Use the menus listed on the System page to define the switch’s relationship to its environment. To display the System page, click System in the tree view. The System menu page contains links to the following features:
NOTE: The appropriate telnet parameters are set prior to initiating the telnet session. See "Configuring an Initial Telnet Password" for information. If the client has a Microsoft® Windows® environment, the program must be configured for telnet. If the client has a Unix environment, the telnet program must exist in the path.
The fields on the Summer Time Configuration page change when you select or clear the Recurring check box. The Summer Time Configuration page contains the following fields:
•
Recurring — Select the check box to indicate that the configuration is to be repeated every year.
•
Location — This field displays only when the Recurring check box is selected. The summer time configuration is predefined for the United States and European Union. To set the summer time for a location other than the USA or EU, select None.
•
Start Week — Select the starting week number. This field displays only when the Recurring check box is selected.
•
Start Day — Select the starting day number. This field displays only when the Recurring check box is selected.
The device supports the Simple Network Time Protocol (SNTP). SNTP assures accurate network device clock time synchronization up to the millisecond. Time synchronization is performed by a network SNTP server. The device operates only as an SNTP client and cannot provide time services to other systems.
Stratum 0 — A real time clock is used as the time source, for example, a GPS system.
•
Stratum 1 — A server that is directly linked to a Stratum 0 time source is used. Stratum 1 time servers provide primary network time standards.
•
Stratum 2 — The time source is distanced from the Stratum 1 server over a network path. For example, a Stratum 2 server receives the time over a network link, through NTP, from a Stratum 1 server.
Polling for Unicast information is used for polling a server for which the IP address is known. SNTP servers that have been configured on the device are the only ones that are polled for synchronization information. T1 through T4 are used to determine server time. This is the preferred method for synchronizing device time because it is the most secure method. If this method is selected, SNTP information is accepted only from SNTP servers defined on the device using the SNTP Serverspage.
The SNTP Global Settings page contains the following fields:
•
SNTP Client — Use drop-down list to enable or disable the client. If the client is disabled, some of the fields below are also disabled.
•
Poll Interval — Defines the interval (in seconds) at which the SNTP server is polled for Unicast information. The range is 60–1024 seconds.
•
Receive Broadcast Servers Update — If enabled, listens to the SNTP servers for Broadcast server time information on the selected interfaces. The device is synchronized whenever an SNTP packet is received, even if synchronization was not requested.
The SNTP Authentication page lets you enable SNTP authentication between the device and an SNTP server, and to select the desired SNTP server. Use the SNTP Authentication page to enable or disable SNTP authentication, to modify the authentication key for a selected encryption key ID, to designate the selected authentication key as a trusted key, and to remove the selected encryption key ID.
Click System→SNTP→Authentication in the tree view to display the SNTP Authentication page.
The SNTP Servers page contains the following fields:
•
SNTP Server — Selects user-defined SNTP server IP address from a drop-down menu. Up to eight SNTP servers can be defined by using the Add button.
•
Encryption Key ID — Specifies user-defined key ID used to communicate between the SNTP server and device. The encryption key ID is defined in the SNTP Authentication page.
•
Priority (1–8) — Specifies the priority of this server entry in determining the sequence of servers to which SNTP requests are sent. Values are 1 to 8, and the default is 1. Servers with lowest numbers have priority.
•
Status — Displays the operating SNTP server status. The possible field values are:
–
Up — The SNTP server is currently operating normally.
–
Down — Indicates that a SNTP server is currently not available. For example, the SNTP server is currently not connected or is currently down.
–
In progress — The SNTP server is currently sending or receiving SNTP information.
–
Unknown — The progress of the SNTP information currently being sent is unknown. For example, the device is currently looking for an interface.
•
Last Response — Displays the last time a response was received from the SNTP server.
•
Remove SNTP Server— Removes a specified SNTP server from the SNTP Servers list when checked.
The switch may generate messages in response to events, faults, or errors occurring on the platform as well as changes in configuration or other occurrences. These messages are stored both locally on the platform and forwarded to one or more centralized points of collection for monitoring purposes as well as long term archival storage. Local and remote configuration of the logging capability includes filtering of messages logged or forwarded based on severity and generating component.
The in-memory log stores messages in memory based upon the settings for message component and severity. On stackable systems, this log exists only on the top of stack platform. Other platforms in the stack forward their messages to the top of stack log. Access to in-memory logs on other than the top of stack platform is not supported.
The persistent log is stored in persistent storage. Two types of persistent logs may be configured.
•
The first log type is the system startup log. The system startup log stores the first N messages received after system reboot. This log always has the log full operation attribute set to stop on full and can store up to 32 messages.
•
The second log type is the system operation log. The system operation log stores the last N messages received during system operation. This log always has the log full operation attribute set to overwrite. This log can store up to 1000 messages.
The system keeps up to three versions of the persistent logs, named <FILE>0.txt, <FILE>1.txt, and <FILE>2.txt. Upon system startup, <FILE>2.txt is removed, <FILE>1.txt is renamed <FILE>2.txt, <FILE>0.txt is renamed <FILE>1.txt, <FILE>0.txt is created and logging begins into <FILE>0.txt. (Replace <FILE> in the above example to specify olog for the operation log and slog for the startup log.)
Use the Global Settings page to enable logs globally, and to define log parameters. The Severity log messages are listed from the highest severity to the lowest.
To display the Global Settings page, click System→Logs→Global Settings in the tree view.
The Global Settings page contains the following fields:
•
Logging — Enables device global logs for Cache, File, and Server Logs. All logs which are printed to the console are saved to the log files. The possible field values are:
–
Enable — Enables saving logs in Cache (RAM), File (FLASH), and an External Server.
–
Disable — Disables saving logs. It is not possible to disable logging of logs that are printed to console.
Emergency — The highest level warning level. If the device is down or not functioning properly, an emergency log is saved to the device.
•
Alert — The second highest warning level. An alert log is saved if there is a serious device malfunction, such as all device features being down.
•
Critical — The third highest warning level. A critical log is saved if a critical device malfunction occurs, for example, two device ports are not functioning, while the rest of the device ports remain functional.
•
Error — A device error has occurred, such as if a port is offline.
Use the RAM Log Table page to view information about specific RAM (cache) log entries, including the time the log was entered, the log severity, and a description of the log.
To display the RAM Log Table, click System→Logs→RAM Log in the tree view.
Use the Remote Log Server Settings page to view the available log servers, to define new log servers, and to set the severity of the log events sent to the server.
To display the Remote Log Server Settings page, click System→Logs→Remote Log Server.
UDP Port (1–65535) — Sets the UDP port from which the logs are sent. The default value is 514.
•
Facility — A user-defined application from which system logs are sent to the remote server. Only one facility can be assigned to a single server. If a second facility level is assigned, the first facility level is overridden. All applications defined for a device use the same facility on a server. The possible field values are from Local 0 to Local 7.
•
Description — Sets the server description. The maximum length is 64 characters.
•
Severity — Selects the log severity. Selecting a severity level automatically selects all higher severity levels.
•
Remove Log Server — Removes a server from the Log Server list. Checking the check box removes the server from the list. Leaving the box unchecked maintains the server in the list.
The Remote Log Server Settings page also contains a severity list. The severity definitions are the same as the severity definitions on the RAM Log Table page.
Use the IP Addressing page to assign management interface and default gateway IP addresses, negotiate with the Domain Name System, set a Default Domain Name, perform Host Name Mapping, and define ARP and DHCP parameters for the interfaces.
To display the IP Addressing page, click System→IP Addressing in the tree view. Use this page to go to the following features:
The Default Domain Name page contains the following field:
•
Default Domain Name (0–255 characters) — Contains the user-defined default domain name. When configured, the default domain name is applied to all unqualified host names.
Use the ARP Table page to view ARP parameters for IP interfaces. The ARP table displays the correlation between each MAC address and its corresponding IP address.
To display the ARP Table page, click System→IP Addressing→ARP in the tree view.
The PowerConnect 6200 Series switch software includes several enhancements to the IPv6 management feature. You can assign either an IPv4 or IPv6 address to the management interface. In previous software releases, the management port supported IPv6 addresses, but only when the switch received its IPv6 addressing and gateway definitions through auto-configuration when connected to an IPv6 router on the management network. Support for host name mapping to a host with an IPv6 address is also present.
