Table of Contents
Chapter 5: Administration: Stack Management
Chapter 6: Administration
Chapter 7: Administration: Time Settings
Chapter 8: Administration: Diagnostics
Chapter 9: Administration: Discovery
Chapter 10: Administration: Unidirectional Link Detection
Chapter 11: Port Management
Chapter 12: Smartport
Chapter 13: Port Management: PoE
Chapter 14: VLAN Management
Chapter 15: Spanning Tree
Chapter 21: Security
Chapter 22: Security: 802.1X Authentication
Chapter 23: Security: First Hop Security
Chapter 24: Security: SSH Client
Chapter 25: Security: SSH Server
Getting Started
Starting the Web-based Configuration Utility
Browser Restrictions
Launching the Configuration Utility
Logging In
HTTP/HTTPS
Password Expiration
Logging Out
Quick Start Device Configuration
Interface Naming Conventions
Differences Between 500 Devices
Window Navigation
Application Header
Management Buttons
Status and Statistics
System Summary
Viewing Ethernet Interfaces
Viewing Etherlike Statistics
Viewing GVRP Statistics
Viewing 802.1X EAP Statistics
Viewing TCAM Utilization
Health
Managing RMON
Viewing RMON Statistics
Configuring RMON History
Viewing the RMON History Table
Defining RMON Events Control
Viewing the RMON Events Logs
Defining RMON Alarms
View Log
Administration: System Log
Setting System Log Settings
Setting Remote Logging Settings
Viewing Memory Logs
RAM Memory
Flash Memory
Administration: File Management
System Files
Files and File Types
File Actions
Upgrade/Backup Firmware/Language
Upgrade/Backing Firmware or Language File
Active Image
Download/Backup Configuration/Log
Configuration File Backwards Compatibility
Downloading or Backing-up a Configuration or Log File
Configuration Files Properties
Copy/Save Configuration
Auto Configuration via DHCP
DHCP Server Options
Auto Configuration Download Protocol (TFTP or SCP)
SSH Client Authentication Parameters
Auto Configuration Process
Configuring DHCP Auto Configuration
Web Configuration
Auto By File Extension
File Extension for SCP
SSH Client Authentication
Remote SSH Server Authentication
SCP Only
Administration: Stack Management
Types of Units in Stack
Backward Compatibility of Number of Units in Stack
Unit LEDs
Stack Topology
Types of Stack Topology
Topology Discovery
Unit ID Assignment
Duplicate Unit IDs
Master Selection Process
Stack Changes
Connecting a New Unit
Unit Failure in Stack
Failure of Master Unit
Master/Backup Switchover
Slave Unit Handling
Reconnecting the Original Master Unit After Failover
Software Auto Synchronization in Stack
Stack Unit Mode
Stack Configuration Options
Consistency of Stack Unit Modes in the Stack
Changing the Stack Unit Mode
System Mode (500 Devices) After Reboot
Configuration After Reboot
Stack Ports
Default Stack and Network Ports
Pairs of Ports
Port Speeds
Auto Selection of Port Speed
Connecting Units
Cables Types
Default Configuration
Interactions With Other Features
System Modes
System Mode Backwards Compatibility
System Mode and Stack Management
Administration
Device Models
Displaying the System Summary
System Information:
Software Information:
TCP/UDP Services Status:
PoE Power Information on Master Unit:
Detail
System Settings
Console Settings (Autobaud Rate Support)
Management Interface
System Mode and Stack Management
Idle Session Timeout
User Accounts
Defining Idle Session Timeout
Time Settings
System Log
File Management
Rebooting the Device
Administration > File Management > Copy/Save Configuration
Routing Resources
Health
Diagnostics
Discovery - Bonjour
Discovery - LLDP
Discovery - CDP
Ping
Traceroute
Administration: Time Settings
System Time Options
Time
Time Zone and Daylight Savings Time (DST)
SNTP Modes
Configuring System Time
Selecting Source of System Time
USA
European
By Dates
Recurring
By Dates
Adding a Unicast SNTP Server
In Process
Configuring the SNTP Mode
Defining SNTP Authentication
Time Range
Absolute Time Range
Recurring Time Range
Administration: Diagnostics
Testing Copper Ports
Preconditions to Running the Copper Port Test
Displaying Optical Module Status
