with an integral number of octets (FCS Error) or a bad FCS with a non-integral octet (Alignment Error) number.
Collisions: Collisions received.
Utilization: Percentage of current interface traffic compared to maximum traffic that the interface can handle.

RMON Events

You can control the occurrences that trigger an alarm and the type of notification that occurs.
- Events Page: Configures what happens when an alarm is triggered. This can be any combination of logs and traps.
- Alarms Page: Configures the occurrences that trigger an alarm.

To define RMON events:
1. Click System Status > RMON > Events. This page displays previously defined events.
2. Click Add.
3. Enter the parameters.
Event Entry Index: Displays the event entry index number for the new entry.
Community: Enter the SNMP community string to be included when traps are sent (optional). Note that the community must be defined using the Defining SNMPv1 and v2 Notification Recipients or Defining SNMPv3 Notification Recipients pages for the trap to reach the Network Management Station.
Description: Enter a name for the event. This name is used in the Add RMON Alarm page to attach an alarm to an event.
Notification Type: Select the type of action that results from this event.
- None: No action occurs when the alarm goes off.
- Log (Event Log Table): Add a log entry to the Event Log table when the alarm is triggered.

- Trap (SNMP Manager and SYSLOG Server): Send a trap to the remote log server when the alarm goes off.
- Log and Trap: Add a log entry to the Event Log table and send a trap to the remote log server when the alarm goes off.
Last Event Time: Displays the time of the event. (This is a read-only table in the parent window and cannot be defined.)
Owner: Enter the device or user that defined the event.
4. Click Apply. The RMON event is saved to the Running Configuration file.
5. Click Event Log to display the log of alarms that have occurred and that have been logged (see description below).

RMON Events Logs

The Event Log Table page displays the log of events (actions) that occurred. Two types of events can be logged: Log or Log and Trap. The action in the event is performed when the event is bound to an alarm (see RMON Alarms) and the conditions of the alarm have occurred.

Click System Status > RMON > Events. Click Event Log.

Event Index: Event's log entry number.
Log Index: Log number (within the event).
Log Time: Time that the log entry was entered.
Description: Description of event that triggered the alarm.

RMON Alarms

RMON alarms provide a mechanism for setting thresholds and sampling intervals to generate exception events on counters or any other SNMP object counter maintained by the agent. Both the rising and falling thresholds must be configured in the alarm. After a rising threshold is crossed, no rising events are generated until the companion falling threshold is crossed. After a falling alarm is issued, the next alarm is issued when a rising threshold is crossed.

One or more alarms are bound to an event, which indicates the action to be taken when the alarm occurs. Alarm counters can be monitored by either absolute values or changes (delta) in the counter values.

To enter RMON alarms:
1. Click System Status > RMON > Alarms. All previously-defined alarms are displayed. The fields are described in the Add RMON Alarm page below.
Counter Value: Displays the value of the statistic during the last sampling period.
2. Click Add.
3. Enter the parameters.
Alarm Entry Index: Displays the alarm entry number.
Interface: Select the type of interface for which RMON statistics are displayed.
Counter Name: Select the MIB variable that indicates the type of occurrence measured.
Sample Type: Select the sampling method to generate an alarm. The options are:
- Absolute: If the threshold is crossed, an alarm is generated.
- Delta: Subtracts the last sampled value from the current value. The difference in the values is compared to the threshold. If the threshold was crossed, an alarm is generated.
Interval: Enter the alarm interval time in seconds.
Rising Event: Select an event to be performed when a rising event is triggered. Events are created in the Events page.
Rising Threshold: Enter the value that triggers the rising threshold alarm.
Falling Event: Select an event to be performed when a falling event is triggered.

Falling Threshold: Enter the value that triggers the falling threshold alarm.
Startup Alarm: Select the first event from which to start generation of alarms. Rising is defined by crossing the threshold from a low-value threshold to a higher-value threshold.
- Rising Alarm: A rising value triggers the rising threshold alarm.
- Falling Alarm: A falling value triggers the falling threshold alarm.
- Rising and Falling: Both rising and falling values trigger the alarm.
Owner: Enter the name of the user or network management system that receives the alarm.
4. Click Apply. The RMON alarm is saved to the Running Configuration file.

Interface Statistics

The Interface Statistics page displays traffic statistics per port. The refresh rate of the information can be selected. This page is useful for analyzing the amount of traffic that is both sent and received and its dispersion (Unicast, Multicast, and Broadcast).

To display Ethernet statistics and/or set the refresh rate:
1. Click System Status > Interface Statistics.
2. Enter the parameters.
Interface: Select the specific interface for which Ethernet statistics are to be displayed.
Refresh Rate: Select the time period that passes before the interface Ethernet statistics are refreshed. The available options are as follows:
- No Refresh: Statistics are not refreshed.
- Sec: Statistics are refreshed every 15 seconds.
- Sec: Statistics are refreshed every 30 seconds.
- Sec: Statistics are refreshed every 60 seconds.

Total Octets: Octets received, including bad packets and FCS octets, but excluding framing bits.
Unicast Packets: Good Unicast packets received.
Multicast Packets: Good Multicast packets received.
Broadcast Packets: Good Broadcast packets received.
Error Packets: Packets with errors received.

Total Octets: Octets transmitted, including bad packets and FCS octets, but excluding framing bits.
Unicast Packets: Good Unicast packets transmitted.
Multicast Packets: Good Multicast packets transmitted.
Broadcast Packets: Good Broadcast packets transmitted.

To clear or view statistics counters:
- Click Refresh to refresh the counters on the page.
- Click Clear to clear the selected interfaces counters.
- Click View All to see all ports on a single page.
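The rising/falling threshold behaviour described under RMON Alarms earlier in this chapter, modelled as a small Python state machine. This is an added example, not firmware or vendor code; the class and field names, the constructed counter samples, and the treatment of the first sample (Startup Alarm applies only to the first evaluation, following standard RMON alarm semantics) are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_TYPES = ("absolute", "delta")
STARTUP_ALARMS = ("rising", "falling", "rising_and_falling")


@dataclass
class RmonAlarm:
    """Model of one alarm entry; names are hypothetical, not the switch's own."""
    rising_threshold: int
    falling_threshold: int
    sample_type: str = "delta"                  # "absolute" or "delta"
    startup_alarm: str = "rising_and_falling"   # which event may fire first
    _prev_raw: Optional[int] = field(default=None, init=False, repr=False)
    _last_event: Optional[str] = field(default=None, init=False, repr=False)
    _first_eval: bool = field(default=True, init=False, repr=False)

    def __post_init__(self) -> None:
        if self.sample_type not in SAMPLE_TYPES:
            raise ValueError("unknown sample type: %r" % self.sample_type)
        if self.startup_alarm not in STARTUP_ALARMS:
            raise ValueError("unknown startup alarm: %r" % self.startup_alarm)
        if self.falling_threshold >= self.rising_threshold:
            raise ValueError("falling threshold must be below rising threshold")

    def sample(self, raw: int) -> Optional[str]:
        """Feed one polled counter value; return 'rising', 'falling' or None."""
        if self.sample_type == "delta":
            if self._prev_raw is None:
                # First poll: there is no earlier value to subtract from yet.
                self._prev_raw = raw
                return None
            value = raw - self._prev_raw
            self._prev_raw = raw
        else:
            value = raw
        return self._evaluate(value)

    def _evaluate(self, value: int) -> Optional[str]:
        crossed = None
        # A rising event is only possible if the last event was not rising,
        # i.e. the companion falling threshold has been crossed in between.
        if value >= self.rising_threshold and self._last_event != "rising":
            crossed = "rising"
        elif value <= self.falling_threshold and self._last_event != "falling":
            crossed = "falling"
        first = self._first_eval
        self._first_eval = False
        if crossed is None:
            return None
        self._last_event = crossed
        # Startup Alarm can suppress the very first event, but the state still
        # records the crossing so hysteresis applies from then on.
        if first and self.startup_alarm not in (crossed, "rising_and_falling"):
            return None
        return crossed


def run_alarm(alarm: RmonAlarm, samples: List[int]) -> List[Tuple[int, str]]:
    """Return (sample index, event) for every event the alarm generates."""
    events = []
    for index, raw in enumerate(samples):
        event = alarm.sample(raw)
        if event is not None:
            events.append((index, event))
    return events


# Constructed data: a cumulative broadcast-packet counter polled once per
# interval, with two bursts separated by quiet periods.
BROADCAST_RX_SAMPLES = [1000, 1100, 1250, 6250, 12250, 17250,
                        17400, 17500, 23500, 23600]
# Constructed data: interface utilization in percent, sampled as absolute values.
UTILIZATION_SAMPLES = [50, 85, 90, 60, 85, 15, 85]

if __name__ == "__main__":
    storm = RmonAlarm(rising_threshold=4000, falling_threshold=200)
    for index, event in run_alarm(storm, BROADCAST_RX_SAMPLES):
        print("delta alarm, sample %d: %s" % (index, event))
    util = RmonAlarm(80, 20, sample_type="absolute")
    for index, event in run_alarm(util, UTILIZATION_SAMPLES):
        print("absolute alarm, sample %d: %s" % (index, event))
```

In the utilization series the second reading of 85 (sample 4) produces no event, because the value never dropped to the falling threshold after the first rising event.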

Chapter 3 Quick Start

To simplify device configuration through quick navigation, the Quick Start page provides links to the most commonly used pages.

Link Name (on the Page): Linked Page
Configure User Accounts and Management Access: User Access & Accounts
Configure Device IP Address: IPv4 Interface
Create VLANs: VLANs
Configure VLAN Memberships: VLAN Memberships
Save Your Configuration: Configuration File Copy

Clicking on the Support link takes you to the device product support page.

Chapter 4 System Management

System Information

To enter system information:
1. Click Configuration > System Management > System Information.
2. View or modify the system settings.
System Description: Displays a description of the device.
System Location: Enter the location where the device is physically located.
System Contact: Enter the name of a contact person.
System Host Name: Select the host name of this device.
- Default: The default host name (System Name) of these switches is switch123456, where represents the last three bytes of the device MAC address in hex format.
- User Defined: Enter the host name. Use only letters, digits, and hyphens. Host names cannot begin or end with a hyphen. No other symbols, punctuation characters, or blank spaces are permitted (as specified in RFC1033, 1034, 1035).
3. Click Apply to save the values in the Running Configuration file.

Management Session Timeout

The Management Session Timeout configures the time intervals that the management sessions can remain idle before they timeout and you must log in again to reestablish the session.

To set the idle session timeout for various types of sessions:
1. Click Configuration > System Management > Management Session Timeout.
2. Select the timeout for the following sessions from the corresponding list. The default timeout value is 10 minutes.
Telnet Session Timeout: Select the timeout for a Telnet session.
HTTP Session Timeout: Select the timeout for an HTTP session.
HTTPS Session Timeout: Select the timeout for an HTTPS session.
3. Click Apply to set the configuration settings on the device.

Time

Network time synchronization is critical because every aspect of managing, securing, planning, and debugging a network involves determining when events occur. Without synchronized clocks, accurately correlating log files between devices when tracking security breaches or network usage is impossible. Synchronized time also reduces confusion in shared file systems, as it is important for the modification times to be consistent, regardless of the machine on which the file systems reside. For these reasons, it is important that the time configured on all of the devices on the network is accurate.

Note The device supports Simple Network Time Protocol (SNTP) and when enabled, the device dynamically synchronizes the device time with time from an SNTP server. The device operates only as an SNTP client, and cannot provide time services to other devices.

Clock Source

System time can be set manually by the user, or dynamically from an SNTP server. If an SNTP server is chosen, the manual time settings are overwritten when communications with the server are established. As part of the boot process, the device always configures the time, time zone, and DST. These parameters are obtained from SNTP, values set manually, or if all else fails, from the factory defaults.
- Manual: User must manually set the time.
- SNTP: Time can be received from SNTP time servers. SNTP ensures accurate network time synchronization of the device up to the millisecond by using an SNTP server for the clock source. When specifying an SNTP server, if choosing to identify it by hostname, three suggestions are given in the GUI:
  time-a.timefreq.bldrdoc.gov
  time-b.timefreq.bldrdoc.gov
  time-c.timefreq.bldrdoc.gov

Note SNTP is the recommended method for time setting.

SNTP Modes

The device can receive system time from an SNTP server in one of the following ways:
- Client Broadcast Reception (passive mode): SNTP servers broadcast the time, and the device listens to these broadcasts. When the device is in this mode, there is no need to define a Unicast SNTP server.
- Client Broadcast Transmission (active mode): The device, as an SNTP client, periodically requests SNTP time updates. This mode works in either of the following ways:
  - SNTP Anycast Client Mode: The device broadcasts time request packets to all SNTP servers in the subnet, and waits for a response.
  - Unicast SNTP Server Mode: The device sends Unicast queries to a list of manually-configured SNTP servers, and waits for a response.

The device supports having all of the above modes active at the same time and selects the best system time received from an SNTP server, according to an algorithm based on the closest stratum (distance from the reference clock).

Time Zone and Daylight Savings Time (DST)

The Time Zone and DST can be set on the device in the following ways:
- Dynamic configuration of the device through a DHCP server, where: Dynamic DST, when enabled and available, always takes precedence over the manual configuration of DST.

If the server supplying the source parameters fails, or dynamic configuration is disabled by the user, the manual settings are used. Dynamic configuration of the time zone and DST continues after the IP address lease time has expired.
- Manual configuration of the time zone and DST becomes the Operational time zone and DST, only if the dynamic configuration is disabled or fails.

Note The DHCP server must supply DHCP option 100 in order for dynamic time zone configuration to take place.

System Time

Use the System Time page to select the system time source. If the source is manual, you can enter the time here.

Caution If the system time is set manually and the device is rebooted, the manual time settings must be reentered.

To define system time:
1. Click Configuration > System Management > Time > System Time. The current time is displayed. This shows the DHCP time zone or the acronym for the user-defined time zone if these were defined.

2. Enter these parameters:

Clock Source
SNTP: If you enable this, the system time is obtained from an SNTP server. To use this feature, you must also configure a connection to an SNTP server in the SNTP Unicast Server page.
SNTP Client Unicast: Select to enable client Unicast mode.
SNTP IPv4 Multicast Rx: Select to receive SNTP IPv4 Multicast synchronization packets requesting system time information. The packets are transmitted to all SNTP servers on the subnet.
SNTP IPv4 Anycast Tx: Select to transmit SNTP IPv4 Anycast synchronization packets requesting system time information. The packets are transmitted from any SNTP servers on the subnet.
SNTP IPv6 Multicast Rx: Select to receive SNTP IPv6 Multicast synchronization packets requesting system time information. The packets are transmitted to all SNTP servers on the subnet.
SNTP IPv6 Anycast Tx: Select to transmit SNTP IPv6 Anycast synchronization packets requesting system time information. The packets are transmitted from any SNTP servers on the subnet.
Manual Date/Time: Set the date and time manually. The local time is used when there is no alternate source of time, such as an SNTP server.

Time Zone
Time Zone from DHCP: Select to enable dynamic configuration of the time zone and the DST from the DHCP server. Whether one or both of these parameters can be configured depends on the information found in the DHCP packet. If this option is enabled, you must also enable DHCP client on the device. The DHCP Client supports Option 100 providing dynamic time zone setting.
DHCP Time Zone: Displays the acronym of the time zone configured from the DHCP server. This acronym appears in the Actual Time field.
Time Zone Offset: Select the difference in hours between Greenwich Mean Time (GMT) and the local time. For example, the Time Zone Offset for Paris is GMT +1, while the Time Zone Offset for New York is GMT -5.
Time Zone Acronym: Enter a user-defined name that represents the time zone you have configured. This acronym appears in the Actual Time field.

Daylight Savings Time
Select to enable Daylight Saving Time.
Time Set Offset: Enter the number of minutes offset from GMT ranging from The default is

Daylight Savings Type
USA - DST is set according to the dates used in the USA.
European - DST is set according to the dates used by the European Union and other countries that use this standard.
By Dates - DST is set manually, typically for a country other than the USA or a European country. This allows customization of the start and stop of DST.
- From - Date and time that DST starts.
- To - Date and time that DST ends.
Recurring From / Recurring To - DST occurs on the same date every year. This allows customization of the start and stop of DST.
- Day - Day of the week on which DST begins every year.
- Week - Week within the month from which DST begins every year.
- Month - Month of the year in which DST begins every year.
- Time - The time at which DST begins every year.
3. Click Apply. The system time values are written to the Running Configuration file.

SNTP Unicast Server

Up to 16 Unicast SNTP servers can be configured.

Note To specify a Unicast SNTP server by name, you must first configure DNS server(s) on the device (see Domain Name System). To add a Unicast SNTP server, SNTP Client Unicast must be enabled (in the System Time page).

To add a Unicast SNTP server:
1. Click Configuration > System Management > Time > SNTP Unicast Server. This page displays the following information for each Unicast SNTP server:
SNTP Server: SNTP server IP address. The preferred server, or hostname, is chosen according to its stratum level.
SNTP Server Status: SNTP server status. The possible values are:
- Up: SNTP server is currently operating normally.
- Down: SNTP server is currently not available.
- Unknown: SNTP server is currently being searched for by the device.
- In Process: Occurs when the SNTP server does not fully trust its own time server (i.e. when first booting up the SNTP server).
Stratum Level: Distance from the reference clock expressed as a numerical value. An SNTP server cannot be the primary server (stratum level 1) unless polling interval is enabled.
Offset: Estimated offset of the server's clock relative to the local clock, in milliseconds. The host determines the value of this offset using the algorithm described in RFC
Delay: Estimated round-trip delay of the server's clock relative to the local clock over the network path between them, in milliseconds. The host determines the value of this delay using the algorithm described in RFC
Poll Interval: Displays whether polling is enabled or disabled.
Authentication Key ID: Key Identification used to communicate between the SNTP server and device.
Last Response Time: Last date and time a response was received from this SNTP server.
2. To add a Unicast SNTP server, enable SNTP Client Unicast.
3. Click Add.
4. Enter the following parameters:
SNTP Server: Select if the SNTP server is going to be identified by its IP address or if you are going to select a well-known SNTP server by name from the list.
Note To specify a well-known SNTP server, the device must be connected to the internet and configured with a DNS server or configured so that a DNS server is identified by using DHCP. (See Domain Name System in Chapter 11.)
IP Version: Select the version of the IP address: Version 6 or Version 4.
IPv6 Address Type: Select the IPv6 address type (if IPv6 is used). The options are

- Link Local: The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
- Global: The IPv6 address is a global Unicast IPv6 type that is visible and reachable from other networks.
Link Local Interface: Select the link local interface (if IPv6 Address Type Link Local is selected) from the list.
SNTP Server IP Address: Enter the SNTP server IP address. The format depends on which address type was selected.
SNTP Server Name: Select the name of the SNTP server from a list of well-known NTP servers. If other is chosen, enter the name of an SNTP server in the adjacent field.
Poll Interval: Select to enable polling of the SNTP server for system time information. All NTP servers that are registered for polling are polled, and the clock is selected from the server with the lowest stratum level (distance from the reference clock) that is reachable. The server with the lowest stratum is considered to be the primary server. The server with the next lowest stratum is a secondary server, and so forth. If the primary server is down, the device polls all servers with the polling setting enabled, and selects a new primary server with the lowest stratum.
5. Click Apply. The SNTP server is added, and you are returned to the main page.

SNMP

This section describes the Simple Network Management Protocol (SNMP) feature that provides a method for managing network devices.

SNMP Versions

The device functions as an SNMP agent and supports SNMPv1, v2, and v3. It also reports system events to trap receivers using the traps defined in the supported MIBs (Management Information Base).

SNMPv1 and v2

To control access to the system, a list of community entries is defined. Each community entry consists of a community string and its access privilege. The system responds only to SNMP messages specifying the community which has the correct permissions and correct operation. SNMP agents maintain a list of variables that are used to manage the device. These variables are defined in the Management Information Base (MIB).

Note: Due to the security vulnerabilities of other versions, it is recommended to use SNMPv3.

SNMPv3
In addition to the functionality provided by SNMPv1 and v2, SNMPv3 applies access control and new trap mechanisms to SNMPv1 and SNMPv2 PDUs. SNMPv3 also defines a User Security Model (USM) that includes:
- Authentication: Provides data integrity and data origin authentication.
- Privacy: Protects against disclosure of message content. Cipher Block Chaining (CBC-DES) is used for encryption. Either authentication alone can be enabled on an SNMP message, or both authentication and privacy can be enabled on an SNMP message. However, privacy cannot be enabled without authentication.
- Timeliness: Protects against message delay or playback attacks. The SNMP agent compares the incoming message time stamp to the message arrival time.

SNMP Workflow
Note: For security reasons, SNMP is disabled by default. Before you can manage the device via SNMP, you must turn on SNMP in the SNMP > Feature Configuration page.

If you decide to use SNMPv1 or v2:
1. Navigate to the SNMP -> Communities page and click Add. The community can be associated with access rights and a view in Basic mode or with a group in Advanced mode. There are two ways to define access rights of a community:
   - Basic mode: The access rights of a community can be configured as Read Only, Read Write, or SNMP Admin. In addition, you can restrict the access to the community to only certain MIB objects by selecting a view (defined in the Views page).
   - Advanced mode: The access rights of a community are defined by a group (defined in the Groups page). You can configure the group with a specific security model. The access rights of a group are Read, Write, and Notify.
2. Choose whether to restrict the SNMP management station to one address or allow SNMP management from all addresses. If you choose to restrict SNMP management to one address, then input the address of your SNMP Management PC in the IP Address field.
3. Input the unique community string in the Community String field.
4. Optionally, enable traps by using the Trap Settings page.
5. Optionally, define a notification filter(s) by using the Notification Filter page.
6. Configure the notification recipients on the Notification Recipients SNMPv1, v2 page.

If you decide to use SNMPv3:
1. Define the SNMP engine by using the Engine ID page. Either create a unique Engine ID or use the default Engine ID. Applying an Engine ID configuration clears the SNMP database.
2. Optionally, define SNMP view(s) by using the Views page. This limits the range of Object IDs available to a community or group.
3. Define groups by using the Groups page.
4. Define users by using the SNMP Users page, where they can be associated with a group. If the SNMP Engine ID is not set, then users may not be created.
5. Optionally, enable or disable traps by using the Trap Settings page.
6. Optionally, define a notification filter(s) by using the Notification Filter page.
7. Define a notification recipient(s) by using the Notification Recipients SNMPv3 page.

Device Model Object IDs (OIDs):
Mode Name | Description | Object ID
LGS308 | 8-Port Smart Gigabit Switch | enterprises(1).linksys(3955).smb(1000)
LGS | Port Smart Gigabit Switch | enterprises(1).linksys(3955).smb(1000)
LGS | Port Smart Gigabit Switch | enterprises(1).linksys(3955).smb(1000)
LGS308P | 8-Port Smart Gigabit PoE+ Switch | enterprises(1).linksys(3955).smb(1000)
LGS318P | 18-Port Smart Gigabit PoE+ Switch | enterprises(1).linksys(3955).smb(1000)
LGS326P | 26-Port Smart Gigabit PoE+ Switch | enterprises(1).linksys(3955).smb(1000)

Private OIDs are placed under: enterprises(1).linksys(3955).smb(1000).switch01(201).

Feature Configuration
The Engine ID is used by SNMPv3 entities to uniquely identify them. An SNMP agent is considered an authoritative SNMP engine. This means that the agent responds to incoming messages (Get, GetNext, GetBulk, Set) and sends trap messages to a manager. The agent's local information is encapsulated in fields in the message. Each SNMP agent maintains local information that is used in SNMPv3 message exchanges. The default SNMP Engine ID is composed of the enterprise number and the default MAC address. This engine ID must be unique for the administrative domain, so that no two devices in a network have the same engine ID. Local information is stored in four MIB variables that are read-only (snmpEngineID, snmpEngineBoots, snmpEngineTime, and snmpEngineMaxMessageSize).

Caution: When the engine ID is changed, all configured users and groups are erased.

To configure SNMP:
1. Click Configuration > System Management > SNMP > Feature Configuration.
2. Enter the following fields:
SNMP: Select to enable SNMP.
Authentication Notification: Select to enable SNMP authentication failure notification.
SNMP Notification: Select to enable SNMP notifications.
Local SNMPv3 Engine ID: Configure the engine. The options:

- Use Default: Select to use the device-generated engine ID. The default engine ID is based on the device MAC address, and is defined per standard as:
  - First 4 octets: First bit = 1, the rest is the IANA enterprise number.
  - Fifth octet: Set to 3 to indicate the MAC address that follows.
  - Last 6 octets: MAC address of the device.
- None: No engine ID is used.
- User Defined: Enter the local device engine ID. The field value is a hexadecimal string (range: 10-64). Each byte in the hexadecimal character strings is represented by two hexadecimal digits.
All remote engine IDs and their IP addresses are displayed in the Remote Engine ID table.
3. Click Apply. The Running Configuration file will be updated.

The Remote Engine ID table shows the mapping between IP addresses of the engine and Engine ID. To add the IP address of an engine ID:
4. Click Add. Enter the following fields:
Remote Engine IP Address: Select whether to specify the Engine ID server by IP address or name.
IP Version: Select the supported IP format.
IPv6 Address Type: Select the IPv6 address type (if IPv6 is used). The options are:
- Link Local: The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
- Global: The IPv6 address is a global Unicast IPv6 type that is visible and reachable from other networks.
Remote Engine IP Address: Enter the IP address of the log server.
Remote Engine IP Name: Enter the domain name of the log server.
Engine ID: Enter the Engine ID.
5. Click Apply. The Running Configuration file is updated.
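The default engine ID layout and the User Defined length rule described above, worked through in Python as an added example (not code from the guide or from the device firmware). It also shows the RFC 3414 password-to-key step, which binds a user's key to the engine ID and is consistent with the caution that users are erased when the engine ID changes. The MAC address, function names and the reading of "range: 10-64" as a count of hexadecimal digits are assumptions.

```python
import hashlib

LINKSYS_ENTERPRISE = 3955   # enterprises(1).linksys(3955), from this guide's OID table
FORMAT_MAC = 3              # fifth octet value announcing that a MAC address follows


def default_engine_id(mac: str, enterprise: int = LINKSYS_ENTERPRISE) -> bytes:
    """Build the 11-octet default engine ID: enterprise word, format octet, MAC."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("a MAC address is exactly 6 octets")
    head = (0x80000000 | enterprise).to_bytes(4, "big")   # first bit = 1
    return head + bytes([FORMAT_MAC]) + mac_bytes


def parse_engine_id(engine_id: bytes) -> dict:
    """Split an engine ID into enterprise number, format octet and MAC (if any)."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("engine ID must be 5 to 32 octets")
    word = int.from_bytes(engine_id[:4], "big")
    info = {"first_bit_set": bool(word & 0x80000000),
            "enterprise": word & 0x7FFFFFFF, "format": None, "mac": None}
    if info["first_bit_set"]:
        info["format"] = engine_id[4]
        rest = engine_id[5:]
        if info["format"] == FORMAT_MAC and len(rest) == 6:
            info["mac"] = ":".join(f"{b:02x}" for b in rest)
    return info


def check_user_defined(hex_string: str) -> bytes:
    """Validate a User Defined engine ID typed as hexadecimal digits."""
    # Assumption: the guide's "range: 10-64" counts hex digits (5 to 32 bytes).
    if not 10 <= len(hex_string) <= 64 or len(hex_string) % 2:
        raise ValueError("expected 10 to 64 hex digits, two per byte")
    raw = bytes.fromhex(hex_string)          # raises ValueError on non-hex input
    if raw in (b"\x00" * len(raw), b"\xff" * len(raw)):
        raise ValueError("all-zero and all-ones engine IDs are reserved")
    return raw


def localized_key(password: str, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """RFC 3414 password-to-key: hash 1 MiB of repeated password, then mix in the engine ID."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    ku = hashlib.new(algorithm, stream).digest()
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


if __name__ == "__main__":
    eid = default_engine_id("00:11:22:33:44:55")     # constructed MAC address
    print(eid.hex(), parse_engine_id(eid))
    # Same password, different engine ID: the stored key no longer matches.
    other = default_engine_id("00:11:22:33:44:56")
    print(localized_key("maplesyrup", eid).hex())
    print(localized_key("maplesyrup", other).hex())
```

Because two switches with the same engine ID would derive the same key from the same password, this also illustrates why the engine ID must be unique within the administrative domain.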

Views
A view is a user-defined label for a collection of MIB subtrees. Each subtree ID is defined by the Object ID (OID) of the root of the relevant subtrees. Either well-known names can be used to specify the root of the desired subtree or an OID can be entered (see Device Model Object IDs). Each subtree is either included or excluded in the view being defined. The Views page enables creating and editing SNMP views. The default views (Default, DefaultSuper) cannot be changed. Views can be attached to groups in the Groups page or to a community which employs basic access mode through the Communities page.

To define SNMP views:
1. Click Configuration > System Management > SNMP > Views.
2. Click Add to define new views.
3. Enter the parameters.
View Name: Enter a view name between 0-30 characters.
View Object: Select the node in the MIB tree that is included or excluded in the selected SNMP view. The options to select the object are as follows:
- Object ID: Enter an OID not offered in the Object ID Selection List option.
- Object ID Selection List: Enables you to navigate the MIB tree. Press the Up arrow to go to the level of the selected node's parent and siblings; press the Down arrow to descend to the level of the selected node's children. Click nodes in the view to pass from one node to its sibling. Use the scrollbar to bring siblings in view.

4. Include or exclude the MIB object from the view. If Include Object is selected, the MIB objects are included in the view, otherwise they are excluded.
5. Click Apply.
6. In order to verify your view configuration, select the user-defined views from the View Name list. The following views exist by default:
- Default: Default SNMP view for read and read/write views.
- DefaultSuper: Default SNMP view for administrator views.
Other views can be added.
Object ID: Displays the Object ID and its subtree to be included or excluded in the SNMP view.
Object View: Displays whether the defined object and its subtree are included or excluded in the selected SNMP view.

Groups
In SNMPv1 and SNMPv2, a community string is sent along with the SNMP frames. The community string acts as a password to gain access to an SNMP agent. However, neither the frames nor the community string are encrypted. Therefore, SNMPv1 and SNMPv2 are not secure. In SNMPv3, the following security mechanisms can be configured:
- Authentication: The device checks that the SNMP user is an authorized system administrator. This is done for each frame.
- Privacy: SNMP frames can carry encrypted data.
Thus, in SNMPv3, there are three levels of security:
- No security (No authentication and no privacy)
- Authentication (Authentication and no privacy)
- Authentication and privacy
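The difference between community-based messages and the three SNMPv3 security levels is visible in the message header itself. The following added example (not from the guide) decodes the BER header of two constructed SNMP messages and reports the version, any community string carried in cleartext, and the security level; the sample bytes and function names are constructed for illustration.

```python
def read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value; return (tag, value, next_position)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:end], end


def classify_snmp(packet: bytes) -> dict:
    """Report version, exposed community and security level of one SNMP message."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, raw_version, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(raw_version, "big")

    if version in (0, 1):                   # 0 = SNMPv1, 1 = SNMPv2c
        tag, community, _ = read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("community OCTET STRING missing")
        return {"version": "v1" if version == 0 else "v2c",
                "community": community.decode("latin-1"),
                "security_level": "No security", "encrypted": False}

    if version == 3:
        tag, header, _ = read_tlv(body, pos)           # msgGlobalData SEQUENCE
        _, _, hpos = read_tlv(header, 0)               # msgID
        _, _, hpos = read_tlv(header, hpos)            # msgMaxSize
        tag, flags, _ = read_tlv(header, hpos)         # msgFlags, one octet
        if tag != 0x04 or len(flags) != 1:
            raise ValueError("msgFlags missing")
        auth, priv = flags[0] & 0x01, flags[0] & 0x02
        if priv and not auth:
            raise ValueError("privacy without authentication is not allowed")
        level = ("Authentication and privacy" if priv
                 else "Authentication" if auth else "No security")
        return {"version": "v3", "community": None,
                "security_level": level, "encrypted": bool(priv)}

    raise ValueError(f"unsupported SNMP version field {version}")


# Constructed SNMPv2c GetRequest for sysDescr.0 with the community "constructed".
V2C_GET = (bytes.fromhex("302b020101040b") + b"constructed" +
           bytes.fromhex("a019020101020100020100300e300c06082b060102010101000500"))

# Constructed SNMPv3 message: msgFlags 0x03 (auth + priv), placeholder
# security parameters and four stand-in ciphertext bytes.
V3_AUTHPRIV = bytes.fromhex("301c020103" "300d" "020101" "020205dc" "040103"
                            "020103" "04023000" "0404deadbeef")

if __name__ == "__main__":
    for sample in (V2C_GET, V3_AUTHPRIV):
        print(classify_snmp(sample))
```

Run over captured management traffic, a classifier like this shows which stations still send community strings in the clear and which SNMPv3 users operate below the Authentication and privacy level.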

SNMPv3 provides a means of controlling the content each user can read or write and the notifications they receive. A group defines read/write privileges and a level of security. It becomes operational when it is associated with an SNMP user or community.

Note: To associate a non-default view with a group, first create the view in the Views page.

To create an SNMP group:
1. Click Configuration > System Management > SNMP > Groups. This page displays the existing SNMP groups and their security levels. The following fields are displayed for each SNMP group (only the fields not explained in the Add page):
No Authentication Read View: No authentication is needed, and anyone is able to read the view.
No Authentication Write View: No authentication is needed, and anyone is able to write the view.
No Authentication Notify View: No authentication is needed, and anyone is able to receive notification of the view.
Authentication Read View: Only authenticated users are allowed to read the view. By default, all users or community of a group can access all the MIB objects. A group can be limited to specific view(s) based on the read, write, notify, authentication and/or privacy configurations.
Authentication Write View: Only authenticated users are able to write the view. Management access is write for the selected view.
Authentication Notify View: Only authenticated users are allowed to receive notification.
Privacy Read View: When reading the objects in the view, the SNMP messages are encrypted.
Privacy Write View: When writing the object in the view, the SNMP messages are encrypted.
Privacy Notify View: Notifications on the objects in the view are encrypted.
2. Click Add.
3. Enter the parameters.
Group Name: Enter a new group name.
Security Model: Select the SNMP version attached to the group, SNMPv1, v2, or v3.
Three types of views with various security levels can be defined. For each security level, select the views for Read, Write and Notify by entering the following fields:
Enable: Select this field to enable the Security Level.

Security Level: Define the security level attached to the group. SNMPv1 and SNMPv2 support neither authentication nor privacy. If SNMPv3 is selected, select to enable one of the following:
- No Authentication and No Privacy: Neither the Authentication nor the Privacy security levels are assigned to the group.
  Authorized View: Select the Read, Write and Notify views associated with this group and with the above security level.
- Authentication and No Privacy: Authenticates SNMP messages, and ensures the SNMP message origin is authenticated but does not encrypt them.
  Authorized View: Select the Read, Write and Notify views associated with this group and with the above security level.
- Authentication and Privacy: Authenticates SNMP messages, and encrypts them.
  Authorized View: Select the Read, Write and Notify views associated with this group and with the above security level.
4. Click Apply. The SNMP group is saved to the Running Configuration file.

Users
An SNMP user is defined by the login credentials (username, passwords, and authentication method) and by the context and scope in which it operates by association with a group and an Engine ID. The configured user has the attributes of its group, and the access privileges configured within the associated view.

Groups enable network managers to assign access rights to a group of users instead of to a single user. A user can only belong to a single group. To create an SNMPv3 user, the following must first exist:
- An engine ID must first be configured on the device. This is done in the Engine ID page.
- An SNMPv3 group must be available. An SNMPv3 group is defined in the Groups page.

To display SNMP users and define new ones:
1. Click Configuration > System Management > SNMP > Users. This page contains existing users.
2. Click Add. This page provides information for assigning SNMP access control privileges to SNMP users.
3. Enter the parameters.
User Name: Enter a name for the user.
Engine ID: Select either the local or remote SNMP entity to which the user is connected. Changing or removing the local SNMP Engine ID deletes the SNMPv3 User Database. To receive inform messages and request information, you must define both a local and remote user.
- Local: User is connected to the local device.
- Engine: User is connected to a different SNMP entity besides the local device. If the remote Engine ID is defined, remote devices receive inform messages, but cannot make requests for information. Select the remote engine ID.
Group Name: Select the SNMP group to which the SNMP user belongs. SNMP groups are defined in the Add Group page.
Note: Users who belong to groups which have been deleted remain, but they are inactive.
Authentication Method: Select the Authentication method that varies according to the Group Name assigned. If the group does not require authentication, then the user cannot configure any authentication. The options are:
- None: No user authentication is used.
- MD5: A password that is used for generating a key by the MD5 authentication method.
- SHA: A password that is used for generating a key by the SHA (Secure Hash Algorithm) authentication method.

Authentication Password: If authentication is accomplished by either an MD5 or a SHA password, enter the local user password in either Encrypted or Plaintext. Local user passwords are compared to the local database, and can contain up to 32 ASCII characters.
Privacy Method: Select one of the following options:
- None: Privacy password is not encrypted.
- DES: Privacy password is encrypted according to the Data Encryption Standard (DES).
Privacy Password: 16 bytes are required (DES encryption key) if the DES privacy method was selected. This field must be exactly 32 hexadecimal characters. The Encrypted or Plaintext mode can be selected.
4. Click Apply to save the settings.

Communities
Access rights in SNMPv1 and SNMPv2 are managed by defining communities in the Communities page. The community name is a type of shared password between the SNMP management station and the device. It is used to authenticate the SNMP management station. Communities are only defined in SNMPv1 and v2 because SNMPv3 works with users instead of communities. The users belong to groups that have access rights assigned to them. The Communities page associates communities with access rights, either directly (Basic mode) or through groups (Advanced mode):
- Basic Mode: The access rights of a community can be configured as Read Only, Read Write, or SNMP Admin. In addition, you can restrict the access to the community to only certain MIB objects by selecting a view (defined in the SNMP Views page).

- Advanced Mode: The access rights of a community are defined by a group (defined in the Groups page). You can configure the group with a specific security model. The access rights of a group are Read, Write, and Notify.

To define SNMP communities:
1. Click Configuration > System Management > SNMP > Communities. This page contains a table of configured SNMP communities and their properties.
2. Click Add. This page enables network managers to define and configure new SNMP communities.
3. Enter the following fields:
SNMP Management Station: Select User Defined to enter the management station IP address that can access the SNMP community. Select All to indicate that any IP device can access the SNMP community.
IP Version: Select either IPv4 or IPv6.
IPv6 Address Type: Select the supported IPv6 address type if IPv6 is used. The options are:
- Link Local: The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
- Global: The IPv6 address is a global Unicast IPv6 type that is visible and reachable from other networks.
Interface: If the IPv6 address type is Link Local, select whether it is received through a VLAN or ISATAP.
IP Address: Enter the SNMP management station IP address.
Community: Enter the community name used to authenticate the management station to the device.
Access Control: Select one of the following:
- Basic: In this mode, there is no connection to any group. You can only choose the community access level (Read Only, Read Write, or SNMP Admin) and, optionally, further qualify it for a specific view. By default, it applies to the entire MIB.
- Advanced: In this mode, access is controlled by group configurations.
Access Mode: Configure the community:
- Read Only: Management access is restricted to read-only. Changes cannot be made to the community.

- Read Write: Management access is read-write. Changes can be made to the device configuration, but not to the community.
- SNMP Admin: User has access to all device configuration options, as well as permissions to modify the community. SNMP Admin is equivalent to Read Write for all MIBs except for the SNMP MIBs. SNMP Admin is required for access to the SNMP MIBs.
View Name: Select an SNMP view (a collection of MIB subtrees to which access is granted).
Group Name: Select an SNMP group that determines the access rights in Advanced mode.
4. Click Apply. The SNMP Community is defined, and the Running Configuration is updated.

Notification Filters
The Notification Filter page enables configuring SNMP notification filters and Object IDs (OIDs) that are checked. After creating a notification filter, it is possible to attach it to a notification recipient in the Notification Recipients SNMPv1/v2 page, and Notification Recipients SNMPv3 page. The notification filter enables filtering the type of SNMP notifications that are sent to the management station based on the OID of the notification to be sent.

To define a notification filter:
1. Click Configuration > System Management > SNMP > Notification Filter. The Notification Filter page contains notification information for each filter. The table is able to filter notification entries by Filter Name.
2. Click Add.

3. Enter the parameters.
Filter Name: Enter a name between 0-30 characters.
Filter Object: Select the node in the MIB tree that is included or excluded in the selected SNMP filter. The options to select the object are as follows:
- Selection List: Enables you to navigate the MIB tree. Press the Up arrow to go to the level of the selected node's parent and siblings; press the Down arrow to descend to the level of the selected node's children. Click nodes in the view to pass from one node to its sibling. Use the scrollbar to bring siblings in view.
- If Object ID is used, the object identifier is included in the view if the Include in filter option is selected.
4. Include or exclude in Object Filter. If this is selected, the selected MIBs are included in the filter, otherwise they are excluded.
5. Click Apply. The SNMP views are defined and the running configuration is updated.

V1/V2 Notification Recipients
Trap messages are generated to report system events, as defined in RFC. The system can generate traps defined in the MIB that it supports. Trap receivers (aka Notification Recipients) are network nodes where the trap messages are sent by the device. A list of notification recipients is defined as the targets of trap messages. A trap receiver entry contains the IP address of the node and the SNMP credentials corresponding to the version that is included in the trap message. When an event arises that requires a trap message to be sent, it is sent to every node listed in the Notification Recipient Table.

The Notification Recipients SNMPv1/v2 page and the Notification Recipients SNMPv3 page enable configuring the destination to which SNMP notifications are sent, and the types of SNMP notifications that are sent to each destination (traps or informs). The Add/Edit pop-ups enable configuring the attributes of the notifications. An SNMP notification is a message sent from the device to the SNMP management station indicating that a certain event has occurred, such as a link up/down. It is also possible to filter certain notifications. This can be done by creating a filter in the Notification Filter page and attaching it to an SNMP notification recipient. The notification filter enables filtering the type of SNMP notifications that are sent to the management station based on the OID of the notification that is about to be sent.

To define a recipient in SNMPv1/v2:
1. Click Configuration > System Management > SNMP > Notification Recipients. This page displays the currently-defined SNMP recipients.
2. Enter the parameters.
Recipient: Select whether to specify the remote log server by IP address or server name.
IP Version: Select either IPv4 or IPv6.
IPv6 Address Type: Select either Link Local or Global.
- Link Local: The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
- Global: The IPv6 address is a global Unicast IPv6 type that is visible and reachable from other networks.
Interface: If the IPv6 address type is Link Local, select whether it is received through a VLAN or ISATAP.
Recipient IP Address: Enter the IP address of where the traps are sent.
Recipient IP Name: Enter the server name of where the traps are sent.
UDP Port: Enter the UDP port used for notifications on the recipient device.
Notification Type: Select whether to send Traps or Informs. If both are required, two recipients must be created.
Notification Version: Select the trap SNMP version 1 or 2.
Community: Select from the pull-down the community string of the trap manager. Community String names are generated from those listed in the Community page.
Notification Filter: Select to enable filtering the type of SNMP notifications sent to the management station. The filters are created in the Notification Filter page.

Filter Name: Select the SNMP filter that defines the information contained in traps (defined in the Notification Filter page).
3. Click Apply. The SNMP Notification Recipient settings are written to the Running Configuration file.

V3 Notification Recipients
To define a recipient in SNMPv3:
1. Click SNMP > Notification Recipients SNMPv3. This page displays recipients for SNMPv3.
2. Enter the fields:
IP Version: Select either IPv4 or IPv6.
IPv6 Address Type: Select the IPv6 address type (if IPv6 is used). The options are:
- Link Local: The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
- Global: The IPv6 address is a global Unicast IPv6 type that is visible and reachable from other networks.
Link Local Interface: Select the link local interface (if IPv6 Address Type Link Local is selected) from the pull-down list.
Recipient IP Address/Name: Enter the IP address or server name of where the traps are sent.
UDP Port: Enter the UDP port used for notifications on the recipient device.

Notification Version: Select SNMP v3.
Notification Type: Select whether to send traps or informs. If both are required, two recipients must be created.
Timeout: Enter the amount of time (seconds) the device waits before re-sending informs/traps. Timeout: Range 1-300, default 15.
Retries: Enter the number of times that the device resends an inform request. Retries: Range 1-255, default 3.
User Name: Select from the drop-down list the user to whom SNMP notifications are sent. In order to receive notifications, this user must be defined on the SNMP User page, and its engine ID must be remote.
Security Level: Select how much authentication is applied to the packet.
Note: The Security Level here depends on which User Name was selected. If this User Name was configured as No Authentication, the Security Level is No Authentication only. However, if this User Name has assigned Authentication and Privacy on the User page, the security level on this screen can be either No Authentication, or Authentication Only, or Authentication and Privacy.
The options are:
- No Authentication: Indicates the packet is neither authenticated nor encrypted.
- Authentication: Indicates the packet is authenticated but not encrypted.
- Privacy: Indicates the packet is both authenticated and encrypted.
Notification Filter: Select to enable filtering the type of SNMP notifications sent to the management station. The filters are created in the Notification Filter page.
Filter Name: Select the SNMP filter that defines the information contained in traps (defined in the Notification Filter page).
3. Click Apply. The SNMP Notification Recipient settings are written to the Running Configuration file.

Logs
Each log is a set of messages describing system events. The device generates the following local logs:
- Log sent to the console interface.
- Log written into a cyclical list of logged events in the RAM and erased when the device reboots.
- Log written to a cyclical log-file saved to the Flash memory and persists across reboots.

In addition, you can send messages to remote SYSLOG servers in the form of SNMP traps and SYSLOG messages. You can configure the messages that are written to each log by severity, and a message can go to more.

Log Management
You can select the events by severity level. Each log message has a severity level marked with the first letter of the severity level separated by dashes (-) on each side (except for Emergency that is indicated by the letter F). For example, the log message %INIT-I-InitCompleted: has a severity level of I, meaning Informational. The event severity levels are listed from the highest severity to the lowest severity:
1. Emergency: System is not usable.
2. Alert: Action is needed.
3. Critical: System is in a critical condition.
4. Error: System is in error condition.
5. Warning: System warning has occurred.
6. Notice: System is functioning properly, but a system notice has occurred.
7. Informational: Device information.
8. Debug: Detailed information about an event.
You can select different severity levels for RAM and Flash logs. These logs are displayed in the RAM Log page and Flash Memory Log page, respectively. Selecting a severity level to be stored in a log causes all of the higher severity events to be automatically stored in the log. Lower severity events are not stored in the log.

For example, if Warning is selected, all severity levels that are Warning and higher are stored in the log (Emergency, Alert, Critical, Error, and Warning). No events with severity level below Warning are stored (Notice, Informational, and Debug).

To set global log parameters:
1. Click Configuration > System Management > Logs > Log Management.
2. Enter the parameters:
System Log
Logging: Select to enable message logging.
Originator Identifier: Enables adding an origin identifier to SYSLOG messages. The options:
- None: Do not include the origin identifier in SYSLOG messages.
- Hostname: Include the system hostname in SYSLOG messages.
- IPv4 Address: Include the IPv4 address of the sending interface in SYSLOG messages.
- IPv6 Address: Include the IPv6 address of the sending interface in SYSLOG messages.
- User Defined: Enter a description to be included in SYSLOG messages.
Log Settings
Severity: Select the severity levels of the messages to be logged to the following:
- RAM Memory Logging: Severity levels of the messages to be logged to the RAM.
- Flash Memory Logging: Severity levels of the messages to be logged to the Flash memory.
3. Click Apply. The Running Configuration file is updated.
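The severity letter convention and the threshold rule described above, applied to exported log lines in an added Python example (not from the guide). The sample lines other than the %INIT-I-InitCompleted tag, the threshold settings and the function names are constructed; a practitioner can use the same logic to check which events a chosen Flash threshold would keep across a reboot.

```python
import re

# Severity names in the guide's order, highest first.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
# Tag letter: first letter of the name, except Emergency, which the guide marks F.
LETTER = {("F" if name == "Emergency" else name[0]): name for name in SEVERITIES}
RANK = {name: index for index, name in enumerate(SEVERITIES)}

TAG = re.compile(r"%(?P<source>\w+)-(?P<letter>[A-Z])-(?P<mnemonic>\w+):\s*(?P<text>.*)")


def parse_log_line(line: str):
    """Return source, severity, mnemonic and text, or None if the tag is not recognised."""
    match = TAG.search(line)
    if match is None or match["letter"] not in LETTER:
        return None
    return {"source": match["source"], "severity": LETTER[match["letter"]],
            "mnemonic": match["mnemonic"], "text": match["text"]}


def is_stored(severity: str, threshold: str) -> bool:
    """True when an event of this severity is kept by a log set to `threshold`."""
    return RANK[severity] <= RANK[threshold]


def destinations(line: str, thresholds: dict) -> list:
    """Names of the logs (for example RAM, Flash) that would keep this line."""
    event = parse_log_line(line)
    if event is None:
        return []
    return [log for log, level in thresholds.items()
            if is_stored(event["severity"], level)]


def lost_on_reboot(lines: list, thresholds: dict) -> list:
    """Events held only in RAM, which the guide says is erased on reboot."""
    kept = []
    for line in lines:
        where = destinations(line, thresholds)
        if "RAM" in where and "Flash" not in where:
            kept.append(parse_log_line(line))
    return kept


# Constructed sample input; only the first tag appears in the guide.
SAMPLE_LINES = [
    "%INIT-I-InitCompleted: constructed text",
    "%SAMPLE-W-LoginRejected: constructed text",
    "%SAMPLE-E-PortFault: constructed text",
    "%SAMPLE-F-SystemHalt: constructed text",
    "free text without a severity tag",
]
# Constructed settings: RAM keeps Informational and above, Flash keeps Error and above.
SAMPLE_THRESHOLDS = {"RAM": "Informational", "Flash": "Error"}

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(destinations(line, SAMPLE_THRESHOLDS), line)
    print([e["mnemonic"] for e in lost_on_reboot(SAMPLE_LINES, SAMPLE_THRESHOLDS)])
```

With these constructed thresholds a rejected login at Warning level never reaches Flash, so it is gone after a reboot unless it is also sent to a remote log server.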

Remote Log Servers
The Remote Log Servers page enables defining remote SYSLOG servers where log messages are sent (using the SYSLOG protocol). For each server, you can configure the severity of the messages that it receives.

To define SYSLOG servers, do the following:
1. Click Configuration > System Management > Logs > Remote Log Servers.
2. Click Add.
3. Enter the parameters.
Enter New Server
Remote Log Server: Select whether to identify the remote log server by IP address or name.
IP Version: Select the supported IP version.
IPv6 Address Type: Select the IPv6 address type (if IPv6 is used). The options:
- Global: The IPv6 address is a global Unicast IPv6 type that is visible and reachable from other networks.
- Link Local: The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
- Interface: Select the link local interface (if IPv6 Address Type Link Local is selected) from the list.

Log Server IP Address: Enter the IP address of the log server if it is to be identified by address.
Log Server Name: Enter the domain name of the log server if it is to be identified by name.
Server Settings
UDP Port: Enter the UDP port to which the log messages are sent.
Facility: Select a facility value from which system logs are sent to the remote server. Only one facility value can be assigned to a server. If a second facility code is assigned, the first facility value is overridden.
Description: Enter a server description.
Minimum Logging Level: Select the minimum level of system log messages to be sent to the server.
4. Click Apply. The SYSLOG server is added, and the Running Configuration file is updated.

RAM Log
The RAM Log page displays all messages that were saved in the RAM (cache) in chronological order. Entries are stored in the RAM log according to the configuration in the Log Management page.
Click Configuration > System Management > Logs > RAM Log.
Log Index: Log entry number.
Log Time: Time when message was generated.

Severity: Event severity.
Description: Message text describing the event.
To clear the log messages, click Clear.

Flash Memory Log
The Flash Memory Log page displays the messages that were stored in the Flash memory, in chronological order. The minimum severity for logging is configured in the Log Management page. Flash logs remain when the device is rebooted. You can clear the logs manually.
Click Configuration > System Management > Logs > Flash Memory Log.
Log Index: Log entry number.
Log Time: Time when message was generated.
Severity: Event severity.
Description: Message text describing the event.
To clear the messages, click Clear.

Chapter 5 Port Management

Ports
To configure port settings:
1. Click Configuration > Port Management > Ports.
2. Select Enable to support jumbo packets of up to 10 KB in size. If Jumbo Frames is not enabled (default), the system supports packet size up to 2,000 bytes. For Jumbo Frames to take effect, the device must be rebooted after the feature is enabled.
3. To update the port settings, select the desired port, and click Edit.
Select Your Port
Port: Select the port number from the drop-down menu.
Port settings
Operational Status: Displays whether the port is up or down. If the port is down because of an error, the description of the error is displayed.
Administrative Mode: Select to change the operational status.
Suspended Port: Select to reactivate a port that has been suspended. The reactivate operation brings the port up without regard to why the port was suspended.

Protected Port: Select to make this a protected port. (A protected port is also referred to as a Private VLAN Edge.) Features of a protected port:
- Protected Ports provide Layer 2 isolation between interfaces (Ethernet ports and LAGs) that share the same VLAN.
- Packets received from protected ports can be forwarded only to unprotected egress ports. Protected port filtering rules are also applied to packets that are forwarded by software, such as snooping applications.
- Port protection is not subject to VLAN membership. Devices connected to protected ports are not allowed to communicate with each other, even if they are members of the same VLAN.
- Both ports and LAGs can be defined as protected or unprotected.
- Protected LAGs are described in the LAGs section.
Auto Negotiation: Select to enable auto-negotiation on the port. Auto negotiation enables a port to advertise its transmission speed, duplex mode, and flow control abilities to the port link partner.
Port Speed: Port type determines available speeds. You can designate this field only when port Auto Negotiation is disabled.
Duplex Mode: Select the port duplex mode. This field is configurable only when Auto Negotiation is disabled, and the port speed is set to 10M or 100M. At port speed of 1G, the mode is always full duplex.
- Half: The interface supports transmission between the device and the client in only one direction at a time.
- Full: The interface supports transmission between the device and the client in both directions simultaneously.
Auto Advertisement: Select the capabilities advertised by Auto Negotiation when it is enabled.
- Max Capability: All port speeds and duplex mode settings can be accepted.
- Full Duplex: 10 Mbps speed and Full Duplex mode.
- Half Duplex: 10 Mbps speed and Half Duplex mode.
- Full Duplex: 100 Mbps speed and Full Duplex mode.
- Half Duplex: 100 Mbps speed and Half Duplex mode.
- Full Duplex: 1000 Mbps speed and Full Duplex mode.

- Back Pressure: Used with Half Duplex mode to slow down the packet reception speed when the device is congested. It disables the remote port, preventing it from sending packets by jamming the signal.
- Flow Control: Enable or disable 802.3x Flow Control, or enable the Auto Negotiation of flow control on the port (only when in Full Duplex mode).
- MDI/MDIX: Media Dependent Interface/Media Dependent Interface with Crossover status on the port.
  - MDIX: Select to swap the port's transmit and receive pairs.
  - MDI: Select to connect this device to a station by using a straight-through cable.
  - Auto: Select to configure this device to automatically detect the correct pinouts for the connection to another device.
- Description: Enter a port description.

4. Click Apply.

Link Aggregation

Link Aggregation Control Protocol (LACP) is part of the IEEE specification (802.3ad) that enables you to bundle several physical ports together to form a single logical channel (LAG). LAGs multiply the bandwidth, increase port flexibility, and provide link redundancy between two devices.

This switch supports two kinds of LAG.
- Static: A LAG is static if the LACP is disabled. The ports assigned to a static LAG are always active members. After a LAG is manually created, the LACP option cannot be added or removed until the LAG is edited and a member is removed (which can be added prior to applying), then the LACP button becomes available for editing.
- Dynamic: A LAG is dynamic if LACP is enabled. The ports assigned to dynamic LAG are candidate ports. LACP determines which candidate ports are active member ports. The non-active candidate ports are standby ports ready to replace any failing active member ports.

Load Balancing

Traffic forwarded to a LAG is load-balanced across the active member ports, thus achieving an effective bandwidth close to the aggregate bandwidth of all the active member ports of the LAG. Traffic load balancing over the active member ports of a LAG is managed by a hash-based distribution function that distributes Unicast and Multicast traffic based on Layer 2 or Layer 3 packet header information.

This switch supports two modes of load balancing.
- By MAC Addresses (Default): Based on the destination and source MAC addresses of all packets.
- By IP and MAC Addresses: Based on the destination and source IP addresses for IP packets, and destination and source MAC addresses for non-IP packets.

LAG Management

In general, a LAG is treated by the system as a single logical port. In particular, the LAG has port attributes similar to a regular port, such as state and speed.

The device supports four LAGs. Each LAG has the following characteristics:
- All ports in a LAG must be of the same media type.
- To add a port to the LAG, it cannot belong to any VLAN except the default VLAN.
- Ports in a LAG must not be assigned to another LAG.
- No more than eight ports are assigned to a static LAG and no more than 16 ports can be candidates for a dynamic LAG.
- All the ports in a LAG must have auto-negotiation disabled, although the LAG can have auto-negotiation enabled.
- When a port is added to a LAG, the configuration of the LAG is applied to the port. When the port is removed from the LAG, its original configuration is reapplied.
- Protocols, such as Spanning Tree, consider all the ports in the LAG to be one port.

Default Settings and Configuration

Ports are not members of a LAG and are not candidates to become part of a LAG.

Static and Dynamic LAG Workflow

After a LAG has been manually created, LACP cannot be added or removed until the LAG is edited and a member is removed. Only then is the LACP field activated.

To configure a static LAG:
1. Disable LACP on the LAG to make it static. Assign up to eight member ports to the static LAG by moving them from the Port List to the LAG Port Member list. Perform these actions in the LAGs page.
2. Configure various aspects of the LAG, such as speed and flow control, by using the Edit LAG page.

To configure a dynamic LAG:
1. Enable LACP on the LAG. Assign up to 16 candidate ports to the dynamic LAG by selecting and moving the ports from the Port List to the LAG Port Member List by using the LAGs page.
2. Configure various aspects of the LAG, such as speed and flow control, by using the LAGs page.

LAGs

The LAGs page enables you to configure the global settings, and to select and edit the desired LAG on the Edit LAG Membership page.

To define the member or candidate ports in a LAG:

1. Click Configuration > Port Management > Link Aggregation > LAGs.
2. Select the Load Balance Method:
   - by MAC Address (Default): Based on the destination and source MAC addresses of all packets.
   - by IP and MAC Address: Based on the destination and source IP addresses for IP packets, and destination and source MAC addresses for non-IP packets.
3. Select the LAG to be configured, and click Edit.

Select Your LAG
- LAG: Select the LAG from the drop-down menu.

LAG Settings
- Operational Status: Whether the LAG is up or down.
- Port List: Move those ports that are to be assigned to the LAG from the Port List to the LAG Port Member list. Up to eight ports per static LAG can be assigned, and 16 ports can be assigned to a dynamic LAG.
- LAG Mode: Displays whether the LAG is up or down.
- Suspended LAG: Select to reactivate the LAG.
- Protected LAG: Select to make the LAG a protected port for Layer 2 isolation. See Port settings for details regarding protected ports and LAGs.
- LACP: Select to enable LACP on the selected LAG. This makes it a dynamic LAG. This field can only be enabled after moving a port to the LAG in the next field.

- Auto Negotiation: Select to enable auto-negotiation on the LAG. Auto-negotiation is a protocol between two link partners that enables a LAG to advertise its transmission speed and flow control to its partner (the Flow Control default is disabled). It is recommended to keep auto-negotiation enabled on both sides of an aggregate link, or disabled on both sides, while ensuring that link speeds are identical.
- Port Speed: Configure the speed of the LAG. The port types determine the available speeds. You can designate this field only when port auto-negotiation is disabled.
- Auto Advertisement: Select the capabilities to be advertised by the LAG.
  - Max Capability: All LAG speeds and both duplex modes are available.
  - Full Duplex: The LAG advertises a 10 Mbps speed and the mode is full duplex.
  - Full Duplex: The LAG advertises a 100 Mbps speed and the mode is full duplex.
  - Full Duplex: The LAG advertises a 1000 Mbps speed and the mode is full duplex.
- Flow Control: Set Flow Control to either Enable or Disable or Auto-Negotiation.
- Description: Enter the LAG name or a comment.

4. Click Apply. LAG membership is saved to the Running Configuration file.

Green Ethernet

Green Ethernet is a common name for a set of features that is designed to be environmentally friendly, and to reduce the power consumption of a device. Green Ethernet is different from EEE in that Green Ethernet energy-detect is enabled on all devices where only the gigabit ports are enabled with EEE.

The Green Ethernet feature can reduce overall power usage in the following ways.
- Short-Reach Mode: Provides for power savings on a short length of cable. After cable length is analyzed, the power usage is adjusted for various cable lengths. If the cable is shorter than 50 meters, the device uses less power to send frames over the cable, thus saving energy. This mode is only supported on RJ45 GE ports; it does not apply to Combo ports. This mode is globally disabled by default. It cannot be enabled if EEE mode is enabled (see below).
- Energy Efficient Ethernet (EEE): Reduces power consumption when there is no traffic on the port. See Energy Efficient Ethernet for more information. EEE is enabled globally by default.

On a given port, if EEE is enabled, short reach mode will be disabled. If Short Reach Mode is enabled, EEE is grayed out. These modes are configured per port, without taking into account the LAG membership of the ports.

Power savings, current power consumption and cumulative energy saved can be monitored. The total amount of saved energy can be viewed as a percentage of the power that would have been consumed by the physical interfaces had they not been running in Green Ethernet mode. The saved energy displayed is only related to Green Ethernet. The amount of energy saved by EEE is not displayed.

Energy Efficient Ethernet

EEE is designed to save power when there is no traffic on the link. In Green Ethernet, power is reduced when the port is down. With EEE, power is reduced when the port is up, but there is no traffic on it. When using EEE, systems on both sides of the link can disable portions of their functionality and save power during periods of no traffic. EEE supports IEEE MAC operation at 100 Mbps and 1000 Mbps.

LLDP is used to select the optimal set of parameters for both devices. If LLDP is not supported by the link partner, or is disabled, EEE will still be operational, but it might not be in the optimal operational mode.

The EEE feature is implemented using a port mode called Low Power Idle (LPI) mode. When there is no traffic and this feature is enabled on the port, the port is placed in the LPI mode, which reduces power consumption dramatically. Both sides of a connection (device port and connecting device) must support EEE for it to work. When traffic is absent, both sides send signals indicating that power is about to be reduced. When signals f s (and not in Down status), and power is reduced. For ports to stay in LPI mode, the Keep Alive signal must be received continuously from both sides.

Power Saving by Disabling Port LEDs

Use the Green Ethernet feature to disable port LEDs (link, speed, and PoE) when they are not needed. Enable them if needed (debugging, connecting additional devices, etc.).

Advertise Capabilities Negotiation

EEE support is advertised during the Auto-Negotiation stage. Auto-Negotiation provides a linked device with the capability to detect the abilities (modes of operation) supported by the device at the other end of the link, determine common abilities, and configure itself for joint operation. Auto-Negotiation is performed at the time of link-up, on command from management, or upon detection of a link error. During the link establishment process, both link partners exchange their EEE capabilities. Auto-Negotiation functions automatically without user interaction when it is enabled on the device.

Note: If Auto-Negotiation is not enabled on a port, the EEE is disabled. The only exception is if the link speed is 1GB, then EEE will still be enabled even though Auto-Negotiation is disabled.

Default Configuration

By default, EEE is enabled globally and per port.

Interactions Between Features

EEE interactions with other features:
- If auto-negotiation is not enabled on the port, the EEE operational status is disabled. The exception to this rule is that if the link speed is 1 gigabit, EEE will still be enabled even though Auto-Negotiation is disabled.
- If EEE is enabled and the port is going up, it commences to work immediately in accordance with the maximum wake time value of the port.
- On the GUI, the EEE field for the port is not available when the Short Reach Mode option on the port is checked.
- If the port speed on the GE port is changed to 10Mbit, EEE is disabled. This is supported in GE models only.

EEE Configuration Workflow

This section describes how to configure the EEE feature and view its counters.
1. Ensure that auto-negotiation is enabled on the port by opening the Ports page. Select a port and open the Edit Ports page. Select the Auto Negotiation field to ensure that it is enabled.
2. Ensure that Energy Efficient Ethernet (EEE) is globally enabled in the Green Ethernet page (it is enabled by default). This page also displays how much energy has been saved.
3. Ensure that EEE is enabled on a port by opening the Green Ethernet page. Select a port, open the Edit Ports page. Check the Energy Efficient Ethernet (EEE) mode on the port (it is enabled by default).

Configuring Green Ethernet

To configure Green Ethernet globally and on a port:
1. Click Configuration > Port Management > Green Ethernet.
   - Energy Detect Mode: Select to globally enable.
   - Port LEDs: Select to disable port LEDs. When disabled, ports do not display link status, activity, etc.
   - Short Reach: Select to globally enable Short Reach mode if there are Green Ethernet ports on the device.

   Note: If Short Reach is enabled, EEE must be disabled.
   - Energy Efficient Ethernet (EEE): Select to globally enable EEE.
2. Click Apply to set the global settings.
   - Power Savings: The percentage of power saved by running Green Ethernet and Short Reach. The power savings displayed is only relevant to the power saved by Short Reach and Energy Detect modes. The EEE power savings is dynamic by nature since it is based on port utilization and is therefore not taken into consideration. The power saving calculation is performed by comparing the maximum power consumption without power savings to the current consumption.
   - Cumulative Energy Saved: The amount of energy saved from the last device reboot in watt hours. This value is updated each time there is an event that affects power saving.
3. Select a port and click Edit.

Select Your Port
- Port: Select a port from the drop-down menu.

Port Settings
- Energy Detect Mode: Select to enable.
- Short Reach Mode: Select to enable.
- EEE Mode: Select to enable.
- EEE LLDP Mode: Select to enable.
- EEE Status: Whether EEE is currently operating on the local port. This is a function of whether it has been enabled (Administrative Status), whether it has been enabled on the local port and whether it is operational on the local port.

Note: The Green Ethernet Table displays the Short Reach, Energy Detect and EEE settings for each port; however, they are not enabled on any port unless they are also enabled globally.

PoE

A Power over Ethernet (PoE) device is PSE (Power Sourcing Equipment) that delivers electrical power to connected PD (Powered Devices) over existing copper cables without interfering with the network traffic, updating the physical network or modifying the network infrastructure. The PoE feature is only available on PoE-based devices.

PoE capabilities:
- Eliminates the need to run 110/220 V AC power to all devices on a wired LAN.
- Removes the necessity for placing all network devices next to power sources.
- Eliminates the need to deploy double cabling systems in an enterprise, significantly decreasing installation costs.

Power over Ethernet can be used in any enterprise network that deploys relatively low-powered devices connected to the Ethernet LAN:
- IP phones
- Wireless access points
- IP gateways
- Audio and video remote monitoring devices

PoE Operation

PoE implementation stages:
- Detection: Sends special pulses on the copper cable. When a PoE device is located at the other end, that device responds to these pulses.
- Classification: Negotiation between the Power Sourcing Equipment (PSE) and the Powered Device (PD) commences after the Detection stage. During negotiation, the PD specifies its class, which is the amount of maximum power that the PD consumes.
- Power Consumption: After the classification stage completes, the PSE provides power to the PD. If the PD supports PoE, but without classification, it is assumed to be class 0 (the maximum). If a PD tries to consume more power than permitted by the standard, the PSE stops supplying power to the port.

Power Modes

Power per port can be limited depending on the Power Mode:
- Port Limit: Power is limited to a specified wattage. For these settings to be active, the system must be in PoE Port Limit mode. That mode is configured in the PoE Feature Configuration page. When the power consumed on the port exceeds the port limit, the port power is turned off.
- Class Limit: Power is limited based on the class of the connected PD. For these settings to be active, the system must be in PoE Class Limit mode. That mode is configured in the PoE Feature Configuration page. When the power consumed on the port exceeds the class limit, the port power is turned off.

PoE Priority Example

A 48-port device is supplying a total of 375 watts. The administrator configures all ports to allocate up to 30 watts each. This results in 48 ports times 30 watts, equaling 1440 watts, which is too much. The device cannot provide enough power to each port, so it provides power according to the priority. The administrator sets the priority for each port, allocating how much power it can be given. These priorities are entered in the PoE Port Limit Mode or Class Limit Power Mode pages.

PoE Configuration Considerations

There are two factors to consider in PoE configuration:
- The amount of power that the PSE can supply
- The amount of power that the PD is attempting to consume

You can decide the following:
- Maximum power a PSE is allowed to supply to a PD
- PoE mode: To change the mode from Class Power Limit to Port Limit, and vice versa, during device operation. The power values per port that were configured for the Port Limit mode are retained.
  Note: Changing the mode from Class Limit to Port Limit, and vice versa, when the device is operational forces the Powered Device to reboot.
- Maximum port limit allowed as a per-port numerical limit in mW (Port Limit mode).

The PoE-specific hardware automatically detects the PD class and its power limit according to the class of the device connected to each specific port (Class Limit mode). If at any time during the connectivity an attached PD requires more power from the device than the configured allocation allows (no matter if the device is in Class Limit or Port Limit mode), the device maintains the up/down status of the PoE port link, turns off power delivery to the PoE port, and logs the reason for turning off power.

Caution: Consider the following when connecting switches capable of supplying PoE. The PoE model of the device is PSE (Power Sourcing Equipment) that is capable of supplying DC power to attaching PD (Powered Devices). These devices include VoIP phones, IP cameras, and wireless access points. Even though the PoE switches are PSE, and as such should be powered by AC, they could be powered up as a legacy PD by another PSE due to false detection. When this happens, the PoE device may not operate properly and may not be able to properly supply power to its attaching PDs.

To prevent false detection, you should disable PoE on the ports on the PoE switches that are used to connect to PSEs. You should also first power up a PSE device before connecting it to a PoE device. When a device is being falsely detected as a PD, you should disconnect the device from the PoE port and power cycle the device with AC power before reconnecting its PoE ports.

Feature Configuration

The Feature Configuration page enables selecting either the Port Limit or Class Limit PoE mode. These settings are entered in advance. When the PD actually connects and is consuming power, it might consume much less than the maximum power allowed. Output power is disabled during power-on reboot, initialization, and system configuration to ensure that PDs are not damaged.

To configure PoE on the device and monitor current power usage:
1. Click Configuration > Port Management > PoE > Feature Configuration.
2. Enter values for:
   - Power Mode: Select one of the following options:
     - Port Limit: The maximum power limit per each port is configured by the user.
     - Class Limit: The maximum power limit per port is determined by the class of the device, which results from the Classification stage.
   Note: When you change from Port Limit to Class Limit, or vice versa, you must disable PoE ports, and enable them after changing the power configuration.
   The following counters are displayed for the device:
   - Nominal Power: The total amount of power in watts that the device can supply to all the connected PDs.

   - Consumed Power: Amount of power in watts that is currently being consumed by the PoE ports.
   - Available Power: Nominal power in watts minus the amount of consumed power.
3. Click Apply to save the PoE properties.

Port Limit Power Mode

To configure port limit power mode:
1. Click Configuration > Port Management > PoE > Port Limit Power Mode. The list of fields below is for Port Limit Power Mode.
   - PoE Status: Enable or disable PoE on the port.
   - Power Priority Level: Port priority is low, high, or critical, for use when the power supply is low. For example, if the power supply is running at 99% usage and port 1 is prioritized as high, but port 3 is prioritized as low, port 1 receives power and port 3 might be denied power.
   - Power Allocation Limit (mW): Power in milliwatts allocated to the port.
   - Max Power Allocation (mW): Maximum amount of power permitted on this port.
   - Power Consumption (mW): Amount of power assigned to the powered device connected to the selected interface.
   - Class: Power class of device.
   - Operational Status: Displays whether Power Limit mode is enabled or disabled on the port.
2. Select a port and click Edit. Enter the fields as described above.
3. Click Apply. The PoE settings for the port are written to the Running Configuration file.
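The budget problem from the PoE Priority Example and the Power Priority Level field above, worked through as an added example (it is not code from the switch or its vendor). The grant order (critical, then high, then low, with the lower port number winning ties), the per-port priorities and the names used are assumptions made for illustration.

```python
"""Priority-based PoE budget allocation (added example, not switch firmware).

Assumed model: ports are served critical > high > low, the lower port number
wins ties, and a port is denied when its configured limit no longer fits.
"""
from dataclasses import dataclass

PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}


@dataclass(frozen=True)
class PortRequest:
    port: int
    priority: str   # Power Priority Level: "critical", "high" or "low"
    limit_mw: int   # Power Allocation Limit (mW)


def allocate(budget_mw, requests):
    """Return (granted_ports, denied_ports, remaining_mw) for a power budget."""
    for req in requests:
        if req.priority not in PRIORITY_RANK:
            raise ValueError(f"port {req.port}: unknown priority {req.priority!r}")
        if req.limit_mw <= 0:
            raise ValueError(f"port {req.port}: limit must be positive")
    remaining = budget_mw
    granted, denied = [], []
    for req in sorted(requests, key=lambda r: (PRIORITY_RANK[r.priority], r.port)):
        if req.limit_mw <= remaining:
            granted.append(req.port)
            remaining -= req.limit_mw
        else:
            denied.append(req.port)   # keep going: a smaller request may still fit
    return granted, denied, remaining


def oversubscription(budget_mw, requests):
    """Return (total configured demand in mW, demand divided by budget)."""
    demand = sum(req.limit_mw for req in requests)
    return demand, demand / budget_mw


def unprotected_critical(budget_mw, requests):
    """Critical ports that still lose power because the budget cannot even
    cover the critical tier, so priority alone no longer protects them."""
    _, denied, _ = allocate(budget_mw, requests)
    critical = {r.port for r in requests if r.priority == "critical"}
    return sorted(critical & set(denied))


def guide_scenario():
    """48 ports at 30 W against 375 W, as in the guide. The priority split is
    constructed: ports 1-4 critical, 5-16 high, 17-48 low."""
    requests = []
    for port in range(1, 49):
        priority = "critical" if port <= 4 else "high" if port <= 16 else "low"
        requests.append(PortRequest(port, priority, 30_000))
    return 375_000, requests


if __name__ == "__main__":
    budget, requests = guide_scenario()
    demand, ratio = oversubscription(budget, requests)
    granted, denied, remaining = allocate(budget, requests)
    print(f"demand {demand} mW vs budget {budget} mW ({ratio:.2f}x)")
    print(f"granted ports: {granted}")
    print(f"denied: {len(denied)} ports, {remaining} mW left unallocated")
    print(f"critical ports without power: {unprotected_critical(budget, requests)}")
```

Running the same check against your own port list shows which cameras, phones or access points drop first when the supply is oversubscribed, before that happens in production.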

Class Limit Power Mode

To configure class limit power mode:
1. Click Configuration > Port Management > PoE > Class Limit Power Mode.
   - PoE Status: Enable or disable PoE on the port.
   - Power Priority Level: Port priority is low, high, or critical, for use when the power supply is low. For example, if the power supply is running at 99% usage and port 1 is prioritized as high, but port 3 is prioritized as low, port 1 receives power and port 3 might be denied power.
   - Class: Class configured on this port. The classes are shown in the following:
     Class / Maximum Power Delivered by Device Port (watt)
   - Max Power Allocation (mW): Maximum amount of power permitted on this port. The switch hardware may actually supply 5-10% more power than Max Power Allocation to accommodate the power loss over the wire.
   - Power Consumption (mW): Amount of power assigned to the powered device connected to the selected interface.
   - Operational Status: Whether the Class Limit mode is enabled or disabled on the port.

2. Select a port and click Edit. Enter the fields as described above.
3. Click Apply. The PoE settings for the port are written to the Running Configuration file.

Discovery - LLDP

Link Layer Discovery Protocol (LLDP) is a link layer protocol for directly-connected LLDP-capable neighbors to advertise themselves and their capabilities. LLDP enables network managers to troubleshoot and enhance network management in multi-vendor environments. LLDP standardizes methods for network devices to advertise themselves to other systems, and to store discovered information.

By default, the device sends an LLDP advertisement periodically to all its interfaces and processes incoming LLDP packets as required by the protocols. In LLDP, advertisements are encoded as TLV (Type, Length, Value) in the packet. The information learned is stored in the data in a Management Information Base (MIB). The network management system models the topology of the network by querying these MIB databases. By default, the device terminates and processes all incoming LLDP packets as required by the protocol.

The LLDP protocol has an extension called LLDP Media Endpoint Discovery (LLDP-MED) that provides and accepts information from media endpoint devices such as VoIP phones and video phones.

Some notes about LLDP configuration:
- LLDP can be enabled or disabled globally or per port. The LLDP capability of a port is relevant only if LLDP is globally enabled.
- If LLDP is globally enabled, the device filters out incoming LLDP packets from ports that are LLDP-disabled.
- If LLDP is globally disabled, the device can be configured to discard all incoming LLDP packets, or to apply VLAN-aware flooding or VLAN-unaware flooding to them. VLAN-aware flooding floods an incoming LLDP packet to the VLAN where the packet is received excluding the ingress port. VLAN-unaware flooding floods an incoming LLDP packet to all the ports excluding the ingress port. The default is to discard LLDP packets when LLDP is globally disabled. You can configure the discard/flooding of incoming LLDP packets from the LLDP Feature Configuration page.
- LLDP end devices, such as IP phones, learn the voice VLAN configuration from LLDP advertisements. By default, the device is enabled to send out LLDP advertisement based on the voice VLAN configured at the device. Refer to the Voice VLAN for details.

Note: LLDP does not distinguish if a port is in a LAG. If there are multiple ports in a LAG, LLDP transmits packets on each port without taking into account the fact that the ports are in a LAG.

- The operation of LLDP is independent of the STP status of an interface.
- If 802.1x port access control is enabled at an interface, the device transmits and receives LLDP packets to and from the interface only if the interface is authenticated and authorized.
- If a port is the target of mirroring, then LLDP considers it down.

Note: LLDP is a link layer protocol for directly-connected LLDP-capable devices to advertise themselves and their capabilities. In deployments where the LLDP-capable devices are not directly connected and are separated with LLDP-incapable devices, the LLDP-capable devices may be able to receive the advertisement from other devices only if the LLDP-incapable devices flood the LLDP packets they receive. If the LLDP-incapable devices perform VLAN-aware flooding, then LLDP-capable devices can hear each other only if they are in the same VLAN. An LLDP-capable device may receive advertisements from more than one device if the LLDP-incapable devices flood the LLDP packets.

Workflows

Following are examples of actions that can be performed with the LLDP feature, in a suggested order. You can refer to the LLDP section for additional guidelines on LLDP configuration. LLDP configuration pages are accessible under the Configuration > Port Management > Discovery - LLDP menu.
1. Enter LLDP global parameters, such as LLDP Frames Handling, using the LLDP Feature Configuration page.
2. Configure LLDP per port by using the LLDP Feature Configuration page. On this page, interfaces can be configured to receive/transmit LLDP PDUs, send SNMP notifications, specify which TLVs to advertise, and advertise the device's management address.
3. Create LLDP MED network policies by using the LLDP MED Network Policy page.
4. Associate LLDP MED network policies and the optional LLDP-MED TLVs to the desired interfaces by using the LLDP MED Port Settings page.

Feature Configuration

The LLDP-MED TLVs to be advertised can be selected in the LLDP MED Port Settings page, and the management address TLV of the device may be configured to be advertised.

To configure the LLDP port settings:
1. Click Configuration > Port Management > Discovery - LLDP > Feature Configuration. The following fields are displayed (only fields that do not appear in the Edit page are described):
   - Interface: The port to edit.
   - LLDP MED Status: Enabled or disabled.
   - Number of neighbors: Number of neighbors discovered.
   - Neighbor Capability: Displays the primary functions of the neighbor; for example: Bridge or Router.
   - Local PoE: Local PoE information advertised.
     - power priority: Port power priority
     - power value: Port power value
   - Neighbor PoE: PoE information advertised by the neighbor.
     - power priority: Port power priority
     - power value: Port power value
2. Enter the following fields.
   - LLDP Status: Select to enable LLDP on the device (enabled by default).
   - LLDP Frame Handling: If LLDP is not enabled, select the action to be taken if a packet that matches the selected criteria is received:
     - Filtering: Delete the packet.
     - Flooding: Forward the packet to all VLAN members.
3. Select a port and click Edit.
   - Port: Select the port to edit.
   - LLDP Status: Select the LLDP publishing option for the port. The values are:
     - Tx Only: Publishes but does not discover.
     - Rx Only: Discovers but does not publish.
     - Tx & Rx: Publishes and discovers.
     - Disable: Indicates that LLDP is disabled on the port.
   - Available Optional TLVs: Information to be published by the device.
   - Advertise Optional TLVs: Select the information to be published by the device by moving the TLV from the Available Optional TLVs list. The available TLVs contain the following information:

     - Port Description: Information about the port, including manufacturer, product name and hardware/software version.
     - System Name: System's assigned name (in alpha-numeric format). The value equals the sysName object.
     - System Description: Description of the network entity (in alpha-numeric format). This includes the system's name and versions of the hardware, operating system, and networking software supported by the device. The value equals the sysDescr object.
     - System Capabilities: Primary functions of the device, and whether or not these functions are enabled on the device. The capabilities are indicated by two octets. Bits 0 through 7 indicate Other, Repeater, Bridge, WLAN AP, Router, Telephone, DOCSIS cable device, and station respectively. Bits 8 through 15 are reserved.
     - MAC-PHY: Duplex and bit rate capability and the current duplex and bit rate settings of the sending device. It also indicates whether the current settings are due to auto-negotiation or manual configuration.
     - Link Aggregation: Whether the link (associated with the port on which the LLDP PDU is transmitted) can be aggregated. It also indicates whether the link is currently aggregated, and if so, provides the aggregated port identifier.
     - Maximum Frame: Maximum frame size capability of the MAC/PHY.
   - Management Address TLV: Select one of the following ways to advertise the IP management address of the device:
     - Auto Advertise: Specifies that the software automatically chooses a management address to advertise from all the IP addresses of the device. In case of multiple IP addresses, the software chooses the lowest IP address among the dynamic IP addresses. If there are no dynamic addresses, the software chooses the lowest IP address among the static IP addresses.
     - None: Do not advertise the management IP address.
     - Manual Advertise: Select this option and the management IP address to be advertised.
   - Management IP Address: If Manual Advertise was selected, select the Management IP address from the addresses provided.
4. Enter the relevant information, and click Apply. The port settings are written to the Running Configuration file.
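The TLV encoding and the System Capabilities bits described above, decoded from a constructed LLDPDU to show what a port with the optional TLVs selected discloses to any directly connected device. This is an added example, not vendor code: the sample frame, host name and addresses are constructed, and the TLV type numbers and subtype values follow IEEE 802.1AB rather than anything stated in this guide.

```python
"""Decode an LLDPDU to audit what a port advertises (added example)."""
import ipaddress
import struct

# TLV type numbers as defined by IEEE 802.1AB.
TLV_NAMES = {
    1: "Chassis ID", 2: "Port ID", 3: "Time To Live", 4: "Port Description",
    5: "System Name", 6: "System Description", 7: "System Capabilities",
    8: "Management Address", 127: "Organizationally Specific",
}
# Capability bits 0 through 7, in the order the guide lists them.
CAPABILITY_BITS = ["Other", "Repeater", "Bridge", "WLAN AP", "Router",
                   "Telephone", "DOCSIS cable device", "Station"]
TEXT_TLVS = (4, 5, 6)   # optional TLVs that carry free text


def iter_tlvs(payload):
    """Yield (type, value) per TLV; the header is 7 bits type, 9 bits length."""
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated TLV header")
        (header,) = struct.unpack_from("!H", payload, offset)
        tlv_type, length = header >> 9, header & 0x01FF
        offset += 2
        if len(payload) - offset < length:
            raise ValueError(f"TLV type {tlv_type} is longer than the frame")
        if tlv_type == 0:           # End of LLDPDU
            return
        yield tlv_type, payload[offset:offset + length]
        offset += length


def decode_capabilities(value):
    """Split the capability octets into (supported, enabled) name lists."""
    if len(value) != 4:
        raise ValueError("System Capabilities TLV must be 4 bytes")
    supported, enabled = struct.unpack("!HH", value)
    def names(mask):
        return [n for bit, n in enumerate(CAPABILITY_BITS) if (mask >> bit) & 1]
    return names(supported), names(enabled)


def decode_management_address(value):
    """Return the advertised management address as text."""
    if len(value) < 2:
        raise ValueError("Management Address TLV too short")
    addr_len = value[0]             # counts the subtype byte plus the address
    if addr_len < 2 or 1 + addr_len > len(value):
        raise ValueError("bad management address length")
    subtype, addr = value[1], value[2:1 + addr_len]
    if subtype == 1 and len(addr) == 4:     # address family 1 = IPv4
        return str(ipaddress.IPv4Address(addr))
    if subtype == 2 and len(addr) == 16:    # address family 2 = IPv6
        return str(ipaddress.IPv6Address(addr))
    return addr.hex()


def audit(payload):
    """Summarise which TLVs are present and what they tell a neighbor."""
    report = {"tlvs": [], "disclosed": {}, "supported": [], "enabled": []}
    for tlv_type, value in iter_tlvs(payload):
        name = TLV_NAMES.get(tlv_type, f"type {tlv_type}")
        report["tlvs"].append(name)
        if tlv_type in TEXT_TLVS:
            report["disclosed"][name] = value.decode("utf-8", "replace")
        elif tlv_type == 7:
            report["supported"], report["enabled"] = decode_capabilities(value)
        elif tlv_type == 8:
            report["disclosed"][name] = decode_management_address(value)
    return report


def tlv(tlv_type, value):
    """Build one TLV (used only to construct the sample below)."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def sample_lldpdu():
    """Constructed LLDPDU; every name and address in it is made up."""
    return b"".join([
        tlv(1, b"\x04" + bytes.fromhex("020000000001")),  # subtype 4 = MAC
        tlv(2, b"\x05" + b"gi1"),                         # subtype 5 = ifName
        tlv(3, struct.pack("!H", 120)),                   # TTL in seconds
        tlv(4, b"Uplink to core"),
        tlv(5, b"lab-switch-01"),
        tlv(6, b"Constructed switch, firmware 0.0.0"),
        tlv(7, struct.pack("!HH", 0x0014, 0x0004)),       # Bridge+Router / Bridge
        tlv(8, bytes([5, 1, 192, 0, 2, 10, 2, 0, 0, 0, 1, 0])),  # IPv4, ifIndex 1
        tlv(0, b""),                                      # End of LLDPDU
    ])


if __name__ == "__main__":
    for key, val in audit(sample_lldpdu()).items():
        print(f"{key}: {val}")
```

Moving entries out of Advertise Optional TLVs, or setting Management Address TLV to None as described above, removes the corresponding keys from `disclosed` on a re-captured frame.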

LLDP MED Ports

The LLDP MED Ports page enables the selection of the LLDP MED TLVs and/or the network policies to be included in the outgoing LLDP advertisement for the desired interfaces. Network Policies are configured using the LLDP MED Network Policy page.

To configure LLDP MED on each port:
1. Click Configuration > Port Management > Discovery - LLDP > LLDP MED Ports. This page displays the following LLDP MED settings for all ports (only fields not described in the Edit page are listed):
   - Location: Whether Location TLV is transmitted.
   - PoE: Whether PoE-PSE TLV is transmitted.
   - Inventory: Whether Inventory TLV is transmitted.
2. The message at the top of the page indicates whether the generation of the LLDP MED Network Policy for the voice application is automatic or not. Click on the link to change the mode.
3. To associate additional LLDP MED TLV and/or one or more user-defined LLDP MED Network Policies to a port, select it, and click Edit.
4. Enter the parameters:
   - Port: Select the interface to configure.
   - LLDP MED Status: Enable/disable LLDP MED on this port.
   - Available Optional TLVs: Select the TLVs that can be published by the device by moving them from the Advertise Optional TLVs list.

   - Available Network Policies: Select the LLDP MED policies to be published by LLDP by moving them from the Available Network Policies list. These were created in the LLDP MED Network Policy page. To include one or more user-defined network policies in the advertisement, you must also select Network Policy from the Available Optional TLVs.
   Note: The following fields must be entered in hexadecimal characters in the exact data format that is defined in the LLDP-MED standard (ANSI-TIA-1057_final_for_publication.pdf):
   - Location Coordinate: Enter the coordinate location to be published by LLDP.
   - Location Civic Address: Enter the civic address to be published by LLDP.
   - Location (ECS) ELIN: Enter the Emergency Call Service (ECS) ELIN location to be published by LLDP.
5. Click Apply. The LLDP MED port settings are written to the Running Configuration file.

LLDP Local Information

To view the LLDP local port status advertised on a port:
1. Click Configuration > Port Management > Discovery - LLDP > LLDP Local Information.
2. Select the desired port from the Port list.

This page displays the following groups of fields (the actual fields displayed depend on the optional TLVs selected to be advertised):

Global
- Chassis ID Subtype: Type of chassis ID. (For example, the MAC address.)
- Chassis ID: Identifier of chassis. Where the chassis ID subtype is a MAC address, the MAC address of the device appears.
- System Name: Name of device.
- System Description: Description of the device (in alpha-numeric format).
- Supported System Capabilities: Primary functions of the device, such as Bridge, WLAN AP, or Router.
- Enabled System Capabilities: Primary enabled function(s) of the device.
- Port ID Subtype: Type of the port identifier that is shown.
- Port ID: Identifier of port.
- Port Description: Information about the port, including manufacturer, product name and hardware/software version.

Management Address
Displays the table of addresses of the local LLDP agent. Other remote managers can use this address to obtain information related to the local device. The address consists of the following elements:
- Address Subtype: Type of management IP address that is listed in the Management Address field; for example, IPv4.
- Address: Returned address most appropriate for management use.
- Interface Subtype: Numbering method used for defining the interface number.
- Interface Number: Specific interface associated with this management address.

MED Information
- Capabilities Supported: MED capabilities supported on the port.
- Current Capabilities: MED capabilities enabled on the port.
- Device Class: LLDP-MED endpoint device class. The possible device classes are:
  - Endpoint Class 1: Generic endpoint class, offering basic LLDP services.

  - Endpoint Class 2: Media endpoint class, offering media streaming capabilities, as well as all Class 1 features.
  - Endpoint Class 3: Communications device class, offering all Class 1 and Class 2 features plus location, 911, Layer 2 device support, and device information management capabilities.
- PoE Device Type: Port PoE type; for example, powered.
- PoE Power Source: Port power source.
- PoE Power Priority: Port power priority.
- PoE Power Value: Port power value.
- Hardware Revision: Hardware version.
- Firmware Revision: Firmware version.
- Software Revision: Software version.
- Serial Number: Device serial number.
- Manufacturer Name: Device manufacturer name.
- Model Name: Device model name.
- Asset ID: Asset ID.

Location Information

- Civic: Street address.
- Coordinates: Map coordinates: latitude, longitude, and altitude.
- ECS ELIN: Emergency Call Service (ECS) Emergency Location Identification Number (ELIN).

Network Policy

- Application Type: Network policy application type; for example, Voice.
- VLAN ID: VLAN ID for which the network policy is defined.
- VLAN Type: VLAN type for which the network policy is defined. The possible field values are:
  - Tagged: Indicates the network policy is defined for tagged VLANs.
  - Untagged: Indicates the network policy is defined for untagged VLANs.
- User Priority: Network policy user priority.
- DSCP: Network policy DSCP.

LLDP Neighbor Information

The LLDP Neighbors Information page contains information that was received from neighboring devices. After timeout (based on the value received from the neighbor Time To Live TLV during which no LLDP PDU was received from a neighbor), the information is deleted.

To view the LLDP neighbor information:

Click Configuration > Port Management > Discovery - LLDP > LLDP Neighbor Information.

- Local Port: Number of the local port to which the neighbor is connected.

Global

- Local Port: Port number. (Ron- Gina Please confirm the Global items.)
- MSAP Entry: Device Media Service Access Point (MSAP) entry number.

Basic Details

- Chassis ID Subtype: Type of chassis ID (for example, MAC address).
- Chassis ID: Identifier of the 802 LAN neighboring device chassis.
- Port ID Subtype: Type of the port identifier that is shown.
- Port ID: Identifier of port.
- Port Description: Information about the port, including manufacturer, product name and hardware/software version.
- System Name: Name of system that is published.
- System Description: Description of the network entity (in alpha-numeric format). This includes the system name and versions of the hardware, operating system, and networking software supported by the device. The value equals the sysdescr object.

- Supported System Capabilities: Primary functions of the device. The capabilities are indicated by two octets. Bits 0 through 7 indicate Other, Repeater, Bridge, WLAN AP, Router, Telephone, DOCSIS cable device, and station, respectively. Bits 8 through 15 are reserved.
- Enabled System Capabilities: Primary enabled function(s) of the device.

Management Address

- Address Subtype: Managed address subtype; for example, MAC or IPv4.
- Address: Managed address.
- Interface Subtype: Port subtype.
- Interface Number: Port number.

MED Information

- Capabilities Supported: MED capabilities enabled on the port.
- Current Capabilities: MED TLVs advertised by the port.
- Device Class: LLDP-MED endpoint device class. The possible device classes are:
  - Endpoint Class 1: Indicates a generic endpoint class, offering basic LLDP services.
  - Endpoint Class 2: Indicates a media endpoint class, offering media streaming capabilities as well as all Class 1 features.
  - Endpoint Class 3: Indicates a communications device class, offering all Class 1 and Class 2 features plus location, 911, Layer 2 switch support and device information management capabilities.
- PoE Device Type: Port PoE type, for example, powered.
- PoE Power Source: Port's power source.
- PoE Power Priority: Port's power priority.
- PoE Power Value: Port's power value.
- Hardware Revision: Hardware version.
- Firmware Revision: Firmware version.
- Software Revision: Software version.
- Serial Number: Device serial number.
- Manufacturer Name: Device manufacturer name.
- Model Name: Device model name.
- Asset ID: Asset ID.

Location Information

Enter the following data structures in hexadecimal as described in section of the ANSI-TIA-1057 standard:

- Civic: Civic or street address.
- Coordinates: Location map coordinates: latitude, longitude, and altitude.
- ECS ELIN: Device's Emergency Call Service (ECS) Emergency Location Identification Number (ELIN).
- Unknown: Unknown location information.

Network Policy

- Application Type: Network policy application type, for example, Voice.
- VLAN ID: VLAN ID for which the network policy is defined.
- VLAN Type: VLAN type, Tagged or Untagged, for which the network policy is defined.
- User Priority: Network policy user priority.
- DSCP: Network policy DSCP.

LLDP MED Network Policy

LLDP Media Endpoint Discovery (LLDP-MED) is an extension of LLDP that provides the following additional capabilities to support media endpoint devices:

- Enables the advertisement and discovery of network policies for real-time applications such as voice and/or video.
- Enables discovery of the device location to allow creation of location databases and, in the case of Voice over Internet Protocol (VoIP), Emergency Call Service (E-911) by using IP Phone location information.
- Troubleshooting information. LLDP MED sends alerts to network managers upon:
  - Port speed and duplex mode conflicts
  - QoS policy misconfigurations

Setting LLDP MED Network Policy

An LLDP-MED network policy is a related set of configuration settings for a specific real-time application such as voice or video. A network policy, if configured, can be included in the outgoing LLDP packets to the attached LLDP media endpoint device. The media endpoint device must send its traffic as specified in the network policy it receives. For example, a policy can be created for VoIP traffic that instructs the VoIP phone to:

- Send voice traffic on VLAN 10 as tagged packets and with 802.1p priority 5.
- Send voice traffic with DSCP 46.

Network policies are associated with ports by using the LLDP MED Port Settings page. An administrator can manually configure one or more network policies and the interfaces where the policies are to be sent. It is the administrator's responsibility to manually create the VLANs and their port memberships according to the network policies and their associated interfaces.

In addition, an administrator can instruct the device to automatically generate and advertise a network policy for the voice application based on the voice VLAN maintained by the device. Refer to the Auto Voice VLAN section for details on how the device maintains its voice VLAN.

To define an LLDP MED network policy:

1. Click Configuration > Port Management > Discovery - LLDP > LLDP MED Network. This page contains previously-created network policies.
2. When Network Policy for Voice Application is enabled, the device automatically generates and advertises a network policy with the current voice VLAN configuration. Go to the Voice VLAN > Feature Configuration page to configure the voice VLAN.
3. Click Apply to add this setting to the Running Configuration file.
4. To define a new policy, click Add.
5. Enter the values:
   - Network Policy Number: Select the number of the policy to be created.
   - Application: Select the type of application (type of traffic) for which the network policy is being defined.
   - VLAN ID: Enter the VLAN ID to which the traffic must be sent.
   - VLAN Tag: Select whether the traffic is Tagged or Untagged.
   - Layer 2 Priority: Select the traffic priority applied to traffic defined by this network policy. This is the CoS value.
   - DSCP Value: Select the DSCP value to associate with application data sent by neighbors. This informs them how they must mark the application traffic they send to the device.
6. Click Apply. The network policy is defined.

Note: You must manually configure the interfaces to include the desired manually-defined network policies for the outgoing LLDP packets using the LLDP MED Port Settings.
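To check what a port really advertises, the following added example (not code from the guide or the vendor) decodes a constructed LLDPDU, including the two-octet system capabilities bitmap described under LLDP Neighbor Information and the voice policy from the example above (VLAN 10, tagged, priority 5, DSCP 46). The function names and sample values are hypothetical; the TLV layouts follow IEEE 802.1AB and ANSI/TIA-1057.

```python
import struct

LLDP_MED_OUI = bytes.fromhex("0012bb")  # TIA OUI that carries LLDP-MED TLVs
# Bit 0 .. bit 7 of the system capabilities bitmap, in the order the guide lists them.
CAPABILITY_BITS = ["Other", "Repeater", "Bridge", "WLAN AP", "Router",
                   "Telephone", "DOCSIS cable device", "Station"]


def tlv(tlv_type, value):
    """Build one TLV: a 7-bit type and 9-bit length header, then the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def encode_network_policy(app_type, vlan_id, tagged, priority, dscp):
    """Pack application type, then U/T/X flags, 12-bit VLAN, 3-bit priority, 6-bit DSCP."""
    if not (0 <= vlan_id <= 4095 and 0 <= priority <= 7 and 0 <= dscp <= 63):
        raise ValueError("policy field out of range")
    word = (int(tagged) << 22) | (vlan_id << 9) | (priority << 6) | dscp
    return bytes([app_type]) + word.to_bytes(3, "big")


def decode_network_policy(body):
    """Inverse of encode_network_policy for the 4-octet policy field."""
    if len(body) != 4:
        raise ValueError("network policy must be 4 octets")
    word = int.from_bytes(body[1:], "big")
    return {"application": body[0],          # 1 = Voice in ANSI/TIA-1057
            "unknown": bool(word >> 23 & 1),
            "tagged": bool(word >> 22 & 1),
            "vlan_id": word >> 9 & 0xFFF,
            "priority": word >> 6 & 0x7,
            "dscp": word & 0x3F}


def decode_capabilities(bitmap):
    """Names for bits 0-7; bits 8-15 are reserved and reported separately."""
    names = [name for bit, name in enumerate(CAPABILITY_BITS) if bitmap >> bit & 1]
    if bitmap >> 8:
        names.append("reserved bits set: 0x%04x" % (bitmap & 0xFF00))
    return names


def parse_lldpdu(data):
    """Walk the TLVs of an LLDPDU (the payload after the Ethernet header)."""
    info = {"policies": []}
    offset = 0
    while True:
        if offset + 2 > len(data):
            raise ValueError("LLDPDU ends without an End TLV")
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV type %d" % tlv_type)
        offset += 2 + length
        if tlv_type == 0:                      # End of LLDPDU
            return info
        if tlv_type == 1 and length >= 2:      # Chassis ID: subtype + identifier
            info["chassis_subtype"] = value[0]
            info["chassis_id"] = value[1:].hex(":") if value[0] == 4 else value[1:]
        elif tlv_type == 2 and length >= 2:    # Port ID: subtype + identifier
            info["port_subtype"], info["port_id"] = value[0], value[1:]
        elif tlv_type == 3 and length >= 2:    # Time To Live, in seconds
            info["ttl"] = struct.unpack("!H", value[:2])[0]
        elif tlv_type == 7 and length == 4:    # capabilities: supported, enabled
            supported, enabled = struct.unpack("!HH", value)
            info["supported"] = decode_capabilities(supported)
            info["enabled"] = decode_capabilities(enabled)
        elif tlv_type == 127 and value[:3] == LLDP_MED_OUI and value[3:4] == b"\x02":
            info["policies"].append(decode_network_policy(value[4:]))


def build_sample_lldpdu():
    """Constructed advertisement: a bridge that publishes the guide's voice policy."""
    return b"".join([
        tlv(1, b"\x04" + bytes.fromhex("020000000001")),   # chassis ID, subtype MAC
        tlv(2, b"\x05" + b"gi1"),                          # port ID, interface name
        tlv(3, struct.pack("!H", 120)),                    # TTL of 120 seconds
        tlv(7, struct.pack("!HH", 0x0014, 0x0004)),        # Bridge+Router / Bridge
        tlv(127, LLDP_MED_OUI + b"\x02" + encode_network_policy(1, 10, True, 5, 46)),
        tlv(0, b""),
    ])


if __name__ == "__main__":
    for key, val in parse_lldpdu(build_sample_lldpdu()).items():
        print(key, "=", val)
```

Comparing the decoded policy with the intended voice VLAN, priority and DSCP on each port shows whether endpoints are being told to use the settings the administrator planned.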

Chapter 6 VLAN Management

VLANs

A VLAN is a logical group of ports that enables devices associated with it to communicate with each other over the Ethernet MAC layer, regardless of the physical LAN segment of the bridged network to which they are connected. Each VLAN is configured with a unique VLAN ID (VID) with a value from 1 to

A port on a device in a bridged network is a member of a VLAN if it can send data to and receive data from the VLAN. A port is an untagged member of a VLAN if all packets destined for that port into the VLAN have no VLAN tag. A port is a tagged member of a VLAN if all packets destined for that port into the VLAN have a VLAN tag. A port can be a member of only one untagged VLAN but can be a member of multiple tagged VLANs.

A port in VLAN Access mode can be part of only one VLAN. If it is in General or Trunk mode, the port can be part of one or more VLANs.

VLANs address security and scalability issues. Traffic from a VLAN stays within the VLAN, and terminates at devices in the VLAN. It also eases network configuration by logically connecting devices without physically relocating those devices.

If a frame is VLAN-tagged, a four-byte VLAN tag is added to each Ethernet frame. The tag contains a VLAN ID between 1 and 4094, and a VLAN Priority Tag (VPT) between 0 and 7. See QoS Operation for details about VPT.

When a frame enters a VLAN-aware device, it is classified as belonging to a VLAN, based on the four-byte VLAN tag in the frame. If there is no VLAN tag in the frame or the frame is priority-tagged only, the frame is classified to the VLAN based on the PVID (Port VLAN Identifier) configured at the ingress port where the frame is received.

The frame is discarded at the ingress port if Ingress Filtering is enabled and the ingress port is not a member of the VLAN to which the packet belongs. A frame is regarded as priority-tagged only if the VID in its VLAN tag is 0.

Frames belonging to a VLAN remain within the VLAN. This is achieved by sending or forwarding a frame only to egress ports that are members of the target VLAN. An egress port may be a tagged or untagged member of a VLAN.

The egress port:

- Adds a VLAN tag to the frame if the egress port is a tagged member of the target VLAN, and the original frame does not have a VLAN tag.
- Removes the VLAN tag from the frame if the egress port is an untagged member of the target VLAN, and the original frame has a VLAN tag.

VLAN Roles

All VLAN traffic (Unicast/Broadcast/Multicast) remains within its VLAN. Devices attached to different VLANs do not have direct connectivity to each other over the Ethernet MAC layer.

Device VLANs can only be created statically.

Some VLANs can have additional roles, including:

- Voice VLAN: For more information refer to the Voice VLAN section.
- Guest VLAN: Set in the Edit VLAN Authentication page.
- Default VLAN: For more information refer to the Configuring Default VLAN Settings section.
- Management VLAN: For more information refer to the Configuring IP Information section.

VLAN Configuration

To configure VLANs:

1. If required, change the default VLAN as described in the Default VLAN Settings section.
2. Create the required VLANs as described in the VLANs - Creating VLANs section.
3. Set the desired VLAN-related configuration for ports, as described in the Interface Settings section.
4. Assign interfaces to VLANs as described in the Port to VLAN section or the VLAN Memberships section.
5. View the current VLAN port membership for all the interfaces as described in the VLAN Memberships section.
6. If required, configure VLAN groups as described in the MAC-based Groups section.

Default VLAN Settings

When using factory default settings, the device automatically creates VLAN 1 as the default VLAN, the default interface status of all ports is Trunk, and all ports are configured as untagged members of the default VLAN.

The default VLAN has the following characteristics:

- It is distinct, non-static/non-dynamic, and all ports are untagged members by default.
- It cannot be deleted.
- It cannot be given a label.
- It cannot be used for any special role, such as unauthenticated VLAN or Voice VLAN. This is only relevant for OUI-enabled voice VLAN.
- If a port is no longer a member of any VLAN, the device automatically configures the port as an untagged member of the default VLAN. A port is no longer a member of a VLAN if the VLAN is deleted or the port is removed from the VLAN.

When the VID of the default VLAN is changed, the device performs the following on all the ports in the VLAN, after saving the configuration and rebooting the device:

- Removes VLAN membership of the ports from the original default VLAN (takes effect after reboot).
- Changes the PVID (Port VLAN Identifier) of the ports to the VID of the new default VLAN.
- The original default VLAN ID is removed from the device. To be used, it must be recreated.
- Adds the ports as untagged VLAN members of the new default VLAN.

To change the default VLAN:

1. Click Configuration > VLAN Management > VLANs.
2. Enter the value for the following field:
   - Current Default VLAN ID: Displays the current default VLAN ID.
   - Default VLAN ID After Reboot: Enter a new VLAN ID to replace the default VLAN ID after reboot.
3. Click Apply.
4. Click Save and save the Running Configuration to the Startup Configuration.

The Default VLAN ID After Reset becomes the Current Default VLAN ID after you reboot the device.

Creating VLANs

You can create a VLAN, but this has no effect until the VLAN is attached to at least one port, either manually or dynamically. Ports must always belong to one or more VLANs.

The Smart device supports up to 128 VLANs, including the default VLAN.

Each VLAN must be configured with a unique VID with a value from 1 to The device reserves VID 4095 as the Discard VLAN and VID 4094 for 802.1x. All packets classified to the Discard VLAN are discarded at ingress, and are not forwarded to a port.

The VLANs page enables you to change the default VLAN and create a new VLAN.

To change or add a VLAN:

1. Click Configuration > VLAN Management > VLANs.
2. Click Add to add one or more new VLANs. The page enables the creation of either a single VLAN or a range of VLANs.
3. Enter the following fields for the new VLANs.
   - VLAN: Select one of the following options:
     - Single VLAN: Select to create a single VLAN.
     - Range of VLANs: Select to create a range of VLANs and specify the range of VLANs to be created by entering the Starting VID and Ending VID, inclusive. When using the Range function, the maximum number of VLANs you can create at one time is 100.
   - VLAN ID: Enter a VLAN ID.
   - VLAN Name: Enter a VLAN name.
   - VLAN ID Range: Enter a range of VLANs.
4. Click Apply to create the VLAN(s).

Interfaces

The Interface Settings page displays and enables configuration of VLAN-related parameters for all interfaces.

To configure the interface settings:

1. Click VLAN Management > Interface Settings.
2. Select an interface type (Port or LAG), and click Search. Ports or LAGs and their VLAN Membership are displayed.
3. To configure a Port or LAG, select it and click Edit.
   Note: To add a port or LAG to a VLAN, click Join VLAN. The Join VLAN page is displayed.
4. Enter the values for the following fields:
   - Interface: Select a Port/LAG.
   - Interface VLAN Mode: Select the interface mode for the VLAN. The options are:
     - Access: The interface is an untagged member of a single VLAN. A port configured in this mode is known as an access port.
     - Trunk: The interface is an untagged member of one VLAN at most, and is a tagged member of zero or more VLANs. A port configured in this mode is known as a trunk port.
     - General Port: The interface can support all functions as defined in the IEEE 802.1q specification. The interface can be a tagged or untagged member of one or more VLANs.

   - PVID: Enter the Port VLAN ID (PVID) of the VLAN to which incoming untagged and priority tagged frames are classified. The possible values are 1 to
   - Acceptable Frame Type: Select the type of frame that the interface can receive. Frames that are not of the configured frame type are discarded at ingress. These frame types are only available in General mode. Possible values are:
     - Admit All: The interface accepts all types of frames: untagged frames, tagged frames, and priority tagged frames.
     - Admit Tagged Only: The interface accepts only tagged frames.
     - Admit Untagged Only: The interface accepts only untagged and priority frames.
   - Ingress Filtering (Available only in General mode): Select to enable ingress filtering. When ingress filtering is enabled on an interface, the interface discards all incoming frames that are classified to VLANs of which the interface is not a member. Ingress filtering can be disabled or enabled on general ports. It is always enabled on access ports and trunk ports.
5. Click Apply. The parameters are written to the Running Configuration file.

Join VLAN

When a port is forbidden default VLAN membership, that port is not allowed membership in any other VLAN. An internal VID of 4095 is assigned to the port.

To forward packets properly, intermediate VLAN-aware devices that carry VLAN traffic along the path between end nodes must be manually configured.

Untagged port membership between two VLAN-aware devices with no intervening VLAN-aware devices must be to the same VLAN. In other words, the PVID on the ports between the two devices must be the same if the ports are to send and receive untagged packets to and from the VLAN. Otherwise, traffic might leak from one VLAN to another.

Frames that are VLAN-tagged can pass through other network devices that are VLAN-aware or VLAN-unaware. If a destination end node is VLAN-unaware, but is to receive traffic from a VLAN, then the last VLAN-aware device (if there is one) must send frames of the destination VLAN to the end node untagged.

To add a port to a VLAN:

1. Click VLAN Management > Interface Settings.
2. Select an interface type (Port or LAG), and click Search.
3. To add a Port or LAG to a VLAN, select it and click Join VLAN.

4. Enter the following fields:

   VLAN Mode
   - Access: The interface is an untagged member of a single VLAN. A port configured in this mode is known as an access port.
   - Trunk: The interface is an untagged member of one VLAN at most, and is a tagged member of zero or more VLANs. A port configured in this mode is known as a trunk port.
   - General Port: The interface can support all functions as defined in the IEEE 802.1q specification. The interface can be a tagged or untagged member of one or more VLANs.

   Tagging
   - Forbidden: The interface is not allowed to join the VLAN. When a port is not a member of any other VLAN, enabling this option on the port makes the port part of internal VLAN 4095 (a reserved VID).
   - Excluded: The interface is currently not a member of the VLAN. This is the default for all the ports and LAGs when the VLAN is newly created.
   - Tagged: The interface is a tagged member of the VLAN.
   - Untagged: The interface is an untagged member of the VLAN. Frames of the VLAN are sent untagged to the interface VLAN.
   - PVID: Port PVID is set to this VLAN. If the interface is in access mode or trunk mode, the device automatically makes the interface an untagged member of the VLAN. If the interface is in general mode, you must manually configure VLAN membership.
5. Click Apply. The port is added to the VLAN and the settings are written to the Running Configuration file.

VLAN Memberships

The VLAN Memberships page displays the VLAN memberships of the ports in various presentations. You can use them to add memberships to or remove memberships from the VLANs.

When a port is forbidden default VLAN membership, that port is not allowed membership in any other VLAN. An internal VID of 4095 is assigned to the port.

To forward packets properly, intermediate VLAN-aware devices that carry VLAN traffic along the path between end nodes must be manually configured.

Untagged port membership between two VLAN-aware devices with no intervening VLAN-aware devices must be to the same VLAN. In other words, the PVID on the ports between the two devices must be the same if the ports are to send and receive untagged packets to and from the VLAN. Otherwise, traffic might leak from one VLAN to another.

Frames that are VLAN-tagged can pass through other network devices that are VLAN-aware or VLAN-unaware. If a destination end node is VLAN-unaware, but is to receive traffic from a VLAN, then the last VLAN-aware device (if there is one) must send frames of the destination VLAN to the end node untagged.

Use the VLAN Memberships page to display and configure the ports within a specific VLAN.

To assign a port to one or more VLANs:

1. Click Configuration > VLAN Management > VLAN Memberships.
2. Select VLAN ID and interface type (Port or LAG), and click Search.

   - Interface: Port/LAG ID.
   - PVID: Port PVID is set to this VLAN. If the interface is in access mode or trunk mode, the device automatically makes the interface an untagged member of the VLAN. If the interface is in general mode, you must manually configure VLAN membership.
   - Access: Select to make the interface an access interface on this VLAN.
   - Trunk: Select to make the interface a trunk interface on this VLAN.
   - General Port: The interface can support all functions as defined in the IEEE 802.1q specification. The interface can be a tagged or untagged member of one or more VLANs.
   - Forbidden: The interface is not allowed to join the VLAN. When a port is not a member of any other VLAN, enabling this option on the port makes the port part of internal VLAN 4095 (a reserved VID).
   - Excluded: The interface is currently not a member of the VLAN. This is the default for all the ports and LAGs when the VLAN is newly created.
   - Tagged: The interface is a tagged member of the VLAN. This is not relevant for Access ports.
   - Untagged: The interface is an untagged member of the VLAN. Frames of the VLAN are sent untagged to the interface VLAN. This is not relevant for Access ports.
3. Click Apply. The settings are modified and written to the Running Configuration file.

VLAN Groups

This section describes how to configure MAC-based VLAN groups.

VLAN groups classify packets into VLANs based on their MAC addresses. VLAN groups can be used to separate traffic into different VLANs for security and/or load balancing.

If several classification schemes are defined, packets are assigned to a VLAN in the following order:

- TAG: If the packet is tagged, the VLAN is taken from the tag.
- MAC-Based VLAN: If a MAC-based VLAN has been defined, the VLAN is taken from the source MAC-to-VLAN mapping of the ingress interface.
- PVID: VLAN is taken from the port default VLAN ID.
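The rules in this chapter (acceptable frame type, the TAG / MAC-based / PVID classification order, the Discard VLAN, ingress filtering and egress tagging) can be modelled in a few lines to audit a planned configuration. This is an added example, not the device's code: the Port class, function names and sample values are hypothetical, and it assumes priority-tagged frames take the same MAC-based and PVID path as untagged frames.

```python
from dataclasses import dataclass, field

DISCARD_VLAN = 4095  # reserved VID: frames classified to it are dropped at ingress


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


@dataclass
class Port:
    """Hypothetical model of one interface's VLAN settings."""
    name: str
    pvid: int
    tagged: set = field(default_factory=set)       # VLANs joined as a tagged member
    untagged: set = field(default_factory=set)     # VLANs joined as an untagged member
    acceptable: str = "all"                        # "all", "tagged" or "untagged"
    ingress_filtering: bool = True                 # always on for access/trunk ports
    mac_vlans: list = field(default_factory=list)  # (mac, prefix_len, vlan) mappings

    def is_member(self, vlan):
        return vlan in self.tagged or vlan in self.untagged


def classify_ingress(port, src_mac, vid=None):
    """Return (vlan, rule) for an accepted frame, or (None, reason) for a drop.

    vid is None for an untagged frame and 0 for a priority-tagged frame.
    """
    carries_vlan = vid not in (None, 0)
    if port.acceptable == "tagged" and not carries_vlan:
        return None, "frame type not admitted"
    if port.acceptable == "untagged" and carries_vlan:
        return None, "frame type not admitted"

    if carries_vlan:                       # 1. TAG: the VLAN comes from the tag
        vlan, rule = vid, "tag"
    else:
        vlan, rule = port.pvid, "pvid"     # 3. PVID: used when nothing else matches
        src = mac_to_int(src_mac)
        for mac, prefix_len, mapped_vlan in port.mac_vlans:
            shift = 48 - prefix_len        # prefix_len 48 matches a single host
            if src >> shift == mac_to_int(mac) >> shift:
                vlan, rule = mapped_vlan, "mac-based"   # 2. MAC-based VLAN
                break

    if vlan == DISCARD_VLAN:
        return None, "discard VLAN"
    if port.ingress_filtering and not port.is_member(vlan):
        return None, "ingress filtering"
    return vlan, rule


def egress_format(port, vlan):
    """How a frame of `vlan` leaves the port, or None if the port is not a member."""
    if vlan in port.tagged:
        return "tagged"
    if vlan in port.untagged:
        return "untagged"
    return None


def vlan_after_link(tx_port, vlan, rx_port, src_mac):
    """VLAN a frame is classified to on the far side of a link, or None."""
    fmt = egress_format(tx_port, vlan)
    if fmt is None:
        return None
    return classify_ingress(rx_port, src_mac, vlan if fmt == "tagged" else None)[0]


# Constructed sample configuration (names, MAC addresses and VLAN IDs are made up).
GENERAL = Port("gi1", pvid=1, tagged={10, 30}, untagged={1},
               mac_vlans=[("02:aa:bb:00:00:00", 24, 30)])
UPLINK_A = Port("gi24", pvid=10, tagged={20}, untagged={10})
UPLINK_B_MATCH = Port("gi24", pvid=10, tagged={20}, untagged={10})
UPLINK_B_MISMATCH = Port("gi24", pvid=20, untagged={20})

if __name__ == "__main__":
    grouped, other = "02:aa:bb:12:34:56", "02:00:00:00:00:01"
    print(classify_ingress(GENERAL, grouped))
    print(classify_ingress(GENERAL, grouped, 10))
    print(classify_ingress(GENERAL, other, 40))
    print(vlan_after_link(UPLINK_A, 10, UPLINK_B_MATCH, other))
    print(vlan_after_link(UPLINK_A, 10, UPLINK_B_MISMATCH, other))
```

The last call models the PVID mismatch warned about under Join VLAN: a frame sent untagged from VLAN 10 is classified to VLAN 20 on the peer, which is the leak to look for when reviewing both ends of a link.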

MAC-Based Group

MAC-based VLAN classification enables packets to be classified according to their source MAC address. You can then define MAC-to-VLAN mapping per interface.

You can define several MAC-based groups, with each group containing different MAC addresses.

These MAC-based groups can be assigned to specific ports/LAGs. MAC-based groups cannot contain overlapping ranges of MAC addresses on the same port.

The following table describes the availability of MAC-based groups in various SKUs:

Table 1 MAC-Based Group Availability

SKU      System Mode  MAC-Based Groups
Smart    Layer 2      Yes
         Layer 3      No
Managed  Layer 2      Yes
         Layer 3      No

To define a MAC-based group:

1. Assign a MAC address to a VLAN group ID (using the MAC-Based Groups page).
2. For each required interface:
   - Assign the VLAN group to a VLAN (using the MAC-Based VLAN page). The interfaces must be in General mode.
   - If the interface does not belong to the VLAN, manually assign it to the VLAN using the VLAN Membership page.

To assign a MAC address to a VLAN Group:

1. Click Configuration > VLAN Management > MAC-Based Group.
2. Click Add.
3. Enter the values for the following fields:
   - Group ID: Enter a user-created VLAN group ID number.
   - MAC Address: Enter a MAC address to be assigned to a VLAN group.
     Note: This MAC address cannot be assigned to any other VLAN group.
   - Prefix Mask: Enter one of the following:
     - Host: Source host of the MAC address
     - Length: Prefix of the MAC address
4. Click Apply. The MAC address is assigned to a VLAN group.

MAC-Based VLAN per interface

See Table 1 for a description of the availability of this feature.

Ports/LAGs must be in General mode.

To assign a MAC-based VLAN group to a VLAN on an interface:

1. Click Configuration > VLAN Management > MAC-Based VLAN.
2. Click Add.
3. Enter the values for the following fields:
   - Interface: Enter a general interface (port/LAG) through which traffic is received.
   - Group ID: Select a VLAN group, defined in the MAC-Based Groups page.
   - VLAN ID: Select the VLAN to which traffic from the VLAN group is forwarded.

4. Click Apply to set the mapping of the VLAN group to the VLAN. This mapping does not bind the interface dynamically to the VLAN; the interface must be manually added to the VLAN.

Voice VLAN

In a LAN, voice devices, such as IP phones, VoIP endpoints, and voice systems are placed into the same VLAN. This VLAN is referred to as the voice VLAN. If the voice devices are in different voice VLANs, IP (Layer 3) routers are needed to provide communication.

Auto Voice VLAN

The device supports the Telephony OUI (Organization Unique Identifier) voice VLAN mode.

The two modes affect how voice VLAN and/or voice VLAN port memberships are configured.

In Telephony OUI mode, the voice VLAN must be a manually-configured VLAN, and cannot be the default VLAN.

When the device is in Telephony OUI mode and a port is manually configured as a candidate to join the voice VLAN, the device dynamically adds the port to the voice VLAN if it receives a packet with a source MAC address matching one of the configured telephony OUIs. An OUI is the first three bytes of an Ethernet MAC address. For more information about Telephony OUI, see Telephony OUI Interfaces.

Voice End-Points

To have a voice VLAN work properly, the voice devices, such as IP phones and VoIP endpoints, must be assigned to the voice VLAN where they send and receive their voice traffic. Two possible scenarios:

- A phone/endpoint may be statically configured with the voice VLAN.
- A phone/endpoint may obtain the voice VLAN in the boot file it downloads from a TFTP server. A DHCP server may specify the boot file and the TFTP server when it assigns an IP address to the phone.

You can create a network policy manually or enable the device to automatically generate a network policy, based on a voice VLAN configuration.

The device expects the attaching voice devices to send voice VLAN, tagged packets. On ports where the voice VLAN is the native VLAN, or that are configured with auto voice VLAN by Telephony OUI, voice VLAN untagged packets are possible.

Voice VLAN CoS

The device can advertise the CoS/802.1p and DSCP settings of the voice VLAN by using LLDP-MED Network policies. You can create your network policy manually or enable the device to automatically generate the network policy based on your voice VLAN configuration. MED-supported devices must send their voice traffic with the same CoS/802.1p and DSCP values, as received with the LLDP-MED response.

You can disable the automatic update between Voice VLAN and LLDP-MED and use your own network policies.

Working with the OUI mode, the device can additionally configure the mapping and remarking (CoS/802.1p) of the voice traffic based on the OUI.

By default, all interfaces are CoS/802.1p trusted. The device applies the quality of service based on the CoS/802.1p value found in the voice stream. For Telephony OUI voice streams, you can override the class of service and optionally remark the 802.1p of the voice streams by specifying the desired CoS/802.1p values and using the remarking option under Telephony OUI.

Voice VLAN Constraints

The following constraints exist:

- Only one Voice VLAN is supported.
- A VLAN that is defined as a Voice VLAN cannot be removed.

In addition, the following constraints are applicable for Telephony OUI:

- The Voice VLAN cannot be VLAN1 (the default VLAN).
- The Voice VLAN QoS decision has priority over any other QoS decision, except for the Policy decision.
- A new VLAN ID can be configured for the Voice VLAN only if the current Voice VLAN does not have candidate ports.
- The interface VLAN of a candidate port must be in General or Trunk mode.
- The Voice VLAN QoS is applied to candidate ports that have joined the Voice VLAN, and to static ports.
- The voice flow is accepted if the MAC address can be learned by the Forwarding Database (FDB). (If there is no free space in FDB, no action occurs).

Feature Configuration

To configure Auto Voice VLAN:

1. Click Configuration > VLAN Management > Voice VLAN > Feature Configuration.
2. Enter the following to configure Voice VLAN:
   - Voice VLAN ID: Enter the identifier of the current voice VLAN.
   - CoS/802.1p: Select the CoS/802.1p value to be used by the LLDP-MED as a voice network policy.
3. Enter the following to configure telephone OUI voice VLAN:
   - Telephone OUI Voice VLAN: Check to enable automatically adding ports to voice VLAN when OUI packets are received.
   - Remark CoS/802.1p: Select to enable remarking packets with the CoS/802.1p value.
   - Aging Time: Enter the time delay to remove a port from the voice VLAN after all of the MAC addresses of the phones detected on the ports have aged out.
4. Click Apply to save the settings to the Running Configuration file.

Refer to Administration > Discovery > LLDP > LLDP MED Network Policy to enable automatic generation of network policy for voice.

To view or add a new OUI:

1. Click Configuration > VLAN Management > Voice VLAN > Feature Configuration.
2. Click Add to add a new OUI.

3. Enter the values for the following fields:
   - Telephony OUI: First six digits of the MAC address that are reserved for OUIs.
   - Description: User-assigned OUI description.

   Note: Click Restore to delete all of the user-created OUIs, and leave only the default OUIs in the table. The OUI information may not be accurate until the restoration is completed. This may take several seconds. After several seconds have passed, refresh the page by exiting it and re-entering it.

   To delete all the OUIs, select the top checkbox. All the OUIs are selected and can be deleted by clicking Delete. If you then click Restore, the system recovers the known OUIs.
4. Click Apply. The OUI is added to the Telephony OUI Table.

Telephony OUI Interfaces

QoS attributes can be assigned per port to the voice packets in one of two modes:

- All: Quality of Service (QoS) values configured to the Voice VLAN are applied to all of the incoming frames that are received on the interface and are classified to the Voice VLAN.
- Telephony Source MAC Address (SRC): The QoS values configured for the Voice VLAN are applied to any incoming frame that is classified to the Voice VLAN and contains an OUI in the source MAC address that matches a configured telephony OUI.

Use the Telephony OUI Interface page to add an interface to the voice VLAN on the basis of the OUI identifier and to configure the OUI QoS mode of voice VLAN.

To configure Telephony OUI on an interface:

1. Click Configuration > VLAN Management > Voice VLAN > Telephony OUI Interfaces.
2. To configure an interface to be a candidate port of the telephony OUI-based voice VLAN, click Edit.
3. Enter the values for the following fields:
   - Interface: Select an interface.
   - Telephony OUI VLAN: If enabled, the interface is a candidate port of the telephony OUI based voice VLAN. When packets that match one of the configured telephony OUI are received, the port is added to the voice VLAN.
   - QoS Mode: Select one of the following options:
     - All: QoS attributes are applied on all packets that are classified to the Voice VLAN.
     - Telephony Source MAC Address: QoS attributes are applied only on packets from IP phones.
4. Click Apply.

Chapter 7 - Spanning Tree Management

Spanning Tree Protocol protects a Layer 2 Broadcast domain from Broadcast storms by selectively setting links to standby mode to prevent loops. In standby mode, these links temporarily stop transferring user data. After the topology changes so that the data transfer is made possible, the links are automatically reactivated.

Loops occur when alternate routes exist between hosts. Loops in an extended network can cause switches to forward traffic indefinitely, resulting in increased traffic load and reduced network efficiency.

STP provides a tree topology for any arrangement of switches and interconnecting links, by creating a unique path between end stations on a network, and thereby eliminating loops.

Spanning Tree Protocol versions:

- Classic STP: Provides a single path between any two end stations, avoiding and eliminating loops.
- Rapid STP (RSTP): Detects network topologies to provide faster convergence of the spanning tree. This is most effective when the network topology is naturally tree-structured, and therefore faster convergence might be possible. RSTP is enabled by default.
- Multiple STP (MSTP): Classic STP and Rapid STP detect Layer 2 loops, and attempt to mitigate them by preventing the involved port from transmitting traffic. Since loops exist on a per-Layer 2-domain basis, there can be a loop in VLAN A and no loop in VLAN B. If both VLANs are on Port X, Classic STP and Rapid STP will mitigate the loop by stopping traffic on the entire port, including VLAN B traffic. MSTP solves this problem by enabling several STP instances, so that it is possible to detect and mitigate loops separately in each instance. By associating instances to VLANs, each instance is associated with the Layer 2 domain on which it performs loop detection and mitigation. This enables a port to be stopped in one instance, such as traffic from VLAN A that is causing a loop, while traffic can remain active in another domain where no loop was seen, such as on VLAN B.

Spanning Tree

To set the STP status and global settings:
1. Click Configuration > Spanning Tree Management > Spanning Tree.
2. Enter the parameters.
   Global Settings:
   Spanning Tree - Select to enable on the device.
   Spanning Tree Mode - Select an STP mode: Classic STP, Rapid STP or Multiple STP.
   Path Cost Default Values - Selects the method used to assign default path costs to the STP ports. The default path cost assigned to an interface varies according to the selected method.
      Short - Specifies the range 1 through 65,535 for port path costs.
      Long - Specifies the range 1 through 200,000,000 for port path costs.
   BPDU Handling - Select how Bridge Protocol Data Unit (BPDU) packets are managed when STP is disabled on the port or the device. BPDUs are used to transmit spanning tree information.
      Filtering - Filters BPDU packets when Spanning Tree is disabled on an interface.
      Flooding - Floods BPDU packets when Spanning Tree is disabled on an interface.

   Bridge Settings:
   Priority - Sets the bridge priority value. After exchanging BPDUs, the device with the lowest priority becomes the Root Bridge. If all bridges use the same priority, their MAC addresses are used to determine the Root Bridge. The bridge priority value is provided in increments of For example, 4096, 8192, 12288, and so on.
   Hello Time - Set the interval (in seconds) that a Root Bridge waits between configuration messages.
   Max Age - Set the interval (in seconds) that the device can wait without receiving a configuration message, before attempting to redefine its own configuration.
   Forward Delay - Set the interval (in seconds) that a bridge remains in a learning state before forwarding packets.
   Designated Root:
   Bridge ID - The bridge priority concatenated with the MAC address of the device.
   Root Bridge ID - The Root Bridge priority concatenated with the MAC address of the Root Bridge.
   Root Port - The port that offers the lowest cost path from this bridge to the Root Bridge. (This is significant when the bridge is not the root.)
   Root Path Cost - The cost of the path from this bridge to the root.
   Topology Changes Counts - The total number of STP topology changes that have occurred.
   Last Topology Change - The time interval that elapsed since the last topology change occurred. The time appears in a days/hours/minutes/seconds format.
3. Click Apply. The STP Global settings are written to the Running Configuration file.
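The election rule in the Priority field (lowest priority wins, MAC address breaks ties) can be checked against a switch inventory before deployment. The following is an added example, not part of the guide: the switch names, MAC addresses and priorities are constructed, and the 4096 step is taken from the guide's own examples.

```python
"""Root Bridge election audit (added example; inventory values are constructed)."""
from dataclasses import dataclass

PRIORITY_STEP = 4096  # assumption: the step implied by the examples 4096, 8192, 12288


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int
    mac: str  # colon-separated hex, e.g. "00:14:bf:02:11:05"

    def bridge_id(self):
        """Bridge ID: priority concatenated with the MAC, as a sortable pair."""
        return (self.priority, int(self.mac.replace(":", ""), 16))


def elect_root(bridges):
    """Lowest priority wins; equal priorities are decided by the lowest MAC."""
    return min(bridges, key=lambda b: b.bridge_id())


def audit(bridges, intended_root):
    """Return (code, detail) findings about the election outcome."""
    findings = []
    for b in bridges:
        if b.priority < 0 or b.priority % PRIORITY_STEP:
            findings.append(("BAD_PRIORITY", f"{b.name}: {b.priority}"))
    root = elect_root(bridges)
    # More than one bridge at the winning priority means the MAC decided it.
    tied = sorted(b.name for b in bridges if b.priority == root.priority)
    if len(tied) > 1:
        findings.append(("MAC_TIEBREAK", ", ".join(tied)))
    if root.name != intended_root:
        findings.append(("UNINTENDED_ROOT", root.name))
    return findings


# Constructed inventory: every switch left at the same priority.
SAME_PRIORITY = [
    Bridge("core-1", 32768, "00:25:9c:10:00:a0"),
    Bridge("core-2", 32768, "00:25:9c:10:00:90"),
    Bridge("access-7", 32768, "00:14:bf:02:11:05"),
]
# Constructed inventory: the intended root and its backup are pinned.
PINNED = [
    Bridge("core-1", 4096, "00:25:9c:10:00:a0"),
    Bridge("core-2", 8192, "00:25:9c:10:00:90"),
    Bridge("access-7", 32768, "00:14:bf:02:11:05"),
]

if __name__ == "__main__":
    for label, inventory in (("same priority", SAME_PRIORITY), ("pinned", PINNED)):
        print(label, "->", elect_root(inventory).name, audit(inventory, "core-1"))
```

With equal priorities the access switch with the lowest MAC address becomes the Root Bridge; setting explicit priorities on the intended root and its backup removes the dependence on MAC addresses.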

STP Interfaces

The STP Interface page enables you to configure STP on a per-port basis, and to view the information learned by the protocol, such as the designated bridge. The defined configuration entered is valid for all flavors of the STP protocol.

To configure STP on an interface:
1. Click Configuration > Spanning Tree Management > STP Interfaces.
2. Select an interface type and click Edit.
3. Enter the parameters.
   STP - Select to enable STP on the port.
   BPDU Handling - Select how BPDU packets are managed when STP is disabled on the port or the device. BPDUs are used to transmit spanning tree information.
      Use Global Settings - Select to use the settings defined in the Spanning Tree page.
      Filtering - Filters BPDU packets when Spanning Tree is disabled on an interface.
      Flooding - Floods BPDU packets when Spanning Tree is disabled on an interface.
   Path Cost - Set the port contribution to the root path cost or use the default cost generated by the system.
   Priority - Select the priority value of the port. The priority value influences the port choice when a bridge has two ports connected in a loop. The priority is a value from 0 to 240, set in increments of

   Port State - Displays the current STP state of a port.
      Disabled - STP is currently disabled on the port. The port forwards traffic while learning MAC addresses.
      Blocking - The port is currently blocked, and cannot forward traffic (with the exception of BPDU data) or learn MAC addresses.
      Listening - The port is in Listening Mode. The port cannot forward traffic, and cannot learn MAC addresses.
      Learning - The port is in Learning Mode. The port cannot forward traffic, but it can learn new MAC addresses.
      Forwarding - The port is in Forwarding Mode. The port can forward traffic and learn new MAC addresses.
   Designated Bridge ID - Displays the priority and interface of the selected port.
   Designated Port ID - Displays the priority and interface of the selected port.
   Designated Cost - Displays the cost of the port participating in the STP topology. Ports with a lower cost are less likely to be blocked if STP detects loops.
4. Click Apply. The interface settings are written to the Running Configuration file.

RSTP Interfaces

Rapid Spanning Tree Protocol (RSTP) enables a faster STP convergence without creating forwarding loops. The RSTP Interface Settings page enables you to configure RSTP per port. Any configuration that is done on this page is active when the global STP mode is set to RSTP or MSTP.

To configure RSTP:
1. Click Configuration > Spanning Tree Management > Spanning Tree.
2. Select Rapid STP on the Spanning Tree Mode line.
3. Click Configuration > Spanning Tree Management > Spanning Tree > RSTP Interfaces.
4. Select an interface, and click Edit.
5. Enter the interface settings:
   Point to Point Mode - Define the point-to-point link status. Ports defined as full duplex are considered point-to-point port links.
      Enable - This port is an RSTP edge port when this feature is enabled, and is brought to Forwarding Mode quickly (usually within 2 seconds).
      Disable - The port is not considered point-to-point for RSTP purposes, which means that STP works on it at regular speed, as opposed to high speed.
      Auto - Automatically determines the device status by using RSTP BPDUs.
   Edge Port Mode - Enables or disables Fast Link on the port. If Fast Link Mode is enabled on a port, the port is automatically set to forwarding state when the port link is up. Fast Link optimizes the STP protocol convergence. The options:
      Enable - Enables Fast Link immediately.
      Disable - Disables Fast Link.
      Auto - Enables Fast Link a few seconds after the interface becomes active. This allows STP to resolve loops before enabling Fast Link.
      Note - It is recommended to set the value to Auto so that the device sets the port to fast link mode if a host is connected to it, or sets it as a regular STP port if connected to another device. This helps avoid loops.
   STP Mode - Select either STP or RSTP.
   Point to Point Status - Displays the point-to-point operational status if the Point to Point Administrative Status is set to Auto.
   Port Role - Displays the role of the port that was assigned by STP to provide STP paths. Possible roles:
      Root - Lowest cost path to forward packets to the root bridge.
      Designated - The interface through which the bridge is connected to the LAN, which provides the lowest cost path from the LAN to the root bridge.
      Alternate - Provides an alternate path to the root bridge from the root interface.

      Backup - Provides a backup path to the designated port path toward the spanning tree leaves. This provides a configuration in which two ports are connected in a loop by a point-to-point link. Backup ports are also used when a LAN has two or more established connections to a shared segment.
      Disabled - The port is not participating in spanning tree.
   Port Status - Displays the RSTP status on the specific port.
      Disabled - STP is currently disabled on the port.
      Blocking - The port is currently blocked, and it cannot forward traffic or learn MAC addresses.
      Listening - The port is in Listening Mode. The port cannot forward traffic, and cannot learn MAC addresses.
      Learning - The port is in Learning Mode. The port cannot forward traffic, however it can learn new MAC addresses.
      Forwarding - The port is in Forwarding Mode. The port can forward traffic and learn new MAC addresses.
6. Click Apply. The Running Configuration file is updated.

MSTP Properties

Multiple Spanning Tree Protocol (MSTP) is used to separate the STP port state between various domains (on different VLANs). For example, while port A is blocked in one STP instance due to a loop on VLAN A, the same port can be placed in the Forwarding State in another STP instance. The MSTP Properties page enables you to define the global MSTP settings.

Each MSTP instance calculates and builds a loop free topology to bridge packets from the VLANs that map to the instance. Refer to the MSTP Properties page.

Decide which MSTP instance is to be active in which VLAN, and associate these MSTP instances to VLAN(s) accordingly.

Configure MSTP attributes on the following pages:
   MSTP Properties
   MSTP Instance Status
   MSTP Instance Interface
   MSTP Interfaces

The global MSTP configures a separate Spanning Tree for each VLAN group and blocks all but one of the possible alternate paths within each spanning tree instance. MSTP enables formation of MST regions that can run multiple MST instances (MSTI). Multiple regions and other STP bridges are interconnected using one single common spanning tree (CST).

MSTP is fully compatible with RSTP bridges, in that an MSTP BPDU can be interpreted by an RSTP bridge as an RSTP BPDU. This not only enables compatibility with RSTP bridges without configuration changes, but also causes any RSTP bridges outside of an MSTP region to see the region as a single RSTP bridge, regardless of the number of MSTP bridges inside the region itself.

Up to three MST instances (predefined from 1-3) can be defined on Smart switches, in addition to instance zero.

VLAN to MSTP Instance Mapping

For two or more switches to be in the same MST region, they must have the same VLANs to MST instance mapping, the same configuration revision number, and the same region name.

Switches intended to be in the same MST region are never separated by switches from another MST region. If they are separated, the region becomes two separate regions.

The VLAN to MSTP instance mapping is done in the MSTP Properties page. Each VLAN can be mapped to an MSTP instance. For devices to be in the same region, they must have the same mapping of VLANs to MSTP instances.

Configuration on this page (and all of the MSTP pages) applies if the system STP mode is MSTP.

Note - The same MSTI can be mapped to more than one VLAN, but each VLAN can only have one MST Instance attached to it.

For those VLANs that are not explicitly mapped to one of the MST instances, the device automatically maps them to the CIST (Core and Internal Spanning Tree) instance. The CIST instance is MST instance 0.

To configure MSTP:
1. Click Configuration > Spanning Tree Management > Spanning Tree.
2. Select Multiple STP on the Spanning Tree Mode line.
3. Click Configuration > Spanning Tree Management > MSTP Properties.

4. Enter the parameters.
   Region Name - Define an MSTP region name.
   Revision - Define an unsigned 16-bit number that identifies the revision of the current MST configuration. The field range is from 0 to
   Maximum Hops - Set the total number of hops that occur in a specific region before the BPDU is discarded. Once the BPDU is discarded, the port information is aged out. The field range is from 1 to 40.
   IST Master (display only) - Displays the region's master.
5. Click Apply. The MSTP properties are defined, and the Running Configuration file is updated.

To edit an MSTP instance:
1. Click Configuration > Spanning Tree Management > MSTP Properties.
2. Select the MST instance from the MST Instance Table and click Edit.
3. Enter the parameters.
   MST Instance ID - Select an MST instance to be displayed and defined.
   Bridge Priority - Set the priority of this bridge for the selected MST instance.
   Action - Select Add VLAN or Remove VLAN.
   VLANs - Displays the VLANs mapped to the selected instance. The default mapping is that all VLANs are mapped to the common and internal spanning tree (CIST) instance 0.
4. Click Apply. The MSTP properties are defined, and the Running Configuration file is updated.
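The three conditions for region membership (same region name, same revision, same VLAN to instance mapping) are easy to break on one switch without noticing, which silently splits a region. The following added example, not part of the guide, groups constructed switch configurations into the regions they would actually form; it assumes region names are compared exactly, including case.

```python
"""MST region consistency check (added example; switch data is constructed)."""
from collections import defaultdict

INSTANCES = range(0, 4)        # guide: instance zero plus instances 1-3
REVISIONS = range(0, 1 << 16)  # guide: revision is an unsigned 16-bit number


def validate(cfg):
    """Raise ValueError if a configuration is outside what the guide allows."""
    if cfg["revision"] not in REVISIONS:
        raise ValueError(f"revision {cfg['revision']} is not an unsigned 16-bit number")
    for vlan, msti in cfg["vlan_to_msti"].items():
        if msti not in INSTANCES:
            raise ValueError(f"VLAN {vlan}: instance {msti} is not in 0-3")


def effective_mapping(cfg, vlans):
    """VLANs without an explicit mapping belong to the CIST, instance 0."""
    return tuple(cfg["vlan_to_msti"].get(v, 0) for v in vlans)


def group_regions(switches):
    """Group switch names by (region name, revision, VLAN to instance mapping)."""
    vlans = sorted({v for cfg in switches.values() for v in cfg["vlan_to_msti"]})
    regions = defaultdict(list)
    for name, cfg in switches.items():
        validate(cfg)
        # Assumption: region names match only when identical, including case.
        key = (cfg["region"], cfg["revision"], effective_mapping(cfg, vlans))
        regions[key].append(name)
    return sorted(sorted(members) for members in regions.values())


def differences(a, b):
    """List the region attributes on which two configurations disagree."""
    out = []
    if a["region"] != b["region"]:
        out.append(f"region name: {a['region']!r} vs {b['region']!r}")
    if a["revision"] != b["revision"]:
        out.append(f"revision: {a['revision']} vs {b['revision']}")
    for vlan in sorted(set(a["vlan_to_msti"]) | set(b["vlan_to_msti"])):
        ia, ib = a["vlan_to_msti"].get(vlan, 0), b["vlan_to_msti"].get(vlan, 0)
        if ia != ib:
            out.append(f"VLAN {vlan}: instance {ia} vs {ib}")
    return out


# Constructed sample: four switches meant to form one region.
SWITCHES = {
    "sw-a": {"region": "CAMPUS", "revision": 3, "vlan_to_msti": {10: 1, 20: 1, 30: 2}},
    "sw-b": {"region": "CAMPUS", "revision": 3, "vlan_to_msti": {10: 1, 20: 1, 30: 2, 40: 0}},
    "sw-c": {"region": "CAMPUS", "revision": 4, "vlan_to_msti": {10: 1, 20: 1, 30: 2}},
    "sw-d": {"region": "Campus", "revision": 3, "vlan_to_msti": {10: 1, 20: 1}},
}

if __name__ == "__main__":
    print(group_regions(SWITCHES))
    for other in ("sw-b", "sw-c", "sw-d"):
        print("sw-a vs", other, differences(SWITCHES["sw-a"], SWITCHES[other]))
```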

MSTP Instance Status

The MSTP Instance Status page displays parameters of MST instances. This is the per-instance equivalent to the Spanning Tree page.

To view MSTP instance settings:
Click Configuration > Spanning Tree Management > MSTP Instance Status.
   Instance ID - Select an MST instance to be displayed and defined.
   Bridge Priority - Set the priority of this bridge for the selected MST instance.
   Designated Root Bridge ID - Displays the priority and MAC address of the Root Bridge for the MST instance.
   Root Port - Displays the root port of the selected instance.
   Root Path Cost - Displays the root path cost of the selected instance.
   Bridge ID - Displays the bridge priority and the MAC address of this device for the selected instance.
   Remaining Hops - Displays the number of hops remaining to the next destination.

MSTP Instance Interface

The MSTP Instance Interface page enables you to configure the port MSTP settings for every MST instance, and to view information that has currently been learned by the protocol, such as the designated bridge per MST instance.

To configure the ports in an MST instance:
1. Click Configuration > Spanning Tree Management > MSTP Instance Interface.
2. Enter the parameters.
   MSTP Instance - Select the MSTP instance to be configured.
   Interface Type - Select whether to display the list of ports or LAGs.
3. Click Search. The following MSTP parameters for the interfaces on the instance are displayed:
   Interface - Select the interface for which the MSTI settings are to be defined.
   Interface Priority - Set the port priority for the specified interface and MST instance.
   Path Cost - Enter the port contribution to the root path cost in the User Defined textbox or select Use Default to use the default value.
   Port State - Displays the MSTP status of the specific port on a specific MST instance. The parameters are defined as:
      Disabled - STP is currently disabled.
      Blocking - The port on this instance is currently blocked, and cannot forward traffic (with the exception of BPDU data) or learn MAC addresses.
      Listening - The port on this instance is in Listening mode. The port cannot forward traffic, and cannot learn MAC addresses.

      Learning - The port on this instance is in Learning mode. The port cannot forward traffic, but it can learn new MAC addresses.
      Forwarding - The port on this instance is in Forwarding mode. The port can forward traffic and learn new MAC addresses.
      Boundary - The port on this instance is a boundary port. It inherits its state from instance 0 and can be viewed on the STP Interface Settings page.
   Port Role - Displays the port or LAG role, per port or LAG per instance, assigned by the MSTP algorithm to provide STP paths:
      Root - Forwarding packets through this interface provides the lowest cost path for forwarding packets to the root device.
      Designated - The interface through which the bridge is connected to the LAN, which provides the lowest root path cost from the LAN to the Root Bridge for the MST instance.
      Alternate - The interface provides an alternate path to the root device from the root interface.
      Backup - The interface provides a backup path to the designated port path toward the Spanning Tree leaves. Backup ports occur when two ports are connected in a loop by a point-to-point link. Backup ports also occur when a LAN has two or more established connections to a shared segment.
      Disabled - The interface does not participate in the Spanning Tree.
      Boundary - The port on this instance is a boundary port. It inherits its state from instance 0 and can be viewed on the STP Interface Settings page.
   Mode - Displays the current interface Spanning Tree mode. If the link partner is using MSTP or RSTP, the displayed port mode is RSTP. If the link partner is using STP, the displayed port mode is STP.
   Type - Displays the MST type of the port.
      Boundary - A Boundary port attaches MST bridges to a LAN in a remote region. If the port is a boundary port, it also indicates whether the device on the other side of the link is working in RSTP or STP mode.
      Internal - The port is an internal port.
   Designated Bridge ID - Displays the ID number of the bridge that connects the link or shared LAN to the root.
   Designated Port ID - Displays the Port ID number on the designated bridge that connects the link or the shared LAN to the root.
   Designated Cost - Displays the cost of the port participating in the STP topology. Ports with a lower cost are less likely to be blocked if STP detects loops.
   Remain Hops - Displays the hops remaining to the next destination.

   Forward Transitions - Displays the number of times the port has changed from the Forwarding state to the Blocking state.
4. Select an interface, and click Edit.
5. Enter the parameters.
6. Click Apply. The Running Configuration file is updated.

Chapter 8 - MAC Address Management

There are two types of MAC addresses: static and dynamic. Depending on their type, MAC addresses are either stored in the Static Address table or in the Dynamic Address table, along with VLAN and port information.

Static addresses are configured by the user, and therefore, they do not expire. A new source MAC address that appears in a frame arriving at the device is added to the Dynamic Address table. This MAC address is retained for a configurable period of time. If another frame with the same source MAC address does not arrive at the device before that time period expires, the MAC entry is aged (deleted) from the table.

When a frame arrives, the device searches for a corresponding/matching MAC address in the static or dynamic table. If a match is found, the frame is marked for egress on the port specified in the table. If frames are sent to a MAC address that is not found in the tables, they are transmitted/broadcasted to all the ports on the relevant VLAN. Such frames are referred to as unknown Unicast frames.

The device supports a maximum of 8,000 static and dynamic MAC addresses.

Dynamic MAC Addresses

The Dynamic Address Table (bridging table) contains the MAC addresses acquired by monitoring the source addresses of frames entering the device. To prevent this table from overflowing and to make room for new MAC addresses, an address is deleted if no corresponding traffic is received for a certain period of time known as the aging time.

To configure the aging time for dynamic addresses:
1. Click Configuration > MAC Address Management > Dynamic MAC Addresses.

2. Enter Aging Time. The aging time is a value between the user-configured value and twice that value minus 1. For example, if you entered 300 seconds, the aging time is between 300 and 599 seconds.
3. Click Apply. The aging time is updated.
4. In the Dynamic MAC Address Table block, enter the query criteria:
   VLAN ID - Enter the VLAN ID for which the table is queried.
   MAC Address - Enter the MAC address for which the table is queried.
   Interface - Select the interface for which the table is queried. The query can search for specific unit/slot, ports, or LAGs.
   Sort By - Select the field for which the table is queried.
5. Click Search. The Dynamic MAC Address Table is queried and the results are displayed.
6. To delete all dynamic MAC addresses click Clear.

Static MAC Addresses

Static MAC addresses are assigned to a specific physical interface and VLAN on the device. If that address is detected on another interface, it is ignored, and is not written to the address table.

To define a static address:
1. Click Configuration > MAC Address Management > Static Addresses. The Static Addresses page contains the currently defined static addresses.
2. Click Add.
3. Enter the parameters.
   VLAN ID - Select the VLAN ID for the port.
   MAC Address - Enter the interface MAC address.
   Interface - Select an interface (unit/slot, port, or LAG) for the entry.
   Status - Select how the entry is treated. The options are:

      Permanent - The system never removes this MAC address. If the static MAC address is saved in the Startup Configuration, it is retained after rebooting.
      Delete on reset - The static MAC address is deleted when the device is reset.
      Delete on timeout - The MAC address is deleted when aging occurs.
      Secure - The MAC address is secure when the interface is in classic locked mode (see Port Security).
4. Click Apply. A new entry appears in the table.

Reserved MAC Addresses

When the device receives a frame with a destination MAC address that belongs to a reserved range (per the IEEE standard), the frame can be discarded or bridged. The entry in the Reserved MAC Address Table can either specify the reserved MAC address or the reserved MAC address and a frame type.

To add an entry for a reserved MAC address:
1. Click Configuration > MAC Address Management > Reserved MAC Addresses.
2. Click Add.
3. Enter the values for the following fields:
   MAC Address - Select the MAC address to be reserved.
   Frame Type - Select a frame type based on the following criteria:
      Ethernet II - Applies to Ethernet II packets with the specific MAC address and ethertype.
      LLC - Applies to Logical Link Control (LLC) packets with the specific MAC address and DSAP-SSAP.

      LLC-SNAP - Applies to Logical Link Control/Sub-Network Access Protocol (LLC-SNAP) packets with the specific MAC address.
      All - Applies to all packets with the specific MAC address and protocol.
   Action - Select one of the following actions to be taken upon receiving a packet that matches the selected criteria:
      Bridge - Forward the packet to all VLAN members.
      Discard - Delete the packet.
4. Click Apply. A new MAC address is reserved.
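The lookup behaviour described in this chapter (source learning, the aging window, static entries that ignore the same address on another interface, and flooding of unknown Unicast frames) can be followed in a small model. This is an added example, not the device's implementation: it assumes the longest retention the guide allows (twice the aging time minus 1) and that flooding skips the ingress port; all addresses and port names are constructed.

```python
"""Model of the static/dynamic MAC tables (added example; data is constructed)."""


class MacTable:
    """Static and dynamic address tables for one switch, keyed by (VLAN, MAC)."""

    def __init__(self, aging=300):
        self.aging = aging
        self.static = {}    # (vlan, mac) -> port, never aged
        self.dynamic = {}   # (vlan, mac) -> (port, last_seen)

    def add_static(self, vlan, mac, port):
        self.dynamic.pop((vlan, mac), None)
        self.static[(vlan, mac)] = port

    def expire(self, now):
        """Age out entries idle for longer than 2 * aging - 1 seconds."""
        limit = 2 * self.aging - 1   # assumption: worst case of the stated window
        stale = [k for k, (_, seen) in self.dynamic.items() if now - seen > limit]
        for key in stale:
            del self.dynamic[key]
        return stale

    def lookup(self, vlan, mac):
        key = (vlan, mac)
        if key in self.static:
            return self.static[key]
        entry = self.dynamic.get(key)
        return entry[0] if entry else None

    def receive(self, now, vlan, src, dst, in_port, vlan_ports):
        """Learn the source, then return (learning status, egress ports)."""
        self.expire(now)
        key = (vlan, src)
        if key in self.static:
            # A static address seen on another interface is ignored, not relearned.
            status = "static" if self.static[key] == in_port else "ignored"
        else:
            self.dynamic[key] = (in_port, now)
            status = "learned"
        out = self.lookup(vlan, dst)
        # No match: unknown Unicast, sent to every port of the VLAN.
        egress = {out} if out else set(vlan_ports)
        return status, sorted(egress - {in_port})


# Constructed sample values.
PORTS = ["gi1", "gi2", "gi3", "gi4"]
SERVER = "00:11:22:33:44:55"
HOST_A = "aa:aa:aa:00:00:01"
HOST_B = "aa:aa:aa:00:00:02"

if __name__ == "__main__":
    table = MacTable(aging=300)
    table.add_static(10, SERVER, "gi1")
    print(table.receive(0, 10, HOST_A, HOST_B, "gi2", PORTS))   # unknown: flooded
    print(table.receive(1, 10, HOST_B, HOST_A, "gi3", PORTS))   # known: one port
    print(table.receive(2, 10, SERVER, HOST_A, "gi4", PORTS))   # static seen elsewhere
    print(table.receive(601, 10, HOST_A, HOST_B, "gi2", PORTS)) # HOST_B aged out
```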

Chapter 9 Multicast

Multicast forwarding enables one-to-many information dissemination. Multicast applications are useful for dissemination of information to multiple clients, where clients do not require reception of the entire content. A typical application is a cable-TV-like service, where clients can join a channel in the middle of a transmission, and leave before it ends.

The data is sent only to relevant ports. Forwarding the data only to the relevant ports conserves bandwidth and host resources on links.

For Multicast forwarding to work across IP subnets, nodes and routers must be Multicast-capable. A Multicast-capable node must be able to do the following:
   Send and receive Multicast packets.
   Register the Multicast addresses being listened to by the node with local routers, so that local and remote routers can route the Multicast packet to the nodes.

Typical Multicast Setup

While Multicast routers route Multicast packets between IP subnets, Multicast-capable Layer 2 switches forward Multicast packets to registered nodes within a LAN or VLAN.

A typical setup involves a router that forwards the Multicast streams between private and/or public IP networks, a device with Internet Group Membership Protocol (IGMP) snooping capabilities, and a Multicast client that wants to receive a Multicast stream. In this setup, the router sends IGMP queries periodically. These queries reach the device, which in turn floods the queries to the VLAN, and also learns the port where there is a Multicast router (Mrouter). When a host receives the IGMP query message, it responds with an IGMP Join message saying that the host wants to receive a specific Multicast stream and optionally from a specific source. The device with IGMP snooping analyzes the Join messages, and learns that the Multicast stream the host has requested must be forwarded to this specific port. It then forwards the IGMP Join to the Mrouter only. Similarly, when the Mrouter receives an IGMP Join message, it learns the interface from which it received the Join messages that wants to receive a specific Multicast stream. The Mrouter forwards the requested Multicast stream to the interface.

In a Layer 2 Multicast service, a Layer 2 switch receives a single frame addressed to a specific Multicast address. It creates copies of the frame to be transmitted on each relevant port.

When the device is IGMP snooping-enabled and receives a frame for a Multicast stream, it forwards the Multicast frame to all the ports that have registered to receive the Multicast stream using IGMP Join messages.

The device can forward Multicast streams based on one of the following options:
   Multicast MAC Group Address
   IP Multicast Group Address (G)
   A combination of the source IP address (S) and the destination IP Multicast Group Address (G) of the Multicast packet.

One of these options can be configured per VLAN.

The system maintains lists of Multicast groups for each VLAN, and this manages the Multicast information that each port should receive. The Multicast groups and their receiving ports can be configured statically or learned dynamically using IGMP snooping.

Multicast registration is the process of listening and responding to Multicast registration protocols. The available protocols are IGMP for IPv4.

When IGMP snooping is enabled in a device on a VLAN, it analyzes the IGMP packets it receives from the VLAN connected to the device and Multicast routers in the network.

When a device learns that a host is using IGMP messages to register to receive a Multicast stream, optionally from a specific source, the device adds the registration to its Multicast Forwarding Data Base (MFDB).

IGMP snooping can effectively reduce Multicast traffic from streaming bandwidth-intensive IP applications. A device using IGMP snooping only forwards Multicast traffic to the hosts interested in that traffic. This reduction of Multicast traffic reduces the packet processing at the device, and also reduces the workload of the end hosts, since they do not have to receive and filter all of the Multicast traffic generated in the network.

This device supports IGMP v1/v2/v3.

Multicast Address Properties

Each IPv4 Multicast address is in the address range to

To map an IP Multicast group address to a Layer 2 Multicast address for IPv4, take the 23 low-order bits from the IPv4 address, and add them to the 01:00:5e prefix. By standard, the upper nine bits of the IP address are ignored. IP addresses that differ only in the value of the upper nine bits are mapped to the same Layer 2 address because the lower 23 bits are identical. For example, is mapped to a MAC Multicast group address 01:00:5e:01:02:03. Up to 32 IP Multicast group addresses can be mapped to the same Layer 2 address.

Feature Configuration

The Feature Configuration page enables you to configure the Bridge Multicast filtering status. By default, all Multicast frames are flooded to all ports of the VLAN. To selectively forward only to relevant ports and filter (drop) the Multicast on the rest of the ports, enable Bridge Multicast filtering status in the Feature Configuration page.

If filtering is enabled, Multicast frames are forwarded to a subset of the ports in the relevant VLAN as defined in the Multicast Forwarding Data Base. Multicast filtering is enforced on all traffic. By default, such traffic is flooded to all relevant ports, but you can limit forwarding to a smaller subset.

A common way of representing Multicast membership is the (S, G) notation where S is the (single) source sending a Multicast stream of data, and G is the IPv4 group address. If a Multicast client can receive Multicast traffic from any source of a specific Multicast group, this is saved as (*, G).

Ways of forwarding Multicast frames:
   MAC Group Address - Based on the destination MAC address in the Ethernet frame.
      Note - One or more IP Multicast group addresses can be mapped to a MAC group address. Forwarding, based on the MAC group address, can result in an IP Multicast stream being forwarded to ports that have no receiver for the stream.
   IP Group Address - Based on the destination IP address of the IP packet (*, G).
   Source Specific IP Group Address - Based on both the destination IP address and the source IP address of the IP packet (S, G).

By selecting the forwarding mode, you can define the method used by hardware to identify Multicast flow by one of the following options: MAC Group Address, IP Group Address, or Source Specific IP Group Address.

(S, G) is supported by IGMPv3, while IGMPv1/2 support only (*, G), which is just the group ID.

The device supports a maximum of 256 static and dynamic Multicast group addresses.

To enable Multicast filtering, and select the forwarding method:
1. Click Configuration > Multicast > Feature Configuration.
2. Bridge Multicast Filtering - Select to enable filtering of Multicast addresses.
3. VLAN ID - Select the VLAN ID to set its forwarding method.
4. IPv6 Multicast Forwarding - Select one of the following options:
   By MAC Address - Select to enable the MAC address method for forwarding Multicast packets.
   By IPv6 Group Address - Select to enable the IPv6 group address method for forwarding Multicast packets.
   By Source Specific IPv6 Group Address - Select to enable the source-specific IPv6 group address method for forwarding Multicast packets.
5. IPv4 Multicast Forwarding - Select one of the following options:
   By MAC Address - Select to enable the MAC address method for forwarding Multicast packets.
   By IPv4 Group Address - Select to enable the IPv4 group address method for forwarding Multicast packets.
   By Source Specific IPv4 Group Address - Select to enable the source-specific IPv4 group address method for forwarding Multicast packets.
6. Click Apply. The Running Configuration file is updated.
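The 23-bit address mapping and the note on MAC Group Address forwarding combine into a concrete effect: two different IP groups can share one MAC group address, so a port that joined one of them also receives the other. The following added example, not part of the guide, computes the mapping in both directions and compares the MAC Group Address and IP Group Address methods; the group addresses, port names and joins are constructed.

```python
"""IPv4 multicast group to MAC mapping and its aliasing (added example)."""
import ipaddress
from collections import defaultdict

PREFIX = 0x01005E000000  # 01:00:5e, then a zero bit, then 23 group bits
LOW23 = 0x7FFFFF


def group_to_mac(group):
    """Map an IPv4 multicast group to its Layer 2 multicast address."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac = PREFIX | (int(ip) & LOW23)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))


def groups_for_mac(mac):
    """Return the 32 IPv4 groups that share one Layer 2 multicast address."""
    value = int(mac.replace(":", ""), 16)
    if value & ~LOW23 != PREFIX:
        raise ValueError(f"{mac} is not an IPv4 multicast MAC address")
    base = 0xE0000000 | (value & LOW23)   # 1110 + five ignored bits + 23 kept bits
    return [str(ipaddress.IPv4Address(base | (hi << 23))) for hi in range(32)]


def collisions(groups):
    """MAC addresses that are shared by more than one of the given groups."""
    by_mac = defaultdict(list)
    for g in sorted(set(groups), key=ipaddress.IPv4Address):
        by_mac[group_to_mac(g)].append(g)
    return {mac: gs for mac, gs in by_mac.items() if len(gs) > 1}


def receivers(joins, stream, mode):
    """Ports that are sent `stream`, given which groups each port joined.

    mode "ip"  models the IP Group Address method (*, G);
    mode "mac" models the MAC Group Address method.
    """
    if mode == "ip":
        return sorted(p for p, groups in joins.items() if stream in groups)
    if mode == "mac":
        target = group_to_mac(stream)
        return sorted(p for p, groups in joins.items()
                      if any(group_to_mac(g) == target for g in groups))
    raise ValueError(f"unknown mode {mode!r}")


# Constructed joins on one VLAN: port -> groups joined through IGMP.
JOINS = {
    "gi1": {"239.1.1.10"},
    "gi2": {"239.129.1.10"},
    "gi3": {"239.2.2.2"},
}

if __name__ == "__main__":
    print(group_to_mac("224.1.2.3"))
    print(collisions(g for groups in JOINS.values() for g in groups))
    print("ip :", receivers(JOINS, "239.1.1.10", "ip"))
    print("mac:", receivers(JOINS, "239.1.1.10", "mac"))
```

Running `collisions` over a planned group allocation before choosing the MAC Group Address method shows which streams would reach ports that did not ask for them.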

IGMP Snooping

To enable IGMP Snooping and identify the device as an IGMP Snooping Querier on a VLAN:
1. Click Configuration > Multicast > IGMP Snooping.
2. Enable IGMP Snooping. When IGMP Snooping is enabled globally, the device monitoring network traffic can determine which hosts have requested to receive Multicast traffic. The device only performs IGMP Snooping if both IGMP snooping and Bridge Multicast filtering are enabled.
3. Select a VLAN, and click Edit.
4. Enter the parameters:
   VLAN ID - Select the VLAN ID on which IGMP snooping is defined.
   IGMP Snooping Status - Enable or disable the monitoring of network traffic for the selected VLAN.
   Auto Learn MRouter Ports - Select to enable auto learning of the ports to which the Mrouter is connected.
   Immediate Leave - Select to enable Immediate Leave to decrease the time it takes to block a Multicast stream sent to a member port when an IGMP Group Leave message is received on that port.
   IGMP Querier - Select to enable the IGMP Querier.
   IGMP Querier Version - Select the IGMP version used if the device becomes the elected querier. Select IGMPv3 if there are switches and/or Multicast routers in the VLAN that perform source-specific IP Multicast forwarding.

   Querier Source IP Address - Select the source IP address of the IGMP Querier. The following options are available:
      Auto - The system decides whether to use the IP address of the VLAN or the management IP address.
      User Defined - This can be the IP address of the VLAN or it can be the management IP address.
5. Click Apply. The Running Configuration file is updated.

MLD Snooping

To enable MLD Snooping and configure it on a VLAN:
1. Click Configuration > Multicast > MLD Snooping. When MLD Snooping is globally enabled, the device monitoring network traffic can determine which hosts have requested to receive Multicast traffic. The device performs MLD Snooping only if both MLD snooping and Bridge Multicast filtering are enabled.
2. Enable MLD Snooping.
3. Choose a VLAN ID.
4. Click Edit.
5. Enable or disable the following features for the selected VLAN:
   VLAN ID - Select a VLAN on which to configure MLD Snooping.
   MLD Snooping Status - Select to enable MLD snooping globally on all interfaces.
   Auto-Learn MRouter Ports - Select to enable Auto Learn of the Multicast router.

   Immediate Leave - Select to enable the switch to remove an interface that sends a leave message from the forwarding table without first sending out MAC-based general queries to the interface. When an MLD Leave Group message is received from a host, the system removes the host port from the table entry. After it relays the MLD queries from the Multicast router, it deletes entries periodically if it does not receive any MLD membership reports from the Multicast clients. When enabled, this feature reduces the time it takes to block unnecessary MLD traffic sent to a device port.
6. Click Apply. The Running Configuration file is updated.

Multicast Router Ports

A Multicast router (Mrouter) port is a port that connects to a Multicast router. The device includes the Multicast router port(s) numbers when it forwards the Multicast streams and IGMP registration messages. This is required so that the Multicast routers can, in turn, forward the Multicast streams and propagate the registration messages to other subnets.

To statically configure or see dynamically-detected ports connected to the Multicast router:
1. Click Configuration > Multicast > Multicast Router Ports.
2. Enter some or all of the following query filter criteria:
   VLAN ID - Select the VLAN ID for the router ports that are described.
   IP Version - Select IPv4 or IPv6.
   Interface Type - Select whether to display ports or LAGs.

3. Click Search. The interfaces matching the query criteria are displayed. For each port or LAG, select its association type.
   Static - The port is statically configured as a Multicast router port.
   Dynamic (Display only) - The port is dynamically configured as a Multicast router port by an IGMP query. To enable the dynamic learning of Multicast router ports, go to the IGMP Snooping page.
   Forbidden - This port is not to be configured as a Multicast router port, even if IGMP queries are received on this port. If Forbidden is enabled on a port, Mrouter is not learned on this port (i.e. MRouter Ports Auto-Learn is not enabled on this port).
   None - The port is not currently a Multicast router port.
4. Click Apply to update the device.

Forward All

The Forward All page enables and displays the configuration of the ports and/or LAGs that are to receive Multicast streams from a specific VLAN. This feature requires that Bridge Multicast filtering in the Feature Configuration page be enabled. If it is disabled, then all Multicast traffic is flooded to ports in the device.

You can statically (manually) configure a port to Forward All, if the devices connecting to the port do not support IGMP. IGMP messages are not forwarded to ports defined as Forward All.

Note - The configuration affects only the ports that are members of the selected VLAN.

To define Forward All Multicast:

1. Click Configuration > Multicast > Forward All.
Define the following:
2. VLAN ID - The VLAN ID for which the ports/LAGs are to be displayed.
3. Interface Type - Define whether to display ports or LAGs.
4. Click Search. The status of all ports/LAGs is displayed.
5. Define how each port/LAG handles Multicast streams.
   Static - The port receives all Multicast streams.
   Forbidden - Ports cannot receive any Multicast streams, even if IGMP snooping designated the port to join a Multicast group.
   None - The port is not currently a Forward All port.
6. Click Apply. The Running Configuration file is updated.

Unregistered Multicast

Multicast frames are generally forwarded to all ports in the VLAN. If IGMP Snooping is enabled, the device learns about the existence of Multicast groups, and monitors which ports have joined which Multicast group. Multicast groups can also be statically configured. Multicast groups that were either dynamically learned or statically configured are considered registered. The device forwards Multicast frames (from a registered Multicast group) only to ports that are registered to that Multicast group.

The Unregistered Multicast page enables handling Multicast frames that belong to groups that are not known to the device (unregistered Multicast groups). Unregistered Multicast frames are usually forwarded to all ports on the VLAN.

You can select a port to receive or filter unregistered Multicast streams. The configuration is valid for any VLAN of which it is a member (or will be a member). This feature ensures that the customer receives only the Multicast groups requested and not others that may be transmitted in the network.

To define unregistered Multicast settings:

1. Click Configuration > Multicast > Unregistered Multicast.
2. Define the following:
   Interface Type - Define whether to display ports or LAGs.
   Interface Settings - Displays the forwarding status of the selected interface. The possible values are as follows:
      Forwarding - Enables forwarding of unregistered Multicast frames to the selected interface.
      Filtering - Enables filtering (rejecting) of unregistered Multicast frames to the selected interface.
3. Click Apply. The settings are saved, and the Running Configuration file is updated.

IGMP/MLD IP Group Addresses

The IGMP IP Group Addresses page displays the IPv4 group address learned from IGMP messages. There might be a difference between information on this page and, for example, information displayed in the MAC Group Address FDB page. Assuming that the system is in MAC-based groups and a port that requested to join the following Multicast groups and , both are mapped to the same MAC Multicast address 01:00:5e:01:01:01. In this case, there is a single entry in the MAC Group Address FDB page, but two entries on this page.

To query for an IP Multicast group:

1. Click Configuration > Multicast > IGMP IP Group Addresses.
2. Enter some or all of the following query filter criteria:
   VLAN ID - Defines the VLAN ID to query.
   IP Group Address - Defines the Multicast group MAC address or IP address to query.
   Source IP Address - Defines the sender address to query.
3. Click Search. The following fields are displayed for each Multicast group:
   Dynamic IP Group Type
   VLAN ID - The VLAN ID.
   IP Group Address - The Multicast group MAC address or IP address.
   Source IP Address - The sender address for all of the specified group ports.
   Included Ports - The list of destination ports for the Multicast stream.

   Excluded Ports - The list of ports not included in the group.
   Compatibility Mode - The oldest IGMP version of registration from the hosts the device receives on the IP group address.

MAC Group Address FDB

The device supports forwarding incoming Multicast traffic based on the Multicast group information. This information is derived from the IGMP packets received or as the result of manual configuration, and it is stored in the Multicast Forwarding Database (MFDB). When a frame is received from a VLAN that is configured to forward Multicast streams, based on MAC group addresses, and its destination address is a Layer 2 Multicast address, the frame is forwarded to all ports that are members of the MAC group address.

The MAC Group Address FDB page has the following functions:

- Query and view information from the MFDB, relating to a specific VLAN ID or a specific MAC address group. This data is acquired either dynamically through IGMP snooping or statically by manual entry.
- Add or delete static entries to the MFDB that provide static forwarding information, based on MAC destination addresses.
- Display a list of all ports/LAGs that are a member of each VLAN ID and MAC address group, and enter whether traffic is forwarded to it or not.
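The difference between the IP group view and the MAC Group Address FDB view described above can be reproduced offline. The following is an added example, not part of the original guide: it applies the standard IPv4 and IPv6 multicast-to-MAC mappings and shows which joins collapse into one MAC-based entry. The group addresses, VLAN IDs and function names are constructed for illustration.

```python
"""Map IP multicast groups to the MAC group address used by a MAC-based FDB."""
import ipaddress
from collections import defaultdict


def multicast_mac(group: str) -> str:
    """Return the Ethernet multicast MAC for an IPv4 or IPv6 multicast group.

    IPv4 (RFC 1112): 01:00:5e followed by the low 23 bits of the group address.
    IPv6 (RFC 2464): 33:33 followed by the low 32 bits of the group address.
    """
    addr = ipaddress.ip_address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    if addr.version == 4:
        low23 = int(addr) & 0x7FFFFF
        octets = [0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF]
    else:
        octets = [0x33, 0x33] + list((int(addr) & 0xFFFFFFFF).to_bytes(4, "big"))
    return ":".join(f"{o:02x}" for o in octets)


def ipv4_aliases(group: str) -> list:
    """All 32 IPv4 groups that share one MAC group address with `group`.

    Five bits of the group address (between the 1110 prefix and the low
    23 bits) are not carried into the MAC, so 2**5 groups alias.
    """
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23))
            for hi in range(32)]


def fdb_view(joins):
    """Collapse (vlan, group_ip) joins into MAC-based entries.

    Returns {(vlan, mac): [group_ip, ...]}, one key per MAC-based FDB entry.
    """
    table = defaultdict(set)
    for vlan, group in joins:
        table[(vlan, multicast_mac(group))].add(group)
    return {key: sorted(groups) for key, groups in table.items()}


def aliased_entries(joins):
    """Entries where more than one IP group is forwarded by a single MAC entry."""
    return {key: groups for key, groups in fdb_view(joins).items() if len(groups) > 1}


# Constructed sample: four joins as the IP group view would list them.
SAMPLE_JOINS = [
    (10, "224.1.1.1"),
    (10, "225.1.1.1"),   # same low 23 bits as 224.1.1.1
    (10, "239.5.5.5"),
    (20, "224.1.1.1"),   # same group, different VLAN: separate entry
]

if __name__ == "__main__":
    for (vlan, mac), groups in fdb_view(SAMPLE_JOINS).items():
        print(f"VLAN {vlan} {mac} <- {', '.join(groups)}")
    print("aliased:", aliased_entries(SAMPLE_JOINS))
```

In MAC-based mode a port that is a member of an aliased entry receives frames for every group behind that MAC address, which is worth checking before relying on group membership to separate streams.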

To define and view MAC Multicast groups:

1. Click Configuration > Multicast > MAC Group Address FDB.
2. Enter the parameters.
   VLAN ID - Enter the VLAN ID of the group to be displayed.
   MAC Group Address - Set the MAC address of the Multicast group to be displayed. If no MAC Group Address is specified, the page contains all the MAC Group Addresses from the selected VLAN.
3. Click Search, and the MAC Multicast group addresses are displayed in the lower block. Entries that were created both in this page and in the IP Group Address FDB page are displayed. For those created in the IP Group Address FDB page, the IP addresses are converted to MAC addresses.
4. Click Add to add a static MAC Group Address.
5. Enter the parameters.
   VLAN ID - Defines the VLAN ID of the new Multicast group.
   MAC Group Address - Defines the MAC address of the new Multicast group.
6. Click Apply. The MAC Multicast group is saved to the Running Configuration file.

To configure and display the registration for the interfaces within the group, select an address, and click Membership. The MAC Group Address FDB page opens. Enter the following:
   VLAN ID - The VLAN ID of the Multicast group.
   MAC Group Address - The MAC address of the group.
   Interface Type - Port or LAG.
7. Click Search to display the port or LAG membership.
8. Select the way that each interface is associated with the Multicast group:
   Static - Attaches the interface to the Multicast group as a static member.
   Dynamic - Indicates that the interface was added to the Multicast group as a result of IGMP snooping.
   Forbidden - Specifies that this port is not allowed to join this group on this VLAN.
   Excluded - Specifies that the port is not currently a member of this Multicast group on this VLAN.
9. Click Apply, and the Running Configuration file is updated.

Note: Entries that were created in the IP Group Address FDB page cannot be deleted in this page (even if they are selected).

IP Group Address FDB

The IP Group Address FDB page enables querying and adding IP Multicast groups contained in the IP Multicast Groups Forwarding Data Base.

To define and view IP Multicast groups:

1. Click Configuration > Multicast > IP Group Address FDB. The page contains all of the IP Multicast group addresses learned by snooping.
2. Enter the parameters required for filtering.
   VLAN ID - Enter the VLAN ID of the group to be displayed.
   IP Group Address - Define the IP address of the Multicast group to be displayed. This is only relevant when the Forwarding Mode is (S, G).
   Source IP Address - Define the source IP address of the sending device. If mode is (S, G), enter the sender S. This together with the IP group address is the Multicast group ID (S,G) to be displayed. If mode is (*, G), enter an * to indicate that the Multicast group is only defined by destination.
3. Click Search. The results are displayed in the lower block.
4. Click Add to add a static IP Multicast group address.
5. Enter the parameters.
   VLAN ID - Defines the VLAN ID of the group to be added.
   IP Group Address - Define the IP address of the new Multicast group.
   Group Address Settings
   Source Specific IP Multicast - Select to indicate that the entry contains a specific source, and adds the address in the IP Source Address field. If not, the entry is added as a (*,G) entry, an IP group address from any IP source.
   Source IP Address - Enter the source address to be included.

6. Click Apply. The IP Multicast group is added, and the device is updated.

To configure and display the registration of an IP group address, select an address and click Membership. The VLAN ID, IP Version, IP Multicast group address, and Source IP address selected are displayed as read-only in the top of the window. You can select whether to display ports or LAGs.

7. For each interface, select its association type.
   Static - Attaches the interface to the Multicast group as a static member.
   Dynamic - Indicates that the interface was added to the Multicast group as a result of IGMP snooping.
   Forbidden - Specifies that this port is forbidden from joining this group on this VLAN.
   Excluded - Indicates that the port is not currently a member of this Multicast group on this VLAN. This is selected by default until Static or Forbidden is selected.
8. Click Apply. The Running Configuration file is updated.

Chapter 10 - IP Interface

IPv4

Layer 2 IP Addressing

The device has one IPv4 address and up to two IPv6 interfaces in the management VLAN. This IP address and the default gateway can be configured manually, or by DHCP. The static IP address and default gateway are configured on the IPv4 Interface page. The device uses the default gateway, if configured, to communicate with devices that are not in the same IP subnet as the device. By default, VLAN 1 is the management VLAN, but this can be modified. The device can only be reached at the configured IP address through its management VLAN.

The factory default setting of the IPv4 address configuration is DHCPv4. This means that the device acts as a DHCPv4 client, and sends out a DHCPv4 request during boot up. If the device receives a DHCPv4 response from the DHCPv4 server with an IPv4 address, it sends Address Resolution Protocol (ARP) packets to confirm that the IP address is unique. If the ARP response shows that the IPv4 address is in use, the device sends a DHCPDECLINE message to the offering DHCP server, and sends another DHCPDISCOVER packet that restarts the process. If the device does not receive a DHCPv4 response in 60 seconds, it continues to send DHCPDISCOVER queries, and adopts the default IPv4 address: /24.

IP address collisions occur when the same IP address is used in the same IP subnet by more than one device. Address collisions require administrative actions on the DHCP server and/or the devices that collide with the device. When a VLAN is configured to use dynamic IP addresses, the device issues DHCPv4 requests until it is assigned an IPv4 address from a DHCPv4 server. The management VLAN can be configured with a static or dynamic IP address.

The IP address assignment rules for the device:

- Unless the device is configured with a static IPv4 address, it issues DHCPv4 queries until a response is received from a DHCPv4 server.
- If the IP address on the device is changed, the device issues gratuitous ARP packets to the corresponding VLAN to check IP address collisions. This rule also applies when the device reverts to the default IP address.
- The system status LED changes to solid blue when a new unique IP address is received from the DHCP server. If a static IP address has been set, the system status LED also changes to solid blue. The LED flashes when the device is acquiring an IP address and is currently using the factory default IP address.
- The same rules apply when a client must renew the lease, prior to its expiration date through a DHCPREQUEST message.

- With factory default settings, when no statically defined or DHCP-acquired IP address is available, the default IP address is used. When the other IP addresses become available, the addresses are automatically used. The default IP address is always on the management VLAN.

IPv4 Interface

To manage the device by using the web-based configuration utility, the IPv4 device management IP address must be defined and known. The device IP address can be manually configured or automatically received from a DHCP server.

To configure the IPv4 device IP address:

1. Click Configuration > IP Interface > IPv4 > IPv4 Interface.
2. Enter values for the following fields:
   Management VLAN - Select the Management VLAN used to access the device through telnet or the Web GUI. VLAN1 is the default Management VLAN.
   IP Address Type - Select one of the following options:
      Dynamic (DHCP) - Discover the IP address using DHCP from the management VLAN.
      Static IP Address - Manually define a static IP address.
   Note: DHCP Option 12 (Host Name option) is supported when the device is a DHCP client. If DHCP Option 12 is received from a DHCP server, it is saved as the server's host name. DHCP option 12 will not be requested by the device. The DHCP server must be configured to send option 12, regardless of what is requested in order to make use of this feature.
   Dynamic IP Address - Select to renew the DHCP-supplied IP address.
   IP Address - Enter the IP address, and configure one of the following Mask fields:
   IP Subnet Mask - Configure one of the following Mask fields:

      SubNet Mask - Select and enter the IP address mask.
      Prefix Length - Select and enter the length of the IPv4 address prefix.
   User Defined Default Gateway - Select User Defined and enter the default gateway IP address.
   Default Gateway - Displays the current default gateway status.
   Note: If the device is not configured with a default gateway, it cannot communicate with other devices that are not in the same IP subnet.
3. Click Apply. The IPv4 interface settings are written to the Running Configuration file.

ARP

The device maintains an ARP (Address Resolution Protocol) table for all known devices that reside in the IP subnets directly connected to it. A directly-connected IP subnet is the subnet to which an IPv4 interface of the device is connected. When the device is required to send/route a packet to a local device, it searches the ARP table to obtain the MAC address of the device. The ARP table contains dynamic addresses. The device creates dynamic addresses from the ARP packets it receives. Dynamic addresses age out after a configured time.

To view the ARP tables:

1. Click Configuration > IP Interface > IPv4 > ARP.
2. Enter ARP Entry Aging Time ( ) - Enter the number of seconds that dynamic addresses can remain in the ARP table. A dynamic address ages out after the time it is in the table exceeds the ARP Entry Age Out time. When a dynamic address ages out, it is deleted from the table, and only returns when it is relearned.
3. Click Apply. The ARP global settings are written to the Running Configuration file.

The ARP table displays the following fields:
   IP Interface - The IPv4 Interface of the directly-connected IP subnet where the IP device resides.
   IP Address - The IP address of the IP device.
   MAC Address - The MAC address of the IP device.
   Status - Whether the entry was manually entered (static) or dynamically learned.

To add a static ARP entry:

1. Click Add.
2. Enter the parameters:
   Interface - An IPv4 interface can be configured on a port, LAG or VLAN. Select the desired interface from the list of configured IPv4 interfaces on the device.
   IP Address - Enter the IP address of the local device.
   MAC Address - Enter the MAC address of the local device.
3. Click Apply. The ARP entry is saved to the Running Configuration file.

IPv6

The Internet Protocol version 6 (IPv6) is a network-layer protocol for packet-switched internetworks. IPv6 was designed to replace IPv4, the predominantly deployed Internet protocol. IPv6 introduces greater flexibility in assigning IP addresses because the address size increases from 32-bit to 128-bit addresses. IPv6 addresses are written as eight groups of four hexadecimal digits, for example FE80:0000:0000:0000:0000:9C00:876A:130B. The abbreviated form, in which a group of zeroes can be left out, and replaced with :: is also acceptable, for example, FE80::9C00:876A:130B.

IPv6 nodes require an intermediary mapping mechanism to communicate with other IPv6 nodes over an IPv4-only network. This mechanism, called a tunnel, enables IPv6-only hosts to reach IPv4 services, and enables isolated IPv6 hosts and networks to reach an IPv6 node over the IPv4 infrastructure. The device detects IPv6 frames by the IPv6 Ethertype.

IPv6 Interface

An IPv6 interface can be configured on a port, LAG, or VLAN.

To define an IPv6 interface:

1. Click Configuration > IP Interface > IPv6 > IPv6 Interface.
2. Click Add to add a new interface on which interface IPv6 is enabled.
3. Enter the fields:
   IPv6 Interface - Select a specific port, LAG, or VLAN for the IPv6 address.
   Number of DAD Attempts - Enter the number of consecutive neighbor solicitation messages that are sent while Duplicate Address Detection (DAD) is performed on the interface's Unicast IPv6 addresses. DAD verifies the uniqueness of a new Unicast IPv6 address before it is assigned. New addresses remain in a tentative state during DAD verification. Entering 0 in this field disables duplicate address detection processing on the specified interface. Entering 1 in this field indicates a single transmission without follow-up transmissions.
   IPv6 Address Auto Configuration - Select to enable automatic address configuration from router advertisements sent by neighbors.
   Note: The device does not support stateful address autoconfiguration from a DHCPv6 server.
4. Send ICMPv6 Messages - Select to enable generating unreachable destination messages.
5. Click Apply to enable IPv6 processing on the selected interface.

Regular IPv6 interfaces have the following addresses automatically configured:

- Link local address using EUI-64 format interface ID based on a device's MAC address

- All link local Multicast addresses (FF02::1)
- Solicited-Node Multicast address (format FF02::1:FFXX:XXXX)

IPv6 Interface Addresses

To assign an IPv6 address to an IPv6 Interface:

1. Click Configuration > IP Interface > IPv6 > IPv6 Interface Addresses.
2. To filter the table, select an interface name, and click Search. The interface appears in the IPv6 Address Table.
3. Click Add.
4. Enter values for the fields.
   IPv6 Interface - Displays the interface on which the IPv6 address is to be defined. If an * is displayed, the IPv6 interface is not enabled but has been configured.
   IPv6 Address Type - Select the type of the IPv6 address to add.
      Link Local - An IPv6 address that uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
      Global - An IPv6 address that is a global Unicast IPv6 type that is visible and reachable from other networks.
   IPv6 Address - In Layer 2, the device supports a single IPv6 interface. In addition to the default link local and Multicast addresses, the device also automatically adds global addresses to the interface based on the router advertisements it receives. The device supports a maximum of 128 addresses at the interface. Each address must be a valid IPv6 address that is specified in hexadecimal format by using 16-bit values separated by colons.

   Prefix Length - The length of the Global IPv6 prefix is a value from indicating the number of the high-order contiguous bits of the address that comprise the prefix (the network portion of the address).
   EUI-64 - Select to use the EUI-64 parameter to identify the interface ID portion of the Global IPv6 address on a device MAC address.
5. Click Apply. The Running Configuration file is updated.

IPv6 Default Routers

The IPv6 Default Routers page enables configuring and viewing the default IPv6 router addresses. This list contains the routers that are candidates to become the device default router for non-local traffic (it may be empty). The device randomly selects a router from the list. The device supports one static IPv6 default router. Dynamic default routers are routers that have sent router advertisements to the device IPv6 interface.

When adding or deleting IP addresses, the following events occur:

- When removing an IP interface, all the default router IP addresses are removed. Dynamic IP addresses cannot be removed.
- An alert message appears after an attempt is made to insert more than a single user-defined address.
- An alert message appears when attempting to insert a non-link local type address, meaning fe80:.

To define a default router:

1. Click Configuration > IP Interface > IPv6 > Default Routers.
   Default Router IPv6 Address - Link local IP address of the default router.
   IPv6 Interface - Outgoing IPv6 interface where the default router resides.
   State - Whether route is reachable or unreachable.

   Type - The default router configuration that includes the following options:
      Static - The default router was manually added to this table through the Add button.
      Dynamic - The default router was dynamically configured.
2. Click Add to add a static default router.
3. Enter the following fields:
   IPv6 Interface - Displays the outgoing Link Local interface.
   Default Router IPv6 Address - The IP address of the default router.
4. Click Apply. The default router is saved to the Running Configuration file.

IPv6 Routes

The IPv6 Forwarding Table contains the various routes that have been configured. One of these routes is a default route (IPv6 address:0) that uses the default router selected from the IPv6 Default Router List to send packets to destination devices that are not in the same IPv6 subnet as the device. In addition to the default route, the table also contains dynamic routes that are ICMP redirect routes received from IPv6 routers by using ICMP redirect messages. This could happen when the default router the device uses is not the router for traffic to the IPv6 subnets with which the device wants to communicate.

To view IPv6 routes:

1. Click Configuration > IP Interface > IPv6 > IPv6 Routes. This page displays the following fields:
   IPv6 Subnet Address - The IPv6 subnet address.
   Prefix Length - IP route prefix length for the destination IPv6 subnet address. It is preceded by a forward slash.
   IPv6 Interface - Interface used to forward the packet.

   Next Hop Router IPv6 Address - Address where the packet is forwarded. Typically, this is the address of a neighboring router. It can be one of the following types.
      Link Local - An IPv6 interface and IPv6 address that uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
      Global - An IPv6 address that is a global Unicast IPv6 type that is visible and reachable from other networks.
      Point-to-Point - A Point-to-point tunnel.
   Metric - Value used for comparing this route to other routes with the same destination in the IPv6 router table. All default routes have the same value.
   Lifetime - Time period during which the packet can be sent, and resent, before being deleted.
   Route Type - How the destination is attached, and the method used to obtain the entry. The following values are:
      Local - A directly-connected network whose prefix is derived from a manually-configured device's IPv6 address.
      Dynamic - The destination is an indirectly-attached (remote) IPv6 subnet address. The entry was obtained dynamically via the ND or ICMP protocol.

IPv6 Neighbors

The IPv6 Neighbors page enables configuring and viewing the list of IPv6 neighbors on the IPv6 interface. The IPv6 Neighbor Table (also known as IPv6 Neighbor Discovery Cache) displays the MAC addresses of the IPv6 neighbors that are in the same IPv6 subnet as the device. This is the IPv6 equivalent of the IPv4 ARP Table. When the device needs to communicate with its neighbors, the device uses the IPv6 Neighbor Table to determine the MAC addresses based on their IPv6 addresses.

This page displays the neighbors that were automatically detected. Each entry displays to which interface the neighbor is connected, the neighbor's IPv6 and MAC addresses, the entry type, and the state of the neighbor.

To define IPv6 neighbors:

Click Configuration > IP Interface > IPv6 > IPv6 Neighbors. The following fields are displayed for the neighboring interfaces:
   IPv6 Interface - Neighboring IPv6 interface type.
   IPv6 Address - IPv6 address of a neighbor.
   MAC Address - MAC address mapped to the specified IPv6 address.
   Type - Neighbor discovery cache information entry type.
   State - Specifies the IPv6 neighbor status. The values are:
      Incomplete - Address resolution is working. The neighbor has not yet responded.
      Reachable - Neighbor is known to be reachable.
      Stale - Previously-known neighbor is unreachable. No action is taken to verify its reachability until traffic must be sent.
      Delay - Previously-known neighbor is unreachable. The interface is in Delay state for a predefined Delay Time. If no reachability confirmation is received, the state changes to Probe.
      Probe - Neighbor is no longer known to be reachable, and Unicast Neighbor Solicitation probes are being sent to verify the reachability.
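The automatically configured addresses listed under IPv6 Interface (EUI-64 link local, Solicited-Node Multicast) can be derived from a MAC address, and the same relationship gives a quick consistency check on an exported IPv6 Neighbor Table. This is an added example, not part of the original guide; the MAC addresses, the neighbor rows and the function names are constructed, and a mismatch is only a hint to look closer because hosts may use non-EUI-64 interface IDs.

```python
"""Derive EUI-64 link-local and solicited-node addresses; audit neighbor rows."""
import ipaddress


def _mac_bytes(mac: str) -> bytes:
    raw = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def link_local_eui64(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 prefix plus the modified EUI-64 interface ID (RFC 4291, Appendix A)."""
    raw = _mac_bytes(mac)
    # Flip the universal/local bit of the first octet, insert FF:FE in the middle.
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return ipaddress.IPv6Address((0xFE80 << 112) | int.from_bytes(iid, "big"))


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def embedded_mac(addr: str):
    """MAC embedded in an EUI-64 interface ID, or None if the ID is not EUI-64."""
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


def audit_neighbors(rows):
    """Return (ipv6, table_mac, embedded_mac) for rows whose EUI-64 address
    embeds a MAC different from the MAC the neighbor table maps it to."""
    findings = []
    for ipv6, mac in rows:
        derived = embedded_mac(ipv6)
        table_mac = ":".join(f"{b:02x}" for b in _mac_bytes(mac))
        if derived is not None and derived != table_mac:
            findings.append((ipv6, table_mac, derived))
    return findings


# Constructed neighbor rows: (IPv6 Address, MAC Address).
SAMPLE_NEIGHBORS = [
    ("fe80::21a:2bff:fe3c:4d5e", "00:1A:2B:3C:4D:5E"),  # consistent EUI-64
    ("fe80::9c00:876a:130b", "00:1a:2b:00:00:01"),      # not EUI-64, skipped
    ("fe80::21a:2bff:fe3c:4d5f", "00:1a:2b:99:99:99"),  # embedded MAC differs
]

if __name__ == "__main__":
    ll = link_local_eui64("00:1a:2b:3c:4d:5e")
    print("link local     :", ll)
    print("solicited node :", solicited_node(str(ll)))
    for row in audit_neighbors(SAMPLE_NEIGHBORS):
        print("check entry    :", row)
```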

Chapter 11 - IP Network Operations

Domain Name System

The Domain Name System (DNS) translates domain names into IP addresses for the purpose of locating and addressing hosts. As a DNS client, this device resolves domain names to IP addresses through the use of one or more configured DNS servers.

DNS

Use the DNS page to enable the DNS feature, configure the DNS servers and set the default domain used by the device.

1. Click Configuration > IP Network Operations > Domain Name System > DNS.
2. Enter the following fields:
   DNS - Select to designate the device as a DNS client, which can resolve DNS names into IP addresses through one or more configured DNS servers.
   Default Domain Name - Enter the DNS domain name used to complete unqualified host names. The device appends this to all non-fully qualified domain names (NFQDNs) turning them into FQDNs.

The following fields are displayed for each configured DNS server:
   DNS Server IP Address - IP address of the DNS server.
   DNS Server State - Whether DNS server is Active or Inactive.
   IP Interface - Interface connected to DNS server.
   Preference - Each server has a preference value; a lower value means a higher chance of being used.
   Configuration Source - Source of the server's IP address (static or DHCPv4 or DHCPv6).

Up to eight DNS servers can be defined.

To add a DNS server:

1. Click Add.
2. Enter the parameters.
   IP Version - Select IPv6 or IPv4.
   IPv6 Address Type - Select the IPv6 address type (if IPv6 is used).
      Global - The IPv6 address is a global Unicast IPv6 type that is visible and reachable from other networks.
      Link Local - The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
   Interface - If the IPv6 address type is Link Local, select the interface through which it is received.
   DNS Server IP Address - Enter the DNS server IP address.
   Preference - Select a value that determines the order in which the domains are used (from low to high). This effectively determines the order in which unqualified names are completed during DNS queries.
3. Click Apply. The DNS server is saved to the Running Configuration file.

DHCP

DHCP snooping provides a security mechanism to prevent receiving false DHCP response packets and to log DHCP addresses. It does this by treating ports on the device as either trusted or untrusted. A trusted port is a port that is connected to a DHCP server and is allowed to assign DHCP addresses. DHCP messages received on trusted ports are allowed to pass through the device. An untrusted port is a port that is not allowed to assign DHCP addresses. By default, all ports are considered untrusted until you declare them trusted in the Interface Settings page.

Option 82

Option 82 (DHCP Relay Agent Information Option) passes port and agent information to a central DHCP server, indicating where an assigned IP address physically connects to the network. The main goal of option 82 is to help the DHCP server select the best IP subnet (network pool) from which to obtain an IP address. The following Option 82 options are available on the device:

- DHCP Insertion - Add Option 82 information to packets that do not have foreign Option 82 information.
- DHCP Passthrough - Forward or reject DHCP packets that contain Option 82 information from untrusted ports. On trusted ports, DHCP packets containing Option 82 information are always forwarded.

DHCP Snooping Binding Database

DHCP Snooping builds a database (known as the DHCP Snooping Binding database) derived from information taken from DHCP packets entering the device through trusted ports. The DHCP Snooping Binding database contains the following data: input port, input VLAN, MAC address of the client, and IP address of the client if it exists. The DHCP Snooping Binding database is also used by IP Source Guard and Dynamic ARP Inspection features to determine legitimate packet sources.

DHCP Trusted Ports

Ports can be either DHCP trusted or untrusted. By default, all ports are untrusted. To set a port as trusted, use the DHCP Snooping Trusted Interface page. Packets from these ports are automatically forwarded. Packets from trusted ports are used to create the Binding database and are handled as described below. If DHCP Snooping is not enabled, all ports are trusted by default.

How the DHCP Snooping Binding Database is Built

The following describes how the device handles DHCP packets when both the DHCP client and DHCP server are trusted. The DHCP Snooping Binding database is built in this process.

DHCP Trusted Packet Handling

1. Device sends DHCPDISCOVER to request an IP address or DHCPREQUEST to accept an IP address and lease.
2. Device snoops packet and adds the IP-MAC information to the DHCP Snooping Binding database.
3. Device forwards DHCPDISCOVER or DHCPREQUEST packets.

4. DHCP server sends DHCPOFFER packet to offer an IP address, DHCPACK to assign one, or DHCPNAK to deny the address request.
5. Device snoops packet. If an entry exists in the DHCP Snooping Binding table that matches the packet, the device replaces it with IP-MAC binding on receipt of DHCPACK.
6. Device forwards DHCPOFFER, DHCPACK, or DHCPNAK.

The following summarizes how DHCP packets are handled from both trusted and untrusted ports. The DHCP Snooping Binding database is stored in non-volatile memory.

DHCP Snooping Packet Handling

| Packet Type | Arriving from Untrusted Ingress Interface | Arriving from Trusted Ingress Interface |
|---|---|---|
| DHCPDISCOVER | Forward to trusted interfaces only. | Forwarded to trusted interfaces only. |
| DHCPOFFER | Filter. | Forward the packet according to DHCP information. If the destination address is unknown the packet is filtered. |
| DHCPREQUEST | Forward to trusted interfaces only. | Forward to trusted interfaces only. |
| DHCPACK | Filter. | Same as DHCPOFFER and an entry is added to the DHCP Snooping Binding database. |
| DHCPNAK | Filter. | Same as DHCPOFFER. Remove entry if exists. |
| DHCPDECLINE | Check if there is information in the database. If the information exists and does not match the interface on which the message was received, the packet is filtered. Otherwise, the packet is forwarded to trusted interfaces only, and the entry is removed from database. | Forward to trusted interfaces only. |
| DHCPRELEASE | Same as DHCPDECLINE. | Same as DHCPDECLINE. |
| DHCPINFORM | Forward to trusted interfaces only. | Forward to trusted interfaces only. |
| DHCPLEASEQUERY | Filtered. | Forward. |

DHCP Snooping

In Layer 2, DHCP Snooping can only be enabled on VLANs with IP addresses.

To globally configure DHCP Snooping/Relay:

1. Click Configuration > IP Network Operations > DHCP > DHCP Snooping.
2. To enable DHCP Snooping enter the following fields:
   DHCP Snooping - Select to enable DHCP Snooping.
   Option 82 Passthrough - Select to leave foreign Option 82 information when forwarding packets.
   Verify MAC Address - Select to verify that the source MAC address of the Layer 2 header matches the client hardware address as appears in the DHCP Header (part of the payload) on DHCP untrusted ports.
   Backup Database - Select to back up the DHCP Snooping Binding database on the device's flash memory.
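The DHCP Snooping Packet Handling table and the Verify MAC Address option described above can be expressed as a small decision model, useful for reasoning about which ports must be trusted before enabling the feature. This is an added example, not part of the original guide and not the switch firmware; port names, MAC and IP addresses are constructed, and two points are modelling assumptions: a reply's destination counts as known once the client has been seen on a port, and unlisted message types are filtered.

```python
"""Model of the DHCP Snooping packet-handling table (illustration only)."""
from dataclasses import dataclass
from typing import Optional

FILTER, TO_TRUSTED, TO_CLIENT, FORWARD = (
    "filter", "forward-to-trusted", "forward-to-client", "forward")
CLIENT_MSGS = {"DHCPDISCOVER", "DHCPREQUEST", "DHCPINFORM"}
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}
RELEASING = {"DHCPDECLINE", "DHCPRELEASE"}


@dataclass(frozen=True)
class Packet:
    msg: str                  # DHCP message type
    port: str                 # ingress interface
    vlan: int
    src_mac: str              # source MAC in the Layer 2 header
    chaddr: str               # client hardware address in the DHCP header
    ip: Optional[str] = None  # address offered or assigned, when present


class Snooper:
    def __init__(self, trusted_ports, verify_mac=True):
        self.trusted = set(trusted_ports)
        self.verify_mac = verify_mac
        self.client_port = {}  # (vlan, client MAC) -> port the client was seen on
        self.bindings = {}     # (vlan, client MAC) -> {"port": ..., "ip": ...}

    def handle(self, p: Packet) -> str:
        key = (p.vlan, p.chaddr.lower())
        if p.port in self.trusted:
            return self._from_trusted(p, key)
        return self._from_untrusted(p, key)

    def _from_untrusted(self, p, key):
        # Server replies and lease queries are never accepted from untrusted ports.
        if p.msg in SERVER_MSGS or p.msg == "DHCPLEASEQUERY":
            return FILTER
        # Verify MAC Address: Layer 2 source must equal chaddr on untrusted ports.
        if self.verify_mac and p.src_mac.lower() != p.chaddr.lower():
            return FILTER
        if p.msg in RELEASING:
            entry = self.bindings.get(key)
            if entry is not None and entry["port"] != p.port:
                return FILTER  # binding was learned on a different interface
            self.bindings.pop(key, None)
            return TO_TRUSTED
        if p.msg in CLIENT_MSGS:
            self.client_port[key] = p.port
            return TO_TRUSTED
        return FILTER  # assumption: message types not in the table are dropped

    def _from_trusted(self, p, key):
        if p.msg in SERVER_MSGS:
            port = self.client_port.get(key)
            if port is None:
                return FILTER  # destination unknown
            if p.msg == "DHCPACK" and p.ip:
                self.bindings[key] = {"port": port, "ip": p.ip}
            elif p.msg == "DHCPNAK":
                self.bindings.pop(key, None)
            return TO_CLIENT
        if p.msg == "DHCPLEASEQUERY":
            return FORWARD
        if p.msg in CLIENT_MSGS:
            self.client_port[key] = p.port
            return TO_TRUSTED
        return TO_TRUSTED if p.msg in RELEASING else FILTER


# Constructed scenario: client on gi1, DHCP server on trusted gi24, other host on gi7.
CLIENT, SERVER, OTHER = "00:1a:2b:3c:4d:5e", "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
SAMPLE = [
    Packet("DHCPDISCOVER", "gi1", 10, CLIENT, CLIENT),
    Packet("DHCPOFFER", "gi7", 10, OTHER, CLIENT, "192.0.2.66"),   # untrusted reply
    Packet("DHCPOFFER", "gi24", 10, SERVER, CLIENT, "192.0.2.10"),
    Packet("DHCPREQUEST", "gi1", 10, CLIENT, CLIENT),
    Packet("DHCPACK", "gi24", 10, SERVER, CLIENT, "192.0.2.10"),
    Packet("DHCPRELEASE", "gi7", 10, CLIENT, CLIENT),              # wrong interface
    Packet("DHCPDISCOVER", "gi7", 10, OTHER, "00:de:ad:be:ef:01"), # chaddr mismatch
    Packet("DHCPRELEASE", "gi1", 10, CLIENT, CLIENT),
]


def run_sample():
    """Return (action per packet, snapshot of the binding table after each packet)."""
    sw, results, history = Snooper(trusted_ports={"gi24"}), [], []
    for p in SAMPLE:
        results.append(sw.handle(p))
        history.append(dict(sw.bindings))
    return results, history


if __name__ == "__main__":
    for p, action in zip(SAMPLE, run_sample()[0]):
        print(f"{p.msg:<13} on {p.port:<5} -> {action}")
```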

DHCP Interfaces

In Layer 2, DHCP Snooping can only be enabled on VLANs with IP addresses.

To enable DHCP Snooping on specific interfaces:

1. Click Configuration > IP Network Operations > DHCP > DHCP Interfaces.
2. The following fields are displayed for each interface for which the DHCP Snooping is enabled:
   Interface - On which DHCP Snooping is enabled or disabled.
   Interface IP Address - IP address of the interface on which DHCP Snooping is enabled.
   DHCP Snooping - Select to enable DHCP snooping.
3. To enable DHCP Snooping on an interface, click Add.
4. Select the interface and the feature to be enabled: DHCP Snooping.
5. Click Apply. The settings are written to the Running Configuration file.

Trusted Interface

Packets from untrusted ports/LAGs are checked against the DHCP Snooping Binding Database. By default, interfaces are untrusted. To designate an interface as untrusted go to Interface Settings.

DHCP Snooping Binding Database

Note the following points about maintenance of the DHCP Snooping Binding database:

- The device does not update the DHCP Snooping Binding database when a station moves to another interface.
- If a port is down, the entries for that port are not deleted.

- When DHCP Snooping is disabled for a VLAN, the binding entries that were collected for that VLAN are removed.
- If the database is full, DHCP Snooping continues to forward packets, but new entries are not created.

To add entries to the DHCP Snooping Binding database:
1. Click Configuration > IP Network Operations > DHCP Snooping Binding Database. To see a subset of entries in the DHCP Snooping Binding database, enter the relevant search criteria and click Search.
2. To add an entry, click Add and enter the fields:
- VLAN ID: VLAN on which a packet is expected.
- MAC Address: MAC address of a packet.
- IPv4 Address: IP address of a packet.
- Interface: Type of interface on which a packet is expected.
- Type: The possible field values are the following:
  - Dynamic: Entry has limited lease time.
  - Static: Entry was statically configured.
- Lease Time: If the entry is dynamic, enter the amount of time that the entry is to be active in the DHCP Database in User Defined. If there is no Lease Time, check Infinite.
3. Click Apply. The settings are defined, and the device is updated.

Interface Settings

To configure trusted interfaces:
Click Configuration > IP Network Operation > Interface Settings.
- Interface: Interface identifier.
- DHCP Snooping Trusted Interface: Whether the interface is DHCP Snooping trusted.

Chapter 12 Security

Management Security

The default username/password is admin/admin.

User Access & Accounts

The User Access & Accounts page enables entering additional users that are permitted to access the device (read-only or read-write) or changing the passwords of existing users.

User authentication occurs in the order that the authentication methods are selected. If the first authentication method is not available, the next selected method is used. For example, if the selected authentication methods are RADIUS and Local, and all configured RADIUS servers are queried in priority order and do not reply, the user is authenticated locally.

If an authentication method fails or the user has insufficient privilege level, the user is denied access to the device. In other words, if authentication fails at an authentication method, the device stops the authentication attempt; it does not continue and does not attempt to use the next authentication method.

After adding a user (as described below), the default user is removed from the system.

Note: It is not permitted to delete all users. If all users are selected, the Delete button is disabled.

To add a new user:
1. Click Configuration > Security > Management Security > User Access & Accounts.
2. Enter the following fields:
- HTTP Service: Select to enable on the device.
- HTTP Server Port: Enter the port on which HTTP is enabled.
- HTTPS Service: Select to enable on the device.
- HTTPS Server Port: Enter the port on which HTTPS is enabled.
- Telnet: Select to enable on the device.
3. Click Add to add a new user or click Edit to modify a user.
4. Enter the parameters.
- User Name: Enter a new username between 0 and 20 characters. UTF-8 characters are not permitted.
- Password: Enter a password (UTF-8 characters are not permitted).
- Confirm Password: Enter the password again.
5. Click Apply. The user is added to the Running Configuration file of the device.

Access Authentication

You can assign authentication methods to the various management access methods, such as console, HTTP, and HTTPS. The authentication can be performed locally or on a RADIUS server.

User authentication occurs in the order that the authentication methods are selected. If the first authentication method is not available, the next selected method is used. For example, if the selected authentication methods are RADIUS and Local, and all configured RADIUS servers are queried in priority order and do not reply, the user is authenticated locally.

If an authentication method fails or the user has insufficient privilege level, the user is denied access to the device. If authentication fails at an authentication method, the device stops the authentication attempt; it does not continue and does not attempt to use the next authentication method.

To define authentication methods for an access method:
1. Click Configuration > Security > Management Security > Management Access Authentication.
2. Select an access method from the Application list.
3. Use the arrows to move the authentication method between the Method Available column and the Method To Use column. The first method selected is the first method that is used.
- RADIUS: User is authenticated on a RADIUS server. You must have configured one or more RADIUS servers.
- None: User is allowed to access the device without authentication.
- Local: Username and password are checked against the data stored on the local device. These username and password pairs are defined in the User Accounts page.
Note: The Local or None authentication method must always be selected last. All authentication methods selected after Local or None are ignored.
4. Click Apply. The selected authentication methods are associated with the access method.
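The ordering rules above have two consequences worth testing before deployment: a rejected login never falls through to the next method, and a list ending in None admits anyone whenever RADIUS is unreachable. The following added example (not the device's code) models the documented behavior; the account names, passwords and the `fails_open` helper are constructed for illustration.

```python
"""Model of management access authentication ordering (constructed example)."""
import hmac
from enum import Enum


class Outcome(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNAVAILABLE = "unavailable"   # e.g. no configured RADIUS server replied


def effective_chain(selected):
    """Methods selected after Local or None are ignored."""
    chain = []
    for name in selected:
        chain.append(name)
        if name in ("Local", "None"):
            break
    return chain


def authenticate(selected, backends, username, password):
    """Return (granted, deciding_method) for an ordered method list."""
    for name in effective_chain(selected):
        if name == "None":
            return True, "None"            # access without authentication
        outcome = backends[name](username, password)
        if outcome is Outcome.ACCEPT:
            return True, name
        if outcome is Outcome.REJECT:
            return False, name             # failure stops the attempt
        # UNAVAILABLE: try the next selected method
    return False, None


def password_backend(accounts):
    """Build a backend that checks a constructed username/password table."""
    def check(username, password):
        stored = accounts.get(username)
        if stored is not None and hmac.compare_digest(
                stored.encode(), password.encode()):
            return Outcome.ACCEPT
        return Outcome.REJECT
    return check


def unreachable(_username, _password):
    return Outcome.UNAVAILABLE


def fails_open(selected):
    """True if the list grants access without credentials as a last resort."""
    return effective_chain(selected)[-1:] == ["None"]


# Constructed sample accounts.
RADIUS_USERS = {"netops": "radius-pass"}
LOCAL_USERS = {"netops": "local-pass"}
RADIUS_UP = {"RADIUS": password_backend(RADIUS_USERS),
             "Local": password_backend(LOCAL_USERS)}
RADIUS_DOWN = {"RADIUS": unreachable,
               "Local": password_backend(LOCAL_USERS)}

if __name__ == "__main__":
    print(authenticate(["RADIUS", "Local"], RADIUS_UP, "netops", "local-pass"))
    print(authenticate(["RADIUS", "Local"], RADIUS_DOWN, "netops", "local-pass"))
    print(authenticate(["RADIUS", "None"], RADIUS_DOWN, "anyone", ""))
```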

Access Profile

Access profiles determine how to authenticate and authorize users accessing the device through various access methods. Access profiles can limit management access from specific sources.

Only users who both pass the active access profile and are authorized based on the authentication methods that correspond to the access method are given management access to the device. For more information, see Access Authentication.

There can only be a single access profile active on the device at one time.

Access profiles consist of one or more rules. The rules are executed in order of their priority within the access profile (top to bottom).

Rules are composed of filters that include the following elements:
- Access Methods: Methods for accessing and managing the device. The authentication method for the selected access method is specified in Management Access Authentication.
  - Telnet
  - Hypertext Transfer Protocol (HTTP)
  - Secure HTTP (HTTPS)
  - Simple Network Management Protocol (SNMP)
  - All of the above
- Action: Permit or deny access to an interface or source address.
- Interface: Which ports, LAGs, or VLANs are permitted to access or are denied access to the web-based configuration utility.

- Source IP Address: IP addresses or subnets. Access to management methods might differ among user groups. For example, one user group might be able to access the device module only by using an HTTPS session, while another user group might be able to access the device module by using both HTTPS and Telnet sessions.

The Access Profile page displays the access profiles that are defined and enables selecting one access profile to be the active one.

When a user attempts to access the device through an access method, the device looks to see if the active access profile explicitly permits management access to the device through this method. If no match is found, access is denied.

When an attempt to access the device is in violation of the active access profile, the device generates a SYSLOG message to alert the system administrator of the attempt.

If a console-only access profile has been activated, the only way to deactivate it is through a direct connection from the management station to the physical console port on the device.

Use the Access Profiles page to create an access profile and to add its first rule. If the access profile only contains a single rule, you are finished. To add additional rules to the profile, use the Profile Rules page.

1. Click Configuration > Security > Management Security > Access Profile. This page displays all of the access profiles, active and inactive.
2. To change the active access profile, select a profile from the Active Access Profile drop down menu and click Apply. This makes the chosen profile the active access profile.
Note: A caution message appears if you selected Console Only. If you continue, you are immediately disconnected from the web-based configuration utility and can access the device only through the console port. This only applies to device types that offer a console port.
3. Click OK to select the active access profile or click Cancel to discontinue the action.
4. Click Add to open the Add Access Profile page. The page allows you to configure a new profile and one rule.
5. Enter the Access Profile Name. This name can contain up to 32 characters.
6. Enter the new rule parameters.
- Rule Priority: Enter the rule priority. When the packet is matched to a rule, user groups are either granted or denied access to the device. The rule priority is essential to matching packets to rules, as packets are matched on a first-match basis. One is the highest priority.
- Management Access Method: Select the management method for which the rule is defined. The options are:
  - All: Assigns all management methods to the rule.

  - Telnet: Users requesting access to the device that meets the Telnet access profile criteria are permitted or denied access.
  - HTTP: Users requesting access to the device that meets the HTTP access profile criteria, are permitted or denied.
  - Secure HTTP (HTTPS): Users requesting access to the device that meets the HTTPS access profile criteria, are permitted or denied.
  - SNMP: Users requesting access to the device that meets the SNMP access profile criteria are permitted or denied.
- Access Control: Select the action attached to the rule. The options are:
  - Permit: Permits access to the device if the user matches the settings in the profile.
  - Deny: Denies access to the device if the user matches the settings in the profile.
- Interface: Select the interface attached to the rule. The options are:
  - All: Applies to all ports, VLANs, and LAGs.
  - Port: Rule applies to ports.
  - LAG: Rule applies to LAGs.
  - VLAN: Rule applies to VLANs.
- Source IP Address: Select the type of source IP address to which the access profile applies. The Source IP Address field is valid for a subnetwork. Select one of the following values:
  - All: Applies to all types of IP addresses.
  - User Defined: Applies to only those types of IP addresses defined in the fields.
- IP Version: Enter the version of the source IP address: Version 6 or Version 4.
- IP Address: Enter the source IP address.
- IP Subnet Mask: Select the format for the subnet mask for the source IP address, and enter a value in one of the fields:
  - Network Mask: Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format.
  - Prefix Length: Select the Prefix Length and enter the number of bits that comprise the source IP address prefix.
7. Click Apply. The access profile is written to the Running Configuration file. You can now select this access profile as the active access profile.

Access Profile Rules

Access profiles can contain up to 128 rules to determine who is permitted to manage and access the device, and the access methods that may be used.

Each rule in an access profile contains an action and criteria (one or more parameters) to match. Each rule has a priority; rules with the lowest priority are checked first. If the incoming packet matches a rule, the action associated with the rule is performed. If no matching rule is found within the active access profile, the packet is dropped.

For example, you can limit access to the device from all IP addresses except IP addresses that are allocated to the IT management center. In this way, the device can still be managed and has gained another layer of security.

To add profile rules to an access profile:
1. Click Configuration > Security > Management Security > Access Profile Rules.
2. Select the Filter field, and an access profile. Click Search. The selected access profile appears in the Profile Rule Table.
3. Click Add to add a rule.
4. Enter the parameters.
- Access Profile Name: Select an access profile.
- Rule Priority: Enter the rule priority. When the packet is matched to a rule, user groups are either granted or denied access to the device. The rule priority is essential to matching packets to rules, as packets are matched on a first-fit basis.
- Management Access Method: Select the management method for which the rule is defined. The options are:

  - All: Assigns all management methods to the rule.
  - Telnet: Users requesting access to the device that meets the Telnet access profile criteria are permitted or denied access.
  - HTTP: Assigns HTTP access to the rule. Users requesting access to the device that meets the HTTP access profile criteria, are permitted or denied.
  - Secure HTTP (HTTPS): Users requesting access to the device that meets the HTTPS access profile criteria, are permitted or denied.
  - SNMP: Users requesting access to the device that meets the SNMP access profile criteria are permitted or denied.
- Access Control: Select Permit to permit the users that attempt to access the device by using the configured access method from the interface and IP source defined in this rule. Or select Deny to deny access.
- Interface: Select the interface attached to the rule. The options are:
  - All: Applies to all ports, VLANs, and LAGs.
  - Port: Select the port attached to the rule.
  - LAG: Select the LAG attached to the rule.
  - VLAN: Select the VLAN attached to the rule.
- Source IP Address: Select the type of source IP address to which the access profile applies. The Source IP Address field is valid for a subnetwork. Select one of the following values:
  - All: Applies to all types of IP addresses.
  - User Defined: Applies to only those types of IP addresses defined in the fields.
- IP Version: Select the supported IP version of the source address: IPv6 or IPv4.
- IP Address: Enter the source IP address.
- IP Subnet Mask: Select the format for the subnet mask for the source IP address, and enter a value in one of the fields:
  - Network Mask: Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format.
  - Prefix Length: Select the Prefix Length and enter the number of bits that comprise the source IP address prefix.
5. Click Apply, and the rule is added to the access profile.
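The first-match, default-deny evaluation described in the Access Profile and Access Profile Rules sections can be rehearsed offline before a profile is activated, which helps avoid locking out the management station. This added example is not the device's implementation; the profile, addresses and VLAN names are constructed, and the `shadowed` check for rules that can never match goes beyond what the guide describes.

```python
"""Offline evaluation of an access profile (constructed example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int            # 1 is the highest priority and is checked first
    method: str              # "All", "Telnet", "HTTP", "HTTPS" or "SNMP"
    action: str              # "Permit" or "Deny"
    interface: str = "All"   # "All" or one port, LAG or VLAN name
    source: str = "All"      # "All", "addr/prefix-length" or "addr/dotted-mask"

    def network(self):
        if self.source == "All":
            return None
        return ipaddress.ip_network(self.source, strict=False)

    def matches(self, method, interface, src_ip):
        if self.method not in ("All", method):
            return False
        if self.interface not in ("All", interface):
            return False
        net = self.network()
        if net is None:
            return True
        addr = ipaddress.ip_address(src_ip)
        return addr.version == net.version and addr in net

    def covers(self, other):
        """True if every request matching `other` also matches this rule."""
        if self.method not in ("All", other.method):
            return False
        if self.interface not in ("All", other.interface):
            return False
        mine, theirs = self.network(), other.network()
        if mine is None:
            return True
        if theirs is None or mine.version != theirs.version:
            return False
        return theirs.subnet_of(mine)


def evaluate(rules, method, interface, src_ip):
    """Return (action, matching priority); no match means access is denied."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(method, interface, src_ip):
            return rule.action, rule.priority
    return "Deny", None


def shadowed(rules):
    """Priorities of rules that an earlier rule always matches first."""
    ordered = sorted(rules, key=lambda r: r.priority)
    return [later.priority for i, later in enumerate(ordered)
            if any(earlier.covers(later) for earlier in ordered[:i])]


# Constructed profile: management only from an IT management subnet.
IT_ONLY = [
    Rule(1, "Telnet", "Deny"),
    Rule(2, "HTTPS", "Permit", source="10.20.30.0/255.255.255.0"),
    Rule(3, "SNMP", "Permit", interface="VLAN 99", source="10.20.30.5/32"),
    Rule(4, "Telnet", "Permit", source="10.20.30.0/24"),   # never reached
    Rule(5, "HTTPS", "Permit", source="2001:db8:30::/64"),
]

if __name__ == "__main__":
    print(evaluate(IT_ONLY, "HTTPS", "VLAN 99", "10.20.30.7"))
    print(evaluate(IT_ONLY, "HTTPS", "VLAN 1", "192.0.2.10"))
    print(shadowed(IT_ONLY))
```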

RADIUS

Remote Authorization Dial-In User Service (RADIUS) servers provide centralized 802.1X network access control. The device is a RADIUS client that can use a RADIUS server to provide centralized security.

An organization can establish a RADIUS server to provide centralized 802.1X network access control for all of its devices. In this way, authentication and authorization can be handled on a single server for all devices in the organization.

The device can act as a RADIUS client that uses the RADIUS server for the following services:
- Authentication: Provides authentication of regular and 802.1X users logging onto the device by using usernames and user-defined passwords.
- Authorization: Performed at login. After the authentication session is completed, an authorization session starts using the authenticated username. The RADIUS server then checks user privileges.
- Accounting: Enable accounting of login sessions using the RADIUS server. This enables a system administrator to generate accounting reports from the RADIUS server.

Accounting Using a RADIUS Server

The user can enable accounting of login sessions using a RADIUS server. The user-configurable, TCP port used for RADIUS server accounting is the same TCP port that is used for RADIUS server authentication and authorization.

Defaults

The following defaults are relevant to this feature:
- No default RADIUS server is defined by default.
- If you configure a RADIUS server, the accounting feature is disabled by default.

To use a RADIUS server:
1. Open an account for the device on the RADIUS server.
2. Configure that server along with the other parameters in the RADIUS and ADD RADIUS Server pages.
Note: If more than one RADIUS server has been configured, the device uses the configured priorities of the available RADIUS servers to select the RADIUS server to be used by the device.

To set the RADIUS server parameters:
1. Click Security > RADIUS.
2. Enter the default RADIUS parameters if required. If a value is not entered for a specific server (in the Add RADIUS Server page) the device uses the values in these fields.
- Retries: Enter the number of transmitted requests that are sent to the RADIUS server before a failure is considered to have occurred.
- Timeout for Reply: Enter the number of seconds that the device waits for an answer from the RADIUS server before retrying the query, or switching to the next server.
- Dead Time: Enter the number of minutes that elapse before a non-responsive RADIUS server is bypassed for service requests. If the value is 0, the server is not bypassed.
- Key String: Enter the default key string used for authenticating and encrypting between the device and the RADIUS server. This key must match the key configured on the RADIUS server. A key string is used to encrypt communications by using MD5. This overrides the default key string if one has been defined.
3. Click Apply. The RADIUS default settings for the device are updated in the Running Configuration file.
4. To add a RADIUS server, click Add.
5. Enter the values in the fields for each RADIUS server. To use the default values entered in the RADIUS page, select Use Default.
- Add Server: Select whether to specify the RADIUS server by IP address or name.
- IP Version: Select the version of the IP address of the RADIUS server.

- IPv6 Address Type: Select the IPv6 address type (if IPv6 is used). The options are:
  - Link Local: The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
  - Global: The IPv6 address is a global Unicast IPv6 type that is visible and reachable from other networks.
- Interface: Select the link local interface (if IPv6 Address Type Link Local is selected) from the list.
- Server IP Address: Enter the IP address of the RADIUS server.
- Server IP Name: Enter the name of the RADIUS server.
- Authentication Port: Enter the UDP port number of the RADIUS server port for authentication requests.
- Accounting Port: Enter the UDP port number of the RADIUS server port for accounting requests.
- Priority: Enter the priority of the server. The priority determines the order the device attempts to contact the servers to authenticate a user. The device starts with the highest priority RADIUS server first. Zero is the highest priority.
- Key String: Enter the key string used for authenticating and encrypting communication between the device and the RADIUS server. This key must match the key configured on the RADIUS server. If Use Default is selected, the device attempts to authenticate to the RADIUS server by using the default Key String.
- Usage Type: Enter the RADIUS server authentication type. The options are:
  - Login: RADIUS server is used for authenticating users that ask to administer the device.
  - 802.1X: RADIUS server is used for 802.1x authentication.
  - All: RADIUS server is used for authenticating users that ask to administer the device and for 802.1X authentication.
6. Click Apply. The RADIUS server definition is added to the Running Configuration file of the device.

Network Access Control

802.1x authentication restricts unauthorized clients from connecting to a LAN through publicly accessible ports. 802.1x authentication is a client-server model. In this model, network devices have the following specific roles:
- Client or supplicant
- Authenticator
- Authentication server

This is described in the figure below:

A network device can be either a client/supplicant, an authenticator or both per port.

Client or Supplicant

A client or supplicant is a network device that requests access to the LAN. The client is connected to an authenticator. If the client uses the 802.1x protocol for authentication, it runs the supplicant part of the 802.1x protocol and the client part of the EAP protocol.

Authenticator

An authenticator is a network device that provides network services and to which supplicant ports are connected. The following authentication modes on ports are supported:
- Multiple Host (802.1x): Supports port-based authentication. If one client is authenticated, all client devices attaching to the port have access.
- Multiple Sessions: Supports client-based authentication. Each client must be authenticated individually before receiving access.

See Port Host Modes for more information.

In 802.1x-based authentication, the authenticator extracts the EAP messages from the 802.1x messages (EAPOL frames) and passes them to the authentication server, using the RADIUS protocol.

Authentication Server

An authentication server performs the actual authentication of the client. The authentication server for the device is a RADIUS authentication server with EAP extensions.

Port Administrative Authentication States

The port administrative state determines whether the client is granted access to the network. The port administrative state can be configured in the Port Authentication page. The following values are available:
- Force Authorized: Port authentication is disabled and the port transmits all traffic in accordance with its static configuration without requiring any authentication. The switch sends the 802.1x EAP-packet with the EAP success message inside when it receives the 802.1x EAPOL-start message. This is the default state.
- Force Unauthorized: Port authentication is disabled and the port transmits all traffic via the guest VLAN. The switch sends 802.1x EAP packets with EAP failure messages inside when it receives 802.1x EAPOL-Start messages.
- Auto: Enables 802.1x authentications in accordance with the configured port host mode and authentication methods configured on the port.

Port Host Modes

Ports can be placed in the following port host modes (configured in the Host Authentication page):
- Multi-Host Mode: A port is authorized if there is at least one authorized client. When a port is unauthorized and a guest VLAN is enabled, untagged traffic is remapped to the guest VLAN. Tagged traffic is dropped unless it belongs to the guest VLAN. When a port is authorized, untagged and tagged traffic from all hosts connected to the port is bridged, based on the static VLAN membership port configuration. You can specify that untagged traffic from the authorized port will be remapped to a VLAN that is assigned by a RADIUS server during the authentication process. Tagged traffic is dropped unless it belongs to the RADIUS-assigned VLAN. RADIUS VLAN assignment on a port is set in the Port Authentication page.
- Multi-Sessions Mode: Unlike multi-host modes, a port in the multi-session mode does not have an authentication status. The maximum number of authorized hosts allowed on the port is configured in the Port Authentication page. Tagged and untagged traffic from unauthorized hosts is remapped to the guest VLAN if it is defined and enabled on the VLAN, or it is dropped if the guest VLAN is not enabled on the port. If an authorized host is assigned a VLAN by a RADIUS server, all its tagged and untagged traffic is bridged via the VLAN. If the VLAN is not assigned, all its traffic is bridged based on the static VLAN membership port configuration.

Multiple Authentication Methods

If more than one authentication method is enabled on the switch, the following hierarchy of authentication methods is applied:
- 802.1x Authentication: Highest
- MAC-Based Authentication: Lowest

Multiple methods can run at the same time. When one method finishes successfully, the client becomes authorized, the methods with lower priority are stopped and the methods with higher priority continue.

When one of the authentication methods running simultaneously fails, the other methods continue.

When an authentication method finishes successfully for a client authenticated by a method with a lower priority, the attributes of the new method are applied. When the new method fails, the client is left authorized with the old method.

802.1x-Based Authentication

The device supports the 802.1x authentication mechanism, as described in the standard, to authenticate and authorize 802.1x supplicants.

The 802.1x-based authenticator relays transparent EAP messages between 802.1x supplicants and authentication servers. The EAP messages between supplicants and the authenticator are encapsulated into the 802.1x messages, and the EAP messages between the authenticator and authentication servers are encapsulated into the RADIUS messages.

This is described in the following:

MAC-Based Authentication

MAC-based authentication is an alternative to 802.1X authentication that allows network access to devices (such as printers and IP phones) that do not have the 802.1X supplicant capability. MAC-based authentication uses the MAC address of the connecting device to grant or deny network access.

In this case, the switch supports EAP MD5 functionality with the username and password equal to the client MAC address, as shown below.

Guest VLAN

The guest VLAN provides access to services that do not require the subscribing devices or ports to be 802.1X or MAC-based authenticated and authorized.

The guest VLAN is the VLAN that is assigned to an unauthorized client. You can configure the guest VLAN and one or more VLANs to be unauthenticated in the Security > Network Access Control > Feature Configuration page.

The guest VLAN, if configured, is a static VLAN with the following characteristics:
- It must be manually defined from an existing static VLAN.
- The guest VLAN cannot be used as the Voice VLAN.

Host Modes with Guest VLAN

The host modes work with guest VLAN in Single-Host and Multi-Host Mode. Untagged traffic and tagged traffic belonging to the guest VLAN arriving on an unauthorized port are bridged via the guest VLAN. All other traffic is discarded.

Dynamic VLAN Assignment

An authorized client can be assigned a VLAN by the RADIUS server, if this option is enabled in the Port Authentication page. This is called either Dynamic VLAN Assignment (DVA) or RADIUS-Assigned VLAN. In this guide, RADIUS-Assigned VLAN is used.

When a port is in multi-session mode and RADIUS-Assigned VLAN is enabled, the device automatically adds the port as an untagged member of the VLAN that is assigned by the RADIUS server during the authentication process. The device classifies untagged packets to the assigned VLAN if the packets originated from the devices or ports that are authenticated and authorized.

Note: In multi-session mode, RADIUS VLAN assignment is only supported when the device is in Layer 2 system mode.

When the RADIUS-Assigned VLAN feature is enabled, the host modes behave as follows:
- Single-Host and Multi-Host Mode: Untagged traffic and tagged traffic belonging to the RADIUS-assigned VLAN are bridged via this VLAN. All other traffic not belonging to unauthenticated VLANs is discarded.
- Full Multi-Sessions Mode: Untagged traffic and tagged traffic not belonging to the unauthenticated VLANs arriving from the client are assigned to the RADIUS-assigned VLAN using TCAM rules and are bridged via the VLAN.

Workflow 1: To enable 802.1x authentication on a port
1. Click Configuration > Security > Network Access Control > Feature Configuration.
2. Enable Port-based Authentication.
3. Select the Authentication Method.
4. Click Apply, and the Running Configuration file is updated.
5. Click Configuration > Security > Network Access Control > Port Authentication.
6. Select the required port and click Edit.
7. Set the Host Authentication mode.
8. Select a port, and click Edit.
9. Set the Administrative Port Control field to Auto.
10. Define the authentication methods.
11. Click Apply, and the Running Configuration file is updated.

Workflow 2: To configure 802.1x-based authentication
1. Click Configuration > Security > Network Access Control > Port Authentication.
2. Select the required port and click Edit.
3. Enter the fields required for the port. The fields in this page are described in Port Authentication.
4. Click Apply, and the Running Configuration file is updated.

Workflow 3: To configure the guest VLAN
1. Click Security > Network Access Control > Feature Configuration.
2. Select Enable in the Guest VLAN field.
3. Select the guest VLAN in the Guest VLAN ID field.
4. Click Apply, and the Running Configuration file is updated.

Feature Configuration

The Feature Configuration page is used to globally enable 802.1X and define how ports are authenticated. For 802.1X to function, it must be activated globally and individually on each port.

To define port-based authentication:
1. Click Configuration > Security > Network Access Control > Feature Configuration.
2. Enter the parameters:
- Port-Based Authentication: Enable or disable port-based authentication. If this is disabled 802.1X is disabled.
- Authentication Method: Select the user authentication methods. The options are as follows:
  - RADIUS, None: Perform port authentication first by using the RADIUS server. If no response is received from RADIUS (for example, if the server is down), then no authentication is performed, and the session is permitted.
  - RADIUS: Authenticate the user on the RADIUS server. If no authentication is performed, the session is not permitted.
  - None: Do not authenticate the user. Permit the session.

- Guest VLAN: Enable the use of a guest VLAN for unauthorized ports. If a guest VLAN is enabled, all unauthorized ports automatically join the VLAN selected in the Guest VLAN ID field. If a port is later authorized, it is removed from the guest VLAN.
- Guest VLAN ID: Select the guest VLAN from the list of VLANs.
3. Click Apply. The settings are written to the Running Configuration file.

Port Authentication

The Port Authentication page enables configuration of 802.1X parameters for each port. Since some of the configuration changes are only possible while the port is in Force Authorized state, such as host authentication, it is recommended that you change the port control to Force Authorized before making changes. When the configuration is complete, return the port control to its previous state.

Note: A port with 802.1x defined on it cannot become a member of a LAG.

To configure 802.1X authentication:
1. Click Security > Network Access Control > Port Authentication. This page displays authentication settings for all ports. The Current Port Control displays the current port authorization state. If the state is Authorized, the port is either authenticated or the Administrative Port Control is Force Authorized. Conversely, if the state is Unauthorized, then the port is either not authenticated or the Administrative Port Control is Force Unauthorized.

2. Select a port, and click Edit.
3. Enter the parameters.
- Interface: Select a port.
- Port Control: Select the Administrative Port Authorization state.
  - Force Unauthorized: Denies the interface access by moving the interface into the unauthorized state. The device does not provide authentication services to the client through the interface.
  - Auto: Enables port-based authentication and authorization on the device. The interface moves between an authorized or unauthorized state based on the authentication exchange between the device and the client.
  - Force Authorized: Authorizes the interface without authentication.
- Host Authentication Mode:
  - Multiple Host (802.1x): Supports port-based authentication with multiple clients per port.
  - Multiple Sessions: Supports client-based authentication with multiple clients per port.
- RADIUS VLAN Assignment: Select to enable Dynamic VLAN assignment on the selected port.
- Guest VLAN: Select to indicate that the usage of a previously-defined guest VLAN is enabled for the device. Enables using a guest VLAN for unauthorized ports. If a guest VLAN is enabled, the unauthorized port automatically joins the VLAN selected in the Guest VLAN ID field in the 802.1X Port Authentication page. After an authentication failure, and if guest VLAN is activated globally on a given port, the guest VLAN is automatically assigned to the unauthorized ports as an Untagged VLAN.
- 802.1X Based Authentication: Select to enable 802.1X authentication on the port.
- MAC Based Authentication: Select to enable MAC-based authentication on the port. The port is authenticated based on the supplicant MAC address. Only 8 MAC-based authentications can be used on the port.
Note: For MAC authentication to succeed, the RADIUS server supplicant username and password must be the supplicant MAC address. The MAC address must be in lower case letters and entered without the . or - separators; for example: 0020aa00bbcc.
- Period Reauthentication: Select to enable port re-authentication attempts after the specified Reauthentication Period.

- Reauthentication Period: Enter the number of seconds after which the selected port is reauthenticated.
4. Click Apply. The port settings are written to the Running Configuration file.

Authenticated Hosts

To display details about authenticated users:
Click Configuration > Security > Network Access Control > Authenticated Hosts.
- User Name: Supplicant names that were authenticated on each port.
- MAC Address: Displays the supplicant MAC address.
- Port: Number of the port.
- VLAN ID: VLAN where the host is learned or assigned.
- Session Time: Amount of time that the supplicant was logged on the port.
- Authentication Method: Method by which the last session was authenticated.

The following table shows which combinations of authentication method and port mode are supported.

Authentication Method | Multi-host | Multi-sessions | Device in L3 | Device in L | 802.1x | MAC

The port mode also supports the guest VLAN and RADIUS-VLAN assignment. This device is a L2 device.

Mode Behavior
The following tables describe how authenticated and non-authenticated traffic is handled in various situations.

Unauthenticated Traffic
Multi-host
   With Guest VLAN, Untagged: Frames are remapped to the guest VLAN
   With Guest VLAN, Tagged: Frames are dropped unless they belong to the guest VLAN or to the unauthenticated VLANs
   Without Guest VLAN, Untagged: Frames are dropped
   Without Guest VLAN, Tagged: Frames are dropped unless they belong to the unauthenticated VLANs
Multi-session
   With Guest VLAN, Untagged: N/S
   With Guest VLAN, Tagged: N/S
   Without Guest VLAN, Untagged: Frames are dropped
   Without Guest VLAN, Tagged: Frames are dropped unless they belong to the unauthenticated VLANs
N/S: The authentication method does not support the port mode.

Authenticated Traffic
Multi-host
   With RADIUS VLAN, Untagged: Frames are remapped to the RADIUS VLAN
   With RADIUS VLAN, Tagged: Frames are dropped unless they belong to the guest RADIUS or unauthenticated VLANs
   Without RADIUS VLAN, Untagged: Frames are bridged based on the static VLAN configuration
   Without RADIUS VLAN, Tagged: Frames are bridged based on the static VLAN configuration
Multi-session
   With RADIUS VLAN, Untagged: N/S
   With RADIUS VLAN, Tagged: N/S
   Without RADIUS VLAN, Untagged: Frames are bridged based on the static VLAN configuration
   Without RADIUS VLAN, Tagged: Frames are bridged based on the static VLAN configuration
N/S: The authentication method does not support the port mode.

Port Security
Network security can be increased by limiting access on a port to users with specific MAC addresses. The MAC addresses can be either dynamically learned or statically configured.
Port security monitors received and learned packets. Access to locked ports is limited to users with specific MAC addresses.
Port Security has two modes:
- Classic Lock: All learned MAC addresses on the port are locked, and the port does not learn any new MAC addresses. The learned addresses are not subject to aging or relearning.
- Limited Dynamic Lock: The device learns MAC addresses up to the configured limit of allowed addresses. After the limit is reached, the device does not learn additional addresses. In this mode, the addresses are subject to aging and relearning.
When a frame from a new MAC address is detected on a port where it is not authorized (the port is classically locked, and there is a new MAC address, or the port is dynamically locked, and the maximum number of allowed addresses has been exceeded), the protection mechanism is invoked, and one of the following actions can take place:
- Frame is discarded
- Frame is forwarded
- Port is shut down

To configure port security:
1. Click Configuration > Security > Port Security.
2. Select an interface to be modified, and click Edit.
3. Enter the parameters.
   Interface: Select the interface name.
   Interface Status: Select to lock the port.
   Learning Mode: Select the type of port locking. To configure this field, the Interface Status must be unlocked. The Learning Mode field is enabled only if the Interface Status field is locked. To change the Learning Mode, the Lock Interface must be cleared. After the mode is changed, the Lock Interface can be reinstated. The options:
   - Classic Lock: Locks the port immediately, regardless of the number of addresses that have already been learned.
   - Limited Dynamic Lock: Locks the port by deleting the current dynamic MAC addresses associated with the port. The port learns up to the maximum addresses allowed on the port. Both relearning and aging of MAC addresses are enabled.
   Maximum Addresses: Enter the maximum number of MAC addresses that can be learned on the port if Limited Dynamic Lock learning mode is selected. The number 0 indicates that only static addresses are supported on the interface.
   Action on Violation: Select an action to be applied to packets arriving on a locked port. The options:
   - Discard: Discards packets from any unlearned source.
   - Forward: Forwards packets from an unknown source without learning the MAC address.
   - Shutdown: Discards packets from any unlearned source, and shuts down the port. The port remains shut down until reactivated, or until the device is rebooted.
   Trap: Enable Trap and set the trap frequency.
4. Click Apply. Port security is modified, and the Running Configuration file is updated.
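The two lock modes and the three violation actions described above can be compared with a small model. This is an added example, not code from the guide or the device; the aging time of 300 seconds, the result strings and the sample MAC addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class LockedPort:
    mode: str                  # "classic" or "limited-dynamic"
    action: str                # action on violation: "discard", "forward" or "shutdown"
    max_addresses: int = 0     # limited-dynamic only; 0 means static addresses only
    aging_seconds: int = 300   # assumed aging time, the guide gives no value here
    static: set = field(default_factory=set)
    learned: dict = field(default_factory=dict)     # MAC -> time last seen
    up: bool = True
    violations: list = field(default_factory=list)  # (time, MAC) pairs, e.g. for traps

    def lock(self, currently_learned=()):
        """Apply the lock to a port that has already learned some addresses."""
        if self.mode == "classic":
            # Classic Lock freezes whatever has been learned so far.
            self.learned = {mac: 0 for mac in currently_learned}
        else:
            # Limited Dynamic Lock deletes the current dynamic addresses.
            self.learned = {}

    def receive(self, mac, now):
        """Return what happens to a frame with source address `mac` at time `now`."""
        if not self.up:
            return "port-down"
        if self.mode == "limited-dynamic":
            # Only this mode ages entries out; classic entries never expire.
            self.learned = {m: t for m, t in self.learned.items()
                            if now - t < self.aging_seconds}
        if mac in self.static:
            return "forwarded"
        if mac in self.learned:
            if self.mode == "limited-dynamic":
                self.learned[mac] = now          # relearning refreshes the entry
            return "forwarded"
        if self.mode == "limited-dynamic" and len(self.learned) < self.max_addresses:
            self.learned[mac] = now
            return "learned"
        # Violation: new address on a classically locked port, or limit exceeded.
        self.violations.append((now, mac))
        if self.action == "forward":
            return "forwarded-not-learned"
        if self.action == "shutdown":
            self.up = False                      # stays down until reactivated
            return "shutdown"
        return "discarded"


def replay(port, frames):
    """Feed (time, source MAC) pairs through the port and collect the outcomes."""
    return [port.receive(mac, t) for t, mac in frames]


# Constructed sample addresses.
A, B, C = "00:20:aa:00:bb:01", "00:20:aa:00:bb:02", "00:20:aa:00:bb:03"

if __name__ == "__main__":
    classic = LockedPort("classic", "discard")
    classic.lock([A])
    print(replay(classic, [(5, A), (6, B), (100000, A)]))

    limited = LockedPort("limited-dynamic", "discard", max_addresses=2)
    limited.lock([A])
    print(replay(limited, [(0, A), (10, B), (20, C), (100, A), (320, C)]))
```

In the limited-dynamic run, the third address is refused while the table is full and accepted later, once an idle entry has aged out; on the classically locked port the learned address still works long after any aging time would have expired.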

Storm Control
When Broadcast, Multicast, or Unknown Unicast frames are received, they are duplicated, and a copy is sent to all possible egress ports. This means that in practice they are sent to all ports belonging to the relevant VLAN. In this way, one ingress frame is turned into many, creating the potential for a traffic storm.
Storm protection enables you to limit the number of frames entering the device and to define the types of frames that are counted towards this limit.
When the rate of Broadcast, Multicast, or Unknown Unicast frames is higher than the user-defined threshold, frames received beyond the threshold are discarded.
To define Storm Control:
1. Click Configuration > Security > Storm Control.
2. Select a port and click Edit.
   Port: Select the port for which storm control is enabled.
   Storm Control: Select to enable Storm Control.
   Storm Control Mode: Select one of the modes:
   - Unknown Unicast, Multicast & Broadcast: Counts unknown Unicast, Broadcast, and Multicast traffic towards the bandwidth threshold.
   - Multicast & Broadcast: Counts Broadcast and Multicast traffic towards the bandwidth threshold.
   - Broadcast Only: Counts only Broadcast traffic towards the bandwidth threshold.

   Storm Control Rate Threshold: Enter the maximum rate at which unknown packets can be forwarded. The default for this threshold is 10,000 for FE devices and 100,000 for GE devices.
3. Click Apply. Storm control is modified, and the Running Configuration file is updated.

Chapter 13 - Access Control List
The Access Control List (ACL) feature is part of the security mechanism. ACLs enable network managers to define patterns (filter and actions) for ingress traffic. Packets, entering the device on a port or LAG with an active ACL, are either admitted or denied entry.
An Access Control List (ACL) is an ordered list of classification filters and actions. Each single classification rule, together with its action, is called an Access Control Element (ACE).
Each ACE is made up of filters that distinguish traffic groups and associated actions. A single ACL may contain one or more ACEs, which are matched against the contents of incoming frames. Either a DENY or PERMIT action is applied to frames whose contents match the filter.
The device supports a maximum of 256 ACLs, and a maximum of 256 ACEs.
When a packet matches an ACE filter, the ACE action is taken and that ACL processing is stopped. If the packet does not match the ACE filter, the next ACE is processed. If all ACEs of an ACL have been processed without finding a match, and if another ACL exists, it is processed in a similar manner.
Note: If no match is found to any ACE in all relevant ACLs, the packet is dropped (as a default action). Because of this default drop action you must explicitly add ACEs into the ACL to permit the desired traffic, including management traffic, such as Telnet, HTTP or SNMP that is directed to the device itself. For example, if you do not want to discard all the packets that do not match the conditions in an ACL, you must explicitly add a lowest priority ACE into the ACL that permits all the traffic.
If IGMP snooping is enabled on a port bound with an ACL, add ACE filters in the ACL to forward IGMP/MLD packets to the device; otherwise, IGMP snooping fails at the port.
The order of the ACEs within the ACL is significant, since they are applied in a first-fit manner. The ACEs are processed sequentially, starting with the first ACE.
ACLs can be used for security, for example by permitting or denying certain traffic flows.
There can only be one ACL per port. To associate more than one ACL with a port, a policy with one or more class maps must be used.
The following types of ACLs can be defined (depending on which part of the frame header is examined):
- MAC ACL: Examines Layer 2 fields only, as described in Defining MAC-based ACLs.
- IP ACL: Examines the Layer 3 layer of IP frames, as described in IPv4/IPv6-Based ACLs.
If a frame matches the filter in an ACL, it is defined as a flow with the name of that ACL.

Creating ACLs Workflow
To create ACLs and associate them with an interface:
1. Create one or more of the following types of ACLs:

   - MAC-based ACL by using the MAC Based ACL page and the MAC Based ACE page.
   - IPv4-Based ACL by using the IPv4 Based ACL page and the IPv4 Based ACE page.
   - IPv6-Based ACL by using the IPv6 Based ACL page and the IPv6 Based ACE page.
2. Associate the ACL with interfaces by using the ACL Binding page.

Modifying ACLs Workflow
An ACL can only be modified if it is not in use. To unbind an ACL in order to modify it:
1. If the ACL has been associated with an interface, unbind it from the interface using the ACL Binding page.
2. If the ACL is part of the class map and not bound to an interface, then it can be modified.
3. If the ACL is part of a class map contained in a policy bound to an interface, you must perform the chain of unbinding:
   - Unbind the policy containing the class map from the interface by using Policy Binding.
   - Delete the class map containing the ACL from the policy using the Configuring a Policy (Edit).
   - Delete the class map containing the ACL, by using Defining Class Mapping page.
Only then can the ACL be modified, as described in this section.

MAC-Based ACL
MAC-based ACLs are used to filter traffic based on Layer 2 fields. MAC-based ACLs check all frames for a match.

MAC-based ACLs are defined in the MAC Based ACL page. The rules are defined in the MAC-Based ACE page.
To define a MAC-based ACL:
1. Click Configuration > Access Control List > MAC Based ACL. This page contains a list of all currently-defined MAC-based ACLs.
2. Click Add.
3. Enter the name of the new ACL in the ACL Name field. ACL names are case-sensitive.
4. Click Apply. The MAC-based ACL is saved to the Running Configuration file.

MAC-Based ACE
To add rules (ACEs) to an ACL:
1. Click Configuration > Access Control List > MAC-based ACE.
2. Select an ACL, and click Search. The ACEs in the ACL are listed.
3. Click Add.
4. Enter the parameters.
   ACL Name: Select the name of the ACL to which an ACE is being added.
   ACE Priority: Enter the priority of the ACE. ACEs with higher priority are processed first. One is the highest priority.
   Action on Matched Packets: Select the action taken upon a match. The options:
   - Permit: Forward packets that meet the ACE criteria.
   - Deny: Drop packets that meet the ACE criteria.
   - Shutdown: Drop packets that meet the ACE criteria, and disable the port from where the packets were received. Such ports can be reactivated from the Port Settings page.

   Destination MAC Address: Select Any if all destination addresses are acceptable or User Defined to enter a destination address or a range of destination addresses.
   Destination MAC Address Value: Enter the MAC address to which the destination MAC address is to be matched and its mask (if relevant).
   Destination MAC Wildcard Mask: Enter the mask to define a range of MAC addresses. Note that this mask is different than in other uses, such as subnet mask. Here, setting a bit as 1 indicates don't care and 0 indicates to mask that value.
   Note: Given a mask of (which means that you match on the bits where there is 0 and don't match on the bits where there are 1's). You need to translate the 1's to a decimal integer and you write 0 for each four zeros. In this example since = 255, the mask would be written: as
   Source MAC Address: Select Any if all source addresses are acceptable or User Defined to enter a source address or range of source addresses.
   Source MAC Address Value: Enter the MAC address to which the source MAC address is to be matched and its mask (if relevant).
   Source MAC Wildcard Mask: Enter the mask to define a range of MAC addresses.
   VLAN ID: Enter the VLAN ID section of the VLAN tag to match.
   802.1p: Select Match to use 802.1p.
   802.1p Value: Enter the 802.1p value to be added to the VPT tag.
   802.1p Mask: Enter the wildcard mask to be applied to the VPT tag.
   EtherType: Enter the frame EtherType to be matched.
5. Click Apply. The MAC-Based ACE is saved to the Running Configuration file.

IPv4-Based ACL
IPv4-based ACLs are used to check IPv4 packets, while other types of frames, such as ARPs, are not checked.
The following fields can be matched:
- IP protocol (by name for well-known protocols or directly by value)
- Source/destination ports for TCP/UDP traffic
- Flag values for TCP frames
- ICMP and IGMP type and code
- Source/destination IP addresses (including wildcards)
- DSCP/IP-precedence value
Note: ACLs are also used as the building elements of flow definitions for per-flow QoS handling.
The IPv4 Based ACL page enables adding ACLs to the system. The rules are defined in the IPv4 Based ACE page.
To define an IPv4-Based ACL:
1. Click Configuration > Access Control List > IPv4 Based ACL. This page contains all currently defined IPv4-based ACLs.
2. Click Add.
3. Enter the name of the new ACL in the ACL Name field. The names are case-sensitive.
4. Click Apply. The IPv4-Based ACL is saved to the Running Configuration file.

IPv4-Based ACE
To add rules (ACEs) to an IPv4-Based ACL:
1. Click Configuration > Access Control List > IPv4-Based ACE.
2. Select an ACL, and click Search. All currently-defined IP ACEs for the selected ACL are displayed.
3. Click Add.
4. Enter the parameters.
   ACL Name: Displays the name of the ACL.
   ACE Priority: Enter the priority. ACEs with higher priority are processed first.
   Action on Match Packets: Select the action assigned to the packet matching the ACE. The options:
   - Permit: Forward packets that meet the ACE criteria.
   - Deny: Drop packets that meet the ACE criteria.
   - Shutdown: Drop packet that meets the ACE criteria and disable the port to which the packet was addressed. Ports are reactivated from the Port Management page.
   Protocol: Select to create an ACE based on a specific protocol or protocol ID. Select Any IPv4 to accept all IP protocols. Otherwise select one of the following protocols from the drop-down list:
   - ICMP: Internet Control Message Protocol
   - IGMP: Internet Group Management Protocol
   - IP in IP: IP in IP encapsulation
   - TCP: Transmission Control Protocol
   - UDP: User Datagram Protocol

   Protocol ID: Instead of selecting the name, enter the protocol ID.
   Source IP Address: Select Any if all source addresses are acceptable or User Defined to enter a source address or range of source addresses.
   Source IP Address Value: Enter the IP address to which the source IP address is to be matched and its mask (if relevant).
   Source IP Wildcard Mask: Enter the mask to define a range of IP addresses. Setting a bit as 1 indicates don't care and 0 indicates to mask that value.
   Note: Given a mask of (which means that you match on the bits where there is 0 and don't match on the bits where there are 1's). You need to translate the 1's to a decimal integer and you write 0 for each four zeros. In this example since = 255, the mask would be written: as
   Destination IP Address: Select Any if all destination addresses are acceptable or User Defined to enter a destination address or range of destination addresses.
   Destination IP Address Value: Enter the IP address to which the destination IP address is to be matched.
   Destination IP Wildcard Mask: Enter the mask to define a range of IP addresses.
   Source Port: Select one of the following:
   - Any: Match to all source ports.
   - Single Port: Enter a single TCP/UDP source port to which packets are matched. This field is active only if 800/6-TCP or 800/17-UDP is selected in the Select from List drop-down menu.
   Destination Port: Select one of the available values that are the same as the Source Port field described above.
   Note: You must specify the IP protocol for the ACE before you can enter the source and/or destination port.
   Type of Service: The service type of the IP packet.
   - Any: Any service type
   - DSCP to Match: Differentiated Services Code Point (DSCP) to match
   - IP Precedence to match: IP precedence is a model of TOS (type of service) that the network uses to help provide the appropriate QoS commitments. This model uses the 3 most significant bits of the service type byte in the IP header, as described in RFC 791 and RFC
5. Click Apply. The IPv4-Based ACE is saved to the Running Configuration file.

IPv6-Based ACL
To define an IPv6-Based ACL:
1. Click Configuration > Access Control List > IPv6 Based ACL. This page contains all currently defined IPv6-Based ACLs.
2. Click Add.
3. Enter the name of the new ACL in the ACL Name field. The names are case-sensitive.
4. Click Apply. The IPv6-Based ACL is saved to the Running Configuration file.

IPv6-Based ACE
To add rules (ACEs) to an IPv6-Based ACL:
1. Click Configuration > Access Control List > IPv6-Based ACE.

2. Select an ACL, and click Search. All currently-defined IP ACEs for the selected ACL are displayed.
3. Click Add.
4. Enter the parameters.
   ACL Name: Displays the name of the ACL.
   ACE Priority: Enter the priority. ACEs with higher priority are processed first.
   Action on Match Packets: Select the action assigned to the packet matching the ACE. The options:
   - Permit: Forward packets that meet the ACE criteria.
   - Deny: Drop packets that meet the ACE criteria.
   - Shutdown: Drop packet that meets the ACE criteria and disable the port to which the packet was addressed. Ports are reactivated from the Port Management page.
   Protocol: Select to create an ACE based on a specific protocol or protocol ID. Select Any IPv6 to accept all IP protocols. Otherwise select one of the following protocols from the drop-down list:
   - ICMP: Internet Control Message Protocol
   - TCP: Transmission Control Protocol
   - UDP: User Datagram Protocol
   Protocol ID: Instead of selecting the name, enter the protocol ID.
   Source IP Address: Select Any if all source addresses are acceptable or User Defined to enter a source address or range of source addresses.
   Source IP Address Value: Enter the IP address to which the source IP address is to be matched and its mask (if relevant).
   Source IP Prefix Length: Enter the prefix length of the source IP address.
   Destination IP Address: Select Any if all destination addresses are acceptable or User Defined to enter a destination address or range of destination addresses.
   Destination IP Address Value: Enter the IP address to which the destination IP address is to be matched.
   Destination IP Prefix Length: Enter the prefix length of the destination IP address.
   Source Port: Select one of the following:
   - Any: Match to all source ports.
   - Single Port: Enter a single TCP/UDP source port to which packets are matched. This field is active only if 800/6-TCP or 800/17-UDP is selected in the Select from List drop-down menu.
   Destination Port: Select one of the available values that are the same as the Source Port field described above.

   Note: You must specify the IP protocol for the ACE before you can enter the source and/or destination port.
   Type of Services: The service type of the IP packet.
   - Any: Any service type
   - DSCP to Match: Differentiated Services Code Point (DSCP) to match
   - IP Precedence: IP precedence is a model of TOS (type of service) that the network uses to help provide the appropriate QoS commitments. This model uses the 3 most significant bits of the service type byte in the IP header, as described in RFC 791 and RFC
5. Click Apply. The IPv6-Based ACE is saved to the Running Configuration file.

ACL Binding
When an ACL is bound to an interface (port, LAG or VLAN), its ACE rules are applied to packets arriving at that interface. Packets that do not match any of the ACEs in the ACL are matched to a default rule, whose action is to drop unmatched packets.
Multiple interfaces can be bound to the same ACL.
After an ACL is bound to an interface, it cannot be edited, modified, or deleted until it is removed from all the ports to which it is bound or in use.
To bind an ACL to a port or LAG:
1. Click Configuration > Access Control List > ACL Binding (Port).
2. Select an interface type Ports/LAGs (Port or LAG).
3. Click Search. For each type of interface selected, all interfaces of that type are displayed with a list of their current ACLs.

   Note: To unbind all ACLs from an interface, select the interface, and click Clear.
4. Select an interface, and click Edit.
5. Select one of the following:
   MAC Based ACL: Select a MAC-based ACL to be bound to the interface.
   IPv4 Based ACL: Select an IPv4-Based ACL to be bound to the interface.
   IPv6 Based ACL: Select an IPv6-Based ACL to be bound to the interface.
   Permit Any Unmatched Packets: Select to enable/disable this action.
6. Click Apply. The ACL binding is modified, and the Running Configuration file is updated.
   Note: If no ACL is selected, the ACL(s) that is previously bound to the interface are unbound.
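The first-fit ACE processing, the wildcard mask (1 = don't care) and the default drop rule described in this chapter can be checked offline before an ACL is bound. The following is an added example, not the device's own logic or configuration format; the ACE fields modelled, the sample addresses and the assumption that IPv4 ACE priorities follow the same "one is highest" ordering stated for MAC-based ACEs are all choices made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

TCP, UDP = 6, 17  # IP protocol IDs


@dataclass(frozen=True)
class Ace:
    priority: int                          # lower number = higher priority, processed first
    action: str                            # "permit", "deny" or "shutdown"
    protocol: Optional[int] = None         # None models "Any IPv4"
    src: str = "0.0.0.0"
    src_wildcard: str = "255.255.255.255"  # every bit "don't care" models "Any"
    dst: str = "0.0.0.0"
    dst_wildcard: str = "255.255.255.255"
    dst_port: Optional[int] = None         # None models "Any"


def wildcard_match(addr: str, value: str, wildcard: str) -> bool:
    """Compare only the bits where the wildcard mask is 0 (a 1 bit is 'don't care')."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(value)) & care)


def ace_matches(ace: Ace, pkt: dict) -> bool:
    if ace.protocol is not None and ace.protocol != pkt["proto"]:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.get("dport"):
        return False
    return (wildcard_match(pkt["src"], ace.src, ace.src_wildcard)
            and wildcard_match(pkt["dst"], ace.dst, ace.dst_wildcard))


def evaluate(acl, pkt, permit_any_unmatched=False):
    """Return (action, priority of the deciding ACE); priority is None for the default rule."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if ace_matches(ace, pkt):
            return ace.action, ace.priority      # first fit: processing stops here
    # No ACE matched: default drop, unless the binding permits unmatched packets.
    return ("permit" if permit_any_unmatched else "deny"), None


def audit(acl, required_flows, permit_any_unmatched=False):
    """Names of flows the operator depends on that the bound ACL would not forward."""
    return [name for name, pkt in required_flows.items()
            if evaluate(acl, pkt, permit_any_unmatched)[0] != "permit"]


# Constructed sample data: 192.0.2.10 stands in for the switch management address.
SWITCH = "192.0.2.10"
ACL = [
    Ace(20, "permit", TCP, src="10.1.0.0", src_wildcard="0.0.255.255",
        dst=SWITCH, dst_wildcard="0.0.0.0", dst_port=80),
    Ace(10, "deny", TCP, dst=SWITCH, dst_wildcard="0.0.0.0", dst_port=23),
    # Non-contiguous wildcard: host .53 in every 10.1.x.0 subnet, which a subnet mask cannot express.
    Ace(30, "permit", UDP, src="10.1.0.53", src_wildcard="0.0.255.0", dst_port=53),
]
REQUIRED = {
    "http-mgmt": {"proto": TCP, "src": "10.1.7.9", "dst": SWITCH, "dport": 80},
    "snmp-mgmt": {"proto": UDP, "src": "10.1.7.9", "dst": SWITCH, "dport": 161},
    "dns": {"proto": UDP, "src": "10.1.44.53", "dst": "198.51.100.5", "dport": 53},
}

if __name__ == "__main__":
    print("dropped by default rule:", audit(ACL, REQUIRED))
    print("with Permit Any Unmatched Packets:", audit(ACL, REQUIRED, permit_any_unmatched=True))
```

Here the SNMP management flow is the one lost to the default rule, the case the chapter's note about explicitly permitting management traffic is about. Enabling Permit Any Unmatched Packets restores it, while the explicit Telnet deny keeps winning because it matches before the default is reached.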

Chapter 14 - Quality of Service
The Quality of Service feature is applied throughout the network to ensure that network traffic is prioritized according to required criteria and the desired traffic receives preferential treatment.
The QoS feature is used to optimize network performance. It provides classification of incoming traffic to traffic classes, based on attributes, including:
- Device configuration
- Ingress interface
- Packet content
- Combination of these attributes
QoS includes the following:
- Traffic Classification: Classifies each incoming packet as belonging to a specific traffic flow, based on the packet contents and/or the port.
- Assignment to Hardware Queues: Assigns incoming packets to forwarding queues. Packets are sent to a particular queue for handling as a function of the traffic class to which they belong. See Queue Scheduling.
- Other Traffic Class-Handling Attribute: Applies QoS mechanisms to various classes, including bandwidth management.

QoS Operation
When using the QoS feature, all traffic of the same class receives the same treatment, which consists of a single QoS action of determining the egress queue on the egress port, based on the indicated QoS value in the incoming frame. This is the VLAN Priority Tag (VPT) 802.1p value in Layer 2 and the Differentiated Service Code Point (DSCP) value for IPv4 or Traffic Class (TC) value for IPv6 in Layer 3. When operating in Basic Mode, the device trusts this external assigned QoS value. The external assigned QoS value of a packet determines its traffic class and QoS.
The type of header field to be trusted is entered in the Basic QoS page. For every value of that field, an egress queue is assigned, indicating through which queue the frame is sent, in the CoS/802.1p to Queue page or the DSCP to Queue page (depending on whether the trust mode is CoS/802.1p or DSCP, respectively).

QoS Modes
The QoS mode that is selected applies to all interfaces in the system.
- Basic Mode: Class of Service (CoS). All traffic of the same class receives the same treatment, which is the single QoS action of determining the egress queue on the egress port, based on the indicated QoS value in the incoming frame. This can be the VLAN Priority Tag (VPT) 802.1p value in Layer 2 and the Differentiated Service Code Point (DSCP) value for IPv4 or Traffic Class (TC) value for IPv6 in Layer 3. When operating in Basic Mode, the device trusts this external assigned QoS value. The external assigned QoS value of a packet determines its traffic class and QoS. The header field to be trusted is entered in the Basic QoS page. For every value of that field, an egress queue is assigned where the frame is sent in the CoS/802.1p to Queue page or the DSCP to Queue page (depending on whether the trust mode is CoS/802.1p or DSCP, respectively).
- Disable Mode: In this mode all traffic is mapped to a single best effort queue, so that no type of traffic is prioritized over another.
When disabling QoS, the shaper and queue setting (WRR/SP bandwidth setting) are reset to default values. All other user configurations remain intact.

QoS Workflow
To configure general QoS parameters:
1. Choose the QoS mode (Basic or Disabled) by using the Feature Configuration page. The following steps in the workflow assume that you have chosen to enable QoS.
2. Assign each interface a default CoS priority by using the Feature Configuration page.
3. Assign the schedule method (Strict Priority or WRR) and bandwidth allocation for WRR to the egress queues by using the Queue Scheduling page.
4. Set the trusted mode in the Basic QoS page.
5. Designate an egress queue to each IP DSCP/TC value with the DSCP to Queue page. If the device is in DSCP trusted mode, incoming IP packets are put into the egress queues based on their DSCP/TC value.
6. Designate an egress queue to each CoS/802.1p priority. If the device is in CoS/802.1p trusted mode, all incoming packets are put into the designated egress queues according to the CoS/802.1p priority in the packets. This is done by using the CoS/802.1p to Queue page.
7. Enter bandwidth and rate limits in the following pages:
   - Set egress shaping per queue by using the Egress Shaping page.
   - Set ingress rate limit and egress shaping rate per port by using the Bandwidth Control page.

Feature Configuration
The Feature Configuration page contains fields for setting the QoS mode for the system (Basic, or Disabled, as described in the QoS Modes section). In addition, the default CoS priority for each interface can be defined.
To select the QoS mode:
1. Click Configuration > Quality of Service > Feature Configuration.
2. Set the QoS mode. The following options are available:
   - Disable: QoS is disabled on the device.
   - Basic: QoS is enabled on the device in Basic mode.
3. Select Port/LAG and click Search to display/modify all ports/LAGs on the device and their CoS information. The following fields are displayed for all ports/LAGs:
   Interface: Type of interface.
   Default CoS: Default VPT value for incoming packets that do not have a VLAN Tag. The default CoS is 0. The default is only relevant for untagged frames and only if the system is in Basic mode and Trust CoS is selected in the Basic QoS page.
4. Click Apply. The Running Configuration file is updated.
To set QoS on an interface:
1. Select an interface, and click Edit.

2. Enter the parameters.
   Interface: Select the port or LAG.
   Default CoS: Select the default CoS (Class-of-Service) value to be assigned for incoming packets (that do not have a VLAN tag).
3. Click Apply. The interface default CoS value is saved to Running Configuration file.

Queue Scheduling
The device supports 4 queues for each interface. Queue number four is the highest priority queue. Queue number one is the lowest priority queue.
There are two ways of determining how traffic in queues is handled:
- Strict Priority: Egress traffic from the highest-priority queue is transmitted first. Traffic from the lower queues is processed only after the highest queue has been transmitted, thus providing the highest level of priority of traffic to the highest numbered queue.
- Weighted Round Robin (WRR): In WRR mode, the number of packets sent from the queue is proportional to the weight of the queue (the higher the weight the more frames are sent). For example, if there are a maximum of four queues possible and all four queues are WRR and the default weights are used, queue 1 receives 1/15 of the bandwidth (assuming all queues are saturated and there is congestion), queue 2 receives 2/15, queue 3 receives 4/15 and queue 4 receives 8/15 of the bandwidth. The type of WRR algorithm used in the device is not the standard Deficit WRR (DWRR), but rather Shaped Deficit WRR (SDWRR).
The queuing modes can be selected in the Queue Scheduling page. When the queuing mode is by strict priority, the priority sets the order in which queues are serviced, starting with Queue 4 (the highest priority queue) and going to the next lower queue when each queue is completed.
When the queuing mode is Weighted Round Robin, queues are serviced until their quota has been used up and then another queue is serviced.

It is also possible to assign some of the lower queues to WRR, while keeping some of the higher queues in strict priority. In this case, traffic for the strict priority queues is always sent before traffic from the WRR queues. Only after the strict priority queues have been emptied is traffic from the WRR queues forwarded. (The relative portion from each WRR queue depends on its weight).
To select the priority method and enter WRR data:
1. Click Configuration > Quality of Service > Queue Scheduling.
2. Enter the parameters.
   Queue: Displays the queue number.
   Scheduling Method: Select one of the following options:
   - Strict Priority: Traffic scheduling for the selected queue and all higher queues is based strictly on the queue priority.
   - WRR: Traffic scheduling for the selected queue is based on WRR. The period time is divided between the WRR queues that are not empty, meaning they have descriptors to egress. This happens only if strict priority queues are empty.
   WRR Weight: If WRR is selected, enter the WRR weight assigned to the queue.
   % of WRR Bandwidth: Displays the amount of bandwidth assigned to the queue. These values represent the percent of the WRR weight.
3. Click Apply. The queues are configured, and the Running Configuration file is updated.

CoS/802.1p to Queue

The CoS/802.1p to Queue page maps 802.1p priorities to egress queues. The CoS/802.1p to Queue Table determines the egress queues of the incoming packets based on the 802.1p priority in their VLAN Tags. For incoming untagged packets, the 802.1p priority is the default CoS/802.1p priority assigned to the ingress ports.
The following table describes the default mapping:

802.1p Values (0-7, 7 being the highest) | Queue (4 queues 1-4, 4 being the highest priority) | Notes
0 | 1 | Background
1 | 1 | Best Effort
2 | 2 | Excellent Effort
3 | 3 | Critical Application, VoIP phone SIP
4 | 3 | Video
5 | 4 | Voice, Cisco IP phone default
6 | 4 | Interwork Control, VoIP phone RTP
7 | 4 | Network Control

By changing the CoS/802.1p to Queue mapping (CoS/802.1p to Queue page), the Queue schedule method (Queue Scheduling page) and bandwidth allocation (Bandwidth page), it is possible to achieve the desired quality of service in a network.
The CoS/802.1p to Queue mapping is applicable only if one of the following exists:
- The device is in QoS Basic mode and CoS/802.1p trusted mode
Queue 1 has the lowest priority; queue 4 has the highest priority.
To map CoS/802.1p values to egress queues:
1. Click Configure > Quality of Service > CoS/802.1p to Queue.
2. Enter the parameters.
   802.1p: Displays the 802.1p priority tag values to be assigned to an egress queue, where 0 is the lowest and 7 is the highest priority.
   Output Queue: Select the egress queue to which the 802.1p priority is mapped. Either four or eight egress queues are supported, where Queue 4 is the highest priority egress queue and Queue 1 is the lowest priority.
3. For each 802.1p priority, select the Output Queue to which it is mapped.
4. Click Apply. 802.1p priority values to queues are mapped, and the Running Configuration file is updated.
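The default 802.1p to queue mapping above and the Strict Priority / WRR rules from the Queue Scheduling section can be combined to estimate how a congested egress port divides its bandwidth. This is an added example, not the device's scheduler: it is a fluid (rate-based) approximation rather than packet-level SDWRR, the default weights 1, 2, 4, 8 are inferred from the 1/15 to 8/15 shares quoted in the guide, and the function names and sample flows are assumptions.

```python
from fractions import Fraction

# Default 802.1p to queue mapping, copied from the table in this section.
DEFAULT_COS_TO_QUEUE = {0: 1, 1: 1, 2: 2, 3: 3, 4: 3, 5: 4, 6: 4, 7: 4}
# Weights that give the 1/15, 2/15, 4/15 and 8/15 shares quoted for the defaults.
DEFAULT_WRR_WEIGHTS = {1: 1, 2: 2, 3: 4, 4: 8}


def queue_load(flows, port_default_cos=0, cos_to_queue=DEFAULT_COS_TO_QUEUE):
    """Sum offered Kbps per egress queue from (802.1p value or None, Kbps) pairs.

    Untagged frames (None) take the ingress port's default CoS.
    """
    load = {q: 0 for q in (1, 2, 3, 4)}
    for cos, kbps in flows:
        load[cos_to_queue[port_default_cos if cos is None else cos]] += kbps
    return load


def allocate(link_kbps, load, methods, weights=DEFAULT_WRR_WEIGHTS):
    """Kbps granted to each queue; methods maps queue number to "sp" or "wrr"."""
    sp = [q for q in load if methods[q] == "sp"]
    wrr = [q for q in load if methods[q] == "wrr"]
    if sp and wrr and min(sp) < max(wrr):
        # Strict priority applies to the selected queue and all higher queues.
        raise ValueError("strict priority queues must be the higher-numbered queues")
    grant = {q: Fraction(0) for q in load}
    remaining = Fraction(link_kbps)
    # Strict priority queues are emptied first, highest queue number first.
    for q in sorted(sp, reverse=True):
        grant[q] = min(Fraction(load[q]), remaining)
        remaining -= grant[q]
    # What is left is shared by weight among the WRR queues that have traffic.
    active = {q for q in wrr if load[q] > 0}
    while active and remaining > 0:
        total = sum(weights[q] for q in active)
        share = {q: remaining * weights[q] / total for q in active}
        done = {q for q in active if load[q] <= share[q]}
        if not done:                 # every remaining queue is saturated
            for q in active:
                grant[q] = share[q]
            break
        for q in done:               # lightly loaded queues hand back unused share
            grant[q] = Fraction(load[q])
            remaining -= load[q]
        active -= done
    return grant


# Constructed sample: offered load in Kbps on a 100,000 Kbps port.
FLOWS = [(None, 100000), (3, 100000), (2, 10000), (5, 40000)]
MIXED = {4: "sp", 3: "wrr", 2: "wrr", 1: "wrr"}

if __name__ == "__main__":
    load = queue_load(FLOWS)
    for q, kbps in sorted(allocate(100000, load, MIXED).items()):
        print(f"queue {q}: offered {load[q]} Kbps, granted {float(kbps):.0f} Kbps")
```

With queue 4 in strict priority and fully loaded, the WRR queues receive nothing, which is why the schedule method and the set of ports whose 802.1p values are trusted are worth reviewing together.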

DSCP to Queue
The DSCP (IP Differentiated Services Code Point) to Queue page maps DSCP values to egress queues. The DSCP to Queue Table determines the egress queues of the incoming IP packets based on their DSCP values. The original VPT (VLAN Priority Tag) of the packet is unchanged.
By simply changing the DSCP to Queue mapping and the Queue schedule method and bandwidth allocation, it is possible to achieve the desired quality of services in a network.
The DSCP to Queue mapping is applicable to IP packets if the device is in QoS Basic mode and DSCP is the trusted mode.
Non-IP packets are always classified to the best-effort queue.
The following tables describe the default DSCP to queue mapping:
DSCP Queue DSCP (EF) 38 (AF3) 30 (AF33) 22(AF23) 14 6 Queue DSCP Queue DSCP (AF42) 28(AF32) 20(AF22) 12(AF12) 4 Queue DSCP Queue DSCP (AF41) 26(AF31) 18(AF21) 10(AF11) 2 Queue DSCP Queue DSCP 56(CS7) 48(CS6) 40(CS5) 32(CS4) 24(CS3) 16(CS2) 8(CS1) 0(BE) Queue
Queue 4 is the highest queue and the default classes in the parentheses are defined by IETF.

To map DSCP to queues:
1. Click Configuration > Quality of Service > DSCP to Queue.
2. Select the Output Queue (traffic forwarding queue) to which the DSCP value is mapped.
3. Click Apply. The Running Configuration file is updated.

Bandwidth Control
The Bandwidth Control page enables users to define two values, Ingress Rate Limit and Egress Shaping Rate, which determine how much traffic the system can receive and send.
The ingress rate limit is the number of bits per second that can be received from the ingress interface. Excess bandwidth above this limit is discarded.
The following values are entered for egress shaping:
- Committed Information Rate (CIR) sets the average maximum amount of data allowed to be sent on the egress interface, measured in bits per second.
- Committed Burst Size (CBS) is the burst of data that is allowed to be sent, even though it is above the CIR. This is defined in number of bytes of data.
To enter bandwidth limitation:
1. Click Configuration > Quality of Service > Configure > Bandwidth Control. The Bandwidth page displays bandwidth information for each interface.
2. Select an interface, and click Edit.
3. Select the Port or LAG interface.
4. Enter the fields for the selected interface:

   Ingress Rate Control: Select to enable the ingress rate limit, which is defined in the field below.
   Ingress Rate Limit: Enter the maximum amount of bandwidth allowed on the interface.
   Ingress Committed Burst Size: Enter the maximum burst size of data for the ingress interface in bytes of data. This amount can be sent even if it temporarily increases the bandwidth beyond the allowed limit. This field is only available if the interface is a port.
   Note: The above Ingress Rate Limit fields do not appear when the interface type is LAG.
   Egress Shaping Control: Select to enable egress shaping on the interface.
   Egress Committed Information Rate: Enter the maximum bandwidth for the egress interface.
   Egress Committed Burst Size (CBS): Enter the maximum burst size of data for the egress interface in bytes of data. This amount can be sent even if it temporarily increases the bandwidth beyond the allowed limit.
5. Click Apply. The bandwidth settings are written to the Running Configuration file.

Egress Shaping
In addition to limiting transmission rate per port, which is done in the Bandwidth page, the device can limit the transmission rate of selected egressing frames on a per-queue basis. Egress rate limiting is performed by shaping the output load.
The device limits all frames except for management frames. Any frames that are not limited are ignored in the rate calculations, meaning that their size is not included in the limit total.
Per-queue Egress rate shaping can be disabled.

To define egress shaping per queue:

1. Click Configuration > Quality of Service > Egress Shaping. The Egress Shaping page displays the rate limit and burst size for each queue.
2. Select an interface type (Port or LAG), and click Search.
3. Select a Port/LAG, and click Edit. This page enables shaping the egress for up to four queues on each interface.
4. Select the Interface.
5. For each queue that is required, enter the following fields:
   - Queue x: Select to enable egress shaping on queue number x.
   - Committed Information Rate: Enter the maximum rate (CIR) in Kbits per second (Kbps). CIR is the average maximum amount of data that can be sent.
   - Committed Burst Size: Enter the maximum burst size (CBS) in bytes. CBS is the maximum burst of data allowed to be sent even if a burst exceeds CIR.
6. Click Apply. The bandwidth settings are written to the Running Configuration file.

Basic QoS

In QoS Basic mode, a specific domain in the network can be defined as trusted. Within that domain, packets are marked with 802.1p priority and/or DSCP to signal the type of service they require. Nodes within the domain use these fields to assign the packet to a specific output queue. The initial packet classification and marking of these fields is done in the ingress of the trusted domain.

To configure Basic QoS mode:

1. Select Basic mode for the system by using the Feature Configuration page.
2. Select the trust-behavior using the Basic QoS page. The device supports CoS/802.1p trusted mode and DSCP trusted mode. CoS/802.1p trusted mode uses the 802.1p priority in the VLAN tag. DSCP trusted mode uses the DSCP value in the IP header.

In Basic QoS Mode, it is recommended that you disable the trusted mode at the ports where the CoS/802.1p and/or DSCP values of the incoming packets are not trustworthy. Otherwise, it might negatively affect the performance of your network. Incoming packets from ports that are disabled without trust mode are forwarded in best effort.

Basic QoS

The Basic QoS page contains information for enabling Trust on the device. This configuration is only active when the QoS mode is Basic mode. Packets entering a QoS domain are classified at the edge of the QoS domain.

To define the Trust configuration:

1. Click Configuration > Quality of Service > Basic QoS.
2. Select the Trust Mode while the device is in Basic mode. The Trust mode determines the queue to which the packet is assigned:
   - CoS/802.1p: Traffic is mapped to queues based on the VPT field in the VLAN tag, or based on the per-port default CoS/802.1p value (if there is no VLAN tag on the incoming packet). The actual mapping of the VPT to queue can be configured in the CoS/802.1p to Queue page.
   - DSCP: All IP traffic is mapped to queues based on the DSCP field in the IP header. The actual mapping of the DSCP to queue can be configured in the DSCP to Queue page. If traffic is not IP traffic, it is mapped to the best effort queue.
   - CoS/802.1p-DSCP: All IP traffic is mapped to queues based on the values in their DSCP field. All non-IP traffic is mapped to queues based on their CoS/802.1p value.

   To disable QoS on a port, click Edit, select a port or LAG, and deselect Enable QoS.
3. Click Apply. The Running Configuration file is updated with the new settings.
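The three Trust modes and the per-port Enable QoS setting described above, written out as a decision function; this is an added example, not code from the guide. The queue numbers, both mapping tables, the port names and the probe frame are constructed assumptions; on the switch the mappings come from the CoS/802.1p to Queue and DSCP to Queue pages.

```python
# Added illustration, not vendor code. Queue numbers and both mapping tables
# are constructed placeholders for the switch's configurable mappings.
from dataclasses import dataclass
from typing import Optional

BEST_EFFORT_QUEUE = 1  # assumption: queue 1 is the best-effort queue
COS_TO_QUEUE = {0: 1, 1: 1, 2: 2, 3: 2, 4: 3, 5: 3, 6: 4, 7: 4}  # constructed


def dscp_to_queue(dscp: int) -> int:
    """Constructed mapping: DSCP 0-15 -> 1, 16-31 -> 2, 32-47 -> 3, 48-63 -> 4."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    return 1 + dscp // 16


@dataclass
class Port:
    name: str
    qos_enabled: bool = True   # the per-port "Enable QoS" setting
    default_cos: int = 0       # used when a frame carries no VLAN tag


@dataclass
class Frame:
    vpt: Optional[int] = None   # 802.1p priority from the VLAN tag, None if untagged
    dscp: Optional[int] = None  # DSCP from the IP header, None if not IP


def classify(frame: Frame, port: Port, trust_mode: str) -> int:
    """Return the output queue for a frame under Basic QoS mode."""
    if not port.qos_enabled:
        return BEST_EFFORT_QUEUE  # markings arriving on this port are ignored
    cos = frame.vpt if frame.vpt is not None else port.default_cos
    if trust_mode == "cos":
        return COS_TO_QUEUE[cos]
    if trust_mode == "dscp":
        # Non-IP traffic has no DSCP field and goes to best effort.
        return dscp_to_queue(frame.dscp) if frame.dscp is not None else BEST_EFFORT_QUEUE
    if trust_mode == "cos-dscp":
        # IP traffic by DSCP, everything else by CoS/802.1p.
        return dscp_to_queue(frame.dscp) if frame.dscp is not None else COS_TO_QUEUE[cos]
    raise ValueError(f"unknown trust mode: {trust_mode}")


def ports_honouring_markings(ports, trust_mode):
    """Names of ports where a frame marked with top priority leaves best effort."""
    probe = Frame(vpt=7, dscp=56)  # constructed probe: highest 802.1p value, DSCP CS7
    return [p.name for p in ports if classify(probe, p, trust_mode) != BEST_EFFORT_QUEUE]


if __name__ == "__main__":
    # Constructed port list: an uplink and two access ports.
    ports = [Port("GE1"), Port("GE5", qos_enabled=False), Port("GE6")]
    print(ports_honouring_markings(ports, "cos-dscp"))
```

The ports returned by `ports_honouring_markings` are the ones to review against the recommendation to disable trust where incoming markings are not trustworthy.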

QoS Statistics

Queues Statistics

The Queues Statistics page displays queue statistics, including statistics of forwarded and dropped packets, based on interface, queue, and drop precedence.

To view Queues Statistics:

1. Click Configuration > Quality of Service > QoS Statistics > Queues Statistics. This page displays the following fields:
   - Refresh Rate: Select the time period that passes before the interface Ethernet statistics are refreshed. The available options:
     - No Refresh: Statistics are not refreshed.
     - 15 Sec: Statistics are refreshed every 15 seconds.
     - 30 Sec: Statistics are refreshed every 30 seconds.
     - 60 Sec: Statistics are refreshed every 60 seconds.
   - Counter Set: The available options:
     - Set 1: Displays the statistics for Set 1 that contains all interfaces and queues with a high DP (Drop Precedence).
     - Set 2: Displays the statistics for Set 2 that contains all interfaces and queues with a low DP.
   - Interface: Queue statistics are displayed for this interface.

   - Queue: Packets were forwarded or tail dropped from this queue.
   - Drop Precedence: Lowest drop precedence has the lowest probability of being dropped.
   - Total Packets: Number of packets forwarded or tail dropped.
   - Tail Drop Packets: Percentage of packets that were tail dropped.
2. Click Add.
3. Enter the parameters.
   - Counter Set: Select the counter set.
     - Set 1: Displays the statistics for Set 1 that contains all interfaces and queues with a high DP (Drop Precedence).
     - Set 2: Displays the statistics for Set 2 that contains all interfaces and queues with a low DP.
   - Interface: Select the ports for which statistics are displayed.
     - Port: Selects the port on the selected unit number for which statistics are displayed.
     - All Ports: Specifies that statistics are displayed for all ports.
   - Queue: Select the queue for which statistics are displayed.
   - Drop Precedence: Enter drop precedence that indicates the probability of being dropped.
4. Click Apply. The Queue Statistics counter is added, and the Running Configuration file is updated.

Chapter 15 - Maintenance

All models can be fully managed through the web-based switch configuration utility. GE is the naming convention used for Gigabit Ethernet (10/100/1000) ports. In Layer 2 system mode, the device forwards packets as a VLAN-aware bridge.

Reboot

Some configuration changes, such as enabling jumbo frame support, require the system to be rebooted before they take effect. However, rebooting the device deletes the Running Configuration, so it is critical that the Running Configuration is saved to the Startup Configuration before the device is rebooted.

- Restore to Factory Defaults: Select to reboot the device by using the factory default configuration. This process erases the Startup Configuration file and the backup configuration file.

File Management

System files are files that contain configuration information, firmware images or boot code. Various actions can be performed with these files, such as selecting the firmware file from which the device boots, copying various types of configuration files internally on the device, or copying files to or from an external device, such as an external server.

Possible methods of file transfer:

- Internal copy
- HTTP/HTTPS that uses the facilities that the browser provides
- TFTP client, requiring a TFTP server

Configuration files on the device are defined by their type, and contain the settings and parameter values for the device. When a configuration is referenced on the device, it is referenced by its configuration file type (such as Startup Configuration or Running Configuration), as opposed to a file name that can be modified by the user.

Content can be copied from one configuration file type to another, but the names of the file types cannot be changed by the user. Other files on the device include firmware, boot code, and log files, and are referred to as operational files.

The configuration files are text files and can be edited in a text editor, such as Notepad, after they are copied to an external device, such as a PC.

Files and File Types

The following types of configuration and operational files are found on the device:

- Running Configuration: Contains the parameters currently being used by the device to operate. This is the only file type that is modified when you change parameter values on the device. If the device is rebooted, the Running Configuration is lost. The Startup Configuration, stored in flash memory, overwrites the Running Configuration, stored in RAM. To preserve any changes you made to the device, you must save the Running Configuration to the Startup Configuration, or another file type.
- Startup Configuration: The parameter values that were saved by copying another configuration (usually the Running Configuration) to the Startup Configuration. The Startup Configuration is retained in flash memory and is preserved when the device is rebooted. At this time, the Startup Configuration is copied to RAM and identified as the Running Configuration.
- Backup Configuration: A manual copy of a configuration file used for protection against system shutdown or for the maintenance of a specific operating state. You can copy the Startup Configuration, or Running Configuration to a Backup Configuration file. The Backup Configuration exists in flash memory and is preserved if the device is rebooted.
- Firmware: The program that controls the operations and functionality of the device. More commonly referred to as the image.
- Boot Code: Controls the basic system startup and launches the firmware image.
- Flash Log: SYSLOG messages stored in Flash memory.

File Actions

The following actions can be performed to manage firmware and configuration files:

- Upgrade the firmware or boot code as described in Overview section.
- View the firmware image currently in use or select the image to be used in the next reboot as described in the Active Firmware Image section.
- Save configuration files on the device to a location on another device as described in the Configuration & Log section.
- Copy one configuration file type to another configuration file type as described in the Configuration File Copy section.

Firmware & Boot Code

The Upgrade/Backup Firmware process can be used to upgrade or backup the firmware image and/or boot code.

The following methods for transferring files are supported:

- HTTP/HTTPS that uses the facilities provided by the browser
- TFTP that requires a TFTP server

There are two firmware images stored on the device. One of the images is identified as the active image and the other image is identified as the inactive image.

When you upgrade the firmware, the new image always replaces the image identified as the inactive image. Even after uploading new firmware on the device, the device continues to boot by using the active image (the old version) until you change the status of the new image to be the active image by using the procedure in the Active Firmware Image section. Then boot the device.

To upgrade or backup a software image:

1. Click Maintenance > File Management > Firmware & Boot Code.
2. Select the Transfer Method. If you selected TFTP, go to STEP 3. If you selected HTTP/HTTPS, go to STEP
3. If you selected via TFTP, enter the parameters as described in this step. Otherwise, skip to STEP 4.

   Select one of the following options for Command:
   - Upgrade: Specifies that the file type on the device is to be replaced with a new version of that file type located on a TFTP server.
   - Backup: Specifies that a copy of the file type is to be saved to a file on another device.

   Enter the following fields:
   - File Type: Select the destination file type:
     - Firmware: The program that controls the operations and functionality of the device. More commonly referred to as the image.

     - Boot Code: Controls the basic system startup and launches the firmware image.
   - Source File Name: Enter the name of the source file.
   - TFTP Server: Select whether to specify the TFTP server by IP address or domain name.
   - IP Version: Select whether an IPv4 or an IPv6 address is used.
   - IPv6 Address Type: Select the IPv6 address type (if IPv6 is used). The options are as follows:
     - Link Local: The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
     - Global: The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks.
   - Interface: Select the link local interface (if IPv6 is used) from the list.
   - TFTP Server IP Address: Enter the IP address of the TFTP server.
   - TFTP Server Name: Enter the domain name of the TFTP server.
4. If you selected via HTTP/HTTPS, you can only upgrade. Click Browse to select a file or enter the path and source file name to be used in the transfer.
5. Click Apply.

Note: When the process is complete, the following information is displayed.

- Bytes Transferred: How many bytes were transferred in the process.
- Status: Did the process succeed or fail.
- Error Message: Reason for failure of the process.

Active Firmware Image

There are two firmware images stored on the device. One of the images is identified as the active image and the other image is identified as the inactive image. The device boots from the image you set as the active image. You can change the image identified as the inactive image to the active image.

To select the active image:

1. Click Maintenance > File Management > Active Firmware Image.
   - Active Firmware Image: Displays the image file that is currently active on the device.
   - Version: Displays the firmware version of the active image.
   - Active Firmware Image After Reboot: Displays the image that is active after reboot.
   - Version: Displays the firmware version of the active image as it will be after reboot.
2. Select the image from the Active Firmware Image After Reboot menu to identify the firmware image that is used as the active image after the device is rebooted. The version number associated with it displays the firmware version of the active image that is used after the device is rebooted.
3. Click Apply. The active image selection is updated.

Configuration & Log

The Configuration & Log (Backup & Download) page enables:

- Backing up configuration files or logs from the device to an external device.
- Restoring configuration files from an external device to the device.

When restoring a configuration file to the Running Configuration, the imported file adds any configuration commands that did not exist in the old file and overwrites any parameter values in the existing configuration commands.

When restoring a configuration file to the Startup Configuration or a backup configuration file, the new file replaces the previous file.

When restoring to Startup Configuration, the device must be rebooted for the restored Startup Configuration to be used as the Running Configuration. You can reboot the device by using the process described in the Management Interface section.

To backup or restore the system configuration file:

1. Click Maintenance > File Management > Configuration & Log.
2. Select the File Transfer Protocol.
3. If you selected via TFTP, enter the parameters. Otherwise, skip to STEP 4.

   Enter the following fields:
   - Command:
     - Download: Specifies that the file on another device upgrades a file type on the device.
     - Backup: Specifies that a file is to be copied to a file on another device.
   - Source File Name: Enter the source file name for download. File names cannot contain slashes (\ or /), cannot start with a period (.), and must include between 1 and 160 characters. (Valid characters: A-Z, a-z, 0-9, ., -, _)
   - Destination File: Select one of the files displayed as the file to be upgraded. Only valid file types are displayed. (The file types are described in the Files and File Types section).

   - TFTP Server: Select whether to specify the TFTP server by IP address or domain name.
   - IP Version: Select whether an IPv4 or an IPv6 address is used.
   - IPv6 Address Type:
     - Link Local: The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
     - Global: The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks.
   - Interface: Select the link local interface (if IPv6 is used) from the list.
   - TFTP Server IP Address: Enter the IP address of the TFTP server.
   - TFTP Server Name: Enter the domain name of the TFTP server.

   Note: If the server is selected by name in the Server Definition, there is no need to select the IP version-related options.
4. Click Apply. The file is upgraded or backed up.
5. If you selected via HTTP/HTTPS, enter the parameters as described in this step.
   - Command: Select one of the following options:
     - Download: Transfer the source file of the local device to the destination file on this switch.
     - Backup: Transfer the source file to the local device.
   - Source File Name: Enter the file name for download.
   - Destination File: Select the configuration file type to be downloaded to. Only valid file types are displayed. (The file types are described in the Files and File Types section).
6. Click Apply. The file is upgraded or backed up.

Note: When the process initiated is completed, the following information is displayed:

- Bytes Transferred: How many bytes were transferred in the process.
- Status: Did the process succeed or fail.
- Error Message: Reason for failure of the process.
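A pre-flight check for the TFTP fields of the Configuration & Log procedure above, as an added example that is not part of the original guide: it applies the stated Source File Name rule and the IP Version, IPv6 Address Type and Interface dependencies, which keeps path separators and hidden-file names out of a transfer request. The function names, parameter names and sample values are hypothetical.

```python
# Added illustration, not vendor code: checks a TFTP transfer request against
# the rules this section states before it is entered on the switch.
# Function and parameter names are hypothetical.
import ipaddress
import string

# Valid characters per the guide: A-Z, a-z, 0-9, ".", "-", "_".
ALLOWED_CHARS = set(string.ascii_letters + string.digits + "._-")


def check_file_name(name):
    """Return the rule violations for a Source File Name (empty list if valid)."""
    problems = []
    if not 1 <= len(name) <= 160:
        problems.append("length must be between 1 and 160 characters")
    if "/" in name or "\\" in name:
        problems.append("slashes are not allowed")
    if name.startswith("."):
        problems.append("must not start with a period")
    # Slashes are already reported above, so leave them out of this list.
    bad = sorted(set(name) - ALLOWED_CHARS - {"/", "\\"})
    if bad:
        problems.append(f"invalid characters: {bad!r}")
    return problems


def check_tftp_server(by, value, ip_version=None, ipv6_type=None, interface=None):
    """by is "name" or "ip"; ipv6_type is "link-local" or "global"."""
    if by == "name":
        # The guide: IP version options are not needed when the server is given by name.
        return [] if value else ["server name is empty"]
    if by != "ip":
        return ['TFTP Server must be given by "name" or "ip"']
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return [f"{value!r} is not an IP address"]
    problems = []
    if addr.version != ip_version:
        problems.append(f"address is IPv{addr.version} but IP Version is {ip_version}")
    if addr.version == 6:
        if ipv6_type == "link-local":
            if not addr.is_link_local:
                problems.append("Link Local selected but address is not link local")
            if not interface:
                problems.append("link-local address needs an Interface")
        elif ipv6_type == "global":
            if addr.is_link_local:
                problems.append("Global selected but address is link local")
        else:
            problems.append("IPv6 Address Type must be link-local or global")
    return problems


def check_transfer(file_name, **server):
    """Combine both checks for one transfer request."""
    return check_file_name(file_name) + check_tftp_server(**server)


if __name__ == "__main__":
    # Constructed sample request using documentation address space.
    print(check_transfer("startup-config_2024.txt", by="ip", value="192.0.2.10", ip_version=4))
    print(check_transfer("../../running-config", by="ip", value="fe80::1",
                         ip_version=6, ipv6_type="link-local"))
```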

Configuration File Copy

When you click Apply on any window, changes that you made to the device configuration settings are stored only in the Running Configuration. To preserve the parameters in the Running Configuration, the Running Configuration must be copied to another configuration type or saved on another device.

CAUTION: Unless the Running Configuration is copied to the Startup Configuration or another configuration file, all changes made since the last time the file was copied are lost when the device is rebooted.

The following combinations of copying internal file types are allowed:

- From the Running Configuration to the Startup Configuration or Backup Configuration.
- From the Startup Configuration to the Running Configuration or Backup Configuration.
- From the Backup Configuration to the Running Configuration or Startup Configuration.

To copy one type of configuration file to another type of configuration file:

1. Click Maintenance > File Management > Configuration File Copy.
2. Select the Source File to be copied. Only valid file types are displayed (described in the Files and File Types section).
3. Select the Destination File to be overwritten by the source file.
4. Click Apply. The file is copied.

Diagnostics

Copper Test

The Copper Test page displays the results of integrated cable tests performed on copper cables by the Virtual Cable Tester (VCT).

VCT performs two types of tests:

- Time Domain Reflectometry (TDR) technology tests the quality and characteristics of a copper cable attached to a port. Cables of up to 140 meters long can be tested. These results are displayed in the Test Results block of the Copper Test page.
- DSP-based tests are performed on active GE links to measure cable length. These results are displayed in the Advanced Information block of the Copper Test page.

Preconditions to Running the Copper Port Test

Before running the test:

- (Mandatory) Disable Short Reach mode (go to Port Management > Green Ethernet > Properties)
- (Optional) Disable EEE (go to Configuration > Port Management > Green Ethernet > Properties page)

Use a CAT5 data cable when testing cables using (VCT).

Accuracy of the test results can have an error range of +/10 for Advanced Testing and +/2 for basic testing.

CAUTION: When a port is tested, it is set to the Down state and communications are interrupted. After the test, the port returns to the Up state. It is not recommended that you run the copper port test on a port you are using to run the web-based switch configuration utility, because communications with that device are disrupted.

To test copper cables attached to ports:

1. Click Maintenance > Diagnostics > Copper Test.
2. Select the port on which to run the test.
3. Click Test.
4. When the message appears, click OK to confirm that the link can go down or Cancel to abort the test.

The following fields are displayed in the Test Results block:

- Test Results: Cable test results. Possible values are:
  - OK: Cable passed the test.
  - No Cable: Cable is not connected to the port.
  - Open Cable: Cable is connected on only one side.
  - Short Cable: Short circuit has occurred in the cable.
  - Unknown Test Result: Error has occurred.
- Distance to Fault: Distance from the port to the location on the cable where the fault was discovered.
- Port Operational Status: Displays whether port is up or down.

Note: TDR tests cannot be performed when the port speed is 10Mbit/Sec.

Optical Module Status

The Optical Module Status page displays the operating conditions reported by the SFP (Small Form-factor Pluggable) transceiver. Some information might not be available for SFPs that do not support the digital diagnostic monitoring standard SFF

To view the results of optical tests:

Click Maintenance > Diagnostics > Optical Module Status. This page displays the following fields:

- Port: Port number on which the SFP is connected.
- Description: Description of optical transceiver.

- Serial Number: Serial number of optical transceiver.
- Data Ready: SFP is operational. Values are True and False.
- Loss of Signal: Local SFP reports signal loss. Values are True and False.
- Transmitter Fault: Remote SFP reports signal loss. Values are True, False, and No Signal (N/S).
- Temperature: Temperature (Celsius) at which the SFP is operating.

Ping

Ping is a utility used to test if a remote host can be reached and to measure the round-trip time for packets sent from the device to a destination device.

Ping operates by sending Internet Control Message Protocol (ICMP) echo request packets to the target host and waiting for an ICMP response, sometimes called a pong. It measures the round-trip time and records any packet loss.

To ping a host:

1. Click Maintenance > Diagnostics > Ping.
2. Configure ping by entering the fields:
   - Target: Select whether to specify the source interface by its IP address or name. This field influences the interfaces that are displayed in the Source IP field, as described below.
   - IP Version: If the source interface is identified by its IP address, select either IPv4 or IPv6 to indicate that it will be entered in the selected format.

   - IPv6 Address Type: Select Link Local or Global as the type of IPv6 address to enter as the destination IP address.
     - Link Local: The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
     - Global: The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks.
   - Interface: If the IPv6 address type is Link Local, select from where it is received.
   - Target IP Address: Address of the device to be pinged. Whether this is an IP address or host name depends on the Host Definition.
   - Target Name: Host name of the device to be pinged. Whether this is an IP address or host name depends on the Host Definition.
   - Ping Interval: Length of time the system waits between ping packets. Ping is repeated the number of times configured in the Number of Pings field, whether the ping succeeds or not. Choose to use the default interval or specify your own value.
   - Number of Pings: The number of times the ping operation is performed. Choose to use the default or specify your own value.
3. Click Start to ping the host. The ping status appears and another message is added to the list of messages, indicating the result of the ping operation.
4. View the results of ping in the Ping Result section of the page:
   - Result: Success or fail of ping.
   - Number of Pings Sent: Numbers of responses sent.
   - Number of Ping Responses Received: Numbers of responses received.
   - Packets Lost: Numbers of responses not received.
   - Minimum Round Trip Time: Minimum time passed between sending of packets and reception of responses.
   - Maximum Round Trip Time: Maximum time passed between sending of packets and reception of responses.
   - Average Round Trip Time: Average time passed between sending of packets and reception of responses.

Traceroute

Traceroute discovers the IP routes along which packets were forwarded by sending an IP packet to the target host and back to the device. The Traceroute page shows each hop between the device and a target host, and the round-trip time to each such hop.

1. Click Maintenance > Diagnostics > Traceroute.
2. Configure Traceroute by entering information into the following fields:
   - Target: Select whether target hosts are identified by their IP address or name.
   - IP Version: If the target host is identified by its IP address, select either IPv4 or IPv6 to indicate that it will be entered in the selected format.
   - IPv6 Address Type: Select the IPv6 address type (if IPv6 is used). The options are:
     - Link Local: The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
     - Global: The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks.
   - Interface: If the IPv6 address type is Link Local, select from where it is received.
   - Target IP Address: Select the target source interface whose IPv4 address will be used as the source IPv4 address for communication messages. Only the existing IP addresses of the type specified in the IP Version field will be displayed.
   - Target Name: Enter the target host name.
   - TTL: Enter the maximum number of hops that Traceroute permits. This is used to prevent a case where the sent frame gets into an endless loop. The Traceroute command terminates when the destination is reached or when this value is reached. To use the default value (30), select Use Default.

   - Timeout: Enter the length of time that the system waits for a frame to return before declaring it lost, or select Use Default.
3. Click Start. The operation is performed.

A page appears showing the Round Trip Time (RTT) and status for each trip in free text containing the following information:

- Index: Displays the number of the hop.
- Host: Displays a stop along the route to the destination.
- Round Trip Time (1-3): Displays the round trip time in (ms) for the first through third frame and the status of the first through third operation.

Port Mirroring

Port mirroring is used on a network device to send a copy of network packets seen on one or multiple device ports, to a network monitoring connection on another port on the device. This is commonly used for network appliances that require monitoring of network traffic, such as an intrusion-detection system. A network analyzer connected to the monitoring port processes the data packets for diagnosing, debugging, and performance monitoring. Up to four sources can be mirrored. This can be any combination of four individual ports.

A packet that is received on a network port assigned to a VLAN that is subject to mirroring is mirrored to the analyzer port even if the packet was eventually trapped or discarded. Packets sent by the device are mirrored when Transmit (Tx) mirroring is activated.

Mirroring does not guarantee that all traffic from the source port(s) is received on the analyzer (destination) port. If more data is sent to the analyzer port than it can support, some data might be lost.

Only one instance of mirroring is supported system-wide. The analyzer port is the same for all the mirrored ports.

To enable mirroring:

1. Click Maintenance > Diagnostics > Port Mirroring. The following fields are displayed:
   - Destination Port: Port to which traffic is to be copied; the analyzer port.

   - Source Port: Interface, port, from which traffic is sent to the analyzer port.
   - Mirror Type: Type of monitoring: incoming to the port (Rx), outgoing from the port (Tx), or both.
   - Status: Displays one of the following values:
     - Active: Both source and destination interfaces are up and forwarding traffic.
     - Not Ready: Either source or destination (or both) are down or not forwarding traffic for some reason.
2. Click Add to add a port to be mirrored.
3. Enter the parameters:
   - Destination Port: Select the analyzer port to where packets are copied. A network analyzer, such as a PC running Wireshark, is connected to this port. If a port is identified as an analyzer destination port, it remains the analyzer destination port until all entries are removed.
   - Source Port: Select the source port from where traffic is to be mirrored.
   - Mirror Type: Select whether incoming, outgoing, or both types of traffic are mirrored to the analyzer port. If Port is selected, the options are as follows:
     - Rx Only: Port mirroring on incoming packets.
     - Tx Only: Port mirroring on outgoing packets.
     - Tx and Rx: Port mirroring on both incoming and outgoing packets.
4. Click Apply. Port mirroring is added to the Running Configuration.

Chapter - 16 Support

Click Get Support to go to the Linksys Small Business support website. Resources available there include setup help, frequently asked questions, software downloads, live chat with technical support, and community forums.


Wave IP 4.5. CRMLink Desktop User Guide

Wave IP 4.5. CRMLink Desktop User Guide Wave IP 4.5 CRMLink Desktp User Guide 2015 by Vertical Cmmunicatins, Inc. All rights reserved. Vertical Cmmunicatins and the Vertical Cmmunicatins lg and cmbinatins theref and Vertical ViewPint, Wave Cntact

More information

ROCK-POND REPORTING 2.1

ROCK-POND REPORTING 2.1 ROCK-POND REPORTING 2.1 AUTO-SCHEDULER USER GUIDE Revised n 08/19/2014 OVERVIEW The purpse f this dcument is t describe the prcess in which t fllw t setup the Rck-Pnd Reprting prduct s that users can schedule

More information

CCNA Security v2.0 Chapter 9 Exam Answers

CCNA Security v2.0 Chapter 9 Exam Answers CCNA Security v2.0 Chapter 9 Exam Answers 1. Refer t the exhibit. An administratr creates three znes (A, B, and C) in an ASA that filters traffic. Traffic riginating frm Zne A ging t Zne C is denied, and

More information

DocAve 6 Control Panel

DocAve 6 Control Panel DcAve 6 Cntrl Panel DcAve 6 Cntrl Panel Reference Guide Reference Guide Service Pack 4, Cumulative Update 3 Revisin T Service Pack 4, Cumulative Update 3 Issued Nvember 2014 Revisin S Issued September

More information

BANNER BASICS. What is Banner? Banner Environment. My Banner. Pages. What is it? What form do you use? Steps to create a personal menu

BANNER BASICS. What is Banner? Banner Environment. My Banner. Pages. What is it? What form do you use? Steps to create a personal menu BANNER BASICS What is Banner? Definitin Prduct Mdules Self-Service-Fish R Net Lg int Banner Banner Envirnment The Main Windw My Banner Pages What is it? What frm d yu use? Steps t create a persnal menu

More information

CCNA 1 Chapter v5.1 Answers 100%

CCNA 1 Chapter v5.1 Answers 100% CCNA 1 Chapter 5 2016 v5.1 Answers 100% 1. What happens t runt frames received by a Cisc Ethernet switch? The frame is drpped. The frame is returned t the riginating netwrk device. The frame is bradcast

More information

BMC Remedyforce Integration with Bomgar Remote Support

BMC Remedyforce Integration with Bomgar Remote Support BMC Remedyfrce Integratin with Bmgar Remte Supprt 2017 Bmgar Crpratin. All rights reserved wrldwide. BOMGAR and the BOMGAR lg are trademarks f Bmgar Crpratin; ther trademarks shwn are the prperty f their

More information

CCNA 1 v5.1 Practice Final Exam Answers %

CCNA 1 v5.1 Practice Final Exam Answers % CCNA 1 v5.1 Practice Final Exam Answers 2016 100% 1. Which term refers t a netwrk that prvides secure access t the crprate ffices by suppliers, custmers and cllabratrs? Internet intranet extranet extendednet

More information

HW4 Software version 3. Device Manager and Data Logging LOG-RC Series Data Loggers

HW4 Software version 3. Device Manager and Data Logging LOG-RC Series Data Loggers Page 1 f 18 HW4 Sftware versin 3 Device Manager and Data Lgging LOG-RC Series Data Lggers 2011; Page 2 f 18 Table f cntents 1 ORGANIZATION OF THE HW4 MANUALS... 3 2 OVERVIEW... 4 3 INITIAL SETUP... 4 3.1

More information

ClassFlow Administrator User Guide

ClassFlow Administrator User Guide ClassFlw Administratr User Guide ClassFlw User Engagement Team April 2017 www.classflw.cm 1 Cntents Overview... 3 User Management... 3 Manual Entry via the User Management Page... 4 Creating Individual

More information