To display the IPv6 Management Interface page, click System→IP Addressing→IPv6 Address Managementin the tree view.
The IPv6 Address Management page contains the following fields:
•
IPv6 Mode —Enables or disables IPv6 mode on the management interface.
•
Network Configuration Protocol — Specify whether to use DHCP for dynamic IPv6 address assignment. If you select None, you can configure a static IPv6 address.
•
IPv6 Stateless Address AutoConfig Mode — Enable or disable IPv6 auto address configuration on the interface. When IPv6 AutoConfig Mode is enabled, automatic IPv6 address configuration and gateway configuration is allowed by processing the Router Advertisements received on the management interface.
•
DHCPv6 Client DUID — This is a read-only field that contains a unique ID generated from the MAC address when the DHCPv6 client is enabled. To get the value for this field, set the network protocol to DHCP.
•
Change IPv6 Gateway — Select this option to allow the IPv6 Gateway field to be edited.
•
IPv6 Gateway — Enter the IPv6 gateway address (do not include a prefix). Use an IPv6 global or link-local address format.
•
Add IPv6 Address — To add an IPv6 address, select Add so you can specify an address in the New IPv6 Address field.
•
New IPv6 Address — If Add is selected from the Add IPv6 Address field, enter an IPv6 prefix/length in this field.
•
EUI Flag — Select True if the last 64 bits are to be derived from the MAC address. For example, you can enter 2001::/64 and have the EUI Flag (True) use the 64-bit address calculated from the MAC address.
Use the Integrated Cable Test for Copper Cables page to perform tests on copper cables. Cable testing provides information about where errors occurred in the cable, the last time a cable test was performed, and the type of cable error which occurred. The tests use Time Domain Reflectometry (TDR) technology to test the quality and characteristics of a copper cable attached to a port. Cables up to 120 meters long can be tested. Cables are tested when the ports are in the down state, with the exception of the Approximated Cable Length test.
To display the Integrated Cable Test for Copper Cables page, click System→Diagnostics→Integrated Cable Test in the tree view.
Loss of Signal — Indicates if a signal loss occurred in the cable.
•
Data Ready — Indicates the transceiver has achieved power up and data is ready.
NOTE: Finisar transceivers do not support the transmitter fault diagnostic testing. Fiber Optic analysis feature works only on SFPs that support the digital diagnostic standard SFF-4872.
Use theAccess Profile page to define a profile and rules for accessing the device. You can limit access to specific management functions, to specific ingress interfaces, and/or to source IP address and/or source IP subnets. The feature has been modified to include TFTP in the list of management access methods.
To display the Access Profile page, click System→Management Security→Access Profiles in the tree view.
When you add a profile or a rule from the Access Profile page, the Management Method field on the Add Profile and Add Rule pages now contains the TFTP option. Select the TFTP option to limit the user’s access method to TFTP.
RemoveProfile — When checked, removes an access profile from the Access Profile list.
NOTE: Assigning an access profile to an interface implies that access through other interfaces is denied. If an access profile is not activated, the device can be accessed by all.
Management Method— Select from the dropdown box. The policy is restricted by the management chosen.
Interface— Choose the check box for the interface if the policy should have a rule based on the interface. Interface can be a physical interface, a LAG, or a VLAN.
Source IPAddress— Select the Source IP Address check box if the policy should have a rule based on the IP address of the client sending the management traffic. Fill in the source IP address and mask details in the fields provided. Note that Mask can be given in two formats: either dotted IP format (for example, 255.255.255.0) or prefix length (for example, 32)
Action— Choose the action to be performed when the rules selected above are matched. Use the dropdown box and choose Permit or Deny to permit or deny access.
Rule Priority— Configure priorities to the rules. The rules are validated against the incoming management request in the ascending order of their priorities. If a rule matches, action is performed and rules below are ignored. For example, if you configure Source IP 10.10.10.10 with priority 1 to Permit, and configure Source IP 10.10.10.10 with priority 2 to Deny, then access is permitted if the profile is active, and the second rule is ignored.
Management Method— Select from the dropdown box. The policy is restricted by the management chosen.
Interface— Choose the check box for the interface if the policy should have a rule based on the interface. Interface can be a physical interface, a LAG, or a VLAN.
Source IP— Select the Source IP Address check box if the policy should have a rule based on the IP address of the client originating the management traffic. Fill in the source IP address and Mask details in the text boxes provided. Note that Mask can be given in two formats - either dotted IP format (for example, 255.255.255.0) or prefix length (for example, 32).
Action— Choose the action to be performed when the rules selected above are matched. Use the dropdown box and choose Permit or Deny to permit or deny access.
Rule Priority— Configure priorities to the rules. The rules are validated against the incoming management request in the ascending order of their priorities. If a rule matches, action is performed and rules below are ignored. For example, if you configure Source IP 10.10.10.10 with priority 1 to Permit, and configure Source IP 10.10.10.10 with priority 2 to Deny, then access is permitted if the profile is active, and the second rule is ignored.
Local — User authentication occurs at the device level; the device checks the user name and password for authentication.
–
RADIUS — User authentication occurs at the RADIUS server. For more information about RADIUS servers, see "RADIUS Global Configuration."
–
TACACS+ — User authentication occurs at the TACACS+ server. For more information about TACACS+ servers, see "TACACS+ Settings."
–
Line — The line password is used for user authentication.
–
Enable — The enable password is used for authentication.
NOTE: User authentication occurs in the order the methods are selected. If an error occurs during the authentication, the next selected method is used. For example, if Local then RADIUS options are selected, the user is authenticated first locally and then through an external RADIUS server.
After authentication profiles are defined, you can apply them to management access methods. For example, console users can be authenticated by Authentication Profile List 1, while Telnet users are authenticated by Authentication Profile List 2.
To display the Select Authentication page, click System→Management Security→Select Authentication in the tree view.
The Select Authentication page contains the following fields:
•
Console — Authentication profiles used to authenticate console users.
•
Telnet — Authentication profiles used to authenticate Telnet users.
•
Secure Telnet (SSH) — Authentication profiles used to authenticate Secure Shell (SSH) users. SSH provides clients secure and encrypted remote connections to a device.
•
Secure HTTP and HTTP — Authentication method used for Secure HTTP access and HTTP access, respectively. Possible field values are:
–
None — No authentication method is used for access.
RADIUS — Authentication occurs at the RADIUS server.
–
TACACS+ — Authentication occurs at the TACACS+ server.
–
Local, None — Authentication first occurs locally.
–
RADIUS, None — Authentication first occurs at the RADIUS server. If authentication cannot be verified, no authentication method is used. Authentication cannot be verified if the remote server cannot be contacted to verify the user. If the remote server can be contacted, then the response from the remote server is always honored.
–
TACACS+, None — Authentication first occurs at the TACACS+ server. If authentication cannot be verified, no authentication method is used. Authentication cannot be verified if the remote server cannot be contacted to verify the user. If the remote server can be contacted, then the response from the remote server is always honored.
–
Local, RADIUS — Authentication first occurs locally. If authentication cannot be verified locally, the RADIUS server authenticates the management method. If the RADIUS server cannot authenticate the management method, the session is blocked.
–
Local, TACACS+ — Authentication first occurs locally. If authentication cannot be verified locally, the TACACS+ server authenticates the management method. If the TACACS+ server cannot authenticate the management method, the session is blocked.
–
RADIUS, Local — Authentication first occurs at the RADIUS server. If authentication cannot be verified at the RADIUS server, the session is authenticated locally. If the session cannot be authenticated locally, the session is blocked.
–
TACACS+, Local — Authentication first occurs at the TACACS+ server. If authentication cannot be verified at the TACACS+ server, the session is authenticated locally. If the session cannot be authenticated locally, the session is blocked.
–
Local, RADIUS, None — Authentication first occurs locally. If authentication cannot be verified locally, the RADIUS server authenticates the management method. If the RADIUS server cannot authenticate the management method, the session is permitted.
–
RADIUS, Local, None — Authentication first occurs at the RADIUS server. If authentication cannot be verified at the RADIUS server, the session is authenticated locally. If the session cannot be authenticated locally, the session is permitted.
–
Local, TACACS+, None — Authentication first occurs locally. If authentication cannot be verified locally, the TACACS+ server authenticates the management method. If the TACACS+ server cannot authenticate the management method, the session is permitted.
