Transcript
User Guide
PRIMERGY BX900/BX400 Blade Server Systems PRIMERGY 10GbE Connection Blade 18/8 Web-based Management Interface English
Comments… Suggestions… Corrections… The User Documentation Department would like to know your opinion on this manual. Your feedback helps us to optimize our documentation to suit your individual needs. Feel free to send us your comments by e-mail to:
[email protected]
Certified documentation according to DIN EN ISO 9001:2008 To ensure a consistently high quality standard and user-friendliness, this documentation was created to meet the regulations of a quality management system which complies with the requirements of the standard DIN EN ISO 9001:2008. cognitas. Gesellschaft für Technik-Dokumentation mbH www.cognitas.de
2/198
PRIMERGY 10 Gigabit Ethernet Connection Blade 18/8 Web-based Management Interface Guide V0300 Edition April 2012
1/328
Comments… Suggestions… Corrections… The User Documentation Department would like to know your opinion on this manual. Your feedback helps us to optimize our documentation to suit your individual needs. Feel free to send us your comments by e-mail to:
[email protected]
Certified documentation according to DIN EN ISO 9001:2008 To ensure a consistently high quality standard and user-friendliness, this documentation was created to meet the regulations of a quality management system which complies with the requirements of the standard DIN EN ISO 9001:2008. cognitas. Gesellschaft für Technik-Dokumentation mbH www.cognitas.de
Copyright and Trademarks Copyright © Fujitsu Limited Copyright © Fujitsu Technology Solutions GmbH 2012 All rights reserved. Delivery subject to availability; right of technical modifications reserved. All hardware and software names used are trademarks of their respective manufacturers.
2/328
Table of Contents
1.
Switch mode Web Interface ................................................................................................. 5 1.1.
Overview ....................................................................................................................................................... 5
1.1.1.
1.2.
1.2.1. 1.2.2. 1.2.3. 1.2.4. 1.2.5. 1.2.6. 1.2.7. 1.2.8. 1.2.9. 1.2.10. 1.2.11. 1.2.12. 1.2.13.
1.3.
Port Access Control ........................................................................................................................................................................ 81 RADIUS .......................................................................................................................................................................................... 92 TACACS+ ....................................................................................................................................................................................... 97 LDAP ............................................................................................................................................................................................ 102 AAA .............................................................................................................................................................................................. 106 Access Control List ....................................................................................................................................................................... 107 IP Filter ......................................................................................................................................................................................... 115 VLAN Filter ................................................................................................................................................................................... 116 Application Filter ........................................................................................................................................................................... 117
QoS Menu................................................................................................................................................. 125
1.5.1. 1.5.2. 1.5.3.
2.
Forwarding Database ..................................................................................................................................................................... 42 Port ................................................................................................................................................................................................. 43 VLAN .............................................................................................................................................................................................. 47 Protocol-based VLAN Config.......................................................................................................................................................... 50 GVRP ............................................................................................................................................................................................. 53 GMRP ............................................................................................................................................................................................. 57 IGMP .............................................................................................................................................................................................. 60 MLD ................................................................................................................................................................................................ 63 Multicast Forwarding Database ...................................................................................................................................................... 65 Link Aggregation ........................................................................................................................................................................ 65 Spanning Tree ........................................................................................................................................................................... 69 Port Backup ............................................................................................................................................................................... 77 IEEE802.1Q Tunneling .............................................................................................................................................................. 78 MAC Filter .................................................................................................................................................................................. 79
Security Menu ............................................................................................................................................. 81
1.4.1. 1.4.2. 1.4.3. 1.4.4. 1.4.5. 1.4.6. 1.4.7. 1.4.8. 1.4.9.
1.5.
Information ........................................................................................................................................................................................ 8 Configuration .................................................................................................................................................................................. 10 System Utilities ............................................................................................................................................................................... 14 File Management ............................................................................................................................................................................ 15 User Management .......................................................................................................................................................................... 18 Logging ........................................................................................................................................................................................... 20 Statistics ......................................................................................................................................................................................... 22 SNMP ............................................................................................................................................................................................. 28 RMON ............................................................................................................................................................................................. 30 SNTP ......................................................................................................................................................................................... 32 LLDP .......................................................................................................................................................................................... 35 DHCP Client .............................................................................................................................................................................. 40 IPv6 ............................................................................................................................................................................................ 41
Switching Menu .......................................................................................................................................... 42
1.3.1. 1.3.2. 1.3.3. 1.3.4. 1.3.5. 1.3.6. 1.3.7. 1.3.8. 1.3.9. 1.3.10. 1.3.11. 1.3.12. 1.3.13. 1.3.14.
1.4.
Menu Options ................................................................................................................................................................................... 6
Management Menu ....................................................................................................................................... 8
Port Configuration ......................................................................................................................................................................... 125 VLAN Configuration ...................................................................................................................................................................... 128 DSCP Rewriting ............................................................................................................................................................................ 129
End Host mode Web Interface ......................................................................................... 131 2.1.
Overview ................................................................................................................................................... 131
2.1.1.
2.2.
2.2.1. 2.2.2. 2.2.3. 2.2.4. 2.2.5. 2.2.6. 2.2.7. 2.2.8. 2.2.9. 2.2.10. 2.2.11. 2.2.12. 2.2.13.
2.3.
Menu Options ............................................................................................................................................................................... 132
Management Menu ................................................................................................................................... 134 Information .................................................................................................................................................................................... 134 Configuration ................................................................................................................................................................................ 136 System Utilities ............................................................................................................................................................................. 140 File Management .......................................................................................................................................................................... 141 User Management ........................................................................................................................................................................ 144 Logging ......................................................................................................................................................................................... 146 Statistics ....................................................................................................................................................................................... 148 SNMP ........................................................................................................................................................................................... 154 RMON ........................................................................................................................................................................................... 156 SNTP ....................................................................................................................................................................................... 158 LLDP ........................................................................................................................................................................................ 161 DHCP Client ............................................................................................................................................................................ 166 IPv6 .......................................................................................................................................................................................... 167
Switching Menu ........................................................................................................................................ 168
3/328
2.3.1. 2.3.2. 2.3.3. 2.3.4. 2.3.5. 2.3.6. 2.3.7. 2.3.8. 2.3.9. 2.3.10. 2.3.11. 2.3.12. 2.3.13.
2.4.
Security Menu ........................................................................................................................................... 199
2.4.1. 2.4.2. 2.4.3. 2.4.4. 2.4.5. 2.4.6. 2.4.7. 2.4.8. 2.4.9.
2.5.
Port Access Control ...................................................................................................................................................................... 199 RADIUS ........................................................................................................................................................................................ 210 TACACS+ ..................................................................................................................................................................................... 215 LDAP ............................................................................................................................................................................................ 220 AAA .............................................................................................................................................................................................. 224 Access Control List ....................................................................................................................................................................... 225 IP Filter ......................................................................................................................................................................................... 233 VLAN Filter ................................................................................................................................................................................... 234 Application Filter ........................................................................................................................................................................... 235
QoS Menu................................................................................................................................................. 243
2.5.1. 2.5.2. 2.5.3.
3.
Forwarding Database ................................................................................................................................................................... 168 Port ............................................................................................................................................................................................... 169 VLAN ............................................................................................................................................................................................ 173 Protocol-based VLAN Config........................................................................................................................................................ 177 GVRP ........................................................................................................................................................................................... 179 GMRP ........................................................................................................................................................................................... 183 IGMP ............................................................................................................................................................................................ 187 MLD .............................................................................................................................................................................................. 190 Multicast Forwarding Database .................................................................................................................................................... 192 Link Aggregation ...................................................................................................................................................................... 192 Port Backup ............................................................................................................................................................................. 195 IEEE802.1Q Tunneling ............................................................................................................................................................ 196 MAC Filter ................................................................................................................................................................................ 197
Port Configuration ......................................................................................................................................................................... 243 VLAN Configuration ...................................................................................................................................................................... 246 DSCP Rewriting ............................................................................................................................................................................ 247
IBP mode Web Interface .................................................................................................. 249 3.1.
Overview ................................................................................................................................................... 249
3.1.1.
3.2.
3.2.1. 3.2.2. 3.2.3. 3.2.4. 3.2.5. 3.2.6. 3.2.7. 3.2.8. 3.2.9. 3.2.10. 3.2.11. 3.2.12. 3.2.13.
3.3.
Group List ..................................................................................................................................................................................... 284 Uplink Sets ................................................................................................................................................................................... 285 Port Groups .................................................................................................................................................................................. 288 VLAN Port Groups ........................................................................................................................................................................ 290 Service LAN .................................................................................................................................................................................. 292 Service VLAN ............................................................................................................................................................................... 294 Port Backup .................................................................................................................................................................................. 295 VLAN ............................................................................................................................................................................................ 297 Port ............................................................................................................................................................................................... 298 Link Aggregation ...................................................................................................................................................................... 301
Security Menu ........................................................................................................................................... 303
3.4.1. 3.4.2. 3.4.3. 3.4.4. 3.4.5. 3.4.6.
3.5.
Information .................................................................................................................................................................................... 252 Configuration ................................................................................................................................................................................ 253 System Utilities ............................................................................................................................................................................. 257 File Management .......................................................................................................................................................................... 258 User Management ........................................................................................................................................................................ 261 Logging ......................................................................................................................................................................................... 263 Statistics ....................................................................................................................................................................................... 265 SNMP ........................................................................................................................................................................................... 271 RMON ........................................................................................................................................................................................... 273 SNTP ....................................................................................................................................................................................... 275 LLDP ........................................................................................................................................................................................ 278 DHCP Client ............................................................................................................................................................................ 282 IPv6 .......................................................................................................................................................................................... 283
Group Administration Menu ...................................................................................................................... 284
3.3.1. 3.3.2. 3.3.3. 3.3.4. 3.3.5. 3.3.6. 3.3.7. 3.3.8. 3.3.9. 3.3.10.
3.4.
Menu Options ............................................................................................................................................................................... 250
Management Menu ................................................................................................................................... 252
Port Access Control ...................................................................................................................................................................... 303 RADIUS ........................................................................................................................................................................................ 309 TACACS+ ..................................................................................................................................................................................... 313 LDAP ............................................................................................................................................................................................ 318 AAA .............................................................................................................................................................................................. 321 Application Filter ........................................................................................................................................................................... 322
QoS Menu................................................................................................................................................. 327
3.5.1.
Port Configuration ......................................................................................................................................................................... 327
4/328
1. Switch mode Web Interface 1.1. Overview PRIMERGY 10 Gigabit Ethernet Connection Blade 18/8 provides a built-in browser software interface that lets you configure and manage it remotely using a standard Web browser. This software interface also allows for system monitoring and management of this connection blade. When you configure this for the first time from the console, you have to assign an IP address and subnet mask to this connection blade. Thereafter, you can access this Web software interface directly using your Web browser by entering its IP address into the address bar. In this way, you can use your Web browser to manage this connection blade form any remote PC station, just as if you ware directly connected to its console port.
Figure 1 Web Management Interface
5/328
1.1.1. Menu Options There are following Menu options in Web Interface in Switch Mode: Management, Switching, Security, and QoS. 1. Management Menu: This section provides information for configuring SNMP and trap manager, Ping, DHCP client, SNTP, system parameters including Hostname, in-band/out-of-band network management setting, Log setting, User management, configure file backup and so on.
Figure 2
2. Switching Menu: This section provides the setting that related to switching functions, such as forwarding mode, port configuration, VLAN, IGMP, Link Aggregation, Spanning Tree, and Port Backup etc,
Figure 3
6/328
3. Security Menu: This section provides users to configure security including IEEE802.1x, Radius, TACACS, LDAP, Access Control Lists, IP filter, VLAN filter etc.
Figure 4
4. QoS Menu: This section provides users to configure QoS setting like queue configuration, Diffserve/CoS configuration of port and vlan.
Figure 5
7/328
1.2. Management Menu 1.2.1. Information 1.2.1.1. Inventory Info
Figure 6
System Description It displays the device name. Base MAC Address It displays the MAC address in hexadecimal number of 12 digits. Boot ROM Version It displays the ROM version. Runtime Version It displays the firmware version and the time when the firmware is made. Memory It displays the memory size of the device. ASIC Firmware It displays the ASIC firmware version. Port It displays the port number. Media type It displays the module type. Vendor PN It displays the vendor PN of the module. Status It displays the module status.
8/328
1.2.1.2. ARP Cache
Figure 7
It displays the entry of ARP table. 1.2.1.3. NDP Cache
Figure 8
It displays the entries of NDP table.
9/328
1.2.2. Configuration 1.2.2.1. System Description
Figure 9
System Description It displays the device name. Host Name Please set the Host Name of this device within 32 characters. It cannot be deleted. System Name Please set MIB variable "sysName" which means the machine name of this device within 32 characters. When it is omitted, it is considered that the "sysName" is not set. System Location Please set MIB variable "sysLocation" which means the location of this device within 72 characters. When it is omitted, it is considered that the "sysLocation" is not set. System Contact Please set MIB variable "sysContact" which means the admin name of this device within 40 characters. When it is omitted, it is considered that the "sysContact" is not set. Engine ID Please set SNMP engine ID for SNMPv3 within 27 characters. When it is omitted, the engine ID will be generated automatically. The value of SNMP engine ID set to the device is as follows. When it is set 1st ~ 5th octet : Fixed as 0x800000d304 6th octet ~ after : Engine ID of this setting When it is omitted 1st ~ 5th octet : Fixed as 0x800000d380 6th octet ~ after : Random value IP Address Set the address of SNMP agent. When it is omitted, it is considered that the agent address is not set. The range that can be specified is as follows. Valid Range) IPv4 address: 10/328
1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6 address: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff System Object ID It displays the Object ID of the device. System Up Time It displays the startup time of the device. 1.2.2.2. In-Band Mgmt
Figure 10
IPv4 Address Please set the IPv4 address. Please set it as DHCP client or set a static IPv4 address. When IPv4 address is changed, you have to input user/password again to login to WEB page. IPv4 Static Route Please set the IPv4 Static Route. It can be set up to 4. IPv6 Please set whether to use IPv6. IPv6 Address Please set the IPv6 address when IPv6 is used. Please set to use the prefix distributed by RA or set a static IPv6 address. When IPv6 address is changed, you have to input user/password again to login to WEB page. IPv6 DHCP Please set whether to use IPv6 DHCP. IPv6 Static Route Please set the IPv6 Static Route. It can be set up to 4. Burned-in MAC Address It displays the MAC address used in In-Band Mgmt LAN. Management VLAN ID Please set VLAN ID by integer within 1~4094. 11/328
1.2.2.3. Out-of-Band Mgmt
Figure 11
IPv4 Address Please set the IPv4 address. Please set it as DHCP client or set a static IPv4 address. When IPv4 address is changed, you have to input user/password again to login to WEB page. IPv4 Static Route Please set the IPv4 Static Route. It can be set up to 4. IPv6 Please set whether to use IPv6. IPv6 Address Please set the IPv6 address when IPv6 is used. Please set to use the prefix distributed by RA or set a static IPv6 address. When IPv6 address is changed, you have to input user/password again to login to WEB page. IPv6 DHCP Please set whether to use IPv6 DHCP. IPv6 Static Route Please set the IPv6 Static Route. It can be set up to 4. Burned-in MAC Address It displays the MAC address used in Out-of-Band Mgmt LAN.
12/328
1.2.2.4. Telnet Session
Figure 12
Auto Logout Specify the length of the auto logout time within the range of 0 second ~ 86400 seconds(1 day). If the command input/output is not done from the client connected by telnet, after the period of the auto logout time, the telnet connection will be cut off automatically. The time unit can be specified as any of the (day), (hour), (minute), or (second). 1.2.2.5. Serial Port
Figure 13
Auto Logout Specify the length of the auto logout time within the range of 0 second ~ 86400 seconds(1 day). During the login state, if the command input/output is not done from the serial port, after the period of the auto logout time, it will be forced to logout. The time unit can be specified as any of the (day), (hour), (minute), or (second). 13/328
1.2.3. System Utilities 1.2.3.1. Save All Changes Saving all applied changes will cause all changes to configuration panels that were applied but not saved, to be saved, thus retaining their new values across a system reboot. 1.2.3.2. System Reset Resetting the switch will cause all operations of this switch to stop. This session will be broken and you will have to login again after the switch has rebooted. Any unsaved changes will be lost. 1.2.3.3. Set Config to Default Initialize the configuration and reboot the switch. 1.2.3.4. Set Passwords to Default Set the password of admin and user to default. 1.2.3.5. Ping
Figure 14
IPv4/IPv6 Address Specify the IPv4 address or IPv6 address of sending destination. 1.2.3.6. DDNS Summary It displays summary of dynamic DNS action.
14/328
1.2.4. File Management 1.2.4.1. Download to Switch
Figure 15
TFTP server IP Address Set IPv4 or IPv6 address of TFTP server. TFTP File Path(Source) Set the path on the TFTP server where to download the file. TFTP File Name(Source) Set the name of the file to download. TFTP File Name(Target) Set the file name of the downloaded file on this device. Set it from the follows. config1 Config Definition 1 config2 Config Definition 2 switch_firmware Switch Firmware ibp_firmware IBP Firmware sshkey SSH Key Information
15/328
1.2.4.2. Upload from Switch
Figure 16
TFTP server IP Address Set IPv4 or IPv6 address of TFTP server. TFTP File Path(Target) Set the path on the TFTP server where to upload the file. TFTP File Name(Target) Set the file name of the uploaded file on TFTP server. TFTP File Name(Source) Set the file name on this device to upload. Set it from the follows. running-config Config Definition in use startup-config Config Definition when start up config1 Config Definition 1 config2 Config Definition 2 switch_firmware Switch Firmware ibp_firmware IBP Firmware
16/328
1.2.4.3. Start-Up File
Figure 17
Change config definition or firm and then reset the device. Current Runtime File It displays the name of the firm which is being used. Current Configuration File It displays the name of the current configuration file, which is being used. Runtime File Set the firm to be used when the device is started next time. Set it from the follows. switch_firm Switch Firm ehm_firm EHM Firm ibp_firm IBP Firm Configuration File Set the name of configuration file which will be used as Startup-config when the device is started next time. Set it from the follows. config1 Config Definition 1 config2 Config Definition 2 Caution: - "Save" button is disabled when "Configuration File" is different from "Current Configuration File". - When "Save" button is clicked, the selected "Runtime File" will be saved. - When "Save and Reset" button is clicked, the device will be reset with the selected parameter
17/328
1.2.4.4. Copy File
Figure 18
File Name Set the name of configuration file which will be used to save running-config. Set it from the follows. config1 Config Definition 1 config2 Config Definition 2 1.2.4.5. Clear SSH Key Delete SSH user public key.
1.2.5. User Management 1.2.5.1. User Accounts
Figure 19
18/328
Please set the password used for operating the device. The admin password is the password used when the user name is "admin", and the user password is the password used when the user name is "user". The authority class is decided by login user, and the web pages which can be executed are different according to the authority class. It becomes the administrator class when login with "admin" and it becomes the general user class when login with "user". When login by console, TELNET or SSH, the admin password and the user password are used. When login by FTP or SFTP, the admin password is used. After input password it can be operated for 10 minutes. After that it needs to input password again to operate. Admin Password Set the password within 64 characters. It is the password when user name is "admin". The authority class is administrator class when login with "admin". User Password Set the password within 64 characters. It is the password when user name is "user". The authority class is general user class when login with "user". Caution: - If the password is set less than 7 characters, English letters only or numbers only, or if the admin password is deleted, it can be set or deleted normally. However, the warning message of weak password will be displayed. User Account Extension Please set whether to extend user accounts besides the fixed accounts(admin/user). enable Extend it. disable Do not extend it. AAA Group Index Specify the group ID of AAA which is referred to when user authentication is done. Specify the group ID of AAA in decimal number of less than 10.
19/328
1.2.5.2. Login Session
Figure 20
It displays the information of login user. Line It displays the connection type(console, http, ssh) and connection line. User Name It displays the user name. Class It displays the authority class of user. Remote Host It displays the information of remote host. Since It displays the login time. Idle It displays the period of time without any operation.
1.2.6. Logging 1.2.6.1. Configuration – Syslog
Figure 21
20/328
Server Address Set IP address of the server where the system log information(message) will be sent. Priority Specify the priority level from the follows for the system log information to be output. error Check it when priority LOG_ERROR is included in the ouput object. warn Check it when priority LOG_WARNING is included in the ouput object. notice Check it when priority LOG_NOTICE is included in the ouput object. info Check it when priority LOG_INFO is included in the ouput object. Facility Set the facility of system log information within the range of 0~23 in decimal number. Duplication Abbreviation Specify whether to abbreviate the message which is duplicated to the message output before, when output message to system log. Command Logging Specify whether to output the command execution history to system log. As for the parameter of encrypted object, the log will be encrypted before output for security consideration. 1.2.6.2. View - System Log
Figure 22
It displays the system log information.
21/328
1.2.6.3. View - Error Log
Figure 23
It displays the hard error diagnosed in ROM or I/O driver and the error log information of system down.
1.2.7. Statistics 1.2.7.1. Port Summary
Figure 24
[Input Statistics] Octets The number of octets of the data received bits/sec The number of received bits per second(bits/sec) Frames The total number of frames received frames/sec 22/328
The number of received frames per second(frames/sec) Unicast The number of unicast frames received frames/sec The number of received unicast frames per second(frames/sec) Multicast/Broadcast The number of multicast/broadcast frames received frames/sec The number of received multicast/broadcast frames per second(frames/sec) Discards DiscardsPkts The total number of discarded frames after received Errors Oversize The number of oversize frames received(more than 1519 bytes without TAG, more than 1523 bytes with TAG). FCSErrors The number of frames where FCS errors are detected with the data size of 64~1518 bytes AlignmentErrors The number of received frames where Alignment errors are detected [Output Statistics] Octets The number of octets of the data sent bits/sec The number of sent bits per second(bits/sec) Frames The total number of frames sent frames/sec The number of sent frames per second(frames/sec) Unicast The number of unicast frames sent frames/sec The number of sent unicast frames per second(frames/sec) Multicast/Broadcast The number of multicast/broadcast frames sent frames/sec The number of sent multicast frames per second(frames/sec) Discards DiscardsPkts The total number of discarded frames after sent Errors CarrierSenseErrors The total number of error frames due to undetected carrier ExcessiveCollisions The total number of error frames that failed to send due to a lot of collision 23/328
LateCollisions The total number of late collisions SingleCollisionFrames The total number of frames succeeded to send after one collision occurred. MultipleCollisionFrames The total number of frames succeeded to send after several collisions occurred. DeferredTransmissions The total number of frames delayed to send due to busy of transmission path. 1.2.7.2. Port Detailed
Figure 25
[Input Statistics] Octets The number of octets of the data received bits/sec The number of received bits per second(bits/sec) Frames The total number of frames received frames/sec The number of received frames per second(frames/sec) Unicast The number of unicast frames received frames/sec The number of received unicast frames per second(frames/sec) Multicast The number of multicast frames received frames/sec The number of received multicast frames per second(frames/sec) Broadcast The number of broadcast frames received frames/sec 24/328
The number of received broadcast frames per second(frames/sec) Pause frames The number of PAUSE frames received Mac Control frames The number of MAC control frames received Priority pause 0 frames The number of received pause frames for priority 0 Priority pause 1 frames The number of received pause frames for priority 1 Priority pause 2 frames The number of received pause frames for priority 2 Priority pause 3 frames The number of received pause frames for priority 3 Priority pause 4 frames The number of received pause frames for priority 4 Priority pause 5 frames The number of received pause frames for priority 5 Priority pause 6 frames The number of received pause frames for priority 6 Priority pause 7 frames The number of received pause frames for priority 7 Discards All DiscardsPkts The total number of discarded frames after received Resource Full The number of discarded received frames due to insufficient resource Policy Discards The number of discarded received frames due to discards policy VLAN dropped The number of discarded received unicast frames due to no member of setting vlan Errors Undersize The number of undersize frames received(under 64 bytes) FCSErrors The number of frames where FCS errors are detected with the data size of 64~1518 bytes AlignmentErrors The number of received frames where Alignment errors are detected FragmentErrors The number of frames with short size(under 64 bytes) where FCS errors or alignment errors are detected Jabbers Over size(more than 1519 bytes without TAG, or more than 1523 bytes with TAG) SymbolErrors Over size(more than 1519 bytes without TAG, or more than 1523 bytes with TAG) UnknownOpcodes Over size(more than 1519 bytes without TAG, or more than 1523 bytes with TAG) 25/328
[Output Statistics] Octets The number of octets of the data sent bits/sec The number of sent bits per second(bits/sec) Frames The total number of frames sent frames/sec The number of sent frames per second(frames/sec) Unicast The number of unicast frames sent frames/sec The number of sent unicast frames per second(frames/sec) Multicast The number of multicast frames sent frames/sec The number of sent multicast frames per second(frames/sec) Broadcast The number of broadcast frames sent frames/sec The number of sent broadcast frames per second(frames/sec) Pause frames The number of PAUSE frames sent Mac Control frames The number of MAC control frames sent Priority pause 0 frames The number of sent pause frames for priority 0 Priority pause 1 frames The number of sent pause frames for priority 1 Priority pause 2 frames The number of sent pause frames for priority 2 Priority pause 3 frames The number of sent pause frames for priority 3 Priority pause 4 frames The number of sent pause frames for priority 4 Priority pause 5 frames The number of sent pause frames for priority 5 Priority pause 6 frames The number of sent pause frames for priority 6 Priority pause 7 frames The number of sent pause frames for priority 7 Discards DiscardsPkts The total number of discarded frames after received DelayExceededDiscards The number of discarded frames due to exceeded delay 26/328
Errors Undersize The number of undersize frames received(under 64 bytes) FCSErrors The number of frames where FCS errors are detected with the data size of 64~1518 bytes FragmentErrors The number of frames with short size(under 64 bytes) where FCS errors or alignment errors are detected [Detail Statistics] The number of frames per second accumulated by different frame size. 1.2.7.3. IP
Figure 26
It displays the statistics of IPv4 packets.
1.2.7.4. LACP It displays the statistics of LACP packets. The items won't be displayed if the Count is 0. 1.2.7.5. Net Time It displays the statistics of SNTP/TIME client. 1.2.7.6. SNMP It displays the statistics of SNMP.
27/328
1.2.8. SNMP 1.2.8.1. Community Config
Figure 27
SNMP Agent Set whether to enable SNMP Agent function and SNMP Trap function. RMON Set whether to use RMON function. Community Name Specify the community name within 1~32 characters used when sending trap. Specify it as "public" for it to communicate with any SNMP manager. IP Address Specify the address of the SNMP manager. Valid Range) IPv4 address: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6 address: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Access Mode Specify whether writing from SNMP manager is permitted. Trap Mode Specify whether to send trap. Off Select it when not sending trap. V1 Select it when sending SNMPv1 trap. V2c Select it when sending SNMPv2 trap.
28/328
1.2.8.1.1. Trap Flags
Figure 28
Cold Start Set to enable or disable the coldStart trap. Link Down Set to enable or disable the linkDown trap. Link Up Set to enable or disable the linkUp trap. Authentication Set to enable or disable the authenticationFailure trap. Rising Alarm Set to enable or disable the risingAlarm trap. Falling Alarm Set to enable or disable the fallingAlarm trap. New Root Set to enable or disable the newRoot trap. Topology Change Set to enable or disable the topologyChange trap. LLDP Remote Tables Change Set to enable or disable the lldpRemTablesChange trap. LLDP DCBX Set to enable or disable all the following lldpXdcbx traps. lldpXdcbxMiscControlError lldpXdcbxMiscFeatureError lldpXdcbxMultiplePeers lldpXdcbxLldpTxDisabled lldpXdcbxLldpRxDisabled lldpXdcbxDupControlTlv lldpXdcbxDupFeatureTlv lldpXdcbxPeerNoFeat lldpXdcbxPeerNoResp lldpXdcbxPeerConfigMismatch 29/328
1.2.9. RMON 1.2.9.1. Alarm Config
Figure 29
Alarm ID Specify ID of the RMON alarm group in decimal number value of 1 ~ 64. Sampling Variable Specify the object identifier of MIB that will be checked with the threshold in the dot form or the alphanumeric character. The range that can be specified is as follows. 1 ~ 63(characters) The object identifier can only be specified with the following types. INTEGER Integer32 Counter32 Counter64 Gauge32 TimeTicks Sampling Interval Please set the interval time of checking the threshold within the range of 1 ~ 43200 (seconds). The unit can be specified as hour, minute or second. Sampling Type Specify the type of checking threshold. Absolute(default value) The current value is compared directly with the threshold. Delta The difference between the current value and the value when sampling it last time is compared with the threshold. Rising-Threshold Specify the upper threshold of the RMON alarm group. The range that can be specified is as follows. 30/328
0 ~ 4294967295 Rising-Threshold Event ID Specify the corresponding RMON event group id in decimal number which has been set in "Event ID" of [Event Config]. It is used as the event definition number which will be generated when the upper threshold is exceeded. The alarm event will not be generated when there is no specified definition number. Falling-Threshold Specify the lower threshold of the RMON alarm group. The range that can be specified is as follows. 0 ~ 4294967295 Falling-Threshold Event ID Specify the corresponding RMON event group id in decimal number which has been set in "Event ID" of [Event Config]. It is used as the event definition number which will be generated when the lower threshold is surpassed. The alarm event will not be generated when there is no specified definition number. 1.2.9.2. Event Config
Figure 30
Event ID Specify ID of the RMON event group in decimal number value of 1 ~ 64. Type Specify the notification method of this event(alarm). Blank No event processing. Log The log of the event will be kept. Trap The trap will be transmitted to the SNMP host who has the community name specified in "Community" of [Event Config]. Log-Trap The log of the event will be kept while the trap will be transmitted to the SNMP host who has the community name specified in "Community" of [Event Config]. 31/328
Description Set the description of the RMON event group. Specify the explanation of the event (the note related to the content of the event) by the character string of 0x21, 0x23 ~ 0x7e. The range that can be specified is as follows. 1~ 127 (characters) Community Specify the community name which will be set to the trap packets when the trap is sent. This setting is effective when the notification method specified in "Type" of [Event Config] is "Trap" or "Log-Trap". And the trap will be sent in the following case. When the community name specified here has been set in [Community Config] of [SNMP]. The range that can be specified is as follows. 1 ~ 32(characters)
1.2.10. SNTP 1.2.10.1.Server Config
Figure 31
Client Mode Please set the protocol when time information is acquired from the time server. Disable Time information is not acquired. SNTP Select it when the simple NTP protocol(UDP) is used. TIME Select it when the TIME protocol(TCP) is used. DHCP Select it when the protocol notified by DHCP is used. IP Address IPv4 Address Specify the IPv4 address of the server that offers time information. The range that can be specified is as follows. 0.0.0.0 (from DHCP server) 32/328
1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 224.0.0.1 ~ 239.255.255.254 (Multicast) 255.255.255.255 (Broadcast) IPv6 Address Specify the IPv6 address of the server that offers time information. The range that can be specified is as follows. ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Interface Please set the interface used to communicate with time server. When IPv4 address of server is multicast or broadcast address and protocol is SNTP, please set it other than "Auto". Otherwise, set it as "Auto". Auto Interface is auto-selected. Out-of-Band Use Out-of-Band interface(oob0). In-Band Use In-Band interface(lan0). Interval Please set the acquisition cycle within the range of 0~10 day, when acquiring time information from the time server periodically. The time unit can be specified as any of the day, hour, minute or second. If it is omitted or 0 is set, time information will be acquired only when the device starts (restarts). 1.2.10.2.Server Status
Figure 32
Protocol It displays the protocol when time information is acquired from the time server. Version 33/328
It displays the version of protocol. Last Update Time It displays the last time when time information is acquired from server. Server IP Address It displays the IP address of time server. Unicast Server Max Entries It displays the maximum number of time server. 1.2.10.3.Current Time
Figure 33
Current Time Set the current time. Please select from the following 3 methods. Set it as the time of PC used for setting. Set it from the SNTP/TIME server. Set it manually.
34/328
1.2.10.4.Time Zone Settings
Figure 34
Time Zone Hours Please set the time difference(hour) from GMT(Greenwich Standard Time) in decimal number from 0 to 12. Time Zone Minutes Please set the time difference(minute) from GMT in decimal number from 0 to 59. Direction Please set whether it is before GMT or after GMT. Before GMT It means it is ahead of GMT. After GMT It means it is late than GMT.
1.2.11. LLDP 1.2.11.1.Configuration – Global Config
Figure 35
35/328
Transmit Interval Specify a fixed time interval to transmit LLDP information by decimal number and time unit. The time unit can be specified as any of the (hour), (minute) or (second). The range that can be specified is 5 seconds ~ 32768 seconds. This setting is corresponding to the variable "msgTxInterval" of 802.1AB. Transmit Delay Specify the minimum time interval to transmit LLDP information by decimal number and time unit. The time unit can be specified as any of the (hour), (minute) or (second). The range that can be specified is 1 second ~ 0.25 *
(no more than 8192 seconds). This setting is corresponding to the variable "txDelay" of 802.1AB. Transmit Hold As for the time length that adjacent device should maintain LLDP information of this device, specify it by the count of "Transmit Interval" of LLDP. The range that can be specified is 2 times ~ 10 times, specify it by decimal number within the range of 2~10. TTL(no more than 65535 seconds) which is calculated by the method of [LLDP Transmit Interval * LLDP Transmit Hold] will be notified to the adjacent device. This setting is corresponding to the variable "msgTxHold" of 802.1AB. Reinitialize Delay When the LLDP transmission is set to be disabled, after sending LLDP information with TTL value of 0, the internal state will be re-initialized. Specify the delay time of re-initialized by decimal number and time unit. The range that can be specified is 1second ~ 10seconds. This setting is corresponding to the variable "reinitDelay" of 802.1AB. SNMP Notification Interval Specify the minimum time interval of the transmission of SNMP Notification Trap by decimal number and time unit. The time unit can be specified as any of the (hour), (minute) or (second). The range that can be specified is 5 seconds ~ 3600 seconds. This setting is corresponding to the variable "NotificationInterval" of 802.1AB.
