Layer 2 Ethernet Switch

AT-S94 V1.1.0

Web Browser Interface Users Guide

Copyright 2008 Allied Telesis, Inc. All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesis, Inc. Allied Telesis is a trademark of Allied Telesis, Inc. Microsoft and Internet Explorer are registered trademarks of Microsoft Corporation. Netscape Navigator is a registered trademark of Netscape Communications Corporation. All other product names, company names, logos or other designations mentioned herein are trademarks or registered trademarks of their respective owners. Allied Telesis, Inc. reserves the right to make changes in specifications and other information contained in this document without prior written notice. The information provided herein is subject to change without notice. In no event shall Allied Telesis, Inc. be liable for any incidental, special, indirect, or consequential damages whatsoever, including but not limited to lost profits, arising out of or related to this manual or the information contained herein, even if Allied Telesis, Inc. has been advised of, known, or should have known, the possibility of such damages.

Table of Contents

Table of Contents
Preface.................................................................................................................................... 7
Web Browser Interface Users Guide Overview .............................................................................. 7 Intended Audience........................................................................................................................... 8 Document Conventions ................................................................................................................... 8 Contacting Allied Telesis ................................................................................................................. 8

Getting Started........................................................................................................................ 9
Starting the Application.................................................................................................................... 9 Using the Web Browser Interface .................................................................................................. 11
Viewing the Device Representation.........................................................................................................11 User Interface Components.....................................................................................................................12 Using the Management Buttons ..............................................................................................................13 Adding, Modifying and Deleting Information ............................................................................................14 Saving Configurations..............................................................................................................................15

Logging Out ................................................................................................................................... 15 Resetting the Device ..................................................................................................................... 16

Defining System Information................................................................................................. 17 Configuring System Time...................................................................................................... 19

Setting the System Clock.........................................................................................................................19 Configuring SNTP....................................................................................................................................20 Configuring Daylight Saving Time ...........................................................................................................21

Configuring Device Security.................................................................................................. 25

Configuring Management Security ................................................................................................26
Defining Access Profiles ..........................................................................................................................26 Defining Profile Rules ..............................................................................................................................30 Defining Authentication Profiles...............................................................................................................33 Mapping Authentication Profiles ..............................................................................................................36

Configuring Server Based Authentication...................................................................................... 38

Configuring TACACS+ ............................................................................................................................38 Configuring RADIUS................................................................................................................................41 Configuring Local Users ..........................................................................................................................44 Defining Line Passwords .........................................................................................................................46

Configuring Network Security ........................................................................................................ 47

Managing Port Security ...........................................................................................................................47 Defining 802.1x Port Access....................................................................................................................50 Enabling Storm Control............................................................................................................................53

Defining Access Control ................................................................................................................ 55

Defining MAC Based ACL .......................................................................................................................55 Defining IP Based ACL ............................................................................................................................60 Defining ACL Binding...............................................................................................................................66

Page 3

Table of Contents

Configuring DHCP Snooping ................................................................................................ 68

Defining DHCP Snooping General Properties .........................................................................................68 Defining DHCP Snooping on VLANs .......................................................................................................70 Defining Trusted Interfaces......................................................................................................................71 Binding Addresses to the DHCP Snooping Database .............................................................................73

Configuring Ports .................................................................................................................. 75

Setting Ports Configurations .......................................................................................................... 75
Defining Port Settings ..............................................................................................................................75 Configuring Port Mirroring........................................................................................................................79

Aggregating Ports.......................................................................................................................... 82
Defining Trunk Settings ...........................................................................................................................82 Defining Port Trunking .............................................................................................................................86 Configuring LACP ....................................................................................................................................88

Configuring Interfaces ........................................................................................................... 90

Defining MAC Addresses.........................................................................................................................90

Configuring VLANs ........................................................................................................................ 93

Defining VLAN Properties........................................................................................................................94 Defining VLAN Interface Settings ............................................................................................................96 Defining GVRP ........................................................................................................................................98

Defining MAC Based Groups ......................................................................................................100

Configuring System Logs.................................................................................................... 103

Defining Log Settings.............................................................................................................................103 Viewing Temporary and Flash Logs ......................................................................................................106

Configuring Spanning Tree ................................................................................................. 108

Configuring Classic Spanning Tree .............................................................................................108
Defining STP Properties ........................................................................................................................109 Defining STP Interfaces.........................................................................................................................111

Configuring Rapid Spanning Tree ...............................................................................................114 Configuring Multiple Spanning Tree ............................................................................................116
Defining MSTP Properties .....................................................................................................................116 Defining MSTP Interfaces......................................................................................................................117 Defining MSTP Instance Mappings .......................................................................................................120 Defining MSTP Instance Settings ..........................................................................................................121

Configuring Multicast Forwarding ....................................................................................... 123

Configuring IGMP Snooping ..................................................................................................................124 Defining Multicast Bridging Groups .......................................................................................................126 Defining Multicast Forward All Settings .................................................................................................129

Configuring SNMP .............................................................................................................. 131

Enabling SNMP .....................................................................................................................................132 Defining SNMP Communities ................................................................................................................133 Defining SNMP Groups .........................................................................................................................136 Defining SNMP Users............................................................................................................................138

Page 4

Table of Contents

Defining SNMP Views............................................................................................................................141 Defining Notification Recipients .............................................................................................................143 Defining Notification Filters ....................................................................................................................147

Configuring Power Over Ethernet ....................................................................................... 149

Enabling PoE and Setting the Power Threshold....................................................................................149 Defining Power Over Ethernet Configuration.........................................................................................151

Configuring Services ........................................................................................................... 153

Enabling Class of Service (CoS) ...........................................................................................................154 Configuring CoS Queueing and Scheduling ..........................................................................................156 Mapping CoS Values to Queues ...........................................................................................................157 Mapping DSCP Values to Queues ........................................................................................................158 Configuring QoS Bandwidth ..................................................................................................................159

System Utilities ................................................................................................................... 161

Restoring the Default Configuration.......................................................................................................162 Defining TFTP File Uploads and Downloads.........................................................................................163 Viewing Integrated Cable Tests.............................................................................................................165 Viewing Optical Transceivers ................................................................................................................167 Resetting the Device..............................................................................................................................168

Viewing Statistics ................................................................................................................ 169

Viewing Device Statistics.............................................................................................................169
Viewing Interface Statistics....................................................................................................................169 Viewing Etherlike Statistics....................................................................................................................171

Managing RMON Statistics .........................................................................................................173

Viewing RMON Statistics.......................................................................................................................173 Configuring RMON History ....................................................................................................................175 Configuring RMON Events ....................................................................................................................179 Defining RMON Alarms .........................................................................................................................182

Managing Stacking ............................................................................................................. 185

Stacking Overview.......................................................................................................................185
Stacking Ring Topology.........................................................................................................................185 Stacking Chain Topology.......................................................................................................................186 Stacking Members and Unit ID ..............................................................................................................186 Removing and Replacing Stacking Members........................................................................................186 Exchanging Stacking Members .............................................................................................................187

Configuring Stacking Management .............................................................................................188

Downloading Software with CLI .......................................................................................... 189

Connecting a Terminal ..............................................................................................................189 Initial Configuration ...................................................................................................................190
Configuration .........................................................................................................................................190 Static IP Address and Subnet Mask ......................................................................................................190 User Name.............................................................................................................................................191

Downloading Software ..............................................................................................................191

Page 5

Table of Contents

Standalone Device Software Download ................................................................................................191 Stacking Member Software Download...................................................................................................194

System Defaults.................................................................................................................. 196

RS-232 Port Settings ................................................................................................................197 Port Defaults .............................................................................................................................197 Configuration Defaults ..............................................................................................................198 Security Defaults.......................................................................................................................198 Jumbo Frame Defaults..............................................................................................................198 System Time Defaults ...............................................................................................................198 Spanning Tree Defaults ............................................................................................................199 Address Table Defaults.............................................................................................................199 VLAN Defaults ..........................................................................................................................199 Trunking Defaults......................................................................................................................200 Multicast Defaults......................................................................................................................200 QoS Defaults.............................................................................................................................200

Page 6

Preface
Web Browser Interface Users Guide Overview

Preface
This guide contains instructions on how to configure an AT-S95 Series Layer 2+ Gigabit Ethernet Switch using the interface in the Embedded Management System (EWS). The Embedded Management System enables configuring, monitoring, and troubleshooting of network devices remotely via a web browser. The web pages are easy-to-use and easy-to-navigate. This preface provides an overview of the Web Browser Interface Users Guide, and includes the following sections:

Web Browser Interface Users Guide Overview Intended Audience

Web Browser Interface Users Guide Overview

The Web Browser Interface Users Guide provides the following sections: Section 1,Getting Started Provides information for using the Embedded Web Management System, including adding, editing, and deleting configurations.

Section 2, Defining System Information Provides information for defining basic device information. Section 3, Configuring System Time Provides information for configuring Daylight Savings Time and Simple Network Time Protocol (SNTP). Section 4, Configuring Device Security Provides information for configuring both system and network security, including traffic control, and switch access methods. Section 5, Configuring DHCP Snooping Provides information for enabling and defining DHCP Snooping configurations and trusted interfaces. Section 6, Configuring Ports Provides information for configuring ports, port aggregation, port mirroring and LACP. Section 7, Configuring Interfaces Provides information for defining ports, LAGs, and VLANs. Section 8, Configuring System Logs Provides information for setting up and viewing system logs, and configuring switch log servers. Section 9, Configuring Spanning Tree Provides information for configuring Classic, Rapid, and Multiple Spanning Tree. Section 10, Configuring Multicast Forwarding Provides information for configuring both the static and dynamic forwarding databases. Section 11, Configuring SNMP Provides information for configuring SNMP access and management. Section 12, Configuring Power Over Ethernet Provides information for configuring Power over Ethernet (PoE) on the device. Section 13, Configuring Services Provides information for configuring Quality of Service CoS parameters. Section 14, System Utilities Provides information for managing system files. Section 15, Viewing Statistics Provides information about viewing device statistics, including Remote Monitoring On Network (RMON) statistics, and device history events.

Page 7

Preface
Intended Audience

Section 16, Managing Stacking Provides information for stacking, including a stacking overview. Appendix A, Downloading Software with CLI Provides information for downloading system files using the Command Line Interface. Appendix B, System Defaults Provides lists of the devices default values.

Intended Audience
This guide is intended for network administrators familiar with IT concepts and terminology.

Document Conventions
This document uses the following conventions:

Note Provides related information or information of special importance. Caution Indicates potential damage to hardware or software, or loss of data. Warning Indicates a risk of personal injury.

Contacting Allied Telesis

This section provides Allied Telesis contact information for technical support as well as sales or corporate information. Online Support You can request technical support online by accessing the Allied Telesis Knowledge Base from the following web site: www.alliedtelesis.com/support. You can use the Knowledge Base to submit questions to our technical support staff and review answers to previously asked questions. Email and Telephone For Technical Support via email or telephone, refer to the Allied Telesis web site: www.alliedtelesis.com. Select your country from the list displayed on the website. Then Support select the appropriate menu tab. Returning Products Products for return or repair must first be assigned a Return Materials Authorization (RMA) number. A product sent to Allied Telesis without a RMA number will be returned to the sender at the senders expense. To obtain an RMA number, contact the Allied Telesis Technical Support group at our web site: www.alliedtelesis.com/support/rma. Select your country from the list displayed on the website. Then select the appropriate menu tab. Warranty Information The AT-S95 has a lifetime warranty (except the PSU and fan which have a warranty of two years). Go to www.alliedtelesis.com/warranty for the specific terms and conditions of the warranty and for warranty registration.

Page 8

Getting Started
Starting the Application

Section 1. Getting Started

This section provides an introduction to the Web Browser Interface, and includes the following topics:

Starting the Application User Interface Components Resetting the Device Starting the Application

Starting the Application

This section contains information for starting the application. The login information is configured with a default user name and password. The default password is friend; the default user name is manager. Passwords are both case sensitive and alphanumeric. Additional user names can be added. To open the application: 1. Open a web browser. 2. Enter the device IP address in the address bar and press <Enter>. The Embedded Web System Login Page opens:

Figure 1:

Embedded Web System Login Page

3. 4.

Enter the user name and password. Click Sign In. The System General Page opens:

Page 9

Getting Started
Starting the Application

Figure 2:

System General Page

Page 10

Getting Started
Using the Web Browser Interface

Using the Web Browser Interface

This section provides general information about the interface, and describes the following topics:

Viewing the Device Representation User Interface Components Using the Management Buttons Adding, Modifying and Deleting Information

Viewing the Device Representation

Zoom Views provide a graphical representation of the device ports. The Port Settings Page displays an example of the Zoom View with a detailed graphical representation of the device ports. To open a zoom view of device ports: Click Layer 1 > Port Settings. The Port Settings Page opens:

Figure 3:

Port Settings Page

The port status indicators vary with context, for example the general port status indicators are as in the figure above while port mirror indicators are different. Indicator legend descriptions are provided with each context of the specific Zoom View.

Page 11

Getting Started
Using the Web Browser Interface

User Interface Components

The System General Page example shows the interface components.

Figure 4:

System General Page

The following table lists the interface components with their corresponding numbers: Table 1: Interface Components Des cription The Menu provides easy navigation through the main management software features. In addition, the Menu provides general navigation options. Provide navigation to configurable device sub-features. Enable configuring parameters and navigation to other pages, see Using the Management Buttons.

Comp on en t 1 2 3 Menu Tabs Management Buttons

Page 12

Getting Started
Using the Web Browser Interface

Using the Management Buttons

Management buttons provide an easy method of configuring device information, and include the following: Table 2: Butto n Configuration Management Buttons Bu t to n Na me Add Create Modify D escr ip tio n Opens a page which creates new configuration entries. Opens a page which creates new configuration entries. Modifies the configuration settings. The configuration change is saved to the Running Configuration file and is maintained until reset or power-up. Saves configuration changes to the device. The configuration change is saved to the Running Configuration file and is maintained until reset or power-up. Opens a page which creates or modifies configuration entries. Deletes the selected table and configuration entries. Displays detailed information for the current page/configuration. Refreshes information displayed on the current page. Device reset. Resets the device information for all device parameters according to current configuration. Configuration reset. Resets the information for all parameters in the current context (page/tab) to predefined defaults. Performs a diagnostic test. Removes all counters.

Apply

Configure Delete View Refresh Reset Defaults Test Clear All Counters

The application menu includes the following general purpose buttons: Configuration Login Logout Help Exit Help Save Config Opens the default configuration page (System General). Signs the user into the WBI, starts the management session. Signs the user out of the WBI, ending the management session. Opens the online help page. Closes the online help page. Used when configuration changes to the device need to be saved as permanent. The configuration is saved as permanent by copying the current Running Configuration file to the Startup Configuration file.

Page 13

Getting Started
Using the Web Browser Interface

Adding, Modifying and Deleting Information

The WBI contains and tables for configuring devices. User-defined information can be added, modified or deleted in specific WBI pages. To add information to tables or WBI pages: 1. Open a WBI page. 2. Click Add. An Add page opens, for example, the Add Local User Page:

Figure 5:

Add Local User Page

3. 4.

Define the fields. Click Apply. The configuration information is saved, and the device is updated.

To modify information in tables or WBI pages: 1. Open a WBI page. 2. Select a table entry. 3. Click Modify. A Modify (or Settings) page opens, for example, the Local User Settings Page:

Figure 6:

Local User Settings Page

Page 14

Getting Started
Logging Out

4. Define the fields. 5. Click Apply. The fields are modified, and the information is saved to the device. To delete information in tables or WBI pages: 1. 2. 3. Open the WBI page. Select a table row. Click Delete. The information is deleted, and the device is updated.

Saving Configurations
User-defined information can be saved for permanent use or until next update, not just for the current session. A configuration is saved as permanent by copying the current Running Configuration file to the Startup Configuration file. To save changes permanently: Click Save Config on the menu.

Logging Out
The Logout option enables the user to log out of the device thereby terminating the running session. To log out: In any page, click Logout on the menu. The current management session is ended and the Log Off Page opens:

Figure 7:

Log Off Page

Page 15

Getting Started
Resetting the Device

Resetting the Device

The Reset option enables resetting the device from a remote location. Note Save all changes to the Running Configuration file before resetting the device. This prevents the current device configuration from being lost. See also "System Utilities". To reset the device: 1. In the System General Page, click Reset. You are prompted to confirm. 2. Click OK. The device is reset. Resetting the device ends the web browser management session. You must restart the session to continue managing the device. After the device is reset, a prompt for a user name and password displays. 3. Enter a user name and password to reconnect to the Web Interface. To reset the device to the predefined default configuration: In the System General Page, click Defaults. The default settings are restored and the device is reset.

Page 16

Defining System Information

Section 2. Defining System Information

The contains general device information, including system name and its IP addressing, administrator and passwords information, Dynamic Host Configuration Protocol (DHCP) configuration and MAC Address Aging Time. To define the general system information: 1. Click System > General. The opens:

Figure 8:

System General Page

The comprises two sections: Administration and DHCP Configuration. The Administration section of the contains the following fields:

System Name Indicates the user-defined name of the device. This is a required field. The field range is 0-159 characters. Administrator Indicates the name of the administrator responsible for managing the device. The field range is 0-159 characters. Comments (Optional) The user can add any comments about the device in this field, for example, fill in the location of the device. IP Address Indicates the devices IP address. Subnet Mask Indicates the devices subnet mask.

Page 17

Defining System Information

Default Gateway The IP address of a router for remote management of the device. The address must be entered in the format: xxx.xxx.xxx.xxx. The default value is 0.0.0.0. Note Packets are forwarded to the default IP when frames are sent to a remote network via the default gateway. The configured IP address must belong to the same subnet as one of the IP interfaces.

The DHCP Configuration section of the contains the following fields:

DHCP Configuration Indicates if the Dynamic Host Configuration Protocol (DHCP) is enabled.

Enable DHCP dynamically assigns IP addresses to devices on a network. With dynamic addressing, a device can have a different IP address every time it connects to the network. If the DHCP client software is activated, the device immediately begins to query the network for a DHCP server. The device continues to query the network for its IP configuration until it receives a response. If the device and IP address are manually assigned, that address is deleted and replaced by the IP address received from the DHCP server. Disable Disables DHCP on the device. In this case, the device, following reset, checks if the IP address is already defined in the Startup Configuration. If not, the device tries to receive an IP address from a BootIP server until either an IP address is received or the user defines the IP address manually.

Mac Address Aging Time The time interval an inactive dynamic MAC address can remain in the MAC address table before it is deleted. The default time is 300 seconds, and the range is 10-630. Jumbo Frame State Current state of Jumbo Frame support in device. The possible field values are:

Enabled Switch forwards Jumbo Frames.

Disabled Switch does not forward Jumbo Frames. Jumbo Frame After Reset Enables or disables Jumbo Frames on all device ports (packet size of up to 10 Kb is supported). Jumbo Frames enable the transportation of identical data in fewer frames, ensuring less overhead, lower processing time, and fewer interruptions. Jumbo Frames are typically used during server-toserver transmissions. Changing Jumbo Frame status requires system reboot. Jumbo Frames are supported on GE ports only. The possible field values are:

2. 3. 4.

Enabled Switch forwards Jumbo Frames.

Disabled Switch does not forward Jumbo Frames. Define the relevant fields. Click Apply. The system general information is defined and the device is updated. Click Save Config on the menu to save the changes permanently.

Page 18

Configuring System Time

Section 3. Configuring System Time

The System Time Page provides information for configuring system time parameters, including:

Setting the System Clock Configuring SNTP Configuring Daylight Saving Time

Setting the System Clock

The System Time Page contains fields for defining system time parameters for both the local hardware clock and the external SNTP clock. If the system time is kept using an external SNTP clock, and the external SNTP clock fails, the system time reverts to the local hardware clock. Daylight Savings Time can be enabled on the device. To configure the system clock time: 1. Click System > System Time. The System Time Page opens:

Figure 9:

System Time Page

Page 19

Configuring System Time

The Clock Source and System Time sections of the System Time Page contain the following fields:

Clock Source The source used to set the system clock. The possible field values are:

Local Settings Indicates that the clock is set locally.

SNTP Indicates that the system time is set via an SNTP server. System Time Sets the local clock time. The field format is HH:MM:SS. For example: 21:15:03. System Date Sets the system date. The field format is Day/Month/Year. For example: 04/May/50 (May 4, 2050). Time Zone Offset The difference between Greenwich Mean Time (GMT) and local time. For example, the Time Zone Offset for Paris is GMT +1, while the Time Zone Offset for New York is GMT 5.

To set the system clock: 2. Select the system time mode. 3. Define the System Date, System Time and Time Zone Offset fields. 4. Click Apply in each section. The local system clock settings are saved, and the device is updated. 5. Click Save Config on the menu to save the changes permanently.

Configuring SNTP
The device supports the Simple Network Time Protocol (SNTP). SNTP assures accurate network device clock time synchronization up to the millisecond. Time synchronization is performed by a network SNTP server. The device operates only as an SNTP client, and cannot provide time services to other systems. The device can poll the following server types for the server time:

Unicast Anycast Broadcast Time sources are established by stratums. Stratums define the accuracy of the reference clock. The higher the stratum (where zero is the highest), the more accurate the clock. The device receives time from stratum 1 and above. The following is an example of stratums: Stratum 0 A real time clock (such as a GPS system) is used as the time source. Stratum 1 A server that is directly linked to a Stratum 0 time source is used. Stratum 1 time servers provide primary network time standards. Stratum 2 The time source is distanced from the Stratum 1 server over a network path. For example, a Stratum 2 server receives the time over a network link, via NTP, from a Stratum 1 server.

Polling for Unicast Time Information

Polling for Unicast information is used for polling a server for which the IP address is known. T1 - T4 are used to determine the server time. This is the preferred method for synchronizing device time.

Polling for Anycast Time Information

Polling for Anycast information is used when the SNTP server IP address is unknown. The first Anycast server to return a response is used to set the time value. Time levels T3 and T4 are used to determine the server time. Using Anycast time information for synchronizing device time is preferred to using Broadcast time information.

Page 20

Configuring System Time

Broadcast Time Information

Broadcast information is used when the server IP address is unknown. When a broadcast message is sent from an SNTP server, the SNTP client listens for the response. The SNTP client neither sends time information requests nor receives responses from the Broadcast server. Message Digest 5 (MD5) Authentication safeguards device synchronization paths to SNTP servers. MD5 is an algorithm that produces a 128-bit hash. MD5 is a variation of MD4, and increases MD4 security. MD5 verifies the integrity of the communication, authenticates the origin of the communication. To define SNTP global parameters: 1. Click System > System Time. The System Time Page opens. The Simple Network Time Protocol (SNTP) section of the System Time Page contains the following fields:

Status Indicates if SNTP is enabled on the device. The possible field values are:

2. 3. 4. 5.

Disabled Indicates that SNTP is disabled. Enabled Indicates that SNTP is enabled.

Server IP Address Displays a user-defined SNTP server IP address. Poll Interval Defines the interval (in seconds) at which the SNTP server is polled for Unicast information. The Poll Interval default is 1024 seconds. Select the SNTP Status. Define the Server IP Address and the Poll Interval fields. Click Apply. The SNTP global settings are defined, and the device is updated. Click Save Config on the menu to save the changes permanently.

Configuring Daylight Saving Time

To configure Daylight Saving Time: 1. Click System > System Time. The System Time Page opens: The Additional Time Parameters section of the System Time Page contains the following fields:

Daylight Saving Enables automatic Daylight Saving Time (DST) on the device based on the devices location. There are two types of daylight settings, either by a specific date in a particular year or a recurring setting irrespective of the year. For a specific setting in a particular year complete the Daylight Savings area, and for a recurring setting, complete the Recurring area. The possible field values are:

USA The device devices to DST at 2:00 a.m. on the first Sunday of April, and reverts to standard time at 2:00 a.m. on the last Sunday of October. European The device devices to DST at 1:00 am on the last Sunday in March and reverts to standard time at 1:00 am on the last Sunday in October. The European option applies to EU members, and other European countries using the EU standard. Other The DST definitions are user-defined based on the device locality. If Custom is selected, the From and To fields must be defined.

Time Set Offset Used for non-USA and European countries to set the amount of time for DST (in minutes). The default time is 60 minutes. The range is 1-1440 minutes. From Indicates the time that DST begins in countries other than the USA and Europe, in the format Day/ Month/Year in one field and HH:MM in another. For example, if DST begins on October 25, 2007 at 5:00 am, the two fields should be set to 25/Oct./07 and 05:00. The possible field values are:

Date The date on which DST begins. The possible field range is 1-31. Month The month of the year in which DST begins. The possible field range is Jan.-Dec. Year The year in which the configured DST begins.

Page 21

Configuring System Time

Time The time at which DST begins. The field format is HH:MM. For example: 05:30.

To Indicates the time that DST ends in countries other than the USA and Europe, in the format Day/Month/ Year in one field and HH:MM in another. For example, if DST ends on March 23, 2008 at midnight, the two fields should be 23/Mar/08 and 00:00. The possible field values are:

Time The time at which DST starts. The field format is HH:MM. For example: 05:30. Recurring Enables user-defined DST for countries in which DST is constant from year to year, other than the USA and Europe. From The time that DST begins each year. In the example, DST begins locally every first Sunday in April at midnight. The possible field values are:

Date The date on which DST ends. The possible field range is 1-31. Month The month of the year in which DST ends. The possible field range is Jan-Dec. Year The year in which the configured DST ends.

Day The day of the week from which DST begins every year. The possible field range is SundaySaturday. Week The week within the month from which DST begins every year. The possible field range is 1-5. Month The month of the year in which DST begins every year. The possible field range is Jan.-Dec.

Time The time at which DST begins every year. The field format is Hour:Minute. For example: 02:10. To The time that DST ends each year. In the example, DST ends locally every first Sunday in October at midnight. The possible field values are:

2.

Day The day of the week at which DST ends every year. The possible field range is Sunday-Saturday. Week The week within the month at which DST ends every year. The possible field range is 1-5. Month The month of the year in which DST ends every year. The possible field range is Jan.-Dec. Time The time at which DST ends every year. The field format is HH:MM. For example: 05:30.

3. 4.

To configure the device to automatically switch to DST, select Daylight Savings and select either USA, European, or Other. If you select Other, you must define its From and To fields. To configure DST parameters that will recur every year, select Recurring and define its From and To fields. Click Apply. The DST settings are saved, and the device is updated. Click Save Config on the menu to save the changes permanently.

Daylight Savings Time by Country

The following is a list of Daylight Savings Time start and end dates by country:

Albania From the last weekend of March until the last weekend of October. Australia From the end of October until the end of March. Australia - Tasmania From the beginning of October until the end of March. Armenia From the last weekend of March until the last weekend of October. Austria From the last weekend of March until the last weekend of October. Bahamas From April to October, in conjunction with Daylight Savings Time in the United States. Belarus From the last weekend of March until the last weekend of October. Belgium From the last weekend of March until the last weekend of October. Brazil From the third Sunday in October until the third Saturday in March. During the period of Daylight Saving Time, Brazilian clocks go forward one hour in most of the Brazilian southeast. Chile In Easter Island, from March 9 until October 12. In the rest of the country, from the first Sunday in March or after 9th March. China China does not use Daylight Saving Time.