–
TACACS+, Local, None — Authentication first occurs at the TACACS+ server. If authentication cannot be verified at the TACACS+ server, the session is authenticated locally. If the session cannot be authenticated locally, the session is permitted.
NOTE: To set the privilege level, use the Service-Type attribute. Do not us any vendor-specific attribute value pairs.
The following example shows an entry in the FreeRADIUS /etc/raddb/users file that allows a user (name: admin) to log onto the switch with read/write privileges, which is equivalent to privilege level 15.
NAS-Prompt-User indicates the user should be provided a command prompt on the NAS, from which nonprivileged commands can be executed.
•
Administrative-User indicates the user should be granted access to the administrative interface to the NAS, from which privileged commands can be executed.
Applying an Authentication Method List to Console Sessions
The Password Management page contains the following fields:
•
Password Minimum Length (8–64) — Indicates the minimum password length, when checked. For example, the administrator can define that all line passwords must have at least 10 characters. If you clear the check box and apply the changes, no minimum password length is required. This means that users can be created without a password.
•
Enable Password Aging (1–365) — Indicates the amount of time that elapses before a password is aged out, when checked. The field value is from 1 to 365 days. The password aging feature functions only if the switch clock is synchronized to an SNTP server. See the "Clock Commands" section in the CLI Reference Guide for additional information.
•
Consecutive Passwords Before Reuse (1–10) — Indicates the amount of times a password is changed, before the password can be reused. The possible field values are 1 to 10.
NOTE: The user is notified to change the password prior to expiry. The Web users do not see this notification.
•
Enable Login Attempts (1–5) — When selected, enables locking a user out of the device when a faulty password is used a defined number of times. For example, if the number of login attempts has been defined as five and the user attempts to log on five times with an incorrect password, the device locks the user out on the sixth attempt. When this happens, a super user must re-enable the user account. The field range is 1 to 5 attempts.
Access Level — User access level. The lowest user access level is 1 (readonly), and 15 (readwrite) is the highest. To suspend a user’s access, set level to 0 (only a level 15 user has this ability).
The Line Password page contains the following fields:
•
Line Mode — Drop-down menu specifies device access through a Console, Telnet, or Secure Telnet (SSH) session.
•
Line Password (8 – 64 characters) — The line password for accessing the device through a console, Telnet, or Secure Telnet session. The password appears in the ***** format.
•
Confirm Password(8 – 64 characters) — Confirms the new line password. The password appears in the ***** format.
The Enable Password page contains the following fields:
•
Enable Password (8–64 characters) — The Enable password for controlling access to normal and privilege levels. The password appears in the ***** format.
•
Confirm Enable Password — Confirms the new Enable password. The password appears in the ***** format.
The device provide Terminal Access Controller Access Control System (TACACS+) client support. TACACS+ provides centralized security for validation of users accessing the device.
Authentication — Provides authentication during login and through user names and user-defined passwords.
•
Authorization — Performed at login. Once the authentication session is completed, an authorization session starts using the authenticated user name. The TACACS+ server checks the user privileges.
Priority (0–65535) — Specifies the order in which the TACACS+ servers are used. The default is 0.
•
Authentication Port (0–65535) — The port number through which the TACACS+ session occurs. The default is port 49.
•
Key String (0–128 Characters) — Defines the authentication and encryption key for TACACS+ communications between the device and the TACACS+ server. This key must match the encryption used on the TACACS+ server. Check Use Default to use the default value.
•
Timeout for Reply (1–30) — The amount of time that passes before the connection between the device and the TACACS+ server times out. The field range is from 1 to 30 seconds. Check Use Default to select the factory-default value.
•
Status — The connection status between the device and the TACACS+ server. The possible field values are:
–
Connected — There is currently a connection between the device and the TACACS+ server.
–
Not Connected — There is not currently a connection between the device and the TACACS+ server.
Key String (0–128 Characters) — Enter the default authentication and encryption key for TACACS+ communication between the device and the TACACS+ server.
•
Timeout for Reply (1–30) — Enter the global user configuration time that passes before the connection between the device and the TACACS+ times out.
The Remote Authorization Dial-In User Service (RADIUS) client on the PowerConnect 6200 Series switch supports multiple, named RADIUS servers. The RADIUS authentication and accounting server groups can contain one or more configured authentication servers that share the same RADIUS server name.
The RADIUS Global Configuration page contains the following fields:
•
Configured Authentication Servers — The number of RADIUS authentication servers configured on the system. The value can range from 0 to 32.
•
Configured Accounting Servers — The number of RADIUS accounting servers configured on the system. The value can range from 0 to 32.
•
Named Authentication Server Groups — The number of authentication server groups configured on the system. An authentication server group contains one or more configured authentication servers that share the same RADIUS server name.
•
Named Accounting Server Groups — The number of accounting server groups configured on the system. An accounting server group contains one or more configured authentication servers that share the same RADIUS server name.
•
Max Number of Retransmits — The value of the maximum number of times a request packet is retransmitted. The valid range is 1-10. Consideration to maximum delay time should be given when configuring RADIUS max retransmit and RADIUS timeout. If multiple RADIUS servers are configured, the max retransmit value on each will be exhausted before the next server is attempted. A retransmit will not occur until the configured timeout value on that server has passed without a response from the RADIUS server. Therefore, the maximum delay in receiving a response from the RADIUS application equals the sum of (retransmit times timeout) for all configured servers. If the RADIUS request was generated by a user login attempt, all user interfaces will be blocked until the RADIUS application returns a response.
•
Timeout Duration — The timeout value, in seconds, for request retransmissions. The valid range is 1 - 30. See the Max Number of Retransmits field description for more information about configuring the timeout duration.
•
Accounting Mode — Use the menu to select whether the RADIUS accounting mode is enabled or disabled on the current server.
•
RADIUS Attribute 4 (NAS-IP Address) — To set the network access server (NAS) IP address for the RADIUS server, select the option and enter the IP address of the NAS in the available field. The address should be unique to the NAS within the scope of the RADIUS server. The NAS IP address is only used in Access-Request packets.
From the RADIUS Server Configuration page, you can add a new RADIUS server, configure settings for a new or existing RADIUS server, and view RADIUS server status information. The RADIUS client on the switch supports up to 32 named authentication and accounting servers.
The RADIUS Server Configuration page contains the following fields:
•
RADIUS Server Host Address — Use the drop-down menu to select the IP address of the RADIUS server to view or configure. Click Add to display the Add RADIUS Server page used to configure additional RADIUS servers.
•
Port — Identifies the authentication port the server uses to verify the RADIUS server authentication. The port is a UDP port, and the valid range is 1-65535. The default port for RADIUS authentication is 1812.
•
Secret — Shared secret text string used for authenticating and encrypting all RADIUS communications between the device and the RADIUS server. This secret must match the RADIUS encryption.
•
Apply — The Secret will only be applied if this box is checked. If the box is not checked, anything entered in the Secret field will have no affect and will not be retained. This field is only displayed if the user has READWRITE access.
•
Primary Server — Sets the selected server to the Primary (Enable) or Secondary (Disable) server. If you configure multiple RADIUS servers with the same RADIUS Server Name, designate one server as the primary and the other(s) as the backup server(s). The switch attempts to use the primary server first, and if the primary server does not respond, the switch attempts to use one of the backup servers with the same RADIUS Server Name.
•
Message Authenticator — Enable or disable the message authenticator attribute for the selected server.
•
Secret Configured — Indicates whether the shared secret for this server has been configured.
•
Status — Indicates whether the selected RADIUS server is currently serving as the active RADIUS server If more than one RADIUS server is configured with the same name, the switch selects one of the servers to be the active server from the group of servers with the same name. The status and can be one of the following:
–
Active — When the switch sends a RADIUS request to the named server, the request is directed to the server selected as the active server. Initially the primary server is selected as the active server. If the primary server fails, one of the other servers becomes the active server. If the primary server is not configured, the active server is the most recently configured RADIUS server.
From the RADIUS Accounting Server Configuration page, you can add a new RADIUS accounting server, configure settings for a new or existing RADIUS accounting server, and view RADIUS accounting server status information. The RADIUS client on the switch supports up to 32 named authentication and accounting servers.
The RADIUS Accounting Server Configuration page contains the following fields:
•
RADIUS Accounting Server Host Address — Use the drop-down menu to select the IP address of the accounting server to view or configure. Click Add to display the Add RADIUS Accounting Server page used to configure additional RADIUS servers.