36/328
1.2.11.2.Configuration – Interface Config
Figure 36
Slot/Port Select a port to set. Mode Specify the action mode of the LLDP function at the specified port. Port Description Specify whether to transmit Port Description TLV. System Name Specify whether to transmit System Name TLV. System Description Specify whether to transmit System Description TLV. System Capabilities Specify whether to transmit System Capabilities TLV. Management Address Specify whether to transmit Management Address TLV. Port VLAN ID Specify whether to transmit IEEE802.1 Port VLAN ID TLV. Port and Protocol VLAN ID Specify whether to transmit Protocol VLAN ID information. VLAN Name Specify whether to transmit IEEE802.1 VLAN Name TLV. Protocol Identity Specify whether to transmit IEEE802.1 Protocol VLAN Identity TLV. MAC PHY Configuration Status Specify whether to transmit IEEE802.3 MAC/PHY Configuration/Status TLV. Power via MDI Specify whether to transmit IEEE802.3 Power Via MDI TLV. Link Aggregation Specify whether to transmit IEEE802.3 Link Aggregation TLV. Maximum Frame Size Specify whether to transmit IEEE802.3 Maximum Frame Size TLV. 37/328
1.2.11.3.Information – Interface Summary
Figure 37
It displays the LLDP setup information at all physical ports where the LLDP function is enabled. The content of "Info" is as follows. About TLV P Port Description TLV is transmitted N System Name TLV is transmitted D System Description TLV is transmitted C System Capabilities TLV is transmitted A Management Address TLV is transmitted No Transmit (disable) Blank No Transmit (receive only) About VLAN P Port VLAN ID p Port And Protocol VLAN ID N VLAN Name I Protocol Identity No Transmit (disable) Blank No Transmit (receive only) About Configration M MAC/PHY Configuration/Status P Power Via MDI L Link Aggregation F Maximum Frame Size 38/328
No Transmit (disable) Blank No Transmit (receive only) About SNMP T SNMP Notification Trap No Transmit (disable) Blank No Transmit (receive only)
1.2.11.4.Information – Statistics It displays the LLDP statistics information. 1.2.11.5.Information – Local Info
Figure 38
It displays the LLDP setup information and LLDP transmission information at all physical ports where the LLDP function is enabled.
39/328
1.2.11.6.Information – Local Summary
Figure 39
It displays the number of physical ports where the LLDP function is enabled. 1.2.11.7.Information – Remote Info It displays the detail information of adjacent device. 1.2.11.8.Information – Remote Summary It displays the LLDP adjacent device information at all physical ports where the LLDP function is enabled.
1.2.12. DHCP Client 1.2.12.1.DHCP Restart Issues a DHCP client request for any IP interface that has been set to DHCP mode. 1.2.12.2.DHCPv6 Restart Issues a DHCPv6 client request for any IPv6 interface that has been set to DHCP mode.
40/328
1.2.13. IPv6 1.2.13.1.Statistics
Figure 40
It displays statistics information of IPv6 packets.
41/328
1.3. Switching Menu 1.3.1. Forwarding Database 1.3.1.1. Config
Figure 41
Forwarding Mode Set the switching method. Buffering Mode Set the mode of buffer control. When "max mode" is set, the buffer control mode of using maximum buffer will be used and it is possible that it will not operate according to the QoS operation settings. When "QoS mode" is set, the buffer control mode of using QoS priority will be used and the possibility of discarding frame becomes higher. Aging Interval Specify Age Out Time of MAC Address Learning Table within the range of 10~ 3500 seconds.
42/328
1.3.1.2. Search
Figure 42
It displays the contents of Learning Table. You can specify a certain part of MAC address, VLAN ID or port name to display. 1.3.1.3. Clear To delete the Forwarding Database.
1.3.2. Port 1.3.2.1. Config
Figure 43
Enable/Disable Port 43/328
Specify whether to use ether port. Link Aggregation Group Specify the group number of Link Aggregation group to be used. LACP Port Priority Specify the LACP Port Priority. When LACP is not used, this definition means nothing. Backup Group Specify the backup group number for using backup port. Set it as master port or backup port. Master Master Port Backup Backup Port STP Mode Specify whether to use STP. Even if "enable" is set here, this setting is invalid when the STP operation mode of this device is "disable". Flow Control Set the action of "send" and "receive" for the Flow Control Function. Egress Permission Set the port list where forwarding is permitted. If the ports specified in the port list are Link Aggregation ports or backup ports, forwarding will be permitted for all the ports in the Link Aggregation group or backup group. Start-up Link Status Set block state of the ports when the device starts or doing dynamic definition reflection. Link Recovery Limit Specify the limit of Link Down frequency. It is the upper limit for the corresponding port to enter block state. When the Link Down frequency reaches the limit, the port which displays in system log will enter the block state. Link Down Relay Set the list of the ports which will be relayed to Link Down(port block) when other ports Link Down. When the operation of Link Down Relay is done, it will be output in system log that the relayed port enters block state. In "Recovery Mode", the block release method can be set. It is used for the ports set in the relay port list information of the Link Down Relay function to be released from block state. When "Manual" is set as Recovery Mode, the relayed ports can be released from block state by the block release command or definition change. When "Auto" is set as Recovery Mode, besides block release command or definition change, the relayed ports can also be released from block state by Link Up of the ports set in the Link Down Relay function. In the case of "Auto" , when block release is done by Link Up, it will output to system log. In "Recovery Cause", specify block factor as the block release object of relay port list. When "Link Relay" is set, only the block factor of Link Down Relay function is the release object. When "All" is set, block release will be done for all block factors. In "Recovery Sync", the synchronization operation of the relay port list can be specified. When "Recovery Sync" is set as "Enable", by synchronization operation before the port link up, the relayed ports will stand by in block state by Link Down Relay. When "Recovery Sync" is set as "Disable", the synchronization operation will not be done. 44/328
ICMP Watching IP Address Please specify the destination IP address to monitor when using monitor function. ICMP ECHO packets will be sent from the ether port to the specified destination IP address, and existence can be confirmed by the response. Please do not set it as the IP address of the device itself. Please also confirm that the specified IP address is in the same subnet, or the monitor function may not operate normally. ICMP Watching Interval Specify the normal sending interval of ICMP ECHO packets within the range of 1 second ~ 60 seconds(1 minute). ICMP Watching Timeout Specify the timeout interval within the range of 5 seconds ~ 180 seconds(3 minutes). It is considered that monitor fails when reaching the timeout interval. ICMP Watching Retry When there is no response for the normal sending ICMP ECHO packets, the ICMP ECHO packets will be resent. Specify the resend interval within the range of 1 second ~ (ICMP Watching Timeout) - 1 seconds. Broadcast Storm Control Set the threshold of the traffic for broadcast storm. Set the data amount in 1 second within the range of 8Kbps~8Gbps. When the threshold is not set(text box is blank), the storm observation will not be done. Multicast Storm Control Set the threshold of the traffic for multicast storm. Set the data amount in 1 second within the range of 8Kbps~8Gbps. When the threshold is not set(text box is blank), the storm observation will not be done. Storm Control Action Specify the action when broadcast/multicast storm occurs. Link down Block the port Discard Discard the data that surpasses threshold Output Rate Control The output rate is set by the unit of bps. The actual operation for the device is controlled by the value rounded down to the unit of 1/256 of 10Gbps (About 40Mbps). LLDP Notification Trap Set whether to send SNMP Notification Trap when LLDP information is changed. IEEE802.1Q Tunneling Mode Select whether to use IEEE802.1Q Tunneling. Even if "Enable" is set here, this setting is invalid when the IEEE802.1Q Tunneling mode of this device is "Disable". MAC Learning Set the mac learning. Converged Enhanced Ethernet mode Select whether to use Converged Enhanced Ethernet. Priority group Set the Priority group number. Weight Set the Weight within the range of 1~100. Priority-based Flow Control 45/328
Select whether to use Priority-based Flow Control. Priority map Set Priority group to each priority. Buffer optimization mode Select whether to enable the buffer optimization appropriate for the situation where PFC enabled traffic is excessively congested. FCoE Priority Set the priority of FCoE. FCoE use Select whether to use FCoE. iSCSI-Priority Set the priority of iSCSI. iSCSI use Select whether to use iSCSI. Caution: - If total weight exceeds 100, Converged Enhanced Ethernet is invalid. - If more than 1 Priority-based Flow Control exist, port is disabled. - If Converged Enhanced Ethernet mode is "Disable" even if Priority group and Priority map are set, Converged Enhanced Ethernet is invalid. - If Priority group, Weight or Priority map is not set even if Converged Enhanced Ethernet mode is "Enable", Converged Enhanced Ethernet is invalid. 1.3.2.2. Summary
Figure 44
It displays the port information simply.
46/328
1.3.2.3. Mirroring
Figure 45
Target Port Set the target port number. Source Port Set the source port number in decimal number. If you want to specify two or more ports, delimit them by ","(comma). Source Link Aggregation Group Set the source Link Aggregation Group number in decimal number. If you want to specify two or more Link Aggregation Groups, delimit them by ","(comma).
1.3.3. VLAN 1.3.3.1. Config
Figure 46
47/328
VLAN ID and Name Select existing VLAN or newly created VLAN. Select "Create" to create a new one. However, if "Create" is selected but the port belongs to the new VLAN is not set, the VLAN will not be created. VLAN ID Specify VLAN ID within the range of 1~4094 in decimal number. VLAN Name Specify VLAN name with no more than 32 ASCII characters within the range of 0x21,0x23 ~ 0x7e. VLAN Type It displays VLAN type. The contents are as follows. Default It displays "Default" when VLAN ID is 1. Static It displays "Static" for defined VLAN. Participation It is set whether each port belongs to current VLAN or not. Include The corresponding port belongs to the VLAN. Exclude The corresponding port does not belong to the VLAN. And if there is no corresponding port which belongs to the VLAN, the VLAN will be deleted. Tagging Set the tag of each port. Tagged Add tag to the corresponding port. Untagged Remove tag from the corresponding port. 1.3.3.2. Status
Figure 47
VLAN ID It displays VLAN ID. VLAN Name It displays VLAN NAME. 48/328
VLAN Type It displays VLAN type. The contents are as follows. Default It displays "Default" when VLAN ID is 1. Static It displays "Static" for defined VLAN. Slot/Port It displays the ports which belong to the corresponding VLAN. 1.3.3.3. Forward Database Config
Figure 48
VLAN ID Specify VLAN ID within the range of 1 ~ 4094 in decimal number. MAC Address Set the destination MAC address. Specify it in the format of xx:xx:xx:xx:xx:xx(xx is hexadecimal of 2 digits). 00:00:00:00:00:00, broadcast or multicast can not be specified. Slot/Port Select the corresponding port for the destination MAC address. If the selected port is a Link Aggregation member port, the settings are effective for the Link Aggregation Group. If the selected port is a Backup port, the settings are effective for the working port of the Backup Port Group.
49/328
1.3.3.4. Forward Database Summary
Figure 49
It displays the contents of VLAN forward database. VLANID Number MAC Address Slot/Port
VLANID Destination MAC Address number Destination MAC Address Corresponding forwarding port
1.3.3.5. Reset Config Exercising this function will cause all VLAN configuration parameters to be reset to their default values.
1.3.4. Protocol-based VLAN Config 1.3.4.1. Config
Figure 50
VLAN ID and Name
50/328
Select existing protocol VLAN or newly created protocol VLAN. Select "Create" to create a new one. VLAN Name Specify VLAN name of protocol VLAN with no more than 32 ASCII characters within the range of 0x21,0x23 ~ 0x7e. VLAN ID Specify VLAN ID of protocol VLAN within the range of 2 ~ 4094 in decimal number. Protocol IPv4 Specify it as IPv4 protocol. It is the packets of EthernetII Ethertype=0800,0806,8035. IPv6 Specify it as IPv6 protocol. It is the packets of EthernetII Ethertype=86dd.
51/328
1.3.4.2. Summary VLAN Name It displays VLAN name of protocol VLAN. VLAN ID It displays VLAN ID of protocol VLAN. Protocol IPv4 It is specified as IPv4 protocol. It is the packets of EthernetII Ethertype=0800,0806,8035. IPv6 It is specified as IPv6 protocol. It is the packets of EthernetII Ethertype=86dd.
52/328
1.3.5. GVRP 1.3.5.1. GVRP - Global Config
Figure 51
GVRP Mode Specify whether to use GVRP on this device. - Disable GVRP is not to be used on this device. - Enable GVRP is to be used on this device. 1.3.5.2. GVRP - Port Config
Figure 52
GVRP Mode Specify whether to use GVRP on this port. - Disable GVRP is not to be used on this device. - Enable GVRP is to be used on this device. Registration Specify Registrar Administrative Control value of GVRP on this port. - Normal Specify Registrar as Normal Registration on this port. The Registrar responds normally to incoming GVRP messages. Dynamic VLAN can be added or deleted on this port. Static VLAN can not be configured through CLI command on this port. - Fixed Specify Registrar as Registration Fixed on this port. The Registrar transmit GVRP messages, but Dynamic VLAN can not be added or deleted on this port. 53/328
Dynamic VLANs which have been configed on this port must be deleted. Static VLAN can be configed through CLI command on this port. - Forbidden Specify Registrar as Registration Forbidden on this port. The Registrar transmit GVRP messages, but Dynamic VLAN can not be added or deleted on this port. Dynamic VLANs and static VLANs (exclude default VLAN) which have been configed on this port must be deleted. Static VLAN can not be configed through CLI command on this port. Join Time Specify interval between transmitting of GVRP messages, within the range of 20 centiseconds to 16375 centiseconds. Default value is 20 centiseconds. If not set, default value will be used. Leave Time Specify the time to wait after receiving an unregister request for a VLAN before deleting the associated entry, within the range of 45 centiseconds to 32760 centiseconds. Default value is 60 centiseconds. If not set, default value will be used. Leaveall Time The Leave All Time controls how frequently LeaveAll PDUs are generated. A LeaveAll PDU indicates that all registrations will shortly be deregistered. Participants will need to rejoin in order to maintain registration. Specify GVRP leaveall timer within the range of 50 centiseconds to 32765 centiseconds. Default value is 1000 centiseconds. If not set, default value will be used.
54/328
1.3.5.3. GVRP - Port Status
Figure 53
If GVRP is enabled, GVRP information will be displayed here. Port Port number. Gvrp GVRP is enabled or disabled on this port. Regist Registrar Administrative Control value of GVRP on this port. join timer The time between the transmission of GARP PDUs registering (or re-registering) membership for a VLAN. leave timer The time to wait after receiving an unregister request for a VLAN before deleting the associated entry. leaveall timer The Leave All Time controls how frequently LeaveAll PDUs are generated. A LeaveAll PDU indicates that all registrations will shortly be deregistered. Participants will need to rejoin in order to maintain registration. Vlan Dynamic VLAN registered by GVRP.
55/328
1.3.5.4. GVRP - Port Statistics
Figure 54
It displays the statistics of received and sent GVRP BPDU of the port which is selected.
1.3.5.5. GVRP – Clear Statistics GVRP statistics of all ports will be cleared when "clear" button be clicked.
56/328
1.3.6. GMRP 1.3.6.1. GMRP - Global Config
Figure 55
GMRP Mode Specify whether to use GMRP on this device. - Disable GMRP is not to be used on this device. - Enable GMRP is to be used on this device.
1.3.6.2. GMRP – Port Config
Figure 56
GMRP Mode Specify whether to use GMRP on this port. - Disable GMRP is not to be used on this port. - Enable GMRP is to be used on this port. Forward All Specify whether to forward all multicast packets through this port when GMRP is used on this device. Please set Forward All option as Enable when the port is connected to multicast router. Join Time Specify interval between transmitting of GMRP messages, within the range of 20 centiseconds to 16375 centiseconds. Default value is 20 centiseconds. If not set, default value will be used. Leave Time 57/328
Specify the time to wait after receiving an unregister request for a multicast MAC address before deleting the associated entry, within the range of 45 centiseconds to 32760 centiseconds. Default value is 60 centiseconds. If not set, default value will be used. Leaveall Time The Leave All Time controls how frequently LeaveAll PDUs are generated. A LeaveAll PDU indicates that all registrations will shortly be deregistered. Participants will need to rejoin in order to maintain registration. Specify GMRP leaveall timer within the range of 50 centiseconds to 32765 centiseconds. Default value is 1000 centiseconds. If not set, default value will be used. 1.3.6.3. GMRP – Port Status
Figure 57
If GMRP is enabled, GMRP information will be displayed here. Port Port number. Gmrp GMRP is enabled or disabled on this port. forward-all Forward all option is enabled or disabled on this port. join timer The time between the transmission of GARP PDUs registering (or re-registering) membership for a multicast MAC address. leave timer
58/328
The time to wait after receiving an unregister request for a multicast MAC address before deleting the associated entry. leaveall timer The Leave All Time controls how frequently LeaveAll PDUs are generated. A LeaveAll PDU indicates that all registrations will shortly be deregistered. Participants will need to rejoin in order to maintain registration. 1.3.6.4. GMRP – GMRP Registration Table
Figure 58
It displays multicast MAC address registered by GMRP and the corresponding port for each multicast MAC address.
1.3.6.5. GMRP – Port Statistics
Figure 59
It displays the statistics of received and sent GMRP BPDU of the port which is selected. 1.3.6.6. GMRP – Clear Statistics GMRP statistics of all ports will be cleared when "clear" button be clicked.
59/328
1.3.7. IGMP 1.3.7.1. IGMP Snooping – Config and Status
Figure 60
Admin Mode Specify the operation mode of IGMP Snoop Function. Enable Enable IGMP Snoop Function. Disable Disable IGMP Snoop Function. Local Multicast Group Set the action when receiving packets of Local Multicast Group. Auto Join Multicast packets of local group can be transferred when it is received. Watch Join When Membership Report of local group is received, it can be transferred. Flooding Multicast packets of local group can be transferred.
60/328
1.3.7.2. IGMP Snooping – VLAN Config
Figure 61
VLAN ID Specify VLAN ID within the range of 1 ~ 4094 in decimal number. Multicast Router Port Specify the judging method of Multicast Router Port. Auto Multicast Router Port is judged dynamically. Yes Multicast Router Port is specified statically. Only the specified port is set as router port. 1.3.7.3. Snooping Querier – VLAN Config
Figure 62
61/328
VLAN ID Specify VLAN ID within the range of 1 ~ 4094 in decimal number. Querier Specify the operation mode of querier. Enable Operates as querier when multicast router does not exist. Disable Do not operate as querier regardless of the existence of multicast router. IP Address Specify the source IP address for using IGMP snoop. The IP address set here will be set as source address in the IGMP packets sent from this device. The valid range is as follows. 0.0.0.0 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IGMP Proxy Specify the mode of sending IGMP proxy response. Disable IGMP proxy response will not be sent. Enable IGMP proxy response will be sent. Please specify it as "Disable" when the device using IGMP V1 exists. If querier operation mode is disabled, when multicast router does not exist, multicast transfer will be stopped.
1.3.7.4. Snooping Querier – VLAN Status It displays the information of IGMP snoop port.
62/328
1.3.8. MLD 1.3.8.1. MLD Snooping – Config and Status
Figure 63
Admin Mode Specify the operation mode of MLD Snoop Function. Enable Enable MLD Snoop Function. Disable Disable MLD Snoop Function. Local Multicast Group Set the action when receiving packets of Local Multicast Group. Flooding Multicast packets of local group can be transferred. Watch Join When Membership Report of local group is received, it can be transferred. 1.3.8.2. MLD Snooping – VLAN Config
Figure 64
63/328
VLAN ID Specify VLAN ID within the range of 1 ~ 4094 in decimal number. Multicast Router Port Specify the judging method of Multicast Router Port. Auto Multicast Router Port is judged dynamically. Yes Multicast Router Port is specified statically. Only the specified port is set as router port. 1.3.8.3. Snooping Querier – VLAN Config
Figure 65
VLAN ID Specify VLAN ID within the range of 1 ~ 4094 in decimal number. Querier Specify the operation mode of querier. Enable Operates as querier when multicast router does not exist. Disable Do not operate as querier regardless of the existence of multicast router. IP Address Specify the source IP address for using MLD snoop. The IP address set here will be set as source address in the MLD packets sent from this device. The valid range is as follows. FE80::/10 ... Link-Local Unicast address MLD Proxy Specify the mode of sending MLD proxy response. Disable MLD proxy response will not be sent. Enable MLD proxy response will be sent. 64/328
If querier operation mode is disabled, when multicast router does not exist, multicast transfer will be stopped. 1.3.8.4. Snooping Querier – VLAN Status It displays the information of MLD snoop port.
1.3.9. Multicast Forwarding Database 1.3.9.1. IGMP – IGMP Snooping Table It displays the multicast listener information of IGMP Snoop. 1.3.9.2. IGMP – IGMP Statistics It displays the statistics information of IGMP Snoop. 1.3.9.3. MLD – MLD Snooping Table It displays the multicast listener information of MLD Snoop. 1.3.9.4. MLD – MLD Statistics It displays the statistics information of MLD Snoop.
1.3.10. Link Aggregation 1.3.10.1.LACP Config
Figure 66
System Priority Set the LACP system priority. The Link Aggregation Group will exchange information with other Link Aggregation Group, then use the system priority to decide which one has higher priority. When they have the same system priority, the one with smaller system ID(Designated MAC Address + 1) has higher priority. When LACP is not used, this definition is meaningless. BPDU Mode 65/328
Set whether to transfer BPDU frame when LACP function is ineffective. Enable Set as BPDU transfer mode. Disable Set as BPDU discard mode. When Link Aggregation has been set in the device, BPDU frame will not be transferred. 1.3.10.2.Group Config
Figure 67
Group Set the Link Aggregation group id. Algorithm Specify the load-balance algorithm. Source MAC Address Divide by source MAC address Destination MAC Address Divide by destination MAC address Both MAC Address Divide by both source and destination MAC address Source IP Address Divide by source IP address Destination IP Address Divide by destination IP address Both IP Address Divide by XOR of source and destination IP address Received Ethernet Port Divide by received Ethernet port Mode Set the operation mode of Link Aggregation. When "Static" is set, it will compose the static Link Aggregation without using LACP. When "Active" or "Passive" is set, it is the dynamic Link Aggregation using LACP. In the "Active" mode, the LACPDU periodical transmission to remote LACP device will start voluntarily. In the "Passive" mode, as long as LACPDU is not received from remote LACP, LACPDU periodical transmission will not be done. In other words, Link Aggregation is not composed when both devices are in "Passive" mode. 66/328
Backup Group Specify the backup group number for using backup Link Aggregation. Set it as master port or backup port. Master Master Port Backup Backup Port Minimum Link Set the Minimum number of member ports for Link Aggregation communication within the range of 1 ~ 10 in decimal number. If the number of ports united by Link Aggregation is less than the specified Minimum Link, communication can not be done in the Link Aggregation. And when the number of member ports falls below the specified Minimum Link because of trouble, etc, communication can not be done in the Link Aggregation. Link Down Relay Set the list of the ports which will be relayed to Link Down(port block) when Link Aggregation is down. When the operation of Link Down Relay is done, it will be output in system log that the relayed port enters block state. In "Recovery Mode", the block release method can be set. It is used for the ports set in the relay port list information of the Link Down Relay function to be released from block state. When "Manual" is set as Recovery Mode, the relayed ports can be released from block state by the block release command or definition change. When "Auto" is set as Recovery Mode, besides block release command or definition change, the relayed ports can also be released from block state by Link Up of the ports set in the Link Down Relay function. In the case of "Auto" , when block release is done by Link Up, it will output to system log. In "Recovery Cause", specify block factor as the block release object of relay port list. When "Link Relay" is set, only the block factor of Link Down Relay function is the release object. When "All" is set, block release will be done for all block factors. In "Recovery Sync", the synchronization operation of the relay port list can be specified. When "Recovery Sync" is set as "Enable", by synchronization operation before the port link up, the relayed ports will stand by in block state by Link Down Relay. When "Recovery Sync" is set as "Disable", the synchronization operation will not be done. ICMP Watching IP Address Please specify the destination IP address to monitor when using monitor function. ICMP ECHO packets will be sent from the ether port to the specified destination IP address, and existence can be confirmed by the response. Please do not set it as the IP address of the device itself. Please also confirm that the specified IP address is in the same subnet, or the monitor function may not operate normally. ICMP Watching Interval Specify the normal sending interval of ICMP ECHO packets within the range of 1 second ~ 60 seconds(1 minute). ICMP Watching Timeout Specify the timeout interval within the range of 5 seconds ~ 180 seconds(3 minutes). It is considered that monitor fails when reaching the timeout interval. ICMP Watching Retry 67/328
When there is no response for the normal sending ICMP ECHO packets, the ICMP ECHO packets will be resent. Specify the resend interval within the range of 1 second ~ (ICMP Watching Timeout) - 1 seconds. Converged Enhanced Ethernet mode Select whether to use Converged Enhanced Ethernet. Priority group Set the Priority group number. Weight Set the Weight within the range of 1-100. Priority-based Flow Control Select whether to use Priority-based Flow Control. Priority map Set Priority group to each priority. Buffer optimization mode Select whether to enable the buffer optimization appropriate for the situation where PFC enabled traffic is excessively congested. FCoE Priority Set the priority of FCoE. FCoE use Select whether to use FCoE. iSCSI-Priority Set the priority of iSCSI. iSCSI use Select whether to use iSCSI.
Caution: - If total weight exceeds 100, Converged Enhanced Ethernet is invalid. - If more than 1 Priority-based Flow Control exist, port is disabled. - If Converged Enhanced Ethernet mode is "Disable" even if Priority group and Priority map are set, Converged Enhanced Ethernet is invalid. - If Priority group, Weight or Priority map is not set even if Converged Enhanced Ethernet mode is "Enable", Converged Enhanced Ethernet is invalid.
68/328
1.3.11. Spanning Tree 1.3.11.1.Switch Config/Status
Figure 68
Spanning Tree Mode Set the operation mode of Spanning Tree Protocol. Disable Select it when not using STP. STP Select it when using STP(802.1d). RSTP Select it when using RSTP(802.1w). MSTP Select it when using MSTP(802.1s). Spanning Tree Forward BPDU Set whether to forward BPDU frame when STP function is disabled. Region Name Set the MST region name of MST Structure Information. It is effective only for the MSTP operation mode. Revision Level Set the revision level of MST Structure Information. It is effective only for the MSTP operation mode. Spanning Tree Maximum Hops It displays valid hop count of the BPDU sent by Root Bridge. It is effective only for the MSTP operation mode. If hop count of the received BPDU is 0, it starts to send BPDU set with maximum hop count and this device operates as the Root Bridge of itself. The hop count will be subtracted each time it passed neighbor device. So if this device has Root Bridge and hop count is set as 1, Spanning Tree can be made only between this device and neighbor device. 1.3.11.2.CST 69/328
Figure 69
Bridge Priority Specify the priority of this device in bridge network in decimal number within the range of 0 ~ 61440. The smaller value has higher priority. Please specify the value which can be divided by 4096(valid values). Valid Values: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440 If the values other than the valid values are specified, the setting is ineffective. Bridge Max Age (secs) Specify the effective period of the BPDU information sent from Root Bridge within the range of 6 seconds ~ 40 seconds. Bridge Max Age will be checked with Bridge Hello Time and Bridge Forward Delay, the rules are as follows. Check with Bridge Forward Delay Bridge Max Age <= 2 × (Bridge Forward Delay - 1 second) Check with Bridge Hello Time Bridge Max Age >= 2 × (Bridge Hello Time + 1 second) If any one of the above rules is not matched, it becomes invalid definition and the settings of Bridge Max Age, Bridge Hello Time and Bridge Forward Delay become invalid. Bridge Hello Time (secs) Specify the sending interval of BPDU Structure Information when this device becomes Root Bridge within the range of 1 second ~ 10 seconds. If this device is not Root Bridge, the setting is ineffective. Bridge Forward Delay (secs) Set the maximum forward delay within the range of 4 seconds ~ 30 seconds. If this device is not Root Bridge, the setting is ineffective. Bridge ID It displays the Spanning Tree Bridge information of self device. Priority 70/328
It displays the bridge priority which is used to identify the bridge of this device. Address It displays the MAC address which is used to identify the bridge of this device. Hello Time It displays the sending interval(seconds) of BPDU Structure Information. Max Age It displays the maximum meeting time(seconds) of BPDU Structure Information. Forward Delay It displays the maximum forward delay time(seconds). BPDU Mode It displays BPDU Forwarding function(on/off). STP Mode It displays STP operation mode(disable/stp/rstp/mstp). Root ID It displays Spanning Tree information of Root Bridge. Priority It displays priority of Root Bridge. Address It displays MAC address of Root Bridge. Cost It displays the path cost value to Root Bridge. Port It displays interface name of root port. It displays as follows when this device is Root Bridge. Port 0 (This bridge is the root) Hello Time It displays the sending interval(seconds) of BPDU Structure Information. Max Age It displays the maximum meeting time(seconds) of BPDU Structure Information. Forward Delay It displays the maximum forward delay time(seconds).
71/328
1.3.11.3.MST
Figure 70
MST Select instance ID. Priority Specify the priority of bridge used in algorithm to decide the Root Bridge. Please specify the minimum value to set the bridge as Root Bridge. Please specify the value which can be divided by 4096(valid values). Valid Values: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440 If the values other than the valid values are specified, the setting is ineffective. VLAN ID Specify the VLAN ID allocated to MSTP instance within the range of 1 ~ 4094 in decimal number. If you want to set two or more VLAN ID, delimit them by ","(comma). If you want to set consecutive numbers, delimit them by "-"(hyphen)(Example:"1-10,100,200"). MSTP Configuration Information It displays detail information of Spanning Tree of the instance. Region Name It displays Region Name. Revision Level It displays Revision Level. Instance ID It displays Instance ID. Vlans It displays Vlan ID which belongs to the instance. Root ID It displays Spanning Tree information of Root Bridge. 72/328
Priority It displays priority of Root Bridge. Address It displays MAC address of Root Bridge. Cost It displays the path cost value to Root Bridge. Port It displays interface name of root port. It displays as follows when this device is Root Bridge. Port 0 (This bridge is the root) Hello Time It displays the sending interval(seconds) of BPDU Structure Information. Max Age It displays the maximum meeting time(seconds) of BPDU Structure Information. Forward Delay It displays the maximum forward delay time(seconds). Remaining Hops It displays remaining hop count from Root Bridge. Bridge ID It displays the Spanning Tree Bridge information of self device. Priority It displays the bridge priority which is used to identify the bridge of this device. Address It displays the MAC address which is used to identify the bridge of this device. Hello Time It displays the sending interval(seconds) of BPDU Structure Information. Max Age It displays the maximum meeting time(seconds) of BPDU Structure Information. Forward Delay It displays the maximum forward delay time(seconds). Hop count It displays the hop count of maximum forward delay. BPDU Mode It displays BPDU Forwarding function(on/off). STP Mode It displays STP operation mode(disable/stp/rstp/mstp). Interface It only displays the interface in action. Port ID It displays the port ID of the specified instance and the port ID of the designated bridge of the specified instance. Cost It displays path cost (it displays "*" behind numbers when calculated automatically) of the port of the specified instance and the designated path cost of the BPDU of specified instance. Status It displays port state with one of the follows. Disabled STP is disabled 73/328
Discarding Blocking Listening Learning Forwarding
Discarding State Blocking State Listening State Learning State Forwarding State
(Role) It displays port role state with one of the follows. Disabled STP is disabled Root Root Port Designated Designated Port Blocking Blocking Port Alternate Alternate Port Backup Backup Port Enable It displays the operation state of port(displays as "*" when effective). Designated Bridge ID It displays designated Bridge ID(priority and MAC address) of specified instance. 1.3.11.4.CST Port
Figure 71
Port Priority Set the priority of the port. Please specify the value which can be divided by 16.(valid value) Valid Values: 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, 240 If the values other than the valid values are specified, the setting is ineffective. Port Path Cost 74/328
Set the path cost of the STP port. Specify the path cost within the range of 1 ~ 200000000 in decimal number. When "auto" is set, the cost is decided automatically. Port STP Mode Set the STP operation mode of port. When the device is in MSTP(STP version(3)) operation mode, it can operate in STP/RSTP/MSTP. When the device is in RSTP(STP version(2)) operation mode, it can operate in STP/RSTP. When the device is in STP(STP version(0)) operation mode, it can operate in STP. When it is set other than the possible operation mode, the setting is ineffective. STP Port Information It displays Spanning Tree Information of port. 1.3.11.5.MST Port
Figure 72
Port Priority Set the priority of the port. Please specify the value which can be divided by 16.(valid value) Valid Values: 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, 240 If the values other than the valid values are specified, the setting is ineffective. Port Path Cost Set the path cost of the STP port. Specify the path cost within the range of 1 ~ 200000000 in decimal number. When "auto" is set, the cost is decided automatically. MSTP Configuration Information It displays Spanning Tree Information of instance.