MSA-compatible SFPs
Configuring Port and VLAN Mirroring
Viewing CPU Utilization and Secure Core Technology
Administration: Discovery
Bonjour
Bonjour in Layer 2 System Mode
Bonjour in Layer 3 System Mode
LLDP and CDP
Configuring LLDP
LLDP Overview
LLDP Configuration Workflow
Setting LLDP Properties
Flooding
Filtering
MAC Address
Editing LLDP Port Settings
LLDP MED Network Policy
LLDP Media Endpoint Discovery
Setting LLDP MED Network Policy
Configuring LLDP MED Port Settings
Network Policy
Displaying LLDP Port Status
Displaying LLDP Local Information
Global
Management Address
MAC/PHY Details
802.3 Details
802.3 Link Aggregation
802.3 Energy Efficient Ethernet (EEE) (If device supports EEE)
MED Details
Location Information
Network Policy Table
Tagged
Untagged
Displaying LLDP Neighbors Information
Port Details
Basic Details
Management Address Table
MAC/PHY Details
802.3 Power via MDI
802.3 Details
802.3 Link Aggregation
802.3 Energy Efficient Ethernet (EEE)
MED Details
Accessing LLDP Statistics
Unrecognized
Discarded
Errors
Status
Configuring CDP
Setting CDP Properties
CDP Configuration Workflow
Flooding
Filtering
Bridging
Editing CDP Interface Settings
Displaying CDP Local Information
Displaying CDP Neighbors Information
Viewing CDP Statistics
Port Management
Configuring Ports
Setting Port Configuration
Port Settings
Error Recovery Settings
Link Aggregation
Link Aggregation Overview
Load Balancing
LAG Management
Default Settings and Configuration
Static and Dynamic LAG Workflow
Defining LAG Management
Configuring LAG Settings
Configuring LACP
LACP Priority and Rules
LACP With No Link Partner
Setting LACP Parameter Settings
UDLD
PoE
Configuring Green Ethernet
Green Ethernet Overview
Power Saving by Disabling Port LEDs
802.3az Energy Efficient Ethernet Feature
802.3az EEE Overview
Advertise Capabilities Negotiation
Link Level Discovery for 802.3az EEE
Availability of 802.3az EEE
Default Configuration
Interactions Between Features
802.3az EEE Configuration Workflow
Setting Global Green Ethernet Properties
Setting Green Ethernet Properties for Ports
Port Management: Unidirectional Link Detection
UDLD Overview
UDLD Operation
UDLD States and Modes
How UDLD Works
UDLD Not Supported or is Disabled on a Neighbor
Inconsistent UDLD Mode in Local and Neighboring Device
Reactivating a Shutdown Port
Usage Guidelines
Dependencies On Other Features
Default Settings and Configuration
Before You Start
Common UDLD Tasks
Workflow1: To globally enable UDLD on fiber ports, perform the following steps:
Configuring UDLD
UDLD Global Settings
UDLD Interface Settings
UDLD Neighbors
Smartport
What is a Smartport
Smartport Types
Special Smartport Types
Smartport Macros
Applying a Smartport Type to an Interface
Macro Failure and the Reset Operation
How the Smartport Feature Works
Auto Smartport
Enabling Auto Smartport
Identifying Smartport Type
Using CDP/LLDP Information to Identify Smartport Types
Multiple Devices Attached to the Port
Switch
Persistent Auto Smartport Interface
Error Handling
Default Configuration
Relationships with Other Features and Backwards Compatibility
Common Smartport Tasks
Workflow2: To configure an interface as a static Smartport, perform the following steps:
Workflow4: To rerun a Smartport macro after it has failed, perform the following steps:
Unknown
Configuring Smartport Using The Web-based Interface
Smartport Properties
Smartport Type Settings
Smartport Interface Settings
Port Type
Unknown
Built-in Smartport Macros
desktop
no_desktop
printer
no_printer
guest
no_guest
server
no_server
host
no_host
ip_camera
no_ip_camera
ip_phone
no_ip_phone
ip_phone_desktop
no_ip_phone_desktop
switch
no_switch
router
no_router
ap
Port Management: PoE
PoE on the Device
PoE Features
PoE Operation
PoE Configuration Considerations
Configuring PoE Properties
Class Limit
Port Limit
Configuring PoE Settings
PoE priority example:
VLAN Management
VLANs
VLAN Description
VLAN Roles
QinQ
VLAN Configuration Workflow
Configuring Default VLAN Settings
Creating VLANs
Configuring VLAN Interface Settings
