Use the Network Security menu page to set network security through port-based authentication, locked ports, DHCP Filtering configuration, and access control lists.
To display the Network Security page, click Switching→Network Security in the tree view.
The Network Security menu page contains links to the following features:
IEEE 802.1X port-based network access control configuration is performed on the Dot1x Authentication page. MAC-based authentication allows multiple supplicants connected to the same port to each authenticate individually. For example, a system attached to the port might be required to authenticate in order to gain access to the network, while a VoIP phone might not need to authenticate in order to send voice traffic through the port.
• Authenticators — Specifies the port that is authenticated before permitting system access.
• Supplicants — Specifies the host connected to the authenticated port that requests access to the system services.
• Authentication Server — Specifies the external server, for example the RADIUS server, that performs the authentication on behalf of the authenticator and indicates whether the user is authorized to access system services.
Use the Dot1x Authentication page to configure the 802.1X administrative mode on the switch and to configure general 802.1X parameters for a port.
To display the Dot1x Authentication page, click Switching→Network Security→Dot1x Authentication in the tree view.
• Interface — Selects the Unit and Port to be affected.
• Guest VLAN — Enables or disables the guest VLAN mode on this interface. To enable the guest VLAN, select the VLAN ID to use as the guest VLAN. All VLANs configured on the system are included in the menu.
• Unauthenticated VLAN — Allows or prohibits unauthenticated traffic on the port. To allow unauthenticated traffic on the port, select the ID of the VLAN to assign to supplicants that fail 802.1X authentication.
• Admin Interface Control — Defines the port authorization state. The possible field values are:
– Automode — Automatically detects the mode of the interface.
– Authorized — Places the interface into an authorized state without being authenticated. The interface sends and receives normal traffic without client port-based authentication.
– Unauthorized — Denies the selected interface system access by moving the interface into the unauthorized state. The switch cannot provide authentication services to the client through the interface.
– MAC-based — Allows multiple hosts to authenticate on the interface. The hosts are distinguished by their MAC addresses.
• Re-Authentication Period — Indicates the time span in which the selected port is reauthenticated. The possible field range is 300–4294967295 seconds. The field default is 3600 seconds.
• Re-Authenticate Now — Forces immediate port reauthentication when selected.
• Authentication Server Timeout — Defines the amount of time that lapses before the switch resends a request to the authentication server. The possible field range is 1–65535 seconds. The field default is 30 seconds.
• Resending EAP Identity Request — Defines the amount of time that lapses before EAP requests are resent. The possible field range is 1–65535 seconds. The field default is 30 seconds.
• Quiet Period — Defines the amount of time that the switch remains in the quiet state following a failed authentication exchange. The possible field range is 0–65535 seconds. The field default is 60 seconds.
• Supplicant Timeout — Defines the amount of time that lapses before EAP requests are resent to the user. The possible field range is 1–65535 seconds. The field default is 30 seconds.
• Max EAP Requests — Defines the maximum number of times the switch can send an EAP request before restarting the authentication process if it does not receive a response. The possible field range is 1–10. The field default is 2 retries.
• Max Users — Sets the maximum number of clients supported on the port when MAC-based 802.1X authentication is enabled on the port. The number of users allowed to authenticate per port ranges from 1 to 16.
• MAC Authentication Bypass — Enable this feature to provide 802.1X-unaware clients controlled access to the network, using the MAC address of the device as an identifier. The known and allowable MAC addresses and their corresponding access rights must be configured in the authentication server. MAC Authentication Bypass only works when the port control mode of the port is MAC-based.
• Authenticator PAE — Current state of the authenticator PAE state machine. Possible values are Initialize, Disconnected, Connecting, Authenticating, Authenticated, Aborting, Held, ForceAuthorized, and ForceUnauthorized.
• Backend PAE — Current state of the backend authentication state machine. Possible values are Request, Response, Success, Fail, Timeout, Idle, and Initialize.
• VLAN Assigned — The VLAN assigned to the client by the RADIUS server. When VLAN assignments are disabled, the RADIUS server does not assign any VLAN to the port, and this field is set to 0.
• VLAN Name — This feature is an extension of the Dot1x Option 81 feature added in PowerConnect Release 2.1. A VLAN name is accepted as an alternative to a number when RADIUS indicates the Tunnel-Private-Group-ID for a supplicant. Because this option is a text string, it can also be used for a VLAN name. To support this feature, ensure that VLAN names are unique.
• Username — The username representing the identity of the Supplicant. This field shows the username when the Admin Interface Control is Automode or MAC-based. If the port is Authorized, it shows the username of the current user. If the port is unauthorized, it shows the last user that was authenticated successfully.
• Filter ID — The Filter Id assigned to the client by the RADIUS server. This field is not applicable when the Filter-Id feature is disabled on the RADIUS server and client.
Scroll to the right side of the table and select the Edit check box for each port to configure. Change Admin Port Control to Authorized, Unauthorized, or Automode as needed for the chosen ports. Only MAC-Based and Automode actually use dot1x to authenticate; Authorized and Unauthorized are manual overrides.
The Port Security page is used to enable security on a per-port basis. When a port is locked, only packets with allowable source MAC addresses can be forwarded. All other packets are discarded. A MAC address can be defined as allowable by one of two methods: dynamically or statically.
To display the Port Security page, click Switching→Network Security→Port Security in the tree view.
The Port Security page contains the following fields:
• Interface — Displays the unit and port or the LAG on which the locked port security is enabled.
• Set Port — Enables locking the port or LAG. When a port is locked, all the current addresses that had been dynamically learned by the switch on that port are removed from the list. When the port is unlocked, they are removed from the static list.
• Traps — Enables or disables sending a trap when a packet is received on a locked port or LAG.
• Trap Frequency — Specifies the time interval in seconds between successive traps. The valid range is 1 to 1000000 seconds.
• Max Learned Addresses — Specifies the Max Learned Addresses count. The valid range is 0 to 100.
Use the IP ACL Configuration page to add or remove IP-based ACLs.
To display the IP ACL Configuration page, click Switching→Network Security→Access Control Lists→IP Access Control Lists→Configuration in the tree view.
Use the IP ACL Rule Configuration page to define rules for IP-based ACLs. The access list definition includes rules that specify whether traffic matching the criteria is forwarded normally or discarded. Additionally, a rule can assign matching traffic to a particular queue, filter on some traffic, change the VLAN tag, shut down a port, and/or redirect the traffic to a particular port.
NOTE: There is an implicit "deny all" rule at the end of an ACL list. This means that if an ACL is applied to a packet and if none of the explicit rules match, then the final implicit "deny all" rule applies and the packet is dropped.
To display the IP ACL Rule Configuration page, click Switching→Network Security→Access Control Lists→IP Access Control Lists→Rule Configuration in the tree view.
• Rule ID — Selects or creates a user-defined ACL rule. Enter an existing Rule ID, or create a new one by selecting Create from the drop-down menu and entering the desired new Rule ID in the field next to it. The new ID is created once Apply Changes is clicked. Up to 127 rules can be created for each ACL.
• Action — Selects the ACL forwarding action. Choose from the drop-down menu options to apply a forwarding action. Possible values are:
– Permit — Forwards packets which meet the ACL criteria.
• Assign Queue ID — Click the check box to apply this criterion, then enter an identifying number from 0 to 6.
• Redirect Interface — Select from the drop-down list of interfaces one that packets meeting this rule can be redirected to.
• Mirror Interface — Select from the drop-down list of interfaces one that packets meeting this rule can be mirrored to.
• Logging — Enables logging for a particular ACL when the check box is selected. Logging is supported for the Deny action only.
• Match Every — Requires a packet to match the criteria of this ACL. Click the check box to apply this criterion. Match Every is exclusive of the other filtering rules, so if it is checked, the other rules on the screen aren’t accessible.
• Protocol — Requires a packet’s protocol to match the protocol listed here. Click the check box to apply this criterion, then select one of the following:
– Select from List — Select from the drop-down list of protocols on which the rule can be based.
– Match to Value — Click to add a user-defined Protocol ID used to match packets to the rule.
• Source IP Address — Requires a packet’s source IP address to match the address listed here. Click the check box and enter an address to apply this criterion.
• Wild Card Mask — Specifies the source IP address wildcard mask. Wildcard masks determine which bits are compared and which bits are ignored. A wildcard mask of 255.255.255.255 indicates that no bit is significant; a wildcard mask of 0.0.0.0 indicates that all of the bits are significant. This field is required when Source IP Address is checked.
• Source L4 Port — Requires a packet’s TCP/UDP source port to match the port listed here. Click the check box to apply this criterion, then select one of the following from the drop-down menu:
– Select From List — Click to select from a list of source ports on which the rule can be based.
– Match to Port — Click to add a user-defined Port ID by which packets are matched to the rule.
• Destination IP Address — Requires a packet’s destination IP address to match the address listed here. Click the check box and enter an address to apply this criterion.
• Wild Card Mask — Specifies the destination IP address wildcard mask. This field is required when Destination IP Address is checked.
• Destination L4 Port — Requires a packet’s TCP/UDP destination port to match the port listed here. Click the check box to apply this criterion, then select one of the following:
– Select From List — Select from a list of destination ports on which the rule can be based.
– Match to Port — Click to add a user-defined Port ID by which packets are matched to the rule.
• IP Precedence — Matches the packet IP Precedence value to the rule when checked. Enter the IP Precedence value to match. Either the DSCP value or the IP Precedence value is used to match packets to ACLs.
• IP TOS Bits — Matches on the Type of Service bits in the IP header when checked.
– TOS Bits — Requires the bits in a packet’s TOS field to match the two-digit hexadecimal number entered here.
– TOS Mask — Specifies the bit positions used for comparison against the IP TOS field in a packet.
• Remove — Removes a Rule ID when Remove is checked and Apply Changes is clicked.
The MAC ACL Configuration page allows network administrators to define a MAC-based ACL. For an explanation of ACLs, see "IP ACL Configuration."
To display the MAC ACL Configuration page, click Switching→Network Security→Access Control Lists→MAC Access Control Lists→Configuration in the tree view.
Use the MAC ACL Rule Configuration page to define rules for MAC-based ACLs. The access list definition includes rules that specify whether traffic matching the criteria is forwarded normally or discarded. A default 'deny all' rule is the last rule of every list.
To display the MAC ACL Rule Configuration page, click Switching→Network Security→Access Control Lists→MAC Access Control Lists→Rule Configuration in the tree view.
• Rule Id — Selects or creates a user-defined ACL rule. Enter an existing Rule ID, or create a new one by selecting Create from the drop-down menu and entering the desired new Rule ID in the field next to it. The new ID is created once Apply Changes is clicked.
• Action — Selects the ACL forwarding action, which can be one of the following values:
– Permit — Forwards packets which meet the ACL criteria.
• Assign Queue ID — Click the check box to apply this criterion, then enter an identifying number from 0 to 6.
• Redirect Interface — Select from the drop-down list of interfaces one that packets meeting this rule can be redirected to.
• Mirror Interface — Select from the drop-down list an interface that packets meeting this rule can be mirrored to.
• Logging — Click the check box to enable logging for this ACL. This feature is supported for the Deny action only.
• Match Every — Requires a packet to match the criteria of this ACL. Click the check box to apply this criterion.
• Class of Service — Requires a packet’s CoS to match the CoS value listed here. Click the check box and enter a CoS value between 0 and 7 to apply this criterion.
• Secondary CoS — Requires a packet’s secondary CoS to match the CoS value listed here. Click the check box and enter a CoS value between 0 and 7 to apply this criterion.
• Destination MAC Address — Requires a packet’s destination MAC address to match the address listed here. Click the check box and enter an address to apply this criterion.
• Destination MAC Mask — Enter the MAC mask associated with the Destination MAC to match.
• EtherType — Requires a packet’s EtherType to match the EtherType listed here. Click the check box and select from a list or enter the EtherType ID:
– Select from List — Select the desired EtherType from the drop-down menu.
• Source MAC Address — Requires a packet’s source MAC address to match the address listed here. Click the check box and enter an address to apply this criterion.
• Source MAC Mask — If desired, enter the MAC mask for the source MAC address to match.
• Vlan Id — Requires a packet’s VLAN ID to match the ID listed here. Click the check box and enter the VLAN ID to apply this criterion. Possible field values are 1–4095.
• Remove — Removes the MAC ACL Rule when Remove is checked and Apply Changes is clicked.
An IPv6 ACL consists of a set of rules which are matched sequentially against a packet. When a packet meets the match criteria of a rule, the specified rule action (Permit/Deny) is taken and the remaining rules are not checked for a match. On this menu the interfaces to which an IPv6 ACL applies must be specified, as well as whether it applies to inbound or outbound traffic. Rules for the IPv6 ACL are created using the IPv6 ACL Rule Configuration menu.
First, you use the IPv6 ACL Configuration page to define the IPv6 ACL and assign an ID to it. Then, you use the IPv6 ACL Rule Configuration page to create rules for the ACL. Finally, you use the ACL Interface Configuration and/or ACL Interface/VLAN Summary pages to assign the ACL by its ID number to a port or VLAN. You can use the IPv6 ACL Table page to view the configurations. See Displaying IPv6 ACLs.
Use the IPv6 ACL Configuration page to add or remove IPv6-based ACLs. To display the IPv6 ACL Configuration page, click Switching→Network Security→Access Control Lists→IPv6 Access Control Lists→IPv6 ACL Configuration in the tree view.
The IPv6 ACL Configuration page contains the following fields:
• IPv6 ACL Name — Specify an IPv6 ACL name string which includes alphanumeric characters only. The name must start with an alphabetic character. This field displays the name of the currently selected IPv6 ACL if any ACLs have already been created.
• Rename — To rename an existing IPv6 ACL, select this option, enter a new name in the text field, and click Apply Changes. The changes are applied to the ACL that is selected in the IPv6 ACL Name field.
• Remove — To remove an existing IPv6 ACL, select the ACL from the IPv6 ACL Name menu, select the remove option, and click Apply Changes.
• IPv6 ACL Name — Describes the number ranges for IPv4 ACL standard versus extended. The range for a standard IP ACL is 1-99. For an extended IP ACL, the ID range is 101-199.
• Rules — Shows the number of rules currently configured for the IP ACL.
• Direction — Shows the direction of packet traffic affected by the IP ACL, which can be Inbound or blank.
• Interface — Shows the interfaces to which the IP ACL applies.
• VLAN ID — The VLAN(s) to which the IPv6 ACL applies.
Use the IPv6 ACL Rule Configuration page to define rules for IPv6-based ACLs. The access list definition includes rules that specify whether traffic matching the criteria is forwarded normally or discarded. Additionally, a rule can assign matching traffic to a particular queue, filter on some traffic, change the VLAN tag, shut down a port, and/or redirect the traffic to a particular port. By default, no specific value is in effect for any of the IPv6 ACL rules.
• Rule ID — Select an existing Rule ID to modify or select Create Rule to configure a new ACL Rule. To create a new rule, enter a rule ID from 1–127 in the available field. New rules cannot be created if the maximum number of rules has been reached. For each rule, a packet must match all the specified criteria in order to be true against that rule and for the specified rule action (Permit/Deny) to take place.
• Action — Specify what action should be taken if a packet matches the rule’s criteria. The choices are Permit or Deny.
• Assign Queue ID — Specifies the hardware egress queue identifier used to handle all packets matching this IPv6 ACL rule. The valid range of Queue IDs is 0 to 6.
• Redirect Interface — Specifies the egress interface where the matching traffic stream is forced, bypassing any forwarding decision normally performed by the device. This field cannot be set if a Mirror Interface is already configured for the ACL rule.
• Mirror Interface — Specifies the egress interface where the matching traffic stream is copied, in addition to it being forwarded normally by the device. This field cannot be set if a Redirect Interface is already configured for the ACL rule.
• Logging — When set to True, logging is enabled for this ACL rule (subject to resource availability in the device). If the Access List Trap Flag is also enabled, this causes periodic traps to be generated indicating the number of times this rule was activated during the current report interval. A fixed 5 minute report interval is used for the entire system. A trap is not issued if the ACL rule hit count is zero for the current interval. This field is visible for a Deny action.
• Source Prefix/PrefixLength — Specify the IPv6 prefix combined with the IPv6 prefix length of the network or host from which the packet is being sent. The prefix length can be in the range 0 to 128.
• Source L4 Port — Specify a packet's source layer 4 port as a match condition for the selected IPv6 ACL rule. Source port information is optional. Source port information can be specified in two ways:
• Destination Prefix/Prefix Length — Enter up to a 128-bit prefix combined with the prefix length to be compared to a packet's destination IP address as a match criterion for the selected IPv6 ACL rule. The prefix length can be in the range 0 to 128.
• Destination L4 Port Number — Specify a packet's destination layer 4 port number as a match condition for the selected IPv6 ACL rule. This is an optional configuration.
• Destination L4 Port Keyword — Specify the destination layer 4 port match conditions for the selected IPv6 ACL rule. The possible values are DOMAIN, ECHO, FTP, FTPDATA, HTTP, SMTP, SNMP, TELNET, TFTP, and WWW. Each of these values translates into its equivalent port number, which is used as both the start and end of the port range. This is an optional configuration.
• Flow Label — A 20-bit number that is unique to an IPv6 packet and is used by end stations to signify QoS handling in routers. The flow label can be specified within the range 0 to 1048575.
• IPv6 DSCP Service — Specify the IP DiffServ Code Point (DSCP) value, which is defined as the high-order six bits of the Service Type octet in the IPv6 header. This is an optional configuration. Enter an integer from 0 to 63. The IPv6 DSCP can be selected from one of the DSCP keywords in the menu. To specify a DSCP by its numeric value, select the Other option in the menu, and a text box displays for entering the numeric value.
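The sequential, first-match evaluation and the implicit "deny all" described for the IP ACL and IPv6 ACL rule pages above, as an added example that is not the switch's own code: IPv4 rules match with an address plus Wild Card Mask, IPv6 rules with a Prefix/PrefixLength, rules are checked in ascending Rule ID order, and a logged Deny rule counts its hits. The protocol numbers, the keyword-to-port table, and the sample ACLs and packets are constructed for this example.

```python
"""Sequential ACL evaluation with first-match semantics and the implicit
"deny all" rule, for IPv4 rules (address + wildcard mask) and IPv6 rules
(prefix/prefix-length).  Added example modelled on the Rule Configuration
pages; it is not the switch's own code."""
from dataclasses import dataclass, field
import ipaddress
from typing import Optional

PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17}
# Destination L4 Port Keyword values listed on the IPv6 rule page.
PORT_KEYWORDS = {"DOMAIN": 53, "ECHO": 7, "FTP": 21, "FTPDATA": 20,
                 "HTTP": 80, "SMTP": 25, "SNMP": 161, "TELNET": 23,
                 "TFTP": 69, "WWW": 80}


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard mask means 'ignore this bit'.
    0.0.0.0 -> every bit must match; 255.255.255.255 -> any address."""
    if ipaddress.ip_address(addr).version != 4:
        return False                      # an IPv6 packet never matches a v4 rule
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w                 # bits that must be equal
    return (a & care) == (r & care)


def prefix_match(addr: str, prefix: str) -> bool:
    """Source/Destination Prefix/PrefixLength, e.g. 2001:db8::/32.
    Prefix length 0 (::/0) matches every IPv6 address."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


@dataclass
class Rule:
    rule_id: int                      # rules are checked in ascending ID order
    action: str                       # "permit" or "deny"
    protocol: Optional[int] = None    # Protocol / Match to Value
    src: Optional[str] = None         # v4: address used with src_wild; v6: prefix
    src_wild: Optional[str] = None    # v4 Wild Card Mask (None for a v6 prefix)
    dst: Optional[str] = None
    dst_wild: Optional[str] = None
    src_port: Optional[int] = None    # Source L4 Port
    dst_port: Optional[int] = None    # Destination L4 Port
    logging: bool = False             # Logging (Deny action only)
    hits: int = 0                     # what a logging trap would report

    def matches(self, pkt: dict) -> bool:
        """A packet must satisfy every criterion configured on the rule."""
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        for side, wild in (("src", self.src_wild), ("dst", self.dst_wild)):
            want = getattr(self, side)
            if want is None:
                continue                  # criterion not checked on this rule
            if wild is not None:
                if not wildcard_match(pkt[side], want, wild):
                    return False
            elif not prefix_match(pkt[side], want):
                return False
        if self.src_port is not None and pkt.get("sport") != self.src_port:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


@dataclass
class ACL:
    name: str
    rules: list = field(default_factory=list)

    def evaluate(self, pkt: dict) -> tuple:
        """First matching rule wins; no match -> implicit deny, rule ID None."""
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if rule.matches(pkt):
                if rule.logging and rule.action == "deny":
                    rule.hits += 1
                return rule.action, rule.rule_id
        return "deny", None


# Constructed sample ACLs (addresses and ports are made up for the example).
MGMT_ACL = ACL("mgmt-in", [
    Rule(10, "permit", PROTOCOLS["tcp"], dst="10.1.2.10", dst_wild="0.0.0.0",
         dst_port=PORT_KEYWORDS["HTTP"]),
    Rule(20, "deny", PROTOCOLS["udp"], dst="10.1.0.0", dst_wild="0.0.255.255",
         dst_port=PORT_KEYWORDS["SNMP"], logging=True),
    Rule(30, "permit", src="10.1.0.0", src_wild="0.0.255.255"),
])
V6_ACL = ACL("v6-in", [
    Rule(1, "permit", PROTOCOLS["tcp"], src="2001:db8:1::/48",
         dst_port=PORT_KEYWORDS["HTTP"]),
    Rule(2, "deny", src="2001:db8::/32", logging=True),
])
```

A packet that reaches the end of the list without matching, such as SSH from 192.168.1.1 against MGMT_ACL, is dropped by the implicit rule and reports rule ID None, which is why the implicit deny never shows up as a hit count.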
NOTE: Binding an ACL in the egress direction is not supported by the PowerConnect 6200 Series switches. IP ACLs may be bound to an Ethernet interface in the egress direction.
To display the ACL Bind Configuration page, click Switching→Network Security→Access Control Lists→Binding Configuration in the tree view.
The ACL Bind Configuration page contains the following fields:
• Interface — Radio buttons permit selection of the interface by Unit/port, LAG, or VLAN.
• Select an ACL — Selects the ACL type to which incoming packets are matched. Packets can be matched to IP-based, MAC-based, or IPv6-based ACLs. Valid combinations of ACLs that can be bound to any interface or VLAN are:
NOTE: Whenever an ACL is assigned on a port, LAG, or VLAN, flows from that ingress interface that do not match the ACL are matched to the default rule, which is Drop unmatched packets.
The Ports menu page provides links for configuring port functionality, including advanced features such as storm control and port mirroring, and for performing virtual port tests.
To display the page, click Switching→Ports in the tree view. The Ports menu page contains links to the following features:
Use the Global Parameters page to configure Flow Control. Flow Control allows traffic from one switch to be throttled for a specified period of time, and is defined for switches that are directly connected. Flow Control can only be set for ports configured for full-duplex operation. Since ports set to auto-negotiate may not be added as LAG members, LAG member ports cannot have flow control configured to auto.
NOTE: Flow Control is incompatible with head of line blocking prevention mode. The switch can operate in either mode, but not at the same time.
To display the Global Parameters page, click Switching→Ports→Global Parameters in the tree view.
• Auto Negotiation — Enables Auto Negotiation on the port. Auto Negotiation is a protocol between two link partners that enables a port to advertise its transmission rate, duplex mode, and flow control abilities to its partner.
• Transceiver Firmware Version — Displays the firmware part number of the port transceiver, if available. Valid only for SFX7101 transceivers on 10GBase-T non-stacking ports.
Use the Protected Port Configuration page to specify a Layer 2 security feature, Private VLAN Edge (PVE) ports, that provides port-based security between ports that are members of the same VLAN. Traffic from protected ports is sent only to the uplink ports and cannot be sent to other ports within the VLAN.
To display the Protected Port Configuration page, click Switching→Ports→Protected Port Configuration in the tree view.
The Storm Control page contains the following fields:
• Port — Specifies the Unit and Port for which storm control is enabled.
• Storm Control Mode — Specifies the mode of broadcast affected by storm control.
– Broadcast — If the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped.
– Multicast — If the rate of L2 multicast traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped.
– Unknown Unicast — If the rate of unknown L2 unicast (destination lookup failure) traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped.
• Storm Control Rate Threshold (0–100%) — Specifies the maximum rate at which unknown packets are forwarded. The range is a percentage of the total threshold.
Port mirroring selects the network traffic for analysis by a network analyzer. This is done for specific ports of the switch. As such, many switch ports are configured as source ports and one switch port is configured as a destination port. You have the ability to configure how traffic is mirrored on a source port. Packets that are received on the source port, that are transmitted on a port, or are both received and transmitted, can be mirrored to the destination port.
MAC addresses are stored in either the static or dynamic address table. Static addresses are defined by you. Dynamic addresses are learned by the system, and are erased after a time-out. A packet addressed to a destination stored in one of the tables is forwarded immediately to the ports. The static and dynamic address tables can be sorted by Interface, VLAN ID, or VLAN Name. In addition, addresses can be added to the static and dynamic address tables.
To display the Address Tables menu page, click Switching→Address Tables in the tree view. The Address Tables menu page contains links to the following features:
The Static MAC Address page contains the following fields:
• Interface — Specifies the Unit and Port or LAG to which the static MAC address is applied. To view addresses for a different Unit/Port or LAG, change the Interface listed here.
• VLAN ID - MAC Address — Specifies the VLAN ID attached to the MAC address and the MAC address(es) included in the current static address list.
NOTE: Only MAC addresses assigned to the specified interface and VLAN are displayed.
• Status — Specifies the status of the MAC address. Possible values are:
The Dynamic Address Table page contains fields for querying information in the dynamic address table, including the interface type, MAC addresses, VLAN, and table sorting key. Packets forwarded to an address stored in the address table are forwarded directly to those ports.
The Dynamic Address Table also contains information about the aging time before a dynamic MAC address is removed from the table.
To display the Dynamic Address Table, click Switching→Address Tables→Dynamic Address Table in the tree view.
– MAC Address — Specifies the MAC address queried for an address.
– VLAN ID — Specifies the VLAN number (to which the MAC address is attached) that is queried for an address.
The Current Address Table contains dynamic address parameters by which packets are directly forwarded to the ports. The Current Address Table contains the following fields:
The GARP Timers page contains the following fields:
• Interface — Specifies the Unit and Port or LAG on which the GARP timer is enabled.
• GARP Join Timer (10–100) — Displays the time, in centiseconds, that PDUs are transmitted. The possible field value is 10–100. The default value is 100 centisecs.
• GARP Leave Timer (30–600) — Displays the time lapse, in centiseconds, that the switch waits before leaving its GARP state. Leave time is activated by a Leave All Time message sent/received, and cancelled by the Join message received. Leave time must be greater than or equal to three times the join time. The possible field value is 30–600. The default value is 60 centisecs.
• GARP Leave All Timer (200–6000) — Displays the time lapse, in centiseconds, that all switches wait before leaving the GARP state. The leave all time must be greater than the leave time. The possible field value is 200–6000. The default value is 1000 centisecs.
Multiple Spanning Tree Protocol (MSTP) supports multiple instances of Spanning Tree to efficiently channel VLAN traffic over different interfaces. Each instance of the Spanning Tree behaves in the manner specified in IEEE 802.1w, Rapid Spanning Tree (RSTP), with slight modifications in the working but not the end effect (chief among the effects is the rapid transitioning of the port to ‘Forwarding’). The difference between RSTP and traditional STP (IEEE 802.1d) is the ability to configure and recognize full-duplex connectivity and ports which are connected to end stations, resulting in rapid transitioning of the port to the ‘Forwarding’ state and the suppression of Topology Change Notifications. These features are represented by the parameters ‘pointtopoint’ and ‘edgeport’. MSTP is compatible with both RSTP and STP and behaves appropriately toward STP and RSTP bridges. An MSTP bridge can be configured to behave entirely as an RSTP bridge or an STP bridge.
To display the Spanning Tree menu page, click Switching→Spanning Tree in the tree view. This Spanning Tree page contains links to the following STP procedures:
• STP Operation Mode — Specifies the STP mode by which STP is enabled on the switch. Possible field values are: Classic STP, Rapid STP, and Multiple STP.
• BPDU Flooding — Specifies Bridge Protocol Data Unit (BPDU) packet handling when the spanning tree is disabled on an interface. The possible field values are Enable or Disable. The default value is Disable.
• Port Fast — Enables Port Fast mode for all ports on the switch when checked. If Port Fast mode is enabled for a port, the Port State is automatically placed in the Forwarding state when the port link is up. Port Fast mode optimizes the time it takes for the STP protocol to converge. STP convergence can take 30–60 seconds in large networks.
• Port Fast BPDU Filter — Specifies BPDU Filter Mode on all ports which are enabled for Port Fast Mode. Possible values are Enable and Disable. The default value is Disable.
• Loop Guard — Enables or disables Loop Guard on all the ports.
• BPDU Protection — Disables a port in case a new switch tries to enter the already existing topology of STP. This keeps switches not originally part of an STP from influencing the STP topology.
• Priority — Specifies the bridge priority value. When switches or bridges are running STP, each is assigned a priority. After exchanging BPDUs, the switch with the lowest priority value becomes the root bridge. Valid values are from 0–61440. The default value is 32768.
• Max Age — Specifies the switch maximum age time, which indicates the amount of time in seconds a bridge waits before implementing a topological change. Valid values are from 6 to 40 seconds. The default value is 20 seconds.
• Forward Delay — Specifies the switch forward delay time, which indicates the amount of time in seconds a bridge remains in a listening and learning state before forwarding packets. Valid values are from 4 to 30 seconds. The default value is 15 seconds.
• Maximum Hops — Configures the maximum number of hops for the spanning tree. Valid values are from 6 to 40. The default value is 20.
• Spanning Tree Tx Hold Count — Configures the Bridge Tx Hold Count parameter for the spanning tree. Valid values are from 1 to 10 seconds. The default value is 6 seconds.
• Root Port — Displays the port number that offers the lowest-cost path from this bridge to the root bridge. It is significant when the bridge is not the root. The default is zero.
• Root Path Cost — Displays the cost of the path from this bridge to the root.
• Last Topology Change — Displays the total amount of time since the last topology change. The time is displayed in day/hour/minute/second format, for example, 5 hours 10 minutes and 4 seconds.
• Port Fast — Enables Port Fast mode for the port when checked. If Port Fast mode is enabled for a port, the Port State is automatically placed in the Forwarding state when the port link is up. STP convergence can take 30–60 seconds in large networks.
•
Port State — Indicates the current STP state of a port. If enabled, the port state determines what forwarding action is taken on traffic. Possible port states are:
–
Disabled — STP is currently disabled on the port. The port forwards traffic while learning MAC addresses.
–
Blocking — The port is currently blocked and cannot be used to forward traffic or learn MAC addresses.
–
Listening — The port is currently in the listening mode. The port cannot forward traffic nor can it learn MAC addresses.
–
Learning — The port is currently in the learning mode. The port cannot forward traffic, however, it can learn new MAC addresses.
–
Forwarding — The port is currently in the forwarding mode. The port can forward traffic and learn new MAC addresses.
•
STP Root Guard — Prevents the root of a Spanning Tree instance from changing unexpectedly. When a root bridge has root guard enabled and a superior BPDU arrives, that port is moved to a root-inconsistent state, which equates to the listening state. The root bridge is enforced.
•
Role — Displays the role this port has in the STP topology. The port role will be one of the following values: Root Port, Designated Port, Alternate Port, Backup Port, Master Port or Disabled Port.
•
Speed — Displays speed at which the port is operating.
•
Path Cost — Specifies the port contribution to the root path cost. The path cost is adjusted to a higher or lower value, and is used to forward traffic when a path is being rerouted. A value of zero means the path cost is set according to the port's speed. The possible values are 0 to 200000000. The default value is 0.
•
Priority — Specifies priority value of the port. The priority value influences the port choice when a bridge has two ports connected in a loop. The possible values are 0 to 240. The default value is 128.
•
External Path Cost — Specifies the External Path Cost to a new value for the specified port in the spanning tree. Enter 0 to set the external path cost value automatically on the basis of Link Speed. The possible values are 0 to 200000000. The default value is 0.
•
Loop Guard — Prevents a port from erroneously transitioning from blocking state to forwarding when the port stops receiving BPDUs. The port is marked as being in loop-inconsistent state. In this state, the port does not forward packets. The possible values are Enable or Disable.
•
TCN Guard — Enabling the TCN Guard feature restricts the port from propagating any topology change information received through that port. This means that even if a port receives a BPDU with the topology change flag set to true, the port will not flush its MAC address table and send out a BPDU with a topology change flag set to true.
•
Auto Edge — Enabling the Auto Edge feature allows the port to become an edge port if it does not see BPDUs for some duration.
Designated Cost — Displays cost of the port participating in the STP topology. Ports with a lower cost are less likely to be blocked if STP detects loops.
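The fields above describe root election (Priority, Root Port, Root Path Cost, Path Cost), STP Root Guard and Loop Guard in prose only. The following is an added example, not code from the switch or its documentation: a simplified 802.1D bridge that ranks BPDUs by (root bridge ID, root path cost), parks a guarded port in root-inconsistent when a superior root claim arrives, and holds a quiet alternate port in loop-inconsistent instead of unblocking it. The per-speed default path costs are the IEEE 802.1D-2004 values, assumed here because the page's own table is not shown; the bridge IDs and port numbers are constructed.

```python
"""Added example: BPDU ranking with Root Guard and Loop Guard (simplified 802.1D)."""
from dataclasses import dataclass

# IEEE 802.1D-2004 recommended path cost per link speed (assumption: the switch's
# own "set according to the port's speed" table is not on this page).
IEEE_DEFAULT_PATH_COST = {10: 2_000_000, 100: 200_000, 1_000: 20_000, 10_000: 2_000}


def port_path_cost(configured: int, speed_mbps: int) -> int:
    """A configured Path Cost of 0 means 'derive from the port speed'."""
    return configured if configured else IEEE_DEFAULT_PATH_COST[speed_mbps]


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int   # 0-61440, default 32768; lower wins the root election
    mac: str        # tie-breaker when priorities are equal


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId       # who the sender believes the root is
    root_path_cost: int     # sender's cost to that root
    sender_id: BridgeId


@dataclass
class Port:
    number: int
    speed_mbps: int
    path_cost: int = 0          # 0 = automatic
    root_guard: bool = False
    loop_guard: bool = False
    role: str = "designated"
    state: str = "forwarding"


class Bridge:
    def __init__(self, bridge_id: BridgeId, ports):
        self.id = bridge_id
        self.ports = {p.number: p for p in ports}
        self.root_id = bridge_id      # every bridge starts out claiming to be root
        self.root_path_cost = 0
        self.root_port = 0            # page: 0 while this bridge is the root

    def receive_bpdu(self, port_no: int, bpdu: Bpdu) -> str:
        """Apply one received BPDU; return the port's resulting state."""
        port = self.ports[port_no]
        # Root Guard: a superior root claim on a guarded port is never accepted;
        # the port is moved to root-inconsistent (listening-equivalent).
        if port.root_guard and bpdu.root_id < self.root_id:
            port.state = "root-inconsistent"
            return port.state
        cost_via_port = bpdu.root_path_cost + port_path_cost(port.path_cost, port.speed_mbps)
        better_root = bpdu.root_id < self.root_id
        cheaper_path = bpdu.root_id == self.root_id and cost_via_port < self.root_path_cost
        if better_root or cheaper_path:
            if self.root_port:                      # old root port becomes an alternate
                old = self.ports[self.root_port]
                old.role, old.state = "alternate", "blocking"
            self.root_id, self.root_path_cost, self.root_port = bpdu.root_id, cost_via_port, port_no
            port.role, port.state = "root", "forwarding"
        elif bpdu.root_id == self.root_id and port_no != self.root_port:
            # Same root, not a cheaper path: a redundant link, kept blocked.
            port.role, port.state = "alternate", "blocking"
        return port.state

    def bpdu_timeout(self, port_no: int) -> str:
        """BPDUs stopped arriving on a port. Without Loop Guard a blocked alternate
        port unblocks (the silent neighbour looks gone); with it the port is held
        in loop-inconsistent and keeps dropping traffic."""
        port = self.ports[port_no]
        if port.role == "alternate":
            port.state = "loop-inconsistent" if port.loop_guard else "forwarding"
        return port.state


def demo(guards: bool):
    """Constructed topology: intended root, this switch, and a device claiming priority 0."""
    core = BridgeId(4096, "00:00:00:00:00:01")
    this = BridgeId(32768, "00:00:00:00:00:02")
    rogue = BridgeId(0, "00:00:00:00:00:03")
    sw = Bridge(this, [Port(1, 1_000, loop_guard=guards), Port(2, 1_000, loop_guard=guards),
                       Port(3, 100, root_guard=guards)])
    sw.receive_bpdu(1, Bpdu(core, 0, core))          # port 1 -> root port, cost 20000
    sw.receive_bpdu(2, Bpdu(core, 20_000, core))     # redundant path -> alternate, blocking
    s3 = sw.receive_bpdu(3, Bpdu(rogue, 0, rogue))   # rogue claim on an edge-facing port
    s2 = sw.bpdu_timeout(2)                          # port 2 goes quiet
    return sw.root_id, sw.root_port, sw.root_path_cost, s3, s2
```

`demo(True)` keeps the intended root and leaves ports 3 and 2 in root-inconsistent and loop-inconsistent; `demo(False)` shows the two failure modes the guards exist for: the priority-0 claim takes over the tree and the silent alternate port unblocks.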
The STP LAG Settings page contains the following fields:
•
Select a LAG — Specifies the LAG number for which you want to modify STP settings.
•
STP — Enables or disables STP on the LAG. Default is enable.
•
Port Fast — Enables Port Fast mode for the LAG. If Port Fast mode is enabled for a LAG, the Port State is automatically placed in the Forwarding state when the LAG is up. Port Fast mode optimizes the time it takes for the STP protocol to converge. STP convergence can take 30–60 seconds in large networks.
•
Port State — Displays current STP state of a LAG. If enabled, the LAG state determines what forwarding action is taken on traffic. If the bridge discovers a malfunctioning LAG, the LAG is placed in the Broken state. Possible LAG states are:
–
Disabled — STP is currently disabled on the LAG. The LAG forwards traffic while learning MAC addresses.
–
Blocking — The LAG is blocked and cannot be used to forward traffic or learn MAC addresses.
–
Listening — The LAG is in the listening mode and cannot forward traffic or learn MAC addresses.
–
Learning — The LAG is in the learning mode and cannot forward traffic, but it can learn new MAC addresses.
–
Forwarding — The LAG is currently in the forwarding mode, and it can forward traffic and learn new MAC addresses.
–
Broken — The LAG is currently malfunctioning and cannot be used for forwarding traffic.
•
STP Root Guard — Enables or disables STP Root Guard. The default is disable.
•
Role — Displays the role this port has in the STP topology.
•
Path Cost — Specifies amount the LAG contributes to the root path cost. The path cost is adjusted to a higher or lower value, and is used to forward traffic when a path is being rerouted. The range is 0–200000000. The default is 0.
•
Priority — Specifies priority value of the LAG. The priority value influences the LAG choice when a bridge has two looped ports. The priority value is between 0–240. The default value is 128.
•
External Path Cost — Specifies the External Path Cost to a new value for the specified port in the spanning tree. Enter 0 to set the external path cost value automatically on the basis of Link Speed. The default value is 0.
•
Loop Guard — Prevents a LAG from erroneously transitioning from blocking state to forwarding when the LAG stops receiving BPDUs. The LAG is marked as being in loop-inconsistent state. In this state, the LAG does not forward packets. The possible values are Enable or Disable.
•
TCN Guard — Enabling the TCN Guard feature restricts the LAG from propagating any topology change information received through that LAG. This means that even if a LAG receives a BPDU with the topology change flag set to true, the port will not flush its MAC address table and send out a BPDU with a topology change flag set to true.
•
Auto Edge — Enabling the Auto Edge feature allows the LAG to become an edge port if it does not see BPDUs for some duration.
Designated Cost — Displays cost of the port participating in the STP topology. Ports with a lower cost are less likely to be blocked if STP detects loops.
The Rapid Spanning Tree page contains the following fields:
•
Interface — Determines if RSTP is enabled on a Unit/Port or on a LAG. Click Unit/Port or LAG to specify the type of interface, then select the Unit/Port or LAG to configure from the drop-down menu.
•
State — Displays the spanning tree state for the port.
•
Role — Displays the spanning tree role for the port in the STP topology.
•
Mode — Displays the administrative mode and whether it is enabled or disabled.
•
Fast Link Operational Status — Indicates if Fast Link is enabled or disabled for the port or LAG. If Fast Link is enabled for a port, the port is automatically placed in the forwarding state. This setting can be changed from the "STP Port Settings" or "STP LAG Settings" page.
To establish communications over a point-to-point link, the originating PPP first sends Link Control Protocol (LCP) packets to configure and test the data link. After a link is established and optional facilities are negotiated as needed by the LCP, the originating PPP sends Network Control Protocols (NCP) packets to select and configure one or more network layer protocols. When each of the chosen network layer protocols has been configured, packets from each network layer protocol can be sent over the link. The link remains configured for communications until explicit LCP or NCP packets close the link, or until some external event occurs. This is the actual switch port link type.
The MSTP Settings page contains the following fields divided into two sections, Global Settings and Instance Settings:
•
Region Name (1–32 characters) — Specifies a user-defined MST region name.
•
Revision (0–65535) — Specifies unsigned 16-bit number that identifies the revision of the current MST configuration. The revision number is required as part of the MST configuration. Default is 0.
•
Max Hops (1–40) — Specifies the total number of hops that occur in a specific region before the BPDU is discarded. Once the BPDU is discarded, the port information is aged out. Default is 20.
•
Instance ID — Specifies the ID of the spanning tree instance. The field range is 1–15, and default is 1.
•
Included VLANs — Maps the selected VLANs to the selected instance. Every VLAN belongs to one instance only.
•
Priority (0–61440) — Specifies the switch priority for the selected spanning tree instance. The default value is 32768.
•
Bridge ID — Indicates the bridge ID of the selected instance.
•
Root Bridge ID — Indicates the bridge ID of the root bridge, which is the one with the lowest path cost.
•
Root Port — Indicates the root port of the selected instance.
•
Root Path Cost — Indicates the path cost of the selected instance.
The MSTP Interface Settings page contains the following fields:
•
Instance ID — Selects the MSTP instances configured on the switch. Possible field range is 1–15.
•
Interface — Selects either a Unit/Port or LAG for this MSTP instance.
•
Port State — Indicates whether the port is enabled or disabled in the specific instance.
•
Port Type — Indicates whether MSTP treats the port as a point-to-point port or a port connected to a hub and whether the port is internal to the MST region or a boundary port. If the port is a boundary port, it also indicates whether the switch on the other side of the link is working in RSTP or STP mode.
•
Role — Indicates the port role assigned by the STP algorithm in order to provide STP paths. The possible field values are:
–
Root — Provides the lowest cost path to forward packets to root switch.
–
Designated — Indicates the port or LAG through which the designated switch is attached to the LAN.
–
Alternate — Provides an alternate path to the root switch from the interface.
–
Backup — Provides a backup path to the designated LAN. Backup ports occur only when two ports are connected in a loop by a point-to-point link. Backup ports also occur when a LAN has two or more connections connected to a shared segment.
–
Disabled — Indicates the port is not participating in the Spanning Tree.
•
Priority — Defines the interface priority for the specified instance. The priority range is 0–240 in steps of 16. The default value is 128.
•
Path Cost (0–200000000) — Indicates the port contribution to the Spanning Tree instance. The range should always be 0–200,000,000. The default value is determined by the port’s speed. The default value is:
Each VLAN in a network has an associated VLAN ID, which appears in the IEEE 802.1Q tag in the Layer 2 header of packets transmitted on a VLAN. An end station may omit the tag, or the VLAN portion of the tag, in which case the first switch port to receive the packet may either reject it or insert a tag using its default VLAN ID. A given port may handle traffic for more than one VLAN, but it can only support one default VLAN ID.
To display the VLAN menu page, click Switching→VLAN in the tree view. This VLAN page contains links to the following features:
Use the VLAN Membership page to define VLAN groups stored in the VLAN membership table. Your switch supports up to 4094 VLANs. However, you can actually create only 4092 VLANs because:
The VLAN Membership page is divided into two sections. The top section contains fields that define the entire VLAN’s membership. The bottom section contains tables that define membership settings for specific Ports and LAGs on this VLAN. Following are the VLAN Membership fields:
•
Show VLAN — Selects the VLAN to display. Use either the VLAN ID or VLAN Name drop-down menu to select the VLAN.
•
VLAN Name (0–32) — Indicates the user-defined VLAN name. This field is defined using the Add button. Valid names can range from 0–32 characters in length.
•
Status — Indicates the VLAN type. Possible values are:
–
Dynamic — Indicates the VLAN was dynamically created through GVRP.
–
Static — Indicates the VLAN is user-defined and may be modified.
Remove VLAN — Removes the displayed VLAN from the VLAN Membership Table when checked.
The VLAN Membership tables display which Ports and LAGs are members of the VLAN, and whether they’re tagged (T), untagged (U), or forbidden (F). The tables have two rows: Static and Current. Only the Static row is accessible from this page. The Current row is updated either dynamically through GVRP or when the Static row is changed and Apply Changes is clicked.
Ports — Displays and assigns VLAN membership to ports. To assign membership, click in Static for a specific port. Each click toggles between U, T, and blank. See the following table for definitions.
•
LAGs — Displays and assigns VLAN membership to LAGs. To assign membership, click in Static for a specific LAG. Each click toggles between U, T, and blank. See the following table for definitions.
In the VLAN Port Membership Table, assign a value by clicking in the Static row for a specific Port/LAG. Each click toggles between U, T, and blank (not a member).
In the VLAN Port Membership Table, change a Port or LAG value by clicking in the Static row for that Port/LAG. Each click toggles between U, T, and blank (not a member).
The Double VLAN Global Configuration page contains the following fields:
•
EtherType — The two-byte hex Ethertype to be used as the first 16 bits of the Double VLAN tag:
–
802.1Q — Commonly used tag representing 0x8100. This value is supported by several network equipment manufacturers. If a double-tagged frame with the first Ethertype value set to 802.1Q is forwarded to hardware which does not support Double VLAN (or the corresponding configuration is not set), it will be misinterpreted as a regular, single-tagged frame.
–
vMAN — Commonly used tag representing 0x88A8, defined for the Virtual Metropolitan Area Network. This value is often used to indicate double-tagged frames. If a double-tagged frame with an Ethertype value set to vMAN is forwarded to hardware without Double VLAN support (or when Double VLAN is not configured), it will be dropped due to unknown Ethertype. This outcome may be more efficient, and cause less harm than when the 802.1Q Ethertype value is used for double-tagged frames. When presented with a double-tagged frame with an 802.1Q Ethertype value, the switch that does not support double-tagging may attempt to process the double-tagged frame with the incorrect assumption that frame contains only a single VLAN tag.
–
Custom — Use this to specify that double-tagged frames will use a custom Ethertype. A custom Ethertype may be used to make the switch interoperable with specific or non-standard equipment that does not support the 802.1Q or vMAN Ethertype values in double-tagged frames. For more information, refer to the list of registered Ethertype values for common protocols.
•
Custom Type — If Custom is selected in the Ethertype field, enter a custom Ethertype value in any range from 0 to 65535.
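The 802.1Q and vMAN entries above describe in prose what happens when a double-tagged frame reaches equipment that does not understand the outer tag. The following is an added example, not code from the switch: it builds double-tagged Ethernet frames with `struct` and parses them as a receiver would, once with Double VLAN support and once without, so the two outcomes the page names (misread as single-tagged versus dropped as unknown Ethertype) can be seen on bytes. The MAC addresses, VLAN IDs, the payload stub and the custom TPID 0x9100 are constructed for illustration.

```python
"""Added example: outer-tag Ethertype versus receiver capability (QinQ parsing)."""
import struct

ETH_8021Q = 0x8100
ETH_VMAN = 0x88A8           # page: "vMAN", 0x88A8
ETH_IPV4 = 0x0800
KNOWN_PAYLOAD = {0x0800, 0x0806, 0x86DD}   # IPv4, ARP, IPv6


def build_frame(dst: str, src: str, tags, ethertype: int, payload: bytes) -> bytes:
    """tags: list of (tpid, pcp, vid), outermost first."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for tpid, pcp, vid in tags:
        tci = (pcp << 13) | (vid & 0x0FFF)          # PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", tpid, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes, tpids, max_tags: int):
    """Consume up to max_tags VLAN tags whose TPID the receiver recognises.
    Returns (list of VIDs, the first Ethertype that was not consumed)."""
    off, vlans = 12, []
    et = struct.unpack_from("!H", frame, off)[0]
    while et in tpids and len(vlans) < max_tags:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vlans.append(tci & 0x0FFF)
        off += 4
        et = struct.unpack_from("!H", frame, off)[0]
    return vlans, et


def receive(frame: bytes, supports_double_vlan: bool, double_vlan_tpid: int = ETH_VMAN) -> dict:
    """Model of a receiving switch: either Double VLAN capable (configured with
    double_vlan_tpid as the outer Ethertype) or a plain single-tag switch."""
    tpids = {ETH_8021Q, double_vlan_tpid} if supports_double_vlan else {ETH_8021Q}
    max_tags = 2 if supports_double_vlan else 1
    vlans, et = parse_tags(frame, tpids, max_tags)
    if not vlans and et not in KNOWN_PAYLOAD:
        # Outer Ethertype is neither a tag this device knows nor a payload type.
        return {"verdict": "dropped", "reason": f"unknown Ethertype 0x{et:04x}", "vlans": vlans}
    if et in (ETH_8021Q, ETH_VMAN):
        # One tag was consumed but another tag remains: the device forwards on the
        # outer VID and treats the inner tag as payload (the page's 802.1Q case).
        return {"verdict": "misinterpreted", "reason": "inner tag treated as payload", "vlans": vlans}
    return {"verdict": "forwarded", "reason": "all tags understood", "vlans": vlans}


# Constructed sample frames: outer (service) VLAN 100, inner (customer) VLAN 10.
SAMPLE_PAYLOAD = b"\x45\x00" + b"\x00" * 18       # stub of an IPv4 header
DST, SRC = "01:00:5e:00:00:01", "00:11:22:33:44:55"
SAMPLE_VMAN = build_frame(DST, SRC, [(ETH_VMAN, 0, 100), (ETH_8021Q, 5, 10)], ETH_IPV4, SAMPLE_PAYLOAD)
SAMPLE_8021Q = build_frame(DST, SRC, [(ETH_8021Q, 0, 100), (ETH_8021Q, 5, 10)], ETH_IPV4, SAMPLE_PAYLOAD)
SAMPLE_CUSTOM = build_frame(DST, SRC, [(0x9100, 0, 100), (ETH_8021Q, 5, 10)], ETH_IPV4, SAMPLE_PAYLOAD)
```

The vMAN frame is forwarded with both VIDs by a Double VLAN switch and dropped by a single-tag switch; the 0x8100/0x8100 frame is silently placed in VLAN 100 by the single-tag switch, which is the harmful case the page warns about. A custom TPID only works when both ends are configured with the same value: a Double VLAN switch left at the default vMAN setting drops the 0x9100 frame.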
Use the Double VLAN Interface Configuration page to enable or disable Double VLAN mode on a physical port or LAG.
To access the Double VLAN Interface Configuration page, click Switching→VLAN→Double VLAN Interface Configuration from the navigation tree.
The VLAN Port Settings page contains the following fields:
•
Ports — Specifies the Unit and Port included in the VLAN.
•
Port VLAN Mode — Indicates the port mode. Possible values are:
–
General — The port belongs to VLANs, and each VLAN is user-defined as tagged or untagged (full 802.1Q mode).
–
Access — The port belongs to a single untagged VLAN. When a port is in Access mode, the accepted frame type cannot be configured, and ingress filtering cannot be enabled or disabled on the port.
–
Trunk — The port belongs to more than one VLAN, and all ports are tagged (except for an optional single native VLAN).
•
PVID (1–4093) | 4095 — Assigns a VLAN ID to untagged packets. Possible values are 1–4093 or 4095.
•
Frame Type — Specifies frame type accepted on the port. Default is Admit All. Possible values are:
–
Admit Tag Only — Indicates that only tagged frames are accepted on the port.
–
Admit All — Indicates that both tagged and untagged frames are accepted on the port.
•
Ingress Filtering — Enables or disables Ingress filtering on the port. Ingress filtering discards frames where the VLAN tag does not match the port VLAN membership.
NOTE: If an Access port is chosen, the accepted frame type cannot be configured, and ingress filtering cannot be enabled or disabled on the port.
3. Use the Unit drop-down menu to view the VLAN Port Table for other units in the stack, if they exist.
Admit All — Tagged and untagged packets are both accepted by the LAG.
•
Ingress Filtering — Enables or disables Ingress filtering by the LAG. Ingress filtering discards packets where the VLAN tag does not match the LAG VLAN membership.
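The VLAN Port Settings fields (Port VLAN Mode, PVID, Frame Type, Ingress Filtering) and the U/T/F membership marks on the VLAN Membership page together decide what a port admits and how it tags what it sends. The following is an added example, not the switch's own code, that implements those decisions as functions so the effect of each setting can be checked on constructed frames; the port names, VLAN numbers and memberships are made up for the illustration.

```python
"""Added example: VLAN ingress classification and egress tagging from port settings."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class VlanPort:
    name: str
    mode: str = "General"              # General | Access | Trunk
    pvid: int = 1                      # VLAN assigned to untagged frames
    frame_type: str = "Admit All"      # Admit All | Admit Tag Only
    ingress_filtering: bool = True
    membership: dict = field(default_factory=dict)   # vid -> "U" | "T" | "F"


def validate(port: VlanPort) -> list:
    """Check the mode rules the page states; return a list of problems (empty = ok)."""
    problems = []
    untagged = [v for v, m in port.membership.items() if m == "U"]
    tagged = [v for v, m in port.membership.items() if m == "T"]
    if port.mode == "Access" and (len(untagged) != 1 or tagged):
        problems.append("Access port must be in exactly one VLAN, untagged")
    if port.mode == "Access" and untagged and untagged[0] != port.pvid:
        problems.append("Access port PVID must be its untagged VLAN")
    if port.mode == "Trunk" and len(untagged) > 1:
        problems.append("Trunk port may carry at most one untagged (native) VLAN")
    if port.membership.get(port.pvid) == "F":
        problems.append("PVID points at a VLAN the port is forbidden from")
    return problems


def ingress(port: VlanPort, vid: Optional[int]) -> Tuple[bool, Optional[int], str]:
    """Classify one received frame; vid=None means it arrived untagged.
    Returns (accepted, VLAN the frame is placed in, reason)."""
    if vid is None:
        if port.frame_type == "Admit Tag Only":
            return False, None, "untagged frame rejected by Frame Type"
        vid = port.pvid                        # untagged frames take the PVID
    mark = port.membership.get(vid)
    if mark == "F":
        return False, vid, "VLAN is forbidden on this port"
    if port.ingress_filtering and mark not in ("U", "T"):
        return False, vid, "Ingress Filtering: port is not a member of the VLAN"
    return True, vid, "accepted"


def egress(port: VlanPort, vid: int) -> str:
    """How a frame in VLAN vid leaves this port, from the Static membership mark."""
    mark = port.membership.get(vid)
    if mark == "U":
        return "untagged"
    if mark == "T":
        return "tagged"
    return "not forwarded"          # blank or F: the port is not a member


# Constructed ports. Access ports keep Admit All / filtering on, since the page
# says those two settings cannot be changed in Access mode.
ACCESS = VlanPort("gi1/0/1", mode="Access", pvid=10, membership={10: "U"})
TRUNK = VlanPort("gi1/0/24", mode="Trunk", pvid=99, membership={10: "T", 20: "T", 99: "U"})
TAG_ONLY = VlanPort("gi1/0/23", mode="Trunk", pvid=99, frame_type="Admit Tag Only",
                    membership={10: "T", 20: "T"})
OPEN = VlanPort("gi1/0/5", mode="General", pvid=1, ingress_filtering=False,
                membership={1: "U", 40: "F"})
```

The `OPEN` port shows why Ingress Filtering is normally left enabled: with it off, a tagged frame for a VLAN the port is not a member of is still accepted and switched into that VLAN, while the F mark rejects the VLAN regardless of the filtering setting.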
Use the Bind MAC to VLAN page to map a MAC entry to the VLAN table. After the source MAC address and the VLAN ID are specified, the MAC to VLAN configurations are shared across all ports of the switch. The MAC to VLAN table supports up to 128 entries.
To display the Bind MAC to VLAN page, click Switching→VLAN→Bind MAC to VLAN in the tree view.
The Protocol Group page contains the following fields:
•
Protocol Group — Displays the name associated with the protocol group ID (up to 16 characters). Create a new group by clicking the Add button.
•
Protocol — Specifies protocols (in hexadecimal format in the range 0x0600 to 0xffff) associated with this group. Enter up to 16 protocols as a comma-separated list.
Interface — Selects the interface(s) to add or remove from this group. Highlight the interfaces to be in the protocol group and click the right arrow. Interfaces displayed in right-hand column are part of the protocol group.
•
Remove Protocol Group — Removes the protocol group displayed on screen when checked and Apply Changes is clicked. To remove multiple groups at the same time, click Show All and use the Remove check boxes on the Protocol Group Table.
The Voice VLAN feature enables switch ports to carry voice traffic with defined priority. The priority level enables the separation of voice and data traffic coming onto the port. A primary benefit of using Voice VLAN is to ensure that the sound quality of an IP phone is safeguarded from deteriorating when the data traffic on the port is high. The system uses the source MAC address of the traffic traveling through the port to identify the IP phone data flow.
None — Allow the IP phone to use its own configuration to send untagged voice traffic.
–
VLAN ID — Configure VLAN tagging for the voice traffic. The VLAN ID range is 1–4093.
–
dot1p — Configure Voice VLAN 802.1p priority tagging for voice traffic. The priority tag range is 0–7.
–
Untagged — Configure the phone to send untagged voice traffic.
•
DSCP Value — Configures the Voice VLAN DSCP value for the port. The default value is 46.
•
CoS Override Mode — Select the CoS Override mode for the selected interface. The default is disable.
•
Operational State — This is the operational status of the voice VLAN on the given interface.
•
Authentication Mode — Enable or disable 802.1X authentication on the voice VLAN. When voice VLAN authentication is disabled, VoIP devices may use the voice VLAN without authenticating.
NOTE: IEEE 802.1X must be enabled on the switch before you disable voice VLAN authentication. Voice VLAN authentication can be disabled in order to allow VoIP phones that do not support authentication to send and receive unauthenticated traffic on the Voice VLAN.
To display the Link Aggregation menu page, click Switching→Link Aggregation in the tree view. The Link Aggregation page contains links to the following features:
The LAG Membership page contains a table with the following fields:
•
LACP — Aggregates a LAG port to LACP membership. For ports with a number in the LAG row, you can click in the LACP row to toggle LACP "on." Each click toggles between L (LACP) and blank (no LACP).
•
LAG — Adds a port to a LAG, and indicates the specific LAG to which the port belongs. Each click toggles through the LAG numbers, 1–48, and then back to blank (no LAG assigned).
When a packet enters the switch, the destination MAC address is combined with the VLAN ID and a search is performed in the Layer 2 Forwarding database. If no match is found, then the packet is either flooded to all ports in the VLAN or discarded, depending on the switch configuration. If a match is found, then the packet is forwarded only to the ports that are members of that multicast group.
To display the Multicast Support menu page, click Switching→Multicast Support in the tree view. This Multicast Support page contains links to the following features:
Use the Multicast Global Parameters page to enable bridge multicast filtering or IGMP Snooping on the switch. Parameters for these features can be modified from the Bridge Multicast Forward and IGMP Snooping web pages.
To display the Multicast Global Parameters page, click Switching→Multicast Support→Global Parameters in the tree view.
Use the Bridge Multicast Group page to create new multicast service groups or to modify ports and LAGs assigned to existing multicast service groups. Attached interfaces display in the Port and LAG tables, and reflect the manner in which each is joined to the Multicast group.
To display the Bridge Multicast Group page, click Switching→Multicast Support→Bridge Multicast Group in the tree view.
The Bridge Multicast Group page contains the following fields:
•
VLAN ID — Selects the VLAN to add a multicast group to or to modify ports on an existing multicast group.
•
Bridge Multicast Address — Identifies the multicast group MAC address/IP address associated with the selected VLAN ID. Use the Add button to associate a new address with a VLAN ID.
•
Remove — Removes a Bridge Multicast address when checked.
The Bridge Multicast Group tables display which Ports and LAGs are members of the multicast group, and whether they’re static (S), dynamic (D), or forbidden (F). The tables have two rows: Static and Current. Only the Static row is accessible from this page. The Current row is updated when the Static row is changed and Apply Changes is clicked.
The Bridge Multicast Group page contains two editable tables:
•
Unit and Ports — Displays and assigns multicast group membership to ports. To assign membership, click in Static for a specific port. Each click toggles between S, F, and blank. See the following table for definitions.
•
LAGs — Displays and assigns multicast group membership to LAGs. To assign membership, click in Static for a specific LAG. Each click toggles between S, F, and blank. See the following table for definitions.
In the Bridge Multicast Group tables, assign a setting by clicking in the Static row for a specific port/LAG. Each click toggles between S, F, and blank (not a member).
Use the Bridge Multicast Forward page to enable attaching ports or LAGs to a switch that is attached to a neighboring Multicast switch. Once IGMP Snooping is enabled, multicast packets are forwarded to the appropriate port or VLAN.
To display the Bridge Multicast Forward page, click Switching→Multicast Support→Bridge Multicast Forward in the tree view.
Forwarding Mode — Specifies the multicast forwarding mode for the selected VLAN. Possible values are:
–
Forward Unregistered — Permits the forwarding of IPv4 multicast packets with a destination address that does not match any of the groups announced in earlier IGMP Membership Reports.
–
Forward All — Permits registered and unregistered multicast packets to forward.
–
Filter Unregistered — Prohibits the forwarding of IPv4 multicast packets with a destination address that does not match any of the groups announced in earlier IGMP Membership Reports.
Internet Group Management Protocol (IGMP) Snooping is a feature that allows a switch to forward multicast traffic intelligently on the switch. Multicast IP traffic is traffic that is destined to a host group. Host groups are identified by class D IP addresses, which range from 224.0.0.0 to 239.255.255.255. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request the multicast traffic. This prevents the switch from broadcasting the traffic to all ports and possibly affecting network performance.
The General IGMP snooping page contains the following fields:
•
Interface — Selects the Unit and Port, LAG, or VLAN to be affected.
•
Auto-Learn — Enables or disables Auto-Learn on the switch.
•
Host Timeout — Specifies time before an IGMP snooping entry is aged out. The default time is 260 seconds.
•
Multicast Router Timeout — Specifies time before aging out a Multicast router entry. The default value is 300 seconds.
•
Leave Timeout — Specifies time, in seconds, after a port leave message is received before the entry is aged out. Enter an amount of time for the timeout period, or click Immediate Leave to specify an immediate timeout. The default timeout is 10 seconds.
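The lookup described earlier (destination MAC combined with VLAN ID, then flood or discard on a miss), the three Forwarding Modes of the Bridge Multicast Forward page and the Host, Multicast Router and Leave timeouts above are all parts of one mechanism. The following is an added example, not the switch's own code, that puts them into a toy forwarding database driven by snooped IGMP reports, queries and leaves, and includes the standard group-to-MAC mapping that explains the MAC Address column of the MFDB tables. "Forward All" is interpreted here as flooding every multicast frame in the VLAN; the VLAN, port numbers and groups are constructed.

```python
"""Added example: IGMP-snooping-driven Layer 2 multicast forwarding database."""
import ipaddress


def ipv4_group_to_mac(group: str) -> str:
    """MFDB key for an IPv4 group: 01:00:5e + low 23 bits (so 32 groups share a MAC)."""
    b = ipaddress.IPv4Address(group).packed
    return "01:00:5e:%02x:%02x:%02x" % (b[1] & 0x7F, b[2], b[3])


def ipv6_group_to_mac(group: str) -> str:
    """MLD counterpart: 33:33 + low 32 bits of the IPv6 group."""
    b = ipaddress.IPv6Address(group).packed
    return "33:33:%02x:%02x:%02x:%02x" % tuple(b[12:16])


class SnoopingSwitch:
    def __init__(self, vlan_ports, host_timeout=260, mrouter_timeout=300,
                 leave_timeout=10, forwarding_mode="Forward Unregistered"):
        self.vlan_ports = vlan_ports            # vlan -> set of member ports
        self.host_timeout = host_timeout        # page default: 260 s
        self.mrouter_timeout = mrouter_timeout  # page default: 300 s
        self.leave_timeout = leave_timeout      # page default: 10 s
        self.forwarding_mode = forwarding_mode  # Forward Unregistered | Forward All | Filter Unregistered
        self.mfdb = {}      # (vlan, group_mac) -> {port: expiry_time}
        self.mrouters = {}  # vlan -> {port: expiry_time}

    def igmp_report(self, vlan, port, group, now):
        """Membership Report snooped on port: (re)learn the port for the group."""
        key = (vlan, ipv4_group_to_mac(group))
        self.mfdb.setdefault(key, {})[port] = now + self.host_timeout

    def igmp_query(self, vlan, port, now):
        """General Query snooped on port: a multicast router lives behind it."""
        self.mrouters.setdefault(vlan, {})[port] = now + self.mrouter_timeout

    def igmp_leave(self, vlan, port, group, now, immediate=False):
        """Leave Group: drop the port at once (Immediate Leave) or after Leave Timeout."""
        key = (vlan, ipv4_group_to_mac(group))
        if key in self.mfdb and port in self.mfdb[key]:
            self.mfdb[key][port] = now if immediate else now + self.leave_timeout

    def age(self, now):
        """Expire host and router entries whose timers have run out."""
        for key in list(self.mfdb):
            self.mfdb[key] = {p: t for p, t in self.mfdb[key].items() if t > now}
            if not self.mfdb[key]:
                del self.mfdb[key]
        for vlan in list(self.mrouters):
            self.mrouters[vlan] = {p: t for p, t in self.mrouters[vlan].items() if t > now}

    def forward(self, vlan, dst_mac, in_port, now):
        """Egress port set for a multicast frame: the (VLAN, MAC) lookup plus mode."""
        self.age(now)
        routers = set(self.mrouters.get(vlan, {}))
        members = set(self.mfdb.get((vlan, dst_mac), {}))
        everyone = set(self.vlan_ports[vlan])
        if self.forwarding_mode == "Forward All":
            out = everyone                  # flood every multicast frame in the VLAN
        elif members:
            out = members | routers         # registered group: listeners and router ports
        elif self.forwarding_mode == "Forward Unregistered":
            out = everyone                  # unregistered group: flood the VLAN
        else:                               # "Filter Unregistered"
            out = routers                   # unregistered group: router ports only
        return out - {in_port}


def demo():
    """Constructed scenario on VLAN 10 with five ports; returns the egress sets."""
    sw = SnoopingSwitch({10: {1, 2, 3, 4, 5}})
    grp, unknown = ipv4_group_to_mac("239.1.1.1"), ipv4_group_to_mac("239.9.9.9")
    sw.igmp_query(10, 1, now=0)                  # router behind port 1
    sw.igmp_report(10, 2, "239.1.1.1", now=0)    # listener behind port 2
    registered = sw.forward(10, grp, in_port=5, now=1)
    unregistered = sw.forward(10, unknown, in_port=5, now=1)
    sw.forwarding_mode = "Filter Unregistered"
    filtered = sw.forward(10, unknown, in_port=5, now=1)
    sw.igmp_leave(10, 2, "239.1.1.1", now=1, immediate=True)
    after_leave = sw.forward(10, grp, in_port=5, now=2)
    return registered, unregistered, filtered, after_leave
```

Two details matter for a defender reading MFDB output: the 23-bit mapping means 224.128.1.1 and 239.1.1.1 land on different MACs but 224.1.1.1 and 239.1.1.1 do not, so a MAC entry can admit traffic for groups nobody asked for; and under "Forward Unregistered" any group without a snooped report is flooded to the whole VLAN, which "Filter Unregistered" confines to router ports.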
The Global Querier Configuration page contains the following fields:
•
IP Address — Specifies the Snooping Querier IP Address which will be used as the source address in periodic IGMP queries. This address is used when no address is configured for the VLAN on which the query is being sent.
The VLAN Querier page contains the following fields:
•
VLAN ID — Specifies the VLAN for the IGMP Snooping Querier configuration.
•
VLAN Mode — Enables or disables the IGMP Snooping Querier on the VLAN selected in the VLAN ID field.
•
Querier Election Participate Mode — Enables or disables the IGMP participation in election mode by the Snooping Querier. When this mode is disabled, upon seeing another querier of the same version in the VLAN, the Snooping Querier transitions to non-querier state. When this mode is enabled, the Snooping Querier participates in querier election, wherein the lowest IP address wins the querier election and operates as the querier in that VLAN. The other querier transitions to non-querier state.
•
Snooping Querier VLAN Address — Specifies the Snooping Querier address to be used as source address in periodic IGMP queries sent on the specified VLAN.
VLAN Mode — Shows whether the IGMP Snooping Querier is enabled or disabled on the VLAN.
•
Querier Election Participate Mode — Shows whether the mode is enabled or disabled. When this mode is disabled, upon seeing another querier of the same version in the VLAN, the Snooping Querier transitions to non-querier state. When this mode is enabled, the Snooping Querier participates in querier election, wherein the lowest IP address wins the querier election and operates as the querier in that VLAN. The other querier transitions to non-querier state.
•
Snooping Querier VLAN Address — Identifies the Snooping Querier address to be used as source address in periodic IGMP queries sent on the VLAN.
•
Operational State — Displays the operational state of the IGMP Snooping Querier on the specified VLAN. It can be in any of the following states:
–
Querier — The Snooping switch that is the Querier in the VLAN. The Snooping switch will send out periodic queries with a time interval equal to the configured querier Query Interval. If the Snooping switch sees a better querier in the VLAN, it transitions to non-querier mode.
–
Non-Querier — The Snooping switch is in Non-Querier mode in the VLAN. If the querier Expiry Interval timer expires, the Snooping switch transitions into querier mode.
–
Disabled — The Snooping Querier is not operational on the VLAN. The Snooping Querier transitions to disabled mode when 1) IGMP Snooping is not operational on the VLAN, 2) the querier address is not configured or 3) the network management address is not configured.
•
Operational Version — Displays the operational IGMP protocol version of the querier.
•
Last Querier Address — Displays the IP address of the last querier from which a query was snooped on the VLAN.
•
Last Querier Version — Displays the IGMP protocol version of the last querier from which a query was snooped on the VLAN.
•
Operational Max Response Time — Displays the maximum response time to be used in the queries that are sent by the Snooping Querier.
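The VLAN Querier fields above (and the identical MLD Snooping VLAN Querier fields later on this page) describe a small state machine: Querier, Non-Querier and Disabled, with the Participate Mode deciding whether a competing querier is compared by address or always wins. The following is an added example, not the switch's firmware, that implements that machine once for both IGMP and MLD using `ipaddress` for the "lowest IP address wins" comparison. The addresses, versions and the expiry interval value are constructed; the page names the Expiry Interval timer but not its length.

```python
"""Added example: IGMP/MLD Snooping Querier election and operational state."""
import ipaddress


class SnoopingQuerier:
    def __init__(self, vlan, address, participate, version=2,
                 query_interval=125, expiry_interval=255):
        self.vlan = vlan
        self.address = address            # Snooping Querier VLAN Address; None = not configured
        self.participate = participate    # Querier Election Participate Mode
        self.version = version            # IGMPv2 / MLDv1 by default (constructed)
        self.query_interval = query_interval     # seconds between our General Queries
        self.expiry_interval = expiry_interval   # assumption: value not given on the page
        self.last_querier_address = None
        self.last_querier_version = None
        self.expiry_at = None
        # Page: the querier is Disabled while no querier address is configured.
        self.state = "Disabled" if address is None else "Querier"

    def receive_query(self, src, version, now):
        """A General Query from another querier was snooped on this VLAN."""
        self.last_querier_address, self.last_querier_version = src, version
        if self.state == "Disabled" or version != self.version:
            return self.state             # only a querier of the same version counts
        if not self.participate:
            self._become_non_querier(now)  # participation off: any other querier wins
        elif ipaddress.ip_address(src) < ipaddress.ip_address(self.address):
            self._become_non_querier(now)  # election: the lower address wins
        return self.state

    def _become_non_querier(self, now):
        self.state = "Non-Querier"
        self.expiry_at = now + self.expiry_interval

    def tick(self, now):
        """Clock advance: a Non-Querier whose Expiry Interval ran out resumes querying."""
        if self.state == "Non-Querier" and now >= self.expiry_at:
            self.state, self.expiry_at = "Querier", None
        return self.state


def demo():
    """Constructed sequence of snooped queries; returns the state after each step."""
    q = SnoopingQuerier(vlan=10, address="10.0.0.5", participate=True)
    s1 = q.receive_query("10.0.0.9", 2, now=0)     # higher address: we stay Querier
    s2 = q.receive_query("10.0.0.2", 2, now=10)    # lower address: we step down
    s3 = q.tick(10 + q.expiry_interval)            # it went quiet: we take over again
    s4 = q.receive_query("10.0.0.2", 3, now=300)   # different version: ignored
    passive = SnoopingQuerier(10, "10.0.0.5", participate=False)
    s5 = passive.receive_query("10.0.0.9", 2, now=0)   # participation off: steps down
    mld = SnoopingQuerier(20, "fe80::5", participate=True, version=1)
    s6 = mld.receive_query("fe80::2", 1, now=0)        # same logic over IPv6 for MLD
    return s1, s2, s3, s4, s5, s6
```

With Participate Mode disabled the switch yields to any same-version querier it sees, so on a segment where hosts are untrusted the Last Querier Address and Last Querier Version fields are the place to look when the switch unexpectedly reports Non-Querier.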
The MFDB IGMP Snooping Table page contains the following fields:
•
VLAN — Displays the VLAN ID associated with an IGMP group entry in the MFDB table.
•
MAC Address — Displays the MAC Address associated with an IGMP group entry in the MFDB table.
•
Type — Displays the type of the entry. Static entries are those that are configured by the user. Dynamic entries are added to the table as a result of a learning process or protocol.
•
Description — The text description of this multicast table entry. Possible values are Management Configured, Network Configured and Network Assisted.
•
Ports — The list of interfaces designated for forwarding (Fwd:) for a corresponding MFDB entry.
The Forbidden Ports section of the page contains the following fields:
•
VLAN — Displays the VLAN ID associated with an IGMP group entry in the MFDB table.
•
MAC Address — Displays the MAC Address associated with an IGMP group entry in the MFDB table.
•
Ports — The list of interfaces that are designated for filtering (Flt:) for a corresponding MFDB entry.
In IPv4, Layer 2 switches can use IGMP snooping to limit the flooding of multicast traffic by dynamically configuring Layer-2 interfaces so that multicast traffic is forwarded to only those interfaces associated with an IP multicast address. In IPv6, MLD snooping performs a similar function. With MLD snooping, IPv6 multicast data is selectively forwarded to a list of ports that want to receive the data instead of being flooded to all ports in a VLAN. This list is constructed by snooping IPv6 multicast control packets.
MLD is a protocol used by IPv6 multicast routers to discover the presence of multicast listeners (nodes wishing to receive IPv6 multicast packets) on its directly-attached links and to discover which multicast packets are of interest to neighboring nodes. MLD is derived from IGMP; MLD version 1 (MLDv1) is equivalent to IGMPv2, and MLD version 2 (MLDv2) is equivalent to IGMPv3. MLD is a subprotocol of Internet Control Message Protocol version 6 (ICMPv6), and MLD messages are a subset of ICMPv6 messages.
The MLD Snooping Global Querier Configuration page contains the following fields:
•
IP Address — Specifies the Snooping Querier IPv6 Address which will be used as the source address in periodic MLD queries. This address is used when no address is configured for the VLAN on which the query is being sent.
The MLD Snooping VLAN Querier page contains the following fields:
•
VLAN ID — Specifies the VLAN for the MLD Snooping Querier configuration.
•
VLAN Mode — Enables or disables the MLD Snooping Querier on the VLAN selected in the VLAN ID field.
•
Querier Election Participate Mode — Enables or disables the MLD participation in election mode by the Snooping Querier. When this mode is disabled, upon seeing another querier of the same version in the VLAN, the Snooping Querier transitions to non-querier state. When this mode is enabled, the Snooping Querier participates in querier election, wherein the lowest IP address wins the querier election and operates as the querier in that VLAN. The other querier transitions to non-querier state.
•
Snooping Querier VLAN Address — Specifies the Snooping Querier address to be used as source address in periodic MLD queries sent on the specified VLAN.
VLAN Mode — Shows whether the MLD Snooping Querier is enabled or disabled on the VLAN.
•
Querier Election Participate Mode — Shows whether the mode is enabled or disabled. When this mode is disabled, upon seeing another querier of the same version in the VLAN, the Snooping Querier transitions to non-querier state. When this mode is enabled, the Snooping Querier participates in querier election, wherein the lowest IP address wins the querier election and operates as the querier in that VLAN. The other querier transitions to non-querier state.
•
Snooping Querier VLAN Address — Identifies the Snooping Querier address to be used as source address in periodic MLD queries sent on the VLAN.
•
Operational State — Displays the operational state of the MLD Snooping Querier on the specified VLAN. It can be in any of the following states:
–
Querier — The Snooping switch is the querier in the VLAN. It sends periodic queries at the configured querier Query Interval. If it sees a better querier in the VLAN, it transitions to non-querier mode.
–
Non-Querier — The Snooping switch is in non-querier mode in the VLAN. If the querier Expiry Interval timer expires, the Snooping switch transitions back into querier mode.
–
Disabled — The Snooping Querier is not operational on the VLAN. The Snooping Querier transitions to disabled mode when 1) MLD Snooping is not operational on the VLAN, 2) the querier address is not configured or 3) the network management address is not configured.
•
Operational Version — Displays the operational MLD protocol version of the querier.
•
Last Querier Address — Displays the IPv6 address of the last querier from which a query was snooped on the VLAN.
•
Last Querier Version — Displays the MLD protocol version of the last querier from which a query was snooped on the VLAN.
•
Operational Max Response Time — Displays the maximum response time to be used in the queries that are sent by the Snooping Querier.
The MFDB MLD Snooping Table page contains the following fields:
•
VLAN — Displays the VLAN ID associated with an MLD group entry in the MFDB table.
•
MAC Address — Displays the MAC Address associated with an MLD group entry in the MFDB table.
•
Type — Displays the type of entry. Static entries are those that are configured by the user. Dynamic entries are added to the table as a result of a learning process or protocol.
•
Description — The text description of this multicast table entry. Possible values are Management Configured, Network Configured and Network Assisted.
•
Ports — The list of interfaces that are designated for forwarding (Fwd:) for a corresponding MFDB entry.
LLDP is a one-way protocol; there are no request/response sequences. Information is advertised by stations implementing the transmit function, and is received and processed by stations implementing the receive function. The transmit and receive functions can be enabled/disabled separately per port. By default, both transmit and receive are enabled on all ports. The application is responsible for starting each transmit and receive state machine appropriately, based on the configured status and operational state of the port.
The LLDP menu page contains links to the following features:
Use the LLDP Configuration page to specify LLDP parameters. Parameters that affect the entire system as well as those for a specific interface can be specified here.
To display the LLDP Configuration page, click Switching→LLDP→LLDP Configuration in the tree view.
Last Update — Displays the system up time at which a remote data entry was last created, modified, or deleted.
•
Total Inserts — Displays the number of times a complete set of information advertised by a remote switch has been inserted into the table.
•
Total Deletes — Displays the number of times a complete set of information advertised by a remote switch has been deleted from the table.
•
Total Drops — Displays the number of times a complete set of information advertised by a remote switch could not be inserted due to insufficient resources.
•
Total Ageouts — Displays the number of times any remote data entry has been deleted due to TTL (Time-to-Live) expiration.
Interface — Displays the Unit and Port to which the statistics on that line apply.
•
Transmit Total — Displays the total number of LLDP frames transmitted on the indicated port.
•
Receive Total — Displays the total number of valid LLDP frames received on the indicated port.
•
Discards — Displays the number of LLDP frames received on the indicated port and discarded for any reason.
•
Errors — Displays the number of invalid LLDP frames received on the indicated port.
•
Ageouts — Displays the number of times a remote data entry on the indicated port has been deleted due to TTL expiration.
•
TLV Discards — Displays the number of LLDP TLVs (Type, Length, Value sets) received on the indicated port and discarded for any reason by the LLDP agent.
•
TLV Unknowns — Displays the number of LLDP TLVs received on the indicated port for a type not recognized by the LLDP agent.
Use the Unit drop-down menu to view the LLDP Statistics for other units in the stack, if they exist.
Use the Clear Statistics button to reset all LLDP Statistics to zero.
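The per-port receive counters described above (Receive Total, Errors, TLV Unknowns) are easiest to understand by walking the TLVs of an LLDPDU the way an agent does. The following is an added Python example, not code from this guide or from the switch firmware: it encodes and parses the 16-bit TLV header (7-bit type, 9-bit length), enforces the mandatory Chassis ID, Port ID and TTL ordering from IEEE 802.1AB, and counts a reserved type as unknown without discarding the rest of the PDU. The sample LLDPDUs, the MAC, the port name and the system name are constructed for the example; the choice to count a truncated PDU under Errors rather than Discards is an assumption.

```python
import struct

# TLV types defined by IEEE 802.1AB; 127 carries organizationally specific TLVs
# (LLDP-MED uses it). Anything else is reserved, so an agent counts it as unknown.
KNOWN_TLV_TYPES = {0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time To Live",
                   4: "Port Description", 5: "System Name", 6: "System Description",
                   7: "System Capabilities", 8: "Management Address",
                   127: "Organizationally Specific"}


def tlv(tlv_type, value):
    """Encode one TLV: a 16-bit header of 7-bit type and 9-bit length, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(pdu):
    """Walk the TLVs of one LLDPDU. Returns (tlvs, unknown_count) or raises ValueError."""
    tlvs, unknown, offset = [], 0, 0
    while True:
        if offset + 2 > len(pdu):
            raise ValueError("truncated TLV header")
        (hdr,) = struct.unpack_from("!H", pdu, offset)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        offset += 2
        if offset + length > len(pdu):
            raise ValueError("TLV length runs past the end of the PDU")
        value = pdu[offset:offset + length]
        offset += length
        if tlv_type == 0:
            break                        # End of LLDPDU
        if tlv_type not in KNOWN_TLV_TYPES:
            unknown += 1                 # counted, but the rest of the PDU is still used
        tlvs.append((tlv_type, value))
    # 802.1AB makes Chassis ID, Port ID and TTL mandatory and first, in that order.
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("mandatory TLVs missing or out of order")
    return tlvs, unknown


class PortLldpStats:
    """The per-port receive counters an LLDP agent keeps."""

    def __init__(self):
        self.receive_total = self.errors = self.tlv_unknowns = 0

    def receive(self, pdu):
        """Process one received LLDPDU; returns its TLVs, or None if it was invalid."""
        try:
            tlvs, unknown = parse_lldpdu(pdu)
        except ValueError:
            self.errors += 1
            return None
        self.receive_total += 1
        self.tlv_unknowns += unknown
        return tlvs


def receive_all(pdus):
    """Feed several PDUs to one port and return (receive_total, errors, tlv_unknowns)."""
    stats = PortLldpStats()
    for pdu in pdus:
        stats.receive(pdu)
    return (stats.receive_total, stats.errors, stats.tlv_unknowns)


# Constructed LLDPDUs: a valid one carrying a reserved TLV type, and a truncated one.
GOOD_PDU = (tlv(1, b"\x04" + bytes.fromhex("001122334455"))   # Chassis ID, subtype 4 = MAC
            + tlv(2, b"\x05" + b"Gi1/0/1")                    # Port ID, subtype 5 = interface name
            + tlv(3, struct.pack("!H", 120))                  # TTL of 120 seconds
            + tlv(5, b"edge-sw-01")                           # System Name
            + tlv(100, b"\x00\x01")                           # reserved type: counted as unknown
            + tlv(0, b""))                                    # End of LLDPDU
BAD_PDU = GOOD_PDU[:-5]                                       # cut inside the last TLVs
```

Feeding `GOOD_PDU` and `BAD_PDU` to one `PortLldpStats` gives Receive Total 1, Errors 1 and TLV Unknowns 1, which is how a neighbor that advertises a vendor-private type shows up on the statistics page without the whole frame being rejected.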
The IEEE 802.1AB standard, which describes the Link Layer Discovery Protocol (LLDP), formalizes the discovery and capability retrieval of elements in a data network in a LAN/MAN environment. The information exchanged is stored in MIBs and is accessible to a network management system (NMS) through SNMP. This framework is extensible and allows advanced use in areas like VoIP networks.
The LLDP-MED Global Configuration page contains the following fields:
•
Fast Start Repeat Count — Specifies the number of LLDP PDUs that are transmitted when the protocol is enabled. The range is 1 to 10. The default is 4.
•
Device Class — Specifies the local device's MED classification. There are four kinds of devices; three of them are the actual endpoints (Class I Generic [IP Communication Controller etc.], Class II Media [Conference Bridge etc.], Class III Communication [IP Telephone etc.]). The fourth is the Network Connectivity Device, which is typically a LAN switch/router, IEEE 802.1 bridge, IEEE 802.11 wireless access point, and so on.
The LLDP-MED Interface Configuration page contains the following fields:
•
Interface — Specifies the port on which LLDP-MED (802.1AB) is configured. Select All to configure all interfaces on the system with the same LLDP-MED settings.
•
LLDP-MED Mode — Enables or disables Link Layer Discovery Protocol - Media Endpoint Discovery (LLDP-MED) on the selected interface. Enabling MED effectively enables both the transmit and receive functions of LLDP on the port.
•
Config Notification Mode — Specifies the LLDP-MED topology notification mode for the selected interface.
•
Transmit TLVs — Specifies which optional type length values (TLVs) in the LLDP-MED will be transmitted in the LLDP PDUs frames for the selected interface.
–
MED Capabilities — To transmit the capabilities TLV in LLDP frames.
–
Network Policy — To transmit the network policy TLV in LLDP frames.
NOTE: If you configured All ports, the settings you applied will not display after the page updates. Select a specific interface or click Show All to view interface LLDP-MED settings.
The LLDP-MED Local Device Information page contains the following fields:
•
Port — Select the unit and port to display the LLDP local data advertised by the port. The port drop-down list contains only the ports with LLDP-MED enabled.
•
Network Policies Information — If a network policy TLV is present in the LLDP frames, the following information displays:
–
Network Application — Specifies the type of media application the local device advertises in the policy. A port may receive one or more types, which include the following:
The LLDP-MED Remote Device Information page contains the following fields:
•
Local Interface — Specifies the list of all the ports on which LLDP-MED is enabled.
•
Capability Information — Specifies the supported and enabled capabilities that were received in the MED TLV on this port.
–
Supported Capabilities — Specifies the supported capabilities that were received in the MED TLV on this port.
–
Enabled Capabilities — Specifies the enabled capabilities that were received in the MED TLV on this port.
–
Device Class — Specifies device class as advertised by the device remotely connected to the port.
•
Network Policy Information —If a network policy TLV is received in the LLDP frames on this port, the following information displays:
–
Network Application — Specifies the type of media application that the local device advertises in the policy. A port may receive one or more application types, which include the following types:
The link dependency feature provides the ability to enable or disable one or more ports based on the link state of one or more different ports. With link dependency enabled on a port, the link state of that port is dependent on the link state of another port. For example, if port A is dependent on port B and the switch detects a link loss on port B, the switch automatically brings down the link on port A. When the link is restored to port B, the switch automatically restores the link to port A.
Use the Link Dependency Summary page to view all link dependencies on the system and to access the Link Dependency Configuration page. You can create a maximum of 16 dependency groups. The page displays the groups whether they have been configured or not.
To display the Link Dependency Summary page, click Switching→Link Dependency→Link Dependency Summary in the tree view.
To add a port to the Member Ports column, click the port in the Available Ports column, and then click the << button to the left of the Available Ports column. Ctrl + click to select multiple ports.
4.
To add a port to the Ports Depended On column, click the port in the Available Ports column, and then click the >> button to the right of the Available Ports column.
The Dynamic ARP Inspection Global Configuration page contains the following fields:
•
Validate Source MAC — Select the DAI Source MAC Validation Mode for the switch. If you select Enable, the sender MAC address in the body of each ARP packet is checked against the source MAC address in the Ethernet header. The default is Disable.
•
Validate Destination MAC — Select the DAI Destination MAC Validation Mode for the switch. If you select Enable, the target MAC address in the body of each ARP reply is checked against the destination MAC address in the Ethernet header. The default is Disable.
•
Validate IP — Select the DAI IP Validation Mode for the switch. If you select Enable, the sender IP address (and, for ARP replies, the target IP address) in each ARP packet is checked for invalid values. The default is Disable.
The Dynamic ARP Inspection Interface Configuration page contains the following fields:
•
Port— Select the port or LAG for which data is to be displayed or configured.
•
Trust State — Indicates whether the interface is trusted for Dynamic ARP Inspection. If you select Enable, the interface is trusted and ARP packets arriving on it are forwarded without inspection. If you select Disable, the interface is untrusted and ARP packets arriving on it are subjected to ARP inspection. The default is Disable.
•
Rate Limit — Specifies the rate limit for Dynamic ARP Inspection on this interface. If the incoming ARP rate exceeds the Rate Limit for Burst Interval consecutive seconds, ARP packets are dropped. Select the corresponding check box to set No Limit. The default is 15 packets per second (pps).
•
Burst Interval — Specify the burst interval for rate limiting on this interface. If the Rate Limit is None, then Burst Interval has no meaning and shows as N/A (Not Applicable). The default is 1 second.
The Dynamic ARP Inspection VLAN Configuration page contains the following fields:
•
VLAN ID — Select the VLAN ID for which information is to be displayed or configured.
•
Dynamic ARP Inspection — Select whether Dynamic ARP Inspection is Enabled or Disabled on this VLAN. The default is Disable.
•
Logging Invalid Packets — Select whether Dynamic ARP Inspection logging is Enabled or Disabled on this VLAN. The default is Disable.
•
ARP ACL Name — The name of the ARP Access List. A VLAN can be configured to use this ARP ACL containing rules as the filter for ARP packet validation. The name can contain 1-31 alphanumeric characters.
•
Static Flag — Determines whether an ARP packet that matches no ARP ACL rule is checked against the DHCP snooping bindings. If Enabled, ARP packets are validated against the ARP ACL rules only, and a packet with no matching rule is dropped. If Disabled, a packet with no matching rule is further validated against the DHCP snooping binding entries. The default is Disable.
The Dynamic ARP Inspection Statistics page contains the following fields:
•
VLAN ID — Select the DAI-enabled VLAN ID for which to display statistics.
•
DHCP Drops — The number of ARP packets that were dropped by DAI because there was no matching DHCP snooping binding entry found.
•
ACL Drops — The number of ARP packets that were dropped by DAI because there was no matching ARP ACL rule found for this VLAN and the static flag is set on this VLAN.
•
DHCP Permits — The number of ARP packets that were forwarded by DAI because there was a matching DHCP snooping binding entry found.
•
ACL Permits — The number of ARP packets that were permitted by DAI because there was a matching ARP ACL rule found for this VLAN.
•
Bad Source MAC — The number of ARP packets that were dropped by DAI because the sender MAC address in the ARP packet did not match the source MAC in the Ethernet header.
•
Bad Dest MAC — The number of ARP packets that were dropped by DAI because the target MAC address in the ARP reply packet did not match the destination MAC in the Ethernet header.
•
Invalid IP — The number of ARP packets dropped by DAI because the sender IP address in the ARP packet or target IP address in the ARP reply packet is not valid. Invalid addresses include 0.0.0.0, 255.255.255.255, IP multicast addresses, class E addresses (240.0.0.0/4), and loopback addresses (127.0.0.0/8).
•
Forwarded — The number of valid ARP packets forwarded by DAI.
•
Dropped — The number of invalid ARP packets dropped by DAI.
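The checks described on the DAI pages above, applied to constructed ARP frames, as an added Python example; this is not Dell switch code and not from this guide. It parses the Ethernet and ARP headers, runs the source MAC, destination MAC and IP validations, consults an ARP ACL with and without the static flag, and falls back to the DHCP snooping bindings, keeping the counters the statistics page reports. The order in which the checks run, the ACL as a map from sender IP to permitted sender MAC, the bindings as an IP-to-MAC map for a single VLAN, and all MACs, addresses and port names are assumptions made for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_LAYOUT = "!HHBBH6s4s6s4s"   # htype ptype hlen plen oper sha spa tha tpa
IP = ipaddress.IPv4Address

def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Assemble an Ethernet/ARP frame (used here only to construct sample input)."""
    return struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP) + struct.pack(
        ARP_LAYOUT, 1, 0x0800, 6, 4, oper, sha, IP(spa).packed, tha, IP(tpa).packed)

def parse_arp(frame):
    """Return (eth_dst, eth_src, oper, sha, spa, tha, tpa) from a raw frame."""
    eth_dst, eth_src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack_from(ARP_LAYOUT, frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    return eth_dst, eth_src, oper, sha, IP(spa), tha, IP(tpa)

def ip_is_invalid(ip):
    """The address set the statistics page lists under Invalid IP."""
    return (ip == IP("0.0.0.0") or ip.is_multicast or ip.is_loopback
            or ip in ipaddress.IPv4Network("240.0.0.0/4"))   # class E includes 255.255.255.255

@dataclass
class DaiConfig:
    validate_src_mac: bool = True      # the three global validation modes
    validate_dst_mac: bool = True
    validate_ip: bool = True
    arp_acl: dict = field(default_factory=dict)   # sender IP -> permitted sender MAC (per VLAN)
    static_flag: bool = False          # per VLAN: ACL only, no fallback to bindings

class DaiVlan:
    """DAI for one VLAN: trusted ports bypass, then MAC/IP checks, ACL, then bindings."""
    COUNTERS = ("dhcp_drops", "acl_drops", "dhcp_permits", "acl_permits", "bad_source_mac",
                "bad_dest_mac", "invalid_ip", "forwarded", "dropped")

    def __init__(self, cfg, bindings, trusted_ports):
        self.cfg = cfg
        self.bindings = bindings       # IP -> MAC, as learned by DHCP snooping
        self.trusted = set(trusted_ports)
        self.stats = dict.fromkeys(self.COUNTERS, 0)

    def _drop(self, reason):
        self.stats[reason] += 1
        self.stats["dropped"] += 1
        return "drop:" + reason

    def _forward(self, reason):
        self.stats[reason] += 1
        self.stats["forwarded"] += 1
        return "forward"

    def inspect(self, port, frame):
        if port in self.trusted:
            return "forward"           # trusted: no checks, no counters
        eth_dst, eth_src, oper, sha, spa, tha, tpa = parse_arp(frame)
        if self.cfg.validate_src_mac and sha != eth_src:
            return self._drop("bad_source_mac")
        if self.cfg.validate_dst_mac and oper == ARP_REPLY and tha != eth_dst:
            return self._drop("bad_dest_mac")
        if self.cfg.validate_ip and (ip_is_invalid(spa) or (oper == ARP_REPLY and ip_is_invalid(tpa))):
            return self._drop("invalid_ip")
        if self.cfg.arp_acl:
            if self.cfg.arp_acl.get(spa) == sha:
                return self._forward("acl_permits")
            if self.cfg.static_flag:
                return self._drop("acl_drops")   # static flag: the ACL is the only source of truth
        if self.bindings.get(spa) == sha:
            return self._forward("dhcp_permits")
        return self._drop("dhcp_drops")

# Constructed sample traffic: a DHCP host, a statically addressed printer covered by an
# ARP ACL, and forged frames of the kinds the counters above distinguish.
HOST, PRINTER = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
BCAST, ZERO = b"\xff" * 6, b"\x00" * 6

def demo():
    cfg = DaiConfig(arp_acl={IP("10.0.0.20"): PRINTER})
    dai = DaiVlan(cfg, bindings={IP("10.0.0.10"): HOST}, trusted_ports={"Gi1/0/24"})
    verdicts = [
        dai.inspect("Gi1/0/1", build_arp(BCAST, HOST, ARP_REQUEST, HOST, "10.0.0.10", ZERO, "10.0.0.1")),
        dai.inspect("Gi1/0/1", build_arp(BCAST, HOST, ARP_REQUEST, HOST, "10.0.0.1", ZERO, "10.0.0.10")),     # claims the gateway's IP
        dai.inspect("Gi1/0/1", build_arp(BCAST, HOST, ARP_REQUEST, PRINTER, "10.0.0.10", ZERO, "10.0.0.1")),  # sender MAC != frame source
        dai.inspect("Gi1/0/2", build_arp(BCAST, PRINTER, ARP_REQUEST, PRINTER, "10.0.0.20", ZERO, "10.0.0.1")),
        dai.inspect("Gi1/0/2", build_arp(HOST, PRINTER, ARP_REPLY, PRINTER, "10.0.0.20", ZERO, "10.0.0.10")),  # target MAC != frame destination
        dai.inspect("Gi1/0/1", build_arp(BCAST, HOST, ARP_REQUEST, HOST, "0.0.0.0", ZERO, "10.0.0.10")),
        dai.inspect("Gi1/0/24", build_arp(BCAST, PRINTER, ARP_REQUEST, HOST, "10.0.0.99", ZERO, "10.0.0.1")),  # trusted uplink
    ]
    return verdicts, dai.stats
```

The second frame is the classic gateway-impersonation case: the host's own MAC and a valid-looking sender IP pass every header check, and only the binding lookup catches that 10.0.0.1 was never leased to that MAC. Turning the static flag on for the same VLAN would instead drop the host's first, legitimate request as an ACL Drop, which is why the flag belongs only on VLANs where every device has an ACL entry.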
DHCP snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP servers to filter harmful DHCP messages and to build a bindings database of MAC address, IP address, VLAN ID, and port tuples that are considered authorized. You can enable DHCP snooping globally, per-interface, and on specific VLANs, and configure ports within the VLAN to be trusted or untrusted. DHCP servers must be reached through trusted ports.
The hardware identifies all incoming DHCP packets on ports where DHCP snooping is enabled. DHCP snooping is enabled on a port if (a) DHCP snooping is enabled globally, and (b) the port is a member of a VLAN where DHCP snooping is enabled. On untrusted ports, the hardware traps all incoming DHCP packets to the CPU. On trusted ports, the hardware forwards client messages and copies server messages to the CPU so that DHCP snooping can learn the binding.
To prevent DHCP packets from being used for a denial-of-service attack when DHCP snooping is enabled, the snooping application enforces a rate limit on DHCP packets received on untrusted interfaces. DHCP snooping monitors the receive rate on each interface separately; if the rate exceeds the configured limit, DHCP snooping shuts the interface down. The port must then be administratively re-enabled from the Switching→Ports→Port Configuration page (or with the no shutdown CLI command) before it carries traffic again. You can configure both the rate and the burst interval.
The DHCP snooping application processes incoming DHCP messages. For DHCPRELEASE and DHCPDECLINE messages, the application compares the receiving interface and VLAN with the client's interface and VLAN in the binding database; if they do not match, the application logs the event and drops the message. For valid client messages, DHCP snooping compares the source MAC address of the frame to the DHCP client hardware address; on a mismatch, DHCP snooping logs and drops the packet. You can disable this check on the DHCP Snooping Interface Configuration page or with the no ip dhcp snooping verify mac-address command. DHCP snooping forwards valid client messages on the trusted member ports of the VLAN. If DHCP relay and/or a DHCP server coexist with DHCP snooping on the switch, the client message is also passed to the DHCP relay and/or DHCP server for further processing.
To access the DHCP Snooping Interface Configuration page, click Switching→DHCP Snooping→Interface Configuration in the navigation tree.
The DHCP Snooping Interface Configuration page contains the following fields:
•
Port — Select the interface for which data is to be displayed or configured.
•
Trust State — If it is enabled, the DHCP snooping application considers the port as trusted. The default is Disable.
•
Logging Invalid Packets — If it is enabled, the DHCP snooping application logs invalid packets on this interface. The default is Disable.
•
Rate Limit — Specifies the rate limit for DHCP snooping on this interface. If the incoming rate of DHCP packets exceeds this value for Burst Interval consecutive seconds, the port is shut down. If this value is None, there is no limit. The default is 15 packets per second (pps). The Rate Limit range is 0 to 300.
•
No Limit — Select to set the Rate Limit to None (stored internally as -1). When the rate limit is -1, the burst interval has no meaning and is therefore disabled.
•
Burst Interval — Specifies the burst interval, in seconds, for rate limiting on this interface. If the rate limit is None, the burst interval has no meaning and displays as "N/A". The default is 1 second. The Burst Interval range is 1 to 15.
DHCP snooping can be configured on switching VLANs and routing VLANs. When a DHCP packet is received on a routing VLAN, the DHCP snooping application applies its filtering rules and updates the bindings database. If a client message passes filtering rules, the message is placed into the software forwarding path, where it may be processed by the DHCP relay agent, the local DHCP server, or forwarded as an IP packet.
Use the DHCP Snooping Persistent Configuration page to configure the persistent location of the DHCP snooping database. This location can be local or remote on a given IP machine. For more information about DHCP bindings and the DHCP Snooping database, see DHCP Snooping Static Bindings Configuration.
To access the DHCP Snooping Persistent Configuration page, click Switching→DHCP Snooping→Persistent Configuration in the navigation tree.
Use the DHCP Snooping Static Bindings Configuration page to add static DHCP bindings to the binding database.
The DHCP snooping application uses DHCP messages to build and maintain the bindings database. The bindings database only includes data for clients on untrusted ports. DHCP snooping creates a tentative binding from DHCP DISCOVER and REQUEST messages. A tentative binding ties a client to a port (the port where the DHCP client message was received). A tentative binding is completed when DHCP snooping learns the client's IP address from a DHCP ACK message on a trusted port. DHCP snooping removes bindings in response to DECLINE, RELEASE, and NAK messages. The DHCP snooping application ignores ACK messages that are replies to DHCP INFORM messages received on trusted ports. You can also enter static bindings into the binding database.
The DHCP binding database is persisted on a configured external server or locally in flash, depending on the configuration. A row-wise checksum is placed in the text file that is stored on the configured remote server. On reload, the switch reads the configured binding file to rebuild the DHCP snooping database: when the switch starts and the calculated checksum equals the stored checksum, it reads the entries from the binding file and populates the binding database. A checksum failure or a connection problem to the configured external server causes the switch to lose the bindings; if DAI is enabled, hosts whose bindings were lost have their ARP packets dropped and lose connectivity.
If the absolute lease time of a snooping database entry expires, the entry is removed. Make sure the system time is consistent across reboots; otherwise, snooping entries do not expire properly. If a host sends a DHCP release while the switch is rebooting, then when the switch next receives the client's DHCP discover or request, the client's binding returns to the tentative state, as shown in the following figure.
The DHCP Snooping Statistics page contains the following fields:
•
Interface — Select the untrusted and snooping-enabled interface for which statistics are to be displayed.
•
MAC Verify Failures — The number of DHCP messages that were filtered on an untrusted interface because of source MAC address and client MAC address mismatch.
•
Client Ifc Mismatch — The number of DHCP release and decline messages received on a port other than the one on which the client's binding was learned.
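The binding lifecycle, the two counters above and the rate limit described earlier in this section, modelled in Python as an added example; this is not the switch's implementation and not code from this guide. The model follows the rules the text gives: a tentative binding on DISCOVER or REQUEST from an untrusted port, completion by an ACK seen on a trusted port, removal on RELEASE, DECLINE or NAK, ACKs that answer an INFORM ignored, the source-MAC versus client-hardware-address check, and the interface check on RELEASE/DECLINE. A DHCP message is reduced to the handful of fields the model needs, which is a simplification; the MACs, addresses, port names and the shape of the walkthrough are constructed for the example. The same rate limiter also describes the DAI per-interface limit, except that DAI drops packets where DHCP snooping shuts the port down.

```python
from dataclasses import dataclass
from typing import Optional

DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
SERVER_MSGS = {OFFER, ACK, NAK}

@dataclass
class Dhcp:
    msg_type: int
    chaddr: bytes          # client hardware address from the DHCP header
    eth_src: bytes         # source MAC of the Ethernet frame carrying it
    xid: int = 0
    yiaddr: str = "0.0.0.0"
    lease: int = 0

@dataclass
class Binding:
    mac: bytes
    vlan: int
    port: str                         # port the DISCOVER/REQUEST arrived on
    ip: Optional[str] = None          # None while the binding is tentative
    expires: Optional[float] = None

class DhcpSnooping:
    def __init__(self, trusted_ports, verify_mac=True):
        self.trusted = set(trusted_ports)
        self.verify_mac = verify_mac      # 'ip dhcp snooping verify mac-address'
        self.bindings = {}                # (chaddr, vlan) -> Binding
        self.inform_xids = set()          # ACKs answering these carry no lease
        self.stats = {"mac_verify_failures": 0, "client_ifc_mismatch": 0}

    def receive(self, port, vlan, msg, now=0.0):
        key = (msg.chaddr, vlan)
        if port in self.trusted:
            if msg.msg_type in SERVER_MSGS:
                self._learn_from_server(key, msg, now)
            return "forward"                   # trusted ports are never filtered
        if msg.msg_type in SERVER_MSGS:
            return "drop:server-on-untrusted"  # servers must sit behind trusted ports
        if self.verify_mac and msg.chaddr != msg.eth_src:
            self.stats["mac_verify_failures"] += 1
            return "drop:mac-verify"
        b = self.bindings.get(key)
        if msg.msg_type in (DISCOVER, REQUEST):
            if b is None or b.port != port:    # tentative binding ties the client to this port
                self.bindings[key] = Binding(msg.chaddr, vlan, port)
        elif msg.msg_type in (RELEASE, DECLINE):
            if b is not None and b.port != port:
                self.stats["client_ifc_mismatch"] += 1
                return "drop:ifc-mismatch"     # a RELEASE from another port is forged
            self.bindings.pop(key, None)
        elif msg.msg_type == INFORM:
            self.inform_xids.add(msg.xid)
        return "forward"

    def _learn_from_server(self, key, msg, now):
        b = self.bindings.get(key)
        if msg.msg_type == ACK:
            if msg.xid in self.inform_xids:
                self.inform_xids.discard(msg.xid)   # reply to an INFORM: ignored
            elif b is not None:
                b.ip, b.expires = msg.yiaddr, now + msg.lease   # tentative -> complete
        elif msg.msg_type == NAK:
            self.bindings.pop(key, None)

class RateLimiter:
    """More than limit_pps packets in each of burst_interval consecutive seconds shuts
    the port down until an administrator re-enables it; limit_pps=None is No Limit."""

    def __init__(self, limit_pps=15, burst_interval=1):
        self.limit, self.burst = limit_pps, burst_interval
        self.over_seconds, self.shutdown = 0, False

    def tick(self, packets_this_second):
        """Call once per second; returns False once the port has been shut down."""
        if not self.shutdown and self.limit is not None:
            self.over_seconds = self.over_seconds + 1 if packets_this_second > self.limit else 0
            self.shutdown = self.over_seconds >= self.burst
        return not self.shutdown

    def run(self, counts_per_second):
        return [self.tick(n) for n in counts_per_second]

# Constructed MACs for the walkthrough: the client, the real server, and an attacker.
HOST, SERVER, ROGUE = (bytes.fromhex(h) for h in ("001122334455", "00aabbccddee", "00deadbeef01"))

def demo():
    """One client's lease on an untrusted port plus three attacks; returns what happened."""
    snoop = DhcpSnooping(trusted_ports={"Gi1/0/24"})
    out = {}
    snoop.receive("Gi1/0/1", 10, Dhcp(DISCOVER, HOST, HOST, xid=1))
    out["tentative"] = snoop.bindings[(HOST, 10)].ip is None
    snoop.receive("Gi1/0/1", 10, Dhcp(REQUEST, HOST, HOST, xid=1))
    snoop.receive("Gi1/0/24", 10, Dhcp(ACK, HOST, SERVER, xid=1, yiaddr="10.0.0.10", lease=3600), now=100)
    out["bound"] = (snoop.bindings[(HOST, 10)].ip, snoop.bindings[(HOST, 10)].expires)
    out["rogue_offer"] = snoop.receive("Gi1/0/2", 10, Dhcp(OFFER, HOST, ROGUE, yiaddr="10.0.0.66"))
    out["spoofed_chaddr"] = snoop.receive("Gi1/0/2", 10, Dhcp(DISCOVER, HOST, ROGUE))
    out["forged_release"] = snoop.receive("Gi1/0/2", 10, Dhcp(RELEASE, HOST, HOST))
    snoop.receive("Gi1/0/1", 10, Dhcp(INFORM, HOST, HOST, xid=7))
    snoop.receive("Gi1/0/24", 10, Dhcp(ACK, HOST, SERVER, xid=7), now=200)
    out["after_inform"] = snoop.bindings[(HOST, 10)].ip
    out["real_release"] = snoop.receive("Gi1/0/1", 10, Dhcp(RELEASE, HOST, HOST))
    out["gone"] = (HOST, 10) not in snoop.bindings
    out["stats"] = dict(snoop.stats)
    return out
```

The forged RELEASE is the case worth noticing: it carries the victim's MAC in both the frame and the DHCP header, so MAC verification passes, and only the port recorded in the binding reveals that it did not come from the victim. `RateLimiter(15, 3).run([20, 20, 20, 5])` returns `[True, True, False, False]`: the port goes down on the third consecutive second over the limit and stays down, matching the "administratively re-enable" requirement above.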
When a DHCP client and server are in the same IP subnet, they can communicate directly to exchange IP address requests and replies. However, having a DHCP server on each subnet can be expensive and is often impractical. Alternatively, network infrastructure devices can be used to relay packets between a DHCP client and server on different subnets. Such a device, a Layer 3 relay agent, is generally a router that has IP interfaces on both the client and server subnets and can route between them. In Layer 2 switched networks, however, there may be one or more infrastructure devices (for example, a switch) between the client and the L3 relay agent/DHCP server, and some of the client device information required by the L3 relay agent may not be visible to it. In this case, an L2 relay agent can be used to add the information that the L3 relay agent and DHCP server need to perform their roles in address assignment and configuration.
The DHCP Relay Interface Statistics page contains the following fields:
•
Interface — Select the slot/port to configure this feature on.
•
Untrusted Server Msgs With Option-82 — If the selected interface is configured in untrusted mode, this field shows the number of messages received on the interface from a DHCP server that contained Option 82 data. These messages are dropped.
•
Untrusted Client Msgs With Option-82 — If the selected interface is configured in untrusted mode, this field shows the number of messages received on the interface from a DHCP client that contained Option 82 data. These messages are dropped.
•
Trusted Server Msgs Without Option-82 — If the selected interface is configured in trusted mode, this field shows the number of messages received on the interface from a DHCP server that did not contain Option 82 data. These messages are dropped.
•
Trusted Client Msgs Without Option-82 — If the selected interface is configured in trusted mode, this field shows the number of messages received on the interface from a DHCP client that did not contain Option 82 data. These messages are dropped.
The DHCP Relay VLAN Configuration page contains the following fields:
•
VLAN ID — Select a VLAN ID from the list for configuration. This is an S-VID (as indicated by the service provider) that identifies a VLAN that is authorized to relay DHCP packets through the provider network.
•
DHCP Relay Mode — Enable or disable the selected VLAN for DHCP Relay services. The default is Disable.
•
DHCP Relay Circuit-Id — When enabled, if a client sends a DHCP request to the switch and the client is in a VLAN that corresponds to the selected S-VID, the switch adds the client’s interface number to the Circuit ID sub-option of Option 82 in the DHCP request packet. The default is Disable.
•
DHCP Relay Remote-Id — When a string is entered here, if a client sends a DHCP request to the switch and the client is in a VLAN that corresponds to the selected S-VID, the switch adds the string to the Remote-ID sub-option of Option 82 in the DHCP request packet. The string can be 0 to 128 alphanumeric characters. The default is an empty string.
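The Option 82 handling described on the DHCP Relay pages, as an added Python example; this is not the switch's code and not from this guide. It decodes the DHCP options field of a constructed DHCPDISCOVER, applies the four trusted/untrusted drop rules that the interface statistics count, inserts the Circuit-ID (sub-option 1) and Remote-ID (sub-option 2) for a client on an untrusted port when the VLAN is enabled for relay, and strips the option from server replies on the way back to the client as RFC 3046 requires of the relay agent that inserted it. The Circuit-ID encoding (VLAN and port name as text), the dropping of any server message on an untrusted port (the DHCP snooping rule that servers are reached only through trusted ports), and the VLAN numbers, port names and remote-ID string are assumptions made for the example.

```python
OPT_PAD, OPT_MSG_TYPE, OPT_AGENT_INFO, OPT_END = 0, 53, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
SERVER_MSGS = {2, 5, 6}             # DHCPOFFER, DHCPACK, DHCPNAK

def parse_options(data):
    """Decode the DHCP options field into [(code, value), ...], honouring PAD and END."""
    opts, i = [], 0
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts.append((code, data[i + 2:i + 2 + length]))
        i += 2 + length
    return opts

def encode_options(opts):
    return b"".join(bytes([code, len(value)]) + value for code, value in opts) + bytes([OPT_END])

def agent_info(circuit_id=b"", remote_id=b""):
    """Build the Option 82 payload: Circuit-ID sub-option 1, Remote-ID sub-option 2."""
    payload = b""
    if circuit_id:
        payload += bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id:
        payload += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    return payload

class L2Relay:
    def __init__(self, trusted_ports, vlan_cfg):
        self.trusted = set(trusted_ports)
        self.cfg = vlan_cfg     # vlan -> {"relay": bool, "circuit_id": bool, "remote_id": str}
        self.stats = {"untrusted_server_with_82": 0, "untrusted_client_with_82": 0,
                      "trusted_server_without_82": 0, "trusted_client_without_82": 0}

    def relay(self, port, vlan, options):
        """Return the options field to forward, or None if the message is dropped."""
        opts = parse_options(options)
        msg_type = next((v[0] for c, v in opts if c == OPT_MSG_TYPE and v), None)
        if msg_type is None:
            return None                              # no message type: malformed
        side = "server" if msg_type in SERVER_MSGS else "client"
        has_82 = any(c == OPT_AGENT_INFO for c, _ in opts)
        trusted = port in self.trusted
        if not trusted and has_82:
            self.stats["untrusted_%s_with_82" % side] += 1   # nothing below us may tag
            return None
        if trusted and not has_82:
            self.stats["trusted_%s_without_82" % side] += 1  # the trusted side must be tagged
            return None
        if not trusted and side == "server":
            return None                # server replies only arrive on trusted ports (DHCP snooping)
        cfg = self.cfg.get(vlan, {})
        if not cfg.get("relay"):
            return options                           # relay disabled on this VLAN
        if side == "server":
            # Reply heading back to the client: remove the option we inserted (RFC 3046).
            return encode_options([(c, v) for c, v in opts if c != OPT_AGENT_INFO])
        payload = agent_info(
            circuit_id=("%d:%s" % (vlan, port)).encode() if cfg.get("circuit_id") else b"",
            remote_id=cfg.get("remote_id", "").encode())
        return encode_options(opts + [(OPT_AGENT_INFO, payload)]) if payload else options

# Constructed option fields: a DHCPDISCOVER (type 1 plus a parameter list) and a DHCPOFFER.
DISCOVER_OPTS = encode_options([(OPT_MSG_TYPE, b"\x01"), (55, b"\x01\x03")])
OFFER_OPTS = encode_options([(OPT_MSG_TYPE, b"\x02")])

def demo():
    relay = L2Relay({"Gi1/0/24"}, {100: {"relay": True, "circuit_id": True, "remote_id": "site-A"}})
    tagged = relay.relay("Gi1/0/1", 100, DISCOVER_OPTS)               # client on an untrusted port
    return {
        "tagged": parse_options(tagged),
        "client_reinjects_82": relay.relay("Gi1/0/1", 100, tagged),   # client sends its own Option 82
        "server_without_82": relay.relay("Gi1/0/24", 100, OFFER_OPTS),
        "server_with_82": parse_options(relay.relay("Gi1/0/24", 100, encode_options(
            [(OPT_MSG_TYPE, b"\x02"), (OPT_AGENT_INFO, agent_info(b"100:Gi1/0/1"))]))),
        "relay_off": relay.relay("Gi1/0/3", 200, DISCOVER_OPTS) == DISCOVER_OPTS,
        "stats": dict(relay.stats),
    }
```

The "client_reinjects_82" case is the one the Untrusted Client Msgs With Option-82 counter exists for: a host that forges its own Circuit-ID could otherwise make the server believe the request came from a different port, and the relay drops it rather than trust or overwrite it.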