EdgeSwitch Administration Guide


Aaron Imaoka

EdgeSwitch™ Administration Guide

Table of Contents
About This Document ..... 7
  Purpose and Audience ..... 7
  Document Organization ..... 7
  Products and Models ..... 7
  Related Documents ..... 8
  Typographical Conventions ..... 8

Chapter 1: Getting Started ..... 9
  Connecting the Switch to the Network ..... 9
  Understanding the User Interfaces ..... 9
    Using the EdgeSwitch UI ..... 9
      Accessing the UI ..... 9
      EdgeSwitch UI Page Layout ..... 10
      Device View ..... 10
      Navigation Menu ..... 11
      Configuration and Status Fields ..... 12
      Table Filtering ..... 14
      Help Page Access ..... 14
      User-Defined Fields ..... 14
    Using the Command-Line Interface ..... 15

Chapter 2: Configuring Power over Ethernet ..... 16

Chapter 3: Configuring System Information ..... 18
  Viewing ARP Cache ..... 19
  Viewing Inventory Information ..... 20
  Viewing the Dual Image Status ..... 21
  Viewing System Resources ..... 22
    System Resource Status ..... 22
    System Resource Configuration ..... 23
  Defining General Device Information ..... 24
    System Description ..... 25
    IP Address Conflict Detection ..... 26
    Network Port IPv6 Neighbors ..... 29
    DHCP Client Options ..... 30
    Secure HTTP Configuration ..... 31
    SSH Configuration ..... 32
    Authentication Server Users ..... 36
    Logged in Sessions ..... 38

Ubiquiti Networks, Inc.
    Accounting Selection ..... 40
    Authentication Selection ..... 43
    Last Password Result ..... 47
    Denial of Service Configuration ..... 48
    CLI Banner Configuration ..... 50
  Basic Switch Configuration ..... 51
    Switch Configuration ..... 51
  Managing Logs ..... 52
    Log Configuration ..... 52
    Buffered Log ..... 54
    Event Log ..... 55
    Logging Hosts ..... 56
    Syslog Source Interface Configuration ..... 57
    Persistent Log ..... 58
  Configuring Email Alerts ..... 59
    Email Alert Global Configuration ..... 59
    Email Alert Server Configuration ..... 60
    Email Alert Statistics ..... 61
    Email Alert Subject Configuration ..... 62
    Email Alert To Address Configuration ..... 63
  Viewing Device Port Information ..... 64
    Port Summary ..... 64
    Port Description ..... 66
    Cable Test ..... 67
    Mirroring ..... 68
      Configuring a Port Mirroring Session ..... 69
      Configuring Port Mirroring Source Ports ..... 69
      Configuring the Port Mirroring Destination ..... 70
  Defining SNMP Parameters ..... 71
    SNMP v1 and v2 ..... 71
    SNMP v3 ..... 71
    SNMP Community Configuration ..... 72
    SNMP v1/v2 Trap Receivers Configuration ..... 73
    SNMP v3 Trap Receivers Configuration ..... 74
    SNMP Access Control Group ..... 75
    SNMP User Security Model ..... 76
    SNMP Trap Source Interface Configuration ..... 77
  Viewing System Statistics ..... 79
    Switch Detailed Statistics ..... 79
    Port Summary ..... 81
    Port Detailed Statistics ..... 82
    Network Port DHCPv6 Client Statistics ..... 85


    Time-Based Group Statistics ..... 86
    Time-Based Flow Statistics ..... 87
    Time-Based Statistics ..... 89
  Using System Utilities ..... 90
    System Reset ..... 90
    Ping ..... 90
    TraceRoute ..... 93
    IP Address Conflict Detection ..... 94
    Uploading Files ..... 96
    Downloading Files ..... 97
  AutoInstall ..... 98
  Managing SNMP Traps ..... 100
    System Trap Log ..... 100
    System Trap Flags ..... 101
  Managing the DHCP Server ..... 102
    DHCP Server Global Configuration ..... 102
    DHCP Server Pool Configuration ..... 103
    DHCP Server Pool Options ..... 104
    DHCP Server Bindings Information ..... 106
    DHCP Server Statistics ..... 107
    DHCP Server Conflicts Information ..... 108
  Configuring Time Ranges ..... 109
    Time Range Configuration ..... 109
    Time Range Entry Configuration ..... 110
  Configuring DNS ..... 112
    DNS Global Configuration ..... 112
    DNS IP Mapping Configuration ..... 113
    DNS Source Interface Configuration ..... 114
  Configuring SNTP Settings ..... 115
    SNTP Global Configuration ..... 116
    SNTP Global Status ..... 117
    SNTP Server Configuration ..... 118
    SNTP Server Status ..... 119
  Configuring the Time Zone ..... 121
    Time Zone Configuration ..... 122
    Summer Time Configuration ..... 123

Chapter 4: Configuring Switching Information ..... 125
  Managing VLANs ..... 126
    VLAN Status ..... 126
    VLAN Port Configuration ..... 127
    VLAN Port Summary ..... 128


    VLAN Internal Usage ..... 129
    Reset VLAN Configuration ..... 130
  Managing Voice VLANs ..... 131
    Voice VLAN Configuration ..... 131
    Voice VLAN Interface Summary ..... 131
  Creating MAC Filters ..... 133
    MAC Filter Configuration ..... 133
  GARP Configuration ..... 134
    GARP Switch Configuration ..... 134
  Configuring DHCP Snooping ..... 136
    Global DHCP Snooping Configuration ..... 136
    DHCP Snooping Static Bindings ..... 139
    DHCP Snooping Dynamic Bindings ..... 140
    DHCP Snooping Persistent Configuration ..... 141
    DHCP Snooping Statistics ..... 142
  Configuring IGMP Snooping ..... 143
    Global Configuration and Status ..... 143
    Interface Configuration ..... 144
    IGMP Snooping Source Specific Multicast ..... 145
    IGMP Snooping VLAN Status ..... 146
    IGMP Snooping Multicast Router Configuration ..... 147
    IGMP Snooping Multicast Router VLAN Status ..... 148
    IGMP Snooping Multicast Router VLAN Configuration ..... 149
  Configuring IGMP Snooping Querier ..... 150
    IGMP Snooping Querier Configuration ..... 150
    VLAN Configuration ..... 151
    IGMP Snooping Querier VLAN Status ..... 152
  Creating Port Channels ..... 153
    Port Channel Summary ..... 153
    Port Channel Statistics ..... 155
  Viewing Multicast Forwarding Database Information ..... 156
    Multicast Forwarding Database Summary ..... 156
    Multicast Forwarding Database GMRP Table ..... 157
  Configuring Protected Ports ..... 159
  Configuring Spanning Tree Protocol ..... 160
    Spanning Tree Switch Configuration ..... 160
    Spanning Tree CST Configuration ..... 161
    Spanning Tree CST Port Configuration ..... 163
    Spanning Tree MST Configuration ..... 165
    Spanning Tree MST Port Configuration ..... 167
    Spanning Tree Statistics ..... 169


  Configuring Port Security ..... 171
    Port Security Global Administration ..... 171
    Port Security Interface Status ..... 172
    Port Security Statically Configured MAC Addresses ..... 173
    Port Security Dynamically Learned MAC Addresses ..... 174
  Managing LLDP ..... 175
    LLDP Global Configuration ..... 175
    LLDP Interface Configuration ..... 176
    LLDP Local Device Summary ..... 177
    Remote Device Summary ..... 178
    LLDP Statistics ..... 179
  LLDP-MED ..... 181
    LLDP-MED Global Configuration ..... 181
    LLDP-MED Local Device Information ..... 183
    LLDP-MED Remote Device Information ..... 184

Chapter 5: Configuring Routing ..... 186
  Configuring ARP ..... 187
    ARP Table ..... 188
    ARP Table Configuration ..... 189
  Configuring Global IP Settings ..... 190
    Routing IP Configuration ..... 190
    Routing IP Interface Summary ..... 192
    Routing IP Interface Configuration ..... 194
    Routing IP Statistics ..... 196
  Router ..... 199
    Route Table ..... 199
    Configured Routes ..... 200
      Adding a Static Route ..... 200
  Configuring Policy-Based Routing ..... 202

Chapter 6: Managing Device Security ..... 203
  Port Access Control ..... 203
    Global Port Access Control Configuration ..... 204
    Port Access Control Port Summary ..... 205
    Port Access Control Port Configuration ..... 207
    Port Access Control Port Details ..... 210
    Port Access Control Statistics ..... 212
    Port Access Control Client Summary ..... 214
    Port Access Control Privileges Summary ..... 215
    Port Access Control History Log Summary ..... 216


  RADIUS Settings ..... 217
    RADIUS Configuration ..... 217
    RADIUS Named Server Status ..... 218
    RADIUS Server Statistics ..... 219
    RADIUS Accounting Server Status ..... 220
    RADIUS Accounting Server Statistics ..... 221
    RADIUS Clear Statistics ..... 222
    RADIUS Source Interface Configuration ..... 223
  TACACS+ Settings ..... 224
    TACACS+ Configuration ..... 224
    TACACS+ Server Summary ..... 225
    TACACS+ Server Configuration ..... 226
    TACACS+ Source Interface Configuration ..... 227

Chapter 7: Configuring Quality of Service ..... 228
  Configuring Access Control Lists ..... 229
    IP Access Control Lists ..... 229
    Access Control List Summary ..... 230
    Access Control List Configuration ..... 231
    Access Control List Interface Summary ..... 235
    Access Control List VLAN Summary ..... 236
  Configuring Auto VoIP ..... 237
    Auto VoIP Global Configuration ..... 237
    OUI Table Summary ..... 238
    OUI Based Auto VoIP ..... 239
    Protocol Based Auto VoIP ..... 240
  Configuring Class of Service ..... 242
    CoS IP DSCP Mapping Configuration ..... 242
    CoS Interface Queue Configuration ..... 245
    CoS Interface Queue Drop Precedence Configuration ..... 246
  Configuring Diffserv ..... 247
    Diffserv Global Configuration and Status ..... 247
    Diffserv Class Summary ..... 248
    Diffserv Class Configuration ..... 249
    Diffserv Policy Summary ..... 252
    Diffserv Policy Configuration ..... 253
    Diffserv Service Summary ..... 255
    Diffserv Service Performance Statistics ..... 256
    Diffserv Policy Performance Statistics ..... 257


Appendix A: Configuration Examples  258
  Configuring VLANs  258
    Using the EdgeSwitch UI to Configure VLANs  258
    Using the CLI to Configure VLANs  260
  Configuring Multiple Spanning Tree Protocol  261
    Using the Web UI to Configure MSTP  261
    Using the CLI to Configure MSTP  263
  Configuring VLAN Routing  264
    Using the CLI to Configure VLAN Routing  264
  Configuring Policy-Based Routing  266
    Configuring Policy-Based Routing Using the CLI  266
  Configuring 802.1X Network Access Control  269
    Using the CLI to Configure 802.1X Port-Based Access Control  269
  Configuring Differentiated Services for VoIP  270
    Using the CLI to Configure DiffServ VoIP Support  270
Appendix B: Contact Information  272
  Ubiquiti Networks Support  272
    Online Resources  272

About This Document

This section contains the following information about this document:
· "Purpose and Audience" on page 8
· "Document Organization" on page 8
· "Products and Models" on page 8
· "Related Documents" on page 9
· "Typographical Conventions" on page 9

Purpose and Audience
This guide describes how to configure the EdgeSwitch software features using the browser-based EdgeSwitch user interface (UI). The information in this guide is intended for system administrators who are responsible for configuring and operating a network using EdgeSwitch devices.
To obtain the greatest benefit from this guide, you should have an understanding of the base software and should have read the specification for your networking device platform. You should also have basic knowledge of Ethernet and networking concepts.

Document Organization
This guide contains the following sections:
· "Chapter 1: Getting Started" on page 10 contains information about performing the initial system configuration and accessing the user interface.
· "Chapter 3: Configuring System Information" on page 19 describes how to configure administrative features such as SNMP, system users, and port information.
· "Chapter 4: Configuring Switching Information" on page 126 describes how to manage and monitor the Layer-2 switching features.
· "Chapter 5: Configuring Routing" on page 187 describes how to configure the Layer-3 routing features.
· "Chapter 6: Managing Device Security" on page 204 contains information about configuring switch security information such as port access control, TACACS+, and RADIUS server settings.
· "Chapter 7: Configuring Quality of Service" on page 229 describes how to manage the EdgeSwitch software ACLs, and how to configure the Differentiated Services and Class of Service features.
· "Appendix A: Configuration Examples" on page 259 describes how to configure selected features on the switch using the EdgeSwitch UI, the command-line interface, or Simple Network Management Protocol (SNMP).

Products and Models
This document covers the following Ubiquiti products and models:

Affected Products

Name                       Description                              Part Number
EdgeSwitch 48-port 750W    Managed PoE+ Gigabit Switch with SFP+    ES-48-750W
EdgeSwitch 48-port 500W    Managed PoE+ Gigabit Switch with SFP+    ES-48-500W
EdgeSwitch 24-port 500W    Managed PoE+ Gigabit Switch with SFP     ES-24-500W
EdgeSwitch 24-port 250W    Managed PoE+ Gigabit Switch with SFP     ES-24-250W


Related Documents
· EdgeSwitch CLI Command Reference
· EdgeSwitch Quick Start Guide
For additional information, refer to the EdgeSwitch community website: community.ubnt.com/edgemax

Typographical Conventions
The following table lists typographical conventions used throughout this document.

Convention: what it indicates (example)

Bold: a user selection (Select VLAN 2 from the VLAN ID list; Click Submit) or user-entered text (enter 3 to assign VLAN 3 as the default VLAN).

Italic: the name of a field (delete the existing name in the Username field) or the name of a UI page, dialog box, window, etc. (Use the IP Address Conflict Detection page).

>: the order of navigation selections used to reach a page (To access the Session page, click System > Users > Session).

Courier font: CLI commands and their output (show network).


Using the Command-Line Interface
The command-line interface (CLI) is a text-based way to manage and monitor the system. You can access the CLI through a direct serial connection or remotely over Telnet or SSH. Telnet carries credentials and the whole session in cleartext, so use SSH for remote CLI access and leave Telnet disabled unless it is specifically required; both services are configured from the System menu (see "SSH Configuration" and "Telnet Session Configuration").
The CLI groups commands into modes according to the command function. Each of the command modes supports specific software commands. The commands in one mode are not available until you switch to that particular mode, with the exception of the User EXEC mode commands. You can execute the User EXEC mode commands in the Privileged EXEC mode.
To display the commands available in the current mode, enter a question mark (?) at the command prompt. To display the available command keywords or parameters, enter a question mark (?) after each word you type at the command prompt. If there are no additional command keywords or parameters, or if additional parameters are optional, the following message appears in the output:

    <cr>    Press Enter to execute the command

For more information about the CLI, see the EdgeSwitch CLI Command Reference Guide.

The EdgeSwitch CLI Command Reference lists each command available from the CLI by the command name and provides a brief description of the command. Each command reference also contains the following information:

· The command keywords and the required and optional parameters.

· The command mode you must be in to access the command.

· The default value, if any, of a configurable setting on the device.

Each show command in this document also includes a description of the information displayed by the command.

Configuring Power over Ethernet

Use the buttons to perform the following tasks:
· To edit an interface's PoE settings, select the interface, click Edit, and make the changes as needed. Then click Submit to apply the settings.
· Click Refresh to refresh the page with the most current data from the switch.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.

Chapter 3: Configuring System Information
Use the features in the System feature menu to define the switch's relationship to its environment. The System folder contains links to the following features:
· "Viewing ARP Cache" on page 20
· "Viewing Inventory Information" on page 21
· "Viewing the Dual Image Status" on page 22
· "Viewing System Resources" on page 23
· "Defining General Device Information" on page 25
· "Basic Switch Configuration" on page 52
· "Managing Logs" on page 53
· "Configuring Email Alerts" on page 60
· "Viewing Device Port Information" on page 65
· "Defining SNMP Parameters" on page 72
· "Viewing System Statistics" on page 80
· "Using System Utilities" on page 91
· "Managing SNMP Traps" on page 101
· "Managing the DHCP Server" on page 103
· "Configuring Time Ranges" on page 110
· "Configuring DNS" on page 113
· "Configuring SNTP Settings" on page 116

Defining General Device Information
The System menu's Configuration and Summary submenus contain links to pages for configuring device parameters, including the following:
· "System Description" on page 26
· "IP Address Conflict Detection" on page 27
· "Network Connectivity" on page 27
· "Network Port IPv6 Neighbors" on page 30
· "DHCP Client Options" on page 31
· "HTTP Configuration" on page 31
· "Secure HTTP Configuration" on page 32
· "SSH Configuration" on page 33
· "Telnet Session Configuration" on page 34
· "User Accounts" on page 35
· "Authentication Server Users" on page 37
· "Logged in Sessions" on page 39
· "User Domain Name" on page 39
· "Accounting List" on page 40
· "Accounting Selection" on page 41
· "Authentication List Configuration" on page 42
· "Authentication Selection" on page 44
· "Line Password Configuration" on page 44
· "Enable Password Configuration" on page 45
· "Password Rules" on page 46
· "Last Password Result" on page 48
· "Denial of Service Configuration" on page 49
· "CLI Banner Configuration" on page 51

Denial of Service Configuration Fields (Continued)

SMAC=DMAC
When selected, the device drops packets whose source MAC address equals the destination MAC address.

TCP FIN and URG and PSH
When selected, the device drops packets that have the TCP flags FIN, URG, and PSH set and a TCP sequence number of 0.

TCP Flag and Sequence
When selected, the device drops packets that have all TCP control flags cleared (0) and the TCP sequence number set to 0.

TCP SYN
When selected, the device drops packets that have the TCP SYN flag set. As described, this matches every TCP connection-initiation segment, so verify its effect on legitimate traffic before enabling it on a production port.

TCP SYN and FIN
When selected, the device drops packets that have both the TCP SYN and FIN flags set.

TCP Fragment
When selected, the device drops packets carrying a TCP payload where the IP payload length minus the IP header size is less than the minimum allowed TCP header size.

TCP Offset
When selected, the device drops packets that have a TCP header offset set to 1.

Min TCP Hdr Size
The minimum TCP header size allowed. If First Fragment DoS prevention is enabled, the device drops packets whose TCP header is smaller than this configured value.

ICMP Settings: These options help protect the device and the network from attacks that use the ICMP echo request packets (pings) the device receives.

ICMP
Enable this option to drop ICMP packets of type ECHO_REQ (ping) whose payload size is greater than the value configured in the Max ICMPv4 Size field.

Max ICMPv4 Size
The maximum allowed ICMPv4 packet size. If ICMP DoS prevention is enabled, the device drops ICMPv4 ping packets larger than this configured maximum.

ICMPv6
Enable this option to drop ICMPv6 packets of type ECHO_REQ (ping) whose payload size is greater than the value configured in the Max ICMPv6 Size field.

Max ICMPv6 Size
The maximum allowed ICMPv6 packet size. If ICMP DoS prevention is enabled, the switch drops ICMPv6 ping packets larger than this configured maximum.

ICMP Fragment
Enable this option to drop fragmented ICMP packets.

Use the buttons to perform the following tasks:
· If you change any of the DoS settings, click Submit to apply the changes to the running configuration.
· Click Refresh to refresh the page with the most current data from the switch.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.
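The matching conditions in the table above, written out as testable rules in Python. This is an added illustration and not the switch's firmware: the Packet record, the DosConfig defaults and the sample packets are constructed for the example, and the "TCP Offset" rule follows the table's wording (a TCP header offset equal to 1) literally. Running it shows which options a SYN/FIN scan, a null scan, an oversized ping and a packet with identical source and destination MACs would trip, and why the blanket "TCP SYN" option is left off in the demo configuration.

```python
"""Matching rules for the EdgeSwitch Denial of Service options described above.

Added illustration, not firmware code: each UI option becomes a predicate over a
simplified, already-parsed packet record so the conditions can be read and tested.
Packet, DosConfig and the sample packets are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# TCP control-flag bit values as laid out in the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ICMPV4_ECHO_REQ = 8     # ICMPv4 Echo Request type
ICMPV6_ECHO_REQ = 128   # ICMPv6 Echo Request type


@dataclass
class Packet:
    smac: str
    dmac: str
    ip_version: int = 4
    ip_hdr_len: int = 20          # IP header size, bytes
    ip_total_len: int = 40        # IP header plus IP payload, bytes
    fragmented: bool = False      # MF set or non-zero fragment offset
    proto: str = "tcp"            # "tcp", "icmp" or anything else
    tcp_flags: int = 0
    tcp_seq: int = 0
    tcp_data_offset: int = 5      # TCP header length in 32-bit words
    icmp_type: Optional[int] = None
    icmp_payload_len: int = 0


@dataclass
class DosConfig:
    enabled: Dict[str, bool] = field(default_factory=dict)  # the UI check boxes
    min_tcp_hdr_size: int = 20    # Min TCP Hdr Size
    max_icmpv4_size: int = 512    # Max ICMPv4 Size
    max_icmpv6_size: int = 512    # Max ICMPv6 Size


Rule = Callable[[Packet, DosConfig], bool]


def _is_tcp(p: Packet) -> bool:
    return p.proto == "tcp"


def _is_echo(p: Packet, version: int, echo_type: int) -> bool:
    return p.proto == "icmp" and p.ip_version == version and p.icmp_type == echo_type


RULES: Dict[str, Rule] = {
    # SMAC=DMAC: source MAC equals destination MAC
    "smac_dmac": lambda p, c: p.smac.lower() == p.dmac.lower(),
    # TCP FIN and URG and PSH all set, sequence number 0
    "tcp_fin_urg_psh": lambda p, c: _is_tcp(p)
        and (p.tcp_flags & (FIN | URG | PSH)) == (FIN | URG | PSH)
        and p.tcp_seq == 0,
    # TCP Flag and Sequence: no control flags and sequence number 0
    "tcp_flag_seq": lambda p, c: _is_tcp(p) and p.tcp_flags == 0 and p.tcp_seq == 0,
    # TCP SYN: any segment with SYN set (matches every new connection)
    "tcp_syn": lambda p, c: _is_tcp(p) and bool(p.tcp_flags & SYN),
    # TCP SYN and FIN set together
    "tcp_syn_fin": lambda p, c: _is_tcp(p) and (p.tcp_flags & (SYN | FIN)) == (SYN | FIN),
    # TCP Fragment: IP payload too short to hold the minimum TCP header
    "tcp_fragment": lambda p, c: _is_tcp(p)
        and (p.ip_total_len - p.ip_hdr_len) < c.min_tcp_hdr_size,
    # TCP Offset: header offset of 1, taken literally from the table's wording
    "tcp_offset": lambda p, c: _is_tcp(p) and p.tcp_data_offset == 1,
    # ICMP / ICMPv6: echo request whose payload exceeds the configured maximum
    "icmp": lambda p, c: _is_echo(p, 4, ICMPV4_ECHO_REQ) and p.icmp_payload_len > c.max_icmpv4_size,
    "icmpv6": lambda p, c: _is_echo(p, 6, ICMPV6_ECHO_REQ) and p.icmp_payload_len > c.max_icmpv6_size,
    # ICMP Fragment: any fragmented ICMP packet
    "icmp_fragment": lambda p, c: p.proto == "icmp" and p.fragmented,
}


def matched_rules(p: Packet, cfg: DosConfig) -> List[str]:
    """Names of the enabled checks this packet trips, in table order."""
    return [name for name, rule in RULES.items() if cfg.enabled.get(name) and rule(p, cfg)]


def should_drop(p: Packet, cfg: DosConfig) -> bool:
    return bool(matched_rules(p, cfg))


# Constructed sample packets; the MAC addresses are placeholders
A, B = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SAMPLES: Dict[str, Packet] = {
    "syn_fin_scan": Packet(A, B, tcp_flags=SYN | FIN, tcp_seq=12345),
    "null_scan": Packet(A, B, tcp_flags=0, tcp_seq=0),
    "xmas_seq0": Packet(A, B, tcp_flags=FIN | URG | PSH, tcp_seq=0),
    "normal_syn": Packet(A, B, tcp_flags=SYN, tcp_seq=987654),
    "land_style": Packet(A, A, tcp_flags=SYN, tcp_seq=1),
    "big_ping": Packet(A, B, proto="icmp", icmp_type=ICMPV4_ECHO_REQ, icmp_payload_len=1400),
    "frag_ping6": Packet(A, B, ip_version=6, ip_hdr_len=40, proto="icmp",
                         icmp_type=ICMPV6_ECHO_REQ, icmp_payload_len=64, fragmented=True),
}

# Demo policy: everything on except the blanket TCP SYN drop, which would block all new connections
DEFAULT_DEMO = DosConfig(enabled={name: name != "tcp_syn" for name in RULES})
ALL_ON = DosConfig(enabled={name: True for name in RULES})

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:14s} drop={should_drop(pkt, DEFAULT_DEMO)!s:5} {matched_rules(pkt, DEFAULT_DEMO)}")
```

Because each option is a separate predicate, the same sample packets can be replayed against an all-on configuration to see what enabling the TCP SYN option would additionally drop (in the samples, the ordinary SYN and the land-style packet).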

Log Configuration Fields

Buffered Log Configuration section:

Admin Mode
Enables or disables logging to the buffered (RAM) log file.

Behavior
What the device does when the buffered log is full: overwrite the oldest messages (Wrap) or stop writing new messages to the buffer (Stop on Full).

Command Logger Configuration section:

Admin Mode
Enables or disables logging of the command-line interface (CLI) commands issued on the device. This is the record of administrative changes made at the CLI; for an audit trail that survives a reboot or a compromise of the switch, enable it and forward the log to a syslog host.

Console Log Configuration section:

Admin Mode
Enables or disables logging to any serial device attached to the host.

Severity Filter
Select the severity of the messages to be logged. All messages at and above the selected threshold (that is, with a severity number less than or equal to it) are logged to the console. The severity can be one of the following:
· Emergency (0): The device is unusable.
· Alert (1): Action must be taken immediately.
· Critical (2): The device is experiencing primary system failures.
· Error (3): The device is experiencing non-urgent failures.
· Warning (4): The device is experiencing conditions that could lead to system errors if no action is taken.
· Notice (5): The device is experiencing normal but significant conditions.
· Info (6): The device is providing non-critical information.
· Debug (7): The device is providing debug-level information.

Persistent Log Configuration section:

Admin Mode
Enables or disables logging to the persistent log. These messages are not deleted when the device reboots.

Severity Filter
Select the severity of the messages to be logged. All messages at and above the selected threshold are written to the persistent log. See the previous severity filter description for more information about each severity level.

Syslog Configuration section:

Admin Mode
Enables or disables logging to configured syslog hosts. When the syslog admin mode is disabled, the device does not relay logs to syslog hosts and no messages are sent to any collector or relay. When it is enabled, messages are sent to the configured collectors and relays using the values configured for each. Syslog over UDP is neither authenticated nor encrypted, so keep the collector on a management network the switch reaches directly and treat forwarded messages as spoofable.

Local UDP Port
The UDP port on the local host from which syslog messages are sent.

Use the buttons to perform the following tasks:
· If you make changes to the page, click Submit to apply the changes to the running configuration.
· Click Refresh to refresh the page with the most current data from the switch.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.
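The severity filter semantics above, applied on the receiving side, as an added Python example that is not part of the guide or the switch software. It decodes the <PRI> prefix a syslog collector sees (PRI = facility * 8 + severity, per RFC 3164), applies a threshold exactly as the Severity Filter field describes it, and skips malformed lines rather than failing on them. The log lines, the host name "es48" and the component tags are constructed for the example and do not reproduce real EdgeSwitch output.

```python
"""Severity filtering and <PRI> handling for the log settings described above.

Added example, not EdgeSwitch code. Two points made concrete: "messages at and
above the selected threshold" means a severity number less than or equal to the
threshold (Emergency is 0, Debug is 7), and a collector recovers facility and
severity from the <PRI> prefix, PRI = facility * 8 + severity (RFC 3164).
The sample lines below are constructed for this example.
"""
import re
from typing import Iterable, List, Tuple

SEVERITY = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
            "Warning": 4, "Notice": 5, "Info": 6, "Debug": 7}
SEVERITY_NAME = {num: name for name, num in SEVERITY.items()}
LOCAL0 = 16  # facility commonly used for network devices

_PRI = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility: int, severity: int) -> int:
    """RFC 3164 priority value."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def decode_pri(line: str) -> Tuple[int, int]:
    """Return (facility, severity) from a line's <PRI> prefix."""
    m = _PRI.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError(f"missing or out-of-range <PRI> in {line[:24]!r}")
    return divmod(int(m.group(1)), 8)


def passes_filter(severity: int, threshold: str) -> bool:
    """Severity Filter semantics: keep messages at or more severe than the threshold."""
    return severity <= SEVERITY[threshold]


def filter_lines(lines: Iterable[str], threshold: str) -> List[str]:
    """Apply a Severity Filter to raw syslog lines; malformed lines are dropped, not fatal."""
    kept = []
    for line in lines:
        try:
            _, sev = decode_pri(line)
        except ValueError:
            continue
        if passes_filter(sev, threshold):
            kept.append(line)
    return kept


def format_line(facility: int, severity: int, ts: str, host: str, tag: str, msg: str) -> str:
    """Build an RFC 3164 style line: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    return f"<{encode_pri(facility, severity)}>{ts} {host} {tag}: {msg}"


# Constructed sample lines from a hypothetical switch named "es48"
SAMPLE_LINES = [
    format_line(LOCAL0, SEVERITY["Info"], "Jan  1 00:00:01", "es48", "PORT", "Link Up: 0/1"),
    format_line(LOCAL0, SEVERITY["Warning"], "Jan  1 00:00:02", "es48", "USERMGR",
                "Login failed for user admin from 192.0.2.10"),
    format_line(LOCAL0, SEVERITY["Error"], "Jan  1 00:00:03", "es48", "WEB", "Session limit reached"),
    format_line(LOCAL0, SEVERITY["Alert"], "Jan  1 00:00:04", "es48", "DOS", "SYN/FIN packet dropped on 0/7"),
    format_line(LOCAL0, SEVERITY["Debug"], "Jan  1 00:00:05", "es48", "SNTP", "Poll timer expired"),
    "no PRI prefix at all",   # malformed: a collector must not crash on it
]

if __name__ == "__main__":
    for line in filter_lines(SAMPLE_LINES, "Warning"):
        _, sev = decode_pri(line)
        print(f"{SEVERITY_NAME[sev]:9s} {line}")
```

With the threshold set to Warning, the Info and Debug lines are dropped and the Alert, Error and Warning lines are kept, which is the behaviour the Severity Filter field describes.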

Port Summary Fields (Continued)

STP Mode
The Spanning Tree Protocol (STP) administrative mode of the port or LAG. STP is a Layer-2 protocol that provides a tree topology for switches on a bridged LAN: it allows a network to have redundant links without forwarding loops by keeping a single active path between any two end stations. The possible values are:
· Enabled: Spanning tree is enabled for this port.
· Disabled: Spanning tree is disabled for this port.
For more information about STP, see "Configuring Spanning Tree Protocol" on page 161.

LACP Mode
The administrative mode of the Link Aggregation Control Protocol (LACP). The mode must be enabled for the port to participate in dynamic link aggregation. The values are:
· Enabled: The port uses LACP for dynamic LAG configuration. The port exchanges LACP Protocol Data Units (PDUs) with its link partner to confirm that the remote switch is also configured for link aggregation.
· Disabled: The port supports static LAG configuration only, for example when the link partner does not support LACP. A port added to a LAG as a static member neither transmits nor receives LACP PDUs.

Link Status
Whether the link is up or down. The link is the physical connection between the port or LAG and the interface on another device.

Edit Port Configuration dialog box: Click Edit to display this dialog box, which contains configurable Admin Mode, Physical Mode, STP Mode, and LACP Mode fields plus the following configurable fields:

Link Trap
Whether the port sends an SNMP trap when its link status changes.
· Enable (default): The system sends a trap when the link status changes.
· Disable: The system does not send a trap when the link status changes.

Maximum Frame Size
The maximum Ethernet frame size the interface supports or is configured to support, including the Ethernet header, payload, and CRC.

Broadcast Storm Recovery Level
The broadcast storm control threshold for the port. If broadcast traffic on the port exceeds this threshold, the system blocks (discards) the broadcast traffic. Storm control is disabled by default; to configure it, click Enable, enter a threshold value, and select its units:
· %: A percentage of port speed, from 0 to 100 (default: 5).
· pps: Packets per second.

Multicast Storm Recovery Level
The multicast storm control threshold for the port. If multicast traffic on the port exceeds this threshold, the system blocks (discards) the multicast traffic. Disabled by default; to configure it, click Enable, enter a threshold value, and select its units:
· %: A percentage of port speed, from 0 to 100 (default: 5).
· pps: Packets per second.

Unicast Storm Recovery Level
The unicast storm control threshold for the port. If unicast traffic on the port exceeds this threshold, the system blocks (discards) the unicast traffic. Disabled by default; to configure it, click Enable, enter a threshold value, and select its units:
· %: A percentage of port speed, from 0 to 100 (default: 5).
· pps: Packets per second.

Use the command buttons as follows:
· To edit a port's settings, select the port and click Edit. In the Edit Port Configuration dialog box, change the settings as needed and click Submit to apply the changes.
· Click Refresh to redisplay the page with the latest information.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.

Defining SNMP Parameters
Simple Network Management Protocol (SNMP) provides a method for managing network devices. The device supports SNMP version 1, SNMP version 2, and SNMP version 3.

SNMP v1 and v2
The SNMP agent maintains a list of variables that are used to manage the device. The variables are defined in the Management Information Base (MIB), which presents the variables controlled by the agent; SNMP defines both the format in which MIB variables are specified and the protocol used to read and write them over the network. Access rights to the SNMP agent are controlled by community strings. In SNMPv1 and v2 the community string is the only credential and it travels in cleartext, so anyone who can observe management traffic can reuse it. If these versions must be enabled, keep write access disabled, limit which hosts can reach the agent, and prefer SNMPv3 with authentication and privacy for anything that changes configuration.

SNMP v3
SNMP v3 also applies access control and a new traps mechanism to SNMPv1 and SNMPv2 PDUs. In addition, the User-based Security Model (USM) is defined for SNMPv3 and includes:
· Authentication: Provides data integrity and data origin authentication.
· Privacy: Protects against disclosure of message content. Cipher Block Chaining (CBC) is used for encryption. A message can be authenticated only, or authenticated and encrypted; privacy cannot be enabled without authentication.
· Timeliness: Protects against message delay and replay. The SNMP agent compares the incoming message against its time information.
· Key Management: Defines key generation, key updates, and key use.
The device supports SNMP notification filters based on Object IDs (OIDs), which the system uses to manage device features. SNMP v3 supports the following features:
· Security
· Feature Access Control
· Traps
Authentication and privacy keys are modified in the SNMPv3 User-based Security Model (USM).
Use the SNMP page to define SNMP parameters. To display the SNMP page, click System > SNMP in the navigation menu.
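What "Key Management" and key modification mean in practice for a USM user, as an added Python example that is not EdgeSwitch code: the password-to-key algorithm of RFC 3414 turns the user's authentication password into Ku, then localizes it with the agent's snmpEngineID into Kul, so the same password produces a different key on every switch, and the localized key is what the HMAC-96 authentication tag is computed with. The expected values in the demo are the RFC 3414 Appendix A.3 "maplesyrup" test vectors; the second engine ID is a made-up value, and the message bytes are constructed rather than a real SNMP PDU.

```python
"""SNMPv3 USM key derivation and HMAC-96 authentication (RFC 3414).

Added example, not EdgeSwitch code. It shows how a user's authentication password
becomes Ku (one hash over 1 048 576 octets of the repeated password) and then the
localized key Kul = H(Ku || snmpEngineID || Ku), which is why the same password
yields a different key on every SNMP engine. Known-answer values come from
RFC 3414 Appendix A.3 ("maplesyrup", engine ID 00..02).
"""
import hashlib
import hmac

EXPANDED_LEN = 1_048_576   # octets hashed by the password-to-key algorithm (RFC 3414 A.2)
AUTH_TAG_LEN = 12          # HMAC-96: msgAuthenticationParameters is 12 octets


def password_to_ku(password: bytes, algo: str = "md5") -> bytes:
    """Ku: hash of the password repeated cyclically to exactly 1 048 576 octets."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(EXPANDED_LEN, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): bind the key to one SNMP engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def derive_localized_key(password: str, engine_id_hex: str, algo: str = "md5") -> bytes:
    """Password -> Ku -> Kul for the engine identified by snmpEngineID (hex string)."""
    ku = password_to_ku(password.encode("utf-8"), algo)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algo)


def auth_params(kul: bytes, whole_msg: bytes, algo: str = "md5") -> bytes:
    """HMAC-96 over the serialized message (auth-params field zeroed), truncated to 12 octets."""
    return hmac.new(kul, whole_msg, algo).digest()[:AUTH_TAG_LEN]


def verify_auth_params(kul: bytes, whole_msg: bytes, received: bytes, algo: str = "md5") -> bool:
    """Constant-time check of a received msgAuthenticationParameters value."""
    return len(received) == AUTH_TAG_LEN and hmac.compare_digest(
        auth_params(kul, whole_msg, algo), received)


if __name__ == "__main__":
    engine_a = "000000000000000000000002"    # RFC 3414 A.3 example snmpEngineID
    engine_b = "80001f888059dc486145a26322"  # hypothetical second switch
    for algo in ("md5", "sha1"):
        print(algo, derive_localized_key("maplesyrup", engine_a, algo).hex())
    # Same password, different engine: different key, so a key recovered from one
    # switch does not directly work against another.
    print(derive_localized_key("maplesyrup", engine_a) != derive_localized_key("maplesyrup", engine_b))
```

The 1 MB expansion step is deliberate work that slows offline guessing of the password, but it is not a substitute for a strong password: the localized key is exactly what an attacker recovers by brute force from a captured authenticated message, so treat the engine ID as public and the password as the secret.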

SNMP Trap Source Interface Configuration Fields

Type
The type of interface to use as the source interface:
· None: The primary IP address of the originating (outbound) interface is used as the source address.
· Interface: The primary IP address of a physical port is used as the source address.
· VLAN: The primary IP address of a VLAN routing interface is used as the source address.
· Tunnel: The primary IP address of a tunnel interface is used as the source address.

Interface
When the selected Type is Interface, select the physical port to use as the source interface.

VLAN ID
When the selected Type is VLAN, select the VLAN to use as the source interface. The menu contains only the VLAN IDs of VLAN routing interfaces.

Tunnel ID
When the selected Type is Tunnel, select the tunnel interface to use as the source interface.

Use the buttons to perform the following tasks:
· If you make any changes to the page, click Submit to apply the changes to the system.
· Click Refresh to refresh the page with the most current data from the switch.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.

Switch Statistics Fields (Continued)

Status section:

Current Usage
In the FDB Entries column, the number of learned and static entries in the MAC address table. In the VLANs column, the total number of static and dynamic VLANs currently in the VLAN database.

Peak Usage
The highest number of entries that have existed in the MAC address table or VLAN database since the most recent reboot.

Maximum Allowed
The maximum number of statically configured or dynamically learned entries allowed in the MAC address table or VLAN database.

Static Entries
The current number of entries in the MAC address table or VLAN database that an administrator has statically configured.

Dynamic Entries
The current number of entries in the MAC address table or VLAN database that the device has learned dynamically.

Total Entries Deleted
The number of VLANs that have been created and then deleted since the last reboot. This field does not apply to MAC address table entries.

System section:

Interface
The interface index (ifIndex) of the interface table entry associated with this switch's processor. This value identifies the interface when managing the device over SNMP.

Time Since Counters Last Cleared
The time, in days, hours, minutes, and seconds, since the statistics for this device were last reset.

Use the command buttons to perform the following actions:
· Click Refresh to refresh the data on the screen with the present state of the data in the switch.
· Click Clear Counters to clear all the statistics counters, resetting all switch summary and detailed statistics to default values. The discarded packets count cannot be cleared.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.

Port Detailed Statistics Fields

Field

Description

Interface

Use the drop-down menu to select the interface for which data is to be displayed or configured. For non-stacking systems, this field is Slot/Port.

Maximum Frame Size

The maximum Ethernet frame size the interface supports or is configured to support. The maximum frame size includes the Ethernet header, CRC, and payload.

Packet Lengths Received and Transmitted section:

64 Octets

The total number of packets (including bad packets) received or transmitted that were 64 octets in length (excluding framing bits but including FCS octets).

65-127 Octets

The total number of packets (including bad packets) received or transmitted that were between 65 and 127 octets in length inclusive (excluding framing bits but including FCS octets).

128-255 Octets

The total number of packets (including bad packets) received or transmitted that were between 128 and 255 octets in length inclusive (excluding framing bits but including FCS octets).

256-511 Octets

The total number of packets (including bad packets) received or transmitted that were between 256 and 511 octets in length inclusive (excluding framing bits but including FCS octets).

512-1023 Octets

The total number of packets (including bad packets) received or transmitted that were between 512 and 1023 octets in length inclusive (excluding framing bits but including FCS octets).

1024-1518 Octets

The total number of packets (including bad packets) received or transmitted that were between 1024 and 1518 octets in length inclusive (excluding framing bits but including FCS octets).

1519-1522 Octets

The total number of packets (including bad packets) received or transmitted that were between 1519 and 1522 octets in length inclusive (excluding framing bits but including FCS octets).

1523-2047 Octets

The total number of packets (including bad packets) received or transmitted that were between 1523 and 2047 octets in length inclusive (excluding framing bits but including FCS octets).

2048-4095 Octets

The total number of packets (including bad packets) received or transmitted that were between 2048 and 4095 octets in length inclusive (excluding framing bits but including FCS octets).

4096-9216 Octets

The total number of packets (including bad packets) received or transmitted that were between 4096 and 9216 octets in length inclusive (excluding framing bits but including FCS octets).

Basic section:

Unicast Packets

The Transmit column shows the total number of packets that higher-level protocols requested be transmitted to a subnetwork unicast address, including those that were discarded or not sent. The Receive column shows the number of subnetwork unicast packets delivered to a higher-layer protocol.

Multicast Packets

The Transmit column shows the total number of packets that higher-level protocols requested be transmitted to a multicast address, including those that were discarded or not sent. The Receive column shows the number of multicast packets delivered to a higher-layer protocol.

Broadcast Packets

The Transmit column shows the total number of packets that higher-level protocols requested be transmitted to a broadcast address, including those that were discarded or not sent. The Receive column shows the number of broadcast packets delivered to a higher-layer protocol.

Total Packets (Octets)

The total number of octets of data (including those in bad packets) transmitted or received on the interface (excluding framing bits but including FCS octets). This object can be used as a reasonable estimate of Ethernet utilization. If greater precision is desired, the etherStatsPkts and etherStatsOctets objects should be sampled before and after a common interval.

Packets > 1518 Octets

The total number of packets transmitted or received by this interface that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed. This counter has a maximum increment rate of 815 counts per sec at 10 Mb/s.

802.3x Pause Frames

The number of MAC Control frames transmitted or received by this interface with an opcode indicating the PAUSE operation. This counter does not increment when the interface is operating in half-duplex mode.

FCS Errors

The total number of packets transmitted or received by this interface that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had a bad Frame Check Sequence (FCS) with an integral number of octets.

Protocol section:

STP BPDUs

The number of Spanning Tree Protocol (STP) Bridge Protocol Data Units (BPDUs) transmitted or received by the interface.

RSTP BPDUs

The number of Rapid STP BPDUs transmitted or received by the interface.

MSTP BPDUs

The number of Multiple STP BPDUs transmitted or received by the interface.

GVRP PDUs

The number of Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP) PDUs transmitted or received by the interface.

GMRP PDUs

The number of GARP Multicast Registration Protocol (GMRP) PDUs transmitted or received by the interface.

EAPOL Frames

The number of Extensible Authentication Protocol (EAP) over LAN (EAPOL) frames transmitted or received by the interface for IEEE 802.1X port-based network access control.

Advanced - Transmit section:

Total Transmit Packets Discarded

The sum of single collision frames discarded, multiple collision frames discarded, and excessive frames discarded.

Single Collision Frames

A count of the number of successfully transmitted frames on a particular interface for which transmission is inhibited by exactly one collision.

Multiple Collision Frames

A count of the number of successfully transmitted frames on a particular interface for which transmission is inhibited by more than one collision.

Excessive Collision Frames

A count of frames for which transmission on a particular interface fails due to excessive collisions.

Underrun Errors

The total number of frames discarded because the transmit FIFO buffer became empty during frame transmission.

GMRP Failed Registrations

The number of times attempted GMRP registrations could not be completed.

GVRP Failed Registrations

The number of times attempted GVRP registrations could not be completed.

Advanced - Receive section:

Total Packets Received Not Forwarded

The number of inbound packets which were chosen to be discarded to prevent them from being delivered to a higher-layer protocol, even though no errors had been detected. One possible reason for discarding such a packet is to free up buffer space.

Total Packets Received With MAC Errors

The total number of inbound packets that contained errors preventing them from being delivered to a higher-layer protocol.

Overruns

The total number of frames discarded as this port was overloaded with incoming packets, and could not keep up with the inflow.

Alignment Errors

The total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had a bad Frame Check Sequence (FCS) with a non-integral number of octets.

Jabbers Received

The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error). Note that this definition of jabber is different than the definition in IEEE-802.3 section 8.2.1.5 (10BASE5) and section 10.3.1.4 (10BASE2). These documents define jabber as the condition where any packet exceeds 20 ms. The allowed range to detect jabber is between 20 ms and 150 ms.

Fragments Received

The total number of packets received that were less than 64 octets in length with ERROR CRC (excluding framing bits but including FCS octets).

Undersize Received

The total number of packets received that were less than 64 octets in length with GOOD CRC (excluding framing bits but including FCS octets).

Unacceptable Frame Type

The number of frames discarded from this interface due to being a frame type that the interface cannot accept.

Time Since Counters Last Cleared

The amount of time in days, hours, minutes, and seconds, that has passed since the statistics for this interface were last reset.

Use the buttons to perform the following tasks:
· Click Clear Counters to clear all the counters. This resets all statistics for this port to the default values.
· Click Clear All Counters to clear all the counters for all ports on the switch. The button resets all statistics for all ports to default values.
· Click Refresh to refresh the page with the most current data from the switch.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.

Ubiquiti Networks, Inc.

85

EdgeSwitchTM Administration Guide

Configuring System Information

Ping Fields

Field

Description

Host Name or IP Address

Enter the IP address or the host name of the station you want the switch to ping. The initial value is blank. This information is not retained across a power cycle.

Count

The number of ICMP echo request packets to send to the host.

Interval

The number of seconds to wait between sending ping packets.

Size

The size of the ping packet, in bytes. Changing the size allows you to troubleshoot connectivity issues with a variety of packet sizes, such as large or very large packets.

Source

The source IP address or interface to use when sending the echo request packets. If a source is not required, select None as the Source option.

IP Address

The source IP address to use when sending the echo request packets. This field is enabled when the Source option is set to IP Address.

Interface

The interface to use when sending the echo request packets. This field is enabled when the Source option is set to Interface.

Status

Displays the results of the ping.

Results

The results of the ping test, which includes information about the reply (if any) received from the host.

Use the buttons to perform the following tasks:
· Click Start to initiate the ping test. The device sends the specified number of ping packets to the host.
· Click Stop to interrupt the current ping test.
· Click Refresh to refresh the data on the screen with the present state of the data in the switch.
Ping IPv6
Use the Ping IPv6 page to tell the device to send one or more ping requests to a specified IPv6 host. You can use the ping request to check whether the device can communicate with a particular host on an IPv6 network. A ping request is an Internet Control Message Protocol version 6 (ICMPv6) echo request packet. The information you enter on this page is not saved as part of the device configuration.
To access the Ping IPv6 page, click System > Utilities > Ping IPv6 in the navigation menu.


AutoInstall Configuration Fields

Field

Description

Admin Mode

The current administrative mode of the AutoInstall feature:
· Start AutoInstall is enabled, and the feature will attempt to automatically configure the device during the next boot cycle.
· Stop AutoInstall is disabled. The automatic process will begin only if no configuration file is located during the next boot cycle.

Persistent Mode

If this option is selected, the settings you configure on this page are automatically saved to persistent memory in the startup-config file when you apply the changes. If this option is cleared, the device treats these settings like any other applied changes (i.e., the changes are not retained across a reboot unless you save the configuration).

AutoSave Mode

If this option is selected, the downloaded configuration is automatically saved to persistent storage. If this option is cleared, you must explicitly save the downloaded configuration in non-volatile memory for the configuration to be available for the next reboot.

AutoReboot Mode

If this option is selected, the switch automatically reboots after a new image is successfully downloaded and makes the downloaded image the active image. If this option is cleared, the device continues to boot with the current image. The downloaded image will not become the active image until the device reboots.

Retry Count

When attempting to retrieve the DHCP-specified configuration file, this value represents the number of times the TFTP client on the device tries to use unicast requests before reverting to broadcast requests.

Status

The current status of the AutoInstall process.

Use the buttons to perform the following tasks:
· If you change any settings on this page, click Submit to apply the changes.
· To reset the fields to their original values, click Cancel.
· Click Refresh to display the most recently configured AutoInstall state from the switch.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.


Time Range Entry Summary Fields (Continued)

Field

Description

End Time

Select this option to configure values for the End Date and the Ending Time of Day. If this option is not selected, the entry does not have an end time; after the configured Start Time begins, the entry will remain active indefinitely.

End Date

Click to select the day, month, and year when this entry should no longer be active. This field can be configured only if the End Time option is selected.

Ending Time of Day

Specify the time of day that the entry becomes inactive by entering the information in the field or by using the scroll bar in the Choose Time pop-up window. Click Now to use the current time of day. Click Done to close the Choose Time pop-up window. This field can be configured only if the End Time option is selected.

Add Periodic Time Range dialog box - When you click Add Periodic, this dialog box appears, with the following fields:

Time Range Name

The time range configuration that will include the Periodic time range entry.

Applicable Days

Select the days on which the Periodic time range entry is active:
· Daily Every day of the week
· Weekdays Monday through Friday
· Weekend Saturday and Sunday
· Days of Week User-defined start days

Start Days

Indicates on which days the time entry becomes active. If the selected option in the Applicable Days field is Days of Week, select one or more days on which the entry becomes active. To select multiple days, press and hold CTRL and select each desired start day.

Starting Time of Day

Specify the time of day that the entry becomes active by entering the information in the field or by using the scroll bar in the Choose Time pop-up window. Click Now to use the current time of day. Click Done to close the Choose Time pop-up window.

End Days

Indicates on which days the time entry ends. If the selected option in the Applicable Days field is Days of Week, select one or more days on which the entry ends. To select multiple days, press and hold CTRL and select each desired end day.

Ending Time of Day

Specify the time of day that the entry becomes inactive by entering the information in the field or by using the scroll bar in the Choose Time pop-up window. Click Now to use the current time of day. Click Done to close the Choose Time pop-up window.

To configure the time range entries for a time range configuration, select the time range configuration from the Time Range Name menu and use the buttons to perform the following tasks:
· To add an absolute time range entry, click Add Absolute, configure the settings to define the absolute time range, and then click Submit to apply the changes. If the Add Absolute button is not available, an absolute entry already exists for the time range specified by Time Range Name.
· To add a periodic time range entry, click Add Periodic and specify the days and times that the entry is in effect.
· To delete a time range entry, select each entry to delete, click Remove, and confirm the action.
· Click Refresh to update the information on the screen.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.


Configuring SNTP Settings
The EdgeSwitch software supports the Simple Network Time Protocol (SNTP). SNTP assures accurate network device clock time synchronization up to the millisecond. Time synchronization is performed by a network SNTP server. The EdgeSwitch software operates only as an SNTP client and cannot provide time services to other systems.
Time sources are established by stratums. Stratums define the accuracy of the reference clock. The lower the stratum number (stratum 0 is the highest level), the more accurate the clock. The device receives time from stratum 1 and above since it is itself a stratum 2 device.
The following is an example of stratums:
· Stratum 0: A realtime clock is used as the time source, for example, a GPS system.
· Stratum 1: A server that is directly linked to a Stratum 0 time source is used. Stratum 1 time servers provide primary network time standards.
· Stratum 2: The time source is distanced from the Stratum 1 server over a network path. For example, a Stratum 2 server receives the time over a network link, via NTP, from a Stratum 1 server.
Information received from SNTP servers is evaluated based on the time level and server type.
SNTP time definitions are assessed and determined by the following time levels:
T1: Time at which the original request was sent by the client.
T2: Time at which the original request was received by the server.
T3: Time at which the server sent a reply.
T4: Time at which the client received the server's reply.
The device can poll Unicast and Broadcast server types for the server time.
Polling for Unicast information is used for polling a server for which the IP address is known. SNTP servers that have been configured on the device are the only ones that are polled for synchronization information. T1 through T4 are used to determine server time. This is the preferred method for synchronizing device time because it is the most secure method. If this method is selected, SNTP information is accepted only from SNTP servers defined on the device using the SNTP Server Configuration page.
Broadcast information is used when the server IP address is unknown. When a Broadcast message is sent from an SNTP server, the SNTP client listens to the message. If Broadcast polling is enabled, any synchronization information is accepted, even if it has not been requested by the device. This is the least secure method.
The device retrieves synchronization information, either by actively requesting information or at every poll interval. If Unicast and Broadcast polling are enabled, the information is retrieved in this order:
· Information from servers defined on the device is preferred. If Unicast polling is not enabled or if no servers are defined on the device, the device accepts time information from any SNTP server that responds.
· If more than one Unicast device responds, synchronization information is preferred from the device with the lowest stratum.
· If the servers have the same stratum, synchronization information is accepted from the SNTP server that responded first.
MD5 (Message Digest 5) Authentication safeguards device synchronization paths to SNTP servers. MD5 is an algorithm that produces a 128-bit hash. MD5 is a variation of MD4 and increases MD4 security. MD5 verifies the integrity of the communication and authenticates the origin of the communication.
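The following is an added example, not EdgeSwitch code, showing how an SNTP client derives its clock offset from T1 through T4 and applies the Unicast/Broadcast preference order described above (configured servers first, then lowest stratum, then first responder). The packet layout follows RFC 4330; the server addresses and timestamps are constructed.

```python
"""SNTP reply handling: parse a reply, compute offset/delay from T1..T4, and
select a time source in the order the guide describes."""
import struct
from dataclasses import dataclass
from typing import Iterable, Optional, Set

NTP_UNIX_DELTA = 2208988800        # seconds from the NTP epoch (1900) to the Unix epoch (1970)
MODE_SERVER, MODE_BROADCAST = 4, 5  # SNTP mode field values for unicast reply and broadcast


def to_ntp_ts(unix_seconds: float) -> bytes:
    """Encode a Unix time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int(round((unix_seconds - whole) * (1 << 32)))
    return struct.pack("!II", (whole + NTP_UNIX_DELTA) & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def from_ntp_ts(raw: bytes) -> float:
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_UNIX_DELTA + frac / (1 << 32)


@dataclass
class SntpReply:
    server: str      # address the reply came from
    mode: int        # 4 = unicast server reply, 5 = broadcast
    stratum: int
    t1: float        # originate timestamp: client sent the request
    t2: float        # receive timestamp: server received the request
    t3: float        # transmit timestamp: server sent the reply
    t4: float        # destination timestamp: client received the reply
    order: int = 0   # arrival order, used for the first-responder tie-break


def build_reply(stratum: int, t1: float, t2: float, t3: float, mode: int = MODE_SERVER) -> bytes:
    """Constructed 48-byte SNTP reply standing in for a real server (LI=0, VN=4)."""
    header = bytes([(0 << 6) | (4 << 3) | mode, stratum, 6, 0xEC])
    fixed = b"\x00" * 12 + b"\x00" * 8   # root delay, root dispersion, reference id, reference timestamp
    return header + fixed + to_ntp_ts(t1) + to_ntp_ts(t2) + to_ntp_ts(t3)


def parse_reply(server: str, packet: bytes, t4: float, order: int = 0) -> SntpReply:
    if len(packet) < 48:
        raise ValueError("SNTP packet shorter than 48 bytes")
    return SntpReply(server, packet[0] & 0x07, packet[1],
                     t1=from_ntp_ts(packet[24:32]), t2=from_ntp_ts(packet[32:40]),
                     t3=from_ntp_ts(packet[40:48]), t4=t4, order=order)


def clock_offset(r: SntpReply) -> float:
    """Server clock minus client clock, derived from T1..T4 (RFC 4330)."""
    return ((r.t2 - r.t1) + (r.t3 - r.t4)) / 2


def round_trip_delay(r: SntpReply) -> float:
    return (r.t4 - r.t1) - (r.t3 - r.t2)


def select_reply(replies: Iterable[SntpReply], configured_servers: Set[str],
                 unicast_enabled: bool, broadcast_enabled: bool) -> Optional[SntpReply]:
    """Preference order from the guide: replies from configured Unicast servers; if Unicast
    is off or no servers are defined, any responding (Broadcast) server; then the lowest
    stratum; equal strata fall through to whichever responded first."""
    usable = [r for r in replies if 1 <= r.stratum <= 15]   # stratum 0 is unsynchronised / kiss-o'-death
    candidates = []
    if unicast_enabled and configured_servers:
        candidates = [r for r in usable if r.mode == MODE_SERVER and r.server in configured_servers]
    if not candidates and broadcast_enabled:
        candidates = [r for r in usable if r.mode == MODE_BROADCAST]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (r.stratum, r.order))
```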


Summer Time Configuration Fields

Field

Description

Summer Time

The summer time mode on the system:
· Disable Summer time is not active, and the time does not shift based on the time of year.
· Recurring Summer time occurs at the same time every year. The start and end times and dates for the time shift must be manually configured.
· EU The system clock uses the standard recurring summer time settings used in countries in the European Union. When this field is selected, the rest of the applicable fields on the page except Offset and Zone are automatically populated and cannot be edited.
· USA The system clock uses the standard recurring daylight saving time settings used in the United States. When this field is selected, the rest of the applicable fields on the page except Offset and Zone are automatically populated and cannot be edited.
· Non-Recurring Summer time settings are in effect only between the start date and end date of the specified year. When this mode is selected, the summer time settings do not repeat on an annual basis.

Date Range - The fields in this section are available only if the Summer Time field is set to Non-Recurring mode.

Start Date

The day, month, and year that summer time begins. To change the date, click next to the field, select the year from the menu, browse to the desired month, and click the date.

Starting Time and Day

The time, in hours and minutes, to start summer time on the specified day.

End Date

The day, month, and year that summer time ends. To change the date, click next to the field, select the year from the menu, browse to the desired month, and click the date.

Ending Time of Day

The time, in hours and minutes to end summer time on the specified day.

Recurring Date - The fields in this section are available only if the Summer Time field is set to Recurring mode.

Start Week

The week of the month within which summer time begins.

Start Day

The day of the week on which summer time begins.

Start Month

The month of the year within which summer time begins.

Starting Time of Day

The time, in hours and minutes, to start summer time.

End Week

The week of the month within which summer time ends.

End Day

The day of the week on which summer time ends.

End Month

The month of the year within which summer time ends.

Ending Time of Day

The time, in hours and minutes, to end summer time.

Zone - The fields in this section are available for all modes selected from the Summer Time field except Disable.

Offset

The number of minutes to shift the summer time from the standard time.

Zone

The acronym associated with the time zone when summer time is in effect.

Use the buttons to perform the following tasks:
· If you make any changes to the page, click Submit to apply the settings.
· Click Refresh to refresh the page with the most current data from the switch.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.


Chapter 4: Configuring Switching Information
· "Managing VLANs" on page 127
· "Creating MAC Filters" on page 134
· "GARP Configuration" on page 135
· "Configuring DHCP Snooping" on page 137
· "Configuring IGMP Snooping" on page 144
· "Configuring IGMP Snooping Querier" on page 151
· "Creating Port Channels" on page 154
· "Viewing Multicast Forwarding Database Information" on page 157
· "Configuring Protected Ports" on page 160
· "Configuring Spanning Tree Protocol" on page 161
· "Mapping 802.1p Priority" on page 170
· "Configuring Port Security" on page 172
· "Managing LLDP" on page 176


Spanning Tree CST Fields

Field

Description

Bridge Priority

The value that helps determine which bridge in the spanning tree is elected as the root bridge during STP convergence. A lower value increases the probability that the bridge becomes the root bridge.

Bridge Max Age

The amount of time a bridge waits before implementing a topological change.

Bridge Hello Time

The amount of time the root bridge waits between sending hello BPDUs.

Bridge Forward Delay

The amount of time a bridge remains in a listening and learning state before forwarding packets.

Spanning Tree Maximum Hops

The maximum number of hops a Bridge Protocol Data Unit (BPDU) is allowed to traverse within the spanning tree region before it is discarded.

BPDU Guard

When enabled, BPDU Guard can disable edge ports that receive BPDU packets. This prevents a new device from entering the existing STP topology. Thus devices that were originally not a part of STP are not allowed to influence the STP topology.

BPDU Filter

When enabled, this feature filters the BPDU traffic on the edge ports. When spanning tree is disabled on a port, BPDU filtering allows BPDU packets received on that port to be dropped.

Spanning Tree Tx Hold Count

The maximum number of BPDUs that a bridge is allowed to send within a hello time window.

Bridge Identifier

A unique value that is automatically generated based on the bridge priority value and the base MAC address of the bridge. When electing the root bridge for the spanning tree, if the bridge priorities for multiple bridges are equal, the bridge with the lowest MAC address is elected as the root bridge.

Time Since Topology Change

The amount of time that has passed since the topology of the spanning tree last changed since the device was last reset.

Topology Change Count

The number of times the topology of the spanning tree has changed.

Topology Change

Indicates whether a topology change is in progress on any port assigned to the CST. If a change is in progress the value is True; otherwise, it is False.

Designated Root

The bridge identifier of the root bridge for the CST. The identifier is made up of the bridge priority and the base MAC address.

Root Path Cost

The path cost to the designated root for the CST. Traffic from a connected device to the root bridge takes the least-cost path to the bridge. If the value is 0, the cost is automatically calculated based on port speed.

Root Port

The port on the bridge with the least-cost path to the designated root for the CST.

Max Age

The amount of time a bridge waits before implementing a topological change.

Forward Delay

The forward delay value for the root port bridge.

Hold Time

The minimum amount of time between transmissions of Configuration BPDUs.

CST Regional Root

The bridge identifier of the CST regional root. The identifier is made up of the priority value and the base MAC address of the regional root bridge.

CST Path Cost

The path cost to the CST tree regional root.

Use the buttons to perform the following tasks:
· If you make any configuration changes, click Submit to apply the new settings to the switch.
· Click Refresh to update the information on the screen with the most current data.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.


Spanning Tree CST Port Fields (Continued)

Field

Description

Port Priority

The priority for the port within the CST. This value is used in determining which port on a switch becomes the root port when two ports have the same least-cost path to the root. The port with the lower priority value becomes the root port. If the priority values are the same, the port with the lower interface index becomes the root port.

Port Path Cost

The path cost from the port to the root bridge.

Description

A user-configured description of the port. If you select an interface and click Edit, the Edit CST Port Entry dialog box (described below) opens and allows you to edit the CST port settings and view additional CST information for the interface.

Edit CST Port Entry dialog box - When you click Edit, this dialog box opens and allows you to configure these additional fields:

Admin Edge Port

Select this option to administratively configure the interface as an edge port. An edge port is an interface that is directly connected to a host and is not at risk of causing a loop.

Auto-calculate Port Path Cost

Shows whether the path cost from the port to the root bridge is automatically determined by the speed of the interface (Enabled) or configured manually (Disabled).

Hello Timer

The amount of time the port waits between sending hello BPDUs.

External Port Path Cost

The cost of the path from the port to the CIST root. This value becomes important when the network includes multiple regions.

Auto-calculate External Port Path Cost

Shows whether the path cost from the port to the CIST root is automatically determined by the speed of the interface (Enabled) or configured manually (Disabled).

BPDU Filter

Select this option to enable this feature. When enabled, this feature filters the BPDU traffic on the edge ports. Edge ports do not need to participate in the spanning tree, so BPDU filtering allows BPDU packets received on edge ports to be dropped.

BPDU Flood

Select this option to enable this feature, which determines the behavior of the interface if STP is disabled on the port and the port receives a BPDU. If BPDU flooding is enabled, the port will flood the received BPDU to all the ports on the switch that are similarly disabled for spanning tree.

BPDU Guard Effect

Shows the status (Disabled or Enabled) of BPDU Guard Effect on the interface. When enabled, BPDU Guard Effect can disable edge ports that receive BPDU packets. This prevents a new device from entering the existing STP topology. Thus devices that were originally not a part of STP are not allowed to influence the STP topology.

Port ID

A unique value that is automatically generated based on the port priority value and the interface index.

Port Up Time Since Counters Last Cleared

The amount of time that the port has been up since the counters were cleared.

Port Mode

Used to Enable or Disable the administrative mode of spanning tree on the port.

Port Forwarding State

· Blocking The port discards user traffic and receives, but does not send, BPDUs. During the election process, all ports are in the blocking state. The port is blocked to prevent network loops.
· Listening The port sends and receives BPDUs and evaluates information to provide a loop-free topology. This state occurs during network convergence and is the first state in transitioning to the forwarding state.
· Learning The port learns the MAC addresses of frames it receives and begins to populate the MAC address table. This state occurs during network convergence and is the second state in transitioning to the forwarding state.
· Forwarding The port sends and receives user traffic.
· Disabled The port is administratively disabled and is not part of the spanning tree.

Port Role

The role of the port within the CST, which is one of the following:
· Root A port on the non-root bridge that has the least-cost path to the root bridge.
· Designated A port that has the least-cost path to the root bridge on its segment.
· Alternate A blocked port that has an alternate path to the root bridge.
· Backup A blocked port that has a redundant path to the same network segment as another port on the bridge.
· Master The port on a bridge within an MST instance that links the MST instance to other STP regions.
· Disabled The port is administratively disabled and is not part of the spanning tree.

Designated Root

The bridge ID of the root bridge for the CST.

Designated Cost

The path cost offered to the LAN by the designated port.

Designated Bridge

The bridge ID of the bridge with the designated port.

Designated Port

The port ID of the designated port.


Spanning Tree CST Port Fields (Continued)

Field

Description

Topology Change Acknowledge

Displays True if the next BPDU to be transmitted for this port will have the topology change acknowledgement flag set; otherwise, displays False.

Auto Edge

When this option is selected (enabled), Auto Edge allows the interface to become an edge port if it does not receive any BPDUs within a given amount of time.

Edge Port

Displays Enabled if the interface is configured as an edge port; otherwise, displays Disabled.

Point-to-point MAC

Displays True if the link type for the interface is a point-to-point link; otherwise, displays False.

Root Guard

When this option is selected (enabled), Root Guard allows the interface to discard any superior information it receives to protect the root of the device from changing. The port is put into discarding state and does not forward any frames.

Loop Guard

When this option is selected (enabled), Loop Guard prevents an interface from erroneously transitioning from blocking state to forwarding when the interface stops receiving BPDUs. The port is marked as being in loop-inconsistent state. In this state, the interface does not forward frames.

TCN Guard

When this option is selected (enabled), TCN Guard restricts the interface from propagating any topology change information received through that interface.

CST Regional Root

The bridge ID of the bridge that has been elected as the root bridge of the CST region.

CST Path Cost

The path cost from the interface to the CST regional root.

Loop Inconsistent State

Displays True if the interface is currently in a loop inconsistent state; otherwise, displays False. An interface transitions to a loop inconsistent state if loop guard is enabled and the port stops receiving BPDUs. In this state, the interface does not transmit frames.

Transitions Into Loop Inconsistent State

The number of times this interface has transitioned into loop inconsistent state.

Transitions Out Of Loop Inconsistent State

The number of times this interface has transitioned out of loop inconsistent state.

Use the buttons to perform the following tasks:
· To edit the CST port settings, click Edit, configure the settings as needed, and click Submit to apply the new settings to the switch.
· Click Details to display the CST port settings.
· Click Refresh to update the screen with most recent data.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.
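The election and guard rules spread across the CST fields above, as an added example that is not EdgeSwitch code: bridge identifiers compare by priority and then base MAC, the root port is chosen by path cost, then port priority, then interface index, and a BPDU arriving on a port with BPDU Guard or Root Guard enabled is handled as the field descriptions state. The bridge IDs, MACs and ports are constructed.

```python
"""Spanning tree root election, root port selection and guard decisions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BridgeId:
    """Bridge identifier: 16-bit priority word followed by the 48-bit base MAC (802.1D encoding)."""
    priority: int
    mac: str   # "aa:bb:cc:dd:ee:ff"

    def key(self) -> Tuple[int, int]:
        # Lower priority wins; equal priorities fall through to the lower MAC address
        return (self.priority, int(self.mac.replace(":", ""), 16))

    def encode(self) -> bytes:
        return self.priority.to_bytes(2, "big") + bytes.fromhex(self.mac.replace(":", ""))

    @classmethod
    def decode(cls, raw: bytes) -> "BridgeId":
        if len(raw) != 8:
            raise ValueError("a bridge identifier is 8 bytes")
        return cls(int.from_bytes(raw[:2], "big"), ":".join(f"{b:02x}" for b in raw[2:]))


def elect_root(bridges: List[BridgeId]) -> BridgeId:
    """The bridge with the lowest (priority, MAC) pair becomes the root."""
    return min(bridges, key=BridgeId.key)


@dataclass(frozen=True)
class CstPort:
    index: int            # interface index, the final tie-breaker
    priority: int         # Port Priority field
    root_path_cost: int   # cost of the path from this port to the root bridge


def select_root_port(ports: List[CstPort]) -> Optional[CstPort]:
    """Least-cost path first; on a tie the lower port priority, then the lower interface index."""
    if not ports:
        return None
    return min(ports, key=lambda p: (p.root_path_cost, p.priority, p.index))


@dataclass(frozen=True)
class ReceivedBpdu:
    claimed_root: BridgeId
    root_path_cost: int


def on_bpdu(port_is_edge: bool, bpdu_guard: bool, root_guard: bool,
            current_root: BridgeId, bpdu: ReceivedBpdu) -> str:
    """Outcome for a BPDU received on a port:
      "port-disabled" : BPDU Guard disabled the edge port that received a BPDU
      "discarding"    : Root Guard discarded superior root information and holds the port in discarding
      "process"       : the BPDU goes to normal spanning tree processing
    """
    if port_is_edge and bpdu_guard:
        return "port-disabled"
    superior = bpdu.claimed_root.key() < current_root.key()
    if root_guard and superior:
        return "discarding"
    return "process"
```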
Spanning Tree MST Configuration
Use the Spanning Tree MST Summary page to view and configure the Multiple Spanning Tree Instances (MSTIs) on the device. Multiple Spanning Tree Protocol (MSTP) allows the creation of MSTIs based upon a VLAN or groups of VLANs. Configuring MSTIs creates an active topology with a better distribution of network traffic and an increase in available bandwidth when compared to classic STP.
To display the Spanning Tree MST Port Summary page, click Switching > Spanning Tree > MST in the navigation menu.
Use the buttons to perform the following tasks:
· To configure a new MSTI, click Add and specify the desired settings.
· To change the Priority or the VLAN associations for an existing MSTI, select the entry to modify and click Edit.
· To remove one or more MSTIs, select each entry to delete and click Remove. You must confirm the action before the entry is deleted.


Spanning Tree MST Port Summary Fields (Continued)

Field

Description

Description

A user-configured description of the port.
If you select an interface and click Edit, the Edit MST Port Entry dialog box (described below) opens and allows you to edit the MST port settings and view additional MST information for the interface.

Edit MST Port Entry dialog box - When you click Edit, this dialog box opens and allows you to configure these additional fields:

Auto-calculate Port Path Cost

Shows whether the path cost from the port to the root bridge is automatically determined by the speed of the interface (Enabled) or configured manually (Disabled).

Port ID

A unique value that is automatically generated based on the port priority value and the interface index.

Port Up Time Since Counters Last Cleared

The amount of time that the port has been up since the counters were cleared.

Port Mode

The spanning tree administrative mode (Disable or Enable) on the port.

Designated Root

The bridge ID of the root bridge for the MST instance.

Designated Cost

The path cost offered to the LAN by the designated port.

Designated Bridge

The bridge ID of the bridge with the designated port.

Designated Port

The port ID of the designated port.

Loop Inconsistent State

Displays True if the interface is currently in a loop inconsistent state; otherwise, displays False.
An interface transitions to a loop inconsistent state if loop guard is enabled and the port stops receiving BPDUs. In this state, the interface does not transmit frames.

Transitions Into Loop Inconsistent State

The number of times this interface has transitioned into loop inconsistent state.

Transitions Out Of Loop Inconsistent State

The number of times this interface has transitioned out of loop inconsistent state.

Use the buttons to perform the following tasks:
· To edit the MST port settings, click Edit, configure the settings as needed, and click Submit to apply the new settings to the switch.
· Click Details to display the MST port settings.
· Click Refresh to update the screen with the most recent data.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.


Use the buttons to perform the following tasks:
· Click Refresh to update the page with the most current information.
· Click Clear to clear the LLDP statistics of all the interfaces.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.


LLDP Remote Device Information Fields (Continued)

Field

Description

Manufacturer Name

The name of the system manufacturer advertised by the remote device.

Model Name

The name of the system model advertised by the remote device.

Asset ID

The system asset ID advertised by the remote device.

Location Information: Sub Type

The type of location information advertised by the remote device.

Location Information: Information

The text description of the location information included in the subtype.

Extended PoE

Indicates whether the remote device is advertised as a PoE device.

Device Type

If the remote device is a PoE device, this field identifies the PoE device type of the remote device connected to this port.

Use the buttons to perform the following tasks:
· To view additional information about a remote device, select the interface that received the LLDP-MED data and click Details. The LLDP-MED Remote Device Information window appears and displays the fields in the table below.
· Click Refresh to refresh the page with the most current data from the switch.


Chapter 5: Configuring Routing
EdgeSwitch supports IP routing. Use the links in the Routing navigation menu folder to manage routing on the system. This section contains the following information:
· "Configuring ARP" on page 188
· "Configuring Global IP Settings" on page 191
· "Router" on page 200
· "Configuring Policy-Based Routing" on page 203
When a packet enters the switch, the destination MAC address is checked to see if it matches any of the configured routing interfaces. If it does, then the silicon searches the host table for a matching destination IP address. If an entry is found, then the packet is routed to the host. If there is not a matching entry, then the switch performs a longest prefix match on the destination IP address. If an entry is found, then the packet is routed to the next hop. If there is no match, then the packet is routed to the next hop specified in the default route. If there is no default route configured, then the packet is passed to the software to be handled appropriately.
The routing table can have entries added either statically by the administrator or dynamically via a routing protocol. The host table can have entries added either statically by the administrator or dynamically via ARP.
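The lookup sequence described above, written out as an added Python example (not EdgeSwitch code). The routing-interface MAC, host table, routing table and default route are constructed sample values, and the function names are assumptions:

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample tables; none of these addresses or MACs come from a real device.
ROUTING_INTERFACE_MACS = {"00:11:22:33:44:55"}                    # MAC of a routing interface
HOST_TABLE: Dict[str, str] = {"10.0.1.20": "aa:bb:cc:00:00:01"}  # IP -> MAC, from ARP or static
ROUTING_TABLE: List[Tuple[str, str]] = [                          # (prefix, next hop)
    ("10.0.0.0/8", "10.0.255.1"),
    ("10.0.1.0/24", "10.0.1.1"),
]
DEFAULT_ROUTE: Optional[str] = "192.0.2.1"


def longest_prefix_match(dst_ip: str, table: List[Tuple[str, str]]) -> Optional[str]:
    """Return the next hop of the most specific prefix covering dst_ip, or None."""
    dst = ipaddress.IPv4Address(dst_ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, next_hop in table:
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def forward(dst_mac: str, dst_ip: str,
            interface_macs=ROUTING_INTERFACE_MACS, host_table=HOST_TABLE,
            routing_table=ROUTING_TABLE, default_route=DEFAULT_ROUTE) -> Tuple[str, Optional[str]]:
    """Decision sequence for one packet: (how it is forwarded, host MAC or next hop)."""
    # 1. Destination MAC must belong to a routing interface; otherwise it is only switched.
    if dst_mac.lower() not in interface_macs:
        return ("switched", None)
    # 2. Exact match in the host table: deliver straight to the host.
    if dst_ip in host_table:
        return ("host", host_table[dst_ip])
    # 3. Longest prefix match in the routing table: send to that next hop.
    next_hop = longest_prefix_match(dst_ip, routing_table)
    if next_hop is not None:
        return ("next-hop", next_hop)
    # 4. Default route, if one is configured.
    if default_route is not None:
        return ("default", default_route)
    # 5. Nothing matched: the packet is handed to software.
    return ("software", None)
```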


Configuring ARP
The Address Resolution Protocol (ARP) associates a Layer-2 MAC address with a Layer-3 IPv4 address. The EdgeSwitch software features both dynamic and manual ARP configuration. With manual ARP configuration, you can statically add entries into the ARP table.
ARP is a necessary part of the internet protocol (IP) and is used to translate an IP address to a media (MAC) address, defined by a local area network (LAN) such as Ethernet. A station needing to send an IP packet must learn the MAC address of the IP destination, or of the next hop router, if the destination is not on the same subnet. This is achieved by broadcasting an ARP request packet, to which the intended recipient responds by unicasting an ARP reply containing its MAC address. Once learned, the MAC address is used in the destination address field of the Layer-2 header prepended to the IP packet.
The ARP cache is a table maintained locally in each station on a network. ARP cache entries are learned by examining the source information in the ARP packet payload fields, regardless of whether it is an ARP request or response. Thus, when an ARP request is broadcast to all stations on a LAN segment or virtual LAN (VLAN), every recipient has the opportunity to store the sender's IP and MAC address in their respective ARP cache. The ARP response, being unicast, is normally seen only by the requestor, who stores the sender information in its ARP cache. Newer information always replaces existing content in the ARP cache.
The number of supported ARP entries is platform-dependent.
Devices can be moved in a network, which means the IP address that was at one time associated with a certain MAC address is now found using a different MAC, or may have disappeared from the network altogether (i.e., it has been reconfigured, disconnected, or powered off). This leads to stale information in the ARP cache unless entries are updated in reaction to new information seen on the network, periodically refreshed to determine if an address still exists, or removed from the cache if the entry has not been identified as a sender of an ARP packet during the course of an ageout interval, usually specified via configuration.
The Routing > ARP Table submenu contains links to the following UI pages that configure and display ARP-related details:
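The cache behaviour described in the preceding paragraphs (learning from the sender fields of requests and replies alike, newer information replacing existing content, and ageout of entries not seen as a sender) as an added Python model; it is not EdgeSwitch code. The class and method names, the ageout value used in the comments, and the rule that a manually added entry is neither aged out nor overwritten are assumptions:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ArpEntry:
    mac: str
    last_seen: float       # time this IP was last seen as the sender of an ARP packet
    static: bool = False   # manually configured entries are not aged out


class ArpCache:
    """Local ARP cache of one station; entries are keyed by IPv4 address (string)."""

    def __init__(self, ageout_seconds: float):
        self.ageout = ageout_seconds   # ageout interval, normally set by configuration
        self.entries: Dict[str, ArpEntry] = {}

    def add_static(self, ip: str, mac: str) -> None:
        """Manual ARP configuration: add an entry that does not age."""
        self.entries[ip] = ArpEntry(mac.lower(), last_seen=0.0, static=True)

    def observe(self, sender_ip: str, sender_mac: str, now: float) -> str:
        """Learn from the sender fields of any ARP packet; request or reply makes no difference.
        Returns what happened so the caller can log it."""
        sender_mac = sender_mac.lower()
        current = self.entries.get(sender_ip)
        if current is not None and current.static:
            return "ignored-static"      # assumption: manual entries are not overwritten
        if current is None:
            self.entries[sender_ip] = ArpEntry(sender_mac, now)
            return "learned"
        if current.mac == sender_mac:
            current.last_seen = now
            return "refreshed"
        # Newer information always replaces existing content. The cache itself cannot tell a
        # device that legitimately moved from anything else, so a MAC change for a known IP
        # is the event an operator should record.
        self.entries[sender_ip] = ArpEntry(sender_mac, now)
        return "changed"

    def lookup(self, ip: str) -> Optional[str]:
        entry = self.entries.get(ip)
        return None if entry is None else entry.mac

    def age(self, now: float) -> List[str]:
        """Remove dynamic entries not seen as an ARP sender within the ageout interval."""
        expired = [ip for ip, e in self.entries.items()
                   if not e.static and now - e.last_seen > self.ageout]
        for ip in expired:
            del self.entries[ip]
        return expired
```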
· "ARP Table" on page 189
· "ARP Table Configuration" on page 190


Routing IP Interface Summary Fields (Continued)

Field

Description

Details window: If you select an interface and click Details, the Details window opens and displays the following additional routing information for the selected interface:

Routing Mode

Indicates whether routing is administratively Enabled or Disabled on the interface.

Link Speed Data Rate

The physical link data rate of the interface.

IP Address Configuration Method

The source of the IP address, which is one of the following:
· None: The interface does not have an IP address.
· Manual: The IP address has been statically configured by an administrator.
· DHCP: The IP address has been learned dynamically through DHCP. If the method is DHCP but the interface does not have an IP address, the interface is unable to acquire an address from a network DHCP server.

Bandwidth

The configured bandwidth on this interface. This setting communicates the speed of the interface to higher-level protocols.

Encapsulation Type

The link layer encapsulation type for packets transmitted from the interface, which can be either Ethernet or SNAP.

Forward Net Directed Broadcasts

Indicates how the interface handles network-directed broadcast packets. A network-directed broadcast is a broadcast directed to a specific subnet. The possible values are as follows:
· Enabled: Network-directed broadcasts are forwarded.
· Disabled: Network-directed broadcasts are dropped.

Local Proxy ARP

Indicates whether local proxy ARP is Enabled or Disabled on the interface. When local proxy ARP is enabled, the interface can respond to an ARP request for a host other than itself. Unlike proxy ARP, local proxy ARP allows the interface to respond to ARP requests for a host that is on the same subnet as the host that sent the ARP request. This feature is useful when a host is not permitted to reply to an ARP request from another host in the same subnet, for example when using the protected ports feature.

Destination Unreachables

Displays Enabled if the interface is allowed to send ICMP Destination Unreachable message to a host if the intended destination cannot be reached for some reason. If the field displays Disabled, this interface will not send ICMP Destination Unreachable messages to inform the host about the error in reaching the intended destination.

ICMP Redirects

Displays Enabled if the interface is allowed to send ICMP Redirect messages; otherwise, displays Disabled. The device sends an ICMP Redirect message on an interface only if ICMP Redirects are enabled both globally and on the interface. An ICMP Redirect message notifies a host when a better route to a particular destination is available on the network segment.

Use the buttons to perform the following tasks:
· To edit an interface's routing configuration, select the interface and click Edit. The display changes to the Routing IP Interface Configuration page; for instructions on using this page, see "Routing IP Interface Configuration" on page 195.
· To view detailed routing information on an interface, select the interface's entry and click Details.
· Click Refresh to refresh the page with the most current data from the switch.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.


Routing IP Statistics Fields

Field

Description

IpInReceives

The total number of input datagrams received from interfaces, including those received in error.

IpInHdrErrors

The number of input datagrams discarded due to errors in their IP headers, including bad checksums, version number mismatch, other format errors, time-to-live exceeded, errors discovered in processing their IP options, etc.

IpInAddrErrors

The number of input datagrams discarded because the IP address in their IP header's destination field was not a valid address to be received at this entity. This count includes invalid addresses (e.g., 0.0.0.0) and addresses of unsupported Classes (e.g., Class E). For entities which are not IP Gateways and therefore do not forward datagrams, this counter includes datagrams discarded because the destination address was not a local address.

IpForwDatagrams

The number of input datagrams for which this entity was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. In entities which do not act as IP Gateways, this counter includes only those packets which were Source-Routed via this entity, and the Source-Route option processing was successful.

IpInUnknownProtos

The number of locally-addressed datagrams received successfully but discarded because of an unknown or unsupported protocol.

IpInDiscards

The number of input IP datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (e.g., for lack of buffer space). Note that this counter does not include any datagrams discarded while awaiting re-assembly.

IpInDelivers

The total number of input datagrams successfully delivered to IP user-protocols (including ICMP).

IpOutRequests

The total number of IP datagrams which local IP user-protocols (including ICMP) supplied to IP in requests for transmission. Note that this counter does not include any datagrams counted in IpForwDatagrams.

IpOutDiscards

The number of output IP datagrams for which no problem was encountered to prevent their transmission to their destination, but which were discarded (e.g., for lack of buffer space). Note that this counter would include datagrams counted in IpForwDatagrams if any such packets met this (discretionary) discard criterion.

IpOutNoRoutes

The number of IP datagrams discarded because no route could be found to transmit them to their destination. Note that this counter includes any packets counted in IpForwDatagrams which meet this 'no-route' criterion. Note that this includes any datagrams which a host cannot route because all of its default gateways are down.

IpReasmTimeout

The maximum number of seconds which received fragments are held while they are awaiting reassembly at this entity.

IpReasmReqds

The number of IP fragments received which needed to be reassembled at this entity.

IpReasmOKs

The number of IP datagrams successfully re-assembled.

IpReasmFails

The number of failures detected by the IP re-assembly algorithm (for whatever reason: timed out, errors, etc.). Note that this is not necessarily a count of discarded IP fragments since some algorithms can lose track of the number of fragments by combining them as they are received.

IpFragOKs

The number of IP datagrams that have been successfully fragmented at this entity.

IpFragFails

The number of IP datagrams that have been discarded because they needed to be fragmented at this entity but could not be, e.g., because their Don't Fragment flag was set.

IpFragCreates

The number of IP datagram fragments that have been generated as a result of fragmentation at this entity.

IpRoutingDiscards

The number of routing entries which were chosen to be discarded even though they are valid. One possible reason for discarding such an entry could be to free-up buffer space for other routing entries.

IcmpInMsgs

The total number of ICMP messages which the entity received. Note that this counter includes all those counted by IcmpInErrors.

IcmpInErrors

The number of ICMP messages which the entity received but determined as having ICMP-specific errors (bad ICMP checksums, bad length, etc.).

IcmpInDestUnreachs

The number of ICMP Destination Unreachable messages received.

IcmpInTimeExcds

The number of ICMP Time Exceeded messages received.

IcmpInParmProbs

The number of ICMP Parameter Problem messages received.

IcmpInSrcQuenchs

The number of ICMP Source Quench messages received.

IcmpInRedirects

The number of ICMP Redirect messages received.

IcmpInEchos

The number of ICMP Echo (request) messages received.


Routing IP Statistics Fields (Continued)

Field

Description

IcmpInEchoReps

The number of ICMP Echo Reply messages received.

IcmpInTimestamps

The number of ICMP Timestamp (request) messages received.

IcmpInTimestampReps

The number of ICMP Timestamp Reply messages received.

IcmpInAddrMasks

The number of ICMP Address Mask Request messages received.

IcmpInAddrMaskReps

The number of ICMP Address Mask Reply messages received.

IcmpOutMsgs

The total number of ICMP messages which this entity attempted to send. Note that this counter includes all those counted by IcmpOutErrors.

IcmpOutErrors

The number of ICMP messages which this entity did not send due to problems discovered within ICMP such as a lack of buffers. This value should not include errors discovered outside the ICMP layer such as the inability of IP to route the resultant datagram. In some implementations there may be no types of error which contribute to this counter's value.

IcmpOutDestUnreachs

The number of ICMP Destination Unreachable messages sent.

IcmpOutTimeExcds

The number of ICMP Time Exceeded messages sent.

IcmpOutParmProbs

The number of ICMP Parameter Problem messages sent.

IcmpOutSrcQuenchs

The number of ICMP Source Quench messages sent.

IcmpOutRedirects

The number of ICMP Redirect messages sent. For a host, this object is always zero, since hosts do not send redirects.

IcmpOutEchos

The number of ICMP Echo (request) messages sent.

IcmpOutEchoReps

The number of ICMP Echo Reply messages sent.

IcmpOutTimestamps

The number of ICMP Timestamp (request) messages sent.

IcmpOutTimestampReps

The number of ICMP Timestamp Reply messages sent.

IcmpOutAddrMasks

The number of ICMP Address Mask Request messages sent.

Click Refresh to refresh the page with the most current data from the switch.


Configuring Policy-Based Routing
Policy-based routing (PBR) enhances and modifies existing features in the EdgeSwitch software: route maps and access-control lists. Route maps are part of routing (see "Router" on page 200) and access control lists are part of QoS (see "Configuring Access Control Lists" on page 230). Because policy-based routing uses the services of both features, the EdgeSwitch software must include both the Routing and QoS packages for PBR to be functional.
Normally, routers make forwarding decisions based on routing tables in order to forward packets to destination addresses. Policy-Based Routing is a feature that enables the network administrator to define forwarding behavior based on packet contents. In brief, Policy-Based Routing overrides traditional destination-based routing behavior.
The EdgeSwitch software's policy-based routing feature matches the following packet entities and overrides the traditional forwarding behavior accomplished through destination-based routing:
· The size of the packet
· Protocol of the payload
· Source MAC address
· Destination MAC address
· Source IP address
· Destination IP address
· VLAN tag
· Priority


Chapter 6: Managing Device Security
Use the features in the Security folder on the navigation menu to set management security parameters for port, user, and server security. The Security folder contains links to the following features:
· "Port Access Control" on page 204
· "RADIUS Settings" on page 218
· "TACACS+ Settings" on page 225
Port Access Control
In port-based authentication mode, when 802.1X is enabled globally and on the port, successful authentication of any one supplicant attached to the port results in all users being able to use the port without restrictions. At any given time, only one supplicant is allowed to attempt authentication on a port in this mode. Ports in this mode are under bidirectional control. This is the default authentication mode.
The 802.1X network has three components:
· Authenticators: Specifies the port that is authenticated before permitting system access.
· Supplicants: Specifies the host connected to the authenticated port that requests access to the system services.
· Authentication Server: Specifies the external server, for example, the RADIUS server, that performs the authentication on behalf of the authenticator and indicates whether the user is authorized to access system services.
The Port Access Control folder contains links to the following pages that allow you to view and configure 802.1X features on the system.


Port Access Control Port Configuration Fields (Continued)

Field

Description

Supplicant Options: The fields in this section can be changed only when the selected port is configured as a supplicant port (that is, the PAE Capabilities field is set to Supplicant).

Control Mode

The port-based access control mode on the port, which is one of the following:
· Auto: The port is in an unauthorized state until a successful authentication exchange has taken place between the supplicant port, the authenticator port, and the authentication server.
· Force Unauthorized: The port is placed into an unauthorized state and is automatically denied system access.
· Force Authorized: The port is placed into an authorized state and does not require client port-based authentication to be able to send and receive traffic.

User Name

The name the port uses to identify itself as a supplicant to the authenticator port. The menu includes the users that are configured for system management. When authenticating, the supplicant provides the password associated with the selected User Name.

Authentication Period

The amount of time the supplicant port waits to receive a challenge from the authentication server. If the configured Authentication Period expires, the supplicant retransmits the authentication request until it is authenticated or has sent the number of messages configured in the Maximum Start Messages field.

Start Period

The amount of time the supplicant port waits for a response from the authenticator port after sending a Start packet. If no response is received, the supplicant retransmits the Start packet.

Held Period

The amount of time the supplicant port waits before contacting the authenticator port after an active 802.1X session fails.

Maximum Start Messages

The maximum number of Start packets the supplicant port sends to the authenticator port without receiving a response before it considers the authenticator to be 802.1X-unaware.

Use the buttons to perform the following tasks:
· If you change any settings on this page, click Submit to apply the changes.
· Click Refresh to refresh the page with the most current data from the switch.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.


Port Access Control Port Details Fields (Continued)

Field

Description

Transmit Period

The value, in seconds, of the timer used by the authenticator state machine on the port to determine when to send an EAPOL EAP Request/Identity frame to the supplicant.

Guest VLAN ID

The VLAN ID for the guest VLAN. The guest VLAN allows the port to provide a distinguished service to unauthenticated users. This feature provides a mechanism to allow users access to hosts on the guest VLAN.

Guest VLAN Period

The value, in seconds, of the timer used for guest VLAN authentication.

Unauthenticated VLAN ID

The VLAN ID of the unauthenticated VLAN. Hosts that fail the authentication might be denied access to the network or placed on a VLAN created for unauthenticated clients. This VLAN might be configured with limited network access.

Supplicant Timeout

The amount of time that the port waits for a response before retransmitting an EAP request frame to the client.

Server Timeout

The amount of time the port waits for a response from the authentication server.

Maximum Requests

The maximum number of times that the port sends an EAP request frame (assuming that no response is received) to the client before restarting the authentication process.

Configured MAB Mode

The configured MAC-based Authentication Bypass (MAB) mode on the port.

Operational MAB Mode

The operational MAC-based Authentication Bypass (MAB) mode on the port.

Re-Authentication Period

The amount of time that clients can be connected to the port without being reauthenticated. If this field is disabled, connected clients are not forced to reauthenticate periodically.

Maximum Users

The maximum number of clients supported on the port if the Control Mode on the port is MAC-based 802.1X authentication.

Click Refresh to update the information on the screen.
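The retry timers from the Port Configuration fields (Start Period and Maximum Start Messages on a supplicant port) and the Port Details fields (Supplicant Timeout and Maximum Requests on an authenticator port) follow the same pattern, and the Control Mode, guest VLAN and unauthenticated VLAN settings decide where a client ends up. The following added Python example (not EdgeSwitch code) models both; the function names and timer values are assumptions, as is the choice to place a client that never answers EAP on the guest VLAN:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def retransmit_schedule(period: int, max_messages: int,
                        reply_at: Optional[int]) -> Tuple[List[int], bool]:
    """Retry loop shared by the 802.1X timers: a frame is sent at t=0 and resent every
    `period` seconds while no reply arrives, at most `max_messages` times.
    Returns (send times, whether a reply arrived before the last timer expired)."""
    sends: List[int] = []
    t = 0
    while len(sends) < max_messages:
        sends.append(t)
        if reply_at is not None and reply_at < t + period:
            return sends, True          # reply arrived before this timer expired
        t += period
    return sends, False                 # exhausted the configured number of messages


def supplicant_start(start_period: int, maximum_start_messages: int,
                     authenticator_replies_at: Optional[int]) -> Tuple[str, int]:
    """Supplicant port: EAPOL-Start retries. With no reply after Maximum Start Messages,
    the authenticator is considered 802.1X-unaware."""
    sends, replied = retransmit_schedule(start_period, maximum_start_messages,
                                         authenticator_replies_at)
    return ("authenticator-replied" if replied else "authenticator-802.1x-unaware", len(sends))


def authenticator_request(supplicant_timeout: int, maximum_requests: int,
                          supplicant_replies_at: Optional[int]) -> Tuple[str, int]:
    """Authenticator port: EAP request retries every Supplicant Timeout seconds.
    Exhausting Maximum Requests restarts the authentication process."""
    sends, replied = retransmit_schedule(supplicant_timeout, maximum_requests,
                                         supplicant_replies_at)
    return ("supplicant-replied" if replied else "restart-authentication", len(sends))


@dataclass
class PortPolicy:
    control_mode: str                              # "auto", "force-authorized", "force-unauthorized"
    guest_vlan_id: Optional[int] = None            # VLAN for clients that never answer EAP
    unauthenticated_vlan_id: Optional[int] = None  # VLAN for clients that fail authentication


def port_access_result(policy: PortPolicy, supplicant_replied: bool,
                       server_accepted: Optional[bool]) -> Tuple[str, Optional[int]]:
    """Where a client ends up after the exchange: (port state, VLAN it is placed on)."""
    if policy.control_mode == "force-authorized":
        return ("authorized", None)            # no authentication required
    if policy.control_mode == "force-unauthorized":
        return ("unauthorized", None)          # access always denied
    if not supplicant_replied:
        # Assumption: a client without a working supplicant goes to the guest VLAN if one exists.
        if policy.guest_vlan_id is not None:
            return ("guest-vlan", policy.guest_vlan_id)
        return ("unauthorized", None)
    if server_accepted:
        return ("authorized", None)
    # Authentication failed: deny, or place on the unauthenticated VLAN if configured.
    if policy.unauthenticated_vlan_id is not None:
        return ("unauthenticated-vlan", policy.unauthenticated_vlan_id)
    return ("unauthorized", None)
```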


Port Access Control Statistics Fields (Continued)

Field

Description

EAP Response/ID Frames Received

The total number of EAP-Response Identity frames the interface has received. EAP-Response Identity frames are sent by a supplicant to provide user information that is used for authentication. This field is displayed only if the interface is configured as an authenticator.

EAP Response Frames Received

The total number of EAP-Response frames the interface has received. EAP-Response frames are sent from a supplicant to an authentication server during the authentication process. This field is displayed only if the interface is configured as an authenticator.

EAP Request/ID Frames Transmitted

The total number of EAP-Request Identity frames the interface has sent. EAP-Request Identity frames are sent from an authenticator to a supplicant to request user information that is used for authentication. This field is displayed only if the interface is configured as an authenticator.

EAPOL Start Frames Transmitted

The total number of EAPOL-Start frames the interface has sent to a remote authenticator. EAPOL-Start frames are sent by a supplicant to initiate the 802.1X authentication process when it connects to the interface. This field is displayed only if the interface is configured as a supplicant.

EAPOL Logoff Frames Transmitted

The total number of EAPOL-Logoff frames the interface has sent to a remote authenticator. EAPOL-Logoff frames are sent by a supplicant to indicate that it is disconnecting from the network, and the interface can return to the unauthorized state. This field is displayed only if the interface is configured as a supplicant.

EAP Response/ID Frames Transmitted

The total number of EAP-Response Identity frames the interface has sent. EAP-Response Identity frames are sent by a supplicant to provide user information that is used for authentication. This field is displayed only if the interface is configured as a supplicant.

EAP Request/ID Frames Received

The total number of EAP-Request Identity frames the interface has received. EAP-Request Identity frames are sent from an authenticator to a supplicant to request user information that is used for authentication. This field is displayed only if the interface is configured as a supplicant.

EAP Request Frames Received

The total number of EAP-Request frames the interface has received. EAP-Request frames are sent from the authentication server to the supplicant during the authentication process. This field is displayed only if the interface is configured as a supplicant.

Invalid EAPOL Frames Received

The number of unrecognized EAPOL frames received on the interface.

EAPOL Length Error Frames Received

The number of EAPOL frames with an invalid packet body length received on the interface.

Clear (Button)

Resets all statistics counters to 0 for the selected interface or interfaces.

Use the buttons to perform the following tasks:
· Click Details to view additional per-interface EAPOL and EAP message statistics for the selected interface(s).
· Click Clear to reset all statistics counters to 0 for the selected interface(s).
· Click Refresh to refresh the page with the most current data from the switch.


Chapter 7: Configuring Quality of Service
This section gives an overview of Quality of Service (QoS) and explains the QoS features available from the Quality of Service navigation menu. This section contains the following subsections:
· "Configuring Access Control Lists" on page 230
· "Configuring Auto VoIP" on page 238
· "Configuring Class of Service" on page 243
In a typical switch, each physical port consists of one or more queues for transmitting packets on the attached network. Multiple queues per port are often provided to give preference to certain packets over others based on user-defined criteria. When a packet is queued for transmission in a port, the rate at which it is serviced depends on how the queue is configured and possibly the amount of traffic present in the other queues of the port. If a delay is necessary, packets get held in the queue until the scheduler authorizes the queue for transmission. As queues become full, packets have no place to be held for transmission and get dropped by the switch.
QoS is a means of providing consistent, predictable data delivery by distinguishing between packets that have strict timing requirements from those that are more tolerant of delay. Packets with strict timing requirements are given "special treatment" in a QoS capable network. With this in mind, all elements of the network must be QoS-capable. The presence of at least one node which is not QoS-capable creates a deficiency in the network path and the performance of the entire packet flow is compromised.


Configuring Access Control Lists
Access Control Lists (ACLs) ensure that only authorized users have access to specific resources while blocking off any unwarranted attempts to reach network resources. ACLs are used to provide traffic flow control, restrict contents of routing updates, decide which types of traffic are forwarded or blocked, and above all provide security for the network. The EdgeSwitch software supports IPv4 and MAC ACLs. The total number of MAC and IP ACLs supported by the EdgeSwitch software is platform-specific.
You first create an IPv4-based or MAC-based rule and assign a unique ACL ID. Then, you define the rules, which can identify protocols, source and destination IP and MAC addresses, and other packet-matching criteria. Finally, you use the ID number to assign the ACL to a port or to a VLAN interface.
IP Access Control Lists
IP access control lists (ACL) allow network managers to define classification actions and rules for specific ports. ACLs are composed of access control entries (ACE), or rules, that consist of the filters that determine traffic classifications. The total number of rules that can be defined for each ACL is platform-specific. These rules are matched sequentially against a packet. When a packet meets the match criteria of a rule, the specified rule action (Permit/Deny) is taken, including dropping the packet or disabling the port, and the additional rules are not checked for a match. For example, a network administrator defines an ACL rule that says port number 20 can receive TCP packets. However, if a UDP packet is received the packet is dropped.
The IP Access Control List folder contains links to UI pages that allow you to configure and view IP ACLs.
To configure an IP ACL:
1. Use the IP ACL Configuration page to define the IP ACL type and assign an ID to it.
2. Use the Access Control List Interface Summary page to create rules for the ACL.
3. Use the Access Control List Configuration page to view the configuration.


Access Control List Configuration Fields (Continued)

Field

Description

Add IPv4 ACL Rule window fields: After you click Add Rule, this window opens, allowing you to add a rule to the ACL selected in the ACL Identifier field. The fields available in the window depend on the ACL Type. The following information describes the fields in this window. The Match Criteria tables that apply to IPv4 ACLs, IPv6 ACLs, and MAC ACLs are described separately.

Match Criteria (IPv4 ACLs): Fields in this section specify the criteria to use to determine whether an IP packet matches the rule.
Note: The fields described below apply to IPv4 Standard, IPv4 Extended, and IPv4 Named ACLs, except those marked with an asterisk (*), which apply to IPv4 Extended and IPv4 Named ACLs only.

Every

When this option is selected, all packets will match the rule and will be either permitted or denied. This option is exclusive of all other match criteria: if Every is selected, no other match criteria can be configured. To configure specific match criteria, this option must be cleared.

Protocol*

The IANA-assigned protocol number to match within the IP packet. You can also specify one of the following keywords: EIGRP, GRE, ICMP, IGMP, IP, IPINIP, OSPF, PIM, TCP, or UDP.

Fragments*

IP ACL rule to match on fragmented IP packets.

Source IP Address / Wildcard Mask

The source IP address in the packet and the source IP wildcard mask (in the second field) to compare to the IP address in a packet header. Wildcard masks determine which bits in the IP address are used and which bits are ignored. A wildcard mask of 255.255.255.255 indicates that no bit is important. A wildcard of 0.0.0.0 indicates that all of the bits are important. Wildcard masking for ACLs operates differently from a subnet mask. A wildcard mask is in essence the inverse of a subnet mask. With a subnet mask, the mask has ones (1's) in the bit positions that are used for the network address, and has zeros (0's) for the bit positions that are not used. In contrast, a wildcard mask has zeros (0's) in a bit position that must be checked. A 1 in a bit position of the ACL mask indicates the corresponding bit can be ignored. This field is required when you configure a source IP address.

Source L4 Port*

The TCP/UDP source port to match in the packet header. The Source L4 Port and Destination L4 port are configurable only if protocol is either TCP or UDP. Equal to, Not Equal to, Greater than, and Less than options are available.
For TCP protocol: BGP, Domain, Echo, FTP, FTP-Data, HTTP, SMTP, Telnet, WWW, POP2, or POP3.
For UDP protocol: Domain, Echo, NTP, RIP, SNMP, TFTP, Time, or WHO.

Destination IP Address / Wildcard Mask

The destination IP address in the packet and the destination IP wildcard mask (in the second field) to compare to the IP address in a packet header. Wildcard masks determine which bits in the IP address are used and which bits are ignored. A wildcard mask of 255.255.255.255 indicates that no bit is important. A wildcard of 0.0.0.0 indicates that all of the bits are important. Wildcard masking for ACLs operates differently from a subnet mask. A wildcard mask is in essence the inverse of a subnet mask. With a subnet mask, the mask has ones (1's) in the bit positions that are used for the network address, and has zeros (0's) for the bit positions that are not used. In contrast, a wildcard mask has zeros (0's) in a bit position that must be checked. A 1 in a bit position of the ACL mask indicates the corresponding bit can be ignored. This field is required when you configure a destination IP address.

Destination L4 Port*

The TCP/UDP destination port to match in the packet header. The Source L4 Port and Destination L4 port are configurable only if protocol is either TCP or UDP. Equal to, Not Equal to, Greater than, and Less than options are available.
For TCP protocol: BGP, Domain, Echo, FTP, FTP-Data, HTTP, SMTP, Telnet, WWW, POP2, or POP3.
For UDP protocol: Domain, Echo, NTP, RIP, SNMP, TFTP, Time, or WHO.

IGMP Type*

IP ACL rule to match on the specified IGMP message type. Available only if the protocol is IGMP.

ICMP Type *

IP ACL rule to match on the specified ICMP message type. Available only if the protocol is ICMP.

ICMP Code*

IP ACL rule to match on the specified ICMP message code. Available only if the protocol is ICMP.

ICMP Message*

IP ACL rule to match on the ICMP message type and code. Available only if the protocol is ICMP.
Specify one of the following supported ICMP messages: Echo, Echo-Reply, Host-Redirect, Mobile-Redirect, Net-Redirect, Net-Unreachable, Redirect, Packet-Too-Big, Port-Unreachable, Source-Quench, Router-Solicitation, Router-Advertisement, Time-Exceeded, TTL-Exceeded, and Unreachable.

TCP Flags*

IP ACL rule to match on the TCP flags. Available only if the protocol is TCP.
When a + flag is specified, a match occurs if the flag is set in the TCP header. When a - flag is specified, a match occurs if the flag is not set in the TCP header. When Established is specified, a match occurs if either RST or ACK bits are set in the TCP header.
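The matching rules spread over the IP Access Control Lists introduction (rules checked in order, first match decides) and the field descriptions above (wildcard masks as the inverse of a subnet mask, L4 port operators, +flag/-flag and Established TCP flag matching), as an added Python evaluator that is not EdgeSwitch code. The class and function names and the sample ACL are constructed, and treating a packet that matches no rule as denied is an assumption:

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """ACL wildcard masking: a 0 bit in the mask must match, a 1 bit is ignored
    (the inverse of a subnet mask). 0.0.0.0 = exact host, 255.255.255.255 = any."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (r & care)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str                               # "tcp", "udp", "icmp", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: FrozenSet[str] = frozenset()     # e.g. frozenset({"syn"})


@dataclass(frozen=True)
class Rule:
    action: str                                 # "permit" or "deny"
    every: bool = False                         # matches everything; excludes other criteria
    protocol: Optional[str] = None
    src: Optional[Tuple[str, str]] = None       # (address, wildcard mask)
    dst: Optional[Tuple[str, str]] = None
    src_port: Optional[Tuple[str, int]] = None  # ("eq" | "neq" | "gt" | "lt", port)
    dst_port: Optional[Tuple[str, int]] = None
    tcp_flags: Optional[str] = None             # "+syn -ack" style, or "established"


def port_condition_matches(cond: Optional[Tuple[str, int]], port: Optional[int]) -> bool:
    """Equal to / Not Equal to / Greater than / Less than on a TCP or UDP port."""
    if cond is None:
        return True
    if port is None:
        return False
    op, value = cond
    return {"eq": port == value, "neq": port != value,
            "gt": port > value, "lt": port < value}[op]


def tcp_flags_match(spec: Optional[str], flags: FrozenSet[str]) -> bool:
    """+flag: must be set; -flag: must be clear; established: RST or ACK set."""
    if spec is None:
        return True
    if spec.lower() == "established":
        return "rst" in flags or "ack" in flags
    for token in spec.lower().split():
        want_set, name = token.startswith("+"), token[1:]
        if (name in flags) != want_set:
            return False
    return True


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.every:
        return True
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.src is not None and not wildcard_match(pkt.src_ip, *rule.src):
        return False
    if rule.dst is not None and not wildcard_match(pkt.dst_ip, *rule.dst):
        return False
    # L4 ports only apply to TCP/UDP, TCP flags only to TCP.
    if (rule.src_port or rule.dst_port) and pkt.protocol not in ("tcp", "udp"):
        return False
    if not port_condition_matches(rule.src_port, pkt.src_port):
        return False
    if not port_condition_matches(rule.dst_port, pkt.dst_port):
        return False
    if rule.tcp_flags is not None:
        if pkt.protocol != "tcp" or not tcp_flags_match(rule.tcp_flags, pkt.tcp_flags):
            return False
    return True


def evaluate_acl(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Rules are checked in order; the first match decides and later rules are skipped.
    Returns (action, index of the matching rule). Assumption: no match means deny."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Constructed sample ACL: TCP to port 20 on 10.0.1.0/24 is allowed, replies from that
# subnet on established connections are allowed, everything else (UDP included) is denied.
SAMPLE_ACL = [
    Rule("permit", protocol="tcp", dst=("10.0.1.0", "0.0.0.255"), dst_port=("eq", 20)),
    Rule("permit", protocol="tcp", src=("10.0.1.0", "0.0.0.255"), tcp_flags="established"),
    Rule("deny", every=True),
]
```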


Access Control List Configuration Fields (Continued)

Field

Description

Service Type*

The service type to match in the IP header. The available options are alternate ways to specify a match condition for the same Service Type field in the IP header, but each service type uses a different user notation. After you select the service type, specify the value for the service type in the appropriate field. Only the field associated with the selected service type can be configured. The services types are:
· IP DSCP Matches the packet IP DiffServ Code Point (DSCP) value to the rule. The DSCP value is defined as the high-order six bits of the Service Type octet in the IP header.
· IP Precedence Matches the IP Precedence value to the rule. The IP Precedence field in a packet is defined as the high-order three bits of the Service Type octet in the IP header.
· IP TOS Bits Matches on the Type of Service (TOS) bits in the IP header. The IP TOS field in a packet is defined as all eight bits of the Service Type octet in the IP header. For example, to check for an IP TOS value having bits 7 and 5 set and bit 1 clear, where bit 7 is most significant, use a TOS Bits value of 0xA0 and a TOS Mask of 0xFF.
  · TOS Bits Requires the bits in a packet's TOS field to match the two-digit hexadecimal number entered in this field.
  · TOS Mask The bit positions that are used for comparison against the IP TOS field in a packet.

Time Range Name

The name of the time range that will impose a time limit on the ACL rule. If a time range with the specified name does not exist, and the ACL containing this rule is associated with an interface, the ACL rule is applied immediately. If a time range with specified name exists, and the ACL containing this ACL rule is associated with an interface, the ACL rule is applied when the time-range with specified name becomes active. The ACL rule is removed when the time-range with specified name becomes inactive.

Committed Rate / Burst Size

The allowed transmission rate for packets on the interface (Committed Rate), and the number of bytes allowed in a temporary traffic burst (Burst Rate).

Match Criteria (IPv6 ACLs) - The fields in this section specify the criteria to use to determine whether an IP packet matches the rule. The fields described below apply to IPv6 ACLs.

Every

When this option is selected, all packets will match the rule and will be either permitted or denied. This option is exclusive to all other match criteria: if Every is selected, no other match criteria can be configured. To configure specific match criteria, this option must be cleared.

Protocol

The IANA-assigned protocol number to match within the IP packet. You can also specify one of the following keywords: ICMP, IGMP, TCP, UDP, ICMPv6, or IP.

Fragments

IPv6 ACL rule to match on fragmented IP packets.

Source Prefix / Prefix Length

The IPv6 prefix combined with IPv6 prefix length of the network or host sending the packet.

Source L4 Port

The TCP/UDP source port to match in the packet header. Select one of the following options: Equal, Not Equal, Less Than, Greater Than, or Range, and specify the port number or keyword. TCP port keywords include BGP, Domain, Echo, FTP, FTP Data, HTTP, SMTP, Telnet, WWW, POP2, and POP3. UDP port keywords include Domain, Echo, NTP, RIP, SNMP, TFTP, TIME, and WHO.

Destination Prefix / Prefix Length

The IPv6 prefix combined with the IPv6 prefix length to be compared to a packet's destination IPv6 address as a match criteria for the IPv6 ACL rule. To indicate a destination host, specify an IPv6 prefix length of 128.

Destination L4 Port

The TCP/UDP destination port to match in the packet header. Select one of the following options: Equal, Not Equal, Less Than, Greater Than, or Range, and specify the port number or keyword. TCP port keywords include BGP, Domain, Echo, FTP, FTP Data, HTTP, SMTP, Telnet, WWW, POP2, and POP3. UDP port keywords include Domain, Echo, NTP, RIP, SNMP, TFTP, TIME, and WHO.

ICMP Type

IPv6 ACL rule to match on the specified ICMP message type. This option is available only if the protocol is ICMPv6.

ICMP Code

IPv6 ACL rule to match on the specified ICMP message code. This option is available only if the protocol is ICMPv6.

ICMP Message

IPv6 ACL rule to match on the ICMP message type and code. Specify one of the following supported ICMPv6 messages: Destination-Unreachable, Echo-Request, Echo-Reply, Header, Hop-Limit, MLD-Query, MLD-Reduction, MLD-Report, ND-NA, ND-NS, Next-Header, No-Admin, No-Route, Packet-Too-Big, Port-Unreachable, Router-Solicitation, Router-Advertisement, Router-Renumbering, Time-Exceeded, and Unreachable. This option is available only if the protocol is ICMPv6.

TCP Flags

IPv6 ACL rule to match on the TCP flags. When a + flag is specified, a match occurs if the flag is set in the TCP header. When a - flag is specified, a match occurs if the flag is not set in the TCP header. When Established is specified, a match occurs if either RST or ACK bits are set in the TCP header. This option is available only if the protocol is TCP.

Flow Label

A 20-bit number that is unique to an IPv6 packet, used by end stations to signify quality-of-service handling in routers.


IP DSCP

The IP DSCP value in the IPv6 packet to match to the rule. The DSCP value is defined as the high-order six bits of the Service Type octet in the IPv6 header.

Routing

IPv6 ACL rule to match on routed packets.

Match Criteria (MAC ACLs) - The fields in this section specify the criteria to use to determine whether an Ethernet frame matches the rule. The fields described below apply to MAC ACLs.

Every

When this option is selected, all packets will match the rule and will be either permitted or denied. This option is exclusive to all other match criteria: if Every is selected, no other match criteria can be configured. To configure specific match criteria, this option must be cleared.

CoS

The 802.1p user priority value to match within the Ethernet frame.

Ethertype

The EtherType value to match in an Ethernet frame. Specify the number associated with the EtherType or specify one of the following keywords: AppleTalk, ARP, IBM SNA, IPv4, IPv6, IPX, MPLS, Unicast, NETBIOS, NOVELL, PPPoE, or RARP.

Source MAC Address / Mask

The MAC address to match to an Ethernet frame's source port MAC address. If desired, enter the MAC mask associated with the source MAC to match. The MAC address mask specifies which bits in the source MAC to compare against an Ethernet frame, and uses F's and 0's in a wildcard format. An F means that the bit is not checked, and a 0 in a bit position means that the data must equal the value given for that bit. For example, if the MAC address is aa:bb:cc:dd:ee:ff, and the mask is 00:00:ff:ff:ff:ff, all MAC addresses with aa:bb:xx:xx:xx:xx result in a match (where x is any hexadecimal number).

Destination MAC Address / Mask

The MAC address to match to an Ethernet frame's destination port MAC address. If desired, enter the MAC Mask associated with the destination MAC to match. The MAC address mask specifies which bits in the destination MAC to compare against an Ethernet frame. Use F's and 0's in the MAC mask, which is in a wildcard format. An F means that the bit is not checked, and a 0 in a bit position means that the data must equal the value given for that bit. For example, if the MAC address is aa:bb:cc:dd:ee:ff, and the mask is 00:00:ff:ff:ff:ff, all MAC addresses with aa:bb:xx:xx:xx:xx result in a match (where x is any hexadecimal number).

VLAN

The VLAN ID to match within the Ethernet frame.

Rule Attributes - The fields in this section provide information about the actions to take on a frame or packet that matches the rule criteria. The attributes specify actions other than the basic Permit or Deny actions.

Assign Queue

The number that identifies the hardware egress queue that will handle all packets matching this rule.

Interface

The interface to use for the action:
· Redirect Allows traffic that matches a rule to be redirected to the selected interface instead of being processed on the original port. The redirect function and mirror function are mutually exclusive.
· Mirror Allows traffic that matches a rule to be mirrored to a selected interface. Mirroring is similar to the redirect function, except that in flow-based mirroring a copy of the permitted traffic is delivered to the mirror interface while the packet itself is forwarded normally through the device.

Log

When this option is selected, logging is enabled for this ACL rule (subject to resource availability in the device). If the Access List Trap Flag is also enabled, this will cause periodic traps to be generated indicating the number of times this rule went into effect during the current report interval. A fixed 5-minute report interval is used for the entire system. A trap is not issued if the ACL rule hit count is zero for the current interval.

Time Range Name

The name of the time range that will impose a time limitation on the ACL rule. If a time range with the specified name does not exist, and the ACL containing this ACL rule is associated with an interface, the ACL rule is applied immediately. If a time range with the specified name exists, and the ACL containing this ACL rule is associated with an interface, the ACL rule is applied when the specified time-range becomes active. The ACL rule is removed when the specified time-range becomes inactive.

Committed Rate / Burst Size

The allowed transmission rate for frames on the interface (Committed Rate), and the number of bytes allowed in a temporary traffic burst (Burst Rate).

Use the buttons to perform the following tasks:
· To add an ACL rule entry, select the ID of the ACL that will include the rule from the ACL Identifier dropdown menu. Then, click Add Rule and configure the rule criteria and attributes (new rules cannot be created if the maximum number of rules has been reached). Finally, click Submit to apply the changes.
· To remove the most recently configured rule for an ACL, select the ID of the appropriate ACL from the ACL Identifier menu and click Remove Last Rule. You must confirm the action before the entry is deleted.
· Click Refresh to refresh the page with the most current data from the switch.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.


Protocol Based Auto VoIP Fields (Continued)

802.1p Priority

The 802.1p priority used for protocol-based VoIP traffic. This field can be configured if the Prioritization Type is 802.1p Priority. If the Auto VoIP Mode is enabled and the interface detects a call-control protocol, the device marks traffic in that session with the specified 802.1p priority value to ensure voice traffic always gets the highest priority throughout the network path. Egress tagging must be administratively enabled on the appropriate uplink port to carry the remarked priority at the egress port.

Traffic Class

The traffic class used for protocol-based VoIP traffic. This field can be configured if the Prioritization Type is Traffic Class. If the Auto VoIP Mode is enabled and the interface detects a call-control protocol, the device assigns the traffic in that session to the configured Class of Service (CoS) queue. Traffic classes with a higher value are generally used for time-sensitive traffic. The CoS queue associated with the specified traffic class should be configured with the appropriate bandwidth allocation to allow priority treatment for VoIP traffic.

Interface

The interface associated with the rest of the data in the row. When editing Auto VoIP settings on one or more interfaces, this field identifies the interface(s) being configured.

Auto VoIP Mode

The administrative mode of the Auto VoIP feature on the interface:
· Enable The interface scans incoming traffic for the following call-control protocols:
  · Session Initiation Protocol (SIP)
  · H.323
  · Skinny Client Control Protocol (SCCP)
· Disable The interface does not use the Auto VoIP feature to scan for call-control protocols.

Operational Status

The operational status of an interface. To be up, an interface must be administratively enabled and have a link.

Use the buttons to perform the following tasks:
· If you edit any fields, click Submit to apply the changes.
· To configure settings on one or more interfaces, select each interface and click Edit. In the Edit Protocol Based Port Configuration window, edit the settings as needed, and click Submit to apply the changes.
· To configure settings on all interfaces, click Edit All. In the Edit Protocol Based Port Configuration window, change the settings as needed, and click Submit to apply the changes.
· Click Refresh to refresh the page with the most current data from the switch.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.


Diffserv Class Configuration Fields (Continued)

Reference Class

Select this option to reference another class for criteria. The match criteria defined in the referenced class are used as match criteria in addition to the match criteria you define for the selected class. After selecting this option, the classes that can be referenced are displayed. Select the class to reference. A class can reference at most one other class of the same type.

Class of Service

Select this option to require the Class of Service (CoS) value in an Ethernet frame header to match the specified CoS value.

Secondary Class of Service

Select this option to require the secondary CoS value in an Ethernet frame header to match the specified secondary CoS value.

Ethertype

Select this option to require the EtherType value in the Ethernet frame header to match the specified EtherType value. After you select this option, specify the EtherType value in one of these two fields:
· Ethertype Keyword - The menu includes several common protocols that are mapped to their EtherType values.
· Ethertype Value - This field accepts custom EtherType values.

VLAN

Select this option to require a packet's VLAN ID to match a VLAN ID or a VLAN ID within a continuous range. If you configure a range, a match occurs if a packet's VLAN ID is the same as any VLAN ID within the range. After you select this option, use the following fields to configure the VLAN match criteria:
· VLAN ID Start The VLAN ID to match or the VLAN ID with the lowest value within a range of VLANs.
· VLAN ID End The VLAN ID with the highest value within the range of VLANs. This field is not required if the match criteria is a single VLAN ID.

Secondary VLAN

Select this option to require a packet's VLAN ID to match a secondary VLAN ID or a secondary VLAN ID within a continuous range. If you configure a range, a match occurs if a packet's secondary VLAN ID is the same as any secondary VLAN ID within the range. After you select this option, use the following fields to configure the secondary VLAN match criteria:
· Secondary VLAN ID Start The secondary VLAN ID to match or the secondary VLAN ID with the lowest value within a range of VLANs.
· Secondary VLAN ID End The secondary VLAN ID with the highest value within the range of VLANs. This field is not required if the match criteria is a single VLAN ID.

Source MAC Address

Select this option to require a packet's source MAC address to match the specified MAC address. After you select this option, use the following fields to configure the source MAC address match criteria:
· MAC Address The source MAC address to match.
· MAC Mask The MAC mask, which specifies the bits in the source MAC address to compare against an Ethernet frame. Use F's and 0's to configure the MAC mask. An F means that the bit is checked, and a 0 in a bit position means that the data is not significant. For example, if the MAC address is aa:bb:cc:dd:ee:ff, and the mask is ff:ff:00:00:00:00, all MAC addresses with aa:bb:xx:xx:xx:xx result in a match (where x is any hexadecimal number). Note that this is not a wildcard mask, which ACLs use.

Destination MAC Address

Select this option to require a packet's destination MAC address to match the specified MAC address. After you select this option, use the following fields to configure the destination MAC address match criteria:
· MAC Address The destination MAC address to match.
· MAC Mask The MAC mask, which specifies the bits in the destination MAC address to compare against an Ethernet frame. Use F's and 0's to configure the MAC mask. An F means that the bit is checked, and a 0 in a bit position means that the data is not significant. For example, if the MAC address is aa:bb:cc:dd:ee:ff, and the mask is ff:ff:00:00:00:00, all MAC addresses with aa:bb:xx:xx:xx:xx result in a match (where x is any hexadecimal number). Note that this is not a wildcard mask, which ACLs use.

Source IPv6 Address

Select this option to require the source IPv6 address in a packet header to match the specified values. After you select this option, use the following fields to configure the source IPv6 address match criteria:
· Source Prefix The source IPv6 prefix to match.
· Source Prefix Length The IPv6 prefix length.

Destination IPv6 Address

Select this option to require the destination IPv6 address in a packet header to match the specified values. After you select this option, use the following fields to configure the destination IPv6 address match criteria:
· Destination Prefix The destination IPv6 prefix to match.
· Destination Prefix Length The IPv6 prefix length.
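The three mask conventions on these pages are easy to confuse: the IP ACL wildcard and the MAC ACL mask treat a 1 (or F) bit as ignored, while the DiffServ class MAC mask treats an F bit as checked. The following is an added Python example, not EdgeSwitch code, that reproduces the documented rules for the IP wildcard, both MAC mask styles, the TOS Bits/TOS Mask check and the +/-/Established TCP flag syntax, and evaluates them on this guide's own sample values (the aa:bb:xx:xx:xx:xx MAC example, the 0xA0/0xFF TOS example, and the "permit 1.1.1.2 0.0.0.255" access list from the policy-based routing example). The frame and packet values fed in are constructed.

```python
import ipaddress

# Constructed sample values (not taken from a switch) used by the checks below.
RULE_MAC = "aa:bb:cc:dd:ee:ff"
ACL_MAC_WILDCARD = "00:00:ff:ff:ff:ff"   # ACL convention: F = bit is NOT checked
CLASS_MAC_MASK = "ff:ff:00:00:00:00"     # DiffServ class convention: F = bit IS checked
MAC_ALL = 0xFFFFFFFFFFFF
IPV4_ALL = 0xFFFFFFFF
TCP_FLAG = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _mac(s: str) -> int:
    return int.from_bytes(bytes.fromhex(s.replace(":", "")), "big")


def ipv4_acl_match(packet_ip: str, rule_ip: str, wildcard: str) -> bool:
    """IP ACL wildcard mask: a 0 bit must match, a 1 bit is ignored (the inverse
    of a subnet mask), so 0.0.0.0 is an exact host match and 255.255.255.255
    matches any address."""
    care = IPV4_ALL ^ _ip(wildcard)
    return (_ip(packet_ip) & care) == (_ip(rule_ip) & care)


def mac_acl_match(frame_mac: str, rule_mac: str, wildcard: str) -> bool:
    """MAC ACL mask: F bits are not checked, 0 bits must equal the rule."""
    care = MAC_ALL ^ _mac(wildcard)
    return (_mac(frame_mac) & care) == (_mac(rule_mac) & care)


def mac_class_match(frame_mac: str, rule_mac: str, mask: str) -> bool:
    """DiffServ class MAC mask: F bits are checked, 0 bits are not significant.
    Same rule MAC as mac_acl_match, opposite mask polarity."""
    care = _mac(mask)
    return (_mac(frame_mac) & care) == (_mac(rule_mac) & care)


def tos_match(tos_octet: int, tos_bits: int, tos_mask: int) -> bool:
    """IP TOS Bits / TOS Mask: only the mask's 1 bits are compared."""
    return (tos_octet & tos_mask) == (tos_bits & tos_mask)


def dscp_and_precedence(tos_octet: int) -> tuple:
    """DSCP is the high-order six bits of the octet, IP Precedence the high-order three."""
    return tos_octet >> 2, tos_octet >> 5


def tcp_flags_match(flags: int, spec: list) -> bool:
    """'+syn' requires the flag set, '-ack' requires it clear, and 'established'
    matches when either RST or ACK is set, as the TCP Flags field defines it."""
    for item in spec:
        if item == "established":
            if not flags & (TCP_FLAG["rst"] | TCP_FLAG["ack"]):
                return False
        elif item.startswith("+"):
            if not flags & TCP_FLAG[item[1:]]:
                return False
        elif item.startswith("-"):
            if flags & TCP_FLAG[item[1:]]:
                return False
        else:
            raise ValueError(f"bad flag spec: {item}")
    return True


def run_examples() -> dict:
    """Evaluate the guide's own examples and return the outcomes by name."""
    frame = "aa:bb:12:34:56:78"   # constructed frame MAC of the form aa:bb:xx:xx:xx:xx
    return {
        # PBR example's "access-list 1 permit 1.1.1.2 0.0.0.255": any 1.1.1.x host
        "pbr_same_subnet": ipv4_acl_match("1.1.1.200", "1.1.1.2", "0.0.0.255"),
        "pbr_other_subnet": ipv4_acl_match("1.1.2.2", "1.1.1.2", "0.0.0.255"),
        "host_exact": ipv4_acl_match("1.1.1.3", "1.1.1.2", "0.0.0.0"),
        "acl_mac": mac_acl_match(frame, RULE_MAC, ACL_MAC_WILDCARD),
        "class_mac": mac_class_match(frame, RULE_MAC, CLASS_MAC_MASK),
        # The pitfall: an ACL-style wildcard in a DiffServ class checks the wrong half.
        "class_mac_with_acl_mask": mac_class_match(frame, RULE_MAC, ACL_MAC_WILDCARD),
        # Bits 7 and 5 set, bit 1 clear: 0xA0/0xFF also forces every other bit clear.
        "tos_exact": tos_match(0xA0, 0xA0, 0xFF),
        "tos_bit1_set": tos_match(0xA2, 0xA0, 0xFF),
        # A mask of 0xA2 tests only bits 7, 5 and 1, so a packet with bit 2 set still matches.
        "tos_three_bits_only": tos_match(0xA4, 0xA0, 0xA2),
        "dscp_prec_of_a0": dscp_and_precedence(0xA0),
        "established_syn_ack": tcp_flags_match(0x12, ["established"]),
        "established_syn_only": tcp_flags_match(0x02, ["established"]),
        "new_conn_syn_no_ack": tcp_flags_match(0x02, ["+syn", "-ack"]),
    }
```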


Diffserv Class Configuration Fields (Continued)

Source L4 Port

Select this option to require a packet's TCP/UDP source port to match the specified port or the port number within a range of port numbers. If you configure a range, a match occurs if a packet's source port number is the same as any source port number within the range. After you select this option, use the following fields to configure a source port keyword, source port number, or source port range for the match criteria:
· Protocol Select the desired L4 keyword from the list on which the match is based. If you select a keyword, the other source port configuration fields are not available.
· Port End A user-defined L4 source port number to match or the source port number with the lowest value within a range of ports.
· Port Start The source port with the highest value within the range of ports. This field is not required if the match criteria is a single port.

Destination L4 Port

Select this option to require a packet's TCP/UDP destination port to match the specified port or the port number within a range of port numbers. If you configure a range, a match occurs if a packet's destination port number is the same as any destination port number within the range. After you select this option, use the following fields to configure a destination port keyword, destination port number, or destination port range for the match criteria:
· Protocol Select the desired L4 keyword from the list on which the match is based. If you select a keyword, the other destination port configuration fields are not available.
· Port End A user-defined L4 destination port number to match or the destination port number with the lowest value within a range of ports.
· Port Start The destination port with the highest value within the range of ports. This field is not required if the match criteria is a single port.

IP DSCP

Select this option to require the packet's IP DiffServ Code Point (DSCP) value to match the specified value. The DSCP value is defined as the high-order six bits of the Service Type octet in the IP header. After you select this option, use one of the following fields to configure the IP DSCP match criteria:
· IP DSCP Keyword The IP DSCP keyword code that corresponds to the IP DSCP value to match. If you select a keyword, you cannot configure an IP DSCP Value.
· IP DSCP Value The IP DSCP value to match.

IP Precedence

Select this option to require the packet's IP Precedence value to match the number configured in the IP Precedence Value field. The IP Precedence field in a packet is defined as the high-order three bits of the Service Type octet in the IP header.

IP TOS

Select this option to require the packet's Type of Service (ToS) bits in the IP header to match the specified value. The IP ToS field in a packet is defined as all eight bits of the Service Type octet in the IP header. After you select this option, use the following fields to configure the ToS match criteria:
· IP TOS Bits Enter a two-digit hexadecimal number to match the bits in a packet's ToS field.
· IP TOS Mask Specify the bit positions used for comparison against the IP ToS field in a packet.

Protocol

Select this option to require a packet header's Layer-4 protocol to match the specified value. After you select this option, use one of the following fields to configure the protocol match criteria:
· Protocol The L4 keyword that corresponds to the value of the IANA protocol number to match. If you select a keyword, you cannot configure a Protocol Value.
· Protocol Value The IANA L4 protocol number value to match.

Flow Label

Select this option to require an IPv6 packet's flow label to match the configured value. The flow label is a 20-bit number that is unique to an IPv6 packet, used by end stations to signify quality-of-service handling in routers.

Use the buttons to perform the following tasks:
· To define the match criteria for the selected class, click Add Match Criteria, In the Add Match Criteria window, configure the fields shown in the table below, and click Submit to apply the changes. Once you add a match criteria entry to a class, you cannot edit or remove the entry. However, you can add more match criteria entries to a class until the maximum number of entries has been reached for the class.
· To remove the associated reference class from the selected class, click Remove Reference Class and confirm the action.
· Click Refresh to refresh the page with the most current data from the switch.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.


Diffserv Policy Configuration Fields (Continued)

Police Simple

Select this option to enable the simple traffic policing style for the policy-class. The simple form of the police attribute uses a single data rate and burst size, resulting in two outcomes (conform and violate). After you select this option, configure the following policing criteria:
· Color Mode The type of color policing used in DiffServ traffic conditioning.
· Color Conform Class For color-aware policing, packets in this class are metered against both the committed information rate (CIR) and the peak information rate (PIR). The class definition used for policing color awareness is only allowed to contain a single, non-excluded class match condition identifying one of the supported comparison fields: CoS, IP DSCP, IP Precedence, or Secondary COS.
· Committed Rate (Kbps) The maximum allowed arrival rate of incoming packets for this class.
· Committed Burst Size (Kbytes) The amount of conforming traffic allowed in a burst.
· Conform Action The action taken on packets considered to be conforming (below the police rate).
· Violate Action The action taken on packets considered to be non-conforming (above the police rate).

Police Single Rate

Select this option to enable the single-rate traffic policing style for the policy-class. The single-rate form of the police attribute uses a single data rate and two burst sizes, resulting in three outcomes (conform, exceed, and violate). After you select this option, configure the following policing criteria:
· Color Mode The type of color policing used in DiffServ traffic conditioning.
· Color Conform Class For color-aware policing, packets are metered against the committed information rate (CIR) and the peak information rate (PIR). The class definition used for policing color awareness is only allowed to contain a single, non-excluded class match condition identifying one of the supported comparison fields: CoS, IP DSCP, IP Precedence, or Secondary COS. This field is available only if one or more classes that meet the color-awareness criteria exist.
· Color Exceed Class For color-aware policing, packets are metered against the PIR only.
· Committed Rate (Kbps) The maximum allowed arrival rate of incoming packets for this class.
· Committed Burst Size (Kbytes) The amount of conforming traffic allowed in a burst.
· Excess Burst Size (Kbytes) The amount of conforming traffic allowed to accumulate beyond the Committed Burst Size (Kbytes) value during longer-than-normal idle times. This value allows for occasional bursting.
· Conform Action The action taken on packets considered to be conforming (below the police rate).
· Exceed Action The action taken on packets that are considered to exceed the committed burst size but are within the excess burst size.
· Violate Action The action taken on packets considered to be non-conforming (above the police rate).

Police Two Rate

Select this option to enable the two-rate traffic policing style for the policy-class. The two-rate form of the police attribute uses two data rates and two burst sizes. Only the smaller of the two data rates is intended to be guaranteed. After you select this option, configure the following policing criteria:
· Color Mode The type of color policing used in DiffServ traffic conditioning.
· Color Conform Class For color-aware policing, packets are metered against the committed information rate (CIR) and the peak information rate (PIR). The class definition used for policing color awareness is only allowed to contain a single, non-excluded class match condition identifying one of the supported comparison fields: CoS, IP DSCP, IP Precedence, or Secondary COS. This field is available only if one or more classes that meet the color-awareness criteria exist.
· Color Exceed Class For color-aware policing, packets are metered against the PIR.
· Committed Rate (Kbps) The maximum allowed arrival rate of incoming packets for this class.
· Committed Burst Size (Kbytes) The amount of conforming traffic allowed in a burst.
· Peak Rate (Kbps) The maximum information rate for the arrival of incoming packets for this class.
· Excess Burst Size (Kbytes) The maximum size of the packet burst that can be accepted to maintain the Peak Rate (Kbps).
· Conform Action The action taken on packets considered to be conforming (below the police rate).
· Exceed Action The action taken on packets that are considered to exceed the committed burst size but are within the excess burst size.
· Violate Action The action taken on packets considered to be non-conforming (above the police rate).

Redirect Interface

Select this option to force a classified traffic stream to the specified egress port (physical port or LAG). Use the Interface field to select the interface to which traffic is redirected.
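To make the three policing styles above concrete, here is an added Python model (not EdgeSwitch code) of Police Simple, Police Single Rate and Police Two Rate as color-blind token buckets. It follows the standard srTCM (RFC 2697) and trTCM (RFC 2698) algorithms, which is what the guide's CIR, CBS, EBS and PIR parameters map onto; that the switch hardware meters equivalently, and that 1 Kbyte here means 1000 bytes, are assumptions. The burst of packets it meters is constructed.

```python
CONFORM, EXCEED, VIOLATE = "conform", "exceed", "violate"


def _bytes_per_sec(kbps: float) -> float:
    """Committed Rate (Kbps) to bytes per second of bucket refill."""
    return kbps * 1000.0 / 8.0


class SimplePolicer:
    """Police Simple: one rate and one burst size, two outcomes (conform/violate)."""

    def __init__(self, cir_kbps: float, cbs_kbytes: float):
        self.cir = _bytes_per_sec(cir_kbps)
        self.cbs = cbs_kbytes * 1000.0      # assumption: 1 Kbyte = 1000 bytes
        self.tc = self.cbs                  # committed bucket starts full
        self.last = 0.0

    def meter(self, now: float, length: int) -> str:
        self.tc = min(self.cbs, self.tc + (now - self.last) * self.cir)
        self.last = now
        if self.tc >= length:
            self.tc -= length
            return CONFORM
        return VIOLATE


class SingleRatePolicer:
    """Police Single Rate (srTCM): one rate, CBS plus EBS, three outcomes.
    Refill that overflows the full committed bucket spills into the excess
    bucket, which is how an idle period pays for an occasional larger burst."""

    def __init__(self, cir_kbps: float, cbs_kbytes: float, ebs_kbytes: float):
        self.cir = _bytes_per_sec(cir_kbps)
        self.cbs, self.ebs = cbs_kbytes * 1000.0, ebs_kbytes * 1000.0
        self.tc, self.te = self.cbs, self.ebs
        self.last = 0.0

    def meter(self, now: float, length: int) -> str:
        credit = (now - self.last) * self.cir
        self.last = now
        to_c = min(credit, self.cbs - self.tc)
        self.tc += to_c
        self.te = min(self.ebs, self.te + credit - to_c)
        if self.tc >= length:
            self.tc -= length
            return CONFORM
        if self.te >= length:
            self.te -= length
            return EXCEED
        return VIOLATE


class TwoRatePolicer:
    """Police Two Rate (trTCM): CIR/CBS and PIR/EBS metered independently;
    only traffic within the smaller rate (CIR) is guaranteed."""

    def __init__(self, cir_kbps: float, cbs_kbytes: float,
                 pir_kbps: float, ebs_kbytes: float):
        self.cir, self.pir = _bytes_per_sec(cir_kbps), _bytes_per_sec(pir_kbps)
        self.cbs, self.ebs = cbs_kbytes * 1000.0, ebs_kbytes * 1000.0
        self.tc, self.tp = self.cbs, self.ebs
        self.last = 0.0

    def meter(self, now: float, length: int) -> str:
        elapsed = now - self.last
        self.last = now
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        self.tp = min(self.ebs, self.tp + elapsed * self.pir)
        if self.tp < length:            # above the peak rate: violate
            return VIOLATE
        if self.tc < length:            # between CIR and PIR: exceed
            self.tp -= length
            return EXCEED
        self.tp -= length               # within CIR: conform
        self.tc -= length
        return CONFORM


def police(policer, packets):
    """Run a sequence of (arrival_time_seconds, length_bytes) through a policer
    and return the outcome for each packet."""
    return [policer.meter(t, n) for t, n in packets]


# Constructed traffic: ten 1500-byte packets arriving at once, then one a second later.
BURST = [(0.0, 1500)] * 10 + [(1.0, 1500)]
```

With a 64 Kbps CIR and a 6 Kbyte CBS the burst fits four packets before the committed bucket empties; a 3 Kbyte EBS admits two more as "exceed", and after one idle second the 8000 bytes of refill restore the committed bucket so the next packet conforms again.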

After you select the policy to configure from the Policy menu, use the buttons to perform the following tasks:
· To add a class to the policy, click Add Class.
· To add attributes to a policy or to change the policy attributes, select the policy with the attributes to configure and click Add Attribute.
· To remove the most recently associated class from the selected policy, click Remove Last Class.
· Click Refresh to refresh the page with the most current data from the switch.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.


Configuration Examples

Using the CLI to Configure MSTP
1. Create VLAN 10 and VLAN 20.
   (UBNT EdgeSwitch) #vlan database
   vlan 10
   vlan 20
   exit
2. Enable spanning tree globally.
   (UBNT EdgeSwitch) #config
   spanning-tree
3. Create MST instances 10 and 20.
   spanning-tree mst instance 10
   spanning-tree mst instance 20
4. Associate MST instance 10 to VLAN 10 and MST instance 20 to VLAN 20.
   spanning-tree mst vlan 10 10
   spanning-tree mst vlan 20 20
5. Change the name so that all the bridges that want to be part of the same region can form the region.
   spanning-tree configuration name ubnt
6. Make the MST ID 10 bridge the root bridge by lowering the priority.
   spanning-tree mst priority 10 16384
7. Change the priority of MST ID 20 to ensure the other bridge is the root bridge.
   spanning-tree mst priority 20 61440
8. Enable STP on interface 0/1.
   interface 0/1
   spanning-tree port mode
   exit
9. Enable STP on interface 0/2.
   interface 0/2
   spanning-tree port mode
10. On the non-root bridge, change the priority to force port 0/2 to be the root port.
   spanning-tree mst 20 port-priority 64
   exit


3. Configure port 0/3 as a member of VLAN 20 and specify that untagged frames received on this port will be assigned to VLAN 20.
   interface 0/3
   vlan participation include 20
   vlan pvid 20
   exit
   exit
4. Specify that all frames transmitted for VLANs 10 and 20 will be tagged.
   config
   vlan port tagging all 10
   vlan port tagging all 20
   exit
5. Enable routing for the VLANs:
   (UBNT EdgeSwitch) #vlan database
   vlan routing 10
   vlan routing 20
   exit
6. View the logical interface IDs assigned to the VLAN routing interfaces.
   (UBNT EdgeSwitch) #show ip vlan

   MAC Address used by Routing VLANs: 00:00:AA:12:65:12

   VLAN ID   Logical Interface   IP Address        Subnet Mask
   -------   -----------------   ---------------   ---------------
   10        4/1                 0.0.0.0           0.0.0.0
   20        4/2                 0.0.0.0           0.0.0.0

As the output shows, VLAN 10 is assigned ID 4/1 and VLAN 20 is assigned ID 4/2.

7. Enable routing for the switch:
   config
   ip routing
   exit
8. Configure the IP addresses and subnet masks for the virtual router ports.
   config
   interface 4/1
   ip address 192.150.3.1 255.255.255.0
   exit
   interface 4/2
   ip address 192.150.4.1 255.255.255.0
   exit
   exit


1. Create VLANs 10, 20, 30, 40, and enable routing on these VLANs.
   (UBNT EdgeSwitch) #vlan database
   vlan 10,20,30,40
   vlan routing 10 1
   vlan routing 20 2
   vlan routing 30 3
   vlan routing 40 4
   exit
2. Add physical ports to the VLANs and configure PVID on the corresponding interfaces.
   config
   interface 0/2
   vlan pvid 10
   vlan participation exclude 1
   vlan participation include 10
   exit
   interface 0/4
   vlan pvid 20
   vlan participation exclude 1
   vlan participation include 20
   exit
   interface 0/22
   vlan pvid 30
   vlan participation exclude 1
   vlan participation include 30
   exit
   interface 0/24
   vlan pvid 40
   vlan participation exclude 1
   vlan participation include 40
   exit
   exit
3. Enable routing on each VLAN interface and assign an IP address.
   config
   interface vlan 10
   routing
   ip address 1.1.1.1 255.255.255.0
   exit
   interface vlan 20
   routing
   ip address 2.2.2.1 255.255.255.0
   exit
   interface vlan 30
   routing
   ip address 3.3.3.1 255.255.255.0
   exit
   interface vlan 40
   routing
   ip address 4.4.4.3 255.255.255.0
   exit


4. Enable IP Routing (Global configuration).
config ip routing exit
After this step, if traffic with the following characteristics is sent, it will be routed from VLAN routing interface 10 to VLAN routing interface 20.

Source IP: 1.1.1.2
Destination IP: 2.2.2.2

In order to policy-route such traffic to VLAN routing interface 30, continue with the following steps:

5. Create an access-list matching the incoming traffic.

config
access-list 1 permit 1.1.1.2 0.0.0.255
exit
6. Create a route-map and add match/set terms to the route-map.

configure
route-map pbr_test permit 10
match ip address 1
set ip next-hop 3.3.3.3
exit
exit
7. Assign the route-map to VLAN routing interface 10.

config
interface vlan 10
ip policy pbr_test
exit
exit
After this step, the traffic shown in the diagram "Policy-Based Routing Example" on page 267 is policy-routed to VLAN interface 30. The counters displayed by the "show route-map" command increment, indicating that traffic is being policy-routed.

8. Run the show command.

(UBNT EdgeSwitch) #show route-map pbr_test
route-map pbr_test permit 10
Match clauses:
ip address (access-lists) : 1
Set clauses:
ip next-hop 3.3.3.3
Policy routing matches: 19922869 packets, 1275063872 bytes
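Two checks a practitioner wants around steps 5 to 8: what the access-list really matches, and whether the route-map counters are actually moving. In an access-list wildcard mask a 0 bit means "must match" and a 1 bit means "don't care", so `access-list 1 permit 1.1.1.2 0.0.0.255` policy-routes every source in 1.1.1.0/24, not only the host 1.1.1.2 named in the traffic description; anyone reviewing this configuration should confirm that breadth is intended. The script below is an added example, not guide or firmware code: it expands a wildcard entry to the network it matches, and parses `show route-map` output (a constructed copy of the output printed above) so that two snapshots can be compared to confirm policy routing is active.

```python
# Added example, not from the guide: expand an ACL wildcard to the network it
# matches, and parse 'show route-map' output to track the match counter.
# SHOW_ROUTE_MAP is a constructed copy of the output printed above.
import ipaddress
import re
from typing import Dict, List

SHOW_ROUTE_MAP = """\
route-map pbr_test permit 10
Match clauses:
ip address (access-lists) : 1
Set clauses:
ip next-hop 3.3.3.3
Policy routing matches: 19922869 packets, 1275063872 bytes
"""


def is_contiguous_wildcard(wildcard: str) -> bool:
    """A wildcard with a CIDR equivalent looks like 0...01...1 in binary."""
    wild = int(ipaddress.IPv4Address(wildcard))
    return (wild & (wild + 1)) == 0


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Translate an ACL 'address wildcard' pair into the network it matches.

    0 bits in the wildcard must match, 1 bits are ignored, so
    1.1.1.2 0.0.0.255 means the whole 1.1.1.0/24, not the single host.
    """
    if not is_contiguous_wildcard(wildcard):
        raise ValueError(f"non-contiguous wildcard {wildcard} has no CIDR form")
    addr = int(ipaddress.IPv4Address(address))
    wild = int(ipaddress.IPv4Address(wildcard))
    prefixlen = 32 - wild.bit_length()
    return ipaddress.IPv4Network(((addr & ~wild) & 0xFFFFFFFF, prefixlen))


def acl_permits(address: str, wildcard: str, source: str) -> bool:
    """True if a packet from `source` hits the 'permit address wildcard' entry."""
    return ipaddress.IPv4Address(source) in wildcard_to_network(address, wildcard)


def parse_show_route_map(text: str) -> List[Dict]:
    """Turn 'show route-map' output into one dict per route-map entry."""
    entries: List[Dict] = []
    current = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"route-map (\S+) (permit|deny) (\d+)$", line)
        stats = re.match(r"Policy routing matches: (\d+) packets, (\d+) bytes", line)
        if head:
            current = {"name": head.group(1), "action": head.group(2),
                       "seq": int(head.group(3)), "match": [], "set": [],
                       "packets": 0, "bytes": 0}
            entries.append(current)
            section = None
        elif current is None:
            continue
        elif line == "Match clauses:":
            section = "match"
        elif line == "Set clauses:":
            section = "set"
        elif stats:
            current["packets"], current["bytes"] = int(stats.group(1)), int(stats.group(2))
            section = None
        elif section and line:
            current[section].append(line)
    return entries


def policy_routing_active(before: List[Dict], after: List[Dict]) -> Dict[str, bool]:
    """Compare two snapshots; True per entry means its packet counter advanced."""
    earlier = {(e["name"], e["seq"]): e["packets"] for e in before}
    return {f'{e["name"]}:{e["seq"]}': e["packets"] > earlier.get((e["name"], e["seq"]), 0)
            for e in after}


if __name__ == "__main__":
    print("ACL 1 matches", wildcard_to_network("1.1.1.2", "0.0.0.255"))
    for entry in parse_show_route_map(SHOW_ROUTE_MAP):
        print(entry)
```

To poll a live switch you would feed the text of two successive `show route-map` runs into `parse_show_route_map` and pass the results to `policy_routing_active`; a `False` for `pbr_test:10` while matching traffic is being sent points at the access-list or the `ip policy` attachment.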

3. Create a second DiffServ classifier named 'class_ef' and define a single match criterion to detect a DiffServ code point (DSCP) of 'EF' (expedited forwarding). This handles incoming traffic that was previously marked as expedited elsewhere in the network.

class-map match-all class_ef
match ip dscp ef
exit
4. Create a DiffServ policy for inbound traffic named 'pol_voip', and then add the previously created classes 'class_ef' and 'class_voip' as instances within this policy.

This policy handles incoming packets already marked with a DSCP value of 'EF' (per the 'class_ef' definition), or marks UDP packets (per the 'class_voip' definition) with a DSCP value of 'EF'. In each case, the matching packets are assigned internally to use queue 5 of the egress port to which they are forwarded.

policy-map pol_voip in
class class_ef
assign-queue 5
exit
class class_voip
mark ip-dscp ef
assign-queue 5
exit
exit
5. Attach the defined policy to an inbound service interface.

interface 0/2
service-policy in pol_voip
exit
exit
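The policy above does two distinct things per packet: recognize an existing EF mark, or apply one to VoIP traffic, and in both cases steer the packet to queue 5. The script below is an added example, not code from the guide or the switch, that models that per-packet behaviour on raw IPv4 headers so the DSCP bit layout and the re-marking (including the header checksum fix-up that re-marking requires) are visible. Two assumptions are made: 'class_voip' is treated as "any UDP packet" (its real match criteria are defined on an earlier page of the guide and are not reproduced here), and the class instances are evaluated in the order listed, first match wins. The sample headers are constructed.

```python
# Added example, not guide or switch code: a software model of the inbound
# policy 'pol_voip' operating on raw IPv4 headers. ASSUMPTIONS: class_voip
# == any UDP packet; class instances evaluated in listed order, first match.
import ipaddress
import struct
from typing import Optional, Tuple

DSCP_EF = 46        # Expedited Forwarding code point (RFC 3246), 0b101110
PROTO_TCP = 6
PROTO_UDP = 17
VOIP_QUEUE = 5      # egress queue both class instances assign


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum of the IPv4 header with its checksum field zeroed."""
    ihl = (hdr[0] & 0x0F) * 4
    h = bytearray(hdr[:ihl])
    h[10:12] = b"\x00\x00"
    total = sum(struct.unpack("!%dH" % (ihl // 2), h))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(hdr: bytes) -> bool:
    """True if the checksum carried in the header matches the computed one."""
    return ipv4_checksum(hdr) == struct.unpack_from("!H", hdr, 10)[0]


def make_ipv4_header(src: str, dst: str, proto: int, dscp: int = 0) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed test input, no payload)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def dscp_of(hdr: bytes) -> int:
    """DSCP is the top six bits of the ToS/DS byte; the low two bits are ECN."""
    return hdr[1] >> 2


def set_dscp(hdr: bytes, dscp: int) -> bytes:
    """Rewrite DSCP (keeping the two ECN bits) and recompute the header checksum."""
    out = bytearray(hdr)
    out[1] = (dscp << 2) | (out[1] & 0x03)
    struct.pack_into("!H", out, 10, ipv4_checksum(out))
    return bytes(out)


def apply_pol_voip(hdr: bytes) -> Tuple[Optional[str], bytes, Optional[int]]:
    """Return (matched class, possibly re-marked header, egress queue)."""
    if dscp_of(hdr) == DSCP_EF:                 # class_ef: match ip dscp ef
        return "class_ef", hdr, VOIP_QUEUE      # assign-queue 5, no re-mark
    if hdr[9] == PROTO_UDP:                     # class_voip (assumed: UDP)
        return "class_voip", set_dscp(hdr, DSCP_EF), VOIP_QUEUE  # mark ip-dscp ef
    return None, hdr, None                      # no class instance matched


if __name__ == "__main__":
    for label, pkt in (("udp", make_ipv4_header("10.1.1.10", "10.2.2.20", PROTO_UDP)),
                       ("tcp-ef", make_ipv4_header("10.1.1.10", "10.2.2.20", PROTO_TCP, DSCP_EF)),
                       ("tcp", make_ipv4_header("10.1.1.10", "10.2.2.20", PROTO_TCP))):
        cls, out, queue = apply_pol_voip(pkt)
        print(label, cls, "dscp", dscp_of(out), "queue", queue)
```

Note that 'class_ef' trusts whatever EF mark a packet already carries; on an edge port facing untrusted hosts that is the point to reconsider, since any host can set DSCP 46 on its own traffic and gain queue 5 treatment unless the policy re-marks or the port is restricted to the VoIP class.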

Appendix B: Contact Information

Ubiquiti Networks Support
Ubiquiti Support Engineers are located around the world and are dedicated to helping customers resolve software, hardware compatibility, or field issues as quickly as possible. We strive to respond to support inquiries within a 24-hour period.
Online Resources
Support: support.ubnt.com
Community: community.ubnt.com
Downloads: downloads.ubnt.com

Ubiquiti Networks, Inc.
2580 Orchard Parkway
San Jose, CA 95131
www.ubnt.com
©2014 Ubiquiti Networks, Inc. All rights reserved. Ubiquiti, Ubiquiti Networks, the Ubiquiti U logo, the Ubiquiti beam logo, EdgeMAX, and EdgeSwitch are trademarks or registered trademarks of Ubiquiti Networks, Inc. in the United States and in other countries. All other trademarks are the property of their respective owners.

AI093014