75/328
1.3.11.6.Statistics
Figure 73
BPDU statistics It displays the statistics of received and sent BPDU.
76/328
1.3.12. Port Backup 1.3.12.1.Configuration
Figure 74
Group ID Set the backup group id. Group Mode Set the method for selecting the port to use when both ports can be used. Master Make use of the master port in preference. Earlier Make use of the port which is link up (become usable) first. Standby Mode Set the standby state of the backup ports. Link Up The backup port will standby in link up state. Link Down The backup port will be link down to standby. Change Notify Use this field to configure change notify. 1.3.12.2.Status
Figure 75
It displays the information of the ports
77/328
1.3.13. IEEE802.1Q Tunneling 1.3.13.1.IEEE802.1Q Tunneling Configuration
Figure 76
Select whether to use IEEE802.1Q Tunneling. If "Enable" is selected, the IEEE802.1Q Tunneling will be done. If "Disable" is selected,the IEEE802.1Q Tunneling will not be done. Caution: - Even if "Enable" is selected here, IEEE802.1Q Tunneling will be disabled if IEEE802.1Q Tunneling Mode is set as "Disable" in IEEE802.1Q Tunneling Mode of [Switching]-[Port]-[Config].
78/328
1.3.14. MAC Filter 1.3.14.1.Config
Figure 77
Filter Address Set the MAC Filtering. The filtering operation specified in "Action" will be done to the packets corresponding to the MAC address, VLAN ID, IP, ICMP, TCP or UDP definition of the specified Access Control List. 1.3.14.2.IPv6 Config
Figure 78
IPv6 Filter Address Set the IPv6 Filtering.
79/328
The filtering operation specified in "Action" will be done to the packets corresponding to the MAC address, VLAN ID, IPv6, ICMP, TCP or UDP definition of the specified Access Control List.
80/328
1.4. Security Menu 1.4.1. Port Access Control 1.4.1.1. Config – IEEE802.1X
Figure 79
IEEE802.1X Authentication Select whether to use IEEE802.1X authentication for the device. If "Use" is selected, the IEEE802.1X authentication of the transmission source terminal will be done. If the result of the terminal authentication is success, the packets will be relayed; otherwise the packets will be discarded. If "Disuse" is selected, the IEEE802.1X authentication will not be done. Caution: - Even if "Use" is selected here, IEEE802.1X authentication will be disabled if IEEE802.1X Authentication is set as "Disuse" in IEEE802.1X of [Security]-[Port Access Control]-[Port Config]. Authentication Method Select the system default authentication unit as the authentication method. Caution: - When "Each Port" is selected as the authentication method, if one terminal (Supplicant) connected to that port has been successfully authenticated, all the access from other terminals connected to the same port will be passed. - When the port in which WEB Authentication or MAC Address Authentication is also enabled exists, please set the same Authentication Method for all the authentication function. EAPOL Transfer Mode Select the transfer mode of EAPOL frames which is used for IEEE802.1X authentication. Transmit When EAPOL frames are received, the frames will be transmitted to the ports with the same VLAN ID as the "untagged" VLAN ID set in the port where the frames are received. Don't Transmit 81/328
EAPOL frames are not transmitted. Caution: - EAPOL frame is forbidden to be transmitted in IEEE 802.1D. - EAPOL frame can not be transmitted when IEEE802.1X authentication is used. Please don't select "Transmit". 1.4.1.2. Config – Web Authentication
Figure 80
Authentication Function Select whether to use Web authentication for the device. If "Use" is selected, the authentication will be done for the terminals where Web browser is used and only the communication of the successfully authenticated terminal is allowed. If "Disuse" is selected, Web authentication will not be done. Caution: - Even if "Use" is selected here, WEB authentication will be disabled in the port where Web Authentication is set as "Disuse" in Web Authentication of [Security]-[Port Access Control]-[Port Config]. Authentication Protocol Select authentication protocol of Web authentication.
82/328
1.4.1.3. Config – MAC Address Authentication
Figure 81
Authentication Function Select whether to use MAC address authentication for the device. If "Use" is selected, the MAC address authentication of the transmission source terminal will be done. If the result of the MAC address authentication is success, the packets will be relayed; otherwise the packets will be discarded. If "Disuse" is selected, the MAC address authentication will not be done. Caution: - Even if "Use" is selected here, MAC address authentication will be disabled if MAC Address Authentication is set as "Disuse" in MAC Address Authentication of [Security]-[Port Access Control]-[Port Config]. Password Specify the authentication password used for MAC address authentication. Specify it with a string composed of 0x21, 0x23~0x7e within 128 characters. If it is omitted, the MAC address of authentication terminal will be used as password. Confirm Password Specify the password above once more. Authentication Protocol Select authentication protocol of MAC address authentication.
83/328
1.4.1.4. Port Config – IEEE802.1X
Figure 82
IEEE802.1X Authentication Select whether to use IEEE802.1X authentication. If "Use" is selected, IEEE802.1X authentication of the source terminal of packets will be done. If the result is success, the packets will be relayed; otherwise the packets will be discarded. For the port where "Disuse" is selected, IEEE802.1X authentication will not be done. Even if "Use" is selected here, IEEE802.1X authentication will be disabled if authentication function is set as "Disuse" for the device. Authentication Method Select the system default authentication unit as the authentication method. When "Each Port" is selected as the authentication method, if one terminal (Supplicant) connected to that port has been successfully authenticated, all the access from other terminals connected to the same port will be passed. When the port in which WEB Authentication or MAC Address Authentication is also enabled exists, please set the same authentication method for all the authentication function. AAA Group Specify AAA group ID within the range of 0 ~ 9 in decimal number used as reference when doing IEEE802.1X authentication. Default VLAN ID Specify default VLAN ID allocated to supplicant when the result of IEEE802.1X authentication is success. If VLAN ID allocated to terminal (Supplicant) is notified from AAA/RADIUS server, the VLAN ID notified from AAA/RADIUS server will be allocated instead of the VLAN ID defined here. Please make sure that the interface with the same VLAN ID set here needs to be set to other ports. If the interface with the same VLAN ID does not exist, authentication fails regardless of the authentication result. Wakeup On LAN Packet Mode Set forward mode of Wake On LAN packet. Only the Wake On LAN packet to Directed Broadcast Address can be forwarded. 84/328
EAPOL MAC Address Set the permitted destination MAC address of EAPOL frame. Quiet Period Set the time it waits to begin re-authentication after first authentication of the terminal(Supplicant) failed. Set it within the range of 0 ~ 600 seconds. If 0 second is specified, after first authentication failed, authentication will not be restrained and it will access second authentication request immediately. Transmit Period Set the sending interval of user ID request within the range of 1 ~ 600 seconds. Supplicant Timeout Set the waiting time for EAP response from terminal(Supplicant) within the range of 1 ~ 600 seconds. Maximum Requests Specify the EAP resending count when EAP response is not received. Specify the count within the range of 1 ~ 10. Reauthentication Period Specify the re-authentication interval for terminal(Supplicant) within the range of 15 seconds ~ 18000 seconds. If 0 is specified, the re-authentication will not be done. 1.4.1.5. Port Config – Web Authentication
Figure 83
Web Authentication Select whether to use Web authentication. If "Use" is selected, WEB authentication of the terminal using WEB browser will be done, only the terminal whose authentication result is success is permitted to do communication. For the port where "Disuse" is selected, WEB authentication will not be done. Even if "Use" is selected here, WEB authentication will be disabled if authentication function is set as "Disuse" for the device. Authentication Method Select the system default authentication unit as the authentication method. 85/328
When "Each Port" is selected as the authentication method, if one terminal (Supplicant) connected to that port has been successfully authenticated, all the access from other terminals connected to the same port will be passed. When the port in which IEEE802.1X Authentication or MAC Address Authentication is also enabled exists, please set the same authentication method for all the authentication function. AAA Group Specify AAA group ID within the range of 0 ~ 9 in decimal number used as reference when doing WEB authentication. Default VLAN ID Specify default VLAN ID allocated to supplicant when the result of WEB authentication is success. If VLAN ID allocated to terminal (Supplicant) is notified from AAA/RADIUS server, the VLAN ID notified from AAA/RADIUS server will be allocated instead of the VLAN ID defined here. Please make sure that the interface with the same VLAN ID set here needs to be set to other ports. If the interface with the same VLAN ID does not exist, authentication fails regardless of the authentication result. Wakeup On LAN Packet Mode Set forward mode of Wake On LAN packet. Only the Wake On LAN packet to Directed Broadcast Address can be forwarded. Web Authentication Auto Logout Specify the valid time for Web authentication. If "Absolute" is selected, after authentication is done, the authentication will be released after the specified time (time unit is minute). If "Disable" is selected, Web authentication will not be released. Because it checks for Web authentication auto logout time every 30 seconds, the maximum difference with the real Web authentication auto logout time is 30 seconds. If physical port of this device is connected to switching HUB, etc, and two or more terminals are authenticated at one physical port, please set the Web authentication auto logout time. If "Disable"(not to release WEB authentication) is selected here, unless Link Down occurs at the physical port where authentication has completed for authenticated terminal, it can not access network through this device if the terminal is moved to other physical ports of this device. After authentication is released according to the settings of the Web authentication auto logout time, please connect the terminal to other physical ports of this device. If the terminal is connected to other physical ports of this device before authentication is released, it can not access network through this device until the authentication is released, or it needs to re-acquire the IP address of the connected terminal. Authenticated Terminal Set the terminal which is permitted to do communication without WEB authentication. If "Disuse" is selected for "Web Authentication" or "Each Port" is selected for "Authentication Method", the settings here are ineffective. 00:00:00:00:00:00, broadcast or multicast can not be specified in MAC Address. If the VLAN specified by VLAN ID is unregistered, the settings are ineffective. The same address can not be registered to two or more ports. It is possible that the specified Authenticated Terminal can not do communication normally when it is connected to other ports.
86/328
1.4.1.6. Port Config – MAC Address Authentication
Figure 84
MAC Address Authentication Select whether to use MAC Address authentication. If "Use" is selected, MAC address authentication of the source terminal of packets will be done. If it has the authenticated MAC address, the packets will be relayed; otherwise the packets will be discarded. For the port where "Disuse" is selected, MAC address authentication will not be done. Even if "Use" is selected here, MAC address authentication will be disabled if authentication function is set as "Disuse" for the device. Authentication Method Select the system default authentication unit as the authentication method. When "Each Port" is selected as the authentication method, if one terminal (Supplicant) connected to that port has been successfully authenticated, all the access from other terminals connected to the same port will be passed. When the port in which IEEE802.1X Authentication or WEB Authentication is also enabled exists, please set the same authentication method for all the authentication function. AAA Group Specify AAA group ID within the range of 0 ~ 9 in decimal number used as reference when doing MAC address authentication. Default VLAN ID Specify default VLAN ID allocated to supplicant when the result of MAC address authentication is success. If VLAN ID allocated to terminal (Supplicant) is notified from AAA/RADIUS server, the VLAN ID notified from AAA/RADIUS server will be allocated instead of the VLAN ID defined here. Please make sure that the interface with the same VLAN ID set here needs to be set to other ports. If the interface with the same VLAN ID does not exist, authentication fails regardless of the authentication result. Wakeup On LAN Packet Mode Set forward mode of Wake On LAN packet. Only the Wake On LAN packet to Directed Broadcast Address can be forwarded. 87/328
Authentication Result Hold Time Specify the result hold time of MAC address authentication. The re-authentication of successfully authenticated terminal will be done after the time specified in "Success" passed. The re-authentication of authentication failed terminal will not be done until the time specified in "Failure" passed. Because it checks for authentication result hold time every 30 seconds, the maximum difference with the real authentication result hold time is 30 seconds. Authenticated Terminal Set the terminal which is permitted to do communication without MAC address authentication. If "Disuse" is selected for "MAC Address Authentication" or "Each Port" is selected for "Authentication Method", the settings here are ineffective. 00:00:00:00:00:00, broadcast or multicast can not be specified in MAC Address. If the VLAN specified by VLAN ID is unregistered, the settings are ineffective. The same address can not be registered to two or more ports. It is possible that the specified Authenticated Terminal can not do communication normally when it is connected to other ports. 1.4.1.7. Port Status – IEEE802.1X
Figure 85
It displays authentication information, including user name, authentication method, authentication state and statistics of authenticated successfully terminal(Supplicant). Port Port Number User User Name EAP-Type Authentication method Authentication Authentication State -
Means that the port has not been set or is not connected.
Authenticating In authentication processing Authenticated Authentication Complete 88/328
Failure OK times NG times Status
Authentication Failed
Success times of Authentication Failure times of Authentication Displays internal state of IEEE802.1X authentication. S0: Before Authentication State S1: In Authentication State S2: Charge Starting State S3: Normal State S4: Charge Stopping State
VLAN VLAN ID MAC address MAC address of terminal(Supplicant) Since Time when authentication succeeded(Not update when re-authentication) 1.4.1.8. Port Status – Web Authentication
Figure 86
It displays Web authentication state. PORT Physical port number USER User Name MAC Authentication terminal number and MAC address STATUS Web authentication status Displays as one of the follows. response Wait for authentication result after input ID and password idle Wait for ID and password of Web authentication success Web authentication succeed and VLAN ID has been allocated VLAN TYPE
VLAN ID Authentication method 89/328
Displays as one of the follows.
DATE
mac
Authenticate for each MAC address
port
Authenticate for each port
-
VLAN has not been set
Time when authentication succeeded
1.4.1.9. Port Status – MAC Address Authentication
Figure 87
It displays MAC address authentication state. Port Port number Mode Authentication method mac port
Authenticate for each MAC address Authenticate for each port
MAC Address MAC Address Status Authentication State idle response success permanent
No authentication terminal detected Wait for authentication result authentication succeed Authenticated Terminal authentication failed or surpass authentication limit failure times Note: Before authentication, it displays as "idle" VLAN Since
VLAN ID Time when authentication started, succeeded or failed 90/328
1.4.1.10.Port Summary – Authentication Information It displays successfully authenticated terminal information of each authentication function(IEEE802.1X authentication , WEB authentication , MAC address authentication). Port Port Number Mode Authentication Method(at first line of each port) mac port
Authenticate for each MAC address Authenticate for each port
MAC Address MAC Address Function successfully authenticated function dot1x webauth macauth
IEEE802.1X authentication Web authentication MAC address authentication
VLAN VLAN ID Note: For the port where successfully authenticated terminal does not exits, the items other than Port Number displays as "-".
91/328
1.4.1.11.Statistics – IEEE802.1X It displays statistics information of IEEE802.1X authentication. 1.4.1.12.Statistics – Web Authentication It displays statistics information of WEB authentication.
1.4.1.13.Statistics – MAC Address Authentication It displays statistics information of MAC address authentication.
1.4.2. RADIUS 1.4.2.1. Config
Figure 88
AAA Group ID Specify AAA group ID with the decimal number less than 10. Authentication Mode Specify whether to use RADIUS authentication function. Authentication Source IP Address Set self IP address used to communicate with the RADIUS authentication server. The valid ranges are as follows. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Message-Authenticator Set whether to do authentication by Message-Authenticator. When doing IEEE802.1X authentication, it will do authentication by Message-Authenticator regardless of this setting. 92/328
It can only be used for authentication request message in this device. Accounting Mode Set whether to use RADIUS accounting function. Accounting Source IP Address Set self IP address used to communicate with the RADIUS accounting server. The valid ranges are as follows. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Retry Interval Set packets resent interval when there is no response from RADIUS server. The valid ranges are as follows. 1 ~ 10(seconds) Retry Times Set packets resent count when there is no response from RADIUS server. The valid ranges are as follows. 1 ~ 10(times) Security Mode Set security level when there is no response from RADIUS server. When "High" is selected, it operates as authentication failed. When "Normal" is selected, it operates as authentication succeeded.
93/328
1.4.2.2. Server Config
Figure 89
IP Address Set IP address of RADIUS authentication server. The valid ranges are as follows. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Secret Set the share key(RADIUS secret) between this device and RADIUS authentication server. Priority Specify the priority used to decide which RADIUS server to use for authentication when there are several RADIUS servers in the same group. In the same group, the highest priority RADIUS server which is not in "dead" status will be used. If there is more than one RADIUS server with the highest priority, the RADIUS server to be used will be randomly decided. Dead Time Specify the recover time it waits to recover to "alive" status automatically after RADIUS server enters "dead" status. If the response from RADIUS server is not received, that RADIUS server will be set as "dead" status and set as the lowest priority. The RADIUS server in "dead" status can not be used as long as the server in "alive" exists. This setting is used to set the waiting time after it enters "dead" status, when the time expires, it can recover to "alive" status with the specified priority. In order to recover from "dead" status to "alive" status, one of the following conditions has to be matched. - The specified Dead Time period passed
94/328
- After all the possible server enters "dead" status, the packets are sent to the RADIUS server in "dead" status, and response is received - Recover manually The valid ranges are as follows. 0 ~ 86400(seconds) If 0 is specified, it will not recover to "alive" status automatically. 1.4.2.3. Accounting Server Config
Figure 90
IP Address Set IP address of RADIUS accounting server. The valid ranges are as follows. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Secret Set the share key(RADIUS secret) between this device and RADIUS accounting server. Priority Specify the priority used to decide which RADIUS server to use for authentication when there are several RADIUS servers in the same group. In the same group, the highest priority RADIUS server which is not in "dead" status will be used. If there is more than one RADIUS server with the highest priority, the RADIUS server to be used will be randomly decided. Dead Time Specify the recover time it waits to recover to "alive" status automatically after RADIUS server enters "dead" status. If the response from RADIUS server is not received, that RADIUS server will be set as "dead" status and set as the lowest priority. The RADIUS server in "dead" status can not be used as 95/328
long as the server in "alive" exists. This setting is used to set the waiting time after it enters "dead" status, when the time expires, it can recover to "alive" status with the specified priority. In order to recover from "dead" status to "alive" status, one of the following conditions has to be matched. - The specified Dead Time period passed - After all the possible server enters "dead" status, the packets are sent to the RADIUS server in "dead" status, and response is received - Recover manually The valid ranges are as follows. 0 ~ 86400(seconds) If 0 is specified, it will not recover to "alive" status automatically. 1.4.2.4. Summary It displays the status of RADIUS server. Type Server Type Auth Acct No. Server Address Port Pri State
Server definition Number Server IP Address Server Port Number Priority Server status alive dead
recover
Authentication Server Accounting Server
usable no response
recover remaining time / recover standby time When server status is "alive", displays as "-".
96/328
1.4.3. TACACS+ 1.4.3.1. Config
Figure 91
AAA Group ID Specify AAA group ID within the range of 0 ~ 9 in decimal number. TACACS+ Service Specify whether to use TACACS+ function. Timeout Set timeout when there is no response from TACACS+ server. The valid ranges are as follows. 1 ~ 300(seconds) Authentication Security Mode Set TACACS+ Authentication security operation when there is no response from server. When "High", it operates as a failure to authenticate. When "Normal", it operates as a success to authenticate. Authorization Security Mode Set TACACS+ Authorization security operation when there is no response from server. When "High", it operates as a failure to authorize. When "Normal", it operates as a success to authorize.
97/328
1.4.3.2. Server Config
Figure 92
IP Address To set the IP address of the TACACS+ authentication server. The IP Address of authentication server cannot be omitted. The value range can be specified as followed. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Secret Set the share key between this device and TACACS+ authentication server. It is considered that the share key is not set when omitted. Moreover, when it is not set, the communication between TACACS+ servers is not encrypted. Priority To specify the priority of some TACACS+ servers in the same group, which decides which TACACS+ server to use at the time of authentication. In the same group, the highest priority TACACS+ server not in dead status will be used. If there are multiple TACACS+ servers with the highest priority, the used TACACS+ server will be decided randomly. Dead Time Specify the recover time it waits to recover to "alive" status automatically after TACACS+ server enters "dead" status. If the response from TACACS+ server is not received, that TACACS+ server will be set as "dead" status and set as the lowest priority. The TACACS+ server in "dead" status can not be used as long as the server in "alive" exists. This setting is used to set the waiting time after it
98/328
enters "dead" status, when the time expires, it can recover to "alive" status with the specified priority. In order to recover from "dead" status to "alive" status, one of the following conditions has to be matched. - The specified Dead Time period passed - After all the possible server enters "dead" status, the packets are sent to the TACACS+ server in "dead" status, and response is received - Recover manually The valid ranges are as follows. 0 ~ 86400(seconds) If 0 is specified, it will not recover to "alive" status automatically. Source IP Address Source IP address used to communicate with the TACACS+ authentication server is set. Source IP address used to communicate with the authentication server is automatically allotted when it is not set. The value range can be specified as followed. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 1.4.3.3. Authorization Server Config
Figure 93
IP Address To set the IP address of the TACACS+ authorization server. The IP Address of authorization server cannot be omitted. The value range can be specified as followed. IPv4: 1.0.0.1 ~ 126.255.255.254 99/328
128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Secret Set the share key between this device and TACACS+ authorization server. It is considered that the share key is not set when omitted. Moreover, when it is not set, the communication between TACACS+ servers is not encrypted. Priority To specify the priority of some TACACS+ servers in the same group, which decides which TACACS+ server to use at the time of authorization. In the same group, the highest priority TACACS+ server not in dead status will be used. If there are multiple TACACS+ servers with the highest priority, the used TACACS+ server will be decided randomly. Dead Time Specify the recover time it waits to recover to "alive" status automatically after TACACS+ server enters "dead" status. If the response from TACACS+ server is not received, that TACACS+ server will be set as "dead" status and set as the lowest priority. The TACACS+ server in "dead" status can not be used as long as the server in "alive" exists. This setting is used to set the waiting time after it enters "dead" status, when the time expires, it can recover to "alive" status with the specified priority. In order to recover from "dead" status to "alive" status, one of the following conditions has to be matched. - The specified Dead Time period passed - After all the possible server enters "dead" status, the packets are sent to the TACACS+ server in "dead" status, and response is received - Recover manually The value range can be specified as followed. 0~86400(second) If specified 0, it does not automatically restore the alive status. Source IP Address Source IP address used to communicate with the TACACS+ authorization server is set. Source IP address used to communicate with the authorization server is automatically allotted when it is not set. The value range can be specified as followed. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
100/328
1.4.3.4. Summary It displays the status of TACACS+ server. Type Server Type Authen Author No. Server Address Pri State
Server definition Number Server IP Address Priority Server status alive dead
recover
Authentication Server Authorization Server
usable no response
recover remaining time / recover standby time When server status is "alive", displays as "-".
101/328
1.4.4. LDAP 1.4.4.1. Config
Figure 94
AAA Group ID Specify AAA group ID within the range of 0 ~ 9 in decimal number. LDAP Service Specify whether to use LDAP Client function. Timeout Set timeout when there is no response from LDAP server. The valid ranges are as follows. 1 ~ 300(seconds) Authentication Security Mode Set LDAP Authentication security operation when there is no response from server. When "High", it operates as a failure to authenticate. When "Normal", it operates as a success to authenticate.
102/328
1.4.4.2. Server Config
Figure 95
AAA Group ID Specify AAA group ID within the range of 0 ~ 9 in decimal number. Server Specify Server number within the range of 0 ~ 3 in decimal number. LDAP Server IP Address Specify the IP address of LDAP authentication server. The IP Address of LDAP authentication server cannot be omitted. The value range can be specified as followed. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff RDN attribute Specify RDN attribute of Bind DN, default is empty string. Bind DN without RDN Specify Partial Bind DN exclude RDN with it, default is empty string. Class attribute Specify user class attribute, default is empty string. Admin class value Specify Admin class value, default is empty string. If you want to specify two or more values, delimit them by ","(comma). Priority Specify the priority of some LDAP servers in the same group, which decides which LDAP server to use at the time of authentication. In the same group, the highest priority LDAP server not in dead status will be used. If there are multiple LDAP servers with the highest priority, the used LDAP server will be decided randomly. 103/328
Dead Time Specify the recover time it waits to recover to "alive" status automatically after LDAP server enters "dead" status. If the response from LDAP server is not received, that LDAP server will be set as "dead" status and set as the lowest priority. The LDAP server in "dead" status can not be used as long as the server in "alive" exists. This setting is used to set the waiting time after it enters "dead" status, when the time expires, it can recover to "alive" status with the specified priority. In order to recover from "dead" status to "alive" status, one of the following conditions has to be matched. - The specified Dead Time period passed - After all the possible server enters "dead" status, the packets are sent to the LDAP server in "dead" status, and response is received - Recover manually The valid ranges are as follows. 0 ~ 86400(seconds) If 0 is specified, it will not recover to "alive" status automatically. Source IP Address Source IP address used to communicate with the LDAP authentication server is set. Source IP address used to communicate with the authentication server is automatically allotted when it is not set. The value range can be specified as followed. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Caution: - For example, if RDN(Relative Distinguished Name) attribute is set as "cn"(common name), and Bind DN(Distinguished Name) without RDN is set as "dc=test,dc=com". When input user name is "root", and input password is "1234", then Bind DN sent to LDAP server will be "cn=root,dc=test,dc=com", and password sent to LDAP server will be "1234". - For example, If Class attribute is set as "uidNumber", and Admin class value is set as "1,2". According to LDAP search result, if value of "uidNumber" exists and equals to "1" or "2", it becomes "Administrator" class, otherwise it becomes "General User" class.
104/328
1.4.4.3. Summary It displays the status of LDAP server. Type Server Type Authen No. Server Address Pri State
Server definition Number Server IP Address Priority Server status alive dead
recover
Authentication Server
usable no response
recover remaining time / recover standby time When server status is "alive", displays as "-".
105/328
1.4.5. AAA 1.4.5.1. Config
Figure 96
AAA Group ID Specify AAA Group ID within 0 ~ 9 in decimal number. User Number Specify definition number of AAA user information with decimal number of less than 1000. User ID Specify user ID by characters of 0x21,0x23 ~ 0x7e within 128 characters. If it is used for MAC address authentication, please specify it as the MAC address of the terminal which is permitted to access with 12 digits of hexadecimal numbers(using lower case letters while not using ":" ,etc). User Password Specify password for authentication by characters of 0x21,0x23 ~ 0x7e within 128 characters. If MAC address authentication is used and password has been set in MAC Address Authentication, please also set the same password here. If password has not been set in MAC Address Authentication, specify it as the MAC address of the terminal which is permitted to access with 12 digits of hexadecimal numbers(using lower case letters while not using ":" ,etc). User Role Specify authority class of user as the login user information. VLAN ID Specify VLAN ID allocated to supplicant(user terminal).
106/328
1.4.5.2. Summary It displays the contents of AAA local database. No. User Definition Number User ID User ID User Role Authority Class of User VLAN ID VLAN ID of User
1.4.6. Access Control List 1.4.6.1. IP Config
Figure 97
ACL ID Specify ACL definition number with decimal number of less than 700. Source IP Address Specify source IP address and mask bits to be the object of ACL. - IP address/mask bits(or mask value) Specify the combination of source IP address and mask bits to be the object of ACL. Please set the mask value with consecutive 1 from the highest bit. - any All the source IP address become the object of ACL. Destination IP Address Specify destination IP address and mask bits to be the object of ACL. - IP address/mask bits(or mask value) Specify the combination of destination IP address and mask bits to be the object of ACL. Please set the mask value with consecutive 1 from the highest bit. - any All the destination IP address become the object of ACL. Protocol Specify protocol number to be the object of ACL.
107/328
- Protocol number Specify protocol number within 0 ~ 255 in decimal number to be the object of ACL. If "0" is specified, it displays as "any". (Example: ICMP:1, TCP:6, UDP:17 etc). - any All the protocol number become the object of ACL. Type Of Service Specify the judging method of QoS to be the object of ACL. - ToS Specify it when judge ACL object by ToS value. Specify ToS value within 0 ~ ff in hexadecimal number to be the object of ACL. - DSCP Specify it when judge ACL object by DSCP value. Specify DSCP value within 0 ~ 63 in decimal number to be the object of ACL. - Any All the ToS values and DSCP values become the object of ACL.
108/328
1.4.6.2. IPv6 Config
Figure 98
ACL ID Specify ACL definition number with decimal number of less than 700. Source IPv6 Address Specify source IPv6 address and prefix length to be the object of ACL. - IPv6 address/prefix length Specify the combination of source IPv6 address and prefix length to be the object of ACL. - any All the source IPv6 address become the object of ACL. Destination IPv6 Address Specify destination IPv6 address and prefix length to be the object of ACL. - IPv6 address/prefix length Specify the combination of destination IPv6 address and prefix length to be the object of ACL. - any All the destination IPv6 address become the object of ACL. Protocol Specify protocol number to be the object of ACL. - Protocol number Specify protocol number within 0 ~ 255 in decimal number to be the object of ACL. If "255" is specified, it displays as "any". (Example: ICMP:1, TCP:6, UDP:17 etc). - any All the protocol number become the object of ACL. Traffic Class Specify the judging method of QoS to be the object of ACL. - TC Specify it when judge ACL object by Traffic Class value. Specify TC value within 0 ~ ff in hexadecimal number to be the object of ACL.
109/328
- DSCP Specify it when judge ACL object by DSCP value. Specify DSCP value within 0 ~ 63 in decimal number to be the object of ACL. - Any All the TC values and DSCP values become the object of ACL. 1.4.6.3. TCP Config
Figure 99
ACL ID Specify ACL definition number with decimal number of less than 700. IP Protocol Specify IP protocol to be the object of ACL. Source Port Number Specify source port number to be the object of ACL. - Port number Specify source port number within 1 ~ 65535 in decimal number to be the object of ACL. If you want to specify two or more ports, delimit them by ","(comma). By using ","(comma), the total number of source port and destination port can be set up to 10. The valid formats are as follows. - decimal number within 1 ~ 65535 (Example: 65535 = 65535 port) - port number,port number, ... (Example: 10,20,30 = port of 10 and 20 and 30) - any All the source port number become the object of ACL. Destination Port Number Specify destination port number within 1 ~ 65535 in decimal number to be the object of ACL. The format is the same as source port number. - any All the destination port number become the object of ACL.
110/328
1.4.6.4. UDP Config
Figure 100
ACL ID Specify ACL definition number with decimal number of less than 700. IP Protocol Specify IP protocol to be the object of ACL. Source Port Number Specify source port number to be the object of ACL. - Port number Specify source port number within 1 ~ 65535 in decimal number to be the object of ACL. If you want to specify two or more ports, delimit them by ","(comma). By using ","(comma), the total number of source port and destination port can be set up to 10. The valid formats are as follows. - decimal number within 1 ~ 65535 (Example: 65535 = 65535 port) port number,port number, ... (Example: 10,20,30 = port of 10 and 20 and 30) - any All the source port number become the object of ACL. Destination Port Number Specify destination port number within 1 ~ 65535 in decimal number to be the object of ACL. The format is the same as source port number. - any All the destination port number become the object of ACL.
111/328
1.4.6.5. ICMP Config
Figure 101
ACL ID Specify ACL definition number with decimal number of less than 700. IP Protocol Specify IP protocol to be the object of ACL. ICMP Type Specify ICMP TYPE to be the object of ACL. - ICMP TYPE Specify ICMP TYPE within 0 ~ 255 in decimal number to be the object of ACL. If you want to specify two or more ICMP TYPE, delimit them by ","(comma). By using ","(comma), the total number of ICMP TYPE can be set up to 10. The valid formats are as follows. - decimal number within 0 ~ 255 (Example: 8 = ICMP TYPE 8) - ICMP TYPE,ICMP TYPE, ... (Example: 0,8,30 = ICMP TYPE of 0 and 8 and 30) - any All the ICMP TYPE become the object of ACL. ICMP CODE Specify ICMP CODE to be the object of ACL. - ICMP CODE Specify ICMP CODE within 0 ~ 255 in decimal number to be the object of ACL. If you want to specify two or more ICMP CODE, delimit them by ","(comma). By using ","(comma), the total number of ICMP CODE can be set up to 10. The valid formats are as follows. - decimal number within 0 ~ 255 (Example: 8 = ICMP CODE 8) - ICMP CODE,ICMP CODE, ... (Example: 0,8,30 = ICMP CODE of 0 and 8 and 30) - any All the ICMP CODE become the object of ACL.
112/328
1.4.6.6. MAC Config
Figure 102
ACL ID Specify ACL definition number with decimal number of less than 700. Source MAC Address Specify source MAC address to be the object of ACL. - Unicast Specify the source MAC address to be the object. Specify it with the format of xx:xx:xx:xx:xx:xx(xx is hexadecimal of 2 digits) or "any". - Broadcast Select it when broadcast MAC address is the object. - Multicast Select it when multicast MAC address is the object. Destination MAC Address Specify destination MAC address to be the object of ACL. - Unicast Specify the destination MAC address to be the object. Specify it with the format of xx:xx:xx:xx:xx:xx(xx is hexadecimal of 2 digits) or "any". - Broadcast Select it when broadcast MAC address is the object. - Multicast Select it when multicast MAC address is the object. Format Specify the frame format to be the object of ACL. - Ether Specify it when the frame in Ethernet format is the object. Specify it within 5dd ~ ffff in hexadecimal number or "any". If it is specified as "any", or it is omitted, all the frame in Ethernet format become the object. - LLC Specify it when the frame in LLC format is the object. 113/328
Specify it within 0 ~ ffff in hexadecimal number or "any". If it is specified as "any", or it is omitted, all the frame in LLC format become the object. - Any All the frame become the object.
1.4.6.7. VLAN Config
Figure 103
ACL ID Specify ACL definition number with decimal number of less than 700. VLAN ID Specify VID as the object. The range of VID for ACL object is 1 ~ 4094 or "any". COS Specify COS to be the object of ACL. - Any All the COS become the object. - Others Specify COS to be the object. The range of COS for ACL object is 0 ~ 7.