Page 22

Configuring System Time

Canada From the first Sunday in April until the last Sunday of October. Daylight Saving Time is usually regulated by provincial and territorial governments. Exceptions may exist in certain municipalities. Cuba From the last Sunday of March to the last Sunday of October. Cyprus From the last weekend of March until the last weekend of October. Denmark From the last weekend of March until the last weekend of October. Egypt From the last Friday in April until the last Thursday in September. Estonia From the last weekend of March until the last weekend of October. Finland From the last weekend of March until the last weekend of October. France From the last weekend of March until the last weekend of October. Germany From the last weekend of March until the last weekend of October. Greece From the last weekend of March until the last weekend of October. Hungary From the last weekend of March until the last weekend of October. India India does not use Daylight Saving Time. Iran From Farvardin 1 until Mehr 1. Iraq From April 1 until October 1. Ireland From the last weekend of March until the last weekend of October. Israel Varies year-to-year. Italy From the last weekend of March until the last weekend of October. Japan Japan does not use Daylight Saving Time. Jordan From the last weekend of March until the last weekend of October. Latvia From the last weekend of March until the last weekend of October. Lebanon From the last weekend of March until the last weekend of October. Lithuania From the last weekend of March until the last weekend of October. Luxembourg From the last weekend of March until the last weekend of October. Macedonia From the last weekend of March until the last weekend of October. Mexico From the first Sunday in April at 02:00 to the last Sunday in October at 02:00. Moldova From the last weekend of March until the last weekend of October. Montenegro From the last weekend of March until the last weekend of October. Netherlands From the last weekend of March until the last weekend of October. New Zealand From the first Sunday in October until the first Sunday on or after March 15. Norway From the last weekend of March until the last weekend of October. Paraguay From April 6 until September 7. Poland From the last weekend of March until the last weekend of October. Portugal From the last weekend of March until the last weekend of October. Romania From the last weekend of March until the last weekend of October. Russia From the last weekend of March until the last weekend of October. Serbia From the last weekend of March until the last weekend of October. Slovak Republic - From the last weekend of March until the last weekend of October. South Africa South Africa does not use Daylight Saving Time. Spain From the last weekend of March until the last weekend of October. Sweden From the last weekend of March until the last weekend of October. Switzerland From the last weekend of March until the last weekend of October. Syria From March 31 until October 30. Taiwan Taiwan does not use Daylight Saving Time.

Page 23

Configuring System Time

Turkey From the last weekend of March until the last weekend of October. United Kingdom From the last weekend of March until the last weekend of October. United States of America From the second Sunday in March at 02:00 to the first Sunday in November at 02:00.

Page 24

Configuring Device Security

Section 4. Configuring Device Security

This section describes setting security parameters for ports, device management methods, users, and servers. This section contains the following topics:

Configuring Management Security Configuring Server Based Authentication Configuring Network Security Defining Access Control

Page 25

Configuring Device Security

Configuring Management Security

Configuring Management Security

This section provides information for configuring device management security, device authentication methods, users and passwords. This section includes the following topics:

Defining Access Profiles Defining Profile Rules Defining Authentication Profiles Mapping Authentication Profiles

Defining Access Profiles

Access profiles are profiles and rules for accessing the device. Access to management functions can be limited to user groups. User groups are defined for interfaces according to IP addresses or IP subnets. Access profiles contain management methods for accessing and managing the device. The device management methods include:

All Telnet Secure Telnet (SSH) HTTP

Secure HTTP (HTTPS) Management access to different management methods may differ between user groups. For example, User Group 1 can access the device module only via an HTTPS session, while User Group 2 can access the device module via both HTTPS and Telnet sessions. The Access Profile Page contains the currently configured access profiles and their activity status. Assigning an access profile to an interface denies access via other interfaces. If an access profile is assigned to any interface, the device can be accessed by all interfaces. To define access profiles: 1. Click Mgmt. Security > Access Profile. The Access Profile Page opens:

Page 26

Configuring Device Security

Configuring Management Security

Figure 10: Access Profile Page

The Access Profile Page contains a table listing the currently defined profiles and their active status:

Access Profile Name The name of the profile. The access profile name can contain up to 32 characters. Current Active Access Profile Indicates if the profile is currently active. The possible field values are:

2.

Checked The access profile is currently active. Access Profiles cannot be deleted when active. Unchecked Disables the active access profile.

Click Add. The Add Access Profile Page opens:

Page 27

Configuring Device Security

Configuring Management Security

Figure 11: Add Access Profile Page

The Add Access Profile Page contains the following fields:

Access Profile Name Defines the name of a new access profile. Rule Priority Defines the rule priority. When the packet is matched to a rule, user groups are either granted permission or denied device management access. The rule number is essential to matching packets to rules, as packets are matched on a first-fit basis. The rule priorities are assigned in the Profile Rules Page. Management Method Defines the management method for which the rule is defined. Users with this access profile can access the device using the management method selected. The possible field values are:

All Assigns all management methods to the rule. Telnet Assigns Telnet access to the rule. If selected, users accessing the device using Telnet meeting access profile criteria are permitted or denied access to the device. Secure Telnet (SSH) Assigns SSH access to the rule. If selected, users accessing the device using Telnet meeting access profile criteria are permitted or denied access to the device. HTTP Assigns HTTP access to the rule. If selected, users accessing the device using HTTP meeting access profile criteria are permitted or denied access to the device. Secure HTTP (HTTPS) Assigns HTTPS access to the rule. If selected, users accessing the device using HTTPS meeting access profile criteria are permitted or denied access to the device. SNMP Assigns SNMP access to the rule. If selected, users accessing the device using SNMP meeting access profile criteria are permitted or denied access to the device. Port Specifies the port on which the access profile is defined. Trunk Specifies the trunk on which the access profile is defined.

Interface Defines the interface on which the access profile is defined. The possible field values are:

VLAN Specifies the VLAN on which the access profile is defined. Source IP Address Defines the interface source IP address to which the access profile applies. The Source IP Address field is valid for a subnetwork.

Network Mask Defines the network mask of the source IP address. Prefix Length Defines the number of bits that comprise the source IP address prefix, or the network mask of the source IP address.

Page 28

Configuring Device Security

Configuring Management Security

Action Defines the action attached to the access rule. The possible field values are:

3. 4. 5.

Permit Permits access to the device. Deny Denies access to the device. This is the default.

Define the fields. Click Apply. The access profile is saved and the device is updated. Click Save Config on the menu to save the changes permanently.

Page 29

Configuring Device Security

Configuring Management Security

Defining Profile Rules

Access profiles can contain up to 128 rules that determine which users can manage the device module, and by which methods. Users can also be blocked from accessing the device. Rules are composed of filters including:

Rule Priority Interface Management Method IP Address Prefix Length Forwarding Action

To define profile rules: 1. Click Mgmt. Security > Profile Rules: The Profile Rules Page opens:

Figure 12: Profile Rules Page

Access Profile Name Displays the access profile to which the rule is attached. Priority Defines the rule priority. When the packet is matched to a rule, user groups are either granted permission or denied device management access. The rule number is essential to matching packets to rules, as packets are matched on a first-fit basis. Interface Indicates the interface type to which the rule applies. The possible field values are:

Port Attaches the rule to the selected port. Trunk Attaches the rule to the selected trunk. VLAN Attaches the rule to the selected VLAN.

Page 30

Configuring Device Security

Configuring Management Security

Management Method Defines the management method for which the rule is defined. Users with this access profile can access the device using the management method selected. The possible field values are:

All Assigns all management methods to the rule. Telnet Assigns Telnet access to the rule. If selected, users accessing the device using Telnet meeting access profile criteria are permitted or denied access to the device. Secure Telnet (SSH) Assigns SSH access to the rule. If selected, users accessing the device using Telnet meeting access profile criteria are permitted or denied access to the device. HTTP Assigns HTTP access to the rule. If selected, users accessing the device using HTTP meeting access profile criteria are permitted or denied access to the device. Secure HTTP (HTTPS) Assigns HTTPS access to the rule. If selected, users accessing the device using HTTPS meeting access profile criteria are permitted or denied access to the device. SNMP Assigns SNMP access to the rule. If selected, users accessing the device using SNMP meeting access profile criteria are permitted or denied access to the device.

Source IP Address Defines the interface source IP address to which the rule applies. Prefix Length Defines the number of bits that comprise the source IP address prefix, or the network mask of the source IP address. Action Defines the action attached to the rule. The possible field values are:

2.

Permit Permits access to the device. Deny Denies access to the device. This is the default.

Click Add. The Add Profile Rule Page opens:

Figure 13: Add Profile Rule Page

3. 4. 5.

Define the fields. Click Apply. The profile rule is added to the access profile, and the device is updated. Click Save Config on the menu to save the changes permanently.

Page 31

Configuring Device Security

Configuring Management Security

To modify an access rule: 1. Click Mgmt. Security > Profile Rules: The Profile Rules Page opens. 2. Click Modify. The Profiles Rules Configuration Page opens:

Figure 14: Profiles Rules Configuration Page

3. 4.

Define the fields. Click Apply. The profile rule is saved, and the device is updated.

Page 32

Configuring Device Security

Configuring Management Security

Defining Authentication Profiles

Authentication profiles allow network administrators to assign authentication methods for user authentication. User authentication can be performed either locally or on an external server. User authentication occurs in the order the methods are selected. If the first authentication method is not available, the next selected method is used. For example, if the selected authentication methods are RADIUS and Local, and the RADIUS server is not available, then the user is authenticated locally. To define Authentication profiles: 1. Click Mgmt. Security > Authentication Profiles. The Authentication Profiles Page opens:

Figure 15: Authentication Profiles Page

The Authentication Profiles Page contains two tables which display the currently defined profiles: Login Authentication Profiles Provides the method by which system users logon to the device. Enable Authentication Profiles Provides user authentication levels for users accessing the device. Each table contains the following fields: Profile Name Contains a list of user-defined authentication profile lists to which user-defined authentication profiles are added. The default configuration displays as: Console Default, and Network Default. Methods Indicates the authentication method for the selected authentication profile. The possible authentication methods are:

None Assigns no authentication method to the authentication profile. Line Indicates that authentication uses a line password. Enable Indicates that authentication uses an Enable password. Local Authenticates the user at the device level. The device checks the user name and password for authentication.

Page 33

Configuring Device Security

Configuring Management Security

RADIUS Authenticates the user at the RADIUS server. For more information, see Defining RADIUS Server Settings. TACACS+ Authenticates the user at the TACACS+ server. For more information, see Defining TACACS+ Host Settings. Local, RADIUS Indicates that authentication first occurs locally. If authentication cannot be verified locally, the RADIUS server authenticates the management method. If the RADIUS server cannot authenticate the management method, the session is blocked. RADIUS, Local Indicates that authentication first occurs at the RADIUS server. If authentication cannot be verified at the RADIUS server, the session is authenticated locally. If the session cannot be authenticated locally, the session is blocked. Local, RADIUS, None Indicates that authentication first occurs locally. If authentication cannot be verified locally, the RADIUS server authenticates the management method. If the RADIUS server cannot authenticate the management method, the session is permitted. RADIUS, Local, None Indicates that Authentication first occurs at the RADIUS server. If authentication cannot be verified at the RADIUS server, the session is authenticated locally. If the session cannot be authenticated locally, the session is permitted. Local, TACACS+ Indicates that Authentication first occurs locally. If authentication cannot be verified locally, the TACACS+ server authenticates the management method. If the TACACS+ server cannot authenticate the management method, the session is blocked. TACACS+, Local Indicates that authentication first occurs at the TACACS+ server. If authentication cannot be verified at the TACACS+ server, the session is authenticated locally. If the session cannot be authenticated locally, the session is blocked. Local, TACACS+, None Indicates that authentication first occurs locally. If authentication cannot be verified locally, the TACACS+ server authenticates the management method. If the TACACS+ server cannot authenticate the management method, the session is permitted. TACACS+, Local, None Indicates that authentication first occurs at the TACACS+ server. If authentication cannot be verified at the TACACS+ server, the session is authenticated locally. If the session cannot be authenticated locally, the session is permitted.

2.

Click Add. The Add Authentication Profile Page opens:

Figure 16: Add Authentication Profile Page

3.

Select the type of function to configure for the profile: Method or Login.

Page 34

Configuring Device Security

Configuring Management Security

4. 5. 6.

Enter the Profile Name. Using the arrows, move the method(s) from the Optional Method list to the Selected Method list. Click Apply. The authentication profile is defined. The profile is added to the profiles table and the device is updated.

To modify the authentication profile settings: 1. Click Mgmt. Security > Authentication Profiles. The Authentication Profiles Page opens. 2. Click Modify. The Authentication Profile Configuration Page opens:

Figure 17: Authentication Profile Configuration Page

3. 4. 5.

Select the Profile Name from the list. Using the arrows, move the method(s) from the Optional Method list to the Selected Method list. Click Apply. The profile settings are saved and the device is updated.

Page 35

Configuring Device Security

Configuring Management Security

Mapping Authentication Profiles

After authentication profiles are defined, they can be applied to management access methods. For example, console users can be authenticated by Authentication Profile List 1, while Telnet users are authenticated by Authentication Profile List 2. Authentication methods are selected using arrows. The order in which the methods are selected is the order by which the authentication methods are used. To map authentication methods: 1. Click Mgmt. Security > Authentication Mapping. The Authentication Mapping Page opens:

Figure 18: Authentication Mapping Page

The Authentication Mapping Page comprises three sections: Authentication Login and Enable Secure HTTP HTTP The Authentication Mapping Page contains the following fields: Console Indicates that authentication profiles are used to authenticate console users. Telnet Indicates that authentication profiles are used to authenticate Telnet users. Secure Telnet (SSH) Indicates that authentication profiles are used to authenticate Secure Shell (SSH) users. SSH provides clients secure and encrypted remote connections to a device.

Page 36

Configuring Device Security

Configuring Management Security

Secure HTTP Indicates that authentication methods are used for secure HTTP access. The possible methods are:

2. 3. 4. 5.

Local Authentication occurs locally. RADIUS Authenticates the user at the RADIUS server. TACACS+ Authenticates the user at the TACACS+ server. None Indicates that no authentication method is used for access. Local Authentication occurs locally. RADIUS Authenticates the user at the RADIUS server. TACACS+ Authenticates the user at the TACACS+ server. None Indicates that no authentication method is used for access.

HTTP Indicates that authentication methods are used for HTTP access. Possible methods are:

Define the Console, Telnet, and Secure Telnet (SSH) fields. Map the authentication method(s) in the Secure HTTP selection box using the Map the authentication method(s) in the HTTP selection box. Click Save Config on the menu to save the changes permanently. arrow.

Page 37

Configuring Device Security

Configuring Server Based Authentication

Configuring Server Based Authentication

Network administrators assign authentication methods for user authentication. User authentication can be performed locally, or on an external server. User authentication occurs in the order the methods are selected. If the first authentication method is not available, the next selected method is used. This section describes the following configuration methods:

Configuring TACACS+ Configuring RADIUS Configuring Local Users Defining Line Passwords

Configuring TACACS+
Terminal Access Controller Access Control System (TACACS+) provides centralized security user access validation. The system supports up-to 8 TACACS+ servers. TACACS+ provides a centralized user management system, while still retaining consistency with RADIUS and other authentication processes. TACACS+ provides the following services:

Authentication Performed at login and via user names and user-defined passwords. Authorization Performed at login. Once the authentication session is completed, an authorization session starts using the authenticated user name.

The TACACS+ protocol ensures network integrity through encrypted protocol exchanges between the client and TACACS+ server. To define TACACS+ security settings: 1. Click Mgmt. Protocols > TACACS+. The TACACS+ Page opens.

Figure 19: TACACS+ Page

Page 38

Configuring Device Security

Configuring Server Based Authentication

The TACACS+ Page contains the following fields: Timeout for Reply Defines the time interval in seconds that passes before the connection between the device and the TACACS+ server times out. The field range is 1-60 seconds and the default is 10 seconds. Key String Defines the default key string. Server # Displays the server number. Host IP Address Displays the TACACS+ server IP address. Priority Defines the order in which the TACACS+ servers are used. The field range is 0-65535. The default is 0. Authentication Port Identifies the authentication port. The device communicates with the TACACS+ server through the authentication port. Timeout for Reply Defines the time interval in seconds that passes before the connection between the device and the TACACS+ server times out. The field range is 1-60 seconds and the default is 10 seconds.

Single Connection Maintains a single open connection between the device and the TACACS+ server. The possible field values are:

Checked Enables a single connection.

Unchecked Disables a single connection. Status Indicates the connection status between the device and the TACACS+ server. The possible field values are: Connected Indicates there is currently a connection between the device and the TACACS+ server. Not Connected Indicates there is not currently a connection between the device and the TACACS+ server. Click Add. The Add TACACS+ Page opens.

2.

Figure 20: Add TACACS+ Page

3. 4.

Define the fields. Click Apply. The TACACS+ profile is saved, and the device is updated.

Page 39

Configuring Device Security

Configuring Server Based Authentication

To modify TACACS+ server settings: 1. Click Mgmt. Protocols > TACACS+. The TACACS+ Page opens. 2. Click Modify. The TACACS+ Configuration Page opens:

Figure 21: TACACS+ Configuration Page

3. 4.

Define the relevant fields. Click Apply. The TACACS+ settings are modified, and the device is updated.

Page 40

Configuring Device Security

Configuring Server Based Authentication

Configuring RADIUS
Remote Authorization Dial-In User Service (RADIUS) servers provide additional security for networks. RADIUS servers provide a centralized authentication method for web access. To configure RADIUS security settings: 1. Click Mgmt. Protocols > RADIUS. The RADIUS Page opens:

Figure 22: RADIUS Page

The RADIUS Page contains the following fields: Default Retries Defines the default number of transmitted requests sent to the RADIUS server before a failure occurs. Possible field values are 1-10. Default Timeout for Reply Defines the default time interval in seconds that passes before the connection between the device and the TACACS+ server times out. The field range is 1-60 seconds and the default is 10 seconds. Default Dead Time Defines the default amount of time (in minutes) that a RADIUS server is bypassed for service requests. The range is 0-2000. Default Key String Defines the default key string used for authenticating and encrypting all RADIUScommunications between the device and the RADIUS server. This key must match the RADIUS encryption. Source IP Address Defines the default IP address of a device accessing the RADIUS server. The RADIUS table lists known RADIUS servers and contains the following fields:

# Displays the RADIUS server number. IP Address Displays the RADIUS server IP address. Priority Displays the RADIUS server priority. The possible values are 1-65535, where 1 is the highest value. The RADIUS server priority is used to configure the server query order.

Page 41

Configuring Device Security

Configuring Server Based Authentication

Authentication Port Identifies the authentication port. The authentication port is used to verify the RADIUS server authentication. The authenticated port default is 1812. Number of Retries Defines the number of transmitted requests sent to the RADIUS server before a failure occurs. Possible field values are 1-10. Timeout for Reply Defines the time interval in seconds that passes before the connection between the device and the RADUIUS server times out. The field range is 1-60 seconds and the default is 10 seconds. Dead Time Defines the amount of time (in minutes) that a RADIUS server is bypassed for service requests. The range is 0-2000. The default is 0 minutes. Key String Indicates the key string used for authenticating and encrypting all RADIUS-communications between the device and the RADIUS server. This key must match the RADIUS encryption. Source IP Address Displays the default IP address of a device accessing the RADIUS server. Usage Type Specifies the RADIUS server authentication type. The default value is All. The possible field values are:

2.

Log in Indicates the RADIUS server is used for authenticating user name and passwords. 802.1X Indicates the RADIUS server is used for 802.1X authentication.

All Indicates the RADIUS server is used for authenticating user names and passwords, and 802.1X port authentication. Click Add. The Add RADIUS Page opens.

Figure 23: Add RADIUS Page

3. 4.

Define the fields. Click Apply. The RADIUS profile is saved, and the device is updated.

To modify RADIUS server settings: 1. Click Mgmt. Protocols > RADIUS. The RADIUS Page opens: 2. Click Modify. The RADIUS Configuration Page opens:

Page 42

Configuring Device Security

Configuring Server Based Authentication

Figure 24: RADIUS Configuration Page

3. 4.

Define the relevant fields. Click Apply. The RADIUS server settings are modified, and the device is updated.

Page 43

Configuring Device Security

Configuring Server Based Authentication

Configuring Local Users

Network administrators can define users, passwords, and access levels for users using the Local Users Page. To configure local users and passwords: 1. Click Mgmt. Security > Local Users. The Local Users Page opens:

Figure 25: Local Users Page

The Local Users Page displays the list of currently defined local users and contains the following fields: User Name Displays the users name. Access Level Displays the user access level. The lowest user access level is 1 and the highest is 15. Users assigned access level 1 have read/write access to the device. User assigned a access level of 15 have read-only access. The possible field values are:

2.

Configuration Provides configuration device privileges.

Monitoring Provides device Read and Read/Write privileges. Click Create. The Add Local User Page opens:

Page 44

Configuring Device Security

Configuring Server Based Authentication

Figure 26: Add Local User Page

In addition to the fields in the Local Users Page, the Add Local User Page contains the following fields: Password Defines the local user password. Local user passwords can contain up to 159 characters. Confirm Password Verifies the password. 3. 4. Define the fields. Click Apply. The user is added to the Local Users table and the device is updated.

To modify local users: 1. Click Mgmt. Security > Local Users. The Local Users Page opens. 2. Click Modify. The Local Users Configuration Page opens:

Figure 27: Local Users Configuration Page

3. 4.

Define the User Name, Access Level, Password, and Confirm Password fields. Click Apply. The local user settings are defined, and the device is updated.

Page 45

Configuring Device Security

Configuring Server Based Authentication

Defining Line Passwords

Network administrators can define line passwords in the Line Password Page. The administrator enters the new password in the Password column and then confirms it in the Confirm Password column. After the line password is defined, a management method is assigned to the password. The device can be accessed using the following methods:

Console Telnet Secure Telnet To define line passwords: 1. Click Mgmt. Security > Line Password. The Line Password Page opens:

Figure 28: Line Password Page

The Line Password Page contains the following fields:

2. 3.

Console Line Password Defines the line password for accessing the device via a Console session. Passwords can contain a maximum of 159 characters. Telnet Line Password Defines the line password for accessing the device via a Telnet session. Passwords can contain a maximum of 159 characters. Secure Telnet Line Password Defines the line password for accessing the device via a secure Telnet session. Passwords can contain a maximum of 159 characters. Define the Password and Confirm Password fields for the relevant connection. Click Apply. The passwords are modified, and the device is updated.

Page 46

Configuring Device Security

Configuring Network Security

Configuring Network Security

Network security manages locked ports. Port-based authentication provides traditional 802.1x support, as well as, Guest VLANs. Guest VLANs limited network access to authorized ports. If a port is denied network access via port-based authorization, but the Guest VLAN is enabled, the port receives limited network access. For example, a network administrator can use Guest VLANs to deny network access via port-based authentication, but grant Internet access to unauthorized users. This section contains the following topics:

Managing Port Security Defining 802.1x Port Access Enabling Storm Control

Managing Port Security

Network security can be increased by limiting access on a specific port only to users with specific MAC addresses. The MAC addresses can be dynamically learned or statically configured. Locked port security monitors both received and learned packets that are received on specific ports. Access to the locked port is limited to users with specific MAC addresses. These addresses are either manually defined on the port, or learned on that port up to the point when it is locked. When a packet is received on a locked port, and the packet source MAC address is not tied to that port (either it was learned on a different port, or it is unknown to the system), the protection mechanism is invoked, and can provide various options. Unauthorized packets arriving at a locked port are either:

Forwarded with or without a trap Discarded with or without a trap Shuts down the port with or without a trap.

Locked port security also enables storing a list of MAC addresses in the configuration file. The MAC address list can be restored after the device has been reset. Disabled ports are activated from the Port Security Page. The Port Security Page enhances network security by providing port locking management to network administrators. To configure secure ports: 1. Click Network Security > Port Security. The Port Security Page opens:

Page 47

Configuring Device Security

Configuring Network Security

Figure 29: Port Security Page

The Port Security Page displays the Zoom View of the selected stacking members (defined in the Unit No. field) ports. 2. In the Unit No. field, select the stacking member to display. 3. Select the ports to lock. The port indicator changes to selected. 4. Click Modify. The Port Security Configuration Page opens:

Page 48

Configuring Device Security

Configuring Network Security

Figure 30: Port Security Configuration Page

The Port Security Configuration Page contains the following fields: Interface Displays the port name. Action On Violation Indicates the intruder action defined for the port. Indicates the action to be applied to packets arriving on a locked port. The possible values are:

Forward Forwards packets from an unknown source without learning the MAC address. Discard Discards packets from any unlearned source. This is the default value. Shutdown Discards packets from any unlearned source and shuts down the port. The port remains shut down until reactivated, or until the device is reset. Classic Lock Locks the port using the classic lock mechanism. The port is immediately locked, regardless of the number of addresses that have already been learned. Limited Dynamic Lock Locks the port by deleting the current dynamic MAC addresses associated with the port. The port learns up to the maximum addresses allowed on the port. Both relearning and aging MAC addresses are enabled.

Learning Mode Defines the locked port type. The possible field values are:

Max Entries Specifies the number of MAC addresses that can be learned on the port before the port is locked. The field range is 1-128. The default is 1. Enable Trap Indicates if the SNMP trap generated if there is a violation. The possible values are:

5. 6. 7.

Yes Trap is generated. No No trap is generated.

Lock Interface Locks the interface. Trap Frequency The time interval (in seconds) between traps. The possible field range is 1-1,000,000 seconds, and the default is 10 seconds. Select the security mode for the selected port(s). Click Apply. The port security settings are saved and the device is updated. Click Save Config on the menu to save the changes permanently.

Page 49

Configuring Device Security

Configuring Network Security

Defining 802.1x Port Access

The 802.1x Port Access Page allows enabling port access globally, defining the authentication method, and configuration of port roles and settings. To configure 802.1x port access parameters: 1. Click Network Security > 802.1x Port Access. The 802.1x Port Access Page opens:

Figure 31: 802.1x Port Access Page

The 802.1x Port Access Page contains the following fields: Enable Port Access Enables the 802.1x port access globally. The possible values are:

Checked Enables the 802.1x port access on the device. Unchecked Disables the 802.1x port access on the device. This is the default value.

Authentication Method Displays the method by which the last session was authenticated. The possible field values are:

None Indicates that no authentication method is used to authenticate the port. RADIUS Provides port authentication using the RADIUS server. RADIUS, None Provides port authentication, first using the RADIUS server. If the port is not authenticated, then no authentication method is used, and the session is permitted.

Guest VLAN Provides limited network access to unauthorized ports. If a port is denied network access via port-based authorization, but the Guest VLAN field is enabled, the port receives limited network access. For example, a network administrator can use Guest VLANs to deny network access via port-based authentication, but grant Internet access to unauthorized users. The possible field values are:

Enable Enables Guest VLAN. Disable Disables Guest VLAN.

VLAN List The currently defined VLAN.

Page 50

Configuring Device Security

Configuring Network Security

The 802.1x Port Access Page also displays the Zoom View of the selected stacking members (defined in the Unit No. field) ports. 2. Select Enable Port Access. 3. Select the Authentication Method. 4. Define the VLAN fields 5. Click Apply. The 802.1x access is configured globally and device information is updated. To modify port based authentication settings: 1. Click Modify. The Port Authentication Settings Page opens:

Figure 32: Port Authentication Settings Page

The Port Authentication Settings Page contains the following port authentication parameters:

Port Displays a list of interfaces on which port-based authentication is enabled. User Name Displays the supplicant user name. Current Port Control Displays the current port authorization state. The possible field values are:

Authorized Indicates the interface is in an authorized state. Unauthorized Denies the selected interface system access.