•
Port — Identifies the authentication port the server uses to verify the RADIUS accounting server authentication. The port is a UDP port, and the valid range is 1-65535. The default port for RADIUS accounting is 1813.
•
Secret — Specifies the shared secret to use with the specified accounting server. This field is only displayed if you are logged into the switch with READWRITE access.
•
Apply — The Secret will only be applied if this box is checked. If the box is not checked, anything entered in the Secret field will have no affect and will not be retained. This field is only displayed if you are logged into the switch with READWRITE access.
•
Secret Configured — Indicates whether the shared secret for this server has been configured.
•
RADIUS Accounting Server Name — Enter the name of the RADIUS accounting server. The name can contain from 1 to 32 alphanumeric characters. Hyphens, and underscores are also permitted.
The RADIUS Accounting Server Statistics page contains the following fields:
•
RADIUS Accounting Server Host Address — Use the drop-down menu to select the IP address of the RADIUS accounting server for which to display statistics.
•
Round Trip Time — Displays the time interval, in hundredths of a second, between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server.
•
Accounting Requests — The number of RADIUS Accounting-Request packets sent to this server. This number does not include retransmissions.
•
Accounting Retransmissions — The number of RADIUS Accounting-Request packets retransmitted to this server.
•
Accounting Responses — Displays the number of RADIUS packets received on the accounting port from this server.
•
Malformed Accounting Responses — Displays the number of malformed RADIUS Accounting-Response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators and unknown types are not included as malformed accounting responses.
•
Bad Authenticators — Displays the number of RADIUS Accounting-Response packets that contained invalid authenticators received from this accounting server.
•
Pending Requests — The number of RADIUS Accounting-Request packets destined for this server that have not yet timed out or received a response.
•
Timeouts — The number of accounting timeouts to this server.
•
Unknown Types — The number of RADIUS packets of unknown type which were received from this server on the accounting port.
•
Packets Dropped — The number of RADIUS packets received from this server on the accounting port and dropped for some other reason.
The RADIUS Server Statistics page contains the following fields:
•
RADIUS Server Host Address — Use the drop-down menu to select the IP address of the RADIUS server for which to display statistics.
•
Round Trip Time — The time interval, in hundredths of a second, between the most recent Access-Reply/Access-Challenge and the Access-Request that matched it from this RADIUS authentication server.
•
Access Requests — The number of RADIUS Access-Request packets sent to this server. This number does not include retransmissions.
•
Access Retransmissions — The number of RADIUS Access-Request packets retransmitted to this server.
•
Access Accepts — The number of RADIUS Access-Accept packets, including both valid and invalid packets, that were received from this server.
•
Access Rejects — The number of RADIUS Access-Reject packets, including both valid and invalid packets, that were received from this server.
•
Access Challenges — The number of RADIUS Access-Challenge packets, including both valid and invalid packets, that were received from this server.
•
Malformed Access Responses — The number of malformed RADIUS Access-Response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators or signature attributes or unknown types are not included as malformed access-responses.
•
Bad Authenticators — The number of RADIUS Access-Response packets containing invalid authenticators or signature attributes received from this server.
•
Pending Requests — The number of RADIUS Access-Request packets destined for this server that have not yet timed out or received a response.
•
Timeouts — The number of authentication timeouts to this server.
•
Unknown Types — The number of RADIUS packets of unknown type which were received from this server on the authentication port.
•
Packets Dropped — The number of RADIUS packets received from this server on the authentication port and dropped for some other reason.
The Telnet Server page contains the following fields:
•
New Telnet Sessions — Controls the administrative mode for inbound telnet sessions. If you set the mode to Block, new telnet sessions are not allowed, but existing sessions are not interrupted. The default value is Allow.
•
Telnet Port Number — Port number on which telnet session can be initiated. This port will be used for new inbound Telnet session on the switch. After you modify the telnet server port, new inbound telnet sessions use the new port and existing telnet sessions are not affected.
The Denial of Service page contains the following fields:
•
Denial of Service SIP=DIP — Enabling SIP=DIP DoS prevention causes the switch to drop packets that have a source IP address equal to the destination IP address.
•
Denial of Service First Fragment — Enabling First Fragment DoS prevention causes the switch to drop packets that have a TCP header smaller than the configured minimum TCP header size (Min TCP Hdr Size).
•
Denial of Service Min TCP Hdr Size — Specify the minimum TCP header size allowed. If First Fragment DoS prevention is enabled, the switch will drop packets that have a TCP header smaller then this configured value.
•
Denial of Service TCP Fragment — Enabling TCP Fragment DoS prevention causes the switch to drop packets that have an IP fragment offset equal to one.
•
Denial of Service TCP Flag — Enabling TCP Flag DoS prevention causes the switch to drop packets that meet any of the following conditions:
Denial of Service L4 Port — Enabling L4 Port DoS prevention causes the switch to drop packets that have the TCP/UDP source port equal to TCP/UDP destination port.
•
Denial of Service ICMP — Enabling ICMP DoS prevention causes the switch to drop ICMP packets that have a type set to ECHO_REQ (ping) and a size greater than the configured ICMP packet size (ICMP Pkt Size).
•
Denial of Service Max ICMP Pkt Size — Specify the maximum ICMP packet size to allow. If ICMP DoS prevention is enabled, the switch will drop ICMP ping packets that have a size greater then this configured value.
The Captive Portal (CP) feature allows you to block clients directly connected to the switch from accessing the network until user verification has been established. You can configure CP verification to allow access for both guest and authenticated users. Authenticated users must be validated against a database of authorized Captive Portal users before access is granted. The database can be stored locally on the switch or on a RADIUS server.
When a port is enabled for Captive Portal, all the traffic coming onto the port from the unauthenticated clients are dropped except for the ARP, DHCP, DNS and NETBIOS packets. These packets are allowed to be forwarded by the switch so that the unauthenticated clients can get an IP address and be able to resolve the hostname or domain names. Data traffic from authenticated clients goes through as expected. If an unauthenticated client opens a web browser and tries to connect to network, the Captive Portal redirects all the HTTP/HTTPS traffic from unauthenticated clients to the authenticating server on the switch. A Captive portal web page is sent back to the unauthenticated client and the client can authenticate and based upon the authentication the client is given access to the port.
NOTE: For information about the CLI commands you use to view and configure Captive Portal settings, refer to the Captive Portal Commands chapter in the CLI Reference Guide.
From the CP Global Configuration page, you can control the administrative state of the CP feature and configure global settings that affect all captive portals configured on the switch.
Additional HTTP Port — HTTP traffic uses port 80, but you can configure an additional port for HTTP traffic. Enter a port number between 0-65535 (excluding ports 80, 443, and the configured switch management port).
•
Additional HTTP Secure Port — HTTP traffic over SSL (HTTPS) uses port 443, but you can configure an additional port for HTTPS traffic. Enter a port number between 0-65535 (excluding ports 80, 443, and the configured switch management port).
•
Authentication Timeout — To access the network through a portal, the client must first enter authentication information on an authentication Web page. Enter the number of seconds to keep the authentication session open with the client. When the timeout expires, the switch disconnects any active TCP or SSL connection with the client.
From the CP Configuration page, you can view summary information about captive portals on the system, add a captive portal, and configure existing captive portals.
The CP Configuration page contains the following fields:
•
Configuration Name — If multiple CP configurations exist on the system, select the CP configuration to view or configure. Use the Add button to add a new CP configuration to the switch.
•
Captive Portal — Use this field to enable or disable the selected CP configuration.
•
Protocol Mode — Choose whether to use HTTP or HTTPS as the protocol for the portal to use during the verification process.
–
HTTP — Does not use encryption during verification
–
HTTPS — Uses the Secure Sockets Layer (SSL), which requires a certificate to provide encryption. The certificate is presented to the user at connection time.
•
Verification Mode — Select the mode for the CP to use to verify clients:
–
Guest — The user does not need to be authenticated by a database.
–
Local — The switch uses a local database to authenticated users.
–
RADIUS — The switch uses a database on a remote RADIUS server to authenticate users.
NOTE: To configure authorized users on the local or remote RADIUS database, see Local User.
•
Enable Redirect Mode — Select this option to specify that the CP should redirect the newly authenticated client to the configured URL. If this option is clear, the user sees the welcome page after a successful verification.