114/328
1.4.7. IP Filter 1.4.7.1. Config
Figure 104
Filter Address Set IP Filter for the LAN interface. IP Filter is used to pass or reject the packets which match the address, protocol, TOS value, DSCP value, port number, ICMP TYPE or ICMP CODE in ACL. It will be checked whether it is matched in the priority order set before, when it is matched the filtering operation will be done, and the following conditions will not be referred to. If none of the conditions is matched, the packets will be passed. 1.4.7.2. IPv6 Config
Figure 105
115/328
IPv6 Filter Address Set IPv6 Filter for the LAN interface. IP Filter is used to pass or reject the packets which match the IPv6 address, protocol, Traffic Class, DSCP value, port number, ICMP TYPE or ICMP CODE in ACL. It will be checked whether it is matched in the priority order set before, when it is matched the filtering operation will be done, and the following conditions will not be referred to. If none of the conditions is matched, the packets will be passed.
1.4.8. VLAN Filter 1.4.8.1. Config
Figure 106
Filter Address Set the MAC filtering for each VLAN. The filtering operation specified in "Action" will be done to the input packets corresponding to the MAC address, VLAN ID, IP address, ICMP, TCP or UDP definition in the Access Control List specified by ACL.
116/328
1.4.8.2. IPv6 Config
Figure 107
IPv6 Filter Address Set the IPv6 filtering for each VLAN. The filtering operation specified in "Action" will be done to the input packets corresponding to the VLAN ID, IPv6 address, ICMP, TCP or UDP definition in the Access Control List specified by ACL.
1.4.9. Application Filter 1.4.9.1. FTP config
Figure 108
117/328
FTP IPv4 Server Set whether to enable IPv4 of FTP server function. FTP IPv6 Server Set whether to enable IPv6 of FTP server function. Filter Address Set application filter for FTP server function. The following definitions of ACL are used in application filter. - ip Only use the source IP address and mask bits. If ip value is not set, the definition of filter is invalid and it will be ignored. - ip6 Only use the source IPv6 address and prefix length. If ip6 value is not set, the definition of filter for IPv6 is invalid and it will be ignored. 1.4.9.2. SFTP config
Figure 109
SFTP IPv4 Server Set whether to enable IPv4 of SFTP server function. SFTP IPv6 Server Set whether to enable IPv6 of SFTP server function. Filter Address Set application filter for SFTP server function. The following definitions of ACL are used in application filter. - ip Only use the source IP address and mask bits. If IP value is not set, the definition of filter is invalid and it will be ignored. - ip6 Only use the source IPv6 address and prefix length. If IPv6 value is not set, the definition of filter for IPv6 is invalid and it will be ignored. *Note:
118/328
This definition is effective for both SSH server function and SFTP server function. Different filter settings can not be set in SSH server function and SFTP server function. 1.4.9.3. TELNET config
Figure 110
TELNET IPv4 Server Set whether to enable IPv4 of TELNET server function. TELNET IPv6 Server Set whether to enable IPv6 of TELNET server function. Filter Address Set application filter for TELNET server function. The following definitions of ACL are used in application filter. - ip Only use the source IP address and mask bits. If ip value is not set, the definition of filter is invalid and it will be ignored. - ip6 Only use the source IPv6 address and prefix length. If ip6 value is not set, the definition of filter for IPv6 is invalid and it will be ignored.
119/328
1.4.9.4. SSH config
Figure 111
SSH IPv4 Server Set whether to enable IPv4 of SSH server function. SSH IPv6 Server Set whether to enable IPv6 of SSH server function. Filter Address Set application filter for SSH server function. The following definitions of ACL are used in application filter. - ip Only use the source IP address and mask bits. If ip value is not set, the definition of filter is invalid and it will be ignored. - ip6 Only use the source IPv6 address and prefix length. If ip6 value is not set, the definition of filter for IPv6 is invalid and it will be ignored. *Note: This definition is effective for both SSH server function and SFTP server function. Different filter settings can not be set in SSH server function and SFTP server function.
120/328
1.4.9.5. HTTP config
Figure 112
HTTP IPv4 Server Set whether to enable IPv4 of HTTP server function. HTTP IPv6 Server Set whether to enable IPv6 of HTTP server function. Filter Address Set application filter for HTTP server function. The following definitions of ACL are used in application filter. - ip Only use the source IP address and mask bits. If ip value is not set, the definition of filter is invalid and it will be ignored. - ip6 Only use the source IPv6 address and prefix length. If ip6 value is not set, the definition of filter for IPv6 is invalid and it will be ignored.
121/328
1.4.9.6. HTTPS config
Figure 113
HTTPS IPv4 Server Set whether to enable IPv4 of HTTPS server function. HTTPS IPv6 Server Set whether to enable IPv6 of HTTPS server function. Filter Address Set application filter for HTTPS server function. The following definitions of ACL are used in application filter. - ip Only use the source IP address and mask bits. If ip value is not set, the definition of filter is invalid and it will be ignored. - ip6 Only use the source IPv6 address and prefix length. If ip6 value is not set, the definition of filter for IPv6 is invalid and it will be ignored.
122/328
1.4.9.7. SNTP config
Figure 114
SNTP IPv4 Server Set whether to enable IPv4 of SNTP server function. SNTP IPv6 Server Set whether to enable IPv6 of SNTP server function. Filter Address Set application filter for SNTP server function. The following definitions of ACL are used in application filter. - ip Only use the source IP address and mask bits. If ip value is not set, the definition of filter is invalid and it will be ignored. - ip6 Only use the source IPv6 address and prefix length. If ip6 value is not set, the definition of filter for IPv6 is invalid and it will be ignored.
123/328
1.4.9.8. TIME config
Figure 115
TIME IPv4 Server(UDP) Set whether to enable IPv4 of TIME server function by UDP. TIME IPv4 Server(TCP) Set whether to enable IPv4 of TIME server function by TCP. TIME IPv6 Server(UDP) Set whether to enable IPv6 of TIME server function by UDP. TIME IPv6 Server(TCP) Set whether to enable IPv6 of TIME server function by TCP. Filter Address Set application filter for TIME server function. The following definitions of ACL are used in application filter. - ip Only use the source IP address and mask bits. If ip value is not set, the definition of filter is invalid and it will be ignored. - ip6 Only use the source IPv6 address and prefix length. If ip6 value is not set, the definition of filter for IPv6 is invalid and it will be ignored.
124/328
1.5. QoS Menu 1.5.1. Port Configuration 1.5.1.1. Queue Config
Figure 116
Untagged Priority Set tag priority value assigned to the untagged received packets of ether port. Output Mode Set the QoS sending algorithm of ether port. Select from STRICT(send from higher priority sequentially) and DRR(Deficit round robin) method. If DRR is selected, specify lowest guarantee band for each queue. Please set it so that the total of specified band is 10Gbps. Queue Mapping Specify which COS value the packets have and in which output queue the packets will be output. The queue with larger queue number has higher output priority.
1.5.1.2. Queue Summary
Figure 117
It displays the correspondence of packets COS value and storage queue. 1.5.1.3. Classification
Figure 118
IPv4 Type of Service field Priority is decided by the value of IP Precedence field of the Type of Service field of IPv4. IPv6 Traffic Class field Priority is decided by the value of upper 3 bits of Traffic Class field of IPv6.
126/328
1.5.1.4. Diffserve/COS Config
Figure 119
Packet Pattern Set the packet pattern for QoS within the range of 0 to 63. The smaller number has higher priority. When some packet patterns are omitted or deleted, the packet patterns which have not been set will be omitted and only the ones with value will be set. IP protocol Specify the protocol. ACL Specify the ACL definition number of the Access Control List in which the packet pattern to be set for QoS is defined. Action DSCP When corresponded packets in Access Control List are IP packets, rewrite with DSCP value(upper 6 bits of TOS field in IP header). ToS When corresponded packets in Access Control List are IP packets, rewrite with ip precedence value(upper 3 bits of TOS field in IP header). Queue Change the queue of the output port used when corresponded input packets in Access Control List are output. Value Rewrite Value When DSCP is selected in "Action": Set the DSCP value after rewriting within 0 ~ 63 in decimal number. When ToS is selected in "Action": Set the ip precedence value after rewriting within 0 ~ 7 in decimal number. When Queue is selected in "Action": Set the queue number of the used output port within 0 ~ 7 in decimal number. The queue with larger value has higher output priority. 127/328
Change Queue It can be specified when DSCP or ToS is selected in "Action". After rewrite with DSCP value or ip precedence value, the queues with the value corresponding to the upper 3 bits of DSCP value or ip precedence value will be the output queue.
1.5.2. VLAN Configuration 1.5.2.1. Diffserve/COS Config
Figure 120
Packet Pattern Set the packet pattern for QoS within the range of 0 to 63. The smaller number has higher priority. IP protocol Specify the protocol. ACL Specify the ACL definition number of the Access Control List in which the packet pattern to be set for QoS is defined. Action DSCP When corresponded packets in Access Control List are IP packets, rewrite with DSCP value(upper 6 bits of TOS field in IP header). ToS When corresponded packets in Access Control List are IP packets, rewrite with ip precedence value(upper 3 bits of TOS field in IP header). Queue Change the queue of the output port used when corresponded input packets in Access Control List are output. Value Rewrite Value When DSCP is selected in "Action": Set the DSCP value after rewriting within 0 ~ 63 in decimal number. 128/328
When ToS is selected in "Action": Set the ip precedence value after rewriting within 0 ~ 7 in decimal number. When Queue is selected in "Action": Set the queue number of the used output port within 0 ~ 7 in decimal number. The queue with larger value has higher output priority. Change Queue It can be specified when DSCP or ToS is selected in "Action". After rewrite with DSCP value or ip precedence value, the queues with the value corresponding to the upper 3 bits of DSCP value or ip precedence value will be the output queue.
1.5.3. DSCP Rewriting 1.5.3.1. Config
Figure 121
DSCP Rewriting Address Set DSCP rewriting values for LAN interface. The specified DSCP values between 0 ~ 63 will be rewrote to the packets corresponding to the address, protocol, TOS value, DSCP value, port number, ICMP TYPE or ICMP CODE specified in ACL.
129/328
1.5.3.2. IPv6 Config
Figure 122
IPv6 DSCP Rewriting Address Set DSCP rewriting values for LAN interface. The specified DSCP values between 0 ~ 63 will be rewrote to the packets corresponding to the IPv6 address, protocol, TOS value, DSCP value, port number, ICMP TYPE or ICMP CODE specified in ACL.
130/328
2. End Host mode Web Interface 2.1. Overview PRIMERGY 10 Gigabit Ethernet Connection Blade 18/8 provides a built-in browser software interface that lets you configure and manage it remotely using a standard Web browser. This software interface also allows for system monitoring and management of this connection blade. When you configure this for the first time from the console, you have to assign an IP address and subnet mask to this connection blade. Thereafter, you can access this Web software interface directly using your Web browser by entering its IP address into the address bar. In this way, you can use your Web browser to manage this connection blade form any remote PC station, just as if you ware directly connected to its console port.
Figure 123
131/328
2.1.1. Menu Options There are following Menu options in Web Interface in EHM: Management, Switching, Security, and QoS. 1. Management Menu: This section provides information for configuring SNMP and trap manager, Ping, DHCP client, SNTP, system parameters including Hostname, in-band/out-of-band network management setting, Log setting, User management, configure file backup and so on.
Figure 124
2. Switching Menu: This section provides the setting that related to switching functions, such as forwarding mode, port configuration, VLAN, IGMP, Link Aggregation, and Port Backup etc,
Figure 125
132/328
3. Security Menu: This section provides users to configure security including IEEE802.1x, Radius, TACACS, LDAP, Access Control Lists, IP filter, VLAN filter etc.
Figure 126
4. QoS Menu: This section provides users to configure QoS setting like queue configuration, Diffserve/CoS configuration of port and vlan.
Figure 127
133/328
2.2. Management Menu 2.2.1.
Information
2.2.1.1. Inventory Info
Figure 128
System Description It displays the device name. Base MAC Address It displays the MAC address in hexadecimal number of 12 digits. Boot ROM Version It displays the ROM version. Runtime Version It displays the firmware version and the time when the firmware is made. Memory It displays the memory size of the device. ASIC Firmware It displays the ASIC firmware version. Port It displays the port number. Media type It displays the module type. Vendor PN It displays the vendor PN of the module. Status It displays the module status.
134/328
2.2.1.2. ARP Cache
Figure 129
It displays the entry of ARP table. 2.2.1.3. NDP Cache
Figure 130
It displays the entries of NDP table.
135/328
2.2.2. Configuration 2.2.2.1. System Description
Figure 131
System Description It displays the device name. Host Name Please set the Host Name of this device within 32 characters. It cannot be deleted. System Name Please set MIB variable "sysName" which means the machine name of this device within 32 characters. When it is omitted, it is considered that the "sysName" is not set. System Location Please set MIB variable "sysLocation" which means the location of this device within 72 characters. When it is omitted, it is considered that the "sysLocation" is not set. System Contact Please set MIB variable "sysContact" which means the admin name of this device within 40 characters. When it is omitted, it is considered that the "sysContact" is not set. Engine ID Please set SNMP engine ID for SNMPv3 within 27 characters. When it is omitted, the engine ID will be generated automatically. The value of SNMP engine ID set to the device is as follows. When it is set 1st ~ 5th octet : Fixed as 0x800000d304 6th octet ~ after : Engine ID of this setting When it is omitted 1st ~ 5th octet : Fixed as 0x800000d380 6th octet ~ after : Random value IP Address Set the address of SNMP agent. When it is omitted, it is considered that the agent address is not set. The range that can be specified is as follows. Valid Range) IPv4 address: 136/328
1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6 address: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff System Object ID It displays the Object ID of the device. System Up Time It displays the startup time of the device. 2.2.2.2. In-Band Mgmt
Figure 132
IPv4 Address Please set the IPv4 address. Please set it as DHCP client or set a static IPv4 address. When IPv4 address is changed, you have to input user/password again to login to WEB page. IPv4 Static Route Please set the IPv4 Static Route. It can be set up to 4. IPv6 Please set whether to use IPv6. IPv6 Address Please set the IPv6 address when IPv6 is used. Please set to use the prefix distributed by RA or set a static IPv6 address. When IPv6 address is changed, you have to input user/password again to login to WEB page. IPv6 DHCP Please set whether to use IPv6 DHCP. IPv6 Static Route Please set the IPv6 Static Route. It can be set up to 4. Burned-in MAC Address It displays the MAC address used in In-Band Mgmt LAN. Management VLAN ID Please set VLAN ID by integer within 1~4094. 137/328
2.2.2.3. Out-of-Band Mgmt
Figure 133
IPv4 Address Please set the IPv4 address. Please set it as DHCP client or set a static IPv4 address. When IPv4 address is changed, you have to input user/password again to login to WEB page. IPv4 Static Route Please set the IPv4 Static Route. It can be set up to 4. IPv6 Please set whether to use IPv6. IPv6 Address Please set the IPv6 address when IPv6 is used. Please set to use the prefix distributed by RA or set a static IPv6 address. When IPv6 address is changed, you have to input user/password again to login to WEB page. IPv6 DHCP Please set whether to use IPv6 DHCP. IPv6 Static Route Please set the IPv6 Static Route. It can be set up to 4. Burned-in MAC Address It displays the MAC address used in Out-of-Band Mgmt LAN.
138/328
2.2.2.4. Telnet Session
Figure 134
Auto Logout Specify the length of the auto logout time within the range of 0 second ~ 86400 seconds(1 day). If the command input/output is not done from the client connected by telnet, after the period of the auto logout time, the telnet connection will be cut off automatically. The time unit can be specified as any of the (day), (hour), (minute), or (second). 2.2.2.5. Serial Port
Figure 135
Auto Logout Specify the length of the auto logout time within the range of 0 second ~ 86400 seconds(1 day). During the login state, if the command input/output is not done from the serial port, after the period of the auto logout time, it will be forced to logout. The time unit can be specified as any of the (day), (hour), (minute), or (second). 139/328
2.2.3. System Utilities 2.2.3.1. Save All Changes Saving all applied changes will cause all changes to configuration panels that were applied but not saved, to be saved, thus retaining their new values across a system reboot. 2.2.3.2. System Reset Resetting the switch will cause all operations of this switch to stop. This session will be broken and you will have to login again after the switch has rebooted. Any unsaved changes will be lost. 2.2.3.3. Set Config to Default Initialize the configuration and reboot the switch. 2.2.3.4. Set Passwords to Default Set the password of admin and user to default. 2.2.3.5. Ping
Figure 136
IPv4/IPv6 Address Specify the IPv4 address or IPv6 address of sending destination. 2.2.3.6. DDNS Summary It displays summary of dynamic DNS action.
140/328
2.2.4. File Management 2.2.4.1. Download to Switch
Figure 137
TFTP server IP Address Set IPv4 or IPv6 address of TFTP server. TFTP File Path(Source) Set the path on the TFTP server where to download the file. TFTP File Name(Source) Set the name of the file to download. TFTP File Name(Target) Set the file name of the downloaded file on this device. Set it from the follows. config1 Config Definition 1 config2 Config Definition 2 switch_firmware Switch Firmware ibp_firmware IBP Firmware sshkey SSH Key Information
141/328
2.2.4.2. Upload from Switch
Figure 138
TFTP server IP Address Set IPv4 or IPv6 address of TFTP server. TFTP File Path(Target) Set the path on the TFTP server where to upload the file. TFTP File Name(Target) Set the file name of the uploaded file on TFTP server. TFTP File Name(Source) Set the file name on this device to upload. Set it from the follows. running-config Config Definition in use startup-config Config Definition when start up config1 Config Definition 1 config2 Config Definition 2 switch_firmware Switch Firmware ibp_firmware IBP Firmware
142/328
2.2.4.3. Start-Up File
Figure 139
Change config definition or firm and then reset the device. Current Runtime File It displays the name of the firm which is being used. Current Configuration File It displays the name of the current configuration file, which is being used. Runtime File Set the firm to be used when the device is started next time. Set it from the follows. switch_firm Switch Firm ehm_firm EHM Firm ibp_firm IBP Firm Configuration File Set the name of configuration file which will be used as Startup-config when the device is started next time. Set it from the follows. config1 Config Definition 1 config2 Config Definition 2 Caution: - "Save" button is disabled when "Configuration File" is different from "Current Configuration File". - When "Save" button is clicked, the selected "Runtime File" will be saved. - When "Save and Reset" button is clicked, the device will be reset with the selected parameter
143/328
2.2.4.4. Copy File
Figure 140
File Name Set the name of configuration file which will be used to save running-config. Set it from the follows. config1 Config Definition 1 config2 Config Definition 2 2.2.4.5. Clear SSH Key Delete SSH user public key.
2.2.5. User Management 2.2.5.1. User Accounts
Figure 141
144/328
Please set the password used for operating the device. The admin password is the password used when the user name is "admin", and the user password is the password used when the user name is "user". The authority class is decided by login user, and the web pages which can be executed are different according to the authority class. It becomes the administrator class when login with "admin" and it becomes the general user class when login with "user". When login by console, TELNET or SSH, the admin password and the user password are used. When login by FTP or SFTP, the admin password is used. After input password it can be operated for 10 minutes. After that it needs to input password again to operate. Admin Password Set the password within 64 characters. It is the password when user name is "admin". The authority class is administrator class when login with "admin". User Password Set the password within 64 characters. It is the password when user name is "user". The authority class is general user class when login with "user". Caution: - If the password is set less than 7 characters, English letters only or numbers only, or if the admin password is deleted, it can be set or deleted normally. However, the warning message of weak password will be displayed. User Account Extension Please set whether to extend user accounts besides the fixed accounts(admin/user). enable Extend it. disable Do not extend it. AAA Group Index Specify the group ID of AAA which is referred to when user authentication is done. Specify the group ID of AAA in decimal number of less than 10.
145/328
2.2.5.2. Login Session
Figure 142
It displays the information of login user. Line It displays the connection type(console, http, ssh) and connection line. User Name It displays the user name. Class It displays the authority class of user. Remote Host It displays the information of remote host. Since It displays the login time. Idle It displays the period of time without any operation.
2.2.6. Logging 2.2.6.1. Configuration – Syslog
Figure 143
146/328
Server Address Set IP address of the server where the system log information(message) will be sent. Priority Specify the priority level from the follows for the system log information to be output. error Check it when priority LOG_ERROR is included in the ouput object. warn Check it when priority LOG_WARNING is included in the ouput object. notice Check it when priority LOG_NOTICE is included in the ouput object. info Check it when priority LOG_INFO is included in the ouput object. Facility Set the facility of system log information within the range of 0~23 in decimal number. Duplication Abbreviation Specify whether to abbreviate the message which is duplicated to the message output before, when output message to system log. Command Logging Specify whether to output the command execution history to system log. As for the parameter of encrypted object, the log will be encrypted before output for security consideration. 2.2.6.2. View - System Log
Figure 144
It displays the system log information.
147/328
2.2.6.3. View - Error Log
Figure 145
It displays the hard error diagnosed in ROM or I/O driver and the error log information of system down.
2.2.7. Statistics 2.2.7.1. Port Summary
Figure 146
[Input Statistics] Octets The number of octets of the data received bits/sec The number of received bits per second(bits/sec) Frames The total number of frames received frames/sec 148/328
The number of received frames per second(frames/sec) Unicast The number of unicast frames received frames/sec The number of received unicast frames per second(frames/sec) Multicast/Broadcast The number of multicast/broadcast frames received frames/sec The number of received multicast/broadcast frames per second(frames/sec) Discards DiscardsPkts The total number of discarded frames after received Errors Oversize The number of oversize frames received(more than 1519 bytes without TAG, more than 1523 bytes with TAG). FCSErrors The number of frames where FCS errors are detected with the data size of 64~1518 bytes AlignmentErrors The number of received frames where Alignment errors are detected [Output Statistics] Octets The number of octets of the data sent bits/sec The number of sent bits per second(bits/sec) Frames The total number of frames sent frames/sec The number of sent frames per second(frames/sec) Unicast The number of unicast frames sent frames/sec The number of sent unicast frames per second(frames/sec) Multicast/Broadcast The number of multicast/broadcast frames sent frames/sec The number of sent multicast frames per second(frames/sec) Discards DiscardsPkts The total number of discarded frames after sent Errors CarrierSenseErrors The total number of error frames due to undetected carrier ExcessiveCollisions The total number of error frames that failed to send due to a lot of collision 149/328
LateCollisions The total number of late collisions SingleCollisionFrames The total number of frames succeeded to send after one collision occurred. MultipleCollisionFrames The total number of frames succeeded to send after several collisions occurred. DeferredTransmissions The total number of frames delayed to send due to busy of transmission path. 2.2.7.2. Port Detailed
Figure 147
[Input Statistics] Octets The number of octets of the data received bits/sec The number of received bits per second(bits/sec) Frames The total number of frames received frames/sec The number of received frames per second(frames/sec) Unicast The number of unicast frames received frames/sec The number of received unicast frames per second(frames/sec) Multicast The number of multicast frames received frames/sec The number of received multicast frames per second(frames/sec) Broadcast The number of broadcast frames received frames/sec 150/328
The number of received broadcast frames per second(frames/sec) Pause frames The number of PAUSE frames received Mac Control frames The number of MAC control frames received Priority pause 0 frames The number of received pause frames for priority 0 Priority pause 1 frames The number of received pause frames for priority 1 Priority pause 2 frames The number of received pause frames for priority 2 Priority pause 3 frames The number of received pause frames for priority 3 Priority pause 4 frames The number of received pause frames for priority 4 Priority pause 5 frames The number of received pause frames for priority 5 Priority pause 6 frames The number of received pause frames for priority 6 Priority pause 7 frames The number of received pause frames for priority 7 Discards All DiscardsPkts The total number of discarded frames after received Resource Full The number of discarded received frames due to insufficient resource Policy Discards The number of discarded received frames due to discards policy VLAN dropped The number of discarded received unicast frames due to no member of setting vlan Errors Undersize The number of undersize frames received(under 64 bytes) FCSErrors The number of frames where FCS errors are detected with the data size of 64~1518 bytes AlignmentErrors The number of received frames where Alignment errors are detected FragmentErrors The number of frames with short size(under 64 bytes) where FCS errors or alignment errors are detected Jabbers Over size(more than 1519 bytes without TAG, or more than 1523 bytes with TAG) SymbolErrors Over size(more than 1519 bytes without TAG, or more than 1523 bytes with TAG) UnknownOpcodes Over size(more than 1519 bytes without TAG, or more than 1523 bytes with TAG) 151/328
[Output Statistics] Octets The number of octets of the data sent bits/sec The number of sent bits per second(bits/sec) Frames The total number of frames sent frames/sec The number of sent frames per second(frames/sec) Unicast The number of unicast frames sent frames/sec The number of sent unicast frames per second(frames/sec) Multicast The number of multicast frames sent frames/sec The number of sent multicast frames per second(frames/sec) Broadcast The number of broadcast frames sent frames/sec The number of sent broadcast frames per second(frames/sec) Pause frames The number of PAUSE frames sent Mac Control frames The number of MAC control frames sent Priority pause 0 frames The number of sent pause frames for priority 0 Priority pause 1 frames The number of sent pause frames for priority 1 Priority pause 2 frames The number of sent pause frames for priority 2 Priority pause 3 frames The number of sent pause frames for priority 3 Priority pause 4 frames The number of sent pause frames for priority 4 Priority pause 5 frames The number of sent pause frames for priority 5 Priority pause 6 frames The number of sent pause frames for priority 6 Priority pause 7 frames The number of sent pause frames for priority 7 Discards DiscardsPkts The total number of discarded frames after received DelayExceededDiscards The number of discarded frames due to exceeded delay 152/328
Errors Undersize The number of undersize frames received(under 64 bytes) FCSErrors The number of frames where FCS errors are detected with the data size of 64~1518 bytes FragmentErrors The number of frames with short size(under 64 bytes) where FCS errors or alignment errors are detected [Detail Statistics] The number of frames per second accumulated by different frame size. 2.2.7.3. IP
Figure 148
It displays the statistics of IPv4 packets.
2.2.7.4. LACP It displays the statistics of LACP packets. The items won't be displayed if the Count is 0. 2.2.7.5. Net Time It displays the statistics of SNTP/TIME client. 2.2.7.6. SNMP It displays the statistics of SNMP.
153/328
2.2.8. SNMP 2.2.8.1. Community Config
Figure 149
SNMP Agent Set whether to enable SNMP Agent function and SNMP Trap function. RMON Set whether to use RMON function. Community Name Specify the community name within 1~32 characters used when sending trap. Specify it as "public" for it to communicate with any SNMP manager. IP Address Specify the address of the SNMP manager. Valid Range) IPv4 address: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6 address: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Access Mode Specify whether writing from SNMP manager is permitted. Trap Mode Specify whether to send trap. Off Select it when not sending trap. V1 Select it when sending SNMPv1 trap. V2c Select it when sending SNMPv2 trap.
154/328
2.2.8.1.1. Trap Flags
Figure 150
Cold Start Set to enable or disable the coldStart trap. Link Down Set to enable or disable the linkDown trap. Link Up Set to enable or disable the linkUp trap. Authentication Set to enable or disable the authenticationFailure trap. Rising Alarm Set to enable or disable the risingAlarm trap. Falling Alarm Set to enable or disable the fallingAlarm trap. New Root Set to enable or disable the newRoot trap. Topology Change Set to enable or disable the topologyChange trap. LLDP Remote Tables Change Set to enable or disable the lldpRemTablesChange trap. LLDP DCBX Set to enable or disable all the following lldpXdcbx traps. lldpXdcbxMiscControlError lldpXdcbxMiscFeatureError lldpXdcbxMultiplePeers lldpXdcbxLldpTxDisabled lldpXdcbxLldpRxDisabled lldpXdcbxDupControlTlv lldpXdcbxDupFeatureTlv lldpXdcbxPeerNoFeat lldpXdcbxPeerNoResp lldpXdcbxPeerConfigMismatch 155/328
2.2.9. RMON 2.2.9.1. Alarm Config
Figure 151
Alarm ID Specify ID of the RMON alarm group in decimal number value of 1 ~ 64. Sampling Variable Specify the object identifier of MIB that will be checked with the threshold in the dot form or the alphanumeric character. The range that can be specified is as follows. 1 ~ 63(characters) The object identifier can only be specified with the following types. INTEGER Integer32 Counter32 Counter64 Gauge32 TimeTicks Sampling Interval Please set the interval time of checking the threshold within the range of 1 ~ 43200 (seconds). The unit can be specified as hour, minute or second. Sampling Type Specify the type of checking threshold. Absolute(default value) The current value is compared directly with the threshold. Delta The difference between the current value and the value when sampling it last time is compared with the threshold. Rising-Threshold Specify the upper threshold of the RMON alarm group. The range that can be specified is as follows. 156/328
0 ~ 4294967295 Rising-Threshold Event ID Specify the corresponding RMON event group id in decimal number which has been set in "Event ID" of [Event Config]. It is used as the event definition number which will be generated when the upper threshold is exceeded. The alarm event will not be generated when there is no specified definition number. Falling-Threshold Specify the lower threshold of the RMON alarm group. The range that can be specified is as follows. 0 ~ 4294967295 Falling-Threshold Event ID Specify the corresponding RMON event group id in decimal number which has been set in "Event ID" of [Event Config]. It is used as the event definition number which will be generated when the lower threshold is surpassed. The alarm event will not be generated when there is no specified definition number. 2.2.9.2. Event Config
Figure 152
Event ID Specify ID of the RMON event group in decimal number value of 1 ~ 64. Type Specify the notification method of this event(alarm). Blank No event processing. Log The log of the event will be kept. Trap The trap will be transmitted to the SNMP host who has the community name specified in "Community" of [Event Config]. Log-Trap The log of the event will be kept while the trap will be transmitted to the SNMP host who has the community name specified in "Community" of [Event Config]. 157/328
Description Set the description of the RMON event group. Specify the explanation of the event (the note related to the content of the event) by the character string of 0x21, 0x23 ~ 0x7e. The range that can be specified is as follows. 1~ 127 (characters) Community Specify the community name which will be set to the trap packets when the trap is sent. This setting is effective when the notification method specified in "Type" of [Event Config] is "Trap" or "Log-Trap". And the trap will be sent in the following case. When the community name specified here has been set in [Community Config] of [SNMP]. The range that can be specified is as follows. 1 ~ 32(characters)
2.2.10. SNTP 2.2.10.1.Server Config
Figure 153
Client Mode Please set the protocol when time information is acquired from the time server. Disable Time information is not acquired. SNTP Select it when the simple NTP protocol(UDP) is used. TIME Select it when the TIME protocol(TCP) is used. DHCP Select it when the protocol notified by DHCP is used. IP Address IPv4 Address Specify the IPv4 address of the server that offers time information. The range that can be specified is as follows. 0.0.0.0 (from DHCP server) 158/328
1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 224.0.0.1 ~ 239.255.255.254 (Multicast) 255.255.255.255 (Broadcast) IPv6 Address Specify the IPv6 address of the server that offers time information. The range that can be specified is as follows. ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Interface Please set the interface used to communicate with time server. When IPv4 address of server is multicast or broadcast address and protocol is SNTP, please set it other than "Auto". Otherwise, set it as "Auto". Auto Interface is auto-selected. Out-of-Band Use Out-of-Band interface(oob0). In-Band Use In-Band interface(lan0). Interval Please set the acquisition cycle within the range of 0~10 day, when acquiring time information from the time server periodically. The time unit can be specified as any of the day, hour, minute or second. If it is omitted or 0 is set, time information will be acquired only when the device starts (restarts). 2.2.10.2.Server Status
Figure 154
Protocol It displays the protocol when time information is acquired from the time server. Version 159/328
It displays the version of protocol. Last Update Time It displays the last time when time information is acquired from server. Server IP Address It displays the IP address of time server. Unicast Server Max Entries It displays the maximum number of time server. 2.2.10.3.Current Time
Figure 155
Current Time Set the current time. Please select from the following 3 methods. Set it as the time of PC used for setting. Set it from the SNTP/TIME server. Set it manually.
160/328
2.2.10.4.Time Zone Settings
Figure 156
Time Zone Hours Please set the time difference(hour) from GMT(Greenwich Standard Time) in decimal number from 0 to 12. Time Zone Minutes Please set the time difference(minute) from GMT in decimal number from 0 to 59. Direction Please set whether it is before GMT or after GMT. Before GMT It means it is ahead of GMT. After GMT It means it is late than GMT.
2.2.11. LLDP 2.2.11.1.Configuration – Global Config
Figure 157
161/328
Transmit Interval Specify a fixed time interval to transmit LLDP information by decimal number and time unit. The time unit can be specified as any of the (hour), (minute) or (second). The range that can be specified is 5 seconds ~ 32768 seconds. This setting is corresponding to the variable "msgTxInterval" of 802.1AB. Transmit Delay Specify the minimum time interval to transmit LLDP information by decimal number and time unit. The time unit can be specified as any of the (hour), (minute) or (second). The range that can be specified is 1 second ~ 0.25 * (no more than 8192 seconds). This setting is corresponding to the variable "txDelay" of 802.1AB. Transmit Hold As for the time length that adjacent device should maintain LLDP information of this device, specify it by the count of "Transmit Interval" of LLDP. The range that can be specified is 2 times ~ 10 times, specify it by decimal number within the range of 2~10. TTL(no more than 65535 seconds) which is calculated by the method of [LLDP Transmit Interval * LLDP Transmit Hold] will be notified to the adjacent device. This setting is corresponding to the variable "msgTxHold" of 802.1AB. Reinitialize Delay When the LLDP transmission is set to be disabled, after sending LLDP information with TTL value of 0, the internal state will be re-initialized. Specify the delay time of re-initialized by decimal number and time unit. The range that can be specified is 1second ~ 10seconds. This setting is corresponding to the variable "reinitDelay" of 802.1AB. SNMP Notification Interval Specify the minimum time interval of the transmission of SNMP Notification Trap by decimal number and time unit. The time unit can be specified as any of the (hour), (minute) or (second). The range that can be specified is 5 seconds ~ 3600 seconds. This setting is corresponding to the variable "NotificationInterval" of 802.1AB.