Page 51

Configuring Device Security

Configuring Network Security

Admin Port Control Indicates the port state. The possible field values are:

Auto Enables port-based authentication on the device. The interface moves between an authorized or unauthorized state based on the authentication exchange between the device and the client. ForceAuthorized Indicates the interface is in an authorized state without being authenticated. The interface re-sends and receives normal traffic without client port-based authentication.

ForceUnauthorized Denies the selected interface system access by moving the interface into unauthorized state. The device cannot provide authentication services to the client through the interface. Enable Guest VLAN Indicates if the Guest VLAN is enabled. The possible field values are: Checked Enables the Guest VLAN.

Unchecked Disables the Guest VLAN. This is the default value. Authentication Method Defines the user authentication methods. MAC authentication ensures that enduser stations meet security policies criteria, and protects networks from viruses. To activate MAC authentication first define the following: 1. 2. Enable Guest VLAN. Set the Admin Port Control option to Auto.

The possible values are:

802.1X Only Enables only 802.1X authentication on the device. MAC Only Enables only MAC authentication on the device.

MAC + 802.1X Enables MAC Authentication + 802.1X authentication on the device. In case of MAC+ 802.1x, 802.1x takes precedence. Enable Periodic Reauthentication Permits port reauthentication. The possible field values are: Enable Enables port reauthentication. This is the default value.

2. 3.

Disable Disables port reauthentication. Reauthentication Period Displays the time span (in seconds) in which the selected port is reauthenticated. The field default is 3600 seconds. Reauthenticate Now Reauthenticates the port immediately. Authenticator State Displays the current authenticator state (as defined in Admin Port Control). Quiet Period Displays the number of seconds that the device remains in the quiet state following a failed authentication exchange. The possible field range is 0-65535. The field default is 60 seconds. Resending EAP Defines the amount of time (in seconds) that lapses before EAP requests are resent. The field default is 30 seconds. Max EAP Requests Displays the total amount of EAP requests sent. If a response is not received after the defined period, the authentication process is restarted. The field default is 2 retries. Supplicant Timeout Displays the amount of time (in seconds) that lapses before EAP requests are resent to the supplicant. The field default is 30 seconds. Server Timeout Displays the amount of time (in seconds) that lapses before the device re-sends a request to the authentication server. The field default is 30 seconds. Termination Cause Indicates the reason for which the port authentication was terminated. Click Apply. The port authentication configuration is saved and the device is updated. Click Save Config on the menu to save the changes permanently.

Page 52

Configuring Device Security

Configuring Network Security

Enabling Storm Control

Storm control limits the amount of unknown Unicast, Multicast and Broadcast frames accepted and forwarded by the device. When Layer 2 frames are forwarded, Broadcast, and Multicast frames are flooded to all ports on the relevant VLAN. This occupies bandwidth, and loads all nodes on all ports. A Broadcast Storm is a result of an excessive amount of broadcast messages simultaneously transmitted across a network by a single port. Forwarded message responses are heaped onto the network, straining network resources or causing the network to time out. Storm control is enabled for all ports by defining the packet type and the rate the packets are transmitted. The system measures the incoming Broadcast and Multicast frame rates separately on each port, and discards the frames when the rate exceeds a user-defined rate. The Storm Control Page provides fields for configuring broadcast storm control. To enable storm control: 1. Click Network Security > Storm Control. The Storm Control Page opens:

Figure 33: Storm Control Page

The Storm Control Page displays the Zoom View of the selected stacking members (defined in the Unit No. field) ports. 2. Select a port to configure. The port indicator changes to Port is selected (white). 3. Click Modify. The Storm Control Configuration Page opens:

Page 53

Configuring Device Security

Configuring Network Security

Figure 34: Storm Control Configuration Page

The Storm Control Configuration Page contains the following fields: Port Indicates the port from which storm control is enabled. Enable Broadcast Control Indicates if forwarding Broadcast packet types is enabled on the port. The field values are:

Enabled Enables storm control on the selected port. Disabled Disables storm control on the selected port.

Broadcast Mode Specifies the Broadcast mode currently enabled on the device. The possible field values are:

Multicast & Broadcast Counts both Broadcast and Multicast traffic together. Broadcast Only Counts only the Broadcast traffic.

Broadcast Rate Threshold Indicates the maximum rate (kilobits per second) at which unknown packets are forwarded. The range for FE ports is 70-100,000. The range for Giga ports is 3500-100,000. The default value is 3500. Select the Port Storm Control Settings. Click Enable Broadcast Control, and define the Rate Threshold. Click Apply. Storm control is enabled on the device for the selected port. Click Save Config on the menu to save the changes permanently.

4. 5. 6. 7.

Page 54

Configuring Device Security

Defining Access Control

Defining Access Control

Access Control Lists (ACL) allow network managers to define classification actions and rules for specific ingress ports. Your switch supports up to 256 ACLs. Packets entering an ingress port, with an active ACL, are either admitted or denied entry. If they are denied entry, the user can disable the port. ACLs are composed of access control entries (ACEs) that are made of the filters that determine traffic classifications. The total number of ACEs that can be defined in all ACLs together is 256. This section contains the following topics:

Defining MAC Based ACL Defining IP Based ACL Defining ACL Binding

Defining MAC Based ACL

The MAC Based ACL Page page allows a MAC-based Access Control List (ACL) to be defined. The table lists Access Control Elements (ACE) rules, which can be added only if the ACL is not bound to an interface. To define a MAC Based ACL: 1. Click Network Security > MAC Based ACL. The MAC Based ACL Page opens:

Figure 35: MAC Based ACL Page

Page 55

Configuring Device Security

Defining Access Control

The MAC Based ACL Page contains the following fields:

ACL Name Displays the specific MAC based ACLs. Remove ACL Deletes the specified ACL. The possible field values are: Unchecked Maintains the ACL. Priority Indicates the ACE priority, which determines which ACE is matched to a packet on a first-match basis. The possible field values are 1-2147483647. Source MAC Address Matches the source MAC address from which packets are addressed to the ACE. Source MAC Mask Indicates the source MAC Address wild card mask. Wildcards are used to mask all or part of a source MAC Address. Wild card masks specify which octets are used and which octets are ignored. A wild card mask of ff:ff:ff:ff:ff:ff indicates that no octet is important. A wildcard of 00:00:00:00:00:00 indicates that all the octets are important. For example, if the source MAC address 09:00:07:A9:B2:EB and the wildcard mask is 00:ff:00:ff:00:ff, the 1st, 3rd, and 5th octets of the MAC address are checked, while the 2nd, 4th, and 6th octets are ignored. Destination MAC Address Matches the destination MAC address to which packets are addressed to the ACE. Destination MAC Mask Indicates the destination MAC Address wild card mask. Wildcards are used to mask all or part of a destination MAC Address. Wild card masks specify which octets are used and which octets are ignored. A wild card mask of ff:ff:ff:ff:ff:ff indicates that no octet is important. A wildcard of 00:00:00:00:00:00 indicates that all the octets are important. For example, if the destination IP address 09:00:07:A9:B2:EB and the wildcard mask is 00:ff:00:ff:00:ff, the 1st, 3rd, and 5th octets of the MAC address are checked, while the 2nd, 4th, and 6th octets are ignored. VLAN ID Matches the packets VLAN ID to the ACE. The possible field values are 1 to 4093. CoS Class of Service of the packet. CoS Mask Wildcard bits to be applied to the CoS. Ether Type The Ethernet type of the packet. Action Indicates the ACL forwarding action. For example, the port can be shut down, a trap can be sent to the network administrator, or packet is assigned rate limiting restrictions for forwarding. Possible field values are:

Checked Deletes the ACL when user clicks the Apply button.

2.

Permit Forwards packets which meet the ACL criteria. Deny Drops packets which meet the ACL criteria.

Shutdown Drops packet that meet the ACL criteria, and disables the port to which the packet was addressed. Ports are reactivated from the Port Setting Configuration Page. Delete To remove an ACE, click the ACEs checkbox and click the Delete button. Click the Add ACL button. The Add MAC Based ACL Page opens:

Page 56

Configuring Device Security

Defining Access Control

Figure 36: Add MAC Based ACL Page

3. 4. 5. 6.

In the ACL Name field, type a name for the ACL. Enable Rule Priority and define the ACLs relevant fields. Click Apply. The MAC Based ACL configuration is defined and the device is updated. Click Save Config on the menu to save the changes permanently.

Adding ACE Rules

1. 2. Click Network Security > MAC Based ACL. The MAC Based ACL Page opens. Click the Add ACE button. The Add MAC Based ACE Page opens.

Page 57

Configuring Device Security

Defining Access Control

Figure 37: Add MAC Based ACE Page

3. 4. 5.

Define the fields. Click Apply. The MAC Based ACE rule is defined and the device is updated. Click Save Config on the menu to save the changes permanently.

To modify the MAC Based ACL configuration: 1. Click Network Security > MAC Based ACL. The MAC Based ACL Page opens. 2. Click Modify. The MAC Based ACE Configuration Page opens:

Figure 38: MAC Based ACE Configuration Page

Page 58

Configuring Device Security

Defining Access Control

3. 4. 5.

Define the fields. Click Apply. The MAC Based ACL configuration is defined, and the device is updated. Click Save Config on the menu to save the changes permanently.

Page 59

Configuring Device Security

Defining Access Control

Defining IP Based ACL

The IP Based ACL Page contains information for defining IP Based ACLs, including defining the ACEs defined for IP Based ACLs. 1. Click Network Security > IP Based ACL. The IP Based ACL Page opens.

Figure 39: IP Based ACL Page

The IP Based ACL Page contains the following fields:

ACL Name Displays the specific IP based ACLs. Remove ACL Deletes the specified ACL. The possible field values are:

Checked Deletes the ACL when user clicks the Apply button.

Unchecked Maintains the ACL. ACE Priority Indicates the rule priority, which determines which rule is matched to a packet on a firstmatch basis. Protocol Creates an ACE based on a specific protocol. The available protocols are:

ICMP Internet Control Message Protocol (ICMP). The ICMP allows the gateway or destination host to communicate with the source host. For example, reporting a processing error. IGMP Internet Group Management Protocol (IGMP). Allows hosts to notify their local switch or router that they want to receive transmissions assigned to a specific multicast group. IP Internet Protocol (IP). Specifies the format of packets and their addressing method. IP defines addresses to packets and forwards the packets to the correct port.

Page 60

Configuring Device Security

Defining Access Control

TCP Transmission Control Protocol (TCP). Enables two hosts to communicate and exchange data streams. TCP guarantees packet delivery, and guarantees packets are transmitted and received in the order they are sent. EGP Exterior Gateway Protocol (EGP). Permits the exchange of routing information between two neighboring gateway hosts in an autonomous systems network. IGP Interior Gateway Protocol (IGP). Permits the exchange of routing information between gateways in an autonomous network. UDP User Datagram Protocol (UDP). Communication protocol that transmits packets but does not guarantee their delivery. HMP Host Mapping Protocol (HMP). Collects network information from various networks hosts. HMP monitors hosts spread over the internet as well as hosts in a single network. RDP Remote Desktop Protocol (RDP). Allows clients to communicate with the Terminal Server over the network. IDPR Matches the packet to the Inter-Domain Policy Routing (IDPR) protocol. IDRP Matches the packet to the Inter-Domain Routing Protocol (IDRP). RSVP Matches the packet to the ReSerVation Protocol (RSVP). AH Authentication Header (AH). Provides source host authentication and data integrity. EIGRP Enhanced Interior Gateway Routing Protocol (EIGRP). Provides fast convergence, support for variable-length subnet mask, and supports multiple network layer protocols. OSPF The Open Shortest Path First (OSPF) protocol is a link-state, hierarchical interior gateway protocol (IGP) for network routing Layer Two (2) Tunneling Protocol, an extension to the PPP protocol that enables ISPs to operate Virtual Private Networks (VPNs). IPIP IP over IP (IPIP). Encapsulates IP packets to create tunnels between two routers. This ensures that IPIP tunnel appears as a single interface, rather than several separate interfaces. IPIP enables tunnel intranets to access the internet, and provides an alternative to source routing. PIM Matches the packet to Protocol Independent Multicast (PIM). L2TP Matches the packet to Layer 2 Internet Protocol (L2IP). ISIS Intermediate System - Intermediate System (ISIS). Distributes IP routing information throughout a single Autonomous System in IP networks.

Any Matches the protocol to any protocol. Source Port Defines the TCP/UDP source port to which the ACE is matched. This field is active only if 800/6-TCP or 800/17-UDP are selected in the Select from List drop-down menu. The possible field range is 0 - 65535. Destination Port Defines the TCP/UDP destination port. This field is active only if 800/6-TCP or 800/17UDP are selected in the Select from List drop-down menu. The possible field range is 0 - 65535. Source

IP Address Matches the source port IP address from which packets are addressed to the ACE. Mask Defines the source IP address wildcard mask. Wildcard masks specify which bits are used and which bits are ignored. A wild card mask of 255.255.255.255 indicates that no bit is important. A wildcard of 0.0.0.0 indicates that all the bits are important. For example, if the source IP address 149.36.184.198 and the wildcard mask is 255.36.184.00, the first eight bits of the IP address are ignored, while the last eight bits are used.

Page 61

Configuring Device Security

Defining Access Control

Destination

IP Address Matches the destination port IP address to which packets are addressed to the ACE.

Mask Defines the destination IP address wildcard mask. Wildcard masks specify which bits are used and which bits are ignored. A wild card mask of 255.255.255.255 indicates that no bit is important. A wildcard of 0.0.0.0 indicates that all the bits are important. For example, if the destination IP address 149.36.184.198 and the wildcard mask is 255.36.184.00, the first eight bits of the IP address are ignored, while the last eight bits are used. Flag Set Sets the indicated TCP flag that can be triggered. The possible values are:

Urg, Ack, Psh, Rst, Syn, and Fin. The indicated value setting is represented by one of the following:
1 Flag is set. 0 Flag is disabled.

x Dont care. ICMP Type Filters packets by ICMP message type. The field values are 0-255. ICMP Code Indicates and ICMP message code for filtering ICMP packets. ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. IGMP Type Filters packets by IGMP message or message types. DSCP Matches the packets DSCP value. IP Prec. Matches the packet IP Precedence value to the ACE. Either the DSCP value or the IP Precedence value is used to match packets to ACLs. The possible field range is 0-7. Action Indicates the action assigned to the packet matching the ACL. Packets are forwarded or dropped. In addition, the port can be shut down, a trap can be sent to the network administrator, or packet is assigned rate limiting restrictions for forwarding. The options are as follows:

2.

Permit Forwards packets which meet the ACL criteria. Deny Drops packets which meet the ACL criteria.

Shutdown Drops packet that meets the ACL criteria, and disables the port to which the packet was addressed. Ports are reactivated from the Port Management page. Delete To remove an ACE, click the ACEs checkbox and click the Delete button. Click the Add ACL Button. The Add IP Based ACL Page opens:

Page 62

Configuring Device Security

Defining Access Control

Figure 40: Add IP Based ACL Page

In addition to the IP Based ACL Page, the Add IP Based ACL Page contains the following fields:

Match QoS Enables or disables the ACL classification to identify flows based on QoS values, such as DSCP or IP Precedence. The possible field values are:

3. 4. 5.

Checked Enables identification of flows based on QoS values. Selecting this option makes the Match DSCP and Match IP Precedence fields available.

Unchecked Disables identification of flows based on QoS values. Define the fields. Click Apply. The IP Based ACL configuration is defined, and the device is updated. Click Save Config on the menu to save the changes permanently.

Page 63

Configuring Device Security

Defining Access Control

Adding ACE Rules

1. 2. Click Network Security > IP Based ACL. The IP Based ACL Page opens. Click the Add ACE button. The Add IP Based ACE Page page opens.

Figure 41: Add IP Based ACE Page

3. 4. 5.

Define the fields. Click Apply. The IP Based ACE rule is defined and the device is updated. Click Save Config on the menu to save the changes permanently.

To modify the IP Based ACL configuration: 1. Click Network Security > IP Based ACL. The IP Based ACL Page opens. 2. Click Modify. The IP Based ACL Configuration Page opens:

Page 64

Configuring Device Security

Defining Access Control

Figure 42: IP Based ACL Configuration Page

3. 4. 5.

Define the fields. Click Apply. The IP Based ACL configuration is defined, and the device is updated. Click Save Config on the menu to save the changes permanently.

Page 65

Configuring Device Security

Defining Access Control

Defining ACL Binding

When an ACL is bound to an interface, all the ACE rules that have been defined are applied to the selected interface. Whenever an ACL is assigned on an interface, flows from that ingress interface that do not match the ACL are matched to the default rule, which is Drop unmatched packets. 1. Click Network Security > ACL Binding. The ACL Binding Page opens:

Figure 43: ACL Binding Page

The ACL Binding Page contains the following fields:

Interface Indicates the interface to which the ACL is bound. The possible values are:

Trunk Trunk associated with the ACL. For each entry, an interface has a bound ACL.

Unit Stacking member and port associated with the ACL.

2.

Interface Indicates the interface associated with the ACL. ACL Name Indicates the ACL that is bound to the interface. Click the Edit button. The ACL Binding Configuration opens:

Page 66

Configuring Device Security

Defining Access Control

Figure 44: ACL Binding Configuration

The ACL Binding Configuration contains the following fields:

Interface Choose the interface to which the ACL is bound. The possible values are:

3. 4. 5.

Port Port associated with the ACL.

Trunk Trunk associated with the ACL. Select IP Based ACL or MAC Based ACL Choose the ACL which is bound to the interface. Define the fields. Click Apply. ACL binding is defined, and the device is updated. Click Save Config on the menu to save the changes permanently.

Page 67

Configuring DHCP Snooping

Section 5. Configuring DHCP Snooping

DHCP Snooping expands network security by providing an extra layer of security between untrusted interfaces and DHCP servers. By enabling DHCP Snooping network administrators can identify between trusted interfaces connected to end-users or DHCP Servers, and untrusted interface located beyond the network firewall. DHCP Snooping filters untrusted messages. DHCP Snooping creates and maintains a DHCP Snooping Table which contains information received from untrusted packets. Interfaces are untrusted if the packet is received from an interface from outside the network or from a interface beyond the network firewall. Trusted interfaces receive packets only from within the network or the network firewall. DHCP with Option 82 attaches authentication messages to the packets sent from the host. DHCP passes the configuration information to hosts on a TCP/IP network. This permits network administrators to limit address allocation authorized hosts. DHCP with Option 82 can be enabled only if DHCP snooping is enabled. The DHCP Snooping Table contains the untrusted interfaces MAC address, IP address, Lease Time, VLAN ID, and interface information. This section contains the following topics: Defining DHCP Snooping General Properties Defining DHCP Snooping on VLANs Defining Trusted Interfaces Binding Addresses to the DHCP Snooping Database

Defining DHCP Snooping General Properties

The DHCP Snooping General Page contains parameters for enabling DHCP Snooping on the device. To define DHCP Snooping on the device: 1. Click DHCP Snooping > General. The DHCP Snooping General Page opens:

Page 68

Configuring DHCP Snooping

Figure 45: DHCP Snooping General Page

The DHCP Snooping General Page contains the following fields:

Enable DHCP Snooping Status Indicates if DHCP Snooping is enabled on the device. The possible field values are:

Checked Enables DHCP Snooping on the device.

Unchecked Disables DHCP Snooping on the device. This is the default value. Pass Through Option 82 Indicates if DHCP Option 82 with data insertion is enabled on the device. The possible field values are: Enable If DHCP Option 82 with data insertion is enabled, the DHCP relay agent or DHCP Snooping switch can insert information into the DHCP DISCOVER message. The Relay agent information option specifies the port number from which the clients packet was received.

Disable Disables DHCP Option 82 with data insertion on the device. This is the default value. Verify MAC Address Indicates if MAC addresses are verified. The possible field values are: Enable Verifies that an untrusted port source MAC address matches the clients MAC address. Disable Disables verifying that an untrusted port source MAC address matches the clients MAC address. This is the default value. Backup Database Indicates if the DHCP Snooping Database is enabled. The possible field values are: Enable Enables storing allotted IP addresses in the DHCP Snooping Database.

Disable Disables storing allotted IP addresses in the DHCP Snooping Database. This is the default value. Database Update Interval Indicates how often the DHCP Snooping Database is updated. The possible field range is 600 86400 seconds. The field default is 1200 seconds.

Page 69

Configuring DHCP Snooping

DHCP Option 82 Insertion DHCP Option 82 attaches authentication messages to the packets sent to DHCP Server via TCP/IP network. The option permits network administrators to limit address allocation to authorized hosts only. This permits network administrators to limit address allocation authorized hosts. The possible field values are:

2. 3. 4.

Enable Enables DHCP Option 82 Insertion on the device.

Disable Disables DHCP Option 82 Insertion on the device. This is the default value. Define the fields. Click Apply. The DHCP Snooping configuration is defined and the device is updated. Click Save Config on the menu to save the changes permanently.

Defining DHCP Snooping on VLANs

The VLAN Settings Page allows network managers to enable DHCP snooping on VLANs. To enable DHCP Snooping on a VLAN, ensure DHCP Snooping is enabled on the device. To define DHCP Snooping on VLANs: 1. Click DHCP Snooping > VLAN Settings. The VLAN Settings Page opens:

Figure 46: VLAN Settings Page

The VLAN Settings Page contains the following fields:

2. 3.

VLAN ID Indicates the VLAN to be added to the Enabled VLAN list. Enabled VLANs Contains a list of VLANs for which DHCP Snooping is enabled. Select the VLAN name from the VLAN ID list and click Add. This VLAN name then appears in the Enabled VLANs list. Click Save Config on the menu to save the changes permanently.

Page 70

Configuring DHCP Snooping

Defining Trusted Interfaces

The Trusted Interfaces Page allows network manager to define Trusted interfaces. Trusted interfaces are connected to DHCP servers, switches, or hosts which do not require DHCP packet filtering. Trusted interfaces receive packets only from within the network or the network firewall, and are allowed to respond to DHCP requests. Packets sent from an interface outside the network, or from beyond the network firewall, are blocked by trusted interfaces. Conversely, untrusted interfaces can be configured to receive traffic from outside the network or the firewall. To define trusted interfaces: 1. Click DHCP Snooping > Trusted Interfaces. The Trusted Interfaces Page opens:

Figure 47: Trusted Interfaces Page

The Trusted Interfaces Page contains the following fields:

Global-level Parameter Interface Defines the interfaces whose trusted interface configuration is displayed. The possible field
values are:

Ports of Unit Displays the stacking member whose trusted interface configuration is displayed. Trunk Displays the trunks whose trusted interface configuration is displayed.

Interface-level Parameters Interface Contains a list of existing interfaces. Trust Indicates whether the interface is a Trusted interface.

Page 71

Configuring DHCP Snooping

2. 3.

From the global Interface field, define the specific port or trunk. In the table, select an interface and click Modify. The Trusted Configuration page opens.

Figure 48: Trusted Configuration Page

4.

Edit the following field: Trusted Status Indicates whether the interface is a Trusted Interface.

5. 6.

Enable Interface is in trusted mode.

Disable Interface is in untrusted mode. Click Apply. The Trusted Interfaces configuration is defined and the device is updated. Click Save Config on the menu to save the changes permanently.

Page 72

Configuring DHCP Snooping

Binding Addresses to the DHCP Snooping Database

The Binding Database Page contains parameters for querying and adding IP addresses to the DHCP Snooping Database. To bind addresses to the DHCP Snooping database: 1. Click DHCP Snooping > Binding Database. The Binding Database Page opens:

Figure 49: Binding Database Page

2.

Define any of the following fields as a query filter:

Query Parameters MAC Address Indicates the MAC addresses recorded in the DHCP Database. The Database can be
queried by MAC address. IP Address Indicates the IP addresses recorded in the DHCP Database The Database can be queried by IP address. VLAN Indicates the VLANs recorded in the DHCP Database. The Database can be queried by VLAN. Interface Contains a list of interface by which the DHCP Database can be queried. The possible field values are:

3.

Unit No. and Port Queries the VLAN database by a specific stacking member and port number.

Trunk Queries the VLAN database by trunk number. Click Query. The results appear in the Query Results table.

Page 73

Configuring DHCP Snooping

Query Results
The Query Results table contains the following fields:

MAC Address Indicates the MAC address found during the query. VLAN ID Displays the VLAN ID to which the IP address is attached in the DHCP Snooping Database. IP Address Indicates the IP address found during the query. Interface Indicates the specific interface connected to the address found during the query. Type Displays the IP address binding type. The possible field values are: Dynamic Indicates the IP address is dynamically defined by the DHCP server. Lease Time Displays the lease time. The Lease Time defines the amount of time the DHCP Snooping entry is active. Addresses whose lease times are expired are ignored by the switch. The possible values are 10 4294967295 seconds. In the Add Binding Database Page, select Infinite if the DHCP Snooping entry never expires. Click Create. The Add Binding Database Page opens.

Static Indicates the IP address is static.

4.

Figure 50: Add Binding Database Page

5. 6. 7. 8. 9.

Define the fields. Click Apply. The bound address is added to the DHCP Snooping database, the Add Binding Database Page closes, and the device is updated. To remove dynamic addresses from the Query Results table, click Clear Dynamic. Click Apply. The addresses in the Query Results table are added to the DHCP Snooping Database. Click Save Config on the menu to save the changes permanently.

Page 74

Configuring Ports
Setting Ports Configurations

Section 6. Configuring Ports

Port Configuration includes the following procedures for configuring ports and trunks on the device.

Setting Ports Configurations Aggregating Ports

Setting Ports Configurations

This section contains the following topics:

Defining Port Settings Configuring Port Mirroring

Defining Port Settings

The Port Settings Page contains fields for defining port parameters. To define port general settings: 1. Click Layer 1 > Port Settings. The Port Settings Page opens:

Figure 51: Port Settings Page

2.

Select the port(s). Clicking a port toggles it through the possible settings.

Page 75

Configuring Ports
Setting Ports Configurations

3.

Click Modify. The Port Setting Configuration Page opens:

Figure 52: Port Setting Configuration Page

The Port Setting Configuration Page contains the following fields: Port Lists the names of configured ports. Description Provides a user-defined port description. Port Type Indicates the type of port.

Page 76

Configuring Ports
Setting Ports Configurations

Admin Status Displays the link operational status. The possible field values are:

Up Indicates that the port is currently operating.

Down Indicates that the port is currently not operating. Current Port Status Indicates whether the port is currently operational or non-operational. The possible field values are: Up Indicates the port is currently operating. Down Indicates the port is currently not operating. Checked Reactivates the selected suspended port.

Reactivate Suspended Port Reactivates suspended ports. The possible field values are: Unchecked Maintains the port status. This is the default value. Operational Status Indicates the port operational status. Possible field values are: Suspended The port is currently active, and is not receiving or transmitting traffic. Active Indicates the port is currently active and is receiving and transmitting traffic. Disable Indicates the port is currently disabled, and is not receiving or transmitting traffic.

Unknown Indicates the port status is currently unknown. Admin Speed Indicates the configured rate for the port. The port type determines what speed setting options are available. Admin speed can only be designated when auto-negotiation is disabled. The possible field values are: 10M Indicates the port is currently operating at 10 Mbps. 100M Indicates the port is currently operating at 100 Mbps.