Defining VLAN Membership
Configuring Port to VLAN
Configuring VLAN Membership
GVRP Settings
Defining GVRP Settings
VLAN Groups
MAC-based Groups
Assigning MAC-based VLAN Groups
Mapping VLAN Group to VLAN Per Interface
Protocol-based VLANs
Protocol-Based Groups
Protocol-Based Groups to VLAN Mapping
Voice VLAN
Voice VLAN Overview
Dynamic Voice VLAN Modes
Voice End-Points
Auto Voice VLAN, Auto Smartports, CDP, and LLDP Defaults
Voice VLAN Triggers
Auto Voice VLAN
Voice VLAN QoS
Voice VLAN Constraints
Voice VLAN Workflows
Workflow1: To configure Auto Voice VLAN:
Workflow2: To configure the Telephony OUI Method
Configuring Voice VLAN
Configuring Voice VLAN Properties
Enable Auto Voice VLAN
Auto Voice VLAN Activation
Administration > Discovery > LLDP > LLDP MED Network Policy
Enable Telephony OUI
Displaying Auto Voice VLAN Settings
Configuring Telephony OUI
Adding OUIs to the Telephony OUI Table
Adding Interfaces to Voice VLAN on Basis of OUIs
Access Port Multicast TV VLAN
IGMP Snooping
Differences Between Regular and Multicast TV VLANs
Configuration
Multicast TV Group to VLAN
Port Multicast VLAN Membership
Customer Port Multicast TV VLAN
Mapping CPE VLANs to Multicast TV VLANs
CPE Port Multicast VLAN Membership
Spanning Tree
STP Flavors
Configuring STP Status and Global Settings
Defining Spanning Tree Interface Settings
Configuring Rapid Spanning Tree Settings
Enable
Root
Auto
Disable
Multiple Spanning Tree
Defining MSTP Properties
Mapping VLANs to a MSTP Instance
Defining MSTP Instance Settings
Defining MSTP Interface Settings
Boundary
Managing MAC Address Tables
Types of MAC Addresses
Configuring Static MAC Addresses
Managing Dynamic MAC Addresses
Configuring Dynamic MAC Address Aging Time
Querying Dynamic Addresses
Defining Reserved MAC Addresses
Bridge
Discard
All
LLC-SNAP
Multicast
Multicast Forwarding
Typical Multicast Setup
Multicast Address Properties
Defining Multicast Properties
Adding MAC Group Address
Adding IP Multicast Group Addresses
Configuring IGMP Snooping
MLD Snooping
Querying IGMP/MLD IP Multicast Group
Defining Multicast Router Ports
Defining Forward All Multicast
Defining Unregistered Multicast Settings
IP Configuration
Layer 2 IP Addressing
Layer 3 IP Addressing
Loopback Interface
Overview
Configuring a Loopback Interface
IPv4 Management and Interfaces
IPv4 Interface
Defining an IPv4 Interface in Layer 2 System Mode
Administration
File Management
DHCP Auto Configuration
Defining IPv4 Interface in Layer 3 System Mode
Dynamic IP Address
Static IP Address
IPv4 Routes
Reject
Remote
RIPv2
Access List
VRRP
ARP
All
Normal Age Out
ARP Proxy
UDP Relay/IP Helper
DHCPv4 Snooping/Relay
DHCPv4 Snooping
DHCPv4 Relay
DHCPv4 in Layer 2 and Layer 3
Transparent DHCP Relay
Option 82
Interactions Between DHCPv4 Snooping, DHCPv4 Relay and Option 82
DHCP Snooping Binding Database
DHCP Trusted Ports
How the DHCP Snooping Binding Database is Built
DHCP Snooping Along With DHCP Relay
DHCP Default Configuration
Configuring DHCP Work Flow
DHCP Snooping/Relay
Properties
Backup Database Update Interval
Backup Database
Verify MAC Address
Interface Settings
DHCP Snooping Trusted Interfaces
DHCP Snooping Binding Database
Static
DHCP Server
Dependencies Between Features
Default Settings and Configurations
Workflow for Enabling the DHCP Server Feature
DHCPv4 Server
Network Pool
Excluded Addresses
Static Hosts
DHCP Options
Address Binding
IPv6 Management and Interfaces
IPv6 Static Routing
IPv6 Global Configuration
IPv6 Interface
DHCPv6 Client Details
IPv6 Tunnel
Types of Tunnels
Configuring Tunnels
Auto
Interface
IPv4 Address
Defining IPv6 Addresses
IPv6 Router Configuration
Router Advertisement
IPv6 Prefixes
IPv6 Default Router List
Defining IPv6 Neighbors Information
Incomplete
Probe
Delay
Stale
IPv6 Prefix List
Viewing IPv6 Route Tables
Local
DHCPv6 Relay
Dependencies with Other Features
Global Destinations
Interface Settings
Domain Name
DNS Settings
Search List
Host Mapping
OK
Negative Cache
No Response
IP Configuration: RIPv2
How Rip Operates on the Device
Enabling RIP
Enabling RIP