162/328
2.2.11.2.Configuration – Interface Config
Figure 158
Slot/Port Select a port to set. Mode Specify the action mode of the LLDP function at the specified port. Port Description Specify whether to transmit Port Description TLV. System Name Specify whether to transmit System Name TLV. System Description Specify whether to transmit System Description TLV. System Capabilities Specify whether to transmit System Capabilities TLV. Management Address Specify whether to transmit Management Address TLV. Port VLAN ID Specify whether to transmit IEEE802.1 Port VLAN ID TLV. Port and Protocol VLAN ID Specify whether to transmit Protocol VLAN ID information. VLAN Name Specify whether to transmit IEEE802.1 VLAN Name TLV. Protocol Identity Specify whether to transmit IEEE802.1 Protocol VLAN Identity TLV. MAC PHY Configuration Status Specify whether to transmit IEEE802.3 MAC/PHY Configuration/Status TLV. Power via MDI Specify whether to transmit IEEE802.3 Power Via MDI TLV. Link Aggregation Specify whether to transmit IEEE802.3 Link Aggregation TLV. Maximum Frame Size Specify whether to transmit IEEE802.3 Maximum Frame Size TLV. 163/328
2.2.11.3.Information – Interface Summary
Figure 159
It displays the LLDP setup information at all physical ports where the LLDP function is enabled. The content of "Info" is as follows. About TLV P Port Description TLV is transmitted N System Name TLV is transmitted D System Description TLV is transmitted C System Capabilities TLV is transmitted A Management Address TLV is transmitted No Transmit (disable) Blank No Transmit (receive only) About VLAN P Port VLAN ID p Port And Protocol VLAN ID N VLAN Name I Protocol Identity No Transmit (disable) Blank No Transmit (receive only) About Configration M MAC/PHY Configuration/Status P Power Via MDI L Link Aggregation F Maximum Frame Size 164/328
No Transmit (disable) Blank No Transmit (receive only) About SNMP T SNMP Notification Trap No Transmit (disable) Blank No Transmit (receive only)
2.2.11.4.Information – Statistics It displays the LLDP statistics information. 2.2.11.5.Information – Local Info
Figure 160
It displays the LLDP setup information and LLDP transmission information at all physical ports where the LLDP function is enabled.
165/328
2.2.11.6.Information – Local Summary
Figure 161
It displays the number of physical ports where the LLDP function is enabled. 2.2.11.7.Information – Remote Info It displays the detail information of adjacent device. 2.2.11.8.Information – Remote Summary It displays the LLDP adjacent device information at all physical ports where the LLDP function is enabled.
2.2.12. DHCP Client 2.2.12.1.DHCP Restart Issues a DHCP client request for any IP interface that has been set to DHCP mode. 2.2.12.2.DHCPv6 Restart Issues a DHCPv6 client request for any IPv6 interface that has been set to DHCP mode.
166/328
2.2.13. IPv6 2.2.13.1.Statistics
Figure 162
It displays statistics information of IPv6 packets.
167/328
2.3. Switching Menu 2.3.1. Forwarding Database 2.3.1.1. Config
Figure 163
Forwarding Mode Set the switching method. Buffering Mode Set the mode of buffer control. When "max mode" is set, the buffer control mode of using maximum buffer will be used and it is possible that it will not operate according to the QoS operation settings. When "QoS mode" is set, the buffer control mode of using QoS priority will be used and the possibility of discarding frame becomes higher. Aging Interval Specify Age Out Time of MAC Address Learning Table within the range of 10~ 3500 seconds.
168/328
2.3.1.2. Search
Figure 164
It displays the contents of Learning Table. You can specify a certain part of MAC address, VLAN ID or port name to display. 2.3.1.3. Clear To delete the Forwarding Database.
2.3.2. Port 2.3.2.1. Config
Figure 165
Enable/Disable Port Specify whether to use ether port. Pin-Group Specify the group number of Pin-Group to be used. 169/328
Link Aggregation Group Specify the group number of Link Aggregation group to be used. LACP Port Priority Specify the LACP Port Priority. When LACP is not used, this definition means nothing. Flow Control Set the action of "send" and "receive" for the Flow Control Function. Link Recovery Limit Specify the limit of Link Down frequency. It is the upper limit for the corresponding port to enter block state. When the Link Down frequency reaches the limit, the port which displays in system log will enter the block state. ICMP Watching IP Address Please specify the destination IP address to monitor when using monitor function. ICMP ECHO packets will be sent from the ether port to the specified destination IP address, and existence can be confirmed by the response. Please do not set it as the IP address of the device itself. Please also confirm that the specified IP address is in the same subnet, or the monitor function may not operate normally. ICMP Watching Interval Specify the normal sending interval of ICMP ECHO packets within the range of 1 second ~ 60 seconds(1 minute). ICMP Watching Timeout Specify the timeout interval within the range of 5 seconds ~ 180 seconds(3 minutes). It is considered that monitor fails when reaching the timeout interval. ICMP Watching Retry When there is no response for the normal sending ICMP ECHO packets, the ICMP ECHO packets will be resent. Specify the resend interval within the range of 1 second ~ (ICMP Watching Timeout) - 1 seconds. Broadcast Storm Control Set the threshold of the traffic for broadcast storm. Set the data amount in 1 second within the range of 8Kbps~8Gbps. When the threshold is not set(text box is blank), the storm observation will not be done. Multicast Storm Control Set the threshold of the traffic for multicast storm. Set the data amount in 1 second within the range of 8Kbps~8Gbps. When the threshold is not set(text box is blank), the storm observation will not be done. Storm Control Action Specify the action when broadcast/multicast storm occurs. Link down Block the port Discard Discard the data that surpasses threshold Output Rate Control The output rate is set by the unit of bps. The actual operation for the device is controlled by the value rounded down to the unit of 1/256 of 10Gbps (About 40Mbps). LLDP Notification Trap Set whether to send SNMP Notification Trap when LLDP information is changed. IEEE802.1Q Tunneling Mode Select whether to use IEEE802.1Q Tunneling. 170/328
Even if "Enable" is set here, this setting is invalid when the IEEE802.1Q Tunneling mode of this device is "Disable". Edge Relay Reflective Relay Mode Select the port reflective relay mode. Converged Enhanced Ethernet mode Select whether to use Converged Enhanced Ethernet. Priority group Set the Priority group number. Weight Set the Weight within the range of 1~100. Priority-based Flow Control Select whether to use Priority-based Flow Control. Priority map Set Priority group to each priority. Buffer optimization mode Select whether to enable the buffer optimization appropriate for the situation where PFC enabled traffic is excessively congested. FCoE Priority Set the priority of FCoE. FCoE use Select whether to use FCoE. iSCSI-Priority Set the priority of iSCSI. iSCSI use Select whether to use iSCSI. Caution: - If total weight exceeds 100, Converged Enhanced Ethernet is invalid. - If more than 1 Priority-based Flow Control exist, port is disabled. - If Converged Enhanced Ethernet mode is "Disable" even if Priority group and Priority map are set, Converged Enhanced Ethernet is invalid. - If Priority group, Weight or Priority map is not set even if Converged Enhanced Ethernet mode is "Enable", Converged Enhanced Ethernet is invalid.
171/328
2.3.2.2. Summary
Figure 166
It displays the port information simply.
172/328
2.3.2.3. Mirroring
Figure 167
Target Port Set the target port number. Source Port Set the source port number in decimal number. If you want to specify two or more ports, delimit them by ","(comma). Source Link Aggregation Group Set the source Link Aggregation Group number in decimal number. If you want to specify two or more Link Aggregation Groups, delimit them by ","(comma).
2.3.3. VLAN 2.3.3.1. Config
Figure 168
173/328
VLAN ID and Name Select existing VLAN or newly created VLAN. Select "Create" to create a new one. However, if "Create" is selected but the port belongs to the new VLAN is not set, the VLAN will not be created. VLAN ID Specify VLAN ID within the range of 1~4094 in decimal number. VLAN Name Specify VLAN name with no more than 32 ASCII characters within the range of 0x21,0x23 ~ 0x7e. VLAN Type It displays VLAN type. The contents are as follows. Default It displays "Default" when VLAN ID is 1. Static It displays "Static" for defined VLAN. Participation It is set whether each port belongs to current VLAN or not. Include The corresponding port belongs to the VLAN. Exclude The corresponding port does not belong to the VLAN. And if there is no corresponding port which belongs to the VLAN, the VLAN will be deleted. Tagging Set the tag of each port. Tagged Add tag to the corresponding port. Untagged Remove tag from the corresponding port. 2.3.3.2. Status
Figure 169
VLAN ID It displays VLAN ID. VLAN Name It displays VLAN NAME. 174/328
VLAN Type It displays VLAN type. The contents are as follows. Default It displays "Default" when VLAN ID is 1. Static It displays "Static" for defined VLAN. Slot/Port It displays the ports which belong to the corresponding VLAN. 2.3.3.3. Forward Database Config
Figure 170
VLAN ID Specify VLAN ID within the range of 1 ~ 4094 in decimal number. MAC Address Set the destination MAC address. Specify it in the format of xx:xx:xx:xx:xx:xx(xx is hexadecimal of 2 digits). 00:00:00:00:00:00, broadcast or multicast can not be specified. Slot/Port Select the corresponding port for the destination MAC address. If the selected port is a Link Aggregation member port, the settings are effective for the Link Aggregation Group. If the selected port is a Backup port, the settings are effective for the working port of the Backup Port Group.
175/328
2.3.3.4. Forward Database Summary
Figure 171
It displays the contents of VLAN forward database. VLANID Number MAC Address Slot/Port
VLANID Destination MAC Address number Destination MAC Address Corresponding forwarding port
2.3.3.5. Reset Config Exercising this function will cause all VLAN configuration parameters to be reset to their default values.
176/328
2.3.4. Protocol-based VLAN Config 2.3.4.1. Config
Figure 172
VLAN ID and Name Select existing protocol VLAN or newly created protocol VLAN. Select "Create" to create a new one. VLAN Name Specify VLAN name of protocol VLAN with no more than 32 ASCII characters within the range of 0x21,0x23 ~ 0x7e. VLAN ID Specify VLAN ID of protocol VLAN within the range of 2 ~ 4094 in decimal number. Protocol IPv4 Specify it as IPv4 protocol. It is the packets of EthernetII Ethertype=0800,0806,8035. IPv6 Specify it as IPv6 protocol. It is the packets of EthernetII Ethertype=86dd.
177/328
2.3.4.2. Summary VLAN Name It displays VLAN name of protocol VLAN. VLAN ID It displays VLAN ID of protocol VLAN. Protocol IPv4 It is specified as IPv4 protocol. It is the packets of EthernetII Ethertype=0800,0806,8035. IPv6 It is specified as IPv6 protocol. It is the packets of EthernetII Ethertype=86dd.
178/328
2.3.5. GVRP 2.3.5.1. GVRP - Global Config
Figure 173
GVRP Mode Specify whether to use GVRP on this device. - Disable GVRP is not to be used on this device. - Enable GVRP is to be used on this device. 2.3.5.2. GVRP - Port Config
Figure 174
GVRP Mode Specify whether to use GVRP on this port. - Disable GVRP is not to be used on this device. - Enable GVRP is to be used on this device. Registration Specify Registrar Administrative Control value of GVRP on this port. - Normal Specify Registrar as Normal Registration on this port. The Registrar responds normally to incoming GVRP messages. Dynamic VLAN can be added or deleted on this port. Static VLAN can not be configured through CLI command on this port. - Fixed Specify Registrar as Registration Fixed on this port. 179/328
The Registrar transmit GVRP messages, but Dynamic VLAN can not be added or deleted on this port. Dynamic VLANs which have been configed on this port must be deleted. Static VLAN can be configed through CLI command on this port. - Forbidden Specify Registrar as Registration Forbidden on this port. The Registrar transmit GVRP messages, but Dynamic VLAN can not be added or deleted on this port. Dynamic VLANs and static VLANs (exclude default VLAN) which have been configed on this port must be deleted. Static VLAN can not be configed through CLI command on this port. Join Time Specify interval between transmitting of GVRP messages, within the range of 20 centiseconds to 16375 centiseconds. Default value is 20 centiseconds. If not set, default value will be used. Leave Time Specify the time to wait after receiving an unregister request for a VLAN before deleting the associated entry, within the range of 45 centiseconds to 32760 centiseconds. Default value is 60 centiseconds. If not set, default value will be used. Leaveall Time The Leave All Time controls how frequently LeaveAll PDUs are generated. A LeaveAll PDU indicates that all registrations will shortly be deregistered. Participants will need to rejoin in order to maintain registration. Specify GVRP leaveall timer within the range of 50 centiseconds to 32765 centiseconds. Default value is 1000 centiseconds. If not set, default value will be used.
180/328
2.3.5.3. GVRP - Port Status
Figure 175
If GVRP is enabled, GVRP information will be displayed here. Port Port number. Gvrp GVRP is enabled or disabled on this port. Regist Registrar Administrative Control value of GVRP on this port. join timer The time between the transmission of GARP PDUs registering (or re-registering) membership for a VLAN. leave timer The time to wait after receiving an unregister request for a VLAN before deleting the associated entry. leaveall timer The Leave All Time controls how frequently LeaveAll PDUs are generated. A LeaveAll PDU indicates that all registrations will shortly be deregistered. Participants will need to rejoin in order to maintain registration. Vlan Dynamic VLAN registered by GVRP.
181/328
2.3.5.4. GVRP - Port Statistics
Figure 176
It displays the statistics of received and sent GVRP BPDU of the port which is selected.
2.3.5.5. GVRP – Clear Statistics GVRP statistics of all ports will be cleared when "clear" button be clicked.
182/328
2.3.6. GMRP 2.3.6.1. GMRP - Global Config
Figure 177
GMRP Mode Specify whether to use GMRP on this device. - Disable GMRP is not to be used on this device. - Enable GMRP is to be used on this device.
2.3.6.2. GMRP – Port Config
Figure 178
GMRP Mode Specify whether to use GMRP on this port. - Disable GMRP is not to be used on this port. - Enable GMRP is to be used on this port. Forward All Specify whether to forward all multicast packets through this port when GMRP is used on this device. Please set Forward All option as Enable when the port is connected to multicast router. Join Time Specify interval between transmitting of GMRP messages, within the range of 20 centiseconds to 16375 centiseconds. Default value is 20 centiseconds. If not set, default value will be used. 183/328
Leave Time Specify the time to wait after receiving an unregister request for a multicast MAC address before deleting the associated entry, within the range of 45 centiseconds to 32760 centiseconds. Default value is 60 centiseconds. If not set, default value will be used. Leaveall Time The Leave All Time controls how frequently LeaveAll PDUs are generated. A LeaveAll PDU indicates that all registrations will shortly be deregistered. Participants will need to rejoin in order to maintain registration. Specify GMRP leaveall timer within the range of 50 centiseconds to 32765 centiseconds. Default value is 1000 centiseconds. If not set, default value will be used. 2.3.6.3. GMRP – Port Status
Figure 179
If GMRP is enabled, GMRP information will be displayed here. Port Port number. Gmrp GMRP is enabled or disabled on this port. forward-all Forward all option is enabled or disabled on this port. join timer The time between the transmission of GARP PDUs registering (or re-registering) membership for a multicast MAC address. leave timer 184/328
The time to wait after receiving an unregister request for a multicast MAC address before deleting the associated entry. leaveall timer The Leave All Time controls how frequently LeaveAll PDUs are generated. A LeaveAll PDU indicates that all registrations will shortly be deregistered. Participants will need to rejoin in order to maintain registration. 2.3.6.4. GMRP – GMRP Registration Table
Figure 180
It displays multicast MAC address registered by GMRP and the corresponding port for each multicast MAC address.
2.3.6.5. GMRP – Port Statistics
Figure 181
It displays the statistics of received and sent GMRP BPDU of the port which is selected. 2.3.6.6. GMRP – Clear Statistics GMRP statistics of all ports will be cleared when "clear" button be clicked.
185/328
186/328
2.3.7. IGMP 2.3.7.1. IGMP Snooping – Config and Status
Figure 182
Admin Mode Specify the operation mode of IGMP Snoop Function. Enable Enable IGMP Snoop Function. Disable Disable IGMP Snoop Function. Local Multicast Group Set the action when receiving packets of Local Multicast Group. Auto Join Multicast packets of local group can be transferred when it is received. Watch Join When Membership Report of local group is received, it can be transferred. Flooding Multicast packets of local group can be transferred.
187/328
2.3.7.2. IGMP Snooping – VLAN Config
Figure 183
VLAN ID Specify VLAN ID within the range of 1 ~ 4094 in decimal number. Multicast Router Port Specify the judging method of Multicast Router Port. Auto Multicast Router Port is judged dynamically. Yes Multicast Router Port is specified statically. Only the specified port is set as router port. 2.3.7.3. Snooping Querier – VLAN Config
Figure 184
188/328
VLAN ID Specify VLAN ID within the range of 1 ~ 4094 in decimal number. Querier Specify the operation mode of querier. Enable Operates as querier when multicast router does not exist. Disable Do not operate as querier regardless of the existence of multicast router. IP Address Specify the source IP address for using IGMP snoop. The IP address set here will be set as source address in the IGMP packets sent from this device. The valid range is as follows. 0.0.0.0 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IGMP Proxy Specify the mode of sending IGMP proxy response. Disable IGMP proxy response will not be sent. Enable IGMP proxy response will be sent. Please specify it as "Disable" when the device using IGMP V1 exists. If querier operation mode is disabled, when multicast router does not exist, multicast transfer will be stopped.
2.3.7.4. Snooping Querier – VLAN Status It displays the information of IGMP snoop port.
189/328
2.3.8. MLD 2.3.8.1. MLD Snooping – Config and Status
Figure 185
Admin Mode Specify the operation mode of MLD Snoop Function. Enable Enable MLD Snoop Function. Disable Disable MLD Snoop Function. Local Multicast Group Set the action when receiving packets of Local Multicast Group. Flooding Multicast packets of local group can be transferred. Watch Join When Membership Report of local group is received, it can be transferred. 2.3.8.2. MLD Snooping – VLAN Config
Figure 186
190/328
VLAN ID Specify VLAN ID within the range of 1 ~ 4094 in decimal number. Multicast Router Port Specify the judging method of Multicast Router Port. Auto Multicast Router Port is judged dynamically. Yes Multicast Router Port is specified statically. Only the specified port is set as router port. 2.3.8.3. Snooping Querier – VLAN Config
Figure 187
VLAN ID Specify VLAN ID within the range of 1 ~ 4094 in decimal number. Querier Specify the operation mode of querier. Enable Operates as querier when multicast router does not exist. Disable Do not operate as querier regardless of the existence of multicast router. IP Address Specify the source IP address for using MLD snoop. The IP address set here will be set as source address in the MLD packets sent from this device. The valid range is as follows. FE80::/10 ... Link-Local Unicast address MLD Proxy Specify the mode of sending MLD proxy response. Disable MLD proxy response will not be sent. Enable MLD proxy response will be sent. 191/328
If querier operation mode is disabled, when multicast router does not exist, multicast transfer will be stopped. 2.3.8.4. Snooping Querier – VLAN Status It displays the information of MLD snoop port.
2.3.9. Multicast Forwarding Database 2.3.9.1. IGMP – IGMP Snooping Table It displays the multicast listener information of IGMP Snoop. 2.3.9.2. IGMP – IGMP Statistics It displays the statistics information of IGMP Snoop. 2.3.9.3. MLD – MLD Snooping Table It displays the multicast listener information of MLD Snoop. 2.3.9.4. MLD – MLD Statistics It displays the statistics information of MLD Snoop.
2.3.10. Link Aggregation 2.3.10.1.LACP Config
Figure 188
System Priority Set the LACP system priority. The Link Aggregation Group will exchange information with other Link Aggregation Group, then use the system priority to decide which one has higher priority. When they have the same system priority, the one with smaller system ID(Designated MAC Address + 1) has higher priority. When LACP is not used, this definition is meaningless.
192/328
2.3.10.2.Group Config
Figure 189
Group Set the Link Aggregation group id. Pin-Group Specify the group number of Pin-Group to be used. Algorithm Specify the load-balance algorithm. Source MAC Address Divide by source MAC address Destination MAC Address Divide by destination MAC address Both MAC Address Divide by both source and destination MAC address Source IP Address Divide by source IP address Destination IP Address Divide by destination IP address Both IP Address Divide by XOR of source and destination IP address Received Ethernet Port Divide by received Ethernet port Mode Set the operation mode of Link Aggregation. When "Static" is set, it will compose the static Link Aggregation without using LACP. When "Active" or "Passive" is set, it is the dynamic Link Aggregation using LACP. In the "Active" mode, the LACPDU periodical transmission to remote LACP device will start voluntarily. In the "Passive" mode, as long as LACPDU is not received from remote LACP, LACPDU periodical transmission will not be done. In other words, Link Aggregation is not composed when both devices are in "Passive" mode. Minimum Link Set the Minimum number of member ports for Link Aggregation communication within the range of 1 ~ 10 in decimal number. If the number of ports united by Link Aggregation is less than the specified Minimum Link, communication can not be done in the Link Aggregation.
193/328
And when the number of member ports falls below the specified Minimum Link because of trouble, etc, communication can not be done in the Link Aggregation. ICMP Watching IP Address Please specify the destination IP address to monitor when using monitor function. ICMP ECHO packets will be sent from the ether port to the specified destination IP address, and existence can be confirmed by the response. Please do not set it as the IP address of the device itself. Please also confirm that the specified IP address is in the same subnet, or the monitor function may not operate normally. ICMP Watching Interval Specify the normal sending interval of ICMP ECHO packets within the range of 1 second ~ 60 seconds(1 minute). ICMP Watching Timeout Specify the timeout interval within the range of 5 seconds ~ 180 seconds(3 minutes). It is considered that monitor fails when reaching the timeout interval. ICMP Watching Retry When there is no response for the normal sending ICMP ECHO packets, the ICMP ECHO packets will be resent. Specify the resend interval within the range of 1 second ~ (ICMP Watching Timeout) - 1 seconds. Converged Enhanced Ethernet mode Select whether to use Converged Enhanced Ethernet. Priority group Set the Priority group number. Weight Set the Weight within the range of 1-100. Priority-based Flow Control Select whether to use Priority-based Flow Control. Priority map Set Priority group to each priority. Buffer optimization mode Select whether to enable the buffer optimization appropriate for the situation where PFC enabled traffic is excessively congested. FCoE Priority Set the priority of FCoE. FCoE use Select whether to use FCoE. iSCSI-Priority Set the priority of iSCSI. iSCSI use Select whether to use iSCSI. Caution: - If total weight exceeds 100, Converged Enhanced Ethernet is invalid. - If more than 1 Priority-based Flow Control exist, port is disabled. - If Converged Enhanced Ethernet mode is "Disable" even if Priority group and Priority map are set, Converged Enhanced Ethernet is invalid. - If Priority group, Weight or Priority map is not set even if Converged Enhanced Ethernet mode is "Enable", Converged Enhanced Ethernet is invalid. 194/328
2.3.11. Port Backup 2.3.11.1.Configuration
Figure 190
Group ID Set the backup group id. Group Mode Set the method for selecting the port to use when both ports can be used. Master Make use of the master port in preference. Earlier Make use of the port which is link up (become usable) first. Standby Mode Set the standby state of the backup ports. Link Up The backup port will standby in link up state. Link Down The backup port will be link down to standby. Change Notify Use this field to configure change notify. 2.3.11.2.Status
Figure 191
It displays the information of the ports
195/328
2.3.12. IEEE802.1Q Tunneling 2.3.12.1.IEEE802.1Q Tunneling Configuration
Figure 192
Select whether to use IEEE802.1Q Tunneling. If "Enable" is selected, the IEEE802.1Q Tunneling will be done. If "Disable" is selected,the IEEE802.1Q Tunneling will not be done. Caution: - Even if "Enable" is selected here, IEEE802.1Q Tunneling will be disabled if IEEE802.1Q Tunneling Mode is set as "Disable" in IEEE802.1Q Tunneling Mode of [Switching]-[Port]-[Config].
196/328
2.3.13. MAC Filter 2.3.13.1.Config
Figure 193
Filter Address Set the MAC Filtering. The filtering operation specified in "Action" will be done to the packets corresponding to the MAC address, VLAN ID, IP, ICMP, TCP or UDP definition of the specified Access Control List. 2.3.13.2.IPv6 Config
Figure 194
IPv6 Filter Address Set the IPv6 Filtering.
197/328
The filtering operation specified in "Action" will be done to the packets corresponding to the MAC address, VLAN ID, IPv6, ICMP, TCP or UDP definition of the specified Access Control List.
198/328
2.4. Security Menu 2.4.1. Port Access Control 2.4.1.1. Config – IEEE802.1X
Figure 195
IEEE802.1X Authentication Select whether to use IEEE802.1X authentication for the device. If "Use" is selected, the IEEE802.1X authentication of the transmission source terminal will be done. If the result of the terminal authentication is success, the packets will be relayed; otherwise the packets will be discarded. If "Disuse" is selected, the IEEE802.1X authentication will not be done. Caution: - Even if "Use" is selected here, IEEE802.1X authentication will be disabled if IEEE802.1X Authentication is set as "Disuse" in IEEE802.1X of [Security]-[Port Access Control]-[Port Config]. Authentication Method Select the system default authentication unit as the authentication method. Caution: - When "Each Port" is selected as the authentication method, if one terminal (Supplicant) connected to that port has been successfully authenticated, all the access from other terminals connected to the same port will be passed. - When the port in which WEB Authentication or MAC Address Authentication is also enabled exists, please set the same Authentication Method for all the authentication function. EAPOL Transfer Mode Select the transfer mode of EAPOL frames which is used for IEEE802.1X authentication. Transmit When EAPOL frames are received, the frames will be transmitted to the ports with the same VLAN ID as the "untagged" VLAN ID set in the port where the frames are received. Don't Transmit 199/328
EAPOL frames are not transmitted. Caution: - EAPOL frame is forbidden to be transmitted in IEEE 802.1D. - EAPOL frame can not be transmitted when IEEE802.1X authentication is used. Please don't select "Transmit". 2.4.1.2. Config – Web Authentication
Figure 196
Authentication Function Select whether to use Web authentication for the device. If "Use" is selected, the authentication will be done for the terminals where Web browser is used and only the communication of the successfully authenticated terminal is allowed. If "Disuse" is selected, Web authentication will not be done. Caution: - Even if "Use" is selected here, WEB authentication will be disabled in the port where Web Authentication is set as "Disuse" in Web Authentication of [Security]-[Port Access Control]-[Port Config]. Authentication Protocol Select authentication protocol of Web authentication.
200/328
2.4.1.3. Config – MAC Address Authentication
Figure 197
Authentication Function Select whether to use MAC address authentication for the device. If "Use" is selected, the MAC address authentication of the transmission source terminal will be done. If the result of the MAC address authentication is success, the packets will be relayed; otherwise the packets will be discarded. If "Disuse" is selected, the MAC address authentication will not be done. Caution: - Even if "Use" is selected here, MAC address authentication will be disabled if MAC Address Authentication is set as "Disuse" in MAC Address Authentication of [Security]-[Port Access Control]-[Port Config]. Password Specify the authentication password used for MAC address authentication. Specify it with a string composed of 0x21, 0x23~0x7e within 128 characters. If it is omitted, the MAC address of authentication terminal will be used as password. Confirm Password Specify the password above once more. Authentication Protocol Select authentication protocol of MAC address authentication.
201/328
2.4.1.4. Port Config – IEEE802.1X
Figure 198
IEEE802.1X Authentication Select whether to use IEEE802.1X authentication. If "Use" is selected, IEEE802.1X authentication of the source terminal of packets will be done. If the result is success, the packets will be relayed; otherwise the packets will be discarded. For the port where "Disuse" is selected, IEEE802.1X authentication will not be done. Even if "Use" is selected here, IEEE802.1X authentication will be disabled if authentication function is set as "Disuse" for the device. Authentication Method Select the system default authentication unit as the authentication method. When "Each Port" is selected as the authentication method, if one terminal (Supplicant) connected to that port has been successfully authenticated, all the access from other terminals connected to the same port will be passed. When the port in which WEB Authentication or MAC Address Authentication is also enabled exists, please set the same authentication method for all the authentication function. AAA Group Specify AAA group ID within the range of 0 ~ 9 in decimal number used as reference when doing IEEE802.1X authentication. Default VLAN ID Specify default VLAN ID allocated to supplicant when the result of IEEE802.1X authentication is success. If VLAN ID allocated to terminal (Supplicant) is notified from AAA/RADIUS server, the VLAN ID notified from AAA/RADIUS server will be allocated instead of the VLAN ID defined here. Please make sure that the interface with the same VLAN ID set here needs to be set to other ports. If the interface with the same VLAN ID does not exist, authentication fails regardless of the authentication result. Wakeup On LAN Packet Mode Set forward mode of Wake On LAN packet. Only the Wake On LAN packet to Directed Broadcast Address can be forwarded. 202/328
EAPOL MAC Address Set the permitted destination MAC address of EAPOL frame. Quiet Period Set the time it waits to begin re-authentication after first authentication of the terminal(Supplicant) failed. Set it within the range of 0 ~ 600 seconds. If 0 second is specified, after first authentication failed, authentication will not be restrained and it will access second authentication request immediately. Transmit Period Set the sending interval of user ID request within the range of 1 ~ 600 seconds. Supplicant Timeout Set the waiting time for EAP response from terminal(Supplicant) within the range of 1 ~ 600 seconds. Maximum Requests Specify the EAP resending count when EAP response is not received. Specify the count within the range of 1 ~ 10. Reauthentication Period Specify the re-authentication interval for terminal(Supplicant) within the range of 15 seconds ~ 18000 seconds. If 0 is specified, the re-authentication will not be done. 2.4.1.5. Port Config – Web Authentication
Figure 199
Web Authentication Select whether to use Web authentication. If "Use" is selected, WEB authentication of the terminal using WEB browser will be done, only the terminal whose authentication result is success is permitted to do communication. For the port where "Disuse" is selected, WEB authentication will not be done. Even if "Use" is selected here, WEB authentication will be disabled if authentication function is set as "Disuse" for the device. Authentication Method Select the system default authentication unit as the authentication method. 203/328
When "Each Port" is selected as the authentication method, if one terminal (Supplicant) connected to that port has been successfully authenticated, all the access from other terminals connected to the same port will be passed. When the port in which IEEE802.1X Authentication or MAC Address Authentication is also enabled exists, please set the same authentication method for all the authentication function. AAA Group Specify AAA group ID within the range of 0 ~ 9 in decimal number used as reference when doing WEB authentication. Default VLAN ID Specify default VLAN ID allocated to supplicant when the result of WEB authentication is success. If VLAN ID allocated to terminal (Supplicant) is notified from AAA/RADIUS server, the VLAN ID notified from AAA/RADIUS server will be allocated instead of the VLAN ID defined here. Please make sure that the interface with the same VLAN ID set here needs to be set to other ports. If the interface with the same VLAN ID does not exist, authentication fails regardless of the authentication result. Wakeup On LAN Packet Mode Set forward mode of Wake On LAN packet. Only the Wake On LAN packet to Directed Broadcast Address can be forwarded. Web Authentication Auto Logout Specify the valid time for Web authentication. If "Absolute" is selected, after authentication is done, the authentication will be released after the specified time (time unit is minute). If "Disable" is selected, Web authentication will not be released. Because it checks for Web authentication auto logout time every 30 seconds, the maximum difference with the real Web authentication auto logout time is 30 seconds. If physical port of this device is connected to switching HUB, etc, and two or more terminals are authenticated at one physical port, please set the Web authentication auto logout time. If "Disable"(not to release WEB authentication) is selected here, unless Link Down occurs at the physical port where authentication has completed for authenticated terminal, it can not access network through this device if the terminal is moved to other physical ports of this device. After authentication is released according to the settings of the Web authentication auto logout time, please connect the terminal to other physical ports of this device. If the terminal is connected to other physical ports of this device before authentication is released, it can not access network through this device until the authentication is released, or it needs to re-acquire the IP address of the connected terminal. Authenticated Terminal Set the terminal which is permitted to do communication without WEB authentication. If "Disuse" is selected for "Web Authentication" or "Each Port" is selected for "Authentication Method", the settings here are ineffective. 00:00:00:00:00:00, broadcast or multicast can not be specified in MAC Address. If the VLAN specified by VLAN ID is unregistered, the settings are ineffective. The same address can not be registered to two or more ports. It is possible that the specified Authenticated Terminal can not do communication normally when it is connected to other ports.