1000M Indicates the Giga port is currently operating at 1000 Mbps. Current Port Speed Displays the configured rate for the port. The port type determines the speed settings available. Port speeds can only be configured when auto-negotiation is disabled. Admin Duplex Indicates the port duplex mode. This field is configurable only when auto negotiation is disabled, and the port speed is set to 10M or 100M. This field cannot be configured on trunks. The possible field values are:

Full The interface supports transmission between the device and its link partner in both directions simultaneously. Half The interface supports transmission between the device and the client in only one direction at a time.

Current Duplex Mode Displays the current duplex mode. Auto Negotiation Defines the auto negotiation status on the port. Auto negotiation is a protocol between two link partners that enables a port to advertise its transmission rate, duplex mode, and flow control abilities to its partner. Current Auto Negotiation Displays the current Auto Negotiation setting.

Page 77

Configuring Ports
Setting Ports Configurations

Admin Advertisement Defines the auto negotiation setting the port advertises. The possible field values are:

Max Capability Indicates that all port speeds and duplex mode settings are accepted. 10 Half Indicates that the port advertises for a 10 Mbps speed port and half duplex mode setting. 10 Full Indicates that the port advertises for a 10 Mbps speed port and full duplex mode setting. 100 Half Indicates that the port advertises for a 100 Mbps speed port and half duplex mode setting. 100 Full Indicates that the port advertises for a 100 Mbps speed port and full duplex mode setting. 1000 Full Indicates that the port advertises for a 1000 Mbps speed port and full duplex mode setting.

Current Advertisement Indicates the port advertises its speed to its neighbor port to start the negotiation process. The possible field values are those specified in the Admin Advertisement field. Neighbor Advertisement Indicates the neighboring ports advertisement settings. Back Pressure Displays the back pressure mode on the port. Back pressure mode is used to adjust the transmission speed to avoid losing data. The possible field values are:

Enabled Indicates that back pressure is enabled for the selected port. Disabled Indicates that back pressure is currently disabled for the selected port. This is the default value.

Current Back Pressure Displays the current Back Pressure setting. Flow Control Displays the flow control status on the port. Operates when the port is in full duplex mode.

Enable Indicates that flow control is currently enabled for the selected port. Disable Indicates that flow control is currently disabled for the selected port. This is the default value.

Current Flow Control Displays the current Flow Control setting. MDI/MDIX Defines the MDI/MDIX status on the port. Hubs and switches are deliberately wired opposite the way end stations are wired, so that when a hub or switch is connected to an end station, a straight through Ethernet cable can be used, and the pairs are matched up properly. When two hubs or switches are connected to each other, or two end stations are connected to each other, a crossover cable is used to ensure that the correct pairs are connected. The possible field values are:

MDIX (Media Dependent Interface with Crossover) Use for hubs and switches. Current MDI/MDIX Displays the current MDI/MDIX setting. Trunk Defines if the port is part of a trunk. PVE Enables a port to be a Private VLAN Edge (PVE) port, which is isolated from other ports. When a port is defined as PVE, it bypasses the Forwarding Database (FDB), and forwards all Unicast, Multicast and Broadcast traffic to an uplink (except MAC-to-me packets). Uplinks can be an FE port or GE port. Traffic from the uplink is distributed to all interfaces. None indicates that the port is not defined as PVE. Only one uplink can be defined for a protected port. An IP address cannot be configured on the VLAN of which a protected port is a member.

Auto Use to automatically detect the cable type. MDI (Media Dependent Interface) Use for end stations.

4. 5. 6.

Define the fields. Click Apply. The port settings are saved and the device is updated. The Port Settings Page is displayed. Click Save Config on the menu to permanently save the change.

Page 78

Configuring Ports
Setting Ports Configurations

Configuring Port Mirroring

Port mirroring monitors and mirrors network traffic by forwarding copies of incoming and outgoing packets from one port to a monitoring port. Port mirroring can be used as a diagnostic tool as well as a debugging feature. Port mirroring also enables device performance monitoring. Network administrators can configure port mirroring by selecting a specific port from which to copy all packets, and other ports to which the packets copied. Any number of ports on the device can be mirrors, except the destination port. To define port mirroring: 1. Click Layer 1 > Port Mirroring. The Port Mirroring Page opens:

Figure 53: Port Mirroring Page

The Port Mirroring Page contains information about all port mirrors currently defined on the device. The following information is displayed:

Unit No. Indicates the stacking members unit number. Destination Port Defines the port number to which port traffic is copied. Note that this port has to be detached from its VLAN before mirroring is configured. Only one destination port can be defined. Source Port Indicates the port from which the packets are mirrored. Type Indicates the port mode configuration for port mirroring. The possible field values are:

RX Defines the port mirroring on receiving ports. TX Defines the port mirroring on transmitting ports. Both Defines the port mirroring on both receiving and transmitting ports.

Page 79

Configuring Ports
Setting Ports Configurations

Status Indicates if the port is currently monitored. The possible field values are:

2.

Active Indicates the port is currently monitored. Ready Indicates the port is not currently monitored.

Click Add. The Add Port Mirroring Page opens:

Figure 54: Add Port Mirroring Page

The Add Port Mirroring Page contains the following fields: Unit Number Displays the stacking member for which the port is defined. Source Port Defines the port from which traffic is to be analyzed. Type Indicates the port mode configuration for port mirroring. The possible field values are:

3. 4.

Rx Only Defines the port mirroring on receiving ports. Tx Only Defines the port mirroring on transmitting ports. This is the default value.

Tx and Rx Defines the port mirroring on both receiving and transmitting ports. Click Apply. The port mirror status indicators are updated. Click Save Config on the menu to permanently save the change.

To modify or delete a port mirror: 1. Click Layer 1 > Port Mirroring. The Port Mirroring Page opens. 2. Click Modify. The Port Mirroring Configuration opens.

Figure 55: Port Mirroring Configuration

Page 80

Configuring Ports
Setting Ports Configurations

3. 4. 5.

Define the Type field. Click Apply. The Port mirroring is modified, and the device is updated. Click Save Config on the menu to permanently save the change.

Page 81

Configuring Ports
Aggregating Ports

Aggregating Ports
Link Aggregation optimizes port usage by linking a group of ports together to form a single trunk. Aggregating ports multiplies the bandwidth between the devices, increases port flexibility, and provides link redundancy. The device supports both static trunks and Link Aggregation Control Protocol (LACP) trunks. LACP trunks negotiate aggregating port links with other LACP ports located on a different device. If the other device ports are also LACP ports, the devices establish a trunk between them. Ensure the following: All ports within a trunk must be the same media type. A VLAN is not configured on the port. The port is not assigned to a different trunk. Auto-negotiation mode is not configured on the port. The port is in full-duplex mode. All ports in the trunk have the same ingress filtering and tagged modes. All ports in the trunk have the same back pressure and flow control modes. All ports in the trunk have the same priority. All ports in the trunk have the same transceiver type. The device supports up to eight trunks, and eight ports in each trunk. Ports can be configured as LACP ports only if the ports are not part of a previously configured trunk. Ports added to a trunk lose their individual port configuration. When ports are removed from the trunk, the original port configuration is applied to the ports. This section contains the following procedures for configuring static port trunks on the device.

Defining Trunk Settings Defining Port Trunking Configuring LACP

Defining Trunk Settings

The Trunk Settings Page contains parameters for defining Trunks. To define a port trunk: 1. Click Layer 1 > Trunk Settings. The Trunk Settings Page opens:

Page 82

Configuring Ports
Aggregating Ports

Figure 56: Trunk Settings Page

The Trunk Settings Page displays information about the currently defined trunks and contains the following fields: Trunk Displays the trunk name. Description Displays the user-defined trunk name and/or description. Type Indicates the type of trunk defined by the first port assigned to the trunk. For example, 100-Copper, or 100-Fiber. Status Indicates if the trunk is currently linked. The possible field values are:

Up Indicates the trunk is currently linked, and is forwarding or receiving traffic.

Down Indicates the trunk is not currently linked, and is not forwarding or receiving traffic. Speed Displays the configured aggregated rate for the trunk. The possible field values are: 10 Indicates the port is currently operating at 10 Mbps. 100 Indicates the port is currently operating at 100 Mbps.

1000 Indicates the port is currently operating at 1000 Mbps. Auto Negotiation Displays the auto negotiation status of the trunk. Auto negotiation is a protocol between two link partners that enables a port to advertise its transmission rate, duplex mode, and flow control abilities to its partner. Flow Control Displays the flow control status of the trunk. LACP Indicates if LACP is enabled on the trunk. The possible values are: Enable LACP is enabled on the trunk.

Page 83

Configuring Ports
Aggregating Ports

2.

Disable LACP is disabled on the trunk.

PVE Enables a port to be a Private VLAN Edge (PVE) port. When a port is defined as PVE, it bypasses the Forwarding Database (FDB), and forwards all Unicast, Multicast and Broadcast traffic to an uplink (except MAC-to-me packets). Uplinks can be a port or GE port. Traffic from the uplink is distributed to all interfaces. Click Modify. The Trunk Setting Configuration Page opens:

Figure 57: Trunk Setting Configuration Page

The Trunk Setting Configuration Page contains the following fields:

Trunk Lists the names of configured trunks. Description Provides a user-defined trunk description. Type Indicates the type of trunk. Admin Status Displays the link operational status. Changes to the trunk state are active only after the device is reset. The possible field values are:

Up Indicates that the trunk is currently operating. Down Indicates that the trunk is currently not operating.

Page 84

Configuring Ports
Aggregating Ports

Current Status Indicates whether the trunk is currently operational or non-operational. The possible field values are:

Up Indicates the trunk is currently operating. Down Indicates the trunk is currently not operating. Checked Reactivates the selected suspended trunk.

Reactivate Suspended Reactivates suspended trunks. The possible field values are: Unchecked Maintains the trunk status. This is the default value. Operational Status Indicates the trunk operational status. Possible field values are: Suspended The trunk is currently active, and is not receiving or transmitting traffic. Active Indicates the trunk is currently active and is receiving and transmitting traffic.

Disable Indicates the trunk is currently disabled, and is not receiving or transmitting traffic. Admin Auto Negotiation Displays the auto negotiation status on the trunk. Auto negotiation is a protocol between two link partners that enables a trunk to advertise its transmission rate, duplex mode, and flow control abilities to its partner. Current Auto Negotiation Displays the current Auto Negotiation setting. Admin Advertisement Defines the auto negotiation setting the trunk advertises. The possible field values are: Max Capability Indicates that all trunk speeds and duplex mode settings are accepted. 10 Half Indicates that the trunk advertises for a 10 Mbps speed trunk and half duplex mode setting. 10 Full Indicates that the trunk advertises for a 10 Mbps speed trunk and full duplex mode setting. 100 Half Indicates that the trunk advertises for a 100 Mbps speed trunk and half duplex mode setting. 100 Full Indicates that the trunk advertises for a 100 Mbps speed trunk and full duplex mode setting. 1000 Full Indicates that the trunk advertises for a 1000 Mbps speed trunk and full duplex mode setting.

Current Advertisement Indicates the trunk advertises its speed to its neighbor trunk to start the negotiation process. The possible field values are those specified in the Admin Advertisement field. Neighbor Advertisement Indicates the neighboring trunks advertisement settings. The field values are identical to the Admin Advertisement field values. Admin Speed Indicates the configured rate for the trunk. The trunk type determines the speed settings available. Trunk speeds can only be configured when auto-negotiation is disabled. The possible field values are: 100M Indicates the trunk is currently operating at 100 Mbps. Current Speed Displays the configured rate for the trunk. Admin Flow Control Displays the flow control status on the trunk. Operates when the trunk is in full duplex mode.

10M Indicates the trunk is currently operating at 10 Mbps.

Enable Indicates that flow control is currently enabled for the selected trunk. This is the default value. Disable Indicates that flow control is currently disabled for the selected trunk.

Current Flow Control Displays the current Flow Control setting. LACP Indicates if LACP is enabled on the trunk. The possible values are:

Enabled LACP is enabled on the trunk. Disabled LACP is disabled on the trunk.

Page 85

Configuring Ports
Aggregating Ports

3. 4.

PVE Enables a port to be a Private VLAN Edge (PVE) port. When a port is defined as PVE, it bypasses the Forwarding Database (FDB), and forwards all Unicast, Multicast and Broadcast traffic to an uplink (except MAC-to-me packets). Uplinks can be a port or GE port. Traffic from the uplink is distributed to all interfaces. Modify the fields. Click Apply. The Trunk settings are saved and the device is updated.

Defining Port Trunking

The Port Trunking Page displays information about the defined trunks. To modify Port Trunking settings: 1. Click Layer 1 > Port Trunking. The Port Trunking Page opens:

Figure 58: Port Trunking Page

The Port Trunking Page contains information about all port trunks currently defined on the device. The following information is displayed:

2. 3.

Trunk Displays the ID number of the trunk. Name Displays the name of the trunk. The name can be up to sixteen alphanumeric characters. No spaces or special characters, such as asterisks and exclamation points, are allowed. Each trunk must be given a unique name. Link State Indicates the current link status. Members Indicates the ports which are defined for the trunk. Select the trunk to modify. Click Modify. The Port Trunking Configuration Page opens:

Page 86

Configuring Ports
Aggregating Ports

Figure 59: Port Trunking Configuration Page

In addition to the fields in the The Port Trunking Page, the Port Trunking Configuration Page contains the following additional field:

Unit Number Displays the stacking member for which the port trunking parameters are defined. LACP Indicates if LACP is enabled on the trunk. The possible field values are:

4. 5. 6. 7.

Checked Enables LACP on the trunk.

Unchecked Disables LACP on the trunk. This is the default value. Modify the Trunk, LACP, Unit Number, and Trunk Name fields. arrow. The selected ports are displayed as

Select the ports for the trunk from the Port List using the

Trunk Members. Click Apply. Trunking information is modified and the device is updated. Click Save Config in the Trunk Settings Page menu to permanently save the changes.

Page 87

Configuring Ports
Aggregating Ports

Configuring LACP
Trunk ports can contain different media types if the ports are operating at the same speed. Aggregated links can be set up manually or automatically established by enabling Link Aggregation Control Protocol (LACP) on the relevant links. Aggregate ports can be linked into link-aggregation port-groups. Each group is comprised of ports with the same speed. The LACP Page contains fields for configuring LACP trunks. To configure LACP for trunks: 1. Click Layer 1 > LACP. The LACP Page opens:

Figure 60: LACP Page

The LACP Page contains the following fields:

2.

LACP System Priority Specifies system priority value. The field range is 1-65535. The field default is 1. Unit Number Displays the stacking member for which the trunk parameters are defined. Port Displays the port number to which timeout and priority values are assigned. Port Priority Displays the LACP priority value for the port. The field range is 1-65535. LACP Timeout Displays the administrative LACP timeout. Click Modify. the LACP Configuration Page opens:

Page 88

Configuring Ports
Aggregating Ports

Figure 61: LACP Configuration Page

3. 4.

Define the fields. Click Apply. The LACP settings are saved and the device is updated.

Page 89

Configuring Interfaces

Section 7. Configuring Interfaces

This section contains information on configuring the interfaces of the device. This section describes the following topics:

Defining MAC Addresses Configuring VLANs Defining MAC Based Groups

Defining MAC Addresses

The MAC Address Page contains parameters for querying information in the Static MAC Address Table and the Dynamic MAC Address Table, in addition to viewing and configuring Unicast addresses. The MAC Address tables contain address parameters by which packets are directly forwarded to the ports and can be sorted by interface, VLAN, and MAC Address. To configure MAC addresses: 1. Click Layer 2 > MAC Address. The MAC Address Page opens:

Figure 62: MAC Address Page

Page 90

Configuring Interfaces

The MAC Address Page contains the following fields: View Static Displays the static addresses assigned to the ports on the device. View Dynamic Displays the dynamic addresses learned on the ports on the device. View MAC Addresses on Interface Displays the ports or trunks dynamic or static MAC addresses. View MAC Addresses for VLAN Displays the static or dynamic addresses learned on the tagged and untagged ports of a specific VLAN. You specify the VLAN by entering the VLAN ID. Only one VLAN at one time can be defined. View MAC Address Displays the number of the port on which a MAC address was assigned or learned. To find out on which port a particular MAC address was learned, even if the device is part of a large network, specify the MAC address. The system automatically locates the port that is connected to the device.

2. 3.

Delete All Dynamic MAC Addresses Clicking Delete removes all dynamic addresses from the MAC Address Table. Define the fields for the Unicast or Multicast MAC addresses to add. Click Add. The Add MAC Address Page opens:

Figure 63: Add MAC Address Page

The Add MAC Address Page contains the following fields: Interface Indicates the port or trunk on which the address was learned or assigned. MAC Address Defines the static Unicast MAC address. VLAN ID Displays the VLAN ID number to which the entry refers. VLAN Name Displays the VLAN name to which the entry refers. Status Indicates the current status of the address. The possible values are:

Permanent The MAC address is permanent. Delete on Reset The MAC address is deleted when the device is reset. Delete on Timeout The MAC address is deleted when a timeout occurs. Secure Options The MAC Address is defined for locked ports. Note When viewed, the information also includes the Type of the address: static or dynamic.

4.

Click Apply. The new MAC address is added to the addresses table and the device information is updated.

Page 91

Configuring Interfaces

To delete all MAC addresses: 1. Click Layer 2 > MAC Address. The MAC Address Page opens. 2. Click Delete in the Delete All MAC Addresses section of the MAC Address Page. All addresses are cleared from the Dynamic MAC Address Table and the device begins to learn new addresses as packets arrive on the ports. To view or remove static MAC addresses: 1. Click Layer 2 > MAC Address. The MAC Address Page opens. 2. Click View. Depending on whether View Static or View Dynamic is chosen, the View Static MAC Address Table Page or View Dynamic MAC Address Table Page opens:

Figure 64: View Static MAC Address Table Page

The View Static MAC Address Table Page and or View Dynamic MAC Address Table Page display all static or dynamic MAC addresses, respectively. 3. Click the radio button to select a VLAN ID. 4. Click Delete. The MAC Address is deleted from the list (applicable to Static addresses only). 5. Click Refresh. The MAC Address information is updated. 6. Click Close. The MAC Address Page is displayed.

Page 92

Configuring Interfaces
Configuring VLANs

Configuring VLANs
This section describes how to create and configure Virtual LANs (VLANs). VLANs are logical subgroups with a Local Area Network (LAN) which combine user stations and network devices into a single unit, regardless of the physical LAN segment to which they are attached. VLANs allow network traffic to flow more efficiently within subgroups. VLANs use software to reduce the amount of time it takes for network changes, additions, and moves to be implemented. VLANs have no minimum number of ports, and can be created per unit, per device, or through any other logical connection combination, since they are software-based and not defined by physical attributes. VLANs function at Layer 2. Since VLANs isolate traffic within the VLAN, a Layer 3 router working at a protocol level is required to allow traffic flow between VLANs. Layer 3 routers identify segments and coordinate with VLANs. VLANs are Broadcast and Multicast domains. Broadcast and Multicast traffic is transmitted only in the VLAN in which the traffic is generated. VLAN tagging provides a method of transferring VLAN information between VLAN-aware devices. VLAN tagging attaches a 4-byte tag to frame headers. The VLAN tag indicates to which VLAN the frames belong. VLAN tags are attached to the VLAN by either the end station or the network device. VLAN tags also contain VLAN network priority information. Combining VLANs and Generic Attribute Registration Protocol (GARP) allows network managers to define network nodes into Broadcast domains. When configuring VLANs ensure the following:

When using this feature, the management VLAN must exist on each AT-S95 Series device that you want to manage.

The uplink and downlink ports on each device that are functioning as the tagged or untagged data links between the devices must be either tagged or untagged members of the management VLAN. The port on the device to which the management station is connected must be a member of the management VLAN. This section contains the following topics:

Defining VLAN Properties Defining VLAN Interface Settings Defining GVRP

Page 93

Configuring Interfaces
Configuring VLANs

Defining VLAN Properties

The VLAN Page provides information and global parameters for configuring and working with VLANs. To configure a VLAN: 1. Click Layer 2 > VLAN. The VLAN Page opens:

Figure 65: VLAN Page

The VLAN Page is divided into two sections. The first section contains the following fields: VLAN ID Defines the VLAN ID. Possible VLAN IDs are 1-4095, in which 1 is reserved for the default VLAN, and 4095 is reserved as the discard VLAN. VLAN Name Displays the user-defined VLAN name. VLAN Type Displays the VLAN type. The possible field values are:

Dynamic Indicates the VLAN was dynamically created through GARP. Static Indicates the VLAN is user-defined. Default Indicates the VLAN is the default VLAN. Checked Deletes the specified VLAN.

Delete VLAN Removes the specified VLAN. The possible field values are:

Unchecked Maintains the specified VLAN. The second section contains a table that maps VLAN parameters to ports.

Select the interfaces displayed in the table.

Ports of Unit Specifies the port and stacking member for which the VLAN mapping is displayed. Trunk Specifies the trunk for which the VLAN mapping is displayed.

Page 94

Configuring Interfaces
Configuring VLANs

Interface Status Indicates the interfaces membership status in the VLAN. The possible field values are:

2.

Tagged Indicates the interface is a tagged member of a VLAN. All packets forwarded by the interface are tagged. The packets contain VLAN information. Untagged Indicates the interface is an untagged VLAN member. Packets forwarded by the interface are untagged. In the default VLAN, this is the default value for all interfaces. Excluded Indicates that the port is excluded from the VLAN.

Forbidden Indicates that the port cannot be included in the VLAN. Click the Add button. The Add VLAN Page opens:

Figure 66: Add VLAN Page

3. 4.

Define the fields. Click Apply. The VLAN is created, and the device is updated.

To modify VLAN settings: 1. Click Layer 2 > VLAN. The VLAN Page opens: 2. Select a VLAN from the table. 3. Click Modify. The VLAN Configuration opens.

Figure 67: VLAN Configuration

4. 5. 6.

Change the Interface Status setting. Click Apply. The VLAN configuration is modified, and the device is updated. Click Save Config on the menu to permanently save the change.

Page 95

Configuring Interfaces
Configuring VLANs

Defining VLAN Interface Settings

The VLAN Interface Page contains fields for managing ports that are part of a VLAN. To define a VLAN interface: 1. Click Layer 2 > VLAN Interface. The VLAN Interface Page opens:

Figure 68: VLAN Interface Page

The VLAN Interface Page displays the VLAN interface information for a selected Port/Unit or Trunk:

Select the interfaces displayed in the table.

Ports of Unit Specifies the port and stacking member for which the VLAN mapping is displayed.

Trunk Specifies the trunk for which the VLAN mapping is displayed. Interface Displays the port or trunk number. Interface VLAN Mode Indicates the interface membership status in the VLAN. The possible values are: General Indicates the port belongs to VLANs, and each VLANs interface is user-defined as tagged or untagged (full IEEE802.1q mode). Access Indicates a port belongs to a single untagged VLAN. When a port is in Access mode, the packet types which are accepted on the port cannot be designated. Ingress filtering is always enabled for ports in Access mode. Trunk Indicates the port belongs to VLANs in which all VLANs are tagged, except for one VLAN that is untagged.

Page 96

Configuring Interfaces
Configuring VLANs

PVID Port Default VLAN ID. Assigns a VLAN ID to untagged packets. The possible values are 1-4094. VLAN 4095 is defined as per standard and industry practice as the Discard VLAN. Packets classified to the Discard VLAN are dropped. Frame Type Specifies the packet type accepted on the port. The possible field values are:

2. 3.

Admit Tag Only Only tagged packets are accepted on the port. Admit All Both tagged and untagged packets are accepted on the port. Enable Enables ingress filtering on the device. Ingress filtering discards packets that are defined to VLANs of which the specific port is not a member. Disable Disables ingress filtering on the device.

Ingress Filtering Indicates whether ingress filtering is enabled on the port. The possible field values are:

Reserved VLAN Indicates the VLAN that is currently reserved for internal use by the system. Select an interface from the table. Click Modify. The VLAN Interface Configuration Page opens:

Figure 69: VLAN Interface Configuration Page

In addition to the VLAN Interface Page, the VLAN Interface Configuration Page contains the following field:

4. 5. 6.

Reserve VLAN for Internal Use Indicates which VLAN is reserved for internal use by the system. One VLAN must be reserved. Define the fields. Click Apply. The VLAN interface configuration is saved and the device is updated. Click Save Config on the menu to permanently save the change.

Page 97

Configuring Interfaces
Configuring VLANs

Defining GVRP
The GVRP Page enables users to configure GARP VLAN Registration Protocol (GVRP) on the device. GVRP is specifically provided for automatic distribution of VLAN membership information among VLAN-aware bridges. GVRP allows VLAN-aware bridges to automatically learn VLANs to bridge ports mapping, without having to individually configure each bridge and register VLAN membership. In the GVRP Page, users can do the following tasks:

Configuring GVRP Enabling/Disabling GVRP on a Port Caution The settings for the three GVRP timers must be the same on all GVRP-active devices in your network. This is configurable only in the CLI, using the config-if garp timer command.

Configuring GVRP
To define GVRP on the device: 1. Click Layer 2 > GVRP. The GVRP Page opens:

Figure 70: GVRP Page

The GVRP Page contains the following fields: GVRP Global Status Indicates if GVRP is enabled on the device. The possible field values are:

Enable Enables GVRP on the selected device. Disable Disables GVRP on the selected device.

Page 98

Configuring Interfaces
Configuring VLANs

Select the interfaces displayed in the table.

Ports of Unit Specifies the port and stacking member for which the GVRP settings are displayed.

Trunk Specifies the trunk for which the GVRP settings are displayed. Interface Displays the port or trunk name on which GVRP is enabled. The possible field values are: GVRP State Indicates if GVRP is enabled on the port. The possible field values are: Enable Enables GVRP on the interface. Disable Disables GVRP on the interface.

Dynamic VLAN Creation Indicates if Dynamic VLAN creation is enabled on the interface. The possible field values are:

Enable Enables Dynamic VLAN creation on the interface. Disable Disables Dynamic VLAN creation on the interface.

GVRP Registration Indicates if VLAN registration through GVRP is enabled on the interface. The possible field values are:

2. 3. 4. 5.

Enable Enables GVRP registration on the device. Disable Disables GVRP registration on the device.

Select Enable GVRP. Define the GVRP parameters. Click Apply. The global GVRP parameters are saved and the device is updated. Click Save Config on the menu to permanently save the change.

Enabling/Disabling GVRP on a Port

To enable or disable GVRP on ports: 1. Click Layer 2 > GVRP. The GVRP Page opens. 2. Select a Port on Unit or Trunk. 3. Click Modify. The GVRP Configuration Page opens:

Figure 71: GVRP Configuration Page

4. 5. 6.

Select the interface (Port or Trunk). Define the fields. Click Apply. The change to the GVRP mode is activated on the selected interface.

Page 99

Configuring Interfaces
Defining MAC Based Groups

Defining MAC Based Groups

The MAC Based Groups Page allows network managers to group VLANs based on the VLAN MAC address, and to map protocol groups to VLANs. For these purposes, the page contains two tables:

MAC-Based Groups table Mapping Group table To define MAC Based Groups: 1. Click Layer 2 > MAC Based Groups. The MAC Based Groups Page opens:

Figure 72: MAC Based Groups Page

The MAC Based Groups Page contains the following fields: MAC-Based Group In the MAC-Based Group table, network managers group VLANs based on the VLAN MAC address.

