Configuring with a Web Browser

There are three ways to configure Welotec’s Industrial Managed Ethernet Switch: web browser, Telnet console, and serial console. How to access the industrial managed switch through a web browser is explained in Chapter 2 through Chapter 5. There are only a few differences among these three methods. The web browser and Telnet console methods allow users to access the switch over the Internet or the Ethernet LAN, while the serial console method requires a serial cable connection between the console and the switch. Users are recommended to configure the switch via a web browser because of its user-friendly interface. Note that Telnet and plain HTTP carry the login credentials unencrypted across the network, so management access to the switch should be restricted to a trusted network segment rather than exposed to the Internet.

Next, we will use a web browser to introduce the managed switch’s functions. It is recommended to use Microsoft Edge 103, Firefox 44, Chrome 48 or later versions. Below is a list of the default factory settings; this information is used during the login process. Make sure that the computer accessing the switch is in the same subnet, that is, the computer has an IP address within the switch’s subnet and the same subnet mask as the switch. Please pay attention when entering the username and password, as they are case sensitive. The default credentials are the same for every switch of this model and are published in this manual, so change the admin password immediately after the first login.

IP Address: 192.168.2.1

Subnet Mask: 255.255.0.0

Default Gateway: 0.0.0.0

User Name: admin

Password: Welotec@RSAES

Before users can access the configuration, they have to log in. This can simply be done in the following steps.

  1. Launch a web browser.

  2. Type the switch IP address into the address bar (default: http://192.168.2.1), as shown in Figure 2.1. Another IP address (e.g. 10.0.50.1) may be used depending on your setup.

Note: If the user name and the password are left empty, the login prompt is not shown.

Figure 2.1 IP Address for Web-based Setting

  3. Enter the Username and Password to access the managed switch, then click the Sign in button.

Figure 2.2 Login page

  4. If a wrong username or password was entered, users can re-enter them until they are correct, or click the Cancel button to abandon the login.

  5. If the login was successful, the user is presented with the Port State Overview webpage, which shows the front panel of the managed switch as shown in Figure 2.3.

Figure 2.3 Webpage after a successful login

System

This section describes how users can configure system information in details. Figure 2.4 shows submenus under the Configuration⭢System main menu.

Figure 2.4 Submenus under Configuration⭢System Menu

Information

This subsection describes how users can assign the system’s details to the Welotec switch. There are three fields on this System Information Configuration webpage: System Contact, System Name, and System Location. Entering unique and relevant system information helps to identify one specific switch among all the others in the network. These three fields correspond to the SNMP system group objects (sysContact, sysName, sysLocation), so they are also visible to any SNMP manager that is allowed to query the switch. Figure 2.5 shows the System Information Configuration webpage of an RSAES managed switch model. Please click the Save button to update the information on the switch. Clicking the Reset button undoes any changes made locally and reverts to the previously saved values. Table 2.1 summarizes the device information settings and the corresponding factory defaults.

Figure 2.5 System Information Configuration Webpage

Table 2.1 Description of the System Information Configuration:

Label

Description

Factory Default

System Contact

Provides contact information for maintenance. Enter the name of whom to contact in case a problem occurs. The allowed string length is 0 to 255, and the allowed content is the ASCII characters from 32 to 126.

Null

System Name

Specifies a particular role or application of different switches. The name entered here is also shown in Welotec’s Device Management Utility. By convention, this is the node’s fully-qualified domain name. A domain name is a text string drawn from the letters (A-Z, a-z), digits (0-9) and the minus sign (-). No space characters are permitted as part of a name. The first character must be a letter, and the last character must not be a minus sign. The allowed string length is 0 to 255.

Null

System Location

The physical location of this node (e.g., telephone closet, 3rd floor). The allowed string length is 0 to 255, and the allowed content is the ASCII characters from 32 to 126.

Null
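The three rules in Table 2.1 are exactly what a configuration script should check before pushing values to the switch, whether through this webpage or through SNMP. The following validator is an added example and is not code from the manual or from Welotec; it implements the character and length rules as the table states them (note that the listed alphabet for System Name contains no dot, so a dotted FQDN is rejected even though the text says an FQDN is the convention). The function names and the sample strings are the example’s own.

```python
import re

# Limits from Table 2.1: every field is 0..255 characters.
MAX_LEN = 255
# System Contact / System Location accept printable ASCII 32..126 only.
PRINTABLE = re.compile(r"[\x20-\x7e]*")
# System Name: letters, digits and '-', no spaces (dots are not in the listed set).
NAME_CHARS = re.compile(r"[A-Za-z0-9-]*")


def valid_contact_or_location(value: str) -> bool:
    """System Contact / System Location: 0..255 printable ASCII characters."""
    return len(value) <= MAX_LEN and PRINTABLE.fullmatch(value) is not None


def valid_system_name(value: str) -> bool:
    """System Name: 0..255 chars, first char a letter, last char not '-',
    only letters, digits and '-' throughout. The empty string is allowed
    because the factory default is Null."""
    if value == "":
        return True
    if len(value) > MAX_LEN or NAME_CHARS.fullmatch(value) is None:
        return False
    return value[0].isalpha() and value[-1] != "-"


def check_system_information(contact: str, name: str, location: str) -> list:
    """Validate all three fields before sending them to the switch (for example
    as sysContact/sysName/sysLocation via SNMP). Returns the labels of the
    fields the switch would reject; an empty list means all are acceptable."""
    problems = []
    if not valid_contact_or_location(contact):
        problems.append("System Contact")
    if not valid_system_name(name):
        problems.append("System Name")
    if not valid_contact_or_location(location):
        problems.append("System Location")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real switch.
    print(check_system_information("NOC, 3rd floor (ext. 1234)", "rsaes-hall3", "Telephone closet"))
    print(check_system_information("NOC", "3rsaes", "B\u00fcro 3"))
```

Because the fields are readable over SNMP, keep System Contact to an on-call role or mailbox rather than a personal phone number, and do not encode anything in System Location that you would not want an attacker with read-only SNMP access to learn.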

IP

In this subsection, the user may modify the Internet Protocol (IP) network settings of the managed switch. The subsection is divided into three parts, IP Configuration, IP Interfaces, and IP Routes, as shown in Figure 2.6. The IP Configuration part defines how the managed switch operates as a host. The IP Interfaces part covers IP address and DHCP configuration for both IPv4 and IPv6. Finally, the IP Routes part contains the routing table with the network destination, gateway, next hop, and distance of each route.

Figure 2.6 Webpage to Configure System's IP Information.

The first part, shown in Figure 2.7, allows the user to set the operating mode of the managed switch and to enter up to four DNS servers. The DNS proxy option lets clients on the network use the switch as a DNS proxy server. A DNS proxy improves domain lookup performance by caching previous lookups; a typical DNS proxy processes a query by issuing a new resolution query to each name server it knows until the hostname is resolved. Table 2.2 provides a detailed description of each option in this part, which is also called basic setting.

Figure 2.7 Webpage to Configure System's IP Configuration

Table 2.2 Description of Basic Settings:

Label

Description

Mode

Configure the IP stack to act as a Host, where IP traffic between interfaces will not be routed.

DNS Server

This setting controls the DNS name resolution done by the switch.
There are four servers available for configuration, and the index of the server gives its preference (a lower index has higher priority) for DNS name resolution.
The following modes are supported:
- No DNS server: No DNS Server will be used.
- Configured IPv4: Explicitly provide the valid IPv4 unicast address of the DNS server in dotted decimal notation. Make sure the configured DNS server is reachable (e.g. via ping) so that the DNS service can be activated.
- Configured IPv6: Explicitly provide the valid IPv6 unicast address (link-local addresses excepted) of the DNS server. Make sure the configured DNS server is reachable (e.g. via ping6) so that the DNS service can be activated.
- From any DHCPv4 interfaces: The first DNS server offered from a DHCPv4 lease to a DHCPv4-enabled interface will be used.
- From this DHCPv4 interface: Specify from which DHCPv4-enabled interface a provided DNS server should be preferred.
- From any DHCPv6 interfaces: The first DNS server offered from a DHCPv6 lease to a DHCPv6-enabled interface will be used.
- From this DHCPv6 interface: Specify from which DHCPv6-enabled interface a provided DNS server should be preferred.

DNS Proxy

When DNS proxy is enabled, system will relay DNS requests to the currently configured DNS server, and reply as a DNS resolver to the client devices on the network.
Only IPv4 DNS proxy is now supported.

The second part of the IP setting section is the IP Interfaces part, shown in Figure 2.8. The user can enable DHCP (Dynamic Host Configuration Protocol) for DHCPv4 and/or DHCPv6 by checking the corresponding box; the IP address and related information are then obtained automatically from a DHCP server in the local network, reducing the work for the administrator. When DHCP is disabled (box unchecked), the user sets the static IP address and related fields manually: enter the IP address and Mask Length (the subnet mask as a prefix length) under the IPv4 and/or IPv6 columns. Table 2.3 provides a detailed description of each option in the IP Interfaces part.

Figure 2.8 Webpage to Configure System's IP Interfaces

Table 2.3 Description of IP Interfaces’ Options:

Label

Description

Delete

Select this option to delete an existing IP interface.

IF

The VLAN associated with the IP interface. Only ports in this VLAN will be able to access the IP interface. This field is only available for input when creating a new interface.

DHCPv4 Enabled

Enable the DHCPv4 client by checking this box. If this option is enabled, the system will configure the IPv4 address and mask of the interface using the DHCPv4 protocol.

DHCPv4 Client ID Type

This specifies which of the three types below, i.e. ifMac, ASCII or HEX, is used for the Client Identifier. See RFC 2132 section 9.14.

DHCPv4 Client ID ifMac

The interface name of DHCP client identifier. When DHCPv4 client is enabled and the client identifier type is ‘ifmac’, the configured interface’s hardware MAC address will be used in the DHCP option 61 field.

DHCPv4 Client ID ASCII

The ASCII string of DHCP client identifier. When DHCPv4 client is enabled and the client identifier type is ‘ascii’, the ASCII string will be used in the DHCP option 61 field.

DHCPv4 Client ID HEX

The hexadecimal string of the DHCP client identifier. When the DHCPv4 client is enabled and the client identifier type is ‘hex’, the hexadecimal value will be used in the DHCP option 61 field.

DHCPv4 Hostname

The hostname of the DHCP client. If the DHCPv4 client is enabled, the configured hostname will be used in the DHCP option 12 field. When this value is an empty string, the configured system name plus the last three bytes of the system MAC address is used as the hostname.

DHCPv4 Fallback

The number of seconds for trying to obtain a DHCP lease. After this period expires, a configured IPv4 address will be used as IPv4 interface address. A value of zero disables the fall-back mechanism, such that DHCP will keep retrying until a valid lease is obtained. Legal values are 0 to 4294967295 seconds.

DHCPv4 Current Lease

For DHCP interfaces with an active lease, this column shows the current interface address, as provided by the DHCP server.

IPv4 Address

The IPv4 address of the interface in dotted decimal notation.
If DHCP is enabled, this field configures the fall-back address. The field may be left blank if IPv4 operation on the interface is not desired - or no DHCP fall-back address is desired.

IPv4 Mask Length

The IPv4 network mask, in number of bits (prefix length). Valid values are between 0 and 30 bits for an IPv4 address.
If DHCP is enabled, this field configures the fall-back address network mask. The field may be left blank if IPv4 operation on the interface is not desired - or no DHCP fallback address is desired.

DHCPv6 Enable

Enable the DHCPv6 client by checking this box. If this option is enabled, the system will configure the IPv6 address of the interface using the DHCPv6 protocol.

DHCPv6 Rapid Commit

Enable the DHCPv6 Rapid-Commit option by checking this box. If this option is enabled, the DHCPv6 client terminates the waiting process as soon as a Reply message with a Rapid Commit option is received.
This option is only manageable when DHCPv6 client is enabled.

DHCPv6 Current Lease

For DHCPv6 interface with an active lease, this column shows the interface address provided by the DHCPv6 server.

IPv6 Address

The IPv6 address of the interface. An IPv6 address is in 128-bit records represented as eight fields of up to four hexadecimal digits with a colon separating each field (:). For example, fe80::215:c5ff:fe03:4dc7. The symbol :: is a special syntax that can be used as a shorthand way of representing multiple 16-bit groups of contiguous zeros; but it can appear only once.
System accepts the valid IPv6 unicast address only, except IPv4-Compatible address and IPv4-Mapped address.
The field may be left blank if IPv6 operation on the interface is not desired.

IPv6 Mask Length

The IPv6 network mask, in number of bits (prefix length). Valid values are between 1 and 128 bits for an IPv6 address.
The field may be left blank if IPv6 operation on the interface is not desired.
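Table 2.3 describes three encodings of the DHCP Client Identifier (option 61) and the hostname fallback for option 12, but not the bytes that end up on the wire. The block below is an added example written for this page, not code from the manual or from the switch firmware. It builds the two options as RFC 2132 TLVs and decodes them again the way a DHCP server would. Two details are assumptions rather than statements of the manual: that the ASCII and HEX identifiers are prefixed with hardware type 0 (RFC 2132 reserves 0 for non-hardware identifiers, while ifMac uses type 1 for Ethernet), and that the three MAC bytes of the hostname fallback are rendered as upper-case hex with no separator. The MAC and names are constructed sample values.

```python
import binascii

# DHCP option codes from RFC 2132: 12 = Host Name, 61 = Client Identifier, 255 = End.
OPT_HOST_NAME = 12
OPT_CLIENT_ID = 61
OPT_END = 255
# First byte of the option 61 value (RFC 2132 section 9.14): 1 = Ethernet hardware
# address, 0 = identifier that is not a hardware address. Using 0 in front of the
# ASCII and HEX forms is an assumption; the manual only says the value is used.
HTYPE_ETHERNET = 1
HTYPE_OTHER = 0


def parse_mac(mac: str) -> bytes:
    """'00:15:c5:03:4d:c7' or '00-15-c5-03-4d-c7' -> the 6 raw bytes."""
    raw = binascii.unhexlify(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be exactly 6 bytes")
    return raw


def tlv(code: int, value: bytes) -> bytes:
    """One DHCP option: code byte, length byte, value (so 1..255 value bytes)."""
    if not 1 <= len(value) <= 255:
        raise ValueError("option value must be 1..255 bytes")
    return bytes([code, len(value)]) + value


def client_id_option(id_type: str, value: str) -> bytes:
    """Option 61 for the three Client ID types of Table 2.3.
    ifMac: value is the interface MAC; ASCII: a printable string; HEX: hex digits."""
    kind = id_type.lower()
    if kind == "ifmac":
        body = bytes([HTYPE_ETHERNET]) + parse_mac(value)
    elif kind == "ascii":
        body = bytes([HTYPE_OTHER]) + value.encode("ascii")  # non-ASCII raises ValueError
    elif kind == "hex":
        body = bytes([HTYPE_OTHER]) + binascii.unhexlify(value)
    else:
        raise ValueError("Client ID type must be ifMac, ASCII or HEX")
    return tlv(OPT_CLIENT_ID, body)


def hostname_option(configured: str, system_name: str, system_mac: str) -> bytes:
    """Option 12. An empty DHCPv4 Hostname falls back to the System Name plus the
    last three bytes of the system MAC; rendering them as upper-case hex without a
    separator is an assumption, the manual does not show the exact format."""
    name = configured or system_name + parse_mac(system_mac)[3:].hex().upper()
    return tlv(OPT_HOST_NAME, name.encode("ascii"))


def decode_options(blob: bytes) -> dict:
    """Server side: walk the option TLVs back into {code: value}.
    Code 0 is a one-byte pad, code 255 ends the list."""
    out, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == 0:
            i += 1
            continue
        length = blob[i + 1]
        out[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return out


if __name__ == "__main__":
    # Constructed example values, not taken from a real switch.
    mac = "00:15:c5:03:4d:c7"
    request = client_id_option("ifMac", mac) + hostname_option("", "rsaes", mac) + bytes([OPT_END])
    for code, val in decode_options(request).items():
        print(code, val.hex())
```

Keep in mind that the DHCP server cannot verify either option: anything on the same VLAN can present the same client identifier or hostname. A reservation keyed on option 61 is a convenience for address planning, not an access control, and the fallback to the configured IPv4 address after the DHCPv4 Fallback timer is the mechanism that keeps the switch manageable if the DHCP server is unavailable.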

The third part of IP Setting section is the IP Routes part as shown in Figure 2.9. Description of each field or option is summarized in Table 2.4. Please click on the Save button to update the IP configuration on the switch. A system reboot is required after each update, so the new network settings can take effect. The user will need to manually update the new IP address in the URL field of the web browser if the IP address of the managed switch is changed.

Figure 2.9 Webpage to Configure System's IP Routes

Table 2.4 Description of IP Routes’ Options:

Label

Description

Delete

Select this option to delete an existing IP route.

Network

The destination IP network or host address of this route. Valid format is dotted decimal notation or a valid IPv6 notation. A default route uses the value 0.0.0.0 or, for IPv6, the :: notation.

Mask Length

The destination IP network or host mask, in number of bits (prefix length). It defines how much of a network address must match in order to qualify for this route. Valid values are between 0 and 32 bits for IPv4 routes and between 0 and 128 bits for IPv6 routes. Only a default route has a mask length of 0 (as it matches anything).

Gateway

The IP address of the IP gateway. Valid format is dotted decimal notation or a valid IPv6 notation. Gateway and Network must be of the same type.

Next Hop VLAN (IPv6)

The VLAN ID (VID) of the specific IPv6 interface associated with the gateway.
- The given VID ranges from 1 to 4095 and is effective only when the corresponding IPv6 interface is valid.
- If the IPv6 gateway address is link-local, it must specify the next hop VLAN for the gateway.
- If the IPv6 gateway address is not link-local, system ignores the next hop VLAN for the gateway.

Distance

The distance value of a route entry provides priority information when several routes lead to the same destination. When two or more routing protocols are involved and have the same destination, the distance value is used to select the best path.
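The four columns of Table 2.4 define how the switch picks a route: the entry with the longest matching prefix wins, and among entries with the same prefix the lower distance wins. The block below is an added example that models that table and the lookup; it is not code from the manual or from the switch, and the route entries are constructed sample data. It also applies the validity rules the table states (gateway and network of the same address family, a link-local IPv6 gateway needs a Next Hop VLAN, VID 1 to 4095, mask length 0 only for a default route).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    """One row of the IP Routes table (Table 2.4)."""
    network: str                        # destination network or host, IPv4 or IPv6
    mask_len: int                       # 0..32 (IPv4) or 0..128 (IPv6); 0 only for a default route
    gateway: str                        # must be the same address family as `network`
    distance: int = 1                   # lower wins when several entries match equally
    next_hop_vlan: Optional[int] = None  # IPv6 only; required when the gateway is link-local

    def __post_init__(self):
        net = self.prefix()             # raises ValueError if host bits are set, e.g. 10.0.0.0/0
        gw = ipaddress.ip_address(self.gateway)
        if net.version != gw.version:
            raise ValueError("Gateway and Network must be of the same type")
        if gw.version == 6 and gw.is_link_local and self.next_hop_vlan is None:
            raise ValueError("a link-local IPv6 gateway needs a Next Hop VLAN")
        if self.next_hop_vlan is not None and not 1 <= self.next_hop_vlan <= 4095:
            raise ValueError("Next Hop VLAN must be 1..4095")

    def prefix(self):
        return ipaddress.ip_network(f"{self.network}/{self.mask_len}", strict=True)


def lookup(routes, destination: str) -> Optional[Route]:
    """Longest-prefix match over the table; ties are broken by the lowest distance.
    Returns None when no entry matches (no default route configured)."""
    dst = ipaddress.ip_address(destination)
    best_key, best = None, None
    for r in routes:
        net = r.prefix()
        if net.version != dst.version or dst not in net:
            continue
        key = (net.prefixlen, -r.distance)   # longer prefix first, then lower distance
        if best_key is None or key > best_key:
            best_key, best = key, r
    return best


# Constructed sample table, not taken from a real switch.
SAMPLE_ROUTES = [
    Route("0.0.0.0", 0, "192.168.2.254"),
    Route("10.0.0.0", 8, "192.168.2.10"),
    Route("10.0.50.0", 24, "192.168.2.11", distance=10),
    Route("10.0.50.0", 24, "192.168.2.12", distance=5),
    Route("::", 0, "fe80::1", next_hop_vlan=1),
]

if __name__ == "__main__":
    for dest in ("10.0.50.7", "10.1.2.3", "192.0.2.1", "2001:db8::5"):
        r = lookup(SAMPLE_ROUTES, dest)
        print(dest, "->", r.gateway if r else "no route")
```

Because the default route catches everything not covered by a more specific entry, it decides where management traffic for unknown destinations is sent; on a switch that should only talk to its local management network, leaving the default route out (or pointing it at a gateway that filters) is a cheap way to limit where the device can reach out to.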

NTP

Welotec’s industrial managed switch has an internal calendar (date) and clock (system time) which can be set manually or automatically. Figure 2.10 shows the Network Time Protocol (NTP) configuration webpage. Here, users can have the device set its time automatically by first selecting Enabled from the drop-down menu of the Mode field. Then, users enter the IP or domain address of up to five NTP servers: Server 1, Server 2, Server 3, Server 4, and Server 5. The device synchronizes date and time with one of these servers. It first tries Server 1; if that server does not respond, the device tries the second-priority server, Server 2; if Server 2 does not respond, it contacts the third-priority server, Server 3, and so on until a server responds or none of them does. If a field is NULL, the device skips that server and continues with the lower-priority servers. Note that plain NTP is not authenticated, so use servers you control or trust and keep them reachable from the switch; the clock set here also provides the timestamps of the system log, so a wrong clock makes later incident correlation unreliable.

Figure 2.10 Webpage to Configure System NTP

The detailed description of each field is provided in Table 2.5.

Table 2.5 Descriptions of the NTP Settings:

Label

Description

Factory Default

Mode

Select to enable or disable an automatically setting of the device time. This option will disable or enable network time protocol (NTP) daemon inside the managed switch which allows this managed device to synchronize its clock with other NTP servers.

Disabled

Server 1

Sets the first IP or Domain address of NTP Server; e.g., time.nist.gov.

NULL

Server 2

Sets the second IP or Domain address of NTP Server.
The switch contacts the 2nd NTP server if the 1st NTP server fails to connect; e.g., time-A.timefreq.bldrdoc.gov

NULL

Server 3

Sets the third IP or Domain address of NTP Server. Switch will locate the 3rd NTP Server if the 2nd NTP Server fails to connect.

NULL

Server 4

Sets the fourth IP or Domain address of NTP Server. Switch will locate the 4th NTP Server if the 3rd NTP Server fails to connect.

NULL

Server 5

Sets the fifth IP or Domain address of NTP Server. Switch will locate the 5th NTP Server if the 4th NTP Server fails to connect.

NULL

Time

This Time webpage allows the user to configure the time zone and daylight saving for the managed switch. There are three setting parts within this webpage: System Time Configuration, Time Zone Configuration, and Daylight Saving Time Configuration.

In the first part, System Time Configuration, users can set the device’s system time manually. Table 2.6 summarizes the options of the system time configuration.

In the second part, Time Zone Configuration, users can set the device’s time zone. From the drop-down list of the Time Zone field, users select the device’s local time zone or the Manual Setting option. When Manual Setting is selected, users enter the number of hours and minutes by which the device’s time is offset from UTC in the Hours and Minutes fields. Table 2.7 summarizes the options of the time zone configuration.

In the third part, Daylight-Saving Time Configuration, if the switch is deployed in a region where daylight saving time is practised (see the note below), select the Recurring or Non-Recurring option in the Daylight Saving Time field of the Daylight-Saving Time Configuration box. Then enter the Start Time settings, End Time settings, and Offset settings in minutes. Note that the Start Time and End Time settings differ between the Recurring and Non-Recurring options. Recurring means that the daylight saving configuration is repeated every year; Non-Recurring means that daylight saving applies only in the specified years. Table 2.8 summarizes the options of the daylight saving time configuration.

Note:

  • Daylight Saving Time: In certain regions (e.g., US), local time is adjusted during the summer season in order to provide an extra hour of daylight in the afternoon, and one hour is usually shifted forward or backward.

  • NTP: Network Time Protocol is used to synchronize the computer systems’ clocks with a standard NTP server: Examples of two NTP servers are time.nist.gov and time-A.timefreq.bldrdoc.gov.

Figure 2.11 Webpage to Configure System Time

Table 2.6 Description of System Time Configuration:

Label

Description

Month

Select the month of system time

Date

Select the date of system time

Year

Select the year of system time

Hours

Select the starting hour of system time

Minutes

Select the starting minute of system time

Seconds

Select the starting second of system time


Table 2.7 Description of Time Zone Configuration:

Label

Description

Time Zone

Lists various time zones worldwide. Select the appropriate time zone from the drop-down list and click Save to set it. The ‘Manual Setting’ option is used for a time zone that is not in the list.

Hours

Number of hours offset from UTC. The field is only available when Time Zone is set to Manual Setting.

Minutes

Number of minutes offset from UTC. The field is only available when Time Zone is set to Manual Setting.

Acronym

User can set the acronym of the time zone. This is a User configurable acronym to identify the time zone.
(Range: Up to 16 characters)
Notice the string ‘’ is a special syntax that is reserved for null input.

Table 2.8 Description of Daylight-Saving Time Configuration:

Label

Description

Daylight Saving Time

This is used to set the clock forward or backward according to the configuration below for a defined Daylight-Saving Time duration.
- Select ‘Disable’ to disable the Daylight-Saving Time configuration.
- Select ‘Recurring’ and configure the Daylight-Saving Time duration to repeat the configuration every year.
- Select ‘Non-Recurring’ and configure the Daylight-Saving Time duration for single time configuration. (Default: Disabled)

Recurring Configuration

Start Time settings

Week - Select the starting week number.
Day - Select the starting day.
Month - Select the starting month.
Hours - Select the starting hour.
Minutes - Select the starting minute.

End time settings

Week - Select the ending week number.
Day - Select the ending day.
Month - Select the ending month.
Hours - Select the ending hour.
Minutes - Select the ending minute.

Offset settings

Offset - Enter the number of minutes to add during Daylight Saving Time. (Range: 1 to 1439)

Non-Recurring Configuration

Start Time settings

Month - Select the starting month.
Date - Select the starting date.
Year - Select the starting year.
Hours - Select the starting hour.
Minutes - Select the starting minute.

End time settings

Month - Select the ending month.
Date - Select the ending date.
Year - Select the ending year.
Hours - Select the ending hour.
Minutes - Select the ending minute.

Offset settings

Offset - Enter the number of minutes to add during Daylight Saving Time. (Range: 1 to 1439)
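The Recurring settings of Table 2.8 (week number, weekday, month, time, plus the offset in minutes) together with the Time Zone offset of Table 2.7 fully determine the local time the switch will stamp on its log entries. The block below is an added example, not code from the manual or from the switch, that carries that computation through so the result can be checked against the regional rule before it is saved. It assumes that Week 1 to 4 mean the first to fourth occurrence of the weekday in the month and Week 5 means the last occurrence (the manual does not define Week 5), that the start time is given in standard time and the end time in daylight time (the usual convention), and that a start month later than the end month means the period wraps around the year end. The sample rules and timestamps are constructed for the example.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

WEEKDAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}


@dataclass(frozen=True)
class Recurring:
    """One Recurring Start Time / End Time setting from Table 2.8.
    week: 1-4 = first..fourth occurrence of `day` in `month`; 5 = last occurrence (assumed)."""
    week: int
    day: str        # "Sun", "Mon", ...
    month: int      # 1..12
    hours: int
    minutes: int

    def in_year(self, year: int) -> datetime:
        """Wall-clock datetime of this rule in the given year."""
        first = datetime(year, self.month, 1, self.hours, self.minutes)
        dom = 1 + (WEEKDAYS[self.day] - first.weekday()) % 7 + 7 * (self.week - 1)
        last_dom = calendar.monthrange(year, self.month)[1]
        while dom > last_dom:   # week 5 in a month with only four occurrences
            dom -= 7
        return first.replace(day=dom)


@dataclass(frozen=True)
class DstConfig:
    start: Recurring
    end: Recurring
    offset_minutes: int     # 1..1439 per Table 2.8

    def __post_init__(self):
        if not 1 <= self.offset_minutes <= 1439:
            raise ValueError("Offset must be 1..1439 minutes")


def local_time(utc: datetime, tz_offset_minutes: int, dst: Optional[DstConfig]) -> datetime:
    """Apply the Time Zone offset (Table 2.7) and, if configured, the recurring DST rule.
    `utc` is a naive datetime in UTC; the result is naive local wall-clock time."""
    std = utc + timedelta(minutes=tz_offset_minutes)   # local standard time
    if dst is None:
        return std
    start = dst.start.in_year(std.year)   # expressed in standard time
    end = dst.end.in_year(std.year)       # expressed in daylight time
    shift = timedelta(minutes=dst.offset_minutes)
    if start <= end:    # period lies inside one calendar year (northern hemisphere)
        active = start <= std and std + shift < end
    else:               # period wraps the year end (southern hemisphere)
        active = start <= std or std + shift < end
    return std + shift if active else std


# Constructed sample rules: US style (2nd Sunday March / 1st Sunday November, 60 min)
# and a southern-hemisphere style rule (1st Sunday October / 1st Sunday April).
US_RULE = DstConfig(Recurring(2, "Sun", 3, 2, 0), Recurring(1, "Sun", 11, 2, 0), 60)
AU_RULE = DstConfig(Recurring(1, "Sun", 10, 2, 0), Recurring(1, "Sun", 4, 3, 0), 60)

if __name__ == "__main__":
    for stamp in (datetime(2024, 3, 10, 6, 59), datetime(2024, 3, 10, 7, 0),
                  datetime(2024, 11, 3, 5, 59), datetime(2024, 11, 3, 6, 0)):
        print(stamp, "UTC ->", local_time(stamp, -300, US_RULE), "local")
```

The two timestamps either side of each transition are the ones worth checking after a configuration change: one minute before the start the clock must still read standard time, and at the end the wall clock must step back by exactly the configured offset, otherwise log entries around the transition cannot be ordered reliably against other systems.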

Log

Figure 2.12 shows the System Log configuration webpage. The system log, or syslog, keeps records of messages or events related to the overall functioning of the managed switch. Here users configure whether the log is delivered to another system: it can be sent to a remote log server. Select Enabled from the drop-down list of the Server Mode field if the system log is to be saved on a remote log server, or Disabled to turn server mode off. Users then select the log level and provide the IP address of the remote log server. Click the Save button after finishing the setup, or the Reset button to disregard all local changes and revert to the previously saved values. Table 2.9 describes the parameters of the system log setting. The syslog levels are Error, Warning, Notice, and Informational. Because the log is sent over plain UDP, it is neither encrypted nor authenticated in transit; keep the log server on the management network and treat received messages as unverified until they are correlated with other sources.

Figure 2.12 Webpage to Configure System Log

Table 2.9 Descriptions of the System Log Configuration:

Field

Detailed description of mode

Server Mode

Indicates the server mode operation. When the mode is enabled, syslog messages are sent to the syslog server. The syslog protocol is based on UDP and is received on UDP port 514; the syslog server does not send acknowledgements back to the sender, since UDP is connectionless and provides none. Syslog packets are sent out even if the syslog server does not exist. Possible modes are:
Enabled: Enable server mode operation.
Disabled: Disable server mode operation.

Server Address

Indicates the IPv4 host address of syslog server. If the switch provides DNS feature, it also can be a domain name.

Syslog Level

Indicates which messages are sent to the syslog server. Possible modes are:
- Error: Send the messages whose severity code is less than or equal to Error (3).
- Warning: Send the messages whose severity code is less than or equal to Warning (4).
- Notice: Send the messages whose severity code is less than or equal to Notice (5).
- Informational: Send the messages whose severity code is less than or equal to Informational (6).
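Table 2.9 describes the sender side of syslog: a severity filter ("less than or equal to" the configured level) and an unacknowledged UDP datagram to port 514. The block below is an added example, not code from the manual or from the switch, that shows what that produces on the wire: it applies the level filter to a handful of constructed events, encodes each survivor as an RFC 3164 message (PRI = facility * 8 + severity, then timestamp, hostname and text) and decodes the PRI again as a collector would. The facility value is an assumption (the manual does not say which one the switch uses), the hostname and events are constructed, and the optional send function is fire-and-forget exactly like the switch: it succeeds even when nobody listens.

```python
import socket
from datetime import datetime

# Severity codes shared by RFC 3164 and RFC 5424. The "Syslog Level" drop-down of
# Table 2.9 names the highest code that is still forwarded.
LEVEL_CODE = {"Error": 3, "Warning": 4, "Notice": 5, "Informational": 6}
# The manual does not state the facility the switch uses; local0 (16) is assumed.
FACILITY = 16
SYSLOG_PORT = 514
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def should_send(severity: int, configured_level: str) -> bool:
    """Forward only messages whose severity code is <= the configured level."""
    return severity <= LEVEL_CODE[configured_level]


def build_datagram(severity: int, message: str, ts: datetime, hostname: str = "rsaes") -> bytes:
    """RFC 3164 payload: <PRI>Mmm dd HH:MM:SS HOSTNAME MSG, with PRI = facility*8 + severity."""
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0..7")
    pri = FACILITY * 8 + severity
    stamp = f"{MONTHS[ts.month - 1]} {ts.day:2d} {ts:%H:%M:%S}"   # day is space-padded
    return f"<{pri}>{stamp} {hostname} {message}".encode("ascii", errors="replace")


def parse_pri(datagram: bytes) -> tuple:
    """Collector side: split off <PRI> and return (facility, severity, remainder)."""
    text = datagram.decode("ascii", errors="replace")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("missing <PRI> header")
    close = text.index(">")
    pri = int(text[1:close])
    return pri // 8, pri % 8, text[close + 1:]


def forward(events, configured_level: str) -> list:
    """Apply the level filter to (timestamp, severity, message) events and encode the survivors."""
    return [build_datagram(sev, msg, ts) for ts, sev, msg in events if should_send(sev, configured_level)]


def send_udp(datagram: bytes, server: str, port: int = SYSLOG_PORT) -> None:
    """Fire-and-forget, like the switch: no acknowledgement and no error if nobody listens."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (server, port))


# Constructed sample events (not taken from a real switch): (timestamp, severity, message).
SAMPLE_EVENTS = [
    (datetime(2024, 5, 6, 8, 4, 1), 3, "Link down on port 5"),
    (datetime(2024, 5, 6, 8, 4, 2), 4, "Power 2 lost"),
    (datetime(2024, 5, 6, 8, 4, 3), 5, "Login from 192.168.2.20"),
    (datetime(2024, 5, 6, 8, 4, 4), 6, "Configuration saved"),
]

if __name__ == "__main__":
    for level in ("Error", "Notice", "Informational"):
        print(level, [d.decode() for d in forward(SAMPLE_EVENTS, level)])
```

Note what the Notice level drops: at Error or Warning the login event never leaves the switch, so a collector configured to alert on logins sees nothing unless the switch is set to Notice or Informational. Since the datagrams carry no integrity protection, a collector should record the source address of each message and the expected switch hostname, and treat a mismatch as a sign of spoofing or misconfiguration rather than silently merging the entries.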

DIP Switch

This section describes the DIP Switch configuration. Check the Enable DIP Switch Control box to enable it. DIP switch 1 on/off activates/deactivates Ring. DIP switch 2 on/off selects Master/Slave (on selects Master and deselects Slave; off selects Slave and deselects Master). When DIP switches 3 and 4 are on, nothing (N/A) is selected; when DIP switches 3 and 4 are off, ERPS is selected. The webpage for configuring the system DIP switch is shown in Figure 2.13. Click the Save button to update the DIP Switch configuration.

Figure 2.13 Webpage to Configure System DIP Switch

Alert

This webpage allows users to configure how each type of power status alarm event is sent to, or notifies, the users. Power Status Alarms keep track of the switch’s power status on the available input connectors.

RSAES models support two to three power sources. In the example in Figure 2.14, Power 1 and Power 2 are illustrated. Users can enable a notification for each power source separately, and can receive notifications through several methods, namely Relay, Alarm LED, and E-mail, by selecting in the corresponding field the power event (Power On or Power Off) that should trigger it. Click the Save button for the setting to take effect, or the Reset button to change back to the previously saved values.

Figure 2.14 Webpage to Configure System Alert

Table 2.10 summarizes the Power Status Alarm event selection.

Table 2.10 Descriptions of Power Status Alarm Event Selection:

Label

Description

Factory Default

Power

Indicate specific power supply such as Power 1 and Power 2

-

Relay

Options: Disabled, Power On, or Power Off

Disabled

Alarm LED

Options: Disabled, Power On, or Power Off

Disabled

E-mail

Options: Disabled, Power On, or Power Off

Disabled

SMTP Setting

Simple Mail Transfer Protocol (SMTP) is the Internet standard for e-mail transmission across IP networks. When a warning event occurs, the system can send an alarm message (e.g., link status or a system log entry) to users by e-mail. As shown in Figure 2.15, users can enable or disable authentication towards the server, enter the user name and password if it is enabled, and edit the e-mail addresses of the sender and of up to four recipients.

Figure 2.15 Webpage to Configure System SMTP Setting

An example of an SMTP setting is shown in Figure 2.16. When the box behind the Authentication field is checked, the TLS field as well as the User Name and Change Password fields are enabled. Users can configure the sender’s e-mail address so that recipients can reply to the correct person in charge, and the subject of the e-mail so that it can easily be distinguished from other e-mails. Finally, users can edit the e-mail addresses of all four recipients in the order shown on the page. After filling in all the necessary fields, click the Save button for the setting to take effect. Users can test the setup by clicking the Send Test E-mail button. Without TLS/SSL enabled, the SMTP user name and password, and the alarm messages themselves, are transmitted in cleartext, so enable TLS/SSL whenever the mail server supports it. The description of each SMTP setting parameter is summarized in Table 2.11.

Figure 2.16 Example of SMTP Setting

Table 2.11 Descriptions of SMTP Setting:

Label

Description

Factory Default

SMTP Server

Configure the IP address of an out-going e-mail server

NULL

Authentication

Check the box to enable authentication login. If enabled, the switch must authenticate itself to the SMTP server, so User Name and Password must also be set up.

Disable
(Unchecked)

TLS/SSL

Enable or disable Transport Layer Security (TLS)/Secure Sockets Layer (SSL), which encrypts the communication with the SMTP server.

Disable
(Unchecked)

User Name

Set the user name (or account name) to login for authentication. Max. 31 characters.

NULL

Change Password

Check the box to set or change the account password. If the box is unchecked, the previous account password is kept (if no password has been set before, it is NULL).

Disable
(Unchecked)

Password

Set the account password for login/authentication. Max. 31 characters.

NULL

E-mail Address of Sender

Configure the sender E-mail address

NULL

Subject of Mail

Type the subject of this warning message. Max. 63 characters.

NULL

E-mail Address of 1st Recipient

Set the first receiver’s E-mail address.

NULL

E-mail Address of 2nd Recipient

Set the second receiver’s E-mail address.

NULL

E-mail Address of 3rd Recipient

Set the third receiver’s E-mail address.

NULL

E-mail Address of 4th Recipient

Set the fourth receiver’s E-mail address.

NULL

Save

Save these modifications on the managed switch.

-

Send Test E-mail

Send a test email to recipient(s) above to check accuracy.

-

Ports

The Port Setting webpage is shown in Figure 2.17. Users can check the state of each port in the Link column: red means the port is down, green means the port is up. Users can also check the Warning status of the port. In the Speed column, users can check the current speed and configure a new speed in the Configured sub-column. The possible physical-layer settings of each port are listed in the Adv Duplex and Adv Speed columns. The port’s duplex mode can be either full duplex (Fdx) or half duplex (Hdx): half duplex allows communication in one direction at a time, while full duplex allows simultaneous two-way communication. The transmission speed of each port can be chosen from the drop-down list as 10, 100, or 1000 Mbps.

In the next column, users can enable or disable Flow Control for each port. The flow control mechanism avoids packet loss when congestion occurs. Within this column, the Curr Rx and Curr Tx sub-columns show the status of flow control on the receiving and transmitting side of the link, respectively.

Figure 2.17 Webpage to Configure Ports

Table 2.12 Descriptions of Port Configuration:

Field label

Subfield Label

Description

Factory Default

Port

Indicate port number. e.g., ranging from 1 to 11. In the first row, port * will show all possible configurable options for the device.

-

Link

Show link status. Red colour for port down, and green colour for port up.

-

Warning

Indicate a warning when there is a problem with the port. Different colours are used to indicate the severity of port problem.
grey colour: No warnings
yellow colour: There are warnings, use tooltip to see.

Grey colour

Speed

Current

Show current speed of the port. e.g., 100 fdx for 100 Mbps full duplex. If port is currently down, this field will show “down”.

-

Speed

Configured

Select any available link speed for the given switch port. Only speeds supported by the specific port are shown. Possible speeds are:
- Disabled - Disables the switch port operation.
- Automatic - The port auto-negotiates speed and duplex with the link partner and selects the highest speed that is compatible with the link partner.
- 10Mbps HDX - Forces the port into 10 Mbps half-duplex mode.
- 10Mbps FDX - Forces the port into 10 Mbps full-duplex mode.
- 100Mbps HDX - Forces the port into 100 Mbps half-duplex mode.
- 100Mbps FDX - Forces the port into 100 Mbps full-duplex mode.
- 1Gbps FDX - Forces the port into 1 Gbps full-duplex mode.

Automatic

Adv Duplex

Auto

When duplex is set to Auto (auto-negotiation), the port advertises only the selected duplex modes (Fdx and/or Hdx) to the link partner. By default, the port advertises all supported duplex modes when Duplex is Auto.

Adv Duplex

Fdx

Full-duplex mode of the link. Click a checkbox to enable the option.

-

Adv Duplex

Hdx

Half-duplex mode of the link. Click a checkbox to enable the option.

-

Adv Speed

Auto

When speed is set to Auto (auto-negotiation), the port advertises only the selected speeds (10M, 100M, 1G) to the link partner. By default, the port advertises all supported speeds when Speed is set to Auto.

Adv Speed

10M

Click to enable 10 Mbps link speed for this port.

-

Adv Speed

100M

Click to enable 100 Mbps link speed for this port.

-

Adv Speed

1G

Click to enable 1 Gbps link speed for this port.

-

Flow Control

Auto

When Auto speed is selected on a port, this section indicates the flow control capability that is advertised to the link partner.
When a fixed-speed setting is selected, that setting is used. The Curr Rx column indicates whether pause frames on the port are obeyed, and the Curr Tx column indicates whether pause frames on the port are transmitted. The Rx and Tx settings are determined by the result of the last auto-negotiation.
Check the Configured column to use flow control. This setting is related to the configured setting for Configured Link Speed.
NOTICE: The 100FX standard does not support auto-negotiation, so in 100FX mode the flow control capabilities are always shown as “disabled”.

Flow Control

Enable

The Flow Control mechanism can be enabled to avoid packet loss when congestion occurs.

Flow Control

Curr Rx

A symbol shows that flow control is active on the received traffic.
A red cross shows that flow control is not active on the received traffic.

red cross

Flow Control

Curr Tx

A symbol shows that flow control is active on the transmitted traffic.
A red cross shows that flow control is not active on the transmitted traffic.

red cross

ERPS

Ethernet Ring Protection Switching (ERPS) is a protocol for Ethernet layer network rings. The protocol specifies a protection switching mechanism with a sub-50 ms recovery time. ERPS provides highly reliable and stable protection in a ring topology and never forms loops, which could affect network operation and service availability.

An ERPS ring consists of interconnected Layer 2 switching devices configured with the same control VLAN. The major ring is a closed ring, whereas a sub-ring is a non-closed ring. The major ring and sub-ring can be configured through type field.

In the Ethernet ring, loops are avoided by guaranteeing that traffic may flow on all but one of the ring links at any time. This particular link is called the Ring Protection Link (RPL). A control message called Ring Automatic Protection Switch (RAPS) coordinates the activities of switching the RPL on and off. Under normal conditions, this link is blocked by the designated Ethernet ring node called the RPL Owner Node, to ensure that no loop is formed for the Ethernet traffic. The node at the other end of the RPL is known as the RPL Neighbor Node. If an Ethernet ring failure occurs, the RPL Owner Node is responsible for unblocking its end of the RPL so that the RPL can be used as a backup link. The RPL is the backup link used when a link failure occurs. The other ring ports, called common ports, monitor the status of the directly connected ERPS link and send RAPS PDUs to notify the other nodes of link status changes.

If users do not want clients to react to a fault immediately, in order to give the problem some time to clear, they may use the Holdoff timer. When a fault occurs, it is not reported to ERPS until the Holdoff timer expires.

When the RPL owner port has been unblocked because of a fault, and the faulty link or node later recovers, the recovered port is not brought back into service immediately, since doing so could cause network flapping. To prevent this problem, in revertive switching, the node where the RPL owner port resides starts the wait-to-restore (WTR) timer after receiving a RAPS No Request (NR) message. If the node receives a RAPS Signal Fail (SF) message before the timer expires, it terminates the WTR timer. Otherwise, the RPL owner blocks its own port, sends out RAPS (No Request, Root Blocked, i.e. NR,RB) messages to inform the other nodes of the link or node recovery, and starts the Guard timer. Until the Guard timer expires, the nodes do not process any RAPS (NR) messages, so that out-of-date RAPS (NR) messages are not acted upon. After the Guard timer expires, if the other nodes still receive RAPS (NR) messages, they set their recovered ring ports to the Forwarding state. In non-revertive switching, the WTR timer is not started and the originally faulty link remains blocked. ERPSv1 supports only revertive switching; ERPSv2 supports both revertive and non-revertive switching.

Control messages of each ERPS ring (i.e., R-APS PDUs) are transmitted on a configured control VLAN. For an ERPS ring that already has a control VLAN configured, when users add a port to the ERPS ring, the port is automatically added to the control VLAN. Different ERPS rings cannot be configured with the same control VLAN ID. The control VLAN must be mapped to an Ethernet Ring Protection (ERP) instance, so that ERPS forwards or blocks the VLAN packets based on its blocking rules, protecting the ring network from broadcast storms.
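The revertive recovery sequence described above (SF, NR, WTR, Guard and the Holdoff delay) as a small timer model of the RPL owner, added here as an example and not part of the switch firmware; the message strings, the node class and the shortened timer values used in the scenarios are assumptions for the demonstration:

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RplOwnerNode:
    """RPL owner timer handling (constructed model, not the switch firmware).
    Times are in ms; defaults follow Table 2.14 (Guard 500 ms, WTR 300 s,
    Hold Off 0 ms)."""
    wtr_ms: int = 300_000
    guard_ms: int = 500
    holdoff_ms: int = 0
    revertive: bool = True
    rpl_blocked: bool = True              # normal state: the owner blocks the RPL
    wtr: Optional[int] = None             # remaining ms, None when not running
    guard: Optional[int] = None
    holdoff: Optional[int] = None
    sent: List[str] = field(default_factory=list)   # R-APS PDUs this node sent
    log: List[str] = field(default_factory=list)

    def local_link_fault(self) -> None:
        """Fault on one of this node's ring ports: reported to ERPS only once
        the Holdoff timer expires (immediately when Hold Off is 0)."""
        if self.holdoff_ms > 0:
            self.holdoff = self.holdoff_ms
            self.log.append("fault seen, holdoff running")
        else:
            self._signal_fail(local=True)

    def _signal_fail(self, local: bool) -> None:
        # SF terminates a running WTR; the owner unblocks the RPL as backup link
        self.wtr = None
        self.rpl_blocked = False
        if local:
            self.sent.append("R-APS(SF)")
        self.log.append("SF: RPL unblocked")

    def receive(self, pdu: str) -> None:
        """Process an R-APS PDU from another ring node."""
        if pdu == "R-APS(NR)" and self.guard is not None:
            self.log.append("stale NR discarded (guard running)")
            return
        if pdu == "R-APS(SF)":
            self._signal_fail(local=False)
        elif pdu == "R-APS(NR)":
            # recovery elsewhere: revertive mode starts WTR, non-revertive
            # mode leaves the RPL unblocked and the faulty link blocked
            if self.revertive and not self.rpl_blocked and self.wtr is None:
                self.wtr = self.wtr_ms
                self.log.append("NR: WTR started")

    def advance(self, ms: int) -> None:
        """Advance simulated time and fire every timer that expires."""
        if self.holdoff is not None:
            self.holdoff -= ms
            if self.holdoff <= 0:
                self.holdoff = None
                self._signal_fail(local=True)
        if self.guard is not None:
            self.guard -= ms
            if self.guard <= 0:
                self.guard = None
                self.log.append("guard expired")
        if self.wtr is not None:
            self.wtr -= ms
            if self.wtr <= 0:
                # WTR ran out with no new SF: revert, announce NR,RB and start
                # Guard so out-of-date NR PDUs are ignored in the meantime
                self.wtr = None
                self.rpl_blocked = True
                self.sent.append("R-APS(NR,RB)")
                self.guard = self.guard_ms
                self.log.append("WTR expired: RPL blocked, NR,RB sent, guard started")


def revert_after_recovery(wtr_ms: int = 1000, guard_ms: int = 500) -> dict:
    """A remote link fails and recovers; the owner reverts once WTR expires."""
    n = RplOwnerNode(wtr_ms=wtr_ms, guard_ms=guard_ms)
    n.receive("R-APS(SF)")            # failure elsewhere: RPL becomes the backup
    n.receive("R-APS(NR)")            # failed link is back: WTR starts
    n.advance(wtr_ms // 2)
    blocked_midway = n.rpl_blocked    # WTR still running, RPL still open
    n.advance(wtr_ms // 2)            # WTR expires: RPL blocked again
    n.receive("R-APS(NR)")            # stale NR inside the Guard window
    return {"blocked_midway": blocked_midway, "blocked_end": n.rpl_blocked,
            "sent": list(n.sent), "log": list(n.log)}


def sf_during_wtr(wtr_ms: int = 1000) -> dict:
    """The link flaps again before WTR expires: WTR is cancelled, RPL stays open."""
    n = RplOwnerNode(wtr_ms=wtr_ms)
    n.receive("R-APS(SF)")
    n.receive("R-APS(NR)")
    n.advance(wtr_ms // 4)
    n.receive("R-APS(SF)")            # terminates WTR
    n.advance(wtr_ms * 2)             # nothing reverts without a new NR
    return {"blocked": n.rpl_blocked, "wtr": n.wtr}
```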

Figure 2.19 shows the ERPS Configuration webpage. Table 2.13 summarizes the descriptions of the columns in the ERPS Configuration table.

Figure 2.19 Webpage to Configure ERPS

Table 2.13 Description of ERPS Configuration Table

Label

Description

ERPS

The ID of ERPS. Valid range 1 - 64.

RPL Mode

Ring Protection Link mode. Possible values:
None: This switch doesn’t have the RPL port in the ring.
Owner: This switch is the RPL owner for the ring.
Neighbor: This switch is RPL neighbor for the ring.

RPL Port

Indicates whether it is port0 or port1 that is the Ring Protection Link. Not used if RPL Mode is None.

Ver

ERPS protocol version. v1 and v2 are supported.

Type

Type of ring. Possible values:
Major: ERPS major ring (G.8001-2016, clause 3.2.39)
Sub: ERPS sub-ring (G.8001-2016, clause 3.2.66)
InterSub: ERPS sub-ring on an interconnection node (G.8001-2016, clause 3.2.66)

VC

Controls whether to use a Virtual Channel with a sub-ring.

Interconnect Instance

For a sub-ring on an interconnection node, this must reference the instance ID of the ring to which this sub-ring is connected.

Interconnect Prop

Controls whether the ring referenced by Interconnect Instance shall propagate R-APS flush PDUs whenever this sub-ring’s topology changes.

Port0/Port1 Interface

Interface index of ring protection Port0/Port1.

Port0/Port1 SF

Selects whether Signal Fail (SF) comes from the link state of a given interface, or from a Down-MEP. Possible values:
MEP: Down-MEP
Link: Link

Ring Id

The Ring ID is used - along with the control VLAN - to identify R-APS PDUs as belonging to a particular ring.

Node Id

The Node ID is used inside the R-APS specific PDU to uniquely identify this node (switch) on the ring.

Level

MD/MEG Level of R-APS PDUs we transmit.

Control VLAN

The VLAN on which R-APS PDUs are transmitted and received on the ring ports.

Control PCP

The PCP value used in the VLAN tag of the R-APS PDUs.

Rev

Revertive (true) or Non-revertive (false) mode.

Guard

Guard time in ms. Valid range is 10 - 2000 ms.

WTR

Wait-to-Restore time (WTR) in seconds. Valid range 1 - 720 sec.

Hold Off

Hold off time in ms. Value is rounded down to 100ms precision. Valid range is 0 - 10000 ms.

Enable

The administrative state of this APS ERPS. Check to make it function normally and uncheck to make it cease functioning.

Oper

The operational state of ERPS instance.
green colour: Active
red colour: Disabled or Internal error.

Warning

Operational warnings of ERPS instance.
grey colour: No warnings
yellow colour: There are warnings, use tooltip to see.

Please click blue plus to start configuring the ERPS. After clicking the blue plus, Figure 2.20 below will be appeared.

Figure 2.20 After Clicking to Configure ERPS

Table 2.14 shows the descriptions of each field and subfield in the ERPS configuration webpage in detail.

Table 2.14 Descriptions of ERPS Configuration Webpage:

Field Label

Subfield Label

Description

Factory Default

ERPS

Configure ERPS number to indicate a ring. Ranging from 1 to 64.

0

Version

Indicate the version that ERPS protocol is using. Two options are available: v1 and v2.

V2

Type

Indicate type of ERPS ring. There are three options: Major, Sub, Intersub.

Major

VC

Controls whether to use a Virtual Channel with a sub-ring. The Virtual Channel is used to pass the sub-ring's R-APS message packets through the major ring. Users must add the control VLAN of the sub-ring to each ring port of the major ring. If selected, the virtual channel is enabled.

Clicked

Interconnect

Instance

For a sub-ring on an interconnection node, this must reference the instance ID of the ring to which this sub-ring is connected. The Ethernet Ring Protection (ERP) instance forwards or blocks the VLAN packets based on its blocking rules.

0

Interconnect

Prop

Controls whether the ring referenced by Interconnect Instance shall propagate R-APS flush PDUs whenever this sub-ring’s topology changes.

Unclicked

Port If

Port0

Select which port on the managed switch will be on Ring Port0. Ranging from 1 to maximum number of ports.

1

Port If

Port1

Select which port on the managed switch will be on Ring Port1. Ranging from 1 to maximum number of ports.

1

RingID

Indicate ring identification number, ranging from 1 to 9999. The Ring ID is used - along with the control VLAN - to identify R-APS PDUs as belonging to a particular ring.

1

NodeID

The Node ID is used inside the R-APS specific PDU to uniquely identify this node (switch) on the ring. Enter a MAC address manually.

00:00:00:00:00:00

Level

MD/MEG Level of R-APS PDUs we transmit. Ranging from 0 to 7.

7

Control

VLAN

The VLAN on which R-APS PDUs are transmitted and received on the ring ports. Specify the VLAN ID of the control VLAN, ranging from 1 to 4096.

1

Control

PCP

The PCP value used in the VLAN tag of the R-APS PDUs. Priority Code Point within the Ethernet frame header. PCP 0 is the lowest priority and 7 is the highest priority.

7

Rev

Revertive (true) or Non-revertive (false) mode. Click/Unclick to enable the revertive/non-revertive switching.

Clicked

Guard

Set the guard time of the ring. Range is from 10 to 2000 ms.

500

WTR

Set the wait-to-restore (WTR) time of the ring in seconds. A lower value gives a shorter protection time. The range of the WTR timer is from 1 to 720 seconds.

300

HoldOff

Set the holdoff time of the ring. Range is from 0 to 10000 ms.

0

Enable

The administrative state of this ERPS. Check to make it function normally and uncheck to make it cease functioning.

Unclicked

VLAN ID

The VLANs protected by this ring instance, identified by their VLAN ID (Virtual Local Area Network identification number). At least one VLAN must be protected. Specify a comma-separated list of VLAN numbers or VLAN ranges, e.g. 1,4,7,30-70.

NULL

RPL Mode

There are three types of Ring Protection Link (RPL) mode: None, Owner and Neighbour, where:
- None is the RPL common port. This switch doesn't have the RPL port in the ring.
- Owner is the RPL owner port. This switch is the RPL owner for the ring.
- Neighbour is the RPL neighbour port (only in ERPSv2). This switch is the RPL neighbour for the ring.

None

RPL Port

Indicates whether it is port0 or port1 that is the Ring Protection Link. Not used if RPL Mode is None.

RingPort0

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values. Click Cancel button to return to the previous page; any changes made locally will be undone.


DHCPv4

Welotec’s RSAES managed switch can act as a DHCPv4 (Dynamic Host Configuration Protocol over IP version 4) server in the local network. By enabling this function in the managed switch, IPv4 addresses and related fields will be automatically assigned and delivered by the DHCPv4 server running inside the managed switch to other network devices connected to the managed switch. Under the Configuration⭢DHCPv4 menu, there are two submenus, Snooping and Relay, as shown in Figure 2.21. The following subsections describe them in more detail.

Figure 2.21 Submenus under the DHCP Main Configuration Menu


Snooping

A rogue DHCP (Dynamic Host Configuration Protocol) server may be set up by an attacker in the network to provide a falsified network configuration to a DHCP client, such as a wrong IP address, an incorrect subnet mask, a malicious gateway, or a malicious DNS server. The purpose of a DHCP spoofing attack may be to redirect the DHCP client's traffic to a malicious domain and eavesdrop on it, or simply to prevent the client from establishing a network connection. To protect against a rogue DHCP server or a DHCP spoofing attack, Welotec’s RSAES provides the DHCP Snooping feature. When this feature is enabled on specific port(s) of the RSAES managed switch, the RSAES allows the DHCP messages from trusted ports to pass through, while it discards (filters) the DHCP messages from untrusted ports. To enable the DHCP Snooping feature, select the Enabled option from the dropdown menu behind the Snooping Mode option on the DHCP Snooping Configuration webpage, as shown in Figure 2.22. By default, all interfaces of the RSAES are untrusted for DHCP Snooping. To configure specific port(s) as trusted port(s), simply select the Trusted option under the Mode column for that particular port(s). Finally, click the Save button at the bottom of the webpage to activate DHCP Snooping on the selected port(s). Click the Reset button to undo any change made locally and revert to previously saved values. Table 2.15 describes the options of the DHCP Snooping Configuration.

Figure 2.22 Webpage to Configure DHCPv4 Snooping

Table 2.15 Description of DHCP Snooping Configuration:

Field Label

Description

Factory Default

Snooping Mode

Indicates the DHCP snooping mode operation. Possible modes are:
Enabled: Enable DHCP snooping mode operation. When DHCP snooping mode operation is enabled, the DHCP request messages will be forwarded to trusted ports and only allow reply packets from trusted ports.
Disabled: Disable DHCP snooping mode operation.

Disabled

Port Mode Configuration

Indicates the DHCP snooping port mode. Possible port modes are:
Trusted: Configures the port as trusted source of the DHCP messages.
Untrusted: Configures the port as untrusted source of the DHCP messages.

Trusted

Relay

A DHCP relay agent is a small program that relays DHCP/BOOTP messages between clients and servers on different subnets. DHCP/BOOTP relay agents are part of the DHCP and BOOTP standards and function according to the relevant Requests for Comments (RFCs). The agent stores the IP address of the incoming interface in the GIADDR field of the DHCP packet. The DHCP server can use the value of the GIADDR field to determine which subnet to assign an address from. For this to work, make sure the switch's VLAN interface IP address and PVID (Port VLAN ID) are configured correctly.

A relay agent relays DHCP/BOOTP messages that are broadcast on one of its connected physical interfaces, such as a network adapter, to other remote subnets to which it is connected by other physical interfaces. Figure 2.23 shows the DHCP Relay configuration webpage. Users can enable the DHCP Relay by selecting the Enabled box behind the Relay Mode option. Then, users can enter a Relay server’s IP address in the Relay Server field.

Users also have the choice to enable the DHCP Relay Information Mode. If it is enabled, the switch inserts information about the client’s network location into the packet header of the DHCP request that arrives from the client on an untrusted interface. Then, the switch sends the modified request to the DHCP server. The DHCP server inspects the information in the packet header and uses it to generate the IP address or other parameters for the client. When the DHCP server returns the response to the switch, the switch has the option to Replace, Keep, or Drop the information in the response packet before forwarding it to the client. After finishing the DHCP Relay setup, please click on the Save button to allow the change to take effect.

Figure 2.23 Webpage to Configure DHCPv4 Relay

Table 2.16 Description of DHCP Relay Configuration:

Field Label

Description

Factory Default

Relay Mode

There are two modes here: Disabled or Enabled. Click the dropdown box to deactivate or activate the relay mode.
Enabled: Enable DHCP relay mode operation. When DHCP relay mode operation is enabled, the agent forwards and transfers DHCP messages between the clients and the server when they are not in the same subnet domain, and the DHCP broadcast message is not flooded, for security reasons.
Disabled: Disable DHCP relay mode operation.

Disabled

Relay server

Enter an IPv4 address of the DHCP relay server.

0.0.0.0

Relay Information Mode

There are two modes here: Disabled and Enabled. Click the dropdown list to deactivate or activate the information mode of the DHCP relay server. 
Enabled: Enable DHCP relay information mode operation. When DHCP relay information mode operation is enabled, the agent inserts specific information (option 82) into a DHCP message when forwarding to DHCP server and removes it from a DHCP message when transferring to DHCP client. It only works when DHCP relay operation mode is enabled.
Disabled: Disable DHCP relay information mode operation.

Disabled

Relay Information Policy

Set the information policy for the DHCP relay server. There are three modes here: Replace, Keep, and Drop. When DHCP relay information mode operation is enabled, if the agent receives a DHCP message that already contains relay agent information it will enforce the policy. The ‘Replace’ policy is invalid when relay information mode is disabled.

Replace: Replace the original relay information when a DHCP message that already contains it is received.
Keep: Keep the original relay information when a DHCP message that already contains it is received.
Drop: Drop the package when a DHCP message that already contains relay information is received.

Keep
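The snooping rule from the Snooping section (server replies accepted only from trusted ports) and the relay behaviour from the Relay section (GIADDR stamping and the option 82 Replace/Keep/Drop policy), as one added example that is not the switch's own code; the packet layout is the standard DHCP header, but the relay interface address, the circuit-id value and the packets themselves are constructed for the demonstration:

```python
import ipaddress
from typing import Dict, Optional

BOOTREQUEST, BOOTREPLY = 1, 2
OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END, OPT_PAD = 53, 82, 255, 0
MAGIC_COOKIE = b"\x63\x82\x53\x63"           # marks the start of the options area


def parse_options(packet: bytes) -> Dict[int, bytes]:
    """Parse the TLV options that follow the 236-byte fixed header and cookie."""
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_options(opts: Dict[int, bytes]) -> bytes:
    body = b"".join(bytes([code, len(val)]) + val for code, val in opts.items())
    return body + bytes([OPT_END])


def build_dhcp(op: int, msg_type: int, giaddr: str = "0.0.0.0",
               extra: Optional[Dict[int, bytes]] = None) -> bytes:
    """Constructed minimal DHCP packet: just enough header for this demo."""
    header = bytearray(236)
    header[0] = op                                         # 1 = BOOTREQUEST, 2 = BOOTREPLY
    header[24:28] = ipaddress.IPv4Address(giaddr).packed   # GIADDR field
    opts = {OPT_MSG_TYPE: bytes([msg_type])}
    opts.update(extra or {})
    return bytes(header) + MAGIC_COOKIE + build_options(opts)


def snooping_allows(packet: bytes, port_trusted: bool) -> bool:
    """DHCP snooping: server replies (OFFER/ACK/NAK) are accepted only from
    trusted ports, so a rogue server on an untrusted port is silenced;
    client requests are allowed through from any port."""
    if packet[0] == BOOTREPLY and not port_trusted:
        return False
    return True


def relay_to_server(packet: bytes, relay_if_ip: str, info_mode: bool,
                    policy: str, circuit_id: bytes) -> Optional[bytes]:
    """Client -> server direction: stamp GIADDR with the receiving VLAN
    interface address and apply the Relay Information (option 82) policy."""
    header = bytearray(packet[:236])
    header[24:28] = ipaddress.IPv4Address(relay_if_ip).packed
    opts = parse_options(packet)
    if info_mode:
        # sub-option 1 (circuit-id) carries the client's network location
        info = bytes([1, len(circuit_id)]) + circuit_id
        if OPT_RELAY_INFO in opts:
            if policy == "Drop":
                return None                     # discard the whole packet
            if policy == "Replace":
                opts[OPT_RELAY_INFO] = info
            # "Keep": leave the existing option 82 as it is
        else:
            opts[OPT_RELAY_INFO] = info
    return bytes(header) + packet[236:240] + build_options(opts)


def relay_to_client(packet: bytes) -> bytes:
    """Server -> client direction: option 82 is removed before forwarding."""
    opts = parse_options(packet)
    opts.pop(OPT_RELAY_INFO, None)
    return packet[:240] + build_options(opts)
```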

Security

Security Configuration of Welotec’s RSAES managed switch consists of three main parts: Switch, Network, and AAA. There are a number of submenus for each of these main security configuration parts as shown in Figure 2.24.

Figure 2.24 Configuration ⭢ Security Menu

Switch

The first submenu under Configuration⭢Security is the Switch menu, as shown in Figure 2.25. There are further submenus under this Switch menu: Users, Privilege Levels, Auth Method, SSH, HTTPS, SNMP, and RMON. The following subsections explain each of these menus in more detail.

Figure 2.25 Configuration ⭢ Security ⭢ Switch Menu

Switch Users

A simple way of providing terminal access control in your network device (managed switch) is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device. The RSAES managed switch uses privilege levels to provide password security for different levels of switch operation. The privilege level of a user ranges from 0 to 15. A user with privilege level 15 is granted full control of the device, i.e. is an administrator. System maintenance, such as software upload and factory defaults, needs a user privilege level of 15. A guest account is usually assigned privilege level 5 and has read-only access, whereas a standard user is usually assigned privilege level 10 and has read-write access.

When users first enter the Users Configuration webpage, they see an overview of the current users. The user overview webpage consists of the User Name and Privilege Level columns, as shown in Figure 2.26. Currently the only way to log in as another user on the web server of the managed switch is to close and reopen the web browser. Table 2.17 provides an explanation of the Users Configuration webpage.

Figure 2.26 Webpage to Configure Security Switch Users

Table 2.17 Description of Users Configuration:

Field Label

Description

User Name

The name identifying the user. This is also a link to Add/Edit User.

Privilege Level

The privilege level of the user. The allowed range is 0 to 15. If the privilege level value is 15, the user can access all groups, i.e., is granted full control of the device. Other values need to be compared with each group's privilege level: the user's privilege level must be the same as or greater than the group privilege level to have access to that group. By default, for most groups privilege level 5 has read-only access and privilege level 10 has read-write access, and system maintenance (software upload, factory defaults, etc.) needs user privilege level 15. Generally, privilege level 15 can be used for an administrator account, privilege level 10 for a standard user account and privilege level 5 for a guest account.

Each username is also a hyperlink to Add/Edit User. Users can also click the Add New User button to add a new user. After clicking it, the webpage in Figure 2.27 is shown. Table 2.18 summarizes the descriptions of the Add User webpage. Figure 2.28 shows an example of the Edit User webpage.

Figure 2.27 Webpage to Configure Security Switch Users -- After Clicking the Add New User Button

Table 2.18 Descriptions of Users Configuration – After Clicking the Add New User Button:

Label

Description

Factory Default

Username

A string identifying the user name that this entry should belong to. The allowed string length is 1 to 31. The valid username allows letters, numbers and underscores.

NULL

Password

The password of the user. The allowed string length is 0 to 31. Any printable characters, including space, are accepted.

NULL

Password (again)

Re-enter the password for the user.

NULL

Privilege Level

The privilege level of the user. The allowed range is 0 to 15. If the privilege level value is 15, the user can access all groups, i.e., is granted full control of the device. Other values need to be compared with each group's privilege level: the user's privilege level must be the same as or greater than the group privilege level to have access to that group. By default, for most groups privilege level 5 has read-only access and privilege level 10 has read-write access, and system maintenance (software upload, factory defaults, etc.) needs user privilege level 15. Generally, privilege level 15 can be used for an administrator account, privilege level 10 for a standard user account and privilege level 5 for a guest account.

0

Figure 2.28 Webpage to Edit User

Switch Privilege Levels

This subsection describes the Privilege Level Configuration webpage, as shown in Figure 2.29. The user can customize the privilege levels in the table on this webpage.

Group Name is the name identifying the privilege group. In most cases, a privilege level group consists of a single module (e.g., LACP, RSTP or QoS), but a few of them contain more than one. Table 2.19 shows examples of some group names in detail:

Table 2.19 Examples of Group Name:

Label

Description

System

Contact, Name, Location, Time zone, Daylight Saving Time, Log.

Security

Authentication, System Access Management, Port (contains Dot1x port, MAC based and the MAC Address Limit), ACL, HTTPS, SSH, ARP Inspection, IP source guard.

IP

Everything except ‘ping’.

Port

Everything except ‘VeriPHY’.

Diagnostics

‘ping’ and ‘VeriPHY’.

Maintenance

CLI: System Reboot, System Restore Default, System Password, Configuration Save, Configuration Load and Firmware Load. Web: Users, Privilege Levels and everything in Maintenance.

Debug

Only present in CLI.

Every group has an authorization privilege level for each of the following sub-groups: Configuration Read-only, Configuration/Execute Read-write, Status/Statistics Read-only, and Status/Statistics Read-write (e.g., for clearing statistics). The user's privilege level must be the same as or greater than the authorization privilege level to have access to that sub-group.

Figure 2.29 Webpage to Configure Privilege Levels of the Switch


Switch Auth Method

The authentication section allows you to configure how a user is authenticated when he/she logs into the switch via one of the management client interfaces. Note that the management client interfaces are console, telnet, ssh, and http. There are three separate tables on this webpage: Authentication Method Configuration, Command Authorization Method Configuration, and Accounting Method Configuration, as shown in Figure 2.30. In the Authentication Method Configuration, users configure how a user is authenticated when he/she logs into the switch via one of the management client interfaces. In the Command Authorization Method Configuration, users configure the limitation of the CLI commands available to a user. In the Accounting Method Configuration, users configure command and exec (login) accounting. Table 2.20 describes these methods in detail. Please click the Save button for a change to take effect, or click the Reset button to undo any changes made locally and revert to previously saved values.

Figure 2.30 Webpage to Configure Switch Authentication Method

Table 2.20 Descriptions of Switch Authentication Method:

Label

Description

Factory Default

Authentication Method Configuration

Client

The management client for which the configuration below applies, which consists of console, telnet, ssh.

-

Methods

Set to one of the following values:
- No: Authentication is disabled and login is not possible.
- Local: Use the local user database on the switch for authentication.
- Radius: Use remote RADIUS server(s) for authentication.
- Tacacs: Use remote TACACS+ server(s) for authentication.
Methods that involve remote servers are timed out if the remote servers are offline. In this case the next method is tried. Each method is tried from left to right and continues until a method either approves or rejects a user. If a remote server is used for primary authentication it is recommended to configure secondary authentication as ‘local’. This will enable the management client to login via the local user database if none of the configured authentication servers are alive.

local, no, no

Command Authorization Method configuration

Client

The management client for which the configuration below applies.

-

Method

Method can be set to one of the following values:
- No: Command authorization is disabled. User is granted access to CLI commands according to his privilege level.
- Tacacs: Use remote TACACS+ server(s) for command authorization. If all remote servers are offline, the user is granted access to CLI commands according to his privilege level.

no

Cmd Lvl

Authorize all commands with a privilege level higher than or equal to this level. Valid values are in the range 0 to 15.

0

Cfg Cmd

Also authorize configuration commands.

Unclicked

Accounting Method Configuration webpage

Client

The management client for which the configuration below applies.

-

Method

Method can be set to one of the following values:
- No: Accounting is disabled.
- Tacacs: Use remote TACACS+ server(s) for accounting.

no

Cmd Lvl

Enable accounting of all commands with a privilege level higher than or equal to this level. Valid values are in the range 0 to 15. Leave the field empty to disable command accounting.

NULL

Exec

Enable exec (login) accounting.

Unclicked
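The left-to-right method search from the Methods description in Table 2.20, including the timeout fall-through and the recommendation to keep ‘local’ as the secondary method, as an added example that is not the switch's code; the user names, passwords and the online/offline state of the servers are assumptions for the demonstration:

```python
from typing import Callable, Dict, List, Tuple

# Result of one authentication method: "approve", "reject" or "timeout"
# (the last one models a remote server that is offline).
Backend = Callable[[str, str], str]


def local_database(users: Dict[str, str]) -> Backend:
    """The switch's local user database: always reachable."""
    def check(user: str, password: str) -> str:
        return "approve" if users.get(user) == password else "reject"
    return check


def remote_server(online: bool, users: Dict[str, str]) -> Backend:
    """A RADIUS or TACACS+ server; when offline the method times out."""
    def check(user: str, password: str) -> str:
        if not online:
            return "timeout"
        return "approve" if users.get(user) == password else "reject"
    return check


def authenticate(methods: List[str], backends: Dict[str, Backend],
                 user: str, password: str) -> Tuple[bool, List[str]]:
    """Try the configured methods left to right: a timeout moves on to the
    next method, approve or reject ends the search, and 'no' means no
    further authentication is possible. Returns (approved, trail)."""
    trail: List[str] = []
    for method in methods:
        if method == "no":
            trail.append("no")
            return False, trail
        result = backends[method](user, password)
        trail.append(f"{method}:{result}")
        if result == "approve":
            return True, trail
        if result == "reject":
            return False, trail
        # timeout: fall through to the next configured method
    return False, trail


def login_attempt(tacacs_online: bool, methods: List[str]) -> Tuple[bool, List[str]]:
    """Constructed scenario: the admin password known to the local database
    differs from the one the TACACS+ server holds, so an online TACACS+
    server rejects it while the local database approves it."""
    backends = {
        "local": local_database({"admin": "local-secret"}),
        "radius": remote_server(online=True, users={"admin": "aaa-secret"}),
        "tacacs": remote_server(online=tacacs_online, users={"admin": "aaa-secret"}),
    }
    return authenticate(methods, backends, "admin", "local-secret")
```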

Switch SSH

Users can enable/disable SSH (Secure Shell) mode through the SSH Configuration webpage, as shown in Figure 2.31. Here, users can select Enabled/Disabled from the drop-down list of the Mode field. Please click the Save button for a change to take effect or the Reset button to undo any changes made locally and revert to previously saved values.

Figure 2.31 Webpage to Configure SSH

HTTPS

Users can enable/disable HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) mode through the HTTPS Configuration webpage, as shown in Figure 2.32. HTTPS provides authentication and encrypted communication and is widely used on the World Wide Web for security-sensitive communication such as payment transactions and corporate logons. HTTPS is really just the use of Secure Socket Layer (SSL) as a sublayer under its regular HTTP application layering. (HTTPS uses port 443 instead of the HTTP port 80 in its interactions with the lower layer, TCP/IP.) SSL uses a 40-bit key size for the RC4 stream encryption algorithm, which is considered an adequate degree of encryption for commercial exchange.

There are four fields in total: Mode, Automatic Redirect, Certificate Maintain, and Certificate Status. In the Mode field, users can select Enabled/Disabled for the HTTPS mode. In the Automatic Redirect field, users can select Enabled/Disabled for this mode. When it is enabled, an HTTP connection is automatically redirected to an HTTPS connection. Note that the browser may not allow the redirection if it does not trust the switch certificate; in that case, users need to initiate the HTTPS connection manually. In the Certificate Maintain field, users choose the type of operation: do nothing (None), delete the current certificate (Delete), upload a new certificate (Upload), or generate a new certificate (Generate). The last field, Certificate Status, displays the current status of the certificate on the switch. Please click the Save button for a change to take effect or the Reset button to undo any changes made locally and revert to previously saved values.

If the user selects the Upload option for Certificate Maintain field, the webpage will be updated with additional fields which are Certificate Pass Phrase, Certificate Upload, and File Upload as shown in Figure 2.33. Table 2.21 summarizes the descriptions of fields in HTTPS Configuration webpage.

Note that to upload a certificate PEM file into the switch, the file should contain the certificate and the private key together. If users have two separate files for the certificate and the private key, they can use the Linux cat command to combine them into a single PEM file, for example: cat my.cert my.key > my.pem. An RSA certificate is recommended, since most new browser versions have removed support for DSA in certificates.

Figure 2.32 Webpage to HTTPS Configuration

Figure 2.33 Webpage to HTTPS Configuration with Certificate Uploading

Table 2.21 Description of HTTPS Configuration Webpage:

Label

Description

Factory Default

Mode

Indicate the HTTPS mode operation.
Enabled: Enable HTTPS mode operation.
Disabled: Disable HTTPS mode operation.

Disabled

Automatic Redirect

Indicate the HTTPS redirect mode operation. It is only significant when “HTTPS Mode Enabled” is selected. When the redirect mode is enabled, the HTTP connection will be redirected to HTTPS connection automatically. Note that the browser may not allow the redirect operation due to the security consideration unless the switch certificate is trusted to the browser. You need to initialize the HTTPS connection manually for this case.
Possible Modes are:
Enabled: Enable HTTPS redirect mode operation.
Disabled: Disable HTTPS redirect mode operation.

Disabled

Certificate Maintain

Indicate the operation of certificate maintenance.
None: No operation.
Delete: Delete the current certificate.
Upload: Upload a certificate PEM file. Possible methods are: Web Browser or URL.
Generate: Generate a new self-signed RSA certificate.

None

Certificate Pass Phrase

Enter the pass phrase in this field if your uploading certificate is protected by a specific passphrase.

-

Certificate Upload

Upload a certificate PEM file into the switch. The file should contain the certificate and the private key together. If you have two separate files for the certificate and the private key, use the Linux cat command to combine them into a single PEM file, for example: cat my.cert my.key > my.pem. Note that an RSA certificate is recommended, since most new browser versions have removed support for DSA in certificates, e.g. Firefox v37 and Chrome v39.

Possible modes are:
Web Browser: Upload a certificate via Web browser.
URL: Upload a certificate via URL; the supported protocols are HTTP, HTTPS, TFTP and FTP. The URL format is <protocol>://[<username>[:<password>]@]<host>[:<port>][/<path>]/<file_name>. For example, tftp://10.10.10.10/new_image_path/new_image.dat. A valid file name is a text string drawn from the alphabet (A-Za-z), digits (0-9), dot (.), hyphen (-) and underscore (_). The maximum length is 63 and a hyphen must not be the first character. A file name that contains only ‘.’ is not allowed.

Certificate Status

Display the current status of certificate on the switch. Possible statuses are:
Switch secure HTTP certificate is presented.
Switch secure HTTP certificate is not presented.
Switch secure HTTP certificate is generating…

Switch secure HTTP certificate is presented.

SNMP System

Simple Network Management Protocol (SNMP) is a protocol for managing devices on IP networks. It exposes management data in the form of variables on the managed systems which describe the system configuration. These variables can then be queried or set by the users. SNMP is used by a network management system or third-party software to monitor devices such as managed switches in a network, to retrieve network status information and to configure network parameters. Welotec's managed switch supports SNMP, and it can be configured in this section.

In this submenu, SNMP system can be configured as shown in Figure 2.34. There are two fields here: Mode and Engine ID. In Mode, users can select Enabled/Disabled from the dropdown list to enable or disable SNMP. Engine ID is the SNMPv3 engine ID. The string must consist of an even number of hexadecimal digits, between 10 and 64 digits long; all-zeros and all-'F's are not allowed. Changing the Engine ID clears all existing local users, because their SNMPv3 authentication and privacy keys are localized to the engine ID. The default setting is 80000eab030200c14df2e0.

Please click Save button for a change to take effect or Reset button to undo any changes made locally and revert to previously saved values.

Figure 2.34 Webpage to Configure SNMP System

SNMP Trap Destinations

The managed switch provides a trap function that sends notifications to SNMP managers (trap receivers) as SNMP traps or informs. The notifications are based on status changes of the switch such as link up, link down, warm start, and cold start. In inform mode, after sending an SNMP inform request the switch resends the request if it does not receive a response within 10 seconds, and it retries three times. This option allows users to configure the SNMP trap settings: the destination IP address of the trap server, the port number of the trap server, and the SNMP version used. Figure 2.35 shows these Trap Setting's options. Please click on the Add New Entry button to input a new entry as shown in Figure 2.36. Table 2.22 summarizes the descriptions of the trap destination settings. Please click on the Save button afterwards for a change to take effect, or the Reset button to undo any changes made locally and revert to previously saved values.

Figure 2.35 Webpage to Configure SNMP Trap Destinations

Figure 2.36 Adding New Entry to SNMP Trap Destination Table

Table 2.22 Descriptions of SNMP Trap Destination Configurations

Label

Description

Delete

Check to delete the entry. It will be deleted during the next save. Users are allowed to delete each entry separately.

Name

Indicates the trap destination's name.

Enable

Indicates the trap destination mode operation. Possible modes are:
Enabled: Enable SNMP trap mode operation.
Disabled: Disable SNMP trap mode operation.

Version

Indicates the SNMP version used for traps to this destination. Possible versions are:
SNMPv1: Set SNMP trap supported version 1.
SNMPv2c: Set SNMP trap supported version 2c.
SNMPv3: Set SNMP trap supported version 3.
SNMPv1 and SNMPv2c traps are neither authenticated nor encrypted and carry the community string in cleartext; prefer SNMPv3 with an authenticated and encrypted (Auth, Priv) user where the receiver supports it.

Destination Address

Indicates the SNMP trap destination address. It allows a valid IPv4 address in dotted decimal notation ('x.y.z.w'). It also allows a valid hostname. A valid hostname is a string drawn from the alphabet (A-Za-z), digits (0-9), dot (.), dash (-). Spaces are not allowed, the first character must be an alpha character, and the first and last characters must not be a dot or a dash.
Indicates the SNMP trap destination IPv6 address. IPv6 address is in 128-bit records represented as eight fields of up to four hexadecimal digits with a colon separating each field (:). For example, ‘fe80::215:c5ff:fe03:4dc7’. The symbol ‘::’ is a special syntax that can be used as a shorthand way of representing multiple 16-bit groups of contiguous zeros; but it can appear only once. It can also represent a legally valid IPv4 address. For example, ‘::192.1.2.34’.

Destination Port

Indicates the SNMP trap destination port. SNMP Agent will send SNMP message via this port. The port range is 1~65535.

SNMP Trap Sources

This page provides the SNMP Trap Source configurations. A trap is sent for the given trap source if at least one filter of type included matches it and no filter of type excluded matches it. Figure 2.37 shows the webpage when there is no entry in the trap source configurations. When users click on the Add New Entry button, the webpage is updated as in Figure 2.38. The users can select the Name of the trap source from the drop-down list and the Type from the second drop-down list, then enter the Subset OID in the text field. Click on the Save button to save the changes or on the Reset button to undo any changes made locally and revert to previously saved values. Table 2.23 provides descriptions of the SNMP Trap Source configurations.

Figure 2.37 Webpage to Configure SNMP Trap Sources

Figure 2.38 Adding New Entry to SNMP Trap Sources

Table 2.23 Description of SNMP Trap Source Configurations:

Label

Description

Delete

Check to delete the entry. It will be deleted during the next save. Users are allowed to delete each entry separately.

Name

Indicates the name for the entry. Selectable from the following list.
- coldStart
- warmStart
- linkUp
- linkDown
- newRoot
- topologyChange
- psecTrapInterfaces

Type

The filter type for the entry. Possible types are:
included: A trap is sent for the given trap source when its subset OID matches this entry.
excluded: A trap is not sent for the given trap source when its subset OID matches this entry.

Subset OID

The subset OID for the entry. Which value is meaningful depends on the trap name; for example, the ifIndex is the subset OID for linkUp and linkDown. A valid subset OID is one or more sub-identifiers, each a number (0-4294967295) or an asterisk (*), separated by dots (.). The first sub-identifier must not be an asterisk (*), and the number of sub-identifiers must not exceed 128.

SNMP Communities

This submenu allows users to configure the SNMP community table as shown in Figure 2.39. The entry index key is Community. This option allows the users to set a community string (Community Name and Community Secret) for authentication by adding a new entry to the table. Existing community strings can be removed from the list by checking the Delete checkbox at the beginning of each community entry. New entries are added by clicking the Add New Entry button and filling in the Community Name field, as shown in Figure 2.40. Table 2.24 briefly describes the SNMP community settings.

Please click on the Save button afterwards for a change to take effect, or click Reset button to undo any changes made locally and revert to previously saved values.

Typically, a manager that presents the community string public is granted read-only access to all objects, and one that presents private is granted read-write access to all objects. Both strings are well-known defaults that attackers and scanners try first; replace them with unpredictable values and restrict the permitted Source IP and Source Prefix before the switch is reachable from an untrusted network.

Figure 2.39 Webpage to Configure SNMP Communities

Figure 2.40 Adding New Entry to SNMP Community Configuration

Table 2.24 Descriptions of SNMP Community Configurations:

Label

Description

Delete

Check to delete the entry. It will be deleted during the next save.

Community Name

Indicates the community name, the string used as the security name when an SNMPv1 or SNMPv2c community string is mapped onto the SNMPv3 agent. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.

Community Secret

Indicates the community secret (access string) to permit access using SNMPv1 and SNMPv2c to the SNMP agent. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.

Source IP

Indicates the SNMP access source address. A particular range of source addresses can be used to restrict source subnet when combined with source mask.

Source Prefix

Indicates the SNMP access source address mask.

SNMP Users

This submenu allows users to configure the SNMPv3 user table. The entry index keys are Engine ID and User Name. As mentioned earlier, SNMPv3 is a more secure SNMP protocol than the earlier versions: each user can be given an authentication password and a privacy (encryption) password. The switch supports MD5 or SHA as the authentication protocol and DES or AES as the privacy protocol (see Table 2.25); the factory default privacy protocol is DES. MD5 and DES are legacy algorithms, so choose SHA and AES for new users unless the management station cannot support them. Figure 2.41 shows the SNMP Users configuration options. The upper table lists the existing SNMPv3 users with their user name, authentication protocol, and privacy protocol. An existing user can be removed by checking the Delete box of its entry. To add a new SNMPv3 user, click the Add New Entry button and enter Engine ID, User Name, Security Level, Authentication Protocol, Authentication Password, Privacy Protocol, and Privacy Password. The allowed password lengths are given in Table 2.25. Note that a user created with security level NoAuth, NoPriv is not authenticated at all, so anyone who knows the user name can query the switch with it. Table 2.25 lists the descriptions of the SNMPv3 user settings.

Figure 2.41 Webpage to Configure SNMP Users

Table 2.25 Descriptions of SNMP Users:

Label

Description

Factory Default

Delete

Check to delete the entry. It will be deleted during the next save.

Engine ID

An octet string identifying the engine ID that this entry belongs to. The string must consist of an even number of hexadecimal digits, between 10 and 64 digits long; all-zeros and all-'F's are not allowed. The SNMPv3 architecture uses the User-based Security Model (USM) for message security and the View-based Access Control Model (VACM) for access control. For a USM entry, usmUserEngineID and usmUserName are the entry's keys. In a simple agent, usmUserEngineID is always the agent's own snmpEngineID value. It can also take the value of the snmpEngineID of a remote SNMP engine with which this user can communicate. In other words, if the user engine ID equals the system engine ID, it is a local user; otherwise it is a remote user.

Derived from the switch's own MAC address (see SNMP System)

User Name

A string identifying the user name that this entry should belong to. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.

Security Level

Indicates the security level that this entry belongs to. Possible security levels are: NoAuth, NoPriv: No authentication and no privacy. Auth, NoPriv: Authentication and no privacy. Auth, Priv: Authentication and privacy. The security level cannot be modified once the entry exists, so make sure it is set correctly when the user is created.

Auth, Priv

Authentication Protocol

Indicates the authentication protocol that this entry uses. Possible authentication protocols are: None: No authentication protocol. MD5: This user uses the MD5 (HMAC-MD5-96) authentication protocol. SHA: This user uses the SHA (HMAC-SHA-96) authentication protocol. The authentication protocol cannot be modified once the entry exists, so make sure it is set correctly when the user is created.

Authentication Password

A string identifying the authentication password phrase. For MD5 authentication protocol, the allowed string length is 8 to 32. For SHA authentication protocol, the allowed string length is 8 to 40. The allowed content is ASCII characters from 33 to 126.

Null

Privacy Protocol

Indicates the privacy protocol that this entry uses. Possible privacy protocols are: None: No privacy protocol. DES: This user uses the DES privacy (encryption) protocol. AES: This user uses the AES privacy (encryption) protocol. DES is a 56-bit legacy cipher; use AES where the management station supports it.

DES

Privacy Password

A string identifying the privacy password phrase. The allowed string length is 8 to 32, and the allowed content is ASCII characters from 33 to 126.

Null
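The engine ID rules on the SNMP System page and the reason a changed Engine ID clears all local users can both be seen in the following Python example. It is added here and is not the switch's or Welotec's code: the engine ID decoding follows RFC 3411 and the password-to-key derivation follows RFC 3414, which is how any RFC 3414-conformant agent turns the Authentication Password and Privacy Password into keys bound to one engine. The default engine ID is the one the page lists; the sample password in the main block is constructed, and the values asserted in the usage note are the published RFC 3414 Appendix A test vectors.

```python
"""SNMPv3 engine ID checks and RFC 3414 password-to-key localization. Added example
code, not the switch's own implementation; the engine ID rules are the ones stated
on the SNMP System page and the default ID is the one the page lists."""
import hashlib

DEFAULT_ENGINE_ID = "80000eab030200c14df2e0"   # factory default from the page

# RFC 3411 SnmpEngineID: high bit of octet 1 set => octets 1-4 carry the enterprise
# number, octet 5 the format of the remaining octets
_FORMATS = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}


def valid_engine_id(hexstr):
    """Rules from the SNMP System page: hexadecimal, even number of digits, 10 to 64
    digits, not all zeros and not all F's."""
    s = hexstr.lower()
    n = len(s)
    if not s or any(c not in "0123456789abcdef" for c in s):
        return False
    if n % 2 or n < 10 or n > 64:
        return False
    return s != "0" * n and s != "f" * n


def decode_engine_id(hexstr):
    """Split an RFC 3411 engine ID into enterprise number, format and payload."""
    raw = bytes.fromhex(hexstr)
    if not raw[0] & 0x80:                 # pre-RFC 3411 style: 12 opaque octets
        return {"style": "legacy", "payload": raw.hex()}
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    fmt = _FORMATS.get(raw[4], "enterprise-specific(%d)" % raw[4])
    payload = raw[5:]
    if fmt == "mac":
        payload = ":".join("%02x" % b for b in payload)
    elif fmt == "text":
        payload = payload.decode("ascii", "replace")
    else:
        payload = payload.hex()
    return {"style": "rfc3411", "enterprise": enterprise, "format": fmt, "payload": payload}


def password_to_key(password, engine_id_hex, algo="sha1"):
    """RFC 3414 A.2: Ku = H(password repeated to 1 MiB); Kul = H(Ku || engineID || Ku).
    algo is "md5" or "sha1", matching the MD5/SHA choice in the SNMP Users table.
    The privacy key is derived the same way; DES uses its first 8 bytes and AES-128
    its first 16 bytes. Returns (Ku, Kul) as bytes."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password: the user would be unauthenticated")
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    ku = hashlib.new(algo, stream).digest()
    kul = hashlib.new(algo, ku + bytes.fromhex(engine_id_hex) + ku).digest()
    return ku, kul


if __name__ == "__main__":
    print(decode_engine_id(DEFAULT_ENGINE_ID))
    # The same password gives a different localized key on a different engine ID,
    # which is why changing the Engine ID invalidates every local user
    for eid in (DEFAULT_ENGINE_ID, "80000eab030200c14df2e1"):
        _, kul = password_to_key("sample-auth-password", eid)   # constructed password
        print(eid, kul.hex())
```

Decoding the default engine ID gives enterprise number 3755, format 3 (MAC address) and the MAC 02:00:c1:4d:f2:e0, which is what the "derived from the switch's MAC address" factory default in Table 2.25 means. The agent stores only the localized key Kul, never the password, so after the Engine ID changes every stored key is useless; the switch therefore deletes the local users rather than keep entries that can never authenticate. For the RFC 3414 vectors (password maplesyrup, engine ID 000000000000000000000002) the MD5 result is Ku 9faf3283884e92834ebc9847d8edd963 and Kul 526f5eed9fcce26f8964c2930787d82b.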

SNMP Groups

Figure 2.42 shows SNMPv3 Group Configuration webpage. It contains SNMPv3 group table. The entry index keys are Security Model and Security Name. Click Add New Entry button to add a new group entry to the table. Table 2.26 describes the column labels of the SNMPv3 group table.

Figure 2.42 Webpage to Configure SNMP Groups

Table 2.26 Descriptions of SNMP Groups:

Label

Description

Factory Default

Delete

Check to delete the entry. It will be deleted during the next save.

Security Model

Indicates the security model that this entry belongs to. Possible security models are: v1: Reserved for SNMPv1. v2c: Reserved for SNMPv2c. usm: SNMPv3, User-based Security Model (USM).

v1

Security Name

A string identifying the security name that this entry should belong to. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.

public

Group Name

A string identifying the group name that this entry belongs to. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.

Null

SNMP Views

Figure 2.43 shows SNMPv3 View Configuration webpage. It contains SNMPv3 view table. The entry index keys are View Name and OID Subtree. Click Add New Entry button to add a new view entry to the table. Table 2.27 describes the column labels of the SNMPv3 view table. Please click on the Save button afterwards for a change to take effect, or click Reset button to undo any changes made locally and revert to previously saved values.

Figure 2.43 Webpage to Configure SNMP Views

Table 2.27 Descriptions of SNMP Views:

Label

Description

Factory Default

Delete

Check to delete the entry. It will be deleted during the next save.

View Name

A string identifying the view name that this entry should belong to. The allowed string length is 1 to 32, and the allowed content is ASCII characters from 33 to 126.

Null

View Type

Indicates the view type that this entry should belong to. Possible view types are: included: An optional flag to indicate that this view subtree should be included. excluded: An optional flag to indicate that this view subtree should be excluded.

included

OID Subtree

The OID defining the root of the subtree to add to the named view. The allowed OID length is 1 to 128 sub-identifiers. Each sub-identifier is a number or an asterisk (*), which acts as a wildcard for that position.

Null
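The included/excluded logic of the Trap Sources table (Table 2.23) and the subtree matching of the SNMP Views table above are easy to get wrong once rows overlap. The following Python functions are an added example, not the switch's or Welotec's code: they implement the subset OID syntax from Table 2.23, the trap source rule quoted in that section, and a VACM view lookup. The trap filter rows and the read-only view are constructed samples; the view hides the snmpUsmMIB (1.3.6.1.6.3.15) and snmpVacmMIB (1.3.6.1.6.3.16) subtrees, which a read-only community should never be able to walk. Where several view rows cover the same OID the code applies the RFC 3415 rule (longest subtree wins), which is an assumption about how this switch resolves the tie.

```python
"""OID matching as used by the SNMP Trap Sources filters and the SNMP Views (VACM)
table. Added example code, not the switch's own implementation; the tie-break rule
for overlapping view subtrees follows RFC 3415 and is an assumption about this switch."""

MAX_SUBIDS = 128
MAX_SUBID_VALUE = 4294967295


def parse_oid(text):
    """Split a dotted OID or subset OID into sub-identifiers, applying the page's rules:
    numbers 0..4294967295 or '*', dot separated, not starting with '*', at most 128."""
    parts = text.strip().strip(".").split(".")
    if parts == [""] or parts[0] == "*" or len(parts) > MAX_SUBIDS:
        raise ValueError("invalid OID %r" % text)
    for p in parts:
        if p != "*" and not (p.isdigit() and int(p) <= MAX_SUBID_VALUE):
            raise ValueError("invalid sub-identifier %r in %r" % (p, text))
    return parts


def under_subtree(oid, subtree):
    """True if oid lies within subtree; '*' in the subtree matches any one sub-identifier."""
    o, t = parse_oid(oid), parse_oid(subtree)
    return len(o) >= len(t) and all(a == "*" or a == b for a, b in zip(t, o))


def trap_allowed(trap_name, subset_oid, filters):
    """Trap Sources rule from the page: a trap is sent if at least one 'included' entry
    for this trap name matches its subset OID and no 'excluded' entry matches.
    filters: iterable of (name, type, subset_oid) rows as in Table 2.23."""
    included = excluded = False
    for name, ftype, pattern in filters:
        if name == trap_name and under_subtree(subset_oid, pattern):
            included |= ftype == "included"
            excluded |= ftype == "excluded"
    return included and not excluded


def view_includes(view_rows, oid):
    """VACM view check (RFC 3415): of all OID Subtree rows covering oid, the longest
    (most specific) one decides; ties go to the lexicographically greatest subtree,
    counting '*' as 0. Its View Type says whether oid is visible.
    view_rows: iterable of (view_type, oid_subtree) rows for one View Name."""
    best = None
    for vtype, subtree in view_rows:
        if under_subtree(oid, subtree):
            parts = parse_oid(subtree)
            key = (len(parts), tuple(0 if p == "*" else int(p) for p in parts))
            if best is None or key > best[0]:
                best = (key, vtype)
    return best is not None and best[1] == "included"


# Constructed sample tables
TRAP_FILTERS = [
    ("linkDown", "included", "1"),   # report port 1 ...
    ("linkDown", "included", "2"),   # ... and port 2 going down,
    ("linkDown", "excluded", "2"),   # but an excluded row wins, so only port 1 reports
]
# A read-only view that hides the SNMPv3 user and access-control tables
RO_VIEW = [
    ("included", "1.3.6.1"),
    ("excluded", "1.3.6.1.6.3.15"),   # snmpUsmMIB
    ("excluded", "1.3.6.1.6.3.16"),   # snmpVacmMIB
]

if __name__ == "__main__":
    for port in ("1", "2", "3"):
        print("linkDown on ifIndex", port, "->", trap_allowed("linkDown", port, TRAP_FILTERS))
    for oid in ("1.3.6.1.2.1.1.5.0", "1.3.6.1.6.3.15.1.2.2.1.3"):
        print(oid, "visible in RO_VIEW:", view_includes(RO_VIEW, oid))
```

Note the asymmetry the page's rule creates: an excluded row overrides any number of included rows for the same trap, and a trap with no matching included row at all is never sent. The wildcard is useful for per-column matching, for example the subtree 1.3.6.1.2.1.2.2.1.*.5 covers every ifEntry column of port 5.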

SNMP Access

Figure 2.44 shows SNMPv3 Access Configuration webpage. It contains SNMPv3 access table. The entry index keys are Group Name, Security Model and Security Level. Click Add New Entry button to add a new access entry to the table. Table 2.28 describes the column labels of the SNMPv3 access table. Please click on the Save button afterwards for a change to take effect, or click Reset button to undo any changes made locally and revert to previously saved values.

Figure 2.44 Webpage to Configure SNMP Access

Table 2.28 Descriptions of SNMP Access Configuration:

Label

Description

Factory Default

Delete

Check to delete the entry. It will be deleted during the next save.

Group Name

A string identifying the group name that this entry should belong to.

Default_ro_group

Security Model

Indicates the security model that this entry belongs to. Possible security models are: v1: Reserved for SNMPv1. v2c: Reserved for SNMPv2c. usm: SNMPv3, User-based Security Model (USM).

any

Security Level

Indicates the security level that this entry belongs to. Possible security levels are: NoAuth, NoPriv: No authentication and no privacy. Auth, NoPriv: Authentication and no privacy. Auth, Priv: Authentication and privacy.

NoAuth, NoPriv

Read View Name

The name of the MIB view defining the MIB objects for which this request may request the current values.

None

Write View Name

The name of the MIB view defining the MIB objects for which this request may potentially set the new values.

None

RMON Statistics

Figure 2.45 shows the RMON (Remote Network Monitoring) Statistics Configuration. Welotec's managed switch can monitor network traffic on a remote Ethernet segment to detect problems inside the network. The entry index key of the RMON Statistics table is ID. Click the Add New Entry button to add a new RMON Statistics entry to the table as shown in Figure 2.46. Table 2.29 describes the column labels of the RMON Statistics table. Please click on the Save button afterwards for a change to take effect, or click the Reset button to undo any changes made locally and revert to previously saved values.

Figure 2.45 Webpage to Configure RMON Statistics

Figure 2.46 Adding New Entry to RMON Statistics Configuration

Table 2.29 Descriptions of RMON Statistics:

Label

Description

Factory Default

Delete

Check to delete the entry. It will be deleted during the next save.

ID

Indicates the index of the entry. The range is from 1 to 65535.

Null

Data Source

Indicates the port (ifIndex) to be monitored. In a stacked switch, add 1000000*(switch ID-1) to the port ID; for example, switch 3 port 5 is 2000005.

.1.3.6.1.2.1.2.2.1.1.0

RMON History

Figure 2.47 shows the RMON (Remote Network Monitoring) History Configuration. It displays the RMON history table. The entry index key of the RMON history table is ID. Click the Add New Entry button to add a new RMON history entry to the table as shown in Figure 2.48. Table 2.30 describes the column labels of the RMON History table. Please click on the Save button afterwards for a change to take effect, or click the Reset button to undo any changes made locally and revert to previously saved values.

Figure 2.47 Webpage to Configure RMON History

Figure 2.48 Adding New Entry to RMON History Table

Table 2.30 Descriptions of RMON History:

Label

Description

Factory Default

Delete

Check to delete the entry. It will be deleted during the next save.

ID

Indicates the index of the entry. The range is from 1 to 65535.

Null

Data Source

Indicates the port (ifIndex) to be monitored. In a stacked switch, add 1000000*(switch ID-1) to the port ID; for example, switch 3 port 5 is 2000005.

.1.3.6.1.2.1.2.2.1.1.0

Interval

Indicates the interval in seconds for sampling the history statistics data. The range is from 1 to 3600, default value is 1800 seconds.

1800

Buckets

Indicates the maximum number of data entries associated with this History control entry that are stored in RMON. The range is from 1 to 3600; the default value is 50.

50

Buckets Granted

The number of data shall be saved in the RMON.

RMON Alarm

Figure 2.49 shows RMON Alarm Configuration. It displays RMON alarm table. The entry index key is ID for RMON alarm table. Click Add New Entry button to add a new RMON alarm entry to the table as shown in Figure 2.49. Table 2.31 describes the column labels of the RMON alarm table. Please click on the Save button afterwards for a change to take effect, or click Reset button to undo any changes made locally and revert to previously saved values.

Figure 2.49 Webpage to Configure RMON Alarm

Table 2.31 Descriptions of RMON Alarm:

Label

Description

Factory Default

Delete

Check to delete the entry. It will be deleted during the next save.

ID

Indicates the index of the entry. The range is from 1 to 65535.

Null

Interval

Indicates the interval in seconds between samples of the variable; after each sample the value is compared against the thresholds. The range is from 1 to 3600; the factory default is 30 seconds.

30

Variable

Indicates the variable to be sampled, given as the OID of the ifEntry column (.1.3.6.1.2.1.2.2.1) followed by the port ID. In a stacked switch, add 1000000*(switch ID-1) to the port ID; for example, switch 3 port 5 is 2000005. The possible variables are: InOctets: The total number of octets received on the interface, including framing characters. InUcastPkts: The number of unicast packets delivered to a higher-layer protocol. InNUcastPkts: The number of broadcast and multicast packets delivered to a higher-layer protocol. InDiscards: The number of inbound packets that are discarded even though they are normal. InErrors: The number of inbound packets that contained errors preventing them from being delivered to a higher-layer protocol. InUnknownProtos: The number of inbound packets that were discarded because of an unknown or unsupported protocol. OutOctets: The number of octets transmitted out of the interface, including framing characters. OutUcastPkts: The number of unicast packets requested to be transmitted. OutNUcastPkts: The number of broadcast and multicast packets requested to be transmitted. OutDiscards: The number of outbound packets that are discarded even though they are normal. OutErrors: The number of outbound packets that could not be transmitted because of errors. OutQLen: The length of the output packet queue (in packets).

.1.3.6.1.2.1.2.2.1.0.0

Sample Type

The method of sampling the selected variable and calculating the value to be compared against the thresholds, possible sample types are: Absolute: Get the sample directly. Delta: Calculate the difference between samples (default).

Delta

Value

The value of the statistic during the last sampling period.

0

Start-up Alarm

Controls which alarm may be raised by the first sample taken after the entry becomes valid. Possible start-up alarms are: Rising: Raise a rising alarm if the first value is greater than or equal to the rising threshold. Falling: Raise a falling alarm if the first value is less than or equal to the falling threshold. RisingOrFalling: Raise whichever of the two applies to the first value (default). After a rising alarm, no further rising alarm is raised until the value has come down to the falling threshold, and vice versa.

RisingOrFalling

Rising Threshold

Rising threshold value (-2147483648-2147483647).

0

Rising Index

Rising event index (0-65535). If this value is zero, no associated event will be generated, as zero is not a valid event index.

0

Falling Threshold

Falling threshold value (-2147483648-2147483647).

0

Falling Index

Falling event index (0-65535). If this value is zero, no associated event will be generated, as zero is not a valid event index.

0
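An RMON alarm does not fire every time the value is above the threshold: the RFC 2819 alarm semantics that the table above configures include Delta versus Absolute sampling, the Start-up Alarm rule for the first sample, and hysteresis between the rising and falling thresholds. The following Python model is an added example, not the switch's or Welotec's implementation, and assumes the switch follows RFC 2819. The ifEntry column numbers used to build the Variable OID are the standard RFC 1213 values, and the counter readings it is run on are constructed.

```python
"""RMON alarm evaluation with the RFC 2819 alarmTable semantics that the RMON Alarm
table configures. Added example code, not the switch's own implementation; the
ifEntry column numbers are the standard ones from RFC 1213."""

IF_ENTRY = "1.3.6.1.2.1.2.2.1"
IF_COLUMNS = {"InOctets": 10, "InUcastPkts": 11, "InNUcastPkts": 12, "InDiscards": 13,
              "InErrors": 14, "InUnknownProtos": 15, "OutOctets": 16, "OutUcastPkts": 17,
              "OutNUcastPkts": 18, "OutDiscards": 19, "OutErrors": 20, "OutQLen": 21}


def variable_oid(name, port, switch_id=1):
    """Variable OID for the alarm: ifEntry column of the named counter, instanced by the
    port ID, plus 1000000*(switch ID-1) for stacked switches as the page describes."""
    return "%s.%d.%d" % (IF_ENTRY, IF_COLUMNS[name], port + 1000000 * (switch_id - 1))


class RmonAlarm:
    """One alarm row: Sample Type, Start-up Alarm, thresholds and event indexes."""

    def __init__(self, rising, falling, sample_type="Delta", startup="RisingOrFalling",
                 rising_index=0, falling_index=0):
        self.rising, self.falling = rising, falling
        self.sample_type, self.startup = sample_type, startup
        self.rising_index, self.falling_index = rising_index, falling_index
        self.last_raw = None    # previous raw reading, needed for Delta
        self.value = None       # last computed sample (the Value column)
        self.state = None       # None before the first comparison, then rising/falling/between

    def sample(self, raw):
        """Feed one reading taken every Interval seconds. Returns (alarm, event_index);
        alarm is "rising", "falling" or "none"; event_index 0 means no event is run."""
        if self.sample_type == "Delta":
            if self.last_raw is None:          # a delta needs two readings
                self.last_raw = raw
                return "none", 0
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        self.value = value
        alarm = "none"
        if self.state is None:                 # first comparison: Start-up Alarm applies
            if value >= self.rising:
                self.state = "rising"
                if self.startup in ("Rising", "RisingOrFalling"):
                    alarm = "rising"
            elif value <= self.falling:
                self.state = "falling"
                if self.startup in ("Falling", "RisingOrFalling"):
                    alarm = "falling"
            else:
                self.state = "between"
        # Hysteresis: after a rising alarm no further rising alarm until the value has
        # come down to the falling threshold, and vice versa
        elif value >= self.rising and self.state != "rising":
            self.state = alarm = "rising"
        elif value <= self.falling and self.state != "falling":
            self.state = alarm = "falling"
        index = {"rising": self.rising_index, "falling": self.falling_index, "none": 0}[alarm]
        return alarm, index


def run_alarm(alarm, readings):
    """Feed a series of counter readings and return the alarms raised, in order."""
    return [alarm.sample(r)[0] for r in readings]


# Constructed sequence of ifInErrors readings for one port, one per 30 s interval
SAMPLE_READINGS = [0, 0, 50, 200, 260, 265, 270, 400]

if __name__ == "__main__":
    print("Variable for InErrors on switch 3 port 5:", variable_oid("InErrors", 5, 3))
    a = RmonAlarm(rising=100, falling=10, sample_type="Delta", startup="Rising",
                  rising_index=1, falling_index=2)
    print(list(zip(SAMPLE_READINGS, run_alarm(a, SAMPLE_READINGS))))
    # The page's defaults (both thresholds 0, RisingOrFalling) alarm on the very first sample
    print(RmonAlarm(rising=0, falling=0, sample_type="Absolute").sample(0))
```

On the constructed readings the alarm fires rising at the 150-error jump, stays silent while the delta remains between the thresholds, fires falling once the delta drops to 5, and only then can fire rising again. With the factory defaults (both thresholds 0, Start-up Alarm RisingOrFalling) the first sample already satisfies value >= 0 under these semantics, so set the thresholds before pointing Rising Index or Falling Index at an event that sends traps.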

RMON Event

Figure 2.50 shows the RMON Event Configuration. It displays the RMON event table. The entry index key of the RMON event table is ID. Click the Add New Entry button to add a new RMON event entry to the table as shown in Figure 2.50. Table 2.32 describes the column labels of the RMON Event table. Please click on the Save button afterwards for a change to take effect, or click the Reset button to undo any changes made locally and revert to previously saved values.

Figure 2.50 Webpage to Configure RMON Event

Table 2.32 Descriptions of RMON Event:

Label

Description

Factory Default

Delete

Check to delete the entry. It will be deleted during the next save.

ID

Indicates the index of the entry. The range is from 1 to 65535.

Null

Desc

Indicates this event, the string length is from 0 to 127, default is a null string.

Null

Type

Indicates the notification of the event. The possible types are: none: No SNMP log entry is created and no SNMP trap is sent. log: Create an SNMP log entry when the event is triggered. snmptrap: Send an SNMP trap when the event is triggered. logandtrap: Create an SNMP log entry and send an SNMP trap when the event is triggered.

None

Event Last Time

Indicates the value of sysUpTime at the time this event entry last generated an event.

0

Network

Under the Security⭢Network submenu, the users can configure network security for the RSAES managed switch. Figure 2.51 shows the list of menus under Security⭢Network. Here the users can set up port security, the network access server (NAS), the access control list (ACL), IP source guard, and ARP (Address Resolution Protocol) inspection.

Figure 2.51 Configuration⭢Security⭢Network Menu

Port Security Configuration

Global and per-port security of the managed switch can be configured in this webpage as shown in Figure 2.52. Port Security allows for limiting the number of users on a given port. A user is identified by a MAC address and VLAN ID. If Port Security is enabled on a port, the limit specifies the maximum number of users on the port. If this number is exceeded, an action is taken depending on the violation mode, which can be one of the three modes described below. The Port Security Configuration on this page consists of two sections: Global Configuration and Port Configuration. Table 2.33 summarizes the description of the options for the global and per-port configuration settings.

Please click on the Save button afterwards for a change to take effect, or click Reset button to undo any changes made locally and revert to previously saved values.

Figure 2.52 Webpage to Configure Network Port Security

Table 2.33 Descriptions of Port Security Configuration:

Label

Description

Factory Default

Port

The port number to which the configuration below applies.

Port no. 1 ~ 11

Mode

Controls whether Port Security is enabled on this port. Notice that other modules may still use the underlying port security features without enabling Port Security on a given port.

Disabled

Limit

The maximum number of MAC addresses that can be secured on this port. This number cannot exceed 1023. Default is 4. If the limit is exceeded, an action is taken corresponding to the violation mode. The switch is “born” with a total number of MAC addresses from which all ports draw whenever a new MAC address is seen on a Port Security-enabled port. Since all ports draw from the same pool, it may happen that a configured maximum cannot be granted, if the remaining ports have already used all available MAC addresses.

4

Violation Mode

If Limit is reached, the switch can take one of the following actions: Protect: Do not allow more than Limit MAC addresses on the port, but take no further action. Restrict: If Limit is reached, subsequent MAC addresses on the port will be counted and marked as violating. Such MAC addresses are removed from the MAC table when the hold time expires. At most Violation Limit MAC addresses can be marked as violating at any given time. Shutdown: If Limit is reached, one additional MAC address will cause the port to be shut down. This implies that all secured MAC addresses be removed from the port, and no new addresses be learned. There are three ways to re-open the port: 1) In the “Configuration⭢Ports” page’s “Configured” column, first disable the port, then restore the original mode. 2) Make a Port Security configuration change on the port. 3) Boot the switch.

Protect

Violation Limit

The maximum number of MAC addresses that can be marked as violating on this port. This number cannot exceed 1023. Default is 4. It is only used when Violation Mode is Restrict.

4

Sticky

Enables sticky learning of MAC addresses on this port. When the port is in sticky mode, all MAC addresses that would otherwise have been learned as dynamic are learned as sticky. Sticky MAC addresses are part of the running-config and can therefore be saved to start-up-config. Sticky MAC addresses survive link changes (in contrast to Dynamic, which will have to be learned again). They also survive reboots if running-config is saved to startup-config. A port can be Sticky-enabled whether or not Port Security is enabled on that interface. In that way, it is possible to add sticky MAC addresses managementwise before enabling Port Security. To do that, use the “Configuration⭢Security⭢Port Security⭢MAC Addresses” page

Unclicked

State

This column shows the current Port Security state of the port. The state takes one of four values: Disabled: Port Security is disabled on the port. Ready: The limit is not reached. This can be shown for all violation modes. Limit Reached: Indicates that the limit is reached on this port. This can be shown for all violation modes. Shutdown: Indicates that the port is shut down by Port Security. This state can only be shown if the violation mode is set to Shutdown.

Disabled
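The interaction between Limit, Violation Mode and the shared MAC address pool described in Table 2.33 can be traced with the following Python model. It is an added example, not the switch's or Welotec's code, and reproduces only the decisions the table states: the pool size, the port configuration and the frame stream are constructed, hold-time expiry in Restrict mode is not modelled, and because the page does not say what happens to a frame when the pool is exhausted, the model just reports that condition.

```python
"""Model of the Port Security limit and violation-mode rules in Table 2.33. Added
example code, not the switch's own implementation: it reproduces the documented
decisions (limit, Protect/Restrict/Shutdown, the shared MAC pool) on a frame stream
so the interaction between them can be seen; hold-time expiry is not modelled."""


class PortSecurity:
    def __init__(self, pool_size, ports):
        """ports: {port: {"limit": n, "mode": "Protect"|"Restrict"|"Shutdown",
        "violation_limit": n}}; pool_size is the switch-wide number of MAC addresses
        that all Port Security-enabled ports draw from."""
        self.pool_size = pool_size
        self.cfg = ports
        self.secured = {p: set() for p in ports}     # (vlan, mac) learned per port
        self.violating = {p: set() for p in ports}   # Restrict: addresses marked violating
        self.shutdown = set()

    def pool_used(self):
        return sum(len(s) for s in self.secured.values())

    def frame(self, port, vlan, mac):
        """Decide what happens to a frame from (vlan, mac) arriving on port."""
        c = self.cfg[port]
        key = (vlan, mac)
        if port in self.shutdown:
            return "dropped:port-shutdown"
        if key in self.secured[port]:
            return "forwarded:secured"
        if len(self.secured[port]) < c["limit"]:
            if self.pool_used() >= self.pool_size:
                # Limit not reached, but the shared pool is exhausted: the configured
                # maximum cannot be granted (the page does not say what happens to the
                # frame; the model only reports the condition)
                return "not-secured:pool-exhausted"
            self.secured[port].add(key)
            return "forwarded:learned"
        # Limit reached: act according to Violation Mode
        if c["mode"] == "Protect":
            return "dropped:protect"
        if c["mode"] == "Restrict":
            if key in self.violating[port] or len(self.violating[port]) < c["violation_limit"]:
                self.violating[port].add(key)
                return "dropped:restrict-marked"
            return "dropped:restrict-unmarked"   # Violation Limit reached, not counted
        if c["mode"] == "Shutdown":
            self.shutdown.add(port)
            self.secured[port].clear()           # all secured addresses leave the port
            return "dropped:port-shutdown"
        raise ValueError("unknown violation mode %r" % c["mode"])

    def state(self, port):
        """The State column of Table 2.33 for a Port Security-enabled port."""
        if port in self.shutdown:
            return "Shutdown"
        return "Limit Reached" if len(self.secured[port]) >= self.cfg[port]["limit"] else "Ready"

    def reopen(self, port):
        """Re-open a port that Port Security shut down (configuration change or reboot)."""
        self.shutdown.discard(port)


def demo():
    """Constructed frame stream over three ports with a deliberately small pool."""
    ps = PortSecurity(pool_size=4, ports={
        1: {"limit": 2, "mode": "Protect", "violation_limit": 4},
        2: {"limit": 2, "mode": "Shutdown", "violation_limit": 4},
        3: {"limit": 2, "mode": "Restrict", "violation_limit": 1},
    })
    frames = [(1, 1, "aa"), (1, 1, "bb"), (1, 1, "cc"), (2, 1, "dd"), (2, 1, "ee"),
              (2, 1, "ff"), (2, 1, "dd"), (3, 1, "gg"), (3, 1, "hh"), (3, 1, "ii"),
              (3, 1, "jj"), (3, 1, "ii")]
    results = [ps.frame(*f) for f in frames]
    ps.reopen(2)
    results.append(ps.frame(2, 1, "dd"))   # pool already used up by ports 1 and 3
    return ps, results


if __name__ == "__main__":
    ps, results = demo()
    for r in results:
        print(r)
    print({p: ps.state(p) for p in ps.cfg})
```

The run shows the three behaviours side by side: port 1 silently drops the third address, port 2 is shut down by its third address and loses the two it had secured, and port 3 marks one violator and then stops counting. The last frame is the case the Limit description warns about: after port 2 is re-opened its limit of 2 is still configured, but ports 1 and 3 have meanwhile taken the whole pool, so nothing can be secured on it until an address is freed elsewhere.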

Port Security MAC Addresses

In this webpage as shown in Figure 2.53, the users may add and delete static and sticky MAC addresses managed by Port Security. The port security defines three types of MAC addresses, of which static and sticky can be added and removed on this page:

  • Static: A MAC address added by end-user through management. Static MAC addresses are not subject to aging and will be added to the MAC address table once Port Security gets enabled on the interface. Static entries are part of the running-config and will survive interface link state changes and reboots if saved to startupconfig. Static entries can be added to the running-config at any time whether or not Port Security is enabled.

  • Sticky: When the interface is in sticky mode, all entries that would otherwise have been learned as dynamic are learned as sticky. Like static entries, sticky entries are part of the running-config and will survive interface link state changes and reboots if saved to the startup-config. Though not the intention with Sticky entries, they can be added by management to the running-config at any time whether or not Port Security is enabled on the interface, as long as the interface is in Sticky mode. Sticky entries will disappear if the interface is taken out of Sticky mode.

To add a new entry to the table of Port Security Static and Sticky MAC Addresses, click on Add New MAC Entry button. The new entry as shown in Figure 2.53 allows for adding static or sticky MAC address to a particular interface. When adding is finished, click the Save button to save the changes to running-config. Notice that sticky entries are normally added automatically through learning on the interface. Table 2.34 provides descriptions of the fields for Port Security Static and Sticky MAC Addresses.

Figure 2.53 Webpage to Configure Network Port Security MAC Addresses

Table 2.34 Descriptions of Port Security MAC Addresses:

Label

Description

Factory Default

Delete

Press this button to remove the entry from the MAC address table (if present) and the running-config. Notice that dynamic entries may be removed all-together on an interface through “Monitor->Security->Port Security->Switch” and one-by-one through “Monitor->Security->Port Security->Port”

Port

The port number to which this MAC address is bound.

Select…

VLAN ID

The VLAN ID in question.

1

MAC Address

The MAC address in question.

00:00:00:00:00:00

Type

Indicates the type of entry and may be either Static or Sticky (see description above).

Static

NAS

NAS is an acronym for Network Access Server. The NAS is meant to act as a gateway to guard access to a protected source. A client connects to the NAS, and the NAS connects to another resource asking whether the client’s supplied credentials are valid. Based on the answer, the NAS then allows or disallows access to the protected resource. An example of a NAS implementation is IEEE 802.1X.

The IEEE 802.1X standard defines a port-based access control procedure that prevents unauthorized access to a network by requiring users to first submit credentials for authentication. One or more central servers, the backend servers, determine whether the user is allowed access to the network. These backend (RADIUS) servers are configured on the “Configuration⭢Security⭢AAA” webpage. The IEEE802.1X standard defines port-based operation, but non-standard variants overcome security limitations.

MAC-based authentication allows for authentication of more than one user on the same port, and doesn’t require the user to have special 802.1X supplicant software installed on his/her system. The switch uses the user’s MAC address to authenticate against the backend server. Intruders can create counterfeit MAC addresses, which makes MAC-based authentication less secure than 802.1X authentication.

This feature provides access control on a port basis. There are two types of authentication: IEEE 802.1X and MAC-based. The 802.1X support is of the Port-based 802.1X authentication type. The following three terms are used in the 802.1X context: Supplicant, Authenticator, and Authentication server. The Supplicant is the client (PC) running 802.1X software, the Authenticator is the switch, and the Authentication server is, for example, a RADIUS server. The supplicant/client is connected to the authenticator/switch on some port, and the authenticator can reach an authentication server. The supplicant wants access to the port, so it sends an Extensible Authentication Protocol over LAN (EAPoL) message to the authenticator, which in turn asks the authentication server whether this supplicant can be accepted. If so, the authenticator opens the port for the supplicant, and communication can begin. Depending on how the authenticator is configured, this process behaves in different ways.

In Port-based 802.1X, if the supplicant S is on network N (connected to the authenticator on Port A) and S opens Port A, then everyone on network N will have access. However, only the supplicant that opened the port on the authenticator is allowed to transmit and receive packets. This is done through the MAC address of the supplicant.

In MAC-based authentication, a supplicant can be seen as a combination of a client and a supplicant component in the switch (which takes care of negotiating the port opening when the client transmits its first packet). This embedded supplicant component then uses the MAC address of the client as both username and password, in the form aa-bb-cc-dd-ee-ff. The advantage is that the client does not need to have supplicant software.

The Configuration -> Security -> Network -> NAS (Network Access Server) webpage, shown in Figure 2.54, allows the user to configure the IEEE 802.1X and MAC-based authentication system and port settings. The NAS configuration consists of two sections: a system-wide section (System Configuration) and a per-port section (Port Configuration). Table 2.35 provides detailed descriptions of the options in both System Configuration and Port Configuration.

Figure 2.54 Webpage to Configure Network NAS

Table 2.35 Descriptions of Network NAS:

Label

Description

Factory Default

System Configuration

Mode

Indicates if NAS is globally enabled or disabled on the switch. If globally disabled, all ports are allowed forwarding of frames.

Disabled

Reauthentication Enabled

If checked, successfully authenticated supplicants/clients are reauthenticated after the interval specified by the Reauthentication Period. Reauthentication for 802.1X-enabled ports can be used to detect if a new device is plugged into a switch port or if a supplicant is no longer attached. For MAC-based ports, reauthentication is only useful if the RADIUS server configuration has changed. It does not involve communication between the switch and the client, and therefore doesn’t imply that a client is still present on a port (see Aging Period below).

Unclicked

Reauthentication Period

Determines the period, in seconds, after which a connected client must be reauthenticated. This is only active if the Reauthentication Enabled checkbox is checked. Valid values are in the range 1 to 3600 seconds.

3600

EAPOL Timeout

Determines the time for retransmission of Request Identity EAPOL frames. Valid values are in the range 1 to 65535 seconds. This has no effect for MAC-based ports.

30

Aging Period

This setting applies to modes that use the Port Security functionality to secure MAC addresses, i.e. MAC-Based Auth. When the NAS module uses the Port Security module to secure MAC addresses, the Port Security module needs to check for activity on the MAC address in question at regular intervals and free resources if no activity is seen within a given period of time. This parameter controls exactly this period and can be set to a number between 10 and 1000000 seconds. If reauthentication is enabled and the port is in an 802.1X-based mode, this is not so critical, since supplicants that are no longer attached to the port will be removed upon the next reauthentication, which will fail. But if reauthentication is not enabled, the only way to free resources is by aging the entries. For ports in MAC-based Auth. mode, reauthentication doesn’t cause direct communication between the switch and the client, so it will not detect whether the client is still attached, and the only way to free resources is to age the entry.

300

Hold Time

This setting applies to modes that use the Port Security functionality to secure MAC addresses, i.e. MAC-Based Auth. If a client is denied access, either because the RADIUS server denies the client access or because the RADIUS server request times out (according to the timeout specified on the “Configuration→Security→AAA” page), the client is put on hold in the Unauthorized state. The hold timer does not count during an on-going authentication. In MAC-based Auth. mode, the switch ignores new frames coming from the client during the hold time. The Hold Time can be set to a number between 10 and 1000000 seconds.

10

RADIUS-Assigned QoS Enabled

RADIUS-assigned QoS provides a means to centrally control the traffic class to which traffic coming from a successfully authenticated supplicant is assigned on the switch. The RADIUS server must be configured to transmit special RADIUS attributes to take advantage of this feature (see the port-level RADIUS-Assigned QoS Enabled entry below for a detailed description). The “RADIUS-Assigned QoS Enabled” checkbox provides a quick way to globally enable/disable RADIUS-server assigned QoS Class functionality. When checked, each port’s setting of the same name determines whether RADIUS-assigned QoS Class is enabled on that port. When unchecked, RADIUS-server assigned QoS Class is disabled on all ports.

Unclicked

RADIUS-Assigned VLAN Enabled

RADIUS-assigned VLAN provides a means to centrally control the VLAN on which a successfully authenticated supplicant is placed on the switch. Incoming traffic will be classified to and switched on the RADIUS-assigned VLAN. The RADIUS server must be configured to transmit special RADIUS attributes to take advantage of this feature (see the port-level RADIUS-Assigned VLAN Enabled entry below for a detailed description). The “RADIUS-Assigned VLAN Enabled” checkbox provides a quick way to globally enable/disable RADIUS-server assigned VLAN functionality. When checked, each port’s setting of the same name determines whether RADIUS-assigned VLAN is enabled on that port. When unchecked, RADIUS-server assigned VLAN is disabled on all ports.

Unclicked

Guest VLAN Enabled

A Guest VLAN is a special VLAN - typically with limited network access - on which 802.1X-unaware clients are placed after a network administrator-defined timeout. The switch follows a set of rules for entering and leaving the Guest VLAN as listed below. The “Guest VLAN Enabled” checkbox provides a quick way to globally enable/disable Guest VLAN functionality. When checked, the individual ports’ ditto setting determines whether the port can be moved into Guest VLAN. When unchecked, the ability to move to the Guest VLAN is disabled on all ports.

Unclicked

Guest VLAN ID

This is the value that a port’s Port VLAN ID is set to if a port is moved into the Guest VLAN. It is only changeable if the Guest VLAN option is globally enabled. Valid values are in the range [1; 4095].

1

Max. Reauth. Count

The number of times the switch transmits an EAPOL Request Identity frame without response before considering entering the Guest VLAN is adjusted with this setting. The value can only be changed if the Guest VLAN option is globally enabled. Valid values are in the range [1; 255].

2

Allow Guest VLAN if EAPOL Seen

The switch remembers if an EAPOL frame has been received on the port for the life-time of the port. Once the switch considers whether to enter the Guest VLAN, it will first check if this option is enabled or disabled. If disabled (unchecked; default), the switch will only enter the Guest VLAN if an EAPOL frame has not been received on the port for the life-time of the port. If enabled (checked), the switch will consider entering the Guest VLAN even if an EAPOL frame has been received on the port for the lifetime of the port. The value can only be changed if the Guest VLAN option is globally enabled.

Unclicked

Port Configuration

Port

The port number for which the configuration below applies.

Admin State

If NAS is globally enabled, this selection controls the port’s authentication mode. The following modes are available. Force Authorized: In this mode, the switch sends one EAPOL Success frame when the port link comes up, and any client on the port is allowed network access without authentication. Force Unauthorized: In this mode, the switch sends one EAPOL Failure frame when the port link comes up, and any client on the port is denied network access. Port-based 802.1X: In the 802.1X world, the user is called the supplicant, the switch is the authenticator, and the RADIUS server is the authentication server. The authenticator acts as the man-in-the-middle, forwarding requests and responses between the supplicant and the authentication server. Frames sent between the supplicant and the switch are special 802.1X frames, known as EAPOL (EAP Over LANs) frames. EAPOL frames encapsulate EAP PDUs (RFC 3748). Frames sent between the switch and the RADIUS server are RADIUS packets. RADIUS packets also encapsulate EAP PDUs together with other attributes like the switch’s IP address, name, and the supplicant’s port number on the switch. EAP is very flexible, in that it allows for different authentication methods, like MD5-Challenge, PEAP, and TLS. The important thing is that the authenticator (the switch) doesn’t need to know which authentication method the supplicant and the authentication server are using, or how many information exchange frames are needed for a particular method. The switch simply encapsulates the EAP part of the frame into the relevant type (EAPOL or RADIUS) and forwards it. When authentication is complete, the RADIUS server sends a special packet containing a success or failure indication. Besides forwarding this decision to the supplicant, the switch uses it to open up or block traffic on the switch port connected to the supplicant. Note: Suppose two backend servers are enabled and that the server timeout is configured to X seconds (using the AAA configuration page), and suppose that the first server in the list is currently down (but not considered dead). If the supplicant retransmits EAPOL Start frames at a rate faster than X seconds, it will never get authenticated, because the switch cancels on-going backend authentication server requests whenever it receives a new EAPOL Start frame from the supplicant. And since the server hasn’t yet failed (because the X seconds haven’t expired), the same server will be contacted upon the next backend authentication server request from the switch. This scenario loops forever. Therefore, the server timeout should be smaller than the supplicant’s EAPOL Start frame retransmission interval. MAC-based Auth.: Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely a best-practices method adopted by the industry. In MAC-based authentication, users are called clients, and the switch acts as the supplicant on behalf of clients. The initial frame (any kind of frame) sent by a client is snooped by the switch, which in turn uses the client’s MAC address as both username and password in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is converted to a string of the form “xx-xx-xx-xx-xx-xx”, that is, a dash (-) is used as separator between the lower-cased hexadecimal digits. The switch only supports the MD5-Challenge authentication method, so the RADIUS server must be configured accordingly. When authentication is complete, the RADIUS server sends a success or failure indication, which in turn causes the switch to open up or block traffic for that particular client, using the Port Security module. Only then will frames from the client be forwarded on the switch. There are no EAPOL frames involved in this authentication, and therefore MAC-based authentication has nothing to do with the 802.1X standard. The advantage of MAC-based authentication over 802.1X-based authentication is that the clients don’t need special supplicant software to authenticate. The disadvantage is that MAC addresses can be spoofed by malicious users: equipment whose MAC address is a valid RADIUS user can be used by anyone. Also, only the MD5-Challenge method is supported. The maximum number of clients that can be attached to a port can be limited using the Port Security Limit Control functionality.

Force Authorized

RADIUS-Assigned QoS Enabled

When RADIUS-Assigned QoS is both globally enabled and enabled (checked) on a given port, the switch reacts to QoS Class information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and valid, traffic received on the supplicant’s port will be classified to the given QoS Class. If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a QoS Class or it’s invalid, or the supplicant is otherwise no longer present on the port, the port’s QoS Class is immediately reverted to the original QoS Class (which may be changed by the administrator in the meanwhile without affecting the RADIUS-assigned one). This option is only available for single-client modes, i.e. Port-based 802.1X and Single 802.1X. RADIUS attributes used in identifying a QoS Class: The User-Priority-Table attribute defined in RFC 4675 forms the basis for identifying the QoS Class in an Access-Accept packet. Only the first occurrence of the attribute in the packet will be considered, and to be valid, it must follow this rule: All 8 octets in the attribute’s value must be identical and consist of ASCII characters in the range ‘0’ - ‘7’, which translates into the desired QoS Class in the range [0; 7].

Unclicked

RADIUS-Assigned VLAN Enabled

When RADIUS-Assigned VLAN is both globally enabled and enabled (checked) for a given port, the switch reacts to VLAN ID information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and valid, the port’s Port VLAN ID will be changed to this VLAN ID, the port will be set to be a member of that VLAN ID, and the port will be forced into VLAN unaware mode. Once assigned, all traffic arriving on the port will be classified and switched on the RADIUS-assigned VLAN ID. If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a VLAN ID or it’s invalid, or the supplicant is otherwise no longer present on the port, the port’s VLAN ID is immediately reverted to the original VLAN ID (which may be changed by the administrator in the meanwhile without affecting the RADIUS-assigned one). This option is only available for single-client modes, i.e. Port-based 802.1X and Single 802.1X. For trouble-shooting VLAN assignments, use the “Monitor->VLANs->VLAN Membership and VLAN Port” pages. These pages show which modules have (temporarily) overridden the current Port VLAN configuration. RADIUS attributes used in identifying a VLAN ID: RFC 2868 and RFC 3580 form the basis for the attributes used in identifying a VLAN ID in an Access-Accept packet. The following criteria are used: The Tunnel-Medium-Type, Tunnel-Type, and Tunnel-Private-Group-ID attributes must all be present at least once in the Access-Accept packet. The switch looks for the first set of these attributes that have the same Tag value and fulfil the following requirements (if Tag == 0 is used, the Tunnel-Private-Group-ID does not need to include a Tag): the value of Tunnel-Medium-Type must be set to “IEEE-802” (ordinal 6); the value of Tunnel-Type must be set to “VLAN” (ordinal 13); the value of Tunnel-Private-Group-ID must be a string of ASCII characters in the range ‘0’ - ‘9’, which is interpreted as a decimal string representing the VLAN ID. Leading ‘0’s are discarded. The final value must be in the range [1; 4095].

Unclicked

Guest VLAN Enabled

When Guest VLAN is both globally enabled and enabled (checked) for a given port, the switch considers moving the port into the Guest VLAN according to the rules outlined below. This option is only available for EAPOL-based modes, i.e. Port-based 802.1X, Single 802.1X and Multi 802.1X. For trouble-shooting VLAN assignments, use the “Monitor→VLANs→VLAN Membership and VLAN Port” pages. These pages show which modules have (temporarily) overridden the current Port VLAN configuration. Guest VLAN Operation: When a Guest VLAN enabled port’s link comes up, the switch starts transmitting EAPOL Request Identity frames. If the number of transmissions of such frames exceeds Max. Reauth. Count and no EAPOL frames have been received in the meanwhile, the switch considers entering the Guest VLAN. The interval between transmissions of EAPOL Request Identity frames is configured with EAPOL Timeout. If Allow Guest VLAN if EAPOL Seen is enabled, the port will now be placed in the Guest VLAN. If disabled, the switch will first check its history to see if an EAPOL frame has previously been received on the port (this history is cleared if the port link goes down or the port’s Admin State is changed), and if not, the port will be placed in the Guest VLAN. Otherwise it will not move to the Guest VLAN, but continue transmitting EAPOL Request Identity frames at the rate given by EAPOL Timeout. Once in the Guest VLAN, the port is considered authenticated, and all attached clients on the port are allowed access on this VLAN. The switch will not transmit an EAPOL Success frame when entering the Guest VLAN. While in the Guest VLAN, the switch monitors the link for EAPOL frames, and if one such frame is received, the switch immediately takes the port out of the Guest VLAN and starts authenticating the supplicant according to the port mode. Once an EAPOL frame has been received, the port will never be able to go back into the Guest VLAN if “Allow Guest VLAN if EAPOL Seen” is disabled.

Unclicked

Port Status

The current state of the port. It can take one of the following values: Globally Disabled: NAS is globally disabled. Link Down: NAS is globally enabled, but there is no link on the port. Authorized: The port is in Force Authorized or a single-supplicant mode and the supplicant is authorized. Unauthorized: The port is in Force Unauthorized or a single-supplicant mode and the supplicant is not successfully authorized by the RADIUS server. X Auth/Y Unauth: The port is in a multi-supplicant mode. Currently X clients are authorized and Y are unauthorized.

Globally Disabled

Restart

Two buttons are available for each row. The buttons are only enabled when authentication is globally enabled and the port’s Admin State is in an EAPOL-based mode. Clicking these buttons will not cause settings changed on the page to take effect. Reauthenticate: Schedules a reauthentication whenever the quiet-period of the port runs out (EAPOL-based authentication). The button only has effect for successfully authenticated clients on the port and will not cause the clients to get temporarily unauthorized. Reinitialize: Forces a reinitialization of the clients on the port and thereby a reauthentication immediately. The clients will transfer to the unauthorized state while the reauthentication is in progress.

-
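The RADIUS-Assigned VLAN and RADIUS-Assigned QoS entries above describe the exact attribute rules the switch applies to an Access-Accept. The following Python is an added example written for this page (not Welotec's firmware or any RADIUS library): it encodes a constructed Access-Accept attribute area, then selects the VLAN ID (RFC 2868 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID with matching Tag) and the QoS Class (RFC 4675 User-Priority-Table, first occurrence only, eight identical octets '0'..'7') following the criteria in the table. The attribute type codes are the RFC values; the helper names, the "first occurrence per Tag wins" choice and the handling of Tag octets above 0x1F as Tag 0 are this example's own assumptions.

```python
"""Selecting the RADIUS-assigned VLAN and QoS Class from an Access-Accept (added example)."""
from typing import Dict, List, Optional, Tuple

# Attribute type codes from RFC 2868 (tunnel attributes) and RFC 4675 (User-Priority-Table)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
USER_PRIORITY_TABLE = 59
TUNNEL_TYPE_VLAN = 13          # ordinal 13 = "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # ordinal 6  = "IEEE-802"


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RFC 2865 attribute: Type, Length (including the 2-octet header), Value."""
    return bytes([atype, len(value) + 2]) + value


def parse_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split the attribute area of a RADIUS packet into (type, value) pairs, in packet order."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def tagged_integer(value: bytes) -> Tuple[int, int]:
    """Tunnel-Type / Tunnel-Medium-Type: one Tag octet (0x01..0x1F, else Tag 0) + 3-octet integer."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be 4 octets")
    tag = value[0] if value[0] <= 0x1F else 0   # assumption: out-of-range tag octet treated as Tag 0
    return tag, int.from_bytes(value[1:], "big")


def tagged_string(value: bytes) -> Tuple[int, bytes]:
    """Tunnel-Private-Group-ID: a leading octet in 0x01..0x1F is the Tag; otherwise Tag 0 and no octet is consumed."""
    if value and 0x01 <= value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def radius_assigned_vlan(payload: bytes) -> Optional[int]:
    """Apply the table's VLAN criteria: same Tag, VLAN/IEEE-802, decimal group ID in [1; 4095]."""
    by_tag: Dict[int, Dict[int, object]] = {}      # tag -> {attribute type: first value seen}
    for atype, value in parse_attributes(payload):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, parsed = tagged_integer(value)
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, parsed = tagged_string(value)
        else:
            continue
        by_tag.setdefault(tag, {}).setdefault(atype, parsed)   # first occurrence per tag wins (assumption)
    for tag, found in by_tag.items():                          # tags in order of first appearance
        if len(found) != 3:
            continue                                           # all three attributes must share the Tag
        if found[TUNNEL_TYPE] != TUNNEL_TYPE_VLAN or found[TUNNEL_MEDIUM_TYPE] != TUNNEL_MEDIUM_IEEE_802:
            continue
        group = found[TUNNEL_PRIVATE_GROUP_ID]
        if not group or any(b < 0x30 or b > 0x39 for b in group):
            continue                                           # must be ASCII '0'..'9' only
        vid = int(group.decode("ascii"))                       # leading zeros are discarded
        if 1 <= vid <= 4095:
            return vid
    return None


def radius_assigned_qos(payload: bytes) -> Optional[int]:
    """Apply the table's QoS rule: first User-Priority-Table only; 8 identical octets in '0'..'7'."""
    for atype, value in parse_attributes(payload):
        if atype != USER_PRIORITY_TABLE:
            continue
        if len(value) == 8 and len(set(value)) == 1 and 0x30 <= value[0] <= 0x37:
            return value[0] - 0x30
        return None                                            # first occurrence invalid: no QoS Class
    return None


# Constructed Access-Accept attribute area (sample data, not a capture): VLAN 100 with Tag 1, QoS Class 5
SAMPLE_ACCESS_ACCEPT = (
    attr(TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    + attr(TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
    + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"0100")
    + attr(USER_PRIORITY_TABLE, b"55555555")
)

if __name__ == "__main__":
    print("VLAN:", radius_assigned_vlan(SAMPLE_ACCESS_ACCEPT),
          "QoS:", radius_assigned_qos(SAMPLE_ACCESS_ACCEPT))
```

Running the sample returns VLAN 100 and QoS Class 5. A Tunnel-Private-Group-ID of "4096" or a User-Priority-Table such as "01234567" yields None, which on the switch means the port stays on its administrator-configured VLAN and QoS Class, so a mis-built RADIUS policy silently falls back rather than assigning a wrong VLAN.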

Click Refresh button to refresh the page. Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.
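The Guest VLAN Operation text in the table above is a small state machine driven by EAPOL Timeout, Max. Reauth. Count and the per-link EAPOL history. The following Python model is an added example written for this page (not switch firmware): it reproduces that decision so the interaction of the settings can be checked before deployment. The model assumes that the first EAPOL Request Identity is sent on link up and that the caller invokes eapol_timeout() each time the EAPOL Timeout period elapses; the method names and the authentication_result() hook are this example's own.

```python
"""Model of the Guest VLAN entry/exit rules from the NAS table (added example, not switch firmware)."""


class GuestVlanPort:
    """One EAPOL-based port with Guest VLAN enabled globally and on the port."""

    def __init__(self, max_reauth_count=2, allow_if_eapol_seen=False,
                 guest_vlan_id=1, port_vlan_id=1):
        self.max_reauth_count = max_reauth_count        # Max. Reauth. Count
        self.allow_if_eapol_seen = allow_if_eapol_seen  # Allow Guest VLAN if EAPOL Seen
        self.guest_vlan_id = guest_vlan_id              # Guest VLAN ID
        self.configured_pvid = port_vlan_id             # administrator's Port VLAN ID
        self.pvid = port_vlan_id                        # effective Port VLAN ID
        self.link_is_up = False
        self.eapol_seen = False        # per-link history of received EAPOL frames
        self.request_identity_sent = 0 # EAPOL Request Identity frames sent without reply
        self.in_guest_vlan = False
        self.authenticating = False
        self.authorized = False

    def _send_request_identity(self):
        self.request_identity_sent += 1
        if self.request_identity_sent > self.max_reauth_count:
            # Transmissions exceeded Max. Reauth. Count with no EAPOL reply: consider Guest VLAN
            if self.allow_if_eapol_seen or not self.eapol_seen:
                self.in_guest_vlan = True
                self.pvid = self.guest_vlan_id
            # otherwise keep transmitting at the EAPOL Timeout rate

    def link_up(self):
        self.link_is_up = True
        self.request_identity_sent = 0
        self.authorized = False
        self._send_request_identity()   # assumption: first Request Identity goes out on link up

    def link_down(self):
        """Link down clears the EAPOL history (an Admin State change does the same)."""
        self.link_is_up = False
        self.eapol_seen = False
        self.in_guest_vlan = False
        self.authenticating = False
        self.authorized = False
        self.request_identity_sent = 0
        self.pvid = self.configured_pvid

    def eapol_timeout(self):
        """EAPOL Timeout expired without a reply: retransmit Request Identity if still waiting."""
        if not self.link_is_up or self.in_guest_vlan or self.authenticating or self.authorized:
            return
        self._send_request_identity()

    def eapol_received(self):
        """Any EAPOL frame takes the port out of the Guest VLAN and starts normal authentication."""
        if not self.link_is_up:
            return
        self.eapol_seen = True
        if self.in_guest_vlan:
            self.in_guest_vlan = False
            self.pvid = self.configured_pvid
        self.authenticating = True
        self.request_identity_sent = 0

    def authentication_result(self, success: bool):
        """Outcome of the supplicant exchange; on failure Request Identity transmissions resume."""
        self.authenticating = False
        self.authorized = success
```

With the factory default Max. Reauth. Count of 2, a port enters the Guest VLAN on the second EAPOL Timeout after link up if nothing answers. Once a supplicant has sent any EAPOL frame on that link, the port stays out of the Guest VLAN until the link is cycled unless Allow Guest VLAN if EAPOL Seen is checked, which is the setting to review when a failed 802.1X client is not meant to fall back to the limited-access VLAN.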

ACL

ACL is an acronym for Access Control List. It is a table of Access Control Entries (ACEs) that specify the individual users or groups permitted or denied access to specific traffic objects, such as a process or a program. Each accessible traffic object contains an identifier to its ACL. The privileges determine whether there are specific traffic object access rights. ACL implementations can be quite complex, for example, when the ACEs are prioritized for various situations. In networking, the ACL refers to a list of service ports or network services that are available on a host or server, each with a list of hosts or servers permitted or denied to use the service. ACLs can generally be configured to control inbound traffic, and in this context they are similar to firewalls. There are 3 web-pages associated with the manual ACL configuration: ACL Ports, ACL Rate Limiters, and ACL Access Control List. Figure 2.55 shows the list of ACL menus. The following subsections describe each ACL configuration.

Figure 2.55 Access Control List's Submenus

ACL Ports

The ACL Ports webpage is depicted in Figure 2.56. The ACL Ports configuration is used to assign a Policy ID to an ingress port. This is useful to group ports that should obey the same traffic rules. Traffic policies are created under the “Access Control List” page. You can also set up specific traffic properties (Action / Rate Limiter / Port copy, etc.) for each ingress port. These properties apply only if a frame passes through ACE (Access Control Entry) matching without matching any ACE; in that case, a counter associated with that port is incremented. Table 2.36 summarizes the description of each port property.

Figure 2.56 Webpage to Configure Network ACL Ports

Table 2.36 Descriptions of Network ACL Ports:

Label

Description

Factory Default

Port

The logical port for the settings contained in the same row.

Port ID from 1 to 11

Policy ID

Select the policy to apply to this port. The allowed values are 0 through 255. The default value is 0.

0

Action

Select whether forwarding is permitted (“Permit”) or denied (“Deny”). The default value is “Permit”.

Permit

Rate Limiter ID

Select which rate limiter to apply on this port. The allowed values are Disabled or the values 1 through 16. The default value is “Disabled”.

Disabled

Port Redirect

Select the port to which frames are redirected. The allowed values are Disabled or a specific port number; a port cannot be set when the Action is “Permit”. The default value is “Disabled”.

Disabled

Mirror

Specify the mirror operation of this port. The allowed values are: Enabled: Frames received on the port are mirrored. Disabled: Frames received on the port are not mirrored. The default value is “Disabled”.

Disabled

Logging

Specify the logging operation of this port. Notice that the logging message doesn’t include the 4-byte CRC. The allowed values are: Enabled: Frames received on the port are stored in the System Log. Disabled: Frames received on the port are not logged. The default value is “Disabled”. Note: The logging feature only works when the packet length is less than 1518 (without VLAN tags), and the System Log memory size and logging rate are limited.

Disabled

Shutdown

Specify the port shut down operation of this port. The allowed values are: Enabled: If a frame is received on the port, the port will be disabled. Disabled: Port shut down is disabled. The default value is “Disabled”. Note: The shutdown feature only works when the packet length is less than 1518 (without VLAN tags).

Disabled

State

Specify the port state of this port. The allowed values are: Enabled: To reopen ports by changing the volatile port configuration of the ACL user module. Disabled: To close ports by changing the volatile port configuration of the ACL user module. The default value is “Enabled”.

Disabled

Counter

Counts the number of frames that match this ACE.

0

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.

ACL Rate Limiters

The ACL Rate Limiters webpage is shown in Figure 2.57. On this page, users can configure the rate limiters. There can be 15 different rate limiters, each ranging from 1-1024K packets per second. Under the “Ports” and “Access Control List” web-pages you can assign a Rate Limiter ID to the ACE(s) or ingress port(s). Table 2.37 describes the labels of the ACL Rate Limiters configuration.

Figure 2.57 Webpage to Configure Network ACL Rate Limiters

Table 2.37 Descriptions of Network ACL Rate Limiters:

Label

Description

Factory Default

Rate Limiter ID

The rate limiter ID for the settings contained in the same row and its range is 1 to 16.

Limiter ID 1 to 16

Rate

The valid rate is 0 - 99, 100, 200, 300, …, 1092000 in pps or 0, 100, 200, 300, …, 1000000 in kbps

1

Unit

Specify the rate unit. The allowed values are: pps: packets per second. kbps: Kbits per second

pps

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.

ACL Access Control List

The ACL -> Access Control List webpage shows the ACEs in prioritized order, highest (top) to lowest (bottom). By default, the table is empty, as shown in Figure 2.58. When the user clicks the blue plus sign icon at the end of the table, a set of parameters is listed as three tables under the ACE Configuration webpage, as shown in Figure 2.59.

In Figure 2.58, users can select auto-refresh option by checking the Auto-refresh box to refresh the page automatically. Automatic refresh occurs every 3 seconds. Users can click Refresh button to refresh the page; any changes made locally will be undone. Users can click Clear button to clear the counters. Lastly, users can click Remove All button to remove all ACEs.

An ingress frame will only get a hit on one ACE even though there are more matching ACEs. The first matching ACE acts (permit/deny) on that frame, and a counter associated with that ACE is incremented. An ACE can be associated with a Policy, 1 ingress port, or any ingress port (the whole switch). If an ACE Policy is created, that Policy can be associated with a group of ports under the “Ports” web-page. There are a number of parameters that can be configured with an ACE. Table 2.38 provides additional information for each parameter used to configure the ACL. The maximum number of ACEs is 64.

Figure 2.58 Webpage to Configure Network ACL Access Control

Table 2.38 Summary of Label, Description, and Factory Default for ACL (Access Control List):

Label

Description

Factory Default

ACE Configuration

ACE

Indicates the ACE ID.

Disabled

Ingress Port

Indicates the ingress port of the ACE. Possible values are: All: The ACE will match all ingress ports. Port: The ACE will match a specific ingress port.

All

Policy/Bitmask

Indicates the policy number and bitmask of the ACE.

Any

Frame Type

Indicates the frame type of the ACE. Possible values are: Any: The ACE will match any frame type. EType: The ACE will match Ethernet Type frames. Note that an Ethernet Type based ACE will not get matched by IP and ARP frames. ARP: The ACE will match ARP/RARP frames. IPv4: The ACE will match all IPv4 frames. IPv4/ICMP: The ACE will match IPv4 frames with ICMP protocol. IPv4/UDP: The ACE will match IPv4 frames with UDP protocol. IPv4/TCP: The ACE will match IPv4 frames with TCP protocol. IPv4/Other: The ACE will match IPv4 frames, which are not ICMP/UDP/TCP. IPv6: The ACE will match all IPv6 standard frames.

Any

Action

Indicates the forwarding action of the ACE. Permit: Frames matching the ACE may be forwarded and learned. Deny: Frames matching the ACE are dropped. Filter: Frames matching the ACE are filtered.

Permit

Rate Limiter

Indicates the rate limiter number of the ACE. The allowed range is 1 to 16. When Disabled is displayed, the rate limiter operation is disabled.

Disabled

Port Redirect

Indicates the port redirect operation of the ACE. Frames matching the ACE are redirected to the port number. The allowed values are Disabled or a specific port number. When Disabled is displayed, the port redirect operation is disabled.

Disabled

Mirror

Specify the mirror operation of this port. Frames matching the ACE are mirrored to the destination mirror port. The allowed values are: Enabled: Frames received on the port are mirrored. Disabled: Frames received on the port are not mirrored. The default value is “Disabled”.

Disabled

Counter

The counter indicates the number of times the ACE was hit by a frame.

Disabled

Modification Buttons

You can modify each ACE (Access Control Entry) in the table using the following buttons: Plus sign (blue): Inserts a new ACE before the current row. Edit (e): Edits the ACE row. Move up: Moves the ACE up the list. Move down: Moves the ACE down the list. Delete: Deletes the ACE. Lowest plus sign (blue): Adds a new entry at the bottom of the ACE listings.

Disabled

After clicking on the plus sign to insert a new ACE (Access Control Entry), the user can configure the ACE on the webpage shown in Figure 2.59. An ACE consists of several parameters, which vary according to the frame type that you select. First select the ingress port for the ACE, and then select the frame type. Different parameter options are displayed depending on the frame type selected; that is, additional tables and parameters become available for configuration. A frame that hits this ACE matches the configuration defined here. Table 2.39 to Table 2.47 summarize the ACL configuration parameters for the different frame types.

Click Save button to save the setting. Click Reset button to change the setting back to factory default. Click Cancel button to keep the current setting.

Figure 2.59 Webpage to Configure Network ACL Access Control After Clicked + to add new entry

Table 2.39 Description of ACL Configuration:

Label

Description

Second Lookup

Specify the second lookup operation of the ACE.

Ingress Port

Select the ingress port for which this ACE applies. All: The ACE applies to all ports. Port n: The ACE applies to this port number, where n is the number of the switch port.

Policy Filter

Specify the policy number filter for this ACE. Any: No policy filter is specified (policy filter status is “don’t-care”). Specific: If you want to filter a specific policy with this ACE, choose this value. Two fields for entering a policy value and bitmask appear.

Policy Value

When “Specific” is selected for the policy filter, you can enter a specific policy value. The allowed range is 0 to 63.

Policy Bitmask

When “Specific” is selected for the policy filter, you can enter a specific policy bitmask. The allowed range is 0x0 to 0x3f. Notice the usage of the bitmask: if a binary bit value is “0”, it means this bit is “don’t-care”. The real matched pattern is [policy_value & policy_bitmask]. For example, if the policy value is 3 and the policy bitmask is 0x10 (bit 0 is the “don’t-care” bit), then policies 2 and 3 are applied to this rule.

Frame Type

Select the frame type for this ACE. These frame types are mutually exclusive. Any: Any frame can match this ACE. Ethernet Type: Only Ethernet Type frames can match this ACE. IEEE 802.3 specifies that the value of the Length/Type field must be greater than or equal to 1536 decimal (0600 hexadecimal), and the value should not be equal to 0x800 (IPv4), 0x806 (ARP) or 0x86DD (IPv6). ARP: Only ARP frames can match this ACE. Notice that ARP frames won’t match an ACE with the Ethernet Type frame type. IPv4: Only IPv4 frames can match this ACE. Notice that IPv4 frames won’t match an ACE with the Ethernet Type frame type. IPv6: Only IPv6 frames can match this ACE. Notice that IPv6 frames won’t match an ACE with the Ethernet Type frame type.

Action

Specify the action to take with a frame that hits this ACE. Permit: The frame that hits this ACE is granted permission for the ACE operation. Deny: The frame that hits this ACE is dropped. Filter: Frames matching the ACE are filtered.

Rate Limiter

Specify the rate limiter in number of base units. The allowed range is 1 to 16. Disabled indicates that the rate limiter operation is disabled.

Port Redirect

Frames that hit the ACE are redirected to the port number specified here. The rate limiter will affect these ports. The allowed range is the same as the switch port number range. Disabled indicates that the port redirect operation is disabled, and a specific port number for ‘Port Redirect’ can’t be set when the action is Permit.

Mirror

Specify the mirror operation of this port. Frames matching the ACE are mirrored to the destination mirror port. The rate limiter will not affect frames on the mirror port. The allowed values are: Enabled: Frames received on the port are mirrored. Disabled: Frames received on the port are not mirrored. The default value is “Disabled”.

Logging

Specify the logging operation of the ACE. Notice that the logging message doesn’t include the 4-byte CRC information. The allowed values are: Enabled: Frames matching the ACE are stored in the System Log. Disabled: Frames matching the ACE are not logged. Note: The logging feature only works when the packet length is less than 1518 (without VLAN tags), and the System Log memory size and logging rate are limited.

Shutdown

Specify the port shut down operation of the ACE. The allowed values are: Enabled: If a frame matches the ACE, the ingress port will be disabled. Disabled: Port shut down is disabled for the ACE. Note: The shutdown feature only works when the packet length is less than 1518 (without VLAN tags).

Counter

The counter indicates the number of times the ACE was hit by a frame.

Table 2.40 Description of ACL Configuration with MAC Parameters:

Label

Description

SMAC Filter

(Only displayed when the frame type is Ethernet Type or ARP.) Specify the source MAC filter for this ACE. Any: No SMAC filter is specified. (SMAC filter status is “don’t-care”.) Specific: If you want to filter a specific source MAC address with this ACE, choose this value. A field for entering a SMAC value appears.

SMAC Value

When “Specific” is selected for the SMAC filter, you can enter a specific source MAC address. The legal format is “xx-xx-xx-xx-xx-xx” or “xx.xx.xx.xx.xx.xx” or “xxxxxxxxxxxx” (x is a hexadecimal digit). A frame that hits this ACE matches this SMAC value.

DMAC Filter

Specify the destination MAC filter for this ACE. Any: No DMAC filter is specified. (DMAC filter status is “don’t-care”.) MC: Frame must be multicast. BC: Frame must be broadcast. UC: Frame must be unicast. Specific: If you want to filter a specific destination MAC address with this ACE, choose this value. A field for entering a DMAC value appears.

DMAC Value

When “Specific” is selected for the DMAC filter, you can enter a specific destination MAC address. The legal format is “xx-xx-xx-xx-xx-xx” or “xx.xx.xx.xx.xx.xx” or “xxxxxxxxxxxx” (x is a hexadecimal digit). A frame that hits this ACE matches this DMAC value.

Table 2.41 Description of ACL Configuration with VLAN Parameters

Label

Description

Factory Default

802.1Q Tagged

Specify whether frames can hit the action according to whether they carry an 802.1Q tag. The allowed values are: Any: Any value is allowed (“don’t-care”). Enabled: Tagged frames only. Disabled: Untagged frames only. The default value is “Any”.

Any

VLAN ID Filter

Specify the VLAN ID filter for this ACE. Any: No VLAN ID filter is specified. (VLAN ID filter status is “don’t-care”.) Specific: If you want to filter a specific VLAN ID with this ACE, choose this value. A field for entering a VLAN ID number appears.

Any

VLAN ID

When “Specific” is selected for the VLAN ID filter, you can enter a specific VLAN ID number. The allowed range is 1 to 4095. A frame that hits this ACE matches this VLAN ID value.

1

Tag Priority

Specify the tag priority for this ACE. A frame that hits this ACE matches this tag priority. The allowed number range is 0 to 7 or range 0-1, 2-3, 4-5, 6-7, 0-3 and 4-7. The value Any means that no tag priority is specified (tag priority is “don’t-care”.)

Any

Table 2.42 Description of ACL Configuration with ARP Parameters

Label

Description

Factory Default

ARP/RARP

Specify the available ARP/RARP opcode (OP) flag for this ACE. Any: No ARP/RARP OP flag is specified. (OP is “don’t-care”.) ARP: Frame must have ARP opcode set to ARP. RARP: Frame must have RARP opcode set to RARP. Other: Frame has unknown ARP/RARP Opcode flag.

Any

Request/Reply

Specify the available Request/Reply opcode (OP) flag for this ACE. Any: No Request/Reply OP flag is specified. (OP is “don’t-care”.) Request: Frame must have ARP Request or RARP Request OP flag set. Reply: Frame must have ARP Reply or RARP Reply OP flag.

Any

Sender IP Filter

Specify the sender IP filter for this ACE. Any: No sender IP filter is specified. (Sender IP filter is “don’t-care”.) Host: Sender IP filter is set to Host. Specify the sender IP address in the SIP Address field that appears. Network: Sender IP filter is set to Network. Specify the sender IP address and sender IP mask in the SIP Address and SIP Mask fields that appear.

Any

Sender IP Address

When “Host” or “Network” is selected for the sender IP filter, you can enter a specific sender IP address in dotted decimal notation. Note that an invalid IP address configuration, for example 0.0.0.0, is also accepted. Normally, an ACE with an invalid IP address is configured with an explicit Deny action.

-

Sender IP Mask

When “Network” is selected for the sender IP filter, you can enter a specific sender IP mask in dotted decimal notation.

-

Target IP Filter

Specify the target IP filter for this ACE. Any: No target IP filter is specified. (Target IP filter is “don’t-care”.) Host: Target IP filter is set to Host. Specify the target IP address in the SIP Address field that appears. Network: Target IP filter is set to Network. Specify the target IP address and target IP mask in the SIP Address and SIP Mask fields that appear.

Any

Target IP Address

When “Host” or “Network” is selected for the target IP filter, you can enter a specific target IP address in dotted decimal notation. Note that an invalid IP address configuration, for example 0.0.0.0, is also accepted. Normally, an ACE with an invalid IP address is configured with an explicit Deny action.

-

Target IP Mask

When “Network” is selected for the target IP filter, you can enter a specific target IP mask in dotted decimal notation.

-

ARP Sender MAC Match

Specify whether frames can hit the action according to their sender hardware address field (SHA) settings. 0: ARP frames where SHA is not equal to the SMAC address. 1: ARP frames where SHA is equal to the SMAC address. Any: Any value is allowed (“don’t-care”).

Any

RARP Target MAC Match

Specify whether frames can hit the action according to their target hardware address field (THA) settings. 0: RARP frames where THA is not equal to the target MAC address. 1: RARP frames where THA is equal to the target MAC address. Any: Any value is allowed (“don’t-care”).

Any

IP/Ethernet Length

Specify whether frames can hit the action according to their ARP/RARP hardware address length (HLN) and protocol address length (PLN) settings. 0: ARP/RARP frames where the HLN is not equal to Ethernet (0x06) or the (PLN) is not equal to IPv4 (0x04). 1: ARP/RARP frames where the HLN is equal to Ethernet (0x06) and the (PLN) is equal to IPv4 (0x04). Any: Any value is allowed (“don’t-care”).

Any

IP

Specify whether frames can hit the action according to their ARP/RARP hardware address space (HRD) settings. 0: ARP/RARP frames where the HRD is not equal to Ethernet (1). 1: ARP/RARP frames where the HRD is equal to Ethernet (1). Any: Any value is allowed (“don’t-care”).

Any

Ethernet

Specify whether frames can hit the action according to their ARP/RARP protocol address space (PRO) settings. 0: ARP/RARP frames where the PRO is not equal to IP (0x800). 1: ARP/RARP frames where the PRO is equal to IP (0x800). Any: Any value is allowed (“don’t-care”).

Any

Table 2.43 Description of ACL Configuration with IPv4 Parameters:

Label

Description

Factory Default

IP Protocol Value

When “Specific” is selected for the IP protocol value, you can enter a specific value. The allowed range is 0 to 255. A frame that hits this ACE matches this IP protocol value.

-

IP TTL

Specify the Time-to-Live settings for this ACE. zero: IPv4 frames with a Time-to-Live field greater than zero must not be able to match this entry. non-zero: IPv4 frames with a Time-to-Live field greater than zero must be able to match this entry. Any: Any value is allowed (“don’t-care”).

Any

IP Fragment

Specify the fragment offset settings for this ACE. This involves the settings for the More Fragments (MF) bit and the Fragment Offset (FRAG OFFSET) field for an IPv4 frame. No: IPv4 frames where the MF bit is set or the FRAG OFFSET field is greater than zero must not be able to match this entry. Yes: IPv4 frames where the MF bit is set or the FRAG OFFSET field is greater than zero must be able to match this entry. Any: Any value is allowed (“don’t-care”).

Any

IP Option

Specify the options flag setting for this ACE. No: IPv4 frames where the options flag is set must not be able to match this entry. Yes: IPv4 frames where the options flag is set must be able to match this entry. Any: Any value is allowed (“don’t-care”).

Any

SIP Filter

Specify the source IP filter for this ACE. Any: No source IP filter is specified. (Source IP filter is “don’t-care”.) Host: Source IP filter is set to Host. Specify the source IP address in the SIP Address field that appears. Network: Source IP filter is set to Network. Specify the source IP address and source IP mask in the SIP Address and SIP Mask fields that appear.

Any

SIP Address

When “Host” or “Network” is selected for the source IP filter, you can enter a specific SIP address in dotted decimal notation. Note that an invalid IP address configuration, for example 0.0.0.0, is also accepted. Normally, an ACE with an invalid IP address is configured with an explicit Deny action.

-

SIP Mask

When “Network” is selected for the source IP filter, you can enter a specific SIP mask in dotted decimal notation.

-

DIP Filter

Specify the destination IP filter for this ACE. Any: No destination IP filter is specified. (Destination IP filter is “don’t-care”.) Host: Destination IP filter is set to Host. Specify the destination IP address in the DIP Address field that appears. Network: Destination IP filter is set to Network. Specify the destination IP address and destination IP mask in the DIP Address and DIP Mask fields that appear.

Any

DIP Address

When “Host” or “Network” is selected for the destination IP filter, you can enter a specific DIP address in dotted decimal notation. Note that an invalid IP address configuration, for example 0.0.0.0, is also accepted. Normally, an ACE with an invalid IP address is configured with an explicit Deny action.

-

DIP Mask

When “Network” is selected for the destination IP filter, you can enter a specific DIP mask in dotted decimal notation.

-

Table 2.44 Description of ACL Configuration with IPv6 Parameters

Next Header Filter

Specify the IPv6 next header filter for this ACE. Any: No IPv6 next header filter is specified (“don’t-care”). Specific: If you want to filter a specific IPv6 next header value with this ACE, choose this value. A field for entering an IPv6 next header value appears. ICMP: Select ICMP to filter IPv6 ICMP protocol frames. Extra fields for defining ICMP parameters will appear; these fields are explained in the ICMP parameter table below. UDP: Select UDP to filter IPv6 UDP protocol frames. Extra fields for defining UDP parameters will appear; these fields are explained in the TCP/UDP parameter table below. TCP: Select TCP to filter IPv6 TCP protocol frames. Extra fields for defining TCP parameters will appear; these fields are explained in the TCP/UDP parameter table below.

Any

Next Header Value

When “Specific” is selected for the IPv6 next header value, you can enter a specific value. The allowed range is 0 to 255. A frame that hits this ACE matches this IPv6 protocol value.

-

SIP Filter

Specify the source IPv6 filter for this ACE. Any: No source IPv6 filter is specified. (Source IPv6 filter is “don’t-care”.) Specific: Source IPv6 filter is set to Network. Specify the source IPv6 address and source IPv6 mask in the SIP Address fields that appear.

Any

SIP Address

When “Specific” is selected for the source IPv6 filter, you can enter a specific SIPv6 address. The field only supports the last 32 bits of the IPv6 address.

-

SIP BitMask

When “Specific” is selected for the source IPv6 filter, you can enter a specific SIPv6 mask. The field only supports the last 32 bits of the IPv6 address. Note the meaning of the bitmask: if a binary bit value is “0”, that bit is “don’t-care”. The actual matched pattern is [sipv6_address & sipv6_bitmask] (last 32 bits). For example, if the SIPv6 address is 2001::3 and the SIPv6 bitmask is 0xFFFFFFFE (bit 0 is the “don’t-care” bit), then both SIPv6 addresses 2001::2 and 2001::3 match this rule.

-

Hop Limit

Specify the hop limit settings for this ACE. zero: IPv6 frames with a hop limit field greater than zero must not be able to match this entry. non-zero: IPv6 frames with a hop limit field greater than zero must be able to match this entry. Any: Any value is allowed (“don’t-care”).

Any

Table 2.45 Description of ACL Configuration with ICMP Parameters

Label

Description

Factory Default

ICMP Type Filter

Specify the ICMP filter for this ACE. Any: No ICMP filter is specified (ICMP filter status is “don’t-care”). Specific: If you want to filter a specific ICMP filter with this ACE, you can enter a specific ICMP value. A field for entering an ICMP value appears.

Any

ICMP Type Value

When “Specific” is selected for the ICMP filter, you can enter a specific ICMP value. The allowed range is 0 to 255. A frame that hits this ACE matches this ICMP value.

-

ICMP Code Filter

Specify the ICMP code filter for this ACE. Any: No ICMP code filter is specified (ICMP code filter status is “don’t-care”). Specific: If you want to filter a specific ICMP code filter with this ACE, you can enter a specific ICMP code value. A field for entering an ICMP code value appears.

Any

ICMP Code Value

When “Specific” is selected for the ICMP code filter, you can enter a specific ICMP code value. The allowed range is 0 to 255. A frame that hits this ACE matches this ICMP code value.

-

Table 2.46 Description of ACL Configuration with TCP/UDP Parameters

Label

Description

Factory Default

TCP/UDP Source Filter

Specify the TCP/UDP source filter for this ACE. Any: No TCP/UDP source filter is specified (TCP/UDP source filter status is “don’t-care”). Specific: If you want to filter a specific TCP/UDP source value with this ACE, choose this value. A field for entering a TCP/UDP source value appears. Range: If you want to filter a range of TCP/UDP source values with this ACE, choose this value. Fields for entering the TCP/UDP source range appear.

Any

TCP/UDP Source No.

When “Specific” is selected for the TCP/UDP source filter, you can enter a specific TCP/UDP source value. The allowed range is 0 to 65535. A frame that hits this ACE matches this TCP/UDP source value.

-

TCP/UDP Source Range

When “Range” is selected for the TCP/UDP source filter, you can enter a specific TCP/UDP source range value. The allowed range is 0 to 65535. A frame that hits this ACE matches this TCP/UDP source value.

-

TCP/UDP Destination Filter

Specify the TCP/UDP destination filter for this ACE. Any: No TCP/UDP destination filter is specified (TCP/UDP destination filter status is “don’t-care”). Specific: If you want to filter a specific TCP/UDP destination value with this ACE, choose this value. A field for entering a TCP/UDP destination value appears. Range: If you want to filter a range of TCP/UDP destination values with this ACE, choose this value. Fields for entering the TCP/UDP destination range appear.

Any

TCP/UDP Destination Number

When “Specific” is selected for the TCP/UDP destination filter, you can enter a specific TCP/UDP destination value. The allowed range is 0 to 65535. A frame that hits this ACE matches this TCP/UDP destination value.

-

TCP/UDP Destination Range

When “Range” is selected for the TCP/UDP destination filter, you can enter a specific TCP/UDP destination range value. The allowed range is 0 to 65535. A frame that hits this ACE matches this TCP/UDP destination value.

-

TCP FIN

Specify the TCP “No more data from sender” (FIN) value for this ACE. 0: TCP frames where the FIN field is set must not be able to match this entry. 1: TCP frames where the FIN field is set must be able to match this entry. Any: Any value is allowed (“don’t-care”).

Any

TCP SYN

Specify the TCP “Synchronize sequence numbers” (SYN) value for this ACE. 0: TCP frames where the SYN field is set must not be able to match this entry. 1: TCP frames where the SYN field is set must be able to match this entry. Any: Any value is allowed (“don’t-care”).

Any

TCP RST

Specify the TCP “Reset the connection” (RST) value for this ACE. 0: TCP frames where the RST field is set must not be able to match this entry. 1: TCP frames where the RST field is set must be able to match this entry. Any: Any value is allowed (“don’t-care”).

Any

TCP PSH

Specify the TCP “Push Function” (PSH) value for this ACE. 0: TCP frames where the PSH field is set must not be able to match this entry. 1: TCP frames where the PSH field is set must be able to match this entry. Any: Any value is allowed (“don’t-care”).

Any

TCP ACK

Specify the TCP “Acknowledgment field significant” (ACK) value for this ACE. 0: TCP frames where the ACK field is set must not be able to match this entry. 1: TCP frames where the ACK field is set must be able to match this entry. Any: Any value is allowed (“don’t-care”).

Any

TCP URG

Specify the TCP “Urgent Pointer field significant” (URG) value for this ACE. 0: TCP frames where the URG field is set must not be able to match this entry. 1: TCP frames where the URG field is set must be able to match this entry. Any: Any value is allowed (“don’t-care”).

Any

Table 2.47 Description of ACL Configuration with Ethernet Type Parameters:

Label

Description

Factory Default

EtherType Filter

Specify the Ethernet type filter for this ACE. Any: No EtherType filter is specified (EtherType filter status is “don’t-care”). Specific: If you want to filter a specific EtherType filter with this ACE, you can enter a specific EtherType value. A field for entering an EtherType value appears.

-

Ethernet Type Value

When “Specific” is selected for the EtherType filter, you can enter a specific EtherType value. The allowed range is 0x600 to 0xFFFF but excluding 0x800(IPv4), 0x806(ARP) and 0x86DD(IPv6). A frame that hits this ACE matches this EtherType value.

-
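The following Python model is an added illustration of how the ACE fields in Tables 2.43, 2.44 and 2.46 combine into a match decision; it is not the switch’s firmware or any code from this manual. It models only a subset of the fields (IPv4 SIP/DIP with mask, the IPv6 last-32-bit SIP BitMask, protocol, destination port range, TCP SYN) and assumes first-hit evaluation with a default of Permit when no ACE hits, which this manual does not state; the ACL and frames are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = None  # the "Any" / "don't-care" choice in the ACE web form


@dataclass
class Ace:
    """A small model of one ACE built from the fields in Tables 2.43, 2.44 and 2.46."""
    frame_type: str                              # "IPv4" or "IPv6"
    action: str = "Permit"                       # "Permit" or "Deny"
    sip: Optional[Tuple[str, str]] = ANY         # IPv4 SIP Address + SIP Mask; Host = mask 255.255.255.255
    dip: Optional[Tuple[str, str]] = ANY         # IPv4 DIP Address + DIP Mask
    sipv6: Optional[Tuple[str, int]] = ANY       # IPv6 SIP Address + 32-bit SIP BitMask (last 32 bits only)
    protocol: Optional[int] = ANY                # IP Protocol Value / Next Header Value, 0-255
    dport: Optional[Tuple[int, int]] = ANY       # TCP/UDP Destination Range (lo, hi); Specific = (n, n)
    tcp_syn: Optional[int] = ANY                 # TCP SYN: 0 = SYN must be clear, 1 = SYN must be set


def ipv4_match(addr: str, filt: Optional[Tuple[str, str]]) -> bool:
    """Host/Network filter: frame address and SIP/DIP Address must agree under the mask."""
    if filt is ANY:
        return True
    mask = int(ipaddress.IPv4Address(filt[1]))
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(ipaddress.IPv4Address(filt[0])) & mask)


def ipv6_last32_match(addr: str, filt: Optional[Tuple[str, int]]) -> bool:
    """IPv6 filter as described under SIP BitMask: only the last 32 bits are compared,
    and a 0 bit in the bitmask is a don't-care bit."""
    if filt is ANY:
        return True
    low32 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFF
    ref32 = int(ipaddress.IPv6Address(filt[0])) & 0xFFFFFFFF
    return (low32 & filt[1]) == (ref32 & filt[1])


def ace_hits(ace: Ace, frame: dict) -> bool:
    """True when every configured (non-Any) field of the ACE matches the frame."""
    if frame["type"] != ace.frame_type:
        return False
    if ace.frame_type == "IPv4":
        if not (ipv4_match(frame["sip"], ace.sip) and ipv4_match(frame["dip"], ace.dip)):
            return False
    elif not ipv6_last32_match(frame["sip"], ace.sipv6):
        return False
    if ace.protocol is not ANY and frame.get("proto") != ace.protocol:
        return False
    if ace.dport is not ANY and not (ace.dport[0] <= frame.get("dport", -1) <= ace.dport[1]):
        return False
    if ace.tcp_syn is not ANY:
        # "1": frames with SYN set match; "0": frames with SYN set must not match
        if frame.get("proto") != 6 or int(bool(frame.get("syn"))) != ace.tcp_syn:
            return False
    return True


def acl_action(acl, frame: dict) -> str:
    """First-hit evaluation. Assumption (not stated in this manual): a frame that hits
    no ACE is forwarded, i.e. the default is Permit."""
    for ace in acl:
        if ace_hits(ace, frame):
            return ace.action
    return "Permit"


# Constructed sample ACL: permit SSH to the switch only from one management host, deny
# SSH/Telnet from everyone else, an explicit Deny for the "invalid" source 0.0.0.0 as the
# manual suggests, and the manual's IPv6 example (2001::3 with bitmask 0xFFFFFFFE).
MGMT_ACL = [
    Ace("IPv4", "Permit", sip=("192.168.2.10", "255.255.255.255"), protocol=6, dport=(22, 22)),
    Ace("IPv4", "Deny", protocol=6, dport=(22, 23)),
    Ace("IPv4", "Deny", sip=("0.0.0.0", "255.255.255.255")),
    Ace("IPv6", "Deny", sipv6=("2001::3", 0xFFFFFFFE)),
]

# Constructed frames carrying only the fields the model inspects.
SSH_FROM_MGMT = {"type": "IPv4", "sip": "192.168.2.10", "dip": "192.168.2.1", "proto": 6, "dport": 22, "syn": True}
SSH_FROM_OTHER = {"type": "IPv4", "sip": "10.0.50.7", "dip": "192.168.2.1", "proto": 6, "dport": 22, "syn": True}
HTTPS_FROM_OTHER = {"type": "IPv4", "sip": "10.0.50.7", "dip": "192.168.2.1", "proto": 6, "dport": 443, "syn": True}
ZERO_SOURCE = {"type": "IPv4", "sip": "0.0.0.0", "dip": "255.255.255.255", "proto": 17, "dport": 67}
V6_NEIGHBOUR = {"type": "IPv6", "sip": "2001::2", "dip": "2001::1", "proto": 58}
V6_OTHER = {"type": "IPv6", "sip": "2001::4", "dip": "2001::1", "proto": 58}

if __name__ == "__main__":
    for name, frame in [("ssh from mgmt", SSH_FROM_MGMT), ("ssh from other", SSH_FROM_OTHER),
                        ("https from other", HTTPS_FROM_OTHER), ("0.0.0.0 source", ZERO_SOURCE),
                        ("2001::2", V6_NEIGHBOUR), ("2001::4", V6_OTHER)]:
        print(f"{name:18s} -> {acl_action(MGMT_ACL, frame)}")
```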

IP Source Guard

IP Source Guard is a security feature used to restrict IP traffic on DHCP snooping untrusted ports by filtering traffic based on the DHCP Snooping Table or manually configured IP Source Bindings. It helps prevent IP spoofing attacks in which a host tries to use the IP address of another host. This prevents a malicious host from impersonating a legitimate host by assuming the legitimate host’s IP address.

IP Source Guard Configuration

The IP Source Guard Configuration webpage is shown in Figure 2.60. For each port, select the option for Mode and Max Dynamic Clients under the Port Mode Configuration table. Table 2.48 describes the options under IP Source Guard Configuration.

Figure 2.60 Webpage to IP Source Guard Configuration

Table 2.48 Descriptions of Network IP Source Guard Configuration:

Label

Description

Factory Default

IP Source Guard Configuration

Mode

Enable the Global IP Source Guard or disable the Global IP Source Guard. All configured ACEs will be lost when the mode is enabled.

Disabled

Port Mode Configuration

Mode

Specify on which ports IP Source Guard is enabled. IP Source Guard is active on a given port only when both the Global Mode and the Port Mode of that port are enabled.

Disabled

Max Dynamic Clients

Specify the maximum number of dynamic clients that can be learned on a given port. This value can be 0, 1, 2 or unlimited. If the port mode is enabled and the maximum number of dynamic clients is 0, only IP packets that match static entries are forwarded on that port.

Unlimited

Click the Save button to save changes. Click the Reset button to undo any changes made locally and revert to previously saved values. Click the Translate dynamic to static button to translate all dynamic entries to static entries.

IP Source Guard Static Table

The user can configure static IP Source Guard rules in this webpage. The user can add a new entry to the IP Source Guard table as shown in Figure 2.61. The maximum number of rules is 112 on the switch. Table 2.49 summarizes the column labels of the Static IP Source Guard Table.

Figure 2.61 Webpage to Configure Network IP Source Guard Static Table

Table 2.49 Descriptions of Network IP Source Guard Static

Label

Description

Factory Default

Delete

Click entry Delete button to delete the entry. It will be deleted during the next save.

Port

The logical port for the settings.

1

VLAN ID

The VLAN Id for the entry.

Null

IP Address

Allowed Source IP address.

Null

MAC Address

Allowed Source MAC address.

Null

Click Add New Entry button to add a new entry to the Static IP Source Guard table. Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.

ARP Inspection

ARP Inspection is a security feature. Several types of attacks can be launched against hosts or devices connected to Layer 2 networks by “poisoning” their ARP caches. For example, a man-in-the-middle attack occurs when a malicious node intercepts packets intended for other nodes by poisoning the ARP caches of its unsuspecting neighbours. To create the attack, the malicious node sends ARP requests or responses mapping another node’s IP address to its own MAC address. This feature is used to block such attacks: only valid ARP requests and responses can go through the switch. Figure 2.62 shows the list of submenus under Security > Network > ARP Inspection. It contains Port Configuration, VLAN Configuration, Static Table and Dynamic Table.

Figure 2.62 ARP Inspection Menu

Port Configuration

To configure ARP Inspection for port(s) on the managed switch, the users can use the webpage shown in Figure 2.63. First, enable the ARP Inspection by selecting the Mode option. Then, configure the Mode, Check VLAN and Log Type for each port in the table below. Table 2.50 summarizes the descriptions of column labels of Port Mode Configuration.

Figure 2.63 Webpage to Configure Network ARP Inspection Port

Table 2.50 Descriptions of ARP Inspection Port Configuration:

Label

Description

Factory Default

ARP Inspection Configuration

Mode

Enable the Global ARP Inspection or disable the Global ARP Inspection.

Disabled

Port Mode Configuration

Port

Port Number

-

Mode

Specify on which ports ARP Inspection is enabled. ARP Inspection is active on a given port only when both the Global Mode and the Port Mode of that port are enabled. Possible modes are: Enabled: Enable ARP Inspection operation. Disabled: Disable ARP Inspection operation.

Disabled

Check VLAN

If you want to inspect the VLAN configuration, you have to enable the “Check VLAN” setting. The default setting of “Check VLAN” is disabled. When “Check VLAN” is disabled, the log type of ARP Inspection refers to the port setting. When “Check VLAN” is enabled, the log type of ARP Inspection refers to the VLAN setting. Possible settings of “Check VLAN” are: Enabled: Enable the check VLAN operation. Disabled: Disable the check VLAN operation.

Disabled

Log Type

Only when both the Global Mode and the Port Mode on a given port are enabled, and the “Check VLAN” setting is disabled, does the log type of ARP Inspection refer to the port setting. There are four log types: None: Log nothing. Deny: Log denied entries. Permit: Log permitted entries. ALL: Log all entries.

None

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values. Click Translate dynamic to static button to translate all dynamic entries to static entries.

VLAN Configuration

Figure 2.64 illustrates the ARP Inspection VLAN Configuration webpage. Each page can show up to 9999 entries from the VLAN table, default being 20. The user can change the number of visible entries through the “entries per page” input field. When first visited, the web page will show the first 20 entries from the beginning of the VLAN Table. The first displayed will be the one with the lowest VLAN ID found in the VLAN Table. The “VLAN” input fields allow the user to select the starting point in the VLAN Table.

Clicking the refresh button will update the displayed table starting from that or the closest next VLAN Table match. The right arrow button will use the next entry of the currently displayed VLAN entry as a basis for the next lookup. When the end is reached, a warning message is shown in the displayed table. Use the left arrow button to start over. Table 2.51 summarizes the column labels of the ARP Inspection VLAN table.

Figure 2.64 Webpage to Configure Network ARP Inspection VLAN

Table 2.51 Descriptions of ARP Inspection VLAN Table:

Label

Description

Factory Default

Delete

Click entry Delete button to delete the entry.

-

VLAN ID

Specify on which VLANs ARP Inspection is enabled. First, you have to enable the port setting on the Port Mode Configuration webpage (previous subsection); ARP Inspection is active on a given port only when both the Global Mode and the Port Mode of that port are enabled. Second, you can specify which VLAN will be inspected on the VLAN Mode Configuration webpage.

-

Log Type

The log type also can be configured on per VLAN setting. Possible types are: None: Log nothing. Deny: Log denied entries. Permit: Log permitted entries. ALL: Log all entries.

None

Click Add New Entry button to add a new entry to the ARP Inspection VLAN Table. Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.

Static Table

To configure Static ARP Inspection for port(s) on the managed switch, the users can use the webpage shown in Figure 2.65. After clicking the Add New Entry button, select the Port number from the drop-down list. Then, enter the VLAN ID, MAC Address and IP Address for each port to have static ARP Inspection. Table 2.52 summarizes the descriptions of column labels of the Static ARP Inspection Table.

Figure 2.65 Webpage to Configure Network ARP Inspection Static Table

Table 2.52 Descriptions of Static ARP Inspection Table:

Label

Description

Factory Default

Delete

Check to delete the entry. It will be deleted during the next save.

-

Port

The logical port for the settings.

1

VLAN ID

The VLAN ID for the settings.

Null

MAC Address

Allowed Source MAC address in ARP request packets.

Null

IP Address

Allowed Source IP address in ARP request packets.

Null

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.

Dynamic Table

To view Dynamic ARP Inspection for port(s) on the managed switch, the users can use the webpage shown in Figure 2.66. Entries in the Dynamic ARP Inspection Table are shown on this page. The Dynamic ARP Inspection Table contains up to 256 entries, and is sorted first by port, then by VLAN ID, then by MAC address, and then by IP address. All dynamic entries are learned from DHCP Snooping. Table 2.53 summarizes the descriptions of column labels of the Dynamic ARP Inspection Table. Each webpage can show up to 99 entries from the Dynamic ARP Inspection table. The default maximum entries per page is 20. This can be selected through the “entries per page” input field. When first visited, the web page will show the first 20 entries from the beginning of the Dynamic ARP Inspection Table.

The “Start from port address”, “VLAN”, “MAC address” and “IP address” input fields allow the user to select the starting point in the Dynamic ARP Inspection Table. Clicking the Refresh button will update the displayed table starting from that or the closest next Dynamic ARP Inspection Table match. In addition, the two input fields will - upon a Refresh button click - assume the value of the first displayed entry, allowing for continuous refresh with the same start address. The >> button will use the last entry of the currently displayed table as a basis for the next lookup. When the end is reached the text “No more entries” is shown in the displayed table. Use the |<< button to start over.

Figure 2.66 Webpage to Configure Network ARP Inspection Dynamic Table

Table 2.53 Descriptions of ARP Inspection Dynamic Table:

Label

Description

Factory Default

Port

Switch Port Number for which the entries are displayed.

Port1

VLAN ID

VLAN-ID in which the ARP traffic is permitted.

1

MAC Address

User MAC address of the entry.

00-00-00-00-00-00

IP Address

User IP address of the entry.

0.0.0.0

Translate to static

Select the checkbox to translate the entry to static entry.

-

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.
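As an added illustration of the ARP Inspection behaviour described in Tables 2.50 to 2.52 (not the switch’s own code or anything from this manual), the following Python model parses a constructed ARP frame, checks the sender MAC/IP against a static binding table and logs according to the port or VLAN Log Type. It assumes that, with Check VLAN enabled, only VLANs present in the VLAN table are inspected; the binding table, port settings and frames are constructed samples.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Binding = Tuple[int, int, str, str]   # (port, VLAN ID, MAC address, IP address) as in Table 2.52


@dataclass
class PortConfig:
    mode: bool = False          # Port Mode Configuration: Mode (Table 2.50)
    check_vlan: bool = False    # Check VLAN
    log_type: str = "None"      # None / Deny / Permit / ALL


@dataclass
class ArpInspection:
    global_mode: bool = False
    ports: Dict[int, PortConfig] = field(default_factory=dict)
    vlans: Dict[int, str] = field(default_factory=dict)        # VLAN ID -> Log Type (Table 2.51)
    static: Set[Binding] = field(default_factory=set)          # Static Table entries (Table 2.52)
    log: List[str] = field(default_factory=list)               # constructed stand-in for the System Log

    def inspect(self, port: int, vlan: int, frame: bytes) -> str:
        """Return 'Permit', 'Deny' or 'Not inspected' for one ARP frame arriving on (port, vlan)."""
        cfg = self.ports.get(port, PortConfig())
        if not (self.global_mode and cfg.mode):
            return "Not inspected"           # both Global Mode and Port Mode must be enabled
        if cfg.check_vlan:
            # Assumption: with Check VLAN enabled only VLANs listed in the VLAN table are
            # inspected, and the log type is taken from that VLAN entry.
            if vlan not in self.vlans:
                return "Not inspected"
            log_type = self.vlans[vlan]
        else:
            log_type = cfg.log_type          # log type is taken from the port setting
        mac, ip = arp_sender(frame)
        verdict = "Permit" if (port, vlan, mac, ip) in self.static else "Deny"
        if log_type == "ALL" or log_type == verdict:
            self.log.append(f"ARP {verdict}: port {port} vlan {vlan} sender {mac} {ip}")
        return verdict


def arp_sender(frame: bytes) -> Tuple[str, str]:
    """Extract the sender hardware/protocol address (SHA/SPA) from an untagged Ethernet ARP frame."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    hrd, pro, hln, pln, _op = struct.unpack("!HHBBH", frame[14:22])
    if (hrd, pro, hln, pln) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa = frame[22:28], frame[28:32]
    return "-".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa)


def build_arp(sha: str, spa: str, tpa: str, op: int = 1) -> bytes:
    """Constructed sample frame: broadcast Ethernet header + ARP body (op 1 = request, 2 = reply)."""
    mac = bytes(int(x, 16) for x in sha.split("-"))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return (b"\xff" * 6 + mac + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac + ip(spa) + b"\x00" * 6 + ip(tpa))


def demo() -> ArpInspection:
    """Constructed configuration: inspection on port 1 with Deny logging, port 2 not inspected,
    one static binding for the host on port 1 / VLAN 10."""
    dai = ArpInspection(global_mode=True)
    dai.ports[1] = PortConfig(mode=True, log_type="Deny")
    dai.ports[2] = PortConfig(mode=False)
    dai.static.add((1, 10, "00-11-22-33-44-55", "192.168.2.10"))
    return dai


if __name__ == "__main__":
    dai = demo()
    legit = build_arp("00-11-22-33-44-55", "192.168.2.10", "192.168.2.1")
    bogus = build_arp("00-11-22-33-44-55", "192.168.2.1", "192.168.2.10", op=2)  # claims the gateway IP
    print(dai.inspect(1, 10, legit), dai.inspect(1, 10, bogus), dai.inspect(2, 10, bogus))
    print(dai.log)
```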

AAA

The authentication, authorization, and accounting (AAA) features allow you to verify the identity of, grant access to, and track the actions of users managing RSAES switches. The RSAES switches support the Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) protocols. Based on the user ID and password combination that users provide, the RSAES switches perform local authentication or authorization using the local database, or remote authentication or authorization using one or more AAA servers. A preshared secret key provides security for communication between the switch and AAA servers. You can configure a common secret key for all AAA servers or for only a specific AAA server.

AAA security provides the following services:

  • Authentication—Identifies users, including login and password dialog, challenge and response, messaging support, and encryption depending on the security protocol that you select. Authentication is the process of verifying the identity of the person or device accessing the RSAES switches. This process is based on the user ID and password combination provided by the entity trying to access the switch. The RSAES switches allow users to perform local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).

  • Authorization—Provides access control. AAA authorization is the process of assembling a set of attributes that describe what the user is authorized to perform. Authorization in RSAES switches is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user.

  • Accounting—Provides the method for collecting information, logging the information locally, and sending the information to the AAA server for billing, auditing, and reporting. The accounting feature tracks and maintains a log of every management session used to access RSAES switches. You can use this information to generate reports for troubleshooting and auditing purposes. You can store accounting logs locally or send them to remote AAA servers.

AAA provides increased flexibility and control over access configuration, scalability, standardized authentication methods such as RADIUS and TACACS+, and support for multiple backup servers.


RADIUS

RADIUS (Remote Authentication Dial In User Service) is an access server protocol that uses the authentication, authorization, and accounting (AAA) model for authentication and authorization. It is a distributed security system that secures remote access to networks and network services against unauthorized access. The RADIUS specification is described in RFC 2865, which obsoletes RFC 2138. Figure 2.67 shows the RADIUS Server Configuration webpage, which allows the users to configure up to 5 RADIUS servers. It is divided into two parts: Global Configuration and Server Configuration. Table 2.54 summarizes the parameters for the RADIUS Server Configuration.

Figure 2.67 Webpage to Configure AAA RADIUS

Table 2.54 Descriptions of AAA RADIUS:

| Label | Description | Factory Default |
| --- | --- | --- |
| Global Configuration | | |
| Timeout | Timeout is the number of seconds, in the range 1 to 1000, to wait for a reply from a RADIUS server before retransmitting the request. | 5 |
| Retransmit | Retransmit is the number of times, in the range 1 to 1000, a RADIUS request is retransmitted to a server that is not responding. If the server has not responded after the last retransmit, it is considered to be dead. | 3 |
| Deadtime | Deadtime, which can be set to a number between 0 and 1440 minutes, is the period during which the switch will not send new requests to a server that has failed to respond to a previous request. This stops the switch from continually trying to contact a server that it has already determined to be dead. Setting the Deadtime to a value greater than 0 (zero) enables this feature, but only if more than one server has been configured. | 0 |
| Change Secret Key | Specify whether to change the secret key. When “Yes” is selected, you can change the secret key (up to 63 characters long) shared between the RADIUS server and the switch. | No |
| NAS-IP-Address | The IPv4 address to be used as attribute 4 in RADIUS Access-Request packets. If this field is left blank, the IP address of the outgoing interface is used. | Null |
| NAS-IPv6-Address | The IPv6 address to be used as attribute 95 in RADIUS Access-Request packets. If this field is left blank, the IP address of the outgoing interface is used. | Null |
| NAS-Identifier | The identifier (up to 253 characters long) to be used as attribute 32 in RADIUS Access-Request packets. If this field is left blank, the NAS-Identifier is not included in the packet. | Null |
| Server Configuration | | |
| Delete | To delete a RADIUS server entry, check this box. The entry will be deleted during the next Save. | |
| Hostname | The IPv4/IPv6 address or hostname of the RADIUS server. | Null |
| Auth Port | The UDP port to use on the RADIUS server for authentication. Set to 0 to disable authentication. | 1812 |
| Acct Port | The UDP port to use on the RADIUS server for accounting. Set to 0 to disable accounting. | 1813 |
| Timeout | This optional setting overrides the global timeout value. Leaving it blank will use the global timeout value. | Null |
| Retransmit | This optional setting overrides the global retransmit value. Leaving it blank will use the global retransmit value. | Null |
| Change Secret Key | Specify whether to change the secret key. When the checkbox is checked, you can enter a per-server secret key that overrides the global key. Leaving it blank will use the global key. | Null |

After clicking on the Add New Server button to add a new RADIUS server, an empty row is added to the table, and the RADIUS server can be configured as needed. Up to 5 servers are supported. The Delete button can be used to undo the addition of the new server. Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.
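The following added example (not Welotec code; switch address, secret and credentials are made up) builds and decodes a RADIUS Access-Request of the kind the switch sends, carrying the NAS-IP-Address (4), NAS-IPv6-Address (95) and NAS-Identifier (32) attributes from the table above, and shows the RFC 2865 User-Password hiding, which is the only confidentiality RADIUS provides for the request.

```python
"""RADIUS Access-Request encoder/decoder (RFC 2865 framing) carrying the
NAS attributes from the RADIUS Server Configuration table.
Added example, not Welotec code; hostnames, secret and credentials are made up."""
import hashlib
import ipaddress
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST = 1
# Attribute type numbers the configuration table refers to ("attribute 4 / 95 / 32")
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER, NAS_IPV6_ADDRESS = 1, 2, 4, 32, 95


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the Request Authenticator seeds block 1.
    This is the only field RADIUS protects; every other attribute is sent in clear."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the 2-byte header, so a value is at most
    253 bytes (the same 253-character limit the table gives for NAS-Identifier)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, username: str, password: str, secret: str,
                         outgoing_ip: str, nas_ip: Optional[str] = None,
                         nas_ipv6: Optional[str] = None,
                         nas_identifier: Optional[str] = None,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Assemble Code | Identifier | Length | Authenticator | attributes.
    Mirrors the table's blank-field rules: a blank NAS-IP-Address falls back to
    the outgoing interface address, a blank NAS-Identifier is omitted."""
    if not 1 <= len(secret) <= 63:
        raise ValueError("shared secret must be 1..63 characters")
    ra = authenticator if authenticator is not None else os.urandom(16)
    key = secret.encode()
    body = attribute(USER_NAME, username.encode())
    body += attribute(USER_PASSWORD, hide_password(password.encode(), key, ra))
    body += attribute(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip or outgoing_ip).packed)
    if nas_ipv6:  # only modelled when given; a switch on IPv6 transport would substitute its own address
        body += attribute(NAS_IPV6_ADDRESS, ipaddress.IPv6Address(nas_ipv6).packed)
    if nas_identifier:
        body += attribute(NAS_IDENTIFIER, nas_identifier.encode())
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body


def parse_packet(pkt: bytes) -> Dict:
    """Decode header and TLVs; rejects a Length field that disagrees with the
    datagram or an attribute that runs past the end."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": attrs}
```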

TACACS+

TACACS+ is an acronym for Terminal Access Controller Access Control System Plus. It is a networking protocol which provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. TACACS+ provides separate authentication, authorization and accounting services.

TACACS+ (Terminal Access Controller Access-Control System Plus) is a remote authentication protocol which allows a remote access server to communicate with an authentication server to validate user access to the network. TACACS+ allows a client to accept a username and password and pass a query to a TACACS+ authentication server. Table 2.55 compares RADIUS and TACACS+.

Table 2.55 Comparison of Authentication Server Settings between RADIUS and TACACS+:

| | RADIUS | TACACS+ |
| --- | --- | --- |
| Transport Protocol | UDP | TCP |
| Authentication and Authorization | Combines authentication and authorization | Separates AAA |
| Multiprotocol Support | No | Yes; supports AppleTalk Remote Access (ARA) and NetBIOS |
| Confidentiality | Only the password is encrypted | Entire packet is encrypted |

Figure 2.68 shows the TACACS+ Server Configuration webpage. It consists of Global Configuration and Server Configuration parts. Table 2.56 summarizes descriptions of parameters for setting up the TACACS+ Server.

Figure 2.68 Webpage to Configure AAA TACACS+

Table 2.56 Descriptions of AAA TACACS+:

| Label | Description | Factory Default |
| --- | --- | --- |
| Global Configuration | | |
| Timeout | Timeout is the number of seconds, in the range 1 to 1000, to wait for a reply from a TACACS+ server before it is considered to be dead. | 5 |
| Deadtime | Deadtime, which can be set to a number between 0 and 1440 minutes, is the period during which the switch will not send new requests to a server that has failed to respond to a previous request. This stops the switch from continually trying to contact a server that it has already determined to be dead. Setting the Deadtime to a value greater than 0 (zero) enables this feature, but only if more than one server has been configured. | 0 |
| Change Secret Key | Specify whether to change the secret key. When “Yes” is selected, you can change the secret key (up to 63 characters long) shared between the TACACS+ server and the switch. | No |
| Server Configuration | | |
| Delete | To delete a TACACS+ server entry, check this box. The entry will be deleted during the next Save. | |
| Hostname | The IPv4/IPv6 address or hostname of the TACACS+ server. | Null |
| Port | The TCP port to use on the TACACS+ server for authentication. | 49 |
| Timeout | This optional setting overrides the global timeout value. Leaving it blank will use the global timeout value. | Null |
| Change Secret Key | Specify whether to change the secret key. When the checkbox is checked, you can enter a per-server secret key that overrides the global key. Leaving it blank will use the global key. | Null |

After clicking on the Add New Server button to add a new TACACS+ server, an empty row is added to the table, and the TACACS+ server can be configured as needed. Up to 5 servers are supported. The Delete button can be used to undo the addition of the new server. Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.
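The Timeout, Retransmit and Deadtime rules in the RADIUS and TACACS+ tables above interact in ways that matter during a server outage (how long a login stalls, and when a dead server is skipped). The following added simulation, which is not Welotec code and uses a simulated clock and made-up server addresses, implements those rules so they can be checked against a planned configuration.

```python
"""Simulates the server-selection rules in the RADIUS/TACACS+ configuration
tables: wait `timeout` seconds per attempt, give up on a server after the
configured retransmits, skip a dead server for `deadtime` minutes (only when
more than one server is configured), and let per-server Timeout/Retransmit
override the global values. Added example with a simulated clock; not Welotec code."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Server:
    hostname: str
    timeout: Optional[int] = None     # seconds; None = use the global value
    retransmit: Optional[int] = None  # retransmissions; None = use the global value
    dead_until: float = 0.0           # simulated time until which the server is skipped


@dataclass
class AAAClient:
    servers: List[Server]
    timeout: int = 5       # factory default, range 1..1000 s
    retransmit: int = 3    # factory default, range 1..1000
    deadtime: int = 0      # factory default, range 0..1440 min; 0 disables dead marking
    now: float = 0.0       # simulated clock in seconds
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.timeout <= 1000:
            raise ValueError("Timeout must be 1..1000 seconds")
        if not 1 <= self.retransmit <= 1000:
            raise ValueError("Retransmit must be 1..1000")
        if not 0 <= self.deadtime <= 1440:
            raise ValueError("Deadtime must be 0..1440 minutes")
        if not 1 <= len(self.servers) <= 5:
            raise ValueError("up to 5 servers are supported")

    def authenticate(self, reachable: Callable[[str], bool]) -> Optional[str]:
        """Try servers in configured order; return the hostname that answered,
        or None when every server failed. `reachable(hostname)` stands in for
        the network round trip and returns True when a reply arrives."""
        for srv in self.servers:
            if srv.dead_until > self.now:
                self.log.append(f"{self.now:.0f}s skip {srv.hostname}: dead for "
                                f"{srv.dead_until - self.now:.0f}s more")
                continue
            timeout = srv.timeout if srv.timeout is not None else self.timeout
            retransmit = srv.retransmit if srv.retransmit is not None else self.retransmit
            # one initial transmission plus `retransmit` retransmissions
            for attempt in range(1, retransmit + 2):
                if reachable(srv.hostname):
                    self.log.append(f"{self.now:.0f}s {srv.hostname} answered on attempt {attempt}")
                    return srv.hostname
                self.now += timeout   # waited a full timeout with no reply
            self.log.append(f"{self.now:.0f}s {srv.hostname} silent after {retransmit + 1} attempts")
            # "considered to be dead": skipped later only if Deadtime > 0 and a fallback server exists
            if self.deadtime > 0 and len(self.servers) > 1:
                srv.dead_until = self.now + self.deadtime * 60
        return None
```

With the factory defaults and a single unreachable server, a login attempt blocks for 4 × 5 = 20 seconds on every try, because a lone server is never marked dead.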

Aggregation

Aggregation is a technique that uses multiple ports in parallel to increase the link speed beyond the limit of a single port and to add redundancy for higher availability. Welotec’s RSAES allows aggregation on its ports. Figure 2.69 lists the submenus under Configuration ⭢ Aggregation.

Figure 2.69 Aggregation Submenus

Common

The webpage in Figure 2.70 is used to configure the aggregation hash mode. The configured mode is applied switch-wide. Four contributors can be selected to create the hash code: Source MAC Address, Destination MAC Address, IP Address, and TCP/UDP Port Number. Table 2.57 summarizes the descriptions of the hash code contributors under the Common Aggregation Configuration.

Figure 2.70 Webpage to Configure Common Aggregation

Table 2.57 Descriptions of Common Aggregation Configuration:

| Label | Description | Factory Default |
| --- | --- | --- |
| Hash Code Contributors | | |
| Source MAC Address | The Source MAC address can be used to calculate the destination port for the frame. Check to enable the use of the Source MAC address, or uncheck to disable it. By default, Source MAC Address is enabled. | Checked |
| Destination MAC Address | The Destination MAC Address can be used to calculate the destination port for the frame. Check to enable the use of the Destination MAC Address, or uncheck to disable it. By default, Destination MAC Address is disabled. | Unchecked |
| IP Address | The IP address can be used to calculate the destination port for the frame. Check to enable the use of the IP Address, or uncheck to disable it. By default, IP Address is enabled. | Checked |
| TCP/UDP Port Number | The TCP/UDP port number can be used to calculate the destination port for the frame. Check to enable the use of the TCP/UDP Port Number, or uncheck to disable it. By default, TCP/UDP Port Number is enabled. | Checked |

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.
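The choice of hash code contributors decides whether traffic actually spreads across the member links. The added example below (not Welotec code; the hash function is a stand-in, since the switch’s internal function is not documented here, and the flows are constructed) shows that with only Source MAC Address enabled, everything from a single upstream router lands on one member port, while the factory default set separates the flows.

```python
"""Illustrates how the Hash Code Contributors setting determines the member
port a frame leaves an aggregation group on. The hash function here is a
stand-in (the switch's internal function is not documented on the page);
the point is which header fields feed it. Added example, constructed flows."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


# Factory defaults from the Common Aggregation Configuration table
DEFAULT_CONTRIBUTORS = {"src_mac": True, "dst_mac": False, "ip": True, "l4_port": True}


def hash_key(flow: Flow, contributors: Dict[str, bool]) -> str:
    """Concatenate only the enabled contributors; two frames with equal keys
    always leave on the same member port, so per-flow ordering is preserved."""
    parts: List[str] = []
    if contributors.get("src_mac"):
        parts.append(flow.src_mac.lower())
    if contributors.get("dst_mac"):
        parts.append(flow.dst_mac.lower())
    if contributors.get("ip"):
        parts += [flow.src_ip, flow.dst_ip]
    if contributors.get("l4_port"):
        parts += [str(flow.src_port), str(flow.dst_port)]
    return "|".join(parts)


def member_port(flow: Flow, contributors: Dict[str, bool], members: List[int]) -> int:
    """Pick the member port for a frame: hash the key and take it modulo the group size."""
    if not members:
        raise ValueError("aggregation group has no member ports")
    key = hash_key(flow, contributors)
    if not key:                      # no contributor enabled: nothing to spread on
        return members[0]
    digest = hashlib.sha256(key.encode()).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


def distribution(flows: List[Flow], contributors: Dict[str, bool],
                 members: List[int]) -> Dict[int, int]:
    """Frames per member port for a set of flows under one contributor setting."""
    counts = {m: 0 for m in members}
    for f in flows:
        counts[member_port(f, contributors, members)] += 1
    return counts


# Constructed traffic: one router MAC sending to 16 different hosts and ports
ROUTER_MAC = "00:11:22:33:44:55"
SAMPLE_FLOWS = [Flow(ROUTER_MAC, f"00:aa:bb:cc:dd:{i:02x}", "10.0.0.1", f"10.0.1.{i}",
                     443, 40000 + i) for i in range(1, 17)]
```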

Groups

This webpage allows the user to aggregate different port(s) to an aggregation group. The Aggregation Group Configuration is shown in Figure 2.71. After selecting which port number(s) belong to which aggregation group ID, the user can choose the mode of aggregation group from Disabled, Static, LACP (Active), LACP (Passive). Table 2.58 summarizes the descriptions of Aggregation Group Configuration.

Figure 2.71 Webpage to Configure Group Aggregation

Table 2.58 Descriptions of Aggregation Group Configuration:

| Label | Description | Factory Default |
| --- | --- | --- |
| Group ID | Indicates the aggregation group ID for the settings contained in the same row. Group ID “Normal” indicates there is no aggregation. Only one group ID is valid per port. | - |
| Port Members | Each switch port is listed for each group ID. Select a radio button to include a port in an aggregation, or clear the radio button to remove the port from the aggregation. By default, no ports belong to any aggregation group. Only full-duplex ports can join an aggregation, and all ports in a group must run at the same speed. | Unclicked |
| Mode | This parameter determines the mode for the aggregation group. Disabled: the group is disabled. Static: the group operates in static aggregation mode. LACP (Active): the group operates in LACP active aggregation mode; see IEEE 802.1AX-2014, Section 6.4.1 for details. LACP (Passive): the group operates in LACP passive aggregation mode; see IEEE 802.1AX-2014, Section 6.4.1 for details. | Disabled |

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.

LACP

The user can enable the Link Aggregation Control Protocol (LACP), an IEEE standard (IEEE 802.3ad, IEEE 802.1AX-2008), by selecting an LACP aggregation mode as described in the previous subsection. LACP allows the managed switch to negotiate an automatic bundling of links by sending LACP packets to the LACP partner, another device that is directly connected to the managed switch and also implements LACP. The LACP packets are sent to a multicast group MAC address. If LACP finds a device on the other end of the link that also has LACP enabled, that device independently sends packets along the same links, enabling the two units to detect multiple links between themselves and then combine them into a single logical link. During the detection period, LACP packets are transmitted every second. Subsequently, keep-alive packets for link membership are sent periodically. Each port in the group can operate in either LACP active or LACP passive mode. LACP active mode means that the port enables LACP unconditionally, while LACP passive mode means that the port enables LACP only when an LACP partner is detected. Note that in active mode an LACP port always sends LACP packets along the configured links. In passive mode, however, the LACP port acts as “speak when spoken to” and can therefore be used as a way of controlling accidental loops (as long as the other device is in active mode).

Figure 2.72 shows the LACP System Configuration webpage. It allows the user to configure the System Priority and LACP System Configuration. Table 2.59 summarizes the descriptions of LACP Aggregation Configuration.

Figure 2.72 Webpage to Configure LACP Aggregation

Table 2.59 Descriptions of LACP Aggregation Configuration:

| Label | Description | Factory Default |
| --- | --- | --- |
| Port | The switch port number. | - |
| LACP | Shows whether LACP is currently enabled on this switch port. | No |
| Timeout | The Timeout controls the period between LACP BPDU transmissions. Fast transmits LACP packets every second, while Slow waits 30 seconds before sending an LACP packet. | Fast |

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.

Spanning Tree

IEEE 802.1D Standard spanning tree functionality is supported by Welotec’s RSAES managed switches.

Spanning Tree Protocol (STP) provides a function to prevent switching loops and broadcast radiation at OSI layer 2. A switching loop occurs in a network when there are multiple connections or redundant paths between two network switches, or when at least two ports are connected on both sides of the two network switches. A switching loop can create broadcast radiation, which is the accumulation of broadcast and multicast traffic in a computer network. As broadcast and multicast messages are forwarded by bridges/switches to every port, the bridges/switches will repeatedly rebroadcast the broadcast messages, and this accumulation of traffic can flood the network. STP creates a spanning tree topology and disables those links of the network that are not part of the spanning tree, which leaves only a single active path between two nodes. This function avoids flooding and increases network efficiency. Therefore, Welotec’s managed switches deploy spanning tree as a tool when the user sets up connection or port redundancy or fault tolerance in their network.

RSTP (Rapid Spanning Tree Protocol), IEEE 802.1w, is also supported in Welotec’s managed switches. It is an evolution of STP and remains backwards compatible with standard STP. RSTP has an advantage over STP: when there is a topology change such as a link failure in the network, RSTP converges significantly faster to a new spanning tree topology. RSTP improves convergence on point-to-point links by reducing the Max-Age time to 3 times the Hello interval, removing the STP listening state, and exchanging a handshake between two switches to quickly transition the port to the forwarding state.

MSTP (Multiple Spanning Tree Protocol) is a standard defined by IEEE 802.1s that allows multiple VLANs to be mapped to a single spanning tree instance, called an MST Instance, which provides multiple pathways across the network. It is compatible with STP and RSTP. To support larger networks, MSTP groups bridges/switches into regions that appear as a single bridge to other devices. Within each region, there can be multiple MST instances. MSTP shares common parameters with RSTP, such as port path costs. MSTP also helps prevent switching loops and converges rapidly when there is a topology change. It is possible to have different forwarding paths for different MST instances, which enables load balancing of network traffic across redundant links.

The following subsections describe how to set up the Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). The Spanning Tree menu consists of Bridge Settings, MSTI Mapping, MSTI Priorities, CIST Ports, and MSTI Ports.

Bridge Settings

To select a variant of Spanning Tree Protocol, the user can select the Protocol Version and set related parameters for that particular protocol version in this STP Bridge Configuration webpage as shown in Figure 2.73. The settings are grouped into Basic Settings and Advanced Settings. These settings are used by all STP Bridge instances in the managed switch. Table 2.60 summarizes the description of each parameter under the STP Bridge Configuration webpage.

Figure 2.73 Webpage to Configure Bridge Settings of Spanning Tree

Table 2.60 Descriptions of Bridge Settings Configuration of Spanning Tree:

| Label | Description | Factory Default |
| --- | --- | --- |
| Basic Settings | | |
| Protocol Version | The MSTP / RSTP / STP protocol version setting. | MSTP |
| Bridge Priority | Controls the bridge priority. Lower numeric values have better priority. The bridge priority plus the MSTI instance number, concatenated with the 6-byte MAC address of the switch, forms a Bridge Identifier. For MSTP operation, this is the priority of the CIST. Otherwise, this is the priority of the STP/RSTP bridge. | 32768 |
| Hello Time | The interval between sending STP BPDUs. Valid values are in the range 1 to 10 seconds; the default is 2 seconds. Note: Changing this parameter from the default value is not recommended and may have adverse effects on your network. | 2 |
| Forward Delay | The delay used by STP Bridges to transition Root and Designated Ports to Forwarding (used in STP compatible mode). Valid values are in the range 4 to 30 seconds. | 15 |
| Max Age | The maximum age of the information transmitted by the Bridge when it is the Root Bridge. Valid values are in the range 6 to 40 seconds, and MaxAge must be <= (FwdDelay-1)*2. | 20 |
| Maximum Hop Count | This defines the initial value of remaining Hops for MSTI information generated at the boundary of an MSTI region. It defines how many bridges a root bridge can distribute its BPDU information to. Valid values are in the range 6 to 40 hops. | 20 |
| Transmit Hold Count | The number of BPDUs a bridge port can send per second. When exceeded, transmission of the next BPDU will be delayed. Valid values are in the range 1 to 10 BPDUs per second. | 6 |
| Advanced Settings | | |
| Edge Port BPDU Filtering | Controls whether a port explicitly configured as Edge will transmit and receive BPDUs. | Unclicked |
| Edge Port BPDU Guard | Controls whether a port explicitly configured as Edge will disable itself upon reception of a BPDU. The port will enter the error-disabled state and will be removed from the active topology. | Unclicked |
| Port Error Recovery | Controls whether a port in the error-disabled state will automatically be enabled after a certain time. If recovery is not enabled, ports have to be disabled and re-enabled for normal STP operation. The condition is also cleared by a system reboot. | Unclicked |
| Port Error Recovery Timeout | The time to pass before a port in the error-disabled state can be enabled. Valid values are between 30 and 86400 seconds (24 hours). | Null |

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.
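The Bridge Priority row describes how the Bridge Identifier is formed and Table 2.60 lists the timer ranges plus the MaxAge <= (FwdDelay-1)*2 rule. The added example below (not Welotec code; bridge MAC addresses are made up) builds Bridge Identifiers the way the row describes, elects the Root Bridge from a set of candidates, and checks a proposed set of timers against the table before it is applied.

```python
"""Bridge Identifier construction and root election as described for the
Bridge Priority row (priority plus MSTI number, concatenated with the 6-byte
MAC), and a validator for the timer ranges in Table 2.60 including the
MaxAge <= (FwdDelay-1)*2 rule. Added example; bridge MACs are made up."""
import re
from typing import List, Tuple

MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.I)


def bridge_id(priority: int, msti: int, mac: str) -> int:
    """64-bit Bridge Identifier: 16-bit (priority + MSTI) followed by the 48-bit MAC.
    The priority occupies the top 4 bits, so it must be a multiple of 4096, and the
    MSTI number (0 = CIST) fits in the remaining 12 bits. The lowest value wins."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 0 <= msti <= 4095:
        raise ValueError("MSTI number must fit in 12 bits")
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address {mac!r}")
    mac_int = int(re.sub(r"[:-]", "", mac), 16)
    return ((priority + msti) << 48) | mac_int


def elect_root(bridges: List[Tuple[int, str]], msti: int = 0) -> str:
    """bridges: (priority, mac) pairs. Returns the MAC of the bridge that becomes
    Root for the given instance, i.e. the one with the lowest Bridge Identifier;
    equal priorities are decided by the lower MAC, which is why leaving every
    switch at 32768 lets an arbitrary (possibly unmanaged) device become Root."""
    return min(bridges, key=lambda b: bridge_id(b[0], msti, b[1]))[1]


def validate_bridge_timers(hello_time: int = 2, forward_delay: int = 15, max_age: int = 20,
                           max_hops: int = 20, tx_hold_count: int = 6) -> List[str]:
    """Return the violations of the ranges and rule in Table 2.60; an empty list
    means the settings are acceptable. Defaults are the factory values."""
    errors: List[str] = []
    if not 1 <= hello_time <= 10:
        errors.append("Hello Time must be 1..10 s")
    if not 4 <= forward_delay <= 30:
        errors.append("Forward Delay must be 4..30 s")
    if not 6 <= max_age <= 40:
        errors.append("Max Age must be 6..40 s")
    limit = (forward_delay - 1) * 2
    if max_age > limit:
        errors.append(f"Max Age {max_age} exceeds (Forward Delay-1)*2 = {limit}")
    if not 6 <= max_hops <= 40:
        errors.append("Maximum Hop Count must be 6..40")
    if not 1 <= tx_hold_count <= 10:
        errors.append("Transmit Hold Count must be 1..10 BPDUs per second")
    return errors
```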

MSTI Mapping

MSTI Mapping webpage is shown in Figure 2.74. This page allows the user to inspect and/or change the current STP MSTI bridge VLAN Mapping configurations. The MSTI Configuration consists of Configuration Identification part and MSTI Mapping part. Table 2.61 summarizes the description of parameters under MSTI Configuration.

Figure 2.74 Webpage to Configure MSTI Mapping of Spanning Tree

Table 2.61 Descriptions of MSTI Mapping Configuration of Spanning Tree:

| Label | Description | Factory Default |
| --- | --- | --- |
| Configuration Identification | | |
| Configuration Name | The name identifying the VLAN to MSTI mapping. Bridges must share the name and revision (see below), as well as the VLAN-to-MSTI mapping configuration, in order to share spanning trees for MSTIs (intra-region). The name is at most 32 characters. | DUT’s MAC address |
| Configuration Revision | The revision of the MSTI configuration named above. This must be an integer between 0 and 65535. | 0 |
| MSTI Mapping | | |
| MSTI | The bridge instances. The CIST is not available for explicit mapping, as it will receive the VLANs not explicitly mapped. | |
| VLANs Mapped | The list of VLANs mapped to the MSTI. The VLANs can be given as a single VLAN (xx, with xx between 1 and 4094) or a range (xx-yy), each of which must be separated by a comma and/or space. A VLAN can only be mapped to one MSTI. An unused MSTI should just be left empty (i.e., not having any VLANs mapped to it). Example: 2, 5, 20-40. | Null |

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.
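The added example below (not Welotec code) parses the “VLANs Mapped” syntax described above, enforces the one-MSTI-per-VLAN rule with unmapped VLANs falling to the CIST, and computes the MST configuration digest that, together with Configuration Name and Revision, decides whether two bridges end up in the same region. The digest is the standard IEEE 802.1Q HMAC-MD5 over the VLAN-to-MSTID table; the page does not describe it, so it is an assumption about what “share the VLAN-to-MSTI mapping” amounts to on the wire.

```python
"""Parser for the 'VLANs Mapped' syntax (single VIDs and xx-yy ranges,
separated by comma and/or space), a checker for the one-MSTI-per-VLAN rule
with unmapped VLANs falling to the CIST, and the MST Configuration Digest that
bridges must agree on (together with name and revision) to share a region.
Added example, not Welotec code."""
import hashlib
import hmac
import re
from typing import Dict, Set

VLAN_MIN, VLAN_MAX = 1, 4094
# Fixed HMAC-MD5 signature key from IEEE 802.1Q for the MST configuration digest
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_vlan_list(text: str) -> Set[int]:
    """'2, 5, 20-40' -> {2, 5, 20, 21, ..., 40}; rejects VIDs outside 1..4094."""
    vids: Set[int] = set()
    for token in re.split(r"[,\s]+", text.strip()):
        if not token:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
        if not m:
            raise ValueError(f"bad VLAN token {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi or lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN range {token!r} outside {VLAN_MIN}..{VLAN_MAX}")
        vids.update(range(lo, hi + 1))
    return vids


def build_msti_mapping(entries: Dict[int, str]) -> Dict[int, int]:
    """entries: MSTI number -> text of its 'VLANs Mapped' field (empty = unused).
    Returns VID -> MSTI for every VID, with unmapped VLANs assigned to the CIST (0)."""
    mapping: Dict[int, int] = {}
    for msti, text in sorted(entries.items()):
        if msti < 1:
            raise ValueError("the CIST (0) cannot be mapped explicitly")
        for vid in parse_vlan_list(text):
            if vid in mapping:
                raise ValueError(f"VLAN {vid} mapped to both MSTI {mapping[vid]} and MSTI {msti}")
            mapping[vid] = msti
    for vid in range(VLAN_MIN, VLAN_MAX + 1):
        mapping.setdefault(vid, 0)
    return mapping


def configuration_digest(mapping: Dict[int, int]) -> bytes:
    """HMAC-MD5 over the 4096-entry table of 16-bit MSTIDs indexed by VID
    (entries 0 and 4095 are reserved and stay 0). Bridges in one region must
    produce identical digests, so a typo in one switch's mapping splits the region."""
    table = bytearray(4096 * 2)
    for vid, msti in mapping.items():
        table[vid * 2:vid * 2 + 2] = msti.to_bytes(2, "big")
    return hmac.new(DIGEST_KEY, bytes(table), hashlib.md5).digest()
```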

MSTI Priorities

MSTI Priorities webpage is shown in Figure 2.75. This page allows the user to inspect and/or change the current STP MSTI bridge instance priority configurations. Table 2.62 summarizes the description of parameters under MSTI Configuration.

Figure 2.75 Webpage to Configure Bridge Priorities of Spanning Tree

Table 2.62 Descriptions of Bridge MSTI Priorities Configuration of Spanning Tree:

| Label | Description | Factory Default |
| --- | --- | --- |
| MSTI | The bridge instances. The CIST is the default instance, which is always active. | - |
| Priority | Controls the bridge priority. Lower numeric values have better priority. The bridge priority plus the MSTI instance number, concatenated with the 6-byte MAC address of the switch, forms a Bridge Identifier. | 32768 |

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.

CIST Ports

The CIST Ports webpage in Figure 2.76 allows the user to inspect and change the current STP CIST port configurations. This page contains settings for physical and aggregated ports. There are two tables: CIST Aggregated Port Configuration and CIST Normal Port Configuration. Table 2.63 provides the descriptions of all column labels of the two tables under the STP CIST Port Configuration.

Figure 2.76 Webpage to Configure CIST Ports of Spanning Tree

Table 2.63 Descriptions of CIST Ports Configuration of Spanning Tree:

| Label | Description | Factory Default |
| --- | --- | --- |
| CIST Aggregated Port Configuration | | |
| Port | The switch port number of the logical STP port. | - |
| STP Enabled | Controls whether STP is enabled on this switch port. | Checked |
| Path Cost | Controls the path cost incurred by the port. The Auto setting sets the path cost as appropriate for the physical link speed, using the 802.1D recommended values. Using the Specific setting, a user-defined value can be entered. The path cost is used when establishing the active topology of the network. Lower path cost ports are chosen as forwarding ports in favour of higher path cost ports. Valid values are in the range 1 to 200000000. | Auto |
| Priority | Controls the port priority. This can be used to control the priority of ports having identical path cost (see above). Lower priority is better. | 128 |
| Admin Edge | Admin Edge or State Flag. Operational flag describing whether the port connects directly to edge devices (no bridges attached). Transition to the forwarding state is faster for edge ports (having operEdge true) than for other ports. The value of this flag is based on the AdminEdge and AutoEdge fields. This flag is displayed as Edge in Monitor ⭢ Spanning Tree ⭢ STP Detailed Bridge Status. | Non-Edge |
| Auto Edge | Controls whether the bridge should enable automatic edge detection on the bridge port. This allows operEdge to be derived from whether BPDUs are received on the port or not. | Checked |
| Restricted Role | If enabled, causes the port not to be selected as Root Port for the CIST or any MSTI, even if it has the best spanning tree priority vector. Such a port will be selected as an Alternate Port after the Root Port has been selected. If set, it can cause lack of spanning tree connectivity. It can be set by a network administrator to prevent bridges external to a core region of the network from influencing the spanning tree active topology, possibly because those bridges are not under the full control of the administrator. This feature is also known as Root Guard. | Unchecked |
| Restricted TCN | If enabled, causes the port not to propagate received topology change notifications and topology changes to other ports. If set, it can cause temporary loss of connectivity after changes in a spanning tree’s active topology as a result of persistently incorrect learned station location information. It is set by a network administrator to prevent bridges external to a core region of the network from causing address flushing in that region, possibly because those bridges are not under the full control of the administrator or the physical link state of the attached LANs changes frequently. | Unchecked |
| BPDU Guard | If enabled, causes the port to disable itself upon receiving valid BPDUs. Contrary to the similar bridge setting, the port Edge status does not affect this setting. A port entering the error-disabled state due to this setting is subject to the bridge Port Error Recovery setting as well. | Unchecked |
| Point-to-point | Controls whether the port connects to a point-to-point LAN rather than to a shared medium. This can be automatically determined, or forced either true or false. Transition to the forwarding state is faster for point-to-point LANs than for shared media. | Force True |
| CIST Normal Port Configuration | | |
| Port | The switch port number of the logical STP port. | - |
| STP Enabled | Controls whether STP is enabled on this switch port. | Checked |
| Path Cost | Controls the path cost incurred by the port. The Auto setting sets the path cost as appropriate for the physical link speed, using the 802.1D recommended values. Using the Specific setting, a user-defined value can be entered. The path cost is used when establishing the active topology of the network. Lower path cost ports are chosen as forwarding ports in favour of higher path cost ports. Valid values are in the range 1 to 200000000. | Auto |
| Priority | Controls the port priority. This can be used to control the priority of ports having identical path cost (see above). | 128 |
| Admin Edge | Admin Edge or State Flag. Operational flag describing whether the port connects directly to edge devices (no bridges attached). Transition to the forwarding state is faster for edge ports (having operEdge true) than for other ports. The value of this flag is based on the AdminEdge and AutoEdge fields. This flag is displayed as Edge in Monitor ⭢ Spanning Tree ⭢ STP Detailed Bridge Status. | Non-Edge |
| Auto Edge | Controls whether the bridge should enable automatic edge detection on the bridge port. This allows operEdge to be derived from whether BPDUs are received on the port or not. | Checked |
| Restricted Role | If enabled, causes the port not to be selected as Root Port for the CIST or any MSTI, even if it has the best spanning tree priority vector. Such a port will be selected as an Alternate Port after the Root Port has been selected. If set, it can cause lack of spanning tree connectivity. It can be set by a network administrator to prevent bridges external to a core region of the network from influencing the spanning tree active topology, possibly because those bridges are not under the full control of the administrator. This feature is also known as Root Guard. | Unchecked |
| Restricted TCN | If enabled, causes the port not to propagate received topology change notifications and topology changes to other ports. If set, it can cause temporary loss of connectivity after changes in a spanning tree’s active topology as a result of persistently incorrect learned station location information. It is set by a network administrator to prevent bridges external to a core region of the network from causing address flushing in that region, possibly because those bridges are not under the full control of the administrator or the physical link state of the attached LANs changes frequently. | Unchecked |
| BPDU Guard | If enabled, causes the port to disable itself upon receiving valid BPDUs. Contrary to the similar bridge setting, the port Edge status does not affect this setting. A port entering the error-disabled state due to this setting is subject to the bridge Port Error Recovery setting as well. | Unchecked |
| Point-to-point | Controls whether the port connects to a point-to-point LAN rather than to a shared medium. This can be automatically determined, or forced either true or false. Transition to the forwarding state is faster for point-to-point LANs than for shared media. | Auto |

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.

MSTI Ports

The MSTI Ports webpage as shown in Figure 2.77 allows the user to inspect and/or change the current STP MSTI port configurations. An MSTI port is a virtual port, which is instantiated separately for each active CIST (physical) port for each MSTI instance configured on and applicable to the port. The MSTI instance must be selected before displaying actual MSTI port configuration options. After selecting a desired MSTI and clicking on the Get button, the webpage is updated as shown in Figure 2.78. The updated page contains MSTI port settings for physical and aggregated ports. Table 2.64 summarizes the descriptions of MSTI Port Configuration.

Figure 2.77 Webpage to Configure MSTI of Spanning Tree

Figure 2.78 Example of MST1 MSTI Port Configuration

Table 2.64 Descriptions of MSTI Configuration of Spanning Tree:

| Label | Description | Factory Default |
| --- | --- | --- |
| Port | The switch port number of the corresponding STP CIST (and MSTI) port. | - |
| Path Cost | Controls the path cost incurred by the port. The Auto setting sets the path cost as appropriate for the physical link speed, using the 802.1D recommended values. Using the Specific setting, a user-defined value can be entered. The path cost is used when establishing the active topology of the network. Lower path cost ports are chosen as forwarding ports in favour of higher path cost ports. Valid values are in the range 1 to 200000000. | Auto |
| Priority | Controls the port priority. This can be used to control the priority of ports having identical path cost. Lower priority is better. | 128 |

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.

IPMC

IP MultiCast (IPMC) menu can be configured using the submenus as shown in Figure 2.79. The IGMP Snooping is used for IPv4, while the MLD Snooping is used for IPv6.

Figure 2.79 Configuration⭢IPMC Menu

IGMP Snooping

IGMP is an acronym for Internet Group Management Protocol. It is a communications protocol used to manage the membership of Internet Protocol multicast groups. IGMP is used by IP hosts and adjacent multicast routers to establish multicast group memberships. It is an integral part of the IP multicast specification, like ICMP for unicast connections. IGMP can be used for online video and gaming, and allows more efficient use of resources when supporting these uses.

Basic Configuration

The IGMP Snooping ⭢ Basic Configuration webpage provides the IGMP Snooping related configuration, as shown in Figure 2.80. The page consists of Global Configuration and Port Related Configuration. Table 2.65 summarizes the descriptions of the IGMP Snooping Configuration.

Figure 2.80 Basic Configuration Webpage to IGMP Snooping of an IPMC Profile

Table 2.65 Descriptions of IGMP Snooping of an IPMC Profile:

| Label | Description | Factory Default |
| --- | --- | --- |
| IGMP Snooping Configuration | | |
| Snooping Enabled | Enable the Global IGMP Snooping. | Clicked |
| Unregistered IPMCv4 Flooding Enabled | Enable unregistered IPMCv4 traffic flooding. The flooding control takes effect only when IGMP Snooping is enabled. When IGMP Snooping is disabled, unregistered IPMCv4 traffic flooding is always active in spite of this setting. | Clicked |
| IGMP SSM Range | The SSM (Source-Specific Multicast) Range allows SSM-aware hosts and routers to run the SSM service model for the groups in the address range. Assign a valid IPv4 multicast address as prefix with a prefix length (from 4 to 32) for the range. | 232.0.0.0 / 8 |
| Leave Proxy Enabled | Enable IGMP Leave Proxy. This feature can be used to avoid forwarding unnecessary leave messages to the router side. | Unclicked |
| Proxy Enabled | Enable IGMP Proxy. This feature can be used to avoid forwarding unnecessary join and leave messages to the router side. | Unclicked |
| Port Related Configuration | | |
| Router Port | Specify which ports act as router ports. A router port is a port on the Ethernet switch that leads towards the Layer 3 multicast device or IGMP querier. If an aggregation member port is selected as a router port, the whole aggregation will act as a router port. | Unclicked |
| Fast Leave | Enable fast leave on the port. The system will remove the group record and stop forwarding data upon receiving an IGMPv2 leave message, without sending last member query messages. It is recommended to enable this feature only when a single IGMPv2 host is connected to the specific port. | Unclicked |
| Throttling | Enable to limit the number of multicast groups to which a switch port can belong. | unlimited |

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.
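The port-level settings in Table 2.65 change how the switch forwards multicast in ways that are easiest to see on a small table. The added example below (not Welotec code; group addresses and port numbers are constructed) models router ports, Fast Leave versus the last member query, Throttling, and unregistered IPMCv4 flooding, including the rule that flooding is always active when snooping is disabled.

```python
"""Toy IGMP snooping forwarding table for the port-level behaviours in the
IGMP Snooping Basic Configuration table: router ports always receive the
group traffic, Fast Leave drops a port on an IGMPv2 Leave without a last
member query, Throttling caps the groups a port may join, and unregistered
IPMCv4 flooding (always on when snooping is disabled). Added example with
constructed groups and port numbers; not Welotec code."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class IGMPSnooper:
    ports: int = 8
    snooping_enabled: bool = True            # "Snooping Enabled", default Clicked
    unregistered_flooding: bool = True       # "Unregistered IPMCv4 Flooding Enabled"
    router_ports: Set[int] = field(default_factory=set)
    fast_leave: Set[int] = field(default_factory=set)
    throttling: Dict[int, int] = field(default_factory=dict)   # port -> max groups; absent = unlimited
    groups: Dict[str, Set[int]] = field(default_factory=dict)   # group address -> member ports
    pending: Set[Tuple[str, int]] = field(default_factory=set)  # (group, port) awaiting last member query

    def _all_ports(self) -> Set[int]:
        return set(range(1, self.ports + 1))

    def report(self, port: int, group: str) -> bool:
        """IGMP Membership Report (join) seen on `port`; returns False when throttled."""
        joined = {g for g, members in self.groups.items() if port in members}
        limit = self.throttling.get(port)
        if limit is not None and group not in joined and len(joined) >= limit:
            return False
        self.groups.setdefault(group, set()).add(port)
        self.pending.discard((group, port))   # a report answers any outstanding query
        return True

    def leave(self, port: int, group: str) -> str:
        """IGMPv2 Leave seen on `port`: 'removed' (fast leave), 'queried' (last
        member query sent, membership kept until it times out) or 'ignored'."""
        members = self.groups.get(group)
        if not members or port not in members:
            return "ignored"
        if port in self.fast_leave:
            self._remove(group, port)
            return "removed"
        self.pending.add((group, port))
        return "queried"

    def query_timeout(self, port: int, group: str) -> None:
        """No report answered the last member query: drop the port from the group."""
        if (group, port) in self.pending:
            self.pending.discard((group, port))
            self._remove(group, port)

    def _remove(self, group: str, port: int) -> None:
        members = self.groups.get(group, set())
        members.discard(port)
        if not members:
            self.groups.pop(group, None)

    def egress(self, ingress_port: int, group: str) -> Set[int]:
        """Ports a multicast frame for `group` arriving on `ingress_port` is sent to."""
        if not self.snooping_enabled:          # snooping off: plain flooding, whatever the flag says
            return self._all_ports() - {ingress_port}
        members = self.groups.get(group)
        if members is None:                    # unregistered group
            out = self._all_ports() if self.unregistered_flooding else set()
        else:
            out = set(members)
        return (out | self.router_ports) - {ingress_port}
```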

VLAN Configuration

The IGMP Snooping VLAN Configuration is shown in Figure 2.81. Note that the user needs to go to the IP configuration page (System ⭢ IP ⭢ Add IP interface) to set up an IP interface before creating an IGMP VLAN interface. The IGMP Snooping VLAN table is also displayed on this webpage. Each page can show up to 99 entries from the VLAN table, the default being 20, selected through the “entries per page” input field. When first visited, the web page shows the first 20 entries from the beginning of the VLAN Table; the first displayed is the one with the lowest VLAN ID found in the VLAN Table. The “VLAN” input field allows the user to select the starting point in the VLAN Table. Clicking the Refresh button updates the displayed table starting from that or the next closest VLAN Table match. The >> button uses the last entry of the currently displayed table as the basis for the next lookup. When the end is reached, the text “No more entries” is shown in the displayed table. Use the << button to start over. Table 2.66 summarizes the descriptions of the IGMP Snooping VLAN Configuration.

Figure 2.81 Webpage to Configure IGMP Snooping's VLAN for an IPMC Profile

Table 2.66 Descriptions of IGMP Snooping’s VLAN Configuration for an IPMC Profile:

Label

Description

Factory Default

VLAN ID

The VLAN ID of the entry.

1

Snooping Enabled

Enable the per-VLAN IGMP Snooping. Up to 8 VLANs can be selected for IGMP Snooping.

Unchecked

Querier Election

Enable to join IGMP Querier election in the VLAN. Disable to act as an IGMP Non-Querier.

Checked

Querier Address

Define the IPv4 address used as the source address in the IP header for IGMP Querier election. When the Querier address is not set, the system uses the IPv4 management address of the IP interface associated with this VLAN. When that IPv4 management address is not set, the system uses the first available IPv4 management address. Otherwise, the system uses the pre-defined value 0.0.0.0.

0.0.0.0

Compatibility

Compatibility is maintained by hosts and routers taking appropriate actions depending on the versions of IGMP operating on hosts and routers within a network. The allowed selection is IGMP-Auto, Forced IGMPv1, Forced IGMPv2, Forced IGMPv3, default compatibility value is IGMP-Auto.

IGMP-Auto

PRI

Priority of Interface. It indicates the IGMP control frame priority level generated by the system. These values can be used to prioritize different classes of traffic. The allowed range is 0 (best effort) to 7 (highest), default interface priority value is 0.

0

RV

Robustness Variable. The Robustness Variable allows tuning for the expected packet loss on a network. The allowed range is 1 to 255, default robustness variable value is 2.

2

QI (sec)

Query Interval. The Query Interval is the interval between General Queries sent by the Querier. The allowed range is 1 to 31744 seconds, default query interval is 125 seconds.

125

QRI (0.1 sec)

Query Response Interval. The Maximum Response Delay used to calculate the Maximum Response Code inserted into the periodic General Queries. The allowed range is 0 to 31744 in tenths of seconds, default query response interval is 100 in tenths of seconds (10 seconds).

100

LLQI (0.1 sec)

Last Member Query Interval. The Last Member Query Time is the time value represented by the Last Member Query Interval, multiplied by the Last Member Query Count. The allowed range is 0 to 31744 in tenths of seconds, default last member query interval is 10 in tenths of seconds (1 second).

10

URI (sec)

Unsolicited Report Interval. The Unsolicited Report Interval is the time between repetitions of a host’s initial report of membership in a group. The allowed range is 0 to 31744 seconds, default unsolicited report interval is 1 second.

1

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.

MLD Snooping

MLD is an acronym for Multicast Listener Discovery for IPv6. MLD is used by IPv6 routers to discover multicast listeners on a directly attached link, much as IGMP is used in IPv4. The protocol is embedded in ICMPv6 instead of using a separate protocol.

Basic Configuration

The MLD Snooping > Basic Configuration webpage provides MLD Snooping related configuration as shown in Figure 2.82. The page consists of Global Configuration and Port Related Configuration. Table 2.67 summarizes the descriptions of MLD Snooping Configuration.

Figure 2.82 Basic Configuration Webpage to MLD Snooping of an IPMC Profile

Table 2.67 Descriptions of MLD Snooping Configuration for an IPMC Profile:

Label

Description

Factory Default

MLD Snooping Configuration

Snooping Enabled

Enable the Global MLD Snooping.

Clicked

Unregistered IPMCv6 Flooding Enabled

Enable unregistered IPMCv6 traffic flooding. The flooding control takes effect only when MLD Snooping is enabled. When MLD Snooping is disabled, unregistered IPMCv6 traffic flooding is always active in spite of this setting.

Clicked

MLD SSM Range

SSM (Source-Specific Multicast) Range allows the SSM-aware hosts and routers to run the SSM service model for the groups in the address range. Assign a valid IPv6 multicast address as prefix with a prefix length (from 8 to 128) for the range.

ff3e::/96

Leave Proxy Enabled

Enable MLD Leave Proxy. This feature can be used to avoid forwarding unnecessary leave messages to the router side.

Unclicked

Proxy Enabled

Enable MLD Proxy. This feature can be used to avoid forwarding unnecessary join and leave messages to the router side.

Unclicked

Port Related Configuration

Router Port

Specify which ports act as router ports. A router port is a port on the Ethernet switch that leads towards the Layer 3 multicast device or MLD querier. If an aggregation member port is selected as a router port, the whole aggregation will act as a router port.

Unclicked

Fast Leave

Enable the fast leave on the port. System will remove group record and stop forwarding data upon receiving the MLDv1 leave message without sending last member query messages. It is recommended to enable this feature only when a single MLDv1 host is connected to the specific port.

Unclicked

Throttling

Enable to limit the number of multicast groups to which a switch port can belong.

unlimited

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.

VLAN Configuration

MLD Snooping VLAN Configuration is shown in Figure 2.83. Note that the user needs to enter the IP configuration page (System > IP > Add IP interface) to set up an IP interface before creating an MLD VLAN interface. The MLD Snooping VLAN table is also displayed on this webpage. Each page can show up to 99 entries from the VLAN table, default being 20, selected through the “entries per page” input field. When first visited, the web page will show the first 20 entries from the beginning of the VLAN Table. The first displayed will be the one with the lowest VLAN ID found in the VLAN Table. The “VLAN” input fields allow the user to select the starting point in the VLAN Table. Clicking the Refresh button will update the displayed table starting from that or the next closest VLAN Table match. The >> button will use the last entry of the currently displayed table as a basis for the next lookup. When the end is reached the text “No more entries” is shown in the displayed table. Use the |<< button to start over. Table 2.68 summarizes the descriptions of the MLD Snooping VLAN Configuration.

Figure 2.83 Webpage to Configure MLD Snooping's VLAN for an IPMC Profile

Table 2.68 Descriptions of MLD Snooping’s VLAN Configuration for an IPMC Profile:

Label

Description

Factory Default

VLAN ID

The VLAN ID of the entry.

1

MLD Snooping Enabled

Enable the per-VLAN MLD Snooping. Up to 8 VLANs can be selected for MLD Snooping.

Unclicked

Querier Election

Enable to join MLD Querier election in the VLAN. Disable to act as an MLD Non-Querier.

Clicked

Compatibility

Compatibility is maintained by hosts and routers taking appropriate actions depending on the versions of MLD operating on hosts and routers within a network. The allowed selection is MLD-Auto, Forced MLDv1, Forced MLDv2, default compatibility value is MLD-Auto.

MLD-Auto

PRI

Priority of Interface. It indicates the MLD control frame priority level generated by the system. These values can be used to prioritize different classes of traffic. The allowed range is 0 (best effort) to 7 (highest), default interface priority value is 0.

0

RV

Robustness Variable. The Robustness Variable allows tuning for the expected packet loss on a link. The allowed range is 1 to 255, default robustness variable value is 2.

2

QI (sec)

Query Interval. The Query Interval is the interval between General Queries sent by the Querier. The allowed range is 1 to 31744 seconds. Default query interval is 125 seconds.

125

QRI (0.1 sec)

Query Response Interval. The Maximum Response Delay used to calculate the Maximum Response Code inserted into the periodic General Queries. The allowed range is 0 to 31744 in tenths of seconds. Default query response interval is 100 in tenths of seconds (10 seconds).

100

LLQI (0.1 sec)

Last Listener Query Interval. The Last Listener Query Interval is the Maximum Response Delay used to calculate the Maximum Response Code inserted into Multicast Address Specific Queries sent in response to Version 1 Multicast Listener Done messages. It is also the Maximum Response Delay used to calculate the Maximum Response Code inserted into Multicast Address and Source Specific Query messages. The allowed range is 0 to 31744 in tenths of seconds. Default last listener query interval is 10 in tenths of seconds (1 second).

10

URI (sec)

Unsolicited Report Interval. The Unsolicited Report Interval is the time between repetitions of a node’s initial report of interest in a multicast address. The allowed range is 0 to 31744 seconds. Default unsolicited report interval is 1 second.

1

Click Refresh button to refresh the displayed table starting from the “VLAN” input fields. Click |<< button to update the table starting from the first entry in the VLAN Table, i.e., the entry with the lowest VLAN ID. Click >> button to update the table, starting with the entry after the last entry currently displayed. Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.
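The per-VLAN timer fields of Tables 2.66 and 2.68 determine how long a stale membership keeps multicast flowing to a port. The following added example (not the manual's or the switch's own code) validates those fields against the ranges the tables state and derives the resulting intervals; the derivation formulas are those of RFC 2236 (IGMPv2) and RFC 3810 (MLDv2), and it is an assumption that the switch computes them the same way.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class SnoopingVlanTimers:
    """Per-VLAN snooping timers as entered on the VLAN Configuration page."""
    rv: int = 2       # RV: Robustness Variable
    qi: int = 125     # QI: Query Interval, seconds
    qri: int = 100    # QRI: Query Response Interval, tenths of seconds
    llqi: int = 10    # LLQI: Last Member/Listener Query Interval, tenths of seconds
    uri: int = 1      # URI: Unsolicited Report Interval, seconds

    def validate(self) -> List[str]:
        """Return a message for every field outside the range the tables allow."""
        limits = {"rv": (1, 255), "qi": (1, 31744), "qri": (0, 31744),
                  "llqi": (0, 31744), "uri": (0, 31744)}
        problems = []
        for name, (lo, hi) in limits.items():
            value = getattr(self, name)
            if not lo <= value <= hi:
                problems.append(f"{name}={value} outside {lo}..{hi}")
        # RFC 3376/3810 additionally require the response interval to be shorter
        # than the query interval, or responses to one query overlap the next query.
        if self.qri / 10 >= self.qi:
            problems.append(f"qri={self.qri} (0.1 s) must be below qi={self.qi} s")
        return problems

    def group_membership_interval(self) -> float:
        """Seconds a learned membership survives without a report: RV * QI + QRI."""
        return self.rv * self.qi + self.qri / 10

    def other_querier_present_interval(self) -> float:
        """Seconds before a non-querier assumes the querier is gone: RV * QI + QRI / 2."""
        return self.rv * self.qi + self.qri / 20

    def last_member_query_time(self, fast_leave: bool = False) -> float:
        """Seconds a group is still forwarded after a Leave/Done message.

        Last Member Query Count defaults to RV (RFC 2236). With the Fast Leave
        port setting the record is removed at once and no queries are sent.
        """
        if fast_leave:
            return 0.0
        return self.rv * self.llqi / 10
```

With the factory defaults a group stays forwarded for 2 seconds after a leave, and a member that stops reporting is aged out after 260 seconds.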

LLDP

Link Layer Discovery Protocol (LLDP) is an IEEE 802.1ab standard OSI layer-2 protocol. LLDP allows Ethernet network devices to advertise details about themselves, such as device configuration, capabilities and identification. The advertisement packets are periodically sent to directly connected devices on the network that are also using LLDP, the so-called neighbours. LLDP is a “one hop” unidirectional protocol in an advertising mode.

LLDP information can only be sent to and received by devices; there is no solicitation of information or exchange of state changes between nodes. The device can turn the sending and receiving functions on and off independently. Advertised information is not forwarded on to other devices on the network. LLDP is designed to be managed with SNMP. Applications that use this protocol include topology discovery, inventory management, emergency services, VLAN assignment, and inline power supply.

LLDP

The LLDP webpage allows the user to inspect and configure the current LLDP interface settings as shown in Figure 2.84. The page consists of LLDP Parameters and LLDP Interface Configuration. Table 2.69 summarizes the descriptions of the LLDP Configuration.

Figure 2.84 Webpage to Configure LLDP

Table 2.69 Descriptions of LLDP Configuration:

Label

Description

Factory Default

LLDP Parameters

Tx Interval

The switch periodically transmits LLDP frames to its neighbours for having the network discovery information up-to-date. The interval between each LLDP frame is determined by the Tx Interval value. Valid values are restricted to 5 - 32768 seconds.

30

Tx Hold

Each LLDP frame contains information about how long the information in the LLDP frame shall be considered valid. The LLDP information valid period is set to Tx Hold multiplied by Tx Interval seconds. Valid values are restricted to 2 - 10 times.

4

Tx Delay

If some configuration is changed (e.g. the IP address), a new LLDP frame is transmitted, but the time between the LLDP frames will always be at least the value of Tx Delay seconds. Tx Delay cannot be larger than 1/4 of the Tx Interval value. Valid values are restricted to 1 - 8192 seconds.

2

Tx Reinit

When an interface is disabled, LLDP is disabled or the switch is rebooted, an LLDP shutdown frame is transmitted to the neighbouring units, signalling that the LLDP information isn’t valid anymore. Tx Reinit controls the number of seconds between the shutdown frame and a new LLDP initialization. Valid values are restricted to 1 - 10 seconds.

2

LLDP Interface Configuration

Interface

The switch interface name of the logical LLDP interface.

GigabitEthernet or FastEthernet

Mode

Select LLDP mode. Rx only: The switch will not send out LLDP information, but LLDP information from neighbour units is analysed. Tx only: The switch will drop LLDP information received from neighbours, but will send out LLDP information. Disabled: The switch will not send out LLDP information, and will drop LLDP information received from neighbours. Enabled: The switch will send out LLDP information, and will analyse LLDP information received from neighbours.

Disabled

CDP Aware

Select CDP awareness. The CDP operation is restricted to decoding incoming CDP frames (The switch doesn’t transmit CDP frames). CDP frames are only decoded if LLDP on the interface is enabled. Only CDP TLVs that can be mapped to a corresponding field in the LLDP neighbours’ table are decoded. All other TLVs are discarded (Unrecognized CDP TLVs and discarded CDP frames are not shown in the LLDP statistics.). CDP TLVs are mapped onto LLDP neighbours’ table as shown below. CDP TLV “Device ID” is mapped to the LLDP “Chassis ID” field. CDP TLV “Address” is mapped to the LLDP “Management Address” field. The CDP address TLV can contain multiple addresses, but only the first address is shown in the LLDP neighbours table. CDP TLV “Port ID” is mapped to the LLDP “Port ID” field. CDP TLV “Version and Platform” is mapped to the LLDP “System Description” field. Both the CDP and LLDP support “system capabilities”, but the CDP capabilities cover capabilities that are not part of the LLDP. These capabilities are shown as “others” in the LLDP neighbours’ table. If all interfaces have CDP awareness disabled the switch forwards CDP frames received from neighbour devices. If at least one interface has CDP awareness enabled all CDP frames are terminated by the switch. Note: When CDP awareness on an interface is disabled the CDP information isn’t removed immediately, but gets removed when the hold time is exceeded.

Unclicked

Port Descr

Optional TLV: When checked the “port description” is included in LLDP information transmitted.

Unclicked

Sys Name

Optional TLV: When checked the “system name” is included in LLDP information transmitted.

Clicked

Sys Descr

Optional TLV: When checked the “system description” is included in LLDP information transmitted.

Clicked

Sys Capa

Optional TLV: When checked the “system capability” is included in LLDP information transmitted.

Clicked

Mgmt Addr

Optional TLV: When checked the “management address” is included in LLDP information transmitted.

Clicked

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.

SyncE

Synchronous Ethernet (SyncE) uses a physical layer interface to pass timing from one node to the other in the same manner as timing is passed in SONET or SDH. SyncE, as defined by ITU-T standards, such as G.8261, G.8262, G.8264, and G.781, leverages the physical layer of Ethernet to transmit frequency to remote sites. This synchronous transmission of frequency over Ethernet provides a cost-effective alternative for network designers. This functionality is used to make a network ‘clock frequency synchronized’. For SyncE to work, each network element along the synchronization path must support SyncE. Network elements use synchronization status messages (SSM) to inform the neighbouring elements about the quality level (QL) of the clock. SSM is used by non-Ethernet interfaces, such as the optical interfaces and the SONET/T1/E1 SPA framers. SSM functionality provides the following key benefits.

  • Prevents timing loops

  • Provides fast recovery when a part of the network fails

  • Ensures that a node derives timing from the most reliable clock source

To maintain a logical communication channel in synchronous network connections, Ethernet relies on a channel called the Ethernet synchronization messaging channel (ESMC), based on IEEE 802.3 organization-specific slow protocol standards. ESMC relays the SSM code that represents the quality level of the Ethernet equipment clock (EEC) in a physical layer.

The ESMC packets are received only for those ports configured as clock sources and transmitted on all SyncE interfaces in the system. These packets are then processed by the clock selection algorithm and used to select the best clock. The transmitted frame is generated based on the QL value of the selected clock source and sent to all the enabled SyncE ports.

The clock selection algorithm selects the best available synchronization source from the nominated sources. The clock selection algorithm has a non-revertive behaviour among clock sources with the same QL value and priority. It always selects the signal with the best QL value. The following parameters contribute to the selection process.

  • Quality level

  • Signal fail (QL-FAILED)

  • Priority

  • External commands (manual, auto-revertive, and so on)

Figure 2.85 illustrates the SyncE Configuration webpage. There are five parts on this webpage which are Clock Source Nomination and State, Clock Selection Mode and State, Station Clock Configuration and Clock hardware, SyncE Ports, and PTP Ports (8265.1).

Figure 2.85 Webpage to Configure SyncE

For each possible clock source, the user can configure the parameters under Clock Source Nomination and State part. Table 2.70 summarizes the descriptions of parameters of Clock Source Nomination and State under SyncE.

Table 2.70 Description of Clock Source Nomination and State under SyncE:

Label

Description

Factory Default

Clock Source

This is the instance number of the clock source. This has to be referenced when selecting ‘Manual’ Mode.

-

Nominated

When a clock source is nominated, the clock output from the related PHY (Port) is enabled against the clock controller. This makes it available as a possible source in the clock selection process. If it is supported by the actual HW configuration, the Station clock input can be nominated as a Clock Source.

Unclicked

Port

In this dropdown box, the ports that can be selected for this clock source are presented. The station clock input is indicated by the port name ‘S-CLK’.

-

Priority

The priority for this clock source. Lowest number (0) is the highest priority. If two clock sources have the same priority, the lowest clock source number gets the highest priority in the clock selection process.

0

SSM Overwrite

A selectable clock source Quality Level (QL) to overwrite any QL received in an SSM. If no QL is received in an SSM (SSM is not enabled on this port), the SSM Overwrite QL is used as if received. The SSM Overwrite can be set to QL_NONE, indicating that the clock source is without any known quality (lowest compared to a clock source with known quality).

Disabled

Hold Off

The Hold Off timer value. Active loss of clock Source will be delayed the selected amount of time. The clock selector will not change clock source if the loss of clock condition is cleared within this time.

Disabled

ANEG Mode

This is relevant for 1000BaseT ports only. In order to recover clock from a port, it must be negotiated to ‘Slave’ mode. In order to distribute clock, the port must be negotiated to ‘Master’ mode.
These different ANEG modes can be activated on a Clock Source port:
Prefer Slave: The Port will be negotiated to ‘Slave’ mode if possible.
Prefer Master: The Port will be negotiated to ‘Master’ mode if possible.
Forced Slave: The Port will be forced to ‘Slave’ mode.
The selected port in ‘Locked’ state will always be negotiated to ‘Slave’ if possible.

None

LOCS

Signal is lost on this clock source.

-

SSM

Indicates that SSM is enabled but not received properly. The type of SSM failure is shown in the ‘Rx SSM’ field.

-

WTR

Wait to Restore timer is active.

-

Clear WTR

Clears the WTR timer and makes this clock source available to the clock selection process.

None

For Clock Selection Mode and State, there is only one instance of the Clock Selector, which selects between the nominated clock sources. Table 2.71 summarizes the descriptions of parameters of Clock Selection Mode and State under SyncE.

Table 2.71 Description of Clock Selection Mode and State under SyncE:

Label

Description

Factory Default

Mode

The definition of the ‘best’ clock source is firstly the one with the highest (QL) and secondly (the ones with equal QL) the highest priority.
Clock Selector can be in different modes:
Manual: Clock selector will select the clock source stated in Source (see below). If this manually selected clock source is failing, the clock selector will go into holdover state.
Manual to Selected: Same as Manual mode, where the currently selected clock source becomes the Source.
Auto NonRevertive: Clock Selection of the best clock source is only done when the selected clock fails.
Auto Revertive: Clock Selection of the best clock source is constantly done.
Force Hold Over: Clock Selector is forced to Hold Over State.
Force Free Run: Clock Selector is forced to Free Run State.

Auto Revertive

Source

Only relevant if Manual mode is selected (see above).

1

WTR Time

WTR is the Wait-To-Restore timer value in minutes. The WTR time is activated on the falling edge of a clock source failure (in Revertive mode). This means that the clock source is first available for clock selection after WTR Time (can be cleared).

5M

SSM Hold Over

This is the transmitted SSM QL value when clock selector is in Hold Over State.

Default

SSM Free Run

This is the transmitted SSM QL value when clock selector is in Free Run State.

Default

EEC Option

The ZL30xxx based SyncE modules support both the EEC1 and EEC2 option. The difference is: EEC1 => DPLL bandwidth = 3.5 Hz, EEC2 => DPLL bandwidth = 0.1 Hz.

1

State

This is indicating the state of the clock selector. Possible states are:
Free Run: There are no external clock sources to lock to (unlocked state). The Clock Selector has never been locked to a clock source long enough to calculate the hold over frequency offset to the local oscillator. The frequency of this node is the frequency of the local oscillator.
Hold Over: There are no external clock sources to lock to (unlocked state). The Clock Selector has been able to calculate the holdover frequency offset to the local oscillator. The frequency of this node is held to the frequency of the clock source previously locked to.
Locked: Clock selector is locked to the clock source indicated (See next).
Top: Clock selector is locked to Time over packets, e.g., PTP (See next).

Free Run

Clock Source

The clock source locked to when clock selector is in locked state.

-

LOL

Clock selector has raised the Loss Of Lock alarm.

-

DHOLD

Clock selector has not yet calculated the holdover frequency offset to the local oscillator. This becomes active for about 10 s when a new clock source is selected.

-

The SyncE module may have a station clock input and/or a station clock output. This can be configured under the Station Clock Configuration part.

Table 2.72 Description of Station Clock Configuration under SyncE:

Label

Description

Factory Default

Clock input frequency

If supported by the SyncE HW, the station clock input frequency can be configured. The possible frequencies are:
1.544 MHz, 2.048 MHz or 10 MHz

Disabled

Clock output frequency

If supported by the SyncE HW, the station clock output frequency can be configured. The possible frequencies are:
1.544 MHz, 2.048 MHz or 10 MHz

Disabled

Table 2.73 Description of SyncE Ports under SyncE:

Label

Description

Factory Default

Port

The port number to configure.

-

SSM Enable

Enable and disable of SSM functionality on this port.

Unclicked

Tx SSM

Monitoring of the transmitted SSM QL on this port. Transmitted QL should be the Quality Level of the clock generated by this node. This means the QL of the clock source this node is locked to.

-

Rx SSM

Monitoring of the received SSM QL on this port. If link is down on port, QL_LINK is indicated. If no SSM is received, QL_FAIL is indicated.

-

1000BaseT Mode

If PHY is in 1000BaseT Mode then this is monitoring the master/slave mode. In order to receive clock on a port, it has to be in slave mode. In order to transmit clock on a port, it has to be in master mode.

Master

Table 2.74 Description of PTP Ports under SyncE:

Label

Description

Instance

The instance number of the switch PTP feature.

Rx SSM

Monitoring of the received SSM QL on this port. If link is down on port, QL_LINK is indicated. If no SSM is received, QL_FAIL is indicated.

PTSF

PSFP is an acronym for Per Stream Filtering and Policing.
PSFP functions allow filtering and policing decisions, and subsequent frame queuing decisions, on a per-stream basis. PSFP is supported by a table of stream filters that determine the filtering and policing actions that are to be applied to frames received on ingress ports.

Click Refresh button to refresh the page immediately. Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.
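The clock selection rules spread over Tables 2.70 and 2.71 (nomination, LOCS, WTR, SSM Overwrite, QL before priority before instance number, revertive versus non-revertive mode) can be exercised offline with the following added example; it is not the switch's own implementation. The QL names and their ordering follow the ITU-T G.781 option 1 hierarchy and are an assumption, as is treating a source without SSM and without overwrite as QL_NONE.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Quality levels, best first (assumed G.781 option 1 order). QL_NONE ranks below
# every known quality; QL_FAIL/QL_LINK (Table 2.73) and QL_DNU are never selectable.
QL_RANK = {"QL_PRC": 0, "QL_SSU_A": 1, "QL_SSU_B": 2, "QL_EEC1": 3, "QL_NONE": 4}
UNUSABLE_QL = {"QL_DNU", "QL_FAIL", "QL_LINK"}


@dataclass
class ClockSource:
    number: int                          # Clock Source instance number (Table 2.70)
    port: str                            # e.g. "Gi1" or "S-CLK" for the station clock
    nominated: bool = False
    priority: int = 0                    # 0 is the highest priority
    ssm_enabled: bool = True             # SSM Enable on the port (Table 2.73)
    rx_ssm: Optional[str] = None         # QL received in SSM; None = none received
    ssm_overwrite: Optional[str] = None  # SSM Overwrite QL; None = Disabled
    locs: bool = False                   # LOCS: signal lost on this source
    wtr_active: bool = False             # WTR timer running after a failure cleared

    def effective_ql(self) -> str:
        """QL used in selection: the overwrite wins, otherwise the received SSM."""
        if self.ssm_overwrite is not None:
            return self.ssm_overwrite
        if not self.ssm_enabled:
            return "QL_NONE"          # assumption: no SSM, no overwrite = unknown quality
        return self.rx_ssm if self.rx_ssm is not None else "QL_FAIL"

    def available(self) -> bool:
        return (self.nominated and not self.locs and not self.wtr_active
                and self.effective_ql() not in UNUSABLE_QL)


def select_clock(sources: List[ClockSource], mode: str, current: Optional[int] = None,
                 manual_source: int = 1) -> Tuple[str, Optional[int]]:
    """One selection step: returns (selector state, selected source number or None).

    `current` is the source the selector is locked to now (None = never locked),
    which decides between Free Run and Hold Over when nothing is available.
    """
    if mode == "Force Free Run":
        return ("Free Run", None)
    if mode == "Force Hold Over":
        return ("Hold Over", None)
    available = [s for s in sources if s.available()]
    if mode == "Manual":
        chosen = next((s for s in available if s.number == manual_source), None)
        return ("Locked", chosen.number) if chosen else ("Hold Over", None)
    if mode not in ("Auto Revertive", "Auto NonRevertive"):
        raise ValueError(f"unknown clock selection mode {mode!r}")
    if not available:
        return ("Hold Over", None) if current is not None else ("Free Run", None)

    def rank(s: ClockSource):
        # best QL first, then highest priority (lowest number), then lowest instance
        return (QL_RANK[s.effective_ql()], s.priority, s.number)

    best = min(available, key=rank)
    if mode == "Auto NonRevertive" and current is not None:
        cur = next((s for s in available if s.number == current), None)
        # non-revertive among equal QL and priority: keep the current source
        if cur is not None and rank(cur)[:2] == rank(best)[:2]:
            return ("Locked", cur.number)
    return ("Locked", best.number)
```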

MAC Table

Unicast and multicast MAC addresses held in the MAC Address Table of the managed switch can be configured on this webpage as shown in Figure 2.86. The user can set timeouts for entries (called ageing time) in the dynamic MAC Table and configure the static MAC table. The MAC Address Table Configuration webpage consists of four parts: Aging Configuration, MAC Table Learning, VLAN Learning Configuration, and Static MAC Table Configuration.

Figure 2.86 Webpage to Configure MAC Table

Table 2.75 Description of MAC Address Table Configuration:

Label

Description

Factory Default

Aging Configuration

Disable Automatic Aging

Disable the automatic aging of dynamic entries by checking the box.

Unclicked

Aging time

Configure aging time by entering a value in this field in unit of seconds. The allowed range is 10 to 1000000 seconds. By default, dynamic entries are removed from the MAC Table after 300 seconds. This removal is also called aging.

300

MAC Table Learning
Note: If the learning mode for a given port is greyed out, another module is in control of the mode, so that it cannot be changed by the user. An example of such a module is the MAC-based Authentication under 802.1X. Each port can do learning based upon the following settings:

Auto

Learning is done automatically as soon as a frame with unknown SMAC is received.

-

Disable

No learning is done.

-

Secure

Only static MAC entries are learned, all other frames are dropped.
Note: Make sure that the link used for managing the switch is added to the Static Mac Table before changing to secure learning mode, otherwise the management link is lost and can only be restored by using another non-secure port or by connecting to the switch via the serial interface.

-

VLAN Learning Configuration

Learning-disabled VLANs

This field shows the Learning-disabled VLANs. When a NEW MAC arrives on a learning-disabled VLAN, the MAC won’t be learnt. By default, the field is empty. More VLANs may be added by using a list syntax where the individual elements are separated by commas. Ranges are specified with a dash separating the lower and upper bound.
The following example will create VLANs 1, 10, 11, 12, 13, 200, and 300: 1,10-13,200,300. Spaces are allowed in between the delimiters.

Null

Static MAC Table Configuration
Note: The static entries in the MAC table are shown in this table. The static MAC table can contain 64 entries. The MAC table is sorted first by VLAN ID and then by MAC address.

Delete

Check to delete the entry. It will be deleted during the next save.

-

VLAN ID

The VLAN ID of the entry.

-

MAC Address

The MAC address of the entry.

-

Port Members

Checkmarks indicate which ports are members of the entry. Check or uncheck as needed to modify the entry.

-

Adding a New Static Entry

Click Add New Static Entry button to add a new entry to the static MAC table. Specify the VLAN ID, MAC address, and port members for the new entry. Click “Save”.

-

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.
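The note on Secure learning mode is the one place in this table where a wrong order of operations locks the administrator out. The following added example (not the switch's or the manual's own code) is a pre-commit check for a planned MAC Table configuration: it enforces the 64-entry limit, orders the static table the way the page displays it, and refuses Secure mode on the management port unless the management station's MAC is already in the static table on that port. Port names and MAC addresses in the test are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

MAX_STATIC_ENTRIES = 64                 # static MAC table size stated in Table 2.75
LEARNING_MODES = ("Auto", "Disable", "Secure")
_MAC = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass(frozen=True)
class StaticMacEntry:
    vlan_id: int
    mac: str
    ports: FrozenSet[str]               # Port Members of the entry


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form; raises ValueError on malformed input."""
    mac = mac.strip().lower().replace("-", ":")
    if not _MAC.match(mac):
        raise ValueError(f"malformed MAC address {mac!r}")
    return mac


def sorted_static_table(entries: List[StaticMacEntry]) -> List[StaticMacEntry]:
    """Order as the webpage shows it: first by VLAN ID, then by MAC address."""
    return sorted(entries, key=lambda e: (e.vlan_id,
                                          int(normalize_mac(e.mac).replace(":", ""), 16)))


def check_learning_config(learning_mode: Dict[str, str], static_table: List[StaticMacEntry],
                          mgmt_port: str, mgmt_vlan: int, mgmt_station_mac: str) -> List[str]:
    """Return the problems that would make the planned configuration unsafe to save."""
    problems = []
    if len(static_table) > MAX_STATIC_ENTRIES:
        problems.append(f"static MAC table has {len(static_table)} entries, "
                        f"limit is {MAX_STATIC_ENTRIES}")
    for port, mode in learning_mode.items():
        if mode not in LEARNING_MODES:
            problems.append(f"{port}: unknown learning mode {mode!r}")
    if learning_mode.get(mgmt_port) == "Secure":
        # In Secure mode only static entries are learned and every other frame is
        # dropped, so the station managing the switch needs a static entry on this port.
        want = normalize_mac(mgmt_station_mac)
        covered = any(e.vlan_id == mgmt_vlan and normalize_mac(e.mac) == want
                      and mgmt_port in e.ports for e in static_table)
        if not covered:
            problems.append(f"{mgmt_port}: Secure learning without a static entry for the "
                            f"management station {want} in VLAN {mgmt_vlan}; "
                            f"the management link would be lost")
    return problems
```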

VLANs

VLAN or Virtual LAN is a method to restrict communication between switch ports. At layer 2, the network is partitioned into multiple, distinct, mutually isolated broadcast domains. A Virtual Local Area Network (VLAN) is a group of devices that can be located anywhere on a network, but all devices in the group are logically connected together. In other words, VLAN allows end stations to be grouped together even if they are not located on the same network switch. With a traditional network, users usually spend a lot of time on device relocations, but a VLAN reconfiguration can be performed entirely through software. Also, VLAN provides extra security because devices within a VLAN group can only communicate with other devices in the same group. For the same reason, VLAN can help to control network traffic. A traditional network broadcasts data to all devices, no matter whether they need it or not. By allowing a member to receive data only from other members in the same VLAN group, VLAN avoids broadcasting and increases traffic efficiency (see Figure 2.87).

Figure 2.87 Example of VLAN Configuration

Configuration

The VLAN > Configuration webpage allows the user to control VLAN configuration on the switch. The page is divided into a global section and a per-port configuration section as shown in Figure 2.88. Table 2.76 and Table 2.77 provide descriptions of the options on Global VLAN Configuration and Port VLAN Configuration, respectively.

Figure 2.88 Webpage for Basic Configuration of VLANs

Table 2.76 Description of Global VLAN Configuration:

Label

Description

Factory Default

Allowed Access VLANs

This field shows the allowed Access VLANs, i.e. it only affects ports configured as Access ports. Ports in other modes are members of the VLANs specified in the Allowed VLANs field. By default, only VLAN 1 is enabled. More VLANs may be created by using a list syntax where the individual elements are separated by commas. Ranges are specified with a dash separating the lower and upper bound. The following example will create VLANs 1, 10, 11, 12, 13, 200, and 300: 1,10-13,200,300. Spaces are allowed in between the delimiters.

1

Ethertype for Custom S-ports

This field specifies the ethertype/TPID (specified in hexadecimal) used for Custom S-ports. The setting is in force for all ports whose Port Type is set to S-Custom-Port.

88A8
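The VLAN list syntax used by both the Learning-disabled VLANs field (Table 2.75) and the Allowed Access VLANs field (Table 2.76) is simple enough to parse and generate before pasting it into the webpage. The following added example (not the switch's own parser) does both, rejecting reversed ranges and IDs outside 1 to 4095; the exact error behaviour of the switch's own field is not described on the page and is not assumed here.

```python
import re
from typing import Iterable, Set

VLAN_MIN, VLAN_MAX = 1, 4095
# one element: "10" or "10-13", with optional spaces around numbers and the dash
_ELEMENT = re.compile(r"^\s*(\d+)\s*(?:-\s*(\d+)\s*)?$")


def parse_vlan_list(text: str) -> Set[int]:
    """'1, 10-13,200,300' -> {1, 10, 11, 12, 13, 200, 300}.

    An empty field means no VLANs (the Learning-disabled VLANs default).
    Raises ValueError on malformed elements, reversed ranges or out-of-range IDs.
    """
    vlans: Set[int] = set()
    if text.strip() == "":
        return vlans
    for element in text.split(","):
        match = _ELEMENT.match(element)
        if not match:
            raise ValueError(f"malformed VLAN list element {element!r}")
        lo = int(match.group(1))
        hi = int(match.group(2)) if match.group(2) else lo
        if lo > hi:
            raise ValueError(f"reversed range {lo}-{hi}")
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN IDs must be within {VLAN_MIN}-{VLAN_MAX}: {element.strip()!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans: Iterable[int]) -> str:
    """Inverse of parse_vlan_list: collapse consecutive IDs into dash ranges."""
    ids = sorted(set(vlans))
    parts = []
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)
```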

Table 2.77 Description of Port VLAN Configuration:

Label

Description

Factory Default

Port

This is the logical port number of this row.

-

Mode

The port mode (default is Access) determines the fundamental behaviour of the port in question. A port can be in one of three modes as described below. Whenever a particular mode is selected, the remaining fields in that row will be either greyed out or made changeable depending on the mode in question. Greyed out fields show the value that the port will get when the mode is applied.

Access:
Access ports are normally used to connect to end stations. Dynamic features like Voice VLAN may add the port to more VLANs behind the scenes. Access ports have the following characteristics:

  • Member of exactly one VLAN, the Port VLAN (a.k.a. Access VLAN), which by default is 1
  • Accepts untagged and C-tagged frames
  • Discards all frames not classified to the Access VLAN
  • On egress all frames are transmitted untagged
Trunk:
Trunk ports can carry traffic on multiple VLANs simultaneously, and are normally used to connect to other switches. Trunk ports have the following characteristics:
  • By default, a trunk port is member of all VLANs (1-4095)
  • The VLANs that a trunk port is member of may be limited by the use of Allowed VLANs
  • Frames classified to a VLAN that the port is not a member of are discarded
  • By default, all frames but frames classified to the Port VLAN (a.k.a. Native VLAN) get tagged on egress. Frames classified to the Port VLAN do not get C-tagged on egress
  • Egress tagging can be changed to tag all frames, in which case only tagged frames are accepted on ingress
Hybrid:
Hybrid ports resemble trunk ports in many ways, but add additional port configuration features. In addition to the characteristics described for trunk ports, hybrid ports have these abilities:
  • Can be configured to be VLAN tag unaware, C-tag aware, S-tag aware, or S-custom-tag aware
  • Ingress filtering can be controlled
  • Ingress acceptance of frames and configuration of egress tagging can be configured independently

Access

Port VLAN

Determines the port’s VLAN ID (a.k.a. PVID). Allowed VLANs are in the range 1 through 4095, default being 1.
On ingress, a frame is classified to the Port VLAN if the port is configured as VLAN unaware, if the frame is untagged, or if VLAN awareness is enabled on the port but the frame is only priority tagged (VLAN ID = 0).
On egress, frames classified to the Port VLAN do not get tagged if Egress Tagging configuration is set to untagged Port VLAN.
The Port VLAN is called an “Access VLAN” for ports in Access mode and Native VLAN for ports in Trunk or Hybrid mode.

-

Port Type

Ports in hybrid mode allow for changing the port type, that is, whether a frame’s VLAN tag is used to classify the frame on ingress to a particular VLAN, and if so, which TPID it reacts on. Likewise, on egress, the Port Type determines the TPID of the tag, if a tag is required.

Unaware:
On ingress, all frames, whether carrying a VLAN tag or not, get classified to the Port VLAN, and possible tags are not removed on egress.

C-Port:
On ingress, frames with a VLAN tag with TPID = 0x8100 get classified to the VLAN ID embedded in the tag.
If a frame is untagged or priority tagged, the frame gets classified to the Port VLAN. If frames must be tagged on egress, they will be tagged with a C-tag.

S-Port:
On egress, if frames must be tagged, they will be tagged with an S-tag.
On ingress, frames with a VLAN tag with TPID = 0x88A8 get classified to the VLAN ID embedded in the tag.
Priority-tagged frames are classified to the Port VLAN.
If the port is configured to accept Tagged Only frames (see Ingress Acceptance below), frames without this TPID are dropped.

Notice:
If the S-port is configured to accept Tagged and Untagged frames (see Ingress Acceptance below), frames with a C-tag are treated like frames with an S-tag.

If the S-port is configured to accept Untagged Only frames, S-tagged frames will be discarded (except for priority S-tagged frames). C-tagged frames are initially considered untagged and will therefore not be discarded. Later on in the ingress classification process, they will get classified to the VLAN embedded in the tag instead of the port VLAN ID.

S-Custom-Port:
On egress, if frames must be tagged, they will be tagged with the custom S-tag.
On ingress, frames with a VLAN tag with a TPID equal to the Ethertype configured for Custom-S ports get classified to the VLAN ID embedded in the tag.
Priority-tagged frames are classified to the Port VLAN.
If the port is configured to accept Tagged Only frames (see Ingress Acceptance below), frames without this TPID are dropped.

Notice:
If the custom S-port is configured to accept Tagged and Untagged frames (see Ingress Acceptance below), frames with a C-tag are treated like frames with a custom S-tag.

If the Custom S-port is configured to accept Untagged Only frames, custom S-tagged frames will be discarded (except for priority custom S-tagged frames). C-tagged frames are initially considered untagged and will therefore not be discarded. Later on, in the ingress classification process, they will get classified to the VLAN embedded in the tag instead of the port VLAN ID.

C-Port

Ingress Filtering

Hybrid ports allow for changing ingress filtering. Access and Trunk ports always have ingress filtering enabled.
If ingress filtering is enabled (checkbox is checked), frames classified to a VLAN that the port is not a member of get discarded.
If ingress filtering is disabled, frames classified to a VLAN that the port is not a member of are accepted and forwarded to the switch engine. However, the port will never transmit frames classified to VLANs that it is not a member of.

Unclicked

Ingress Acceptance

Hybrid ports allow for changing the type of frames that are accepted on ingress.

Tagged and Untagged
Both tagged and untagged frames are accepted. See Port Type for a description of when a frame is considered tagged.

Tagged Only
Only frames tagged with the corresponding Port Type tag are accepted on ingress.

Untagged Only
Only untagged frames are accepted on ingress. See Port Type for a description of when a frame is considered untagged.

Tagged and Untagged

Egress Tagging

Ports in Trunk and Hybrid mode may control the tagging of frames on egress.

Untag Port VLAN
Frames classified to the Port VLAN are transmitted untagged. Other frames are transmitted with the relevant tag.

Tag All
All frames, whether classified to the Port VLAN or not, are transmitted with a tag.

Untag All
All frames, whether classified to the Port VLAN or not, are transmitted without a tag.
This option is only available for ports in Hybrid mode.

Untag All

Allowed VLANs

Ports in Trunk and Hybrid mode may control which VLANs they are allowed to become members of. Access ports can only be member of one VLAN, the Access VLAN. The field’s syntax is identical to the syntax used in the Enabled VLANs field. By default, a Trunk or Hybrid port will become member of all VLANs, and is therefore set to 1-4095. The field may be left empty, which means that the port will not become member of any VLANs.

1

Forbidden VLANs

A port may be configured to never become member of one or more VLANs. This is particularly useful when dynamic VLAN protocols like MVRP and GVRP must be prevented from dynamically adding ports to VLANs.
The trick is to mark such VLANs as forbidden on the port in question. The syntax is identical to the syntax used in the Enabled VLANs field.
By default, the field is left blank, which means that the port may become a member of all possible VLANs.

Null

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.
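The Port Type, Ingress Filtering and Ingress Acceptance rows above interact, and the two Notice paragraphs describe the case that matters most for a port facing untrusted equipment: an S-Port or Custom S-Port set to Untagged Only still classifies a C-tagged frame to the VID carried in that C-tag. The following Python model is an added example, not code from the Welotec manual or from the switch firmware. It encodes the ingress and egress rules of Table 2.77 as written (PortVlanConfig, Frame, classify_ingress and egress_tag are this example's own names; an Access port is modelled as a C-Port whose membership is just its Access VLAN) so that a planned port configuration can be tried against crafted frames before it is deployed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

TPID_C = 0x8100          # C-tag TPID, what a C-Port reacts on
TPID_S = 0x88A8          # S-tag TPID, also the factory "Ethertype for Custom S-ports"
ALL_VLANS: FrozenSet[int] = frozenset(range(1, 4096))


@dataclass(frozen=True)
class PortVlanConfig:
    """One row of Table 2.77, seen through the Hybrid-mode fields.

    An Access port is the special case port_type="c", acceptance="tagged-and-untagged",
    ingress_filtering=True and allowed={pvid}; a Trunk port is a C-Port with ingress
    filtering on and allowed = Allowed VLANs minus Forbidden VLANs.
    """
    port_type: str = "c"                       # "unaware", "c", "s" or "s-custom"
    pvid: int = 1                              # Port VLAN (Access VLAN / Native VLAN)
    acceptance: str = "tagged-and-untagged"    # or "tagged-only", "untagged-only"
    ingress_filtering: bool = True
    allowed: FrozenSet[int] = ALL_VLANS        # effective membership of the port
    custom_tpid: int = TPID_S                  # Ethertype for Custom S-ports


@dataclass(frozen=True)
class Frame:
    tpid: Optional[int] = None   # None: the frame carries no VLAN tag
    vid: int = 0                 # a tag with VID 0 is a priority tag


def native_tpid(cfg: PortVlanConfig) -> Optional[int]:
    """The TPID this port type reacts on (None for a VLAN unaware port)."""
    return {"c": TPID_C, "s": TPID_S, "s-custom": cfg.custom_tpid}.get(cfg.port_type)


def classify_ingress(cfg: PortVlanConfig, frame: Frame) -> Tuple[str, Optional[int]]:
    """Apply Port Type, Ingress Acceptance and Ingress Filtering to one frame.

    Returns ("accept", classified_vid) or ("drop:<reason>", None).
    """
    if cfg.port_type == "unaware":
        vid = cfg.pvid                          # every frame goes to the Port VLAN
    else:
        native_tagged = frame.tpid == native_tpid(cfg)
        # S-Port / S-Custom-Port notice: a C-tag does not count as "this TPID" for
        # Ingress Acceptance, but the classifier still reads the VID out of it.
        foreign_c_tag = cfg.port_type in ("s", "s-custom") and frame.tpid == TPID_C
        priority_tagged = frame.tpid is not None and frame.vid == 0

        if cfg.acceptance == "tagged-only" and not native_tagged:
            return "drop:no-native-tag", None
        if cfg.acceptance == "untagged-only" and native_tagged and not priority_tagged:
            return "drop:native-tag-present", None

        if (native_tagged or foreign_c_tag) and not priority_tagged:
            vid = frame.vid                     # VID embedded in the tag
        else:
            vid = cfg.pvid                      # untagged or priority tagged

    if cfg.ingress_filtering and vid not in cfg.allowed:
        return "drop:not-a-member", None
    return "accept", vid


def egress_tag(cfg: PortVlanConfig, vid: int, egress_tagging: str = "untag-pvid") -> Optional[int]:
    """TPID a frame classified to vid leaves with, or None when the switch adds no tag.

    egress_tagging is "untag-pvid" (Untag Port VLAN), "tag-all" or "untag-all".
    A VLAN unaware port never adds a tag (a tag already in the frame is left in place).
    """
    if cfg.port_type == "unaware" or egress_tagging == "untag-all":
        return None
    if egress_tagging == "untag-pvid" and vid == cfg.pvid:
        return None
    return native_tpid(cfg)


if __name__ == "__main__":
    # Constructed scenario: a host-facing S-Port, PVID 10, Ingress Acceptance
    # "Untagged Only", Allowed VLANs left at the default 1-4095.
    loose = PortVlanConfig(port_type="s", pvid=10, acceptance="untagged-only")
    print("loose   :", classify_ingress(loose, Frame(TPID_C, 20)))   # C-tag lands in VLAN 20
    # Same port with Allowed VLANs reduced to its Port VLAN.
    confined = PortVlanConfig(port_type="s", pvid=10, acceptance="untagged-only",
                              allowed=frozenset({10}))
    print("confined:", classify_ingress(confined, Frame(TPID_C, 20)))  # dropped by filtering
```

Run stand-alone, the script shows that Ingress Acceptance alone does not confine the host port: only Ingress Filtering together with an Allowed VLANs list restricted to the Port VLAN (or Access mode, which enforces exactly that) drops the C-tagged frame.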

SVL

SVL or Shared VLAN Learning Configuration can be set on the managed switch through this webpage as shown in Figure 2.89. In SVL, one or more VLANs map to a Filter ID (FID). By default, there is a one-to-one mapping from VLAN to FID, in which case the switch acts as an IVL (Independent VLAN Learning) bridge, but with SVL multiple VLANs may share the same MAC address table entries. Click Add FID button to add a new row to the SVL table. The FID will be pre-filled with the first unused FID. Table 2.78 summarizes the descriptions of Shared VLAN Learning Configuration.

Figure 2.89 Webpage to SVL Configuration

Table 2.78 Description of Shared VLAN Learning Configuration:

Label

Description

Factory Default

Delete

A previously allocated FID can be deleted by the use of this button.

-

FID

The Filter ID (FID) is the ID that VLANs get learned on in the MAC table when SVL is in effect. No two rows in the table can have the same FID and the FID must be a number between 1 and 63.

1

VLANs

List of VLANs mapped into FID.
The syntax is as follows: Individual VLANs are separated by commas. Ranges are specified with a dash separating the lower and upper bound.
The following example will map VLANs 1, 10, 11, 12, 13, 200, and 300: 1, 10-13, 200, 300.
Spaces are allowed in between the delimiters. The range of valid VLANs is 1 to 4095.
The same VLAN can only be a member of one FID. A message will be displayed if one VLAN is grouped into two or more FIDs.
All VLANs must map to a particular FID, and by default VLAN x maps to FID x. This implies that if FID x is defined, then VLAN x is implicitly a member of FID x unless it is specified for another FID. If FID x doesn’t exist, a confirmation message will be displayed, asking whether to continue adding VLAN x implicitly to FID x.

-

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.
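The list syntax above is shared by the Enabled VLANs, Allowed VLANs and Forbidden VLANs fields of Table 2.77 and by the VLANs field of Table 2.78, and the SVL rules (a VLAN under one FID only, VLAN x implicitly in FID x) are easy to get wrong once several rows are typed in. The following Python example is added here and is not part of the Welotec manual or the switch firmware: it parses the syntax, computes a port's effective membership (a Forbidden VLAN is assumed to take precedence over the Allowed VLANs list, as the page's "never become member" wording implies), and resolves the effective VLAN-to-FID map so that two VLANs can be checked for shared MAC learning before the configuration is saved. All function names are this example's own.

```python
import re
from typing import Dict, Set

VLAN_MIN, VLAN_MAX = 1, 4095
FID_MIN, FID_MAX = 1, 63


def parse_vlan_list(text: str) -> Set[int]:
    """Expand the web UI list syntax ("1, 10-13, 200, 300") into a set of VIDs.

    Elements are comma separated, ranges use a dash, spaces around the delimiters
    are allowed and an empty field means "no VLANs" (an empty Allowed VLANs field).
    Anything outside 1-4095, or a reversed range, raises instead of being clipped.
    """
    vids: Set[int] = set()
    if not text.strip():
        return vids
    for element in text.split(","):
        element = element.strip()
        m = re.fullmatch(r"(\d+)\s*(?:-\s*(\d+))?", element)
        if m is None:
            raise ValueError(f"bad VLAN list element {element!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not VLAN_MIN <= lo <= hi <= VLAN_MAX:
            raise ValueError(f"VLAN range {lo}-{hi} outside {VLAN_MIN}-{VLAN_MAX}")
        vids.update(range(lo, hi + 1))
    return vids


def format_vlan_list(vids: Set[int]) -> str:
    """Inverse of parse_vlan_list: collapse consecutive VIDs back into range syntax."""
    ordered = sorted(vids)
    parts = []
    i = 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        parts.append(str(ordered[i]) if i == j else f"{ordered[i]}-{ordered[j]}")
        i = j + 1
    return ",".join(parts)


def port_membership(mode: str, pvid: int, allowed: str = "1-4095", forbidden: str = "") -> Set[int]:
    """VLANs a port can actually be a member of: an Access port only its Access VLAN,
    a Trunk or Hybrid port its Allowed VLANs minus its Forbidden VLANs (assumed
    precedence: a forbidden VLAN is never joined, even if it is also allowed)."""
    if mode == "access":
        return {pvid}
    return parse_vlan_list(allowed) - parse_vlan_list(forbidden)


def resolve_fids(rows: Dict[int, str]) -> Dict[int, int]:
    """Effective VLAN -> FID map from the SVL table (FID -> VLANs field).

    A FID is 1-63, a VLAN may be listed under one FID only, and every VLAN that is
    not listed anywhere keeps the default mapping VLAN x -> FID x.  That default is
    also what makes VLAN x an implicit member of FID x once FID x is defined,
    unless VLAN x is explicitly listed under another FID.
    """
    vid_to_fid: Dict[int, int] = {}
    for fid, vlans in rows.items():
        if not FID_MIN <= fid <= FID_MAX:
            raise ValueError(f"FID {fid} outside {FID_MIN}-{FID_MAX}")
        for vid in parse_vlan_list(vlans):
            if vid_to_fid.get(vid, fid) != fid:
                raise ValueError(f"VLAN {vid} is grouped into FID {vid_to_fid[vid]} and FID {fid}")
            vid_to_fid[vid] = fid
    for vid in range(VLAN_MIN, VLAN_MAX + 1):
        vid_to_fid.setdefault(vid, vid)
    return vid_to_fid


def share_mac_entries(fids: Dict[int, int], vid_a: int, vid_b: int) -> bool:
    """True when the two VLANs learn into the same FID, i.e. share MAC table entries."""
    return fids[vid_a] == fids[vid_b]


if __name__ == "__main__":
    # Constructed SVL table: FID 2 shares learning between VLANs 10-12 and 300.
    fids = resolve_fids({2: "10-12, 300"})
    print(format_vlan_list({v for v, f in fids.items() if f == 2}))
    print(share_mac_entries(fids, 10, 300), share_mac_entries(fids, 10, 20))
```

share_mac_entries returning True for two VLANs means a station's MAC learned in one of them fills the forwarding entry the other VLAN uses, which is exactly what SVL is for, and what to check before two VLANs that are meant to stay separate are placed in one FID.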

VCL

MAC-based VLAN

The MAC address to VLAN ID mappings can be configured in Figure 2.90. This page allows adding and deleting MAC-based VLAN Classification List entries and assigning the entries to different ports. Table 2.79 summarizes the descriptions of MAC-based VLAN Membership Configuration.

Figure 2.90 Webpage to Configure MAC-based VLAN of VCL

Table 2.79 Descriptions of MAC-based VLAN Configuration of VCL:

Label

Description

Factory Default

Delete

To delete a MAC to VLAN ID mapping entry, check this box and press Save. The entry will be deleted from the switch during the next Save.

-

MAC Address

Indicates the MAC address of the mapping.

00-00-00-00-00-00

VLAN ID

Indicates the VLAN ID the above MAC will be mapped to.

1

Port Numbers

A row of check boxes for each port is displayed for each MAC to VLAN ID mapping entry. To include a port in the mapping, check the box. To remove or exclude the port from the mapping, make sure the box is unchecked. By default, no ports are members, and all boxes are unchecked.

-

Click the Add New Entry button to add a new MAC to VLAN ID mapping entry. An empty row is added to the table, and the mapping can be configured as needed. Any unicast MAC address can be used for the mapping; broadcast and multicast MAC addresses are not allowed. Legal values for a VLAN ID are 1 through 4095. The MAC to VLAN ID entry takes effect when you click the Save button. A mapping without any port members is not added when you click Save. The Delete button can be used to undo the addition of new mappings. At most 256 MAC to VLAN ID mapping entries are supported.

Click Save button to save the setting configuration. Click Reset button to keep to the original setting.

Protocol-based VLAN

Protocol to Group

Figure 2.91 is the webpage that allows you to add new Protocol to Group Name mapping entries. Note that each protocol can be part of only one Group. It also allows you to see and delete current mapped entries for the switch. Table 2.80 provides the descriptions of the Protocol to Group Mapping Table.

Figure 2.91 Webpage to Configure Protocol to Group Mapping Table

Table 2.80 Descriptions of Protocol to Group Mapping Table Configuration

Label

Description

Factory Default

Delete

To delete a Protocol to Group Name map entry, check this box. The entry will be deleted from the switch during the next Save.

-

Frame Type

Frame Type can have one of the following values:

  1. Ethernet
  2. LLC
  3. SNAP
Note: When changing the Frame type field, the valid value of the following text field will vary depending on the new frame type you selected.

Ethernet

Value

Valid value that can be entered in this text field depends on the option selected from the preceding Frame Type selection menu. Below are the criteria for the three different Frame Types:

  1. Ethernet: The value in the text field when Ethernet is selected as the Frame Type is called etype. Valid values for etype range from 0x0600 to 0xffff.
  2. LLC: The valid value in this case is comprised of two sub-values:
     • DSAP: 1-byte long string (0x00-0xff)
     • SSAP: 1-byte long string (0x00-0xff)
  3. SNAP: The valid value in this case is also comprised of two sub-values:
     • OUI: OUI (Organizationally Unique Identifier) is a parameter in the format xx-xx-xx, where each pair (xx) in the string is a hexadecimal value between 0x00 and 0xff.
     • PID: PID (Protocol ID). If the OUI is hexadecimal 000000, the protocol ID is the Ethernet type (EtherType) field value for the protocol running on top of SNAP; if the OUI is the OUI of a particular organization, the protocol ID is a value assigned by that organization to the protocol running on top of SNAP.
In other words, if the value of the OUI field is 00-00-00 then the value of PID will be an etype (0x0600-0xffff), and if the value of the OUI is other than 00-00-00 then valid values of PID are any value between 0x0000 and 0xffff.

0x0800

Group Name

A valid Group Name is a string of at most 16 characters, unique for every entry, consisting of letters (a-z or A-Z) and digits (0-9).
Note: Special characters and underscores (_) are not allowed.

-

Click Add New Entry button to add a new entry in the mapping table. An empty row is added to the table, where Frame Type, Value and the Group Name can be configured as needed. The Delete button can be used to undo the addition of new entry. The maximum possible Protocol to Group mappings is limited to 128. Click Save button to save the setting configuration. Click Reset button to keep to the original setting.

Group to VLAN

This page allows the user to map a Group Name, which is already configured or going to be configured in the future, to a VLAN for the managed switch. Figure 2.92 shows the Group Name to VLAN mapping Table. Description of each column’s label can be found in Table 2.81.

Figure 2.92 Webpage to Configure Group name to VLAN Mapping Table

Table 2.81 Descriptions of Group name to VLAN Mapping Table Configuration:

Label

Description

Factory Default

Delete

To delete a Group Name to VLAN mapping, check this box. The entry will be deleted from the switch during the next Save.

-

Group Name

A valid Group Name is a string, at most 16 characters long, consisting of letters (a-z or A-Z) and digits (0-9) with no special characters allowed. You may either use a Group that already includes one or more protocols (see Protocol to Group mappings), or create a Group to VLAN ID mapping that will become active the moment you add one or more protocols to that Group. Furthermore, the Group to VLAN ID mapping need not be unique, as long as the port lists of these mappings are mutually exclusive (e.g., Group1 can be mapped to VID 1 on port#1 and to VID 2 on port#2).

Null

VLAN ID

Indicates the VLAN ID to which the Group Name will be mapped. A valid VLAN ID ranges from 1 to 4095.

Null

Port Members

A row of check boxes for each port is displayed for each Group Name to VLAN ID mapping. To include a port in the mapping, check the box. To remove or exclude the port from the mapping, make sure the box is unchecked. By default, no ports are members, and all boxes are unchecked.

Unclicked

Click Add New Entry button to add a new entry in the mapping table. An empty row is added to the table and the Group Name, VLAN ID and port members can be configured as needed. Legal values for a VLAN ID are 1 through 4095. The Delete button can be used to undo the addition of new entry. The maximum possible Groups to VLAN mappings are limited to 256. Click Save button to save the setting configuration. Click Reset button to keep to the original setting.

IP Subnet-based VLAN

The IP subnet to VLAN ID mappings can be configured on the webpage as shown in Figure 2.93. This page allows adding, updating and deleting IP subnet to VLAN ID mapping entries and assigning them to different ports. Table 2.82 describes the column’s label in the IP Subnet-based VLAN membership configuration.

Figure 2.93 Webpage to Configure IP Subnet-based VLAN of VCL

Table 2.82 Descriptions of IP Subnet-based VLAN Configuration:

Label

Description

Factory Default

Delete

To delete a mapping, check this box and press Save. The entry will be deleted from the switch during the next Save.

-

IP Address

Indicates the subnet’s IP address (Any of the subnet’s host addresses can be also provided here, the application will convert it automatically).

0.0.0.0

Mask Length

Indicates the subnet’s mask length.

24

VLAN ID

Indicates the VLAN ID the subnet will be mapped to. IP Subnet to VLAN ID is a unique matching.

1

Port Members

A row of check boxes for each port is displayed for each IP subnet to VLAN ID mapping entry. To include a port in a mapping, simply check the box. To remove or exclude the port from the mapping, make sure the box is unchecked. By default, no ports are members and all boxes are unchecked.

Unclicked

Click Add New Entry to add a new IP subnet to VLAN ID mapping entry. An empty row is added to the table, and the mapping can be configured as needed. Any IP address/mask can be configured for the mapping. Valid values for the VLAN ID are 1 to 4095. The IP subnet to VLAN ID mapping entry is enabled when you click on “Save” button. The Delete button can be used to undo the addition of new mappings. The maximum possible IP subnet to VLAN ID mappings is limited to 128.

Click Save button to save the setting configuration. Click Reset button to keep to the original setting. Check the Auto-refresh box to refresh the page automatically. The automatic refresh occurs every 3 seconds. Otherwise, click the Refresh button to refresh the page immediately.
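The MAC-based, Protocol-based and IP Subnet-based tables above each impose input rules that the web page only enforces at Save time. The following Python example is added here and is not part of the Welotec manual or the switch firmware; it re-implements those rules so a VCL configuration can be checked offline before it is typed in: the unicast-only rule of the MAC-based table is tested on the I/G bit of the address, the Value check follows the per-Frame-Type ranges of Table 2.80, and subnet rows are normalised the way the page says the switch does it. The text formats accepted for the Value field (DSAP:SSAP and OUI/PID) and the longest-prefix lookup in subnet_vlan_for are this example's own assumptions; the manual specifies neither.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

VID_RANGE = range(1, 4096)
HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def parse_mac(text: str) -> bytes:
    """Accept 00-11-22-33-44-55 (the manual's notation) or the colon-separated form."""
    octets = re.split(r"[-:]", text.strip())
    if len(octets) != 6 or not all(HEX_PAIR.fullmatch(o) for o in octets):
        raise ValueError(f"malformed MAC address {text!r}")
    return bytes(int(o, 16) for o in octets)


def validate_mac_entry(mac: str, vid: int, ports: List[int]) -> Tuple[bytes, int]:
    """One MAC-based VLAN row: unicast MAC, VID 1-4095, at least one port member."""
    raw = parse_mac(mac)
    # The I/G bit (bit 0 of the first octet) is set on every multicast address and
    # on the broadcast address; the page rules both out for this table.
    if raw[0] & 0x01:
        raise ValueError(f"{mac}: broadcast/multicast MAC addresses are not allowed")
    if vid not in VID_RANGE:
        raise ValueError(f"VLAN ID {vid} outside 1-4095")
    if not ports:
        raise ValueError("a mapping without port members is not added on Save")
    return raw, vid


def validate_protocol_value(frame_type: str, value: str) -> str:
    """The Value field of a Protocol to Group row, checked per Frame Type.

    Input formats are this example's convention (assumed, not the web UI's):
      Ethernet  "0x0800"                        etype 0x0600-0xffff
      LLC       "DSAP:SSAP", e.g. "42:42"       one byte each
      SNAP      "OUI/PID", e.g. "00-00-00/0x0800"  PID 0x0600-0xffff when the OUI
                is 00-00-00, otherwise 0x0000-0xffff
    Returns the value in canonical lower-case hex.
    """
    ft = frame_type.lower()
    if ft == "ethernet":
        etype = int(value, 16)
        if not 0x0600 <= etype <= 0xFFFF:
            raise ValueError(f"etype {value} outside 0x0600-0xffff")
        return f"0x{etype:04x}"
    if ft == "llc":
        dsap, ssap = (int(x, 16) for x in value.split(":"))
        if not (0 <= dsap <= 0xFF and 0 <= ssap <= 0xFF):
            raise ValueError(f"DSAP/SSAP {value} must be one byte each")
        return f"{dsap:02x}:{ssap:02x}"
    if ft == "snap":
        oui_text, pid_text = value.split("/")
        oui = oui_text.split("-")
        if len(oui) != 3 or not all(HEX_PAIR.fullmatch(o) for o in oui):
            raise ValueError(f"OUI {oui_text} must be xx-xx-xx")
        pid = int(pid_text, 16)
        lowest = 0x0600 if all(int(o, 16) == 0 for o in oui) else 0x0000
        if not lowest <= pid <= 0xFFFF:
            raise ValueError(f"PID {pid_text} outside 0x{lowest:04x}-0xffff for OUI {oui_text}")
        return "-".join(o.lower() for o in oui) + f"/0x{pid:04x}"
    raise ValueError(f"unknown frame type {frame_type!r}")


def build_subnet_table(rows: List[Tuple[str, int, int]]) -> Dict[ipaddress.IPv4Network, int]:
    """IP Subnet-based VLAN rows given as (address, mask length, VID).

    Any host address of the subnet may be entered, as on the web page; strict=False
    converts it to the subnet address.  "IP Subnet to VLAN ID is a unique matching",
    so two rows that normalise to the same subnet with different VIDs are rejected.
    """
    table: Dict[ipaddress.IPv4Network, int] = {}
    for address, mask_len, vid in rows:
        if vid not in VID_RANGE:
            raise ValueError(f"VLAN ID {vid} outside 1-4095")
        net = ipaddress.ip_network(f"{address}/{mask_len}", strict=False)
        if net in table and table[net] != vid:
            raise ValueError(f"{net} already maps to VLAN {table[net]}")
        table[net] = vid
    return table


def subnet_vlan_for(table: Dict[ipaddress.IPv4Network, int], src_ip: str) -> Optional[int]:
    """VLAN a source IP classifies to, or None if no row matches.  The page does not
    say how overlapping rows are prioritised; the longest prefix wins here (assumption)."""
    ip = ipaddress.ip_address(src_ip)
    matches = [net for net in table if ip in net]
    if not matches:
        return None
    return table[max(matches, key=lambda n: n.prefixlen)]
```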

QoS

Quality of Service (QoS) is the ability to give different priority to different applications, users, or data flows. QoS guarantees a certain level of performance to a data flow in terms of the following metrics: transmitted bit rate, bit error rate, delay, jitter, and probability of packet drop. QoS guarantees matter when network capacity is insufficient, especially for applications that require a certain bit rate and are delay sensitive. On a best-effort network, QoS cannot be guaranteed unless resources are more than sufficient to serve all users.

Controlling network traffic needs a set of rules to classify the different types of traffic and to define how each of them should be treated as it is transmitted. This managed switch can inspect both the 802.1p Class of Service (CoS) field in the VLAN tag and the DiffServ field in the IP header, the Differentiated Services Code Point (DSCP), to provide consistent classification.

Port Classification

The Port Classification webpage shown in Figure 2.94 allows the user to configure the basic QoS Ingress Classification settings for all of managed switch ports. Table 2.83 provides the descriptions of the setting parameters of QoS Port Classification.

Figure 2.94 Webpage to Configure Port Classification of QoS

Table 2.83 Descriptions of Port Classification Configuration of QoS:

Label

Description

Factory Default

Port

The port number for which the configuration below applies.

-

CoS

Controls the default class of service (CoS) value.
All frames are classified to a CoS. There is a one-to-one mapping between CoS, queue and priority. A CoS of 0 (zero) has the lowest priority.
If the port is VLAN aware, the frame is tagged and Tag Class. is enabled, then the frame is classified to a CoS that is mapped from the PCP and DEI value in the tag. Otherwise, the frame is classified to the default CoS. The classified CoS can be overruled by a QCL entry.
Note: If the default CoS has been dynamically changed, then the actual default CoS is shown in parentheses after the configured default CoS.

0

DPL

Controls the default Drop Precedence Level (DPL) value. All frames are classified to a Drop Precedence Level. If the port is VLAN aware, the frame is tagged and Tag Class. is enabled, then the frame is classified to a DPL that is mapped from the PCP and DEI value in the tag. Otherwise, the frame is classified to the default DPL. The classified DPL can be overruled by a QCL entry.

0

PCP

Controls the default Priority Code Point (PCP) value. All frames are classified to a PCP value. If the port is VLAN aware and the frame is tagged, then the frame is classified to the PCP value in the tag. Otherwise, the frame is classified to the default PCP value. Note: PCP is a 3-bit field storing the priority level for the 802.1Q frame. It is also known as User Priority.

0

DEI

Controls the default Drop Eligible Indicator (DEI) value. It is a 1-bit field in the VLAN tag. All frames are classified to a DEI value. If the port is VLAN aware and the frame is tagged, then the frame is classified to the DEI value in the tag. Otherwise, the frame is classified to the default DEI value.

0

Tag Class.

Shows the classification mode for tagged frames on this port.
Disabled: Use default CoS and DPL for tagged frames.
Enabled: Use mapped versions of PCP and DEI for tagged frames.
Click on the mode in order to configure the mode and/or mapping. Note: This setting has no effect if the port is VLAN unaware. Tagged frames received on VLAN unaware ports are always classified to the default CoS and DPL.

Disabled

DSCP Based

Click to Enable Differentiated Services Code Point (DSCP) Based QoS Ingress Port Classification. It is a field in the header of IP packets for packet classification purposes.

Unclicked

Key Type

The key type specifying the key generated for frames received on the port. The allowed values are:
Normal: Half key, match outer tag, SIP/DIP and SMAC/DMAC.
Double Tag: Quarter key, match inner and outer tag.
IP Address: Half key, match inner and outer tag, SIP and DIP. For non-IP frames, match outer tag only.
MAC and IP Address: Full key, match inner and outer tag, SMAC, DMAC, SIP and DIP.
Filtering on DMAC type (unicast/multicast/broadcast) is supported for any key type.

Normal

Address Mode

The IP/MAC address mode specifying whether the QoS Control List (QCL) classification must be based on source (SMAC/SIP) or destination (DMAC/DIP) addresses on this port. This parameter is only used when the key type is Normal. The allowed values are: Source: Enable SMAC/SIP matching. Destination: Enable DMAC/DIP matching.

Source

Click Save button to save the setting configuration. Click Reset button to keep to the original setting.

Port Policing

Port Policing webpage allows the user to configure the Policer settings for all switch ports. Note that a policer can limit the bandwidth of received frames. It is located in front of the ingress queue. QoS Ingress Port Policer Table is shown in Figure 2.95. The descriptions of QoS Ingress Port Policers are explained in Table 2.84.

Figure 2.95 Webpage to Configure Port Policing of QoS

Table 2.84 Descriptions of Port Policing Configuration of QoS:

Label

Description

Factory Default

Port

The port number for which the configuration below applies.

-

Enable

Enable or disable the port policer for this switch port.

Unchecked

Rate

Controls the rate for the port policer. This value is restricted to 100-3276700 when “Unit” is kbps or fps, and 1-3276 when “Unit” is Mbps or kfps. The rate is internally rounded up to the nearest value supported by the port policer.

500

Unit

Controls the unit of measure for the port policer rate as kbps, Mbps, fps or kfps.

kbps

Flow Control

If flow control is enabled and the port is in flow control mode, then pause frames are sent instead of discarding frames.

Unchecked

Click Save button to save the setting configuration. Click Reset button to keep to the original setting.

Queue Policing

To configure the Queue Policer settings for all switch ports, the user can check the corresponding boxes in the table in Figure 2.96. Table 2.85 describes the labels in QoS Ingress Queue Policer Table.

Figure 2.96 Webpage to Configure Queue Policing of QoS

Table 2.85 Descriptions of Queue Policing Configuration of QoS:

Label

Description

Factory Default

Port

The port number for which the configuration below applies.

-

Enable (E)

Enable or disable the queue policer for this queue on this switch port.

unchecked

Rate

Controls the rate for the queue policer. This value is restricted to 100-3276700 when “Unit” is kbps, and 1-3276 when “Unit” is Mbps. The rate is internally rounded up to the nearest value supported by the queue policer. This field is only shown if at least one of the queue policers is enabled.

500

Unit

Controls the unit of measure for the queue policer rate as kbps or Mbps. This field is only shown if at least one of the queue policers are enabled.

kbps

Click Save button to save the setting configuration. Click Reset button to keep to the original setting.

Port Scheduler

This webpage provides an overview of QoS Egress Port Schedulers for all switch ports as shown in Figure 2.97. Table 2.86 describes the labels in the QoS Egress Port Schedulers.

Figure 2.97 Webpage to Configure Port Scheduler of QoS

Table 2.86 Descriptions of Port Scheduler Configuration of QoS:

Label

Description

Factory Default

Port

The logical port for the settings contained in the same row. Click on the port number in order to configure the schedulers.

-

Mode

Shows the scheduling mode for this port.

Strict Priority

Qn

Shows the weight for this queue and port.

-

After clicking the hyperlink on any port, another configuration webpage will be launched, as shown in Figure 2.98. Table 2.87 describes the QoS Egress Port Scheduler and Shapers Port Configuration.

Figure 2.98 Webpage to Configure QoS Egress Port Scheduler and Shapers Port

Table 2.87 Descriptions of QoS Egress Port Scheduler and Shapers Port Configuration:

Label

Description

Factory Default

Scheduler Mode

Controls how many of the queues are scheduled as strict and how many are scheduled as weighted on this switch port.

Strict Priority

Queue Shaper

Enable

Controls whether the queue shaper is enabled for this queue on this switch port.

Unclicked

Rate

Controls the rate for the queue shaper. This value is restricted to 100-3281943 when “Unit” is kbps, and 1-3281 when “Unit” is Mbps. The rate is internally rounded up to the nearest value supported by the queue shaper.

500

Unit

Controls the unit of measure for the queue shaper rate as kbps or Mbps.

kbps

Rate-type

The rate type of the queue shaper. The allowed values are:
Line: Specify that this shaper operates on line rate.
Data: Specify that this shaper operates on data rate.

Line

Excess

Controls whether the queue is allowed to use excess bandwidth.

Unclicked

Credit

Controls whether the queue has credit-based shaper enabled.

Unclicked

Queue Scheduler

Weight

Controls the weight for this queue. This value is restricted to 1-100. This parameter is only shown if “Scheduler Mode” is set to “Weighted”.

Percent

Shows the weight in percent for this queue. This parameter is only shown if “Scheduler Mode” is set to “Weighted”.

Port Shaper

Enable

Controls whether the port shaper is enabled for this switch port.

Unclicked

Rate

Controls the rate for the port shaper. This value is restricted to 100-3281943 when “Unit” is kbps, and 1-3281 when “Unit” is Mbps. The rate is internally rounded up to the nearest value supported by the port shaper.

500

Unit

Controls the unit of measure for the port shaper rate as kbps or Mbps.

kbps

Rate-type

The rate type of the port shaper. The allowed values are:
Line: Specify that this shaper operates on line rate.
Data: Specify that this shaper operates on data rate.

Line

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values. Click Back button to undo any changes made locally and return to the previous page.

Port Shaping

This webpage provides an overview of QoS Egress Port Shapers for all switch ports as shown in Figure 2.99. Table 2.88 describes the labels in QoS Egress Port Shapers.

Figure 2.99 Webpage to Configure Port Shaping of QoS

Table 2.88 Descriptions of Port Shaping Configuration of QoS:

Label

Description

Factory Default

Port

The logical port for the settings contained in the same row. Click on the port number in order to configure the shapers.

-

Qn

Shows “-” for disabled or actual queue shaper rate - e.g., “800 Mbps”.

-

Port

Shows “-” for disabled or actual port shaper rate - e.g., “800 Mbps”.

-

After clicking the hyperlink on any port, another configuration webpage will be launched, as shown in Figure 2.100. Table 2.89 describes the detailed QoS Egress Port Scheduler and Shapers Port Configuration.

This page allows you to configure the Scheduler and Shapers for a specific port.

Figure 2.100 Webpage to Detailed Configure QoS Egress Port Scheduler and Shapers Port

Table 2.89 Descriptions of Detailed QoS Egress Port Scheduler and Shapers Port Configuration:

Label

Description

Factory Default

Scheduler Mode

Controls how many of the queues are scheduled as strict and how many are scheduled as weighted on this switch port.

Strict Priority

Queue Shaper

Enable

Controls whether the queue shaper is enabled for this queue on this switch port.

Unclicked

Rate

Controls the rate for the queue shaper. This value is restricted to 100-3281943 when “Unit” is kbps, and 1-3281 when “Unit” is Mbps. The rate is internally rounded up to the nearest value supported by the queue shaper.

500

Unit

Controls the unit of measure for the queue shaper rate as kbps or Mbps.

kbps

Rate-type

The rate type of the queue shaper. The allowed values are:
Line: Specify that this shaper operates on line rate.
Data: Specify that this shaper operates on data rate.

Line

Excess

Controls whether the queue is allowed to use excess bandwidth.

Unclicked

Credit

Controls whether the queue has credit-based shaper enabled.

Unclicked

Queue Scheduler

Weight

Controls the weight for this queue. This value is restricted to 1-100. This parameter is only shown if “Scheduler Mode” is set to “Weighted”.

Percent

Shows the weight in percent for this queue. This parameter is only shown if “Scheduler Mode” is set to “Weighted”.

Port Shaper

Enable

Controls whether the port shaper is enabled for this switch port.

Unclicked

Rate

Controls the rate for the port shaper. This value is restricted to 100-3281943 when “Unit” is kbps, and 1-3281 when “Unit” is Mbps. The rate is internally rounded up to the nearest value supported by the port shaper.

500

Unit

Controls the unit of measure for the port shaper rate as kbps or Mbps.

kbps

Rate-type

The rate type of the port shaper. The allowed values are:
Line: Specify that this shaper operates on line rate.
Data: Specify that this shaper operates on data rate.

Line

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values. Click Back button to undo any changes made locally and return to the previous page.

Port Tag Remarking

This webpage provides an overview of QoS Egress Port Tag Remarking for all switch ports as shown in Figure 2.101. Table 2.90 describes the labels in QoS Egress Port Tag Remarking.

Figure 2.101 Webpage to Configure Port Tag Remarking of QoS

Table 2.90 Descriptions of Port Tag Remarking Configuration of QoS:

Label

Description

Port

The logical port for the settings contained in the same row. Click on the port number in order to configure tag remarking.

Mode

Shows the tag remarking mode for this port. Classified: Use classified PCP/DEI values. Default: Use default PCP/DEI values. Mapped: Use mapped versions of QoS class and DP level.

After clicking on any port, the following webpage will be launched as shown in Figure 2.102. Table 2.91 describes the labels of the Port Tag Remarking Mode of QoS for each port.

Figure 2.102 Webpage to Configure Each Port Tag Remarking of QoS

Table 2.91 Descriptions for Port Tag Remarking Configuration of Mode:

Label

Description

Mode

Controls the tag remarking mode for this port.

Classified

Use classified PCP/DEI values.

Default

Use default PCP/DEI values

Mapped

Use mapped versions of CoS and DPL.

PCP/DEI Configuration

Controls the default PCP and DEI values used when the mode is set to Default.

(CoS, DPL) to (PCP, DEI) Mapping

Controls the mapping of the classified (CoS, DPL) to (PCP, DEI) values when the mode is set to Mapped.

Port DSCP

The Port DSCP webpage allows the user to configure the basic Quality of Service (QoS) Port Differentiated Services Code Point (DSCP) Configuration settings for all switch ports. The QoS Port DSCP Configuration table is shown in Figure 2.103. The user can change the settings for ingress traffic, egress traffic, or both. Table 2.92 explains the options for each port in QoS Port DSCP Configuration.

Figure 2.103 Webpage to Configure Port DSCP of QoS

Table 2.92 Descriptions of Port DSCP Configuration of QoS:

Label

Description

Factory Default

Port

The Port column shows the list of ports for which you can configure DSCP ingress and egress settings.

-

Ingress

Translate

In the Ingress settings you can change the ingress translation and classification settings for individual ports. There are two configuration parameters available in Ingress:
1. Translate: Check the checkbox to enable Ingress Translation.

Unchecked

Classify

2. Classify: Classification for a port has four different values.

  • Disable: No Ingress DSCP Classification.
  • DSCP=0: Classify if incoming (or translated if enabled) DSCP is 0.
  • Selected: Classify only selected DSCP for which classification is enabled as specified in DSCP Translation window for the specific DSCP.
  • All: Classify all DSCP.

Disable

Egress Rewrite

Port Egress Rewriting can be one of –

  • Disable: No Egress rewrite.
  • Enable: Rewrite enabled without remapping.
  • Remap DP Unaware: DSCP from analyser is remapped and frame is remarked with remapped DSCP value. DSCP value is always taken from the ‘DSCP Translation⭢Egress Remap DP0’ table.
  • Remap DP Aware: DSCP from analyser is remapped and frame is remarked with remapped DSCP value. Depending on the DP level of the frame, the remapped DSCP value is either taken from the ‘DSCP Translation⭢Egress Remap DP0’ table or from the ‘DSCP Translation⭢Egress Remap DP1’ table.

Disable

Click Save button to save the setting configuration. Click Reset button to keep to the original setting.

DSCP-Based QoS

This page as shown in Figure 2.104 allows the user to configure the basic QoS DSCP based QoS Ingress Classification settings for the managed switch. The maximum number of supported DSCP (Differentiated Services Code Point) is 64 as shown in the table. Table 2.93 describes the options for each DSCP.

Figure 2.104 Webpage to Configure DSCP-Based of QoS

Table 2.93 Descriptions of DSCP-Based Configuration of QoS:

Label

Description

Factory Default

DSCP

Maximum number of supported DSCP values is 64.

-

Trust

Controls whether a specific DSCP value is trusted. Only frames with trusted DSCP values are mapped to a specific QoS class and Drop Precedence Level (DPL). Frames with untrusted DSCP values are treated as non-IP frames.

Unchecked

CoS

CoS class value can be any of (0-7)

0

DPL

Drop Precedence Level (0-1)

0

Click Save button to save the setting configuration. Click Reset button to keep to the original setting.

DSCP Translation

DSCP Translation webpage as shown in Figure 2.105 allows you to configure the basic QoS DSCP Translation settings for the managed switch. DSCP translation can be done in Ingress or Egress. Table 2.94 describes the setting options for DSCP Translation.

Figure 2.105 Webpage to Configure DSCP Translation of QoS

Table 2.94 Descriptions of DSCP Translation Configuration of QoS:

Label

Description

Factory Default

DSCP

The maximum number of supported DSCP values is 64, and valid DSCP values range from 0 to 63.

-

Ingress

Translate

On the Ingress side, the DSCP can first be translated to a new DSCP before it is used for the QoS class and DPL mapping.
Translate: The DSCP at the Ingress side can be translated to any of the (0-63) DSCP values.

-

Classify

Click to enable Classification at Ingress side.

Unchecked

Egress

There are the following configurable parameters for the Egress side:
1. Remap DP0: Controls the remapping for frames with DP level 0.
2. Remap DP1: Controls the remapping for frames with DP level 1.

-

DP0 /DP1

Select the DSCP value from select menu to which you want to remap. DSCP value ranges from 0 to 63.

-

Click Save button to save the setting configuration. Click Reset button to keep to the original setting.

DSCP Classification

The DSCP Classification webpage as shown in Figure 2.106 allows you to configure the mapping of Class of Service (CoS) or QoS Class and Drop Precedence Level (DPL) to DSCP value. Table 2.95 explains the options for DSCP Classification.

Figure 2.106 Webpage to Configure DSCP Classification of QoS

Table 2.95 Descriptions of DSCP Classification Configuration of QoS

Label

Description

Factory Default

QoS Class

Actual QoS class.

-

DSCP DP0

Select the classified DSCP value (0-63) for Drop Precedence Level 0.

0

DSCP DP1

Select the classified DSCP value (0-63) for Drop Precedence Level 1.

0

Click Save button to save the setting configuration. Click Reset button to keep to the original setting.
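The four DSCP pages above (Port DSCP, DSCP-Based QoS, DSCP Translation and DSCP Classification) describe one pipeline that a frame’s DSCP value passes through. The following Python model is an added example, not the switch firmware or Welotec’s code. It stores the tables as dictionaries and assumes the processing order ingress translate, trust lookup, per-port DSCP classification, then egress rewrite; that order is a reading of the descriptions above, not something the manual states. All table contents and port roles are constructed. The scenario it runs is the one a defender cares about: an edge port with ingress translation mapping every DSCP to 0, so attached hosts cannot obtain priority by marking their own traffic, while an uplink port trusts the marks it receives from the core.

```python
"""Model of the DSCP handling described on the Port DSCP, DSCP-Based QoS,
DSCP Translation and DSCP Classification pages (added example; the processing
order and all table contents are assumptions, not switch defaults)."""
from dataclasses import dataclass, field


@dataclass
class PortDscpConfig:
    translate: bool = False           # Port DSCP -> Ingress -> Translate
    classify: str = "disable"         # Port DSCP -> Ingress -> Classify: disable|dscp0|selected|all
    egress_rewrite: str = "disable"   # disable|enable|remap_dp_unaware|remap_dp_aware
    default_cos: int = 0              # used when the DSCP is untrusted (frame treated as non-IP)
    default_dpl: int = 0


@dataclass
class DscpTables:
    # DSCP Translation page
    ingress_translate: dict = field(default_factory=lambda: {d: d for d in range(64)})
    ingress_classify_enabled: set = field(default_factory=set)   # per-DSCP "Classify" checkbox
    egress_remap_dp0: dict = field(default_factory=lambda: {d: d for d in range(64)})
    egress_remap_dp1: dict = field(default_factory=lambda: {d: d for d in range(64)})
    # DSCP-Based QoS page: dscp -> (trusted, cos, dpl); everything untrusted by default
    dscp_qos: dict = field(default_factory=lambda: {d: (False, 0, 0) for d in range(64)})
    # DSCP Classification page: (qos_class, dpl) -> dscp
    classification: dict = field(
        default_factory=lambda: {(c, p): 0 for c in range(8) for p in range(2)})


def process_frame(ingress: PortDscpConfig, egress: PortDscpConfig,
                  tables: DscpTables, dscp_in: int) -> dict:
    """Return the classified CoS/DPL and the DSCP written to the outgoing frame."""
    if not 0 <= dscp_in <= 63:
        raise ValueError(f"DSCP must be 0-63, got {dscp_in}")
    # 1. Ingress translation, if the ingress port enables it
    dscp = tables.ingress_translate[dscp_in] if ingress.translate else dscp_in
    # 2. DSCP-Based QoS: only trusted DSCP values map to a QoS class and DPL
    trusted, cos, dpl = tables.dscp_qos[dscp]
    if not trusted:
        cos, dpl = ingress.default_cos, ingress.default_dpl
    # 3. Port DSCP classification: re-derive the DSCP from the classified (CoS, DPL)
    if ingress.classify == "all":
        reclassify = True
    elif ingress.classify == "dscp0":
        reclassify = dscp == 0
    elif ingress.classify == "selected":
        reclassify = dscp in tables.ingress_classify_enabled
    else:
        reclassify = False
    if reclassify:
        dscp = tables.classification[(cos, dpl)]
    # 4. Egress rewrite on the outgoing port
    mode = egress.egress_rewrite
    if mode == "disable":
        dscp_out = dscp_in                      # frame leaves with its original DSCP
    elif mode == "enable":
        dscp_out = dscp                         # classified DSCP, no remap
    elif mode == "remap_dp_unaware":
        dscp_out = tables.egress_remap_dp0[dscp]
    elif mode == "remap_dp_aware":
        remap = tables.egress_remap_dp1 if dpl == 1 else tables.egress_remap_dp0
        dscp_out = remap[dscp]
    else:
        raise ValueError(f"unknown egress rewrite mode {mode!r}")
    return {"cos": cos, "dpl": dpl, "dscp_out": dscp_out}


def build_example_tables() -> DscpTables:
    """Constructed table contents: trust only EF (46) and AF41 (34), and bleach
    every mark to 0 on ports that enable ingress translation."""
    t = DscpTables()
    t.ingress_translate = {d: 0 for d in range(64)}   # untrusted edge: every mark becomes 0
    t.dscp_qos[0] = (True, 0, 0)
    t.dscp_qos[46] = (True, 7, 0)                     # EF -> highest class
    t.dscp_qos[34] = (True, 4, 1)                     # AF41 -> class 4, drop precedence 1
    t.classification[(7, 0)] = 46
    t.classification[(4, 1)] = 34
    t.egress_remap_dp1[34] = 36                       # DP1 traffic leaves as AF42
    return t


TABLES = build_example_tables()
# Edge port facing untrusted hosts: strip marks on ingress, leave egress DSCP alone.
EDGE = PortDscpConfig(translate=True, classify="disable", egress_rewrite="disable")
# Uplink to the trusted core: honour marks, re-derive DSCP from the class, remap on egress.
UPLINK = PortDscpConfig(translate=False, classify="all", egress_rewrite="remap_dp_aware")

if __name__ == "__main__":
    print("host marks EF on edge port  :", process_frame(EDGE, UPLINK, TABLES, 46))
    print("EF arriving from the core   :", process_frame(UPLINK, EDGE, TABLES, 46))
    print("AF41 core-to-core           :", process_frame(UPLINK, UPLINK, TABLES, 34))
    print("untrusted AF11 from the core:", process_frame(UPLINK, UPLINK, TABLES, 10))
```

The first scenario is the point of the exercise: a host marking EF on the edge port ends up in CoS 0 with DSCP 0 on the uplink, while the same mark arriving from the core keeps CoS 7. Keep the trust and translation tables in mind when you audit a switch, since they are global and only the Translate/Classify checkboxes are per port.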

QoS Control List

The QoS Control List webpage as shown in Figure 2.107 shows the QoS Control List (QCL), which is made up of QCEs (QoS Control Entries). Each row describes one defined QCE. Table 2.96 describes each column in the list. The maximum number of QCEs is 256 on each switch. To add a new QCE, click on the plus sign; the webpage is then updated as shown in Figure 2.108. This updated webpage allows the user to edit or insert one single QoS Control Entry at a time. A QCE consists of several parameters as described in Table 2.97. These parameters vary according to the frame type that the user selected.

Figure 2.107 Webpage to Configure QoS Control List

Table 2.96 Descriptions of QoS Control List Configuration:

Label

Description

Factory Default

QCE

Indicates the QCE id.

-

Port

Indicates the list of ports configured with the QCE or ‘Any’.

-

DMAC

Indicates the destination MAC address. Possible values are:
Any: Match any DMAC.
Unicast: Match unicast DMAC.
Multicast: Match multicast DMAC.
Broadcast: Match broadcast DMAC.
<MAC>: Match specific DMAC. The default value is ‘Any’.

-

SMAC

Match specific source MAC address or ‘Any’. If a port is configured to match on destination addresses, this field indicates the DMAC.

-

Tag

Indicates tag type. Possible values are:
Any: Match tagged and untagged frames.
Untagged: Match untagged frames.
Tagged: Match tagged frames.
C-Tagged: Match C-tagged frames.
S-Tagged: Match S-tagged frames.
The default value is ‘Any’.

-

VID

Indicates the VLAN ID, either a specific VID or a range of VIDs. VID can be in the range 1-4095 or ‘Any’.

-

PCP

Priority Code Point: Valid values of PCP are specific (0, 1, 2, 3, 4, 5, 6, 7) or range (0-1, 2-3, 4-5, 6-7, 0-3, 4-7) or ‘Any’.

-

DEI

Drop Eligible Indicator: Valid value of DEI are 0, 1 or ‘Any’.

-

Frame Type

Indicates the type of frame. Possible values are:
Any: Match any frame type.
Ethernet: Match EtherType frames.
LLC: Match (LLC) frames.
SNAP: Match (SNAP) frames.
IPv4: Match IPv4 frames.
IPv6: Match IPv6 frames.

-

Action Parameters

Indicates the classification action taken on ingress frame if parameters configured are matched with the frame’s content. Possible actions are:
CoS: Classify Class of Service.
DPL: Classify Drop Precedence Level.
DSCP: Classify DSCP value.
PCP: Classify PCP value.
DEI: Classify DEI value.
Policy: Classify ACL Policy number.

-

The user can modify each QCE (QoS Control Entry) in the table using the following buttons:

Plus icon: Inserts a new QCE before the current row.

Edit icon (e): Edits the QCE.

Up-arrow icon: Moves the QCE up the list.

Down-arrow icon: Moves the QCE down the list.

Cross icon: Deletes the QCE.

Bottom plus icon: The lowest plus sign adds a new entry at the bottom of the QCE listing.

Figure 2.108 Adding New QCE Configuration

Table 2.97 Descriptions of QoS Control Entry’s Parameters:

Label

Description

Factory Default

Port Members

Check the checkbox button to include the port in the QCL entry. By default, all ports are included.

All ports

Key Parameters

Key configuration is described as below:
DMAC: Destination MAC address: Possible values are ‘Unicast’, ‘Multicast’, ‘Broadcast’, ‘Specific’ (xx-xx-xx-xx-xx-xx) or ‘Any’.
SMAC: Source MAC address: xx-xx-xx-xx-xx-xx or ‘Any’.
Tag: Value of Tag field can be ‘Untagged’, ‘Tagged’, ‘C-Tagged’, ‘S-Tagged’ or ‘Any’.
VID: Valid value of VLAN ID can be any value in the range 1-4095 or ‘Any’; user can enter either a specific value or a range of VIDs.
PCP: Valid value PCP are specific (0, 1, 2, 3, 4, 5, 6, 7) or range (0-1, 2-3, 4-5, 6-7, 0-3, 4-7) or ‘Any’.
DEI: Valid value of DEI can be ‘0’, ‘1’ or ‘Any’.
Inner Tag: Value of Inner Tag field can be ‘Untagged’, ‘Tagged’, ‘C-Tagged’, ‘S-Tagged’ or ‘Any’. All inner tag parameters depend on the Key Type configuration in QoS Ingress Port Classification Help.
Inner VID: Valid value of Inner VLAN ID can be any value in the range 1-4095 or ‘Any’; user can enter either a specific value or a range of VIDs.
Inner PCP: Valid value of Inner PCP are specific (0, 1, 2, 3, 4, 5, 6, 7) or range (0-1, 2-3, 4-5, 6-7, 0-3, 4-7) or ‘Any’.
Inner DEI: Valid value of Inner DEI can be ‘0’, ‘1’ or ‘Any’.
Frame Type: Frame Type can have any of the following values:

  1. Any
  2. EtherType
  3. LLC
  4. SNAP
  5. IPv4
  6. IPv6
Note: All frame types are explained in the next Table.

Any

Action Parameters

CoS: Class of Service: (0-7) or ‘Default’.
DPL: Drop Precedence Level: (0-1) or ‘Default’.
DSCP: (0-63, BE, CS1-CS7, EF or AF11-AF43) or ‘Default’.
PCP: (0-7) or ‘Default’. Note: PCP and DEI cannot be set individually.
DEI: (0-1) or ‘Default’.
Policy: ACL Policy number: (0-63) or ‘Default’ (empty field).
‘Default’ means that the default classified value is not modified by this QCE.

Default

Table 2.98 Description of Frame Type:

Frame Type

Description

Any

Allow all types of frames.

EtherType

EtherType: Valid EtherType values are 0x600-0xFFFF, excluding 0x800 (IPv4) and 0x86DD (IPv6), or ‘Any’.

LLC

DSAP Address: Valid DSAP (Destination Service Access Point) can vary from 0x00 to 0xFF or ‘Any’.
SSAP Address: Valid SSAP (Source Service Access Point) can vary from 0x00 to 0xFF or ‘Any’.
Control: Valid Control field can vary from 0x00 to 0xFF or ‘Any’.

SNAP

PID: Valid PID (a.k.a. EtherType) can be 0x0000-0xFFFF or ‘Any’.

IPv4

Protocol: IP protocol number (0-255, ‘TCP’ or ‘UDP’) or ‘Any’.
Source IP: Specific source IP address in value/mask format or ‘Any’. IP and Mask are in the format x.y.z.w where x, y, z, and w are decimal numbers between 0 and 255. When Mask is converted to a 32-bit binary string and read from left to right, all bits following the first zero must also be zero.
Destination IP: Specific destination IP address in value/mask format or ‘Any’.
IP Fragment: IPv4 frame fragmented option: ‘Yes’, ‘No’ or ‘Any’.
DSCP: Diffserv Code Point value (DSCP). It can be a specific value, a range of values or ‘Any’. DSCP values are in the range 0-63 including BE, CS1-CS7, EF or AF11-AF43.
Sport: Source TCP/UDP port (0-65535) or ‘Any’; a specific port or a port range, applicable for IP protocol UDP/TCP.
Dport: Destination TCP/UDP port (0-65535) or ‘Any’; a specific port or a port range, applicable for IP protocol UDP/TCP.

IPv6

Protocol: IP protocol number (0-255, ‘TCP’ or ‘UDP’) or ‘Any’.
Source IP: 32 LS bits of the IPv6 source address in value/mask format or ‘Any’.
Destination IP: Specific destination IP address in value/mask format or ‘Any’.
DSCP: Diffserv Code Point value (DSCP). It can be a specific value, a range of values or ‘Any’. DSCP values are in the range 0-63 including BE, CS1-CS7, EF or AF11-AF43.
Sport: Source TCP/UDP port (0-65535) or ‘Any’; a specific port or a port range, applicable for IP protocol UDP/TCP.
Dport: Destination TCP/UDP port (0-65535) or ‘Any’; a specific port or a port range, applicable for IP protocol UDP/TCP.

Click Save button to save the configuration and move to main QCL page. Click Reset button to undo any changes made locally and revert to previously saved values. Click Cancel button to return to the previous page without saving the configuration change.
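As an added example (my own Python, not the switch’s implementation), the following models how the QCE parameters in Tables 2.96 to 2.98 are matched against an ingress frame and how the action parameters override the default classification. Two details that matter for a correct policy are made explicit: the QCL is walked top to bottom and the first matching QCE wins (an assumption consistent with the move up/down buttons, not a statement from the manual), and an IPv4 mask is accepted only if it obeys the rule quoted in Table 2.98 (every bit after the first zero must be zero). The QCEs, frames, MAC addresses and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed documentation values.

```python
"""QoS Control Entry matching model (added example, not the switch's code; first-match
order, the frame layout and every entry, frame and address below are constructed)."""
import ipaddress
from dataclasses import dataclass, field

ANY = "Any"
MAX_QCES = 256                          # per switch, from the QoS Control List description
_PROTO_NAMES = {"TCP": 6, "UDP": 17}    # the page allows 'TCP'/'UDP' in place of a number


def mask_is_contiguous(mask: str) -> bool:
    """Table 2.98 rule: as 32 bits read left to right, every bit after the first 0 is 0."""
    bits = int(ipaddress.IPv4Address(mask))
    inverted = (~bits) & 0xFFFFFFFF     # a ones-then-zeros mask inverts to 2**n - 1
    return inverted & (inverted + 1) == 0


def _match_scalar(spec, value) -> bool:
    """spec is ANY, an exact value, or an inclusive (low, high) range."""
    if spec == ANY:
        return True
    if isinstance(spec, tuple):
        return spec[0] <= value <= spec[1]
    return spec == value


def _match_ip(spec, addr: str) -> bool:
    """spec is ANY or 'value/mask' as on the page; a non-contiguous mask is rejected."""
    if spec == ANY:
        return True
    value, mask = spec.split("/")
    if not mask_is_contiguous(mask):
        raise ValueError(f"mask {mask} is not contiguous")
    m = int(ipaddress.IPv4Address(mask))
    return int(ipaddress.IPv4Address(value)) & m == int(ipaddress.IPv4Address(addr)) & m


@dataclass
class QCE:
    qce_id: int
    ports: object = ANY          # ANY or a set of port numbers (Port Members)
    dmac: object = ANY           # ANY, 'unicast'/'multicast'/'broadcast', or a specific MAC
    smac: object = ANY           # ANY or a specific MAC
    tag: object = ANY            # ANY, 'untagged', 'tagged', 'c-tagged', 's-tagged'
    vid: object = ANY            # ANY, a value or a (low, high) range; same for pcp and dei
    pcp: object = ANY
    dei: object = ANY
    frame_type: object = ANY     # ANY, 'ethertype', 'llc', 'snap', 'ipv4', 'ipv6'
    ipv4: dict = field(default_factory=dict)    # proto, sip, dip, dscp, sport, dport specs
    action: dict = field(default_factory=dict)  # cos, dpl, dscp, pcp, dei, policy; absent = Default

    def matches(self, port: int, frame: dict) -> bool:
        if self.ports != ANY and port not in self.ports:
            return False
        if self.dmac in ("unicast", "multicast", "broadcast"):
            if frame["dmac_type"] != self.dmac:
                return False
        elif self.dmac != ANY and self.dmac.lower() != frame["dmac"].lower():
            return False
        if self.smac != ANY and self.smac.lower() != frame["smac"].lower():
            return False
        tagged = frame["tag"] in ("c-tagged", "s-tagged")
        if self.tag == "tagged" and not tagged:
            return False
        if self.tag not in (ANY, "tagged") and self.tag != frame["tag"]:
            return False
        if not tagged:                        # no VLAN header to compare against
            if any(s != ANY for s in (self.vid, self.pcp, self.dei)):
                return False
        elif not all(_match_scalar(s, frame[k]) for s, k in
                     ((self.vid, "vid"), (self.pcp, "pcp"), (self.dei, "dei"))):
            return False
        if self.frame_type != ANY and self.frame_type != frame["frame_type"]:
            return False
        if self.frame_type == "ipv4":
            k = self.ipv4
            proto = k.get("proto", ANY)
            if not _match_scalar(_PROTO_NAMES.get(proto, proto), frame["proto"]):
                return False
            if not (_match_ip(k.get("sip", ANY), frame["sip"]) and
                    _match_ip(k.get("dip", ANY), frame["dip"])):
                return False
            if not _match_scalar(k.get("dscp", ANY), frame["dscp"]):
                return False
            if frame["proto"] in (6, 17):     # L4 ports only exist for TCP/UDP
                if not (_match_scalar(k.get("sport", ANY), frame["sport"]) and
                        _match_scalar(k.get("dport", ANY), frame["dport"])):
                    return False
            elif k.get("sport", ANY) != ANY or k.get("dport", ANY) != ANY:
                return False
        return True


def classify(qcl: list, port: int, frame: dict, defaults: dict) -> dict:
    """Walk the QCL top to bottom; the first matching QCE's non-Default actions win."""
    if len(qcl) > MAX_QCES:
        raise ValueError("a switch holds at most 256 QCEs")
    result = dict(defaults)
    for qce in qcl:
        if qce.matches(port, frame):
            result.update(qce.action)
            result["qce"] = qce.qce_id
            return result
    result["qce"] = None
    return result


DEFAULTS = {"cos": 0, "dpl": 0, "dscp": 0, "pcp": 0, "dei": 0, "policy": 0}
# Constructed policy: phone ports get CoS 5, stray EF marks are demoted, VLANs 100-199 get ACL policy 3.
QCL = [
    QCE(1, ports={1, 2}, frame_type="ipv4", action={"cos": 5, "dpl": 0},
        ipv4={"proto": "UDP", "dip": "192.0.2.0/255.255.255.0", "dport": (5000, 5100)}),
    QCE(2, frame_type="ipv4", ipv4={"dscp": 46}, action={"cos": 0, "dscp": 0}),
    QCE(3, tag="c-tagged", vid=(100, 199), action={"policy": 3}),
]


def sample_frame(**overrides) -> dict:
    # Untagged IPv4/UDP frame to 192.0.2.10:5060 (documentation addresses); any field overridable.
    frame = {"dmac_type": "unicast", "dmac": "00-00-5E-00-53-01", "smac": "00-00-5E-00-53-02",
             "tag": "untagged", "vid": None, "pcp": None, "dei": None, "frame_type": "ipv4",
             "proto": 17, "sip": "198.51.100.7", "dip": "192.0.2.10", "dscp": 0,
             "sport": 40000, "dport": 5060}
    frame.update(overrides)
    return frame
```

Run `classify(QCL, 1, sample_frame(dscp=46), DEFAULTS)` and the frame hits QCE 1, so the EF-demotion rule in QCE 2 never sees it; the same frame on port 3 is caught by QCE 2 instead. Ordering is therefore part of the policy, which is why the up/down buttons on the QCL page matter during review.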

Storm Policing

Global storm policers for the managed switch are configured on this webpage as shown in Figure 2.109. There are unicast storm policer, multicast storm policer, and broadcast storm policer. These only affect flooded frames, i.e., frames with a (VLAN ID, DMAC) pair not present in the MAC Address table. The settings are described in Table 2.99.

Figure 2.109 Webpage to Configure Storm Policing of QoS

Table 2.99 Descriptions of Storm Policing Configuration of QoS:

Label

Description

Factory Default

Frame Type

The frame type for which the configuration below applies.

-

Enable

Enable or disable the global storm policer for the given frame type.

Unchecked

Rate

Controls the rate for the global storm policer. This value is restricted to 1-1024000 when “Unit” is fps, and 1-1024 when “Unit” is kfps. The rate is internally rounded up to the nearest value supported by the global storm policer. Supported rates are 1, 2, 4, 8, 16, 32, 64, 128, 256 and 512 fps for rates <= 512 fps and 1, 2, 4, 8, 16, 32, 64, 128, 256, 512 and 1024 kfps for rates > 512 fps.

1

Unit

Controls the unit of measure for the global storm policer rate as fps or kfps.

fps

Click Save button to save the setting configuration. Click Reset button to undo any changes made locally and revert to previously saved values.
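Because the rate is rounded up to the next supported step, a policer configured at, say, 600 fps actually permits 1000 fps. The following Python function is an added example (not Welotec’s code) that validates a Rate/Unit pair against the limits in Table 2.99 and reports the value the policer will actually enforce and the headroom above what was asked for. It assumes 1 kfps means 1000 fps, which the manual does not state.

```python
"""Storm policer rate rounding as described in Table 2.99 (added example; the
assumption that 1 kfps = 1000 fps is mine, the manual gives no conversion)."""
FPS_STEPS = (1, 2, 4, 8, 16, 32, 64, 128, 256, 512)          # used for rates <= 512 fps
KFPS_STEPS = (1, 2, 4, 8, 16, 32, 64, 128, 256, 512, 1024)   # used for rates > 512 fps


def storm_policer_rate(rate: int, unit: str) -> dict:
    """Validate the Rate/Unit pair and return what the policer actually enforces."""
    if unit == "fps":
        if not 1 <= rate <= 1024000:
            raise ValueError("fps rate must be 1-1024000")
        requested = rate
    elif unit == "kfps":
        if not 1 <= rate <= 1024:
            raise ValueError("kfps rate must be 1-1024")
        requested = rate * 1000
    else:
        raise ValueError(f"unit must be fps or kfps, got {unit!r}")
    if requested <= 512:
        value, eff_unit = next(s for s in FPS_STEPS if s >= requested), "fps"
        effective = value
    else:
        value, eff_unit = next(k for k in KFPS_STEPS if k * 1000 >= requested), "kfps"
        effective = value * 1000
    return {"requested_fps": requested, "enforced": value, "unit": eff_unit,
            "effective_fps": effective, "headroom_fps": effective - requested}


if __name__ == "__main__":
    for rate, unit in ((600, "fps"), (3, "fps"), (513, "fps"), (5, "kfps")):
        print(rate, unit, "->", storm_policer_rate(rate, unit))
```

When sizing a broadcast-storm limit, check `effective_fps` rather than the number typed into the Rate field; the gap is largest just above 512 fps, where the policer jumps from 512 fps to 1 kfps.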

Mirroring

In order to help the network administrator keep track of network activities, the managed switch supports port mirroring, which allows incoming and/or outgoing traffic to be monitored by a single port that is defined as a mirror port. Note that the mirrored network traffic can be analysed by a network analyser or a sniffer for network performance or security monitoring purposes. Figure 2.111 shows the Mirror Port webpage. The descriptions of the port mirroring options are summarized in Table 2.100.

Port mirroring or traffic mirroring enables users to monitor network traffic passing in, or out of, a set of ports, and then pass this traffic to a destination port on the same router. Traffic mirroring copies traffic from one or more source ports and sends the copied traffic to one or more destinations for analysis by a network analyser or other monitoring device. However, traffic from one source port can be copied to only one destination port. Traffic mirroring does not affect the flow of traffic on the source ports, and allows the mirrored traffic to be sent to a destination port. For example, you need to attach a traffic analyser to the router if you want to capture Ethernet traffic that is sent by host A to host B. Traffic between host A and host B is also seen on the destination port.

Figure 2.110 Traffic Mirroring Operation

When local traffic mirroring is enabled, the traffic analyser is attached directly to the port of the same router that is configured to receive a copy of every packet that host A sends. This port is called a traffic mirroring port. The other sections of this document describe how you can fine tune this feature.

The following types of traffic mirroring are supported:

  • Local traffic mirroring: This is the most basic form of traffic mirroring. The network analyzer or sniffer is directly attached to the destination interface. In other words, all monitored ports are located on the same router as the destination port.

  • Layer 2 or Layer 3 traffic mirroring: Both Layer 2 and Layer 3 source ports can be mirrored.

Mirroring is a feature for a switched port analyzer. The administrator can use Mirroring to debug network problems. The selected traffic is mirrored, i.e. copied, to a destination port where a network analyzer can be attached to analyze the network traffic. Remote Mirroring is an extended form of Mirroring: it allows the destination port to be on another switch, so that the administrator can analyze the network traffic of other switches. If you want to receive the mirrored traffic tagged, set VLAN egress tagging to “Tag All” on the reflector port. If you want to receive the mirrored traffic untagged, set VLAN egress tagging to “Untag ALL” on the reflector port.

Figure 2.111 Webpage to Configure Mirroring

Table 2.100 Descriptions of Mirroring Webpage

Label

Description

Factory Default

Session ID

Display Mirror feature session id.

1

Mode

Enables or disables the Mirroring function.

Disabled

Type

Display switch mirroring type.
Mirror: The switch is running on mirror mode. The source port(s) and destination port are located on this switch.

Mirror

VLAN ID

The VLAN ID to which the monitored packets are copied. The default VLAN ID is 200.

-

Port Configuration

Port: The logical port for the settings contained in the same row.
Source: Selects the mirror mode for the port:
Disabled: Neither frames transmitted nor frames received are mirrored.
Both: Frames received and frames transmitted are mirrored on the Destination port.
Rx only: Frames received on this port are mirrored on the Destination port. Frames transmitted are not mirrored.
Tx only: Frames transmitted on this port are mirrored on the Destination port. Frames received are not mirrored.
Destination: Selects the destination port. This checkbox is designed for Mirror mode. The destination port is a switched port on which you receive a copy of the traffic from the source port.

Note1: In mirror mode, the device only supports one destination port.
Note2: MAC Table learning needs to be disabled on the destination port.

-

Figure 2.112 Webpage to Detailed Configure Mirroring for Session ID

PTP

Precision Time Protocol (PTP) is defined in IEEE 1588 as Precision Clock Synchronization for Networked Measurements and Control Systems, and was developed to synchronize the clocks in packet-based networks that include distributed device clocks of varying precision and stability. PTP, which is a high-precision time protocol, can be used with measurement and control systems in local area networks that require precise time synchronization. PTP is designed specifically for industrial, networked measurement and control systems, and is optimal for use in distributed systems because it requires minimal bandwidth and little processing overhead. Smart grid power automation applications such as peak-hour billing, virtual power generators, and outage monitoring and management require extremely precise time accuracy and stability. Timing precision improves network monitoring accuracy and troubleshooting ability. In addition to providing time accuracy and synchronization, the PTP message-based protocol can be implemented on packet-based networks, such as Ethernet networks. The benefits of using PTP in an Ethernet network include:

  • Low cost and easy setup in existing Ethernet networks

  • Limited bandwidth is required for PTP data packets

In an Ethernet network, switches provide a full-duplex communication path between network devices. Switches send data packets to packet destinations using address information contained in the packets. When the switch attempts to send multiple packets simultaneously, some of the packets are buffered by the switch so that they are not lost before they are sent. When the buffer is full, the switch delays sending packets. This delay can cause device clocks on the network to lose synchronization with one another. Additional delays can occur when packets entering a switch are stored in local memory while the switch searches the MAC address table to verify packet CRC fields. This process causes variations in packet forwarding time latency, and these variations can result in asymmetrical packet delay times. Adding PTP to a network can compensate for these latency and delay problems by correctly adjusting device clocks so that they stay synchronized with one another. PTP enables network switches to function as PTP devices, including boundary clocks (BCs) and transparent clocks (TCs). To ensure clock synchronization, PTP requires an accurate measurement of the communication path delay between the time source or primary clock and the client clock. The system clocks can be categorized based on the role of the node in the network. They are broadly categorized into ordinary clocks and boundary clocks. The primary clock and the client clock are known as ordinary clocks. The boundary clock can operate as either a primary clock or a client clock. The following list explains these clocks in detail:

  • Primary clock—The primary clock transmits the messages to the PTP clients (also called client node or boundary node). This allows the clients to establish their relative time distance and offset from the primary clock (which is the reference point) for phase synchronization. Delivery mechanism to the clients is either unicast or multicast packets over Ethernet or UDP.

  • Member clock—Located in the PTP client (also called client node), the client clock performs clock and time recovery operations based on the received and requested timestamps from the primary clock.

  • Boundary clock—The boundary clock operates as a combination of the primary and client clocks. The boundary clock endpoint acts as a client clock to the primary clock, and also acts as the primary to all the slaves reporting to the boundary endpoint.

PTP sends messages between the primary clock and client clock device to determine the delay measurement. Then, PTP measures the exact message transmit and receive times and uses these times to calculate the communication path delay. PTP then adjusts current time information contained in network data for the calculated delay, resulting in more accurate time information. This delay measurement principle determines path delay between devices on the network, and the local clocks are adjusted for this delay using a series of messages sent between masters and slaves. The one-way delay time is calculated by averaging the path delay of the transmit and receive messages. This calculation assumes a symmetrical communication path; however, switched networks do not necessarily have symmetrical communication paths, due to the buffering process. PTP provides a method, using transparent clocks, to measure and account for the delay in a time-interval field in network timing packets, making the switches temporarily transparent to the master and slave nodes on the network. An end-to-end transparent clock forwards all messages on the network in the same way that a switch does.
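The delay measurement described in the paragraph above, worked through in Python as an added example (not the switch’s PTP implementation). The function takes the four timestamps of a Sync/Delay_Req exchange and returns the client’s offset and mean path delay. The simulation around it shows that a symmetric path yields the true offset, that path asymmetry shifts the estimate by half the asymmetry, and that switch queuing delay is absorbed only when an end-to-end transparent clock reports its residence time in the correction field. Timestamps and delays are constructed values in nanoseconds.

```python
"""Offset and path-delay estimation from the four PTP timestamps described in the
text (added example, not the switch's PTP implementation). Times are integers in
nanoseconds; all scenario values are constructed."""


def ptp_offset_and_delay(t1, t2, t3, t4, corr_ms=0, corr_sm=0):
    """t1: Sync leaves the primary (primary clock time)
    t2: Sync arrives at the client (client clock time)
    t3: Delay_Req leaves the client (client clock time)
    t4: Delay_Req arrives at the primary (primary clock time)
    corr_ms / corr_sm: correctionField accumulated by end-to-end transparent clocks on
    the primary-to-client and client-to-primary paths (residence time inside switches).
    Returns (offset of the client clock from the primary, mean one-way path delay)."""
    ms = (t2 - t1) - corr_ms          # apparent primary -> client transit, residence removed
    sm = (t4 - t3) - corr_sm          # apparent client -> primary transit
    mean_delay = (ms + sm) / 2        # the averaging step assumes a symmetric path
    offset = (ms - sm) / 2            # equivalently t2 - t1 - corr_ms - mean_delay
    return offset, mean_delay


def simulate_exchange(true_offset, delay_ms, delay_sm, residence_ms=0, residence_sm=0,
                      transparent_clock=False):
    """Generate the four timestamps for a client whose clock runs `true_offset` ns ahead of
    the primary, with fixed wire delays plus switch queuing (residence) in each direction,
    and return the client's estimate (offset, delay). With transparent_clock=True the
    residence time is carried in correctionField, so the client can subtract it."""
    t1 = 1_000_000_000
    t2 = t1 + delay_ms + residence_ms + true_offset   # client clock reads primary time + offset
    t3 = t2 + 10_000                                  # client sends Delay_Req 10 us later
    t4 = t3 - true_offset + delay_sm + residence_sm   # back in primary clock time
    corr_ms = residence_ms if transparent_clock else 0
    corr_sm = residence_sm if transparent_clock else 0
    return ptp_offset_and_delay(t1, t2, t3, t4, corr_ms, corr_sm)


if __name__ == "__main__":
    print("symmetric path  :", simulate_exchange(100_000, 5_000, 5_000))
    print("asymmetric wire :", simulate_exchange(100_000, 8_000, 2_000))
    print("queued, no TC   :", simulate_exchange(100_000, 5_000, 5_000, residence_ms=40_000))
    print("queued, E2E TC  :", simulate_exchange(100_000, 5_000, 5_000, residence_ms=40_000,
                                                 transparent_clock=True))
```

The third case is the buffering problem the text describes: 40 µs of queuing on the Sync path alone is read by the client as a 20 µs clock error, and no amount of averaging removes it. Only the transparent-clock correction in the fourth case restores the true 100 µs offset.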

The PTP webpage as shown in Figure 2.113 allows the user to configure and inspect the current PTP clock settings. Table 2.101 summarizes the parameters for PTP Clock Configuration.

Figure 2.113 Webpage to Configure PTP

Figure 2.114 Webpage to Configure New PTP Clock

Table 2.101 Descriptions of PTP Clock Configuration:

Label

Description

Factory Default

Delete

Check this box and click on ‘Save’ button to delete the clock instance.

-

Clock Instance

Indicates the Instance of a particular Clock Instance [0…3]. Click on the Clock Instance number to edit the Clock details.

HW Domain

Indicates the HW clock domain used by the clock.

Device Type

Indicates the Type of the Clock Instance. There are five Device Types.

  1. Ord-Bound - clock’s Device Type is Ordinary-Boundary Clock.
  2. P2p Transp - clock’s Device Type is Peer to Peer Transparent Clock.
  3. E2e Transp - clock’s Device Type is End to End Transparent Clock.
  4. Master Only - clock’s Device Type is Master Only.
  5. Slave Only - clock’s Device Type is Slave Only.

Profile

Indicates the profile used by the clock.

After Clicking Add NEW PTP Clock button, another webpage will be launched, as shown in Figure 2.114. Table 2.102 summarizes the parameters for new PTP Clock Configuration.

Table 2.102 Descriptions of New PTP Clock Configuration:

Label

Description

Factory Default

Delete

Check this box and click on ‘Save’ to delete the clock instance.

-

Clock Instance

Indicates the instance number of a particular Clock Instance [0..3].
Click on the Clock Instance number to edit the Clock details.

0

HW Domain

Indicates the HW clock domain used by the clock.

0

Device Type

Indicates the Type of the Clock Instance. There are five Device Types.

  1. Ord-Bound - clock’s Device Type is Ordinary-Boundary Clock.
  2. P2p Transp - clock’s Device Type is Peer to Peer Transparent Clock.
  3. E2e Transp - clock’s Device Type is End to End Transparent Clock.
  4. Master Only - clock’s Device Type is Master Only.
  5. Slave Only - clock’s Device Type is Slave Only.

Ord-bound

Profile

Indicates the profile used by the clock.

No Profile

Click Add New PTP Clock button to create a new clock instance. Click Save button to save the setting configuration. Click Reset button to keep to the original setting.

GVRP

GVRP (GARP VLAN Registration Protocol or Generic VLAN Registration Protocol) is a standards-based protocol that facilitates control of virtual local area networks (VLANs) within a larger network. GVRP conforms to the Institute of Electrical and Electronics Engineers (IEEE) 802.1Q specification, which defines a method of tagging frames with VLAN configuration data over network trunk interconnects. GVRP is based on Generic Attribute Registration Protocol (GARP) and IEEE 802.1r, which defines procedures for end stations and switches in a VLAN to register and deregister attributes, such as identifiers or addresses, with each other. It provides every end station and switch with a current record of all the other end stations and switches that can be reached on the network. GVRP is similar to GARP, as both eliminate unnecessary network traffic by preventing attempts to transmit information to unregistered users. In addition, it is necessary to manually configure only one switch, with all the other switches then being updated automatically.

Becoming part of a formal IEEE 802.1ak standard amendment in 2007, Multiple VLAN Registration Protocol replaced GVRP, as it was found to be prone to performance issues that could potentially cause prolonged network convergence. This delay was found to create bandwidth degradation on the network at the point where the delayed convergence appeared. Technically, GVRP is still included as part of the IEEE standard, as the amendment did not completely remove it. It is expected to be removed in the future, but until that happens, GVRP is still being used. GVRP can be used to keep VLAN configurations on trunk interfaces organized across the network on large networks that consist of dozens or even hundreds of VLAN segments. There are three benefits for administrators that enable GVRP on a network:

  • It enables switches to automatically delete unused VLANs so that only the VLANs that are in use are transported across 802.1Q trunk links.

  • It enables admins to configure a new VLAN on one switch and then have it propagate the configuration across all network switches participating in the GVRP process.

  • GVRP can eliminate some unnecessary broadcast traffic on the network, reducing bandwidth overhead used for network management.

GVRP works as follows. When two or more switches are connected via 802.1Q trunk ports with GVRP enabled in a network, these switches will begin to communicate statically or dynamically through VLAN information. Switches with statically configured VLANs will advertise them to connected switches using GVRP data units. Those units are specifically designed management packets used to share VLAN information. If a switch learns of a new VLAN from its neighbor, this VLAN is added to the list of VLAN tags that can be transported across the link. The switch that learned the new information can then pass along its own statically configured VLANs, in addition to the ones learned from its neighbor. For loop avoidance, a switch cannot send dynamically learned VLAN information out the same interface that it was learned on. All the dynamically learned VLAN information is stored in switch memory. So, if power is lost or the switch is rebooted, the dynamically learned VLAN information is lost, and the VLANs are pruned from the trunk interface. But, once the switches begin communicating again, they will relearn the shared VLAN information to bring the network and all VLANs back into a fully informed state.

Global config

This GVRP⭢Global config webpage shown in Figure 2.115 allows the user to configure the global GVRP configuration settings that are commonly applied to all GVRP enabled ports.

Figure 2.115 Webpage to Configure GVRP Globally

Table 2.103 Descriptions of GVRP Globally Configuration:

Label

Description

Factory Default

Join-time

Join-time is a value in the range of 1-20cs, i.e. in units of one hundredth of a second. The default value is 20cs.

20

Leave-time

Leave-time is a value in the range of 60-300cs, i.e. in units of one hundredth of a second. The default is 60cs.

60

LeaveAll-time

LeaveAll-time is a value in the range of 1000-5000cs, i.e. in units of one hundredth of a second. The default is 1000cs.

1000

Max VLANs

When GVRP is enabled, a maximum number of VLANs supported by GVRP is specified. By default, this number is 20. This number can only be changed when GVRP is turned off.

20

Click Save button to save the setting configuration. Click Refresh box to refresh the page immediately. Note that unsaved changes will be lost.

Port config

The GVRP Port Config webpage shown in Figure 2.116 allows the user to enable or disable a port for GVRP operation. This configuration can be performed either before or after GVRP is configured globally; however, the protocol operation will remain the same. Table 2.104 describes the labels on GVRP Port Configuration.

Figure 2.116 Webpage to Configure Port for GVRP

Table 2.104 Descriptions of GVRP Port Configuration:

Label

Description

Factory Default

Port

The logical port that is to be configured.

-

Mode

Mode can be either ‘Disabled’ or ‘GVRP enabled’. These values turn the GVRP feature off or on respectively for the port in question.

Disabled

Click Save button to save the setting configuration. Click Reset button to undo any changes made locally and revert to previously saved values.

DDMI

Digital Diagnostics Monitoring Interface (DDMI) allows users to perform diagnostic tests on transceiver modules such as small form-factor pluggable (SFP) modules. Enable this feature to view the various parameters of the transceiver module, such as temperature, voltage, transmission power, and so on. Figure 2.117 shows the DDMI configuration webpage. Table 2.105 describes the option on the DDMI Configuration webpage.

Figure 2.117 Webpage to Configure DDMI

Table 2.105 Descriptions of DDMI Configuration:

Label

Description

Factory Default

Mode

Indicates the DDMI mode operation. Possible modes are:
Enabled: Enable DDMI mode operation.
Disabled: Disable DDMI mode operation.

Disabled

Click Save button to save changes. Click Reset button to undo any changes made locally and revert to previously saved values.

UDLD

Unidirectional Link Detection (UDLD) is a layer 2 protocol used to determine the physical status of a link. The purpose of UDLD is to detect and deter issues that arise from unidirectional links. UDLD helps to prevent forwarding loops and blackholing of traffic by identifying and acting on logical one-way links that would otherwise go undetected. UDLD works with the Layer 1 mechanisms to determine the physical status of a link. At Layer 1, auto-negotiation takes care of physical signaling and fault detection. UDLD performs tasks that auto-negotiation cannot perform, such as detecting the identities of neighbors and shutting down misconnected ports. When users enable both auto-negotiation and UDLD, Layer 1 and Layer 2 detections work together to prevent physical and logical unidirectional connections and the malfunctioning of other protocols.

UDLD works by exchanging UDLD protocol packets that include information about the port’s device and port ID between the neighboring devices. In order for UDLD to work, both devices on the link must support UDLD and have it enabled on respective ports. Each switch port configured for UDLD sends UDLD protocol packets that contain the port’s own device/port ID, and the neighbor’s device/port IDs seen by UDLD on that port. Neighboring ports should see their own device/port ID (echo) in the packets received from the other side.

Because of this, a port should receive its own device and port ID information from its neighbor if the link is bi-directional. If a port does not receive information about its own device and port ID from its neighbor for a specific duration of time, the link is considered to be unidirectional. This can also occur when the link is up on both sides, but one side is not receiving packets, or when wiring mistakes occur, causing the transmit and receive wires to not be connected to the same ports on both ends of a link.

This echo algorithm allows detection of these issues:

  • Link is up on both sides; however, packets are only received by one side.

  • Wiring mistakes when receive and transmit fibers are not connected to the same port on the remote side.

Once a unidirectional link is detected by UDLD, the respective port is disabled. A port shut down by UDLD remains disabled until it is manually re-enabled, or until the errdisable timeout expires (if configured).

UDLD can operate in two modes: normal and aggressive. In normal mode, if the link state of the port was determined to be bidirectional and the UDLD information times out, no action is taken by UDLD. The port state for UDLD is marked as undetermined, and the port behaves according to its STP state. In aggressive mode, if the link state of the port is determined to be bidirectional and the UDLD information times out while the link on the port is still up, UDLD tries to re-establish the state of the port. If not successful, the port is put into the errdisable state.

Aging of UDLD information happens when the port that runs UDLD does not receive UDLD packets from the neighbor port for the duration of the hold time. The hold time for the port is dictated by the remote port and depends on the message interval at the remote side. The shorter the message interval, the shorter the hold time and the faster the detection. Recent implementations of UDLD allow configuration of the message interval.

UDLD information can also age out due to a high error rate on the port caused by a physical issue or a duplex mismatch. Such packet loss does not mean that the link is unidirectional, and UDLD in normal mode will not disable such a link.

It is important to choose the right message interval in order to ensure proper detection time. The message interval should be fast enough to detect the unidirectional link before a forwarding loop is created; however, it should not overload the switch CPU. The default message interval is 7 seconds, which is fast enough to detect the unidirectional link before a forwarding loop is created with the default STP timers. The detection time is approximately equal to three times the message interval.

For example: T_detection ≈ 3 × message_interval, which is 21 seconds for the default message interval of 7 seconds.

It takes T_reconvergence = max_age + 2 × forward_delay for STP to reconverge in case of a unidirectional link failure. With the default timers, it takes 20 + 2 × 7 = 34 seconds.

It is recommended to keep T_detection < T_reconvergence by choosing an appropriate message interval.

In aggressive mode, once the information is aged, UDLD will attempt to re-establish the link state by sending packets every second for eight seconds. If the link state is still not determined, the link is disabled.

Aggressive mode adds additional detection of these situations:

  • The port is stuck (on one side the port neither transmits nor receives, however, the link is up on both sides).

  • The link is up on one side and down on the other side. This issue might be seen on fiber ports. When the transmit fiber is unplugged on the local port, the link remains up on the local side. However, it is down on the remote side.

Most recently, fiber FastEthernet hardware implementations have Far End Fault Indication (FEFI) functions in order to bring the link down on both sides in these situations. On Gigabit Ethernet, a similar function is provided by link negotiation. Copper ports are normally not susceptible to this type of issue, as they use Ethernet link pulses to monitor the link. It is important to mention that, in both cases, no forwarding loop occurs because there is no connectivity between the ports. If the link is up on one side and down on the other, however, blackholing of traffic might occur. Aggressive UDLD is designed to prevent this.
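The echo check and the normal-versus-aggressive aging rules described above, as an added example that is not part of the manual: a small Python model in which two ports exchange UDLD packets once per message interval, each packet carrying the sender’s device/port ID and the neighbor IDs it has seen. A port that keeps hearing its neighbor without finding its own ID echoed back is shut in both modes (the unidirectional case); a port whose cached neighbor information simply ages out is left undetermined in normal mode and shut after the eight one-second probes in aggressive mode. Device names, port names, the hold-time multiplier of three and the fault scenarios are constructed for the illustration; timing_budget() uses the figures from the text.

```python
"""Added example (not Welotec's code): a discrete-time model of the UDLD echo
algorithm and of normal versus aggressive aging as described above. Device
names, port names, the message interval and the fault scenarios are constructed."""

HOLD_MULTIPLIER = 3       # hold time = 3 x the remote side's message interval
AGGRESSIVE_PROBES = 8     # aggressive mode: one probe per second for eight seconds


class UdldPort:
    def __init__(self, device_id, port_id, mode="normal", message_interval=7):
        self.me = (device_id, port_id)
        self.mode = mode                  # "normal" or "aggressive"
        self.message_interval = message_interval
        self.neighbors_seen = set()       # (device, port) IDs heard on this port
        self.state = "undetermined"       # undetermined | bidirectional | errdisable
        self.hold_time = 0                # seconds until cached neighbor info ages out
        self.silent_for = 0               # seconds since the last packet arrived
        self.no_echo_for = 0              # seconds the neighbor has not echoed our ID
        self.clock = 0                    # simulated seconds elapsed on this port
        self.disabled_at = None           # clock value at which UDLD shut the port

    def packet(self):
        """UDLD packet: own device/port ID plus every neighbor ID seen on this port."""
        if self.state == "errdisable":
            return None                   # a shut port transmits nothing
        return {"sender": self.me, "seen": set(self.neighbors_seen),
                "interval": self.message_interval}

    def receive(self, pkt):
        """A neighbor packet arrived during one interval: run the echo check."""
        self.clock += pkt["interval"]
        if self.state == "errdisable":
            return
        self.neighbors_seen.add(pkt["sender"])
        self.hold_time = HOLD_MULTIPLIER * pkt["interval"]   # dictated by the remote side
        self.silent_for = 0
        if self.me in pkt["seen"]:        # the neighbor lists us: the link is bidirectional
            self.state, self.no_echo_for = "bidirectional", 0
            return
        # the neighbor talks to us but does not hear us: our transmit side is suspect
        self.no_echo_for += pkt["interval"]
        if self.no_echo_for >= self.hold_time:
            self.state, self.disabled_at = "errdisable", self.clock   # unidirectional detected

    def silence(self, seconds):
        """No packet arrived for `seconds`: age the cached neighbor information."""
        self.clock += seconds
        if self.state == "errdisable" or not self.neighbors_seen:
            return                        # nothing cached, nothing to age
        self.silent_for += seconds
        if self.silent_for < self.hold_time:
            return
        self.neighbors_seen.clear()       # information aged out
        if self.mode == "aggressive" and self.state == "bidirectional":
            # re-establishment probes go unanswered (the peer is the side that went
            # quiet), so the port is shut once the eight one-second probes are spent
            self.clock += AGGRESSIVE_PROBES
            self.state, self.disabled_at = "errdisable", self.clock
        else:
            self.state = "undetermined"   # normal mode: no action, STP state governs the port


def timing_budget(message_interval, max_age, forward_delay):
    """T_detection ~ 3 x message_interval against T_reconvergence = max_age + 2 x forward_delay."""
    t_detection = HOLD_MULTIPLIER * message_interval
    t_reconvergence = max_age + 2 * forward_delay
    return t_detection, t_reconvergence, t_detection < t_reconvergence


def simulate(mode, fault_a_to_b=False, fault_b_to_a=False, fault_after=3,
             rounds=10, interval=7):
    """Run two peers for `rounds` intervals; from round `fault_after` on, the chosen
    direction(s) drop every UDLD packet while the link itself stays up."""
    a = UdldPort("SW-A", "port1", mode, interval)
    b = UdldPort("SW-B", "port2", mode, interval)
    for r in range(rounds):
        faulted = r >= fault_after
        pa, pb = a.packet(), b.packet()   # both sides transmit at the start of the interval
        if pa is None or (faulted and fault_a_to_b):
            b.silence(interval)
        else:
            b.receive(pa)
        if pb is None or (faulted and fault_b_to_a):
            a.silence(interval)
        else:
            a.receive(pb)
    return {"a": a, "b": b}


if __name__ == "__main__":
    print(timing_budget(7, 20, 7))                       # the figures from the text
    for mode in ("normal", "aggressive"):
        r = simulate(mode, fault_a_to_b=True)            # SW-A's transmit path breaks
        print(mode, r["a"].state, r["b"].state, r["b"].disabled_at)
```

Running it with only SW-A’s transmit path broken shows the asymmetry the text describes: SW-A, which still hears SW-B but is never echoed, is shut in both modes, while SW-B, which hears nothing, is merely marked undetermined in normal mode and shut after hold time plus eight probe seconds in aggressive mode. With both directions dead (the stuck-port case) only aggressive mode shuts either side.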

The UDLD webpage shown in Figure 2.118 allows the user to inspect the current UDLD configuration and change it if needed. Table 2.106 provides the descriptions of the UDLD Port Configuration.

Figure 2.118 Webpage to Configure UDLD

Table 2.106 Descriptions of UDLD Port Configuration:

Label | Description | Factory Default
Port | Port number of the switch. | 1-11
UDLD Mode | Configures the UDLD mode on a port. Valid values are Disable, Normal and Aggressive (see below). Default mode is Disable. | Disable

  • Disable: in disabled mode, UDLD functionality does not exist on the port.
  • Normal: in normal mode, if the link state of the port is determined to be unidirectional, it does not affect the port state.
  • Aggressive: in aggressive mode, ports detected as unidirectional are shut down. To bring such a port back up, UDLD must be disabled on that port.

Click Save button to save the setting configuration. Click Reset button to undo any changes made locally and revert to previously saved values.

SD Backup

The SD card can be used instead of the internal flash memory of the switch to update or restore configuration settings. In addition, the SD card can be used to boot the switch. Users can also copy IOS software and switch configuration settings from a PC or from the switch to the SD card, and then use the SD card to copy this software and these settings to other switches.

SD Backup can be configured on this page as shown in Figure 2.119. Options for SD Backup can be set according to the descriptions in Table 2.107.

Figure 2.119 Webpage to Configure SD Backup

Table 2.107 Descriptions of SD Backup Configuration:

Label | Description | Factory Default
Use the configuration file from SD | The startup-config file is replaced by the newest config file on the SD card when the switch boots. | Disabled
Automatic backup | Backs up the startup-config into the SD card folder “Automatic_backup” when the startup-config is saved. Only one file is kept. | Enabled
Periodic backup | Backs up the startup-config into the SD card folder “Period_backup” when the startup-config is saved. Multiple files can be kept, depending on “Backup period time”. | Enabled
Backup period time (Hr) | The periodic backup interval in hours. | 720

Click Save button to save the setting configuration. Click Reset button to undo any changes made locally and revert to previously saved values.

Modbus Setting

Welotec’s managed switch can be connected to a Modbus network using the Modbus TCP/IP protocol, an industrial network protocol for controlling automation equipment. The managed switch’s status and settings can be read and written through Modbus TCP/IP, which operates similarly to a Management Information Base (MIB) browser. The managed switch acts as a Modbus slave which can be remotely configured by a Modbus master. The Modbus slave address must be set to match the setting inside the Modbus master. In order to access the managed switch, a Modbus Address must be assigned as described in this subsection. Figure 2.120 shows the Modbus Setting webpage.

Figure 2.120 Webpage to Configure Modbus Setting

Table 2.108 Descriptions of Modbus Setting Configuration:

Label | Description | Factory Default
Modbus Address | Identifier for the Modbus slave device, range from 1 to 247. | 1

Click Save button to save the setting configuration. Click Reset button to undo any changes made locally and revert to previously saved values.

Users can use Modbus TCP/IP compatible applications such as Modbus Poll to configure the switch. Note that Modbus Poll can be downloaded from http://www.modbustools.com/download.html. The Modbus Poll 64-bit version 9.2.2, Build 1343 was used in this document. Welotec does not provide this software to the users. Tutorials of Modbus read and write examples are illustrated below. Note: The switch only supports Modbus function codes 03 and 04 (for Read) and 06 (for Write).

Read Registers (This example shows how to read the switch’s IP address.)

Figure 2.119 Mapping Table of Modbus Address for Switch's IP Address

  1. Make sure that a supervising computer (Modbus Master) is connected to your target switch (Modbus Slave) over an Ethernet network.

  2. Launch Modbus Poll on the supervising computer. Note that a registration key may be required for long-term use of Modbus Poll after the 30-day evaluation period. Additionally, there is a 10-minute trial limitation for the connection to the managed switch.

  3. Click the Connect button on the top toolbar, or select the Connect… menu, to enter the Connection Setup dialog as shown in Figure 2.120.

Figure 2.120 Entering Connection Setup Menu of the Modbus Poll

  4. Select Modbus TCP/IP as the Connection mode and enter the switch’s IP address in the Remote Modbus Server’s IP Address or Node Name field at the bottom as shown in Figure 2.121. The Port number should be set to 502. Then click the OK button.

Figure 2.121 Modbus Poll Connection Setup

  5. In the Mbpoll1 window, select multiple cells from row 0 to row 2 by clicking on the cells in the second column of row 0 and row 2 while holding the Shift key as shown in Figure 2.122.

Figure 2.122 Multiple Cell Selection in Modbus Poll

  6. Set the Display mode of the cells selected in the previous step to Hex (hexadecimal) by opening the Display pull-down menu and choosing Hex as shown in Figure 2.123.

Figure 2.123 Set Display Mode to Hex in Modbus Poll

  7. Click on the Setup pull-down menu and choose Read/Write Definition… as shown in Figure 2.124.

Figure 2.124 Modbus Poll Setup Read/Write Definition

  8. Enter the Slave ID in the Modbus Poll function as shown in Figure 2.125; it should match the Modbus Address = 1 entered in Figure 2.118.

Figure 2.125 Slave ID in the Modbus Poll Function is set to 1

  9. Select Function 03 or 04, because the managed switch supports function codes 03 and 04, as shown in Figure 2.126.

Figure 2.126 Set Code 03 in the Modbus Poll Function

  10. Set the starting Address to 81 and Quantity to 2 as shown in Figure 2.127.

Figure 2.127 Setup Starting Address and Quantity in Modbus Poll

  11. Click the OK button to read the IP address of the switch.

Figure 2.128 Modbus Memory Addresses 81 and 82 are the location of RSAES's IP Address

  12. Modbus Poll will get the values 0x0A, 0x00, 0x32, 0x01, which means that the switch’s IP is 192.168.2.1 as shown in Figure 2.128.

Write Registers (This example shows how to clear the switch’s Port Count (Statistics).)

Figure 2.129 Mapping Table of Modbus Address for Clearing Port Statistics

  1. Check the switch’s Port TX/RX counts in the Port Statistics page as shown in Figure 2.130.

Figure 2.130 Port Count in Port Statistics Webpage

  2. Click function 06 on the toolbar as shown in Figure 2.131.

Figure 2.131 Click on Function 06 in the Modbus Poll

  3. Set Address to 256 and Value (HEX) to 1 as shown in Figure 2.132, then click the Send button.

Figure 2.132 Use Modbus Poll to Clear Switch's Port Count

  4. Check Port Statistics in the managed switch’s Web UI as shown in Figure 2.133. The packet count is now cleared.

Figure 2.133 Cleared Port Statistics
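The two Modbus Poll procedures above, expressed as the frames that actually cross the wire, as an added example that is neither Welotec’s nor Modbus Poll’s code: a function 03 read of two registers starting at 81 (the IP address) and a function 06 write of 1 to register 256 (clear port statistics), built and parsed with Python’s standard library only. It assumes that the memory-map addresses are zero-based protocol addresses sent as-is (a tool using base-1 PLC addressing would display them one higher), that the slave address 1 from Table 2.108 is the MBAP unit identifier, and the reply bytes are constructed for the self-check rather than captured from a switch; exchange() is the only part that talks to a real device.

```python
"""Added example (not Welotec's or Modbus Poll's code): the Modbus TCP frames
behind the read and write procedures above, built and parsed with the standard
library. Assumes zero-based protocol addresses (81 = IP address, 256 = clear
statistics) and unit id 1; the reply bytes below are constructed, not captured."""
import socket
import struct

MODBUS_PORT = 502
READ_FUNCTIONS = {0x03, 0x04}        # the switch supports 03/04 for reads ...
WRITE_FUNCTION = 0x06                # ... and 06 for writes (note above)
MAX_ADU = 260                        # largest Modbus TCP frame


def build_request(tid, unit_id, function, address, count_or_value):
    """MBAP header (transaction id, protocol 0, length, unit id) + PDU."""
    if function not in READ_FUNCTIONS and function != WRITE_FUNCTION:
        raise ValueError("switch supports only function codes 03, 04 and 06")
    pdu = struct.pack(">BHH", function, address, count_or_value)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id)  # length covers unit id + PDU
    return mbap + pdu


def parse_response(frame, tid, unit_id, function):
    """Check the header against the request, surface exception replies, return the words."""
    if len(frame) < 9:
        raise ValueError("frame too short")
    r_tid, proto, length, r_unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    if (r_tid, r_unit) != (tid, unit_id):
        raise ValueError("response does not belong to this request")
    r_function = frame[7]
    if r_function == function | 0x80:            # exception reply: code in the next byte
        raise ValueError(f"Modbus exception 0x{frame[8]:02X} for function {function:02d}")
    if r_function != function:
        raise ValueError("unexpected function code in reply")
    if function in READ_FUNCTIONS:
        byte_count = frame[8]
        data = frame[9:]
        if byte_count != len(data) or byte_count % 2:
            raise ValueError("byte count does not match payload")
        return list(struct.unpack(f">{byte_count // 2}H", data))
    return list(struct.unpack(">HH", frame[8:12]))  # FC 06 echoes address and value


def words_to_ipv4(words):
    """Registers 81-82 hold the IPv4 address, high byte first."""
    return ".".join(str(b) for b in struct.pack(">HH", words[0], words[1]))


def read_ip_request(tid=1, unit_id=1):
    """Steps 8-10 of the read procedure: FC 03, address 81, quantity 2."""
    return build_request(tid, unit_id, 0x03, 81, 2)


def clear_statistics_request(tid=2, unit_id=1):
    """Steps 2-3 of the write procedure: FC 06, address 256, value 1."""
    return build_request(tid, unit_id, WRITE_FUNCTION, 256, 1)


def exchange(host, frame, timeout=3.0):
    """Send one request to the switch and return the raw reply (not used by the self-check)."""
    with socket.create_connection((host, MODBUS_PORT), timeout=timeout) as sock:
        sock.sendall(frame)
        return sock.recv(MAX_ADU)


# Constructed replies; the read reply carries the memory map's example IP 192.168.1.1
CONSTRUCTED_READ_REPLY = (struct.pack(">HHHB", 1, 0, 7, 1)
                          + bytes([0x03, 0x04, 0xC0, 0xA8, 0x01, 0x01]))
CONSTRUCTED_WRITE_REPLY = (struct.pack(">HHHB", 2, 0, 6, 1)
                           + bytes([0x06]) + struct.pack(">HH", 256, 1))
CONSTRUCTED_EXCEPTION = struct.pack(">HHHB", 1, 0, 3, 1) + bytes([0x83, 0x02])  # illegal address

if __name__ == "__main__":
    print(read_ip_request().hex())
    print(words_to_ipv4(parse_response(CONSTRUCTED_READ_REPLY, 1, 1, 0x03)))
    print(parse_response(CONSTRUCTED_WRITE_REPLY, 2, 1, 0x06))
```

The transaction id and unit id checks in parse_response() only pair a reply with its request; Modbus TCP carries no credentials, so the slave address selects the device rather than authenticating the client, and any host that can reach TCP port 502 on the switch can issue the same function 06 write. Keep port 502 reachable only from the supervising computer’s network.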

Modbus Memory Map

  1. Read Registers (Support Function Code 3, 4).

  2. Write Register (Support Function Code 6).

  3. 1 Word = 2 Bytes.

Address | Data Type | Read/Write | Description

System Information

0x0000 (0) | 32 words | R | System Description = "Managed Switch RSAES"
    Word 0 Hi byte = 'M'
    Word 0 Lo byte = 'a'
    Word 1 Hi byte = 'n'
    Word 1 Lo byte = 'a'
    Word 2 Hi byte = 'g'
    Word 2 Lo byte = 'e'
    Word 3 Hi byte = 'd'
    Word 3 Lo byte = ' '
    Word 4 Hi byte = 'S'
    Word 4 Lo byte = 'w'
    Word 5 Hi byte = 'i'
    Word 5 Lo byte = 't'
    Word 6 Hi byte = 'c'
    Word 6 Lo byte = 'h'
    Word 7 Hi byte = ' '
    Word 7 Lo byte = 'E'
    Word 8 Hi byte = 'H'
    Word 8 Lo byte = '9'
    Word 9 Hi byte = '7'
    Word 9 Lo byte = '1'
    Word 10 Hi byte = '1'
    Word 10 Lo byte = '\0'

0x0020 (32) | 1 word | R | Firmware Version
    Ex: Version = 1.02
    Word 0 Hi byte = 0x01
    Word 0 Lo byte = 0x02

0x0021 (33) | 3 words | R | Ethernet MAC Address
    Ex: MAC = 00-01-02-03-04-05
    Word 0 Hi byte = 0x00
    Word 0 Lo byte = 0x01
    Word 1 Hi byte = 0x02
    Word 1 Lo byte = 0x03
    Word 2 Hi byte = 0x04
    Word 2 Lo byte = 0x05

0x0024 (36) | 1 word | R | Kernel Version
    Ex: Version = 1.03
    Word 0 Hi byte = 0x01
    Word 0 Lo byte = 0x03

Console Information

0x0030 (48) | 32 words | R | Baud Rate
    0x0000: 4800
    0x0001: 9600
    0x0002: 14400
    0x0003: 19200
    0x0004: 28800
    0x0005: 38400
    0x0006: 57600
    0x0007: 144000
    0x0008: 115200

0x0031 (49) | 1 word | R | Data Bits
    0x0007: 7
    0x0008: 8

0x0032 (50) | 1 word | R | Parity
    0x0000: None
    0x0001: Odd
    0x0002: Even

0x0033 (51) | 1 word | R | Stop Bit
    0x0001: 1
    0x0002: 2

0x0034 (52) | 1 word | R | Flow Control
    0x0000: None

Power Information

0x0040 (64) | 1 word | R | Power Status
    Power 1 OK, Hi byte = 0x01
    Power 1 Fail, Hi byte = 0x00
    Power 2 OK, Lo byte = 0x01
    Power 2 Fail, Lo byte = 0x00

IP Information

0x0050 (80) | 1 word | R | DHCP Status
    0x0000: Disabled
    0x0001: Enabled

0x0051 (81) | 2 words | R | IP Address of switch
    Ex: IP = 192.168.1.1
    Word 0 Hi byte = 0xC0
    Word 0 Lo byte = 0xA8
    Word 1 Hi byte = 0x01
    Word 1 Lo byte = 0x01

0x0053 (83) | 2 words | R | Subnet Mask of switch
    Ex: Mask = 255.255.255.0
    Word 0 Hi byte = 0xFF
    Word 0 Lo byte = 0xFF
    Word 1 Hi byte = 0xFF
    Word 1 Lo byte = 0x00

0x0055 (85) | 2 words | R | Gateway Address of switch
    Ex: IP = 192.168.1.254
    Word 0 Hi byte = 0xC0
    Word 0 Lo byte = 0xA8
    Word 1 Hi byte = 0x01
    Word 1 Lo byte = 0xFE

0x0057 (87) | 2 words | R | DNS1 of switch
    Ex: IP = 168.95.1.1
    Word 0 Hi byte = 0xA8
    Word 0 Lo byte = 0x5F
    Word 1 Hi byte = 0x01
    Word 1 Lo byte = 0x01

0x0059 (89) | 2 words | R | DNS2 of switch
    Ex: IP = 168.95.1.1
    Word 0 Hi byte = 0xA8
    Word 0 Lo byte = 0x5F
    Word 1 Hi byte = 0x01
    Word 1 Lo byte = 0x01

System Status Clear

0x0100 (256) | 1 word | W | Clear Port Statistics
    0x0001: Do clear action

0x0101 (257) | 1 word | W | Clear Relay Alarm
    0x0001: Do clear action

Port Status

All six entries in this section use the same byte layout, one status byte per port:
    Word 0 Hi byte = Port 1 Status
    Word 0 Lo byte = Port 2 Status
    Word 1 Hi byte = Port 3 Status
    Word 1 Lo byte = Port 4 Status
    Word 2 Hi byte = Port 5 Status
    Word 2 Lo byte = Port 6 Status
    Word 3 Hi byte = Port 7 Status
    Word 3 Lo byte = Port 8 Status
    Word 4 Hi byte = Port 9 Status
    Word 4 Lo byte = Port 10 Status

0x1000 (4096) | 5 words | R | Port Status
    0x00: Disabled
    0x01: Enabled

0x1020 (4128) | 5 words | R | Port Negotiation
    0x00: force
    0x01: auto

0x1040 (4160) | 5 words | R | Port Speed
    0x01: 10M
    0x02: 100M
    0x03: 1000M

0x1060 (4192) | 5 words | R | Port Duplex
    0x00: half-duplex
    0x01: full-duplex

0x1080 (4224) | 5 words | R | Port Flow Control
    0x00: disabled
    0x01: enabled

0x10A0 (4256) | 5 words | R | Port Link Status
    0x00: down
    0x01: up

Port Counters

All four counter entries in this section use the same layout, four words (Word 0 most significant) per port:
    Word 0,1,2,3 = Port 1 count
    Word 4,5,6,7 = Port 2 count
    Word 8,9,10,11 = Port 3 count
    Word 12,13,14,15 = Port 4 count
    Word 16,17,18,19 = Port 5 count
    Word 20,21,22,23 = Port 6 count
    Word 24,25,26,27 = Port 7 count
    Word 28,29,30,31 = Port 8 count
    Word 32,33,34,35 = Port 9 count
    Word 36,37,38,39 = Port 10 count

0x1300 (4864) | 40 words | R | Count of Good Packets of TX
    Ex. Port 1 gets 0x2EEEE1FFFF good packets of TX:
    Word 0 of Port 1 = 0x0000
    Word 1 of Port 1 = 0x002E
    Word 2 of Port 1 = 0xEEE1
    Word 3 of Port 1 = 0xFFFF

0x1400 (5120) | 40 words | R | Count of Bad Packets of TX
    Ex. Port 1 gets 0x2EEEE1FFFF bad packets of TX:
    Word 0 of Port 1 = 0x0000
    Word 1 of Port 1 = 0x002E
    Word 2 of Port 1 = 0xEEE1
    Word 3 of Port 1 = 0xFFFF

0x1500 (5376) | 40 words | R | Count of Good Packets of RX
    Ex. Port 1 gets 0x2EEEE1FFFF good packets of RX:
    Word 0 of Port 1 = 0x0000
    Word 1 of Port 1 = 0x002E
    Word 2 of Port 1 = 0xEEE1
    Word 3 of Port 1 = 0xFFFF

0x1600 (5632) | 40 words | R | Count of Bad Packets of RX
    Ex. Port 1 gets 0x2EEEE1FFFF bad packets of RX:
    Word 0 of Port 1 = 0x0000
    Word 1 of Port 1 = 0x002E
    Word 2 of Port 1 = 0xEEE1
    Word 3 of Port 1 = 0xFFFF
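Decoders for the register layouts in the memory map above, as an added example that is not Welotec’s code: the version, MAC, IPv4, NUL-terminated text, power status, per-port status byte and 64-bit counter layouts, each checked against the example values the map itself gives (version 1.02, MAC 00-01-02-03-04-05, IP 192.168.1.1, counter 0x2EEEE1FFFF). The register words are constructed in the block rather than read from a switch; the two-digit minor version formatting and the PORTS constant of ten are assumptions taken from the map’s examples.

```python
"""Added example (not Welotec's code): decoders for the register layouts of the
Modbus memory map above, checked against the map's own example values. All
register words here are constructed, not read from a switch."""
import struct

PORTS = 10                                      # the map packs ten ports


def words_to_bytes(words):
    """Registers are 16-bit big-endian: Hi byte first, as the map lists them."""
    return struct.pack(f">{len(words)}H", *words)


def decode_version(word):
    """0x0020 / 0x0024: Hi byte = major, Lo byte = minor (0x0102 -> '1.02')."""
    return f"{word >> 8}.{word & 0xFF:02d}"


def decode_mac(words):
    """0x0021: three words carry the six MAC octets in order."""
    return "-".join(f"{b:02X}" for b in words_to_bytes(words[:3]))


def decode_ipv4(words):
    """0x0051, 0x0053, 0x0055, 0x0057, 0x0059: two words per address."""
    return ".".join(str(b) for b in words_to_bytes(words[:2]))


def decode_text(words):
    """0x0000: ASCII packed two characters per word, terminated by a NUL byte."""
    return words_to_bytes(words).split(b"\0", 1)[0].decode("ascii")


def decode_power(word):
    """0x0040: Hi byte = power 1, Lo byte = power 2; 0x01 = OK, 0x00 = Fail."""
    return {"power1": "OK" if word >> 8 == 1 else "Fail",
            "power2": "OK" if word & 0xFF == 1 else "Fail"}


def decode_per_port_bytes(words, codes):
    """0x1000..0x10A0: one status byte per port, odd ports in the Hi byte."""
    raw = words_to_bytes(words[:5])
    return {port: codes.get(raw[port - 1], f"unknown 0x{raw[port - 1]:02X}")
            for port in range(1, PORTS + 1)}


def decode_counters(words):
    """0x1300..0x1600: four words per port forming a 64-bit count, Word 0 most significant."""
    values = struct.unpack(f">{PORTS}Q", words_to_bytes(words[:4 * PORTS]))
    return dict(zip(range(1, PORTS + 1), values))


# Constructed register contents, using the map's own example values
VERSION_WORD = 0x0102
MAC_WORDS = [0x0001, 0x0203, 0x0405]
IP_WORDS = [0xC0A8, 0x0101]
PORT_STATUS_WORDS = [0x0101, 0x0100, 0x0001, 0x0000, 0x0101]   # enabled: ports 1,2,3,6,9,10
TX_GOOD_WORDS = [0x0000, 0x002E, 0xEEE1, 0xFFFF] + [0, 0, 0, 5] + [0] * 32
LINK_CODES = {0x00: "Disabled", 0x01: "Enabled"}

if __name__ == "__main__":
    print(decode_version(VERSION_WORD), decode_mac(MAC_WORDS), decode_ipv4(IP_WORDS))
    print(decode_per_port_bytes(PORT_STATUS_WORDS, LINK_CODES))
    print(hex(decode_counters(TX_GOOD_WORDS)[1]))
```

Because every field is big-endian and byte-packed, a read that is one register short (or one register off) silently shifts every port’s status byte by one port; decode_per_port_bytes() and decode_counters() therefore slice exactly the word count the map specifies, and a word list shorter than that raises from struct rather than returning a plausible-looking but misaligned result.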