204/328
2.4.1.6. Port Config – MAC Address Authentication
Figure 200
MAC Address Authentication Select whether to use MAC Address authentication. If "Use" is selected, MAC address authentication of the source terminal of packets will be done. If it has the authenticated MAC address, the packets will be relayed; otherwise the packets will be discarded. For the port where "Disuse" is selected, MAC address authentication will not be done. Even if "Use" is selected here, MAC address authentication will be disabled if authentication function is set as "Disuse" for the device. Authentication Method Select the system default authentication unit as the authentication method. When "Each Port" is selected as the authentication method, if one terminal (Supplicant) connected to that port has been successfully authenticated, all the access from other terminals connected to the same port will be passed. When the port in which IEEE802.1X Authentication or WEB Authentication is also enabled exists, please set the same authentication method for all the authentication function. AAA Group Specify AAA group ID within the range of 0 ~ 9 in decimal number used as reference when doing MAC address authentication. Default VLAN ID Specify default VLAN ID allocated to supplicant when the result of MAC address authentication is success. If VLAN ID allocated to terminal (Supplicant) is notified from AAA/RADIUS server, the VLAN ID notified from AAA/RADIUS server will be allocated instead of the VLAN ID defined here. Please make sure that the interface with the same VLAN ID set here needs to be set to other ports. If the interface with the same VLAN ID does not exist, authentication fails regardless of the authentication result. Wakeup On LAN Packet Mode Set forward mode of Wake On LAN packet. Only the Wake On LAN packet to Directed Broadcast Address can be forwarded. 205/328
Authentication Result Hold Time Specify the result hold time of MAC address authentication. The re-authentication of successfully authenticated terminal will be done after the time specified in "Success" passed. The re-authentication of authentication failed terminal will not be done until the time specified in "Failure" passed. Because it checks for authentication result hold time every 30 seconds, the maximum difference with the real authentication result hold time is 30 seconds. Authenticated Terminal Set the terminal which is permitted to do communication without MAC address authentication. If "Disuse" is selected for "MAC Address Authentication" or "Each Port" is selected for "Authentication Method", the settings here are ineffective. 00:00:00:00:00:00, broadcast or multicast can not be specified in MAC Address. If the VLAN specified by VLAN ID is unregistered, the settings are ineffective. The same address can not be registered to two or more ports. It is possible that the specified Authenticated Terminal can not do communication normally when it is connected to other ports. 2.4.1.7. Port Status – IEEE802.1X
Figure 201
It displays authentication information, including user name, authentication method, authentication state and statistics of authenticated successfully terminal(Supplicant). Port Port Number User User Name EAP-Type Authentication method Authentication Authentication State -
Means that the port has not been set or is not connected.
Authenticating In authentication processing Authenticated Authentication Complete 206/328
Failure OK times NG times Status
Authentication Failed
Success times of Authentication Failure times of Authentication Displays internal state of IEEE802.1X authentication. S0: Before Authentication State S1: In Authentication State S2: Charge Starting State S3: Normal State S4: Charge Stopping State
VLAN VLAN ID MAC address MAC address of terminal(Supplicant) Since Time when authentication succeeded(Not update when re-authentication) 2.4.1.8. Port Status – Web Authentication
Figure 202
It displays Web authentication state. PORT Physical port number USER User Name MAC Authentication terminal number and MAC address STATUS Web authentication status Displays as one of the follows. response Wait for authentication result after input ID and password idle Wait for ID and password of Web authentication success Web authentication succeed and VLAN ID has been allocated VLAN TYPE
VLAN ID Authentication method 207/328
Displays as one of the follows.
DATE
mac
Authenticate for each MAC address
port
Authenticate for each port
-
VLAN has not been set
Time when authentication succeeded
2.4.1.9. Port Status – MAC Address Authentication
Figure 203
It displays MAC address authentication state. Port Port number Mode Authentication method mac port
Authenticate for each MAC address Authenticate for each port
MAC Address MAC Address Status Authentication State idle response success permanent
No authentication terminal detected Wait for authentication result authentication succeed Authenticated Terminal authentication failed or surpass authentication limit failure times Note: Before authentication, it displays as "idle" VLAN Since
VLAN ID Time when authentication started, succeeded or failed 208/328
2.4.1.10.Port Summary – Authentication Information It displays successfully authenticated terminal information of each authentication function(IEEE802.1X authentication , WEB authentication , MAC address authentication). Port Port Number Mode Authentication Method(at first line of each port) mac port
Authenticate for each MAC address Authenticate for each port
MAC Address MAC Address Function successfully authenticated function dot1x webauth macauth
IEEE802.1X authentication Web authentication MAC address authentication
VLAN VLAN ID Note: For the port where successfully authenticated terminal does not exits, the items other than Port Number displays as "-".
209/328
2.4.1.11.Statistics – IEEE802.1X It displays statistics information of IEEE802.1X authentication. 2.4.1.12.Statistics – Web Authentication It displays statistics information of WEB authentication.
2.4.1.13.Statistics – MAC Address Authentication It displays statistics information of MAC address authentication.
2.4.2. RADIUS 2.4.2.1. Config
Figure 204
AAA Group ID Specify AAA group ID with the decimal number less than 10. Authentication Mode Specify whether to use RADIUS authentication function. Authentication Source IP Address Set self IP address used to communicate with the RADIUS authentication server. The valid ranges are as follows. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Message-Authenticator Set whether to do authentication by Message-Authenticator. 210/328
When doing IEEE802.1X authentication, it will do authentication by Message-Authenticator regardless of this setting. It can only be used for authentication request message in this device. Accounting Mode Set whether to use RADIUS accounting function. Accounting Source IP Address Set self IP address used to communicate with the RADIUS accounting server. The valid ranges are as follows. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Retry Interval Set packets resent interval when there is no response from RADIUS server. The valid ranges are as follows. 1 ~ 10(seconds) Retry Times Set packets resent count when there is no response from RADIUS server. The valid ranges are as follows. 1 ~ 10(times) Security Mode Set security level when there is no response from RADIUS server. When "High" is selected, it operates as authentication failed. When "Normal" is selected, it operates as authentication succeeded.
211/328
2.4.2.2. Server Config
Figure 205
IP Address Set IP address of RADIUS authentication server. The valid ranges are as follows. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Secret Set the share key(RADIUS secret) between this device and RADIUS authentication server. Priority Specify the priority used to decide which RADIUS server to use for authentication when there are several RADIUS servers in the same group. In the same group, the highest priority RADIUS server which is not in "dead" status will be used. If there is more than one RADIUS server with the highest priority, the RADIUS server to be used will be randomly decided. Dead Time Specify the recover time it waits to recover to "alive" status automatically after RADIUS server enters "dead" status. If the response from RADIUS server is not received, that RADIUS server will be set as "dead" status and set as the lowest priority. The RADIUS server in "dead" status can not be used as long as the server in "alive" exists. This setting is used to set the waiting time after it enters "dead" status, when the time expires, it can recover to "alive" status with the specified priority. In order to recover from "dead" status to "alive" status, one of the following conditions has to be matched. - The specified Dead Time period passed
212/328
- After all the possible server enters "dead" status, the packets are sent to the RADIUS server in "dead" status, and response is received - Recover manually The valid ranges are as follows. 0 ~ 86400(seconds) If 0 is specified, it will not recover to "alive" status automatically. 2.4.2.3. Accounting Server Config
Figure 206
IP Address Set IP address of RADIUS accounting server. The valid ranges are as follows. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Secret Set the share key(RADIUS secret) between this device and RADIUS accounting server. Priority Specify the priority used to decide which RADIUS server to use for authentication when there are several RADIUS servers in the same group. In the same group, the highest priority RADIUS server which is not in "dead" status will be used. If there is more than one RADIUS server with the highest priority, the RADIUS server to be used will be randomly decided. Dead Time Specify the recover time it waits to recover to "alive" status automatically after RADIUS server enters "dead" status. If the response from RADIUS server is not received, that RADIUS server will be set as "dead" status and set as the lowest priority. The RADIUS server in "dead" status can not be used as 213/328
long as the server in "alive" exists. This setting is used to set the waiting time after it enters "dead" status, when the time expires, it can recover to "alive" status with the specified priority. In order to recover from "dead" status to "alive" status, one of the following conditions has to be matched. - The specified Dead Time period passed - After all the possible server enters "dead" status, the packets are sent to the RADIUS server in "dead" status, and response is received - Recover manually The valid ranges are as follows. 0 ~ 86400(seconds) If 0 is specified, it will not recover to "alive" status automatically. 2.4.2.4. Summary It displays the status of RADIUS server. Type Server Type Auth Acct No. Server Address Port Pri State
Server definition Number Server IP Address Server Port Number Priority Server status alive dead
recover
Authentication Server Accounting Server
usable no response
recover remaining time / recover standby time When server status is "alive", displays as "-".
214/328
2.4.3. TACACS+ 2.4.3.1. Config
Figure 207
AAA Group ID Specify AAA group ID within the range of 0 ~ 9 in decimal number. TACACS+ Service Specify whether to use TACACS+ function. Timeout Set timeout when there is no response from TACACS+ server. The valid ranges are as follows. 1 ~ 300(seconds) Authentication Security Mode Set TACACS+ Authentication security operation when there is no response from server. When "High", it operates as a failure to authenticate. When "Normal", it operates as a success to authenticate. Authorization Security Mode Set TACACS+ Authorization security operation when there is no response from server. When "High", it operates as a failure to authorize. When "Normal", it operates as a success to authorize.
215/328
2.4.3.2. Server Config
Figure 208
IP Address To set the IP address of the TACACS+ authentication server. The IP Address of authentication server cannot be omitted. The value range can be specified as followed. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Secret Set the share key between this device and TACACS+ authentication server. It is considered that the share key is not set when omitted. Moreover, when it is not set, the communication between TACACS+ servers is not encrypted. Priority To specify the priority of some TACACS+ servers in the same group, which decides which TACACS+ server to use at the time of authentication. In the same group, the highest priority TACACS+ server not in dead status will be used. If there are multiple TACACS+ servers with the highest priority, the used TACACS+ server will be decided randomly. Dead Time Specify the recover time it waits to recover to "alive" status automatically after TACACS+ server enters "dead" status. If the response from TACACS+ server is not received, that TACACS+ server will be set as "dead" status and set as the lowest priority. The TACACS+ server in "dead" status can not be used as long as the server in "alive" exists. This setting is used to set the waiting time after it
216/328
enters "dead" status, when the time expires, it can recover to "alive" status with the specified priority. In order to recover from "dead" status to "alive" status, one of the following conditions has to be matched. - The specified Dead Time period passed - After all the possible server enters "dead" status, the packets are sent to the TACACS+ server in "dead" status, and response is received - Recover manually The valid ranges are as follows. 0 ~ 86400(seconds) If 0 is specified, it will not recover to "alive" status automatically. Source IP Address Source IP address used to communicate with the TACACS+ authentication server is set. Source IP address used to communicate with the authentication server is automatically allotted when it is not set. The value range can be specified as followed. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 2.4.3.3. Authorization Server Config
Figure 209
IP Address To set the IP address of the TACACS+ authorization server. The IP Address of authorization server cannot be omitted. The value range can be specified as followed. IPv4: 1.0.0.1 ~ 126.255.255.254 217/328
128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Secret Set the share key between this device and TACACS+ authorization server. It is considered that the share key is not set when omitted. Moreover, when it is not set, the communication between TACACS+ servers is not encrypted. Priority To specify the priority of some TACACS+ servers in the same group, which decides which TACACS+ server to use at the time of authorization. In the same group, the highest priority TACACS+ server not in dead status will be used. If there are multiple TACACS+ servers with the highest priority, the used TACACS+ server will be decided randomly. Dead Time Specify the recover time it waits to recover to "alive" status automatically after TACACS+ server enters "dead" status. If the response from TACACS+ server is not received, that TACACS+ server will be set as "dead" status and set as the lowest priority. The TACACS+ server in "dead" status can not be used as long as the server in "alive" exists. This setting is used to set the waiting time after it enters "dead" status, when the time expires, it can recover to "alive" status with the specified priority. In order to recover from "dead" status to "alive" status, one of the following conditions has to be matched. - The specified Dead Time period passed - After all the possible server enters "dead" status, the packets are sent to the TACACS+ server in "dead" status, and response is received - Recover manually The value range can be specified as followed. 0~86400(second) If specified 0, it does not automatically restore the alive status. Source IP Address Source IP address used to communicate with the TACACS+ authorization server is set. Source IP address used to communicate with the authorization server is automatically allotted when it is not set. The value range can be specified as followed. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
218/328
2.4.3.4. Summary It displays the status of TACACS+ server. Type Server Type Authen Author No. Server Address Pri State
Server definition Number Server IP Address Priority Server status alive dead
recover
Authentication Server Authorization Server
usable no response
recover remaining time / recover standby time When server status is "alive", displays as "-".
219/328
2.4.4. LDAP 2.4.4.1. Config
Figure 210
AAA Group ID Specify AAA group ID within the range of 0 ~ 9 in decimal number. LDAP Service Specify whether to use LDAP Client function. Timeout Set timeout when there is no response from LDAP server. The valid ranges are as follows. 1 ~ 300(seconds) Authentication Security Mode Set LDAP Authentication security operation when there is no response from server. When "High", it operates as a failure to authenticate. When "Normal", it operates as a success to authenticate.
220/328
2.4.4.2. Server Config
Figure 211
AAA Group ID Specify AAA group ID within the range of 0 ~ 9 in decimal number. Server Specify Server number within the range of 0 ~ 3 in decimal number. LDAP Server IP Address Specify the IP address of LDAP authentication server. The IP Address of LDAP authentication server cannot be omitted. The value range can be specified as followed. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff RDN attribute Specify RDN attribute of Bind DN, default is empty string. Bind DN without RDN Specify Partial Bind DN exclude RDN with it, default is empty string. Class attribute Specify user class attribute, default is empty string. Admin class value Specify Admin class value, default is empty string. If you want to specify two or more values, delimit them by ","(comma). Priority Specify the priority of some LDAP servers in the same group, which decides which LDAP server to use at the time of authentication. In the same group, the highest priority LDAP server not in dead status will be used. If there are multiple LDAP servers with the highest priority, the used LDAP server will be decided randomly. 221/328
Dead Time Specify the recover time it waits to recover to "alive" status automatically after LDAP server enters "dead" status. If the response from LDAP server is not received, that LDAP server will be set as "dead" status and set as the lowest priority. The LDAP server in "dead" status can not be used as long as the server in "alive" exists. This setting is used to set the waiting time after it enters "dead" status, when the time expires, it can recover to "alive" status with the specified priority. In order to recover from "dead" status to "alive" status, one of the following conditions has to be matched. - The specified Dead Time period passed - After all the possible server enters "dead" status, the packets are sent to the LDAP server in "dead" status, and response is received - Recover manually The valid ranges are as follows. 0 ~ 86400(seconds) If 0 is specified, it will not recover to "alive" status automatically. Source IP Address Source IP address used to communicate with the LDAP authentication server is set. Source IP address used to communicate with the authentication server is automatically allotted when it is not set. The value range can be specified as followed. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Caution: - For example, if RDN(Relative Distinguished Name) attribute is set as "cn"(common name), and Bind DN(Distinguished Name) without RDN is set as "dc=test,dc=com". When input user name is "root", and input password is "1234", then Bind DN sent to LDAP server will be "cn=root,dc=test,dc=com", and password sent to LDAP server will be "1234". - For example, If Class attribute is set as "uidNumber", and Admin class value is set as "1,2". According to LDAP search result, if value of "uidNumber" exists and equals to "1" or "2", it becomes "Administrator" class, otherwise it becomes "General User" class.
222/328
2.4.4.3. Summary It displays the status of LDAP server. Type Server Type Authen No. Server Address Pri State
Server definition Number Server IP Address Priority Server status alive dead
recover
Authentication Server
usable no response
recover remaining time / recover standby time When server status is "alive", displays as "-".
223/328
2.4.5. AAA 2.4.5.1. Config
Figure 212
AAA Group ID Specify AAA Group ID within 0 ~ 9 in decimal number. User Number Specify definition number of AAA user information with decimal number of less than 1000. User ID Specify user ID by characters of 0x21,0x23 ~ 0x7e within 128 characters. If it is used for MAC address authentication, please specify it as the MAC address of the terminal which is permitted to access with 12 digits of hexadecimal numbers(using lower case letters while not using ":" ,etc). User Password Specify password for authentication by characters of 0x21,0x23 ~ 0x7e within 128 characters. If MAC address authentication is used and password has been set in MAC Address Authentication, please also set the same password here. If password has not been set in MAC Address Authentication, specify it as the MAC address of the terminal which is permitted to access with 12 digits of hexadecimal numbers(using lower case letters while not using ":" ,etc). User Role Specify authority class of user as the login user information. VLAN ID Specify VLAN ID allocated to supplicant(user terminal).
224/328
2.4.5.2. Summary It displays the contents of AAA local database. No. User Definition Number User ID User ID User Role Authority Class of User VLAN ID VLAN ID of User
2.4.6. Access Control List 2.4.6.1. IP Config
Figure 213
ACL ID Specify ACL definition number with decimal number of less than 700. Source IP Address Specify source IP address and mask bits to be the object of ACL. - IP address/mask bits(or mask value) Specify the combination of source IP address and mask bits to be the object of ACL. Please set the mask value with consecutive 1 from the highest bit. - any All the source IP address become the object of ACL. Destination IP Address Specify destination IP address and mask bits to be the object of ACL. - IP address/mask bits(or mask value) Specify the combination of destination IP address and mask bits to be the object of ACL. Please set the mask value with consecutive 1 from the highest bit. - any All the destination IP address become the object of ACL. Protocol Specify protocol number to be the object of ACL.
225/328
- Protocol number Specify protocol number within 0 ~ 255 in decimal number to be the object of ACL. If "0" is specified, it displays as "any". (Example: ICMP:1, TCP:6, UDP:17 etc). - any All the protocol number become the object of ACL. Type Of Service Specify the judging method of QoS to be the object of ACL. - ToS Specify it when judge ACL object by ToS value. Specify ToS value within 0 ~ ff in hexadecimal number to be the object of ACL. - DSCP Specify it when judge ACL object by DSCP value. Specify DSCP value within 0 ~ 63 in decimal number to be the object of ACL. - Any All the ToS values and DSCP values become the object of ACL.
226/328
2.4.6.2. IPv6 Config
Figure 214
ACL ID Specify ACL definition number with decimal number of less than 700. Source IPv6 Address Specify source IPv6 address and prefix length to be the object of ACL. - IPv6 address/prefix length Specify the combination of source IPv6 address and prefix length to be the object of ACL. - any All the source IPv6 address become the object of ACL. Destination IPv6 Address Specify destination IPv6 address and prefix length to be the object of ACL. - IPv6 address/prefix length Specify the combination of destination IPv6 address and prefix length to be the object of ACL. - any All the destination IPv6 address become the object of ACL. Protocol Specify protocol number to be the object of ACL. - Protocol number Specify protocol number within 0 ~ 255 in decimal number to be the object of ACL. If "255" is specified, it displays as "any". (Example: ICMP:1, TCP:6, UDP:17 etc). - any All the protocol number become the object of ACL. Traffic Class Specify the judging method of QoS to be the object of ACL. - TC Specify it when judge ACL object by Traffic Class value. Specify TC value within 0 ~ ff in hexadecimal number to be the object of ACL.
227/328
- DSCP Specify it when judge ACL object by DSCP value. Specify DSCP value within 0 ~ 63 in decimal number to be the object of ACL. - Any All the TC values and DSCP values become the object of ACL. 2.4.6.3. TCP Config
Figure 215
ACL ID Specify ACL definition number with decimal number of less than 700. IP Protocol Specify IP protocol to be the object of ACL. Source Port Number Specify source port number to be the object of ACL. - Port number Specify source port number within 1 ~ 65535 in decimal number to be the object of ACL. If you want to specify two or more ports, delimit them by ","(comma). By using ","(comma), the total number of source port and destination port can be set up to 10. The valid formats are as follows. - decimal number within 1 ~ 65535 (Example: 65535 = 65535 port) - port number,port number, ... (Example: 10,20,30 = port of 10 and 20 and 30) - any All the source port number become the object of ACL. Destination Port Number Specify destination port number within 1 ~ 65535 in decimal number to be the object of ACL. The format is the same as source port number. - any All the destination port number become the object of ACL.
228/328
2.4.6.4. UDP Config
Figure 216
ACL ID Specify ACL definition number with decimal number of less than 700. IP Protocol Specify IP protocol to be the object of ACL. Source Port Number Specify source port number to be the object of ACL. - Port number Specify source port number within 1 ~ 65535 in decimal number to be the object of ACL. If you want to specify two or more ports, delimit them by ","(comma). By using ","(comma), the total number of source port and destination port can be set up to 10. The valid formats are as follows. - decimal number within 1 ~ 65535 (Example: 65535 = 65535 port) port number,port number, ... (Example: 10,20,30 = port of 10 and 20 and 30) - any All the source port number become the object of ACL. Destination Port Number Specify destination port number within 1 ~ 65535 in decimal number to be the object of ACL. The format is the same as source port number. - any All the destination port number become the object of ACL.
229/328
2.4.6.5. ICMP Config
Figure 217
ACL ID Specify ACL definition number with decimal number of less than 700. IP Protocol Specify IP protocol to be the object of ACL. ICMP Type Specify ICMP TYPE to be the object of ACL. - ICMP TYPE Specify ICMP TYPE within 0 ~ 255 in decimal number to be the object of ACL. If you want to specify two or more ICMP TYPE, delimit them by ","(comma). By using ","(comma), the total number of ICMP TYPE can be set up to 10. The valid formats are as follows. - decimal number within 0 ~ 255 (Example: 8 = ICMP TYPE 8) - ICMP TYPE,ICMP TYPE, ... (Example: 0,8,30 = ICMP TYPE of 0 and 8 and 30) - any All the ICMP TYPE become the object of ACL. ICMP CODE Specify ICMP CODE to be the object of ACL. - ICMP CODE Specify ICMP CODE within 0 ~ 255 in decimal number to be the object of ACL. If you want to specify two or more ICMP CODE, delimit them by ","(comma). By using ","(comma), the total number of ICMP CODE can be set up to 10. The valid formats are as follows. - decimal number within 0 ~ 255 (Example: 8 = ICMP CODE 8) - ICMP CODE,ICMP CODE, ... (Example: 0,8,30 = ICMP CODE of 0 and 8 and 30) - any All the ICMP CODE become the object of ACL.
230/328
2.4.6.6. MAC Config
Figure 218
ACL ID Specify ACL definition number with decimal number of less than 700. Source MAC Address Specify source MAC address to be the object of ACL. - Unicast Specify the source MAC address to be the object. Specify it with the format of xx:xx:xx:xx:xx:xx(xx is hexadecimal of 2 digits) or "any". - Broadcast Select it when broadcast MAC address is the object. - Multicast Select it when multicast MAC address is the object. Destination MAC Address Specify destination MAC address to be the object of ACL. - Unicast Specify the destination MAC address to be the object. Specify it with the format of xx:xx:xx:xx:xx:xx(xx is hexadecimal of 2 digits) or "any". - Broadcast Select it when broadcast MAC address is the object. - Multicast Select it when multicast MAC address is the object. Format Specify the frame format to be the object of ACL. - Ether Specify it when the frame in Ethernet format is the object. Specify it within 5dd ~ ffff in hexadecimal number or "any". If it is specified as "any", or it is omitted, all the frame in Ethernet format become the object. - LLC Specify it when the frame in LLC format is the object. 231/328
Specify it within 0 ~ ffff in hexadecimal number or "any". If it is specified as "any", or it is omitted, all the frame in LLC format become the object. - Any All the frame become the object.
2.4.6.7. VLAN Config
Figure 219
ACL ID Specify ACL definition number with decimal number of less than 700. VLAN ID Specify VID as the object. The range of VID for ACL object is 1 ~ 4094 or "any". COS Specify COS to be the object of ACL. - Any All the COS become the object. - Others Specify COS to be the object. The range of COS for ACL object is 0 ~ 7.
232/328
2.4.7. IP Filter 2.4.7.1. Config
Figure 220
Filter Address Set IP Filter for the LAN interface. IP Filter is used to pass or reject the packets which match the address, protocol, TOS value, DSCP value, port number, ICMP TYPE or ICMP CODE in ACL. It will be checked whether it is matched in the priority order set before, when it is matched the filtering operation will be done, and the following conditions will not be referred to. If none of the conditions is matched, the packets will be passed. 2.4.7.2. IPv6 Config
Figure 221
233/328
IPv6 Filter Address Set IPv6 Filter for the LAN interface. IP Filter is used to pass or reject the packets which match the IPv6 address, protocol, Traffic Class, DSCP value, port number, ICMP TYPE or ICMP CODE in ACL. It will be checked whether it is matched in the priority order set before, when it is matched the filtering operation will be done, and the following conditions will not be referred to. If none of the conditions is matched, the packets will be passed.
2.4.8. VLAN Filter 2.4.8.1. Config
Figure 222
Filter Address Set the MAC filtering for each VLAN. The filtering operation specified in "Action" will be done to the input packets corresponding to the MAC address, VLAN ID, IP address, ICMP, TCP or UDP definition in the Access Control List specified by ACL.
234/328
2.4.8.2. IPv6 Config
Figure 223
IPv6 Filter Address Set the IPv6 filtering for each VLAN. The filtering operation specified in "Action" will be done to the input packets corresponding to the VLAN ID, IPv6 address, ICMP, TCP or UDP definition in the Access Control List specified by ACL.
2.4.9. Application Filter 2.4.9.1. FTP config
Figure 224
FTP IPv4 Server 235/328
Set whether to enable IPv4 of FTP server function. FTP IPv6 Server Set whether to enable IPv6 of FTP server function. Filter Address Set application filter for FTP server function. The following definitions of ACL are used in application filter. - ip Only use the source IP address and mask bits. If ip value is not set, the definition of filter is invalid and it will be ignored. - ip6 Only use the source IPv6 address and prefix length. If ip6 value is not set, the definition of filter for IPv6 is invalid and it will be ignored. 2.4.9.2. SFTP config
Figure 225
SFTP IPv4 Server Set whether to enable IPv4 of SFTP server function. SFTP IPv6 Server Set whether to enable IPv6 of SFTP server function. Filter Address Set application filter for SFTP server function. The following definitions of ACL are used in application filter. - ip Only use the source IP address and mask bits. If IP value is not set, the definition of filter is invalid and it will be ignored. - ip6 Only use the source IPv6 address and prefix length. If IPv6 value is not set, the definition of filter for IPv6 is invalid and it will be ignored. *Note: This definition is effective for both SSH server function and SFTP server function. Different filter settings can not be set in SSH server function and SFTP server function. 236/328
2.4.9.3. TELNET config
Figure 226
TELNET IPv4 Server Set whether to enable IPv4 of TELNET server function. TELNET IPv6 Server Set whether to enable IPv6 of TELNET server function. Filter Address Set application filter for TELNET server function. The following definitions of ACL are used in application filter. - ip Only use the source IP address and mask bits. If ip value is not set, the definition of filter is invalid and it will be ignored. - ip6 Only use the source IPv6 address and prefix length. If ip6 value is not set, the definition of filter for IPv6 is invalid and it will be ignored.
237/328
2.4.9.4. SSH config
Figure 227
SSH IPv4 Server Set whether to enable IPv4 of SSH server function. SSH IPv6 Server Set whether to enable IPv6 of SSH server function. Filter Address Set application filter for SSH server function. The following definitions of ACL are used in application filter. - ip Only use the source IP address and mask bits. If ip value is not set, the definition of filter is invalid and it will be ignored. - ip6 Only use the source IPv6 address and prefix length. If ip6 value is not set, the definition of filter for IPv6 is invalid and it will be ignored. *Note: This definition is effective for both SSH server function and SFTP server function. Different filter settings can not be set in SSH server function and SFTP server function.
238/328
2.4.9.5. HTTP config
Figure 228
HTTP IPv4 Server Set whether to enable IPv4 of HTTP server function. HTTP IPv6 Server Set whether to enable IPv6 of HTTP server function. Filter Address Set application filter for HTTP server function. The following definitions of ACL are used in application filter. - ip Only use the source IP address and mask bits. If ip value is not set, the definition of filter is invalid and it will be ignored. - ip6 Only use the source IPv6 address and prefix length. If ip6 value is not set, the definition of filter for IPv6 is invalid and it will be ignored.
239/328
2.4.9.6. HTTPS config
Figure 229
HTTPS IPv4 Server Set whether to enable IPv4 of HTTPS server function. HTTPS IPv6 Server Set whether to enable IPv6 of HTTPS server function. Filter Address Set application filter for HTTPS server function. The following definitions of ACL are used in application filter. - ip Only use the source IP address and mask bits. If ip value is not set, the definition of filter is invalid and it will be ignored. - ip6 Only use the source IPv6 address and prefix length. If ip6 value is not set, the definition of filter for IPv6 is invalid and it will be ignored.
240/328
2.4.9.7. SNTP config
Figure 230
SNTP IPv4 Server Set whether to enable IPv4 of SNTP server function. SNTP IPv6 Server Set whether to enable IPv6 of SNTP server function. Filter Address Set application filter for SNTP server function. The following definitions of ACL are used in application filter. - ip Only use the source IP address and mask bits. If ip value is not set, the definition of filter is invalid and it will be ignored. - ip6 Only use the source IPv6 address and prefix length. If ip6 value is not set, the definition of filter for IPv6 is invalid and it will be ignored.
241/328
2.4.9.8. TIME config
Figure 231
TIME IPv4 Server(UDP) Set whether to enable IPv4 of TIME server function by UDP. TIME IPv4 Server(TCP) Set whether to enable IPv4 of TIME server function by TCP. TIME IPv6 Server(UDP) Set whether to enable IPv6 of TIME server function by UDP. TIME IPv6 Server(TCP) Set whether to enable IPv6 of TIME server function by TCP. Filter Address Set application filter for TIME server function. The following definitions of ACL are used in application filter. - ip Only use the source IP address and mask bits. If ip value is not set, the definition of filter is invalid and it will be ignored. - ip6 Only use the source IPv6 address and prefix length. If ip6 value is not set, the definition of filter for IPv6 is invalid and it will be ignored.
242/328
2.5. QoS Menu 2.5.1. Port Configuration 2.5.1.1. Queue Config
Figure 232
Untagged Priority Set tag priority value assigned to the untagged received packets of ether port. Output Mode Set the QoS sending algorithm of ether port. Select from STRICT(send from higher priority sequentially) and DRR(Deficit round robin) method. If DRR is selected, specify lowest guarantee band for each queue. Please set it so that the total of specified band is 10Gbps. Queue Mapping Specify which COS value the packets have and in which output queue the packets will be output. The queue with larger queue number has higher output priority.
2.5.1.2. Queue Summary
Figure 233
It displays the correspondence of packets COS value and storage queue. 2.5.1.3. Classification
Figure 234
IPv4 Type of Service field Priority is decided by the value of IP Precedence field of the Type of Service field of IPv4. IPv6 Traffic Class field Priority is decided by the value of upper 3 bits of Traffic Class field of IPv6.
244/328
2.5.1.4. Diffserve/COS Config
Figure 235
Packet Pattern Set the packet pattern for QoS within the range of 0 to 63. The smaller number has higher priority. When some packet patterns are omitted or deleted, the packet patterns which have not been set will be omitted and only the ones with value will be set. IP protocol Specify the protocol. ACL Specify the ACL definition number of the Access Control List in which the packet pattern to be set for QoS is defined. Action DSCP When corresponded packets in Access Control List are IP packets, rewrite with DSCP value(upper 6 bits of TOS field in IP header). ToS When corresponded packets in Access Control List are IP packets, rewrite with ip precedence value(upper 3 bits of TOS field in IP header). Queue Change the queue of the output port used when corresponded input packets in Access Control List are output. Value Rewrite Value When DSCP is selected in "Action": Set the DSCP value after rewriting within 0 ~ 63 in decimal number. When ToS is selected in "Action": Set the ip precedence value after rewriting within 0 ~ 7 in decimal number. When Queue is selected in "Action": Set the queue number of the used output port within 0 ~ 7 in decimal number. The queue with larger value has higher output priority. 245/328
Change Queue It can be specified when DSCP or ToS is selected in "Action". After rewrite with DSCP value or ip precedence value, the queues with the value corresponding to the upper 3 bits of DSCP value or ip precedence value will be the output queue.
2.5.2. VLAN Configuration 2.5.2.1. Diffserve/COS Config
Figure 236
Packet Pattern Set the packet pattern for QoS within the range of 0 to 63. The smaller number has higher priority. IP protocol Specify the protocol. ACL Specify the ACL definition number of the Access Control List in which the packet pattern to be set for QoS is defined. Action DSCP When corresponded packets in Access Control List are IP packets, rewrite with DSCP value(upper 6 bits of TOS field in IP header). ToS When corresponded packets in Access Control List are IP packets, rewrite with ip precedence value(upper 3 bits of TOS field in IP header). Queue Change the queue of the output port used when corresponded input packets in Access Control List are output. Value Rewrite Value When DSCP is selected in "Action": Set the DSCP value after rewriting within 0 ~ 63 in decimal number. 246/328
When ToS is selected in "Action": Set the ip precedence value after rewriting within 0 ~ 7 in decimal number. When Queue is selected in "Action": Set the queue number of the used output port within 0 ~ 7 in decimal number. The queue with larger value has higher output priority. Change Queue It can be specified when DSCP or ToS is selected in "Action". After rewrite with DSCP value or ip precedence value, the queues with the value corresponding to the upper 3 bits of DSCP value or ip precedence value will be the output queue.
2.5.3. DSCP Rewriting 2.5.3.1. Config
Figure 237
DSCP Rewriting Address Set DSCP rewriting values for LAN interface. The specified DSCP values between 0 ~ 63 will be rewrote to the packets corresponding to the address, protocol, TOS value, DSCP value, port number, ICMP TYPE or ICMP CODE specified in ACL.
