Simply Connected
User Guide
XMS-1024P 24 Port Gigabit Managed PoE/PoE+ Switch

Use the XMS-1024P to:
Cost-effectively Add 802.3af/at PoE Capability to Your Network
Deliver Power and Data for up to 24 PoE-Enabled Network Devices with a Maximum Output of 320 Watts
Simplify PoE Device Installation, Including IP Security Cameras, VoIP Devices, and Wireless APs
Future Proof Your Network with Gigabit Speeds (10X Performance of Fast Ethernet)
Optimize and Protect Your Network with Advanced VLAN, QoS and Network Security Features

XMS-1024P User Guide
Model Number: XMS-1024P 24 Port Gigabit Managed PoE/PoE+ Switch

© 2014 Luxul. All Rights Reserved. No part of this publication may be modified or adapted in any way, for any purposes without permission in writing from Luxul. The material in this manual is subject to change without notice. Luxul reserves the right to make changes to any product to improve reliability, function, or design. No license is granted, either expressly or by implication or otherwise under any Luxul intellectual property rights. An implied license only exists for equipment, circuits and subsystems contained in this or any Luxul product. This product is covered by one or more U.S. and foreign patents.
Patents: 7,379,717, 6,606,075, 6,373,448, other patents pending

DOCUMENT CONVENTIONS
The following graphical alerts are used in this document to indicate notable situations:
NOTE: Tips, hints, or special requirements that you should take note of.
CAUTION: Care is required. Disregarding a caution can result in data loss or equipment malfunction.
WARNING!: Indicates a condition or procedure that could result in personal injury or equipment damage.

CONTACT LUXUL
Sales: P: 801-822-5450 E: [email protected]
Technical Support: P: 801-822-5450 E: [email protected]

FCC COMPLIANCE
This device complies with Part 15 of the FCC Rules.
Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

a: 14203 Minuteman Drive, Suite 201, Draper, UT 84020-1685 | luxul.com | 801-822-5450
LUX-UG-XMS-1024P Vers: 081314
© 2014 Luxul. All Rights Reserved. Other trademarks and registered trademarks are the property of their respective owners.

CONTENTS
1 ABOUT THIS GUIDE
  1.1 Intended Readers
  1.2 Conventions
  1.3 Overview of This Guide
2 INTRODUCTION
  2.1 Overview of the Switch
  2.2 Main Features
  2.3 Description
3 LOGGING ON TO THE SWITCH
  3.1 Login
  3.2 Configuration
4 SYSTEM
  4.1 System Settings
  4.2 User Management
  4.3 System Tools
5 SWITCHING
  5.1 Port Settings
  5.2 LAG
  5.3 Traffic Monitor
  5.4 MAC Address
6 VLAN
  6.1 802.1Q VLAN
  6.2 MAC VLAN
  6.3 Protocol VLAN
  6.4 Application Example for 802.1Q VLAN
  6.5 Application Example for MAC VLAN
  6.6 Application Example for Protocol VLAN
  6.7 GVRP
7 SPANNING TREE
  7.1 STP Config
  7.2 Port Config
  7.3 MSTP Instance
  7.4 STP Security
  7.5 Application Example for STP Function
8 MULTICAST
  8.1 IGMP Snooping
  8.2 Multicast IP
  8.3 Multicast Filter
  8.4 Packet Statistics
9 QOS
  9.1 DiffServ
  9.2 Bandwidth Control
  9.3 Voice VLAN
10 POE
  10.1 PoE Config
  10.2 PoE Time-Range
11 ACL
  11.1 Time-Range
  11.2 ACL Config
  11.3 ACL Policy
12 NETWORK SECURITY
  12.1 IP-MAC Binding
  12.2 ARP Inspection
  12.3 DoS Defense
  12.4 802.1X/RADIUS
13 SNMP
  13.1 SNMP Config
  13.2 SNMP Notification
  13.3 RMON
14 LLDP
  14.1 LLDP Config
  14.2 Device Info
  14.3 Device Statistics
  14.4 LLDP-Media
15 CLUSTER
  15.1 NDP
  15.2 NTDP
  15.3 Cluster
16 MAINTENANCE
  16.1 System Monitor
  16.2 System Logs
  16.3 Device Diagnostics
  16.4 Network Diagnostics
17 SAVE CONFIG
18 REGULATORY COMPLIANCE
APPENDIX A: SPECIFICATIONS
GLOSSARY

1 ABOUT THIS GUIDE
This User Guide contains information for setup and Management of the XMS-1024P 24 Port Gigabit Managed PoE/PoE+ Switch. Please read this guide carefully.

1.1 Intended Readers
This Guide is intended for users or installers familiar with IP concepts and Network terminologies.

1.2 Conventions
In this Guide the following conventions are used:
The Switch mentioned in this Guide refers to the XMS-1024P Managed PoE Switch.
Menu Name>>Submenu Name>>Tab indicates the location being illustrated in the menu structure. For example, System>>System Settings>>Status is the Status tab under the System Settings menu option that is located under the System menu.
Bold font indicates a button, a toolbar icon, menu or menu item.

1.3 Overview of This Guide

Chapter / Introduction

Chapter 1 About This Guide
Introduces the guide structure and conventions.

Chapter 2 Introduction
Introduces the features, application and appearance of XMS-1024P Switch.

Chapter 3 Login
Illustrates how to log on to the Web Management page.

Chapter 4 System
This chapter will show how to configure system properties of the Switch.
System Settings: Configure the Description, System Time and Network parameters of the Switch.
User Management: Configure the User Name and Password for users to log on to the Web Management page with the desired level of access.
System Tools: Manage the Configuration File of the Switch.
Access Control: Provide different security measures for login to enhance Configuration Security.

Chapter 5 Switching
This chapter will show how to configure basic functions of the Switch.
Port: Configure the basic features of the Switch Ports.
LAG: Configure Link Aggregation Group. A LAG combines a number of Ports together to make a single high-bandwidth Data path.
Traffic Monitor: Monitor the traffic statistics of each Port.
MAC Address: Modify the MAC Table properties of the Switch.

Chapter 6 VLAN
This chapter will show how to configure VLANs to control broadcast on the Local Area Network.
802.1Q VLAN: Configure an 802.1Q VLAN on a Port-per-Port basis.
MAC VLAN: Configure 802.1Q MAC-based VLAN without changing the 802.1Q VLAN configuration.
Protocol VLAN: Create VLANs using the application layer to adjust how some Data is transmitted in the specified VLAN.
GVRP: GVRP allows the Switch to automatically add or remove VLAN membership via dynamic VLAN registration information and propagate the local VLAN registration information to other Switches, without having to individually configure each VLAN on every Switch.

Chapter 7 Spanning Tree
This chapter will show how to configure Spanning Tree functions on the Switch.
STP Config: Configure and view the global settings of Spanning Tree.
Port STP Config: Configure the STP parameters of Switch Ports.
MSTP Instance: Configure MSTP instances.
STP Security: Configure STP protection to prevent devices from any malicious attack against STP.

Chapter 8 Multicast
This chapter will show how to configure the Multicast functions of the Switch.
IGMP Snooping: Configure global parameters of IGMP Snooping, Port properties, VLAN, and Multicast VLAN.
Multicast IP: Configure Multicast IP table.
Multicast Filter: Configure Multicast Filter to restrict users ordering Multicast programs.
Packet Statistics: View the Multicast traffic statistics on each Port of the Switch.

Chapter 9 QoS
This chapter will show how to configure QoS to provide the desired quality of service for various Network applications and requirements.
DiffServ: Configure priorities, Port priority, 802.1P Priority and DSCP priority.
Bandwidth Control: Rate Limit feature to control the traffic rate on each Port; Storm Control feature to filter Broadcast, Multicast and UL frames in the Network.
Voice VLAN: Voice VLAN to transmit Voice Data stream within the specified VLAN to ensure the transmission priority of Voice Data stream and Voice quality.

Chapter 10 PoE
This chapter will show how to configure the PoE for the Switch to supply power for PoE capable devices.
PoE Config: PoE global functionality.
PoE Time-Range: Time window(s) for PoE Port to supply power.

Chapter 11 ACL
This chapter will show how to configure ACL Rules and Policies to filter packets in order to prevent malicious packets from harming the Network.
Time-Range: The effective time for ACL Rules.
ACL Config: ACL Rules.
Policy Config: Policy operational parameters.
Policy Binding: Bind the policy to a Port or VLAN.

Chapter 12 Network Security
This chapter will show how to configure the multiple protection measures in Network Security.
IP-MAC Binding: Bind the IP Address, MAC address, VLAN ID and the Connected Port of the Host together.
ARP Inspection: The ARP Inspection feature prevents ARP attacks on the Network.
DoS Defend: DoS Defense features to prevent DoS attack.
802.1X/RADIUS: Covers the use of 802.1X/RADIUS and Radius Servers.

Chapter 13 SNMP
This chapter will show how to configure SNMP to provide a Management frame to monitor and maintain the Network devices.
SNMP Config: Global settings of SNMP.
SNMP Notification: SNMP Notification options and configuration to monitor and process the events.
RMON: RMON (Remote Monitoring) options and configuration.

Chapter 14 LLDP
This chapter will show how to configure LLDP to provide information for SNMP applications.
Basic Config: The LLDP parameters of the device.
Device Info: View the LLDP information of the local device and its neighbors.
Device Statistics: View the LLDP statistics of the local device.
LLDP-MED: Configure LLDP-MED parameters of the device.

Chapter 15 Cluster
This chapter will show how to configure the Cluster function to allow central Management of devices in the Network.
NDP: NDP setup to get the information from the directly connected neighbor devices.
NTDP: NTDP functions of the commander Switch to collect NDP information.
Cluster: Cluster setup to establish and maintain the Cluster.

Chapter 16 Maintenance
This chapter will show how to use the common system tools to manage the Switch.
System Monitor: The memory and CPU usage of the Switch.
Log: View system events.
Device Diagnostics: Test the connection status of the cable connected to the Switch.
Network Diagnostics: Ping and Traceroute utilities to test connection at the Switch.

Appendix A Specifications
Lists the hardware specifications of the Switch.

Appendix B Configure the PCs
Introduces how to configure the PCs.

Appendix C Load Software Using FTP
Introduces how to load software of the Switch using FTP function.

Appendix D 802.1X/RADIUS Client Software
Introduces how to use 802.1X/RADIUS Client Software provided for Authentication.

Appendix E Glossary
The glossary of the manual.

2 INTRODUCTION
Thanks for choosing the Luxul XMS-1024P Managed PoE/PoE+ Switch.

2.1 Overview of the Switch
Designed to meet Commercial Grade requirements, the XMS-1024P from LUXUL provides wire-speed performance and IP Layer 2 Management features to give you the best service and security available. The EIA Standardized framework and smart configuration capacity provides a flexible solution for any scale of Network. ACL, 802.1X/RADIUS and Dynamic ARP Inspection provide robust security. QoS and IGMP Snooping/Filtering help optimize Voice and video applications. Link Aggregation (LACP) increases aggregated bandwidth, optimizing the transport of critical Data. SNMP, RMON, Web Management/CLI/Telnet Log-in options give you maximum Management flexibility.

The XMS-1024P Managed PoE Switch is also a Power Source Equipment device. All the Auto-Negotiating RJ45 Ports on the Switch support Power over Ethernet, which can automatically detect and supply power to Powered Devices complying with the IEEE 802.3af and IEEE 802.3at standards.

2.2 Main Features

Resiliency and Availability
Link Aggregation (LACP) increases aggregated bandwidth, optimizing the transport of critical Data.
IEEE 802.1s Multiple Spanning Tree provides high link availability.
Multicast Snooping automatically prevents flooding of IP Network when using Multicast.

Layer 2 Switching
GVRP (GARP VLAN Registration Protocol) allows automatic learning and dynamic assignment of VLANs.
Supports up to 4094 VLANs.

Quality of Service
Supports L2 and L3 based CoS (Cost of Service) with 4 priority queues per Port.
Rate Limiting controls the traffic flow according to the configured values.

Security
Supports industry standard user Authentication methods such as 802.1X/RADIUS, RADIUS.
Dynamic ARP Inspection blocks ARP packets from unauthorized hosts, preventing man-in-the-middle attacks.
L2/L3/L4 Access Control Lists restrict untrusted access to protected resources.
Provides SSHv1/v2, SSL 2.0/3.0 and TLS v1 for Management access encryption.

Manageability
IP Clustering provides flexible scalability and easy Single-Switch-Management.
Telnet, CLI, SNMP v1/v2c/v3, RMON and Web Management access provides excellent Administration flexibility.
Port Mirroring enables monitoring of selected Ingress/Egress traffic.

2.3 Description

2.3.1 Front Panel
Figure 2-1 Front Panel

The following parts are located on the front panel of the Switch:
24 10/100/1000Mbps Ports: Designed to connect client devices with a bandwidth of up to 1000Mbps.
4 SFP Ports: Designed to allow the use of an SFP module for fiber interlinking.
NOTE: When using the SFP Port with a 100Mbps module or a Gigabit module, you need to configure its corresponding Speed and Duplex mode in Switching>>Port Settings>>Port Config page.
For a 100Mbps module, please select 100MFD; for Gigabit modules, select 1000MFD. By default, the Speed and Duplex mode of any installed SFP module is 1000MFD.
1 Console Port: Designed to allow connection to the serial Port of a computer or terminal for monitoring and configuring the Switch.
24 Port LEDs

The XMS-1024P has an LED mode button for switching the LED status type. When the Speed LED is lit, the Port LED indicates link/link activity. When the PoE LED is lit, the Port LED indicates the power supply status. By default the Speed option is on. Pressing the Mode button will toggle between Speed and PoE. When selected, the PoE display will remain active for 60 seconds and then default back to Speed display.

When the Speed display is active, the Port LED will indicate the Link/Link Activity status of the Port.

LED (Status): Indication
Power (On): The Switch is powered on
Power (Off): The Switch is powered off or power supply has failed
Power (Flashing): Indicates a Power fault
System (Flashing): The Switch booted without error and is running
System (On): The Switch encountered a boot error
10/100/1000 Mbps Port LED (Green, On): A 1000 Mbps device is connected to the corresponding Port
10/100/1000 Mbps Port LED (Green, Flashing): Data is being transmitted or received on the corresponding Port
10/100/1000 Mbps Port LED (Yellow, On): A 10/100 Mbps device is connected to the corresponding Port
10/100/1000 Mbps Port LED (Yellow, Flashing): Data is being transmitted or received on the corresponding Port
10/100/1000 Mbps Port LED (Off): No device is connected to the corresponding Port

When the PoE display is active, the Port LED indicates the PoE status of the Port.

LED (Status): Indication
Power (On): The Switch is powered on
Power (Off): The Switch is powered off or power supply has failed
Power (Flashing): Indicates a Power fault
System (Flashing): The Switch booted without error and is running
System (On): The Switch encountered a boot error
PoE Max (On): The remaining PoE power available is ≤ 7W
PoE Max (Flashing): The remaining PoE power available stays at ≤ 7W the LED will remain on for 2 minutes
PoE Max (Off): The remaining PoE power available is > 7W
10/100/1000 Mbps Port LED (Green, On): The Port is supplying power normally
10/100/1000 Mbps Port LED (Green, Flashing): The supply power exceeds the corresponding PD's (Powered Device) maximum power
10/100/1000 Mbps Port LED (Yellow, On): Overload or short circuit is detected
10/100/1000 Mbps Port LED (Yellow, Flashing): PD Power-On self-test has failed
10/100/1000 Mbps Port LED (Off): No PoE power is being provided on the Port

2.3.2 Rear Panel
The rear panel of XMS-1024P features a power socket and a Grounding Terminal.
Figure 2-2 Rear Panel

1 Grounding Terminal: The XMS-1024P already comes with a grounding mechanism in the provided three prong power cable and power supply. You can also ground the Switch with the provided Ground Cable. For detailed information, please refer to Installation Guide.
1 AC Power Socket: Connect the female connector of the power cord to the Switch, and the male connector to the AC power outlet. Please make sure the voltage of the AC power source meets the requirements of the input voltage (100-240V~ 50/60Hz 0.6A).

3 LOGGING ON TO THE SWITCH

3.1 Login
1. To access the Web Management configuration, open a web-browser and type in the default address 192.168.0.4 in the address field of the browser, then press the Enter key.
Figure 3-1 Web-browser
NOTE: To log in to the Switch, the IP Address of your PC should be set in the same subnet as the Switch.
The IP Address should be 192.168.0.x (where "x" is any number from 1 to 254 excluding 192.168.0.4 of the Switch or the IP of any other device on the Network). The Subnet Mask is 255.255.255.0. For detailed instructions on how to do this, please refer to Appendix B.
2. A login window will appear, as shown in Figure 3-2. Enter admin for the User Name and Password. Then click the Login button or press the Enter key.
Figure 3-2 Login

3.2 Configuration
After a successful login, the main System page will appear (Figure 3-3).
Figure 3-3 Main Setup-Menu
CAUTION: By clicking Apply the current configuration changes will be applied to the running configuration. If the Switch is rebooted the configuration will be lost. To save the configuration to nonvolatile memory please click the Save Config link in the left-hand menu. We strongly recommend clicking Save Config before cutting the power or rebooting the Switch to avoid losing the new configuration. If the Switch becomes inoperable after an Apply action you can reboot the Switch to return it to the previous state.

4 SYSTEM
The System menu offers the various system configuration options of the Switch, and includes four submenus: System Settings, User Management, System Tools and Access Control.

4.1 System Settings
The System Settings submenu includes the Status, Device Description, System Time, Daylight Saving Time and System IP tabs.

4.1.1 Status
This page allows you to view the Port connection status and the System Info.
The Port status diagram shows the status of the 24 10/100/1000Mbps RJ45 Ports and 4 SFP Ports of the Switch. Ports labeled as 1-24 are 10/100/1000Mbps Ports and Ports labeled as 21F-24F are SFP Ports.
Choose System>>System Settings>>Status to load the following page.
Figure 4-1 Status

Port Status
Indicates the Port is not connected to a device.
Indicates the Port is connected at the speed of 1000Mbps.
Indicates the Port is connected at the speed of 10Mbps or 100Mbps.
Indicates the SFP Port is not connected.
Indicates the SFP Port is connected at the speed of 1000Mbps.
Indicates the SFP Port is connected at the speed of 100Mbps.

When the cursor is used to highlight the Port, the detailed information of the Port will be displayed.
Figure 4-2 Port Information

Port Information
Port: Displays the selected Port number of the Switch.
Type: Displays the configured type of the Port.
Speed: Displays the maximum transmission rate of the Port.
Status: Displays the connection status of the Port.

You may click a Port to display the bandwidth utilization chart for the Port. The actual rate divided by theoretical maximum rate is the bandwidth utilization. Figure 4-3 displays the bandwidth utilization monitored every four seconds. Monitoring the bandwidth utilization on a Port allows you to monitor the Network traffic and analyze the Network for any abnormalities.
Figure 4-3 Bandwidth Utilization

Bandwidth Utilization
Rx: Select Rx to display the bandwidth utilization of received packets on this Port.
Tx: Select Tx to display the bandwidth utilization of sent packets on this Port.

4.1.2 Device Description
On this page you can configure the description of the Switch, including Device Name, Device Location and System Contact.
Choose System>>System Settings>>Device Description to load the following page.
Figure 4-4 Device Description

The following entries are displayed on this screen:
Device Description
Device Name: A name for the Switch is entered here.
Device Location: Location information is entered here to help identify the location and purpose of the Switch.
System Contact: Support or Admin contact information is entered here.
NOTE: The Device Description settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to nonvolatile memory.

4.1.3 System Time
System Time displays the current time settings of the Switch. On this page you can configure the System Time settings. The settings here will be used for other time-based functions like Access Control List (ACL). You can manually set the System Time, automatically acquire time from an NTP Server or synchronize with your PC's clock.
Choose System>>System Settings>>System Time to load the following page.
Figure 4-5 System Time

The following entries are displayed on this screen:
Time Info
Current System Date & Time: Displays the current date and time of the Switch.
Current Time Source: Displays the current time source of the Switch.
Time Config
Manual: When this option is selected, you can set the date and time manually.
Get Time from NTP Server: When this option is selected, you can configure the time zone and the IP Address for the desired NTP Server. The Switch will get time from the NTP Server automatically if it has connected to an NTP Server.
Time Zone: Select your local time zone.
Primary/Secondary NTP Server: Enter an IP Address for the NTP Server(s).
Update Rate: Specify in hours how often the Switch will check for an NTP time update.
Synchronize with PC's Clock: When this option is selected, the administrator PC's clock is used to set the System Time.
NOTE: The System Time settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.
NOTE: When "Get Time from NTP Server" is selected and no time Server is configured, the Switch will get its time from the time Server of the Default Gateway in the Network.

4.1.4 Daylight Savings Time
On this page you can configure the Daylight Savings Time settings of the Switch.
Choose the menu System>>System Settings>>Daylight Savings Time to load the following page.
Figure 4-6 Daylight Savings Time

The following entries are displayed on this screen:
DST Config
DST Status: Enable or Disable DST.
Predefined Mode: Select a predefined DST configuration.
USA: First Sunday in April, 02:00 ~ Last Sunday in October, 02:00.
Australia: First Sunday in October, 02:00 ~ First Sunday in April, 03:00.
Europe: Last Sunday in March, 01:00 ~ Last Sunday in October, 01:00.
New Zealand: First Sunday in October, 02:00 ~ Last Sunday in March, 03:00.
Recurring Mode: Allows you to specify a DST configuration that will run in a recurring pattern. Unless changed, this mode will run each Start and End Time configured.
Offset: Specifies the change of time in minutes when a DST event occurs.
Start Time/End Time: Set the Starting and Ending week, day and month for DST in your geographical location.
Date Mode: Allows you to specify the DST configuration using a Date format instead of a week, day and month format. This configuration will not run in a recurring mode and must be set each year.
Offset: Specifies the change of time in minutes when a DST event occurs.
Start Time/End Time: Set the Starting and Ending dates for DST in your geographical location.
NOTE: The DST settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.
NOTE: When DST is disabled the various modes cannot be configured.
NOTE: When DST is enabled the default daylight savings time will be set to USA in predefined mode.

4.1.5 System IP
Each device in an IP Network must have a unique IP Address. You log in to the Web Management page of the Switch using the Switch's IP Address. The Switch supports three modes to set the IP Address: Static IP, DHCP and BOOTP. The IP Address set using the new mode selected will replace the current IP Address. On this page you can configure the system IP of the Switch.
Choose the menu System>>System Settings>>System IP to load the following page.
Figure 4-7 System IP

The following entries are displayed on this screen:
IP Config
MAC Address: Displays MAC Address or Hardware Address of the Switch.
IP Address Mode: Allows you to select the desired mode for setting the IP Address of the Switch.
Static IP: When this option is selected you set the IP Address, Subnet Mask and Default Gateway manually.
DHCP: When this option is selected the Switch will obtain all IP Address settings from the DHCP Server in your Network.
BOOTP: When this option is selected the Switch will obtain all IP Address settings from the BOOTP Server in your Network.
Management VLAN: Enter the ID of the Management VLAN. This will be the only VLAN through which you can access the Management page of the Switch. By default VLAN1 is the Management VLAN and you can access the Switch via any Port on the Switch.
However, if another VLAN is created and set to be the Management VLAN, you may have to reconnect the Management station to a Port that is a member of the Management VLAN.
IP Address: The IP Address of the Switch. The default IP is 192.168.0.4. If you have selected the Static IP option you will be able to modify this address as desired. If DHCP or BOOTP is selected they will configure the IP Address.
Subnet Mask: The Subnet Mask of the Switch. The default Mask is 255.255.255.0. If you have selected the Static IP option you will be able to modify this address as desired. If DHCP or BOOTP is selected they will configure the Subnet Mask.
Default Gateway: The Default Gateway of the Switch. The default Gateway is blank. If you have selected the Static IP option you will be able to modify this address as desired. If DHCP or BOOTP is selected they will configure the Default Gateway.
NOTE: The System IP settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.
NOTE: Changing the IP Address to a different IP subnet (e.g. from 192.168.0.XXX to 192.168.1.XXX) will interrupt Network communication. Please keep the new IP Address in the same IP subnet as the rest of the local Network.
NOTE: The Switch only requires one IP Address. Any new IP Address configured will replace the original default IP Address.
NOTE: If the Switch gets an IP Address from the DHCP Server, you can find the IP configuration information of the Switch in the DHCP Server connected clients list. If the DHCP option is selected but no DHCP Server exists, the Switch will keep trying to obtain the IP Address from a DHCP Server until successful.

4.2 User Management
User Management allows you to configure the User Name and Password used to log in to the Web Management page with the desired access level, protecting the settings of the Switch from being changed by unauthorized users.
The User Management function is implemented in the User Table and User Config pages.

4.2.1 User Table
On this page you can view the information about the current configured users of the Switch.
Choose the menu System>>User Management>>User Table to load the following page.
Figure 4-8 User Table

4.2.2 User Config
On this page you can configure the Access Level of the user allowed to log in to the Web Management page. The Switch provides two access levels: Guest and Admin. The Guest user can only view the settings and status with no rights to actually configure the Switch; the Admin user can configure all functions of the Switch.
Choose the menu System>>User Management>>User Config to load the following page.
Figure 4-9 User Config

The following entries are displayed on this screen:
User Info
User Name: Create a Name for a new User login.
Access Level: Select the access Level to Apply to the User.
Admin: Admin can edit, modify and view all the settings of the Switch.
Guest: Guest can only view the settings and status of the Switch.
User Status: Enable or Disable the User configuration. (Typically you would use this function on a previously configured user.)
Password: Enter a Password for the User's login.
Confirm Password: Confirm the Password for the User's login.
User Table
Select: Select the desired entry to delete or edit the corresponding user information. If selecting multiple entries the only option available is Delete.
User ID, Name, Access Level and status: Displays the current User ID, User Name, Access Level and User Status.
Operation: Click the Edit link of the desired entry to edit the corresponding user information. After modifying the settings, please click the Modify button to save the modification.
CAUTION: The User Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.
CAUTION: The default Admin user can be deleted. Please take care when selecting multiple users for deletion.
CAUTION: The User Name and Password can contain only 16 characters. If more than 16 characters are entered they will be truncated.

4.3 System Tools
The System Tools menu allows you to manage the system functions of the Switch including: Config Restore, Config Backup, Firmware Upgrade, System Reboot and Restore Factory Defaults.

4.3.1 Config Restore
On this page you can upload a previous backup configuration file to restore your Switch to the desired configuration.
Choose the menu System>>System Tools>>Config Restore to load the following page.
Figure 4-10 Config Restore

The following entries are displayed on this screen:
Config Restore
Config File: Browse to the configuration backup file you would like to Restore.
Restore Config: Click the Restore Config button to restore the backup configuration file. The Switch will automatically reboot as part of the Restore process and will load the Restored Config file after reboot.
NOTE: It can take a few minutes to restore the configuration. Please wait for the operation to complete normally.
CAUTION: To avoid damage to the Switch please do not power down the Switch while a Restore operation is in process.
CAUTION: As part of the Restore process the current settings of the Switch will be lost. A corrupt or bad configuration file may cause the Switch to become unresponsive; if this occurs please power down the Switch and power back up to restore to the previous settings.

4.3.2 Config Backup
On this page you can download the current configuration of the Switch and save it as a file to your computer for a future configuration restore or to configure future installations.
Choose the menu System>>System Tools>>Config Backup to load the following page.
Figure 4-11 Config Backup
The following entries are displayed on this screen:
Config Backup
Backup Config: Click the Backup Config button to save the current running configuration as a file on your computer. We recommend making a Config Backup before all Firmware Upgrades.
NOTE: It may take a few minutes to Backup the configuration. Please wait for the operation to complete normally.

4.3.3 Firmware Upgrade
The Switch Firmware can be upgraded via the Web Management page. Upgrades to the system Firmware can add more functionality, better performance, and/or resolve any known issues. Visit http://luxul.com to download the current firmware.
Choose the menu System>>System Tools>>Firmware Upgrade to load the following page.
Figure 4-12 Firmware Upgrade
The following entries are displayed on this screen:
Firmware Upgrade
Firmware File: Browse to the downloaded Firmware file and select it. Visit http://luxul.com to download the current firmware.
Current Firmware Version: Displays the current running version of Firmware on the Switch.
Hardware Version: Displays the version of Hardware the Switch is running. As new Hardware revisions are released they may not support all Firmware versions. Visit http://luxul.com for more information.
Upgrade: Click the Upgrade button to Upgrade the current running Firmware of the Switch.
NOTE: We recommend making a Config Backup before all Firmware Upgrades.
CAUTION: Do not interrupt the upgrade. To avoid damage to the Switch please do not power down the Switch while an Upgrade operation is in process.
CAUTION: Please select the proper Firmware version matching your Hardware version. Visit http://luxul.com for more information.
NOTE: After the Upgrade process is complete the Switch will reboot automatically.

4.3.4 System Reboot
On this page you can Reboot the Switch. Please save the current running configuration before rebooting to avoid losing the configuration.
Choose the menu System>>System Tools>>System Reboot to load the following page.
Figure 4-13 System Reboot
The following entries are displayed on this screen:
System Reboot
Save Config: Leaving this checkbox checked will cause the Switch to save the Configuration to non-volatile RAM prior to Reboot. We recommend leaving this option checked.
Reboot: Click the Reboot button to reboot the Switch.
NOTE: We recommend making a Config Backup before any Reboot.
CAUTION: To avoid damage to the Switch please do not power down the Switch while a Reboot operation is in process.

4.3.5 Restore Factory Defaults
On this page you can restore the Switch to the Factory Default settings. The Switch will reboot as part of this operation; once rebooted, all settings will return to their default values.
Choose the menu System>>System Tools>>Restore Factory Defaults to load the following page.
Figure 4-14 Restore Factory Defaults
The following entries are displayed on this screen:
Restore Factory Defaults
Reset: Click the Reset button to restore the Switch to Factory Default settings. The Switch will reboot as part of this operation; once rebooted, all settings will return to their default values.
CAUTION: If the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory, all custom configuration settings will be lost.
CAUTION: To avoid damage to the Switch please do not power down the Switch while a Reboot operation is in process.
NOTE: After the system reboots, the Switch will be reset to default settings.

4.4 Access Control
Access Control provides different security measures for remote login to enhance Management security.

4.4.1 Access Control
On this page you can control the users logging on to the Web Management page. For the definitions of Admin and Guest, refer to section 4.2 User Management.
Choose the menu System>>Access Control>>Access Control to load the following page.
Figure 4-15 Access Control
The following entries are displayed on this screen:
Access Control
Control Mode: Select the control mode for users to log on to the Web Management page.
IP-based: Limit the IP-Range of the Users allowed to login.
MAC-based: Limit the MAC Addresses of the Users allowed to login.
Port-based: Limit the Ports of the Users allowed to login.
IP Address & Mask: These fields are available for configuration only when IP-based mode is selected. Only the users within the IP-range you configure are allowed to login.
MAC Address: This field is available for configuration only when MAC-based mode is selected. Only the device with the configured MAC Address is allowed to login.
Port: This field is available for configuration only when Port-based mode is selected. Only the Users connected to the configured Ports are allowed to login.
Session Timeout
Timeout Limit: The default Timeout Limit is 10 minutes; this may be configured anywhere in the 5-30 minute range if desired. If you do nothing within the Web Management page during the timeout period the system will log you out automatically.
User Limits
Limit Users: Enable or Disable the User Limits function.
Admin Users: Enter the maximum number of allowed Admin User simultaneous logins.
Guest Users: Enter the maximum number of allowed Guest User simultaneous logins.

4.4.2 SSL Config
SSL (Secure Sockets Layer) is a security protocol designed to provide a secure connection for application layer protocols (e.g. HTTP) that communicate over TCP. SSL is widely used to secure Data transmission between Web Browsers and Servers. SSL provides the following services:
1. Authentication of Users and Servers based on certificates to ensure the Data is transmitted to the correct User and Server.
2. Encryption of all Data transmission to prevent Data interception.
3. Maintenance of Data integrity to prevent Data alteration during transmission.
Utilizing asymmetrical encryption technology, SSL uses key pairs to encrypt/decrypt Data. A key pair refers to a public key (contained in the certificate) and its corresponding private key. By default the Switch has a self-signed certificate and a corresponding private key. The Certificate/Key Upload function enables the user to replace the default key pair.
After SSL is enabled you can log on to the Web Management page via Secure HTTP at https://192.168.0.4.
The first time you use an HTTPS connection to log onto the Switch with the default certificate you will be prompted “The security certificate presented by this website was not issued by a trusted certificate authority” or “Certificate Errors”. Please choose “add this certificate to trusted certificates” or “continue to this website”.
On this page you can configure SSL.
Choose the menu System>>Access Control>>SSL Config to load the following page.
Figure 4-16 SSL Config
The following entries are displayed on this screen:
SSL Config
SSL: Enable or Disable the SSL function.
Certificate Upload
Certificate File: Select the desired Certificate to Upload to the Switch. The certificate must be BASE64 encoded.
Key Upload
Key File: Select the desired SSL Key to Upload to the Switch. The key must be BASE64 encoded.
CAUTION: SSL Configuration settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.
CAUTION: The SSL Certificate and Key uploaded must be a matching pair. If the Certificate and Key are not a matching pair HTTPS access to the Switch will fail.
CAUTION: The SSL Certificate and Key uploaded will not take effect until the Switch is rebooted.
NOTE: To establish a secured connection to the Switch using HTTPS, please enter https:// before the IP Address of the Switch in your Web Browser.
CAUTION: HTTPS connections will be slower than HTTP connections, as HTTPS connections involve Authentication, Encryption and Decryption processes.

4.4.3 SSH Config
SSH (Secure Shell) is a security protocol established on application and transport layers.
An SSH-encrypted connection is similar to a telnet connection, but because telnet has no inherent security as a remote Management method, we offer this option for remote command line configuration. SSH provides information security and Authentication when you log on to the Switch remotely through any Network environment. It encrypts all transmitted Data to prevent Data from being compromised during Remote Management.
SSH has two versions, V1 and V2, which are not compatible with each other. During initial communication the SSH Server and Client auto-negotiate the SSH version and the encryption algorithm. After a successful negotiation the Client sends an Authentication request to the Server for login. Once the login process is complete the two can communicate with each other. The Switch can be configured to run an SSH Server to allow Users to log on to the Switch via SSH connection using any readily available SSH client software (we recommend the PuTTY SSH Client).
The SSH key can be Uploaded to the Switch. If the key is successfully Uploaded, Certificate Authentication will be preferred for all SSH connections to the Switch.
Choose the menu System>>Access Control>>SSH Config to load the following page.
Figure 4-17 SSH Config
The following entries are displayed on this screen:
Global Config
SSH: Enable or Disable SSH.
Protocol V1: Enable or Disable SSH V1 support.
Protocol V2: Enable or Disable SSH V2 support.
Idle Timeout: Set the connection idle timeout time. The system will automatically release the connection when the time has expired; the default timeout is 500 seconds.
Max Connect: Set the maximum number of allowed connections to the SSH Server. No new connection will be allowed when the number of connections reaches the maximum; the default value is 5.
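To confirm which protocol versions the SSH Server actually offers after setting Protocol V1 and Protocol V2, the identification line it sends on connect can be classified. The following is an added example, not part of the Luxul guide; it assumes the Switch follows the RFC 4253 version exchange, and the function names and sample banners are constructed for illustration.

```python
"""Classify an SSH server identification line (RFC 4253 version exchange)."""
import socket


def parse_ident(raw: bytes) -> dict:
    """Find the 'SSH-protoversion-softwareversion' line and decode it.

    A server may send free-text lines before the identification line,
    so every line that does not start with 'SSH-' is skipped.
    """
    for line in raw.replace(b"\r\n", b"\n").split(b"\n"):
        if not line.startswith(b"SSH-"):
            continue
        fields = line.decode("ascii", errors="replace").split("-", 2)
        if len(fields) != 3 or not fields[2]:
            raise ValueError(f"malformed identification line: {line!r}")
        proto = fields[1]
        software = fields[2].split(" ", 1)[0]  # drop optional comments
        if proto == "2.0":
            offers = {"v2"}
        elif proto == "1.99":
            # Compatibility marker: the server speaks V2 and also accepts V1.
            offers = {"v1", "v2"}
        elif proto.startswith("1."):
            offers = {"v1"}
        else:
            raise ValueError(f"unknown protocol version {proto!r}")
        return {"proto": proto, "software": software, "offers": offers}
    raise ValueError("no SSH identification line found")


def audit(raw: bytes, allow_v1: bool = False, allow_v2: bool = True) -> list:
    """Compare what the server offers with the intended V1/V2 settings."""
    offers = parse_ident(raw)["offers"]
    findings = []
    for version, allowed in (("v1", allow_v1), ("v2", allow_v2)):
        if version in offers and not allowed:
            findings.append(f"SSH {version} is offered but should be disabled")
        if version not in offers and allowed:
            findings.append(f"SSH {version} is not offered but should be enabled")
    return findings


def fetch_ident(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Read from your own Switch until a complete 'SSH-' line has arrived."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while len(data) < 4096:
            chunk = sock.recv(256)
            if not chunk:
                break
            data += chunk
            complete_lines = data.split(b"\n")[:-1]
            if any(l.startswith(b"SSH-") for l in complete_lines):
                break
        return data


# Constructed sample banners; the software names are placeholders.
SAMPLES = {
    "V2 only": b"SSH-2.0-ExampleSSH_1.0\r\n",
    "V1 and V2": b"SSH-1.99-ExampleSSH_1.0\r\n",
    "V1 only, with pre-banner text": b"Authorized use only\r\nSSH-1.5-ExampleSSH\r\n",
}

if __name__ == "__main__":
    for label, banner in SAMPLES.items():
        print(label, parse_ident(banner)["offers"], audit(banner))
```

To check a real device, pass the result of fetch_ident() with the Switch's management IP Address to audit().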
Key Upload
Key Type: Select the type of SSH Key to upload. The Switch supports three types: SSH-1 RSA, SSH-2 RSA and SSH-2 DSA.
Key File: Select the desired key file to upload.
Upload: Click the Upload button to upload the desired key file to the Switch.
CAUTION: SSH settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.
CAUTION: Please ensure the key length of the upload file is between 256 and 3072 bits.
CAUTION: After the Key File is uploaded the default key of the same type will be replaced. A failed or corrupt upload will result in SSH access defaulting to Password Authentication.

Application Example 1 for SSH: SSH Login
In the example below we will outline a typical connection using the Windows 7 version of the PuTTY SSH Client.
1. Open PuTTY, enter the IP Address of the Switch into the Host Name (or IP Address) field, keep the default value of 22 in the Port field and select SSH as the Connection type.
Figure 4-18 SSH Login
2. Click the Open button to log on to the Switch. Enter the User Name and Password used to access the Web Management page of the Switch.

5 SWITCHING
The Switching menu is used to configure the basic functions of the Switch, including: Port Settings, LAG, Traffic Monitor and MAC Settings.

5.1 Port Settings
The Port Settings menu allows you to configure the features of the Ethernet Ports of the Switch. The available options include the Port Config, Port Mirror, Port Security, Port Isolation and Loopback Detection pages.

5.1.1 Port Config
Here you can configure the basic parameters for the Ethernet Ports of the Switch.
When the Port is disabled, all packets received on the Port will be discarded. Disabling unused Ports will reduce the power consumption but will require you to Enable them if a new device is connected. The parameters you set will affect the operating mode of the Port; please set the parameters appropriately according to your needs and the capability of connected devices.
Choose the menu Switching>>Port Settings>>Port Config to load the following page.
Figure 5-1 Port Config
Here you can view and configure the Port parameters.
Port Config
Port Select: Enter a port number and click the Select button to quick-select the corresponding Port.
Select: Place a check mark to select the desired Port(s) to be configured.
Port: Displays the Port number. Will be blank when selecting multiple ports.
Description: Description of the Port for easy identification.
Status: Allows you to Enable or Disable the Port.
Speed and Duplex: Select the Speed and Duplex mode for the Port. The device connected to the Switch should be in the same Speed and Duplex as the port it is connected to. When “Auto” is selected Speed and Duplex will be determined by auto-negotiation. For SFP adapters the Switch does not support auto-negotiation; you will be required to set the port to 1000MFD.
Flow Control: Allows you to Enable or Disable the Flow Control feature. When Flow Control is enabled the Switch will attempt to synchronize the speed with its peer to avoid the packet loss caused by congestion.
LAG: Displays the LAG Group number the Port belongs to.
CAUTION: Port Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.
NOTE: The parameters of the Ports in a LAG Group should be set the same for optimal operation.

5.1.2 Port Mirror
Port Mirror can be used to forward copies of packets from one or multiple Ports (Mirrored Port or the source Port(s)) to a specified Port (Mirroring or destination Port). The Mirroring Port is connected to a Data diagnosis device, which is used to analyze the mirrored packets for monitoring and troubleshooting the Network.
Choose the menu Switching>>Port Settings>>Port Mirror to load the following page.
Figure 5-2 Mirroring Port
The following entries are displayed on this screen.
Mirror Group List
Group: The Mirror Group number.
Mirroring: The Mirroring Port number (destination Port).
Mode: Indicates the traffic mirroring options of Ingress or Egress sources.
Mirrored Port: Displays the Mirrored Ports and whether they are mirroring Ingress, Egress or Both.
Operation: Click Edit to configure the mirror group.
Clicking Edit displays the following page.
Figure 5-3 Mirroring Port
The following entries are displayed on this screen.
Mirror Group
Number: The mirror group number you want to configure.
Mirroring Port
Mirroring Port: The Mirroring Port (destination Port) number.
Mirrored Port
Port Select: Enter a Port number and click the Select button to quick-select the corresponding Port.
Select: Place a check in the check box to select the desired Port(s) as a Mirrored Port (source Port(s)).
Port: Displays the Port number.
Ingress: Enable or Disable the Ingress feature. When Ingress is enabled the incoming packets received by the Mirrored Port will be copied and forwarded to the Mirroring Port.
Egress: Enable or Disable the Egress feature. When Egress is enabled the outgoing packets sent by the Mirrored Port will be copied and forwarded to the Mirroring Port.
LAG: Displays the LAG Group number the Port belongs to. A LAG Group member cannot be selected as a Mirrored Port or Mirroring Port.
CAUTION: Port Mirror settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.
NOTE: LAG Group members cannot be selected as a Mirrored Port or Mirroring Port.
CAUTION: A Port cannot be set as a Mirrored Port and a Mirroring Port simultaneously.
NOTE: The Port Mirror function will span multiple VLANs.

5.1.3 Port Security
Port Security is used to protect the Switch from malicious MAC Address Attacks by limiting the maximum number of MAC Addresses that can be learned on each Port. A Port with the Port Security feature enabled will learn MAC Addresses dynamically. When the number of learned MAC Addresses reaches the maximum value set, the Port will stop learning. Any new devices with an unlearned MAC Address will not be allowed access to the Network via this Port.
Choose the menu Switching>>Port Settings>>Port Security to load the following page.
Figure 5-4 Port Security
The following entries are displayed on this screen:
Port Security
Select: Check the check box of the desired Port(s) for Port Security configuration.
Port: Displays the Port number.
Max Learned MAC: Specify the Maximum number of MAC Addresses that can be learned on the Port(s).
Learned Num: Displays the number of MAC Addresses that have been learned by the Port.
Learn Mode: Select the Learn Mode for the Port.
Dynamic: When Dynamic mode is selected any learned MAC Address will be deleted automatically after the aging time expires.
Static: When Static mode is selected the learned MAC Address will not be deleted by the aging time process and can only be deleted manually. The learned entries will clear if the Switch is rebooted.
Permanent: When Permanent mode is selected the learned MAC Address will not be deleted by the aging time process and can only be deleted manually. The learned entries will be saved if the Switch is rebooted.
Status: Enable or Disable the Port Security feature for the Port(s).
CAUTION: Port Security settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.
CAUTION: Port Security is unavailable for any LAG Group members. If the Port is removed from the LAG Group the Port Security function will be available for the Port.
NOTE: Port Security is disabled when using 802.1X/RADIUS Authentication.

5.1.4 Port Isolation
Port Isolation (sometimes referred to as Port based VLAN) provides a method of restricting traffic flow to improve Network security by not allowing the selected Port to forward packets to Ports that are not members of its Port Isolation List.
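Returning to the Port Security learning limit and the Dynamic, Static and Permanent learn modes of section 5.1.3, a small model shows how a burst of unknown source MAC Addresses is contained and how each mode treats aging and reboot. This is an added illustration, not Luxul code; the class, the 300-second aging time, the refresh of the aging timer on traffic, the loss of Dynamic entries on reboot and every MAC Address are assumptions constructed for the example.

```python
"""Model of per-Port MAC learning limits with three learn modes."""
from dataclasses import dataclass, field

DYNAMIC, STATIC, PERMANENT = "dynamic", "static", "permanent"


@dataclass
class SecuredPort:
    max_learned: int
    mode: str = DYNAMIC
    aging_time: int = 300          # seconds; assumed value
    table: dict = field(default_factory=dict)  # MAC -> time last seen
    dropped: int = 0

    def age(self, now: int) -> None:
        """Only Dynamic entries are removed by the aging process."""
        if self.mode != DYNAMIC:
            return
        expired = [m for m, seen in self.table.items()
                   if now - seen >= self.aging_time]
        for mac in expired:
            del self.table[mac]

    def receive(self, src_mac: str, now: int) -> bool:
        """Return True if a frame from src_mac is admitted on this Port."""
        self.age(now)
        mac = src_mac.lower()
        if mac in self.table:
            self.table[mac] = now  # assumption: traffic refreshes the timer
            return True
        if len(self.table) >= self.max_learned:
            self.dropped += 1      # limit reached: the Port stops learning
            return False
        self.table[mac] = now
        return True

    def reboot(self) -> None:
        """Only Permanent entries are saved across a reboot."""
        if self.mode != PERMANENT:
            self.table.clear()


def constructed_flood(count: int) -> list:
    """Distinct, locally administered MAC Addresses made up for the test."""
    macs = []
    for i in range(count):
        hi, lo = divmod(i, 256)
        macs.append(f"02:00:00:00:{hi:02x}:{lo:02x}")
    return macs


def run_scenario(mode: str, max_learned: int = 2) -> dict:
    port = SecuredPort(max_learned=max_learned, mode=mode)
    port.receive("00:aa:bb:00:00:01", now=0)   # two legitimate hosts
    port.receive("00:aa:bb:00:00:02", now=0)
    passed = sum(port.receive(mac, now=1) for mac in constructed_flood(500))
    result = {
        "flood_passed": passed,
        "flood_dropped": port.dropped,
        "learned_after_flood": len(port.table),
        "known_host_ok": port.receive("00:aa:bb:00:00:01", now=2),
        # A third host shows up long after the first two went quiet.
        "newcomer_after_aging": port.receive("00:aa:bb:00:00:03", now=400),
    }
    port.reboot()
    result["entries_after_reboot"] = len(port.table)
    return result


if __name__ == "__main__":
    for mode in (DYNAMIC, STATIC, PERMANENT):
        print(mode, run_scenario(mode))
```

In Static and Permanent mode the newcomer is refused until an entry is deleted manually, which is the operational cost of the stricter modes.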
Choose the menu Switching>>Port Settings>>Port Isolation to load the following page.
Figure 5-5 Port Isolation Config
The following entries are displayed on this screen:
Port Isolation Config
Port: Select a Port number to set its Port Isolation List.
Allowed Ports: Select the Allowed Port(s) for the selected Port to Forward to.
Port Isolation List
Port: Displays the Port number.
Allowed Ports: Displays the Allowed Ports List for the corresponding Port.
NOTE: Port Isolation settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

5.1.5 Loopback Detection
The Loopback Detection feature can detect Network loops using loopback detection packets. When a loop is detected, the Switch will display an alert and/or block the corresponding Port according to the settings configured.
Choose the menu Switching>>Port Settings>>Loopback Detection to load the following page.
Figure 5-6 Loopback Detection Config
The following entries are displayed on this screen:
Loopback Detection
Loopback Detection: Enable or Disable Loopback Detection globally.
Detection Interval: Set a Loopback Detection interval between 1 and 1000 seconds; the default value is 30 seconds.
Automatic Recovery: The amount of Time after which the blocked Port will automatically return to normal status. It is set as a number of detection intervals to elapse before Automatic Recovery.
Refresh Status: Enable or Disable automatic refresh.
Refresh Interval: Set a web refresh interval between 3 and 100 seconds; the default is 3 seconds.
Port Config
Port Select: Enter a Port number and click the Select button to quick-select the corresponding Port.
Select: Check the check box of the desired Port(s) for Loopback Detection configuration.
Port: Displays the Port number.
Status: Enable or Disable Loopback Detection for the Port(s).
Operation Mode: Select the Mode the Switch will operate in when loops are detected.
Alert: When a loop is detected display an alert.
Port based: When a loop is detected display an alert and block the Port.
Recovery Mode: Select the Mode the Switch will use to unblock Ports marked for recovery to normal status.
Auto: Block status can be automatically removed after the Recovery interval.
Manual: Block status can only be removed manually.
Loop Status: Displays if a loopback is detected.
Block Status: Displays the Port Blocking Status: block or unblock.
LAG: Displays the LAG Group number the Port belongs to.
Manual Recover: Click to Manually remove the block status of selected Port(s).
CAUTION: Loopback Detection settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.
NOTE: Recovery Mode is not available when Alert or Port Based with Manual Recovery is the chosen Operation Mode.
NOTE: Loopback Detection requires Storm Control to be configured and active.

5.2 LAG
LAG (Link Aggregation Group) is used to combine a number of Ports together to make a single high-bandwidth Data path and to implement traffic load sharing among the member Ports of a group. This also enhances connection reliability.
All member Ports in an Aggregation group must have the same basic configuration. The basic configuration options include: STP, QoS, GVRP, VLAN, Port Attributes, MAC Address Learning Mode and other associated settings.
If Ports that have GVRP, 802.1Q VLAN, Voice VLAN, STP, QoS, DHCP Snooping and Port Configuration (Speed and Duplex, Flow Control) settings configured are in a LAG Group, their configurations should be the same.
Ports that have Port Security, Port Mirror, MAC Address Filtering, Static MAC Address Binding and 802.1X/RADIUS Authentication settings configured cannot be added to a LAG Group.
It is not recommended to add any Ports with ARP Inspection and/or DoS Defense to the LAG Group.
If a LAG Group(s) is to be used, we recommend configuration of the LAG Group before configuring the other functions for LAG Member Ports.
NOTE: To calculate the bandwidth of a LAG: If a LAG consists of four Ports with the speed of 1000Mbps Full Duplex, the aggregate bandwidth of the LAG is up to 8000Mbps (2000Mbps * 4) because the bandwidth of each member Port is 2000Mbps, taking into account the up-link speed of 1000Mbps and the down-link speed of 1000Mbps.
NOTE: The traffic load of the LAG will be automatically balanced among the Member Ports. If the connection of one or several Ports is lost, the traffic using these Ports will be forwarded by the remaining Member Ports of the LAG, maintaining redundancy.
Depending on the Aggregation mode, Aggregation groups fall into two types: Static LAG and LACP Config.

5.2.1 LAG Table
On this page you can view the information of the current LAG Groups configured on the Switch.
Choose the menu Switching>>LAG>>LAG Table to load the following page.
Figure 5-7 LAG Table
The following entries are displayed on this screen:
Lag Hash
Hash Algorithm: Select the applied scope of the Hash Algorithm, which is used to choose the Port that transfers the packets.
SRC MAC + DST MAC: When this option is selected the Hash Algorithm will use the source and destination MAC Addresses of the packets.
SRC IP + DST IP: When this option is selected the Hash Algorithm will use the source and destination IP Addresses of the packets.
LAG Table
Select: Check the check box of the desired LAG Group.
Group Number: Displays the LAG Group number.
Description: Displays the description of the LAG Group.
Member: Displays the LAG Group Members.
Operation: Allows you to view or modify the information for each LAG Group.
Edit: Click to modify the settings of the LAG Group.
Detail: Click to get the information of the LAG.
Click the Detail button for the detailed information of your selected LAG.
Figure 5-8 Detail Information

5.2.2 Static LAG
On this page you can manually configure the LAG Group. The LACP feature is disabled for the member Ports of any manually added Static LAG.
Choose the menu Switching>>LAG>>Static LAG to load the following page.
Figure 5-9 Manual Config
The following entries are displayed on this screen:
LAG Config
Group Number: Select a Group Number for the LAG.
Description: Displays the description of the LAG (not configurable by the user).
LAG Table
Member Ports: Select the Ports to be added as a LAG member. Clearing all the Ports from the LAG will delete the LAG Group.
NOTE: The LAG Group can be deleted by clearing its member Ports.
NOTE: Only a non-member Port can be added to a LAG Group. If a Port is the member of a LAG Group or is Dynamically Aggregated as an LACP member, the Port number will be grayed out and cannot be selected.
CAUTION: Static LAG settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

5.2.3 LACP Config
LACP (Link Aggregation Control Protocol) is defined in IEEE802.3ad and enables Dynamic Link Aggregation by exchanging LACP packets with a partner. The Switch can dynamically group similarly configured Ports into a single logical link, dynamically creating a LAG Group.
With the LACP feature enabled the Port will notify its partner of the System Priority, System MAC, Port Priority, Port Number and Operation Key (the Operation Key is determined by the physical properties of the Port). The device with higher priority will control dynamic Aggregation. System Priority and System MAC are used to decide the priority of a device. The lower System Priority value will be the Higher Priority. If partner devices have the same System Priority the device with the numerically lowest System MAC has the higher priority. The device with the highest priority will choose the Ports to be aggregated based on Port Priority, Port Number and Operation Key. Only the Ports with the same operation key can be added into the same Aggregation group. In an Aggregation group the Port with lowest Port Priority will be considered the preferred Port. If Port priorities are equal the Port with lowest Port number is preferred. After an Aggregation group is established the selected Ports will be aggregated together in a Dynamically configured LAG Group.
On this page you can configure the LACP feature of the Switch.
Choose the menu Switching>>LAG>>LACP Config to load the following page.
Figure 5-10 LACP Config
The following entries are displayed on this screen:
LACP Config
System Priority: Specifies the system priority for the Switch. The System Priority and MAC Address constitute the System Identification (ID). A lower System Priority value indicates a higher system priority. When exchanging information between systems the system with higher priority determines which Link Aggregation Group a link belongs to. The system(s) with lower priority adds the proper links to Link Aggregation according to the selection of its partner.
LACP Config
Port Select: Click the Select button to quick-select the corresponding Port based on the Port number you entered.
Select: Select the desired Port(s) for LACP configuration.
Port: Displays the Port number.
LAG Group: Specify a LAG Group for the Port. The member Ports in a dynamic Aggregation group must have the same LAG Group.
Port Priority: Specify a Port Priority for the Port. This value determines the priority of the Port to be selected as a Dynamic Aggregation group member. The Port with lowest Port Priority will be considered the preferred Port. If two Port priorities are equal the Port with lower Port number is preferred.
Status: Enable/Disable the LACP feature for your selected Port.
LAG: Displays the LAG Group the Port belongs to.
CAUTION: LACP Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

5.3 Traffic Monitor
Traffic Monitor allows for monitoring the traffic of each Port.

5.3.1 Traffic Summary
The Traffic Summary screen displays the traffic information of each Port, enabling you to monitor the traffic and analyze any Network abnormalities.
Choose the menu Switching>>Traffic Monitor>>Traffic Summary to load the following page.
Figure 5-11 Traffic Summary

The following entries are displayed on this screen:

Auto Refresh
Auto Refresh: Enable/Disable refreshing the Traffic Summary page automatically.
Refresh Rate: Enter a value in seconds to specify the Refresh Interval.

Traffic Summary
Port Select: Click the Select button to quick-select the corresponding Port based on the Port number you entered.
Port: Displays the Port number.
Packets Rx: Displays the number of Packets Received on the Port. Error packets are not counted in this field.
Packets Tx: Displays the number of Packets Transmitted on the Port.
Octets Rx: Displays the number of Octets Received on the Port. Error octets are counted in this field.
Octets Tx: Displays the number of Octets Transmitted on the Port.
Statistics: Click the View link to view the detailed traffic statistics for the Port.

5.3.2 Traffic Statistics

Traffic Statistics displays the detailed traffic information of each Port, enabling you to monitor the traffic and locate faults.

Choose the menu Switching>>Traffic Monitor>>Traffic Statistics to load the following page.

Figure 5-12 Traffic Statistics

The following entries are displayed on this screen:

Auto Refresh
Auto Refresh: Enable/Disable refresh of the Traffic Summary page automatically.
Refresh Rate: Enter a value in seconds to specify the Refresh Interval.

Statistics
Port: Enter a Port number and click the Select button to view the traffic statistics of the corresponding Port.
Received: Displays the Packets Received on the Port.
Sent: Displays the Packets Transmitted on the Port.
Broadcast: Displays the number of good Broadcast Packets Received and/or Transmitted on the Port. Error packets are not counted.
Multicast: Displays the number of good Multicast Packets Received and/or Transmitted on the Port. Error packets are not counted.
Unicast: Displays the number of good Unicast Packets Received and/or Transmitted on the Port. Error packets are not counted.
Alignment Errors: Displays the number of Received Packets with a bad Frame Check Sequence (FCS) containing a non-integral octet (Alignment Error). The length of the packet will be between 64 bytes and 1518 bytes.
UndersizePkts: Displays the number of Received Packets (excluding error Packets) that are less than 64 bytes long.
Pkts64Octets: Displays the number of Received Packets (including error Packets) that are 64 bytes long.
Pkts65to127Octets: Displays the number of Received Packets (including error Packets) that are between 65 and 127 bytes long.
Pkts128to255Octets: Displays the number of Received Packets (including error Packets) that are between 128 and 255 bytes long.
Pkts256to511Octets: Displays the number of Received Packets (including error Packets) that are between 256 and 511 bytes long.
Pkts512to1023Octets: Displays the number of Received Packets (including error Packets) that are between 512 and 1023 bytes long.
PktsOver1023Octets: Displays the number of Received Packets (including error Packets) that are over 1023 bytes.
Collisions: Displays the number of Collisions experienced by a Port during Packet Transmissions. Collisions can indicate a Network loop, duplicate MAC Addresses or other Network abnormalities.

CAUTION: Traffic Statistics settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

5.4 MAC Address

The Switch forwards traffic based on the Destination MAC Address contained in the Packet Header.
To accelerate this process the Switch maintains a MAC Table, the properties of which can be adjusted to meet the needs of the Network. By default the MAC Table is updated dynamically as Data crosses the Switch; this, combined with an Aging Timeout, allows the Switch to dynamically manage the MAC Table. The Switch offers multiple configuration options to meet the needs of your Network. The types and features of the MAC Table are listed in the table below:

| Type | Configuration | Auto Aging | MAC Address kept after reboot | Relationship between the bound MAC Address and the Port |
|---|---|---|---|---|
| Dynamic MAC | Automatic | Yes (Note: Auto Aging can be disabled but it is not recommended) | No | The learned MAC address can be learned by the other Ports in the same VLAN. |
| Static MAC | Manual Configuration | No | Yes (Note: The configuration must be saved to non-volatile RAM) | The static MAC address cannot be learned by or added to other Ports in the same VLAN. |
| MAC Filtering | Manual Configuration | No | Yes (Note: The configuration must be saved to non-volatile RAM) | The filtered MAC address cannot be learned by or added to other Ports in the same VLAN. Also, if the device is moved to a new port, the port will not be allowed to forward Data. |

Table 5-1 Types and features of MAC Table

This function includes four submenus: MAC Table, Static MAC, Dynamic MAC and MAC Filtering.

5.4.1 MAC Table

On this page, you can view all the information of the MAC Table.

Choose the menu Switching>>MAC Settings>>MAC Table to load the following page.

Figure 5-13 MAC Table

The following entries are displayed on this screen:

Address Table
MAC Address: Enter the MAC address to search by.
VLAN ID: Enter the VLAN ID to search by.
Port: Select the corresponding Port number to search by.
Type: Select the Type of entry to search by.
• All: Displays all MAC Address entries.
(Note: The maximum number of entries displayed on this page is 100. To display more than 100 entries please use the Search option.)
• Static: Displays only the Static MAC Address entries.
• Dynamic: Displays only the Dynamic MAC Address entries.
• Filtering: Displays only the Filtered MAC Address entries.

Address Table
MAC Address: Displays the MAC address learned by the Switch.
VLAN ID: Displays the corresponding VLAN ID of the MAC address.
Port: Displays the corresponding Port number of the MAC address.
Type: Displays the Type of the MAC address.
Aging Status: Displays the Aging status of the MAC address.

5.4.2 Static MAC

The Static MAC Table maintains the static MAC Address entries, which are added or removed manually. In stable Networks, static MAC Address entries can help reduce broadcast packets and improve the efficiency of packet forwarding.

Choose the menu Switching>>MAC Settings>>Static MAC to load the following page.

Figure 5-14 Static MAC

The following entries are displayed on this screen:

Add Static MAC
MAC Address: Enter the static MAC Address to be bound.
VLAN ID: Enter the corresponding VLAN ID of the MAC address.
Port: Select a Port from the drop-down to be bound.

Search Option
Search Option: Select a Search Option from the drop-down and click the Search button to find the desired entry in the Static MAC Table.
• MAC: Enter the MAC address of the desired entry.
• VLAN ID: Enter the VLAN ID number of the desired entry/entries.
• Port: Enter the Port number of the desired entry/entries.

Static MAC Table
Select: Select an entry to delete or modify the corresponding Port number.
MAC Address: Displays the Static MAC Address.
VLAN ID: Displays the corresponding VLAN ID of the Static MAC Address.
Port: Displays the corresponding Port Number of the Static MAC Address. You can modify the Port number to which the MAC Address is bound; however, the new Port must be in the same VLAN.
Type: Displays the Type of the MAC Address entry.
Aging Status: Displays the Aging Status of the MAC Address entry.

CAUTION: Static MAC settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

CAUTION: If the corresponding Port Number of the Static MAC address is not correct due to the connected Port or device having changed, the Switch will not forward packets correctly. Please reset the static address entry correctly.

CAUTION: If the MAC address of a device has been added to the Static MAC Table, connecting the device to another Port will cause its MAC Address not to be recognized dynamically by the Switch. This will result in packets not being forwarded to the connected device.

NOTE: The MAC address in the Static MAC Table cannot be added to the Filtering MAC Table or be bound to a Port dynamically.

NOTE: The Static MAC Address binding function is not available if the 802.1X/RADIUS feature is enabled.

5.4.3 Dynamic MAC

The Dynamic MAC Table updates automatically by learning new MAC Addresses and Auto Aging of old MAC Addresses. To fully utilize the Dynamic MAC Table, which has a limited capacity, the Switch uses Auto Aging. The Switch removes the MAC address entry related to a Network device if no packet is received from the device within the Aging Time.

On this page, you can configure the Dynamic MAC parameters.

Choose the menu Switching>>MAC Address>>Dynamic MAC to load the following page.

Figure 5-15 Dynamic MAC
The following entries are displayed on this screen:

Aging Config
Auto Aging: Enable/Disable the Auto Aging feature. (Note: We strongly recommend that you do not disable Auto Aging, as that can result in Data loss and potential connectivity issues.)
Aging Time: Enter the Aging Time for the Dynamic MAC Address.

Search Option
Search Option: Select a Search Option from the drop-down and click the Search button to find the desired entry in the Dynamic MAC Table.
• MAC: Enter the MAC address of the desired entry.
• VLAN ID: Enter the VLAN ID number of the desired entry/entries.
• Port: Enter the Port number of the desired entry/entries.

Dynamic MAC Table
Select: Select the entry/entries to delete the dynamic address or to bind the MAC Address to the corresponding Port statically.
MAC Address: Displays the learned MAC Address.
VLAN ID: Displays the corresponding VLAN ID of the MAC address.
Port: Displays the corresponding Port number of the MAC address.
Type: Displays the Type of the MAC address.
Aging Status: Displays the Aging Status of the MAC address.
Bind: Select the desired entry/entries and click the Bind button to bind the MAC address of your selected entry to the corresponding Port statically.

NOTE: Setting the aging time properly helps implement effective MAC address aging. An aging time that is too long or too short decreases the performance of the Switch. If the aging time is too long, excessive invalid MAC Address entries are maintained by the Switch and may fill up the MAC Address Table. This prevents the MAC Address Table from being updated with any Network changes. If the aging time is too short, the Switch may remove valid MAC address entries, causing the Switch to require re-learning of the deleted MAC entry and decreasing the forwarding performance of the Switch. We recommend keeping the default value.
CAUTION: Dynamic MAC settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

5.4.4 MAC Filtering

MAC Filtering is used to control which packets are forwarded. MAC Filtering entries are added or removed manually and are independent of the Aging Time. MAC Filtering allows the Switch to filter packets based on the source address or destination address. MAC Filtering entries act on all Ports and in all corresponding VLANs.

Choose the menu Switching>>MAC Address>>MAC Filtering to load the following page.

Figure 5-16 MAC Filtering

The following entries are displayed on this screen:

Add MAC Address Filter
MAC Address: Enter the MAC Address to be filtered.
VLAN ID: Enter the corresponding VLAN ID of the MAC address.

Search Option
Search Option: Select a Search Option from the drop-down and click the Search button to find your desired entry in the MAC Filter Table.
• MAC: Enter the MAC address of the desired entry.
• VLAN ID: Enter the VLAN ID number of the desired entry/entries.

MAC Filter Table
Select: Select the entry/entries to delete the corresponding MAC Filter(s).
MAC Address: Displays the Filtered MAC Address.
VLAN ID: Displays the corresponding VLAN ID.
Port: Displays the Port number; blank indicates no specified Port.
Type: Displays the Type of the MAC address.
Aging Status: Displays the Aging Status of the MAC address.

CAUTION: MAC Filtering settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.
NOTE: MAC Address(es) in the MAC Filter Table cannot be added to the Static MAC Table or be bound to a Port dynamically.

NOTE: MAC Filtering is not available if 802.1X/RADIUS is enabled.

6 VLAN

A Virtual Local Area Network (VLAN) is a Network topology configured according to a logical scheme rather than the physical layout. VLAN technology was developed as a way for Switches to control broadcast load in the Local Area Network (LAN). By creating VLANs in a physical LAN, you can divide the LAN into multiple logical LANs, each of which has a broadcast domain of its own. Hosts in the same VLAN communicate with one another as if they are in a LAN. However, hosts in different VLANs cannot communicate with one another directly. Broadcast packets are limited to the ports or hosts assigned to the same VLAN.

Hosts in the same VLAN communicate with one another via Layer 2 (Broadcast Domain); hosts in different VLANs can communicate with one another through Boundary devices such as Routers or Layer 3 Switches. The following figure illustrates a simple VLAN implementation.

Figure 6-1 VLAN implementation

VLAN configurations have the following advantages:

• Broadcasts are confined to the VLAN. This decreases bandwidth utilization and improves Network performance.
• Network security is improved, because VLANs cannot communicate with one another directly. A host in a VLAN cannot access resources in another VLAN directly; Boundary devices such as Routers or Layer 3 Switches are required.
• VLANs can be used to group specific client devices. When the physical location of a client device changes, you do not need to change its Network configuration; simply make sure the client device is still a member of its original VLAN.
• A VLAN can span multiple Switches. This enables client devices in a VLAN to be dispersed across your entire infrastructure and still maintain isolation.
The Switch supports three VLAN modes: 802.1Q based VLAN, MAC based VLAN and Protocol based VLAN. VLAN tags are used to allow the Switch to identify packets of different VLANs.

The Switch can analyze the received untagged packets on the Port and match the packets with the MAC VLAN, Protocol VLAN and/or 802.1Q VLAN in turn. If a packet is matched, the Switch will add a corresponding VLAN tag to it and forward it in the corresponding VLAN.

6.1 802.1Q VLAN

VLAN tags in packets are necessary for the Switch to identify packets of different VLANs. The Switch works at Layer 2, the Data Link Layer of the OSI model, and can identify only the Data Link Layer encapsulation of the packet, so the VLAN tag field is added into the Data Link Layer encapsulation for identification.

In 1999 IEEE ratified the IEEE 802.1Q protocol to standardize VLAN implementation, defining the structure of VLAN-tagged packets. The IEEE 802.1Q protocol defines that a 4-byte VLAN tag is encapsulated after the Destination MAC Address and Source MAC Address to identify the VLAN membership of the packet. As shown in the following figure, a VLAN tag contains four fields: TPID (Tag Protocol Identifier), Priority, CFI (Canonical Format Indicator), and VLAN ID.

Figure 6-2 Format of VLAN Tag

TPID: TPID is a 16-bit field, indicating that this Data frame is VLAN-tagged. (By default it is set to 0x8100 or no VLAN ID.)
Priority: Priority is a 3-bit field related to 802.1p priority. Refer to the QoS section of the User Guide for more details.
CFI: CFI is a 1-bit field, indicating whether the MAC address is encapsulated in the standard format or modified format. This field is not described in detail in this chapter.
VLAN ID: VLAN ID is a 12-bit field indicating the ID of the VLAN to which this packet belongs. It has a range of 0 to 4,095.
IDs 0 and 4,095 are not used, leaving the valid entries for the field in the range of 1 to 4,094.

The VLAN ID identifies the VLAN to which a packet belongs. When the Switch receives an untagged packet, it will encapsulate a VLAN tag with the default VLAN ID of the Ingress Port, and the packet will be assigned to the default VLAN of the Ingress Port for transmission.

In this User Guide “tagged packet” refers to a packet with a VLAN tag, “untagged packet” refers to a packet without a VLAN tag and “priority-tagged packet” refers to a packet with a VLAN tag whose VLAN ID is 0.

Link Types of Ports

When creating the 802.1Q VLAN, you should set the link type for the Port according to the configuration of the connected device. The link type of a Port is one of the following three types:

ACCESS: The ACCESS Port can be added to a single VLAN; the Egress Rule of the Port is UNTAG. The PVID will be the same as the current VLAN ID. If the ACCESS Port is added to another VLAN, it will be removed from its current VLAN automatically.
TRUNK: The TRUNK Port can be added to multiple VLANs; the Egress Rule of the Port is TAG. The TRUNK Port type is generally used to connect other Network devices (e.g. Switches, routers, access points); it receives and forwards packets from multiple VLANs. Packets forwarded by a TRUNK Port will not have any changes made to the existing VLAN tag. The PVID can be set to the VID number of any VLAN the Port belongs to.
GENERAL: The GENERAL Port can be added to multiple VLANs and can have various Egress Rules in different VLANs. The default Egress Rule is UNTAG. The PVID can be set to the VID number of any VLAN the Port belongs to.

PVID

PVID (Port VLAN ID) is the default VID of the Port. When the Switch receives an untagged packet, it will add a VLAN tag to the packet according to the PVID of the Ingress Port.
When creating VLANs, the PVID of each Port indicates the default VLAN to which the Port belongs, and is an important parameter with the following two purposes:

• When the Switch receives an untagged packet, it will add a VLAN tag to the packet according to the PVID of its Ingress Port.
• PVID determines the default broadcast domain of the Port: when the Port receives broadcast packets, the Port will broadcast the packets to all members of the same PVID.

Tagged and untagged packets are processed in different ways after being received by Ports of different link types, as illustrated in the following table.

| Port Type | Received Packets: Untagged Packets | Received Packets: Tagged Packets | Forwarded Packets |
|---|---|---|---|
| Access | When untagged packets are received, the Port will add the default VLAN tag, i.e. the PVID of the Ingress Port, to the packets. | If the VID of packet is the same as the PVID of the Port, the packet will be received. If the VID of packet is not the same as the PVID of the Port, the packet will be dropped. | The packet will be forwarded after removing its VLAN tag. |
| Trunk | When untagged packets are received, the Port will add the default VLAN tag, i.e. the PVID of the Ingress Port, to the packets. | If the VID of packet is allowed by the Port, the packet will be received. If the VID of packet is forbidden by the Port, the packet will be dropped. | The packet will be forwarded with its current VLAN tag. |
| General | When untagged packets are received, the Port will add the default VLAN tag, i.e. the PVID of the Ingress Port, to the packets. | If the VID of packet is allowed by the Port, the packet will be received. If the VID of packet is forbidden by the Port, the packet will be dropped. | If the Egress Rule of Port is TAG, the packet will be forwarded with its current VLAN tag. If the Egress Rule of Port is UNTAG, the packet will be forwarded after removing its VLAN tag. |

Table 6-1 Relationship between Port Types and VLAN Packets Processing

The IEEE 802.1Q VLAN function is implemented on the VLAN Config and Port VLAN Config pages.

6.1.1 VLAN Config

On this page, you can view the currently created 802.1Q VLANs.

Choose the menu VLAN>>802.1Q VLAN>>VLAN Config to load the following page.
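The tag layout from Figure 6-2 and the receive and forward rules of Table 6-1 can be traced in code. The following Python sketch is an added example, not part of the Luxul guide or the Switch firmware; the `Port` model, its field names, the port names and the sample frame are assumptions constructed for illustration.

```python
import struct
from dataclasses import dataclass, field

TPID = 0x8100  # Tag Protocol Identifier of an 802.1Q tag


@dataclass
class Port:
    """Illustrative port model; the field names are assumptions, not switch settings."""
    link_type: str                                    # "ACCESS", "TRUNK" or "GENERAL"
    pvid: int = 1                                     # default VLAN for untagged ingress
    vlans: set = field(default_factory=lambda: {1})   # VLANs the port is a member of
    tag_vlans: set = field(default_factory=set)       # GENERAL only: VLANs with Egress Rule TAG


def parse_tag(frame: bytes):
    """Return (priority, cfi, vlan_id) when a tag follows DA and SA, else None."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID:
        return None
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def add_tag(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert the 4-byte tag after the two 6-byte MAC addresses."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("valid VLAN IDs are 1 to 4094")
    tci = ((priority & 0x7) << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte tag from a tagged frame."""
    return frame[:12] + frame[16:]


def ingress(port: Port, frame: bytes):
    """'Received Packets' columns of Table 6-1: (vlan_id, tagged frame) or None if dropped."""
    tag = parse_tag(frame)
    if tag is None:                       # untagged: tag with the PVID of the ingress port
        return port.pvid, add_tag(frame, port.pvid)
    vlan_id = tag[2]
    if port.link_type == "ACCESS":
        accepted = vlan_id == port.pvid   # ACCESS accepts only a VID equal to its PVID
    else:
        accepted = vlan_id in port.vlans  # TRUNK/GENERAL accept VIDs allowed on the port
    return (vlan_id, frame) if accepted else None


def egress(port: Port, vlan_id: int, frame: bytes):
    """'Forwarded Packets' column of Table 6-1; None when the port is not in the VLAN."""
    if vlan_id not in port.vlans:
        return None
    if port.link_type == "ACCESS":
        return strip_tag(frame)
    if port.link_type == "TRUNK":
        return frame
    return frame if vlan_id in port.tag_vlans else strip_tag(frame)   # GENERAL


def flood(ports: dict, in_name: str, frame: bytes) -> dict:
    """Deliver a frame to every other port in its VLAN; returns {port name: bytes sent}."""
    result = ingress(ports[in_name], frame)
    if result is None:
        return {}
    vlan_id, tagged = result
    sent = {}
    for name, port in ports.items():
        if name != in_name:
            out = egress(port, vlan_id, tagged)
            if out is not None:
                sent[name] = out
    return sent


# Constructed sample: four ports and one untagged broadcast frame (Ethernet II, type 0x0800).
PORTS = {
    "p1": Port("ACCESS", pvid=10, vlans={10}),
    "p2": Port("ACCESS", pvid=20, vlans={20}),
    "p3": Port("TRUNK", pvid=1, vlans={1, 10, 20}),
    "p4": Port("GENERAL", pvid=10, vlans={10, 20}, tag_vlans={20}),
}
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + bytes(46)

if __name__ == "__main__":
    for src, frame in (("p1", UNTAGGED), ("p1", add_tag(UNTAGGED, 20)), ("p3", add_tag(UNTAGGED, 20))):
        out = flood(PORTS, src, frame)
        print(src, "->", {name: parse_tag(sent) for name, sent in out.items()})
```

The second case shows the isolation property from Table 6-1: a frame tagged for VLAN 20 that arrives on an ACCESS Port whose PVID is 10 is dropped and reaches no other Port.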
Figure 6-3 VLAN Table

To ensure normal communication across the Switch, the default VLAN of all Ports is set to VLAN1, and VLAN1 cannot be deleted.

The following entries are displayed on this screen:

VLAN Table
VLAN ID Select: Click the Select button to quick-select the corresponding entry based on the VLAN ID you entered.
Select: Select the desired entry to delete the corresponding VLAN(s).
VLAN ID: Displays the ID of the VLAN.
Description: Displays the description of the VLAN.
Members: Displays the Port members of the VLAN.
Operation: Allows you to view or modify the information for each entry.
• Edit: Click to modify the settings of a VLAN.
• Detail: Click to get detailed information on a VLAN.

Click the Create button to create a new VLAN.

Figure 6-4 Create or Edit 802.1Q VLAN

The following entries are displayed on this screen:

VLAN Config
VLAN ID: Enter the ID number of the VLAN.
Description: A description of the VLAN for identification.
Check: Click the Check button to verify if the VLAN ID entered is valid and available.

VLAN Members
Port Select: Click the Select button to quick-select the corresponding entry based on the Port number you entered.
Select: Select the desired Port(s) to be added as a member of the VLAN or leave it blank to not add it to the VLAN.
Port: Displays the Port number.
Link Type: Displays the Link Type of the Port. It can be changed in the Port VLAN Config screen.
Egress Rule: Select the Egress Rule for the VLAN Port member. The default Egress Rule for all ports until the Link Type is changed is UNTAG.
• TAG: All packets forwarded by the Port are tagged.
• UNTAG: All packets forwarded by the Port are untagged.
LAG: Displays the LAG to which the Port belongs.
CAUTION: VLAN Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

6.1.2 Port Config

When creating an 802.1Q VLAN, please survey all the devices connected to the Switch in order to configure the Port Link Type properly for the connected device.

Choose the menu VLAN>>802.1Q VLAN>>Port Config to load the following page.

Figure 6-5 Port VLAN Config

The following entries are displayed on this screen:

VLAN Config
Port Select: Click the Select button to quick-select the corresponding entry based on the Port number entered.
Select: Select the desired Port(s) for configuration.
Port: Displays the Port number.
Link Type: Select the Link Type from the pull-down list for the Port.
• ACCESS: can only be added to a single VLAN; the Egress Rule of the Port is UNTAG. The PVID is the same as the current VLAN ID. If the current VLAN is deleted the PVID will be set back to VLAN ID 1.
• TRUNK: can be added to multiple VLANs; the Egress Rule of the Port is TAG. The PVID can be set as the PVID of any VLAN the Port belongs to; this will also be the PVID used if an Untagged packet is forwarded by the port.
• GENERAL: can be added to multiple VLANs; various Egress tagging Rules can be applied to the different VLANs the port is a member of. The default Egress Rule is UNTAG. The PVID can be set as the PVID of any VLAN the Port belongs to and if set to TAG will be added to any Untagged packets forwarded by the port.
PVID: Enter the PVID number of the Port.
LAG: Displays the LAG Group the Port belongs to.
VLAN: Click the Details link to view the information of the VLAN the Port belongs to.
CAUTION: Port Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

6.2 MAC VLAN

MAC VLAN technology is used to classify and assign VLANs according to the MAC Address of Client Devices. Each MAC Address corresponds to a single VLAN ID. Devices in a MAC VLAN can be connected to another member Port in the MAC VLAN and forward traffic without changing the configuration of VLAN members.

Packets in a MAC VLAN are processed in the following manner:

• When receiving an untagged packet, the Switch will attempt to match the packet with the current MAC VLAN. If the packet is matched, the Switch will add the corresponding MAC VLAN tag. If no MAC VLAN is matched to the packet, the Switch will add a tag to the packet corresponding to the PVID of the receiving Port.
• When receiving tagged packets, the Switch will process them based on the VLAN settings corresponding to the tag in the packet received. If the receiving Port is a member of the VLAN to which the tagged packet belongs, the packet will be forwarded normally; if it is not, the packet will be discarded.
• If the MAC address of a Client Device is assigned to a MAC VLAN, please set the connected Port of the Switch as a member of the corresponding VLAN to ensure all packets are forwarded normally.

On the following page, you can create a MAC VLAN and view the current MAC VLANs in the table.

Choose the menu VLAN>>MAC VLAN to load the following page.

Figure 6-6 Create and View MAC VLAN

The following entries are displayed on this screen:

VLAN Table
MAC Address: Enter the MAC address.
Description: Give a description to the MAC address for identification.
VLAN ID: Enter the VLAN ID of the MAC VLAN. This VLAN should be one of the 802.1Q VLANs the Ingress Port belongs to.

MAC VLAN Table
MAC Select: Click the Select button to quick-select the corresponding.
Select: Select the desired entry(ies).
MAC Address: Displays the MAC address.
Description: Displays the user-defined description of the MAC address.
VLAN ID: Displays the corresponding VLAN ID of the MAC address.
Operation: Click the Edit button to modify the settings of the entry, then click the Modify button to apply your changes.

Configuration Procedure:

| Step | Operation | Description |
|---|---|---|
| 1 | Set the desired link type of the Port. | On the VLAN>>802.1Q VLAN>>Port Config page, set the link type for the Port based on its connected device. Options include Access, Trunk and General. |
| 2 | Create a VLAN. | On the VLAN>>802.1Q VLAN>>VLAN Config page, click the Create button to create a VLAN. Enter the VLAN ID, the description for the VLAN and specify its member Ports. |
| 3 | Create MAC VLAN. | On the VLAN>>MAC VLAN page, create the MAC VLAN device entry(ies). For device(s) in a MAC VLAN, it is required that the Port of the Switch the device(s) are connected to be a member of the VLAN ID created for the MAC VLAN to ensure normal communication. |

CAUTION: MAC VLAN settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

6.3 Protocol VLAN

Protocol VLAN is a way to classify VLANs based on the Network protocol used by the packets. Protocol VLANs can be sorted by IP, IPX, DECnet, AppleTalk, Banyan and so forth. Using Protocol VLANs, the broadcast domain can span multiple Switches and the Host can change its physical position in the Network, all with its VLAN membership role always remaining in effect.
By creating Protocol VLANs, you can manage the connected devices based on their actual applications and services. Using Protocol VLAN, the Switch can analyze received Untagged packets on the Port and match the packets with the user-defined Protocol Template. If a packet is matched, the Switch will add a corresponding VLAN Tag automatically and assign the Data of the specific protocol automatically to a corresponding VLAN for transmission.

Encapsulation Format of Ethernet Data

This section introduces the common types of encapsulation format for Ethernet Data. At present there are two encapsulation formats of Ethernet Data, Ethernet II encapsulation and 802.2/802.3 encapsulation:

Ethernet II encapsulation

Figure 6-7 Ethernet II encapsulation

802.2/802.3 encapsulation

Figure 6-8 802.2/802.3 encapsulation

• DA and SA refer to Destination MAC Address and Source MAC Address. The number listed in each section indicates the length of the field in bytes. For example the length of a Source MAC Address is 12 bytes.
• The maximum amount of Ethernet Data in a standard packet is 1500 bytes. The Length field in 802.2/802.3 encapsulation is 2 bytes, ranging from 0x0000 to 0x05DC, and the Type field in Ethernet II encapsulation is also 2 bytes, ranging from 0x0600 to 0xFFF. A Type or Length field in the range of 0x05DD to 0x05FF is illegal and any packets with a value in that range will be discarded. The Switch will identify whether a packet is Ethernet II or 802.2/802.3 according to the value in the Type or Length field.

802.2/802.3 encapsulation contains the following three extended formats:

802.3 raw encapsulation

Figure 6-9 802.3 raw encapsulation

• Only the Length field is encapsulated after the source MAC address field and destination MAC address field, followed by the DATA field without other header fields.
Currently only the IPX protocol supports the raw encapsulation format. The last two bytes of the Length field in 802.3 raw encapsulation is 0xFFFF.

802.2 LLC (Logic Link Control) encapsulation

Figure 6-10 802.2LLC encapsulation

• The Length field, DSAP (Destination Service Access Point) field, SSAP (Source Service Access Point) field and Control field are encapsulated after the Source MAC Address and Destination MAC Address fields. The value of the Control field will always be 3 in a valid packet. The DSAP and SSAP fields in 802.2 LLC encapsulation are used to identify the upper layer protocol. For example, when both fields are set to 0xE0, it indicates the upper layer protocol is IPX.

802.2 SNAP (Sub-Network Access Protocol) encapsulation

• 802.2 SNAP is encapsulated based on the 802.3 standard. In 802.2 SNAP encapsulation, the values of both the DSAP field and the SSAP field will always be 0xAA in a valid packet and the value of the Control field will be 3. The Switch differentiates 802.2 LLC and SNAP encapsulation formats according to the values of the DSAP and SSAP fields.
• The connected device determines the encapsulation format of its sent packets; devices can send out packets of two encapsulation formats simultaneously. Ethernet II encapsulation is the most common format used. 802.3 and Ethernet II encapsulation formats are supported in IP, ARP and RARP protocols, but not supported in all other protocols. The Switch identifies the protocol of the packet by matching values of the encapsulation format.

The Identification Process of the Switch using Packet Protocols

Figure 6-11 ID Process Switch using Packet Protocols

Implementing a Protocol VLAN

The Switch can match packets using a Protocol Template and transmit packets within the specified VLAN corresponding to the protocol.
The Protocol Template, comprising encapsulation format and protocol type, is the standard used to determine which protocol a packet belongs to. The following table shows the encapsulation formats commonly supported by Network layer protocols; the Protocol Templates are provided for reference. Some Protocol Templates have been preset in the Switch, and you can create a custom Protocol VLAN using the corresponding Protocol Template.

| Protocol | Ethernet II | 802.3 raw | 802.2 LLC | 802.2 SNAP |
|---|---|---|---|---|
| IP (0x0800) | Supported | Not Supported | Not Supported | Supported |
| IPX (0x8137) | Supported | Supported | Supported | Supported |
| AppleTalk (0x809B) | Supported | Not Supported | Not Supported | Supported |

Table 6-2 Protocol types in common use

Protocol VLAN packets are processed in the following manner:

• When receiving an Untagged packet, the Switch attempts to match the packet with the current Protocol VLAN. If the packet is matched, the Switch will add a corresponding Protocol VLAN Tag. If no Protocol VLAN is matched, the Switch will add the Tag of the PVID of the receiving Port. The packet is thus assigned automatically to the corresponding VLAN for transmission.
• When receiving a Tagged packet, the Switch will process it based on the 802.1Q VLAN ID of the packet. If the receiving Port is a member of the VLAN to which the tagged packet belongs, the packet will be forwarded normally. If the receiving Port is not a member of the VLAN to which the tagged packet belongs, the packet will be discarded.
• If a Protocol VLAN is created, please remember to configure it as a member of the corresponding 802.1Q VLAN to ensure the packets are forwarded normally.

6.3.1 Protocol Group Table

On this page, you can create a Protocol VLAN and view the information of the defined Protocol VLANs.

Choose the menu VLAN>>Protocol VLAN>>Protocol Group Table to load the following page.
Figure 6-12 Protocol Group Table

The following entries are displayed on this screen:

Protocol Group Table
Select: Select the desired entry or entries.
Protocol: Displays the Protocol of the Protocol Group.
VLAN ID: Displays the corresponding VLAN ID of the Protocol Group.
Member: Displays the member(s) of the Protocol Group.
Configuration: Click the Edit button to modify the settings of the entry, then click the Modify button to apply your changes.

CAUTION: Protocol VLAN settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

6.3.2 Protocol Group

On this page, you can create a Protocol Group.

Choose the menu VLAN>>Protocol VLAN>>Protocol Group to load the following page.

Figure 6-13 Create Protocol VLAN

The following entries are displayed on this screen:

Protocol Group Config
Protocol: Select the desired Protocol Template.
VLAN ID: Enter the ID number of the Protocol VLAN. This VLAN must be one of the 802.1Q VLANs the Ingress Port belongs to.

Protocol Group Member
Select the desired Port(s) for Protocol VLAN Group.

CAUTION: Protocol Group settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

6.3.3 Protocol Template

The Protocol Template must be created before configuring the corresponding Protocol VLAN. By default the Switch has predefined templates for the IP, ARP, RARP, IPX and AT Protocols. You can add more Protocol Templates via this page.

Choose the menu VLAN>>Protocol VLAN>>Protocol Template to load the following page.
Figure 6-14 Create and View Protocol Template

The following entries are displayed on this screen:

Create Protocol Template
Protocol Name: Descriptive name of the Protocol Template.
Ether Type: Enter the Ethernet Protocol Type in the Protocol Template.
Frame Type: Select a Frame Type for the Protocol Template.

Protocol Template Table
Select: Select the desired entry(ies).
ID: Displays the ID of the Protocol Template.
Protocol Name: Displays the Name of the Protocol Template.
Ether Type: Displays the Ethernet Protocol Type of the Protocol Template.
Frame Type: Displays the Frame Type of the Protocol Template.

CAUTION: Protocol Template settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

NOTE: The Protocol Template bound to VLAN cannot be deleted.

| Step | Operation | Description |
|---|---|---|
| 1 | Set the link type of the member Port. | On the VLAN>>802.1Q VLAN>>Port Config page set the link type for the Port based on its Connected Device. |
| 2 | Create a VLAN. | On the VLAN>>802.1Q VLAN>>VLAN Config page click the Create button to create a VLAN. Enter the VLAN ID, a Description for the VLAN and specify its member Ports. |
| 3 | Create or Select a Protocol Template. | On the VLAN>>Protocol VLAN>>Protocol Template page Create or Select the Protocol Template before configuring the Protocol VLAN. |
| 4 | Create a Protocol VLAN. | On the VLAN>>Protocol VLAN>>Protocol VLAN page select the Protocol Type and enter the VLAN ID to create a Protocol VLAN. |
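The ingress decision that section 6.3 describes, as an added Python example (not code from this guide or from Luxul firmware): it reads the Type/Length field, separates Ethernet II, 802.3 raw, 802.2 LLC and 802.2 SNAP frames, applies the Protocol Templates with PVID fallback, and handles Tagged frames by 802.1Q membership. The template table, VLAN IDs, PVID, Port membership and sample frames are constructed for illustration.

```python
import struct

# Protocol Templates bound to VLANs: (frame type, protocol id) -> VLAN ID.
# Constructed values, modelled on the IP / AppleTalk case in section 6.6.
PROTOCOL_VLANS = {
    ("Ethernet II", 0x0800): 10,   # IP
    ("SNAP", 0x809B): 20,          # AppleTalk
}
PORT_PVID = 1                      # assumed PVID of the receiving Port
PORT_MEMBER_VLANS = {1, 10, 20}    # assumed 802.1Q membership of that Port
TPID_8021Q = 0x8100                # marks an 802.1Q Tagged frame


def classify(frame: bytes):
    """Return (frame_type, protocol_id) for an Untagged frame.

    Returns None when the frame has to be discarded: truncated header, or a
    Type/Length value in the illegal range 0x05DD-0x05FF.
    """
    if len(frame) < 14:
        return None
    type_len = struct.unpack("!H", frame[12:14])[0]
    if type_len >= 0x0600:                  # Type field: Ethernet II
        return ("Ethernet II", type_len)
    if type_len > 0x05DC:                   # neither a Length nor a Type
        return None
    payload = frame[14:]
    if payload[:2] == b"\xff\xff":          # 802.3 raw, used by IPX only
        return ("802.3 raw", 0xFFFF)
    if len(payload) < 3 or payload[2] != 0x03:
        return ("unknown", 0)               # Control must be 3 in a valid LLC header
    dsap, ssap = payload[0], payload[1]
    if dsap == 0xAA and ssap == 0xAA:       # SNAP: 3-byte OUI, then 2-byte type
        if len(payload) < 8:
            return ("unknown", 0)
        return ("SNAP", struct.unpack("!H", payload[6:8])[0])
    return ("LLC", (dsap << 8) | ssap)      # 0xE0E0 when both SAPs say IPX


def ingress_vlan(frame: bytes):
    """Return the VLAN the frame is forwarded in, or None if it is discarded."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        # Tagged frames skip protocol matching; only Port membership counts.
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vid if vid in PORT_MEMBER_VLANS else None
    kind = classify(frame)
    if kind is None:
        return None
    # Matched template -> Protocol VLAN; otherwise the PVID of the Port.
    return PROTOCOL_VLANS.get(kind, PORT_PVID)


DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0019568a4c71")         # Notebook A's MAC from section 6.5


def build_frame(type_len: int, payload: bytes) -> bytes:
    return DST + SRC + struct.pack("!H", type_len) + payload


def build_tagged(vid: int) -> bytes:
    return DST + SRC + struct.pack("!HHH", TPID_8021Q, vid, 0x0800) + bytes(20)


# Constructed sample frames, one per case discussed in section 6.3.
SAMPLES = {
    "ip_ethernet2": build_frame(0x0800, b"\x45" + bytes(19)),
    "appletalk_snap": build_frame(13, b"\xaa\xaa\x03\x08\x00\x07\x80\x9b" + bytes(5)),
    "ipx_raw": build_frame(30, b"\xff\xff" + bytes(28)),
    "ipx_llc": build_frame(33, b"\xe0\xe0\x03" + bytes(30)),
    "illegal_length": build_frame(0x05E0, bytes(46)),
    "tagged_vlan10": build_tagged(10),
    "tagged_vlan30": build_tagged(30),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} -> VLAN {ingress_vlan(raw)}")
```

Both IPX samples land in the PVID here because no IPX template is bound to a VLAN in the constructed table.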
6.4 Application Example for 802.1Q VLAN

Network Requirements

• Switch A is connecting to PC A and Server B;
• Switch B is connecting to PC B and Server A;
• PC A and Server A are in the same VLAN;
• PC B and Server B are in the same VLAN;
• PCs in the two VLANs cannot communicate with each other.

Network Diagram

Figure 6-15 Network Diagram 802.1Q VLAN

Configuration Procedure

Configure Switch A

| Step | Operation | Description |
|---|---|---|
| 1 | Configure the Link Type of the Ports | On VLAN>>802.1Q VLAN>>Port Config page configure the link type of Port 2 as ACCESS, Port 3 as TRUNK and Port 4 as ACCESS. |
| 2 | Create VLAN10 | On VLAN>>802.1Q VLAN>>VLAN Config page create a VLAN with a VLANID of 10 with members being Port 2 and Port 3. |
| 3 | Create VLAN20 | On VLAN>>802.1Q VLAN>>VLAN Config page create a VLAN with a VLANID of 20 with members being Port 3 and Port 4. |

Configure Switch B

| Step | Operation | Description |
|---|---|---|
| 1 | Configure the Link Type of the Ports | On VLAN>>802.1Q VLAN>>Port Config page configure the link type of Port 7 as ACCESS, Port 6 as TRUNK and Port 8 as ACCESS. |
| 2 | Create VLAN10 | On VLAN>>802.1Q VLAN>>VLAN Config page create a VLAN with a VLANID of 10 with members being Port 6 and Port 8. |
| 3 | Create VLAN20 | On VLAN>>802.1Q VLAN>>VLAN Config page create a VLAN with a VLANID of 20 with members being Port 6 and Port 7. |

6.5 Application Example for MAC VLAN

Network Requirements

• Switch A and Switch B are connected to meeting room A and meeting room B respectively, and the two rooms are used by all departments;
• Notebook A and Notebook B are from two different departments;
• The two departments use VLAN10 and VLAN20 respectively.
• The two notebooks can only access the Server of their own departments;
• The MAC address of Notebook A is 00-19-56-8A-4C-71, Notebook B's MAC address is 00-19-56-82-3B-70.

Network Diagram

Figure 6-16 Network Diagram MAC VLAN

Configuration Procedure

Configure Switch A

| Step | Operation | Description |
|---|---|---|
| 1 | Configure the Link Type of the Ports | On VLAN>>802.1Q VLAN>>Port Config page configure the link type of Port 11 as GENERAL and Port 12 as TRUNK. |
| 2 | Create VLAN10 | On VLAN>>802.1Q VLAN>>VLAN Config page create a VLAN with a VLANID of 10 with members being Port 11 and Port 12 and configure the Egress Rule of Port 11 as Untag and Port 12 as Tag. |
| 3 | Create VLAN20 | On VLAN>>802.1Q VLAN>>VLAN Config page create a VLAN with a VLANID of 20 with members being Port 11 and Port 12, and configure the Egress Rule of Port 11 as Untag and Port 12 as Tag. |
| 4 | Configure MAC VLAN 10 | On VLAN>>MAC VLAN page create MAC VLAN10 with a MAC Address of 00-19-56-8A-4C-71. |
| 5 | Configure MAC VLAN 20 | On VLAN>>MAC VLAN page create MAC VLAN20 with a MAC Address of 00-19-56-82-3B-70. |

Configure Switch B

| Step | Operation | Description |
|---|---|---|
| 1 | Configure the Link Type of the Ports | On VLAN>>802.1Q VLAN>>Port Config page configure the link type of Port 11 as GENERAL and Port 12 as TRUNK. |
| 2 | Create VLAN10 | On VLAN>>802.1Q VLAN>>VLAN Config page create a VLAN with a VLANID of 10 with members being Port 11 and Port 12 and configure the Egress Rule of Port 11 as Untag and Port 12 as Tag. |
| 3 | Create VLAN20 | On VLAN>>802.1Q VLAN>>VLAN Config page create a VLAN with a VLANID of 20 with members being Port 11 and Port 12, and configure the Egress Rule of Port 11 as Untag and Port 12 as Tag. |
| 4 | Configure MAC VLAN 10 | On VLAN>>MAC VLAN page create MAC VLAN10 with a MAC Address of 00-19-56-8A-4C-71. |
| 5 | Configure MAC VLAN 20 | On VLAN>>MAC VLAN page create MAC VLAN20 with a MAC Address of 00-19-56-82-3B-70. |

Configure Switch C

| Step | Operation | Description |
|---|---|---|
| 1 | Configure the Link Type of the Ports | On VLAN>>802.1Q VLAN>>Port Config page configure the link type of Port 2 as GENERAL, Port 3 as GENERAL, Port 4 as ACCESS and Port 5 as ACCESS. |
| 2 | Create VLAN10 | On VLAN>>802.1Q VLAN>>VLAN Config page create a VLAN with a VLANID of 10 with members being Port 2, Port 3 and Port 5. |
| 3 | Create VLAN20 | On VLAN>>802.1Q VLAN>>VLAN Config page create a VLAN with a VLANID of 20 with members being Port 2, Port 3 and Port 4. |

6.6 Application Example for Protocol VLAN

Network Requirements

• Department A is connected to the company LAN via Port12 of Switch A;
• Department A has IP host and AppleTalk host;
• IP host, in VLAN10, is served by IP Server while AppleTalk host is served by AppleTalk Server;
• Switch B is connected to IP Server and AppleTalk Server.

Network Diagram

Figure 6-17 Network Diagram Protocol VLAN

Configuration Procedure

Configure Switch A

| Step | Operation | Description |
|---|---|---|
| 1 | Configure the Link Type of the Ports | On VLAN>>802.1Q VLAN>>Port Config page configure the link type of Port 11 as ACCESS, Port 13 as ACCESS, and Port 12 as GENERAL. |
| 2 | Create VLAN10 | On VLAN>>802.1Q VLAN>>VLAN Config page create a VLAN with a VLANID of 10 with members being Port 12 and Port 13 and configure the Egress Rule of Port 12 as Untag. |
| 3 | Create VLAN20 | On VLAN>>802.1Q VLAN>>VLAN Config page create a VLAN with a VLANID of 20 with members being Port 11 and Port 12 and configure the Egress Rule of Port 12 as Untag. |
Configure Switch B

| Step | Operation | Description |
|---|---|---|
| 1 | Configure the Link Type of the Ports | On VLAN>>802.1Q VLAN>>Port Config page configure the link type of Port 4 as ACCESS, Port 5 as ACCESS and Port 3 as GENERAL. |
| 2 | Create VLAN10 | On VLAN>>802.1Q VLAN>>VLAN Config page create a VLAN with a VLANID of 10 with members being Port 3 and Port 4 and configure the Egress Rule of Port 3 as Untag. |
| 3 | Create VLAN20 | On VLAN>>802.1Q VLAN>>VLAN Config page create a VLAN with its VLANID as 20 with members being Port 3 and Port 5 and configure the Egress Rule of Port 3 as Untag. |
| 4 | Create Protocol Template | On VLAN>>Protocol VLAN>>Protocol Template page configure the Protocol Template: the IP Network packets are encapsulated in Ethernet II format and their Ether Type is 0800; the AppleTalk Network packets are encapsulated in SNAP format and their Ether Type is 809B. |
| 5 | Create Protocol VLAN 10 | On VLAN>>Protocol VLAN>>Protocol Group page create protocol VLAN 10 with Protocol as IP and select Port 3. |
| 6 | Create Protocol VLAN 20 | On VLAN>>Protocol VLAN>>Protocol Group page create protocol VLAN 20 with Protocol as AppleTalk and select Port 3. |

6.7 GVRP

GVRP (GARP VLAN Registration Protocol) is an implementation of GARP (Generic Attribute Registration Protocol). GVRP allows the Switch to automatically add or remove VLANs via dynamic VLAN registration information and to propagate the local VLAN registration information to other Switches, without having to individually configure each VLAN on each Switch.

GARP

GARP provides a mechanism by which the Switch members in a LAN can deliver, propagate and register information among group members. An application that complies with GARP is called a GARP Implementation, and GVRP is one Implementation of GARP. When GARP is implemented on a Port of a device, the Port is called a GARP entity. Information is exchanged between GARP entities using three message types.
GARP defines the message types as: Join, Leave and LeaveAll.

• Join Message: When a GARP entity expects other Switches to register a certain attribute(s), it sends out a Join message. When receiving a Join Message from another entity or configuring attributes statically, the device also sends out a Join Message to register changes to the other GARP entities.
• Leave Message: When a GARP entity expects other Switches to un-register certain attributes, it sends out a Leave Message. When receiving a Leave Message from another entity or un-configuring attributes statically, the device also sends out a Leave Message.
• LeaveAll Message: Once a GARP entity starts, it also starts the LeaveAll Timer. If the Timer expires, the GARP entity sends a LeaveAll Message. LeaveAll Messages un-register all attribute information so that the other GARP entities can re-register attribute information.

Through message exchange, all attribute information to be registered can be propagated to all member Switches in the same Switched Network.

The interval of GARP Messaging is controlled by Timers. GARP uses the following Timers:

• Hold Timer: When a GARP entity receives a piece of registration information, it does not send out a Join message immediately. Instead it starts the Hold Timer, puts all registration information it receives before the timer expires into one Join message, and sends out the message after the timer has expired.
• Join Timer: To transmit the Join Messages reliably to other entities, a GARP entity sends each Join Message two times. The Join Timer is used to define the interval between the two sending operations of each Join Message.
• Leave Timer: When a GARP entity expects to un-register attribute information, it sends out a Leave Message.
Any GARP entity receiving this message starts its Leave Timer, and un-registers the attribute information if it does not receive a Join Message before the timer expires.
• LeaveAll Timer: Once a GARP entity starts it also starts the LeaveAll Timer, and sends out a LeaveAll Message after the Timer expires, so the other GARP entities can re-register all the attribute information on this entity. After re-registration the entity restarts the LeaveAll Timer to begin a new cycle.

GVRP

GVRP, as an Implementation of GARP, is used to maintain dynamic VLAN registration information and to propagate the information to other Switches.

Once the GVRP feature is enabled on a Switch, the Switch receives the VLAN registration information from other Switches to dynamically update the local VLAN registration information, including VLAN members, Ports through which the VLAN members can be reached, and so on. The Switch also propagates the local VLAN registration information to other member Switches so that all the Switching devices in the same Switched Network can have the same VLAN information. The VLAN registration information includes not only the static registration information configured locally, but also the dynamic registration information, which is received from other Switches.

On this Switch, only a Port with a TRUNK link type can be set as the GVRP application entity to maintain the VLAN registration information. GVRP has the following three Port registration modes: Normal, Fixed, and Forbidden.

• Normal: In this mode a Port can dynamically register/un-register a VLAN and propagate the dynamic/static VLAN information.
• Fixed: In this mode a Port cannot register/un-register a VLAN dynamically. It only propagates static VLAN information. A Port in Fixed mode only permits the packets of its static VLAN to pass.
• Forbidden: In this mode a Port cannot register/un-register VLANs. It only propagates VLAN 1 information. A Port in Forbidden mode only permits the packets of the default VLAN (VLAN 1) to pass.

Choose the menu VLAN>>GVRP to load the following page.

Figure 6-18 GVRP Config

NOTE: If the GVRP feature is enabled on a member Port of a LAG, please ensure all the member Ports of this LAG are set to the same Status and Registration Mode.

The following entries are displayed on this screen:

Global Config
GVRP: Enable/Disable the GVRP function.

Port Config
Port Select: Click the Select button to quick-select the corresponding entry.
Select: Select the desired Port(s) for configuration.
Port: Displays the Port number.
Status: Enable/Disable the GVRP feature on the Port. The Port type must be set to TRUNK before enabling the GVRP feature.
Registration Mode: Select the Registration Mode for the Port.
• Normal: A Port can dynamically register/un-register a VLAN and propagate the dynamic/static VLAN information.
• Fixed: A Port cannot register/un-register a VLAN dynamically. It only propagates static VLAN information.
• Forbidden: A Port cannot register/un-register VLANs. It only propagates VLAN1 information.
LeaveAll Timer: Once the LeaveAll Timer is set, the Port with GVRP enabled can send a LeaveAll message after the timer expires, so the other GARP entities can re-register all the attribute information on this entity. After re-registration the entity restarts the LeaveAll Timer to begin a new cycle. The LeaveAll Timer ranges from 1000 to 30000 centiseconds (10.00 to 300.00 seconds); the default value is 1000 centiseconds.
Join Timer: To guarantee the transmission of the Join Messages, the GARP Port sends each Join Message two times. The Join Timer is used to define the interval between the two sending operations of each Join Message.
The Join Timer ranges from 20 to 1000 centiseconds (0.20 to 10.00 seconds); the default value is 20 centiseconds.
Leave Timer: Once the Leave Timer is set, the GARP Port receiving a Leave message will start its Leave Timer and un-register the attribute information if it does not receive a Join Message again before the Timer expires. The Leave Timer ranges from 60 to 3000 centiseconds (0.60 to 30.00 seconds); the default is 60 centiseconds.
LAG: Displays the LAG Group to which the Port belongs.

CAUTION: GVRP settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to nonvolatile memory.

NOTE: LeaveAll Timer >= 10 * Leave Timer, Leave Timer >= 2 * Join Timer

Configuration Procedure:

| Step | Operation | Description |
|---|---|---|
| 1 | Set the link type for Port. | On the VLAN>>802.1Q VLAN>>Port Config page set the link type of the Port to be TRUNK. |
| 2 | Enable GVRP function. | On the VLAN>>GVRP page enable GVRP function. |
| 3 | Configure the registration mode and the timers for the Port. | On the VLAN>>GVRP page configure the parameters of the Ports based on the recommended intervals. |

7 SPANNING TREE

STP (Spanning Tree Protocol), IEEE standard 802.1D, is used to control Network loops in the Data Link layer of a local Network. Devices running STP discover loops in the Network and block Ports by exchanging information. A Network loop can be blocked to form a loop-free Network with a standard topology, preventing packets from being duplicated and forwarded endlessly inside the Network.

BPDU (Bridge Protocol Data Unit) is the protocol Data that STP and RSTP use to pass topology information. Enough information is carried in a BPDU to ensure Spanning Tree operation. STP is used to determine the topology of the Network by transferring BPDUs between devices.
To implement Spanning Tree, the Switches in the Network transfer BPDUs between each other to exchange information, and all the Switches supporting STP receive and process the BPDUs. BPDUs carry the information needed for Switches to configure Spanning Tree appropriately.

STP Elements

Bridge ID (Bridge Identifier): A value used to identify the Switch to other STP devices in the Network. The priority and MAC address of the Switch are used to calculate the Bridge ID. The Bridge ID can be configured; the Switch with the lowest Bridge ID has the highest priority.

Root Bridge: Identifies the Switch with the lowest Bridge ID. Configure the Switch with the lowest latency as the Root Bridge to ensure best Network performance and reliability.

Designated Bridge: Identifies the Switch with the lowest path cost to the Root Bridge in each Network segment. BPDUs are forwarded to the Network segment through the Designated Bridge. If more than one Switch has the same path cost, the Switch with the lowest Bridge ID will be chosen as the Designated Bridge.

Root Path Cost: Indicates the sum of the path cost of the root Port and the path cost of all the Switches that packets pass through. The root path cost of the Root Bridge is 0; the path cost of a Designated Bridge will typically be at least 2.

Bridge Priority: The bridge priority can be set to any value in the range 0-32768. The lower the value the higher the priority. A Switch with a higher priority has more chance to be chosen as the Root Bridge.

Root Port: Indicates the Port that has the lowest path cost from this bridge to the Root Bridge and forwards packets to the Root.

Designated Port: Indicates the Port that forwards packets to a downstream Network segment or Switch.

Port Priority: The Port priority can be set to any value in the range 0-255. The lower the value the higher the priority.
The Port with the higher priority has more chance to be chosen as the Root Port.

Path Cost: The parameter used for choosing the link path of the STP Topology. By calculating the path cost, STP chooses the best links and blocks any redundant links to form a loop-free Network with a standard topology.

The following Network diagram shows a map of a typical Spanning Tree Topology. Switch A, B and C are connected together in order. After STP is enabled, Switch A is chosen as Root Bridge and the path from Port 2 to Port 6 is blocked.

• Bridge: Switch A is the Root Bridge in the Network; Switch B is the Designated Bridge of Switch C.
• Port: Port 3 is the Root Port of Switch B and Port 5 is the Root Port of Switch C; Port 1 is the Designated Port of Switch A and Port 4 is the Designated Port of Switch B; Port 6 of Switch C and Port 2 of Switch A are blocked to prevent a Network loop.

Figure 7-1 Basic STP diagram

STP Timers

STP uses three timers to manage when BPDU packets are transmitted: Hello Time, Max. Age and Forward Delay.

Hello Time: Ranges from 1-10 seconds, default is 2 seconds. It specifies the interval to send BPDU packets. It is used to test for Network Loops.

Max. Age: Ranges from 6-40 seconds, default is 20 seconds. It specifies the maximum time the Switch can wait without receiving a BPDU before attempting to reconfigure itself as the Root Bridge.

Forward Delay: Ranges from 4-30 seconds, default is 15 seconds. It specifies the time needed for a Port to change its state after the Network topology is changed via STP.

When changes to the Network occur, caused by Network malfunction or physical changes, the STP structure will adapt to the corresponding change. However, it takes time for the new configuration BPDUs to spread throughout the whole Network, and a temporary loop may occur if a Port changes its state immediately.
Because of this, STP adopts a state change mechanism: the new Root Port and the Designated Port(s) will begin to forward Data after two Forward Delay Timers have expired. This ensures the new configuration BPDUs are spread to the whole Network prior to any temporary loop becoming active.

BPDU Comparison Principle in STP

Assume we have two BPDUs: BPDU X and BPDU Y.

• If the Root Bridge ID of X is smaller than that of Y, X is superior to Y and X will become the Root Bridge.
• If the Root Bridge ID of X equals that of Y, but the Root Path cost of X is smaller than that of Y, X is superior to Y and X will become the Root Bridge.
• If the Root Bridge ID and the Root Path cost of X equal those of Y, but the Bridge ID of X is smaller than that of Y, X is superior to Y and X will become the Root Bridge.
• If the Root Bridge ID, the Root Path cost and Bridge ID of X equal those of Y, but the Port ID of X is smaller than that of Y, X is superior to Y and X will become the Root Bridge.

STP Generation

Starting STP

After initially configuring STP, each Switch considers itself the Root Bridge and generates a configuration BPDU for each Port as a Root Port. The root path cost will be 0, the ID of the Designated Bridge being that of the Switch itself and the Designated Port being itself.

Comparing BPDUs

Each Switch sends out configuration BPDUs and receives configuration BPDUs on one or more of its own Ports from other Switches. The following table shows the comparison operations.

| Step | Operation |
|---|---|
| 1 | If the priority of the BPDU received on the Port is lower than that of the BPDU of the Port itself, the Switch discards the BPDU and does not change the BPDU of the Port. |
| 2 | If the priority of the BPDU is higher than that of the BPDU of the Port itself, the Switch replaces the BPDU of the Port with the BPDU received and compares it with those of other Ports on the Switch to find the Port with the highest priority. |

Table 7-1 Comparing BPDUs

Selecting the Root Bridge

The Root Bridge is selected by comparing BPDUs. The Switch with the lowest Root ID is chosen as the Root Bridge.

Selecting the Root Port and Designated Port

| Step | Operation |
|---|---|
| 1 | For each Switch (except the Switch chosen as the Root Bridge) in a Network, the Port that receives the BPDU with the highest priority is chosen as the Root Port of the Switch. |
| 2 | Using the Root Port BPDU and the Root Path cost, the Switch generates a Designated Port BPDU for each of its Ports. Root ID is replaced with that of the Root Port; Root Path is replaced with the sum of the Root Path cost of the root Port and the path cost between this Port and the Root Port; The ID of the Designated Bridge is replaced with that of the Switch; The ID of the Designated Port is replaced with that of the Port. |
| 3 | The Switch compares the resulting BPDU with the BPDU of the desired Port whose role is yet to be determined. If the resulting BPDU takes precedence over the BPDU of the Port, the Port is chosen as the Designated Port and the BPDU of this Port is replaced with the resulting BPDU. If the BPDU of this Port takes precedence over the resulting BPDU, the BPDU of this Port is not replaced and the Port is Blocked. The Port can now only receive BPDUs and will not process any other traffic. |

Table 7-2 Selecting root Port and designated Port

NOTE: In an STP Network with a stable topology, only the Root Port(s) and Designated Port(s) can forward Data; the other Ports are Blocked. Blocked Ports can only receive BPDUs and will not process any other traffic.
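The comparison principle and the Root Port / Designated Port selection from Tables 7-1 and 7-2, worked through for Switch B and Switch C of a three-switch ring, as an added Python example (not code from this guide or from Luxul firmware). Bridge priorities, MAC addresses, Port priorities and path costs are constructed values; as in IEEE 802.1D, the receiving Port's path cost is added to a received Root Path cost before candidates are compared.

```python
from collections import namedtuple

# Field order mirrors the comparison rules: Root Bridge ID, Root Path cost,
# Bridge ID, Port ID. Plain tuple comparison is then "smaller is superior".
BPDU = namedtuple("BPDU", "root_id root_path_cost bridge_id port_id")

# Constructed Bridge IDs as (priority, MAC); Port IDs are (priority, number).
A = (4096, 0x0000000000AA)
B = (32768, 0x0000000000BB)
C = (32768, 0x0000000000CC)


def superior(x: BPDU, y: BPDU) -> bool:
    """True if BPDU x takes precedence over BPDU y."""
    return tuple(x) < tuple(y)


def select_roles(bridge_id, ports):
    """Decide Port roles for one Switch.

    ports maps port number -> {"cost": path cost of the Port,
                               "priority": Port priority,
                               "rx": best BPDU received on the Port, or None}
    Returns (root_id, root_path_cost, {port number: role}).
    """
    # Candidate Root Ports: Ports that heard of a Root better than ourselves.
    candidates = []
    for number, port in ports.items():
        rx = port["rx"]
        if rx is not None and rx.root_id < bridge_id:
            via = rx._replace(root_path_cost=rx.root_path_cost + port["cost"])
            candidates.append((via, (port["priority"], number)))

    roles = {}
    if candidates:
        best, (_, root_port) = min(candidates)
        root_id, cost = best.root_id, best.root_path_cost
        roles[root_port] = "Root"
    else:
        # Nothing better was heard: this Switch is the Root Bridge.
        root_id, cost, root_port = bridge_id, 0, None

    # Table 7-2, steps 2 and 3: build the Designated Port BPDU for every
    # other Port and compare it with the BPDU stored for that Port.
    for number, port in ports.items():
        if number == root_port:
            continue
        mine = BPDU(root_id, cost, bridge_id, (port["priority"], number))
        rx = port["rx"]
        if rx is None or superior(mine, rx):
            roles[number] = "Designated"
        else:
            roles[number] = "Blocked"
    return root_id, cost, roles


# Switch B: Port 3 faces Switch A, Port 4 faces Switch C (which still
# announces itself as Root in its first BPDU).
SWITCH_B_PORTS = {
    3: {"cost": 4, "priority": 128, "rx": BPDU(A, 0, A, (128, 1))},
    4: {"cost": 4, "priority": 128, "rx": BPDU(C, 0, C, (128, 5))},
}
# Switch C: Port 5 faces Switch B, Port 6 faces Switch A over a slower link.
SWITCH_C_PORTS = {
    5: {"cost": 4, "priority": 128, "rx": BPDU(A, 4, B, (128, 4))},
    6: {"cost": 19, "priority": 128, "rx": BPDU(A, 0, A, (128, 2))},
}

if __name__ == "__main__":
    for name, bridge, ports in (("Switch B", B, SWITCH_B_PORTS),
                                ("Switch C", C, SWITCH_C_PORTS)):
        root, cost, roles = select_roles(bridge, ports)
        print(name, "root path cost", cost, roles)
```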
RSTP (Rapid Spanning Tree Protocol) evolved from the 802.1D STP standard, and enables Ethernet Ports to change their states rapidly. The conditions for Ports in RSTP to change states rapidly are as follows.

• The condition needed for the Root Port to change its Port state rapidly: The previous Root Port of the Switch stops forwarding Data and the Designated Port of the upstream Switch begins to forward Data.
• The condition needed for the Designated Port to change its Port state rapidly: The Designated Port is an edge Port or connected to a point-to-point link. If the Designated Port is an edge Port, it can directly change to a forwarding state. If the Designated Port is connected to a point-to-point link, it can change its forwarding state after receiving a response from the downstream Switch through a handshake.

RSTP Enhancements

Edge Port: Indicates a Port connected directly to a Layer 3 device such as a Router.

P2P Link: Indicates a link between two directly connected Switches.

MSTP (Multiple Spanning Tree Protocol) is compatible with both STP and RSTP and subject to the IEEE 802.1s standard. It not only enables Spanning Tree rapid convergence, but also enables packets of different VLANs to be forwarded along their respective paths to provide redundant links with a better Load-Balancing mechanism.

Features of MSTP:

• MSTP combines VLANs and Spanning Tree together via the VLAN-to-Instance mapping table. It binds several VLANs to an instance to save communication cost and Network resources.
• MSTP divides a Spanning Tree Network into several regions. Each region has several internal Spanning Trees, which are independent of each other.
• MSTP provides a Load-Balancing mechanism for packet transmission in the VLAN.
• MSTP is compatible with both STP and RSTP.
MSTP Elements

MST Region (Multiple Spanning Tree Region): An MST Region comprises Switches with the same region configuration and VLAN-to-Instance mapping relationships.

IST (Internal Spanning Tree): An IST is a Spanning Tree in an MST.

CST (Common Spanning Tree): A CST is the Spanning Tree in a Switched Network that connects all MST Regions in the Network.

CIST (Common and Internal Spanning Tree): A CIST, comprised of an IST and a CST, is the Spanning Tree in a Switched Network that connects all Switches in the Network.

The following figure shows the Network diagram of an MSTP Topology.

Figure 7-2 Basic MSTP diagram

MSTP

MSTP divides a Network into several MST Regions. The CST will encompass all MST Regions in the Network, and multiple Spanning Trees can be generated in each MST region. Each Spanning Tree is called an Instance. Like STP, MSTP uses BPDUs to generate the Spanning Tree topology. The only difference is that the BPDU for MSTP carries the MSTP configuration information.

Port States

In an MSTP, Ports can have one of the following four states:

• Forwarding: The Port can receive/forward Data, receive/send BPDU packets and learn MAC Addresses.
• Learning: In this status the Port can receive/send BPDU packets and learn MAC addresses.
• Blocking: In this status the Port can only receive BPDU packets and will drop all other traffic received.
• Disconnected: In this status the Port is not participating in STP.

Port Roles

In MSTP the following six roles exist:

• Root Port: Indicates the Port that has the lowest path cost from this Bridge to the Root Bridge and forwards packets to the root.
• Designated Port: Indicates the Port that forwards packets to a downstream Network segment or Switch.
• Master Port: Indicates the Port that connects a MST region to the Common Root.
The path from the Master Port to the Common Root is the shortest path between this MST Region and the Common Root.
Alternate Port: The Port can become a backup Port of a Root or Master Port.
Backup Port: The Port that is the backup Port of a Designated Port.
Disabled: The Port is not participating in the STP.

The following diagram shows the different Port roles.

Figure 7-3 Port roles

The Spanning Tree module is used for Spanning Tree configuration, including four submenus: STP Config, Port Config, MSTP Instance and STP Security.

7.1 STP Config

STP Config is used for global configuration of the Spanning Tree implementation and is carried out on the STP Config and STP Summary pages.

7.1.1 STP Config

Before configuring Spanning Tree Protocol you should decide which role each Switch plays in the Spanning Tree instance. One Switch will be the Root Bridge in each Spanning Tree instance. On this page you can globally configure the Spanning Tree function and related parameters.

Choose the menu Spanning Tree>>STP Config>>STP Config to load the following page.

Figure 7-4 STP Config

The following entries are displayed on this screen:

Global Config
STP: Enable/Disable STP function.
Version: Select the desired STP version.
    STP: Spanning Tree Protocol.
    RSTP: Rapid Spanning Tree Protocol.
    MSTP: Multiple Spanning Tree Protocol.

Parameters Config
CIST Priority: Enter a value from 0 to 61440 to specify the priority of the Switch for comparison in the CIST. CIST priority is important in determining which Switch will be the Root Bridge. The Switch with the highest priority will be chosen as the Root Bridge. The lower the value, the higher the priority. The default value is 32768; any value used must be evenly divisible by 4096.
Hello Time: Enter a value from 1-10 seconds to specify the interval to send BPDU packets. BPDUs are used to test the links for Network loops. The default value is 2 seconds.
Max Age: Enter a value from 6-40 seconds to specify the maximum time the Switch can wait without receiving a BPDU before attempting to reconfigure. The default value is 20 seconds. If adjusting the Max Age, the following rules should be applied: 2*(Hello Time + 1) ≤ Max Age, and 2*(Forward Delay - 1) ≥ Max Age.
Forward Delay: Enter a value from 4-30 seconds to specify the time for the Port to transition its state after the Network topology has changed. The default value is 15 seconds.
TxHold Count: Enter a value from 1-20 to set the maximum number of BPDU packets transmitted per Hello Time interval. The default value is 5 pps.
Max Hops: Enter a value from 1-40 to set the maximum number of hops that can occur in a specific region before the BPDU is discarded. The default value is 20 hops.

CAUTION: STP Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

CAUTION: It is not recommended to change the Parameter settings without first consulting a Network Administrator with advanced understanding of Spanning Tree functions.

NOTE: The Forward Delay parameter and the Network size are correlated. Too short a Forward Delay may result in temporary loops. Too long a Forward Delay may cause the Network to be unable to resume normal operations in an acceptable amount of time. Keeping the default value is recommended.

NOTE: The Hello Time parameter enables the Switch to discover link failures that occur in the Network without overutilizing Network resources.
Too long a Hello Time may result in normal links being regarded as invalid when packet drops occur on the links, which in turn can result in Spanning Tree being locked in a constant discovery state. Too short a Hello Time may result in duplicate configuration information being sent, which increases the Network load of the Switches and wastes Network resources. Keeping the default value is recommended.

NOTE: The Max Age parameter allows the Switch to restart the STP discovery process if no BPDUs are received before the Max Age expires. Too short a Max Age may result in the Switches regenerating Spanning Tree Instances frequently and cause Network congestion that can be falsely interpreted as link problems. Too long a Max Age results in the Switches being unable to find the link problems in an acceptable period of time, which in turn handicaps Spanning Tree Instance generation and makes the Network less adaptive. Keeping the default value is recommended.

NOTE: The TxHold parameter specifies the number of BPDUs to send during the Hello Time; the value is specified in Packets per Second. If the TxHold Count is too large, the number of MSTP packets being sent during each Hello Time interval will occupy excessive Network resources. Keeping the default value is recommended.

7.1.2 STP Summary

On this page you can view the active parameters of the Spanning Tree configuration.

Choose the menu Spanning Tree>>STP Config>>STP Summary to load the following page.

Figure 7-5 STP Summary

7.2 Port Config

On this page you can configure the parameters of the Ports for STP, RSTP and MSTP.

Choose the menu Spanning Tree>>Port STP Config to load the following page.
Figure 7-6 Port Config

The following entries are displayed on this screen:

Port Config
Port Select: Click the Select button to quick-select the corresponding Port.
Select: Select the desired Port(s) for STP configuration.
Port: Displays the Port number of the Switch.
Status: Enable/Disable STP function for the desired Port.
Priority: Enter a value from 0-240 that must be divisible by 16. Port priority is an important criterion in determining if the Port connected will be chosen as the Root Port. The lower the value, the higher the priority.
ExtPath: ExtPath Cost is used to choose the path and calculate the path costs of Ports in different MST Regions. It is an important criterion in determining the Root Port. The lower the value, the higher the priority.
IntPath: IntPath Cost is used to choose the path and calculate the path costs of Ports in the same MST Region. It is an important criterion in determining the Root Port. The lower the value, the higher the priority.
Edge Port: Enable/Disable Edge Port. Edge Ports can change states from blocking to forwarding rapidly without waiting for the Forward Delay.
P2P Link: P2P Link status. If the two Ports in the P2P link are Root Ports or Designated Ports, they can change their states to Forwarding rapidly to reduce any unnecessary Forward Delay.
MCheck: Enable to perform MCheck operations on the Port. Unchange means no MCheck operations will take place.
STP Version: Displays the STP version of the Port.
Port Role: Displays the role the Port plays in the STP Instance.
    Root Port: Indicates the Port that has the lowest path cost from this bridge to the Root Bridge and forwards packets to the root.
    Designated Port: Indicates the Port that forwards packets to a downstream Network segment or Switch.
    Master Port: Indicates the Port that connects an MST region to the Common Root.
    The path from the Master Port to the Common Root is the shortest path between this MST region and the Common Root.
    Alternate Port: Indicates the Port that may become a Backup Port of a Root or Master Port.
    Backup Port: Indicates the Port is the Backup Port of a Designated Port.
    Disabled: Indicates the Port is not participating in the STP.
Port Status: Displays the operating status of the Port.
    Forwarding: The Port can receive/forward Data, receive/send BPDU packets and learn MAC addresses.
    Learning: The Port can receive/send BPDU packets and learn MAC addresses.
    Blocking: The Port can only receive BPDU packets and will drop all other traffic.
    Disconnected: The Port is not participating in STP.
LAG: Displays the LAG Group number the Port belongs to.

CAUTION: Port STP Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

NOTE: Configure the Ports connected directly to Layer 3 devices, such as a Router, as edge Ports and enable the BPDU protection function. This will allow these Ports to change to Forwarding States rapidly and secure your Network.

NOTE: All the links of Ports in a LAG should be configured as Point-to-Point links.

CAUTION: When the link of a Port is configured as a Point-to-Point link, the Spanning Tree Instance owning this Port is configured as a Point-to-Point link. If the physical link of a Port is not a Point-to-Point link and you configure the link as a Point-to-Point link, temporary loops may occur, affecting Network performance.

7.3 MSTP Instance

MSTP combines VLANs and Spanning Tree together via the VLAN-to-Instance mapping table (VLAN-to-Spanning Tree mapping). By adding MSTP Instances it binds several VLANs to an instance to enable load balancing based on Instances.
When Switches have the same MST Region Name, MST Region Revision and VLAN-to-Instance mapping table, the Switches are considered to be in the same MST Region.

The MSTP Instance is implemented with the Region Config, Instance Config and Instance Port Config pages.

7.3.1 Region Config

On this page you can configure the name and revision of the MST region.

Choose the menu Spanning Tree>>MSTP Instance>>Region Config to load the following page:

Figure 7-7 Region Config

The following entries are displayed on this screen:

Region Config
Region Name: Create a name for the MST Region using up to 32 characters.
Revision: Enter the Revision from 0-65535 for MST Region identification.

CAUTION: MSTP Instance settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

7.3.2 Instance Config

The Instance property of the MST region is used to describe the VLAN-to-Instance mapping configuration. You can assign VLANs to different instances according to your needs. Every Instance is a VLAN group independent of other Instances and the CIST.

Choose the menu Spanning Tree>>MSTP Instance>>Instance Config to load the following page.

Figure 7-8 Instance Config

The following entries are displayed on this screen:

Instance Table
Instance ID Select: Click the Select button to quick-select the corresponding Instance ID.
Select: Select the desired Instance ID(s) for configuration.
Instance: Displays Instance ID of the Switch.
Status: Enable/Disable the instance.
Priority: Enter the Priority of the Switch in the Instance.
Priority is an important criterion in determining if the Switch will be chosen as the Root Bridge in the specific Instance.
VLAN ID: Enter the VLAN ID(s) which belong to the corresponding Instance ID.
Clear: Click the Clear link to remove all VLAN IDs from the Instance ID. All removed VLAN ID(s) will be automatically mapped to the CIST.

VLAN-Instance Mapping
VLAN ID: Enter the desired VLAN ID(s). The new VLAN ID will be added to the corresponding Instance ID and any previously entered VLAN ID will not be replaced.
Instance ID: Enter the corresponding Instance ID.

CAUTION: Instance Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

NOTE: In a Network with both GVRP and MSTP enabled, GVRP packets are forwarded along the CIST. If you want to broadcast packets of a specific VLAN through GVRP, please be sure to map the VLAN to the CIST when configuring the MSTP VLAN-Instance mapping. For detailed information on GVRP, please refer to the GVRP section of this guide.

7.3.3 Instance Port Config

Ports can play different roles in different Spanning Tree Instances. On this page you can configure the parameters of the Ports in different Instance IDs as well as view status of the Ports in the specified Instance.

Choose the menu Spanning Tree>>MSTP Instance>>Instance Port Config to load the following page.

Figure 7-9 Instance Port Config

The following entries are displayed on this screen:

Port Config
Instance ID: Select the desired instance ID for Port configuration.
Port Select: Click the Select button to quick-select the corresponding Port.
Select: Select the desired Port(s) to specify its priority and path cost.
Port: Displays the Port number.
Priority: Enter the Priority of the Port in the Instance. Port Priority is an important criterion in determining if the Port connected will be chosen as the Root Port.
Path Cost: Path Cost is used to choose the path and calculate the path costs of Ports in an MST region. Path Cost is an important criterion in determining the Root Port. The lower the value, the higher the priority.
Port Role: Displays the role the Port plays in the MSTP Instance.
Port Status: Displays the working Status of the Port.
LAG: Displays the LAG Group number the Port belongs to.

CAUTION: Instance Port Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

NOTE: The Port status of one Port in different Spanning Tree instances can be different.

Global configuration Procedure for MSTP Spanning Tree:

Step | Operation | Description
1 | Decide what roles the Switches will play in your Spanning Tree Instances: Root Bridge or Designated Bridge | Preparation.
2 | Configure the MSTP parameters | Enable Spanning Tree on the Switch and configure the MSTP parameters on Spanning Tree>>STP Config>>STP Config page.
3 | Configure the MSTP parameters for the Ports | Configure MSTP parameters for Ports on Spanning Tree>>Port STP Config>>Port Config page.
4 | Configure the MST region | Create an MST Region and configure the role the Switch plays in the MST Region on Spanning Tree>>MSTP Instance>>Region Config and Spanning Tree>>MSTP Instance>>Instance Config pages.
5 | Configure the MSTP Instance Ports parameters | If you are going to configure different Instances in the MST Region you can configure MSTP parameters for Instance Ports on Spanning Tree>>MSTP Instance>>Instance Port Config page.

7.4 STP Security

STP Security can protect devices from malicious attacks against STP features. The STP Security function can be implemented on the Port Protect and TC Protect pages. Port Protect is used to protect devices from malicious attacks against STP features.

7.4.1 Port Protect

On this page you can configure the Loop Protect, Root Protect, TC Protect, BPDU Protect and BPDU Filter features for each Port. We suggest enabling the corresponding Protection feature for the corresponding Ports.

Loop Protect
In a stable Network topology a Switch maintains the Port states by receiving and processing BPDU packets from the Upstream Switch. However, when link congestion or link failures occur, the Downstream Switch does not receive BPDU packets, which can result in Spanning Tree regeneration and the Roles of Ports changing. This can cause Blocked Ports to change to a Forwarding state, causing loops to occur in the Network.

The Loop Protect function suppresses Loops. With this function enabled, a Port, regardless of the role it plays in any Instance, is always set to Blocking state when the Port does not receive BPDU packets from the Upstream Switch. This allows Spanning Trees to be regenerated, and prevents Loops from occurring.

Root Protect
A CIST and its Secondary Root Bridges should be located in the High-Bandwidth core Region. Poor configuration or malicious attacks may result in configuration BPDU packets with higher Priorities being received by the Root Bridge, which can cause the current Root Bridge to lose its position and Network topology inconsistencies to occur.
In this case traffic that should travel along high-speed links will be forced to low-speed links and Network congestion will occur.

To avoid this, MSTP provides the Root Protect function. Ports with this function enabled can only be set as Designated Ports in any Spanning Tree Instance. When a Port of this type receives BPDU packets with higher priority, it changes its state to Blocking and stops forwarding packets (as if it were disconnected from the link). The Port resumes a normal state if it does not receive any configuration BPDU packets with higher priorities for a period of 2 x the Forward Delay.

TC Protect
The Switch will remove MAC Address entries upon receipt of TC-BPDU packets. If a device or user maliciously sends a large number of TC-BPDU packets, the Switch will be kept busy removing MAC Address entries, which will reduce the performance and stability of the Network.

To prevent the Switch from removing MAC Address entries, you can enable the TC Protect function. With the TC Protect function enabled, if the number of the received TC-BPDUs exceeds the maximum number set, the Switch will not perform the removal operation during the TC protect cycle. This prevents the Switch from frequently removing MAC Address entries.

BPDU Protect
Ports of the Switch directly connected to PCs or Servers are configured as edge Ports to allow rapid changes to their states. When these Ports receive BPDUs, the system automatically configures these Ports as non-edge Ports and regenerates Spanning Tree; this can cause Network topology jitter. Normally these Ports do not receive BPDUs, but if a device or user maliciously attacks the Switch by sending BPDUs, Network topology jitter occurs.

To prevent this type of attack, MSTP provides the BPDU Protect function. With this function enabled, the Switch shuts down the edge Ports that receive BPDUs and reports the issue to the Network Administrator. If a Port is shut down in this way, only an Administrator can restore it.
BPDU Filter
Prevents BPDU floods in the STP Network. If a Switch receives malicious BPDUs, it forwards these BPDUs to the other Switches in the Network, which can result in Spanning Tree continuously regenerating. When this occurs the Switch occupies excessive CPU cycles and the protocol status of BPDUs can be incorrect.

With the BPDU Filter function enabled the Port does not receive or forward BPDUs, but it will send out its own BPDU. This prevents the Switch from being attacked by malicious BPDUs and protects Spanning Tree from malicious regeneration.

Choose the menu Spanning Tree>>STP Security>>Port Protect to load the following page.

Figure 7-10 Port Protect

The following entries are displayed on this screen:

Port Protect
Port Select: Click the Select button to quick-select the corresponding Port.
Select: Select the desired Port(s) for Port protect configuration.
Port: Displays the Port number.
Loop Protect: Prevents loops in the Network caused by recalculating STP brought on by link failures and Network congestion.
Root Protect: Prevents Network topology changes caused by a role change of the current Root Bridge.
TC Protect: Prevents decreases in performance and stability of the Switch brought on by continuous removal of MAC Address entries upon receipt of TC-BPDUs in the STP Network.
BPDU Protect: Prevents the edge Port from being attacked by malicious BPDUs.
BPDU Filter: Prevents malicious BPDU floods in the STP Network.
LAG: Displays the LAG Group number the Port belongs to.

CAUTION: Port Protect settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.
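The Root Protect, TC Protect and BPDU Protect rules above, as a small Python model run over constructed frame traces. This is an added example, not Luxul firmware code: the class and function names are hypothetical, Bridge ID comparison is reduced to the priority value, and TC Protect cycles are assumed to be fixed back-to-back windows. The threshold of 20 and cycle of 5 seconds are the defaults this guide lists for the TC Protect page.

```python
"""Model of the Port Protect behaviours described above. Added example."""
from dataclasses import dataclass


@dataclass
class Port:
    edge: bool = False
    bpdu_protect: bool = False
    root_protect: bool = False
    tc_protect: bool = False
    state: str = "forwarding"
    hold_until: float = 0.0          # Root Protect keeps the port blocked until then


class Switch:
    def __init__(self, ports, root_priority=32768, forward_delay=15,
                 tc_threshold=20, tc_cycle=5):
        self.ports = ports
        self.root_priority = root_priority   # priority of the current Root Bridge
        self.forward_delay = forward_delay
        self.tc_threshold = tc_threshold
        self.tc_cycle = tc_cycle
        self.flushes = 0                     # MAC Address removal operations done
        self.alerts = []                     # reports for the Network Administrator
        self._cycle = None                   # index of the current TC Protect cycle
        self._tc_seen = 0                    # TC-BPDUs counted in that cycle

    def state(self, name, now):
        """Port state at `now`; a Root Protect block ends after 2 x Forward Delay."""
        port = self.ports[name]
        if port.state == "blocking" and now >= port.hold_until:
            port.state = "forwarding"
        return port.state

    def receive(self, now, name, kind, priority=None):
        """Handle one received 'bpdu' (configuration) or 'tc' (TC-BPDU) frame."""
        port = self.ports[name]
        if self.state(name, now) == "shutdown":
            return "ignored"
        if port.edge and port.bpdu_protect:
            # BPDU Protect: shut the edge port down; only an admin restores it.
            port.state = "shutdown"
            self.alerts.append(f"{now:.1f}s {name}: BPDU on edge port, shut down")
            return "shutdown"
        if kind == "bpdu" and port.root_protect and priority < self.root_priority:
            # Root Protect: a better (numerically lower) priority blocks the port.
            port.state = "blocking"
            port.hold_until = now + 2 * self.forward_delay
            self.alerts.append(f"{now:.1f}s {name}: superior BPDU, port blocked")
            return "blocked"
        if kind == "tc":
            return self._topology_change(now, port)
        return "accepted"

    def _topology_change(self, now, port):
        if port.tc_protect:
            cycle = int(now // self.tc_cycle)    # assumption: fixed back-to-back cycles
            if cycle != self._cycle:
                self._cycle, self._tc_seen = cycle, 0
            self._tc_seen += 1
            if self._tc_seen > self.tc_threshold:
                return "flush suppressed"
        self.flushes += 1
        return "flushed"

    def restore(self, name):
        """Administrator action that re-enables a port shut down by BPDU Protect."""
        self.ports[name].state = "forwarding"


def tc_burst_flushes(tc_protect, frames=200, spacing=0.01):
    """Constructed trace: `frames` TC-BPDUs on one port; returns flushes performed."""
    sw = Switch({"p5": Port(tc_protect=tc_protect)})
    for i in range(frames):
        sw.receive(i * spacing, "p5", "tc")
    return sw.flushes


def edge_and_root_trace():
    """Constructed trace: a BPDU on a protected edge port, a superior BPDU on p1."""
    sw = Switch({"p1": Port(root_protect=True),
                 "p7": Port(edge=True, bpdu_protect=True)}, root_priority=4096)
    sw.receive(3.0, "p7", "bpdu", priority=32768)
    sw.receive(10.0, "p1", "bpdu", priority=0)
    return {"p7 at 11s": sw.state("p7", 11.0),
            "p1 at 39s": sw.state("p1", 39.0),
            "p1 at 40s": sw.state("p1", 40.0),
            "alerts": len(sw.alerts)}


if __name__ == "__main__":
    print("flushes without TC Protect:", tc_burst_flushes(False))
    print("flushes with TC Protect:   ", tc_burst_flushes(True))
    print(edge_and_root_trace())
```

The alert list is what a monitoring system would watch: a BPDU Protect shutdown or a Root Protect block on an access-facing Port is worth investigating even when the Network stays up.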
7.4.2 TC Protect

When TC Protect is enabled for the Port on the Port Protect page, the TC threshold and TC protect cycle need to be configured on this page.

Choose the menu Spanning Tree>>STP Security>>TC Protect to load the following page.

Figure 7-11 TC Protect

The following entries are displayed on this screen:

TC Protect
TC Threshold: Enter a number from 1-100. This is the maximum number of the TC-BPDU packets received by the Switch in a TC Protect Cycle. The default value is 20 packets.
TC Protect Cycle: Enter a value from 1-10 seconds to specify the TC Protect Cycle. The default value is 5 seconds.

CAUTION: TC Protect settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

7.5 Application Example for STP Function

Network Requirements
Switch A, B, C, D and E all support the MSTP function.
A is the Central Switch.
Switches B and C are in the Convergence layer.
Switches D, E and F are in the Access layer.
There are 6 VLANs labeled VLAN101-VLAN106 in the Network.
All Switches are running MSTP and belong to the same MST region.
The Data in VLAN101, 103 and 105 are transmitted in the Spanning Tree with B as the Root Bridge.
The Data in VLAN102, 104 and 106 are transmitted in the Spanning Tree with C as the Root Bridge.

Network Diagram

Figure 7-12 Network Diagram STP Function

Configuration Procedure

Configure Switch A:

Step | Operation | Description
1 | Configure Ports | On VLAN>>802.1Q VLAN page, configure the link type of the interconnect Ports as Trunk, and add the Ports to VLAN 101-VLAN 106. Detailed instructions can be found in the section 802.1Q VLAN.
2 | Enable STP function | On Spanning Tree>>STP Config>>STP Config page, enable STP function and select MSTP as your STP version. On Spanning Tree>>Port STP Config>>Port Config page, enable STP on all Ports.
3 | Configure the Region Name and the Revision of the MST Region | On Spanning Tree>>MSTP Instance>>Region Config page, configure the region as LUXUL and keep the default revision setting.
4 | Configure VLAN-to-Instance mapping table of the MST region | On Spanning Tree>>MSTP Instance>>Instance Config page, configure VLAN-to-Instance mapping table. Map VLAN 101, 103 and 105 to Instance 1. Then map VLAN 102, 104 and 106 to Instance 2.

Configure Switch B:

Step | Operation | Description
1 | Configure Ports | On VLAN>>802.1Q VLAN page, configure the link type of the interconnect Ports as Trunk, and add the Ports to VLAN 101-VLAN 106. Detailed instructions can be found in the section 802.1Q VLAN.
2 | Enable STP function | On Spanning Tree>>STP Config>>STP Config page, enable STP function and select MSTP as your STP version. On Spanning Tree>>Port STP Config>>Port Config page, enable STP on all Ports.
3 | Configure the Region Name and the Revision of the MST Region | On Spanning Tree>>MSTP Instance>>Region Config page, configure the region as LUXUL and keep the default revision setting.
4 | Configure VLAN-to-Instance mapping table of the MST region | On Spanning Tree>>MSTP Instance>>Instance Config page, configure VLAN-to-Instance mapping table. Map VLAN 101, 103 and 105 to Instance 1. Then map VLAN 102, 104 and 106 to Instance 2.
5 | Configure Switch B as the Root Bridge of Instance 1 | On Spanning Tree>>MSTP Instance>>Instance Config page, configure the priority of Instance 1 to be 0.
6 | Configure Switch B as the Designated Bridge of Instance 2 | On Spanning Tree>>MSTP Instance>>Instance Config page, configure the priority of Instance 2 to be 4096.
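A pre-deployment check for the plan in this application example, covering the timer rules from the STP Config page, the region identity rule from the MSTP Instance section and the root placement in the Network Requirements. It is an added example, not Luxul code. Assumptions: the function names, the switch MAC addresses, revision 0 as the default revision, Switch C's priorities (4096 for Instance 1 and 0 for Instance 2, mirroring Switch B), and the Instance priority following the same 0-61440, multiple-of-4096 rule the guide gives for CIST Priority.

```python
"""Pre-deployment check of an MSTP plan. Added example with constructed data."""

# Ranges and defaults as listed for the STP Config page.
RANGES = {"hello": (1, 10), "max_age": (6, 40), "forward_delay": (4, 30),
          "tx_hold": (1, 20), "max_hops": (1, 40)}
DEFAULTS = {"hello": 2, "max_age": 20, "forward_delay": 15,
            "tx_hold": 5, "max_hops": 20}
DEFAULT_PRIORITY = 32768


def check_global(cfg):
    """Return the rule violations for one switch's global STP parameters."""
    errs = [f"{k}={cfg[k]} outside {lo}-{hi}"
            for k, (lo, hi) in RANGES.items() if not lo <= cfg[k] <= hi]
    if 2 * (cfg["hello"] + 1) > cfg["max_age"]:
        errs.append("2*(Hello Time + 1) <= Max Age is violated")
    if 2 * (cfg["forward_delay"] - 1) < cfg["max_age"]:
        errs.append("2*(Forward Delay - 1) >= Max Age is violated")
    return errs


def valid_priority(value):
    """0-61440 in steps of 4096 (assumed to apply to Instance priority too)."""
    return 0 <= value <= 61440 and value % 4096 == 0


def region_id(sw):
    """Name, revision and VLAN-to-Instance table: equal on all region members."""
    table = sorted((vid, inst) for inst, vids in sw["instances"].items()
                   for vid in vids)
    return sw["region"], sw["revision"], tuple(table)


def out_of_region(switches, reference="A"):
    """Names of switches whose region identity differs from the reference."""
    ref = region_id(switches[reference])
    return sorted(n for n, sw in switches.items() if region_id(sw) != ref)


def elect_roots(switches):
    """Per Instance, the lowest (priority, MAC address) becomes Root Bridge."""
    instances = sorted({i for sw in switches.values() for i in sw["instances"]})
    return {i: min(switches, key=lambda n: (
                switches[n]["priority"].get(i, DEFAULT_PRIORITY),
                switches[n]["mac"]))
            for i in instances}


def check_plan(switches, intended_roots):
    """Collect every problem that would keep the plan from converging as intended."""
    problems = []
    for name, sw in sorted(switches.items()):
        problems += [f"{name}: {e}" for e in check_global(sw["global"])]
        problems += [f"{name}: Instance {i} priority {p} is not valid"
                     for i, p in sw["priority"].items() if not valid_priority(p)]
    problems += [f"{n}: not in the same MST Region as A"
                 for n in out_of_region(switches)]
    roots = elect_roots(switches)
    problems += [f"Instance {i}: root is {roots[i]}, intended {want}"
                 for i, want in intended_roots.items() if roots[i] != want]
    return problems


def make_switch(mac, priority=None, instances=None, **global_overrides):
    """Constructed sample switch: region LUXUL, revision 0 (assumed default)."""
    return {"mac": mac, "region": "LUXUL", "revision": 0,
            "instances": instances or {1: [101, 103, 105], 2: [102, 104, 106]},
            "priority": priority or {},
            "global": {**DEFAULTS, **global_overrides}}


INTENDED = {1: "B", 2: "C"}           # from the Network Requirements
PLAN = {                              # MAC addresses are constructed
    "A": make_switch("00:00:5e:00:53:0a"),
    "B": make_switch("00:00:5e:00:53:0b", {1: 0, 2: 4096}),
    "C": make_switch("00:00:5e:00:53:0c", {1: 4096, 2: 0}),
    "D": make_switch("00:00:5e:00:53:0d"),
}
# The same plan with three data-entry mistakes of the kind this check catches.
BAD_PLAN = {
    **PLAN,
    "C": make_switch("00:00:5e:00:53:0c", {1: 0, 2: 4096}),   # values swapped
    "D": make_switch("00:00:5e:00:53:0d",
                     instances={1: [101, 103], 2: [102, 104, 105, 106]},
                     forward_delay=8),
}

if __name__ == "__main__":
    print(check_plan(PLAN, INTENDED) or "plan is consistent")
    for line in check_plan(BAD_PLAN, INTENDED):
        print(line)
```

When two Switches carry the same best priority for an Instance, the lower MAC address decides the Root Bridge, so a priority entered against the wrong Instance can move the root without any error being shown.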
Configure Switch C:

Step | Operation | Description
1 | Configure Ports | On VLAN>>802.1Q VLAN page, configure the link type of the interconnect Ports as Trunk, and add the Ports to VLAN 101-VLAN 106. Detailed instructions can be found in the section 802.1Q VLAN.
2 | Enable STP function | On Spanning Tree>>STP Config>>STP Config page, enable STP function and select MSTP as your STP version. On Spanning Tree>>Port STP Config>>Port Config page, enable STP on all Ports.
3 | Configure the Region Name and the Revision of the MST Region | On Spanning Tree>>MSTP Instance>>Region Config page, configure the region as LUXUL and keep the default revision setting.
4 | Configure VLAN-to-Instance mapping table of the MST region | On Spanning Tree>>MSTP Instance>>Instance Config page, configure VLAN-to-Instance mapping table. Map VLAN 101, 103 and 105 to Instance 1. Then map VLAN 102, 104 and 106 to Instance 2.
5 | Configure Switch C as the Designated Bridge of Instance 1 | On Spanning Tree>>MSTP Instance>>Instance Config page, configure the priority of Instance 2 to be 4096.
6 | Configure Switch C as the Root Bridge of Instance 2 | On Spanning Tree>>MSTP Instance>>Instance Config page, configure the priority of Instance 1 to be 0.

Configure Switch D:

Step | Operation | Description
1 | Configure Ports | On VLAN>>802.1Q VLAN page, configure the link type of the interconnect Ports as Trunk, and add the Ports to VLAN 101-VLAN 106. Detailed instructions can be found in the section 802.1Q VLAN.
2 | Enable STP function | On Spanning Tree>>STP Config>>STP Config page, enable STP function and select MSTP as your STP version. On Spanning Tree>>Port STP Config>>Port Config page, enable STP on all Ports.
3 | Configure the region name and the revision of MST region | On Spanning Tree>>MSTP Instance>>Region Config page, configure the region as LUXUL and keep the default revision setting.
4 | Configure VLAN-to-Instance mapping table of the MST region | On Spanning Tree>>MSTP Instance>>Instance Config page, configure VLAN-to-Instance mapping table. Map VLAN 101, 103 and 105 to Instance 1. Then map VLAN 102, 104 and 106 to Instance 2.

The configuration procedure for Switch E and F is the same as that of Switch D.

The Topology Diagram of the two Instances after the Topology has stabilized

For Instance 1 (VLAN 101, 103 and 105), the red paths in the following figure are connected links; the gray paths are the blocked links.

Figure 7-13 Network Diagram Stabilized I

For Instance 2 (VLAN 102, 104 and 106), the blue paths in the following figure are connected links; the gray paths are the blocked links.

Figure 7-14 Network Diagram Stabilized II

Suggested STP Security for this Configuration
Enable TC Protect function for all the Ports of Switches.
Enable Root Protect function for all the Ports of Root Bridges.
Enable Loop Protect function for all non-edge Ports.
Enable BPDU Protect function or BPDU Filter function for the edge Ports which are connected to any client device.

8 MULTICAST

Multicast Overview

Packets are transmitted in one of three modes: Unicast, Broadcast and Multicast.

In Unicast the Source transmits information to a single destination device. When a large number of devices require this information, the Server must send Data with the same content to multiple devices, occupying large amounts of bandwidth.
In Broadcast, the system transmits information to all devices in a Broadcast Domain (Hub, Switch, Access Point, etc.). All devices in the Broadcast Domain receive the Data with no regard to whether or not it is needed.

In Multicast, the Source transmits to multiple devices using a Multicast address, which allows the Client devices to listen for and pick up the Multicast packets without the Server having to target individual client devices.

For a point-to-multipoint presentation, Unicast is suitable for Networks with a small number of client devices, while Multicast is much more efficient in Networks with a high number of client devices. When the number of client devices requiring this information is variable, Unicast is very inefficient. Multicast solves this problem as well. It is extremely efficient at sending Data in the point-to-multipoint format. Multicast can save large amounts of bandwidth and reduce the Network load. In Multicast, the packets are transmitted in the manner shown in Figure 8-1.

Figure 8-1 Information transmission in the Multicast mode

Features of Multicast:
If the number of client devices is variable, Multicast transmission will be the most efficient delivery method. When multiple client devices are receiving the same information from a Multicast group, the Multicast Server sends the Multicast group information to each device once. The client device then handles the Management of the Multicast session to which it belongs. Each user can join and leave the Multicast group at any time.

Multicast Address

Multicast IP Address:
As specified by IANA (Internet Assigned Numbers Authority), Class D IP Addresses are used as destination addresses of Multicast packets. The Multicast IP Addresses range from 224.0.0.0~239.255.255.255. The following table displays the range and description of Multicast IP Addresses.
Multicast IP Address range | Description
224.0.0.0~224.0.0.255 | Reserved Multicast Addresses used for routing protocols and other Network protocols
224.0.1.0~224.0.1.255 | Addresses for Video Conferencing
239.0.0.0~239.255.255.255 | Local Multicast Addresses which are used in the local Network only

Table 8-1 Range of the special Multicast IP

Multicast MAC Address:
When a unicast packet is transmitted in an Ethernet Network, the destination MAC address is the MAC address of the receiving device. When a Multicast packet is transmitted in an Ethernet Network, the destination is not a single device but a group with a variable number of members, so a Multicast MAC Address (a logical MAC address) is used as the destination address.

As stipulated by IANA, the high-order or OID (Organizational Identifier) 24 bits of a Multicast MAC Address will be 01-00-5E while the low-order 23 bits of a Multicast MAC address are the low-order 23 bits of the Multicast IP Address. The mapping relationship is described in Figure 8-2.

Figure 8-2 Mapping relationship between Multicast IP Address and Multicast MAC address

The high-order 4 bits of the IP Multicast address are 1110, identifying the Multicast group. Only 23 bits of the remaining low-order 28 bits are mapped to a Multicast MAC address. In this configuration, 5 bits of the IP Multicast Address are not utilized. As a result, 32 IP Multicast addresses are mapped to the same MAC address.

Multicast MAC Table
The Switch forwards Multicast packets based on the Multicast MAC Table. As the transmission of Multicast packets cannot span VLANs, the first part of the Multicast MAC Table is VLAN ID. Based on which VLAN ID the received Multicast packets have, the Multicast packets are forwarded to the ports that are a member of the corresponding VLAN.
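The IP-to-MAC mapping described above, as an added Python example (not Luxul code): it derives the MAC address for a group, lists the 32 group addresses that share it, and checks a list of planned groups for overlap within a VLAN and with the reserved 224.0.0.0~224.0.0.255 range. The function names and the planned group list are constructed for illustration.

```python
"""Multicast IP to MAC mapping and the address overlap it causes. Added example."""
import ipaddress
from collections import defaultdict

RESERVED = ipaddress.IPv4Network("224.0.0.0/24")   # 224.0.0.0~224.0.0.255


def ip_to_mac(group):
    """01-00-5E prefix followed by the low-order 23 bits of the group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0~239.255.255.255")
    mac = (0x01005E << 24) | (int(addr) & 0x7FFFFF)
    return "-".join(f"{(mac >> shift) & 0xFF:02X}" for shift in range(40, -8, -8))


def aliases(group):
    """The 32 group addresses that differ only in the 5 bits left out of the MAC."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23))
            for hi in range(32)]


def overlaps(planned):
    """Flag planned (vlan, group) pairs whose frames share a destination MAC.

    Also flags a group outside the reserved range whose MAC equals that of a
    reserved 224.0.0.x address.
    """
    by_key = defaultdict(list)
    for vlan, group in planned:
        by_key[(vlan, ip_to_mac(group))].append(group)
    findings = []
    for (vlan, mac), groups in sorted(by_key.items()):
        if len(groups) > 1:
            findings.append(f"VLAN {vlan}: {', '.join(groups)} share {mac}")
    for vlan, group in planned:
        reserved_twin = aliases(group)[0]          # the alias inside 224.0.x.x
        if (ipaddress.IPv4Address(reserved_twin) in RESERVED
                and ipaddress.IPv4Address(group) not in RESERVED):
            findings.append(f"VLAN {vlan}: {group} shares its MAC with {reserved_twin}")
    return findings


# Constructed plan: (VLAN ID, group address)
PLANNED = [(101, "239.1.1.1"), (101, "239.129.1.1"),
           (102, "239.1.1.1"), (103, "239.128.0.5")]

if __name__ == "__main__":
    print(ip_to_mac("239.1.1.1"))
    print(aliases("239.1.1.1"))
    for finding in overlaps(PLANNED):
        print(finding)
```

Groups that share a MAC address in the same VLAN cannot be separated by a table keyed on the destination MAC, so receivers of one group also get the other group's frames.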
The Multicast MAC Table is not mapped to an Egress Port but to a group Port list. When forwarding a Multicast packet, the Switch looks up the Multicast MAC Table based on the destination Multicast Address of the Multicast packet. If the corresponding entry cannot be found in the table, the Switch will broadcast the packet to all of the member ports of the VLAN. If the corresponding entry can be found in the table, it indicates that the destination Address should be a group Port list, so the Switch will duplicate the Multicast Data and deliver it to each Port in the group. The general format of the Multicast MAC Table is described in Figure 8-3 below.

VLAN ID | Multicast IP | Port

Figure 8-3 Multicast MAC Table

IGMP Snooping

In the Network, client devices apply to the nearest Multicast Server to join/leave a Multicast group by sending IGMP (Internet Group Management Protocol) messages. When the up-stream device forwards the Multicast Data, the Switch is responsible for sending it to the client devices. IGMP Snooping is a Multicast control mechanism which can be used on the Switch for dynamic registration of devices in the Multicast group. A Switch running IGMP Snooping manages and controls the Multicast group by listening for and processing the IGMP messages transmitted between the client devices and the Multicast Server; this prevents Multicast groups being broadcasted on the Network.

The Multicast module is used for Multicast Management configuration of the Switch and includes four submenus: IGMP Snooping, Multicast IP, Multicast Filter and Packet Statistics.

8.1 IGMP Snooping

IGMP Snooping Process

A Switch running IGMP Snooping listens to the IGMP messages transmitted between the client device and the Multicast Server, tracking the IGMP messages and the registered Port(s).
When the Switch receives an IGMP report message, the Switch adds the Port to the Multicast MAC Table. When the Switch sees an IGMP leave message from the client device, the router sends a Group-Specific Query message to the Port to check if other connected client devices need the Multicast. If they do, the Switch forwards the report message to the Multicast Server. If they do not, the Multicast Server will receive no response from the hosts and the Switch will remove the Port from the Multicast MAC Table. The Multicast Server regularly sends IGMP Query messages. After receiving the IGMP Query message, the Switch will remove the Port from the Multicast MAC Table if the Switch receives no IGMP report messages from the host within the timeout period.

IGMP Messages

A Switch running IGMP Snooping processes the IGMP messages of different types as follows.

1. IGMP Query Message

Query Messages sent by the Multicast Server fall into two categories: IGMP General Query Message and IGMP Group-Specific-Query Message. The Multicast Server regularly sends IGMP General Query Messages to query if the Multicast group contains any members. When receiving an IGMP Leave Message, the receiving Port of the Multicast Server will send an IGMP Group-Specific-Query Message to the Multicast group, and the Switch will forward the IGMP Group-Specific-Query Message to check if other members in the Multicast group connected to the Port need this Multicast.

When receiving IGMP General Query Messages, the Switch will forward them to all member Ports of the VLAN hosting the Multicast. The receiving Port is then processed: if it is not yet a Multicast Server Port, it will be added to the Multicast Server Port list with its Multicast Server Port time specified. If the receiving Port is already a Multicast Server Port, its Multicast Server Port time will be reset.
When receiving IGMP Group-Specific-Query messages, the Switch will send the Group-Specific-Query Message to the members of the Multicast group being queried.

2. IGMP Report Message

An IGMP Report Message is sent by the client device when it applies to join a Multicast group or when responding to the IGMP Query Messages from the Multicast Server. When receiving an IGMP Report Message, the Switch will send the Report Message to the Multicast Server Port in the specified VLAN and analyze the message to get the Address of the Multicast Group the host applies to join. The receiving Port is then processed: if it is a new member Port, it will be added to the Multicast MAC Table with its member Port time specified. If the receiving Port is already a member Port, its member Port time will be reset.

3. IGMP Leave Message

Client devices running IGMPv1 do not send IGMP Leave Messages when leaving a Multicast group. As a result, the Switch does not receive the Leave information of the client device. However, after leaving the Multicast group the host does not send IGMP Report Messages, so the Switch will remove the Port from the corresponding Multicast MAC Table when its member Port time elapses.

Client devices running IGMPv2 or IGMPv3 send IGMP Leave Messages when leaving a Multicast group to inform the Multicast Server that they are leaving the group. When receiving IGMP Leave Messages, the Switch will forward an IGMP Group-Specific-Query Message to check if other members in the Multicast group of the member Port still need this Multicast and reset the member Port times. When the Leave Time elapses, the Switch will remove the Port from the corresponding Multicast group.
If no other member remains in the group after the Port is removed, the Switch will send IGMP Leave Messages to the Multicast Server and remove the whole Multicast group.

IGMP Snooping Fundamentals

1. Ports

Router Port: Indicates the Switch Port directly connected to the Multicast Server.
Member Port: Indicates a Switch Port connected to a Multicast Group member.

2. Timers

Router Port Time: If the Switch does not receive any IGMP Query Messages from the Router Port within the time specified, it will no longer consider this Port a Router Port. The default value is 300 seconds.
Member Port Time: If the Switch does not receive any IGMP Report Messages from the member Port within the time specified, it will no longer consider this Port a member Port. The default value is 260 seconds.
Leave Time: Indicates the interval between the Switch receiving a leave message from a client device and the Switch removing the client device from the Multicast Group. The default value is 1 second.

The IGMP Snooping function is implemented on the Snooping Config, Port Config, VLAN Config and Multicast VLAN pages.

8.1.1 Snooping Config

To configure IGMP Snooping on the Switch, first configure the IGMP Global configuration and related parameters on the following page.

If the Multicast Address of the received Multicast Data is not in the Multicast MAC Table, the Switch will broadcast the Data in the member VLAN. When the Unknown Multicast Discard feature is enabled, the Switch drops the received Unknown Multicast packets to save bandwidth and enhance the efficiency of the Network.

Choose the menu Multicast>>IGMP Snooping>>Snooping Config to load the following page.

Figure 8-4 Basic Config
The following entries are displayed on this screen:

Global Config
IGMP Snooping: Enable/Disable IGMP Snooping function globally on the Switch.
Unknown Multicast: Select the operation used for processing Unknown Multicast packets, Forward or Discard. The default is Forward. If you are unsure of your needs, we recommend keeping the default option of Forward.

IGMP Snooping Status
Description: Displays IGMP Snooping status.
Member: Displays the members of the corresponding status.

CAUTION: IGMP Snooping Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to nonvolatile memory.

8.1.2 Port Config

On this page you can configure the IGMP feature for the Ports of the Switch.

Choose the menu Multicast>>IGMP Snooping>>Port Config to load the following page.

Figure 8-5 Port Config

The following entries are displayed on this screen:

Port Config
Port Select: Click the Select button to quick-select the corresponding Port.
Select: Select the desired Port(s) for IGMP Snooping feature configuration.
Port: Displays the Port number of the Switch.
IGMP Snooping: Enable/Disable IGMP Snooping for the desired Port.
Fast Leave: Enable/Disable Fast Leave feature for the desired Port. If Fast Leave is enabled for a Port, the Switch will immediately remove this Port from the Multicast group upon receiving IGMP Leave Messages.
LAG: Displays the LAG Group number the Port belongs to.

CAUTION: Port IGMP Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to nonvolatile memory.
NOTE: Fast Leave on the Port is in effect only when the host supports IGMPv2 or IGMPv3.

NOTE: When both the Fast Leave feature and Unknown Multicast Discard feature are enabled, the removal of a client device connected to a Port owning multiple members will result in the other client devices having intermittent access to the Multicast.

8.1.3 VLAN Config

Multicast groups established by IGMP Snooping are based on VLANs. On this page you can configure different IGMP parameters for different VLANs.

Choose the menu Multicast>>IGMP Snooping>>VLAN Config to load the following page.

Figure 8-6 VLAN IGMP Config

The following entries are displayed on this screen:

VLAN Config
VLAN ID: Enter the VLAN ID to enable IGMP Snooping for the desired VLAN.
Router Port Time: Specify the Aging Time of the Router Port (Multicast Server). If the Switch does not receive an IGMP Query Message from the Router Port before the Aging Time elapses, it will no longer consider this Port a Router Port. Default value is 300 seconds.
Member Port Time: Specify the Aging Time of the member Port. If the Switch does not receive an IGMP Report Message from the member Port before the Aging Time elapses, it will no longer consider this Port a Member Port. Default value is 260 seconds.
Leave Time: Specify the interval between the Switch receiving a Leave Message from a client device and the Switch removing the client device from the Multicast Group. Default value is 1 second.
Static Router Port: Select a static Router Port (Multicast Server), used in a Network with stable topology and defined Multicast Servers.

VLAN Table
VLAN ID Select: Click the Select button to quick-select the corresponding VLAN ID.
Select: Select the desired VLAN ID(s) for configuration.
VLAN ID: Displays the VLAN ID.
Router Port Time: Displays the Router Port Time of the VLAN.
Member Port Time: Displays the Member Port Time of the VLAN.
Leave Time: Displays the Leave Time of the VLAN.
Router Port: Displays the Router Port of the VLAN.

CAUTION: VLAN IGMP Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to nonvolatile memory.

NOTE: The settings here will be invalid when Multicast VLAN is enabled.

Configuration procedure:

Step | Operation | Description
1 | Enable IGMP Snooping | Enable IGMP Snooping globally on the Switch and for the Ports on the Multicast>>IGMP Snooping>>Snooping Config and Port Config pages.
2 | Configure the Multicast parameters for VLANs | Configure the Multicast parameters for VLANs on the Multicast>>IGMP Snooping>>VLAN Config page. If a VLAN has no Multicast parameters configured, IGMP Snooping is not enabled in the VLAN and any Multicast Data in the VLAN will be broadcasted.

8.1.4 Multicast VLAN

In the original implementation of Multicast, when users in different VLANs applied to join the same Multicast group, the Multicast Router would duplicate the Multicast Data and deliver each VLAN its own copy of the Data. This utilizes large amounts of bandwidth.

This problem can be solved by configuring a Multicast VLAN. By adding Switch Ports to the Multicast VLAN and enabling IGMP Snooping, you can allow client devices in different VLANs to share the same Multicast VLAN. This preserves bandwidth, since Multicast streams are transmitted only within the Multicast VLAN, and also adds security, as the Multicast VLAN is isolated from the other VLANs on the Switch.
Before configuring a Multicast VLAN, you should first configure a VLAN and add the corresponding Ports to the VLAN on the 802.1Q VLAN page. If the Multicast VLAN is enabled, the Multicast configuration for other VLANs on the VLAN Config page will be deleted and the Multicast streams will be transmitted only within the Multicast VLAN.

Choose the menu Multicast>>IGMP Snooping>>Multicast VLAN Config to load the following page.

Figure 8-7 Multicast VLAN Config

The following entries are displayed on this screen:

Multicast VLAN
Multicast VLAN: Enable/Disable Multicast VLAN feature.
VLAN ID: Enter the VLAN ID of the Multicast VLAN. The VLAN ID must be configured in the 802.1Q VLAN page.
Router Port Time: Specify the Aging Time of the Router Port (Multicast Server). If the Switch does not receive any IGMP Query Messages from the Router Port before the time elapses, it will no longer consider this Port a Router Port. Default value is 300 seconds.
Member Port Time: Specify the Aging Time of the member Port. If the Switch does not receive any IGMP Report Messages from the Member Port, it will no longer consider this Port a Member Port. Default value is 260 seconds.
Leave Time: Specify the interval between the Switch receiving a Leave Message from a host and the Switch removing the host from the Multicast Group. Default value is 1 second.
Router Port: Select the Static Router Port, used in a Network with stable topology.

CAUTION: Multicast VLAN Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to nonvolatile memory.
NOTE: The Router Port (Multicast Server) should be in the Multicast VLAN. If it is not, the member Ports cannot receive Multicast streams.

NOTE: The Multicast VLAN will not take effect unless you first complete the configuration for the corresponding VLAN and Ports on the 802.1Q VLAN page.

NOTE: The Link Type of the possible Member Ports in the Multicast VLAN must be set to GENERAL.

NOTE: Configure the Link Type of the Router Port (Multicast Server) in the Multicast VLAN as TRUNK, or configure the Egress Rule as TAG and the Link Type as GENERAL; otherwise the member Ports in the Multicast VLAN cannot receive Multicast streams.

NOTE: After a Multicast VLAN is created, all IGMP packets will be processed only within the Multicast VLAN.

Configuration procedure:

Step | Operation | Description
1 | Enable IGMP Snooping | Enable IGMP Snooping globally on the Switch and for the Port on the Multicast>>IGMP Snooping>>Snooping Config and Port Config pages.
2 | Create a Multicast VLAN | Create a Multicast VLAN and add all the potential Member Ports and Router Ports to the VLAN on the VLAN>>802.1Q VLAN page. Configure the Link Type of the potential Member Ports as GENERAL. Configure the Link Type of the Router Ports as TRUNK, or configure the Egress Rule as tagged and the Link Type as GENERAL.
3 | Configure parameters for Multicast VLAN | Enable and configure a Multicast VLAN on the Multicast>>IGMP Snooping>>Multicast VLAN page. It is recommended to keep the default time parameters.
4 | Look over the configuration | If it is successfully configured, the VLAN ID of the Multicast VLAN will be displayed in the IGMP Snooping Status table on the Multicast>>IGMP Snooping>>Snooping Config page.
Application Example for Multicast VLAN:

Network Requirements

A Multicast Server sends Multicast streams via the router, and the streams are transmitted to user A and user B through the Switch.

NOTE: Most Multicast Servers can also be connected directly to the Switch. Please check the compatibility with your Multicast Server administrator.

Router: A WAN or LAN Port can be connected to the Multicast Server; its LAN Port is connected to the Switch. The Multicast packets are transmitted in VLAN3.
Switch: Port 3 is connected to the router and the packets are transmitted in VLAN3; Port 4 is connected to user A and the packets are transmitted in VLAN4; Port 5 is connected to user B and the packets are transmitted in VLAN5.
User A: Connected to Port 4 of the Switch.
User B: Connected to Port 5 of the Switch.

Configure a Multicast VLAN so that user A and user B receive Multicast streams through the Multicast VLAN.

Network Diagram

Configuration Procedure

Step | Operation | Description
1 | Create VLANs | Create three VLANs with the VLAN IDs of 3, 4 and 5 respectively. Specify the description of VLAN3 as Multicast VLAN on the VLAN>>802.1Q VLAN page.
2 | Configure Ports | On the VLAN>>802.1Q VLAN pages, configure Port 3 as Link Type GENERAL and its Egress Rule as TAG and add it to VLAN3, VLAN4 and VLAN5. Configure Port 4 as Link Type GENERAL and its Egress Rule as UNTAG and add it to VLAN3 and VLAN4. Configure Port 5 as Link Type GENERAL and its Egress Rule as UNTAG and add it to VLAN3 and VLAN5.
3 | Enable IGMP Snooping function | Enable IGMP Snooping function globally on the Multicast>>IGMP Snooping>>Snooping Config page. Enable IGMP Snooping function for Port 3, Port 4 and Port 5 on the Multicast>>IGMP Snooping>>Port Config page.
4 | Enable Multicast VLAN | Configure the VLAN ID of a Multicast VLAN as 3 and keep the other parameters as default on the Multicast>>IGMP Snooping>>Multicast VLAN page.
5 | Check Multicast VLAN | 3-5 and Multicast VLAN 3 will be displayed in the IGMP Snooping Status table on the Multicast>>IGMP Snooping>>Snooping Config page.

8.2 Multicast IP

In a Network, receivers can join different Multicast groups appropriate to their needs. The Switch forwards Multicast streams based on the Multicast MAC Table. The Multicast IP function is implemented on the Multicast IP Table and Static Multicast IP pages.

8.2.1 Multicast IP Table

On this page you can view the Multicast IP Table on the Switch.

Choose the menu Multicast>>Multicast IP>>Multicast IP Table to load the following page.

Figure 8-8 Multicast IP Table

The following entries are displayed on this screen:

Search Option
Multicast IP: Enter the Multicast IP Address of the desired entry.
VLAN ID: Enter the VLAN ID of the desired entry.
Port: Select the Port number of the desired entry.
Type: Select the type of the desired entry.
All: Displays all Multicast IP entries.
Static: Displays all Static Multicast IP entries.
Dynamic: Displays all Dynamic Multicast IP entries.

Multicast IP Table
Multicast IP: Displays Multicast IP Address.
VLAN ID: Displays the VLAN ID of the Multicast Group.
Forward Port: Displays the forward Port of the Multicast Group.
Type: Displays the type of the Multicast IP.

CAUTION: If the configuration on the VLAN Config page and Multicast VLAN page is changed, the Switch will clear the dynamic Multicast Addresses in the Multicast MAC Table and learn new addresses.
8.2.2 Static Multicast IP

The Static Multicast IP Table is isolated from any Dynamic Multicast group and Multicast Filter, and is not learned by IGMP Snooping. It can enhance the quality and security of information transmission in fixed Multicast Groups.

Choose the menu Multicast>>Multicast IP>>Static Multicast IP to load the following page.

Figure 8-9 Static Multicast IP Table

The following entries are displayed on this screen:

Create Static Multicast
Multicast IP: Enter Static Multicast IP Address.
VLAN ID: Enter the VLAN ID of the Multicast IP.
Forward Port: Enter the Forward Port of the Multicast Group.

Search Option
Search Option: Select the Rule for displaying Multicast IP table to find the desired entries quickly.
All: Displays all static Multicast IP entries.
Multicast IP: Enter the Multicast IP Address the desired entry contains.
VLAN ID: Enter the VLAN ID the desired entry contains.
Port: Enter the Port number the desired entry contains.

Static Multicast IP Table
Select: Select the desired entry(ies) to delete the corresponding static Multicast IP.
Multicast IP: Displays the Multicast IP.
VLAN ID: Displays the VLAN ID of the Multicast Group.
Forward Port: Displays the Forward Port of the Multicast Group.

CAUTION: Static Multicast IP settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to nonvolatile memory.

8.3 Multicast Filter

When IGMP Snooping is enabled, you can specify the Multicast IP-Range the Ports can join to restrict client devices ordering Multicast programs by configuring Multicast Filter Rules. When applying for a Multicast Group, the client device will send an IGMP Report Message.
After receiving the Report Message, the Switch will check the Multicast Filter Rules configured for the receiving Port. If the Port can be added to the Multicast Group, it will be added to the Multicast MAC Table. If the Port cannot be added to the Multicast Group, the Switch will drop the IGMP Report Message and Multicast streams will not be transmitted to this Port. This allows you to control which client devices are able to join a Multicast Group.

8.3.1 Multicast IP-Range

On this page you can configure the desired IP-Ranges to be filtered.

Choose the menu Multicast>>Multicast Filter>>Multicast IP-Range to load the following page.

Figure 8-10 Multicast IP-Range

The following entries are displayed on this screen:

Create IP-Range
IP-Range ID: Enter the IP-Range ID.
Start Multicast IP: Enter starting Multicast IP of the IP-Range.
End Multicast IP: Enter ending Multicast IP of the IP-Range.

IP-Range Table
IP-Range ID Select: Click the Select button to quick-select the corresponding IP-Range ID.
Select: Select the desired entry(ies) to delete or modify the corresponding IP-Range.
IP-Range ID: Displays IP-Range ID.
Start Multicast IP: Displays starting Multicast IP of the IP-Range.
End Multicast IP: Displays ending Multicast IP of the IP-Range.

CAUTION: Multicast IP-Range settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to nonvolatile memory.

8.3.2 Multicast Port Filter

On this page you can configure the Multicast Filter Rules for Ports. The configuration on this page and the configuration on the IP-Range page together implement Multicast Filter functions on the Switch.
Choose the menu Multicast>>Multicast Filter>>Multicast Port Filter to load the following page.

Figure 8-11 Multicast Port Filter

The following entries are displayed on this screen:

Port Filter Config
Port Select: Click the Select button to quick-select the corresponding Port.
Select: Select the desired Port(s) for Multicast Filtering.
Port: Displays the Port number.
Filter: Enable/Disable Multicast Filtering feature on the Port.
Action Mode: Select the action mode to process Multicast packets when the Multicast IP is in the Filtered IP-Range.
Permit: Only the Multicast packets whose Multicast IP is in the IP-Range will be processed.
Deny: Only the Multicast packets whose Multicast IP is not in the IP-Range will be processed.
Bound IP-Range (ID): Enter the IP-Range ID the Port will be bound to.
Max Groups: Specify the Maximum number of Multicast Groups to prevent Ports using up excessive bandwidth.
LAG: Displays the LAG Group number the Port belongs to.

CAUTION: Multicast Port Filter settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to nonvolatile memory.

NOTE: Multicast Port Filter Rules only take effect on VLANs with IGMP Snooping enabled.

NOTE: Multicast Port Filter Rules have no effect on Static Multicast IPs.

NOTE: Up to 5 IP-Ranges can be bound to one Port.

Configuration Procedure:

Step | Operation | Description
1 | Configure IP-Range | Configure an IP-Range to be filtered on the Multicast>>Multicast Filter>>IP-Range page.
2 | Configure Multicast Filter Rules for Ports | Configure Multicast Filter Rules for Ports on the Multicast>>Multicast Filter>>Port Filter page.
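The Report and Leave handling of section 8.1 (Member Port Time, Leave Time, Fast Leave) combined with the Multicast Filter Rules of section 8.3, as an added Python model that is not part of the guide and is not Luxul firmware code. It assumes that Max Groups counts distinct groups per Port and that a Port without a filter entry is unfiltered; Static Multicast IPs are not modelled, and all class, function and scenario names are hypothetical.

```python
# Added illustration: a hypothetical model, not Luxul firmware code.
import ipaddress
from dataclasses import dataclass
from typing import Optional

MCAST = ipaddress.ip_network("224.0.0.0/4")
MEMBER_PORT_TIME = 260   # seconds, default from the guide
LEAVE_TIME = 1           # seconds, default from the guide
MAX_BOUND_RANGES = 5     # "Up to 5 IP-Ranges can be bound to one Port"


@dataclass
class PortFilter:
    action: str                       # Action Mode: "permit" or "deny"
    range_ids: tuple                  # Bound IP-Range IDs
    max_groups: Optional[int] = None  # Max Groups; None = no limit (assumption)


class SnoopingModel:
    def __init__(self, ip_ranges, filters, fast_leave_ports=()):
        self.ranges = {}
        for rid, (start, end) in ip_ranges.items():
            lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
            if lo not in MCAST or hi not in MCAST or lo > hi:
                raise ValueError(f"IP-Range {rid} is not a valid multicast range")
            self.ranges[rid] = (lo, hi)
        for port, flt in filters.items():
            if len(flt.range_ids) > MAX_BOUND_RANGES:
                raise ValueError(f"port {port}: more than 5 IP-Ranges bound")
            if not set(flt.range_ids) <= set(self.ranges):
                raise ValueError(f"port {port}: bound to an undefined IP-Range")
        self.filters = dict(filters)
        self.fast_leave = set(fast_leave_ports)
        self.members = {}   # (vlan, group, port) -> time the entry ages out

    def _expire(self, now):
        self.members = {k: t for k, t in self.members.items() if t > now}

    def _groups_on(self, port):
        return {(v, g) for (v, g, p) in self.members if p == port}

    def report(self, port, vlan, group, now):
        """Process an IGMP Report; return 'accept' or the reason it is dropped."""
        self._expire(now)
        g = ipaddress.ip_address(group)
        if g not in MCAST:
            return "drop: not a multicast group"
        flt = self.filters.get(port)
        if flt is not None:
            in_range = any(self.ranges[r][0] <= g <= self.ranges[r][1]
                           for r in flt.range_ids)
            # Permit processes only groups inside the range, Deny only those outside.
            if in_range != (flt.action == "permit"):
                return "drop: filter rule"
            joined = self._groups_on(port)
            if (flt.max_groups is not None and (vlan, g) not in joined
                    and len(joined) >= flt.max_groups):
                return "drop: max groups"
        self.members[(vlan, g, port)] = now + MEMBER_PORT_TIME   # add or refresh
        return "accept"

    def leave(self, port, vlan, group, now):
        """Process an IGMP Leave (sent by IGMPv2/IGMPv3 hosts)."""
        self._expire(now)
        key = (vlan, ipaddress.ip_address(group), port)
        if key in self.members:
            if port in self.fast_leave:
                del self.members[key]                   # Fast Leave: removed at once
            else:
                self.members[key] = now + LEAVE_TIME    # a Report before then resets it

    def egress_ports(self, vlan, group, now):
        """Member Ports that currently receive the group in this VLAN."""
        self._expire(now)
        g = ipaddress.ip_address(group)
        return sorted(p for (v, gg, p) in self.members if v == vlan and gg == g)


def demo():
    """Constructed scenario: Ports 4-6 in VLAN 3, one IP-Range of allowed streams."""
    sw = SnoopingModel(
        ip_ranges={1: ("239.1.1.0", "239.1.1.255")},
        filters={4: PortFilter("permit", (1,), max_groups=2),
                 5: PortFilter("deny", (1,))},
        fast_leave_ports={6},
    )
    results = [
        sw.report(4, 3, "239.1.1.10", now=0),   # inside the permitted range
        sw.report(4, 3, "239.1.1.11", now=0),   # second group, now at the limit
        sw.report(4, 3, "239.1.1.12", now=0),   # third group exceeds Max Groups
        sw.report(4, 3, "239.2.2.2", now=0),    # outside the permitted range
        sw.report(5, 3, "239.1.1.10", now=0),   # inside the denied range
        sw.report(6, 3, "239.1.1.10", now=0),   # Port 6 has no filter
    ]
    return sw, results
```

On the Fast Leave Port the entry disappears with the first Leave even if another host behind that Port still wants the stream, which is the intermittent-access case the Port Config NOTE warns about.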
8.4 Packet Statistics

On this page you can view the Multicast Data traffic on each Port of the Switch. This helps you to monitor the number of IGMP Messages in the Network.

Choose the menu Multicast>>Packet Statistics to load the following page.

Figure 8-12 Packet Statistics

The following entries are displayed on this screen:

Auto Refresh
Auto Refresh: Enable/Disable auto refresh feature.
Refresh Period: Enter a time from 3 to 300 in seconds to specify the auto refresh period. (Please note: a short refresh interval can make the page difficult to use.)

IGMP Statistics
Port Select: Click the Select button to quick-select the corresponding Port.
Port: Displays the Port number of the Switch.
Query Packet: Displays the number of Query packets the Port received.
Report Packet (V1): Displays the number of IGMPv1 Report packets the Port received.
Report Packet (V2): Displays the number of IGMPv2 Report packets the Port received.
Report Packet (V3): Displays the number of IGMPv3 Report packets the Port received.
Leave Packet: Displays the number of Leave packets the Port received.
Error Packet: Displays the number of Error packets the Port received.

CAUTION: Packet Statistics settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to nonvolatile memory.

9 QOS

QoS (Quality of Service) provides different levels of service for various Network applications and requirements. It helps optimize the bandwidth distribution to provide Network service of the best quality.
QoS

This Switch Classifies the Ingress packets, then Maps the packets to different Priority Queues and forwards the packets according to specified Scheduling Algorithms.

Figure 9-1 QoS function

Traffic Classification: Identifies packets conforming to certain characteristics.
Map: The user can Map the Ingress packets to different priority queues based on the priority modes. This Switch implements three priority modes based on Port, 802.1P and DSCP.
Queue Scheduling Algorithm: When the Network is congested, packets compete for resources; this is solved using Queue Scheduling. The Switch supports four Priority Schedule Modes: SP (Strict Priority), WRR (Weighted Round Robin), SP+WRR (Strict Priority+Weighted Round Robin) and Equ (Equal).

Priority Mode

This Switch implements three Priority Modes based on Port, 802.1P and DSCP. By default, the priority mode based on Port is enabled.

Port Priority

Port Priority is a property of the Port. After Port Priority is configured, the Data stream will be mapped to the Egress Queues according to the CoS (Class of Service) of the Port and the Mapping relationship between CoS and Queues.

802.1P Priority

Figure 9-2 802.1Q frame

As shown in the figure above, each 802.1Q Tag has a PRI field comprising 3 bits. The 3-bit priority field is the 802.1P Priority, with a range of 0-7. 802.1P Priority determines the priority of the packets based on the PRI value. In the Switch, you can configure different priority tags mapping to the corresponding priority levels. The Switch determines which packets are sent with what Priority when forwarding packets. The Switch processes untagged packets and Maps them to the default priority mode.

DSCP Priority

Figure 9-3 IP Datagram

As shown in the figure above, the ToS (Type of Service) in an IP header contains 8 bits.
The first three bits indicate IP Precedence with a range of 0-7. RFC2474 re-defines the ToS field in the IP packet header, which is called the DS field. The first six bits (bit 0-5) of the DS field indicate DSCP precedence with a range of 0-63. The last 2 bits (bit 6 and bit 7) are reserved. In the Switch, you can configure different DS Field Mappings to corresponding priority levels. Non-IP Datagrams with 802.1Q tags are mapped to different priority levels based on the 802.1P Priority mode. Any untagged Non-IP Datagrams are Mapped based on the Port Priority mode.

Priority Schedule Mode

When the Network is congested, packets compete for resources. This is solved using Queue Scheduling. The Switch implements four Scheduling Queues: TC0, TC1, TC2 and TC3. TC0 has the lowest priority while TC3 has the highest priority. The Switch provides four Priority Schedule Modes: SP (Strict Priority), WRR (Weighted Round Robin), SP+WRR (Strict Priority+Weighted Round Robin) and Equ (Equal).

SP-Mode (Strict-Priority Mode): In this mode, the Queue with the highest priority will occupy all available bandwidth. Packets in a Queue with Lower Priority are sent only when the Queue with Higher Priority is empty. The Switch has four Egress Queues: TC0, TC1, TC2 and TC3. In SP mode their Priorities increase in order, and TC3 has the Highest Priority. A disadvantage of SP-Mode is that if there are packets in the queues with Higher Priority for long periods of time during congestion, the packets in the queues with Lower Priority will expire because they are not forwarded. This requires the Low Priority packets to be resent, further congesting the Network.

Figure 9-4 SP-Mode
WRR-Mode (Weighted Round Robin Mode): In this mode, packets in all Queues are sent in order, based on the Weight Value for each Queue, so every Queue can be assured of a certain level of service. The Weight Value indicates the occupied proportion of the resource. WRR-Mode overcomes the main disadvantage of SP-Mode. In WRR-Mode the Queues are Scheduled in order. The service time for each queue is not fixed: if a Queue is empty, the next Queue will be Scheduled. This allows full use to be made of the Bandwidth resources. The default Weight Value ratio of TC0, TC1, TC2 and TC3 is 1:2:4:8.

Figure 9-5 WRR-Mode

SP+WRR-Mode (Strict-Priority+Weighted Round Robin Mode): In this mode, the Switch provides two Scheduling Groups: the SP Group and the WRR Group. Queues in the SP Group are Scheduled based on Strict-Priority Mode, while the Queues inside the WRR Group follow WRR Scheduling. In SP+WRR mode, TC3 is in the SP Group and TC0, TC1 and TC2 belong to the WRR Group. The Weight Value ratio of TC0, TC1 and TC2 is 1:2:4. When Scheduling Queues in this Mode, the Switch allows TC3 to occupy all available bandwidth following the SP-Mode scheduling and then allows TC0, TC1 and TC2 to use the WRR-Mode schedule according to the ratio 1:2:4 respectively.

Equ-Mode (Equal-Mode): In this mode, all the Queues occupy the bandwidth equally. The weight value ratio of all the queues is 1:1:1:1.

The QoS module is used for Traffic Control and Priority Configuration, including three submenus: DiffServ, Bandwidth Control and Voice VLAN.

9.1 DiffServ

This Switch Classifies Ingress packets, Maps the packets to the corresponding Priority Queues and then Forwards the packets according to specified Scheduling Algorithms.
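The four Priority Schedule Modes described above, as an added Python simulation that is not code from the guide; it shows how a sustained TC3 backlog starves the lower queues in SP-Mode while WRR-Mode still serves them. It assumes a fixed backlog per queue, one packet per transmit slot, and that a WRR round serves queues from TC3 down to TC0; these are illustration choices, not documented Switch behaviour.

```python
# Added illustration: queue indices follow the guide (TC0 lowest, TC3 highest).
# Each mode is (strict-priority queues, highest first; WRR queues with weights).
MODES = {
    "SP":     ([3, 2, 1, 0], []),
    "WRR":    ([], [(3, 8), (2, 4), (1, 2), (0, 1)]),   # TC0:TC1:TC2:TC3 = 1:2:4:8
    "SP+WRR": ([3], [(2, 4), (1, 2), (0, 1)]),          # TC3 strict, rest 1:2:4
    "Equ":    ([], [(3, 1), (2, 1), (1, 1), (0, 1)]),   # 1:1:1:1
}


def schedule(mode, backlog, slots):
    """Send up to `slots` packets from backlog [TC0..TC3]; return packets sent per queue."""
    strict, weighted = MODES[mode]
    queues = list(backlog)
    sent = [0, 0, 0, 0]
    while slots > 0 and any(queues):
        # Strict-priority group: the highest non-empty queue always goes first.
        tc = next((q for q in strict if queues[q]), None)
        if tc is not None:
            queues[tc] -= 1
            sent[tc] += 1
            slots -= 1
            continue
        # WRR group: one round, each queue sends up to its weight. An empty
        # queue sends nothing, so the next queue is scheduled immediately.
        for tc, weight in weighted:
            burst = min(weight, queues[tc], slots)
            queues[tc] -= burst
            sent[tc] += burst
            slots -= burst
    return sent


def starved(mode, backlog, slots):
    """Queues that had packets waiting but sent none within the given slots."""
    sent = schedule(mode, backlog, slots)
    return [tc for tc in range(4) if backlog[tc] > 0 and sent[tc] == 0]


if __name__ == "__main__":
    congested = [10, 10, 10, 1000]   # constructed backlog: TC3 is saturated
    for mode in MODES:
        print(mode, schedule(mode, congested, 500), "starved:", starved(mode, congested, 500))
```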
This Switch implements three Priority Modes based on: Port, 802.1P and DSCP, and supports four Queue Scheduling Algorithms. The Port priorities are labeled as CoS0-CoS7.

The DiffServ function can be implemented on CoS Port Priority, DSCP Priority, CoS/TC Queue Mapping and Priority Schedule Mode pages.

9.1.1 CoS Port Priority

On this page you can configure the Port priority.

Choose the menu QoS>>DiffServ>>Port Priority to load the following page.

Figure 9-6 CoS Port Priority

The following entries are displayed on this screen:

Port Priority Config
Select: Select the desired Port(s) to configure the priority.
Port: Displays the Port number of the Switch.
Priority: Specifies the priority of the Port.
LAG: Displays the LAG Group to which the Port belongs.

CAUTION: CoS Port Priority settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

CONFIGURATION PROCEDURE:

Step | Operation | Description
1 | Select the Port priority | On QoS>>DiffServ>>Port Priority page configure the Port priority.
2 | Configure the mapping relation between the 802.1P priority and TC | On QoS>>DiffServ>>CoS/TC Queue Mapping page configure the mapping relationship between the 802.1P Priority and TC Priority.
3 | Select a Priority Schedule Mode | On QoS>>DiffServ>>Schedule Mode page select a Priority Schedule Mode.

9.1.2 DSCP Priority

On this page you can configure DSCP Priority. DSCP (DiffServ Code Point) is a new definition to the IP ToS field. This field is used to divide IP Datagrams into 64 Priorities. When DSCP Priority is enabled, IP Datagrams are mapped to different Priority Levels based on the DSCP Priority. Non-IP Datagrams with 802.1Q tags are mapped to different Priority Levels based on 802.1P Priority Mode.
Untagged Non-IP Datagrams are mapped based on Port Priority Mode.

Choose the menu QoS>>DiffServ>>DSCP Priority to load the following page.

Figure 9-7 DSCP Priority

The following entries are displayed on this screen:

DSCP Priority
DSCP Priority: Enable/Disable DSCP Priority.

Priority Level
DSCP: Indicates the priority determined by the DS Field of the IP Datagram. It ranges from 0-63.
Priority: Indicates the 802.1P priority the packets with a DSCP tag are mapped to. The priorities are labeled as CoS0-CoS7.

CAUTION: DSCP Priority settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

CONFIGURATION PROCEDURE:

Step | Operation | Description
1 | Configure the mapping relationship between DSCP Priority and 802.1P Priority | On QoS>>DiffServ>>DSCP Priority page Enable DSCP Priority and configure the mapping relationship between the DSCP Priority and 802.1P Priority. (All values have a default mapping that can be changed if needed.)
2 | Configure the mapping relationship between the 802.1P Priority and TC | On QoS>>DiffServ>>CoS/TC Queue Mapping page configure the mapping relationship between the 802.1P Priority and TC. (All values have a default mapping that can be changed if needed.)
3 | Select a Priority Schedule Mode | On QoS>>DiffServ>>Schedule Mode page select a Priority Schedule Mode.

9.1.3 802.1P/CoS mapping

On this page you can configure the mapping relationship between the 802.1P Priority Tag-ID/CoS-ID and the TC-ID. 802.1P gives the PRI field in 802.1Q Tags a recommended definition ranging from 0-7. This Tag is used to divide packet streams into 8 priorities.
802.1P Priority is enabled by default, so any packets with an 802.1Q Tag are mapped to different priority levels based on 802.1P Priority Mode. Any Untagged packets are mapped based on Port Priority Mode. Any packets with the same value in the 802.1P Priority Tag or Port CoS value will be mapped to the same TC-ID.

Choose the menu QoS>>DiffServ>>CoS/TC Queue Mapping to load the following page.

Figure 9-8 CoS/TC Queue Mapping

The following entries are displayed on this screen:

CoS/TC Queue Mapping
Tag-ID/CoS-ID: Indicates the precedence level defined by IEEE 802.1P and the CoS ID.
Queue TC-ID: Indicates the priority level of the Egress Queue the packets with a Tag or CoS-ID are mapped to. The priority levels of the Egress Queue are labeled TC0, TC1, TC2 and TC3.

CAUTION: CoS/TC Queue Mapping settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

Configuration Procedure:

Step | Operation | Description
1 | Configure the mapping relationship between the 802.1P Priority Tag/CoS-ID and the TC-ID | On QoS>>DiffServ>>CoS/TC Queue Mapping page, configure the mapping relationship between the 802.1P priority Tag/CoS-ID and the TC-ID.
2 | Select a Priority Schedule Mode | On QoS>>DiffServ>>Priority Schedule Mode page select a Priority Schedule Mode.

9.1.4 Priority Schedule Mode

On this page you can select a Priority Schedule Mode for the Switch. When the Network is congested, many packets compete for resources, a problem that is usually solved by way of queue scheduling. The Switch will control the forwarding sequence of the packets according to the priority queues and scheduling algorithms you set.
On this Switch, the priority levels of the Egress queue are labeled as TC0, TC1… TC3.

Choose the menu QoS>>DiffServ>>Priority Schedule Mode to load the following page.

Figure 9-9 Priority Schedule Mode

The following entries are displayed on this screen:

Priority Schedule Mode Config
SP-Mode: In this mode, the Queue with higher priority will occupy all available bandwidth. Packets in the Queue with lower priority are sent only when the Queue with higher priority is empty.
WRR-Mode: In this mode, packets in all Queues are sent in order based on the Weight value for each Queue. The weight value ratio of TC0, TC1, TC2 and TC3 is 1:2:4:8.
SP+WRR-Mode: In this mode, this Switch provides two scheduling Groups, the SP Group and WRR Group. Queues in the SP Group are scheduled strictly based on the Strict-Priority Mode while the queues in the WRR Group follow the WRR Mode scheduling. In SP+WRR Mode TC3 is in the SP Group; TC0, TC1 and TC2 belong to the WRR Group with the Weight Value ratio of TC0, TC1 and TC2 being 1:2:4 respectively. When scheduling Queues, the Switch allows TC3 to occupy all available bandwidth following the SP Mode and then TC0, TC1 and TC2 in the WRR Group will take up the remaining bandwidth according to their scheduling ratio 1:2:4.
Equ-Mode: In this Scheduling Mode, all the Queues occupy the bandwidth equally. The weight value ratio of all the queues is 1:1:1:1.

CAUTION: Port Priority Mapping settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

9.2 Bandwidth Control

Bandwidth Control allows you to control the traffic rate and broadcast flow on each Port to ensure there is no abuse of Network bandwidth resources.
Bandwidth Control is implemented on the Rate Limit and Storm Control pages.

9.2.1 Rate Limit

Rate Limit is used to control the Ingress/Egress traffic rate on each Port by configuring the available bandwidth of each Port. In this way the Network bandwidth can be reasonably distributed and utilized.

Choose the menu QoS>>Bandwidth Control>>Rate Limit to load the following page.

Figure 9-10 Rate Limit

The following entries are displayed on this screen:

Rate Limit Config
Port Select: Click the Select button to quick-select the corresponding Port.
Select: Select the desired Port(s) for Rate configuration.
Port: Displays the Port number of the Switch.
Download Rate (Kbps): Configure the allowed Bandwidth for receiving packets on the Port. You can select a Rate from the dropdown list or select “Manual” to set the Download Rate. The system will automatically select the integer multiple of 64Kbps that is closest to the rate you entered.
Upload Rate (Kbps): Configure the allowed Bandwidth for sending packets on the Port. You can select a Rate from the dropdown list or select “Manual” to set the Upload Rate. The system will automatically select the integer multiple of 64Kbps that is closest to the rate you entered.
LAG: Displays the LAG Group number the Port belongs to.

CAUTION: Rate Limit settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

NOTE: If you enable the Download Rate Limit feature on a Storm Control-enabled Port, Storm Control will be disabled for this Port.
NOTE: When selecting “Manual” to set Download/Upload Rate, the system will automatically select a multiple of 64Kbps that is closest to the rate you entered. For example, if you enter 1023Kbps for the Upload Rate, the system will automatically select 1024Kbps as the Upload Rate.

NOTE: When the Upload Rate Limit feature is enabled for one or more Ports, we suggest you Disable Flow Control on each Port to ensure Network integrity.

9.2.2 Storm Control

Storm Control allows the Switch to filter Broadcast, Multicast and Unknown Unicast packets in the Network. If the transmission rate of these three kinds of packets exceeds the set Bandwidth Limits, the packets will be automatically discarded to avoid a Network broadcast storm.

Choose the menu QoS>>Bandwidth Control>>Storm Control to load the following page.

Figure 9-11 Storm Control

The following entries are displayed on this screen:

Storm Control Config
Port Select: Click the Select button to quick-select the corresponding Port.
Select: Select the desired Port(s) for Storm Control configuration.
Port: Displays the Port number of the Switch.
Broadcast Rate (bps): Select the Bandwidth Limit for received Broadcast packets on the Port. Any Broadcast packet traffic exceeding the bandwidth will be discarded. Select Disable to disable the storm control function for the Port.
Multicast Rate (bps): Select the Bandwidth Limit for received Multicast packets on the Port. Any Multicast packet traffic exceeding the bandwidth will be discarded. Select Disable to disable the storm control function for the Port.
UL-Frame Rate (bps): Select the Bandwidth Limit for received Unknown Unicast packets on the Port.
Any Unknown Unicast packet traffic exceeding the bandwidth will be discarded. Select Disable to disable the storm control function for the Port.
LAG: Displays the LAG Group number to which the Port belongs.

CAUTION: Storm Control settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

NOTE: If you enable the storm control feature for an Ingress rate limit-enabled Port, the Ingress rate limit feature will be disabled for this Port.

9.3 Voice VLAN

Voice VLANs are configured specifically for Voice Data. By configuring Voice VLANs and adding the Ports with Voice devices attached, you can perform QoS-related filtering for Voice Data, ensuring the priority of the Voice Data Stream and Voice quality.

OUI (Organizationally Unique Identifier)

The Switch can determine whether a received packet is a Voice packet by checking its Source MAC Address. If the Source MAC Address of a packet complies with an OUI configured in the system, the packet is identified as a Voice packet and transmitted in the Voice VLAN.

An OUI is a unique identifier assigned by IEEE (Institute of Electrical and Electronics Engineers) to a device vendor. It comprises the first 24 bits of a MAC Address. You can identify which vendor a device belongs to using the OUI. The following table shows the OUIs of several manufacturers. The following OUIs are preset in the Switch by default.

Number | OUI | Vendor
1 | 00-01-E3-00-00-00 | Siemens phone
2 | 00-03-6B-00-00-00 | Cisco phone
3 | 00-04-0D-00-00-00 | Avaya phone
4 | 00-60-B9-00-00-00 | Philips/NEC phone
5 | 00-D0-1E-00-00-00 | Pingtel phone
6 | 00-E0-75-00-00-00 | Polycom phone
7 | 00-E0-BB-00-00-00 | 3com phone

Table 9-1 OUIs on the Switch

Voice VLAN Mode

A Voice VLAN can operate in two Modes: Automatic Mode and Manual Mode.
Automatic Mode: The Switch will automatically add any Port that receives Voice packets to the Voice VLAN and determine the priority of the packets by learning the Source MAC of the Untagged packets sent from the IP phone when it is powered on. The Aging Time of the Voice VLAN can be configured. If the Switch does not receive any Voice packets on the Ingress Port within the Aging Time, the Switch will remove the Port from the Voice VLAN.

Manual Mode: You must manually add the Port connected to an IP Phone to the Voice VLAN. After adding the Port, the Switch will assign ACL Rules and configure the priority of the packets by learning the Source MAC Address of packets and matching it to an OUI.

The Voice VLAN mode is configured according to the type of packets sent by the Voice device and the link type of the connected Port.

Securing Voice VLAN Ports

When a Voice VLAN is enabled on a Port, you can configure its Forwarding Mode to filter the Data Stream. If Forwarding Mode is enabled, the Port will only forward Voice packets and will discard other packets whose Source MAC Addresses do not match any configured OUIs. If Forwarding Mode is disabled, the Port forwards all packets received regardless of OUI.

NOTE: We do not recommend transmitting Voice streams with other data packets in the Voice VLAN.

The Voice VLAN function can be implemented on VoIP VLAN Config, VoIP VLAN Port Config and VoIP OUI Config pages.

9.3.1 VoIP VLAN Config

On this page you can configure the global parameters of the Voice VLAN, including: VLAN ID, Aging Time and the Transmission Priority of the Voice packets.

Choose the menu QoS>>Voice VLAN>>Global Config to load the following page.

Figure 9-12 VoIP VLAN Config

The following entries are displayed on this screen:

Global Config
Voice VLAN: Enable/Disable Voice VLAN function.
VLAN ID: Enter the VLAN ID of the Voice VLAN.
Aging Time: Specifies the timeout of the member Port in Auto Mode after the OUI ages out.
Priority: Select the priority of the Port when sending Voice Data.

CAUTION: VoIP VLAN Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

NOTE: Before the Voice VLAN function is enabled the parameters of the Ports in the Voice VLAN should be configured.

9.3.2 VoIP VLAN Port Config

Before the Voice VLAN function is enabled the parameters of the Ports in the Voice VLAN should be configured on the following page.

Choose the menu QoS>>Voice VLAN>>Port Config to load the following page.

Figure 9-13 VoIP VLAN Port Config

The following entries are displayed on this screen:

Port Config
Port Select: Click the Select button to quick-select the corresponding Port.
Select: Select the desired Port(s) for Voice VLAN configuration.
Port: Displays the Port number of the Switch.
Port Mode: Select the mode for the Port to use joining the Voice VLAN.
    Auto: The Switch automatically adds or removes the Port from the Voice VLAN.
    Manual: You must manually add or remove a Port from the Voice VLAN.
Security Mode: The Security Mode for forwarding packets.
    Disable: All packets are forwarded.
    Enable: Only Voice Data packets are forwarded.
VLAN Membership: Displays the status of the Port in the current Voice VLAN.
LAG: Displays the LAG Group to which the Port belongs.

CAUTION: VoIP VLAN Port Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.
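The OUI check and the Security Mode setting described above amount to a mask-and-compare on the source MAC address. The following Python sketch is an added example, not the Switch's own code; the function names, the action labels and the sample non-phone MAC address are constructed for illustration, while the OUI values and the standard mask FF-FF-FF-00-00-00 are the ones given in this guide.

```python
"""Voice VLAN OUI matching and Security Mode decision (added example)."""
import string

STANDARD_MASK = "FF-FF-FF-00-00-00"      # standard OUI mask named in the guide

# Preset OUIs from Table 9-1: (OUI, mask, description)
DEFAULT_OUI_TABLE = [
    ("00-01-E3-00-00-00", STANDARD_MASK, "Siemens phone"),
    ("00-03-6B-00-00-00", STANDARD_MASK, "Cisco phone"),
    ("00-04-0D-00-00-00", STANDARD_MASK, "Avaya phone"),
    ("00-60-B9-00-00-00", STANDARD_MASK, "Philips/NEC phone"),
    ("00-D0-1E-00-00-00", STANDARD_MASK, "Pingtel phone"),
    ("00-E0-75-00-00-00", STANDARD_MASK, "Polycom phone"),
    ("00-E0-BB-00-00-00", STANDARD_MASK, "3com phone"),
]


def mac_to_int(mac):
    """Parse 'AA-BB-CC-DD-EE-FF' or 'aa:bb:cc:dd:ee:ff' into a 48-bit integer."""
    octets = mac.replace(":", "-").split("-")
    if len(octets) != 6 or any(
            len(o) != 2 or any(c not in string.hexdigits for c in o) for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(octets), 16)


def match_oui(src_mac, table=DEFAULT_OUI_TABLE):
    """Return the description of the first OUI entry the source MAC matches, else None."""
    mac = mac_to_int(src_mac)
    for oui, mask, description in table:
        m = mac_to_int(mask)
        if mac & m == mac_to_int(oui) & m:
            return description
    return None


def port_decision(src_mac, security_mode_enabled, table=DEFAULT_OUI_TABLE):
    """Decision for a frame received on a Voice VLAN port.

    Security Mode Enable: only frames whose source MAC matches an OUI are forwarded.
    Security Mode Disable: every frame is forwarded.
    """
    vendor = match_oui(src_mac, table)
    if vendor is not None:
        return ("forward-voice", vendor)
    return ("drop", None) if security_mode_enabled else ("forward", None)


def audit_oui_table(table):
    """Flag entries whose mask is not the standard one, or whose OUI sets ignored bits."""
    findings = []
    for oui, mask, description in table:
        m, o = mac_to_int(mask), mac_to_int(oui)
        wildcard_bits = 48 - bin(m).count("1")
        if m != mac_to_int(STANDARD_MASK):
            findings.append(
                (description, f"non-standard mask, matches 2^{wildcard_bits} addresses"))
        if o & ~m & 0xFFFFFFFFFFFF:
            findings.append((description, "OUI has bits set outside the mask"))
    return findings
```

The match depends only on the source MAC prefix, so an entry with a shorter mask classifies a much larger set of devices as voice; running the audit over an exported OUI table shows any such entry.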
NOTE: To enable the Voice VLAN function for a LAG Group Port, please ensure its member state corresponds with its Port mode.

NOTE: If a Port is a member Port of the Voice VLAN, changing its Port mode to “Auto” will make the Port leave the Voice VLAN, and it will not join the Voice VLAN automatically until it receives Voice streams.

9.3.3 VoIP OUI Config

The Switch supports OUI creation, allowing you to add any additional OUIs for Voice VLAN identification. The Switch determines whether a received packet is a Voice packet by checking its OUI. The Switch analyzes the received packets. If the packet is recognized as a Voice packet, the Port will be automatically added to the Voice VLAN.

Choose the menu QoS>>Voice VLAN>>VoIP OUI Config to load the following page.

Figure 9-14 OUI Configuration

The following entries are displayed on this screen:

Create OUI
OUI: Enter the OUI of the Voice device.
Mask: Enter the OUI mask of the Voice device (this should always be the standard mask of FF-FF-FF-00-00-00 except in rare circumstances).
Description: Give a description to the OUI for easy identification.

OUI Table
Select: Select the desired entry(ies) to be deleted.
OUI: Displays the OUI of the Voice device.
Mask: Displays the OUI mask of the Voice device.
Description: Displays the description of the OUI.

CAUTION: VoIP OUI Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

Configuration Procedure of Voice VLAN:

Step | Operation | Description
1 | Configure the link type of the Port | On VLAN>>802.1Q VLAN>>Port Config page configure the link type of Ports of the Voice device.
2 | Create VLAN | On VLAN>>802.1Q VLAN>>Port Config page click the Create button to create a VLAN.
3 | Add an OUI | On QoS>>Voice VLAN>>VoIP OUI Config page, you can check whether the Switch is supporting the OUI template or not. If not, please add the OUI.
4 | Configure the parameters of the Ports in Voice VLAN | On QoS>>Voice VLAN>>VoIP VLAN Port Config page configure the parameters of the Ports in Voice VLAN.
5 | Enable Voice VLAN | On QoS>>Voice VLAN>>VoIP VLAN Config page configure the global parameters of Voice VLAN.

10 POE

PoE (Power over Ethernet) technology is a system for transmitting Electrical Current and Data to remote devices over standard twisted-pair Ethernet cable.

Devices

A PoE system usually consists of PSE (Power Sourcing Equipment) and PD (Powered Device).

PSE (Power Sourcing Equipment): The device, such as a Switch, that provides power via the Ethernet cable to the PD.
PD (Powered Device): The device which accepts power from the PSE. PDs fall into two types: Standard and Nonstandard. Standard PDs are Powered Devices that comply with IEEE 802.3af and IEEE 802.3at. Examples include Wireless Access Points, IP Phones, IP Cameras, and Embedded Devices.

Advantages

Inexpensive Cabling: Remote devices can be powered by the PSE with no need of an AC power outlet. Ethernet cable is less expensive than AC cable.
Easy to connect: PoE uses only one Ethernet cable.
Reliable: A Powered Device can be either powered by a PSE using Ethernet cable or powered through the provided power adapter.
Flexibility: In compliance with IEEE 802.3af and IEEE 802.3at, global organizations can deploy PoE companywide without concern for any variance in AC power standards or outlet type.

The XMS-1024P Managed PoE Switch is a PSE (Power Sourcing Equipment).
All RJ45 Ports except the Console Port on the Switch support PoE (Power over Ethernet), which automatically detects and supplies power for PDs (Powered Devices) complying with IEEE 802.3af and IEEE 802.3at. The maximum total power the Luxul PoE Switch can supply is 320W and the maximum power to each Port is 30W.

The PoE function can be configured in the sections PoE Config and PoE Time-Range.

10.1 PoE Config

All the RJ45 Ports on the Switch can be configured to supply power for Powered Devices that comply with IEEE 802.3af and IEEE 802.3at. The power the system can provide is limited, so some attributes should be set to make full use of the power and guarantee adequate power to linked PDs. When the power exceeds the Maximum power limit, the Switch may disconnect power to the PD linked to a Port with lower priority. When a detected PD is disconnected, the Switch will stop supplying power via the disconnected Port.

PoE Config is implemented on PoE Config and PoE Profile pages.

10.1.1 PoE Config

On this page you can configure the parameters to implement PoE.

Choose the menu PoE>>PoE Config>>PoE Config to load the following page.

Figure 10-1 PoE Config

The following items are displayed on this screen:

PoE Config
System Power Limit: The Max power the PoE Switch can supply.
System Power Consumption: Displays the PoE Switch’s real time System Power Consumption.
System Power Remain: Displays the PoE Switch’s real time Remaining System Power.

Port Config
Port Select: Click the Select button to quick-select the corresponding entry.
Select: Select the desired Port(s) to configure its parameters.
Port: Displays the Port number.
PoE Status: Disable/Enable the PoE feature for the corresponding Port. If set to Enable, the corresponding Port can supply power to a linked PD (Powered Device).
PoE Priority: Priority Levels include High, Medium and Low in descending order. When the supplied power exceeds the System Power Limit, the PD linked to the Port with lower priority will be disconnected from power.
Power Limit (0.1w-30w): Defines the max power the corresponding Port can supply. Class1 4w, Class2 7w, Class3 15.4w and Class4 30w.
Time Range: Select the Time Range for the PoE Port to supply power. If No Limit is selected, the PoE Port will supply power all the time.
PoE Profile: Select the profile you want to apply to the selected Port. If a PoE Profile is selected, the following three attributes are no longer editable: PoE Status, PoE Priority and Power Limit.
Power (W): Displays the Port’s real time Power usage.
Current (mA): Displays the Port’s real time Current draw.
Voltage (V): Displays the Port’s real time Voltage.
PD Class: Displays the Class the linked PD (Powered Device) belongs to.
Power Status: Displays the Port’s real time power status.

CAUTION: PoE Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

10.1.2 PoE Profile

A PoE (Power over Ethernet) Profile is a shortcut for configuring the PoE Ports. You can create one or more profiles to be applied to the Ports. In a profile, the PoE status, PoE priority and Power limit are all configured for any Port using the Profile.

Choose the menu PoE>>PoE Config>>PoE Profile to load the following page.

Figure 10-2 Profile Config

The following items are displayed on this screen:

Create PoE Profile
Profile Name: Enter the name of the profile.
PoE Status: Enable/Disable the PoE feature. If Enabled, the Port will supply power to connected PDs (Powered Devices).
PoE Priority: Priority Levels include High, Medium and Low in descending order.
When the supplied power exceeds the System Power Limit, the PD linked to the Port with lower priority will be disconnected from power.
Power Limit: Defines the max power the corresponding Port can supply. Class1 4w, Class2 7w, Class3 15.4w and Class4 30w.

PoE Profile
Select: Select the desired Profile to delete.
Profile Name: Displays the name of the Profile.
PoE Status: Displays the PoE status of the Port in the Profile.
PoE Priority: Displays the PoE Priority of the Port in the Profile.
Power Limit: Displays the Max power the Port in the Profile can supply.

10.2 PoE Time-Range

A Time-Range based PoE implementation allows you to implement PoE Power by Time-Ranges. A Time-Range can be specified for each Port. The Port will not supply power when the specified Time-Range is in effect.

Absolute, Week and Holiday Time-Ranges can be configured. Configure Absolute time in the form of “the Start Date to the End Date” to keep the Port based on this Time-Range supplying power during the configured Time-Slice. Configure a Week time to keep the Port supplying power based on this Time-Range on the desired days of the week during the configured Time-Slice. Configure a Holiday Time-Range to keep the Port based on this Time-Range from supplying power on Holidays. In each Time-Range, 4 Time-Slices can be configured.

The Time-Range configuration can be implemented on PoE Time-Range Table, PoE Time-Range and PoE Holiday Config pages.

10.2.1 Time-Range Table

On this page you can view, edit or delete the current Time-Ranges.

Choose the menu PoE>>PoE Time-Range>>PoE Time-Range Table to load the following page.

Figure 10-3 Time-Range Table

The following items are displayed on this screen:

Time-Range Table
Select: Select the desired entry to delete the corresponding Time-Range.
Index: Displays the Index of the Time-Range.
Time-Range Name: Displays the Name of the Time-Range.
Slice: Displays the Time-Slice(s) of the Time-Range.
Mode: Displays the Mode of the Time-Range.
Operation: Click Edit to modify this Time-Range. Click Detail to display complete information on this Time-Range.

CAUTION: PoE Time-Range Table settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

10.2.2 PoE Time-Range Create

On this page you can create Time-Ranges.

Choose the menu PoE>>PoE Time-Range>>PoE Time-Range Create to load the following page.

Figure 10-4 PoE Time-Range

The following items are displayed on this screen:

Create Time-Range
Name: Enter the Name of the Time-Range for easy identification.
Exclude Holiday: Select Exclude Holiday and the Port using this Time-Range will not supply power when the System Time is within the Holiday period.
Absolute: Select Absolute to configure an Absolute Time-Range. The Port using this Time-Range will supply power based on this Time-Range when the System Time is within the configured Time-Slice(s).
Week: Select Week to configure a Weekly Time-Range. The Port using this Time-Range will supply power based on this Time-Range when the System Time is within the configured Time-Slice(s).

Create Time-Slice
Start Time: Set the Start Time of the Time-Slice.
End Time: Set the End Time of the Time-Slice.

Time-Slice Table
Index: Displays the Index of the Time-Slice.
Start Time: Displays the Start Time of the Time-Slice.
End Time: Displays the End Time of the Time-Slice.
Delete: Click the Delete button to delete the corresponding Time-Slice.
CAUTION: PoE Time-Range settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

NOTE: To configure Time-Ranges please first specify a Time-Slice(s) and then Time-Range(s).

10.2.3 PoE Holiday Config

Holiday mode is a different Time-Range control policy from the Absolute or Week mode. On this page you can define Holidays according to your local calendar.

Choose the menu PoE>>PoE Time-Range>>PoE Holiday Create to load the following page.

Figure 10-5 Holiday Configuration

The following entries are displayed on this screen:

Create Holiday
Start Date: Specify the Start Date of the Holiday.
End Date: Specify the End Date of the Holiday.
Holiday Name: Enter the Name of the Holiday.

Holiday Table
Select: Select the desired entry to delete the corresponding Holiday.
Index: Displays the Index of the Holiday.
Holiday Name: Displays the Name of the Holiday.
Start Date: Displays the Start Date of the Holiday.
End Date: Displays the End Date of the Holiday.

CAUTION: PoE Holiday Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

11 ACL

ACL (Access Control List) is used to filter packets by configuring Rules and Policies in order to control the access of client devices in the Network. ACL is used to control traffic flows and preserve Network resources. It provides a flexible and secure Access Control Policy facilitating control of network security.
ACLs classify packets based on a series of Match Conditions which use Layer2-Layer4 protocol fields in the packets. A Time-Range based ACL allows you to implement ACL control at different specified times.

The ACL configuration of the Switch includes four submenus: Time-Range, ACL Config, Policy Config and Policy Binding.

11.1 Time-Range

If a configured ACL is going to be in effect during a specified Time-Range, a Time-Range should be created prior to specifying it in the ACL. A Time-Range based ACL takes effect only within the specified Time-Range.

Absolute, Week and Holiday Time-Ranges can be configured. Configure an Absolute Time-Range in the form of “the Start Date to the End Date” to make ACLs effective. Configure a Week Time-Range to make ACLs effective on fixed days of the Week. Configure a Holiday time to make ACLs effective on Holidays. In each Time-Range up to four Time-Slices can be configured.

The Time-Range configuration can be implemented on ACL Time-Range Table, ACL Time-Range and ACL Holiday Config pages.

11.1.1 ACL Time-Range Table

On this page you can view the current ACL Time-Ranges.

Choose the menu ACL>>ACL Time-Range>>ACL Time-Range Table to load the following page:

Figure 11-1 ACL Time-Range Table

The following entries are displayed on this screen:

ACL Time-Range Table
Select: Select the desired entry to delete the corresponding Time-Range.
Index: Displays the Index of the Time-Range.
Time-Range Name: Displays the Name of the Time-Range.
Slice: Displays the Time-Slice of the Time-Range.
Mode: Displays the Mode of the Time-Range.
Configuration: Click Edit to modify this Time-Range and click Detail to display the information of this Time-Range.
CAUTION: ACL Time-Range Table settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

11.1.2 ACL Time-Range

On this page you can create Time-Ranges.

Choose the menu ACL>>ACL Time-Range>>ACL Time-Range to load the following page.

Figure 11-2 ACL Time-Range

The following entries are displayed on this screen:

Create Time-Range
Name: Enter the Name of the Time-Range for easy identification.
Holiday: Select Holiday to set a Holiday Time-Range. The ACL Rule based on this Time-Range takes effect only when the System Time is within the Holiday period.
Absolute: Select Absolute to configure an Absolute Time-Range. The ACL Rule based on this Time-Range takes effect only when the System Time is within the Absolute Time-Range.
Week: Select Week to configure a Weekly Time-Range. The ACL Rule based on this Time-Range takes effect only when the System Time is within the Week Time-Range.

Create Time-Slice
Start Time: Set the Start Time of the Time-Slice.
End Time: Set the End Time of the Time-Slice.

Time-Slice Table
Index: Displays the Index of the Time-Slice.
Start Time: Displays the Start Time of the Time-Slice.
End Time: Displays the End Time of the Time-Slice.
Delete: Click the Delete button to Delete the corresponding Time-Slice.

CAUTION: PoE Time-Range settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

NOTE: To successfully configure Time-Ranges, please specify Time-Slices first and then Time-Ranges.
11.1.3 ACL Holiday Config

Holiday mode is a different Time-Range control policy from the Absolute or Week mode. On this page you can define Holidays according to your local calendar.

Choose the menu ACL>>ACL Time-Range>>ACL Holiday Config to load the following page.

Figure 11-3 ACL Holiday Config

The following entries are displayed on this screen:

Create Holiday
Start Date: Specify the Start Date of the Holiday.
End Date: Specify the End Date of the Holiday.
Holiday Name: Enter the Name of the Holiday.

Holiday Table
Select: Select the desired entry to Delete the corresponding Holiday.
Index: Displays the Index of the Holiday.
Holiday Name: Displays the Name of the Holiday.
Start Date: Displays the Start Date of the Holiday.
End Date: Displays the End Date of the Holiday.

CAUTION: ACL Holiday Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

11.2 ACL Config

An ACL may contain a number of Rules, and each Rule specifies a different packet range. Packets are Matched in order. Once a Rule is Matched, the Switch applies the operation specified in that Rule to the Matched packets and does not Process the remaining Rules.

ACL Rules are used to increase the performance of the Switch and to maintain a secure local Network. Packets are classified based on Matching Rules in order of the Rules in the ACL Rule Table.

The ACL Config can be implemented on ACL Summary, ACL, MAC ACL Rule, Standard-IP ACL Rule and Extended-IP ACL Rule pages.

11.2.1 ACL Rule Table

On this page, you can view the current ACLs configured in the Switch.
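The ordered, first-match evaluation described in 11.2, combined with masked address matching and a Week-mode Time-Range, as an added Python example (not Luxul code). It loads ACL 100 with the values printed in the Section 11.5 application example; the class and function names, the Time-Slice boundary handling and the None result for an unmatched packet are assumptions of this sketch, and shadowed() is an added audit check that the Switch is not stated to perform.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class WeekTimeRange:
    """Week-mode Time-Range: fixed weekdays plus up to four Time-Slices."""
    name: str
    weekdays: frozenset                       # 0 = Monday ... 6 = Sunday
    slices: Tuple[Tuple[time, time], ...]     # (start, end) pairs

    def active(self, now: datetime) -> bool:
        # Assumption: a slice includes its start time and excludes its end time.
        return now.weekday() in self.weekdays and any(
            start <= now.time() < end for start, end in self.slices)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    operation: str                            # "Permit" or "Deny"
    s_ip: str
    s_mask: str
    d_ip: str
    d_mask: str
    time_range: Optional[WeekTimeRange] = None    # None models "No Limit"


def _bits(addr: str) -> int:
    return int(IPv4Address(addr))


def masked_match(addr: str, rule_addr: str, mask: str) -> bool:
    """Compare only the bit positions where the mask bit is 1."""
    m = _bits(mask)
    return (_bits(addr) & m) == (_bits(rule_addr) & m)


def evaluate(rules: List[Rule], src: str, dst: str, now: datetime):
    """Return (rule_id, operation) of the first matching rule, or None."""
    for rule in rules:                        # table order is match order
        if rule.time_range is not None and not rule.time_range.active(now):
            continue                          # rule is outside its Time-Range
        if (masked_match(src, rule.s_ip, rule.s_mask)
                and masked_match(dst, rule.d_ip, rule.d_mask)):
            return rule.rule_id, rule.operation
    return None                               # assumption: no rule matched


def _covers(e_addr: str, e_mask: str, l_addr: str, l_mask: str) -> bool:
    """True if every address the later pair matches is matched by the earlier pair."""
    em, lm = _bits(e_mask), _bits(l_mask)
    return (em & lm) == em and (_bits(e_addr) & em) == (_bits(l_addr) & em)


def shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (later_id, earlier_id) pairs where the later rule can never be the first match."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            in_effect = (earlier.time_range is None
                         or earlier.time_range == later.time_range)
            if (in_effect
                    and _covers(earlier.s_ip, earlier.s_mask, later.s_ip, later.s_mask)
                    and _covers(earlier.d_ip, earlier.d_mask, later.d_ip, later.d_mask)):
                found.append((later.rule_id, earlier.rule_id))
                break
    return found


# "Work Time" as configured in Section 11.5: Monday to Friday, 08:00-18:00.
WORK_TIME = WeekTimeRange("Work Time", frozenset(range(5)),
                          ((time(8, 0), time(18, 0)),))

# ACL 100 with the rule values printed in Section 11.5.
ACL_100 = [
    Rule(1, "Deny", "172.31.70.1", "255.255.255.0", "172.31.50.1", "255.255.255.0"),
    Rule(2, "Deny", "172.31.70.1", "255.255.255.0", "172.31.50.1", "255.255.255.0"),
    Rule(3, "Permit", "172.31.70.1", "255.255.255.0", "172.31.88.5", "255.255.255.0",
         WORK_TIME),
]

# Constructed sample times and host addresses for the demonstration.
WEDNESDAY_10AM = datetime(2014, 8, 13, 10, 0)
WEDNESDAY_EVENING = datetime(2014, 8, 13, 18, 30)
SATURDAY_10AM = datetime(2014, 8, 16, 10, 0)

if __name__ == "__main__":
    for when in (WEDNESDAY_10AM, WEDNESDAY_EVENING, SATURDAY_10AM):
        print(when, evaluate(ACL_100, "172.31.70.20", "172.31.88.5", when))
    print("shadowed rules:", shadowed(ACL_100))
```

Run over ACL 100 as printed, shadowed() reports Rule 2: it repeats Rule 1 and therefore can never be the first match.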
Choose the menu ACL>>ACL Config>>ACL Rule Table to load the following page.

Figure 11-4 ACL Rule Table

The following entries are displayed on this screen:

Search Option
Select ACL: Select the ACL you have created.
ACL Type: Displays the type of the ACL you select.
Rule Order: Displays the Rule order of the ACL you select.

Rule Table
Select: Select the desired entry to Delete the corresponding Holiday.
Index: Displays the Index of the ACL Rule.
Rule ID: Displays the Rule ID of the ACL.
S-MAC Address: Displays the Source-MAC Address configured in the ACL Rule.
D-MAC Address: Displays the Destination-MAC Address configured in the ACL Rule.
VLAN ID: Displays the VLAN ID the ACL is active in.
Time Range Name: Displays the Name of the Time-Range the ACL is configured to use.
Configuration: Click Edit to modify the ACL selected, click Detail to view the configured ACL Rule, click Up to move the Rule Up in the list and click Down to move the Rule Down in the list.

CAUTION: ACL Rule Table settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

Here you can view the information about the ACL Rule you select.

11.2.2 ACL

On this page you can create ACLs.

Choose the menu ACL>>ACL Config>>ACL to load the following page.

Figure 11-5 ACL

The following entries are displayed on this screen:

Create ACL
ACL ID: Enter the ACL ID you want to create.
Rule Order: User Config is the only Matching order.

CAUTION: ACL settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.
11.2.3 MAC ACL RULE

MAC ACL Rules analyze and process packets using a series of Match conditions. They can analyze the Source MAC Address, Destination MAC Address, VLAN ID and Ether Type of the packets.

Choose the menu ACL>>ACL Config>>MAC ACL RULE to load the following page.

Figure 11-6 MAC ACL Rule

The following entries are displayed on this screen:

Create MAC ACL RULE
ACL ID: Select the desired ACL ID for configuration.
Rule ID: Enter the Rule ID.
Operation: Select the operation the Switch will use to process packets.
Permit: Forward Packets.
Deny: Discard Packets.
S-MAC: Enter the Source MAC Address to be contained in the Rule.
D-MAC: Enter the Destination MAC Address to be contained in the Rule.
MASK: Enter MAC Address Mask. If it is set to 1, the Switch must Match the Address Exactly.
VLAN ID: Enter the VLAN ID contained in the Rule.
Ether Type: Enter Ether Type contained in the Rule.
User Priority: Select the User Priority contained in the Rule for the Matched packets.
Time-Range: Select the Time-Range for the Rule to take effect.

CAUTION: MAC ACL Rule settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

11.2.4 Standard-IP ACL Rule

Standard-IP ACL Rules analyze and process Data packets based on a series of Matching conditions. They can analyze the Source IP Address and Destination IP Address carried in the packets.

Choose the menu ACL>>ACL Config>>Standard-IP ACL Rule to load the following page.

Figure 11-7 Create Standard-IP Rule
The following entries are displayed on this screen:

Create Standard-IP ACL
ACL ID: Select the desired Standard-IP ACL for configuration.
Rule ID: Enter the Rule ID.
Operation: Select the operation the Switch will use to process packets.
Permit: Forward Packets.
Deny: Discard Packets.
S-IP: Enter the Source IP Address to be contained in the Rule.
D-IP: Enter the Destination IP Address to be contained in the Rule.
Mask: Enter IP Address Mask. If it is set to 1, the Switch must Match the Address Exactly.
Time-Range: Select the Time-Range for the Rule to take effect.

CAUTION: Standard-IP ACL Rule settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

11.2.5 Extended-IP ACL Rules

Extended-IP ACL Rules analyze and process Data packets based on a series of matching conditions. They can analyze the Source IP Address, Destination IP Address, IP Protocol, TCP Flag, Source-Port, Destination-Port, DSCP field values, IP ToS field values and IP Precedence field values.

Choose the menu ACL>>ACL Config>>Extended-IP ACL Rule to load the following page.

Figure 11-8 Extended-IP ACL Rule

The following entries are displayed on this screen:

Create Extend-IP ACL
ACL ID: Select the desired Extended-IP ACL.
Rule ID: Enter the Rule ID.
Operation: Select the operation the Switch will use to process packets.
Permit: Forward Packets.
Deny: Discard Packets.
S-IP: Enter the Source IP Address to be contained in the Rule.
D-IP: Enter the Destination IP Address to be contained in the Rule.
Mask: Enter IP Address Mask. If it is set to 1, the Switch must Match the Address Exactly.
IP Protocol: Select the IP Protocol to be contained in the Rule.
TCP Flag: Select TCP Flag(s) when TCP is selected from the dropdown list of IP Protocol.
S-Port: Configure the TCP/IP Source Port to be contained in the Rule when TCP/UDP is selected from the dropdown list of IP Protocol.
D-Port: Configure the TCP/IP Destination Port to be contained in the Rule when TCP/UDP is selected from the dropdown list of IP Protocol.
DSCP: Enter the DSCP value to be contained in the Rule.
IP ToS: Enter the IP-ToS value to be contained in the Rule.
IP Pre: Enter the IP Precedence value to be contained in the Rule.
Time-Range: Select the Time-Range used by the Rule.

CAUTION: Extended-IP ACL Rule settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

11.3 ACL Policy

Policies are used to control the Data packets that match the corresponding ACL Rules by linking ACL Rules and actions together. The possible actions include: Port Mirroring, data Condition, Redirection and QoS re-assignment.

Policy Config can be implemented using the ACL Policy Table, ACL Policy and ACL Policy Rule pages.

11.3.1 ACL Policy Table

On this page, you can view the ACL and the corresponding actions in the Policy.

Choose the menu ACL>>ACL Policy>>ACL Policy Table to load the following page.

Figure 11-9 ACL Policy Table

The following entries are displayed on this screen:

Search Option
Select Policy: Select the Name of the desired Policy to view the current settings. If you want to Delete the policy, click the Delete button.

Action Table
Select: Select the desired entry to Delete the corresponding policy.
Index: Enter the Index of the Policy.
ACL ID: Displays the ID of the ACL contained in the Policy.
Mirror Port: Displays the Mirror Port of the Policy.
Condition: Displays the source Condition added to the Policy.
Redirect: Displays the Redirect added to the Policy.
QoS: Displays the QoS assignment added to the Policy.
Configuration: Edit the information of this Policy.

CAUTION: ACL Policy Table settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

11.3.2 ACL Policy

On this page you can create an ACL Policy.

Choose the menu ACL>>ACL Policy>>ACL Policy to load the following page.

Figure 11-10 ACL Policy

The following entries are displayed on this screen:

Create Policy
Policy Name: Enter the Name of the Policy.

CAUTION: ACL Policy settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

11.3.3 ACL Policy Rule

On this page you can add ACLs and create corresponding actions for the Policy.

Choose the menu ACL>>ACL Policy>>ACL Policy Rule to load the following page.

Figure 11-11 ACL Policy Rule

The following entries are displayed on this screen:

Create Policy Rule
Select Policy: Select the Name of the Policy.
Select ACL: Select the ACL to be linked to the Policy.
S-Mirror: Select a Mirror Port to mirror the Data packets in the policy to the specific Port.
Condition: Select a Condition on which to limit the Transmission Rate of Data packets in the Policy.
Rate: Specify the Forwarding Rate of the Data packets that match the corresponding ACL.
Out of Band: Specify the disposal method of the Data packets that are transmitted beyond the Rate limit.
Redirect: Select Redirect to change the Forwarding destination of the Data packets in the Policy.
Destination Port: Forward the Data packets that match the corresponding ACL to the specified Port.
QoS Remark: Select QoS to Forward the Data packets based on the QoS settings.
DSCP: Specify the DSCP Region for the Data packets that match the corresponding ACL.
Local Priority: Specify the Local Priority for the Data packets that match the corresponding ACL.

CAUTION: ACL Policy Rule settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

11.4 ACL Policy Binding

Policy Binding allows the Policy to take effect on a specified Port or VLAN. Policies will take effect only when they are bound to a Port or VLAN. The Port/VLAN will receive Data packets and process them based on the Policy only when the Policy is Bound to a Port or VLAN.

Policy Binding can be implemented on ACL Policy Binding Table, ACL Policy Port Binding and ACL Policy VLAN Binding pages.

11.4.1 ACL Policy Binding Table

On this page you can view the Policy bound to Port or VLAN.

Choose the menu ACL>>ACL Policy Binding>>ACL Policy Binding Table to load the following page.

Figure 11-12 ACL Policy Binding Table

The following entries are displayed on this screen:

Search Option
Binding Mode: Select a Binding Mode appropriate to your needs.

Policy Bind Table
Select: Select the desired entry to Delete the corresponding Binding.
Index: Displays the Index of the Binding Policy.
Policy Name: Displays the Name of the Binding Policy.
Interface: Displays the Port number or VLAN ID Bound to the Policy.
Direction: Displays the Binding Direction.
CAUTION: ACL Policy Binding Table settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

11.4.2 ACL Policy Port Binding

On this page you can bind a Policy to a Port.

Choose the menu ACL>>ACL Policy Binding>>ACL Policy Port Binding to load the following page:

Figure 11-13 ACL Policy Port Binding

The following entries are displayed on this screen:

Port Binding Config
Policy Name: Select the Name of the Policy you want to Bind.
Port: Enter the Number of the Port(s) you want to Bind.

Port Binding Table
Index: Displays the Index of the Binding Policy.
Policy Name: Displays the Name of the Binding Policy.
Port: Displays the Number of the Port Bound to the corresponding Policy.
Direction: Displays the Binding Direction.

CAUTION: ACL Policy Port Binding settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

11.4.3 ACL Policy VLAN Binding

On this page you can Bind a Policy to a VLAN.

Choose the menu ACL>>ACL Policy Binding>>ACL Policy VLAN Binding to load the following page:

Figure 11-14 ACL Policy VLAN Binding

The following entries are displayed on this screen:

VLAN-Bind Config
Policy Name: Select the Name of the Policy you want to Bind.
VLAN ID: Enter the ID of the VLAN you want to Bind.

VLAN-Bind Table
Index: Displays the Index of the Binding Policy.
Policy Name: Displays the Name of the Binding Policy.
VLAN ID: Displays the ID of the VLAN Bound to the corresponding Policy.
Direction: Displays the Binding Direction.
CAUTION: ACL Policy VLAN Binding settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

CONFIGURATION PROCEDURE:

Step 1
Operation: Configure the effective Time-Range
Description: On ACL>>ACL Time-Range configuration pages, configure the effective Time-Range for the ACL.

Step 2
Operation: Configure ACL Rules
Description: On ACL>>ACL Config pages, configure ACL Rules to Match packets.

Step 3
Operation: Configure Policy
Description: On ACL>>ACL Policy configuration pages, configure the Policies used to control the Data packets that Match the corresponding ACL Rules.

Step 4
Operation: Bind the Policy to a Port or VLAN
Description: On ACL>>ACL Policy Binding configuration pages, Bind the Policies to a Port or VLAN to bring the Policy into effect on the corresponding Port or VLAN.

11.5 Application Example for ACL

Network Requirements
1. The manager of the R&D Department can access the company Forum and Internet without any limitations. The MAC Address of the manager's computer is 00-46-A5-5D-12-C3.
2. The staff of the R&D Department cannot access the Internet during work hours but they are allowed to visit the Forum all day.
3. The staff of the Marketing Department can access the Internet all day but cannot visit the Forum during work hours.
4. The R&D Department and Marketing Department cannot communicate with each other.

Network Diagram

Figure 11-15 Network Diagram

ACL Configuration Procedure

Step 1
Operation: Configure Time-Range
Description: On ACL>>ACL Time-Range page, create a Time-Range named Work Time. Select Week mode and configure the Week from Monday to Friday. Add the Time-Slice 08:00-18:00.

Step 2
Operation: Configure for Requirement 1
Description: On ACL>>ACL Config>>ACL page, create ACL 11.
On ACL>>ACL Config>>MAC ACL Rule page, select ACL 11, create Rule 1, configure the operation as Permit, configure the S-MAC as 00-45-A5-5D-12-C3 and mask as FF-FF-FF-FF-FF-FF, and configure the Time-Range as No Limit.
On ACL>>ACL Policy>>ACL Policy page, create a Policy Named Manager.
On ACL>>ACL Policy>>ACL Policy Rule page, add ACL 11 to Policy Manager.
On ACL>>ACL Policy Binding>>ACL Policy Port Binding page, select Policy Manager to bind to Port 3.

Step 3
Operation: Configure for Requirements 2 and 4
Description: On ACL>>ACL Config>>ACL page, create ACL 100.
On ACL>>ACL Config>>Standard-IP ACL Rule page, select ACL 100, create Rule 1, configure operation as Deny, configure S-IP as 172.31.70.1 and mask as 255.255.255.0, configure D-IP as 172.31.50.1 and mask as 255.255.255.0, configure the Time-Range as No Limit.
On ACL>>ACL Config>>Standard-IP ACL Rule page, select ACL 100, create Rule 2, configure operation as Deny, configure S-IP as 172.31.70.1 and mask as 255.255.255.0, configure D-IP as 172.31.50.1 and mask as 255.255.255.0, configure the Time-Range as No Limit.
On ACL>>ACL Config>>Standard-IP ACL Rule page, select ACL 100, create Rule 3, configure operation as Permit, configure S-IP as 172.31.70.1 and mask as 255.255.255.0, configure D-IP as 172.31.88.5 and mask as 255.255.255.0, configure the Time-Range as Work Time.
On ACL>>ACL Policy>>ACL Policy Rule page, add ACL 100 to Policy limit1.
On ACL>>ACL Policy Binding>>ACL Policy Port Binding page, select Policy limit1 to Bind to Port 3.

Step 4
Operation: Configure for Requirements 3 and 4
Description: On ACL>>ACL Config>>ACL page, create ACL 101.
On ACL>>ACL Config>>Standard-IP ACL Rule page, select ACL 101, create Rule 1, configure operation as Deny, configure S-IP as 172.31.70.1 and mask as 255.255.255.0, configure D-IP as 172.31.50.1 and mask as 255.255.255.0, configure the Time-Range as No Limit.
On ACL>>ACL Config>>Standard-IP ACL Rule page, select ACL 101, create Rule 2, configure operation as Deny, configure S-IP as 172.31.70.1 and mask as 255.255.255.0, configure D-IP as 172.31.88.5 and mask as 255.255.255.255, configure the Time-Range as No Limit.
On ACL>>ACL Policy>>ACL Policy page, create a policy named limit2.
On ACL>>ACL Policy>>ACL Policy page, add ACL 101 to Policy limit1.
On ACL>>ACL Policy Binding>>ACL Policy Port Binding page, select Policy limit2 to bind to Port 4.

12 NETWORK SECURITY

The Network Security module provides various protection measures and includes four submenus: IP-MAC Binding, ARP Inspection, DoS Defense and 802.1X/RADIUS.

12.1 IP-MAC Binding

The IP-MAC Binding function allows you to bind an IP Address, MAC address, VLAN ID and the connected Port Number. Based on the IP-MAC Binding Table and ARP Inspection functions, you can control Network access and only allow the client devices matching the Bound entries to access the Network.

The following three IP-MAC Binding methods are supported by the Switch.

Manual: You can manually bind an IP Address, MAC address, VLAN ID and Port Number.
Scanning: You can quickly collect the information of client devices in the LAN using the ARP Scanning function and bind them with the collected information. You are only required to enter the Range of IP Addresses to be scanned on the ARP Scanning page.
DHCP Snooping: You can use the DHCP Snooping function to monitor the process of the client device obtaining an IP Address from a DHCP Server for Automatic Binding.

These three methods are also the source of all IP-MAC Binding entries. The entries from various sources should be different from one another to avoid conflicting settings. Among the entries conflicting with each other, only the entry from the source with the highest priority will take effect.
The three sources Manual, Scanning and Snooping are in descending order of priority.

The IP-MAC Binding function is implemented on the IP-MAC Binding Table, Manual IP-MAC Binding, ARP IP-MAC Binding and IP-MAC DHCP Snooping pages.

12.1.1 IP-MAC Binding Table

On this page, you can view the information of the Bound entries.

Choose the menu Network Security>>IP-MAC Binding>>IP-MAC Binding Table to load the following page.

Figure 12-1 IP-MAC Binding Table

The following entries are displayed on this screen:

Search Option
Source: Select a Source from the dropdown list and click the Search button to view your desired Source in the Binding Table.
All: All Bound entries will be displayed.
Manual: Only the Manually added entries will be displayed.
Scanning: Only the entries added using ARP Scanning will be displayed.
Snooping: Only the entries added using DHCP Snooping will be displayed.

Binding Table
IP Select: Click the Select button to quick-select the corresponding entry.
Select: Select the desired entry(ies) to modify the Host Name and Protect Type.
Host Name: Displays the Host Name.
IP Address: Displays the IP Address of the Host.
MAC Address: Displays the MAC Address of the Host.
VLAN ID: Displays the VLAN ID.
Port: Displays the Port Number connected to the Host.
Protect Type: Allows you to view and modify the Protect Type of the entry.
Source: Displays the Source of the entry.
Collision: Displays the Collision status of the entry.
Warning: Indicates that a collision may be caused by the MSTP function.
Critical: Indicates that the Entry has caused a collision with other Entries.
CAUTION: IP-MAC Binding Table settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

NOTE: Among the entries with a Critical collision level, the entry with the highest Source Priority will take precedence.

NOTE: Among the conflicting entries with the same Source Priority, the last added or edited entry will take effect.

12.1.2 Manual Binding

You can Manually Bind the IP Address, MAC Address, VLAN ID and Port Number together.

Choose the menu Network Security>>IP-MAC Binding>>Manual IP MAC Binding to load the following page:

Figure 12-2 Manual IP-MAC Binding

The following entries are displayed on this screen:

Manual Binding Config
Host Name: Enter the Host Name.
IP Address: Enter the IP Address of the Host.
MAC Address: Enter the MAC Address of the Host.
VLAN ID: Enter the VLAN ID.
Port: Select the Port Number connected to the Host.
Protect Type: Select the Protect Type for the Entry.

Manual Binding Table
Select: Select the desired entry(ies) to be Deleted.
Host Name: Displays the Host Name.
IP Address: Displays the IP Address of the Host.
MAC Address: Displays the MAC Address of the Host.
VLAN ID: Displays the VLAN ID.
Port: Displays the Port Number connected to the Host.
Protect Type: Displays the Protect Type of the Entry.
Collision: Displays the Collision status of the Entry.
Warning: Indicates that a collision may be caused by the MSTP function.
Critical: Indicates that the Entry has caused a collision with other Entries.
CAUTION: IP-MAC Binding Table settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

NOTE: Among the entries with a Critical collision level, the entry with the highest Source Priority will take precedence.

NOTE: Among the conflicting entries with the same Source Priority, the last added or edited entry will take effect.

12.1.3 ARP Scanning

ARP (Address Resolution Protocol) is used to analyze and map IP Addresses to their corresponding MAC Addresses so that packets can be delivered to their destinations correctly and efficiently. An IP Address is the Address of a connected device on the Network Layer (Layer 3). A MAC Address is the Address of a connected device on the Data Link Layer (Layer 2) and is necessary for the packet to reach the device. The Destination IP Address carried in a packet needs to be translated into the corresponding device's MAC Address for data to be delivered.

ARP translates the IP Address into the corresponding MAC Address and maintains an ARP Table where the current IP Address-to-MAC Address mapping Entries are stored. When a known device communicates with an unknown device, ARP follows the outline in the figure shown below.

Figure 12-3 ARP Procedure

Suppose there are two devices in the LAN: Host A and Host B. To send a packet to Host B, Host A checks its own ARP Table first to see if the ARP entry related to the IP Address of Host B exists. If it does exist, Host A will send the packets to Host B directly. If the corresponding MAC address is not found in the ARP Table, Host A will broadcast ARP Request Packets, which contain the IP Address of Host B, the IP Address of Host A, and the MAC address of Host A.
Since the ARP Request Packets are broadcast, all devices in the LAN receive them. Only Host B recognizes and responds to the request. Host B sends back an ARP Reply Packet to Host A, with its MAC Address. Upon receipt of the ARP Reply Packet, Host A adds the IP Address and the corresponding MAC Address of Host B to its ARP Table for further packet forwarding.

The ARP Scanning function allows the Switch to send the ARP Request Packets of the specified IP Field to the devices in the LAN or VLAN. Upon receiving the ARP Reply Packet, the Switch can gather the IP Address, MAC Address, VLAN and the connected Port Number of a device by analyzing the packet, and this information can be used to Bind the Entry.

Choose the menu Network Security>>IP-MAC Binding>>ARP IP-MAC Binding to load the following page:

Figure 12-4 ARP Scanning

The following entries are displayed on this screen:

Scanning Config
Start IP Address: Specify the Starting IP Address.
End IP Address: Specify the Ending IP Address.
VLAN ID: Enter the VLAN ID. If left blank, the Switch will send the untagged packets when scanning.
Scan: Click the Scan button to Scan the Hosts in the LAN.

Scanning Result
Select: Select the desired Entry to be Bound or Deleted.
Host Name: Displays the Host Name.
IP Address: Displays the IP Address of the Host.
MAC Address: Displays the MAC Address of the Host.
VLAN ID: Displays the VLAN ID.
Port: Displays the Port Number connected to the Host.
Protect Type: Displays the Protect Type of the Entry.
Collision: Displays the Collision status of the Entry.
Warning: Indicates that a collision may be caused by the MSTP function.
Critical: Indicates that the Entry has caused a collision with other Entries.
CAUTION: ARP IP-MAC Binding settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

NOTE: Among the entries with a Critical collision level, the entry with the highest Source Priority will take precedence.

NOTE: Among the conflicting entries with the same Source Priority, the last added or edited entry will take effect.

12.1.4 IP-MAC DHCP Snooping

Networks are growing larger and more complicated. Wireless Devices and Laptops are more widely used and, with the location of PCs changing, we need better Management options. Managing all of these IP Address needs manually does not make sense. This has given rise to DHCP (Dynamic Host Configuration Protocol). This Network configuration protocol further optimizes and develops the older BOOTP protocol and removes the need to manually assign IP Addresses.

DHCP Working Principle

DHCP works using the “Client/Server” communication model. The Client applies to the Server for configuration information. The Server assigns the configuration information such as the IP Address, Subnet Mask, Gateway, DNS Servers, etc. to the Client. A Server can assign the IP Address for hundreds or even thousands of Clients. This configuration is illustrated in the following figure.

Figure 12-5 Network diagram for DHCP-Snooping implementation

Most DHCP Servers provide two methods for assigning IP Addresses:

Static IP Address: Allows the administrator to bind the static IP Address to a specific Client using the Client Device MAC Address.
Dynamic IP Address: DHCP Server assigns any open DHCP Pool address to a connecting Client Device.
This can cause the IP Address of Devices in the Network to change from time to time.

Most Clients obtain their IP Addresses Dynamically, as illustrated in the following figure.

Figure 12-6 Interaction between a DHCP client and a DHCP Server

DHCP-DISCOVER Stage: The Client broadcasts the DHCP-DISCOVER packet to find the DHCP Server.
DHCP-OFFER Stage: Upon receiving the DHCP-DISCOVER packet, the DHCP Server selects an IP Address from the DHCP Pool and replies to the Client with a DHCP-OFFER packet carrying the IP Address and other information.
DHCP-REQUEST Stage: If multiple DHCP Servers send DHCP-OFFER packets, the Client will only respond to the first OFFER packet received. Once the DHCP-OFFER packet is received, the Client will broadcast the DHCP-REQUEST packet, which includes the assigned IP Address from the DHCP-OFFER packet.
DHCP-ACK Stage: Since the DHCP-REQUEST packet is broadcast, all DHCP Servers on the Network segment will receive it. However, only the requested Server processes the request. If the DHCP Server acknowledges assigning this IP Address to the Client, it will send the DHCP-ACK packet back to the Client. If the DHCP Server does not acknowledge assigning this IP Address, the Server will send the DHCP-NAK packet and refuse to assign this IP Address to the Client.

Option 82

DHCP packets are classified into 8 types with the same format as the older BOOTP packets. The difference between DHCP packets and BOOTP packets is the Option Field. The Option Field of the DHCP packet is used to expand the functions of the packet. For example, the DHCP Server can transmit control information and Network parameters via the Option field.
For more details on the available DHCP Options, please refer to IEEE RFC 2132.

Option 82 records the location of the DHCP Client. Upon receiving the DHCP-REQUEST packet, the Switch adds Option 82 to the packet and then transmits the packet to the DHCP Server. Administrators can then see the location of the DHCP Client via Option 82. DHCP Servers supporting Option 82 can also set the distribution policy of IP Addresses and the other parameters according to the Option 82 setting, providing more flexible IP Address distribution.

Option 82 can contain up to 255 sub-options. If Option 82 is defined, a sub-option should be defined in the packet as well. The Switch supports two of the available sub-options: Circuit ID and Remote ID. Since there is no standard for the content of Option 82, different manufacturers define the sub-options of Option 82 to fit their needs. On the Switch, the sub-options are defined as follows:

The Circuit ID is defined as the Port Number that receives the DHCP Request packets and its VLAN ID.
The Remote ID is defined as the MAC Address of the DHCP Snooping device which receives the DHCP Request packets from the DHCP Clients.

DHCP Cheat Attack

During the process of a DHCP Request there is no Authentication mechanism between Server and Client. If there are multiple DHCP Servers in the Network, conflicting IP Addresses and Security breaches can occur. Common causes of Rogue DHCP Servers are:

The Rogue DHCP Server is manually configured by a Network user by mistake (i.e. adding a wireless router to a Network for more wireless coverage, turning the DHCP option on in a Server in the Network, etc.).
A hacker-compromised machine pretends to be a valid DHCP Server to assign IP Addresses and other parameters to Clients.
Hackers use the Rogue DHCP Server to assign a modified DNS Server Address to redirect users to compromised or outright fraudulent Web Sites.

The following figure illustrates a DHCP Cheat Attack.

Figure 12-7 DHCP Cheat Attack

The DHCP Snooping feature allows you to set the Port connected to the DHCP Server as the only trusted Port to forward DHCP Response packets, ensuring that users get IP Addresses from the Approved DHCP Server. DHCP Snooping is used to monitor the process of the Host obtaining the IP Address from a DHCP Server. It records the IP Address, MAC address, VLAN and Port Number of the client device for Automatic Binding. The Bound entry cooperates with ARP Inspection and the other Security Protection features. The DHCP Snooping feature protects the Network from DHCP Server Cheat Attacks by discarding the DHCP packets from any untrusted Port(s).

Choose the menu Network Security>>IP-MAC Binding>>IP-MAC DHCP Snooping to load the following page.

Figure 12-8 IP-MAC DHCP Snooping

The following entries are displayed on this screen:

DHCP Snooping Config
DHCP Snooping: Enable/Disable the DHCP Snooping function.
Global Flow Control: Select the value to specify the maximum number of DHCP messages that can be forwarded by the Switch per second. Any messages in excess of this number will be discarded.
Decline Threshold: Select the value to specify the minimum number of Declined packets to trigger the Decline protection for the specified Port.
Decline Flow Control: Select the value to specify the Decline Flow Control rate. The traffic flow of the corresponding Port will be limited to this value if the transmission rate of Declined packets exceeds the Decline Threshold.
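The snooping decisions described in this section (server replies accepted only on the Trusted Port, the MAC Verify comparison, Option 82 insertion, and learning the IP/MAC/VLAN/Port binding from the DHCP-ACK) can be modelled in a few lines. This is an added example, not Luxul firmware code. It assumes MAC Verify compares the frame's source MAC with the DHCP chaddr field, and it assumes a Circuit ID layout of 2-byte VLAN ID plus 1-byte Port Number; the guide does not give the byte layout. Sub-option codes 1 and 2 are the standard Circuit ID and Remote ID codes.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"              # DHCP magic cookie
OFFER, REQUEST, ACK, NAK = 2, 3, 5, 6     # option 53 message types
SERVER_TYPES = {OFFER, ACK, NAK}


def build_dhcp(op, chaddr, yiaddr, msg_type, extra=b""):
    """Constructed sample message: 236-byte BOOTP header, cookie, options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                         bytes(4), yiaddr, bytes(4), bytes(4), chaddr, b"", b"")
    return header + MAGIC + bytes([53, 1, msg_type]) + extra + b"\xff"


def parse_dhcp(payload):
    """Return (chaddr, yiaddr, options dict, offset of the End option)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:
        if payload[i] == 0:                      # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return payload[28:34], payload[16:20], opts, i


def option82(vlan, port, switch_mac):
    """Option 82 with Circuit ID (assumed layout: VLAN, port) and Remote ID."""
    circuit = struct.pack("!HB", vlan, port)
    subs = (bytes([1, len(circuit)]) + circuit
            + bytes([2, len(switch_mac)]) + switch_mac)
    return bytes([82, len(subs)]) + subs


def sub_options(value):
    """Split an Option 82 value into {sub-option code: bytes}."""
    subs, i = {}, 0
    while i + 2 <= len(value):
        subs[value[i]] = value[i + 2:i + 2 + value[i + 1]]
        i += 2 + value[i + 1]
    return subs


class Snooper:
    def __init__(self, trusted_ports, switch_mac):
        self.trusted, self.switch_mac = set(trusted_ports), switch_mac
        self.pending = {}     # chaddr -> (vlan, port) of the last REQUEST
        self.bindings = {}    # ip -> (mac, vlan, port), learned from ACKs

    def handle(self, port, vlan, src_mac, payload):
        """Return (verdict, payload to forward or None)."""
        chaddr, yiaddr, opts, end = parse_dhcp(payload)
        mtype = (opts.get(53) or b"\0")[0]
        if mtype in SERVER_TYPES:
            if port not in self.trusted:
                return "drop: server reply on untrusted port", None
            if mtype == ACK and chaddr in self.pending:
                self.bindings[yiaddr] = (chaddr,) + self.pending.pop(chaddr)
            return "forward", payload
        if port not in self.trusted and src_mac != chaddr:
            return "drop: MAC Verify mismatch", None
        if mtype == REQUEST:
            self.pending[chaddr] = (vlan, port)
            if 82 not in opts:                   # insert ahead of the End option
                payload = (payload[:end]
                           + option82(vlan, port, self.switch_mac) + b"\xff")
        return "forward", payload


if __name__ == "__main__":
    host = bytes.fromhex("000000111111")         # constructed sample values
    sw = Snooper({24}, bytes.fromhex("00aabbccddee"))
    print(sw.handle(5, 10, host, build_dhcp(1, host, bytes(4), REQUEST))[0])
    print(sw.handle(7, 10, host, build_dhcp(2, host, bytes([10, 0, 0, 66]), OFFER))[0])
    print(sw.handle(24, 10, host, build_dhcp(2, host, bytes([192, 168, 0, 101]), ACK))[0])
    print(sw.bindings)
```

A request that already carries Option 82 is forwarded unchanged here, which corresponds to the Keep operation; the Replace and Drop operations are not modelled.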
Option 82 Config
Option 82 Support: Enable/Disable the Option 82 feature.
Existed Option 82 field: Select the operation for the Option 82 Field of the DHCP request packets from the Host.
  Keep: Keeps the Option 82 Field settings of the packets.
  Replace: Replaces the Option 82 Field of the packets with the Switch defined settings.
  Drop: Discards packets that include the Option 82 Field.
Customization: Allows the Switch to define the Option 82 Field.
Circuit ID: Enter the customized Sub-Option Circuit ID used by Replace Option 82.
Remote ID: Enter the customized Sub-Option Remote ID used by Replace Option 82.

Port Config
Port Select: Click the Select button to quick-select the corresponding Port.
Select: Select the desired Port(s) for configuration.
Port: Displays the Port Number.
Trusted Port: Enable/Disable the Port as a Trusted Port. Only the Trusted Port can receive DHCP packets from DHCP Servers.
MAC Verify: Enable/Disable the MAC Verify feature. There are two fields of the DHCP packet that contain the MAC address of the Host. The MAC Verify feature compares the two fields and discards the packet if they do not match.
Flow Control: Enable/Disable the Flow Control feature for DHCP packets. Excess DHCP packets will be discarded.
Decline Protect: Enable/Disable the Decline Protect feature.
LAG: Displays the LAG Group to which the Port belongs.

CAUTION: IP-MAC DHCP Snooping settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

NOTE: If you want to enable the DHCP Snooping feature for a member Port of a LAG Group, please ensure the parameters of all Member Ports are the same.

12.2 ARP Inspection

According to the ARP Implementation Procedure stated in 12.1.3
ARP Scanning, the ARP protocol allows Hosts in the Network to communicate with one another or access external Networks via the Gateway. However, because the ARP protocol is implemented under the premise that all Hosts and Gateways are trusted, there are security risks inherent in ARP Implementation. Cheat attacks against ARP, such as Imitating Gateway, Cheating Gateway, Cheating Terminal Hosts and ARP Flooding, can occur on the Network, particularly in larger Networks such as campus Networks, large corporations, public Networks, etc.

Imitating Gateway

An attacker sends the MAC Address of a forged Gateway to a Host. The Host automatically updates its ARP table after receiving the ARP response packets, which causes that Host to use the counterfeit Gateway.

The ARP Attack Imitating Gateway is illustrated in the following figure:

Figure 12-9 ARP Attack - Imitating Gateway

As the above figure shows, when the Host tries to communicate with the Gateway, the Host will encapsulate the false destination MAC Address, which results in a breakdown of normal communication.

Cheating Gateway

The attacker sends the wrong IP Address-to-MAC Address Mapping entries of Hosts to the Gateway, which causes the Gateway to lose communication with the Hosts.

The ARP Attack Cheating Gateway is illustrated in the following figure:

Figure 12-10 ARP Attack – Cheating Gateway

As the above figure shows, when the Gateway tries to communicate with Host A in the LAN, it will encapsulate the false destination MAC Address, which results in a breakdown of normal communication.

Cheating Terminal Hosts

The attacker sends the false IP Address-to-MAC Address mapping entries of a Terminal Host/Server to another terminal Host, which causes the two terminal Hosts in the same Network segment to lose communication with each other.
The ARP Attack Cheating Terminal Hosts is illustrated in the following figure:

Figure 12-11 ARP Attack – Cheating Terminal Hosts

As the above figure shows, when Host B tries to communicate with Host A, it will encapsulate the false destination MAC Address, which results in a breakdown of normal communication.

Man-In-The-Middle Attack

The attacker continuously sends counterfeit ARP packets to Hosts in the LAN to get the Hosts to maintain a counterfeit ARP Table. When the Hosts in the LAN communicate with one another, they will send the packets to the attacker’s designated ARP table entry. The attacker can process the packets before forwarding them. The communication packets between the two Hosts are stolen and the Hosts are unaware of the attack. This is called a Man-In-The-Middle Attack.

The Man-In-The-Middle Attack is illustrated in the following figure:

Figure 12-12 Man-In-The-Middle Attack

Suppose there are three Hosts in the LAN connected with one another through a Switch.

Host A: IP Address is 192.168.0.101; MAC address is 00-00-00-11-11-11.
Host B: IP Address is 192.168.0.102; MAC address is 00-00-00-22-22-22.
Attacker: IP Address is 192.168.0.103; MAC address is 00-00-00-33-33-33.

The attacker sends the counterfeit ARP Response packets. Upon receiving the ARP Response packets, Host A and Host B update their ARP Tables. When Host A communicates with Host B, it will send the packets to the counterfeit destination MAC Address (i.e. to the attacker) using the updated ARP Table.
After receiving the communication packets between Host A and Host B, the attacker processes and forwards the packets to the correct destination MAC Address, which makes Host A and Host B maintain an uninterrupted, normal-appearing connection. The attacker continuously sends counterfeit ARP packets to Host A and Host B to get the Hosts to maintain the counterfeit ARP Table. Host A and Host B think their packets are sent directly to each other, but in fact there is a Man-In-The-Middle stealing the packet information during communication.

ARP Flood Attack

In an ARP Flood attack, the attacker broadcasts a mass of various fake ARP packets in a Network to occupy the maximum amount of Network bandwidth possible. This can result in a dramatic slowdown of Network speed. In the meantime, the Gateway learns the false IP Address-to-MAC Address mapping entries from these ARP packets and updates its ARP table. As a result, the ARP table is filled with false entries and is unable to learn the ARP entries of valid Hosts. This causes the valid Hosts to lose access to all internal and external Networks.

The IP-MAC Binding function allows the Switch to bind the IP Address, MAC address, VLAN ID and Port Number of the Host together when the Host connects to the Switch. Based on the predefined IP-MAC Binding entries, the ARP Inspection function can be used to detect ARP packets and filter counterfeit ARP packets to prevent ARP attacks.

The ARP Inspection function is implemented on the ARP Detection, ARP Defense and ARP Statistics pages.

12.2.1 ARP Detection

Allows the Switch to detect ARP packets based on the Bound Entries in the IP-MAC Binding Table and filter counterfeit ARP packets to prevent ARP attacks.
Choose the menu Network Security>>ARP Inspection>>ARP Detection to load the following page:

Figure 12-13 ARP Detection

The following entries are displayed on this screen:

ARP Detection
ARP Detection: Enable/Disable the ARP Detection function.

Trusted Port
Trusted Port: Select the Port(s) for which the ARP Detection function is unnecessary. Ports such as Uplink Ports, Router Ports and LAG Ports should be set as Trusted Ports. To ensure normal communication with the Switch, please configure the ARP Trusted Ports before Enabling the ARP Detection function.

CAUTION: ARP Detection settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

NOTE: ARP Detection and ARP Defense cannot be Enabled at the same time.

Configuration Procedure:

Step 1
Operation: Bind the IP Address, MAC address, VLAN ID and Port Number of the Host together.
Description: On the IP-MAC Binding page bind the IP Address, MAC address, VLAN ID and Port Number of the Host together via Manual Binding, ARP Scanning or DHCP Snooping.

Step 2
Operation: Enable Protection for the bound entry.
Description: On the Network Security>>IP-MAC Binding>>IP-MAC Binding Table page specify a Protect Type for the corresponding bound entry.

Step 3
Operation: Specify the trusted Port(s).
Description: On the Network Security>>ARP Inspection>>ARP Detection page specify the trusted Port(s). Ports such as Uplink Ports, Router Ports and LAG Ports should be set as Trusted Ports.

Step 4
Operation: Enable ARP Detection feature.
Description: On the Network Security>>ARP Inspection>>ARP Detection page Enable the ARP Detection feature.
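The check that this procedure enables can be shown with the three Hosts from the Man-In-The-Middle example: each ARP packet's sender IP and MAC are compared with the bound entry for the VLAN and Port it arrived on, Trusted Ports are skipped, and drops are counted per Port as on the ARP Statistics page. This is an added example, not Luxul firmware code. The Port numbers, the VLAN ID and the choice to drop packets whose sender IP has no binding are assumptions, and the sample packets are constructed.

```python
import struct
from collections import Counter

ARP_FORMAT = "!HHBBH6s4s6s4s"     # Ethernet/IPv4 ARP payload, 28 bytes


def mac(text):
    """'00-00-00-11-11-11' -> 6 raw bytes."""
    return bytes.fromhex(text.replace("-", ""))


def ip(text):
    """'192.168.0.101' -> 4 raw bytes."""
    return bytes(int(part) for part in text.split("."))


def build_arp(oper, sha, spa, tha, tpa):
    """Constructed sample ARP payload (oper 1 = request, 2 = reply)."""
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)


def parse_arp(payload):
    """Return (operation, sender MAC, sender IP) or raise ValueError."""
    if len(payload) < 28:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FORMAT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        raise ValueError("not an Ethernet/IPv4 ARP request or reply")
    return oper, sha, spa


class ArpDetector:
    def __init__(self, bindings, trusted_ports):
        self.bindings = bindings            # ip -> (mac, vlan, port)
        self.trusted = set(trusted_ports)   # uplink, router and LAG ports
        self.illegal = Counter()            # per-port count of dropped packets

    def _drop(self, port, reason):
        self.illegal[port] += 1
        return "drop: " + reason

    def inspect(self, port, vlan, payload):
        if port in self.trusted:
            return "forward (trusted port)"
        try:
            _oper, sha, spa = parse_arp(payload)
        except ValueError as exc:
            return self._drop(port, str(exc))
        entry = self.bindings.get(spa)
        if entry is None:                   # assumption: unbound senders are dropped
            return self._drop(port, "no binding for sender IP")
        if entry != (sha, vlan, port):
            return self._drop(port, "sender does not match bound entry")
        return "forward"


if __name__ == "__main__":
    host_a, host_b = mac("00-00-00-11-11-11"), mac("00-00-00-22-22-22")
    attacker = mac("00-00-00-33-33-33")
    table = {ip("192.168.0.101"): (host_a, 1, 1),      # assumed VLAN 1, ports 1-3
             ip("192.168.0.102"): (host_b, 1, 2),
             ip("192.168.0.103"): (attacker, 1, 3)}
    detector = ArpDetector(table, trusted_ports={24})
    genuine = build_arp(2, host_b, ip("192.168.0.102"), host_a, ip("192.168.0.101"))
    forged = build_arp(2, attacker, ip("192.168.0.102"), host_a, ip("192.168.0.101"))
    print(detector.inspect(2, 1, genuine))   # Host B answering from its own port
    print(detector.inspect(3, 1, forged))    # attacker claiming Host B's IP
    print(dict(detector.illegal))
```

The last assertion-worthy case is the Trusted Port: a forged packet arriving there is forwarded unchecked, which is why only Uplink, Router and LAG Ports should be trusted.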
12.2.2 ARP Defense

When Enabled, the Switch can terminate receipt of ARP packets for up to 300 seconds when the transmission speed of valid ARP packets on the Port exceeds the defined parameters, thus avoiding an ARP Flood attack.

Choose the menu Network Security>>ARP Inspection>>ARP Defense to load the following page:

Figure 12-14 ARP Defense

The following entries are displayed on this screen:

ARP Defense
Port Select: Click the Select button to quick-select the corresponding Port.
Select: Select the desired Port(s) for configuration.
Port: Displays the Port number.
Defend: Enable/Disable the ARP Defense feature for the Port.
Speed: Enter a value to specify the maximum amount of received ARP packets per second.
Current Speed: Displays the current speed of received ARP packets.
Status: Displays the status of ARP Defense on the port.
LAG: Displays the LAG Group the Port belongs to.
Operation: Click the Recover button to restore the Port to the Normal status. ARP Defense for this Port will be reset.

CAUTION: ARP Defense settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

NOTE: It’s not recommended to enable ARP Defense for LAG Group members.

12.2.3 ARP Statistics

Displays the number of counterfeit ARP packets received on each Port. This helps you to locate the offending device or party and allows you to take the necessary precautions.

Choose the menu Network Security>>ARP Inspection>>ARP Statistics to load the following page:

Figure 12-15 ARP Statistics

The following entries are displayed on this screen:

Auto Refresh
Auto Refresh: Enable/Disable the Auto Refresh feature.
Refresh Interval: Specify the refresh interval to display the ARP Statistics.

Illegal ARP Packet
Port: Displays the Port number.
Trusted Port: Displays whether the Port is a Trusted ARP Port or not.
Illegal ARP Packet: Displays the number of the received counterfeit ARP packets.

CAUTION: ARP Statistics settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

12.3 DoS Defense

DoS (Denial of Service) Attacks attempt to occupy the Network bandwidth by sending massive amounts of service requests to a Host(s). This can cause poor service quality or even a breakdown of Network communication.

With the DoS Defense function enabled, the Switch can analyze the Fields of IP packets and distinguish malicious DoS attack packets from permitted traffic. Upon detection of a DoS packet, the Switch will discard the malicious packets and limit the transmission rate of valid packets if the valid packets may cause a breakdown of Network communication. The Switch can defend against the following types of DoS attack:

DoS Attack Type: Description

Land Attack: The attacker sends a specific fake SYN packet to a destination Host in order to cause a data loop on the Host. Since both the Source IP Address and the Destination IP Address of the SYN packet are set to the IP Address of the Host, the Host will be trapped in an endless loop. This prevents the affected host from passing data normally.

Scan SYNFIN: The attacker sends a packet with its SYN Field and the FIN Field set to 1. The SYN field is used to request the initial connection, whereas the FIN field is used to request termination. A packet of this type is malicious. This prevents the Host from establishing new connections and terminating unused connections.
Xmascan: The attacker sends a malicious packet with its TCP index, FIN, URG and PSH field set to 1. This packet takes priority over other packets in the Host’s processing queue, causing connection latency.

NULL Scan Attack: The attacker sends a malicious packet with its TCP index and all Control Fields set to 0. Packets with all control Fields set to 0 are considered to be malicious packets. These packets overwhelm a Host and cause latency issues as the Host attempts to drop these packets.

SYN packet with its source Port less than 1024: The attacker sends a malicious packet with its TCP SYN field set to 1 and source Port to a value less than 1024. As most well-known ports reside below 1024, this malicious packet attempts to block valid connection streams.

Blat Attack: The attacker sends a malicious packet with its source Port and destination Port set to the same Port and its URG field set to 1. Similar to the Land Attack, the Host will be trapped in an endless loop. This prevents the affected host from passing data normally.

Ping Flooding: The attacker floods the destination Network with a Ping broadcast storm, causing Network latency and connection issues.

SYN/SYN-ACK Flooding: The attacker uses a counterfeit IP Address to send TCP request packets to a Server. Upon receipt of the request packets, the Server responds with SYN-ACK packets. Since the IP Address is fake, no response is returned. The Server keeps sending SYN-ACK packets attempting to reach the counterfeit Host. This attack causes latency on the Network and can block access to Server resources.

Table 12-1 Defendable DoS Attack Types

On this page, you can Enable the DoS Defense types appropriate for your Network.
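The per-packet rows of Table 12-1 translate directly into header-field tests, which is useful when reviewing a capture to see which Defense Type a dropped packet would have matched. This is an added example, not Luxul firmware code. It keys on IP addresses, TCP ports and TCP flags only and ignores the "TCP index" field, which the guide does not define. Ping Flooding and SYN/SYN-ACK Flooding are rate-based and are not covered. The sample packets are constructed.

```python
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_packet(src, dst, sport, dport, flags, seq=1):
    """Constructed IPv4+TCP header pair (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))
    return ipv4 + tcp


def classify(packet):
    """Return the Table 12-1 attack types that a raw IPv4 packet matches."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20:
        raise ValueError("bad IPv4 header length")
    fragment_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if packet[9] != 6 or fragment_offset != 0:
        return []                       # not TCP, or no TCP header in this fragment
    if len(packet) < ihl + 20:
        raise ValueError("truncated TCP header")
    src, dst = packet[12:16], packet[16:20]
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13] & 0x3F     # FIN, SYN, RST, PSH, ACK, URG bits

    hits = []
    if flags & SYN and src == dst:
        hits.append("Land Attack")
    if flags & SYN and flags & FIN:
        hits.append("Scan SYNFIN")
    if (flags & (FIN | URG | PSH)) == (FIN | URG | PSH):
        hits.append("Xmascan")
    if flags == 0:
        hits.append("NULL Scan Attack")
    if flags & SYN and sport < 1024:
        hits.append("SYN packet with its source Port less than 1024")
    if flags & URG and sport == dport:
        hits.append("Blat Attack")
    return hits


if __name__ == "__main__":
    samples = {
        "normal SYN": build_packet("192.168.0.101", "192.168.0.1", 40000, 80, SYN),
        "land": build_packet("192.168.0.1", "192.168.0.1", 40000, 80, SYN),
        "syn+fin": build_packet("192.168.0.101", "192.168.0.1", 40000, 80, SYN | FIN),
        "xmas": build_packet("192.168.0.101", "192.168.0.1", 40000, 80, FIN | URG | PSH),
        "null": build_packet("192.168.0.101", "192.168.0.1", 40000, 80, 0),
        "low port": build_packet("192.168.0.101", "192.168.0.1", 80, 8080, SYN),
        "blat": build_packet("192.168.0.101", "192.168.0.1", 5000, 5000, URG),
    }
    for name, pkt in samples.items():
        print(name, classify(pkt))
```

Before enabling the "SYN packet with its source Port less than 1024" type, check whether any legitimate clients on the Network open connections from privileged source ports, since those connections match the same rule.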
Choose the menu Network Security>>DoS Defense>>DoS Defense to load the following page:

Figure 12-16 DoS Defense

The following entries are displayed on this screen:

DoS Defense: Enable/Disable the DoS Defense function.

Defend Options
Select: Select the Entry to Enable the corresponding Defense Type.
Defense Type: Displays the Defense Type.

We suggest taking the following steps to ensure Network security.

NOTE: Inspect and Repair system vulnerabilities regularly. We recommend installing the latest system Firmware on all Network devices and backing up all important data.

NOTE: The Network Administrator should inspect the data environment and block any unnecessary Network services.

NOTE: Enhance Network security using protection devices, such as a Hardware based Firewall.

CAUTION: DoS Defense settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

12.4 802.1X/RADIUS

The 802.1X/RADIUS protocol was developed by the IEEE 802 LAN/WAN committee to deal with wireless LAN security issues. It was also used in Hardwired connections as a common access control mechanism for LAN Ports to solve the lack of Authentication on Hardwired connections.

802.1X/RADIUS is a Port-Based Network Access Control protocol. It authenticates and controls devices requesting access by controlling the device's access to the LAN Port to which it is connected. With the 802.1X/RADIUS protocol enabled, a Supplicant can access the LAN only when it passes Authentication. Those failing to pass Authentication are denied access.

Architecture of 802.1X/RADIUS Authentication
802.1X/RADIUS uses a Client/Server architecture with three entities: a Supplicant, an Authenticator and an Authentication Server, as shown in the following figure:

Figure 12-17 Architecture of 802.1X/RADIUS Authentication

Supplicant: The Supplicant is an entity in the LAN and is Authenticated by the Authenticator. The Supplicant is usually a common terminal or computer. 802.1X/RADIUS Authentication is initiated when a user launches a RADIUS Client program on the Supplicant. Note that the Client program must support the 802.1X/RADIUS Authentication protocol.

Authenticator: The Authenticator is usually an 802.1X/RADIUS supported Network device such as this Luxul Switch. It provides the physical Port the Supplicant uses to access the LAN and authenticates the Supplicant.

Authentication Server: The Authentication Server is an entity that provides Authentication service to the Authenticator, normally in the form of a RADIUS Server. The Authentication Server stores user information and performs Authentication and Authorization. To ensure a stable Authentication system, an Alternate Authentication Server can be specified. If the main Authentication Server is busy or unavailable, the Alternate Authentication Server can provide normal Authentication services.

The Mechanism of 802.1X/RADIUS Authentication

An IEEE 802.1X/RADIUS Authentication System uses EAP (Extensible Authentication Protocol) to exchange information between the Supplicant and the Authentication Server.

EAP protocol packets are transmitted between the Supplicant and the Authenticator. They are encapsulated as EAPOL packets.
EAP protocol packets transmitted between the Authenticator and the RADIUS Server can either be encapsulated as EAPOR (EAP over RADIUS) packets, or the Supplicant transmission is terminated at the Authenticator, which then communicates with RADIUS Servers through PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol) protocol packets.

When a Supplicant passes Authentication, the Authentication Server passes the information about the Supplicant to the Authenticator. The Authenticator in turn determines the state (Authorized or Unauthorized) of the controlled Port according to the instructions (Accept or Reject) received from the RADIUS Server.

802.1X/RADIUS Authentication Procedure

802.1X/RADIUS Authentication can be initiated by the Supplicant or the Authenticator. When the Authenticator detects an Unauthenticated Supplicant, it will initiate the 802.1X/RADIUS Authentication by sending EAP-Request/Identity packets to the Supplicant. The Supplicant can also launch an 802.1X/RADIUS Client program to initiate an 802.1X/RADIUS Authentication process by sending an EAPOL-Start packet to the Switch. This LUXUL Switch can authenticate Supplicants in EAP relay mode or EAP termination mode. The illustrations of these two modes below outline this process.

EAP Relay Mode

This mode is defined in 802.1X. In this mode EAP packets are encapsulated in a higher level protocol (such as EAPOR) to allow them to successfully reach the Authentication Server. This mode normally requires a RADIUS Server that supports the two fields of EAP: the EAP-Message Field and the Message-Authenticator Field. This Switch supports EAP-MD5 Authentication when using EAP relay mode. The following figure depicts the basic EAP-MD5 Authentication procedure.
Figure 12-18 EAP-MD5 Authentication Procedure

A Supplicant launches an 802.1X/RADIUS Client program using its registered User Name and Password to initiate an Access Request by sending an EAPOL-Start packet to the Switch. The 802.1X Client program then forwards the packet to the Switch to start the Authentication process.

Upon receiving the Authentication Request packet, the Switch sends an EAP-Request/Identity packet to ask the 802.1X/RADIUS Client program for the User Name.

The 802.1X/RADIUS Client program responds by sending an EAP-Response/Identity packet to the Switch with the User Name included. The Switch then encapsulates the packet in a RADIUS Access-Request packet and forwards it to the RADIUS Server.

Upon receipt of the User Name from the Switch, the RADIUS Server retrieves the User Name, finds the corresponding Password by matching the User Name in its Database, encrypts the Password using a randomly-generated key and sends the key to the Switch using a RADIUS Access-Challenge packet. The Switch then sends the key to the 802.1X/RADIUS Client program.

Upon receipt of the key (encapsulated in an EAP-Request/MD5 Challenge packet) from the Switch, the client program encrypts the Password of the Supplicant with the key and sends the encrypted Password (contained in an EAP-Response/MD5 Challenge packet) to the RADIUS Server through the Switch.

The RADIUS Server compares the received encrypted Password (contained in a RADIUS Access-Request packet) with the locally-encrypted Password. If the two match, it will then send feedback (through a RADIUS Access-Accept packet and an EAP-Success packet) to the Switch to indicate that the Supplicant is Authorized.
The Switch changes the state of the corresponding Port to Accepted, which allows the Supplicant to access the Network. The Switch will then monitor the status of the Supplicant by sending Hand-Shake packets periodically. By default, the Switch will force the Supplicant to log off if it does not receive a response from the Supplicant after two attempts.

The Supplicant can also terminate the Authenticated state by sending EAPOL-Logoff packets to the Switch. The Switch then changes the Port state from Accepted to Rejected.

EAP Terminating Mode

In this mode packet transmission from the Supplicant is terminated at the Authenticator and the EAP packets are converted into RADIUS packets. Authentication and Accounting are accomplished through the RADIUS protocol.

In this mode, PAP or CHAP is employed between the Switch and the RADIUS Server. This Switch supports the PAP termination mode. The Authentication procedure of PAP is illustrated in the following figure:

Figure 12-19 PAP Authentication Procedure

In PAP mode, the Switch (instead of the Server) encrypts the Password and sends the User Name using the Randomly-Generated key, and the Supplicant-Encrypted Password to the RADIUS Server for further Authentication.

802.1X/RADIUS Timer

In 802.1X Authentication, the following timers are used to ensure that the Supplicant, the Switch, and the RADIUS Server interact correctly:

Supplicant Timeout: This timer is triggered by the Switch after the Switch sends a Request packet to a Supplicant. The Switch will resend the Request packet to the Supplicant if the Supplicant fails to respond within the specified timeout period.

Server Timeout: This timer is triggered by the Switch after the Switch sends an Authentication Request packet to the RADIUS Server.
The Switch will resend the Authentication Request packet if the RADIUS Server fails to respond within the specified timeout period.

Quiet Period: This timer sets the Quiet-Period. When a Supplicant fails to forward an Authentication response, the Switch will ignore Authentication packets from the Supplicant for the specified period, before it processes another Authentication Request from the Supplicant.

Guest VLAN

The Guest VLAN function enables Supplicants that do not pass Authentication to access specified Network resources.

By default, all of the Ports connected to the Supplicants belong to a VLAN (i.e. Guest VLAN). Users belonging to the Guest VLAN can access the resources of the Guest VLAN without being Authenticated, but they need to be Authenticated before accessing security sensitive resources. After passing the Authentication, the Ports will be removed from the Guest VLAN and be allowed to access the security sensitive resources.

With the Guest VLAN function enabled, users can access the Guest VLAN to install the 802.1X/RADIUS Client program or Upgrade the 802.1X/RADIUS Client without being Authenticated. With the 802.1X/RADIUS function enabled and Guest VLAN configured, after the maximum number of Retries have been made sending the EAP-Request/Identity packets, if there are still Ports that have not sent any response back, the Switch will add these Ports into the Guest VLAN. Only when the corresponding Supplicant passes the 802.1X/RADIUS Authentication will the Port be removed from the Guest VLAN and added to the specified VLAN. The Port will be put back in the Guest VLAN when its Supplicant logs off.

The 802.1X/RADIUS function is implemented on the 802.1X Config, 802.1X Port Config and Radius Server Config pages.
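The EAP-MD5 exchange in the EAP Relay Mode procedure earlier in this section can be reproduced byte for byte. What that procedure calls the key is a random challenge, and the encrypted Password is an MD5 digest over the EAP Identifier, the Password and the challenge, as specified for the MD5-Challenge type in RFC 3748 and RFC 1994. This is an added example, not Luxul or RADIUS server code. The user name, password and fixed challenge are constructed sample values, and the EAPOL and RADIUS encapsulation is omitted.

```python
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_MD5_CHALLENGE = 4


def eap_md5_packet(code, identifier, value, name=b""):
    """Build an EAP MD5-Challenge packet: header, type, value size, value, name."""
    body = bytes([TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap_md5(packet):
    """Return (code, identifier, value, name) or raise ValueError."""
    if len(packet) < 6:
        raise ValueError("short EAP packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 6 or length > len(packet) or packet[4] != TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP MD5-Challenge packet")
    size = packet[5]
    if 6 + size > length:
        raise ValueError("value size exceeds packet length")
    return code, identifier, packet[6:6 + size], packet[6 + size:length]


def md5_response(identifier, password, challenge):
    """Digest sent in place of the Password: MD5(identifier | password | challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def supplicant_reply(request, password, user_name):
    """Client side: answer an EAP-Request/MD5 Challenge."""
    code, identifier, challenge, _ = parse_eap_md5(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    return eap_md5_packet(EAP_RESPONSE, identifier,
                          md5_response(identifier, password, challenge), user_name)


def server_verify(request, response, stored_password):
    """Server side: recompute the digest locally and compare in constant time."""
    _, request_id, challenge, _ = parse_eap_md5(request)
    code, response_id, value, _ = parse_eap_md5(response)
    if code != EAP_RESPONSE or response_id != request_id:
        return False
    expected = md5_response(request_id, stored_password, challenge)
    return hmac.compare_digest(value, expected)


if __name__ == "__main__":
    challenge = bytes(range(16))       # constructed; a real server uses random bytes
    request = eap_md5_packet(EAP_REQUEST, 7, challenge)
    response = supplicant_reply(request, b"example-password", b"alice")
    print(response.hex())
    print(server_verify(request, response, b"example-password"))   # matching password
    print(server_verify(request, response, b"other-password"))     # wrong password
```

The Password itself never appears in either packet, and a response is only valid for the Identifier and challenge it was computed against.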

12.4.1 802.1X Config

On this page you can enable the 802.1X/RADIUS Authentication function globally and control the Authentication process by specifying the Authentication Method, Guest VLAN and various Timers.

Choose the menu Network Security>>802.1X/RADIUS>>802.1X Config to load the following page:

Figure 12-20 802.1X Config

The following entries are displayed on this screen:

802.1X Config
802.1X: Enable/Disable the 802.1X function.
Authentication Method: Select the Authentication Method from the pull-down list.
  EAP-MD5: The IEEE 802.1X/RADIUS Authentication system uses the Extensible Authentication Protocol (EAP) to exchange information between the Switch and the client. The EAP protocol packets with Authentication Data can be encapsulated in advanced protocol packets to be transmitted to the Authentication Server.
  PAP: The IEEE 802.1X/RADIUS Authentication system uses the Extensible Authentication Protocol (EAP) to exchange information between the Switch and the client. The transmission of EAP packets is terminated at the Switch and the EAP packets are converted to another protocol for transmission.
Guest VLAN: Enable/Disable the Guest VLAN feature.
Guest VLAN ID: Enter your desired VLAN ID to enable the Guest VLAN feature. The Supplicants in the Guest VLAN can access only the specified Network resources.

Authentication Config
Quiet: Enable/Disable the Quiet timer.
Quiet Period: Specify a value for the Quiet Period. When the Supplicant fails 802.1X/RADIUS Authentication, the Switch will stop responding to Authentication Requests from the same Supplicant during the Quiet Period.
Retry Times: Specify the maximum number of times to allow Authentication Request retries.
Supplicant Timeout: Specify the maximum time for the Switch to wait for a response from the Supplicant before resending a request to the Supplicant.
Server Timeout: Specify the maximum time for the Switch to wait for a response from the Authentication Server before resending a request to the Authentication Server.

CAUTION: 802.1X Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

12.4.2 802.1X Port Config

On this page you can configure the 802.1X/RADIUS features for the Ports.

Choose the menu Network Security>>802.1X/RADIUS>>802.1X Port Config to load the following page:

Figure 12-21 802.1X Port Config

The following entries are displayed on this screen:

802.1X Port Config
Port Select: Click the Select button to quick-select the corresponding Port.
Select: Select the desired Port(s) for configuration.
Port: Displays the Port number.
Status: Enable/Disable the 802.1X/RADIUS Authentication feature for the Port.
Guest VLAN: Enable/Disable the Guest VLAN feature for the Port.
Control Mode: Specify the Control Mode for the Port.
  Auto: In this mode the Port will work normally only after passing 802.1X/RADIUS Authentication.
  Force-Authorized: In this mode the Port will work normally without passing 802.1X/RADIUS Authentication.
  Force-Unauthorized: In this mode the Port will not work at all as it is forced into unauthorized status.
Control Type: Specify the Control Type for the Port.
  MAC Based: Any client connected to the Port must pass 802.1X/RADIUS Authentication for access.
  Port Based: All the clients connected to the Port can access the Network once any one of the connected clients has passed 802.1X/RADIUS Authentication.
Authorized: Displays the Authentication status of the Port.
LAG: Displays the LAG Group number the Port belongs to.

CAUTION: 802.1X Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

12.4.3 Radius Server

The RADIUS (Remote Authentication Dial-In User Service) Server provides Authentication service for the Switch using stored client information usually consisting of a User Name and Password. The RADIUS Server controls the Authentication and Accounting status of the client. On this page you can configure the parameters of the Authentication Server.

Choose the menu Network Security>>802.1X/RADIUS>>Radius Server Config to load the following page:

Figure 12-22 Radius Server

The following entries are displayed on this screen:

RADIUS Server Config
Primary IP: Enter the IP Address of the Primary Authentication Server.
Secondary IP: Enter the IP Address of the Secondary Authentication Server.
Authentication Port: Set the UDP Port for the Authentication Server(s). The default Port is 1812.
Authentication KEY: Set the shared Password for the Switch and the Authentication Server(s) used when exchanging messages.

Accounting Config
Accounting: Enable/Disable the Accounting feature.
Primary IP: Enter the IP Address of the Primary Accounting Server.
Secondary IP: Enter the IP Address of the Secondary Accounting Server.
Accounting Port: Set the UDP Port for the Accounting Server(s). The default Port is 1813.
Accounting Key: Set the shared Password for the Switch and the Accounting Server(s) used when exchanging messages.

CAUTION: RADIUS Server settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.
NOTE: The 802.1X/RADIUS function takes effect only when it is enabled globally on the Switch and enabled on the Port(s).

NOTE: The 802.1X/RADIUS function cannot be enabled for LAG Group members. Also, Ports with the 802.1X/RADIUS function enabled cannot be added to a LAG Group.

NOTE: The 802.1X/RADIUS function should not be enabled for Port(s) connected to the Authentication Server. Authentication parameters of the Switch and the Authentication Server should be identical.

Configuration Procedure:

Step 1
Operation: Connect an Authentication Server to the Switch.
Description: Record the information for a client in the LAN to the Authentication Server and configure the corresponding Authentication Username and Password for the client.

Step 2
Operation: Install the 802.1X/RADIUS Client software.
Description: Client computers are required to install the 802.1X/RADIUS software that is provided with your RADIUS Server.

Step 3
Operation: Configure 802.1X/RADIUS globally.
Description: By default, the 802.1X/RADIUS function is Disabled. On the Network Security>>802.1X/RADIUS>>802.1X Config page, configure the 802.1X/RADIUS function globally.

Step 4
Operation: Configure the parameters of the Authentication Server.
Description: On the Network Security>>802.1X/RADIUS>>Radius Server page, configure the parameters of the RADIUS Server.

Step 5
Operation: Configure 802.1X/RADIUS on the Port(s).
Description: On the Network Security>>802.1X/RADIUS>>802.1X Port Config page, configure the 802.1X/RADIUS feature for the Port(s) of the Switch.

13 SNMP

SNMP Overview

SNMP (Simple Network Management Protocol) provides a Management framework to monitor and maintain Network devices. It is used to automatically manage various Network devices. Currently most Network Management systems are based on SNMP. SNMP is simple and convenient to use with no need for complex functions or a large amount of Network resources.
With the SNMP function enabled, Network administrators can easily monitor Network performance, detect malfunctions and configure Network devices. They can also locate faults, implement fault diagnosis, create capacity plans and generate reports related to network usage.

SNMP Management Framework

The SNMP Management framework includes three Network elements: the SNMP Management Station, an SNMP Agent and the MIB (Management Information Base).

SNMP Management Station: An SNMP Management Station is the workstation that runs the SNMP Client program, providing a friendly Management interface that allows the administrator to manage most Network devices.
SNMP Agent: An SNMP Agent is the Server software operating on the Network devices. It handles the responsibility of receiving and processing SNMP Request packets from the SNMP Management Station. The SNMP Agent will inform the SNMP Management Station of Events, device Status changes, or if the device encounters any abnormalities such as a device reboot.
MIB: The MIB is a set of Managed Objects. The MIB defines the attributes of the managed objects including Names, Access Rights and Data types. Every SNMP Agent has its own specific MIB. The SNMP Management Station can Read/Write to the MIB Objects based on its Management rights.

The SNMP Management Station is the manager of the SNMP Network while the SNMP Agent is the Managed Object. The information exchanged between the SNMP Management Station and the SNMP Agent is exchanged through SNMP (Simple Network Management Protocol). The relationship between the SNMP Management Station, SNMP Agent and MIB is illustrated in the following figure:

Figure 13-1 Relationship between SNMP Network Elements

SNMP Versions

This Switch supports SNMP up to Version 3 and is compatible with SNMP Version 1 and SNMP Version 2c.
The SNMP Versions used by the SNMP Management Station and SNMP Agent should be the same in order for the SNMP Management Station and SNMP Agent to communicate with each other correctly. You can select the Management mode with the proper security level to fit your application requirements.

SNMP Version 1: SNMP v1 uses Community Name Authentication. The Community Name is used to define the relation between the SNMP Management Station and the SNMP Agent. Any SNMP packets failing to pass the Community Name are discarded. The Community Name functions as a Password, limiting access to the SNMP Agent from the SNMP Management Station.
SNMP Version 2c: SNMP v2c also uses Community Name Authentication. It is compatible with SNMP v1 and expands the functions of SNMP v1.
SNMP Version 3: Based on SNMP v1 and SNMP v2c, SNMP v3 greatly enhances the security and manageability of SNMP. It adopts VACM (View-Based Access Control Model) and USM (User-Based Security Model) Authentication. You can configure the Authentication and Encryption functions. The Authentication function is used to limit the access of an unauthorized user by authenticating the sender of SNMP packets. The Encryption function is used to encrypt the SNMP packets transmitted between the SNMP Management Station and SNMP Agent. The combination of Authentication and Encryption creates more reliable communications between SNMP Management Stations and SNMP Agents.

MIB Introduction

To uniquely identify the Management Objects of a device in SNMP messages, SNMP adopts a hierarchical architecture to identify the Managed Objects. It uses a tree format with each tree node representing a Managed Object, as shown in the following figure. This allows Objects to be identified by the unique path starting from the root and identified by a string of numbers.
The number string is the Object Identifier of the Managed Object. In the following figure, the OID of Managed Object B is {1.2.1.1}, while the OID of Managed Object A is {1.2.1.1.5}.

Figure 13-2 Architecture of the MIB tree

SNMP Configuration Outline

Create a View
The SNMP View Config is created for an SNMP Management Station to manage MIB objects. The managed object uniquely identified by an OID can be set to allow or forbid Management by the SNMP Management Station by configuring its view type (Included/Excluded). The OID of the Managed Object can be found in the SNMP Client program running on the SNMP Management Station.

Create SNMP Group Settings
After creating the SNMP View Config, it is required to create SNMP Group Settings. The Group Name, Security Model and Security Level comprise the identifier of the SNMP Group Settings. Groups with these three items set the same are considered to be the same Group. You can configure SNMP Group Settings and control SNMP access by providing the users in various groups with different Management rights using the Read View, Write View and Notify View.

Create an SNMP User Config
The User configured in SNMP Group Settings can Manage the Switch using the Client program on a Management Station. The specified Username and the Auth/Privacy Password are used by an SNMP Management Station to access the SNMP Agent, functioning as a Password.

The SNMP module is used to configure the SNMP functions of the Switch and includes three submenus: SNMP Config, SNMP Notification and RMON.

13.1 SNMP Config

The SNMP Config is implemented on the SNMP Config, SNMP View Config, SNMP Group Settings, SNMP User Config and SNMP Community Config pages.

13.1.1 Global Config

To enable SNMP, please configure the SNMP function globally on this page.
Choose the menu SNMP>>SNMP Config>>SNMP Config to load the following page:

Figure 13-3 SNMP Config

The following entries are displayed on this screen:

SNMP Config
SNMP: Enable/Disable the SNMP function globally.

Local Engine
Local Engine ID: Specifies the Switch’s Engine ID for remote clients. The Engine ID is a unique alphanumeric string used to identify the SNMP engine on the Switch.

Remote Engine
Remote Engine ID: Specifies the Remote client Engine ID on the Switch. The Engine ID is a unique alphanumeric string used to identify the SNMP engine on the remote device which receives traps and informs from the Switch.

CAUTION: SNMP Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

NOTE: The number of Engine ID Characters must be even.

13.1.2 SNMP View Config

The OID (Object Identifier) in SNMP packets is used to describe the Managed Objects of the Switch, and the MIB (Management Information Base) contains the set of OIDs available on the Switch. The SNMP View Config is created to allow the SNMP Management Station to Manage MIB Objects.

Choose the menu SNMP>>SNMP Config>>SNMP View Config to load the following page.

Figure 13-4 SNMP View Config

The following entries are displayed on this screen:

View Config
View Name: Give a Name to the View for easy identification. Each View can include several entries with the same Name.
MIB Object ID: Enter the Object Identifier (OID) of the Entry.
View Type: Select the Type for the View Entry.
  Include: The View Entry can be managed by the SNMP Management Station.
  Exclude: The View Entry cannot be managed by the SNMP Management Station.

View Table
Select: Select the desired entry to Delete the corresponding View.
View Name: Displays the Name of the View Entry.
View Type: Displays the Type of the View Entry.
MIB Object ID: Displays the OID of the View Entry.

13.1.3 SNMP Group Settings

On this page you can configure SNMP Group Settings to control SNMP access by providing Users in various groups with different Management rights using the Read View, Write View and/or Notify View.

Choose the menu SNMP>>SNMP Config>>SNMP Group Settings to load the following page.

Figure 13-5 SNMP Group Settings

The following entries are displayed on this screen:

Group Config
Group Name: Enter the SNMP Group Name. The Group Name, Security Model and Security Level compose the identifier of the SNMP Group. Groups with these three items set the same are considered to be the same.
Security Model: Select the Security Model for the SNMP Group.
  v1: SNMPv1 is defined for the Group. In this model the Community Name is used for Authentication. SNMP v1 can be configured on the SNMP Community Config page.
  v2c: SNMPv2c is defined for the Group. In this model the Community Name is used for Authentication. SNMP v2c can be configured on the SNMP Community Config page.
  v3: SNMPv3 is defined for the Group. In this model the USM mechanism is used for Authentication. If SNMPv3 is enabled the Security Level field is enabled.
Security Level: Select the Security Level for the SNMP v3 Group.
  noAuthNoPriv: No Authentication and No Privacy security level is used.
  authNoPriv: Only the Authentication security level is used.
  authPriv: Both the Authentication and the Privacy security levels are used.
Read View: Select the View to be the active Read View. Management Access is restricted to Read-Only; changes cannot be made to the assigned SNMP View Config.
Write View: Select the View to be the active Write View. Management Access is set to write only; changes can be made to the assigned SNMP View Config. A View defined both as the Read View and the Write View can be Read and/or Modified.
Notify View: Select the View to be the active Notify View. The Management Station can receive Trap Messages from the assigned SNMP View Config. Trap Messages are generated by the Switch’s SNMP Agent.

Group Table
Select: Select the desired entry(ies) to Delete the corresponding Group.
Group Name: Displays the Group Name.
Security Model: Displays the Security Model of the Group.
Security Level: Displays the Security Level of the Group.
Read View: Displays the Read View Name in the Entry.
Write View: Displays the Write View Name in the Entry.
Notify View: Displays the Notify View Name in the Entry.
Operation: Click the Edit button to modify the View settings in the Entry, then click the Modify button to apply.

CAUTION: SNMP Group Settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

NOTE: Every Group must contain at least a Read View. The default Read View is viewDefault.

13.1.4 SNMP User Config

The User in an SNMP Group can Manage the Switch via the Management Station. The User and its Group have the same Security Level and Access Rights. You can configure the SNMP User Config on this page.

Choose the menu SNMP>>SNMP Config>>SNMP User Config to load the following page:

Figure 13-6 SNMP User Config

The following entries are displayed on this screen:

User Config
User Name: Enter the User Name.
User Type: Select the type of User.
  Local User: Indicates that the User is connected to a Local SNMP Engine.
  Remote User: Indicates that the User is connected to a Remote SNMP Engine.
Group Name: Select the Group to which the User belongs. The User is associated to the corresponding Group according to its Group Name, Security Model and Security Level.
Security Model: Select the Security Model for the User.
Security Level: Select the Security Level for the User. (SNMP v3 only)
Auth Mode: Select the Authentication Mode for the User. (SNMP v3 only)
  None: No Authentication method is used.
  MD5: Port Authentication is performed using the HMAC-MD5 algorithm.
  SHA: Port Authentication is performed using the SHA (Secure Hash Algorithm). This Authentication mode uses higher security than MD5 mode.
Auth Password: Enter the Password for Authentication.
Privacy Mode: Select the Privacy Mode for the User. (SNMP v3 only)
  None: No Privacy method is used.
  DES: DES Encryption method is used.
Privacy Password: Enter the Privacy Password.

User Table
Select: Select the desired entry(ies) to Delete the corresponding User.
User Name: Displays the Name of the User.
User Type: Displays the User Type.
Group Name: Displays the Group Name the User belongs to.
Security Model: Displays the Security Model of the User.
Security Level: Displays the Security Level of the User.
Auth Mode: Displays the Authentication Mode of the User.
Privacy Mode: Displays the Privacy Mode of the User.
Operation: Click the Edit button to modify the Group associated to a User, then click the Modify button to apply.

CAUTION: SNMP User Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

NOTE: The SNMP User and its associated Group must have the same Security Model and Security Level.
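
How the Auth Password, Auth Mode and Engine ID fit together in SNMPv3 USM, as an added example that is not code from the Switch or from Luxul: the key derivation is the one defined in RFC 3414, checked here against that RFC's published sample password and engine ID. It assumes the Engine ID is entered as hexadecimal digits (which would explain the even-length rule above) and that the SHA mode is HMAC-SHA-96; the function names are illustrative.

```python
# Added example: SNMPv3 USM key derivation (RFC 3414). Function names are
# illustrative; the sample password and engine ID come from the RFC itself.
import hashlib
import hmac

ALGORITHMS = {"MD5": "md5", "SHA": "sha1"}   # labels as shown for Auth Mode


def parse_engine_id(text: str) -> bytes:
    """Assumption: the Engine ID is typed as hex digits, two per byte,
    so an odd number of characters cannot form whole bytes."""
    if not text or len(text) % 2:
        raise ValueError("Engine ID needs an even, non-zero number of hex characters")
    return bytes.fromhex(text)


def password_to_key(password: bytes, auth_mode: str) -> bytes:
    """RFC 3414 A.2: hash 1,048,576 bytes of the password repeated end to end."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(ALGORITHMS[auth_mode], password * reps + password[:rem]).digest()


def localize_key(user_key: bytes, engine_id: bytes, auth_mode: str) -> bytes:
    """Bind the key to one SNMP engine: H(Ku + engineID + Ku)."""
    return hashlib.new(ALGORITHMS[auth_mode], user_key + engine_id + user_key).digest()


def localized_auth_key(password: bytes, engine_id_hex: str, auth_mode: str) -> bytes:
    """Key actually used on the wire for one user on one engine."""
    engine_id = parse_engine_id(engine_id_hex)
    return localize_key(password_to_key(password, auth_mode), engine_id, auth_mode)


def auth_tag(key: bytes, message: bytes, auth_mode: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: the HMAC of the whole message (computed with
    the 12-byte authentication field zeroed), truncated to 12 bytes."""
    return hmac.new(key, message, ALGORITHMS[auth_mode]).digest()[:12]


if __name__ == "__main__":
    # RFC 3414 A.3 sample: password "maplesyrup", engine ID ...02.
    for mode in ("MD5", "SHA"):
        key = localized_auth_key(b"maplesyrup", "000000000000000000000002", mode)
        print(mode, key.hex())
```

Because the key is localized, the same Auth Password yields a different key for every Engine ID, so a Remote User's key has to be derived from the Remote Engine ID rather than the Switch's own.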

13.1.5 SNMP Community Config

SNMP v1 and SNMP v2c use Community Name Authentication. The Community Name is used to limit access to the SNMP Agent, functioning as a Password. If SNMP v1 or SNMP v2c is employed you can configure the SNMP Community Config on this page without configuring SNMP Group Settings and User Config Settings.

Choose the menu SNMP>>SNMP Config>>SNMP Community Config to load the following page.

Figure 13-7 SNMP Community Config

The following entries are displayed on this screen:

Community Config
Community Name: Enter the Community Name.
Access: Defines the Access Rights of the Community.
  Read-Only: The Management Rights of a Community are restricted to Read-Only. Changes cannot be made to the corresponding View.
  Read-Write: The Management rights of a Community are set to Read-Write, allowing changes to be made to the corresponding View.
MIB View: Select the MIB View for the Community to access.

Community Table
Select: Select the desired Entry to Delete the corresponding Community.
Community Name: Displays the Community Name.
Access: Displays the Rights of the Community when accessing a View.
MIB View: Displays the View(s) the Community can access.
Operation: Click the Edit button to modify the MIB View and the Access right of the Community, and then click the Modify button to apply.

CAUTION: SNMP Community Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

NOTE: The default MIB View of SNMP Community Config is viewDefault.

Configuration Procedure:

If SNMPv3 is employed please use the following steps:

Step 1
Operation: Enable SNMP function globally.
Description: On the SNMP>>SNMP Config>>SNMP Config page, enable the SNMP function globally.

Step 2
Operation: Create SNMP View Config.
Description: On the SNMP>>SNMP Config>>SNMP View Config page, create an SNMP View. The default View Name is viewDefault and the default OID is 1.

Step 3
Operation: Create SNMP Group Settings.
Description: On the SNMP>>SNMP Config>>SNMP Group Settings page, create an SNMP Group for use with SNMPv3 and specify the SNMP View(s) with the associated Access Levels.

Step 4
Operation: Create SNMP User Config.
Description: On the SNMP>>SNMP Config>>SNMP User Config page, create an SNMP User Config, assign the User to a Group and configure the Auth/Privacy mode and Auth/Privacy Password for the User.

If SNMPv1 or SNMPv2c is employed please use the following steps:

Step 1
Operation: Enable SNMP function globally.
Description: On the SNMP>>SNMP Config>>SNMP Config page, enable the SNMP function globally.

Step 2
Operation: Create SNMP View Config.
Description: On the SNMP>>SNMP Config>>SNMP View Config page, create an SNMP View for the Management Agent. The default View Name is viewDefault and the default OID is 1.

Step 3
Operation: Configure the Access Level of the user.
  Create an SNMP Community: To create an SNMP Community Config directly, go to the SNMP>>SNMP Config>>SNMP Community Config page and create an SNMP Community based on SNMP v1 or SNMP v2c.
  Create an SNMP Group and SNMP User: To create an SNMP Group using an SNMP User, the configuration is similar to the configuration used with SNMPv3. Create an SNMP Group and an SNMP User configured for SNMP v1/v2c. The User Name limits access to the SNMP Agent from the SNMP Network Management Station, functioning as a Community Name. Users can manage the device via the Read View, Write View and Notify View defined in the SNMP Group Settings.
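
How Views, Groups and Communities from section 13.1 combine into an access decision, as an added example that is not the Switch's firmware: it assumes the standard VACM rule from RFC 3415 that the longest matching subtree entry decides, with Exclude winning a tie. Apart from viewDefault with OID 1, every view, group, community and OID below is constructed.

```python
# Added example: evaluating SNMP Views, Groups and Communities. All names
# and OIDs are constructed, except viewDefault (OID 1) from the guide.

VIEWS = {
    "viewDefault": [("1", "include")],
    # Whole mib-2 subtree, minus the ip group underneath it.
    "viewOps": [("1.3.6.1.2.1", "include"), ("1.3.6.1.2.1.4", "exclude")],
    # Only the interfaces group.
    "viewPorts": [("1.3.6.1.2.1.2", "include")],
}
GROUPS = {
    "opsGroup": {"read": "viewOps", "write": "viewPorts", "notify": "viewOps"},
    "readers": {"read": "viewOps"},              # no Write View configured
}
COMMUNITIES = {
    "constructed-ro": {"access": "read-only", "view": "viewOps"},
    "constructed-rw": {"access": "read-write", "view": "viewPorts"},
}


def parse_oid(text):
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1); rejects empty or non-numeric parts."""
    parts = text.strip().strip(".").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric OID: {text!r}")
    return tuple(int(p) for p in parts)


def in_view(entries, oid):
    """True if the OID is inside the view.

    Matching is per sub-identifier, not per character: 1.3.6.1.2.1.4 is a
    string prefix of 1.3.6.1.2.1.43 but not its parent in the MIB tree.
    """
    target = parse_oid(oid)
    best_len, best_type = -1, "exclude"          # nothing matched: not in view
    for subtree, view_type in entries:
        prefix = parse_oid(subtree)
        if target[:len(prefix)] != prefix:
            continue
        longer = len(prefix) > best_len
        tie_exclude = len(prefix) == best_len and view_type == "exclude"
        if longer or tie_exclude:
            best_len, best_type = len(prefix), view_type
    return best_type == "include"


def group_allows(group, operation, oid, groups=GROUPS, views=VIEWS):
    """operation is 'read', 'write' or 'notify'; a missing view denies."""
    view_name = groups[group].get(operation)
    return view_name is not None and in_view(views[view_name], oid)


def community_allows(community, operation, oid,
                     communities=COMMUNITIES, views=VIEWS):
    """Read-Only communities never write; otherwise the MIB View decides."""
    entry = communities[community]
    if operation == "write" and entry["access"] != "read-write":
        return False
    return in_view(views[entry["view"]], oid)


if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.4.20.1.1", "1.3.6.1.2.1.43.5.1"):
        print(oid, "read:", group_allows("opsGroup", "read", oid),
              "write:", group_allows("opsGroup", "write", oid))
```

Leaving a Group or Community on viewDefault exposes the entire tree under OID 1, so a narrower Write View such as viewPorts here is what keeps configuration changes limited to the objects an operator actually needs.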

13.2 SNMP Notification

With the SNMP Notification function enabled, the Switch can send notifications to the Management Station about Events that occur within the defined View(s) (e.g., the Managed device is rebooted). This allows the Management Station to monitor and process Events in real time.

SNMP Notifications include the following two types:

Trap: A Trap is information that the Managed device sends to the Network Management Station without requiring a request.
Inform: An Inform packet is sent to Inform the Management Station and ask for a reply. The Switch will resend the Inform Request if it does not receive a response from the Management Station during the Timeout interval. It will terminate resending of the Inform Request if the number of resends reaches the specified number of Retries allowed. The Inform method employed in SNMPv2c and SNMPv3 has a higher security than the Trap method.

On this page you can configure the SNMP Notification functions of SNMP.

Choose the menu SNMP>>SNMP Notification>>SNMP Notification Config to load the following page.

Figure 13-8 SNMP Notification Config

The following entries are displayed on this screen:

Create Notification
IP Address: Enter the IP Address of the Management Station.
UDP Port: Enter the UDP Port used to send SNMP Notifications. The default is 162.
User: Enter the Username for the Management Station.
Security Model: Select the Security Model of the Management Station.
Security Level: Select the Security Level for the User (SNMP v3 only).
  noAuthNoPriv: No Authentication and No Privacy Security Level is used.
  authNoPriv: Only the Authentication Security Level is used.
  authPriv: Both the Authentication and Privacy Security Levels are used.
Type: Select the type for the SNMP Notification.
  Trap: Indicates Trap messages are sent.
  Inform: Indicates Inform messages are sent.
  Inform messages have higher security than Trap type messages.
Retry: Specify the number of times the Switch will Retry an Inform Request. The Switch will Retry the Inform Request if it does not receive a response from the Management Station within the Timeout interval. If the number of Retry attempts reaches the specified maximum number of Retries, the Switch will stop attempting to send the message.
Timeout: Specify the maximum Time allowed for the Switch to wait for a response from the Management Station before retrying a request.

SNMP Notification Table
Select: Select the desired entry to Delete the corresponding Management Station.
IP Address: Displays the IP Address of the Management Station.
UDP Port: Displays the UDP Port used for SNMP Notifications.
User: Displays the User Name for the Management Station.
Security Model: Displays the Security Model of the Management Station.
Security Level: Displays the Security Level for the User (SNMP v3 only).
Type: Displays the type of SNMP Notification.
Timeout: Displays the maximum Time allowed for the Switch to wait for a response from the Management Station before retrying a request.
Retry: Displays the number of times the Switch Retries an Inform Request.
Operation: Click the Edit button to modify the corresponding Entry and click the Modify button to apply.

CAUTION: SNMP Notification settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

13.3 RMON

RMON (Remote Monitoring) is based on SNMP (Simple Network Management Protocol) architecture, and allows you to monitor the Network.
RMON is a commonly used Network Management standard defined by the Internet Engineering Task Force (IETF) and is used to monitor the Data traffic across a Network segment up to and including the entire Network. The RMON MIB records Network Statistics, Network Performance and Malfunctions. RMON helps the Network administrator manage large-scale Networks. It also reduces traffic between the Management Station and Managed Agent.

RMON Group

This Switch supports the following four RMON Groups defined in the RMON standard (RFC 1757): History Group, Event Group, Statistic Group and Alarm Group.

RMON Group: Function
History Group: After a History Group is configured, the Switch collects and records Network Statistics which the Management Station can monitor.
Event Group: Event Group is used to define RMON Events. Alarms occur when an Event is detected.
Statistic Group: Statistic Group is set to monitor the Statistics of Alarm Variables on the specified Ports.
Alarm Group: Alarm Group is configured to monitor the specified Alarm Variables. When the value of a monitored Variable exceeds the threshold, an Alarm Event is generated, which causes the Switch to respond in a predetermined manner.

RMON Groups can be configured on the History Control Config, Event Config and Alarm Config pages.

13.3.1 History Control Config

On this page, you can configure the History Group for RMON.

Choose the menu SNMP>>RMON>>History Control Config to load the following page.

Figure 13-9 History Control Config

The following entries are displayed on this screen:

History Control Config Table
Select: Select the desired Entry to configure.
Index: Displays the Index number of the Entry.
Port: Specifies the Port from which the History samples were taken. Interval: Specifies the Interval to take samplings from the Port. Owner: Enter the Name of the device or User that defined the entry. Status: Enable/Disable the corresponding Sampling Entry. CAUTION: History Control Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory. 13.3.2 Event Config On this page you can configure RMON Events. Choose the menu SNMP>>RMON>>Event Config to load the following page. Figure 13-10 Event Config 236 a: 14203 Minuteman Drive, Suite 201, Draper, UT 84020-1685 | luxul.com | 801-822-5450 LUX-UG-XMS-1024P Vers: 081314 User Guide The following entries are displayed on this screen: Event Table Select: Select the desired Entry to configure. Index: Displays the Index number of the Entry. User: Enter the Name of the User or the Community to which the Event belongs. Description: Give a Description to the Event for easy identification. Type: Select the Event Type which will determine the action taken by the Network device in response to an Event. None: No action taken. Log: Log the Event. Notify: Send Trap Message to the Management Station. Log&Notify: Log the Event and send Trap Message to the Management Station. Owner: Enter the Name of the Device or User that defined the entry. Status: Enable/Disable the corresponding event entry. CAUTION: Event Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to nonvolatile memory. 13.3.3 Alarm Config On this page you can configure an Alarm Group for RMON. Choose the menu SNMP>>RMON>>Alarm Config to load the following page. Figure 13-11 Alarm Config © 2014 Luxul. All Rights Reserved. 
The following entries are displayed on this screen:

Alarm Table

Select: Select the desired Entry to configure.
Index: Displays the Index number of the Entry.
Variable: Select the Alarm Variable from the dropdown list.
Port: Select the Port to which the Alarm Entry is associated.
Sample Type: Specify the Sampling method for the selected Variable.
  Absolute: Compares the values directly with the Thresholds at the end of the Sampling Interval.
  Delta: Subtracts the last Sampled Value from the current Value. The difference in the Values is compared to the Threshold.
Rising Threshold: Enter the Rising Value that triggers the Rising Threshold alarm.
Rising Event: Select the Index of the corresponding Event which will be triggered if the Sampled Value is larger than the Rising Threshold.
Falling Threshold: Enter the Falling Value that triggers the Falling Threshold alarm.
Falling Event: Select the Index of the corresponding Event which will be triggered if the Sampled Value is lower than the Falling Threshold.
Alarm Type: Specify the Type of Alarm.
  All: The Alarm Event will be triggered if either the Sampled Value exceeds the Rising Threshold or is less than the Falling Threshold.
  Rising: When the Sampled Value exceeds the Rising Threshold the Alarm event is triggered.
  Falling: When the Sampled Value is less than the Falling Threshold the Alarm event is triggered.
Interval: Enter the Alarm Interval time in seconds.
Owner: Enter the Name of the Device or User defined in the Entry.
Status: Enable/Disable the corresponding Alarm Entry.

CAUTION: Alarm Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.
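An added example, not taken from the guide or the switch firmware, that evaluates an Alarm Table entry over a series of readings and shows Absolute versus Delta sampling, the Alarm Type filter, and why a value that stays past a threshold fires only once. The `Alarm` class, the `EVENTS` table, the 32-bit counter wrap and the re-arm rule (a direction re-arms once a sample no longer crosses its threshold) are assumptions made for illustration; the readings are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed Event Table: Index -> Type (None, Log, Notify or Log&Notify).
EVENTS = {1: "Log&Notify", 2: "Log"}


@dataclass
class Alarm:
    """One Alarm Table entry (hypothetical model of the fields listed above)."""
    sample_type: str            # "absolute" or "delta"
    rising_threshold: int
    rising_event: int           # Index into EVENTS
    falling_threshold: int
    falling_event: int          # Index into EVENTS
    alarm_type: str = "all"     # "all", "rising" or "falling"
    last: Optional[int] = None  # previous reading, used for delta sampling
    rising_armed: bool = True
    falling_armed: bool = True

    def sample(self, reading):
        """Evaluate the reading taken at the end of one Interval.

        Returns the (event index, event type) pairs that fire.
        """
        if self.sample_type == "delta":
            previous, self.last = self.last, reading
            if previous is None:
                return []       # a delta needs two readings
            value = (reading - previous) % 2**32  # assumption: 32-bit counter
        else:
            value = reading

        fired = []
        # Rising and Falling are tracked independently of each other.
        if value > self.rising_threshold:
            if self.rising_armed and self.alarm_type in ("all", "rising"):
                fired.append((self.rising_event, EVENTS[self.rising_event]))
            self.rising_armed = False   # stays quiet while still exceeded
        else:
            self.rising_armed = True
        if value < self.falling_threshold:
            if self.falling_armed and self.alarm_type in ("all", "falling"):
                fired.append((self.falling_event, EVENTS[self.falling_event]))
            self.falling_armed = False
        else:
            self.falling_armed = True
        return fired


def run(alarm, readings):
    """Feed a list of per-Interval readings to an alarm; one result per reading."""
    return [alarm.sample(r) for r in readings]
```

With delta sampling and thresholds of 3000 and 80, the constructed counter readings 1000, 1100, 5100, 9500, 9600, 9650, 14650 fire the Rising Event on the third and seventh readings and the Falling Event on the sixth; the fourth reading is still above the Rising Threshold and fires nothing.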
Note: When an Alarm Variable exceeds the Threshold on the same Entry continuously, an Alarm Event will only be generated the first time the Threshold is exceeded. The Rising Alarm and Falling Alarm are triggered independently, so a Rising Alarm would not be considered a reason to block a Falling Alarm.

14 LLDP

LLDP (Link Layer Discovery Protocol) is a Layer 2 protocol that is used to allow Network devices to advertise their Device Information to neighbors in the same Local Area Network. The advertised Information, including details such as Device Identification, Capabilities and Configuration Settings, is forwarded in TLV (Type/Length/Value) format according to the IEEE 802.1AB standard. The TLVs are encapsulated in LLDPDU (Link Layer Discovery Protocol Data Unit) packets. The LLDPDU packets are distributed via LLDP and are stored by their recipients in the MIB (Management Information Base). This makes it possible for the information to be accessed by a Network Management System (NMS) using a Management protocol such as SNMP (Simple Network Management Protocol).

An IETF Standard MIB, as well as a number of vendor specific MIBs, have been created to describe a Network’s physical topology and associated systems within that topology. There is no standard protocol for populating these MIBs or communicating this information among stations on the LAN. The LLDP protocol is a stop gap protocol that accomplishes this task. A Device running LLDP can Automatically Discover and Learn about neighbors, allowing for interoperability between Network devices from different vendors. For instance, this protocol allows two systems running different Network Layer protocols to learn about each other.
LLDP-MED (Link Layer Discovery Protocol for Media Endpoint Devices) is an extension of LLDP intended for managing endpoint devices such as Voice over IP Phones and Network Switches. The LLDP-MED TLVs advertise information such as Network Policy, Power via MDI, Inventory Management information and Device Location details.

LLDP and LLDP-MED information can be used by SNMP applications to simplify troubleshooting, enhance Network Management, and maintain an accurate Network topology.

LLDPDU Format

Each LLDPDU includes an ordered sequence of three required TLVs followed by one or more optional TLVs and an End of LLDPDU TLV as shown in the figure below. Chassis ID TLV, Port ID TLV, TTL TLV and End TLV are the four required TLVs in an LLDPDU. Optional TLVs provide various details about the LLDP Agent advertising them and are selected by Network Management.

Figure 14-1 LLDPDU Format

The maximum length of the LLDPDU is the maximum information field length allowed by the particular transmission rate and protocol. In IEEE 802.3 MAC for example, the maximum LLDPDU length is the maximum Data Field length for the basic Untagged MAC frame (1500 bytes).

LLDP Mechanism

1. LLDP Admin Status

The transmission and the reception of LLDPDUs are enabled for each Port, making it possible to configure an implementation to restrict the Port either to Transmit only, Receive only or to allow the Port to both Transmit and Receive. Four LLDP admin statuses are supported.

Tx&Rx: the Port can both Transmit and Receive LLDPDUs.
Rx_Only: the Port can only Receive LLDPDUs.
Tx_Only: the Port can only Transmit LLDPDUs.
Disable: the Port cannot Transmit or Receive LLDPDUs.

2. LLDPDU Transmission

If the Ports are working in TxRx or Tx mode, they will advertise local information by sending LLDPDUs.
If there is a change made to the local Device, the SNMP change Notification will be advertised. To prevent a series of successive LLDPDUs during a short period due to frequent changes to a local Device, a Transmission Delay Timer is set to ensure that there is a defined time between successive LLDP Frame Transmissions.

If the LLDP Admin Status of the Port is changed from Disable/Rx to TxRx/Tx, the Fast Start Mechanism will become active. The transmit interval changes to 1 second, several LLDPDUs are sent out, then the Transmit Interval returns to the regular Interval.

3. LLDPDU Processing

When a Port is working in TxRx or Rx mode, the device will check the validity of the received LLDPDUs and the attached TLVs. Once verified it will save this neighbor information to the local Device, then set the Aging Time for the information according to the value of the TTL (Time To Live) TLV. Once the TTL reaches 0 the neighbor information will be Aged Out.

The Aging Time of the local information in the neighbor Device is determined by the TTL. A Hold Multiplier is a multiplier used on the Transmit Interval to determine the actual TTL value used in an LLDPDU. TTL = Hold Multiplier * Transmit Interval.

TLV

TLV refers to Type/Length/Value and is contained in an LLDPDU. Type identifies what kind of information is being sent, Length indicates the length of the information string in bytes and Value is the actual information to be sent. The basic TLV Format is shown below:

Figure 14-2 TLV

Each TLV is identified by a unique TLV Type Value that indicates the type of information contained in the TLV. The following table shows details of currently defined TLVs.

TLV type | TLV Name | Description | Usage in LLDPDU
0 | End of LLDPDU | A mark at the end of the TLV sequence in LLDPDUs. Any information following an End Of LLDPDU TLV is ignored. | Mandatory
1 | Chassis ID | Identifies the Chassis Address of the connected Device. | Mandatory
2 | Port ID | Identifies the specific Port that transmitted the LLDP frame. When the Device does not advertise MED TLV, this field displays the Port name; when the device advertises MED TLV, this field displays the MAC Address of the Port. | Mandatory
3 | Time To Live | Indicates the number of seconds that the neighbor Device is to keep the LLDPDU information. | Mandatory
4 | Port Description | Identifies the Description string of the Port. | Optional
5 | System Name | Identifies the System Name. | Optional
6 | System Description | Identifies the System Description. | Optional
7 | System Capabilities | Identifies the Main Functions of the System and the Functions Enabled. | Optional
8 | Management Address | Identifies the Management IP Address, the corresponding Interface number and OID (Object Identifier). | Optional
127 | Organizationally Specific | Allows different organizations such as IEEE, IETF, as well as individual software and equipment vendors to define TLVs that advertise information to remote Devices. | Optional

Optional TLVs are grouped into two categories: Basic Management TLV and Organizationally-Specific TLV.

Basic Management TLV

This set of TLVs is considered to be basic to the Management of the Network stations and is required for all LLDP implementations.

Organizationally Specific TLV

Different organizations have defined various TLVs. For instance, Port VLAN ID TLV, Port and Protocol VLAN ID TLV, VLAN Name TLV and Protocol Identity TLV are defined in IEEE 802.1, while MAC/PHY Configuration/Status TLV, Power Via MDI TLV, Link Aggregation TLV and Maximum Frame TLV are defined in IEEE 802.3.
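An added example, not part of the guide or the switch firmware, of the receive-side checks described under LLDPDU Processing: it decodes the TLV sequence, enforces the mandatory TLVs and their order, ignores data after End of LLDPDU, and ages neighbors out by TTL. The 7-bit type / 9-bit length header, the ID subtypes and the removal on a TTL of zero follow IEEE 802.1AB; the function and counter names and the strict length checks are assumptions, and every frame is constructed with `build_lldpdu`.

```python
import struct

# TLV type numbers from the table above.
END, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3
KNOWN_TYPES = {0, 1, 2, 3, 4, 5, 6, 7, 8, 127}
MAX_LLDPDU = 1500  # untagged IEEE 802.3 data field, as stated above


class LLDPError(ValueError):
    """A received LLDPDU failed validation."""


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length, then the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type or length does not fit the TLV header")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac, port_name, hold_multiplier=4,
                 transmit_interval=30, extra=()):
    """Build a constructed LLDPDU; TTL = Hold Multiplier * Transmit Interval."""
    ttl = min(hold_multiplier * transmit_interval, 0xFFFF)
    pdu = tlv(CHASSIS_ID, b"\x04" + chassis_mac)  # subtype 4: MAC address
    pdu += tlv(PORT_ID, b"\x05" + port_name)      # subtype 5: interface name
    pdu += tlv(TTL, struct.pack("!H", ttl))
    pdu += b"".join(tlv(t, v) for t, v in extra)
    return pdu + tlv(END, b"")


def parse_lldpdu(data):
    """Validate an LLDPDU; return (accepted TLVs, unknown TLV count)."""
    if len(data) > MAX_LLDPDU:
        raise LLDPError("LLDPDU longer than 1500 bytes")
    order, tlvs, unknown, offset, ended = [], [], 0, 0, False
    while offset < len(data):
        if offset + 2 > len(data):
            raise LLDPError("truncated TLV header")
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if tlv_type == END:
            ended = True  # anything after End of LLDPDU is ignored
            break
        if offset + length > len(data):
            raise LLDPError("TLV length runs past the end of the frame")
        order.append(tlv_type)
        if tlv_type in KNOWN_TYPES:
            tlvs.append((tlv_type, data[offset:offset + length]))
        else:
            unknown += 1  # types 9-126 are not in the table: skip and count
        offset += length
    if not ended:
        raise LLDPError("missing End of LLDPDU TLV")
    if order[:3] != [CHASSIS_ID, PORT_ID, TTL]:
        raise LLDPError("Chassis ID, Port ID and TTL must come first, in order")
    if any(t in (CHASSIS_ID, PORT_ID, TTL) for t in order[3:]):
        raise LLDPError("mandatory TLV repeated")
    if len(tlvs[0][1]) < 2 or len(tlvs[1][1]) < 2 or len(tlvs[2][1]) != 2:
        raise LLDPError("mandatory TLV has an invalid length")
    return tlvs, unknown


class NeighborTable:
    """Neighbor entries keyed by (local port, Chassis ID, Port ID)."""

    def __init__(self):
        self.entries = {}
        self.stats = {"inserts": 0, "deletes": 0, "errors": 0,
                      "ageouts": 0, "tlv_unknowns": 0}

    def receive(self, local_port, frame, now):
        """Process one LLDPDU received on local_port at time now (seconds)."""
        try:
            tlvs, unknown = parse_lldpdu(frame)
        except LLDPError:
            self.stats["errors"] += 1
            return False
        self.stats["tlv_unknowns"] += unknown
        key = (local_port, tlvs[0][1], tlvs[1][1])
        (ttl,) = struct.unpack("!H", tlvs[2][1])
        if ttl == 0:  # sender is shutting down: drop its entry at once
            if self.entries.pop(key, None) is not None:
                self.stats["deletes"] += 1
            return True
        if key not in self.entries:
            self.stats["inserts"] += 1
        self.entries[key] = (now + ttl, tlvs)  # Aging Time comes from the TTL
        return True

    def age(self, now):
        """Remove neighbors whose Aging Time has run out; return how many."""
        expired = [k for k, (expires, _) in self.entries.items() if expires <= now]
        for key in expired:
            del self.entries[key]
        self.stats["ageouts"] += len(expired)
        return len(expired)
```

With the default Hold Multiplier of 4 and Transmit Interval of 30, a frame from `build_lldpdu` carries a TTL of 120, so a neighbor received at time 0 is still present at 119 seconds and is removed by `age(120)`.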
Some specific TLVs are for LLDP-MED protocol, such as LLDP-MED Capabilities TLV, Network Policy TLV, Extended Power-via-MDI TLV, Hardware Revision TLV and so on.

NOTE: For detailed introduction of TLV, please refer to IEEE 802.1AB standard and ANSI/TIA-1057.

In the Switch, the following LLDP optional TLVs are supported:

Port Description TLV
The Port Description TLV allows Network Management to advertise the IEEE 802 LAN station's Port Description.

System Capabilities TLV
The System Capabilities TLV identifies the primary functions of the System and whether or not these primary functions are enabled.

System Description TLV
The System Description TLV allows Network Management to advertise the System's Description, which should include the Name and Version identification of the system's hardware type, software operating system, and Networking software.

System Name TLV
The System Name TLV allows Network Management to advertise the system's assigned Name, which should be the system's fully qualified Domain Name.

Management Address TLV
The Management Address TLV identifies an Address associated with the local LLDP Agent that may be used to reach higher entities to assist in discovery by Network Management.

Port VLAN ID TLV
The Port VLAN ID TLV allows a VLAN Port to advertise the Port's VLAN Identifier (PVID) that will be associated with Untagged or Tagged frames.

Port And Protocol VLAN ID TLV
The Port And Protocol VLAN ID TLV allows a Port to advertise a Port and protocol VLAN ID.

VLAN Name TLV
The VLAN Name TLV allows an IEEE 802.1Q-compatible IEEE 802 LAN station to advertise the assigned Name of any VLAN with which it is configured.
Link Aggregation TLV
The Link Aggregation TLV indicates whether the link is capable of being aggregated, whether the link is currently in an aggregation group, and, if in an aggregation, the Port identification of the aggregation group.

MAC/PHY Configuration/Status TLV
The MAC/PHY Configuration/Status TLV identifies:
a) The duplex and bit-rate capability of the sending IEEE 802.3 LAN node that is connected to the physical medium;
b) The current duplex and bit-rate settings of the sending IEEE 802.3 LAN node;
c) Whether these settings are the result of autonegotiation during link initiation or manually set.

Max Frame Size TLV
The Maximum Frame Size TLV indicates the maximum frame size capability of the implemented MAC and PHY.

Power Via MDI TLV
The Power Via MDI TLV allows Network Management to advertise and discover the MDI power support capabilities of the sending IEEE 802.3 LAN station.

The LLDP module is used for LLDP function configuration of the Switch and includes three submenus: LLDP Config, Device Info, Device Statistics and LLDP-Media.

14.1 LLDP Config

LLDP is configured on the LLDP Config and LLDP Port Config pages.

14.1.1 LLDP Config

On this page you can configure the LLDP parameters of the Device globally.

Choose the menu LLDP>>LLDP Config>>LLDP Config to load the following page:

Figure 14-1 LLDP Config

The following entries are displayed on this screen:

LLDP Config

LLDP: Enable/Disable the LLDP function globally.

Parameter Config

Transmit Interval: Enter the Interval for the local Device to transmit LLDPDUs to its neighbors. The default value is 30.
Hold Multiplier: Enter a Multiplier on the Transmit Interval. This will determine the TTL (Time To Live) Value used in the LLDPDU. TTL = Hold Multiplier * Transmit Interval. The default value is 4.
Transmit Delay: Enter a value from 1-8192 seconds to specify the time for the local device to transmit LLDPDUs to its neighbors after changes occur to prevent LLDPDUs from being sent frequently. The default value is 2.
Reinit Delay: The amount of delay from when LLDP Status becomes “Disable” until re-initialization will be attempted. The default value is 3.
SNMP Notification Interval: Specify the interval of Trap Messages to be sent from the local Device to Network Management system. The default value is 5.
Fast Start Count: When the Port’s LLDP state changes from Disable (Rx_Only) to Enable (Tx&Rx or Tx Only), the fast start mechanism will be Enabled. This shortens the transmit interval to one second, and several LLDPDUs will be sent out (the number of LLDPDUs equals this parameter). The default value is 3.

CAUTION: LLDP Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

14.1.2 Port Config

On this page you can configure the Port(s) LLDP parameters.

Choose the menu LLDP>>LLDP Config>>LLDP Port Config to load the following page:

Figure 14-2 LLDP Port Config

The following entries are displayed on this screen:

LLDP Port Config

Port Select: Select the desired Port(s) to configure.
Admin Status: Select the Port’s LLDP operating mode:
  Tx&Rx: Send and Receive LLDP frames.
  Rx_Only: Receive LLDP frames only.
  Tx_Only: Send LLDP frames only.
  Disable: neither Send nor Receive LLDP frames.
SNMP Notification Mode: Allows you to Enable or Disable the Ports’ SNMP Notifications. If Enabled, the local Device will notify using a Trap Event to the SNMP Management Station.
Included TLVs: Select TLVs to be included in outgoing LLDPDUs.
Details: Click the Detail button to display the included TLVs and select the desired TLVs.

CAUTION: Port Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

14.2 Device Info

Here you can view the LLDP information of the local Device and its neighbors on the Local Info and Neighbor Info pages respectively.

14.2.1 Local Info

On this page you can see the Port configurations and System Settings information.

Choose the menu LLDP>>Device Info>>Local Info to load the following page:

Figure 14-3 LLDP Local Info

The following entries are displayed on this screen:

Auto Refresh

Auto Refresh: Enable/Disable the Auto Refresh function.
Refresh Rate: Specify the Auto Refresh Rate.

Local Info

Enter the desired Port number and click Select to display the information for the corresponding Port.

CAUTION: Local Info settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

14.2.2 Neighbor Info

On this page you can view the information of Neighbor Devices.

Choose the menu LLDP>>Device Info>>Neighbor Info to load the following page.

Figure 14-4 LLDP Neighbor Information

The following entries are displayed on this screen:

Auto Refresh

Auto Refresh: Enable/Disable the Auto Refresh function.
Refresh Rate: Specify the Auto Refresh Rate.

Neighbor Info

Port Select: Click the Select button to quick-select the corresponding Port.
Local Port: Displays the local Port number connected to the Neighbor Device.
System Name: Displays the System Name of the Neighbor Device.
Chassis ID: Displays the Chassis ID of the Neighbor Device.
System Description: Displays the System Description of the Neighbor Device.
Neighbor Port: Displays the Port number of the Neighbor linked to a local Port.
Information: Click Information to display the detailed information for the Neighbor Device.

CAUTION: Neighbor Info settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

14.3 Device Statistics

Here you can view the LLDP statistics of the local Device.

Choose the menu LLDP>>Device Statistics>>Statistic Info to load the following page:

Figure 14-5 LLDP Statistic Information

The following entries are displayed on this screen:

Auto Refresh

Auto Refresh: Enable/Disable the Auto Refresh function.
Refresh Rate: Specify the Auto Refresh Rate.

Global Statistics

Last Update: Displays latest Update time for the Statistics.
Total Inserts: Displays the number of Neighbors inserted since the last Update time.
Total Deletes: Displays the number of Neighbors Deleted by the local Device.
Total Drops: Displays the number of Neighbors Dropped by the local Device.
Total Ageouts: Displays the number of Neighbors that have Aged Out on local Device.

Neighbor Statistics

Port Select: Click the Select button to quick-select the corresponding Port.
Port: Displays local Device’s Port number.
Transmit Total: Displays the number of LLDPDUs Sent by this Port.
Receive Total: Displays the number of LLDPDUs Received by this Port.
Discards: Displays the number of LLDPDUs Discarded by this Port.
Errors: Displays the number of error LLDPDUs Received by this Port.
Ageouts: Displays the number of Aged Out Neighbors linking to this Port.
TLV Discards: Displays the number of TLVs Dropped by this Port.
TLV Unknowns: Displays the number of Unknown TLVs Received by this Port.

CAUTION: Device Statistics settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

14.4 LLDP-Media

LLDP-Media is an extension of LLDP intended to assist managing endpoint devices such as Voice over IP Phones and Network Switches. The LLDP-MED TLVs advertise information such as Network Policy, Power via MDI, Inventory Management information and Device Location details.

Elements

LLDP-MED Device: Refers to any device which implements this Extension.
LLDP-MED Device Type: LLDP-MED Devices have two primary device types: Network Connectivity Devices and Endpoint Devices.
Network Connectivity Device: Refers to an LLDP-MED Device that provides access to the IEEE 802 based LAN infrastructure for LLDP-MED Endpoint Devices. This Switch is a Network Connectivity Device.
Endpoint Device: Refers to an LLDP-MED Device at the Network edge providing some type of IP communications service based on IEEE 802 LAN technology. Endpoint Devices may be a member of any of the Endpoint Device Classes. Endpoint Devices have three defined Classes: Class I, Class II and Class III.
Generic Endpoint Device (Class I): The most basic class of Endpoint Device.
Media Endpoint Device (Class II): This class of Endpoint Device supports Media Stream capabilities.
Communication Device Endpoint (Class III): This class of Endpoint Device supports end Users of the IP communication system.

The following LLDP-MED optional TLVs are supported in XMS-1024P.
Network Policy TLV
The Network Policy TLV allows both Network Connectivity Devices and Endpoints to advertise VLAN configuration and associated Layer 2 and Layer 3 attributes that apply to specified applications on that Port.

Location Identification TLV
The Location Identification TLV provides Location Identification information to Communication Endpoint Devices based on the configuration of the Network Connectivity Device it is connected to. If the Location Identification TLV is included and Location Identification Parameters are not set, a default value is used in place of the Location Identification TLV.

Extended Power-Via-MDI TLV
The Extended Power-Via-MDI TLV is intended to enable Advanced Power Management between LLDP-MED Endpoint and Network Connectivity Devices. It allows advertisement of low level Power requirement details, Endpoint Power Priority and both Endpoint and Network Connectivity Device Power status.

Inventory TLV
The Inventory TLV contains seven basic Inventory Management TLVs: Hardware Revision TLV, Firmware Revision TLV, Software Revision TLV, Serial Number TLV, Manufacturer Name TLV, Model Name TLV and Asset ID TLV. If support for any of the TLVs in the Inventory Management set is implemented then support for all Inventory Management TLVs is implemented.

LLDP-Media is configured on the LLDP-Media Config, LLDP-Media Port Config, LLDP-Media Local Info and LLDP-Media Neighbor Info pages.

14.4.1 LLDP-Media Config

On this page you can configure the Global LLDP-MED parameters of the device.
Choose the menu LLDP>>LLDP-Media>>LLDP Media Config to load the following page:

Figure 14-6 LLDP-MED Global Configuration

The following entries are displayed on this screen:

LLDP-MED Parameters Config

Fast Start Count: When the LLDP-MED fast start mechanism is activated, multiple LLDP-MED frames will be transmitted based on this parameter.
Device Class: LLDP-MED Devices are of two primary device types: Network Connectivity Devices and Endpoint Devices. Endpoint Devices have three defined Classes: Class I, Class II and Class III. Bridge is a Network Connectivity Device.

CAUTION: LLDP-Media Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

14.4.2 LLDP-Media Port Config

On this page you can configure the Port(s) LLDP-MED parameters.

Choose the menu LLDP>>LLDP-Media>>LLDP-Media Port Config to load the following page:

Figure 14-7 LLDP-Media Port Config

The following entries are displayed on this screen:

LLDP-MED Port Config

Port Select: Select the desired Port(s) to configure.
LLDP-MED Status: Configure the Port’s LLDP-MED status:
  Enable: Enables the Port’s LLDP-MED status, and the Port’s Admin Status will be changed to Tx&Rx.
  Disable: The Port’s LLDP-MED status will be completely Disabled.
Included TLVs: Select TLVs to be included in outgoing LLDPDU.
Details: Click the Detail button to display the included TLVs and to select the desired TLVs.

Included TLVs

Select TLVs to be included in outgoing LLDPDUs.

Location Identification Parameters

Configure the Location Identification TLV’s content in outgoing LLDPDUs.
Emergency Number: An Emergency Call Service ELIN identifier which is used during emergency call setup to a traditional CAMA or ISDN Trunk-Based PSAP.
Civic Address: The Civic Address will reuse the relevant sub-fields of the DHCP option for Civic Address based Location Configuration Information as specified by IETF.

CAUTION: LLDP-Media Port Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

14.4.3 LLDP-Media Local Info

On this page you can view the Port LLDP-MED configuration.

Choose the menu LLDP>>LLDP-Media>>LLDP-Media Local Info to load the following page:

Figure 14-8 LLDP-Media Local Info

The following entries are displayed on this screen:

Auto Refresh

Auto Refresh: Enable/Disable the Auto Refresh function.
Refresh Rate: Specify the Auto Refresh Rate.

Local Info

Enter the desired Port number and click Select to display the information of the corresponding Port.

CAUTION: LLDP-Media Local Info settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

14.4.4 LLDP-Media Neighbor Info

On this page you can view the LLDP-MED information of Neighbor Devices.

Choose the menu LLDP>>LLDP-Media>>LLDP-Media Neighbor Info to load the following page:

Figure 14-9 LLDP-Media Neighbor Info

The following entries are displayed on this screen:

Auto Refresh

Auto Refresh: Enable/Disable the Auto Refresh function.
Refresh Rate: Specify the Auto Refresh Rate.

Neighbor Info

Port Select: Click the Select button to quick-select the corresponding Port.
Local Port: Displays the local Port number connected to the Neighbor Device.
Device Type: Displays the Device Type of the Neighbor.
Application Type: Displays the Application Type of the Neighbor. Application Type indicates the primary function of the applications defined for the Network policy.
Local Data Format: Displays the Location Identification of the Neighbor.
Power Type: Displays the Power Type of the Neighbor device: Power Sourcing Entity (PSE) or Powered Device (PD).
Information: Click the Information button to Display detailed information for the corresponding Neighbor.

CAUTION: LLDP-Media Neighbor Info settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

15 CLUSTER

With the development of IP-based technology, the scale of Networks is getting larger and requiring more Network devices, which results in more and more complicated Network Management Systems. Large numbers of devices need to be assigned different Network Addresses and every Managed device needs to be configured to meet the application requirements of the Network. This requires more manpower.

The Cluster Management function solves this problem by centrally managing scattered devices in the Network. A Network administrator can Manage and Maintain Switches in the cluster via a Commander Switch. The Commander Switch is the manager of the Cluster and all other Switches are considered member Switches.

The typical Cluster topology is shown below:

Figure 15-1 Cluster topology

Cluster Role

According to their function and status in a Cluster, Switches in the Cluster will play different roles.
You can specify the role this Switch plays. There are three roles in a Cluster.

Commander Switch: Indicates this Device can configure and manage all Member Devices in a Cluster. The Commander discovers and determines the Candidate Switches by collecting NDP (Neighbor Discovery Protocol) and NTDP (Neighbor Topology Discovery Protocol) information.
Member Switch: Indicates the Device is Managed by the Commander.
Candidate Switch: Indicates the Device does not belong to any Cluster though it can be added to a Cluster.
Individual Switch: Indicates the Device has the Cluster feature Disabled.

The roles can be changed following these specific Rules.

The Switch on which the Cluster is created is specified as the Commander.
The Commander Switch discovers and determines Candidate Switches by collecting related information.
After being added to the Cluster, a Candidate Switch becomes a Member Switch.
After being removed from the Cluster, a Member Switch becomes a Candidate Switch again.
The Commander Switch becomes a Candidate Switch only when the Cluster is Deleted.

NOTE: The XMS-1024P Switch cannot be configured as Commander Switch and cannot manage the Cluster.

Introduction to Cluster

The Cluster functions used to Configure and Manage the Switches in the Cluster are based on three protocols, NDP, NTDP and CMP (Cluster Management Protocol).

NDP: All Switches get Neighbor information by collecting NDPs.
NTDP: The Commander collects NDP information and neighboring connection information of each device in a specified Network range to determine the Candidate Switches in the Cluster.
Cluster Maintenance: The Commander adds Candidate Switches to the Cluster and removes Member Switches from the Cluster using the collected NTDP information.
The Cluster module is used for Cluster Management Configuration and includes three submenus: NDP, NTDP and Cluster.

15.1 NDP

NDP (Neighbor Discovery Protocol) is used to pass the information of directly connected Neighbor Devices to support Cluster establishment. An NDP-Enabled device sends NDP packets regularly to Neighbor Devices as well as receiving NDP packets from Neighbor Devices. An NDP packet carries NDP information (including the Device Name, MAC Address, Firmware Version, etc.).

A Switch maintains a Neighbor Information table which contains the NDP information of each discovered Neighbor Switch. If a Switch receives the NDP information of a new Neighbor it will add the information to the Neighbor Information Table. If the received NDP information is different from old information already existing in the Table the Switch will update the Neighbor Information Table. If the received NDP information is the same as the old information the Switch will just update the Aging Time. If the Switch does not receive NDP information within the Aging Time limit the Switch will remove the corresponding information from the Table automatically.

The NDP function is implemented on the NDP Neighbor Info, NDP Summary and NDP Config pages.

15.1.1 NDP Neighbor Info

On this page you can view the NDP Neighbor information.

Choose the menu Cluster>>NDP>>NDP Neighbor Info to load the following page:

Figure 15-2 NDP Neighbor Info

The following entries are displayed on this screen:

NDP Neighbor Search

Search Option: Select the information the desired Entry should contain and then click the Search button to display the desired Entry in the Neighbor Information table.

Neighbor Info

Native Port: Displays the Port number of the local Switch.
Remote Port: Displays the Port number of the Neighbor Switch which is connected to the corresponding Port.
Device Name: Displays the Name of the Neighbor Switch.
Device MAC: Displays MAC Address of the Neighbor Switch.
Firmware Version: Displays the Firmware Version of the Neighbor Switch.
Aging Time: Displays the period of time for the Switch to keep the NDP packets from the Neighbor Switch.

15.1.2 NDP Summary
On this page you can view the NDP Configuration of the Switch.
Choose the menu Cluster>>NDP>>NDP Summary to load the following page:
Figure 15-3 NDP Summary
The following entries are displayed on this screen:

NDP Config Status
NDP: Displays the Global NDP status (Enabled/Disabled) for the Switch.
Aging Time: Displays the period of time for the Neighbor Switch to keep the NDP packets from this Switch.
Hello Time: Displays the Interval used when sending NDP packets.

Port Status
Port: Displays the Port Number of the Switch.
NDP: Displays the NDP Status (Enabled/Disabled) for the current Port.
Send NDP Packets: Displays the count of Sent NDP packets.
Receive NDP Packets: Displays the count of Received NDP packets.
Error NDP Packets: Displays the count of Received error NDP packets.
Neighbors: Displays the count of connected Neighbors.
Detail: Click the Detail link to view the detailed information collected on the Port.

15.1.3 NDP Config
On this page you can configure the NDP functions of the Switch.
Choose the menu Cluster>>NDP>>NDP Config to load the following page:
Figure 15-4 NDP Config
The following entries are displayed on this screen:

NDP Config
NDP: Select to Enable/Disable NDP function Globally.
Aging Time: Enter the period of time the Neighbor Switch should keep the NDP packets from this Switch.
Hello Time: Enter the Interval used when sending NDP packets.

Port Config
Select: Select the desired Port(s) to configure its NDP status.
Port: Displays the Port Number of the Switch.
NDP: Displays NDP Status of the current Port.
Enable: Click the Enable button to enable NDP for the Port you select.
Disable: Click the Disable button to disable NDP for the Port you select.

CAUTION: NDP Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.
NOTE: The NDP functions are effective only when NDP is enabled Globally and for at least one Port.
NOTE: The Aging Time should be set higher than the Hello Time value.

15.2 NTDP
NTDP (Neighbor Topology Discovery Protocol) is used by the Commander to collect NDP information. NTDP packets transmit and forward NTDP topology information collection requests based on the NDP Neighbor Information Table. The information is then collected and the NDP information and neighboring connection information of each device in a specified Network range is recorded. The Commander collects the specified Topology in the Network regularly. You can also enable Topology Collection Manually on the Commander Switch.

After the Commander Switch sends out NTDP request packets, the Member Switches receive the request packets and send out response packets. This can result in Network congestion and Commander Switch overload. To avoid this, two Time Parameters are designed to control the spread of NTDP request packets.
NTDP Hop Delay: The amount of time between the Switch receiving the NTDP request packets and the Switch forwarding NTDP response packets for the first time.
NTDP Port Delay: The amount of time between the Port forwarding NTDP request packets and its adjacent Port forwarding NTDP request packets.

The NTDP function can be implemented on NTDP Device Table, NTDP Summary and NTDP Config pages.

15.2.1 NTDP Device Table
On this page you can view the information of the devices collected by NTDP. Even if a cluster is not established, you can manually collect NTDP information at any time to manage and control devices.
Choose the menu Cluster>>NTDP>>NTDP Device Table to load the following page:
Figure 15-5 NTDP Device Table
The following entries are displayed on this screen:

Device Table
Device Type: Displays the Device Type collected through NTDP.
Device MAC: Displays the MAC Address of the Device.
Cluster Name: Displays the Cluster Name of the Device.
Role: Displays the Role the Device plays in the Cluster.
  Commander: Indicates the Device that can configure and manage all the devices in a Cluster.
  Member: Indicates a Device that is managed in a Cluster.
  Candidate: Indicates a Device that does not belong to any Cluster though it can be added to a Cluster.
  Individual: Indicates the device with cluster feature disabled.
Hops: Displays the Hop Count from this Device to the Switch.
Neighbor Info: Click the Detail link to view the detailed information for this Device and its Neighbors.
Collect Topology: Click the Collect Topology button to collect NTDP topology information.

Figure 15-6 Detailed Information for the Current Device

15.2.2 NTDP Summary
On this page you can view the NTDP configuration.
Choose the menu Cluster>>NTDP>>NTDP Summary to load the following page:
Figure 15-7 NTDP Summary
The following entries are displayed on this screen:

NTDP Config Status
NTDP: Displays the NTDP status (Enabled/Disabled) of the Switch.
NTDP Interval Time: Displays the Interval for collecting Topology information.
NTDP Hops: Displays the Hop Count of the Switch topology.
NTDP Hop Delay: Displays the Time between the Switch receiving an NTDP request packet and the Switch forwarding an NTDP request packet for the first time.
NTDP Port Delay: Displays the Time between the Port forwarding NTDP request packets and its adjacent Port forwarding NTDP request packets.

Port Status
Port: Displays the Port Number of the Switch.
NTDP: Displays NTDP Status (Enabled/Disabled) of the current Port.

15.2.3 NTDP Config
On this page you can configure NTDP Globally.
Choose the menu Cluster>>NTDP>>NTDP Config to load the following page:
Figure 15-8 NTDP Config
The following entries are displayed on this screen:

Global Config
NTDP: Enable/Disable NTDP for the Switch Globally.
NTDP Interval Time: Enter the Interval used for collecting Topology information. The default is 1 minute.
NTDP Hops: Enter the Hop Count for which data is collected. The default is 3 hops.
NTDP Hop Delay: Enter the Time between the Switch receiving NTDP request packets and the Switch forwarding NTDP request packets for the first time. The default is 200 milliseconds.
NTDP Port Delay: Enter the Time between the Port forwarding NTDP request packets and its adjacent Port forwarding NTDP request packets. The default is 20 milliseconds.

Port Config
Select: Select the desired Port(s) for NTDP status configuration.
Port: Displays the Port Number of the Switch.
NTDP: Displays NTDP Status (Enabled/Disabled) of the current Port.
Enable: Click the Enable button to Enable the NTDP feature for the Port(s) you select.
Disable: Click the Disable button to Disable the NTDP feature for the Port(s) you select.

CAUTION: NTDP Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.
NOTE: The NTDP function is effective only when NTDP is Enabled Globally and on at least one Port.

15.3 Cluster
A Commander Switch can recognize and add a Candidate Switch to a Cluster Automatically based on NDP and NTDP. You can Manually add a Candidate Switch to a Cluster. If the Candidate Switch is successfully added to the Cluster it will receive a private IP Address assigned by the Commander Switch. You can manage and configure the member Switch via the Commander Switch.

Note: The XMS-1024P cannot be configured as a Commander Switch and cannot manage the Cluster.

The Cluster function is implemented on the Cluster Summary and Cluster Config pages.

15.3.1 Cluster Summary
On this page you can view the Status of the current Cluster.
Choose the menu Cluster>>Cluster>>Cluster Summary to load the following page:
Figure 15-9 Cluster Summary for Candidate Switch
The following entries are displayed on this screen:

Cluster Config Status
Cluster: Displays the Cluster Status (Enabled/Disabled) of the Switch.
Cluster Role: Displays the role the Switch plays in the Cluster.

15.3.2 Cluster Config
On this page you can configure the Status of the Cluster the Switch belongs to.
Choose the menu Cluster>>Cluster>>Cluster Config to load the following page:
Figure 15-12 Cluster Configuration for Candidate Switch
The following entries are displayed on this screen:

Current Role
Role: Displays the Role the Switch plays in the Cluster.

Role Change
Individual: Select this option to change the role of the Switch.

16 MAINTENANCE
The maintenance function provides some commonly used tools to help manage the Switch. It offers a convenient method for locating and solving Network problems.
CPU Monitor/Memory Monitor: Monitors the utilization status of Memory and the CPU in the Switch.
System Logs: Allows you to view logs generated by the Switch and find errors via the Logs.
Cable Test: Allows you to test the connection status of a cable to locate and diagnose potential cabling issues.
Loopback: Allows you to test whether the Ports of the Switch and its peer device are available.
Network Diagnostics: Tests whether the destination device is reachable and detects the route hops from the Switch to the destination device.

16.1 System Monitor
System Monitor displays the utilization status of the Memory and the CPU of the Switch. The CPU utilization rate and the Memory utilization rate do fluctuate. However, if the CPU utilization rate or the Memory utilization rate increases dramatically, it can indicate the Network is under attack or configured improperly.

The System Monitor function is implemented on the CPU Monitor and Memory Monitor pages.

16.1.1 CPU Monitor
Choose the menu Maintenance>>System Monitor>>CPU Monitor to load the following page:
Figure 16-1 CPU Monitor
Click the Monitor button to enable monitoring and display of the CPU utilization rate every four seconds.

16.1.2 Memory Monitor
Choose the menu Maintenance>>System Monitor>>Memory Monitor to load the following page:
Figure 16-2 Memory Monitor
Click the Monitor button to enable monitoring and display of the Memory utilization rate every four seconds.

16.2 System Logs
The Log system of the Switch can record, classify and manage the System Logs effectively, providing a powerful support tool for the Network administrator to monitor Network operations and diagnose malfunctions.

The Switch Logs are classified into the following eight levels.

Severity             Level   Description
emergencies          0       The system is unusable.
alerts               1       Action must be taken immediately.
critical             2       Critical conditions
errors               3       Error conditions
warnings             4       Warning conditions
SNMP Notifications   5       Normal but significant conditions
informational        6       Informational messages
debugging            7       Debug-level messages

Table 16-1 Log Level

The System Logs function is implemented on the Log Table, Local Log Config, Syslog Config and Backup Log File pages.

16.2.1 Log Table
The Switch supports log output in two formats: the log buffer and a log file. The information in the log buffer will be lost after the Switch is rebooted or powered off. The information in the log file will be kept even if the Switch is rebooted or powered off. The Log Table displays the information in the log buffer.
Choose the menu Maintenance>>Log>>Log Table to load the following page:
Figure 16-3 Log Table
The following entries are displayed on this screen:

Log Info
Index: Displays the Index of the log Entry.
Time: Displays the Time when the log Event occurred.
The log will have the correct Time after you have configured the System>>System Settings>>System Time page.
Module: Displays the Module which the log information belongs to. You can select a Module from the drop-down list to display the corresponding log information.
Severity: Displays the Severity Level of the log Entry. You can select a Severity Level to display the log information whose Severity Level value is the same or smaller.
Content: Displays the Content of the log information.

Note: Logs are classified into eight levels based on Severity. The higher the Severity, the lower the corresponding level.
Note: This page displays logs in the log buffer and has a limit of 512 logs.

16.2.2 Local Log Config
Local Log is log information saved on the Switch. By default all system logs are saved in the log buffer and the logs with severities from level_0 to level_4 are saved in the log file. On this page you can set the output channel for the logs.
Choose the menu Maintenance>>System Logs>>Local Log Config to load the following page:
Figure 16-4 Local Log Config
The following entries are displayed on this screen:

Local Log Config
Select: Select the desired Entry to configure the corresponding Local Log.
Log Buffer: Indicates the location to which the system log is saved. The information in the log buffer is displayed on the Log Table page. It is lost when the Switch is restarted.
Log File: Indicates the location to which the system log is saved. The information in the Log File will not be lost after the Switch is restarted and can be exported on the Backup Log page.
Severity: Specifies the Severity Level of the log information output to each channel.
Only the log with the same or smaller Severity Level will be saved.
Status: Enable/Disable the Channel.

CAUTION: Local Log Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

16.2.3 Syslog Config
The Syslog feature enables the Switch to send System Logs to a Log Server. The Log Server is used to centralize System Logs from various devices for the administrator to monitor and manage the Network.
Choose the menu Maintenance>>Log>>Syslog Config to load the following page:
Figure 16-5 Syslog Config
The following entries are displayed on this screen:

Syslog Hosts
Index: Displays the Index of the Syslog Host. The Switch supports up to 4 Syslog Hosts.
Host IP: Configure the IP for the Syslog Host.
UDP Port: Displays the UDP Port used for Receiving/Sending log information. The default is Port 514.
Severity: Specifies the Severity Level of the log information to be sent to each Syslog Host. Only logs with the same or smaller Severity Level value will be sent to the corresponding Syslog Host.
Status: Enable/Disable the Syslog Host.

CAUTION: Syslog Config settings will be restored to defaults if the Switch is restarted and you have not selected Save Config from the main menu and saved your running configuration to non-volatile memory.

16.2.4 Backup Log
The Backup Log feature allows the system logs saved in the Switch to be output as a file for device diagnosis and statistics analysis.
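
The severity rule from 16.2.2 and 16.2.3 (a log is output to a channel only when its Severity Level value is the same or smaller than the configured one), checked from the Log Server's side. This is an added example, not Luxul code; it assumes the Switch sends the standard syslog PRI header (PRI = facility × 8 + severity), which this guide does not state, and the sample lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# Severity names as listed in Table 16-1 of this guide (0 is the most severe).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "SNMP Notifications", 6: "informational", 7: "debugging",
}

# Default from section 16.2.2: only level_0 to level_4 reach the persistent log file.
DEFAULT_LOG_FILE_THRESHOLD = 4

_PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(line):
    """Return (facility, severity, message), or None if the line is malformed.

    Assumption: standard syslog PRI header, valid range 0..191.
    """
    match = _PRI.match(line.rstrip("\r\n"))
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:
        return None
    return pri >> 3, pri & 0x07, match.group(2)


def is_forwarded(severity, threshold):
    """The guide's rule: output only logs whose level value is the same or smaller."""
    return severity <= threshold


def triage(lines, host_threshold, file_threshold=DEFAULT_LOG_FILE_THRESHOLD):
    """Classify received lines against the thresholds configured on the Switch.

    unexpected:  level value above the threshold set for this Syslog Host, so the
                 Switch setting differs from what was intended (for example it was
                 restored to defaults after a restart without Save Config) or the
                 line came from another sender.
    buffer_only: level value above the log file threshold; on the Switch these
                 exist only in the log buffer and are lost on restart, so the
                 Log Server copy is the only durable one.
    """
    by_severity = Counter()
    unexpected, buffer_only, malformed = [], [], []
    for line in lines:
        parsed = parse_pri(line)
        if parsed is None:
            malformed.append(line)
            continue
        _facility, severity, message = parsed
        by_severity[severity] += 1
        if not is_forwarded(severity, host_threshold):
            unexpected.append((severity, message))
        if not is_forwarded(severity, file_threshold):
            buffer_only.append((severity, message))
    return {
        "by_severity": dict(by_severity),
        "unexpected": unexpected,
        "buffer_only": buffer_only,
        "malformed": malformed,
    }


# Constructed sample input (not captured from a real Switch).
SAMPLE_LINES = [
    "<187>Aug 13 10:00:01 switch-a constructed: link down on port 5",
    "<188>Aug 13 10:00:02 switch-a constructed: temperature warning",
    "<190>Aug 13 10:00:05 switch-a constructed: user logged in",
    "<191>Aug 13 10:00:06 switch-a constructed: debug trace",
    "no PRI header here",
    "<999>PRI value out of range",
]

if __name__ == "__main__":
    report = triage(SAMPLE_LINES, host_threshold=6)
    for level, count in sorted(report["by_severity"].items()):
        print(f"level {level} ({SEVERITY_NAMES[level]}): {count}")
    print("unexpected for this host:", report["unexpected"])
    print("only in the log buffer on the Switch:", len(report["buffer_only"]))
    print("malformed:", len(report["malformed"]))
```
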
Choose the menu Maintenance>>Log>>Backup Log File to load the following page:
Figure 16-6 Backup Log
The following entry is displayed on this screen:

Backup Log
Backup Log: Click the Backup Log button to save the log as a file to your computer.

Note: It may take a few minutes to back up the log file. Please be patient.

16.3 Device Diagnostics
This Switch provides Cable Test and Loopback functions for device diagnostics.

16.3.1 Cable Test
The Cable Test function tests the connection status of the cable connected to the Switch, which helps you to locate and diagnose cable issues.
Choose the menu Maintenance>>Device Diagnostics>>Cable Test to load the following page:
Figure 16-7 Cable Test
The following entries are displayed on this screen:

Cable Test
Port: Select the Port for Cable Testing.
Pair: Displays the Pair Number.
Status: Displays the Connection Status of the cable connected to the Port. The test results of the cable include normal, close, open, short, impedance or unknown.
Length: If the Connection Status returned is normal, this will attempt to display the Length Range of the Cable.
Error: If the Connection Status is close, open or impedance, this will attempt to display the Length Range of the bad cable.

Note: The Lengths displayed are the lengths of the pairs in the cable, not that of the physical cable.
Note: The Length results are an approximation and are not to be exactly relied upon.

16.3.2 Loopback
The Loopback test function loops the sender and the receiver of the signal and is used to test whether the Port of the Switch is available as well as to check and analyze the physical connection status of the Port.
Choose the menu Maintenance>>Device Diagnostics>>Loopback to load the following page:
Figure 16-8 Loopback
The following entries are displayed on this screen:

Loopback Type
Internal: Select Internal to test whether the Port is available.
External: Select External to test whether the Device connected to the Port of the Switch is available.

Loopback Port
Loopback Port: Select the desired Port for Loopback testing.
Test: Click the Test button to start the Loopback test on the Port.

16.4 Network Diagnostics
This Switch provides Ping and Trace Route test functions for Network diagnostics.

16.4.1 Ping
The Ping test function tests the connectivity between the Switch and a node of the Network. This helps test Network connectivity.
Choose the menu Maintenance>>Network Diagnostics>>Ping to load the following page:
Figure 16-9 Ping
The following entries are displayed on this screen:

Ping Config
Destination IP: Enter the IP Address of the Destination node for Ping testing.
Ping Times: Enter the number of times to send test Data during Ping testing. The default value is recommended in most cases.
Data Size: Enter the Size of the sent Data during Ping testing. The default value is recommended.
Interval: Specify the Interval to send ICMP request packets. The default value is recommended.

16.4.2 Trace Route
The Trace Route test function is used to test the connectivity of gateways during the packets' journey from the Source to the Destination of the test Data.
Choose the menu Maintenance>>Network Diagnostics>>Trace Route to load the following page:
Figure 16-10 Trace Route
The following entries are displayed on this screen:

Trace Route Config
Destination IP: Enter the IP Address of the Destination Device.
Max Hop: Specify the Maximum number of the Route Hops the test Data can pass through.

17 SAVE CONFIG
The Save Config function is used to Save the Running Configuration of the Switch to Non-Volatile RAM. If the running configuration is not saved in this manner, a Reboot or Power cycle of the Switch will cause any custom Configuration changes to be lost.
Choose the menu Save Config to load the following page.
Figure 17-1 Save Config
The following is displayed on this screen:
OK: Press the OK button to Save the Running configuration to Non-Volatile RAM.
Cancel: Press the Cancel button to back out of the Save Config option.

18 REGULATORY COMPLIANCE
The device complies with internationally recognized standards covering human exposure to electromagnetic fields from radio devices. This equipment also complies with FCC radiation exposure limits set forth for an uncontrolled environment. In order to avoid the possibility of exceeding the FCC radio frequency exposure limits, human proximity to the antenna shall not be less than 20 cm (8 inches) during normal operation.

Unauthorized antennas, modifications, or attachments could cause damage and may violate regulatory approvals. Any changes or modifications not expressly approved by the party responsible for compliance could void the authority to operate the equipment.

The equipment version marketed in the U.S. is restricted to usage of channels 1-11 only on 2.4 GHz and channels 36-48, 149-161 on 5 GHz.

Health and Safety Recommendations
If the product has a power Switch, it can be used to completely power off the unit. When there is no power Switch, the only way to completely shut off power is to disconnect the unit or the power adapter from the power source.
Don't disassemble the product, or make repairs yourself. There are no user serviceable parts inside.
You run the risk of electric shock and voiding the warranty of the unit. If you need service, please contact us.
Avoid water and wet locations.

Warnings for the use of Wireless Devices: Please observe all warning notices with regard to the usage of wireless devices.
Potentially Hazardous Atmospheres: You are reminded of the need to observe restrictions on the use of radio devices in fuel depots, chemical plants etc. and areas where the air contains chemicals or particles (such as grain, dust, or metal powders).
Safety in Hospitals: Wireless devices transmit radio frequency energy and may affect medical electrical equipment. When installed adjacent to other equipment, it is advised to verify that the adjacent equipment is not adversely affected.

RF Exposure Guidelines
Safety Information: The device complies with internationally recognized standards covering human exposure to electromagnetic fields from radio devices.
Warning: Exposure to Radio Frequency (RF) Radiation: The radiated output of this device is below the FCC radio frequency exposure limits. Nevertheless, the device should be used in such a manner that the potential for human contact during normal operation is minimized. The end user must avoid any extended human RF exposure directly in front of the device, up to a distance of 20cm, when the unit is on.

When servicing the equipment and selecting a location for the antennas, it is important to note that a minimum distance of 20cm is required between personnel and the device or antenna to comply with the radio frequency exposure limit.

The antenna used for this transmitter must be installed to provide a separation distance of at least 20cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter.

The following safety precautions should be observed:
Do not touch or move the antenna while the unit is transmitting or receiving.
Do not hold any component containing the radio such that the antenna is very close or touching any exposed parts of the body, especially the face or eyes, while transmitting.
Do not operate the radio or attempt to transmit data unless the antenna is connected; this behavior may cause damage to the radio.

Remote and Standalone Antenna Configurations: To comply with FCC RF exposure requirements, antennas that are mounted externally at remote locations or operating near users at stand-alone desktop or similar configurations must operate with a minimum separation distance of 20 cm from all persons.

Radio Frequency Interference Requirements - FCC
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.

This device complies with part 15 of the FCC Rules. Operation is subject to the following two conditions:
This device may not cause harmful interference.
This device must accept any interference received, including interference that may cause undesired operation.

Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.

Radio Transmitters (Part 15)
This device complies with Part 15 of the FCC Rules.
Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

Hereby, Luxul, 14203 Minuteman Drive, Suite 201, Draper, Utah, 84020, declares that this Luxul device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. For a copy of this report send a self addressed stamped envelope to: Luxul CE, 14203 Minuteman Drive, Suite 201, Draper, Utah, 84020.

Industry Canada (RSS-Gen Issue 2)
This device complies with Industry Canada licence-exempt RSS standard(s). Operation is subject to the following two conditions: (1) this device may not cause interference, and (2) this device must accept any interference, including interference that may cause undesired operation of the device.

The device meets the exemption from the routine evaluation limits in section 2.5 of RSS 102 and compliance with RSS-102 RF exposure; users can obtain Canadian information on RF exposure and compliance.

This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.
This equipment should be installed and operated with a minimum distance of 20 centimeters between the radiator and your body.

CAN ICES-03(B)/NMB-3(B)

COPYRIGHT & TRADEMARKS
Specifications are subject to change without notice. Other brands and product names are trademarks or registered trademarks of their respective holders.

APPENDIX A: SPECIFICATIONS

Standards:
  IEEE802.3 10Base-T Ethernet
  IEEE802.3u 100Base-TX/100Base-FX Fast Ethernet
  IEEE802.3ab 1000Base-T Gigabit Ethernet
  IEEE802.3z 1000Base-X Gigabit Ethernet
  IEEE802.3x Flow Control
  IEEE802.1p QoS
  IEEE802.1q VLAN
  IEEE802.1X/RADIUS Port-based Access Authentication

Transmission Rate:
  Ethernet: 10Mbps HD, 20Mbps FD
  Fast Ethernet: 100Mbps HD, 200Mbps FD
  Gigabit Ethernet: 2000Mbps FD

Transmission Medium:
  10Base-T: UTP/STP of Cat. 3 or above
  100Base-TX: UTP/STP of Cat. 5 or above
  100Base-FX: MMF or SMF SFP Module (Optional)
  1000Base-T: 4-pair UTP (≤100m) of Cat. 5, Cat. 5e, Cat. 6 or above
  1000Base-X: MMF or SMF SFP Module (Optional)

LED: Power, System, Port Status LED, Speed, PoE, PoE Max

Transmission Method: Store and Forward

Packets Forwarding Rate:
  10BASE-T: 14881pps/Port
  100BASE-TX: 148810pps/Port
  1000Base-T: 1488095pps/Port

Operating Environment:
  Operating Temperature: 32°F to 104°F (0°C to 40°C)
  Storage Temperature: -40°C ~ 70°C
  Operating Humidity: 10% ~ 90% RH Non-condensing
  Storage Humidity: 5% ~ 90% RH Non-condensing

GLOSSARY

Access Control List (ACL)
ACLs are used to limit Network traffic and restrict access to certain users or devices by checking each packet for specified IP or MAC (i.e., Layer 2) information.

Boot Protocol (BOOTP)
BOOTP is used to provide boot IP information for Network devices, including IP Address information, the address of a TFTP Server that contains the device's system files, and the name of the boot file.

Class of Service (CoS)
CoS is used to prioritize packets based on the required level of service, and then place them in the appropriate output queue. Data is transmitted from the queues using the weighted round-robin service to enforce priority and prevent blockage of lower-level queues. Priority may be set accordingly on the Port, in the packet's priority bit (part of the VLAN tag), TCP/UDP Port number, or DSCP priority bit.

Differentiated Services Code Point (DSCP)
DSCP uses a six-bit tag to provide for up to 64 different forwarding behaviors. Based on Network policies, different kinds of traffic can be marked for different levels of forwarding priority. The DSCP bits are mapped to the Class of Service categories and then into the output queues.

Domain Name Service (DNS)
A system used for translating host names for Network nodes into IP Addresses.

Dynamic Host Control Protocol (DHCP)
Provides a framework for passing IP configuration information to hosts on a TCP/IP Network.
DHCP is based on the Bootstrap Protocol (BOOTP), adding the capability of automatic allocation of reusable Network addresses and additional configuration options.

Extensible Authentication Protocol over LAN (EAPOL)
EAPOL is a client Authentication protocol used by this Switch to verify the Network access rights for any device that is plugged into the Switch. A User Name and Password are requested by the Switch and are then passed to an Authentication Server (e.g., RADIUS) for verification. EAPOL is implemented as part of the IEEE 802.1X Port Authentication standard.

GARP VLAN Registration Protocol (GVRP)
Allows Switches to exchange VLAN information in order to register necessary VLAN members on Ports across the Spanning Tree so that VLANs defined in each Switch will function automatically over a Spanning Tree Network.

Generic Attribute Registration Protocol (GARP)
The GARP provides a generic attribute dissemination capability that is used by participants in GARP Applications (GARP Participants) to register and de-register attribute values with other GARP Participants within a Bridged LAN. The definition of the attribute types, the values that they can carry, and the semantics that are associated with those values when registered, are specific to the GARP Application.

Generic Multicast Registration Protocol (GMRP)
GMRP allows Network devices to register end stations with Multicast groups. GMRP requires that any participating Network devices or end stations comply with the IEEE 802.1P standard.

Group Attribute Registration Protocol (GARP)
(See Generic Attribute Registration Protocol).

IEEE 802.1D
Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.

IEEE 802.1Q
VLAN Tagging: defines Ethernet frame tags which carry VLAN information.
It allows Switches to assign end stations to different virtual LANs, and defines a standard by which VLANs can communicate across Switched Networks.

IEEE 802.1P
An IEEE standard for providing quality of service (QoS) in Ethernet Networks. The standard uses packet tags that define up to eight traffic classes and allows Switches to transmit packets based on the tagged priority value.

IEEE 802.1X
Port Authentication controls access to the Switch Ports by requiring users to first enter a user ID and Password for Authentication.

IEEE 802.3AC
Defines frame extensions for VLAN tagging.

IEEE 802.3X
Defines Ethernet frame start/stop requests and timers used for flow control on full-duplex links. (Now incorporated in IEEE 802.3-2002.)

Internet Group Management Protocol (IGMP)
A protocol through which hosts can register with their local Router for Multicast services. If there is more than one Multicast Switch/Router on a given subnetwork, one of the devices is made the "querier" and assumes responsibility for keeping track of group membership.

IGMP Snooping
Listening to IGMP Query and IGMP report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.

IGMP Query
On each subnetwork, one IGMP-capable device will act as the querier, that is, the device that asks all hosts to report on the IP Multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP Address in the subnetwork.

IP Multicast Filtering
Allows or denies the Client to add the specified Multicast group.

Multicast Switching
A process whereby the Switch filters incoming Multicast frames for services for which no attached host has registered, or forwards them to all Ports contained within the designated Multicast group.
Layer 2
Data Link layer in the ISO 7-Layer Data Communications Protocol. This is related directly to the hardware interface for Network devices and passes on traffic based on MAC addresses.

Link Aggregation
(See Port Trunk).

Link Aggregation Control Protocol (LACP)
Allows Ports to automatically negotiate a trunked link with LACP-configured Ports on another device.

Management Information Base (MIB)
MIB is an acronym for Management Information Base. It is a set of Database objects that contains information about a specific device.

MD5 Message-Digest Algorithm
An algorithm that is used to create digital signatures. It is intended for use with 32 bit machines and is safer than the MD4 algorithm. MD5 is a one-way hash function. It takes a message and converts it into a fixed string of digits also called a message digest.

Network Time Protocol (NTP)
NTP provides the mechanisms to synchronize time across the Network. The time Servers operate in a hierarchical-master-slave configuration in order to synchronize local clocks within the subnet and to national time standards via wire or radio.

Port Authentication
(See IEEE 802.1X)

Port Mirroring
A method whereby Data on a target Port is mirrored to a monitor Port for troubleshooting with a logic analyzer or RMON probe. This allows Data on the target Port to be studied.

Port Trunk
Defines a Network link Aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links.

Remote Authentication Dial-in User Service (RADIUS)
RADIUS is a logon Authentication protocol that uses software running on a central Server to control access to RADIUS-compliant devices on the Network.

Remote Monitoring (RMON)
RMON provides comprehensive Network monitoring capabilities.
It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types.

Rapid Spanning Tree Protocol (RSTP)
Reduces the convergence time for Network topology changes to about 10% of that required by the older IEEE 802.1D STP standard.

Secure Shell (SSH)
A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt Data connections between Management clients and the Switch.

Simple Network Management Protocol (SNMP)
The application protocol in the Internet suite of protocols that offers Network Management services.

Simple Network Time Protocol (SNTP)
SNTP allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) Server. Updates can be requested from a specified NTP Server, or can be received via broadcasts sent by NTP Servers.

Spanning Tree Algorithm (STA)
A technology that checks your Network for any loops. A loop can often occur in complicated or backup linked Network systems. Spanning Tree detects and directs Data along the shortest available path, maximizing the performance and efficiency of the Network.

Telnet
Defines a remote communication utility for interfacing to a terminal device over TCP/IP.

Transmission Control Protocol/Internet Protocol (TCP/IP)
Protocol suite that includes TCP as the primary transport protocol, and IP as the Network layer protocol.

Trivial File Transfer Protocol (TFTP)
A TCP/IP protocol commonly used for software downloads.

User Datagram Protocol (UDP)
Provides a Datagram mode for packet-Switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services.
UDP packets are delivered just like IP packets: connection-less Datagrams that may be discarded before reaching their targets. UDP is useful when TCP would be too complex, too slow, or just unnecessary.

Virtual LAN (VLAN)
A Virtual LAN is a collection of Network nodes that share the same collision domain regardless of their physical location or connection point in the Network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN.

Information in this document supersedes all previous versions. Products and documents subject to change without notice. Products may be discontinued without notice.

© 2014 Luxul. All Rights Reserved.
a: 14203 Minuteman Drive, Suite 201, Draper, UT 84020-1685 | luxul.com | 801-822-5450
LUX-UG-XMS-1024P Vers: 081314