Offset Configuration
Passive Mode
Filtering Routing Updates
Advertising Default Route Entries on IP Interfaces
Redistribution Feature
Using RIP in Network with Non-Rip Devices
RIP Authentication
RIP Statistical Counters
RIP Peers Database
Configuring RIP
RIPv2 Properties
RIPv2 Settings on an IP Interface
Displaying RIPv2 Statistic Counters
Displaying the RIPv2 Peers Database
Access Lists
Creating an Access List
Populate an Access List
IP Configuration: VRRP
Constraints
VRRP Topology
Configurable Elements of VRRP
Virtual Router Identification
VRRP Versions
Virtual Router IP Addresses
Source IP Address In a VRRP Router
VRRP Router Priority and Preemption
VRRP Advertisements
Configuring VRRP
Virtual Routers
VRRP Statistics
Security
Defining Users
Setting User Accounts
Setting Password Complexity Rules
Configuring TACACS+
Accounting Using a TACACS+ Server
Defaults
Interactions With Other Features
Workflow
Configuring a TACACS+ Server
Configuring RADIUS
Accounting Using a RADIUS Server
Defaults
Interactions With Other Features
Radius Workflow
Key Management
Key Management
Creating a Key Chain
Creating a Key Settings
Management Access Method
Active Access Profile
Network Mask
Prefix Length
Defining Profile Rules
Management Access Authentication
Secure Sensitive Data Management
SSL Server
SSL Overview
Default Settings and Configuration
SSL Server Authentication Settings
SSH Server
SSH Client
Configuring TCP/UDP Services
Defining Storm Control
Configuring Port Security
802.1X
Denial of Service Prevention
Secure Core Technology (SCT)
Types of DoS Attacks
Defense Against DoS Attacks
Dependencies Between Features
Default Configuration
Configuring DoS Prevention
Security Suite Settings
SYN Protection
Martian Addresses
From Reserved List
New IP Address
Prefix Length
SYN Filtering
SYN Rate Protection
ICMP Filtering
IP Fragmented Filtering
DHCP Snooping
IP Source Guard
Interactions with Other Features
Filtering
Configuring IP Source Guard Work Flow
Enabling IP Source Guard
Configuring IP Source Guard on Interfaces
Binding Database
ARP Inspection
ARP Cache Poisoning
How ARP Prevents Cache Poisoning
Interaction Between ARP Inspection and DHCP Snooping
ARP Defaults
ARP Inspection Work Flow
Defining ARP Inspection Properties
Defining Dynamic ARP Inspection Interfaces Settings
Defining ARP Inspection Access Control
Defining ARP Inspection Access Control Rules
Defining ARP Inspection VLAN Settings
First Hop Security
Security: 802.1X Authentication
Overview of 802.1X
Client or Supplicant
Authenticator
Authentication Server
Authenticator Overview
Port Administrative Authentication States
Port Host Modes
Multiple Authentication Methods
802.1x-Based Authentication
MAC-Based Authentication
WEB-Based Authentication
Unauthenticated VLANs and the Guest VLAN
Host Modes with Guest VLAN
RADIUS VLAN Assignment or Dynamic VLAN Assignment
Violation Mode
Quiet Period
Workflow 1: To enable 802.1x authentication on a port:
Workflow 2: To configure traps
Workflow 3: To configure 802.1x-based or Web-based authentication
Workflow 4: To configure the quiet period
Workflow 5: To configure the guest VLAN:
Workflow 6: To configure unauthenticated VLANs
802.1X Configuration Through the GUI
Defining 802.1X Properties
Defining 802.1X Port Authentication
Defining Host and Session Authentication
Viewing Authenticated Hosts
Locked Clients
Web Authentication Customization
Defining Time Ranges
Authentication Method and Port Mode Support
Legend:
Mode Behavior
Single-host
Multi-host
Lite multi-sessions
Full multi-sessions
Security: IPV6 First Hop Security
First Hop Security Overview
Abbreviations
IPv6 First Hop Security Components
IPv6 First Hop Security Pipe
IPv6 First Hop Security Perimeter
Router Advertisement Guard
Filtering of Received RA, CPA, and ICMPv6 redirect Messages
Validation of RA messages
Neighbor Discovery Inspection
Message Validation
DHCPv6 Guard
Neighbor Binding Integrity
Learning Advertised IPv6 Prefixes
Neighbor Binding Table Overflow
Establishing Binding of Neighbors
NBI-NDP method
NB Integrity Policy