247/328
2.5.3.2. IPv6 Config
Figure 238
IPv6 DSCP Rewriting Address Set DSCP rewriting values for LAN interface. The specified DSCP values between 0 ~ 63 will be rewrote to the packets corresponding to the IPv6 address, protocol, TOS value, DSCP value, port number, ICMP TYPE or ICMP CODE specified in ACL.
248/328
3. IBP mode Web Interface 3.1. Overview PRIMERGY 10 Gigabit Ethernet Connection Blade 18/8 provides a built-in browser software interface that lets you configure and manage it remotely using a standard Web browser. This software interface also allows for system monitoring and management of this connection blade. When you configure this for the first time from the console, you have to assign an IP address and subnet mask to this connection blade. Thereafter, you can access this Web software interface directly using your Web browser by entering its IP address into the address bar. In this way, you can use your Web browser to manage this connection blade form any remote PC station, just as if you ware directly connected to its console port.
Figure 239
3.1.1. Menu Options There are following Menu options in Web Interface In IBP: Management, Group Administration, Security, and QoS. 1. Management Menu: This section provides information for configuring SNMP and trap manager, Ping, DHCP client, SNTP, system parameters including Hostname, in-band/out-of-band network management setting, Log setting, User management, configure file backup and so on.
Figure 240
2. Group Administration Menu: This section provides the users to configure Uplink Set, Port Group, VLAN Port Group, Service LAN, Service VLAN, Port, Link Aggregation, and Port Backup
Figure 241
250/328
3. Security Menu: This section provides users to configure IBP security including IEEE802.1x, Radius, TACACS, LDAP, Access Control Lists, IP filter, VLAN filter etc.
Figure 242
4. QoS Menu: This section provides users to configure port QoS setting like queue configuration.
Figure 243
251/328
3.2. Management Menu 3.2.1. Information 3.2.1.1. Inventory info
Figure 244
System Description It displays the device name. Base MAC Address It displays the MAC address in hexadecimal number of 12 digits. Boot ROM Version It displays the ROM version. Runtime Version It displays the firmware version and the time when the firmware is made. Memory It displays the memory size of the device. ASIC Firmware It displays the ASIC firmware version. Port It displays the port number. Media type It displays the module type. Vendor PN It displays the vendor PN of the module. Status It displays the module status. 3.2.1.2. ARP Cache
Figure 245
It displays the entry of ARP table. 3.2.1.3. NDP Cache
Figure 246
It displays the entries of NDP table.
3.2.2. Configuration 3.2.2.1. System Description
253/328
Figure 247
System Description It displays the device name. Host Name Please set the Host Name of this device within 32 characters. It cannot be deleted. System Name Please set MIB variable "sysName" which means the machine name of this device within 32 characters. When it is omitted, it is considered that the "sysName" is not set. System Location Please set MIB variable "sysLocation" which means the location of this device within 72 characters. When it is omitted, it is considered that the "sysLocation" is not set. System Contact Please set MIB variable "sysContact" which means the admin name of this device within 40 characters. When it is omitted, it is considered that the "sysContact" is not set. Engine ID Please set SNMP engine ID for SNMPv3 within 27 characters. When it is omitted, the engine ID will be generated automatically. The value of SNMP engine ID set to the device is as follows. When it is set 1st ~ 5th octet : Fixed as 0x800000d304 6th octet ~ after : Engine ID of this setting When it is omitted 1st ~ 5th octet : Fixed as 0x800000d380 6th octet ~ after : Random value IP Address Set the address of SNMP agent. When it is omitted, it is considered that the agent address is not set. The range that can be specified is as follows. Valid Range) IPv4 address: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6 address: 254/328
::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff System Object ID It displays the Object ID of the device. System Up Time It displays the startup time of the device. 3.2.2.2. In-Band Mgmt
Figure 248
IPv4 Address Please set the IPv4 address. Please set it as DHCP client or set a static IPv4 address. When IPv4 address is changed, you have to input user/password again to login to WEB page. IPv4 Static Route Please set the IPv4 Static Route. It can be set up to 4. IPv6 Please set whether to use IPv6. IPv6 Address Please set the IPv6 address when IPv6 is used. Please set to use the prefix distributed by RA or set a static IPv6 address. When IPv6 address is changed, you have to input user/password again to login to WEB page. IPv6 DHCP Please set whether to use IPv6 DHCP. IPv6 Static Route Please set the IPv6 Static Route. It can be set up to 4. Burned-in MAC Address It displays the MAC address used in In-Band Mgmt LAN. Management VLAN ID Please set VLAN ID by integer within 1~4094.
3.2.2.3. Out-of-Band Mgmt
255/328
Figure 249
IPv4 Address Please set the IPv4 address. Please set it as DHCP client or set a static IPv4 address. When IPv4 address is changed, you have to input user/password again to login to WEB page. IPv4 Static Route Please set the IPv4 Static Route. It can be set up to 4. IPv6 Please set whether to use IPv6. IPv6 Address Please set the IPv6 address when IPv6 is used. Please set to use the prefix distributed by RA or set a static IPv6 address. When IPv6 address is changed, you have to input user/password again to login to WEB page. IPv6 DHCP Please set whether to use IPv6 DHCP. IPv6 Static Route Please set the IPv6 Static Route. It can be set up to 4. Burned-in MAC Address It displays the MAC address used in Out-of-Band Mgmt LAN. 3.2.2.4. Telnet Session
256/328
Figure 250
Auto Logout Specify the length of the auto logout time within the range of 0 second ~ 86400 seconds(1 day). If the command input/output is not done from the client connected by telnet, after the period of the auto logout time, the telnet connection will be cut off automatically. The time unit can be specified as any of the (day), (hour), (minute), or (second). 3.2.2.5. Serial Port
Figure 251
Auto Logout Specify the length of the auto logout time within the range of 0 second ~ 86400 seconds(1 day). During the login state, if the command input/output is not done from the serial port, after the period of the auto logout time, it will be forced to logout. The time unit can be specified as any of the (day), (hour), (minute), or (second).
3.2.3. System Utilities 3.2.3.1. Save All Changes Saving all applied changes will cause all changes to configuration panels that were applied but not saved, to be saved, thus retaining their new values across a system reboot. 257/328
3.2.3.2. System Reset Resetting the switch will cause all operations of this switch to stop. This session will be broken and you will have to login again after the switch has rebooted. Any unsaved changes will be lost. 3.2.3.3. Set Config to Default Initialize the configuration and reboot the switch. 3.2.3.4. Set Passwords to Default Set the password of admin and user to default. 3.2.3.5. Ping
Figure 252
IPv4/IPv6 Address Specify the IPv4 address or IPv6 address of sending destination. 3.2.3.6. DDNS Summary It displays summary of dynamic DNS action.
3.2.4. File Management 3.2.4.1. Download to IBP
258/328
Figure 253
TFTP server IP Address Set IPv4 or IPv6 address of TFTP server. TFTP File Path(Source) Set the path on the TFTP server where to download the file. TFTP File Name(Source) Set the name of the file to download. TFTP File Name(Target) Set the file name of the downloaded file on this device. Set it from the follows. config1 Config Definition 1 config2 Config Definition 2 switch_firmware Switch Firmware ibp_firmware IBP Firmware sshkey SSH Key Information 3.2.4.2. Upload from IBP
Figure 254
TFTP server IP Address 259/328
Set IPv4 or IPv6 address of TFTP server. TFTP File Path(Target) Set the path on the TFTP server where to upload the file. TFTP File Name(Target) Set the file name of the uploaded file on TFTP server. TFTP File Name(Source) Set the file name on this device to upload. Set it from the follows. running-config Config Definition in use startup-config Config Definition when start up config1 Config Definition 1 config2 Config Definition 2 switch_firmware Switch Firmware ibp_firmware IBP Firmware 3.2.4.3. Start-Up File
Figure 255
Change config definition or firm and then reset the device. Current Runtime File It displays the name of the firm which is being used. Current Configuration File It displays the name of the current configuration file, which is being used. Runtime File Set the firm to be used when the device is started next time. Set it from the follows. switch_firm Switch Firm ehm_firm EHM Firm ibp_firm IBP Firm Configuration File Set the name of configuration file which will be used as Startup-config when the device is started next time. Set it from the follows. config1 Config Definition 1 config2 Config Definition 2 260/328
Caution: - "Save" button is disabled when "Configuration File" is different from "Current Configuration File". - When "Save" button is clicked, the selected "Runtime File" will be saved. - When "Save and Reset" button is clicked, the device will be reset with the selected parameter 3.2.4.4. Copy File
Figure 256
File Name Set the name of configuration file which will be used to save running-config. Set it from the follows. config1 Config Definition 1 config2 Config Definition 2
3.2.4.5. Clear SSH Key Delete SSH user public key.
3.2.5. User Management 3.2.5.1. User Accounts
261/328
Figure 257
Please set the password used for operating the device. The admin password is the password used when the user name is "admin", and the user password is the password used when the user name is "user". The authority class is decided by login user, and the web pages which can be executed are different according to the authority class. It becomes the administrator class when login with "admin" and it becomes the general user class when login with "user". When login by console, TELNET or SSH, the admin password and the user password are used. When login by FTP or SFTP, the admin password is used. After input password it can be operated for 10 minutes. After that it needs to input password again to operate. Admin Password Set the password within 64 characters. It is the password when user name is "admin". The authority class is administrator class when login with "admin". User Password Set the password within 64 characters. It is the password when user name is "user". The authority class is general user class when login with "user". Caution: - If the password is set less than 7 characters, English letters only or numbers only, or if the admin password is deleted, it can be set or deleted normally. However, the warning message of weak password will be displayed. User Account Extension Please set whether to extend user accounts besides the fixed accounts(admin/user). enable Extend it. disable Do not extend it. AAA Group Index Specify the group ID of AAA which is referred to when user authentication is done. Specify the group ID of AAA in decimal number of less than 10.
262/328
3.2.5.2. Login Session
Figure 258
It displays the information of login user. Line It displays the connection type(console, http, ssh) and connection line. User Name It displays the user name. Class It displays the authority class of user. Remote Host It displays the information of remote host. Since It displays the login time. Idle It displays the period of time without any operation.
3.2.6. Logging 3.2.6.1. Configuration – Syslog
Figure 259
Server Address Set IP address of the server where the system log information(message) will be sent. Priority 263/328
Specify the priority level from the follows for the system log information to be output. error Check it when priority LOG_ERROR is included in the ouput object. warn Check it when priority LOG_WARNING is included in the ouput object. notice Check it when priority LOG_NOTICE is included in the ouput object. info Check it when priority LOG_INFO is included in the ouput object. Facility Set the facility of system log information within the range of 0~23 in decimal number. Duplication Abbreviation Specify whether to abbreviate the message which is duplicated to the message output before, when output message to system log. Command Logging Specify whether to output the command execution history to system log. As for the parameter of encrypted object, the log will be encrypted before output for security consideration. 3.2.6.2. View – System Log
Figure 260
It displays the system log information. 3.2.6.3. View – Error Log
264/328
Figure 261
It displays the hard error diagnosed in ROM or I/O driver and the error log information of system down.
3.2.7. Statistics 3.2.7.1. Port Summary
Figure 262
[Input Statistics] Octets The number of octets of the data received bits/sec The number of received bits per second(bits/sec) Frames The total number of frames received frames/sec The number of received frames per second(frames/sec) Unicast The number of unicast frames received frames/sec The number of received unicast frames per second(frames/sec) 265/328
Multicast/Broadcast The number of multicast/broadcast frames received frames/sec The number of received multicast/broadcast frames per second(frames/sec) Discards DiscardsPkts The total number of discarded frames after received Errors Oversize The number of oversize frames received(more than 1519 bytes without TAG, more than 1523 bytes with TAG) FCSErrors The number of frames where FCS errors are detected with the data size of 64~1518 bytes AlignmentErrors The number of received frames where Alignment errors are detected [Output Statistics] Octets The number of octets of the data sent bits/sec The number of sent bits per second(bits/sec) Frames The total number of frames sent frames/sec The number of sent frames per second(frames/sec) Unicast The number of unicast frames sent frames/sec The number of sent unicast frames per second(frames/sec) Multicast/Broadcast The number of multicast/broadcast frames sent frames/sec The number of sent multicast frames per second(frames/sec) Discards DiscardsPkts The total number of discarded frames after sent Errors CarrierSenseErrors The total number of error frames due to undetected carrier ExcessiveCollisions The total number of error frames that failed to send due to a lot of collision LateCollisions The total number of late collisions SingleCollisionFrames The total number of frames succeeded to send after one collision occurred. 266/328
MultipleCollisionFrames The total number of frames succeeded to send after several collisions occurred. DeferredTransmissions The total number of frames delayed to send due to busy of transmission path.
3.2.7.2. Port Detailed
Figure 263
[Input Statistics] Octets The number of octets of the data received bits/sec The number of received bits per second(bits/sec) Frames The total number of frames received frames/sec The number of received frames per second(frames/sec) Unicast The number of unicast frames received frames/sec The number of received unicast frames per second(frames/sec) Multicast The number of multicast frames received frames/sec The number of received multicast frames per second(frames/sec) Broadcast The number of broadcast frames received frames/sec The number of received broadcast frames per second(frames/sec) Pause frames The number of PAUSE frames received Mac Control frames The number of MAC control frames received Priority pause 0 frames 267/328
The number of received pause frames for priority 0 Priority pause 1 frames The number of received pause frames for priority 1 Priority pause 2 frames The number of received pause frames for priority 2 Priority pause 3 frames The number of received pause frames for priority 3 Priority pause 4 frames The number of received pause frames for priority 4 Priority pause 5 frames The number of received pause frames for priority 5 Priority pause 6 frames The number of received pause frames for priority 6 Priority pause 7 frames The number of received pause frames for priority 7 Discards All DiscardsPkts The total number of discarded frames after received Resource Full The number of discarded received frames due to insufficient resource Policy Discards The number of discarded received frames due to discards policy VLAN dropped The number of discarded received unicast frames due to no member of setting vlan Errors Undersize The number of undersize frames received(under 64 bytes) FCSErrors The number of frames where FCS errors are detected with the data size of 64~1518 bytes AlignmentErrors The number of received frames where Alignment errors are detected FragmentErrors The number of frames with short size(under 64 bytes) where FCS errors or alignment errors are detected Jabbers Over size(more than 1519 bytes without TAG, or more than 1523 bytes with TAG) SymbolErrors Over size(more than 1519 bytes without TAG, or more than 1523 bytes with TAG) UnknownOpcodes Over size(more than 1519 bytes without TAG, or more than 1523 bytes with TAG) [Output Statistics] Octets The number of octets of the data sent bits/sec The number of sent bits per second(bits/sec) 268/328
Frames The total number of frames sent frames/sec The number of sent frames per second(frames/sec) Unicast The number of unicast frames sent frames/sec The number of sent unicast frames per second(frames/sec) Multicast The number of multicast frames sent frames/sec The number of sent multicast frames per second(frames/sec) Broadcast The number of broadcast frames sent frames/sec The number of sent broadcast frames per second(frames/sec) Pause frames The number of PAUSE frames sent Mac Control frames The number of MAC control frames sent Priority pause 0 frames The number of sent pause frames for priority 0 Priority pause 1 frames The number of sent pause frames for priority 1 Priority pause 2 frames The number of sent pause frames for priority 2 Priority pause 3 frames The number of sent pause frames for priority 3 Priority pause 4 frames The number of sent pause frames for priority 4 Priority pause 5 frames The number of sent pause frames for priority 5 Priority pause 6 frames The number of sent pause frames for priority 6 Priority pause 7 frames The number of sent pause frames for priority 7 Discards DiscardsPkts The total number of discarded frames after received DelayExceededDiscards The number of discarded frames due to exceeded delay Errors Undersize The number of undersize frames received(under 64 bytes) FCSErrors The number of frames where FCS errors are detected with the data size of 64~1518 bytes 269/328
FragmentErrors The number of frames with short size(under 64 bytes) where FCS errors or alignment errors are detected [Detail Statistics] The number of frames per second accumulated by different frame size. 3.2.7.3. IP
Figure 264
It displays the statistics of IPv4 packets. 3.2.7.4. LACP It displays the statistics of LACP packets. The items won't be displayed if the Count is 0. 3.2.7.5. Net Time It displays the statistics of SNTP/TIME client. 3.2.7.6. SNMP It displays the statistics of SNMP.
270/328
3.2.8. SNMP 3.2.8.1. Community Config
Figure 265
SNMP Agent Set whether to enable SNMP Agent function and SNMP Trap function. RMON Set whether to use RMON function. Community Name Specify the community name within 1~32 characters used when sending trap. Specify it as "public" for it to communicate with any SNMP manager. IP Address Specify the address of the SNMP manager. Valid Range) IPv4 address: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6 address: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Access Mode Specify whether writing from SNMP manager is permitted. Trap Mode Specify whether to send trap. Off Select it when not sending trap. V1 Select it when sending SNMPv1 trap. V2c Select it when sending SNMPv2 trap.
271/328
3.2.8.2. Trap Flags
Figure 266
Cold Start Set to enable or disable the coldStart trap. Link Down Set to enable or disable the linkDown trap. Link Up Set to enable or disable the linkUp trap. Authentication Set to enable or disable the authenticationFailure trap. Rising Alarm Set to enable or disable the risingAlarm trap. Falling Alarm Set to enable or disable the fallingAlarm trap. New Root Set to enable or disable the newRoot trap. Topology Change Set to enable or disable the topologyChange trap. LLDP Remote Tables Change Set to enable or disable the lldpRemTablesChange trap. LLDP DCBX Set to enable or disable all the following lldpXdcbx traps. lldpXdcbxMiscControlError lldpXdcbxMiscFeatureError lldpXdcbxMultiplePeers lldpXdcbxLldpTxDisabled lldpXdcbxLldpRxDisabled lldpXdcbxDupControlTlv lldpXdcbxDupFeatureTlv lldpXdcbxPeerNoFeat lldpXdcbxPeerNoResp lldpXdcbxPeerConfigMismatch
272/328
3.2.9. RMON 3.2.9.1. Alarm Config
Figure 267
Alarm ID Specify ID of the RMON alarm group in decimal number value of 1 ~ 64. Sampling Variable Specify the object identifier of MIB that will be checked with the threshold in the dot form or the alphanumeric character. The range that can be specified is as follows. 1 ~ 63(characters) The object identifier can only be specified with the following types. INTEGER Integer32 Counter32 Counter64 Gauge32 TimeTicks Sampling Interval Please set the interval time of checking the threshold within the range of 1 ~ 43200 (seconds). The unit can be specified as hour, minute or second. Sampling Type Specify the type of checking threshold. Absolute(default value) The current value is compared directly with the threshold. Delta The difference between the current value and the value when sampling it last time is compared with the threshold. Rising-Threshold Specify the upper threshold of the RMON alarm group. The range that can be specified is as follows. 0 ~ 4294967295 Rising-Threshold Event ID
273/328
Specify the corresponding RMON event group id in decimal number which has been set in "Event ID" of [Event Config]. It is used as the event definition number which will be generated when the upper threshold is exceeded. The alarm event will not be generated when there is no specified definition number. Falling-Threshold Specify the lower threshold of the RMON alarm group. The range that can be specified is as follows. 0 ~ 4294967295 Falling-Threshold Event ID Specify the corresponding RMON event group id in decimal number which has been set in "Event ID" of [Event Config]. It is used as the event definition number which will be generated when the lower threshold is surpassed. The alarm event will not be generated when there is no specified definition number. 3.2.9.2. Event Config
Figure 268
Event ID Specify ID of the RMON event group in decimal number value of 1 ~ 64. Type Specify the notification method of this event(alarm). Blank No event processing. Log The log of the event will be kept. Trap The trap will be transmitted to the SNMP host who has the community name specified in "Community" of [Event Config]. Log-Trap The log of the event will be kept while the trap will be transmitted to the SNMP host who has the community name specified in "Community" of [Event Config]. Description Set the description of the RMON event group. Specify the explanation of the event (the note related to the content of the event) by the character string of 0x21, 0x23 ~ 0x7e. 274/328
The range that can be specified is as follows. 1~ 127 (characters) Community Specify the community name which will be set to the trap packets when the trap is sent. This setting is effective when the notification method specified in "Type" of [Event Config] is "Trap" or "Log-Trap". And the trap will be sent in the following case. When the community name specified here has been set in [Community Config] of [SNMP]. The range that can be specified is as follows. 1 ~ 32(characters)
3.2.10. SNTP 3.2.10.1.Server Config
Figure 269
Client Mode Please set the protocol when time information is acquired from the time server. Disable Time information is not acquired. SNTP Select it when the simple NTP protocol(UDP) is used. TIME Select it when the TIME protocol(TCP) is used. DHCP Select it when the protocol notified by DHCP is used. IP Address IPv4 Address Specify the IPv4 address of the server that offers time information. The range that can be specified is as follows. 0.0.0.0 (from DHCP server) 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 224.0.0.1 ~ 239.255.255.254 (Multicast) 255.255.255.255 (Broadcast) 275/328
IPv6 Address Specify the IPv6 address of the server that offers time information. The range that can be specified is as follows. ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Interface Please set the interface used to communicate with time server. When IPv4 address of server is multicast or broadcast address and protocol is SNTP, please set it other than "Auto". Otherwise, set it as "Auto". Auto Interface is auto-selected. Out-of-Band Use Out-of-Band interface(oob0). In-Band Use In-Band interface(lan0). Interval Please set the acquisition cycle within the range of 0~10 day, when acquiring time information from the time server periodically. The time unit can be specified as any of the day, hour, minute or second. If it is omitted or 0 is set, time information will be acquired only when the device starts (restarts). 3.2.10.2.Server Status
Figure 270
Protocol It displays the protocol when time information is acquired from the time server. Version It displays the version of protocol. Last Update Time It displays the last time when time information is acquired from server. Server IP Address It displays the IP address of time server. Unicast Server Max Entries It displays the maximum number of time server. 276/328
3.2.10.3.Current Time
Figure 271
Current Time Set the current time. Please select from the following 3 methods. Set it as the time of PC used for setting. Set it from the SNTP/TIME server. Set it manually. 3.2.10.4.Time Zone Settings
Figure 272
Time Zone Hours Please set the time difference(hour) from GMT(Greenwich Standard Time) in decimal number from 0 to 12. Time Zone Minutes Please set the time difference(minute) from GMT in decimal number from 0 to 59. Direction Please set whether it is before GMT or after GMT. 277/328
Before GMT It means it is ahead of GMT. After GMT It means it is late than GMT.
3.2.11. LLDP 3.2.11.1.Configuration – Global Config
Figure 273
Transmit Interval Specify a fixed time interval to transmit LLDP information by decimal number and time unit. The time unit can be specified as any of the (hour), (minute) or (second). The range that can be specified is 5 seconds ~ 32768 seconds. This setting is corresponding to the variable "msgTxInterval" of 802.1AB. Transmit Delay Specify the minimum time interval to transmit LLDP information by decimal number and time unit. The time unit can be specified as any of the (hour), (minute) or (second). The range that can be specified is 1 second ~ 0.25 * (no more than 8192 seconds). This setting is corresponding to the variable "txDelay" of 802.1AB. Transmit Hold As for the time length that adjacent device should maintain LLDP information of this device, specify it by the count of "Transmit Interval" of LLDP. The range that can be specified is 2 times ~ 10 times, specify it by decimal number within the range of 2~10. TTL(no more than 65535 seconds) which is calculated by the method of [LLDP Transmit Interval * LLDP Transmit Hold] will be notified to the adjacent device. This setting is corresponding to the variable "msgTxHold" of 802.1AB. Reinitialize Delay When the LLDP transmission is set to be disabled, after sending LLDP information with TTL value of 0, the internal state will be re-initialized. Specify the delay time of re-initialized by decimal number and time unit. The range that can be specified is 1second ~ 10seconds. This setting is corresponding to the variable "reinitDelay" of 802.1AB. SNMP Notification Interval 278/328
Specify the minimum time interval of the transmission of SNMP Notification Trap by decimal number and time unit. The time unit can be specified as any of the (hour), (minute) or (second). The range that can be specified is 5 seconds ~ 3600 seconds. This setting is corresponding to the variable "NotificationInterval" of 802.1AB. 3.2.11.2.Configuration – Interface Config
Figure 274
Slot/Port Select a port to set. Mode Specify the action mode of the LLDP function at the specified port. Port Description Specify whether to transmit Port Description TLV. System Name Specify whether to transmit System Name TLV. System Description Specify whether to transmit System Description TLV. System Capabilities Specify whether to transmit System Capabilities TLV. Management Address Specify whether to transmit Management Address TLV. Port VLAN ID Specify whether to transmit IEEE802.1 Port VLAN ID TLV. Port and Protocol VLAN ID Specify whether to transmit Protocol VLAN ID information. VLAN Name Specify whether to transmit IEEE802.1 VLAN Name TLV. Protocol Identity Specify whether to transmit IEEE802.1 Protocol VLAN Identity TLV. MAC PHY Configuration Status Specify whether to transmit IEEE802.3 MAC/PHY Configuration/Status TLV. Power via MDI Specify whether to transmit IEEE802.3 Power Via MDI TLV. 279/328
Link Aggregation Specify whether to transmit IEEE802.3 Link Aggregation TLV. Maximum Frame Size Specify whether to transmit IEEE802.3 Maximum Frame Size TLV. 3.2.11.3.Information – Interface Summary
Figure 275
It displays the LLDP setup information at all physical ports where the LLDP function is enabled. The content of "Info" is as follows. About TLV P Port Description TLV is transmitted N System Name TLV is transmitted D System Description TLV is transmitted C System Capabilities TLV is transmitted A Management Address TLV is transmitted No Transmit (disable) Blank No Transmit (receive only) About VLAN P Port VLAN ID p Port And Protocol VLAN ID N VLAN Name I Protocol Identity No Transmit (disable) Blank No Transmit (receive only) About Configration M MAC/PHY Configuration/Status P Power Via MDI 280/328
L Link Aggregation F Maximum Frame Size No Transmit (disable) Blank No Transmit (receive only) About SNMP T SNMP Notification Trap No Transmit (disable) Blank No Transmit (receive only)
3.2.11.4.Information – Statistics It displays the LLDP statistics information. 3.2.11.5.Information – Local Info
Figure 276
It displays the LLDP setup information and LLDP transmission information at all physical ports where the LLDP function is enabled.
281/328
3.2.11.6.Information – Local Summary
Figure 277
It displays the number of physical ports where the LLDP function is enabled. 3.2.11.7.Information – Remote Info It displays the detail information of adjacent device. 3.2.11.8.Information – Remote Summary It displays the LLDP adjacent device information at all physical ports where the LLDP function is enabled.
3.2.12. DHCP Client 3.2.12.1.DHCP Restart Issues a DHCP client request for any IP interface that has been set to DHCP mode. 3.2.12.2.DHCPv6 Restart Issues a DHCPv6 client request for any IPv6 interface that has been set to DHCP mode.
282/328
3.2.13. IPv6 3.2.13.1.Statistics
Figure 278
It displays statistics information of IPv6 packets.
283/328
3.3. Group Administration Menu 3.3.1. Group List This page displays the summary of all currently configured group of port. 3.3.1.1. Group List
Figure 279
Non-Configurable Data Slot/Port - Identifies the port. Uplink Sets - The group name of Uplink Sets. Port Groups - The group name of Port Groups. VLAN Port Groups - The group name of VLAN Port Groups. Service LAN - The group name of Service LAN. Service VLAN - The group name of Service VLAN. Command Buttons Refresh Re-fetch the configuration value again.
3.3.2. Uplink Sets 3.3.2.1. Config
Figure 280
An "Uplink Set" is defined as a set of 1 to n external (uplink) ports, which is be used in port group definitions to connect a group of server blades to the customer's LAN. The purpose of the uplink set configuration is to create groups, and to add or modify the existing external ports to groups. Link state, port backup, and IGMP snooping of the uplink set groups can be configured in this page. Selection Criteria Uplink Set Name - Use this pull-down menu to select one of the existing uplink set. Configurable Data Uplink Set Name - Input the uplink set name to create a new group. Link State - Use this field to configure link state. Port Backup - Use this field to configure port backup. Failback Time - Input the failback-time to configure port backup. Change Notify - Use this field to configure change notify. IGMP Snooping - Use this field to configure IGMP snooping. MLD Snooping - Use this field to configure MLD snooping. LACP - Use this field to configure LACP. Converged Enhanced Ethernet - Use this field to configure Converged Enhanced Ethernet. Priority group 285/328
- Set the Priority group number. Weight - Set the Weight within the range of 1~100. Priority-based Flow Control - Select whether to use Priority-based Flow Control. Priority map - Set Priority group to each priority. FCoE Priority - Set the priority of FCoE. FCoE - Select whether to use FCoE. iSCSI Priority - Set the priority of iSCSI. iSCSI - Select whether to use iSCSI. If total weight exceeds 100, Converged Enhanced Ethernet is invalid. If more than 1 Priority-based Flow Control exist, port is disabled. If Converged Enhanced Ethernet mode is "Disable" even if Priority group and Priority map are set, Converged Enhanced Ethernet is invalid. If Priority group, Weight or Priority map is not set even if Converged Enhanced Ethernet mode is "Enable", Converged Enhanced Ethernet is invalid. Participation - Use this field to specify whether an interface will participate in this uplink set. The factory default is 'Exclude'. The possible values are: Include - This interface is the member of the uplink set. Exclude - This interface is not the member of the uplink set. Non-Configurable Data Slot/Port - The interface. Type - The interface type. Type should be External. Status - The interface is belong to this uplink set or not. Command Buttons Apply - Update the IBP with the values on this screen. If you want the IBP to retain the new values across a power cycle, you must perform a save. Delete - Delete the Uplink Set. You are not allowed to delete the "default" uplink set. Cancel - Revert to the previous settings.
286/328
3.3.2.2. Status
Figure 281
This page displays the status of all currently configured Uplink Set. Non-Configurable Data Uplink Set Name - The name of the uplink set. External Active Ports - List the external active port members. External Backup Ports - List the external backup port members. Link State - The status of link state. Port Backup - The status of backup. Failback Time - The wait time of failback. Change Notify - The status of change notify. IGMP Snooping - The status of IGMP Snooping. MLD Snooping - The status of MLD Snooping. LACP - The status of LACP.
287/328
3.3.3. Port Groups 3.3.3.1. Config
Figure 282
The purpose of the port group configuration is to create port groups, and to modify the existing port groups. Only the internal ports could be defined to be the member of the port groups. The external connection is defined by specifying an Uplink Set. Selection Criteria Port Group Name - Use this pull-down menu to select one of the existing groups. Configurable Data Port Group Name - Input the group name to create a new port group. Uplink Set Name - Use this pull-down menu to specify the external connection. Isolate - Use this field to isolate downlinks of the port group. Participation - Use this field to specify whether an interface will participate in this port group. The factory default is 'Exclude'. The possible values are: Include - This interface is the member of the port group. Exclude - This interface is not the member of the port group. Non-Configurable Data Slot/Port - The interface. Type - The interface type. Type should be Internal. Status - The interface is belong to this port group or not. Command Buttons Apply
288/328
- Update the IBP with the values on this screen. If you want the IBP to retain the new values across a power cycle, you must perform a save. Delete - Delete the port group. You are not allowed to delete the "default" port group. Cancel - Revert to the previous settings. 3.3.3.2. Status
Figure 283
This page displays the status of all currently configured port group. Non-Configurable Data Port Group Name - The group name of the port group. Internal Ports - List the internal port members. Uplink Set Name - The name of the uplink set. External Ports - List the external ports of the port group. Isolate - The isolate status of the port group.
289/328
3.3.4. VLAN Port Groups 3.3.4.1. Config
Figure 284
Selection Criteria VLAN Port Group Name - You can use this screen to configure an existing VLAN Port Group, or to create a new one. Use this pulldown menu to select one of the existing VLAN Port Groups, or select 'Create' to add a new one. Configurable Data VLAN Port Group Name - Specify the name for the new VLAN Port Group. VLAN ID - Specify the VLAN Identifier for the VLAN Port Group. The range of the VLAN ID is 1 to 4094 except reserved 1006 to 1024. Uplink Set Name - Specify the uplink set for the external connection. Native VLAN - Change the behavior of the external interfaces: to process/forward untagged packets only. Enable - The external interfaces of this group will only process/forward the untagged packets. Disable - The external interfaces of this group will process/forward both tagged and untagged packets. Isolate - Use this field to isolate downlinks of the VLAN Port Group. Participation - Use this field to specify whether an interface will participate in this VLAN Port Group. The factory default is 'Exclude'. The possible values are: Include - This interface is the member of the VLAN Port Group. Exclude - This interface is not the member of the VLAN Port Group. 290/328
Tagged Option - The Tagged Option status of the VLAN Port Group. The possible values are: Tagged - This interface is set in the Tagged Option. Untagged - This interface is not set in the Tagged Option. Non-Configurable Data Slot/Port - The interface. Type - The interface type. Type should be Internal. Status - Indicates the current value of the participation parameter for the interface. Command Buttons Apply - Update the IBP with the values on this screen. If you want the switch to retain the new values across a power cycle, you must perform a save. Delete - Delete a VLAN Port Group. Cancel - Revert to the previous settings.