MAC Address Displays the MAC address associated with the VLAN group. Prefix Displays the MAC prefix associated with the MAC group. Group ID Displays the VLAN Group ID. Mapping Groups In the Mapping Group table, network managers assign MAC groups to interfaces. Interface Indicates the interface type to add to the VLAN group. The possible field values are:

Port Indicates the specific port added to the VLAN group. Trunk Indicates the specific trunk added to the VLAN group.

Page 100

Configuring Interfaces
Defining MAC Based Groups

2.

Group ID Defines the protocol group ID to which the interface is added. VLAN ID Attaches the interface to a user-defined VLAN ID. VLAN group ports can be attached to a VLAN ID. The possible field range is 1-4093, and 4095 (4094 is not available for configuration). Below the MAC-Based Group table, click the Add button. The Add MAC Address Group Page opens:

Figure 73: Add MAC Address Group Page

In addition to the fields in the MAC Based Groups Page, the Add MAC Address Group Page contains the following additional fields:

3. 4.

Host Defines the specified MAC address as the only address associated with the VLAN group. Define the fields. Click Apply. The MAC based VLAN group is defined, and the device is updated.

To modify MAC based group settings: 1. Click Layer 2 > MAC Based Groups. The MAC Based Groups Page opens: 2. Click Modify. The MAC Address Group Configuration opens.

Figure 74: MAC Address Group Configuration

3. 4. 5.

Modify the fields. Click Apply. The MAC based VLAN group is modified, and the device is updated. Click Save Config on the menu to permanently save the change.

Page 101

Configuring Interfaces
Defining MAC Based Groups

To add a mapped group: 1. 2. Click Layer 2 > MAC Based Groups. The MAC Based Groups Page opens: Below the Mapping Group table, click the Add button. The Add MAC Address Group Mappings Page opens:

Figure 75: Add MAC Address Group Mappings Page

In addition to the fields in the MAC Based Groups Page, the Add MAC Address Group Mappings Page contains the following additional fields:

3. 4.

Group Type Indicates the VLAN Group to which interfaces are mapped. The possible field value is:

MAC-based Indicates that interfaces are mapped to MAC based VLAN groups. Select a VLAN to map with the group (VLAN ID). Click Apply. The mapping group is added, and the device is updated.

To modify mapping group settings: 1. Click Layer 2 > MAC Based Groups. The MAC Based Groups Page opens: 2. Click Modify. The MAC Address Group Mappings Configuration Page opens.

Figure 76: MAC Address Group Mappings Configuration Page

3. 4.

Change the mapped VLAN (VLAN ID). Click Apply. The mapping group is modified, and the device is updated.

Page 102

Configuring System Logs

Section 8. Configuring System Logs

This section provides information for managing system logs. System logs enable viewing device events in real time and recording the events for later usage. System Logs record and manage events, and report errors and informational messages. This section includes the following topics:

Defining Log Settings Viewing Temporary and Flash Logs

Defining Log Settings

Event messages have a unique format, which is the Syslog protocols recommended message format for all error reporting. For example, Syslog and local device reporting messages are assigned a severity code and include a message mnemonic which identifies the source application generating the message. This allows messages to be filtered based on their urgency or relevancy. The message severity determines the set of event logging devices that are sent for each event message. The default severity for all logs is Informational, with the exception of logs in the Remote Log Server, which are Error. The following table lists the available system log severity levels and the corresponding messages: Table 3: Seve rity Emergency System Log Severity Levels Le vel 0 De scrip tio n The highest warning level. If the device is down or not functioning properly, an emergency log message is saved to the specified logging location. The second highest warning level. An alert log is saved if there is a serious device malfunction. For example, all device features are down. The third highest warning level. A critical log is saved if a critical device malfunction occurs. For example, two device ports are not functioning, while the rest of the device ports remain functional A device error has occurred. For example, a single port is offline. The lowest level of a device warning. The device is functioning, but an operational problem has occurred. The system is functioning properly, but a system notice has occurred. Mess ag e The system is not functioning.

Alert

The system needs immediate attention.

Critical

The system is in a critical state.

Error

A system error has occurred.

Warning

A system warning has occurred.

Notice

The system is functioning properly, but a system notice has occurred.

Page 103

Configuring System Logs

Seve rity Informational Debug

Le vel 6 7

De scrip tio n Provides device information. Provides detailed information about the log. If a Debug error occurs, contact Customer Tech Support.

Mess ag e Provides device information. Provides detailed information about the log. If a Debug error occurs, contact Customer Tech Support.

The Event Log Page page contains fields for defining which events are recorded to which logs. It contains fields for enabling logs globally and parameters for defining logs. To view system log parameters: 1. Click System > Event Log. The Event Log Page opens:

Figure 77: Event Log Page

The Event Log Page contains the following fields: The Configure Log Outputs table displays the following log information: Type Indicates the log type included in the output. The possible values are:

Console Indicates that the output is of a console log. Temporary Indicates that the output is of the temporary memory log. Syslog Indicates that the output is of a system log. Flash Indicates that the output is of a Flash memory log.

Page 104

Configuring System Logs

IP Address Displays the defined IP address of the syslog server. Minimum Severity Indicates the defined minimum severity level. Description Provides additional information about the syslog server.

Clearing Event Logs

To clear all events from the log: 1. Click System > Event Log. The Event Log Page opens: 2. Click Clear Logs. The stored logs are cleared. If logging is enabled, the system begins to log new events.

Adding Log Servers

To add a log server: 1. Click System > Event Log. The Event Log Page opens. 2. Select a Log Type in the Configure Log Outputs table 3. Click Add. The Add Syslog Page opens:

Figure 78: Add Syslog Page

The Add Syslog Page contains the following fields: Log Server IP Address Defines the IP address of the syslog server. Description Provides any additional information about the syslog server, for example its location. UDP Port Defines the UDP port to which the server logs are sent. The possible range is 1-65535. The default value is 514. Minimum Severity Indicates the minimum severity level to be included in the log output. All logs that have the severity higher than the minimum severity are also included in the output. When the minimum severity level is defined, logs of all higher severity levels are selected automatically.

Page 105

Configuring System Logs

4. 5.

Facility Defines an application from which system logs are sent to the remote server. Only one facility can be assigned to a single server. If a second facility level is assigned, the first facility is overridden. All applications defined for a device utilize the same facility on a server. The field default is Local 7. The possible field values are Local 0 - Local 7. Define the fields. Click Apply. The Log server is defined and the device is updated.

Modifying Log Servers

Clicking Modify opens the Event Log Configuration Page, in which administrators can modify Server Log entries. To modify a Server Log entry: 1. Select the entry in the Log Table and click Modify. The Event Log Configuration Page opens.

Figure 79: Event Log Configuration Page

2. 3. 4.

Define the relevant fields. Click Apply. The Server Log configuration is updated in the Log Table. The device is updated. Click Save Config in the Event Log Page menu to save the changes permanently.

Viewing Temporary and Flash Logs

The Temporary Log and View Flash Log Pages contain information about log entries saved to the respective log files, including the time the log was generated, the log severity, and a description of the log message. The Flash log is available after reboot, but the Temporary log is deleted during reboot. To display Flash logs: 1. Click System > Event Log. The Event Log Page opens. 2. In the Configure Log Outputs table, select a Temporary or Flash entry. 3. Click View. The selected log page opens:

Page 106

Configuring System Logs

Figure 80: View Flash Log Page

The View Flash Log Page and View Temporary Log Page list the following information: Log Index The log index number. Log Time The date and time that the log was entered. Severity The severity of the event for which the log entry was created. Description The event details. To clear memory logs: 1. Click Clear Logs. Logs are removed from the table. 2. Click Close. The Event Log Page is displayed.

Page 107

Configuring Spanning Tree

Configuring Classic Spanning Tree

Section 9. Configuring Spanning Tree

Spanning Tree Protocol (STP) provides tree topography for any arrangement of bridges. STP also provides a single path between end stations on a network, eliminating loops. Loops occur when alternate routes exist between hosts. Loops in an extended network can cause bridges to forward traffic indefinitely, resulting in increased traffic and reducing network efficiency. The device supports the following STP versions:

Classic STP Provides a single path between end stations, avoiding and eliminating loops. For more information on configuring Classic STP, see Configuring Classic Spanning Tree. Rapid STP Detects and uses network topologies that provide faster convergence of the spanning tree, without creating forwarding loops. For more information on configuring Rapid STP, see Configuring Rapid Spanning Tree. Multiple STP Provides various load balancing scenarios. For example, if port A is blocked in one STP instance, the same port can be placed in the Forwarding State in another STP instance. For more information on configuring Multiple STP, see Configuring Multiple Spanning Tree.

This section contains the following topics: Configuring Classic Spanning Tree Configuring Rapid Spanning Tree Configuring Multiple Spanning Tree

Configuring Classic Spanning Tree

This section contains the following topics:

Defining STP Properties Defining STP Interfaces

Page 108

Configuring Spanning Tree

Configuring Classic Spanning Tree

Defining STP Properties

The Spanning Tree Page contains parameters for enabling and configuring STP on the device. To enable STP on the device: 1. Click Layer 2 > Spanning Tree. The Spanning Tree Page opens:

Figure 81: Spanning Tree Page

The STP General section of the Spanning Tree Page contains the following fields:

Spanning Tree State Indicates whether STP is enabled on the device. The possible field values are:

Enable Enables STP on the device. Disable Disables STP on the device.

STP Operation Mode Specifies the STP mode that is enabled on the device. The possible field values are:

Classic STP Enables Classic STP on the device. This is the default value. Rapid STP Enables Rapid STP on the device. Multiple STP Enables Multiple STP on the device.

BPDU Handling Determines how BPDU packets are managed when STP is disabled on the port or device. BPDUs are used to transmit spanning tree information. The possible field values are:

Filtering Filters BPDU packets when spanning tree is disabled on an interface. Flooding Floods BPDU packets when spanning tree is disabled on an interface. This is the default value.

Page 109

Configuring Spanning Tree

Configuring Classic Spanning Tree

Path Cost Default Values Specifies the method used to assign default path cost to STP ports. The possible field values are:

Short Specifies 1 through 65,535 range for port path cost. Long Specifies 1 through 200,000,000 range for port path cost. This is the default value.

The Bridge Settings section of the Spanning Tree Page contains the following fields: Priority Specifies the bridge priority value. When switches or bridges are running STP, each is assigned a priority. After exchanging BPDUs, the device with the lowest priority value becomes the Root Bridge. The default value is 32768. The port priority value is provided in increments of 4096; the value range is 0-65535. Hello Time Specifies the device Hello Time, in seconds. The Hello Time is the time interval during which a Root Bridge waits between configuration messages. The value range is 1-10 seconds; the default value is 2 seconds. Max Age Specifies the device Maximum Age Time, in seconds. The Maximum Age Time is the time interval during which a bridge waits before sending configuration messages. The value range is 6-40 seconds; the default value is 20 seconds. Forward Delay Specifies the device Forward Delay Time, in seconds. The Forward Delay Time is the time interval during which a bridge remains in the listening-and-learning state before forwarding packets. The value range is 4-30 seconds; the default value is 15 seconds. The Designated Root section of the Spanning Tree Page contains the following fields: Bridge ID Identifies the Bridge priority and MAC address. Root Bridge ID Identifies the Root Bridge priority and MAC address. Root Port Indicates the port number that offers the lowest cost path from this bridge to the Root Bridge. This field is significant when the bridge is not the Root Bridge. The default is zero. Root Path Cost The cost of the path from this bridge to the Root Bridge. Topology Changes Counts Specifies the total amount of STP state changes that have occurred. Last Topology Change Indicates the time interval that has elapsed since the bridge was initialized or reset, and the last topographic change that occurred. The time is displayed in a day-hour-minute-second format, such as 2 days 5 hours 10 minutes and 4 seconds.

2. 3. 4.

Complete the STP General and Bridge Settings fields. Click Apply. The new STP definition is added and device information is updated. Click Save Config on the menu to save the settings permanently.

Page 110

Configuring Spanning Tree

Configuring Classic Spanning Tree

Defining STP Interfaces

Network administrators can assign STP settings to a specific interface (port or trunk) using the STP Interface Configuration Page. The Global trunks section displays the STP information for Link Aggregated Groups. To assign STP settings to an interface (port or trunk): 1. Click Layer 2 > Spanning Tree. The Spanning Tree Page opens. 2. Click Configure. The STP Interface Configuration Page opens:

Figure 82: STP Interface Configuration Page

The STP Interface Configuration Page contains the following sections: STP Port Parameters table Global System Trunk table The parameters listed in both tables are identical. The STP Interface Configuration Page contains the following fields: Select the interfaces displayed in the table.

Ports of Unit Specifies the port and stacking member for which the STP settings are displayed.

Trunk Specifies the trunk for which the STP settings are displayed. Port/Trunks Indicates the port or trunk number. STP Indicates if STP is enabled on the port. The possible field values are: Enabled Indicates that STP is enabled on the port. Disabled Indicates that STP is disabled on the port.

Page 111

Configuring Spanning Tree

Configuring Classic Spanning Tree

Port Fast Indicates if Fast Link is enabled on the port. If Fast Link mode is enabled for a port, the Port State is automatically placed in the Forwarding state when the port link is up. Fast Link optimizes the STP protocol convergence. STP convergence can take 30-60 seconds in large networks. The possible values are:

Enable Port Fast is enabled. Disable Port Fast is disabled.

Auto Port Fast mode is enabled a few seconds after the interface becomes active. Root Guard Prevents devices outside the network core from being assigned the spanning tree root. Port State Displays the current STP state of a port. If enabled, the port state determines what forwarding action is taken on traffic. Possible port states are: Disabled Indicates that STP is currently disabled on the port. The port forwards traffic while learning MAC addresses. Blocking Indicates that the port is currently blocked and cannot forward traffic or learn MAC addresses. Blocking is displayed when Classic STP is enabled.

Forwarding Indicates the port is currently in the Forwarding mode. The port can forward traffic and learn new MAC addresses. Port Role Displays the port role assigned by the STP algorithm to provide to STP paths. The possible field values are:

Root Provides the lowest cost path to forward packets to the root switch. Designated The port or trunk through which the designated switch is attached to the LAN. Alternate Provides an alternate path to the root switch from the root interface. Backup Provides a backup path to the designated port path toward the Spanning Tree leaves. Backup ports occur only when two ports are connected in a loop by a point-to-point link, or when a LAN has two or more connections connected to a shared segment.

3. 4.

Disabled The port is not participating in the Spanning Tree. Speed Indicates the speed at which the port is operating. Path Cost Indicates the port contribution to the root path cost. The path cost is adjusted to a higher or lower value, and is used to forward traffic when a path is rerouted. Priority Indicates the priority value of the port connected to the selected port. A lower priority increases the probability of connecting to a root port. The priority value is between 0-240. The priority value is determined in increments of 16. Designated Bridge ID Indicates the bridge priority and the MAC Address of the designated bridge. Designated Port ID Indicates the selected port priority and interface. Designated Cost Indicates the cost of the port participating in the STP topology. Ports with a lower cost are less likely to be blocked if STP detects loops. Forward Transitions Indicates the number of times the port has changed from Forwarding state to Blocking state. Trunk Indicates the trunk to which the port belongs. Select the Unit, in the STP Interface Configuration section. Click Modify. The Spanning Tree Configuration Page for ports or for trunks opens:

Page 112

Configuring Spanning Tree

Configuring Classic Spanning Tree

Figure 83: Spanning Tree Configuration Page

In addition to the STP Interface Configuration Page, the port-level Spanning Tree Configuration Page contains the following fields: Default Path Cost Select if the default path cost of the port is automatically set by the port speed and the default path cost method. 5. Select Enable in the STP field. 6. Define the Port Fast, Enable Root Guard, Path Cost, Default Path Cost, and Priority fields. 7. Click Apply. STP is enabled on the interface, and the device is updated.

Page 113

Configuring Spanning Tree

Configuring Rapid Spanning Tree

Configuring Rapid Spanning Tree

While Classic STP prevents Layer 2 forwarding loops in a general network topology, convergence can take between 30-60 seconds. This time may delay detecting possible loops and propagating status topology changes. Rapid Spanning Tree Protocol (RSTP) detects and uses network topologies that allow a faster STP convergence without creating forwarding loops. To define RSTP on the device: 1. Click Layer 2 > RSTP. The RSTP Page opens:

Figure 84: RSTP Page

The RSTP Page contains the following fields:

Select the interfaces displayed in the table.

Ports of Unit Specifies the port and stacking member for which the RSTP settings are displayed.

Trunk Specifies the trunk for which the RSTP settings are displayed. Interface Displays the port or trunk on which Rapid STP is enabled. Role Displays the port role assigned by the STP algorithm to provide to STP paths. The possible field values are:

Root Provides the lowest cost path to forward packets to the root switch. Designated The port or trunk through which the designated switch is attached to the LAN. Alternate Provides an alternate path to the root switch from the root interface. Backup Provides a backup path to the designated port path toward the Spanning Tree leaves. Backup ports occur only when two ports are connected in a loop by a point-to-point link, or when a LAN has two or more connections to a shared segment. Disabled The port is not participating in the Spanning Tree.

Page 114

Configuring Spanning Tree

Configuring Rapid Spanning Tree

Mode Displays the current STP mode. The STP mode is selected in the Spanning Tree Page. The possible field values are: Rapid STP Rapid STP is enabled on the device. Fast Link Operational Status Indicates whether Fast Link is enabled or disabled for the port or trunk. If Fast Link is enabled for a port, the port is automatically placed in the forwarding state. Point-to-Point Admin Status Indicates whether a point-to-point link is established on the port. Ports defined as Full Duplex are considered Point-to-Point port links. The possible field values are:

STP Classic STP is enabled on the device.

Enable Enables the device to establish point-to-point links. Disable Device establishes shared, half duplex links. Auto Device automatically determines the state.

Point-to-Point Operational Status Displays the point-to-point operating state. Activate Protocol Migration Test Select to run a Protocol Migration Test. The test identifies the STP mode of the interface connected to the selected interface.

2.

Checked Runs a Protocol Migration Test on the interface after the user clicks the Apply button.

Unchecked Does not run a Protocol Migration Test. Click Modify. The Modify RSTP Page opens:

Figure 85: Modify RSTP Page

In addition to the RSTP Page, the Modify RSTP Page contains the following fields:

Port State Indicates whether the port is enabled for the specific instance. The possible field values are:

3. 4. 5.

Forwarding Indicates that the port forwards packets. Discarding Indicates that the port discards packets.

Disabled Indicates that RSTP is disabled on the port. Define the Interface, Point to Point Admin Status, and Activate Protocol Migration Test fields. Click Apply. RSTP is defined for the selected interface, and the device is updated. Click Save Config on the menu, to save changes permanently.

Page 115

Configuring Spanning Tree

Configuring Multiple Spanning Tree

Configuring Multiple Spanning Tree

Multiple Spanning Tree Protocol (MSTP) provides differing load balancing scenarios. For example, while port A is blocked in one STP instance, the same port can be placed in the Forwarding state in another STP instance. This section contains the following topics: Defining MSTP Properties Defining MSTP Interfaces Defining MSTP Instance Mappings Defining MSTP Instance Settings

Defining MSTP Properties

The MSTP Page contains information for defining global MSTP settings, including region names, MSTP revisions, and maximum hops. To define MSTP: 1. Click Layer 2 > MSTP. The MSTP Page opens:

Figure 86: MSTP Page

Page 116

Configuring Spanning Tree

Configuring Multiple Spanning Tree

The MSTP Page contains the following fields: Region Name User-defined STP region name. Revision An unsigned 16-bit number that identifies the revision of the current MSTP configuration. The revision number is required as part of the MSTP configuration. The possible field range is 0-65535. Max Hops Specifies the total number of hops that occur in a specific region before the BPDU is discarded. Once the BPDU is discarded, the port information is aged out. The possible field range is 1-40. The field default is 20 hops. IST Master Identifies the Spanning Tree Master instance. The IST Master is the specified instance root.

2. 3.

Configure Interface Settings Click Configure to assign MSTP settings to a specific interface. Configure Instance Mapping Click Configure to assign MSTP mapping to a specific instance. Configure Instance Settings Click Configure to define MSTP Instances settings. Define the Region Name, Revision, and Max Hops fields. Click Apply. The MSTP properties are defined, and the device is updated.

Defining MSTP Interfaces

Network administrators can assign MSTP settings to a specific interface (port or trunk) using the MSTP Interface Settings Page. To define MSTP interface settings: 1. Click Layer 2 > MSTP. The MSTP Page opens. 2. Click Configure next to the Configure Interface Settings option. The MSTP Interface Settings Page opens:

Figure 87: MSTP Interface Settings Page

Page 117

Configuring Spanning Tree

Configuring Multiple Spanning Tree

The MSTP Interface Settings Page contains the following fields: Instance ID Lists the MSTP instances configured on the device. The possible field range is 1-16. Interface Displays the specific interface for this pages MSTP setting. The possible field values are:

Port of Unit Specifies the port for which the MSTP settings are displayed.

Trunk Specifies the trunk for which the MSTP settings are displayed. STP Port State Indicates if STP is enabled on the port. The possible field values are: Enabled Indicates that STP is enabled on the port. Disabled Indicates that STP is disabled on the port. Port State Indicates whether the port is enabled for the specific instance. The possible field values are: Forwarding Indicates that the port forwards packets. Discarding Indicates that the port discards packets. Disabled Indicates that STP is disabled on the port.

N/A Indicates that the port is not available for STP; for example, if the port belongs to a trunk. Type Indicates whether the port is a Boundary or Master port. The possible field values are: Boundary Indicates that the port attaches MST bridges to LANs in an outlying region. If the port is a Boundary port, this field also indicates whether the device on the other side of the link is working in RSTP or STP mode. Internal Indicates the port provides connectivity within the same region.

Role Indicates the port role assigned by the STP algorithm to provide to STP paths. The possible field values are:

Root Provides the lowest cost path to forward packets to the root device. Designated Indicates the port or trunk through which the designated device is attached to the LAN. Alternate Provides an alternate path to the root device from the root interface. Backup Provides a backup path to the designated port path toward the Spanning Tree leaves. Backup ports occur only when two ports are connected in a loop by a point-to-point link or when a LAN has two or more connections to a shared segment. Disabled Indicates the port is not participating in the Spanning Tree. Classic STP Classic STP is enabled on the device. This is the default value.

Mode Indicates the STP mode by which STP is enabled on the device. The possible field values are: Rapid STP Rapid STP is enabled on the device. Interface Priority (0-240,in steps of 16) Indicates the priority value of the port connected to the selected port for the specified instance. A lower priority increases the probability of connecting to a root port. The possible field values are 0-240, in multiples of 16. The default value is 128. Path Cost (1-200,000,000) Indicates the port contribution to the Spanning Tree instance. The field range is 1-200,000,000.

Use Default Defines the default path cost as the Path Cost field setting. Designated Bridge ID Displays the ID of the bridge that connects the link or shared LAN to the root. Designated Port ID Displays the ID of the port on the designated bridge that connects the link or the shared LAN to the root. Designated Cost Indicates that the default path cost is assigned according to the method selected on the Spanning Tree Global Settings. Forward Transitions Indicates the number of times the Trunk State has changed from a Forwarding state to a Blocking state. Remain Hops Indicates the hops remaining in the region before the BPDU is discarded.

Page 118

Configuring Spanning Tree

Configuring Multiple Spanning Tree

3. 4. 5. 6.

Define the fields. Click Apply. MSTP is defined for the selected interface. Click Save Config on the menu, to save changes permanently. To view the MSTP configurations of all interfaces, click Interface Table. The MSTP Interface Table is displayed. In the MSTP Interface Table, administrators can modify the Interface Priority and Path Cost of any interface.

Figure 88: MSTP Interface Table

Page 119

Configuring Spanning Tree

Configuring Multiple Spanning Tree

Defining MSTP Instance Mappings

Network administrators can assign MSTP mapping to a specific instance (port or trunk) using the MSTP Instance Mapping Page. To define MSTP interface mapping: 1. Click Layer 2 > MSTP. The MSTP Page opens. 2. Click Configure next to the Configure Instance Mapping option. The MSTP Instance Mapping Page opens:

Figure 89: MSTP Instance Mapping Page

The MSTP Instance Mapping Page contains the following fields: VLAN Displays the VLAN ID. Instance ID Defines the mapped MSTP instance. The possible field range is 1-16. 3. Map the VLANs to Instance IDs. 4. Click Apply to implement the mapping. 5. Click Save Config on the menu, to save changes permanently.

Page 120

Configuring Spanning Tree

Configuring Multiple Spanning Tree

Defining MSTP Instance Settings

MSTP maps VLANs into STP instances. Packets assigned to various VLANs are transmitted along different paths within Multiple Spanning Tree Regions (MST Regions). Regions are one or more Multiple Spanning Tree bridges by which frames can be transmitted. In configuring MSTP, the MST region to which the device belongs is defined. A configuration consists of the name, revision, and VLANs that belong to an instance. To configure devices in the same region, the three components must be the same for all the devices. Network Administrators can define MSTP Instances settings using the MSTP Instance Settings Page. To define MSTP interface settings: 1. Click Layer 2 > MSTP. The MSTP Page opens. 2. Click Configure next to the Configure Instance Settings option. The MSTP Instance Settings Page opens:

Figure 90: MSTP Instance Settings Page

The MSTP Instance Settings Page contains the following fields:

Instance ID Defines the VLAN group to which the interface is assigned. The possible field range is 1-15. Included VLAN Maps the selected VLAN to the selected instance. Each VLAN belongs to one instance. Bridge Priority Specifies the selected spanning tree instance device priority. The possible field range is 0-61440 in multiples of 4096. Designated Root Bridge ID Indicates the ID of the bridge with the lowest path cost to the instance ID. Root Path Cost Indicates the selected instances path cost. Root Port Indicates the selected instances root port. Remaining Hops Indicates the number of hops remaining in the region until the BPDU is discarded. Bridge ID Indicates the bridge ID of the selected instance.

Page 121

Configuring Spanning Tree

Configuring Multiple Spanning Tree

3. 4. 5.

Define the fields. Click Apply. MSTP is defined for the selected instance, and the device is updated. The MSTP Page is displayed. Click Save Config on the menu, to save changes permanently.

Page 122

Configuring Multicast Forwarding

Section 10. Configuring Multicast Forwarding

Multicast forwarding allows a single packet to be forwarded to multiple destinations. Layer 2 Multicast service is based on a Layer 2 switch receiving a single packet addressed to a specific multicast address. Multicast forwarding creates copies of the packet, and transmits the packets to the relevant ports. The Internet Group Management Protocol (IGMP) allows hosts to notify their local switch or router that they want to receive transmissions assigned to a specific multicast group. Multicast forwarding enables transmitting packets from either a specific multicast group to a source, or from a nonspecific source to a Multicast group. The device supports IGMPv1, IGMPv2, and IGMPv3. This section contains the following topics: Configuring IGMP Snooping Defining Multicast Bridging Groups Defining Multicast Forward All Settings

Page 123

Configuring Multicast Forwarding

Configuring IGMP Snooping

When IGMP Snooping is enabled globally, all IGMP packets are forwarded to the CPU. The CPU analyzes the incoming packets and determines:

Which ports want to join which Multicast groups. Which ports have Multicast routers generating IGMP queries. Which routing protocols are forwarding packets and Multicast traffic. Ports requesting to join a specific Multicast group issue an IGMP report, specifying that Multicast group is accepting members. This results in the creation of the Multicast filtering database. To configure IGMP Snooping: 1. Click Multicast > IGMP. The IGMP Page opens:

Figure 91: IGMP Page

The IGMP Page contains the following fields:

Enable IGMP Snooping Status Indicates if IGMP Snooping is enabled on the device. IGMP Snooping can be enabled only if Bridge Multicast Filtering is enabled. The possible field values are:

Checked Enables IGMP Snooping on the device.