Attack Protection
Protection against IPv6 Router Spoofing
Protection against IPv6 Address Resolution Spoofing
Protection against IPv6 Duplication Address Detection Spoofing
Protection against DHCPv6 Server Spoofing
Protection Against NBD Cache Spoofing
Policies, Global Parameters and System Defaults
Policies
Default Policies
User-Defined Policies
Levels of Verification Rules
First Hop Security Common Work Flow
Router Advertisement Guard Work Flow
DHCPv6 Guard Work Flow
Neighbor Discovery Inspection Work Flow
Neighbor Binding Work Flow
Default Settings and Configuration
Before You Start
Configuring First Hop Security through Web GUI
FHS Common Settings
RA Guard Settings
DHCPv6 Guard Settings
Neighbor Discovery Inspection Settings
Neighbor Binding Settings
Policy Attachment (VLAN)
Policy Attachment (Port)
Neighbor Binding Table
FHS Status
FHS Statistics
Security: SSH Client
Secure Copy (SCP) and SSH
Protection Methods
Passwords
Public/Private Keys
Import Keys
SSH Server Authentication
SSH Client Authentication
Supported Algorithms
Before You Begin
Workflow2: To import the public/private keys from one device to another:
Workflow3: To change your password on an SSH server:
SSH Client Configuration Through the GUI
SSH User Authentication
SSH Server Authentication
Changing the User Password on the SSH Server
Security: Secure Sensitive Data Management
Introduction
SSD Management
SSD Rules
Elements of an SSD Rule
SSD Rules and User Authentication
Default SSD Rules
SSD Default Read Mode Session Override
SSD Properties
Passphrase
Default and User-defined Passphrases
Local Passphrase
Configuration File Passphrase Control
Configuration File Integrity Control
Read Mode
Configuration Files
File SSD Indicator
SSD Control Block
Startup Configuration File
Running Configuration File
Backup and Mirror Configuration File
Sensitive Data Zero-Touch Auto Configuration
SSD Management Channels
Menu CLI and Password Recovery
Configuring SSD
SSD Properties
SSD Rules
Security: SSH Server
Workflow3: To import an RSA or DSA key from device A to device B, perform the following steps:
SSH Server Configuration Pages
SSH User Authentication
Automatic Login
SSH Server Authentication
Access Control
Access Control Lists
Defining IPv6-Based ACL
Creating ACLs Workflow
Modifying ACLs Workflow
Defining MAC-based ACLs
Adding Rules to a MAC-based ACL
Permit
Shutdown
Deny
IPv4-based ACLs
Defining an IPv4-based ACL
Adding Rules (ACEs) to an IPv4-Based ACL
TCP
IP in IP
IGMP
ICMP
Any
DSCP to Match
IP Precedence to match
IPv6-Based ACLs
Defining an IPv6-based ACL
Adding Rules (ACEs) for an IPv6-Based ACL
Defining ACL Binding
Quality of Service
QoS Features and Components
QoS Operation
QoS Modes
QoS Workflow
Configuring QoS - General
Setting QoS Properties
Configuring QoS Queues
Strict Priority
WRR
% of WRR Bandwidth
WRR Weight
Mapping CoS/802.1p to a Queue
Mapping DSCP to Queue
Configuring Bandwidth
Configuring Egress Shaping per Queue
VLAN Ingress Rate Limit
TCP Congestion Avoidance
QoS Basic Mode
Workflow to Configure Basic QoS Mode
Configuring Global Settings
Interface QoS Settings
QoS Advanced Mode
Notes:
Workflow to Configure Advanced QoS Mode
Configuring Global Settings
Configuring Out-of-Profile DSCP Mapping
Defining Class Mapping
IP
MAC
IP or MAC
IP and MAC
QoS Policers
Defining Aggregate Policers
Configuring a Policy
Policy Class Maps
Use default trust mode
Always Trust
Set
Policy Binding
Managing QoS Statistics
Policer Statistics
Viewing Single Policer Statistics
Viewing Aggregated Policer Statistics
Viewing Queues Statistics
Unit No
SNMP
SNMP Versions and Workflow
SNMPv1 and v2
SNMPv3
SNMP Workflow
If you decide to use SNMPv1 or v2:
If you decide to use SNMPv3:
Supported MIBs
Model OIDs
SNMP Engine ID
Configuring SNMP Views
Creating SNMP Groups
To create an SNMP group:
Managing SNMP Users
Defining SNMP Communities
Defining Trap Settings
Notification Recipients
Defining SNMPv1,2 Notification Recipients
Defining SNMPv3 Notification Recipients
No Authentication
Authentication
Privacy
SNMP Notification Filters