291/328
3.3.4.2. Status This page displays the status of all currently configured VLAN Port Groups. VLAN Port Group Name - The name for the VLAN Port Group. VLAN ID - The VLAN Identifier of the VLAN Port Group. The range of the VLAN ID is 1 to 4094 except reserved 1006 to 1024. Internal Ports - Internal interface, member of that VLAN Port Group. Uplink Set Name - Specify the Uplink Set for the external connection. External Ports - External interface, member of the specified Uplink Set. Native VLAN - Change the behavior of external interfaces: to process/forward untagged packets only. Isolate - The isolate status of the VLAN Port Group.
3.3.5. Service LAN 3.3.5.1. Config
Figure 285
Selection Criteria Service LAN Name - You can use this screen to configure an existing Service LAN, or to create a new one. Use this pulldown menu to select one of the existing Service LAN, or select 'Create' to add a new one. Configurable Data Service LAN Name - Specify the name for the new Service LAN. Service VLAN ID
292/328
- Specify the VLAN Identifier for the Service LAN. The range of the VLAN ID is 1 to 4094 except reserved 1006 to 1024. Uplink Set Name - Specify the uplink set for the external connection. Isolate - Use this field to isolate downlinks of the Service LAN. Participation - Use this field to specify whether an interface will participate in this Service LAN. The factory default is 'Exclude'. The possible values are: Include - This interface is the member of the Service LAN. Exclude - This interface is not the member of the Service LAN. Non-Configurable Data Slot/Port - The interface. Type - The interface type. Type should be Internal. Status - Indicates the current value of the participation parameter for the interface. Command Buttons Apply - Update the IBP with the values on this screen. If you want the switch to retain the new values across a power cycle, you must perform a save. Delete - Delete a Service LAN. Cancel - Revert to the previous settings. 3.3.5.2. Status This page displays the status of all currently configured Service LAN. Service LAN Name - The name for the Service LAN. Service VLAN ID - The VLAN Identifier of the Service LAN. The range of the VLAN ID is 1 to 4094 except reserved 1006 to 1024. Internal Ports - Internal interface, member of that Service LAN. Uplink Set Name - Specify the Uplink Set for the external connection. External Ports - External interface, member of the specified Uplink Set. Isolate - The isolate status of the Service LAN.
293/328
3.3.6. Service VLAN 3.3.6.1. Config
Figure 286
Selection Criteria Service VLAN Name - You can use this screen to configure an existing Service VLAN, or to create a new one. Use this pulldown menu to select one of the existing Service VLAN, or select 'Create' to add a new one. Configurable Data Service VLAN Name - Specify the name for the new Service VLAN. Service VLAN ID - Specify the VLAN Identifier for the Service VLAN. The range of the VLAN ID is 1 to 4094 except reserved 1006 to 1024. Uplink Set Name - Specify the uplink set for the external connection. Isolate - Use this field to isolate downlinks of the Service VLAN. Participation - Use this field to specify whether an interface will participate in this Service VLAN. The factory default is 'Exclude'. The possible values are: Include - This interface is the member of the Service VLAN. Exclude - This interface is not the member of the Service VLAN. Non-Configurable Data Slot/Port - The interface. Type - The interface type. Type should be Internal. Status - Indicates the current value of the participation parameter for the interface. Command Buttons Apply 294/328
- Update the IBP with the values on this screen. If you want the switch to retain the new values across a power cycle, you must perform a save. Delete - Delete a Service VLAN. Cancel - Revert to the previous settings. 3.3.6.2. Status This page displays the status of all currently configured Service VLAN. Service VLAN Name - The name for the Service VLAN. Service VLAN ID - The VLAN Identifier of the Service VLAN. The range of the VLAN ID is 1 to 4094 except reserved 1006 to 1024. Internal Ports - Internal interface, member of that Service VLAN. Uplink Set Name - Specify the Uplink Set for the external connection. External Ports - External interface, member of the specified Uplink Set. Isolate - The isolate status of the Service VLAN.
3.3.7. Port Backup 3.3.7.1. Config
Figure 287
Two link aggregation groups are associated with one port group as the port group is created. Two link aggregation groups are defined as active and backup port internally. One of two link aggregation groups will be activated at a time. For example, as active link aggregation group is link up, the backup aggregation group will be blocked (no traffic could be sent or received). Otherwise, if active aggregation group is link down (all members of the active aggregation group are link down), the backup aggregation group will be activated. As the active aggregation group is link up again, the backup aggregation group will be deactivated. 295/328
Configurable Data Active/Backup - Select field to set the interface to be in active aggregation group or backup aggregation group. Non-Configurable Data Slot/Port - The interface. Uplink Set Name - The name of uplink set that this interface belongs to. Status - Active or Backup. Command Buttons Apply - Update the IBP with the values on this screen. If you want the IBP to retain the new values across a power cycle, you must perform a save. Cancel - Revert to the previous settings. 3.3.7.2. Status
Figure 288
This page displays the status of all currently configured port-backup. Non-Configurable Data Uplink Set Name - The name of the Uplink Set. External Active Ports - The configured external active port. External Backup Ports - The configured external backup port. Port Backup - Current port backup setting for the Uplink Set. (Enable or Disable) Failback Time - The time delay for activating the active port if the link of active port is resumed. Current Activated Port - Current activated port for the Uplink Set. 296/328
Command Buttons Refresh - Re-fetch the configuration value again.
3.3.8. VLAN 3.3.8.1. Forward Database Config
Figure 289
VLAN ID Specify VLAN ID within the range of 1 ~ 4094 in decimal number. MAC Address Set the destination MAC address. Specify it in the format of xx:xx:xx:xx:xx:xx(xx is hexadecimal of 2 digits). 00:00:00:00:00:00, broadcast or multicast can not be specified. Slot/Port Select the corresponding port for the destination MAC address. If the selected port is a Link Aggregation member port, the settings are effective for the Link Aggregation Group. If the selected port is a Backup port, the settings are effective for the working port of the Backup Port Group. 3.3.8.2. Forward Database Summary
Figure 290
It displays the contents of VLAN forward database. VLAN ID Number MAC Address Slot/Port
VLAN ID Destination MAC Address number Destination MAC Address Corresponding forwarding port
297/328
3.3.9. Port 3.3.9.1. Config
Figure 291
Link Aggregation Group Specify the group number of Link Aggregation group to be used. LACP Port Priority Specify the LACP Port Priority. When LACP is not used, this definition means nothing. Flow Control Set the action of "send" and "receive" for the Flow Control Function. Link Recovery Limit Specify the limit of Link Down frequency. It is the upper limit for the corresponding port to enter block state. When the Link Down frequency reaches the limit, the port which displays in system log will enter the block state. Link Down Relay Set the list of the ports which will be relayed to Link Down(port block) when other ports Link Down. When the operation of Link Down Relay is done, it will be output in system log that the relayed port enters block state. In "Recovery Mode", the block release method can be set. It is used for the ports set in the relay port list information of the Link Down Relay function to be released from block state. When "Manual" is set as Recovery Mode, the relayed ports can be released from block state by the block release command or definition change. When "Auto" is set as Recovery Mode, besides block release command or definition change, the relayed ports can also be released from block state by Link Up of the ports set in the Link Down Relay function. In the case of "Auto" , when block release is done by Link Up, it will output to system log. In "Recovery Cause", specify block factor as the block release object of relay port list. When "Link Relay" is set, only the block factor of Link Down Relay function is the release object. When "All" is set, block release will be done for all block factors. In "Recovery Sync", the synchronization operation of the relay port list can be specified. When "Recovery Sync" is set as "Enable", by synchronization operation before the port link up, the relayed ports will stand by in block state by Link Down Relay. When "Recovery Sync" is set as "Disable", the synchronization operation will not be done. ICMP Watching IP Address 298/328
Please specify the destination IP address to monitor when using monitor function. ICMP ECHO packets will be sent from the ether port to the specified destination IP address, and existence can be confirmed by the response. Please do not set it as the IP address of the device itself. Please also confirm that the specified IP address is in the same subnet, or the monitor function may not operate normally. ICMP Watching Interval Specify the normal sending interval of ICMP ECHO packets within the range of 1 second ~ 60 seconds(1 minute). ICMP Watching Timeout Specify the timeout interval within the range of 5 seconds ~ 180 seconds(3 minutes). It is considered that monitor fails when reaching the timeout interval. ICMP Watching Retry When there is no response for the normal sending ICMP ECHO packets, the ICMP ECHO packets will be resent. Specify the resend interval within the range of 1 second ~ (ICMP Watching Timeout) - 1 seconds. Broadcast Storm Control Set the threshold of the traffic for broadcast storm. Set the data amount in 1 second within the range of 8Kbps~8Gbps. When the threshold is not set(text box is blank), the storm observation will not be done. Multicast Storm Control Set the threshold of the traffic for multicast storm. Set the data amount in 1 second within the range of 8Kbps~8Gbps. When the threshold is not set(text box is blank), the storm observation will not be done. Storm Control Action Specify the action when broadcast/multicast storm occurs. - Link down : Block the port - Discard : Discard the data that surpasses threshold Output Rate Control The output rate is set by the unit of bps. The actual operation for the device is controlled by the value rounded down to the unit of 1/256 of 10Gbps (About 40Mbps). Mac Detection Select whether to use Mac detection function. If "Enable" is selected, an illegal connection that exceeds the connection is detected. Max User Set limit the maximum number of connection within the range of 1 - 31 in decimal number. If it is omitted, max user is set to 1. Port Disable Specify the action when number of connection reaches the limit. - Don't Link down : Do nothing - Link down : Block the port LLDP Notification Trap Set whether to send SNMP Notification Trap when LLDP information is changed. MAC Learning Set the mac learning. Flooding Mode Set the flooding mode. 299/328
Edge Relay Reflective Relay Mode Select the port reflective relay mode. 3.3.9.2. Summary
Figure 292
It displays the port information simply.
3.3.9.3. Mirroring
Figure 293
Target Port Set the target port number. Source Port Set the source port number in decimal number. If you want to specify two or more ports, delimit them by ","(comma). Source Link Aggregation Group Set the source Link Aggregation Group number in decimal number. If you want to specify two or more Link Aggregation Groups, delimit them by ","(comma).
300/328
3.3.10. Link Aggregation 3.3.10.1.LACP Config
Figure 294
System Priority Set the LACP system priority. The Link Aggregation Group will exchange information with other Link Aggregation Group, then use the system priority to decide which one has higher priority. When they have the same system priority, the one with smaller system ID(Designated MAC Address + 1) has higher priority. When LACP is not used, this definition is meaningless. 3.3.10.2.Group Config
Figure 295
Group Set the Link Aggregation group id. Algorithm Specify the load-balance algorithm. Source MAC Address : Divide by source MAC address 301/328
Destination MAC Address : Divide by destination MAC address Both MAC Address : Divide by both source and destination MAC address Source IP Address : Divide by source IP address Destination IP Address : Divide by destination IP address Both IP Address : Divide by XOR of source and destination IP address Received Ethernet Port : Divide by received Ethernet port Mode Set the operation mode of Link Aggregation. When "Static" is set, it will compose the static Link Aggregation without using LACP. When "Active" or "Passive" is set, it is the dynamic Link Aggregation using LACP. In the "Active" mode, the LACPDU periodical transmission to remote LACP device will start voluntarily. In the "Passive" mode, as long as LACPDU is not received from remote LACP, LACPDU periodical transmission will not be done. In other words, Link Aggregation is not composed when both devices are in "Passive" mode. Minimum Link Set the Minimum number of member ports for Link Aggregation communication within the range of 1 ~ 10 in decimal number. If the number of ports united by Link Aggregation is less than the specified Minimum Link, communication can not be done in the Link Aggregation. And when the number of member ports falls below the specified Minimum Link because of trouble, etc, communication can not be done in the Link Aggregation. ICMP Watching IP Address Please specify the destination IP address to monitor when using monitor function. ICMP ECHO packets will be sent from the ether port to the specified destination IP address, and existence can be confirmed by the response. Please do not set it as the IP address of the device itself. Please also confirm that the specified IP address is in the same subnet, or the monitor function may not operate normally. ICMP Watching Interval Specify the normal sending interval of ICMP ECHO packets within the range of 1 second ~ 60 seconds(1 minute). ICMP Watching Timeout Specify the timeout interval within the range of 5 seconds ~ 180 seconds(3 minutes). It is considered that monitor fails when reaching the timeout interval. ICMP Watching Retry When there is no response for the normal sending ICMP ECHO packets, the ICMP ECHO packets will be resent. Specify the resend interval within the range of 1 second ~ (ICMP Watching Timeout) - 1 seconds.
302/328
3.4. Security Menu 3.4.1. Port Access Control 3.4.1.1. Config – IEEE802.1X
Figure 296
IEEE802.1X Authentication Select whether to use IEEE802.1X authentication for the device. If "Use" is selected, the IEEE802.1X authentication of the transmission source terminal will be done. If the result of the terminal authentication is success, the packets will be relayed; otherwise the packets will be discarded. If "Disuse" is selected, the IEEE802.1X authentication will not be done. Caution: - Even if "Use" is selected here, IEEE802.1X authentication will be disabled if IEEE802.1X Authentication is set as "Disuse" in IEEE802.1X of [Security]-[Port Access Control]-[Port Config]. EAPOL Transfer Mode Select the transfer mode of EAPOL frames which is used for IEEE802.1X authentication. Transmit When EAPOL frames are received, the frames will be transmitted to the ports with the same VLAN ID as the "untagged" VLAN ID set in the port where the frames are received. Don't Transmit EAPOL frames are not transmitted. Caution: - EAPOL frame is forbidden to be transmitted in IEEE 802.1D. - EAPOL frame can not be transmitted when IEEE802.1X authentication is used. Please don't select "Transmit".
3.4.1.2. Config – MAC Address Authentication
Figure 297
Authentication Function Select whether to use MAC address authentication for the device. If "Use" is selected, the MAC address authentication of the transmission source terminal will be done. If the result of the MAC address authentication is success, the packets will be relayed; otherwise the packets will be discarded. If "Disuse" is selected, the MAC address authentication will not be done. Caution: - Even if "Use" is selected here, MAC address authentication will be disabled if MAC Address Authentication is set as "Disuse" in MAC Address Authentication of [Security]-[Port Access Control]-[Port Config]. Password Specify the authentication password used for MAC address authentication. Specify it with a string composed of 0x21, 0x23~0x7e within 128 characters. If it is omitted, the MAC address of authentication terminal will be used as password. Confirm Password Specify the password above once more. Authentication Protocol Select authentication protocol of MAC address authentication.
304/328
3.4.1.3. Port Config – IEEE802.1X
Figure 298
IEEE802.1X Authentication Select whether to use IEEE802.1X authentication. If "Use" is selected, IEEE802.1X authentication of the source terminal of packets will be done. If the result is success, the packets will be relayed; otherwise the packets will be discarded. For the port where "Disuse" is selected, IEEE802.1X authentication will not be done. Even if "Use" is selected here, IEEE802.1X authentication will be disabled if authentication function is set as "Disuse" for the device. AAA Group Specify AAA group ID within the range of 0 ~ 9 in decimal number used as reference when doing IEEE802.1X authentication. Wakeup On LAN Packet Mode Set forward mode of Wake On LAN packet. Only the Wake On LAN packet to Directed Broadcast Address can be forwarded. EAPOL MAC Address Set the permitted destination MAC address of EAPOL frame. Quiet Period Set the time it waits to begin re-authentication after first authentication of the terminal(Supplicant) failed. Set it within the range of 0 ~ 600 seconds. If 0 second is specified, after first authentication failed, authentication will not be restrained and it will access second authentication request immediately. Transmit Period Set the sending interval of user ID request within the range of 1 ~ 600 seconds. Supplicant Timeout Set the waiting time for EAP response from terminal(Supplicant) within the range of 1 ~ 600 seconds. Maximum Requests Specify the EAP resending count when EAP response is not received. Specify the count within the range of 1 ~ 10. Reauthentication Period Specify the re-authentication interval for terminal(Supplicant) within the range of 15 seconds ~ 18000 seconds. 305/328
If 0 is specified, the re-authentication will not be done. 3.4.1.4. Port Config – MAC Address Authentication
Figure 299
MAC Address Authentication Select whether to use MAC Address authentication. If "Use" is selected, MAC address authentication of the source terminal of packets will be done. If it has the authenticated MAC address, the packets will be relayed; otherwise the packets will be discarded. For the port where "Disuse" is selected, MAC address authentication will not be done. Even if "Use" is selected here, MAC address authentication will be disabled if authentication function is set as "Disuse" for the device. AAA Group Specify AAA group ID within the range of 0 ~ 9 in decimal number used as reference when doing MAC address authentication. Wakeup On LAN Packet Mode Set forward mode of Wake On LAN packet. Only the Wake On LAN packet to Directed Broadcast Address can be forwarded. Authentication Result Hold Time Specify the result hold time of MAC address authentication. The re-authentication of successfully authenticated terminal will be done after the time specified in "Success" passed. The re-authentication of authentication failed terminal will not be done until the time specified in "Failure" passed. Because it checks for authentication result hold time every 30 seconds, the maximum difference with the real authentication result hold time is 30 seconds.
306/328
3.4.1.5. Port Status – IEEE802.1X
Figure 300
It displays authentication information, including user name, authentication method, authentication state and statistics of authenticated successfully terminal(Supplicant). Port User EAP-Type Authentication
Port Number User Name Authentication method Authentication State -
Means that the port has not been set or is not connected.
Authenticating In authentication processing Authenticated Authentication Complete Failure OK times NG times Status
Authentication Failed
Success times of Authentication Failure times of Authentication Displays internal state of IEEE802.1X authentication. S0: Before Authentication State S1: In Authentication State S2: Charge Starting State S3: Normal State S4: Charge Stopping State
VLAN VLAN ID MAC address MAC address of terminal(Supplicant) Since Time when authentication succeeded(Not update when re-authentication)
307/328
3.4.1.6. Port Status – MAC Address Authentication
Figure 301
It displays MAC address authentication state. Port Port number Mode Authentication method mac port
Authenticate for each MAC address Authenticate for each port
MAC Address MAC Address Status Authentication State idle response success permanent
No authentication terminal detected Wait for authentication result authentication succeed Authenticated Terminal authentication failed or surpass authentication limit failure times Note: Before authentication, it displays as "idle" VLAN Since
VLAN ID Time when authentication started, succeeded or failed
308/328
3.4.1.7. Port Summary – Authentication Information It displays successfully authenticated terminal information of each authentication function(IEEE802.1X authentication , MAC address authentication). Port Port Number MAC Address MAC Address Function successfully authenticated function dot1x macauth
IEEE802.1X authentication MAC address authentication
VLAN VLAN ID Note: For the port where successfully authenticated terminal does not exits, the items other than Port Number displays as "-". 3.4.1.8. Statistics – IEEE802.1X It displays statistics information of IEEE802.1X authentication. 3.4.1.9. Statistics – MAC Address Authentication It displays statistics information of MAC address authentication.
3.4.2. RADIUS 3.4.2.1. Config
Figure 302
AAA Group ID Specify AAA group ID with the decimal number less than 10. Authentication Mode Specify whether to use RADIUS authentication function. Authentication Source IP Address Set self IP address used to communicate with the RADIUS authentication server. The valid ranges are as follows. IPv4: 1.0.0.1 ~ 126.255.255.254 309/328
128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Message-Authenticator Set whether to do authentication by Message-Authenticator. When doing IEEE802.1X authentication, it will do authentication by Message-Authenticator regardless of this setting. It can only be used for authentication request message in this device. Accounting Mode Set whether to use RADIUS accounting function. Accounting Source IP Address Set self IP address used to communicate with the RADIUS accounting server. The valid ranges are as follows. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Retry Interval Set packets resent interval when there is no response from RADIUS server. The valid ranges are as follows. 1 ~ 10(seconds) Retry Times Set packets resent count when there is no response from RADIUS server. The valid ranges are as follows. 1 ~ 10(times) Security Mode Set security level when there is no response from RADIUS server. When "High" is selected, it operates as authentication failed. When "Normal" is selected, it operates as authentication succeeded.
310/328
3.4.2.2. Server Config
Figure 303
IP Address Set IP address of RADIUS authentication server. The valid ranges are as follows. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Secret Set the share key(RADIUS secret) between this device and RADIUS authentication server. Priority Specify the priority used to decide which RADIUS server to use for authentication when there are several RADIUS servers in the same group. In the same group, the highest priority RADIUS server which is not in "dead" status will be used. If there is more than one RADIUS server with the highest priority, the RADIUS server to be used will be randomly decided. Dead Time Specify the recover time it waits to recover to "alive" status automatically after RADIUS server enters "dead" status. If the response from RADIUS server is not received, that RADIUS server will be set as "dead" status and set as the lowest priority. The RADIUS server in "dead" status can not be used as long as the server in "alive" exists. This setting is used to set the waiting time after it enters "dead" status, when the time expires, it can recover to "alive" status with the specified priority. In order to recover from "dead" status to "alive" status, one of the following conditions has to be matched. - The specified Dead Time period passed - After all the possible server enters "dead" status, the packets are sent to the RADIUS server in "dead" status, and response is received - Recover manually 311/328
The valid ranges are as follows. 0 ~ 86400(seconds) If 0 is specified, it will not recover to "alive" status automatically. 3.4.2.3. Accounting Server Config
Figure 304
IP Address Set IP address of RADIUS accounting server. The valid ranges are as follows. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Secret Set the share key(RADIUS secret) between this device and RADIUS accounting server. Priority Specify the priority used to decide which RADIUS server to use for authentication when there are several RADIUS servers in the same group. In the same group, the highest priority RADIUS server which is not in "dead" status will be used. If there is more than one RADIUS server with the highest priority, the RADIUS server to be used will be randomly decided. Dead Time Specify the recover time it waits to recover to "alive" status automatically after RADIUS server enters "dead" status. If the response from RADIUS server is not received, that RADIUS server will be set as "dead" status and set as the lowest priority. The RADIUS server in "dead" status can not be used as long as the server in "alive" exists. This setting is used to set the waiting time after it enters "dead" status, when the time expires, it can recover to "alive" status with the specified priority. In order to recover from "dead" status to "alive" status, one of the following conditions has to be matched. 312/328
- The specified Dead Time period passed - After all the possible server enters "dead" status, the packets are sent to the RADIUS server in "dead" status, and response is received - Recover manually The valid ranges are as follows. 0 ~ 86400(seconds) If 0 is specified, it will not recover to "alive" status automatically.
3.4.2.4. Summary It displays the status of RADIUS server. Type Server Type Auth Acct No. Server Address Port Pri State
Server definition Number Server IP Address Server Port Number Priority Server status alive dead
recover
Authentication Server Accounting Server
usable no response
recover remaining time / recover standby time When server status is "alive", displays as "-".
3.4.3. TACACS+ 3.4.3.1. Config
Figure 305
313/328
AAA Group ID Specify AAA group ID within the range of 0 ~ 9 in decimal number. TACACS+ Service Specify whether to use TACACS+ function. Timeout Set timeout when there is no response from TACACS+ server. The valid ranges are as follows. 1 ~ 300(seconds) Authentication Security Mode Set TACACS+ Authentication security operation when there is no response from server. When "High", it operates as a failure to authenticate. When "Normal", it operates as a success to authenticate. Authorization Security Mode Set TACACS+ Authorization security operation when there is no response from server. When "High", it operates as a failure to authorize. When "Normal", it operates as a success to authorize. 3.4.3.2. Server Config
Figure 306
IP Address To set the IP address of the TACACS+ authentication server. The IP Address of authentication server cannot be omitted. The value range can be specified as followed. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Secret Set the share key between this device and TACACS+ authentication server. 314/328
It is considered that the share key is not set when omitted. Moreover, when it is not set, the communication between TACACS+ servers is not encrypted. Priority To specify the priority of some TACACS+ servers in the same group, which decides which TACACS+ server to use at the time of authentication. In the same group, the highest priority TACACS+ server not in dead status will be used. If there are multiple TACACS+ servers with the highest priority, the used TACACS+ server will be decided randomly. Dead Time Specify the recover time it waits to recover to "alive" status automatically after TACACS+ server enters "dead" status. If the response from TACACS+ server is not received, that TACACS+ server will be set as "dead" status and set as the lowest priority. The TACACS+ server in "dead" status can not be used as long as the server in "alive" exists. This setting is used to set the waiting time after it enters "dead" status, when the time expires, it can recover to "alive" status with the specified priority. In order to recover from "dead" status to "alive" status, one of the following conditions has to be matched. - The specified Dead Time period passed - After all the possible server enters "dead" status, the packets are sent to the TACACS+ server in "dead" status, and response is received - Recover manually The valid ranges are as follows. 0 ~ 86400(seconds) If 0 is specified, it will not recover to "alive" status automatically. Source IP Address Source IP address used to communicate with the TACACS+ authentication server is set. Source IP address used to communicate with the authentication server is automatically allotted when it is not set. The value range can be specified as followed. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
315/328
3.4.3.3. Authorization Server Config
Figure 307
IP Address To set the IP address of the TACACS+ authorization server. The IP Address of authorization server cannot be omitted. The value range can be specified as followed. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Secret Set the share key between this device and TACACS+ authorization server. It is considered that the share key is not set when omitted. Moreover, when it is not set, the communication between TACACS+ servers is not encrypted. Priority To specify the priority of some TACACS+ servers in the same group, which decides which TACACS+ server to use at the time of authorization. In the same group, the highest priority TACACS+ server not in dead status will be used. If there are multiple TACACS+ servers with the highest priority, the used TACACS+ server will be decided randomly. Dead Time Specify the recover time it waits to recover to "alive" status automatically after TACACS+ server enters "dead" status. If the response from TACACS+ server is not received, that TACACS+ server will be set as "dead" status and set as the lowest priority. The TACACS+ server in "dead" status can not be used as long as the server in "alive" exists. This setting is used to set the waiting time after it enters "dead" status, when the time expires, it can recover to "alive" status with the specified priority. In order to recover from "dead" status to "alive" status, one of the following conditions has to be matched. 316/328
- The specified Dead Time period passed - After all the possible server enters "dead" status, the packets are sent to the TACACS+ server in "dead" status, and response is received - Recover manually The value range can be specified as followed. 0~86400(second) If specified 0, it does not automatically restore the alive status. Source IP Address Source IP address used to communicate with the TACACS+ authorization server is set. Source IP address used to communicate with the authorization server is automatically allotted when it is not set. The value range can be specified as followed. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 3.4.3.4. Summary It displays the status of TACACS+ server. Type Server Type Authen Author No. Server Address Pri State
Server definition Number Server IP Address Priority Server status alive dead
recover
Authentication Server Authorization Server
usable no response
recover remaining time / recover standby time When server status is "alive", displays as "-".
317/328
3.4.4. LDAP 3.4.4.1. Config
Figure 308
AAA Group ID Specify AAA group ID within the range of 0 ~ 9 in decimal number. LDAP Service Specify whether to use LDAP Client function. Timeout Set timeout when there is no response from LDAP server. The valid ranges are as follows. 1 ~ 300(seconds) Authentication Security Mode Set LDAP Authentication security operation when there is no response from server. When "High", it operates as a failure to authenticate. When "Normal", it operates as a success to authenticate.
318/328
3.4.4.2. Server Config
Figure 309
AAA Group ID Specify AAA group ID within the range of 0 ~ 9 in decimal number. Server Specify Server number within the range of 0 ~ 3 in decimal number. LDAP Server IP Address Specify the IP address of LDAP authentication server. The IP Address of LDAP authentication server cannot be omitted. The value range can be specified as followed. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff RDN attribute Specify RDN attribute of Bind DN, default is empty string. Bind DN without RDN Specify Partial Bind DN exclude RDN with it, default is empty string. Class attribute Specify user class attribute, default is empty string. Admin class value Specify Admin class value, default is empty string. If you want to specify two or more values, delimit them by ","(comma). Priority Specify the priority of some LDAP servers in the same group, which decides which LDAP server to use at the time of authentication. In the same group, the highest priority LDAP server not in dead status will be used. If there are multiple LDAP servers with the highest priority, the used LDAP server will be decided randomly. Dead Time 319/328
Specify the recover time it waits to recover to "alive" status automatically after LDAP server enters "dead" status. If the response from LDAP server is not received, that LDAP server will be set as "dead" status and set as the lowest priority. The LDAP server in "dead" status can not be used as long as the server in "alive" exists. This setting is used to set the waiting time after it enters "dead" status, when the time expires, it can recover to "alive" status with the specified priority. In order to recover from "dead" status to "alive" status, one of the following conditions has to be matched. - The specified Dead Time period passed - After all the possible server enters "dead" status, the packets are sent to the LDAP server in "dead" status, and response is received - Recover manually The valid ranges are as follows. 0 ~ 86400(seconds) If 0 is specified, it will not recover to "alive" status automatically. Source IP Address Source IP address used to communicate with the LDAP authentication server is set. Source IP address used to communicate with the authentication server is automatically allotted when it is not set. The value range can be specified as followed. IPv4: 1.0.0.1 ~ 126.255.255.254 128.0.0.1 ~ 191.255.255.254 192.0.0.1 ~ 223.255.255.254 IPv6: ::2 ~ fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff fec0:: ~ feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Caution: - For example, if RDN(Relative Distinguished Name) attribute is set as "cn"(common name), and Bind DN(Distinguished Name) without RDN is set as "dc=test,dc=com". When input user name is "root", and input password is "1234", then Bind DN sent to LDAP server will be "cn=root,dc=test,dc=com", and password sent to LDAP server will be "1234". - For example, If Class attribute is set as "uidNumber", and Admin class value is set as "1,2". According to LDAP search result, if value of "uidNumber" exists and equals to "1" or "2", it becomes "Administrator" class, otherwise it becomes "General User" class.
320/328
3.4.4.3. Summary It displays the status of LDAP server. Type Server Type Authen No. Server Address Pri State
Server definition Number Server IP Address Priority Server status alive dead
recover
Authentication Server
usable no response
recover remaining time / recover standby time When server status is "alive", displays as "-".
3.4.5. AAA 3.4.5.1. Config
Figure 310
AAA Group ID Specify AAA Group ID within 0 ~ 9 in decimal number. User Number Specify definition number of AAA user information with decimal number of less than 1000. User ID Specify user ID by characters of 0x21,0x23 ~ 0x7e within 128 characters. If it is used for MAC address authentication, please specify it as the MAC address of the terminal which is permitted to access with 12 digits of hexadecimal numbers(using lower case letters while not using ":" ,etc). User Password Specify password for authentication by characters of 0x21,0x23 ~ 0x7e within 128 characters. 321/328
If MAC address authentication is used and password has been set in MAC Address Authentication, please also set the same password here. If password has not been set in MAC Address Authentication, specify it as the MAC address of the terminal which is permitted to access with 12 digits of hexadecimal numbers(using lower case letters while not using ":" ,etc). User Role Specify authority class of user as the login user information.
3.4.5.2. Summary It displays the contents of AAA local database. No. User Definition Number User ID User ID User Role Authority Class of User
3.4.6. Application Filter 3.4.6.1. FTP config
Figure 311
FTP IPv4 Server Set whether to enable IPv4 of FTP server function. FTP IPv6 Server Set whether to enable IPv6 of FTP server function. 3.4.6.2. SFTP config
322/328
Figure 312
SFTP IPv4 Server Set whether to enable IPv4 of SFTP server function. SFTP IPv6 Server Set whether to enable IPv6 of SFTP server function.
3.4.6.3. TELNET config
Figure 313
TELNET IPv4 Server Set whether to enable IPv4 of TELNET server function. TELNET IPv6 Server Set whether to enable IPv6 of TELNET server function.
323/328
3.4.6.4. SSH config
Figure 314
SSH IPv4 Server Set whether to enable IPv4 of SSH server function. SSH IPv6 Server Set whether to enable IPv6 of SSH server function. 3.4.6.5. HTTP config
Figure 315
HTTP IPv4 Server Set whether to enable IPv4 of HTTP server function. HTTP IPv6 Server Set whether to enable IPv6 of HTTP server function.
324/328
3.4.6.6. HTTPS config
Figure 316
HTTPS IPv4 Server Set whether to enable IPv4 of HTTPS server function. HTTPS IPv6 Server Set whether to enable IPv6 of HTTPS server function. 3.4.6.7. SNTP config
Figure 317
SNTP IPv4 Server Set whether to enable IPv4 of SNTP server function. SNTP IPv6 Server Set whether to enable IPv6 of SNTP server function.
325/328
3.4.6.8. TIME config
Figure 318
TIME IPv4 Server(UDP) Set whether to enable IPv4 of TIME server function by UDP. TIME IPv4 Server(TCP) Set whether to enable IPv4 of TIME server function by TCP. TIME IPv6 Server(UDP) Set whether to enable IPv6 of TIME server function by UDP. TIME IPv6 Server(TCP) Set whether to enable IPv6 of TIME server function by TCP.
326/328
3.5. QoS Menu 3.5.1. Port Configuration 3.5.1.1. Queue Config
Figure 319
Untagged Priority Set tag priority value assigned to the untagged received packets of ether port. Output Mode Set the QoS sending algorithm of ether port. Select from STRICT(send from higher priority sequentially) and DRR(Deficit round robin) method. If DRR is selected, specify lowest guarantee band for each queue. Please set it so that the total of specified band is 10Gbps. Queue Mapping Specify which COS value the packets have and in which output queue the packets will be output. The queue with larger queue number has higher output priority. 3.5.1.2. Queue Summary
Figure 320
327/328
It displays the correspondence of packets COS value and storage queue. 3.5.1.3. Classification
Figure 321
IPv4 Type of Service field Priority is decided by the value of IP Precedence field of the Type of Service field of IPv4. IPv6 Traffic Class field Priority is decided by the value of upper 3 bits of Traffic Class field of IPv6.
328/328