Unchecked Disables IGMP Snooping on the device. IGMP Snooping Version Displays the IGMP Snooping version enabled on the device. The possible field values are:

IGMPv2 Indicates that IGMP version 2 is enabled on the device. IGMPv3 Indicates that IGMP version 3 is enabled on the device.

VLAN ID Specifies the VLAN ID.

Page 124

Configuring Multicast Forwarding

IGMP Snooping Status Indicates if IGMP snooping is enabled on the VLAN. The possible field values are:

Enable Enables IGMP Snooping on the VLAN. Disable Disables IGMP Snooping on the VLAN.

IGMP Querier Status Indicates if the specific VLAN can operate as an IGMP Querier. The possible field values are:

Enable Enables IGMP Querying on the VLAN.

Disable Disables IGMP Querying on the VLAN. IGMP Querier Version Displays the IGMP Snooping version enabled on the device which functions as an IGMP Snooper of the selected VLAN. The possible field values are: IGMPv3 Indicates that IGMP version 3 is enabled on the device. Administrative IP Address The configured IP address of the IGMP Querier interface on the VLAN. The VLANs IP address is the default address for the IGMP Querier. Operational IP Address The current IP address of the IGMP Querier interface on the VLAN. Auto Learn Indicates if Auto Learn is enabled on the device. If Auto Learn is enabled, the devices automatically learns where other Multicast groups are located. Enables or disables Auto Learn on the Ethernet device.The possible field values are:

IGMPv2 Indicates that IGMP version 2 is enabled on the device.

Enable Enables auto learn

Disable Disables auto learn. Host Timeout Indicates the amount of time host waits to receive a message before timing out. The default time is 260 seconds. MRouter Timeout Indicates the amount of the time the Multicast router waits to receive a message before it times out. The default value is 300 seconds. Leave Timeout Indicates the amount of time the host waits, after requesting to leave the IGMP group and not receiving a Join message from another station, before timing out. If a Leave Timeout occurs, the switch notifies the Multicast device to stop sending traffic The Leave Timeout value is either user-defined, or an immediate leave value. The default timeout is 10 seconds. Click the Enable IGMP Snooping Status checkbox. IGMP Snooping is enabled on the device.

2.

To modify the IGMP Snooping configuration: 1. Click Multicast > IGMP. The IGMP Page opens. 2. Click Modify. The IGMP Configuration Page opens:

Page 125

Configuring Multicast Forwarding

Figure 92: IGMP Configuration Page

In addition to the IGMP Page, the IGMP Configuration Page contains the following field:

Immediate Leave Host immediately times out after requesting to leave the IGMP group and not receiving a Join message from another station.

3. 4. 5.

Checked Host immediately times out.

Unchecked Host times out as specified in the Leave Timeout field. Define the fields. Select Reset as Default to use the default value. Click Apply. The IGMP Snooping global parameters are modified, and the device is updated. Click Save Config on the menu to save the changes permanently.

Defining Multicast Bridging Groups

The Multicast Group Page displays the ports and trunks attached to the Multicast service group in the Ports and Trunks tables. The Port and Trunk tables also reflect the manner in which the port or trunks joined the Multicast group. Ports can be added either to existing groups or to new Multicast service groups. New Multicast service groups can be created and ports can be assigned to a specific Multicast service address group. To define Multicast Groups: 1. Click Multicast > Multicast Group. The Multicast Group Page opens:

Page 126

Configuring Multicast Forwarding

Figure 93: Multicast Group Page

The Multicast Group Page contains the following fields:

Enable Bridge Multicast Filtering Indicates if bridge Multicast filtering is enabled on the device. The possible field values are:

Checked Enables Multicast filtering on the device. Unchecked Disables Multicast filtering on the device. If Multicast filtering is disabled, Multicast frames are flooded to all ports in the relevant VLAN. Disabled is the default value.

VLAN ID Displays the VLAN for which Multicast parameters are displayed. Bridge Multicast Address Identifies the Multicast group MAC address/IP address. Select the interfaces displayed in the table.

2. 3.

Ports of Unit Specifies the port and stacking member for which the Multicast group settings are displayed.

Trunk Specifies the trunk for which the Multicast group settings are displayed. Interface Displays the currently defined interface. Interface Status Displays the current interface status.

Check the Enable Bridge Multicast Filtering checkbox. Click Add. The Add Multicast Group Page opens:

Page 127

Configuring Multicast Forwarding

Figure 94: Add Multicast Group Page

4. 5. 6.

Select the VLAN ID. Enter the Bridge Multicast MAC Address and the Bridge Multicast IP Address. Click Apply. The new Multicast group is saved and the device is updated.

To modify a multicast group: 1. Click Modify. The Multicast Group Configuration Page opens:

Figure 95: Multicast Group Configuration Page

2. 3.

Define the fields. Click Apply. The Multicast Group is saved and the device is updated.

Page 128

Configuring Multicast Forwarding

Defining Multicast Forward All Settings

Multicast forwarding enables transmitting packets from either a specific multicast group to a source, or from a nonspecific source to a Multicast group. The Bridge Multicast Forward All page contains fields for attaching ports or trunks to a device that is attached to a neighboring Multicast router/switch. Once IGMP Snooping is enabled, Multicast packets are forwarded to the appropriate port or VLAN. Unless trunks are defined, only a Multicast Forward All table displays. To define Multicast forward all settings: 1. Click Multicast > Multicast Forward All. The Multicast Forward All Page opens:

Figure 96: Multicast Forward All Page

The Multicast Forward All Page contains the following fields: VLAN ID Displays the VLAN for which Multicast parameters are displayed. Select the interfaces displayed in the table.

Ports of Unit Specifies the port and stacking member for which the Multicast Forward All settings are displayed.

Trunk Specifies the trunk for which the Multicast Forward All settings are displayed. The Multicast Forward All table displays the following information, identical for ports and trunks. Interface Displays the interface ID. Interface Status Indicates the forwarding status of the selected interface. The possible values are:
Static Attaches the port to the Multicast router or switch as a static port. Dynamic Attaches the port to the Multicast router or switch as a dynamically configured port. Excluded The port is not attached to a Multicast router or switch. Forbidden Indicates that the port is forbidden for forward all.

Page 129

Configuring Multicast Forwarding

2. 3.

Select interfaces to modify. Click Modify. The Multicast Forward All Configuration Page opens:

Figure 97: Multicast Forward All Configuration Page

4. 5.

Define the Interface Status field. Click Apply. The Multicast Forward All settings are saved and the device is updated.

Page 130

Configuring SNMP

Section 11. Configuring SNMP

Simple Network Management Protocol (SNMP) provides a method for managing network devices. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems. Managed devices supporting SNMP contain software, which runs locally on the device and is referred to as an agent. A defined set of variables, known as managed objects, is maintained by the SNMP agent and used to manage the device. These objects are defined in a Management Information Base (MIB) that provides a standard presentation of the information controlled by the agent. SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network. The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3. This agent continuously monitors the status of the switch hardware, as well as the traffic passing through its ports. Access to the onboard agent using SNMP v1 and v2c is controlled by community strings. To communicate with the switch, the management station must first submit a valid community string for authentication. Access to the switch using SNMPv3 provides additional security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree. The SNMPv3 security structure consists of security models, with each model having its own security levels. There are three security models defined, SNMPv1, SNMPv2c, and SNMPv3. Users are assigned to groups that are defined by a security model and specified security levels. Each group also has a defined security access to set of MIB objects for reading and writing, which are known as views. The device has a default view (all MIB objects) and default groups defined for security models v1 and v2c. The following table shows the security models and levels available and the system default settings. The SNMP agents maintain a list of variables, which are used to manage the device. The variables are defined in the Management Information Base (MIB). The SNMP agent defines the MIB specification format, as well as the format used to access the information over the network. Access rights to the SNMP agents are controlled by access strings. The device is SNMP-compliant and contains an SNMP agent that supports a set of standard and private MIB variables. Developers of management stations require the exact structure of the MIB tree and receive the complete private MIBs information before being able to manage the MIBs. All parameters are manageable from any SNMP management platform, except the SNMP management station IP address and community (community name and access rights). The SNMP management access to the device is disabled if no community strings exist. This section contains the following topics:

Enabling SNMP Defining SNMP Communities Defining SNMP Groups Defining SNMP Users Defining SNMP Views Defining Notification Recipients Defining Notification Filters

Page 131

Configuring SNMP

Enabling SNMP
The SNMP Global Page provides fields for globally enabling and configuring SNMP on the device. To enable SNMP: 1. Click SNMP > Global. The SNMP Global Page opens:

Figure 98: SNMP Global Page

The SNMP Global Page contains the following fields: Local Engine ID (9-64 Hex Characters) Displays the engine number. Use Default Restores default SNMP settings, using the Local Engine ID. Enable SNMP Notifications Indicates if SNMP traps are enabled for the device. The possible values are:

Checked Traps are enabled. Unchecked Traps are disabled.

Enable Authentication Notifications Indicates if notification messages are issued if unauthorized connection attempts occur. The possible values are:

2. 3.

Checked Notifications are issued. Unchecked Notifications are not issued.

Define the fields. Click Apply. The global SNMP settings are saved and the device is updated.

Page 132

Configuring SNMP

Defining SNMP Communities

Access rights are managed by defining communities in the SNMP Community Page. When the community names are changed, access rights are also changed. SNMP communities are defined only for SNMP v1 and SNMP v2c. Note The device switch is delivered with no community strings configured. To define SNMP communities: 1. Click SNMP > Community. The SNMP Global Page opens. The SNMP Community Page opens:

Figure 99: SNMP Community Page

The SNMP Community Page contains the Basic and the Advanced Table:

SNMP Communities Basic Table

The SNMP Communities Basic Table contains the following fields: Management Station Displays the management station IP address for which the basic SNMP community is defined. 0.0.0.0 indicates all management station IP addresses. Community String Defines the community name used to authenticate the management station to the device.

Page 133

Configuring SNMP

Access Mode Defines the access rights of the community. The possible field values are:

Read Only Management access is restricted to read-only, and changes cannot be made to the community. Read Write Management access is read-write and changes can be made to the device configuration, but not to the community. SNMP Admin User has access to all device configuration options, as well as permissions to modify the community.

View Name Contains a list of user-defined SNMP views in addition to the Default and DefaultSuper views.

SNMP Communities Advanced Table

The SNMP Communities Advanced Table contains the following fields: Management Station Displays the management station IP address for which the advanced SNMP community is defined. 0.0.0.0 indicates all management station IP addresses. Community String Defines the community name used to authenticate the management station to the device. Group Name Indicates the group that was assigned to the community. 2. Click the Add button. The Add SNMP Community Page opens.

Figure 100:Add SNMP Community Page

3. 4. 5.

Define the fields. Click Apply. The SNMP community is added, and the device is updated. Click Save Config on the menu to save the changes permanently.

To modify SNMP community settings: 1. Select an SNMP community entry in the Basic table or in the Advanced Table. 2. Click Modify. The Community Configuration Page opens:

Page 134

Configuring SNMP

Figure 101:Community Configuration Page

3. 4.

Define the Basic or Advanced configuration of the community. Click Apply. The SNMP community settings are modified, and the device is updated.

Page 135

Configuring SNMP

Defining SNMP Groups

The SNMP Group Page provides information for creating SNMP groups, and assigning SNMP access control privileges to SNMP groups. Groups allow network managers to assign access rights to specific device features, or feature aspects. To define an SNMP group: 1. Click SNMP > Groups. The SNMP Group Page opens:

Figure 102:SNMP Group Page

The SNMP Group Page contains the following fields:

Group Name Displays the user-defined group to which access control rules are applied. The field range is up to 30 characters. Security Model Defines the SNMP version attached to the group. The possible field values are:

SNMPv1 SNMPv1 is defined for the group. SNMPv2 SNMPv2 is defined for the group.

SNMPv3 SNMPv3 is defined for the group. Security Level Defines the security level attached to the group. Security levels apply to SNMPv3 only. The possible field values are: No Authentication Indicates that neither the Authentication nor the Privacy security levels are assigned to the group. Authentication Authenticates SNMP messages, and ensures that the SNMP messages origin is authenticated. Privacy Encrypts SNMP messages. Read Management access is restricted to read-only, and changes cannot be made to the assigned SNMP view. Write Management access is read-write and changes can be made to the assigned SNMP view. Notify Sends traps for the assigned SNMP view.

Operation Defines the group access rights. The possible field values are:

Page 136

Configuring SNMP

2.

Click Add. The Add Group Page opens:

Figure 103:Add Group Page

3. 4.

Define the Group Name, Security Level, Security Model, and Operation. Click Apply. The new SNMP group is saved.

To modify an SNMP group: 1. Click SNMP > Groups. The SNMP Group Page opens. 2. Click Modify. The Group Configuration Page opens:

Figure 104:Group Configuration Page

3. 4.

Define the Group Name, Security Level, Security Model, and Operation. Click Apply. The SNMP group profile is saved.

Page 137

Configuring SNMP

Defining SNMP Users

The SNMP Users Page enables assigning system users to SNMP groups, as well as defining the user authentication method. To define SNMP group membership: 1. Click SNMP > Users. The SNMP Users Page opens:

Figure 105:SNMP Users Page

The SNMP Users Page contains the following fields:

User Name Contains a list of user-defined user names. The field range is up to 30 alphanumeric characters. Group Name Contains a list of user-defined SNMP groups. SNMP groups are defined in the SNMP Group Profile Page. Engine ID Displays either the local or remote SNMP entity to which the user is connected. Changing or removing the local SNMP Engine ID deletes the SNMPv3 user database.

Local Indicates that the user is connected to a local SNMP entity. Remote Indicates that the user is connected to a remote SNMP entity. If the Engine ID is defined, remote devices receive inform messages.

Page 138

Configuring SNMP

Authentication Displays the method used to authenticate users. The possible field values are:

2.

MD5 Key Users are authenticated using the HMAC-MD5 algorithm. SHA Key Users are authenticated using the HMAC-SHA-96 authentication level. MD5 Password The HMAC-MD5-96 password is used for authentication. The user should enter a password. SHA Password Users are authenticated using the HMAC-SHA-96 authentication level. The user should enter a password. None No user authentication is used.

Click Add. The Add SNMP User Page opens.

Figure 106:Add SNMP User Page

In addition to the SNMP Users Page, the Add SNMP User Page contains the following fields:

Authentication Method Defines the SNMP Authentication method. The possible field values are:

MD5 Key Users are authenticated using the HMAC-MD5 algorithm. SHA Key Users are authenticated using the HMAC-SHA-96 authentication level. MD5 Password The HMAC-MD5-96 password is used for authentication. The user should enter a password. SHA Password Users are authenticated using the HMAC-SHA-96 authentication level. The user should enter a password.

None No user authentication is used. Password Define the local user password. Local user passwords can contain up to 42 characters for MD5 or 32 characters for SHA. This field is available if the Authentication Method is a password.

Page 139

Configuring SNMP

Authentication Key Defines the HMAC-MD5-96 or HMAC-SHA-96 authentication level. The authentication and privacy keys are entered to define the authentication key. If only authentication is required, 16 bytes are defined. If both privacy and authentication are required, 32 bytes are defined. Each byte in hexadecimal character strings is two hexadecimal digits. Each byte can be separated by a period or a colon. This field is available if the Authentication Method is a key. Privacy Key Defines the Privacy Key (LSB). If only authentication is required, 20 bytes are defined. If both privacy and authentication are required, 36 bytes are defined. Each byte in hexadecimal character strings is two hexadecimal digits. Each byte can be separated by a period or colon. This field is available if the Authentication Method is a key. 3. Define the fields. 4. Click Apply. The SNMP user is added, and the device is updated. To modify SNMP control privileges: 1. 2. Click SNMP > Users. The SNMP Users Page opens. Click Modify. The SNMP User Configuration Page opens:

Figure 107:SNMP User Configuration Page

3. 4.

Define the fields. Click Apply. The SNMP User is modified, and the device is updated.

Page 140

Configuring SNMP

Defining SNMP Views

The SNMP views provide or block access to device features or portions of features. Feature access is granted via the MIB name or MIB Object ID. To define SNMP views: 1. Click SNMP > Views. The SNMP Views Page opens:

Figure 108:SNMP Views Page

The SNMP Views Page contains the following fields:

2.

View Name Displays the user-defined views. The view name can contain a maximum of 30 alphanumeric characters. Object ID Subtree Displays the device feature OID included in or excluded from the selected SNMP view. View Type Indicates whether the defined OID branch will be included in or excluded from the selected SNMP view. Click Add. The Add SNMP VIew Page opens:

Page 141

Configuring SNMP

Figure 109:Add SNMP VIew Page

3. 4.

Define the View Name field. Select the Subtree ID Tree using one of the following options: Select from List Select the Subtree from the list provided. Pressing the Up and Down buttons allows you to change the priority by moving the selected subtree up or down in the list.

5.

Insert Enables a Subtree not included in the Select from List field to be entered. Click Apply. The view is defined, and the device is updated.

Page 142

Configuring SNMP

Defining Notification Recipients

The SNMP Notify Page contains fields for defining SNMP notification recipients. the page contains information for defining filters that determine whether traps are sent to specific users, and the trap type sent. SNMP notification filters provide the following services:

Identifying Management Trap Targets Trap Filtering Selecting Trap Generation Parameters Providing Access Control Checks

To configure SNMP notification recipients: 1. Click SNMP > Notify. The SNMP Notify Page opens:

Figure 110: SNMP Notify Page

The SNMP Notify Page contains tables for SNMPv2 and SNMP v3 notification recipients and lists the following parameters:

Page 143

Configuring SNMP

SNMPv1,2c Notification Recipient

The SNMP v1, v2c Recipient table contains the following fields: Recipients IP Displays the IP address to which the traps are sent. Notification Type Displays the type of notification sent. The possible field values are:

Trap Indicates that traps are sent. Inform Indicates that informs are sent.

Community String Displays the community string of the trap manager. Notification Version Displays the trap type. The possible field values are:

SNMP V1 Indicates that SNMP Version 1 traps are sent. SNMP V2c Indicates that SNMP Version 2 traps are sent.

UDP Port Displays the UDP port used to send notifications. The field range is 1-65535. The default is 162. Filter Name Indicates if the SNMP filter for which the SNMP Notification filter is defined. Timeout Indicates the amount of time (in seconds) the device waits before resending informs. The field range is 1-300. The default is 15 seconds. Retries Indicates the number of times the device resends an inform request. The field range is 1-255. The default is 3.

SNMPv3 Notification Recipient

The SNMPv3 Notification Recipient table contains the following fields: Recipients IP Displays the IP address to which the traps are sent. Notification Type Displays the type of notification sent. The possible field values are:

Trap Indicates that traps are sent. Inform Indicates that informs are sent.

User Name Displays the user to which SNMP notifications are sent. Security Level Displays the means by which the packet is authenticated. The possible field values are:

2.

No Authentication Indicates that the packet is neither authenticated nor encrypted. Authentication Indicates that the packet is authenticated.

UDP Port Displays the UDP port used to send notifications. The field range is 1-65535. The default is 162. Filter Name Includes or excludes SNMP filters. Timeout Indicates the amount of time (in seconds) the device waits before resending informs. The field range is 1-300. The default is 15 seconds. Retries Indicates the number of times the device resends an inform request. The field range is 1255.The default is 3. Click Add. The Add Notify Page opens:

Page 144

Configuring SNMP

Figure 111: Add Notify Page

3. 4. 5. 1. 2.

Define the relevant fields. Click Apply. The notification recipient settings are saved and the device is updated. Click Save Config on the menu to save the changes permanently. Click SNMP > Notify. The SNMP Notify Page opens. Select an entry from one of the tables and click Modify. The SNMP Notify Configuration Page opens.

To modify notification settings:

Page 145

Configuring SNMP

Figure 112: SNMP Notify Configuration Page

3. 4. 5.

Define the fields. Click Apply. The SNMP Notification configuration is modified, and the device is updated. Click Save Config on the menu to save the changes permanently.

Page 146

Configuring SNMP

Defining Notification Filters

The SNMP Notification Filter Page permits filtering traps based on OIDs. Each OID is linked to a device feature or a portion of a feature. The SNMP Notification Filter Page also allows network managers to filter notifications. To configure SNMP notification filters: 1. Click SNMP > Notify. The SNMP Notify Page opens. 2. Click Configure next to Configure Notification Filters. The SNMP Notification Filter Configuration Page opens:

Figure 113: SNMP Notification Filter Configuration Page

3. 4. 5.

Define the Filter Name and Filter Type fields. Click Apply. The SNMP notification filter is defined, and the device is updated. Click Save Config on the menu to save the changes permanently.

Page 147

Configuring SNMP

To add an SNMP notification filter: 1. Click the Add button. The Add SNMP Notification Filter Page opens:

Figure 114: Add SNMP Notification Filter Page

The Add SNMP Notification Filter Page contains the following fields:

Filter Name Contains a list of user-defined notification filters. Subtree ID Tree Displays the OID for which notifications are sent or blocked. If a filter is attached to an OID, traps or informs are generated and sent to the trap recipients. Object IDs are selected from either the Select from List or the Object ID field. there are two configuration options:

2. 3. 4.

Select from List Select the OID from the list provided. Pressing the Up and Down buttons allows you to change the priority by moving the selected subtree up or down in the list.

Object ID Enter an OID not offered in the Select from List option. Filter Type Indicates whether informs or traps are sent regarding the OID to the trap recipients. Excluded Restricts sending OID traps or informs.

Included Sends OID traps or informs. Define the relevant fields. Click Apply. The SNMP Notification Filter is added to the list, and the device is updated. Click Save Config on the menu to save the changes permanently.

Page 148

Configuring Power Over Ethernet

Section 12. Configuring Power Over Ethernet

This section describes configuring Power over Ethernet (PoE) for an AT-S95 device. PoE only applies to the ATS95/24POE and AT-S95/48POE device. Power-over-Ethernet (PoE) provides power to devices over existing LAN cabling, without updating or modifying the network infrastructure. Power-over-Ethernet removes the necessity of placing network devices next to power sources. Power-over-Ethernet can be used in the following applications:

IP phones Wireless Access Points IP gateways PDAs Audio and video remote monitoring

Powered Devices are devices which receive power from the device power supplies, for example IP phones. Powered Devices are connected to the device via Ethernet ports. This section includes the following topic:

Enabling PoE and Setting the Power Threshold

Enabling PoE and Setting the Power Threshold

The PoE threshold is a percentage of the total maximum PoE power on the device (375 W). If the total power requirements of the powered devices exceed this threshold, the device sends an SNMP trap to the management workstation and enters an event in the event log. The threshold is adjustable. For management workstations to receive traps from the device, configure SNMP on the device by specifying the IP addresses of the workstations. The Power Over Ethernet Page contains system PoE information for enabling PoE on the device, monitoring the current power usage, and enabling PoE traps. To enable PoE for the device: 1. Click System > Power Over Ethernet. The Power Over Ethernet Page opens:

Page 149

Configuring Power Over Ethernet

Figure 115: Power Over Ethernet Page

The Power Over Ethernet Page contains the following fields: Global PoE Configuration

Power Threshold Indicates the percentage of power consumed before an alarm is generated. The value range is 1-99 percent; the default value is 95 percent. If maximum power available is 375 W, and the power threshold is 95%, the threshold is exceeded when the PoE devices require more than 356.25 W. Maximum Power Available Indicates the maximum power allocated to the device. Unit Number Indicates the stacking member for which the PoE information is displayed. Click the ports to enable. Clicking a port toggles it through the possible settings. Define the fields. Click Modify. PoE is enabled on the device and global settings are saved. The new threshold is immediately activated on the device. Click Save Config on the menu to permanently save the change.

2. 3. 4. 5.

Page 150

Configuring Power Over Ethernet

Defining Power Over Ethernet Configuration

To modify PoE port settings: 1. In the Power Over Ethernet Page Zoom View, click the port(s) to modify. The port indication changes to Port is selected. 2. Click Modify. The Power Over Ethernet Configuration Page opens:

Figure 116: Power Over Ethernet Configuration Page

The Power Over Ethernet Configuration Page displays the currently configured PoE ports and contains the following information:

Interface Displays the selected ports number. Admin Mode Indicates whether PoE is enabled or disabled on the port. The possible values are: Disable Disables PoE on the port. Priority Level Indicates the PoE ports priority. The possible values are: High, Medium and Low. The default is Low. Class Indicates the power class, the IEEE 802.3af class of the device. Output Voltage (Volt) The voltage delivered to the powered device. Output Current (mA) The current drawn by the powered device. Output Power (Watt) Indicates the power being supplied to the device, in Watts. Power Limit (Watt) Indicates the maximum amount of power allowed by the port for the device. The default is 15400 milliwatts (15.4 W), and the range is 3000 -15400 milliwatts. Status Indicates if the port is enabled to work on PoE. The possible field values are:

Enable Enables PoE on the port. This is the default setting.

On Indicates the device is delivering power to the interface. Off Indicates the device is not delivering power to the interface. Searching Indicates that the device is currently searching for a powered device. Searching is the default PoE operational status.

Page 151

Configuring Power Over Ethernet

Fault Indicates one of the following:

3. 4. 5.

The powered device test has failed. For example, a port could not be enabled and cannot be used to deliver power to the powered device. The device has detected a fault on the powered device. For example, the powered device memory could not be read.

Test Indicates the powered device is being tested. For example, a powered device is tested to confirm it is receiving power from the power supply. Modify the Admin Mode and Priority Level fields. Click Apply. The PoE settings are saved and the device is updated. Click Save Config on the menu, to save the settings permanently.

Page 152

Configuring Services

Section 13. Configuring Services

This section describes Quality of Service related configurations. QoS supports activating one of the following Trust settings:

VLAN Priority Tag DiffServ Code Point None Only packets that have a Forward action are assigned to the output queue, based on the specified classification. By properly configuring the output queues, the following basic mode services can be set:

Minimum Delay The queue is assigned to a strict priority policy, and traffic is assigned to the highest priority queue. Best Effort Traffic is assigned to the lowest priority queue Bandwidth Assignments Bandwidths are assigned by configuring the WRR scheduling scheme. After packets are assigned to a specific egress queue, Class of Service (CoS) services can be assigned to the queue. Egress queues are configured with a scheduling scheme by one of the following methods: Strict Priority Ensures that time-sensitive applications are always forwarded. Strict Priority (SP) allows the prioritization of mission-critical, time-sensitive traffic over less time-sensitive applications. For example, under SP, voice over IP (VoIP) traffic can be prioritized so that it is forwarded before FTP or e-mail (SMTP) traffic. Weighted Round Robin Ensures that a single application does not dominate the device forwarding capacity. Weighted Round Robin (WRR) forwards entire queues in a round robin order. All queues can participate in WRR, except SP queues. SP queues are serviced before WRR queues. If the traffic flow is minimal, and SP queues do not occupy the whole bandwidth allocated to a port, the WRR queues can share the bandwidth with the SP queues. This ensures that the remaining bandwidth is distributed according to the weight ratio. If WRR is selected, the following weights are assigned to the queues: 1, 2, 4, 8. This section contains the following topics: Enabling Class of Service (CoS) Configuring CoS Queueing and Scheduling Mapping CoS Values to Queues Mapping DSCP Values to Queues Configuring QoS Bandwidth

Page 153

Configuring Services

Enabling Class of Service (CoS)

The CoS Page enables configuring the CoS ports or trunks on the device. To configure CoS ports or trunks on the device: 1. Click Services > CoS. The CoS Page opens:

Figure 117: CoS Page

As a default the CoS Page opens displaying the port options. The fields are identical when displaying the trunk CoS. The CoS Page contains the following fields:

Enable QoS Mode Indicates if QoS is enabled on the device. The possible values are: Unchecked Disables QoS on the device. Trust Mode Defines which packet fields to use for classifying packets entering the device. When no rules are defined, the traffic containing the predefined packet CoS field is mapped according to the relevant trust modes table. Traffic not containing a predefined packet field is mapped to best effort. The possible Trust Mode field values are:

Checked Enables QoS on the device.