•
Redirect URL — Specify the URL to which the newly authenticated client is redirected if the URL Redirect Mode is enabled.
•
RADIUS Auth Server — If the verification mode is RADIUS, click the drop-down menu and select the name of the RADIUS server used for client authentications. The switch acts as the RADIUS client and performs all RADIUS transactions on behalf of the clients. To configure RADIUS server information, go to the Management Security→RADIUS Server Configuration page.
•
User Group — If the Verification Mode is Local or RADIUS, assign an existing User Group to the captive portal or create a new group. All users who belong to the group are permitted to access the network through this portal. The User Group list is the same for all CP configurations on the switch.
•
Session Timeout — Enter the number of seconds to wait before terminating a session. A user is logged out once the session timeout is reached. If the value is set to 0 then the timeout is not enforced. The default value is 0. The range is 0 to 86400 seconds.
The CP Web Customization page contains the following fields:
•
Captive Portal ID — The drop-down menu lists each CP configured on the switch. To view information about the clients connected to the CP, select it from the list.
•
Branding Image — Select the name of the image file to display on the top left corner of the page. This image is used for branding purposes, such as the company logo.
•
Fonts — Enter the name of the font to use for all text on the CP page.
•
Browser Title — Enter the text to display on the client’s Web browser title bar or tab.
•
Page Title — Enter the text to use as the page title. This is the text that identifies the page.
•
Separator Color — Enter the hexadecimal color code to use as the separator above and below the login area and acceptance use policy. Press the ... button for a color pick list. The sample account information is updated with the colors you choose.
•
Foreground Color— Enter the hexadecimal color code to use as the foreground color in the login area. Press the ... button for a color pick list. The sample account information is updated with the colors you choose.
•
Background Color — Enter the hexadecimal color code to as the background color in the login area. Press the ... button for a color pick list. The sample account information is updated with the colors you choose.
•
Account Image — Select the image that will display on the Captive Portal page above the login field. The image display area is 55H X 310W pixels. Your image will be resized to fit the display area. Click Download Image, then browse to and select an image on your local system (or accessible from your local system) to download to the switch.
•
Account Title — Enter the summary text to display that instructs users to authenticate.
•
User Label — Enter the text to display next to the field where the user enters the username.
•
Password Label — Enter the text to display next to the field where the user enters the password.
•
Button Label — Enter the text to display on the button the user clicks to connect to the network.
•
Acceptance Use Policy — Enter the text to display in the Acceptance Use Policy field. The acceptance use policy instructs users about the conditions under which they are allowed to access the network. The policy can contain up to 128 characters.
•
Acceptance Message — Enter the text to display next to the box that the user must select to indicate that he or she accepts the terms of use.
•
Instructional Text — Enter the detailed text to display that instructs users to authenticate. This text appears under the button.
•
Denied Message — Enter the text to display when the user does not provide valid authentication information. This message displays after the user clicks the button to connect to the network.
•
Resource Message — Enter the text to display when the system has rejected authentication due to system resource limitations. This message displays after the user clicks the button to connect to the network.
•
Timeout Message — Enter the text to display when the system has rejected authentication because the authentication transaction took too long. This could be due to user input time, or a timeout due to the overall transaction.
•
Busy Message — Enter the text to display when the user does not provide valid authentication information. This message displays after the user clicks the button to connect to the network.
•
No Accept Message — Enter the text to display when the user did not accept the acceptance use policy. This message displays after the user clicks the button to connect to the network.
•
Welcome Title — Enter the title to display to greet the user after he or she successfully connects to the network.
•
Welcome Text — Enter the optional text to display to further identify the network to be access by the CP user. This message displays under the Welcome Title.
The Local User page allows you to add authorized users to the local database, which can contain up to 1024 user entries. You can also add and delete users from the local database from the Local User page.
The following figure shows the Local User page after a user has been added. If no users have been added to the switch, many of the fields do not display on the screen.
Password — Enter a password for the user. The password length can be from 8 to 64 characters.
•
User Group — Assign the user to at least one User Group. New users are assigned to the 1-Default user group by default.
•
Session Timeout — Enter the number of seconds a user is permitted to remain connected to the network. Once the Session Timeout value is reached, the user is logged out automatically. A value of 0 means that the user does not have a Session Timeout limit.
The User Group page contains the following fields:
•
Group Name — The menu contains the name of all of the groups configured on the system. The Default user group is configured by default. New users are assigned to the 1-Default user group by default. To delete a user group, select the name of the group from the Group Name menu, select the Remove option, and then click Apply Changes.
•
Rename — To rename a Group Name, click the check box, type a new group name from 1 to 31 alphanumeric characters in the Rename field, then click Apply Changes.
From the Interface Association page, you can associate a configured captive portal with specific interfaces. The captive portal feature only runs on the interfaces that you specify. A captive portal can have multiple interfaces associated with it, but an interface can be associated to only one CP at a time.
To view the Interface Association page, click System→Captive Portal→Interface Association.
NOTE: When you associate an interface with a captive portal, the interface is removed from the Interface List. Each interface can be associated with only one captive portal at a time.
The CP Status page contains a variety of information about the CP feature. From the CP Status page, you can access information about the CP activity and interfaces.
The CP Activation and Activity Status page provides information about each CP configured on the switch.
The CP Activation and Activity Status page has a drop-down menu that contains all captive portals configured on the switch. When you select a captive portal, the activation and activity status for that portal displays.
The CP Activation and Activity Status page contains the following fields:
•
CP Configuration — Select the CP configuration with the information to view.
•
Operational Status — Indicates whether the captive portal is enabled or disabled.
•
Disable Reason — If the captive portal is disabled, then this field indicates the reason. The portal instance may be disabled for the following reasons:
The Interface Capability Status page contains information about interfaces that can have CPs associated with them. The page also contains status information for various capabilities. Specifically, this page indicates what services are provided through the CP to clients connected on this interface. The list of services is determined by the interface capabilities.
Use the Client Summary page to view summary information about all authenticated clients that are connected through the captive portal. From this page, you can manually force the captive portal to disconnect one or more authenticated clients. The list of clients is sorted by client MAC address.
The Client Detail page contains the following fields:
•
MAC Address — The menu lists each associated client by MAC address. To view status information for a different client, select its MAC address from the list.
•
Client IP Address — Identifies the IP address of the client (if applicable).
•
CP Configuration — Identifies the CP configuration the client is using.
•
Protocol — Shows the current connection protocol, which is either HTTP or HTTPS.
•
Session Time — Shows the amount of time that has passed since the client was authorized.
•
User Name — Displays the user name (or Guest ID) of the connected client.
•
Interface — Identifies the interface the client is using.
•
Verification — Shows the current account type, which is Guest, Local, or RADIUS.
The Interface Client Status page contains the following fields:
•
Interface — The drop-down menu lists each interface on the switch. To view information about the clients connected to a CP on this interface, select it from the list.
•
MAC Address — Identifies the MAC address of the client.
•
IP Address — Identifies the IP address of the client.
•
CP Configuration — Identifies the captive portal the client used to access the network.
•
Protocol — Shows the current connection protocol, which is either HTTP or HTTPS.
•
Verification — Shows the current account type, which is Guest, Local, or RADIUS.
The CP - Client Status page contains the following fields:
•
Configuration Name — The drop-down menu lists each CP configured on the switch. To view information about the clients connected to the CP configuration, select the CP configuration name from the list.
•
MAC Address — Identifies the MAC address of the client.
•
IP Address — Identifies the IP address of the client.
•
Interface — Identifies the interface the client used to access the network.
•
Protocol — Shows the current connection protocol, which is either HTTP or HTTPS.
•
Verification — Shows the current account type, which is Guest, Local, or RADIUS.
Simple Network Management Protocol (SNMP) provides a method for managing network devices. The device supports SNMP version 1, SNMP version 2, and SNMP version 3.
NOTE: By default, SNMPv2 is automatically enabled on the device. To enable SNMPv3, a local engine ID must be defined for the device. The local engineID is by default set to the switch MAC address, however when the switch operates in a stacking mode, it is important to manually configure the local engineID for the stack. This local engineID must be defined so that it is unique within the network. It is important to do this because the default engineID in a stack is the MAC address of the master unit, which may change if the master unit fails and another unit takes over the stack. For information on how to configure the local engine ID, see "SNMP Global Parameters."
Authentication — Provides data integrity and data origin authentication.
•
Privacy — Protects against disclosure of message content. Cipher-Bock-Chaining(CBC) is used for encryption. Either authentication is enabled on an SNMP message, or both authentication and privacy are enabled on an SNMP message. However privacy cannot be enabled without authentication.
•
Timeliness — Protects against message delay or message redundancy. The SNMP agent compares incoming message to the message time information.
Use the Access Control Group page to view information for creating SNMP groups, and to assign SNMP access privileges. Groups allow network managers to assign access rights to specific device features or features aspects.
To display the Access Control Group page, click System→SNMP→Access Control in the tree view.
The Access Control Group page contains the following fields:
•
Group Name — Contains a list of user-defined groups to which access control rules are applied. A group name can contain a maximum of 30 alphanumeric characters.
•
Security Model — Defines the SNMP version attached to the group. The possible field values are:
SNMPv3 — SNMPv3 User Security Model (USM) is defined for the group.
•
Security Level — The security level attached to the group. Security levels apply to SNMPv3 groups only. The possible field values are:
–
noauth no priv — Neither Authentication nor Privacy security levels are assigned to the group.
–
auth nopriv — Authenticates SNMP messages without encrypting them.
–
auth priv — Authenticates SNMP messages and encrypts them.
•
Context Prefix (1–30) — This field permits the user to specify the context name by entering the first 1 to 30 characters of the context name.
•
Operation — Defines group access rights. The possible field values are:
–
Read — Select a view that restricts management access to viewing the contents of the agent. If no view is selected, all objects except the community-table, SNMPv3 user and access tables can be viewed.
–
Write — Select a view that permits management read-write access to the contents of the agent.
–
Notify — Select a view that permits sending SNMP traps or informs.
MD5 — Users are authenticated using the HMAC-MD5-96 authentication level. The user should specify a password.
–
SHA — Users are authenticated using the HMAC-SHA-96 authentication level. The user should enter a password.
•
Password — Modifies the user defined password for the group. Passwords can contain a maximum of 32 characters. Passwords are defined only if the authentication method is MD5 or SHA Password. You define the password on the Add Local User page.
•
Privacy — Specifies whether or not the authentication key is to be used. Choose one of the following values:
The SNMPv1, 2 Community page contains the following fields:
•
Community String — Contains a list of user-defined community strings that act as a password and are used to authenticate the SNMP management station to the device. A community string can contain a maximum of 20 characters.
•
SNMP Management Station — Contains a list of management station IP address for which community strings have been defined.
•
Basic — EnablesSNMP Basic mode for the selected community. The possible field values are:
–
Access Mode — Defines the access rights of the community. The possible field values are:
•
Read-Only — Community has read only access to the MIB objects configured in the view.
•
Read-Write — Community has read/modify access to the MIB objects configured in the view.
•
Super User — Community has read/modify access to all MIB objects.
–
View Name — Contains a list of user-defined SNMP views.
•
Advanced — Contains a list of user-defined groups. When SNMP Advanced mode is selected, the SNMP access control rules comprising the group are enabled for the selected community. The Advanced mode also enables SNMP groups for specific SNMP communities. The SNMP Advanced mode is defined only with SNMPv3.
In addition to the fields in the SNMPv1, 2 Community page, the Add SNMPv1,2 Community page contains the All (0.0.0.0) field, which indicates that the community can be used from any management station.
Use the Notification Filter page to set filtering traps based on OIDs. Each OID is linked to a device feature or a feature aspect. The Notification Filter page also allows you to filter notifications.
To display the Notification Filter page, click System→SNMP→Notification Filters in the tree view.
Use the Notification Recipients pageto view information for defining filters that determine whether traps are sent to specific users, and the trap type sent. SNMP notification filters provide the following services:
Select the Remove check box for one or more notification recipients in the SNMPV1,2 Notification Recipient and/or SNMPv3 Notification Recipient Tables.
Use the File Management menu page to manage device software, the image file, and the configuration files. In addition to a TFTP server, the file management feature has been enhanced to allow file uploads and downloads by using an HTTP session (in other words, by using your web browser).
Configuration — Choose this option to update the switch’s configuration. If the file has errors the update will be stopped. If File Type - Configuration and Transfer Mode - HTTP are selected, the Destination File Name field is also displayed.
•
Transfer Mode — Select the file transfer mode for the configuration to download. The options are:
Select File — Used in case of HTTP download. Enter the path and filename or browse for the file you want to download. You may enter up to 80 characters.
Click Apply Changes to initiate the file download.
NOTE: HTTP File Download is not available by using the CLI.
NOTE: After you start a file download, the page refreshes and a transfer status field appears to indicate the number of bytes transferred. The Web interface is blocked until the file download is complete.
Use the File Upload to Server page to upload configuration (ASCII), image (binary), operational log, and startup log files from the device to the server.
To display the File Upload to Server page, click System→File Management→File Upload in the tree view.
NOTE: After you start a file upload, the page refreshes and a transfer status field appears to indicate the number of bytes transferred. The Web interface is blocked until the file upload is complete.
The Auto Configuration feature enables the configuration of a switch automatically when the device is turned on and, during the boot process, no configuration file is found in device storage. By communicating with a DHCP server, obtains an IP address for the switch and an IP address for a TFTP server. Auto Configuration attempts to download a configuration file from the TFTP server and install it on the switch.
Use the Auto Configuration page to enable the switch to be automatically configured when it is initialized and cannot find a configuration file. With Auto Configuration enabled, the switch obtains an IP address and downloads a configuration file from a TFTP server.
NOTE: The Auto Configuration process requires the DHCP client on the switch to be enabled by default. The Auto Configuration feature also depends upon the configuration of other devices in the network, including a DHCP or BOOTP server, a TFTP server and, if necessary, a DNS server.
To display the Auto Configuration page, click System→Advanced Settings→Auto Configuration in the tree view.
The Auto Configuration page contains the following fields:
•
Auto Configuration Mode — Enables (Start) or disables (Stop) the Auto Configuration feature on the switch. Select Start to initiate sending a request to a DHCP server to obtain an IP address of a server and the configuration file name. If it obtains the server address, Auto Configuration proceeds to search for and download a configuration file from the server. If successful, it applies the configuration file to the switch. After starting the Auto Configuration process, you can monitor the status of the process by the messages in the Auto Configuration State and Retry Count fields.
•
Auto Save Mode — Specifies whether to save the automatically downloaded configuration file to the startup configuration.
–
Enable — Automatically saves the configuration file to the startup configuration.
–
Disable — Uses the configuration file as the running configuration only. When the switch reboots, it will load the configuration from the startup configuration file.
•
Retry Count — Indicates the number of times to attempt the auto configuration process during boot up. The number of times the switch has attempted to contact the TFTP server during the current Auto Configuration session.
A stack is created by daisy-chaining stacking links on adjacent units. A stack of units is manageable as a single entity when the units are connected together. If a unit cannot detect a stacking partner on a port enabled for stacking, the unit automatically operates as a standalone unit. If a stacking partner is detected, the switch always operates in stacking mode. One unit in the stack is designated as the Master unit. The Master manages all the units in the stack. A second switch is designated as the Standby unit, which becomes the Master if the Master unit is unavailable. The Standby unit can either be user-configurable or automatically selected by the software.
NOTE: The terms "Master" and "Manager/Management Unit" are used interchangeably in this section.
Use the Stacking menu to set the stacking characteristics of the device. The changes to these attributes are applied only after the device is reset. Click System→ Stacking in the tree view to display the Stacking page. Use this page to go to the following features:
Admin Management Preference — Determines whether this unit is capable of becoming the master switch. Values range from Disable (the unit cannot support Master Switch function) to Preference 15. The higher value means that the unit is more desirable than another unit with lower value for running the management function. An additional value is Unassigned, which means that preference is not configured, and election of the Master is left to the stack units.
Unit Type— This field indicates whether the switch is configured as the management switch, the standby switch, or a stack member.
•
Pre-configured Model Identifier — This field displays the 16-character field assigned by the device manufacturer to identify the pre-configured device.
•
Plugged-in Model Identifier — This field displays the 16-character field assigned by the device manufacturer to identify the plugged-in device.
•
Switch Status — Indicates the unit status. There are five possible state values:
Use the Supported Switches page to view information regarding each type of supported switch for stacking, and information regarding the supported switches.