CoS Classifies traffic based on the CoS tag value. DSCP Classifies traffic based on the DSCP tag value.

Page 154

Configuring Services

Select the interfaces displayed in the table.

Ports of Unit Specifies the port and stacking member for which the CoS configuration is displayed.

Trunk Specifies the trunk for which the CoS configuration is displayed. Interface Displays the interface number. Default CoS Determines the default CoS value for incoming packets for which a VLAN tag is not defined. The possible field values are 0-7. The default CoS is 0. This field appears in the CoS Ports table. Restore Defaults Restores the factory CoS defaults. The possible field values are:

2. 3. 4.

Checked Restores the factory CoS defaults on the interface.

Unchecked Maintains the current CoS settings. This is the default value. Select the interfaces. Check the Restore Defaults option, where needed. Click Modify. The CoS Configuration Page opens:

Figure 118: CoS Configuration Page

The CoS Configuration Page contains the following fields: Interface Sets this CoS configuration for a port or trunk.

5. 6. 7.

Port Defines CoS for a specific port. Trunk Defines CoS for a specific trunk.

Set Default User Priority Indicates the priority level for CoS on the selected port/trunk. Default Priority determines the default CoS value for incoming packets. The value range is 0-7 and the default is 0. Select the Interface and the Priority level. Click Apply. The CoS settings for the selected port/trunk are updated. Click Save Config on the menu to save the changes permanently.

Page 155

Configuring Services

Configuring CoS Queueing and Scheduling

The CoS Queuing & Scheduling Page provides fields for configuring CoS Priority to Egress Queues and for defining Egress Weights. The queue settings are set system-wide. To define schedule and queue settings for Quality of Service: 1. Click Services > Queuing & Scheduling. The CoS Queuing & Scheduling Page opens:

Figure 119: CoS Queuing & Scheduling Page

The CoS Queuing & Scheduling Page contains scheduling and Priority Queue settings for the defined CoS and DSCP and contains the following fields:

Select Schedule Defines the priority method in queuing.

Strict Priority Indicates that traffic scheduling for the selected queue is based strictly on the queue priority.

Weighted Priority Indicates that traffic scheduling for the selected queue is based strictly on the Weighted Priority. Configure Priority to Egress Queues Maps CoS (VPT tag) or DSCP values to a queue (1-4). Configure CoS Maps CoS priority to a queue.

2. 3. 4.

Configure DSCP Maps DSCP priority to a queue. Select a schedule type. Click Apply. The configuration is saved and the device is updated. Click Save Config on the menu to save the changes permanently.

Page 156

Configuring Services

Mapping CoS Values to Queues

The Configure CoS Page contains fields for classifying CoS settings to traffic queues. To set CoS to queue: 1. Click Services > Queuing & Scheduling. The CoS Queuing & Scheduling Page opens: 2. In the Configure Priority to Egress Queues section, select Configure CoS. 3. Click Configure. The Configure CoS Page opens:

Figure 120:Configure CoS Page

The Configure CoS Page contains the following fields: Restore Defaults Restores the device factory defaults for mapping CoS tags to a forwarding queue. Class of Service Specifies the CoS priority tag values, where zero is the lowest and 7 is the highest. Queue Defines the traffic forwarding queue to which the CoS priority is mapped. Four traffic priority queues are supported, where zero is the lowest and 3 is the highest. 4. 5. 6. Modify the Queue values or select Restore Defaults. Click Apply. The CoS to Queue mapping settings are saved and the device is updated. Click Save Config on the menu to save the changes permanently.

Page 157

Configuring Services

Mapping DSCP Values to Queues

The Configure DSCP Page contains fields for classifying DSCP settings to traffic queues. For example, a packet with a DSCP tag value of 3 can be assigned to queue 2. To set DSCP to queues: 1. Click Services > Queuing & Scheduling. The CoS Queuing & Scheduling Page opens: 2. In the Configure Priority to Egress Queues section, select Configure DSCP. 3. Click Configure. The Configure DSCP Page opens:

Figure 121:Configure DSCP Page

Page 158

Configuring Services

The Configure DSCP Page contains the following fields: Restore Defaults Restores the device factory defaults for mapping DSCP values to a forwarding queue. DSCP In Displays the incoming packets DSCP value. Queue Defines the traffic forwarding queue to which the DSCP priority is mapped. Four traffic priority queues are supported. 4. Modify the Queue values. 5. Click Apply. The DSCP to Queue mapping is updated. 6. Click Save Config on the menu to save the changes permanently.

Configuring QoS Bandwidth

The Bandwidth Page allows network managers to define the bandwidth settings for a specified egress interface. The Bandwidth Page is not used with the Service mode, as bandwidth settings are based on services. To configure bandwidth: 1. Click Services > Bandwidth. The Bandwidth Page opens:

Figure 122:Bandwidth Page

Page 159

Configuring Services

As a default the Bandwidth Page opens displaying the port options. The fields are identical when displaying the trunk CoS. The Bandwidth Page contains the following fields: Select the interfaces displayed in the table.

Ports of Unit Specifies the port and stacking member for which the bandwidth settings are displayed.

Trunk Specifies the trunk for which the bandwidth settings are displayed. Interface Indicates the interface for which this bandwidth information is displayed. Ingress Rate Limit Indicates the traffic limit for ingress interfaces. The possible field values are: Status Enables or disables rate limiting for ingress interfaces. Disable is the default value.

Rate Limit Defines the rate limit for ingress ports. Defines the amount of bandwidth assigned to the interface. The available values are3.5 Mbps - 1 Gbps (for FE ports, the maximum value equals the maximum port speed). Egress Shaping Rates Indicates the traffic shaping type, if enabled, for egress ports. The possible field values are:

2. 3. 4.

Status Indicates the egress shaping rate status. The default status is Disabled. CIR Defines Committed Information Rate (CIR) as the queue shaping type. The possible field values are 64 Kbps - 1 Gbps.

CBS Defines Committed Burst Size (CbS) as the queue shaping type. CbS is supported only on GE interfaces. The possible field value is 4 KB - 16 MB. Select the port/unit or trunk. Select the interfaces to configure. Click Modify. The Bandwidth Configuration Page opens:

Figure 123:Bandwidth Configuration Page

5. 6. 7.

Define the fields. Click Apply. The bandwidth information is saved and the device is updated. Click Save Config on the menu to save the changes permanently.

Page 160

System Utilities

Section 14. System Utilities

The configuration file structure involves the following configuration files:

Startup Configuration File Contains the commands required to reconfigure the device to the same settings as when the device is powered down or rebooted. The Startup file is created by copying the configuration commands from the Running Configuration file or the Backup Configuration file. Running Configuration File Contains all configuration file commands, as well as all commands entered during the current session. After the device is powered down or rebooted, all commands stored in the Running Configuration file are lost. During the startup process, all commands in the Startup file are copied to the Running Configuration File and applied to the device. During the session, all new commands entered are added to the commands existing in the Running Configuration file. Commands are not overwritten. To update the Startup file, before powering down the device, the Running Configuration file must be copied to the Startup Configuration file. The next time the device is restarted, the commands are copied back into the Running Configuration file from the Startup Configuration file. Backup Configuration Files Contains a backup copy of the device configuration. Up to five backup configuration files can be saved on the device, with user configured names. These files are generated when the user copies the Running Configuration file or the Startup Configuration file to a user-named file. The contents of the backup configuration files can be copied to either the Running Configuration or the Startup Configuration files. Image Files Software upgrades are used when a new version file is downloaded. The file is checked for the right format, and that it is complete. After a successful download, the new version is marked, and is used after the device is reset. There are two types of files, firmware files and configuration files. The firmware files manage the device, while the configuration files configure the device for transmissions. Configuration files can be uploaded and downloaded to the device. System files are uploaded or downloaded using the Trivial File Transfer Protocol (TFTP). TFTP utilizes the User Data Protocol (UDP) without security features. Note Only one type of download or upload can be performed at any one time. During upload or download, no user configuration can be performed. File maintenance includes configuration file management and device access, and is described in the following topics:

Restoring the Default Configuration Defining TFTP File Uploads and Downloads Viewing Integrated Cable Tests Viewing Optical Transceivers Resetting the Device

Page 161

System Utilities

Restoring the Default Configuration

in the System Utilities Page, the Reset to Factory Defaults function restores the Configuration file to factory defaults during device reset. When this option is not selected, the device maintains the current Configuration file. To restore the default system configuration: 1. Click Utilities > System Utilities. The System Utilities Page opens:

Figure 124:System Utilities Page

The System Utilities Page contains the following fields: Reboot Switch After Resetting to Defaults Performs reboot after the reset. The possible field values are:

Checked System restarts after the Configuration File is restored to the factory defaults.

Unchecked After the Configuration File is restored to the factory defaults, the system remains in session. Unit No. Indicates the unit number. Active Image indicates the current image file. After Reset The Image file which is active after the device is reset. The possible field values are: Image 1 Activates Image file 1 after the device is reset.

Image 2 Activates Image file 2 after the device is reset. To reset the configuration file to defaults without rebooting the device: Click Apply in the Reset to Factory Defaults section. To reset the configuration file to defaults with reboot: 1. Check the Reboot Switch After Resetting to Defaults option.

Page 162

System Utilities

2. 3.

Select the After Reset image file. Click Apply (below the table). The factory defaults are restored, and the device is updated. The device reboots.

Defining TFTP File Uploads and Downloads

The File System Page contains parameters for system uploads and downloads and for copying firmware and configuration files. To define file upload and download settings: 1. Click Utilities > File System The File System Page opens:

Figure 125:File System Page

The TFTP File Uploads and Downloads section of the File System Page contains the following fields: TFTP Operation Defines the type of TFTP operation and the type of file. The possible values are:

Download Downloads a firmware or configuration file, depending on the selection below. Upload Uploads a firmware or configuration file, depending on the selection below. Firmware Device will download or upload a firmware file, depending on the selection above. Configuration Device will download or upload a configuration file, depending on the selection above.

Source Filename Specifies the file to be uploaded or downloaded. Destination File Defines the type of file that the device creates. If the TFTP Operation is Firmware, the possible values are:

Software Image Boots the Image file. Boot File Copies the boot file from the TFTP server to the device.

Page 163

System Utilities

If the TFTP Operation is Configuration, the possible values are:

Running Configuration Contains the configuration currently valid on the device. Starting Configuration Contains the configuration which will be valid following system startup or reboot. Note The configuration file is copied only to the Master Unit, since this unit controls the entire stack. The configuration file is automatically synchronized with the configuration file on the Backup Unit, so that in the event of failure of the Master Unit, the Backup Unit takes over immediately with the same configuration information.

TFTP Server IP Address Specifies the TFTP Server IP Address from which files are downloaded. To download or upload TFTP Files: 1. Select the TFTP Operation type: upload or download; firmware or configuration file. 2. Define the Source file and Destination file type. 3. Click Apply.

In the Copy Files section, network administrators can copy firmware or configuration files from one device to another. Copy Master Firmware Copies the Firmware or the Boot file from the Stacking Master.

Software Image Downloads the Image file. Destination Unit Downloads firmware or the Boot file to the designated unit. The values are:

All Copies the Firmware or the Boot file to all stacking members. To copy firmware: 1. Click Copy Master Firmware. The copy firmware parameters are activated. 2. Select the Source and the Destination Unit. 3. Click Apply.
The Configuration Copy section of the File System Page contains the following fields: Copy Configuration Allows the copy configuration operation. Source File Name Specifies the configuration file type to be copied.

Startup Configuration Copies the Startup Configuration file, and overwrites the old Startup Configuration file.

Running Configuration Copies the Running Configuration file. Destination File Name Specifies the destination file type to create. The possible field values are: Startup Configuration Downloads the Startup Configuration file, and overwrites it.

Running Configuration Downloads commands into the Running Configuration file. To copy configuration: 1. Click Copy Configuration. The copy configuration parameters are activated. 2. Select the Source file name and the Destination file name. 3. Click Apply.

Page 164

System Utilities

Viewing Integrated Cable Tests

The Cable Test Page contains fields for performing tests on copper cables. Cable testing provides diagnostic information about where errors occurred in the cable, the last time a cable test was performed, and the type of cable error that occurred. The tests use Time Domain Reflectometry (TDR) technology to test the quality and characteristics of a copper cable attached to a port. Cables up to 120 meters long can be tested. Cables are tested when the ports are in the down state, with the exception of the Approximated Cable Length test. To perform a copper cable test: 1. Click Utilities > Cable Test. The Cable Test Page opens:

Figure 126:Cable Test Page

The Cable Test Page displays the following information: Unit Number Indicates the stacking member for which the Ethernet ports information is displayed. Port Specifies the port to which the cable is connected. Test Result Displays the cable test results. Possible values are:

No Cable Indicates that a cable is not connected to the port. Open Cable Indicates that a cable is connected on only one side. Short Cable Indicates that a short has occurred in the cable. OK Indicates that the cable passed the test.

Cable Fault Distance Indicates the distance from the port where the cable error occurred. Last Update Indicates the last time the port was tested.

Page 165

System Utilities

2. 3. 4.

Cable Length Indicates the approximate cable length. This test can only be performed when the port is up and operating at 1 Gbps. Select the Unit Number, and the Port. Click Test. The cable test is performed. Click Advanced. The Cable Test Configuration Page opens, and the copper cable test results are displayed.

Figure 127:Cable Test Configuration Page

Page 166

System Utilities

Viewing Optical Transceivers

The Optical Transceivers Page allows network managers to perform tests on Fiber Optic cables. Optical transceiver diagnostics can be performed only when the link is present. To view transceiver diagnostics: 1. Click Utilities > Optical Transceivers. The Optical Transceivers Page opens:

Figure 128:Optical Transceivers Page

The Optical Transceivers Page contains the following fields: Unit No. Indicates the stacking member for which the interface configuration information is displayed. Port Displays the IP address of the port on which the cable is tested. Temperature (Celsius) Displays the temperature (oC) at which the cable is operating. Voltage (Volts) Displays the voltage at which the cable is operating. Current (mA) Displays the current at which the cable is operating. Output Power (Watts) Indicates the rate at which the output power is transmitted. Input Power (Watts) Indicates the rate at which the input power is transmitted. Transmitter Fault Indicates if a fault occurred during transmission. Loss of Signal Indicates if a signal loss occurred in the cable. Data Ready Indicates the transceiver has achieved power up and data is ready.

Page 167

System Utilities

Resetting the Device

The Reset page enables the user to reset the system. Save all changes to the Running Configuration file before resetting the device. This prevents the current device configuration from being lost. To reset the device: 1. Click Utilities > Reset. The Reset Page opens.

Figure 129:Reset Page

2.

3. 4.

Select the Reset Unit No. The possible values are: 1 Reset the Master unit. 2 Reset the Backup unit.

Stack Reset all stacking members. Click Reset. The confirmation message appears informing that reset ends the management session. Click OK. The device is reset.

Page 168

Viewing Statistics
Viewing Device Statistics

Section 15. Viewing Statistics

The device provides statistics for RMON, interfaces, and Etherlike. This section contains the following topics:

Viewing Device Statistics Managing RMON Statistics

Viewing Device Statistics

This section contains the following topics:

Viewing Interface Statistics Viewing Etherlike Statistics

Viewing Interface Statistics

The Interface Statistics Page contains statistics for both received and transmitted packets. To view interface statistics: 1. Click Statistics > Interface. The Interface Statistics Page opens:

Figure 130:Interface Statistics Page

Page 169

Viewing Statistics
Viewing Device Statistics

The Interface Statistics Page contains the following fields: Select the interfaces displayed in the table.

Unit No. Indicates the stacking member for which the interface statistics are displayed. Port Specifies the port for which the interface statistics are displayed.

Trunk Specifies the trunk for which the interface statistics are displayed. Refresh Rate Defines the frequency of the interface statistics updates. The possible field values are: No Refresh Indicates that the Interface statistics are not refreshed. 15 Sec Indicates that the Interface statistics are refreshed every 15 seconds. 30 Sec Indicates that the Interface statistics are refreshed every 30 seconds. 60 Sec Indicates that the Interface statistics are refreshed every 60 seconds.

Receive Statistics Total Bytes (Octets) Displays the number of octets received on the selected interface. Unicast Packets Displays the number of Unicast packets received on the selected interface. Multicast Packets Displays the number of Multicast packets received on the selected interface. Broadcast Packets Displays the number of Broadcast packets received on the selected interface. Transmit Statistics Total Bytes (Octets) Displays the number of octets transmitted from the selected interface. Unicast Packets Displays the number of Unicast packets transmitted from the selected interface. Multicast Packets Displays the number of Multicast packets transmitted from the selected interface. Broadcast Packets Displays the number of Broadcast packets transmitted from the selected interface.
2. Select the Interface and the Refresh Rate. The selected interfaces Interface statistics are displayed. To reset interface statistics counters: 1. Open the Interface Statistics Page. 2. Click Clear All Counters. The interface statistics counters are cleared.

Page 170

Viewing Statistics
Viewing Device Statistics

Viewing Etherlike Statistics

The Etherlike Statistics Page displays interface statistics. To view Etherlike statistics: 1. Click Statistics > Etherlike. The Etherlike Statistics Page page opens:

Figure 131:Etherlike Statistics Page

The Etherlike Statistics Page contains the following fields: Select the interfaces displayed in the table.

Unit No. Indicates the stacking member for which the Etherlike statistics are displayed. Port Specifies the port for which the Etherlike statistics are displayed. Trunk Defines the specific trunk for which the Etherlike statistics are displayed. No Refresh Indicates that the Etherlike statistics are not refreshed. 15 Sec Indicates that the Etherlike statistics are refreshed every 15 seconds. 30 Sec Indicates that the Etherlike statistics are refreshed every 30 seconds.

Refresh Rate Defines the frequency of the interface statistics updates. The possible field values are:

60 Sec Indicates that the Etherlike statistics are refreshed every 60 seconds. Frame Check Sequence (FCS) Errors Displays the number of FCS errors received on the selected interface. Single Collision Frames Displays the number of single collision frames received on the selected interface. Late Collisions Displays the number of late collision frames received on the selected interface.

Page 171

Viewing Statistics
Viewing Device Statistics

2.

Excessive Collisions Displays the number of excessive collisions received on the selected interface. Oversize Packets Displays the number of oversized packet errors on the selected interface. Internal MAC Receive Errors Displays the number of internal MAC received errors on the selected interface. Received Pause Frames Displays the number of received paused frames on the selected interface. Transmitted Paused Frames Displays the number of paused frames transmitted from the selected interface. Select the Interface and the Refresh Rate. The selected interfaces Etherlike statistics are displayed.

To update the refresh time: To change the refresh rate for statistics, select another rate from the Refresh Rate drop-down list.

To reset Etherlike interface statistics counters: 1. Open the Etherlike Statistics Page. 2. Click Clear All Counters. The Etherlike interface statistics counters are cleared.

Page 172

Viewing Statistics
Managing RMON Statistics

Managing RMON Statistics

This section contains the following topics:

Viewing RMON Statistics Configuring RMON History Configuring RMON Events Defining RMON Alarms

Viewing RMON Statistics

The RMON Statistics Page contains fields for viewing information about device utilization and errors that occurred on the device. The RMON Statistics Page contains statistics for both received and transmitted packets. To view RMON statistics: 1. Click Statistics > RMON Statistics. The RMON Statistics Page opens:

Figure 132:RMON Statistics Page

The RMON Statistics Page contains the following fields:

Select the interfaces displayed in the table.

Unit No. Indicates the stacking member for which the RMON statistics are displayed. Port Specifies the port for which the RMON statistics are displayed. Trunk Defines the specific trunk for which the RMON statistics are displayed.

Page 173

Viewing Statistics
Managing RMON Statistics

Refresh Rate Defines the frequency of the RMON statistics updates. The possible field values are:

60 Sec Indicates that the RMON statistics are refreshed every 60 seconds. Received Bytes (Octets) Displays the number of octets received on the interface since the device was last refreshed. This number includes bad packets and FCS octets, but excludes framing bits. Received Packets Displays the number of packets received on the interface, including bad packets, Multicast and broadcast packets, since the device was last refreshed. Broadcast Packets Received Displays the number of good broadcast packets received on the interface since the device was last refreshed. This number does not include Multicast packets. Multicast Packets Received Displays the number of good Multicast packets received on the interface since the device was last refreshed. CRC & Align Errors Displays the number of CRC and Align errors that have occurred on the interface since the device was last refreshed. Undersize Packets Displays the number of undersized packets (less than 64 octets) received on the interface since the device was last refreshed. Oversize Packets Displays the number of oversized packets (over 1518 octets) received on the interface since the device was last refreshed. Fragments Displays the number of fragments (packets with less than 64 octets, excluding framing bits, but including FCS octets) received on the interface since the device was last refreshed. Jabbers Displays the total number of received packets that were longer than 1518 octets. This number excludes frame bits, but includes FCS octets that had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral octet (Alignment Error) number. The field range to detect jabbers is between 20 ms and 150 ms. Collisions Displays the number of collisions received on the interface since the device was last refreshed. Frames of xx Bytes Displays the number of xx-byte frames received on the interface since the device was last refreshed.

No Refresh Indicates that the RMON statistics are not refreshed. 15 Sec Indicates that the RMON statistics are refreshed every 15 seconds. 30 Sec Indicates that the RMON statistics are refreshed every 30 seconds.

2. Select the Interface and the Refresh Rate. The selected interfaces RMON statistics are displayed. To reset Etherlike interface statistics counters: 1. Open the RMON Statistics Page. 2. Click Clear All Counters. The RMON interface statistics counters are cleared.

Page 174

Viewing Statistics
Managing RMON Statistics

Configuring RMON History

The RMON History Page contains information about samples of data taken from ports. For example, the samples may include interface definitions or polling periods. To view RMON history information: 1. Click Statistics > RMON History. The RMON History Page opens:

Figure 133:RMON History Page

The RMON History Page contains the following fields:

History Entry No. Displays the history control entry number. Source Interface Displays the interface from which the history samples were taken. The possible field values are:

Port Specifies the port from which the RMON information was taken. Trunk Specifies the trunk from which the RMON information was taken.

Sampling Interval Indicates in seconds the time period that samplings are taken from the ports. The field range is 1-3600. The default is 1800 seconds (equal to 30 minutes). Sampling Requested Displays the number of samples that the device saves (see Max. No. of Samples to Keep in the Add RMON History Page). The field range is 1-65535. The default value is 50. Current Number of Samples Displays the current number of samples taken. This number should be equal to or close to the number of samples requested. If the number of samples exceeds the requested number, the device discards the older samples until the current number equals the requested amount. Owner Displays the RMON station or user that requested the RMON information. The field range is 0-20 characters.

Page 175

Viewing Statistics
Managing RMON Statistics

2.

Click Add. The Add RMON History Page opens:

Figure 134:Add RMON History Page

In addition to the RMON History Page, the Add RMON History Page contains the following fields:

3. 4.

Max No. of Samples to Keep Defines the maximum number of samples that the device saves. The field range is 1-65535. The default value is 50. Define the Source Interface, Owner, Max. No. of Samples to Keep, and Sampling Interval fields. Click Apply. The new entry is added to the history table, and the device is updated.

To edit an RMON history entry: 1. Click Statistics > RMON History. The RMON History Page opens. 2. Click Modify. The RMON History Configuration Page opens:

Figure 135:RMON History Configuration Page

3. 4.

Define the fields. Click Apply. The new entry is added to the history table, and the device is updated.

Page 176

Viewing Statistics
Managing RMON Statistics

Viewing the RMON History Table

The RMON History Table Page contains interface specific statistical network samplings. Each table entry represents all counter values compiled during a single sample. To view the RMON History Table: 1. Click Statistics > RMON History. The RMON History Page opens. 2. Click View. The RMON History Table Page opens:

Figure 136:RMON History Table Page

The RMON History Table Page contains the following fields: History Entry No. Select the history table entry number. Owner Displays the RMON station or user that requested the RMON information. The field range is 0-20 characters. Each table entry represents all counter values compiled during a single sample.

Sample No. Displays the entry number for the History Control Table page. Received Bytes (Octets) Displays the number of octets received on the interface since the device was last refreshed. This number includes bad packets and FCS octets, but excludes framing bits. Received Packets Displays the number of packets received on the interface since the device was last refreshed, including bad packets, Multicast and Broadcast packets. Broadcast Packets Displays the number of good Broadcast packets received on the interface since the device was last refreshed. This number does not include Multicast packets. Multicast Packets Displays the number of good Multicast packets received on the interface since the device was last refreshed.

Page 177

Viewing Statistics
Managing RMON Statistics

3. 4. 5.

CRC Align Errors Displays the number of CRC and Align errors that have occurred on the interface since the device was last refreshed. Undersize Packets Displays the number of undersized packets (less than 64 octets) received on the interface since the device was last refreshed. Oversize Packets Displays the number of oversized packets (over 1518 octets) received on the interface since the device was last refreshed. Fragments Displays the number of fragments (packets with less than 64 octets, excluding framing bits, but including FCS octets) received on the interface since the device was last refreshed. Jabbers Displays the total number of received packets that were longer than 1518 octets. This number excludes frame bits, but includes FCS octets that had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral octet (Alignment Error) number. The field range to detect jabbers is between 20 ms and 150 ms. Collisions Displays the number of collisions received on the interface since the device was last refreshed. Utilization Displays the percentage of the interface utilized. Select an entry in the History Entry No. field. Select the sample number. The statistics are displayed. Click RMON History to return to the RMON History Page.

Page 178

Viewing Statistics
Managing RMON Statistics

Configuring RMON Events

The RMON Events Page contains fields for defining, modifying and viewing RMON events statistics. To add an RMON event: 1. Click Statistics > RMON Events. The RMON Events Page opens:

Figure 137:RMON Events Page

The RMON Events Page contains the following fields: Event Entry Displays the event. Community Displays the community to which the event belongs. Description Displays the user-defined event description. Type Describes the event type. Possible values are:

2.

Log Indicates that the event is a log entry. Trap Indicates that the event is a trap. Log and Trap Indicates that the event is both a log entry and a trap. None Indicates that no event occurred.

Time Displays the time that the event occurred. Owner Displays the device or user that defined the event. Click Add. The Add RMON Events Page opens:

Page 179

Viewing Statistics
Managing RMON Statistics

Figure 138:Add RMON Events Page

3. 4.

Define the Community, Description, Type and Owner fields. Click Apply. The event entry is added and the device is updated.