To display the Supported Switches page, click System→ Stacking→ Supported Switches in the tree view.
Switch Model ID — Displays a 16-byte character string to identify the model of the supported switch.
•
Description — Displays a 256-byte data field used to identify the device.
•
Management Preference — Determines whether this unit is capable of becoming the master switch. If the value is set to zero then the unit cannot support Master Switch function. The higher value means that the unit is more desirable than another unit with lower value for running the management function. The device manufacturer sets the initial value of this field.
•
Expected Code Type — Displays the release number and version number of the code expected.
Use the Stack Port Summary page to view the stackable ports present. This screen displays the unit, the stackable interface, the configured mode of the interface, the running mode as well as the link status and link speed of the stackable port.
To display the Stack Port Summary page, click System→ Stacking→ Stack Port Summary in the tree view.
When switches are members of a stack, packet forwarding rules, protocol configurations, and state information are controlled by a designated stack management unit. Typically, when the management unit fails due to a power failure, hardware failure, or software fault, neighbor routers detect that the management unit is down or restarting. Neighbor routers may recalculate route topology to avoid the restarting router, which can result in instability and degrade performance in the network.
Operation Status — Indicates whether NSF is operational on the stack, which may differ from the Admin Status setting. If a unit that does not support NSF is connected to the stack, then NSF is disabled on all stack members. When a unit that does not support NSF is disconnected from the stack and all other units support NSF, and NSF is administratively enabled, then NSF operation resumes.
Click Initiate Failover to start a warm restart. On a warm restart, the backup unit becomes the management unit without clearing its hardware tables (on a cold restart, hardware tables are cleared). Applications apply checkpointed data from the former management unit to the backup unit as the original management unit reboots.
Use the Trap Manager menus to configure traps flags and view the trap log. Click System→Trap Manager in the tree view to display the Trap Manager page. Use this page to go to the following features:
The Trap Flags page is used to specify which traps you want to enable or disable. When the condition identified by an active trap is encountered by the switch, a trap message is sent to any enabled SNMP Trap Receivers, and a message is written to the trap log.
To access the Trap Flags page, click System→Trap Manager→Trap Flags in the navigation tree.
Authentication — Enable or disable activation of authentication failure traps by selecting the corresponding line on the pull-down entry field. The factory default is enabled.
–
Link Up/Down — Enable or disable activation of link status traps by selecting the corresponding line on the pull-down entry field. The factory default is enabled.
–
Multiple Users — Enable or disable activation of multiple user traps by selecting the corresponding line on the pull-down entry field. The factory default is enabled. This trap is triggered when the same user ID is logged into the switch more than once at the same time (either via telnet or the serial port).
–
Spanning Tree — Enable or disable activation of spanning tree traps by selecting the corresponding line on the pull-down entry field. The factory default is enabled.
ACL Traps — Enable or disable activation of ACL traps by selecting the corresponding line on the pull-down entry field. The factory default is enabled.
DVMRP Traps — Enable or disable activation of DVMRP traps by selecting the corresponding line on the pull-down entry field. The factory default is disabled.
–
PIM Traps — Enable or disable activation of PIM traps by selecting the corresponding line on the pull-down entry field. The factory default is disabled.
Captive Portal Trap Mode — Displays the captive portal trap mode status. Enable or disable by selecting the corresponding line on the pull-down entry field. The factory default is disabled.
–
Client Authentication Failure Traps — When enabled, the SNMP agent sends a trap when a client unsuccessfully attempts to authenticate with a captive portal.
–
Client Connection Traps — When enabled, the SNMP agent sends a trap when a client authenticates with and connects to a captive portal.
–
Client Database Full Traps — When enabled, the SNMP agent sends a trap each time an entry cannot be added to the client database because it is full.
–
Client Disconnection Traps — When enabled, the SNMP agent sends a trap when a client disconnects from a captive portal.
The OSPFv2 Trap Flags page is used to specify which OSPFv2 traps you want to enable or disable. When the condition identified by an active trap is encountered by the switch, a trap message is sent to any enabled SNMP Trap Receivers, and a message is written to the trap log.
To access the OSPFv2 Trap Flags page, click System→Trap Manager→OSPFv2 Trap Flags in the navigation tree.
Authentication Failure — Signifies that a packet has been received on a non-virtual interface from a router with an authentication key or authentication type that conflicts with this router's authentication key or authentication type. The factory default is disabled.
–
Bad Packet — Signifies that an OSPF packet has been received on a non-virtual interface that cannot be parsed. The factory default is disabled.
–
Configuration Error — Signifies that a packet has been received on a non-virtual interface from a router with configuration parameters that conflict with this router's configuration parameters. The factory default is disabled.
Virtual Bad packet — Signifies that an OSPF packet has been received on a virtual interface that cannot be parsed. The factory default is disabled.
–
Virtual Link Configuration Error — Signifies that a packet has been received on a virtual interface from a router with configuration parameters that conflict with this router's configuration parameters. The factory default is disabled.
LSA Max Age — Signifies that one of the LSA in the router link-state database has aged to MaxAge. The factory default is disabled.
–
LSA Originate — Signifies that a new LSA has been originated by this router. This trap should not be invoked for simple refreshes of LSAs (every 30 minutes), but only when an LSA is (re)originated due to a topology change. This trap does not include LSAs that are being flushed because they have reached MaxAge. The factory default is disabled.
LSDB Overflow — Signifies that the number of LSAs in the router link-state database has exceeded OSPF External LSDB Limit. The factory default is disabled.
–
LSDB Approaching Overflow — Signifies that the number of LSAs in the router link-state database has exceeded ninety percent of OSPF External LSDB Limit. The factory default is disabled.
Retransmit Packets — Signifies that an OSPF packet has been retransmitted on a non- virtual interface. All packets that may be retransmitted are associated with an LSDB entry. The LS type, LS ID, and Router ID are used to identify the LSDB entry. The factory default is disabled.
–
Virtual Link Retransmit Packets — Signifies that an OSPF packet has been retransmitted on a virtual interface. All packets that may be retransmitted are associated with an LSDB entry. The LS type, LS ID, and Router ID are used to identify the LSDB entry. The factory default is disabled.
Interface State Change — Signifies that there has been a change in the state of a non-virtual OSPF interface. This trap should be generated when the interface state regresses (e.g., goes from Dr to Down) or progresses to a terminal state (i.e., Point-to-Point, DR Other, Dr, or Backup). The factory default is disabled.
–
Neighbor State Change — Signifies that there has been a change in the state of a non-virtual OSPF neighbor. This trap should be generated when the neighbor state regresses (e.g., goes from Attempt or Full to 1-Way or Down) or progresses to a terminal state (e.g.,2-Way or Full). When a neighbor transitions from or to Full on non-broadcast multi-access and broadcast networks, the trap should be generated by the designated router. A designated router transitioning to Down will be noted by OSPF Interface State Change. The factory default is disabled.
–
Virtual Link Interface State Change — Signifies that there has been a change in the state of an OSPF virtual interface. This trap should be generated when the interface state regresses (e.g., goes from Point- to-Point to Down) or progresses to a terminal state (i.e., Point-to-Point). The factory default is disabled.
–
Virtual Neighbor State Change — Signifies that there has been a change in the state of an OSPF virtual neighbor. This trap should be generated when the neighbor state regresses (e.g., goes from Attempt or Full to 1-Way or Down) or progresses to a terminal state (e.g., Full). The factory default is disabled.
The OSPFv3 Trap Flags page is used to specify which OSPFv3 traps you want to enable or disable. When the condition identified by an active trap is encountered by the switch, a trap message is sent to any enabled SNMP Trap Receivers, and a message is written to the trap log.
To access the OSPFv3 Trap Flags page, click System→Trap Manager→OSPFv3 Trap Flags in the navigation tree.
Bad Packet — Signifies that an OSPF packet has been received on a non-virtual interface that cannot be parsed. The factory default is disabled.
–
Configuration Error — Signifies that a packet has been received on a non-virtual interface from a router with configuration parameters that conflict with this router's configuration parameters. The factory default is disabled.
–
Virtual Bad packet — Signifies that an OSPF packet has been received on a virtual interface that cannot be parsed. The factory default is disabled.
–
Virtual Link Configuration Error — Signifies that a packet has been received on a virtual interface from a router with configuration parameters that conflict with this router's configuration parameters. The factory default is disabled.