To modify the RMON Event entry settings: 1. Click Statistics > RMON Events. The RMON Events Page opens. 2. Click Modify. The RMON Events Configuration Page opens:

Figure 139:RMON Events Configuration Page

3. 4.

Select an event entry and define the fields for the entry. Click Apply. The event control settings are saved and the device is updated.

Page 180

Viewing Statistics
Managing RMON Statistics

Viewing the RMON Events Logs

The RMON Events Logs Page contains interface specific statistical network samplings. Each table entry represents all counter values compiled during a single sample. To view the RMON Events Table: 1. Click Statistics > RMON Events. The RMON Events Page opens. 2. Click View. The RMON Events Logs Page opens:

Figure 140:RMON Events Logs Page

The RMON Events Logs Page contains the following event log information: Event Displays the RMON Events Log entry number. Log No. Displays the log number. Log Time Displays the time when the log entry was entered. Description Displays the log entry description. 3. Click RMON Event to return to the RMON Events Page.

Page 181

Viewing Statistics
Managing RMON Statistics

Defining RMON Alarms

The RMON Alarm Page contains fields for setting network alarms. Network alarms occur when a network problem, or event, is detected. Rising and falling thresholds generate events. To set RMON alarms: 1. Click Statistics > RMON Alarm. The RMON Alarm Page opens:

Figure 141:RMON Alarm Page

The RMON Alarm Page contains the following fields: Alarm Entry Indicates a specific alarm. Counter Name Displays the selected MIB variable. Interface Displays interface for which RMON statistics are displayed. The possible field values are:

Port Displays the RMON statistics for the selected port. Trunk Displays the RMON statistics for the selected trunk.

Counter Value Displays the selected MIB variable value. Sample Type Defines the sampling method for the selected variable and comparing the value against the thresholds. The possible field values are:

Delta Subtracts the last sampled value from the current value. The difference in the values is compared to the threshold. Absolute Compares the values directly with the thresholds at the end of the sampling interval.

Rising Threshold Displays the rising counter value that triggers the rising threshold alarm.

Page 182

Viewing Statistics
Managing RMON Statistics

2.

Rising Event Displays the event that triggers the specific alarm. The possible field values are userdefined RMON events. Falling Threshold Displays the falling counter value that triggers the falling threshold alarm. Falling Event Displays the event that triggers the specific alarm. The possible field values are userdefined RMON events. Startup Alarm Displays the trigger that activates the alarm generation. Rising is defined by crossing the threshold from a low-value threshold to a higher-value threshold. Interval (sec) Defines the alarm interval time in seconds. Owner Displays the device or user that defined the alarm. Click Add. The Add Alarm Page opens:

Figure 142:Add Alarm Page

3. 4.

Define the Interface, Counter Name, Sample Type, Rising Threshold, Rising Event, Falling Threshold, Falling Event, Startup Alarm, Interval, and Owner fields. Click Apply. The RMON alarm is added, and the device is updated.

To modify RMON alarms: 1. Click Statistics > RMON Alarm. The RMON Alarm Page opens. 2. Click Modify. The Alarm Configuration Page opens:

Page 183

Viewing Statistics
Managing RMON Statistics

Figure 143:Alarm Configuration Page

3. 4.

Define the fields. Click Apply. The RMON alarm is saved, and the device is updated.

Page 184

Managing Stacking
Stacking Overview

Section 16. Managing Stacking

This section describes the stacking control management and includes the following topics:

Stacking Overview Configuring Stacking Management

Stacking Overview
Stacking provides multiple switch management through a single point as if all stack members are a single unit. All stack members are accessed through a single IP address through which the stack is managed. The stack can be managed using the following interfaces:

Web-based Interface SNMP Management Station Command Line Interface (CLI)

Devices support stacking up to six units per stack, or can operate as stand-alone units. During the Stacking setup, one switch is selected as the Stacking Master and another stacking member can be selected as the Secondary Master. All other devices are selected as stack members, and assigned a unique Unit ID. Switch software is downloaded separately for each stack member. However, all units in the stack must be running the same software version. Switch stacking and configuration is maintained by the Stacking Master. The Stacking Master detects and reconfigures the ports with minimal operational impact in the event of:

Unit Failure Inter-unit Stacking Link Failure Unit Insertion Removing a Stacking Unit

This section includes the following topics: Stacking Ring Topology Stacking Chain Topology Stacking Members and Unit ID Removing and Replacing Stacking Members Exchanging Stacking Members

Stacking Ring Topology

Stacked devices operate in a Ring topology. A Ring topology is where all devices in the stack are connected to each other forming a circle. Each stacked device accepts data and sends it to the device to which it is physically connected. The packet continues through the stack until it reaches the destination port. The system automatically discovers the optimal path on which to send traffic. Most difficulties in Ring topologies occur when a device in the ring becomes non-functional, or a link is severed. In a stack, the system automatically switches to a Stacking Failover topology without any system downtime. An SNMP message is automatically generated, but no stack management action is required. However, the stacking link or stacking member must be repaired to ensure the stacking integrity. After the stacking issues are resolved, the device can be reconnected to the stack without interruption, and the Ring topology is restored.

Page 185

Managing Stacking
Stacking Overview

Stacking Chain Topology

In a chain topology, there are two units that have only one neighbor. Every unit has an uplink neighbor and a downlink neighbor. The chain topology is less robust than the ring topology. A failure in the chain results in a topology change to the stack. The location of the failure determines the severity of this topology change. The chain topology also acts as a fail-safe for the ring topology. When the ring topology fails, the stack automatically reverts to the chain topology.

Stacking Members and Unit ID

Stacking Unit IDs are essential to the stacking configuration. The stacking operation is determined during the boot process. The Operation Mode is determined by the Unit ID selected during the initialization process. For example, if the user selected stand-alone mode, the device boots as a stand-alone device. The device units are shipped with the default Unit ID of the stand-alone unit. If the device is operating as a standalone unit, all stacking LEDs are off. Once the user selects a different Unit ID, the default Unit ID is not erased, and remains valid, even if the unit is reset. Unit ID 1 and Unit ID 2 are reserved for Master-enabled units. Unit IDs 3 to 6 can be defined for stack members. When the Stacking Master unit boots, or when inserting or removing a stack member, the Stacking Master initiates a stacking discovering process. If two members are discovered with the same Unit ID, the stack continues to function, however only the unit with the older join time joins the stack. A message is sent to the user, notifying that a unit failed to join the stack. For first time Unit ID assignment, see the Installation Guide.

Removing and Replacing Stacking Members

Stacking member 1 and stacking member 2 are Master-enabled units. Unit 1 and Unit 2 are either designated as Stacking Master or Secondary Master. The Stacking Master assignment is performed during the configuration process. One Master-enabled stack member is elected Stacking Master, and the other Master-enabled stack member is elected Secondary Master, according to the following decision process: If only one Master-enabled unit is present, it is elected Stacking Master. If two Master-enabled stacking members are present, and one has been manually configured as the Stacking Master, the manually configured member is elected Stacking Master. If two Master-enabled units are present and neither has been manually configured as the Stacking Master, the one with the longer up-time is elected Stacking Master. If the two Master-enabled stacking members are the same age, Unit 1 is elected Stacking Master. Two stacking member are considered the same age if they were inserted within the same ten minute interval. For example, if Stack member 2 is inserted in the first minute of a ten-minute cycle, and Stack member 1 is inserted in fifth minute of the same cycle, the units are considered the same age. If there are two Master-enabled units that are the same age, then Unit 1 is elected Stacking Master. The Stacking Master and the Secondary Master maintain a Warm Standby. The Warm Standby ensures that the Secondary Master takes over for the Stacking Master if a failover occurs. This guarantees that the stack continues to operate normally. During the Warm Standby, the Master and the Secondary Master are synchronized with the static configuration only. When the Stacking Master is configured, the Stacking Master must synchronize the Secondary Master. The Dynamic configuration is not saved, for example, dynamically learned MAC addresses are not saved.

Page 186

Managing Stacking
Stacking Overview

Each port in the stack has a specific Unit ID, port type, and port number, which are part of both the configuration commands and the configuration files. Configuration files are managed only from the device Stacking Master, including:

Saving to the Flash Uploading configuration files to an external TFTP Server Downloading configuration files from an external TFTP Server Whenever a reboot occurs, topology discovery is performed, and the Master learns all units in the stack. Unit IDs are saved in the unit and are learned through topology discovery. If a unit attempts to boot without a selected Master, and the unit is not operating in stand-alone mode, the unit does not boot. Configuration files are changed only through explicit user configuration. Configuration files are not automatically modified when:

Units are added Units are removed Units are reassigned Unit IDs Units toggle between Stacking mode and Stand-alone mode

Each time the system reboots, the Startup configuration file in the Master unit is used to configure the stack. If a stack member is removed from the stack and then replaced with a unit with the same Unit ID, the stack member is configured with the original device configuration. Only ports which are physically present are displayed in the Web Management Interface home page, and can be configured through the web management system. Non-present ports are configured through the CLI or SNMP interfaces.

Exchanging Stacking Members

If a stack member with the same Unit ID replaces an existing Unit ID with the same Unit ID, the previous device configuration is applied to the inserted stack member. If the new inserted device has either more ports or less ports than the previous device, the relevant port configuration is applied to the new stack member. The Secondary Master replaces the Stacking Master if the following events occur:

The Stacking Master fails or is removed from the stack. Links from the Stacking Master to the stacking members fails. A soft switchover is performed via the web interface or the CLI.

Switching between the Stacking Master and the Secondary Master results in a limited service loss. Any dynamic tables are relearned if a failure occurs. The Running Configuration file is synchronized between the Stacking Master and the Secondary Master, and continues running on the Secondary Master.

Page 187

Managing Stacking
Configuring Stacking Management

Configuring Stacking Management

The Stacking Page allows network managers to either reset the entire stack or a specific device. Device configuration changes that are not saved before the device is reset are not saved. If the Stacking Master is reset, the entire stack is reset. In addition, Unit IDs can be changed on the Stacking Page. To configure stack control: 1. Click Mgmt. Protocols > Stacking. The Stacking Page opens:

Figure 144:Stacking Page

The Stacking Page contains the following stack configuration fields: Force Master The unit is forced to be master of the stack. Note that only Unit 1 or Unit 2 can be the stack master. Unit No. Indicates the Unit ID assigned to the unit in the current stacking configuration. Unit No. After Reset Indicates the Unit ID to be reassigned to the unit in the stacking configuration after reset. 2. 3. 4. 5. 6. Select the master election method, type of ports to be used in stacking, Map/assign the unit numbers. Click Apply. A confirmation message displays. The stacking settings are saved and the device configuration is updated. Click Refresh. The stacking configuration is applied. Click Save Config on the menu to save the changes permanently. Note If a different Unit ID is selected, the device must be reset for the configuration changes are active.

Page 188

Downloading Software with CLI

Connecting a Terminal

Appendix A. Downloading Software with CLI

This section describes how to download system files using the Command Line Reference (CLI), and includes the following topics:

Connecting a Terminal Initial Configuration Downloading Software

Connecting a Terminal
Before connecting a device, ensure that the device has been installed according to the instructions described in the Allied Telesis AT-S95 Installation Guide. Once installed the device is connected to a terminal through a console port (located on the front panel of 24 port devices and the back panel for the 48 port devices). The console connection enables a connection to a terminal desktop system running a terminal emulation software for monitoring and configuring the device. For a stack, only the console port of the Stacking Master is connected. The terminal must be a VT100 compatible terminal or a desktop or portable system with a serial port and running VT100 terminal emulation software. The CLI can be accessed through the connected Terminal. To connect a terminal to the device Console port, perform the following: 1. Connect a cable from the device console port to the terminal running VT100 terminal emulation software. 2. Ensure that the terminal emulation software is set as follows: a) Select the appropriate port to connect to the device. b) Set the data rate to 9600 baud. c) Set the data format to 8 data bits, 1 stop bit, and no parity. d) Set flow control to none. e) Under Properties, select VT100 for Emulation mode. f) Select Terminal keys for Function, Arrow, and Ctrl keys. Ensure that the setting is for Terminal keys (not Windows keys). Note When using HyperTerminal with Microsoft Windows 2000, ensure that you have Windows 2000 Service Pack 2 or later installed. With Windows 2000 Service Pack 2, the arrow keys function properly in HyperTerminals VT100 emulation. Go to www.microsoft.com for information on Windows 2000 service packs. The device is now ready to download the system software.

Page 189

Downloading Software with CLI

Initial Configuration

Initial Configuration
Before a device can download system software, the device must have an initial configuration of IP address and network mask. Before assigning a static IP address to the device, obtain the following information from the network administrator:

A specific IP address allocated by the network administrator for the switch to be configured Network mask for the network After making any configuration changes, the new configuration must be saved before rebooting. To save the configuration, enter the following CLI command: The following prompt is displayed: Console# copy running-config startup-config

Configuration
The initial configuration, which starts after the device has booted successfully, includes static IP address and subnet mask configuration, and setting user name and privilege level to allow remote management. If the device is to be managed from an SNMP-based management station, SNMP community strings must also be configured. The following basic configurations are required:

"Static IP Address and Subnet Mask" "User Name"

Static IP Address and Subnet Mask

IP interfaces can be configured on each port of the device. After entering the configuration command, it is recommended to check if a port was configured with the IP address by entering the show ip interface command. The commands to configure the device are port specific. To manage the switch from a remote network, a static route must be configured, which is an IP address to where packets are sent when no entries are found in the device tables. The configured IP address must belong to the same subnet as one of the device IP interfaces. To configure a static route, enter the required commands at the system prompt as shown in the following configuration example where 101.101.101.101 is the specific management station, and 5.1.1.100 is the static route: Console# configure Console(config)# interface vlan 1 Console(config-if)# ip address 100.101.101.101 255.255.255.0 Console(config-if)# exit Console# ip route 192.168.2.0/24 100.1.1.33

Note 100.1.1.33 is the IP address of the next hop that can be used to reach the management network 192.168.2.0.

Page 190

Downloading Software with CLI

Downloading Software

To check the configuration, enter the command show ip interface as illustrated in the following example. Console# show ip interface Proxy ARP is disabled IP Address -----------100.101.101.101/24 I/F -----vlan 1 Type -----static Broadcast Directed --------disable

User Name
A user name is used to manage the device remotely, for example through SSH, Telnet, or the Web interface. To gain complete administrative (super-user) control over the device, the highest privilege (15) must be specified. Note Only an administrator (super-user) with the highest privilege level (15) is allowed to manage the device through the Web browser interface. For more information about the privilege level, see the CLI Reference Guide. The configured user name is entered as a login name for remote management sessions. To configure user name and privilege level, enter the command at the system prompt as shown in the configuration example: Console> enable Console# configure Console(config)# username admin password lee privilege 15

Downloading Software
For this explanation, the following parameters are going to be used:

TFTP Server 172.16.101.101 System software file file1 Boot file file 2

Standalone Device Software Download

To download software an a standalone device perform the following: 1. Power up the device as described in the Allied Telesis AT-S95 Installation Guide. The CLI command prompt is displayed.

Console#

Page 191

Downloading Software with CLI

Downloading Software

2.

Enter the copy command to download the boot file.

Console# copy tftp://172.16.101.101/file2.rfb boot Accessing file 'file2' on 172.16.101.101... Loading file1 from 172.16.101.101: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 09-Jul-2006 03:15:21 %COPY-W-TRAP: The copy operation was completed successfully ! Copy: 3329361 bytes copied in 00:03:00 [hh:mm:ss] 3. Enter the bootvar command to determine which file contains the boot file. By default the inactive image area contains the newly downloaded boot file.

console# show bootvar Unit Image Filename ---- ----- --------1 1 image-1 1 2 image-2 2 1 image-1 2 2 image-2 3 1 image-1 3 2 image-2 4 1 image-1 4 2 image-2 5 1 image-1 5 2 image-2 6 1 image-1 6 2 image-2

Version --------v1.1.0.29 v1.1.0.29 v1.1.0.29 v1.1.0.29 v1.1.0.29 v1.1.0.29 v1.1.0.29 v1.1.0.29 v1.1.0.29 v1.1.0.29 v1.1.0.29 v1.1.0.29

Date --------------------25-Nov-2007 12:46:12 25-Nov-2007 12:46:12 25-Nov-2007 12:46:12 25-Nov-2007 12:46:12 25-Nov-2007 12:46:12 25-Nov-2007 12:46:12 25-Nov-2007 12:46:12 25-Nov-2007 12:46:12 25-Nov-2007 12:46:12 25-Nov-2007 12:46:12 25-Nov-2007 12:46:12 25-Nov-2007 12:46:12

Status ----------Not active Active* Not active Active* Active* Not active Active* Not active Active* Not active Active* Not active

"*" designates that the image was selected for the next boot console# 4. Enter the boot system command to change the booting image to the currently inactive image. In the example it is image 1 which has the latest downloaded boot file.

Console# boot system image-1

Page 192

Downloading Software with CLI

Downloading Software

5.

Enter the copy command to download the system file.

Console# copy tftp://172.16.101.101/file1.ros image Accessing file 'file1' on 172.16.101.101... Loading file1 from 172.16.101.101: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 09-Jul-2006 03:22:27 %COPY-W-TRAP: The copy operation was completed successfully ! Copy: 6720861 bytes copied in 00:05:00 [hh:mm:ss] 6. Reboot the device. The device boots up with the updated boot and system files.

Page 193

Downloading Software with CLI

Downloading Software

Stacking Member Software Download

Ensure the stack has been correctly connected as described in the Allied Telesis AT-S95 Installation Guide. Downloading software to Stacking Members can be performed in the following ways:

Download the software to an individual device in the stack. In this example the software is downloaded to the device defined as Stacking Member number 3. Download the software to all devices in the stack. The * character is used instead of the Stacking Member number. The software is downloaded to the device allocated as the Stacking Master, defined as Stacking Member number 1. The software is then copied from the Stacking Master to a specified Stacking Member.

Downloading Software to a Stacking Member

To download software an Stacking Member number 3 perform the following: 1. Power up the stack as described in the Allied Telesis AT-S95 Installation Guide. The CLI command prompt is displayed.

Console# 2. Enter the copy command to download the boot file.

Console# copy tftp://172.16.101.101/file2.rfb unit://3/boot Accessing file 'file2' on 172.16.101.101... Loading file1 from 172.16.101.101: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 09-Jul-2006 03:15:21 %COPY-W-TRAP: The copy operation was completed successfully ! Copy: 3329361 bytes copied in 00:03:00 [hh:mm:ss] 3. Enter the bootvar command to determine which file contains the boot file. By default the inactive image area contains the newly downloaded boot file.

Console# show bootvar Images currently available on the FLASH image-1 active (selected for next boot) image-2 not active 4. Enter the boot system command to change the booting image to the currently inactive image. In the example it is image 2 which has the latest downloaded boot file.

Console# boot system image-2

Page 194

Downloading Software with CLI

Downloading Software

5.

Enter the copy command to download the system file.

Console# copy tftp://172.16.101.101/file1.ros unit://3/image Accessing file 'file1' on 172.16.101.101... Loading file1 from 172.16.101.101: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 09-Jul-2006 03:22:27 %COPY-W-TRAP: The copy operation was completed successfully ! Copy: 6720861 bytes copied in 00:05:00 [hh:mm:ss] 6. Reboot the devices being updated. The allocated devices boot up with the updated boot and system files.

Copying Software from the Stacking Master to a Stacking Member

To copy the software from the Stacking Master to a specified Stacking Member, number 4 in this example, perform the following: 1. 2. Download the software to the Stacking Master as previously described, using the Stacking Member number 1 instead of number 3, as per the previous example. Enter the copy command to copy the software from the Stacking Master to the Stacking Member. To copy the software from the Stacking Master to all the Stacking Members, use the * character instead of the Stacking Member number, number 4 in this example.

Console# copy unit://1/image unit://4/image 3. Reboot the devices being updated. The allocated devices boot up with the updated boot and system files.

Page 195

System Defaults

Appendix B. System Defaults

This section contains the system defaults, and includes the following topics:

RS-232 Port Settings Port Defaults Configuration Defaults Security Defaults Jumbo Frame Defaults System Time Defaults Spanning Tree Defaults Address Table Defaults VLAN Defaults Trunking Defaults Multicast Defaults QoS Defaults

Page 196

System Defaults
RS-232 Port Settings

RS-232 Port Settings

The following table contains the RS-232 port setting defaults: Data Bits Stop Bits Parity Flow Control Baud Rate 8 1 None None

115,200 bps

Port Defaults
The following are the port defaults: Auto Negotiation Auto Negotiation advertised capabilities Auto MDI/MDIX Head of Line Blocking Back Pressure Flow Control Cable Analysis Optical Transceiver Analysis Enabled Enabled

Enabled Enabled

Disabled Disabled Disabled Disabled

Manual Port Control Disabled and Identification

Page 197

System Defaults
Configuration Defaults

Configuration Defaults
The following are the initial device configuration defaults: Default User Name Default Password System Name Comments BootP DHCP manager friend None None Enabled Disabled

Security Defaults
The following are the system security defaults: Locked Ports 802.1X Port Based Authentication Storm Control DHCP Snooping Disabled Disabled

Disabled Disabled

Jumbo Frame Defaults

The following is the Jumbo Frame default: Jumbo Frame After Reset Disabled

System Time Defaults

The following is the system time default: SNTP Enabled

Page 198

System Defaults
Spanning Tree Defaults

Spanning Tree Defaults

The following are the spanning tree defaults: STP STP Port Rapid STP Multiple STP Fast Link Path Cost Enabled Disabled Enabled Disabled Disabled Long

Address Table Defaults

The following the Address Table defaults: Number of MAC Entries MAC Address Aging Time VLAN-Aware MACbased Switching 8,000

300 seconds

Enabled

VLAN Defaults
The following are the VLAN defaults: Possible VLANs GVRP Management VLAN Join Timer Leave Timer Leave All Timer Private VLAN Edge 256 Disabled VLAN 1 20 centiseconds 60 centiseconds 1000 centiseconds Enabled

Page 199

System Defaults
Trunking Defaults

Trunking Defaults
The following are the trunking defaults: Possible Trunks Possible Ports per Trunk LACP Ports/Trunk 8 8

16

Multicast Defaults
The following are the Multicast defaults: IGMP Snooping Maximum Multicast Groups Disable 256

QoS Defaults
The following are the QoS defaults: QoS Mode Queue Mapping Disable Cos 0 1 2 3 4 5 6 7 DSCP 1 2 3 4 Queue 2 1 1 2 3 3 4 4 Queue 0-15 16-31 32-47 48-63

Page 200

Index

Index
Symbols
802.1x port access 51

D
Daylight Saving Time (DST) configuration broadcast time 22 DST per country 23 parameters 22 Debug 108 Default gateway 19 Delta 186 device management methods 27, 29 DHCP 19 DHCP database 75 DHCP Snooping 70, 75 General Settings 70 Option 82 70, 71 VLANs 72 DSCP 158, 160, 163

A
Absolute 186 Access level 45 access profiles 27 rules 31 ACE 57 ACL 57, 68 ACL Binding 68 Alarms 186 Alert 107 Authentication key 144 Authentication methods 34, 51, 54, 143 secure HTTP 38 authentication profiles 34 mapping 37 Secure Shell (SSH) 37 Auto learn 129

E
Emergency 107 Enable authentication 34 Engine ID 142 Error 107 Etherlike statistics 175 EVENTS 183

B
Back pressure 81 Bandwidth 163 Binding Database 75 Boundary 122 BPDU 113 handling 113 max hops 121 Bridge ID 114, 125

F
Facility 110 factory defaults, restoring 166 FCS 175, 178, 182 FCS error 178, 182 FDB 87 Fiber optic cables 171 file management, overview 166 Flash 108 Flash log 110 Flow control 81, 86, 88 for 186 ForceAuthorized 54 ForceUnauthorized 54 Forwarding database 87 Fragments 182 Frame Check Sequence 175, 178, 182

C
CIR 164 Class of Service (CoS) 157 Clock 21 Collision 175 Committed Burst Size 164 Committed Information Rate 164 Copper cables 169 CRC 182 Critical 107

Page 201

Index

G
GARP VLAN Registration Protocol (GVRP) 102 Guest VLAN 51 GVRP 103 configuration 102

N
Notice 107 Notifications 136, 148

O
Object ID 145 Offset 21, 22 Option 82 70, 71

H
Host 105 HTTP 29, 38

I
IGMPv1 and 2 128 IGMPv3 128 Informational 108 interface configuration access profiles 27 Internet Group Management Protocol (IGMP) 127 IP Addresses 18 IP Base ACL 62

P
Path cost 125 PoE configuration enabling 153 port based authentication 48 Port mirroring 82 Port security 48 Port status 80 ports configuration 77 Power 154, 171 Power-over-Ethernet (PoE) 153 Powered Devices 153 Priority 122 Privacy key 144 Private VLAN Edge (PVE) 87, 89 Profiles 28, 31, 34 PVE (Private VLAN Edge) 81, 87 PVID 101

J
Jabbers 182

L
LACP 86, 88, 90, 91 Learning mode 50 Line passwords 47 Local Engine ID 136 Login authentication 34 Logs 107

Q
QoS mode 158 Queues 160, 161, 163

M
Mac Address Aging Time 19 MAC addresses 19, 93 MAC Based ACL 57 Management methods 29, 32 Management Station 137, 138 MDI 81 MDIX 81 MSTP instance 125 MSTP interface 121 MSTP mapping 124 MSTP properties 120 Multicast 128, 130, 133 Multicast Forwarding 127 Multicast groups 128 Multiple Spanning Tree Protocol (MSTP) 120

R
RADIUS 35 RADIUS authentication 42 RADIUS server authentication methods 35 Rate limiting 164 Remote Authorization Dial-In User Service (RADIUS) 42 Remote log server 107 restoring configuration file to factory defaults 166 RMON 181, 183, 185, 186 RSTP 118 Rules 29

Page 202

Index

S
Samples 179 Scheduling 160 Secure HTTP 29, 38 Secure Telnet 29, 37 security 802.1x port access 51 server based authentication methods 39 servers configuration RADIUS 42 TACACS+ 39 Severity 109, 111 Simple Network Management Protocol (SNMP) 135 Simple Network Time Protocol (SNTP) 21 SNMP communities 137 notification 147 overview 135 versions 135 views 145 SNTP configuration 22 SNTP overview anycast time 21 broadcast time 22 unicast time 21 SSH 37 stacking chain topology 190 configuration 192 management interfaces 189 members 190 ring topology 189 Stacking Master 190 STP 113, 115, 119 STP configuration Fast Link 116 Stratum 21 Strict Priority 157, 160 Subtree ID 152 Suspended 80 system log configuration 108 modify 110 severity levels 107 System time 20

Threshold 153, 154, 186 Time Domain Reflectometry (TDR) 169 Trunks 89 Trust mode 158 Trusted Interface 73

U
UDP port 109 Untrusted Interface 73

V
VLAN 102 access profile interface 29 DHCP Snooping 72 guest VLAN 48 VLAN-aware bridges 102 VLAN ID 94, 97, 105, 128, 131, 133 VLAN mode 100 Voltage 171

W
Warning 107 Weighted Priority 160 Weighted Round Robin 157

Z
Zone offset 21 Zoom View 12, 49, 52, 56, 78, 154 802.1x Port Access 52, 56 PoE ports 154 port security 49

T
TACACS+ 35 Telnet 29, 37 Temporary 108 Terminal Access Controller Access Control System (TACACS+) 39

Page 203