LSA Max Age — Signifies that one of the LSA in the router link-state database has aged to MaxAge. The factory default is disabled.
–
LSA Originate — Signifies that a new LSA has been originated by this router. This trap should not be invoked for simple refreshes of LSAs (every 30 minutes), but only when an LSA is (re)originated due to a topology change. This trap does not include LSAs that are being flushed because they have reached MaxAge. The factory default is disabled.
LSDB Overflow — Signifies that the number of LSAs in the router link-state database has exceeded OSPF External LSDB Limit. The factory default is disabled.
–
LSDB Approaching Overflow — Signifies that the number of LSAs in the router link-state database has exceeded ninety percent of OSPF External LSDB Limit. The factory default is disabled.
Retransmit Packets — Signifies that an OSPF packet has been retransmitted on a non- virtual interface. All packets that may be retransmitted are associated with an LSDB entry. The LS type, LS ID, and Router ID are used to identify the LSDB entry. The factory default is disabled.
–
Virtual Link Retransmit Packets — Signifies that an OSPF packet has been retransmitted on a virtual interface. All packets that may be retransmitted are associated with an LSDB entry. The LS type, LS ID, and Router ID are used to identify the LSDB entry. The factory default is disabled.
Interface State Change — Signifies that there has been a change in the state of a non-virtual OSPF interface. This trap should be generated when the interface state regresses (e.g., goes from Dr to Down) or progresses to a terminal state (i.e., Point-to-Point, DR Other, Dr, or Backup). The factory default is disabled.
–
Neighbor State Change — Signifies that there has been a change in the state of a non-virtual OSPF neighbor. This trap should be generated when the neighbor state regresses (e.g., goes from Attempt or Full to 1-Way or Down) or progresses to a terminal state (e.g.,2-Way or Full). When a neighbor transitions from or to Full on non-broadcast multi-access and broadcast networks, the trap should be generated by the designated router. A designated router transitioning to Down will be noted by OSPF Interface State Change. The factory default is disabled.
–
Virtual Link Interface State Change — Signifies that there has been a change in the state of an OSPF virtual interface. This trap should be generated when the interface state regresses (e.g., goes from Point- to-Point to Down) or progresses to a terminal state (i.e., Point-to-Point). The factory default is disabled.
–
Virtual Neighbor State Change — Signifies that there has been a change in the state of an OSPF virtual neighbor. This trap should be generated when the neighbor state regresses (e.g., goes from Attempt or Full to 1-Way or Down) or progresses to a terminal state (e.g., Full). The factory default is disabled.
Trap Log Capacity — The maximum number of traps stored in the log. If the number of traps exceeds the capacity, the entries will overwrite the oldest entries.
•
Number of Traps Since Log Last Viewed — The number of traps that have occurred since the traps were last displayed. Displaying the traps by any method (terminal interface display, Web display etc.) will cause this counter to be cleared to 0.
sFlow® is the standard for monitoring high-speed switched and routed networks. sFlow technology is built into network equipment and gives complete visibility into network activity, enabling effective management and control of network resources.
Packet Flow Sampling and Counter Sampling are performed by sFlow Instances associated with individual data sources within the sFlow Agent. Packet Flow Sampling and Counter Sampling are designed as part of an integrated system. Both types of samples are combined in sFlow datagrams. Packet Flow Sampling will cause a steady, but random, stream of sFlow datagrams to be sent to the sFlow Collector. Counter samples may be taken opportunistically in order to fill these datagrams.
In order to perform Packet Flow Sampling, an sFlow Sampler Instance is configured with a Sampling Rate. The Packet Flow sampling process results in the generation of Packet Flow Records. In order to perform Counter Sampling, the sFlow Poller Instance is configured with a Polling Interval, The Counter Sampling process results in the generation of Counter Records. The sFlow Agent collects Counter Records and Packet Flow Records and sends them in the form of sFlow datagrams to sFlow Collectors.
The sFlow Agent Summary page contains the following fields:
•
Version — Uniquely identifies the version and implementation of this MIB. The version string must have the following structure: MIB Version; Organization; Software Revision where:
The sFlow Receiver Configuration page contains the following fields:
•
Receiver Index — Selects the receiver for which data is to be displayed or configured. The allowed range is 1 to 8.
•
Receiver Owner String — The entity making use of this sFlowRcvrTable entry. The empty string indicates that the entry is currently unclaimed and the receiver configuration is reset to the default values. An entity wishing to claim an sFlowRcvrTable entry must ensure that the entry is unclaimed before trying to claim it. The entry is claimed by setting the owner string. The entry must be claimed before any changes can be made to other sampler objects.
•
Receiver Timeout — The time (in seconds) remaining before the sampler is released and stops sampling. A management entity wanting to maintain control of the sampler is responsible for setting a new value before the old one expires. The allowed range is 0 to 4294967295 seconds. A value of zero sets the selected receiver configuration to its default values.
•
Receiver Maximum Datagram Size — The maximum number of data bytes that can be sent in a single sample datagram. The manager should set this value to avoid fragmentation of the sFlow datagrams. The default value is 1400. The allowed range is 200 to 9116.)
•
Receiver Address — The IP address of the sFlow collector. If set to 0.0.0.0 no sFlow datagrams will be sent.
•
Receiver Port — The destination port for sFlow datagrams. The allowed range is 1 to 65535).
At this point, a decision is made on whether or not to sample the packet. The mechanism involves a counter that is decremented with each packet. When the counter reaches zero, a sample is taken. When a sample is taken, the counter that indicates how many packets to skip before taking the next sample is reset. The value of the counter is set to a random integer where the sequence of random integers used over time is the Sampling Rate.
To access the sFlow Sampler Configuration page, click System→sFlow→Sampler Configuration in the navigation tree.
The sFlow Sampler Configuration page contains the following fields:
•
Sampler DataSource— The sFlow data source for this sFlow sampler. This Agent supports physical ports only.
•
Receiver Index — The sFlow Receiver for this sFlow sampler. If set to zero, no packets will be sampled. Only active receivers can be set. If a receiver expires, then all samplers associated with the receiver will also expire. The allowed range is 1 to 8.
•
Sampling Rate — The statistical sampling rate for packet sampling from this source. A sampling rate of zero (0) disables sampling. The allowed range is 1024 to 65536.
•
Maximum Header Size — The maximum number of bytes that should be copied from a sampled packet. The allowed range is 20 to 256.
The sFlow Agent keeps a list of counter sources being sampled. When a Packet Flow Sample is generated, the sFlow Agent examines the list and adds counters to the sample datagram, least recently sampled first. Counters are only added to the datagram if the sources are within a short period, i.e. five seconds, of failing to meet the required Sampling Interval. Periodically, i.e. every second, the sFlow Agent examines the list of counter sources and sends any counters that need to be sent to meet the sampling interval requirement.
To access the sFlow Poll Configuration page, click System→sFlow→Poll Configuration in the navigation tree.
The sFlow Poll Configuration page contains the following fields:
•
Poll DataSource — The sFlow Sampler data source for this flow sampler. This Agent supports physical ports only.
•
Receiver Index — The sFlowReceiver for this sFlow Counter Poller. If set to zero, the poller configuration is set to the default and the poller is deleted. Only active receivers can be set. If a receiver expires, then all pollers associated with the receiver will also expire. The allowed range is 1 to 8.
•
Poll Interval — The maximum number of seconds between successive samples of the counters associated with this data source. The range is 0 to 86400 seconds.
serialNumber — Indicates that the device uses serial number as the format for its Device ID.
–
macAddress — Indicates that the device uses layer 2 MAC address as the format for its Device ID.
–
other — Indicates that the device uses its platform specific format as the format for its Device ID.
•
Device ID Format — Indicates the Device ID format of the device.
–
serialNumber — Indicates that the value is in the form of an ASCII string containing the device serial number.
–
macAddress — Indicates that the value is in the form of Layer 2 MAC address.
–
other — Indicates that the value is in the form of a platform specific ASCII string containing info that identifies the device. For example: ASCII string contains serialNumber appended/prepended with system name.
Table Full — Displays the number of times the system tried to add an entry to the ISDP table but was unsuccessful because the table was full.
•
ISDP IP Address Table Full — Displays the number of times the system tried to add an entry to the ISDP IP Address table but was unsuccessful because the table was full.
