SWR2311P-10G Technical Reference
Firmware revision: Rev.2.02.14
Thank you for your purchase of the Yamaha SWR2311P-10G.
Please read this manual carefully, correctly installing the unit and making the proper settings before use.
Make sure to observe the warnings and cautions listed in this manual, in order to use the unit correctly and safely.
Startup guide
This explains the procedure for preparing to set up the SWR2311P-10G that you purchased.
Settings for the SWR2311P-10G can be made using the following four methods.
- Make settings via the web GUI
- Make settings via commands using the CONSOLE port
- Make settings via commands using Telnet
- Make settings via commands using SSH
This document explains "Preparing to make settings via the web GUI" and "Preparing to make settings via the CONSOLE port."
Preparing to make settings via the web GUI
You'll log into the web GUI from Yamaha LAN Monitor, so install Yamaha LAN Monitor before you proceed.
Before you log in, connect the computer to the same network.
For details on supported web browsers, refer to the Yamaha Pro Audio website.
https://www.yamaha.com/proaudio/
- Prepare the computer and other items you'll need when making settings.
- Obtain an Enhanced Category 5 cable (CAT5e) for connecting to this unit.
- Connect this unit to the computer via an Enhanced Category 5 cable (CAT5e).
- Power-on this unit. This unit takes approximately 70 seconds to start up.
When startup is completed, the indicator of the LAN port to which the Ethernet cable is connected will light according to the communication speed and mode.
- Start Yamaha LAN Monitor.
- Select the device for which you want to make settings, and in the "Device details" view, click the web GUI button.
When access succeeds, a dialog box asking you to enter a user name and password appears.
- If you have previously specified them, enter a user name and password, and click the "log in" button.
With the factory settings, no user name or password has been specified, so you don't need to enter a user name or password.
- Subsequently, make settings as appropriate for the system in which this unit is being used.
- For details on settings via the web GUI, refer to Help within the GUI that you accessed.
Preparing to make settings via the CONSOLE port
- Prepare the computer and other items you'll need when making settings.
When making settings via the CONSOLE port, use a USB cable or RJ-45/DB-9 console cable (YRC-RJ45).
As the USB cable for connection to the mini-USB CONSOLE port, use a USB cable that supports data transfer and is equipped with a USB Type A connector and a mini-USB Type B (5-pin) connector. Charging-only cables cannot be used.
You'll also need terminal software for controlling the serial (COM) port of the computer.
Set the communication settings of the console terminal as follows.
Setting | Value |
---|---|
Baud rate | 9600 bps |
Data | 8 bits |
Parity | none |
Stop bit | 1 bit |
Flow control | Xon/Xoff |
- For the connection between the computer and this unit, use a USB cable or an RJ-45/DB-9 console cable (YRC-RJ45).
- In order to use the mini-USB CONSOLE port, you must first install the USB serial driver.
- For details on how to install the USB serial driver, refer to "Yamaha Network Device USB Serial Driver Installation Guide."
The Yamaha Network Device USB Serial Driver Installation Guide and the installer can be downloaded from the following website.
https://network.yamaha.com/support/download/utility/
- Power-on this unit. This unit takes approximately 70 seconds to start up.
Immediately after startup, the serial console screen appears as follows.
```
YamahaL2SW BootROM Ver.1.00
Starting .............................
SWR2311P-10G Rev.2.02.06 (Tue Mar 13 08:41:39 2018)
Copyright (c) 2018 Yamaha Corporation. All Rights Reserved.
```
- Log in to this unit.
In the initial state, a user name and password have not been specified, so you'll be able to log in by pressing the "Enter" key at the user name input prompt and the password input prompt.
```
Username: (Input the "Enter" key)
Password: (Input the "Enter" key)
SWR2311P-10G Rev.2.02.06 (Tue Mar 13 08:41:39 2018)
Copyright (c) 2018 Yamaha Corporation. All Rights Reserved.
SWR2311P>
```
- Subsequently, make settings as appropriate for the system in which this unit is being used.
- For details on settings via the serial console, refer to Command Reference.
Firmware Updates
For stable operation, we recommend that you apply the latest firmware updates, which include new functionality and bug fixes.
Please confirm your system version before applying updates.
- Use the show environment command to check the system version.
Web GUI Function
The latest firmware for this unit supports the following settings and functions.
- Detailed settings
- Interface settings
- Link aggregation
- VLAN
- MAC address table
- Routing
- DNS client
- IGMP Snooping
- Access lists
- QoS
- Mail notification
- Terminal monitoring
- Management
- Unit settings
- Time settings
- Access management
- Management password
- Server settings
- External device linking
- microSD
- Dante optimization settings
- Maintenance
- Command execution (For details on the commands, refer to the Command Reference.)
- Firmware update
- CONFIG file management
- Statistical data management
- SYSLOG management
- Restart and initialization
- Web GUI language
- Unit settings
Precautions
- Do not touch the inside of ports with fingers or metallic objects, etc. Doing so might cause malfunctions.
- Do not use this unit in direct sunlight (such as inside a car located in the sun), in extremely hot locations such as near a stove, in extremely cold locations, or in locations that are excessively dusty or subject to strong vibration. Such conditions might cause this unit's panel to deform or internal components to malfunction, or might cause unstable operation.
- Products made of vinyl, plastic, or rubber should not be placed on this unit. Such objects might cause this unit's panel to be discolored or damaged.
- To clean this unit, use a soft dry cloth. Do not use benzene, thinner, detergent, or a chemically treated cloth, because these might cause discoloration or damage.
- If the ambient temperature in which this unit is located undergoes extreme change (such as when the unit is moved or is subject to aggressive air-conditioning or heating), and there is a danger that condensation has formed within the unit, leave the unit unpowered for several hours to ensure that condensation has disappeared before using the unit. Using the unit when condensation is present might cause malfunctions.
- Before touching this unit, remove static charge from yourself and your clothing. Static charge might cause malfunctions.
- Do not place this unit in locations where there is a strong magnetic field. Such conditions might cause malfunctions.
- Do not connect equipment that generates noise to the same electrical power supply line as this unit. Such conditions might cause malfunctions or faulty operation.
- Do not route communication cables near power cords. High voltages might be induced, causing faulty operation.
- When using a 1000BASE-T connection, use enhanced category 5 (CAT5e) or better LAN cable.
- Do not connect any SFP module to the SFP port other than the separately sold SFP-SWRG-LX or SFP-SWRG-SX. Operation cannot be guaranteed if any other SFP module is connected.
- Attach the dust cover to SFP ports that are not in use. Foreign objects that enter the port might cause malfunctions. Keep the dust covers in a safe place so that they will not be lost.
- The legs (rubber feet) included with this unit are to prevent slipping. Use them when placing this unit on a table or stand that is prone to slipping.
- SWR2311P-10G Technical Data (Basic Functions)
- Maintenance and operation functions
Maintenance and operation functions
- User account management
- LED control
- Using external memory
- Boot data management
- Viewing unit information
- Config management
- Remote access control
- Time management
- SNMP
- RMON
- SYSLOG
- Firmware update
- L2MS control
- Mail notification
- LLDP
- Terminal monitoring
- Performance observation
- Dante optimization setting function
- List of default settings
User account management
1 Function Overview
This product provides the functions shown below for managing user accounts.
- Functions for setting user information
- Functions for user authentication by user name and password
2 Definition of Terms Used
- Unnamed user
A user who does not have a user name.
If an unnamed user logs into the console or web GUI, they can log in without specifying a user name.
- Guest privileges
Users that have guest privileges can use the web GUI to view the device settings and status.
- Administrator privileges
Users that have administrator privileges can perform the following actions in the web GUI.
- View and modify the settings
- Restart the device
- Initialize the device
- Update the firmware
3 Function Details
3.1 User information settings
Use the username command to specify user information.
Specify the following as user information.
- User name
- Password
- Privileges
A user to whom privileges are granted has the following differences compared to a normal user.
- Password entry is not required when executing the enable command from the console.
- When logging into the web GUI, the user can log on with administrator privileges.
Use the password command to specify the password for unnamed users.
In the factory-set state, this is unset.
You can use the password-encryption command to encrypt the specified password.
If you want to encrypt the password, specify password-encryption enable.
Once a password has been encrypted, it will not be returned to an unencrypted text string even if you specify password-encryption disable.
Encryption applies to the passwords specified by the following commands.
- password command
- enable password command
- username command
3.2 User authentication
3.2.1 When logging in to the console
When you connect to the console, the following login prompt appears.
```
Username:
Password:
```
Enter a specified user name and password to log in.
If you want to log in as an unnamed user, press the Enter key at the user name prompt to omit it, and then enter the password that was specified by the password command.
You can log in using the special password only if you are connected via the serial console.
To log on using the special password, you must previously have specified force-password enable.
3.2.2 When logging in to the web GUI
When you access the web GUI, the following login form appears.
Enter a specified user name and password to log in.
If you want to log in as an unnamed user, leave the user name entry field blank, and in the password entry field, enter the password specified by the password command or the enable password command.
In this case if you enter the password specified by the password command, you will log in with Guest privileges.
If you enter the password specified by the enable password command, you will log in with Administrator privileges.
If the password that was entered matches both the password specified by the password command and by the enable password command, you will log in with Administrator privileges.
4 Related Commands
The related commands are shown below.
For details, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Set login password | password |
Set administrator password | enable password |
Encrypt password | password-encryption |
Allow login using special password | force-password |
Set user | username |
Show user information | show users |
5 Examples of Command Execution
5.1 Specifying the password for unnamed users
Specify yamaha as the login password for unnamed users.
Specify yamaha_admin as the administrative password.
```
Yamaha>enable
Yamaha#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Yamaha(config)#password yamaha
Yamaha(config)#enable password yamaha_admin
```
5.2 Adding a user
Grant privilege options to the user yamaha, and assign the password yamaha_pass.
```
Yamaha#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Yamaha(config)#username yamaha privilege on password yamaha_pass
Yamaha(config)#exit
Yamaha#exit
Username: yamaha
Password:
SWR2311P-10G Rev.2.02.06 (Tue Mar 13 08:41:39 2018)
Copyright (c) 2015-2016 Yamaha Corporation. All Rights Reserved.
Yamaha>enable
Yamaha#
```
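The account settings described in this section can be reviewed offline against saved config text. The following is an added example, not part of the Yamaha documentation: it relies only on the commands named on this page (password, enable password, username, password-encryption, force-password) and assumes a config with one command per line. The function names, finding codes and the username line without the privilege option are hypothetical.

```python
import re

# Constructed samples. The commands are the ones named on this page; the
# one-command-per-line layout and the username line without "privilege"
# are assumptions about what saved config text looks like.
WEAK_CONFIG = """\
password yamaha
enable password yamaha
username yamaha privilege on password yamaha_pass
username monitor password monitor_pass
force-password enable
"""

HARDENED_CONFIG = """\
password guest-Example-1
enable password admin-Example-2
password-encryption enable
username netadmin privilege on password netadmin-Example-3
"""

USERNAME_RE = re.compile(
    r"^username\s+(?P<name>\S+)(?:\s+privilege\s+(?P<priv>\S+))?\s+password\s+\S+$"
)


def parse_account_settings(config_text):
    """Collect the account-related commands from config text."""
    s = {"password": None, "enable_password": None,
         "encryption": False, "force_password": False, "users": {}}
    for raw in config_text.splitlines():
        line = raw.strip()
        user = USERNAME_RE.match(line)
        if user:
            # name -> True when the user was given "privilege on"
            s["users"][user["name"]] = user["priv"] == "on"
        elif line.startswith("enable password "):
            s["enable_password"] = line.split(None, 2)[2]
        elif line.startswith("password "):
            s["password"] = line.split(None, 1)[1]
        elif line in ("password-encryption enable", "password-encryption disable"):
            s["encryption"] = line.endswith("enable")
        elif line == "force-password enable":
            s["force_password"] = True
    return s


def audit_accounts(config_text):
    """Return (code, explanation) pairs for the settings this section describes."""
    s = parse_account_settings(config_text)
    findings = []
    if s["password"] is None:
        findings.append(("NO_LOGIN_PASSWORD",
                         "password is unset (factory state) for unnamed users"))
    if s["enable_password"] is None:
        findings.append(("NO_ENABLE_PASSWORD",
                         "no enable password line is present"))
    # Only meaningful on an unencrypted config: section 3.2.2 says a password
    # that matches both commands logs in with Administrator privileges.
    if s["password"] is not None and s["password"] == s["enable_password"]:
        findings.append(("GUEST_PASSWORD_GRANTS_ADMIN",
                         "password and enable password are identical"))
    if not s["encryption"]:
        findings.append(("PASSWORD_ENCRYPTION_OFF",
                         "password-encryption enable is not specified"))
    if s["force_password"]:
        findings.append(("FORCE_PASSWORD_ENABLED",
                         "special-password login is allowed on the serial console"))
    return findings


def finding_codes(config_text):
    return [code for code, _ in audit_accounts(config_text)]


def privileged_users(config_text):
    """Users who skip the enable password and get web GUI administrator rights."""
    users = parse_account_settings(config_text)["users"]
    return sorted(name for name, privileged in users.items() if privileged)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "privileged users:", privileged_users(text))
        for code, why in audit_accounts(text):
            print("  ", code, "-", why)
```

Only explicit lines are evaluated; a setting whose default is not stated on this page (for example force-password) is reported only when the config contains it.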
6 Points of Caution
None
7 Related Documentation
LED control
1 Function Overview
This product's chassis features the following LEDs and buttons.
Types of LED and button
LED type | Description |
---|---|
POWER LED | Indicates the power status. |
microSD LED | Indicates the microSD card connection and usage status. |
Port LEDs | Indicate the LAN/SFP cable connection and usage status. |
MODE button | Switches the LED mode. |
The location of each LED and button is shown below.
2 Definition of Terms Used
- Explanation of port LED illumination
- The port LED illumination used in subsequent explanations is described below.
- Port LED illumination
3 Function Details
3.1 POWER LED
The POWER LED indicates the power status of this product.
The illumination pattern of the POWER LED and the corresponding statuses are as follows.
- POWER LED illumination pattern and status
POWER LED illumination pattern | Status |
---|---|
Unlit | Power is off. |
Flashing green | Power is on, and system is starting up. |
Lit green | Power is on, and system is operating normally. |
Lit orange | Power is on, and a fault has occurred in the system. |
When the following faults are detected, the POWER LED is lit orange.
Check the fault that was detected, and take the appropriate action.
- Fan stopped
The fan that exhausts heat generated by this product has stopped.
You must immediately stop use, and contact your dealer for servicing or inspection.
- Abnormal temperature inside this product
The temperature inside this product is abnormal.
Consider the surrounding conditions, and install this product correctly so that its internal temperature will be appropriate.
You can use the show environment command to check temperature abnormalities and fan abnormalities.
3.2 microSD LED
The microSD LED indicates the connection and usage status of the microSD card.
The illumination pattern of the microSD LED and the corresponding statuses are as follows.
microSD LED illumination pattern and status
microSD LED illumination pattern | Status |
---|---|
Unlit | A microSD card is not inserted, or is unmounted, and cannot be used. |
Flashing green | The microSD card is being accessed. |
Lit green | A microSD card is inserted, and can be used. |
Do not remove the microSD card while this is flashing green, since the microSD card is being accessed.
3.3 Port LEDs
3.3.1 Switching between display modes
This product provides the five display modes shown below.
Mode name | MODE LED light status | Function overview |
---|---|---|
LINK/ACT mode | | The left LED of the LAN/SFP port shows the link status, and the right LED shows the connection speed. |
PoE mode | | The power supply status of the PoE supply port is shown. |
VLAN mode | | The VLAN ID set for the LAN/SFP port is shown. |
STATUS mode | | The error status of the LAN/SFP port is shown. |
OFF mode | | The LAN/SFP port LEDs are unlit in order to decrease the power consumption. |
Use the MODE button to switch between display modes.
Display mode switching follows the flow shown below.
Display mode switching (when the default LED mode is LINK/ACT)
The display mode after system boot and the display mode after errors are resolved depend on the default LED mode setting.
When an error is detected by the following functions, the port LED display automatically switches to STATUS mode.
- Loop detection
- SFP optical reception level monitoring
- PoE power supply
When an error has been detected, the unit remains in STATUS mode even if the MODE switch is pressed. (The switch will not function until all errors have been resolved.)
In this state, if you long-press the MODE button for three seconds, all error states are reset, and the unit switches to the display that is specified by the default LED mode setting.
(For details, refer to LED display in STATUS mode.)
3.3.2 LED display in LINK/ACT mode
The port LEDs will display as shown below in LINK/ACT mode.
- LAN/SFP port link status
- LAN/SFP port connection speed
The LED display for the link status is shown below.
- LAN/SFP port link status LED display
Port | Linking down | Linking up | Forwarding data |
---|---|---|---|
LAN port | (unlit) | (lit green) | (flashing green) |
SFP port | (unlit) | (lit green) | (flashing green) |
The LED display for the connection speed is shown below.
- LAN/SFP port connection speed LED display
Port | 10M Link | 100M Link | 1000M Link | 10000M Link |
---|---|---|---|---|
LAN port | (unlit) | (lit orange) | (lit green) | (none) |
SFP port | (none) | (none) | (lit green) | (lit green) |
3.3.3 LED display in PoE mode
In PoE mode, the power supply status is indicated by the LEDs of ports that are able to supply PoE power (subsequently called PoE ports).
The power supply ports of each model are as follows.
- Power supply ports by model
Model name | Power supply ports |
---|---|
SWR2311P-10G | Ports #1-#8 |
The LED display for PoE mode is shown below.
- Port LED display for power supply ports
Port | Power not supplied | Power being supplied |
---|---|---|
LAN port | (unlit) | (lit green) |
3.3.4 LED display in VLAN mode
In VLAN mode, the port LEDs display the VLAN association status.
The port LED light status is shown below.
- Port LED light status in VLAN mode
VLAN association status for LAN/SFP port | Port LED light status |
---|---|
Is not associated with any VLAN | (OFF) |
Associated with one VLAN | Expressed as one of six specific light patterns, starting with the newest of the VLAN IDs. All VLAN IDs from #7 onwards will be indicated using the same light pattern. |
Associated with multiple VLANs | (Both left and right port LEDs are lit orange.) |
- The default VLAN (VLAN #1) is not shown. It is not counted as an associated VLAN.
- The VLAN association status does not depend on the link status of each LAN/SFP port. Ports in linkdown status will be shown.
- Only VLAN IDs for which associated LAN/SFP ports exist are shown.
If only the VLAN ID is defined (without an associated LAN/SFP port), the VLAN ID is not shown.
3.3.5 LED display in STATUS mode
In STATUS mode, the port LEDs indicate error statuses generated by the following functions of this product.
- Loop detection
- SFP optical reception level monitoring
- PoE power supply
- Port LED display when an error occurs
Port | Normal state | Loop detected or SFP optical reception level fault | PD error | PoE system limit | PoE port limit |
---|---|---|---|---|---|
LAN port | (unlit) | (left flashes orange) | (left lit orange) | (right flashes orange) | (right lit orange) |
SFP port | (unlit) | (left flashes orange) | (none) | (none) | (none) |
When this product detects an error, it forcibly switches to STATUS mode.
An error is determined by each function in the following cases.
- Loop detection
- A loop was detected and the port was blocked.
- A loop was detected and the port was shut down.
- SFP optical reception level monitoring
- The SFP optical reception level fell below the normal range.
- The SFP optical reception level exceeded the normal range.
- PoE power supply
- Power supply was stopped because the port limit (the maximum power that can be supplied by one port) was exceeded.
- Power supply was stopped for a low-priority port because the system limit (the maximum power that can be supplied by the entire system) was exceeded.
- A PD error was detected
To determine the cause of the error, you can use the show error port-led command.
In STATUS mode when an error has occurred, the LEDs will automatically switch to the default LED mode in the following states.
- All of the following errors were resolved.
- Blocked status due to loop detection was resolved.
- Shutdown status due to loop detection was resolved.
- The monitoring time has elapsed following shutdown due to loop detection.
- In a shutdown state due to loop detection, the unit linked up after the no shutdown command was executed.
- SFP optical reception level recovered.
- PoE port error was resolved.
- The MODE switch was long-pressed (for three seconds), forcibly resetting (clearing) the error status.
3.3.6 LED display in OFF mode
If the default LED mode is OFF mode, the port LEDs are all unlit regardless of the link status.
Even if the default LED mode is OFF mode, the unit automatically transitions to STATUS mode when an error occurs, indicating the error status.
3.3.7 Changing the LED mode after system boot
The LED mode after system boot (the default LED mode) for this product can be specified.
The default value for the default LED mode is set to LINK/ACT mode, but can be changed using the led-mode default command.
Use the show led-mode command to check the default LED mode and the LED mode currently displayed.
When STATUS mode is cleared during error detection, the unit will switch to the default LED mode that was set.
3.3.8 Other port LED displays
Regardless of the LED mode status, the LEDs of all ports will display as follows during initialization at startup and during firmware update.
- Other port LED displays
Port | Updating firmware | Initializing |
---|---|---|
LAN port | (flashing green) | (unlit) |
SFP port | (flashing green) | (lit orange) |
4 Related Commands
The related commands are shown below.
For details on the commands, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Show LAN/SFP port status | show interface |
Show setting status of loop detection | show loop-detect |
Show VLAN information | show vlan brief |
Set default LED mode | led-mode default |
Show LED mode | show led-mode |
Show port error status | show error port-led |
5 Examples of Command Execution
5.1 Check LAN/SFP port status
Use the show interface command to check the LAN/SFP port status.
```
Yamaha#show interface
Interface port1.1
  Link is UP
  Hardware is Ethernet
  HW addr: ac44.f23d.0b2c
  ifIndex 5001, MRU 1522
  Speed-Duplex: auto(configured), 1000-full(current)
  Auto MDI/MDIX: on
  Vlan info :
    Switchport mode        : access
    Ingress filter         : enable
    Acceptable frame types : all
    Default Vlan           : 1
    Configured Vlans       : 1
  Interface counter:
    input  packets          : 317111
           bytes            : 31387581
           multicast packets: 317074
    output packets          : 162694
           bytes            : 220469213
           multicast packets: 162310
           broadcast packets: 149
           drop packets     : 0
:
(Information for all LAN/SFP ports is shown)
```
5.2 Check LAN/SFP port loop detection status
Check the LAN/SFP port loop status.
```
Yamaha#show loop-detect
loop-detect: Enable
port      loop-detect    port-blocking        status
-------------------------------------------------------
port1.1        enable           enable        Normal
port1.2        enable           enable        Normal
port1.3        enable           enable        Normal
port1.4        enable           enable        Normal
port1.5        enable           enable        Normal
port1.6        enable           enable        Normal
port1.7        enable           enable        Normal
port1.8        enable           enable        Normal
port1.9        enable           enable        Normal
port1.10       enable           enable        Normal
-------------------------------------------------------
(*): Indicates that the feature is enabled.
```
5.3 Set the default LED mode
Set the default LED mode to OFF mode.
```
Yamaha#configure terminal
Yamaha(config)#led-mode default off … (Set default LED mode)
Yamaha(config)#exit
Yamaha#show led-mode … (Show LED mode)
default mode : off
current mode : off
```
Using external memory
1 Function Overview
This product provides the following functions using external memory.
- SD card boot (firmware, config)
- The system can be started using a firmware file and config file from an SD card.
- Firmware update
- This unit's firmware can be updated by loading a firmware file from an SD card.
- Saving and copying a config file
- The running-config that is currently running on the system can be saved to an SD card, and config files can be copied from the SD card to the unit's flash ROM or from the unit's flash ROM to the SD card.
- Saving a log file
- By executing the save logging command you can back up the log file to an SD card.
- Saving technical support information
- Technical support information (the result of executing the show tech-support command) can be saved to an SD card.
- Saving statistical information
- Observations of resource information and traffic information are backed up regularly.
- This statistical information can be saved as a CSV format file.
- Backing up and restoring system information
- System information (including configurations) can be backed up to an SD card.
- Backed up system information can be restored into the unit's flash ROM.
2 Definition of Terms Used
None
3 Function Details
3.1 External memory that can be used
Requirements for external memory that can be used are as follows.
- Card type: microSD card / microSDHC card
- File format: FAT16/FAT32
3.2 Folder structure
The SD card must contain the following folder structure.
```
Device name
+-- firmware          Firmware file storage folder
|
+-- startup-config    Startup config storage folder
|
+-- log               SYSLOG storage folder
|
+-- techsupport       Technical support information storage folder
|
+-- data              System-wide folder
|
+-- backup-system     System backup folder
```
3.3 Mounting and unmounting the SD card
If the SD card is inserted when starting up or after startup, it is automatically mounted and becomes available.
To prevent loss of files, execute the unmount sd command or execute the unmount operation from the web GUI before removing the SD card.
If the SD card is unmounted, it cannot be used.
If you want to once again use the SD card after executing the unmount sd command, you must execute the following.
- Remove and reinsert the SD card
- Execute the mount sd command
- Execute mount from the web GUI
3.4 SD card boot (firmware, config)
The system can be started using a firmware file and config file from an SD card.
In order to use SD card boot, the following conditions must be satisfied.
- SD card boot using a firmware file
- The SD card is connected when the system starts up.
- The following files exist in the SD card.
- /swr2311p/firmware/swr2311p.bin
- boot prioritize sd enable is specified.
* With the factory settings, boot prioritize sd enable is specified.
- SD card boot using a config file
- The SD card is connected when the system starts up.
- The various files exist in the following directory of the SD card.
- /swr2311p/startup-config
- startup-config select sd is specified.
* With the factory settings, startup-config select sd is specified.
You can use the show environment command to check whether SD card boot was successful.
- In the case of SD card boot using a firmware file, "Startup Firmware" will indicate "exec(SD)."
- In the case of SD card boot using a config file, "Startup Configuration" will indicate "config(SD)."
In the case of SD card boot using a config file, executing the write and copy running-config startup-config commands will update the config file on the SD card.
If SD card boot using a config file fails, startup config #0 is loaded.
Also, the following message is shown in the console and in SYSLOG.
Loading config0 because can't read config in SD card.
3.5 Firmware update
This unit's firmware can be updated by loading a firmware file from an SD card.
In order to use this function, the following conditions apply.
- The following files exist in the SD card.
- /swr2311p/firmware/swr2311p.bin
If the above file exists on the inserted SD card, executing the firmware-update sd execute command updates the firmware in flash ROM using the firmware in the SD card.
When the firmware-update sd execute command is executed, the user will be asked whether to maintain the mounted state of the SD card when the firmware file has finished loading. Remove the SD card as necessary after it is unmounted.
Note that if the SD card is left inserted during the automatic reboot in conjunction with firmware update, the system will start up with the firmware file on the SD card.
3.6 Saving and copying a config file
The running-config that is currently running on the system can be saved to the SD card. (copy running-config startup-config command, write command)
You can copy the config file from the SD card to internal flash ROM, or from internal flash ROM to the SD card. (copy startup-config command)
You can erase or show the startup-config in the SD card. (erase startup-config command, show startup-config command)
The following folder in the SD card is affected.
- /swr2311p/startup-config
3.7 Saving a log file
By executing the save logging command you can back up the log file to an SD card.
The logging backup sd command enables SYSLOG backup to the SD card.
If SYSLOG backup to the SD card is enabled, executing the save logging command will save the following log file with its save date to the SD card.
- /swr2311p/log/YYYYMMDD_log.txt *YYYYMMDD=year month day
The log files in the SD card cannot be viewed or erased.
3.8 Saving technical support information
Technical support information (the result of executing the show tech-support command) can be saved to an SD card.
Executing the copy tech-support sd command will save the following technical support information file with its save date to the SD card.
- /swr2311p/techsupport/YYYYMMDDHHMMSS_techsupport.txt *YYYYMMDD=year month day, HHMMSS=hours minutes seconds
The technical support information files in the SD card cannot be viewed or erased.
3.9 Saving statistical information
Observations of resource information and traffic information are backed up regularly.
To enable backup of statistical information to the SD card, you must make settings via the web GUI in [Administration]–[Maintenance]–[Statistical information management].
This statistical information for the observed data can be saved via the web GUI as a CSV format file.
3.10 Backup and restore of system information
This unit's system information can be backed up to an SD card, and the backed up system information can be restored to a desired switch.
With an SD card connected to this unit, executing the backup system command will create a system information backup in the following folder.
- /swr2311p/backup-system
If the file swr2311p.bin exists in the /swr2311p/firmware/ folder when backup is executed, it is backed up as a firmware file.
To restore the backed up system information, connect the SD card containing the system information backup to the desired switch, and execute the restore system command.
If the firmware file was backed up, a firmware update is also performed using that file.
When restore is completed, the system will restart.
The system information backup contains the following.
- Settings associated with the unit
- startup-config #0 - #4 and associated information
- startup-config select command setting values
- boot prioritize sd command setting values
- Firmware file
* Only if the specified folder of the SD card contained a firmware file when the backup was executed.
For this reason, when replacing a unit due to malfunction or another reason, the replacement unit can be returned to the same condition as the original unit simply by restoring the backed up system information.
Do not edit or delete the backed up system information.
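Because boot prioritize sd enable and startup-config select sd are specified in the factory settings (section 3.4), the contents of a card decide what a switch runs at its next startup. The following added example, which is not part of the Yamaha documentation, inspects a card mounted on a workstation using the paths from sections 3.4, 3.5 and 3.10. The function names, effect codes and the approved_sha256 parameter (a hash you obtained yourself for the firmware you intend to run) are hypothetical.

```python
import hashlib
import os
import tempfile

# Paths from sections 3.4, 3.5 and 3.10 of this page.
FIRMWARE_PATH = ("swr2311p", "firmware", "swr2311p.bin")
CONFIG_DIR = ("swr2311p", "startup-config")
BACKUP_DIR = ("swr2311p", "backup-system")


def _resolve(root, parts):
    """Walk `parts` below `root`, matching names case-insensitively.

    FAT16/FAT32 do not distinguish case, so a workstation may list
    SWR2311P/FIRMWARE/SWR2311P.BIN for the file the switch looks up.
    Returns the real path, or None if any component is missing.
    """
    path = root
    for part in parts:
        try:
            entries = os.listdir(path)
        except OSError:
            return None
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        path = os.path.join(path, match)
    return path


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _files_in(directory):
    """Relative paths of all files below `directory` (empty if absent)."""
    if directory is None or not os.path.isdir(directory):
        return []
    found = []
    for base, _dirs, files in os.walk(directory):
        for name in files:
            found.append(os.path.relpath(os.path.join(base, name), directory))
    return sorted(found)


def inspect_card(root, approved_sha256=None):
    """Report what a card's contents would do on a factory-default switch."""
    report = {"effects": [], "firmware_sha256": None,
              "config_files": [], "backup_files": []}

    firmware = _resolve(root, FIRMWARE_PATH)
    if firmware is not None and os.path.isfile(firmware):
        report["firmware_sha256"] = _sha256(firmware)
        report["effects"].append("BOOTS_FIRMWARE_FROM_CARD")
        if approved_sha256 is None:
            report["effects"].append("FIRMWARE_NOT_VERIFIED")
        elif report["firmware_sha256"] != approved_sha256.lower():
            report["effects"].append("FIRMWARE_HASH_MISMATCH")

    report["config_files"] = _files_in(_resolve(root, CONFIG_DIR))
    if report["config_files"]:
        report["effects"].append("LOADS_CONFIG_FROM_CARD")

    # restore system reads this folder and, per section 3.10, also performs
    # a firmware update if a firmware file was backed up with it.
    report["backup_files"] = _files_in(_resolve(root, BACKUP_DIR))
    if report["backup_files"]:
        report["effects"].append("HOLDS_SYSTEM_BACKUP")
    return report


if __name__ == "__main__":
    # Constructed card contents; the file bytes are placeholders.
    with tempfile.TemporaryDirectory() as card:
        fw_dir = os.path.join(card, "SWR2311P", "FIRMWARE")
        os.makedirs(fw_dir)
        with open(os.path.join(fw_dir, "SWR2311P.BIN"), "wb") as fh:
            fh.write(b"constructed firmware bytes")
        print(inspect_card(card))
```

An empty effects list means the card carries none of the files that sections 3.4, 3.5 and 3.10 act on.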
4 Related Commands
The related commands are shown below.
For details, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Mount SD card | mount sd |
Unmount SD card | unmount sd |
Set SD card backup of log | logging backup sd |
Back up log | save logging |
Save technical support information | copy tech-support sd |
Save running config | copy running-config startup-config |
Save running config | write |
Copy startup config | copy startup-config |
Erase startup config | erase startup-config |
Show startup config | show startup-config |
Back up system information | backup system |
Restore system information | restore system |
5 Examples of Command Execution
5.1 Unmount SD card
Unmount the SD card.
Yamaha>unmount sd
5.2 Mount SD card
Mount the SD card.
Yamaha>mount sd
5.3 Back up log file
By executing the save logging command you can back up the log file to the SD card as well.
Yamaha(config)#logging backup sd enable ... (Enable SD card backup of log)
Yamaha(config)#exit
Yamaha#save logging ... (Back up log)
5.4 Saving technical support information
Save technical support information.
Yamaha#copy tech-support sd
6 Points of Caution
None
7 Related Documentation
Boot data management
1 Function Overview
As system boot information, this product manages the information shown in the table below.
System boot information: items managed
Management item | Description |
---|---|
System boot time | Time that the system booted up |
Run-time firmware update | Firmware version currently running, and date generated |
Firmware information for previous startup | Version and generated date of the firmware for the previous startup |
Reason for boot | Reason why the system booted up. The following reasons for boot are recorded: |
This product stores the current boot information and information on the previous four boots, for a total of five boot records.
2 Related Commands
The related commands are shown below.
For details on the commands, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Show boot information | show boot |
Clear boot information | clear boot list |
3 Examples of Command Execution
3.1 Show boot information
This shows the current boot information.
Yamaha>show boot 0
 Running EXEC: SWR2311P Rev.2.02.06 (Tue Mar 13 08:41:39 2018)
Previous EXEC: SWR2311P Rev.2.02.06 (Tue Mar 13 08:41:39 2018)
Restart by reload command
This shows a list of the boot history.
Yamaha>show boot list
No. Date       Time     Info
--- ---------- -------- -------------------------------------------------
  0 2018/03/15 09:50:29 Restart by reload command
  1 2018/03/14 20:24:40 Power-on boot
--- ---------- -------- -------------------------------------------------
3.2 Clear boot information
This clears the boot information.
Yamaha#clear boot list
4 Points of Caution
None.
5 Related Documentation
None.
Viewing unit information
1 Function Overview
1.1 Show unit information via command
This product provides the display functions shown in the table below.
List of unit information display items
Display item | Explanation | Commands |
---|---|---|
Inventory information | Shows information for this product, such as inventory name, model number, and product ID. If an SFP module has been inserted, the inventory information for the module will also be shown. | show inventory |
Operating information | Shows the operating information for this product's programs, such as running software information, CPU usage, memory usage, boot time. | show environment |
Technical support information | Outputs all data relevant to the operating state that might be necessary as analytic information for technical support. | show tech-support |
1.2 Remote retrieval of technical support information
A TFTP client installed on a PC or other remote terminal can be used to obtain the technical support information (the output results of "show tech-support") from this product.
In order to operate this product's TFTP server, use the steps shown below to set up a network environment that allows remote access.
- Decide on the VLAN that will be used for maintenance.
- Set the IPv4 address on the maintenance VLAN. Use the "ip address" command for this setting.
- Permit access from the maintenance VLAN to the TFTP server. If you want to specify a different VLAN than specified by the "management interface" command, use the "tftp-server interface" command to specify it.
When using a TFTP client, specify "techinfo" for the remote path from which technical support information is obtained.
1.3 Saving technical support information to external memory
You can use the copy tech-support sd command to save this product's technical support information (the output result of "show tech-support") on an SD card.
Before executing this command, you must insert an SD card.
The information is saved in the SD card with the following file name.
- /swr2311p/techsupport/YYYYMMDDHHMMSS_techsupport.txt
* YYYYMMDDHHMMSS … year, month, day, hour, minute, and second that the command was executed
2 Related Commands
The related commands are shown below.
For details, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Show inventory information | show inventory |
Show operating information | show environment |
Show technical support information | show tech-support |
Save technical support information | copy tech-support sd |
3 Examples of Command Execution
3.1 Show inventory information
This checks the following inventory information for this unit and for the SFP modules.
- Name (NAME)
- Description (DESCR)
- Vendor Name (Vendor)
- Product ID (PID)
- Version ID (VID)
- Serial number (SN)
Yamaha>show inventory
NAME: L2 POE switch
DESCR: SWR2311P-10G
Vendor: Yamaha
PID: SWR2311P-10G
VID: 0000
SN: S00000000
NAME: SFP1
DESCR: 1000BASE-LX
Vendor: YAMAHA
PID: SFP-SWRG-LX
VID: 0000
SN: 00000000000
NAME: SFP2
DESCR: 1000BASE-SX
Vendor: YAMAHA
PID: SFP-SWRG-SX
VID: 0000
SN: 00000000000
3.2 Show operating information
This checks the system operating information (as shown below).
- Boot version
- Firmware revision
- Serial number
- MAC address
- CPU usage ratio
- Memory usage ratio
- Fan operating state
- Fan RPM
- Firmware file
- Startup config file
- Serial baud rate
- Boot time
- Current time
- Elapsed time from boot
- Unit temperature status
- Unit temperature
Yamaha>show environment
SWR2311P-10G BootROM Ver.1.00
SWR2311P Rev.2.02.02 (Tue Dec 5 11:37:39 2017)
main=SWR2311P-10G ver=00 serial=S00000000 MAC-Address=00a0.de00.0000
CPU: 7%(5sec) 8%(1min) 8%(5min) Memory: 18% used
Fan status: Normal
Fan speed: FAN1=4444RPM FAN2=4444RPM
Startup firmware: exec0
Startup Configuration file: config0
Serial Baudrate: 9600
Boot time: 2018/01/01 11:13:44 +09:00
Current time: 2018/01/02 16:19:43 +09:00
Elapsed time from boot: 1days 05:06:04
Temperature status: Normal
Temperature: 28 degree C
Yamaha>
3.3 Show technical support information
This shows the technical support information, which consists of the output of the following commands.
- show running-config
- show startup-config
- show environment
- show inventory
- show boot all
- show logging
- show process
- show users
- show interface
- show frame-counter
- show vlan brief
- show spanning-tree mst detail
- show etherchannel status detail
- show loop-detect
- show mac-address-table
- show l2ms detail
- show qos queue-counters
- show ddm status
- show errdisable
- show auth status
- show auth supplicant
- show power-inline
- show error port-led
- show ip interface brief
- show ipv6 interface brief
- show ip route
- show ip route database
- show ipv6 route
- show ipv6 route database
- show arp
- show ipv6 neighbors
- show ip igmp snooping groups
- show ip igmp snooping interface
Yamaha#show tech-support
#
# Information for Yamaha Technical Support
#
*** show running-config ***
!
dns-client enable
!
!
...
#
# End of Information for Yamaha Technical Support
#
4 Points of Caution
None
5 Related Documentation
None
Config management
1 Function Overview
This product uses the following config information to maintain the value of settings.
Table 1.1 Config types
Config type | Description | User operations possible |
---|---|---|
Running config (running-config) | The currently-running setting values. Managed in RAM. | View / Save to startup config |
Startup config (startup-config) | Saved setting values. Five config files are maintained in ROM, and one on the SD card. When the system starts up, either the config from ROM that is selected by the startup-config select command or the config from the SD card is loaded. The one config on the SD card is maintained in the "/swr2311p/startup-config" folder. | View / delete / copy |
Default config (default-config) | The default setting values. Managed in ROM. | No operations possible |
2 Definition of Terms Used
None
3 Function Details
3.1 Running config
running-config holds the settings that are currently in effect; since it is maintained in RAM, it is lost at reboot.
On this product, commands executed in configuration mode are immediately applied to running-config, and the unit operates according to these settings.
The contents of running-config can be viewed by using the show running-config command.
3.2 Startup config
startup-config holds the settings that are saved in flash ROM or on the SD card, and the contents are preserved through reboot.
When this product is started, the settings of startup-config are applied as the initial settings of running-config.
This product can maintain five startup configs in flash ROM and one startup config on the SD card.
The startup-config data in the internal flash ROM is managed with an ID of 0–4, and the config on the SD card is managed with the keyword "sd".
To specify which of the five configs in the unit's flash ROM is used, use the startup-config select command.
- By default, sd is used.
- When executing the startup-config select command, the user selects whether to restart. If you don't restart, no change occurs in the command setting.
If you choose to restart, the unit restarts with the startup-config of the ID specified by the user's command.
If updating from Rev.2.02.09 or earlier firmware to Rev.2.02.10 or later firmware, and startup-config select 0 is specified, it is automatically changed to startup-config select sd.
For this reason, if the unit is operating with an inserted microSD card on which CONFIG is saved, please note that SD card boot will occur.
However, this will not necessarily be the case if the startup-config select command is executed with Rev.2.02.10 or later firmware, and then the system is down-versioned to Rev.2.02.09 or earlier.
For easier management, you can use the startup-config description command to give each config a Description (explanatory text).
If you attempt to start up in a state where startup-config does not exist, such as after executing the cold start command, the default-config is automatically applied.
The running-config settings can be saved in startup-config by the copy running-config startup-config command or the write command.
The contents of startup-config can be erased by the erase startup-config command, viewed by the show startup-config command, and copied by the copy startup-config command.
3.3 Default config
default-config contains settings saved in internal flash ROM that are needed for this product to operate minimally as a switch. Like startup-config, the contents are preserved even after a restart.
The factory settings are maintained as default-config.
If startup-config does not exist when the system starts, default-config is copied to startup-config, and applied to running-config.
The contents of default-config cannot be viewed.
3.4 Deciding the config file at startup
The following describes the flow for deciding the config file used when this product starts up.
- The startup-config select command setting is referenced to determine the startup-config that will be used.
If the startup-config select command has specified sd, and an SD card on which startup-config is saved is not inserted, then startup-config #0 is selected.
- If the determined startup-config exists, the corresponding data is applied as running-config in RAM.
If the startup-config determined according to the value of the startup-config select command does not exist in ROM, then default-config is applied to RAM.
If startup using the config in the SD card fails, the following message is shown in the console and in SYSLOG.
Loading config0 because can't read config in SD card.
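The decision flow above, together with the firmware-update rule from section 3.2, modelled as an added example (not Yamaha's code). The `Unit` class, its field names and the fallback to startup-config #0 after a failed SD read (inferred from the message text) are assumptions of this sketch.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Message quoted on this page for a failed SD card config read.
SD_FAIL_MSG = "Loading config0 because can't read config in SD card."
DEFAULT_CONFIG = "<default-config>"  # placeholder: its contents cannot be viewed


@dataclass
class Unit:
    """Hypothetical model of the state the boot flow consults."""
    select: str = "sd"                                 # "sd" (the default) or "0".."4"
    rom: Dict[int, str] = field(default_factory=dict)  # startup-config #0-#4 that exist
    sd_config: Optional[str] = None                    # config on an inserted card, if any
    sd_readable: bool = True                           # False models a failed SD read


def rev_tuple(rev: str) -> Tuple[int, ...]:
    """'Rev.2.02.09' -> (2, 2, 9), so revisions compare numerically."""
    return tuple(int(part) for part in rev.replace("Rev.", "").split("."))


def select_after_update(select: str, old_rev: str, new_rev: str) -> str:
    """Section 3.2: updating from Rev.2.02.09 or earlier to Rev.2.02.10 or
    later changes 'startup-config select 0' to 'startup-config select sd'."""
    boundary = (2, 2, 10)
    if select == "0" and rev_tuple(old_rev) < boundary <= rev_tuple(new_rev):
        return "sd"
    return select


def decide_boot_config(unit: Unit) -> Tuple[str, str, Optional[str]]:
    """Return (source, config text, console/SYSLOG message or None)."""
    message = None
    if unit.select == "sd":
        if unit.sd_config is not None and unit.sd_readable:
            return "sd", unit.sd_config, None
        if unit.sd_config is not None:
            # Assumption: a failed read falls back to #0, as the message says.
            message = SD_FAIL_MSG
        slot = 0  # no card with a saved startup-config: #0 is selected
    else:
        slot = int(unit.select)
    if slot in unit.rom:
        return f"config{slot}", unit.rom[slot], message
    # The selected startup-config does not exist in ROM.
    return "default-config", DEFAULT_CONFIG, message


def demo() -> Tuple[str, str]:
    """A unit pinned to config #0 boots from an inserted card after the update."""
    unit = Unit(select="0", rom={0: "reviewed settings"},
                sd_config="settings from card")
    before = decide_boot_config(unit)[0]
    unit.select = select_after_update(unit.select, "Rev.2.02.09", "Rev.2.02.14")
    after = decide_boot_config(unit)[0]
    return before, after


if __name__ == "__main__":
    print(demo())
```

The second value returned by `demo()` is the case the note in section 3.2 warns about: the config that boots is whatever is on the inserted card, not the one saved in ROM.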
3.5 Controlling the config file via TFTP
If this product's TFTP server function is enabled, a TFTP client installed on a PC or other remote terminal can be used to perform the following.
- Acquire the currently running running-config and startup-config
- Apply a previously prepared settings file as startup-config
In order for the TFTP server to function correctly, an IP address must be specified for the VLAN.
Settings files are acquired and applied from the remote terminal in binary mode. Specify the following remote paths when acquiring or sending a settings file.
Table 1.2 Remote path for applicable files
Settings file to be acquired/set | Remote path for acquisition/transmission |
---|---|
running-config | config |
startup-config # 0 | config0 |
startup-config # 1 | config1 |
startup-config # 2 | config2 |
startup-config # 3 | config3 |
startup-config # 4 | config4 |
- The startup-config settings are applied as running-config when the system restarts.
4 Related Commands
The related commands are shown below.
For details, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Save running config | copy running-config startup-config |
Save running config | write |
Copy startup config | copy startup-config |
Erase startup config | erase startup-config |
Show startup config | show startup-config |
Select startup config | startup-config select |
Set description for startup config | startup-config description |
5 Examples of Command Execution
5.1 Select startup config
Select startup-config #1 and restart.
Yamaha#startup-config description 1 TEST ... (Assign the description "TEST" to startup-config #1)
Yamaha#startup-config select 1 ... (Select startup-config #1)
reboot system? (y/n): y ... (Restart)
5.2 Save running config
Save running-config.
Yamaha#copy running-config startup-config
Suceeded to write configuration
Yamaha#
5.3 Copy startup config
Copy startup-config #2 to the SD card.
Yamaha#copy startup-config 2 sd ... (Copy startup-config #2 to SD card)
Suceeded to copy configuration
Yamaha#show startup-config sd ... (Show startup-config of SD card)
!
! Last Modified: Tue Mar 13 17:34:02 JST 2018
!
dns-client enable
!
interface port1.1
 switchport
 switchport mode access
 no shutdown
!
...
5.4 Erase startup config
Erase startup-config from the SD card.
Yamaha#erase startup-config sd ... (Erase startup-config of SD card)
Suceeded to erase configuration
Yamaha#
6 Points of Caution
None
7 Related Documentation
None
Remote access control
1 Function Overview
This product lets you restrict access to the following applications that implement network services.
- Telnet server
- SSH server
- HTTP server / secure HTTP server
- TFTP server
2 Definition of Terms Used
None
3 Function Details
The following four functions are provided to limit access to network services.
- Control whether to leave the service in question running in the background on the system (start/stop control)
- Change reception port number
- Limit access destinations for services currently running
- Limit the source IP addresses that can access services currently running
The functions available for each network service are shown in the table below.
Network service access control
Network service | Start/stop control | Change reception port number | Limit access destinations | Limit access sources |
---|---|---|---|---|
Telnet server | ✓ | ✓ | ✓ | ✓ |
SSH server | ✓ | ✓ | ✓ | ✓ |
HTTP server / Secure HTTP server | ✓ | ✓ | ✓ | ✓ |
TFTP server | ✓ | ✓ | ✓ | - |
- Multiple instances of a network service cannot be started.
If the start control is applied to the same service that is currently running, the service will restart. Any connected sessions will be disconnected as a result.
- Limiting access destinations for network services is done for the VLAN interface.
- Limiting access sources for network services is done by specifying access source IP addresses and whether to permit or deny access.
- The default settings for the network services are shown in the table below.
Network service | Start/stop status | Reception port number | Access destination restriction | Access source restriction |
---|---|---|---|---|
Telnet server | run | 23 | Only default management VLAN (VLAN #1) permitted | Allow all |
SSH server | stop | 22 | Only default management VLAN (VLAN #1) permitted | Allow all |
HTTP server | run | 80 | Only default management VLAN (VLAN #1) permitted | Allow all |
Secure HTTP server | stop | 443 | (shared with HTTP server) | (shared with HTTP server) |
TFTP server | stop | 69 | Only default management VLAN (VLAN #1) permitted | Allow all |
4 Related Commands
Related commands are shown below.
For details, refer to the Command Reference.
List of related commands
Network service | Operations | Operating commands |
---|---|---|
Common | Management VLAN | management interface |
Telnet server | Start/stop | telnet-server |
Telnet server | Change reception port number | telnet-server enable (use argument to specify port number) |
Telnet server | Access control | telnet-server interface |
Telnet server | IP address access control | telnet-server access |
Telnet server | Show settings | show telnet-server |
SSH server | Start/stop | ssh-server |
SSH server | Change reception port number | ssh-server enable (use argument to specify port number) |
SSH server | Access control | ssh-server interface |
SSH server | IP address access control | ssh-server access |
SSH server | Check whether client is alive | ssh-server client alive |
SSH server | Show settings | show ssh-server |
SSH server | Generate host key | ssh-server host key generate |
SSH server | Clear host key | clear ssh-server host key |
SSH server | Show public key | show ssh-server host key |
HTTP server | Start/stop HTTP server | http-server |
HTTP server | Change HTTP server reception port number | http-server enable (use argument to specify port number) |
HTTP server | Start/stop secure HTTP server | http-server secure |
HTTP server | Change secure HTTP server reception port number | http-server secure enable (use argument to specify port number) |
HTTP server | Access control | http-server interface |
HTTP server | IP address access control | http-server access |
HTTP server | Show settings | show http-server |
TFTP server | Start/stop | tftp-server |
TFTP server | Access control | tftp-server interface |
5 Examples of Command Execution
5.1 Telnet server access control
This example restricts access to the Telnet server.
Change the Telnet server's reception port to 1024.
Change the management VLAN to VLAN #1000 and allow access. Access from other than the management VLAN is denied.
Access to the Telnet server is allowed only for a client from 192.168.100.1.
If you specify telnet-server access, access from IP addresses that do not meet the conditions is denied.
Yamaha(config)#telnet-server enable 1024 ... (Change reception port to 1024, and restart Telnet server)
Yamaha(config)#management interface vlan1000 ... (Permit access for VLAN #1000 as the management VLAN)
Yamaha(config)#telnet-server access permit 192.168.100.1 ... (Permit access only from 192.168.100.1)
Yamaha(config)#end
Yamaha#show telnet-server ... (Check state of settings)
Service:Enable
Port:1024
Management interface(vlan):1000
Interface(vlan):None
Access:
    permit 192.168.100.1
5.2 SSH server access control
This example restricts access to the SSH server.
Generate the SSH server host key.
Register a user name and password.
Login from an SSH client is possible only for a registered user and password.
Change the SSH server's reception port to 1024.
Change the management VLAN to VLAN #1000 and allow access for VLAN #2.
This allows access only from the management VLAN (VLAN #1000) and from VLAN #2.
If you specify ssh-server access, access from IP addresses that do not meet the conditions is denied.
Yamaha#ssh-server host key generate ... (Create host key)
Yamaha#show ssh-server host key ... (Check contents of key)
ssh-dss (Omitted)
ssh-rsa (Omitted)
Yamaha#
Yamaha#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Yamaha(config)#username user1 password pw1 ... (Register a user name and password.)
Yamaha(config)#ssh-server enable 1024 ... (Change reception port to 1024, and restart SSH server)
Yamaha(config)#management interface vlan1000 ... (Permit access for #1000 as the management VLAN)
Yamaha(config)#ssh-server interface vlan2 ... (Permit access for VLAN #2)
Yamaha(config)#end
Yamaha#show ssh-server ... (Check state of settings)
Service:Enable
Port:1024
Hostkey:Generated
Client alive :Disable
Management interface(vlan):1000
Interface(vlan):2
Access:None
Yamaha#
5.3 HTTP server access restriction
This example restricts access to the HTTP server.
The HTTP server reception port is changed to 8000, and access is permitted from VLAN #2.
This allows access only from the default management VLAN (VLAN #1) and from VLAN #2.
Access to the HTTP server is allowed only for a client from 192.168.100.1.
If you specify http-server access, access from IP addresses that do not meet the conditions is denied.
Yamaha(config)#http-server enable 8000 ... (Change reception port to 8000, and restart HTTP server)
Yamaha(config)#http-server interface vlan2 ... (Permit access for VLAN #2)
Yamaha(config)#http-server access permit 192.168.100.1 ... (Permit access only from 192.168.100.1)
Yamaha(config)#end
Yamaha#show http-server ... (Check state of settings)
HTTP :Enable(8000)
HTTPS:Disable
Management interface(vlan):1
Interface(vlan):2
Access:
    permit 192.168.100.1
5.4 TFTP server access restriction
This example restricts TFTP server access.
The TFTP server reception port is changed to 2048, and access is permitted from VLAN #10.
This allows access only from the default management VLAN (VLAN #1) and from VLAN #10.
Yamaha(config)#tftp-server enable 2048 ... (Change reception port to 2048, and restart TFTP server)
Yamaha(config)#tftp-server interface vlan10 ... (Permit access for VLAN #10)
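A way to review these settings across many units: the added example below (not part of the manual) parses saved `show telnet-server`, `show ssh-server` and `show http-server` output in the format shown in 5.1 to 5.3 and reports three conditions. The finding names and the choice of what to report are this example's own; the first sample is constructed from the default settings table, the others are the outputs shown above.

```python
import re

ENTRY = re.compile(r"(permit|deny)\s+(\S+)")


def parse_show(text):
    """Extract fields from show telnet-server / ssh-server / http-server output.
    The patterns tolerate lost line breaks, so pasted one-line output also parses."""
    out = {"access": []}
    m = re.search(r"Service:\s*(Enable|Disable)", text)
    if m:
        out["enabled"] = m.group(1) == "Enable"
    m = re.search(r"\bPort:\s*(\d+)", text)
    if m:
        out["port"] = int(m.group(1))
    for key, label in (("http", "HTTP"), ("https", "HTTPS")):
        m = re.search(r"\b" + label + r"\s*:\s*(Enable|Disable)(?:\((\d+)\))?", text)
        if m:
            out[key] = m.group(1) == "Enable"
            out[key + "_port"] = int(m.group(2)) if m.group(2) else None
    m = re.search(r"Management interface\(vlan\):\s*(\d+)", text)
    if m:
        out["mgmt_vlan"] = int(m.group(1))
    # "Access:None" means no source address rule; otherwise permit/deny entries follow.
    m = re.search(r"Access:\s*(None|(?:(?:permit|deny)\s+\S+\s*)+)", text)
    if m and m.group(1) != "None":
        out["access"] = ENTRY.findall(m.group(1))
    return out


def audit(service, text):
    """Return findings for one service ('telnet', 'ssh' or 'http')."""
    s = parse_show(text)
    findings = []
    if service == "telnet" and s.get("enabled"):
        findings.append("telnet-enabled")            # cleartext management login
    if service == "http" and s.get("http") and not s.get("https"):
        findings.append("http-without-https")        # web GUI reachable only unencrypted
    running = s.get("enabled") or s.get("http") or s.get("https")
    if running and not s["access"]:
        findings.append("no-source-restriction")     # every source address is allowed
    return findings


# Constructed sample: Telnet server with the default settings from section 3.
TELNET_DEFAULT = """Service:Enable
Port:23
Management interface(vlan):1
Interface(vlan):None
Access:None"""

# Outputs as shown in examples 5.1, 5.2 and 5.3.
TELNET_5_1 = ("Service:Enable Port:1024 Management interface(vlan):1000 "
              "Interface(vlan):None Access: permit 192.168.100.1")
SSH_5_2 = ("Service:Enable Port:1024 Hostkey:Generated Client alive :Disable "
           "Management interface(vlan):1000 Interface(vlan):2 Access:None")
HTTP_5_3 = ("HTTP :Enable(8000) HTTPS:Disable Management interface(vlan):1 "
            "Interface(vlan):2 Access: permit 192.168.100.1")


def report():
    return {
        "telnet (default)": audit("telnet", TELNET_DEFAULT),
        "telnet (5.1)": audit("telnet", TELNET_5_1),
        "ssh (5.2)": audit("ssh", SSH_5_2),
        "http (5.3)": audit("http", HTTP_5_3),
    }


if __name__ == "__main__":
    for name, findings in report().items():
        print(name, findings or "no findings")
```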
6 Points of Caution
None
7 Related Documentation
Time management
1 Function Overview
This product provides the functions shown below for managing the date and time.
- Manual (user-configured) date/time information setting function
- Automatic date/time setting information function via network
- Time zone setting function
Note that a function to set summertime (DST: Daylight Saving Time) is not provided.
2 Definition of Terms Used
- UTC (Coordinated Universal Time)
This is an official time used when recording worldwide times.
UTC is used as a basis to determine standard time in all countries around the world.
For instance, Japan (JST, or Japan standard time) is nine hours ahead of Coordinated Universal Time, and is thus shown as "+0900 (JST)".
- SNTP (Simple Network Time Protocol)
This is a simple protocol to correct clocks by using SNTP packets.
This protocol is defined in RFC4330.
3 Function Details
3.1 Manually setting the date and time
Use the clock set command to directly input the time.
3.2 Automatically setting the date and time
Date and time information is collected from a specified time server, and set in this product.
Defined in RFC4330, SNTP (Simple Network Time Protocol) is used as a communication protocol.
Up to two time servers can be specified, which can be either an IPv4 address, an IPv6 address, or an FQDN (Fully Qualified Domain Name).
Port number 123 is used for the SNTP client. (This setting cannot be changed by the user.)
Use the ntpdate command to choose from the following two methods of automatically setting the date/time.
- One-shot update (a function to update when a command is inputted)
- Interval update (a function to update in a 1–24-hour cycle from command input)
If time synchronization is performed when two time servers have been specified, queries are performed in the order of NTP server 1 and then NTP server 2 shown by the show ntpdate command.
The query to NTP server 2 is performed only if synchronization with NTP server 1 fails.
By default, one hour is specified as the update interval cycle.
However, when the default time cannot be set right after booting up the system, the time server will be queried in a one-minute cycle, regardless of the interval cycle time.
Synchronization with the time server operates with one sampling (the frequency of replies from the server) and with a timeout of 1 second.
Synchronization is blocked during command execution, and an error message is outputted if a timeout occurs.
3.3 Time zone settings
Use the "clock timezone" command to set the time zone of the region in which the users are based; the time reflects this setting.
The time zone can be set in 1-hour increments relative to Coordinated Universal Time (UTC), from -12 hours to +13 hours.
The default time zone value for this product is +9.0.
4 Related Commands
Related commands are shown below.
For details, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Set clock manually | clock set |
Set time zone | clock timezone |
Show current time | show clock |
Set NTP server | ntpdate server |
Synchronize time from NTP server (one-shot update) | ntpdate oneshot |
Synchronize time from NTP server (update interval) | ntpdate interval |
Show NTP server time synchronization settings | show ntpdate |
5 Examples of Command Execution
5.1 Manually setting the time
In this example, the time zone is set to JST, and the current time is set to 2014.01.21 15:50:59.
Yamaha#configure terminal
Yamaha(config)#clock timezone JST … (Set time zone)
Yamaha(config)#exit
Yamaha#clock set 15:50:59 Jan 21 2014 … (Set time)
Yamaha#show clock … (Show current time)
15:50:59 JST Tue Jan 21 2014
5.2 Automatically setting the time
In this example, the time zone is set to +9.00, and the local 192.168.1.1 and ntp.nict.jp are specified as the NTP servers.
Also, the update cycle with the NTP server is changed to once per 24 hours.
Yamaha#configure terminal
Yamaha(config)#clock timezone +9:00 … (Set time zone)
Yamaha(config)#ntpdate server ipv4 192.168.1.1 … (Set NTP server)
Yamaha(config)#ntpdate server name ntp.nict.jp … (Set NTP server)
Yamaha(config)#ntpdate interval 24 … (Set 24 hours as the update interval for synchronizing with NTP server)
Yamaha(config)#exit
Yamaha#show clock … (Show current time)
10:03:20 +9:00 Mon Dec 12 2016
Yamaha#show ntpdate … (Show NTP time synchronization settings)
NTP server 1 : 192.168.1.1
NTP server 2 : ntp.nict.jp
adjust time : Mon Dec 12 10:03:15 2016 + interval 24 hours
sync server : 192.168.1.1
6 Points of Caution
None
7 Related Documentation
SNMP
1 Function Overview
Setting SNMP (Simple Network Management Protocol) makes it possible to monitor and change network management information from SNMP management software.
In this instance, this product will operate as an SNMP agent.
This product supports communication using SNMPv1, SNMPv2c, and SNMPv3. As an MIB (Management Information Base), it is also compatible with RFC1213 (MIB-II) and with a private MIB (yamahaSW).
SNMPv1 and SNMPv2c notify the recipient of the group name (called a "community"), and communicate only with hosts that belong to that community. Different community names can be given for the two access modes, read-only and read-write.
In this sense, community names function as a kind of password; but since community names are sent over a network using plain text, they carry inherent security risks. The use of SNMPv3 is recommended when more secure communications are required.
SNMPv3 offers communication content authentication and encryption. SNMPv3 does away with the concept of community and instead uses security models called "USM" (User-based Security Model) and "VACM" (View-based Access Control Model). These models provide a higher level of security.
SNMP messages that notify the status of this product are called "traps." This product transmits standard SNMP traps. In SNMPv1, the notification message format is the trap request, which does not ask the recipient to confirm receipt. With SNMPv2c and SNMPv3, you can select either an "inform" request, which asks the recipient for a reply, or a trap request.
This product does not define default values for the read-only community name or the trap community name used in SNMPv1 and SNMPv2c, so specify community names as appropriate. However, as described above, the community name is sent over the network in plaintext, so be careful to never use a login password or administrator password as the community name.
By default, no access is possible with any SNMP version. No trap destination host is set, so traps will not be sent anywhere.
2 Definition of Terms Used
None
3 Function Details
The main characteristics of each SNMP version and the setting policies for this product are explained below.
See "5 Examples of Command Execution" later in this text for specific examples of settings.
3.1 SNMPv1
SNMPv1 performs authentication between the SNMP manager and agent by using community names.
The controlling device (this product) is divided into zones called "communities" and managed per zone.
- Accessing the MIB objects
Use the snmp-server community command to permit access using the community name that was set.
Access is possible from a VLAN interface whose IP address has been specified.
- SNMP traps
SNMP traps allow for the status of this product to be sent to the hosts that are configured with the snmp-server host command.
The snmp-server enable trap command sets what kind of trap is transmitted.
3.2 SNMPv2c
As with SNMPv1, this performs authentication between the SNMP manager and agent by using community names.
The snmp-server community command sets the community name used when accessing via SNMPv2c.
The "GetBulk" and "Inform" requests are also now supported from this version.
These requests are used to efficiently retrieve multiple MIB objects, and to confirm replies to notification packets sent from this product.
- Accessing the MIB objects
Use the snmp-server community command to permit access using the community name that was set.
Access is possible from a VLAN interface whose IP address has been specified.
- SNMP traps
SNMP traps allow for the status of this product to be sent to the hosts that are configured with the snmp-server host command.
Also, the settings of this command can be used to select whether the transmitted message format is a trap or inform request.
Inform requests ask the recipient to confirm receipt by replying.
3.3 SNMPv3
In addition to all of the functions offered in SNMPv2c, SNMPv3 offers more robust security functions.
SNMP packets transmitted across the network are authenticated and encrypted. This protects them from eavesdropping, spoofing, falsification, replay attacks and so on, providing security that SNMPv1 and SNMPv2c could not achieve with community names and the IP addresses of SNMP managers.
Security
SNMPv3 offers the following security functions.
- USM (User-based Security Model)
USM is a model for maintaining security at the message level. It offers authentication and encryption based on shared key cryptography, and prevents falsification of the message stream.
- Security level
The security level can be specified using the parameter settings for the group to which the user belongs.
The security level combines authentication and encryption, and is classified as shown below.
- noAuthNoPriv: no authentication and encryption
- AuthNoPriv: authentication only
- AuthPriv: authentication and encryption
- User authentication
For authentication, HMAC is used in the procedure to authenticate the integrity (whether data has been falsified or not) and the source.
A hash keyed with the authentication key is used to confirm whether the message has been falsified, and whether the sender is the user themselves.
Both HMAC-MD5-96 and HMAC-SHA-96 are supported as hash algorithms.
- Encryption
With SNMPv3, SNMP messages are encrypted for the purpose of preventing leakage of managed information.
Both the DES-CBC and AES128-CFB encryption schemes are supported.
The user and membership group name, user authentication method and encryption scheme, as well as the password can be set with the snmp-server user command.
The necessary authentication and encryption settings can be made according to the security level specified in the group settings.
- VACM (View-based Access Control Model)
VACM is a model for controlling access to SNMP messages.
- Group
With VACM, the access policies mentioned below are defined per group, not per user.
Use the group option of the snmp-server user command to set the group(s) that the user will belong to. The MIB views accessible to the specified groups can then be configured.
- MIB view
With SNMPv3, a collection of accessible MIB objects can be defined for each group. When defined, the collection of MIB objects is called the "MIB view". The "MIB view" is expressed as a collected view sub-tree that shows the object ID tree.
Use the snmp-server view command to configure the MIB view. For each view sub-tree, you can select whether it is included in or excluded from the MIB view.
- Access policies
With VACM, set the MIB view that will permit reading and writing for each group.
Use the snmp-server group command to set the group name, security level, and MIB view.
The MIB view will be the view that was configured using the snmp-server view command.
SNMP traps
SNMP traps allow for the status of this product to be sent to the hosts that are configured with the snmp-server host command.
In order to transmit a trap, the snmp-server user command must first be used to configure the user.
Also, the settings of this command can be used to select whether the transmitted message format is a trap or inform request.
Inform requests ask the recipient to confirm receipt of the notification.
3.4 Private MIB
This product supports yamahaSW, which is a proprietary private MIB for switch management.
This private MIB allows the obtaining of information for Yamaha's proprietary functions, and for more detailed information about the switch.
Refer to the following SNMP MIB Reference for information on private MIBs that are supported, and on how to get them.
4 Related Commands
Related commands are shown below.
For details on the commands, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Set host that receives SNMP notifications | snmp-server host |
Set notification type to transmit | snmp-server enable trap |
Set system contact | snmp-server contact |
Set system location | snmp-server location |
Set SNMP community | snmp-server community |
Set SNMP view | snmp-server view |
Set SNMP group | snmp-server group |
Set SNMP user | snmp-server user |
Show SNMP community information | show snmp community |
Show SNMP view settings | show snmp view |
Show SNMP group settings | show snmp group |
Show SNMP user settings | show snmp user |
5 Examples of Command Execution
5.1 SNMPv1 setting example
This example makes SNMPv1-based network monitoring possible under the following conditions.
- Set the read-only community name "public."
- Set the trap destination as "192.168.100.11", and set "snmptrapname" as the trap community name.
Yamaha(config)# snmp-server community public ro ... 1
Yamaha(config)# snmp-server host 192.168.100.11 traps version 1 snmptrapname ... 2
5.2 SNMPv2c setting example
This example makes SNMPv2c-based network monitoring possible under the following conditions.
- Set the readable/writable community name as "private."
- Specify the notification message destination as "192.168.100.12", the notification type as "inform" request format, and the notification destination community name as "snmpinformsname".
Yamaha(config)# snmp-server community private rw ... 1
Yamaha(config)# snmp-server host 192.168.100.12 informs version 2c snmpinformsname ... 2
5.3 SNMPv3 setting example
This example makes SNMPv3-based network monitoring possible under the following conditions.
- Specify the view that shows the internet node (1.3.6.1) and below as "most".
- Specify the view that shows the mib-2 node (1.3.6.1.2.1) and below as "standard".
- Create the user group "admins", and grant users belonging to the "admins" group full access rights to the "most" view.
- Create the user group "users", and grant users belonging to the "users" group read access rights to the "standard" view.
- Create an "admin1" user that belongs to the "admins" group.
Set the password to "passwd1234", using the "HMAC-SHA-96" authentication algorithm.
Set the encryption password to "passwd1234", using the "AES128-CFB" encryption algorithm.
- Create a "user1" user that belongs to the "users" group.
Set the password to "passwd5678", using the "HMAC-SHA-96" authentication algorithm.
- Send notifications in trap format (without response confirmation) to 192.168.10.3.
- Send notifications in inform request format to 192.168.20.3.
Yamaha(config)# snmp-server view most 1.3.6.1 include ... 1
Yamaha(config)# snmp-server view standard 1.3.6.1.2.1 include ... 2
Yamaha(config)# snmp-server group admins priv read most write most ... 3
Yamaha(config)# snmp-server group users auth read standard ... 4
Yamaha(config)# snmp-server user admin1 admins auth sha passwd1234 priv aes passwd1234 ... 5
Yamaha(config)# snmp-server user user1 users auth sha passwd5678 ... 6
Yamaha(config)# snmp-server host 192.168.10.13 traps version 3 priv admin1 ... 7
Yamaha(config)# snmp-server host 192.168.20.13 informs version 3 priv admin1 ... 8
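The following is an added example, not part of the Yamaha manual or firmware: a small configuration check that reads snmp-server commands in the form used in sections 5.1 to 5.3 and reports settings that fall short of the AuthPriv security level described in 3.3. The finding codes are names made up for this example, and the keywords "md5", "des", "noauth" are assumed spellings of the HMAC-MD5-96, DES-CBC and noAuthNoPriv options that the manual names but does not show in a command.

```python
import re

PROMPT = re.compile(r"^\S+\(config\)#\s*")     # leading "Yamaha(config)# "
CALLOUT = re.compile(r"\s*\.\.\.\s*\d+\s*$")   # trailing "... 1" callout number
WELL_KNOWN = {"public", "private"}             # widely known community names

# Commands copied from the setting examples in sections 5.1, 5.2 and 5.3.
SAMPLE_CONFIG = """\
Yamaha(config)# snmp-server community public ro ... 1
Yamaha(config)# snmp-server host 192.168.100.11 traps version 1 snmptrapname ... 2
Yamaha(config)# snmp-server community private rw ...1
Yamaha(config)# snmp-server host 192.168.100.12 informs version 2c snmpinformsname ...2
Yamaha(config)# snmp-server view most 1.3.6.1 include ... 1
Yamaha(config)# snmp-server view standard 1.3.6.1.2.1 include ... 2
Yamaha(config)# snmp-server group admins priv read most write most ... 3
Yamaha(config)# snmp-server group users auth read standard ... 4
Yamaha(config)# snmp-server user admin1 admins auth sha passwd1234 priv aes passwd1234 ... 5
Yamaha(config)# snmp-server user user1 users auth sha passwd5678 ... 6
Yamaha(config)# snmp-server host 192.168.10.13 traps version 3 priv admin1 ... 7
Yamaha(config)# snmp-server host 192.168.20.13 informs version 3 priv admin1 ... 8
"""


def audit_snmp_config(text):
    """Return a list of (subject, finding_code) for snmp-server commands."""
    findings = []
    for raw in text.splitlines():
        line = CALLOUT.sub("", PROMPT.sub("", raw.strip()))
        tok = line.split()
        if len(tok) < 3 or tok[0] != "snmp-server":
            continue
        kind, args = tok[1], tok[2:]
        subject = f"{kind} {args[0]}"

        if kind == "community":
            # SNMPv1/v2c: the community name is the only credential.
            if args[0] in WELL_KNOWN:
                findings.append((subject, "WELL_KNOWN_COMMUNITY"))
            if args[1:2] == ["rw"]:
                findings.append((subject, "RW_COMMUNITY"))

        elif kind == "host":
            # snmp-server host ADDR traps|informs version VER [LEVEL] NAME
            ver = args[3] if args[2:3] == ["version"] and len(args) > 3 else None
            if ver in ("1", "2c"):
                findings.append((subject, "CLEARTEXT_NOTIFY"))
            elif ver == "3" and args[4:5] != ["priv"]:
                findings.append((subject, "NOTIFY_BELOW_PRIV"))

        elif kind == "group":
            # snmp-server group NAME LEVEL read VIEW [write VIEW]
            if args[1:2] != ["priv"]:
                findings.append((subject, "GROUP_BELOW_PRIV"))

        elif kind == "user":
            # snmp-server user NAME GROUP [auth ALG PASS [priv ALG PASS]]
            opts = args[2:]
            auth = opts[1:3] if opts[:1] == ["auth"] else None
            priv = opts[4:6] if opts[3:4] == ["priv"] else None
            if auth is None:
                findings.append((subject, "USER_NO_AUTH"))
            elif priv is None:
                findings.append((subject, "USER_NO_PRIV"))
            # "md5" / "des" are assumed keywords (see lead-in).
            if (auth and auth[0] == "md5") or (priv and priv[0] == "des"):
                findings.append((subject, "WEAK_ALGORITHM"))
            if auth and priv and auth[1:] == priv[1:]:
                findings.append((subject, "SHARED_AUTH_PRIV_PASSWORD"))
    return findings


if __name__ == "__main__":
    for subject, code in audit_snmp_config(SAMPLE_CONFIG):
        print(f"{code:28} {subject}")
```

Run against the three setting examples, the check reports the "public" and "private" communities, the v1/v2c notification hosts, the "users" group and "user1" (authentication without encryption), and "admin1" (one password used for both authentication and encryption).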
6 Points of Caution
- Check the SNMP version that can be used with the SNMP manager beforehand. It is necessary to configure this product in accordance with the SNMP version that will be used.
- This product is not compatible with the following functions related to SNMPv3.
- Proxy function
- Access to MIB objects after the SNMPv2 subtree (1.3.6.1.6). Changing SNMPv3-related settings via SNMP is also not supported.
7 Related Documentation
None
RMON
1 Function Overview
By making settings for the RMON (Remote network MONitoring) function, you can monitor and record the traffic volume and error occurrences for each interface.
Since the settings for the RMON function and the data obtained by the RMON function are held as an MIB, they can be retrieved and edited from the SNMP manager.
The RMON function of this product supports the following groups defined in RFC2819.
- Ethernet statistics group
- History group
- Alarm group
- Event group
2 Definition of Terms Used
- RMON MIB
- MIB for the RMON function, defined in RFC2819
- Ethernet statistics group
MIB group defined as group 1 of the RMON MIB.
This holds a table for monitoring Ethernet statistical information.
The information in the table includes counters for the number of packets, the number of errors, etc.
The etherStatsTable is the applicable MIB for this product.
- History group
MIB group defined as group 2 of the RMON MIB.
At a specified interval, it measures the same information as the Ethernet statistical information group, and has a table for saving the history of this information.
The MIBs relevant for this product are the historyControlTable and the etherHistoryTable.
- Alarm group
MIB group defined as group 3 of the RMON MIB.
At the specified interval, the statistical information of the Ethernet statistical information group is compared with the threshold values.
If the sampled values exceed the threshold values, the event defined for the event group is generated.
The alarmTable is the applicable MIB for this product.
- Event group
MIB group defined as group 9 of the RMON MIB.
This is the action taken in response when the alarm group conditions are met.
The eventTable is the applicable MIB for this product.
3 Function Details
The operating specifications for operation of the RMON function are shown below.
3.1 Common between groups
The specifications common between groups are given below.
- In order to enable the RMON function on this product, the system-wide RMON function must be enabled.
- Use the rmon command to make settings.
- This is enabled by default.
- You can also set this by using the private MIB ysrmonSetting(1.3.6.1.4.1.1182.3.7.1).
3.2 Ethernet statistics group
The operating specifications for the Ethernet statistics group are given below.
- Make settings by using the rmon statistics command on an interface.
- Starting at the point at which you specified the rmon statistics command, statistical information is collected, and the etherStatsTable of the RMON MIB will be available for retrieval.
- This can be specified for a physical interface.
- A maximum of eight rmon statistics commands can be specified for the same interface.
- If an rmon statistics command is deleted, the collected statistical information is also deleted.
- If an rmon statistics command is overwritten, the previously collected statistical information is deleted, and collection is started once again.
- If the RMON function is disabled system-wide, collection of statistical information is halted.
If the RMON function is subsequently enabled system-wide, the previously collected statistical information is deleted, and collection is started once again.
- The supported OIDs in the Ethernet statistical information group are as follows.
rmon(1.3.6.1.2.1.16)
 +- statistics(1.3.6.1.2.1.16.1)
     +- etherStatsTable(1.3.6.1.2.1.16.1.1)
         + etherStatsEntry(1.3.6.1.2.1.16.1.1.1) { etherStatsIndex }
             +- etherStatsIndex(1.3.6.1.2.1.16.1.1.1.1) (read-only)
             +- etherStatsDataSource(1.3.6.1.2.1.16.1.1.1.2) (read-create)
             |    Interface being monitored
             +- etherStatsDropEvents(1.3.6.1.2.1.16.1.1.1.3) (read-only)
             |    Number of packets dropped
             +- etherStatsOctets(1.3.6.1.2.1.16.1.1.1.4) (read-only)
             |    Number of octets received
             +- etherStatsPkts(1.3.6.1.2.1.16.1.1.1.5) (read-only)
             |    Number of packets received
             +- etherStatsBroadcastPkts(1.3.6.1.2.1.16.1.1.1.6) (read-only)
             |    Number of broadcast packets received
             +- etherStatsMulticastPkts(1.3.6.1.2.1.16.1.1.1.7) (read-only)
             |    Number of multicast packets received
             +- etherStatsCRCAlignErrors(1.3.6.1.2.1.16.1.1.1.8) (read-only)
             |    Number of FCS error packets received
             +- etherStatsUndersizePkts(1.3.6.1.2.1.16.1.1.1.9) (read-only)
             |    Number of undersize packets received (packets smaller than 64 octets)
             +- etherStatsOversizePkts(1.3.6.1.2.1.16.1.1.1.10) (read-only)
             |    Number of oversize packets received (packets larger than 1518 octets)
             +- etherStatsFragments(1.3.6.1.2.1.16.1.1.1.11) (read-only)
             |    Number of fragment packets received (packets smaller than 64 octets with abnormal FCS)
             +- etherStatsJabbers(1.3.6.1.2.1.16.1.1.1.12) (read-only)
             |    Number of jabber packets received (packets larger than 1518 octets with abnormal FCS)
             +- etherStatsCollisions(1.3.6.1.2.1.16.1.1.1.13) (read-only)
             |    Number of collisions
             +- etherStatsOwner(1.3.6.1.2.1.16.1.1.1.20) (read-create)
             |    Name of owner
             +- etherStatsStatus(1.3.6.1.2.1.16.1.1.1.21) (read-create)
                  Status of statistical group
3.3 History group
The operating specifications for the history group are shown below.
- Make settings by using the rmon history command on an interface.
- Starting at the point at which you specified the rmon history command, historical information is collected, and the etherHistoryTable of the RMON MIB will be available for retrieval.
- This can be specified for a physical interface.
- A maximum of eight rmon history commands can be specified for the same interface.
- If an rmon history command is deleted, the collected historical information is also deleted.
- If an rmon history command is overwritten, the previously collected historical information is deleted, and collection is started once again.
- If the RMON function is disabled system-wide, collection of historical information is halted.
If the RMON function is subsequently enabled system-wide, the previously collected historical information is deleted, and collection is started once again.
- The supported OIDs in the Ethernet history group are as follows.
rmon(1.3.6.1.2.1.16)
 +- history(1.3.6.1.2.1.16.2)
     +- historyControlTable(1.3.6.1.2.1.16.2.1)
     |   + historyControlEntry(1.3.6.1.2.1.16.2.1.1) { historyControlIndex }
     |       +- historyControlIndex(1.3.6.1.2.1.16.2.1.1.1) (read-only)
     |       +- historyControlDataSource(1.3.6.1.2.1.16.2.1.1.2) (read-create)
     |       |    Interface being monitored
     |       +- historyControlBucketsRequested(1.3.6.1.2.1.16.2.1.1.3) (read-create)
     |       |    Number of history group history saves requested
     |       +- historyControlBucketsGranted(1.3.6.1.2.1.16.2.1.1.4) (read-only)
     |       |    Number of history group histories saved
     |       +- historyControlInterval(1.3.6.1.2.1.16.2.1.1.5) (read-create)
     |       |    Interval at which history group histories are saved
     |       +- historyControlOwner(1.3.6.1.2.1.16.2.1.1.6) (read-create)
     |       |    Name of owner
     |       +- historyControlStatus(1.3.6.1.2.1.16.2.1.1.7) (read-create)
     |            History group status
     |
     +- etherHistoryTable(1.3.6.1.2.1.16.2.2)
         + etherHistoryEntry(1.3.6.1.2.1.16.2.2.1) { etherHistoryIndex, etherHistorySampleIndex }
             +- etherHistoryIndex(1.3.6.1.2.1.16.2.2.1.1) (read-only)
             +- etherHistorySampleIndex(1.3.6.1.2.1.16.2.2.1.2) (read-only)
             +- etherHistoryIntervalStart(1.3.6.1.2.1.16.2.2.1.3) (read-only)
             |    Interval at which history group histories are saved
             +- etherHistoryDropEvents(1.3.6.1.2.1.16.2.2.1.4) (read-only)
             |    Number of packets dropped
             +- etherHistoryOctets(1.3.6.1.2.1.16.2.2.1.5) (read-only)
             |    Number of octets received
             +- etherHistoryPkts(1.3.6.1.2.1.16.2.2.1.6) (read-only)
             |    Number of packets received
             +- etherHistoryBroadcastPkts(1.3.6.1.2.1.16.2.2.1.7) (read-only)
             |    Number of broadcast packets received
             +- etherHistoryMulticastPkts(1.3.6.1.2.1.16.2.2.1.8) (read-only)
             |    Number of multicast packets received
             +- etherHistoryCRCAlignErrors(1.3.6.1.2.1.16.2.2.1.9) (read-only)
             |    Number of FCS error packets received
             +- etherHistoryUndersizePkts(1.3.6.1.2.1.16.2.2.1.10) (read-only)
             |    Number of undersize packets received (packets smaller than 64 octets)
             +- etherHistoryOversizePkts(1.3.6.1.2.1.16.2.2.1.11) (read-only)
             |    Number of oversize packets received (packets larger than 1518 octets)
             +- etherHistoryFragments(1.3.6.1.2.1.16.2.2.1.12) (read-only)
             |    Number of fragment packets received (packets smaller than 64 octets with abnormal FCS)
             +- etherHistoryJabbers(1.3.6.1.2.1.16.2.2.1.13) (read-only)
             |    Number of jabber packets received (packets larger than 1518 octets with abnormal FCS)
             +- etherHistoryCollisions(1.3.6.1.2.1.16.2.2.1.14) (read-only)
             |    Number of collisions
             +- etherHistoryUtilization(1.3.6.1.2.1.16.2.2.1.15) (read-only)
                  Estimated value of network usage ratio
3.4 Alarm group
The operating specifications for the alarm group are shown below.
- Use the rmon alarm command to make settings.
- From the point that the rmon alarm command is specified, sampling occurs at the specified interval.
- If an rmon alarm command is overwritten, the previous sampling data is deleted, and sampling is started once again.
- If the RMON function is disabled system-wide, sampling is halted.
If the RMON function is subsequently enabled system-wide, the previous sampling data is deleted, and sampling is started once again.
- Only etherStatsEntry(.1.3.6.1.2.1.16.1.1.1) MIB objects that have a counter type can be specified as the object of alarm group monitoring.
- If the Ethernet statistical information group used by the rmon alarm command is deleted, the rmon alarm command is also deleted.
- If the event group used by the rmon alarm command is deleted, the rmon alarm command is also deleted.
- The supported OIDs in the alarm group are as follows.
rmon(1.3.6.1.2.1.16)
 +- alarm(1.3.6.1.2.1.16.3)
     +- alarmTable(1.3.6.1.2.1.16.3.1)
         + alarmEntry(1.3.6.1.2.1.16.3.1.1) { alarmIndex }
             +- alarmIndex(1.3.6.1.2.1.16.3.1.1.1) (read-only)
             +- alarmInterval(1.3.6.1.2.1.16.3.1.1.2) (read-create)
             |    Sampling interval
             +- alarmVariable(1.3.6.1.2.1.16.3.1.1.3) (read-create)
             |    MIB object to be monitored
             +- alarmSampleType(1.3.6.1.2.1.16.3.1.1.4) (read-create)
             |    Sampling type
             +- alarmValue(1.3.6.1.2.1.16.3.1.1.5) (read-only)
             |    Estimated value
             +- alarmStartupAlarm(1.3.6.1.2.1.16.3.1.1.6) (read-create)
             |    Threshold value used for first alarm determination
             +- alarmRisingThreshold(1.3.6.1.2.1.16.3.1.1.7) (read-create)
             |    Upper threshold value
             +- alarmFallingThreshold(1.3.6.1.2.1.16.3.1.1.8) (read-create)
             |    Lower threshold value
             +- alarmRisingEventIndex(1.3.6.1.2.1.16.3.1.1.9) (read-create)
             |    Event index when crossing upper limit
             +- alarmFallingEventIndex(1.3.6.1.2.1.16.3.1.1.10) (read-create)
             |    Event index when crossing lower limit
             +- alarmOwner(1.3.6.1.2.1.16.3.1.1.11) (read-create)
             |    Name of owner
             +- alarmStatus(1.3.6.1.2.1.16.3.1.1.12) (read-create)
                  Alarm group status
Alarm detection is determined by an upper threshold value and a lower threshold value. If the threshold value is crossed, the specified event is executed.
If an alarm is detected, the alarm will not be detected again until the value crosses the opposite threshold.
The following cases are explained as examples.
- At point 1, the upper threshold value is crossed, so an alarm is detected.
The threshold value that is used for the very first decision can be specified by STARTUP.
In the example above, we will assume that the STARTUP value is "1" (using only the upper threshold value (risingAlarm)) or "3" (using both the upper threshold value and the lower threshold value (risingOrFallingAlarm)).
- At point 2, an alarm is not detected.
- At point 3, the upper threshold value is crossed, but since the opposite threshold was not previously crossed, an alarm is not detected.
- At point 4, the lower threshold value is crossed, and since the upper threshold was previously crossed, an alarm is detected.
- At point 5, the lower threshold value is exceeded, but since the opposite upper threshold was not previously crossed, an alarm is not detected.
- At point 6, the upper threshold value is crossed, and since the lower threshold was previously crossed, an alarm is detected.
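The following is an added example, not part of the Yamaha manual or firmware: a model of the threshold evaluation described above, run over a constructed series of etherStatsPkts counter readings that reproduces points 1 to 6. It assumes the alarmStartupAlarm and rising/falling semantics of the RFC 2819 alarmTable; the function names, the sample readings and the thresholds of 2000 and 1000 are chosen for the example.

```python
"""Model of RMON alarm-group threshold evaluation (added example).

Assumption: follows the rule stated in this section and the RFC 2819
alarmTable semantics. It is not the switch firmware's implementation.
"""

COUNTER32_MOD = 2 ** 32

# alarmStartupAlarm values defined in RFC 2819
RISING_ALARM, FALLING_ALARM, RISING_OR_FALLING_ALARM = 1, 2, 3

# Constructed Counter32 readings of etherStatsPkts, one per sampling interval.
# The counter wraps past 2**32 between the first and second reading.
CONSTRUCTED_COUNTERS = [4294966000, 1204, 2704, 4904, 5704, 7104, 8004, 10104]


def delta_samples(counter_readings):
    """Turn successive Counter32 readings into per-interval delta values.

    The modulo keeps the delta correct when the counter wraps between polls.
    """
    return [
        (cur - prev) % COUNTER32_MOD
        for prev, cur in zip(counter_readings, counter_readings[1:])
    ]


def evaluate_alarm(samples, rising, falling, startup=RISING_OR_FALLING_ALARM):
    """Return [(sample_index, "rising" | "falling", value), ...].

    After an alarm in one direction, no further alarm in that direction is
    raised until an alarm in the opposite direction has occurred.
    """
    events = []
    last_alarm = None   # direction of the most recent alarm
    prev = None         # previous sample, None before the first one
    for index, value in enumerate(samples):
        if prev is None:
            # First sample: only the directions enabled by STARTUP can fire.
            rise = value >= rising and startup in (
                RISING_ALARM, RISING_OR_FALLING_ALARM)
            fall = value <= falling and startup in (
                FALLING_ALARM, RISING_OR_FALLING_ALARM)
        else:
            # Later samples: the threshold must actually be crossed, and the
            # previous alarm must not have been in the same direction.
            rise = (value >= rising and prev < rising
                    and last_alarm != "rising")
            fall = (value <= falling and prev > falling
                    and last_alarm != "falling")
        if rise:
            events.append((index, "rising", value))
            last_alarm = "rising"
        elif fall:
            events.append((index, "falling", value))
            last_alarm = "falling"
        prev = value
    return events


if __name__ == "__main__":
    deltas = delta_samples(CONSTRUCTED_COUNTERS)
    print("delta samples:", deltas)
    for index, direction, value in evaluate_alarm(deltas, 2000, 1000):
        print(f"sample {index}: {direction} alarm at {value}")
```

In the constructed series, samples 0, 3 and 6 correspond to points 1, 4 and 6 (alarm detected), while samples 2 and 5 correspond to points 3 and 5 (threshold crossed again without an intervening opposite alarm, so nothing is detected).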
3.5 Event group
The operating specifications for the event group are shown below.
- Use the rmon event command to make settings.
- The following operations can be specified for the event group.
- Record to log
- Send SNMP trap
- Record to log and send SNMP trap
- If trap transmission is specified, the following SNMP commands must be set in order to transmit the SNMP trap.
- snmp-server host
- snmp-server enable trap rmon
- The following operations will be carried out when specifying trap transmission.
- SNMPv1, SNMPv2c
- A trap is transmitted only when the community name specified with the rmon event command matches the community name specified with the snmp-server host command.
- SNMPv3
- A trap is transmitted only when the community name specified with the rmon event command matches the user name specified with the snmp-server host command.
- The supported OIDs in the event group are as follows.
rmon(1.3.6.1.2.1.16)
 +- event(1.3.6.1.2.1.16.9)
     +- eventTable(1.3.6.1.2.1.16.9.1)
         + eventEntry(1.3.6.1.2.1.16.9.1.1) { eventIndex }
             +- eventIndex(1.3.6.1.2.1.16.9.1.1.1) (read-only)
             +- eventDescription(1.3.6.1.2.1.16.9.1.1.2) (read-create)
             |    Event description
             +- eventType(1.3.6.1.2.1.16.9.1.1.3) (read-create)
             |    Event type
             +- eventCommunity(1.3.6.1.2.1.16.9.1.1.4) (read-create)
             |    Community name
             +- eventLastTimeSent(1.3.6.1.2.1.16.9.1.1.5) (read-only)
             |    Event execution time
             +- eventOwner(1.3.6.1.2.1.16.9.1.1.6) (read-create)
             |    Name of owner
             +- eventStatus(1.3.6.1.2.1.16.9.1.1.7) (read-create)
                  Event group status
3.6 Setting by SetRequest from an SNMP manager
The same content as the commands of each group can be specified by using SetRequest from an SNMP manager.
The procedure for making settings from an SNMP manager is as follows.
As an example, we explain how to make new settings for the Ethernet statistics information (etherStatsTable) group to port1.1 using index number 1.
Similar operations can be used to make settings for a supported MIB on other groups.
- Make SNMP settings to allow the MIB to be written.
For details, refer to the SNMP technical reference.
- For etherStatsStatus.1, specify "2" (createRequest).
The ".1" of etherStatsStatus.1 is the etherStatsTable index.
- For etherStatsDataSource.1, specify ifIndex.5001 as the interface to be monitored.
ifIndex.5001 indicates port1.1.
- Specifying "owner" is optional, but if you do, specify the text string in etherStatsOwner.1.
- For etherStatsStatus, specify "1" (valid).
When you perform the above steps, the following commands are specified for port1.1.
We assume that "RMON" was set as the "owner" setting.
rmon statistics 1 owner RMON
Below we show how to disable the RMON function system-wide from the SNMP manager.
- Make SNMP settings to allow the MIB to be written.
For details, refer to the SNMP technical reference.
- For ysrmonSetting(1.3.6.1.4.1.1182.3.7.1), specify "2" (disabled).
When you perform the above steps, the following commands are specified.
rmon disable
To specify enable, set ysrmonSetting(1.3.6.1.4.1.1182.3.7.1) to "1" (enabled).
4 Related Commands
Related commands are shown below.
For details on the commands, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
RMON function settings | rmon |
Set RMON Ethernet statistical information group | rmon statistics |
Set RMON history group | rmon history |
Set RMON event group | rmon event |
Set RMON alarm group | rmon alarm |
Show RMON function status | show rmon |
Show RMON Ethernet statistical information group status | show rmon statistics |
Show RMON history group status | show rmon history |
Show RMON event group status | show rmon event |
Show RMON alarm group status | show rmon alarm |
Clear RMON Ethernet statistical information group counters | rmon clear counters |
5 Examples of Command Execution
5.1 Set Ethernet statistical information group
Make Ethernet statistical information group settings for port 1.1, and from the SNMP manager, retrieve the MIB of the Ethernet statistical information group.
- Enable the Ethernet statistical information group setting for port1.1.
The index of the Ethernet statistical information group is "1."
Yamaha(config)#interface port1.1
Yamaha(config-if)#rmon statistics 1 ... (Enable the Ethernet statistical information group setting)
- Make SNMP settings so that the MIB of the Ethernet statistical information group can be retrieved from the SNMP manager.
In this example, we use "private" access on SNMPv1 or SNMPv2c.
Yamaha(config)#snmp-server community private rw ... (Set the readable/writable community name as "private")
- From the SNMP manager, it will be possible to retrieve the etherStatsTable(.1.3.6.1.2.1.16.1.1) with the community name "private."
5.2 Set history group
Make settings for the history group of port1.1 and retrieve the MIB of the history group from the SNMP manager.
- Enable the port1.1 history group setting.
The index of the history group is "1."
Yamaha(config)#interface port1.1
Yamaha(config-if)#rmon history 1 ... (Enable the history group setting)
- Make SNMP settings so that the MIB of the history group can be retrieved from the SNMP manager.
In this example, we use "private" access on SNMPv1 or SNMPv2c.
Yamaha(config)#snmp-server community private rw ... (Set the readable/writable community name as "private")
- From the SNMP manager, it will be possible to retrieve the etherHistoryTable(.1.3.6.1.2.1.16.2.2) with the community name "private."
5.3 Set alarm event group
Use the alarm group to monitor the statistical information values of the Ethernet statistical information group.
The conditions for monitoring are as follows.
- The MIB to be monitored is port1.1's etherStatsPkts(.1.3.6.1.2.1.16.1.1.1.5).
- The sampling interval is 180 seconds.
- The sampling type is delta.
- The upper threshold value is 2000.
- The lower threshold value is 1000.
When the above monitoring conditions are matched, the following event group is executed.
- Record to log and send SNMP trap
- Community name is "RMON"
- Make the required settings for SNMP trap transmission.
Yamaha(config)#snmp-server host 192.168.100.3 traps version 2c RMON ... (Set trap transmission destination)
Yamaha(config)#snmp-server enable trap rmon ... (Enable trap transmission for the RMON function)
- Make event group settings.
The index of the event group is "1."
Yamaha(config)#rmon event 1 log-trap RMON ... (Enable the event group setting)
- In order to set the alarm group's monitoring target MIB object, enable the port1.1 Ethernet statistical information group setting.
The index of the Ethernet statistical information group is "1."
Yamaha(config)#interface port1.1
Yamaha(config-if)#rmon statistics 1 ... (Enable the Ethernet statistical information group setting)
- Set the alarm group with the listed conditions.
The index of the alarm group is "1."
Yamaha(config)#rmon alarm 1 etherStatsPkts.1 interval 180 delta rising-threshold 3000 event 1 falling-threshold 2000 event 1 ... (Enable the alarm group)
6 Points of Caution
None
7 Related Documentation
SYSLOG
1 Function Overview
This product provides the SYSLOG functions shown below as a means to ascertain the operating state.
- Functions to collect, reference, and delete the log that is accumulated inside this product
- Functions for output to the console simultaneously with logging
- Functions for transmitting to a previously-registered notification destination (SYSLOG server) simultaneously with logging
Logging, output to console, and notifications to the SYSLOG server are performed according to the output level specified by the user. Processing occurs only for the permitted messages.
Logging occurs in RAM, and is automatically backed up to flash ROM or can be backed up manually.
When backing up manually, you can also back up to an SD card at the same time.
Notifications to the SYSLOG server are done simultaneously with logging, but only if a SYSLOG server has been registered.
2 Definition of Terms Used
None
3 Function Details
The SYSLOG function is described below.
- Logging occurs in RAM, and can accumulate up to 10,000 items.
The following two types of backup to flash ROM are provided.
- Automatic backup performed every hour since system boot
- Manual backup performed by the save logging command
- The accumulated log can be viewed by the show logging command.
It can also be deleted by the clear logging command.
The show logging command shows the information in RAM.
For the log information of this product, it is assumed that the information in RAM always matches the information in flash ROM.
(When the system starts, the log information in flash ROM is applied to RAM, and the service is started. The log information in RAM is not deleted following execution of a backup.)
- Log transmission occurs only if the notification destination (SYSLOG server) has been registered.
You can use the logging host command to register up to two notification destinations.
Specify the notification destination either by IP address or FQDN.
As the port number of the notification destination, the default port number 514 is used. (This setting cannot be freely set by the user.)
- The level of log that is transmitted (SYSLOG priority) can be set using the logging trap command.
This product allows you to enable or disable output for each level of log.
With the factory settings, the output level enables only Information and Error.
- The logging backup sd command enables SYSLOG backup to the SD card.
If SYSLOG backup to the SD card is enabled, executing the save logging command will save the dated log file to the SD card.
4 Related Commands
Related commands are shown below.
For details, refer to the Command Reference.
List of related commands
Function name | Command name |
---|---|
Set log output level | logging trap |
Set log console output | logging stdout |
Set log notification destination (SYSLOG server) | logging host |
Back up log | save logging |
Clear log | clear logging |
Show log | show logging |
Set SD card backup of log | logging backup sd |
5 Examples of Command Settings
- Enable debug-level log output, and start log output to the SYSLOG server (192.168.1.100).
Also output informational-level log to the console.
Yamaha(config)# logging trap debug … (Enable debug level log output)
Yamaha(config)# logging host 192.168.1.100 … (Register SYSLOG server)
Yamaha(config)# logging stdout info … (Output informational-level log to the console)
- Stop notifications to the SYSLOG server.
Yamaha(config)# no logging host
- Save and show the accumulated log information.
Yamaha# save logging … (Save log from RAM to ROM)
Yamaha# show logging … (Show accumulated log)
2018/03/08 20:42:46: [ SESSION]:inf: Login succeeded as (noname) for HTTP: 192.168.1.40
2018/03/09 10:06:42: [ NSM]:inf: Interface port1.11 changed state to down
2018/03/09 10:09:48: [ SESSION]:inf: Logout timer expired as (noname) from HTTP: 192.168.1.40
2018/03/09 16:19:36: [ NSM]:inf: Interface port1.17 changed state to up
:
- Clear the accumulated log information.
Yamaha# clear logging … (Clear all accumulated logs)
Yamaha# show logging … (Show log)
(Since they were cleared, nothing is shown)
6 Points of Caution
None
7 Related Documentation
None
Firmware update
1 Function Overview
This product offers the following three firmware update functions, in order to correct problems in the program and to add new functionality.
- Firmware updates can be transmitted and applied to this product from a remote terminal such as a PC.
- This product's built-in HTTP client can access an HTTP server, to download and apply the latest firmware.
- A firmware update placed on the SD card can be applied to this product.
These update functions can be used to upgrade or downgrade the version of firmware used on this product.
While firmware is being updated, all port LEDs flash green regardless of the LED display mode.
When the firmware update has been correctly written, the system will reboot in order to apply the new firmware.
For details on how to specify reboot, refer to 3.4 Reboot following writing.
2 Definition of Terms Used
None
3 Function Details
3.1 Update by transmitting the firmware update
This function transmits firmware updates to this product from a remote terminal, such as a PC, and applies it as boot firmware.
The update process is executed using a TFTP client or the Web GUI.
3.1.1 Using a TFTP client to update the firmware
A TFTP client installed on a PC or other remote terminal can be used to transmit the firmware update to this product and apply it.
In order to operate this product's TFTP server, use the steps shown below to set up a network environment that allows remote access.
- Decide on the VLAN that will be used for maintenance.
- Set the IPv4 address on the maintenance VLAN. Use the ip address command for this setting.
- Permit access from the maintenance VLAN to the TFTP server. To make this setting, use the tftp-server interface command or the management interface command.
- Enable the TFTP server. Use the tftp-server enable command for this setting.
Follow the rules below when sending the firmware update using the TFTP client.
- Set the transmission mode to "binary mode".
- As shown in the table below, specify the remote path to which the firmware update is sent.
- If an administrative password has been specified for this product, use the form "/PASSWORD" to specify the administrative password following the remote path.
For a firmware update using a TFTP client, the following three types of update can be performed.
Updated firmware
Type | Remote path |
---|---|
Internal firmware | exec |
Boot loader | boot |
Boot loader + internal firmware | rom |
If there is no problem with the firmware update that was sent, the firmware update will be saved.
3.1.2. Firmware update by specifying the Web GUI local file
This function specifies a firmware update file located on the terminal accessing the web GUI, and applies it to this product.
This function does not do a version comparison with the existing firmware, and will overwrite the specified firmware regardless of version.
Firmware updates by specifying a local file are done by updating the firmware via [Maintenance] - [Firmware update] in the web GUI on the PC. (Refer to the part shown in a red frame on the screenshot below.)
Refer to the help contents within the GUI for the specific operation method.
Initial screen on the Web GUI for updating firmware using a PC
3.2 Using an HTTP client to update the firmware
This method of firmware update uses an HTTP client to obtain the firmware update from a specified URL, and then apply it to this product.
This function assumes that the firmware version will be upgraded. Downgrading to a previous version will only be permitted if "revision-down" is allowed.
The firmware cannot be rewritten with the same version of firmware.
An HTTP client can be used to update the firmware using the methods below.
- Use the firmware-update command from the CLI (Command-line interface)
- Execute the firmware update over the network using the Web GUI
Updating the firmware with an HTTP client uses the setting values shown in the table below.
Firmware update using an HTTP client: setting parameters
Setting parameter | Explanation |
---|---|
Download source URL | Sets the source URL from which the firmware is downloaded. A URL of up to 255 characters in length can be set. The default URL setting is shown below. http://www.rtpro.yamaha.co.jp/firmware/revision-up/swr2311p.bin |
Permit downward revision | Sets whether the current version of firmware can be downgraded to a previous version. The default value is "Don't allow". Overwriting the firmware with the same version of firmware is not permitted. |
Timeout | Specifies the timer for monitoring the completion of the processes shown below. The monitor timer can be set from 100–86,400 sec., and the default value is 300 sec. |
Refer to "5 Examples of Command Execution" or to the "Command Reference" for more information on how to use the firmware-update command.
To update firmware over the network using the Web GUI, execute the [Maintenance] - [Firmware update] command from the Web GUI. (Refer to the part shown in a red frame on the screenshot below.)
Refer to the help contents within the GUI for the specific operation method.
Initial screen for updating the firmware over the network using the Web GUI
3.3 Using an SD card to update the firmware
This function takes a firmware update from the SD card and applies it as boot firmware.
Perform the update from the CLI (Command-line interface) by using the firmware-update sd execute command.
After firmware update confirmation has been entered, the update will continue even if you remove the SD card. If you want to unmount the SD card when executing the command, you can either enter "N" when asked whether to maintain the mounted status of the SD card, or select the "sd-unmount" option for the command.
If you restart with the SD card left inserted in the unit, the unit starts from the firmware within the SD card as specified by the boot prioritize sd command.
- File path in the SD card
/swr2311p/firmware/swr2311p.bin
3.4 Reboot after writing
When the firmware update has been successfully written, the unit will reboot in accordance with the reboot time specified by the firmware-update reload-time command.
If the reboot time was not specified, the unit reboots immediately. If the reboot time was specified, the unit reboots at the specified time.
4 Related Commands
Related commands are shown below.
For details, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Set firmware update site | firmware-update url |
Execute firmware update | firmware-update execute |
Set firmware download timeout duration | firmware-update timeout |
Permit downward revision | firmware-update revision-down |
Show firmware update function settings | show firmware-update |
Execute firmware update from SD card | firmware-update sd execute |
Set firmware update reboot time | firmware-update reload-time |
5 Examples of Command Execution
5.1 Using an HTTP client to update the firmware
In this example, the firmware update is stored on the local HTTP server, and this product is set to manage the firmware in order to perform the update.
- Change the firmware download URL to http://192.168.100.1/swr2311p.bin.
- The revision-down option is left in disabled mode.
- The timeout value is left at 300 sec.
- We will not specify a reboot time, but will reboot immediately after update.
- The download URL is changed, and the firmware update settings are confirmed.
Yamaha(config)#firmware-update url http://192.168.100.1/swr2311p.bin … (Set download source URL)
Yamaha(config)#exit
Yamaha#show firmware-update … (Show firmware update function settings)
url:http://192.168.100.1/swr2311p.bin
timeout:300 (seconds)
revision-down:Disable
- The firmware update is executed.
Yamaha#firmware-update execute … (Execute firmware update)
Found the new revision firmware
Current Revision: Rev.2.02.01
New Revision: Rev.2.02.03
Downloading...
Update to this firmware? (Y/N)y … (Enter "y")
Updating...
Finish
(Reboots automatically)
- Pressing "CTRL+C" during the firmware update process will interrupt the update.
Yamaha#firmware-update execute
Found the new revision firmware
Current Revision: Rev.2.02.01
New Revision: Rev.2.02.03
Downloading... … (Enter Control-C)
^CCanceled the firmware download
5.2 Using an SD card to update the firmware
In this example, the firmware update is placed on an SD card inserted in the unit, and this product is set to manage the firmware in order to perform the update.
- Change the reboot time to 23:30.
If you do not specify a reboot time, the unit will reboot immediately after update.
- Change the reboot time.
Yamaha(config)#firmware-update reload-time 23 30 … (Set restart time)
Yamaha(config)#exit
- Execute the firmware update.
Yamaha#firmware-update sd execute … (Execute firmware update)
Update the firmware.
Current Revision: Rev.2.02.01
New Revision: Rev.2.02.03
Update to this firmware? (Y/N)y … (enter "y")
Continue without unmounting the SD card? (Y/N)n … (enter "n")
Unmounted the SD card.
Pull out the SD card.
Updating...
Finish
Yamaha#
(Reboots at specified reboot time)
- After checking the version of the update firmware, you can enter "n" to cancel.
Yamaha#firmware-update sd execute … (Execute firmware update)
Update the firmware.
Current Revision: Rev.2.02.01
New Revision: Rev.2.02.03
Update to this firmware? (Y/N)n … (enter "n")
Yamaha#
6 Points of Caution
If the unit is rebooted or the power is turned OFF during the firmware update, the update will be interrupted, and the unit will boot with the firmware used before the update.
7 Related Documentation
- Maintenance and operation functions: LED control
L2MS control
1 Function Overview
L2MS (Layer2 Management Service) is a function that manages Yamaha network devices at the layer 2 level.
L2MS consists of one L2MS master which performs centralized management and multiple L2MS slave units (subsequently called slaves) which are controlled from the L2MS master (subsequently called the master).
The SWR2311P-10G can be either a master or a slave.
Connections for the PC, master, and slaves are described below.
L2MS connections
From the PC, log in to the master via serial connection, Telnet, or HTTP.
The master provides commands for administering the slaves, and a web GUI for making settings or acquiring the state, and these are used to operate the slaves.
The master and slaves are connected via Ethernet cables, and use a proprietary protocol for communication.
This function has the following features.
- Initial settings are not required
Although it is necessary to specify the IP address if using Telnet or SSH, this function communicates using its own protocol, so initial settings for the slaves are not required.
When an Ethernet cable is connected, the master automatically detects the slaves that are under it.
- Simultaneously control multiple supported units
The master can simultaneously recognize and control multiple slaves.
The proprietary communication protocol used by L2MS is the same protocol as the communication used by the switch control functionality supported by Yamaha routers and the SWR2100P series.
This means that the master is able to manage the SWR2100P series.
2 Definition of Terms Used
- Master
- The device that manages Yamaha network devices that are operating as L2MS and switch control function slaves.
It manages the Yamaha switches and Yamaha wireless APs in the network.
- Slave
- A Yamaha switch or Yamaha wireless AP that is managed by the L2MS and switch control function master.
Its settings can be viewed or changed from the master.
3 Function Details
3.1 Supported models
The SWR2311P-10G can be either an L2MS master or slave.
If operating as a master, one master can control a maximum of 64 slave units.
The following models can be managed as slaves.
As described earlier, devices that support switch control functionality (slaves) can also be controlled.
- SWR2100P series (SWR2100P-10G, SWR2100P-5G)
- SWR2311P-10G
When operating as a slave, the unit is managed from the master of the Yamaha switch.
3.2 Usage
L2MS operation and role is set by the l2ms command.
- For the L2MS master
This unit manages the SWR series units that are operating as slaves.
By specifying the terminal-watch enable command, information for terminals such as PCs on the network can be acquired and monitored at regular intervals.
Yamaha(config)#l2ms configuration
Yamaha(config-l2ms)#l2ms enable
Yamaha(config-l2ms)#l2ms role master
Yamaha(config-l2ms)#terminal-watch enable
- For an L2MS slave
This unit is managed from the Yamaha switch that is operating as the master.
Yamaha(config)#l2ms configuration
Yamaha(config-l2ms)#l2ms enable
Yamaha(config-l2ms)#l2ms role slave
By specifying the show l2ms command, you can check current operation and role.
3.3 L2MS protocol
L2MS control is performed using the L2 frames of the proprietary protocol described below.
Contents of the L2MS protocol's L2 frames
Item | Value |
---|---|
Destination MAC | 01:a0:de:00:e8:12 – 01:a0:de:00:e8:15 |
Ethertype | 0xe812 |
3.4 Slave monitoring
The master monitors the slaves under it by transmitting a query frame at regular intervals.
In response to the query frame, each slave sends a response frame, notifying the master of its own existence.
The interval at which the query frame is transmitted is set by the slave-watch interval command.
Higher settings of the value will reduce the frequency of transmission, but will lengthen the time from when a slave is connected to when the master recognizes it.
Lower settings of the value will have the opposite result, increasing the frequency of transmission but shortening the time from when a slave is connected to when the master recognizes it.
If a response frame from the slave is not received even though the master has sent the query frame for a specified number of times, the corresponding slave is determined to be down.
The number of times is specified by the slave-watch down-count command.
If the Ethernet cable connecting the slave is unplugged, there may be cases in which the slave is determined to be down even earlier than the setting of this command.
Set the slave-watch interval and slave-watch down-count commands to values that are appropriate for your network environment.
3.5 Slave ownership
One slave cannot be simultaneously controlled by multiple masters.
For this reason, you must make settings such that there is one master in a network.
If a slave receives a query frame after boot, that slave will be managed by the master that transmitted that query frame.
This state is canceled by any of the following conditions.
- If a query frame was not received for 30 seconds.
- If the master was restarted.
- If the l2ms reset command was executed on the master.
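Because a slave is managed by whichever master sends it a query frame, and L2MS frames are not subject to ACL control, it is useful to know which stations on a segment are sending L2MS frames at all. The following added example (not part of the original manual) identifies L2MS frames in captured Ethernet frames by the Ethertype and destination MAC range given in 3.3, and counts senders that are not in a list of known L2MS devices. The frame payloads are zero-filled placeholders because the protocol body is proprietary; the sample frames, the unknown sender address and the inventory list are constructed, using the two device MAC addresses that appear in this manual's own `show l2ms detail` example.

```python
"""Find L2MS control frames in captured Ethernet frames and check who sent them."""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Values from the "Contents of the L2MS protocol's L2 frames" table.
L2MS_ETHERTYPE = 0xE812
L2MS_DST_FIRST = bytes.fromhex("01a0de00e812")
L2MS_DST_LAST = bytes.fromhex("01a0de00e815")
DOT1Q_TPID = 0x8100  # 802.1Q tag, present if the capture point keeps VLAN tags


def mac_text(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass(frozen=True)
class L2msFrame:
    src: str
    dst: str
    vlan: Optional[int]      # VLAN ID if the frame was tagged, else None
    dst_documented: bool     # destination is inside the documented MAC range


def classify(frame: bytes) -> Optional[L2msFrame]:
    """Return frame details if the Ethertype is L2MS, otherwise None."""
    if len(frame) < 14:
        return None
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    vlan = None
    if ethertype == DOT1Q_TPID:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan = tci & 0x0FFF
    if ethertype != L2MS_ETHERTYPE:
        return None
    # Equal-length byte strings compare lexicographically, which matches MAC order.
    in_range = L2MS_DST_FIRST <= dst <= L2MS_DST_LAST
    return L2msFrame(mac_text(src), mac_text(dst), vlan, in_range)


def unexpected_speakers(frames: Iterable[bytes], inventory: Iterable[str]) -> Dict[str, int]:
    """Count L2MS frames per source MAC that is not in the inventory."""
    known = {m.lower() for m in inventory}
    counts: Dict[str, int] = {}
    for frame in frames:
        info = classify(frame)
        if info and info.src not in known:
            counts[info.src] = counts.get(info.src, 0) + 1
    return counts


def build_sample_frame(dst: str, src: str, ethertype: int, vlan: Optional[int] = None) -> bytes:
    """Build a constructed test frame with a zero-filled placeholder payload."""
    tag = b"" if vlan is None else struct.pack("!HH", DOT1Q_TPID, vlan)
    return bytes.fromhex(dst) + bytes.fromhex(src) + tag + struct.pack("!H", ethertype) + bytes(46)


# Assumed inventory: the two SWR2311P-10G MAC addresses shown in this manual.
KNOWN_L2MS_DEVICES = ["ac:44:f2:30:00:a5", "00:a0:de:ae:b8:bf"]

# Constructed frames (not captured traffic).
SAMPLE_FRAMES = [
    build_sample_frame("01a0de00e812", "ac44f23000a5", L2MS_ETHERTYPE),
    build_sample_frame("01a0de00e813", "00a0deaeb8bf", L2MS_ETHERTYPE),
    build_sample_frame("01a0de00e812", "020000000099", L2MS_ETHERTYPE, vlan=20),
    build_sample_frame("ffffffffffff", "020000000099", 0x0806),          # ARP, ignored
    build_sample_frame("ffffffffffff", "00a0deaeb8bf", L2MS_ETHERTYPE),  # odd destination
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(classify(f))
    print("unexpected:", unexpected_speakers(SAMPLE_FRAMES, KNOWN_L2MS_DEVICES))
```

An unexpected sender on an edge port is a reason to apply `l2ms filter enable` to that port, as shown in 5.3.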
3.6 Slave control
When the master makes settings on an L2MS-compliant slave, or acquires its operating status, these actions are referred to as "controlling the slave."
The LAN map of the web GUI is used to control a slave.
After logging in to the web GUI of the master, select the applicable slave in the LAN map and control it.
For details on operations in the LAN map, refer to the web GUI help page.
Note that you cannot control a slave using commands from the SWR2311P-10G (master).
Here we explain the operations that can be performed on slaves from the LAN map.
3.6.1 Operations for the SWR2100P series
The following operations can be performed for SWR2100P series (SWR2100P-10G, SWR2100P-5G) units.
- Display the status of the device and ports
- Update the firmware
- Show and control the power supply status of the ports (PoE-equipped models only)
3.6.2 Operations for the SWR2311P-10G
The following operations can be performed for slaves.
- Display the status of the device and ports
- Show and control the power supply status of the ports (PoE-equipped models only)
- Change the IP address setting
- Save and restore config
- Use the HTTP Proxy function to log in to the slave's GUI
If the HTTP Proxy function is enabled, you can log in to the slave's GUI from the master's LAN map.
When logging in to the slave, it will not be necessary to enter a user name and password.
If the IP address of a slave in the network conflicts with another device, it will not be possible to log in to the slave GUI via the HTTP Proxy function.
In this case, make settings in the master LAN map to change the IP address setting of the slave.
For details, refer to "3.6.3 About the HTTP Proxy function and IP address settings."
3.6.3 About the HTTP Proxy function and IP address settings
The following operations can be performed for the SWR2311P-10G series and the WLX series.
With the factory settings, or immediately after the cold start command is executed, a fixed IP address is specified. (The L2MS operates as a slave.)
At this time if the unit is managed by the master, DHCP client settings are made automatically.
This is to avoid conflicting IP addresses in the case that multiple slaves exist.
Since the IP address is allocated by the DHCP server in the network, you can access the slave's web GUI via HTTP Proxy without making slave settings.
If a DHCP server does not exist in the network, it will not be possible to obtain an IP address, so you must specify the slave's IP address in the master's LAN map.
If settings are made and a startup config has been saved, they will not subsequently be automatically set by the DHCP client.
3.7 Information notified from the slave
A slave that is managed by the master informs the master when its own state changes or if a fault is detected.
Information from the slave is output to the master's SYSLOG or LAN map.
For details on the messages that are output to SYSLOG, refer to "7. SYSLOG message list."
The notifications sent by each slave are as follows.
Notifications sent by each slave to the master
Slave | Information sent |
---|---|
SWR2100P series (SWR2100P-10G, SWR2100P-5G) | Port link-up/down; Loop detected; Power supply function status of an individual port; Power supply function status of an individual device |
SWR2311P-10G | Port link-up/down; Loop detection by the proprietary loop detection function; SFP optical reception level fault; Egress queue usage ratio fault; Power supply function status of an individual port; Power supply function status of an individual device; Temperature fault; Fan fault; Terminal monitoring notification |
3.8 Monitoring of connected terminals
By specifying the terminal-watch enable command for the master, you can enable the monitoring function for connected terminals, and manage information for the terminals that are connected to the master and to the slaves.
The following information for connected terminals is managed by the master.
- If the master and slave are Yamaha switches
- MAC address of the terminal
- Port number of the master or slave to which the terminal is connected
- Date and time at which the terminal was detected
This information can be referenced by the show l2ms detail command.
The recommended number of terminals managed by this function is a maximum of 200 units regardless of the network configuration.
Note that if more terminals than the recommended number of units exist in the network, the LAN map of the web GUI might become sluggish or unresponsive.
According to changes in the network, the master will search for connected terminals or delete terminal information that it is managing.
The timing at which the master searches for connected terminals and the object of the search are as follows.
If new terminal information is found as a result of the search, it is determined that a terminal was detected.
Timing and object of terminal search
Timing | Object |
---|---|
A port of the master linked-up | The master's corresponding port |
A new slave was detected | All ports of the detected slave |
Port link-up notification received from a managed slave | The slave's corresponding port |
The time specified by the terminal-watch interval command elapsed | Master and all slaves |
The timing at which the master determines that a terminal has disappeared from the network and deletes the managed terminal information, and the object of the deletion, are as follows.
Timing and object of terminal information deletion
Timing | Object |
---|---|
A port of the master linked-down | The terminal that was connected to the corresponding port of the master |
A slave down was detected | All terminals that were connected to that slave |
Port link-down notification received from a managed slave | The terminal that was connected to the corresponding port of the slave |
As a result of searching for connected terminals, a previously-detected terminal was not found | Terminals that were not found |
4 Related Commands
Related commands are shown below.
For details, refer to the Command Reference.
List of L2MS-related commands
Operations | Operating commands |
---|---|
Move to L2MS mode | l2ms configuration |
Set L2MS function | l2ms enable |
Set L2MS function role | l2ms role |
Set slave monitoring time interval | slave-watch interval |
Set number of times after which slave is determined to be down | slave-watch down-count |
Set terminal management function | terminal-watch enable |
Set time interval at which terminal information is acquired | terminal-watch interval |
Set time interval at which terminal information under a wireless AP is acquired | wireless-terminal-watch interval |
Set event monitoring function | event-watch disable |
Event information monitoring time interval | event-watch interval |
Set L2MS control frame transmission/reception | l2ms filter enable |
Set whether the slave's zero-config function is used | config-auto-set enable |
Reset slave management | l2ms reset |
Show L2MS information | show l2ms |
Show L2MS slave config information | show l2ms slave-config |
Set LAN map log output | logging event lan-map |
5 Examples of Command Execution
5.1 Set slave monitoring
Set the slave monitoring time interval.
L2SW(config)#l2ms configuration
L2SW(config-l2ms)#slave-watch interval 8
Set the number of times after which the slave is determined to be down.
L2SW(config)#l2ms configuration
L2SW(config-l2ms)#slave-watch down-count 7
5.2 Set terminal management function
Enable the terminal monitoring function.
L2SW(config)#l2ms configuration
L2SW(config-l2ms)#terminal-watch enable
Set the time interval at which terminal information is acquired.
L2SW(config)#l2ms configuration
L2SW(config-l2ms)#terminal-watch interval 3600
Show the terminal information acquired by the master.
Yamaha>show l2ms detail
Role : Master
[Master]
Number of Terminals : 0
[Slave]
Number of Slaves : 2
[ac44.f230.00a5]
Model name : SWR2311P-10G
Device name : SWR2311P-10G_Z5301050WX
Route : port2.1
LinkUp : 1, 3, 9
Uplink : 1
Downlink : 3
Config : None
Appear time : Tue Mar 13 18:43:18 2018
Number of Terminals : 1
[bcae.c5a4.7fb3]
Port : 9
Appear time : Wed Mar 14 14:01:18 2018
[00a0.deae.b8bf]
Model name : SWR2311P-10G
Device name : SWR2311P-10G_S4L000401
Route : port2.1-3
LinkUp : 1
Uplink : 1
Downlink : None
Config : None
Appear time : Tue Mar 13 18:43:18 2018
Number of Terminals : 0
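The terminal list above can feed an inventory check. The following added example (not part of the original manual) parses `show l2ms detail` output into slaves and terminals and reports terminals whose MAC address is not in a list of known devices. It assumes the CLI prints one field per line and that a bracketed MAC address followed by a "Port" field is a terminal; the embedded sample reproduces the output shown above under that assumption, and the inventory entries are constructed.

```python
"""Parse `show l2ms detail` output and list terminals missing from an inventory."""
import re
from dataclasses import dataclass, field

MAC_HEADER = re.compile(r"^\[((?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})\]$")


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


@dataclass
class Terminal:
    mac: str
    owner: str            # "master" or the MAC of the slave it is attached to
    port: str = ""
    appear_time: str = ""


@dataclass
class Slave:
    mac: str
    fields: dict = field(default_factory=dict)


def parse_l2ms_detail(text: str):
    """Return (slaves, terminals) found in the command output."""
    slaves, terminals = [], []
    owner = "master"   # device that the next terminal entries belong to
    pending = None     # MAC from a [xxxx.xxxx.xxxx] header not yet classified
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[Master]":
            owner, pending, current = "master", None, None
            continue
        header = MAC_HEADER.match(line)
        if header:
            pending, current = normalize_mac(header.group(1)), None
            continue
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep:
            continue  # prompt line, "[Slave]" marker, blank line
        if pending is not None:
            # The first field after the header tells terminals and devices apart.
            if key == "Port":
                current = Terminal(mac=pending, owner=owner)
                terminals.append(current)
            else:
                current = Slave(mac=pending)
                slaves.append(current)
                owner = pending
            pending = None
        if isinstance(current, Terminal):
            if key == "Port":
                current.port = value
            elif key == "Appear time":
                current.appear_time = value
        elif isinstance(current, Slave):
            current.fields[key] = value
    return slaves, terminals


def unexpected_terminals(terminals, inventory):
    """Return terminals whose MAC is not in the inventory (any MAC notation)."""
    known = {normalize_mac(m) for m in inventory}
    return [t for t in terminals if t.mac not in known]


# Output from this manual, laid out one field per line (assumed layout).
SAMPLE_OUTPUT = """\
Yamaha>show l2ms detail
Role : Master
[Master]
Number of Terminals : 0
[Slave]
Number of Slaves : 2
[ac44.f230.00a5]
Model name : SWR2311P-10G
Device name : SWR2311P-10G_Z5301050WX
Route : port2.1
LinkUp : 1, 3, 9
Uplink : 1
Downlink : 3
Config : None
Appear time : Tue Mar 13 18:43:18 2018
Number of Terminals : 1
[bcae.c5a4.7fb3]
Port : 9
Appear time : Wed Mar 14 14:01:18 2018
[00a0.deae.b8bf]
Model name : SWR2311P-10G
Device name : SWR2311P-10G_S4L000401
Route : port2.1-3
LinkUp : 1
Uplink : 1
Downlink : None
Config : None
Appear time : Tue Mar 13 18:43:18 2018
Number of Terminals : 0
"""

if __name__ == "__main__":
    found_slaves, found_terminals = parse_l2ms_detail(SAMPLE_OUTPUT)
    for t in unexpected_terminals(found_terminals, inventory=[]):
        print(f"not in inventory: {t.mac} on {t.owner} port {t.port} since {t.appear_time}")
```

Terminal data comes from each device's FDB, and a newly connected slave or an unmanaged Yamaha device is listed as a terminal (see 6.2), so a result from this check is a lead to confirm rather than a verdict.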
5.3 Set L2MS control frame transmission/reception
Make settings so that L2MS control frames are not transmitted and received on port 1.5.
L2SW(config)#interface port1.5
L2SW(config-if)#l2ms filter enable
5.4 Set event monitoring function
Disable the event monitoring function.
L2SW(config)#l2ms configuration
L2SW(config-l2ms)#event-watch disable
Set the time interval at which event information is acquired.
L2SW(config)#l2ms configuration
L2SW(config-l2ms)#event-watch interval 60
5.5 Enable/disable use of the zero-config function
Specify whether the master uses the zero-config function for slaves.
This setting must be made for the master.
Disable the zero config function.
L2SW(config)#l2ms configuration
L2SW(config-l2ms)#l2ms enable
L2SW(config-l2ms)#l2ms role master
L2SW(config-l2ms)#config-auto-set disable
6 Points of Caution
6.1 Regarding device configuration
The number of slaves that can be administered is a maximum of 64 units.
If slaves are used in a series connection, the maximum number of slave units that can be connected is eight units counting from the master.
Counting slaves from the master, a ninth or subsequent slave unit cannot be connected in series.
If the number of slave units connected in series is no more than eight units counting from the master, the number of units specified by the maximum number of administered units can be controlled.
If nine or more slave units are connected in series, counting from the master, L2MS communication will be delayed, preventing slaves from being correctly detected or controlled, and possibly causing problems such as the following.
- Synchronization processing might not work correctly.
- When slave settings are modified from the GUI, correct execution might not be possible.
If a switch made by a different manufacturer exists in the L2MS communication route, such as if a switch made by a different manufacturer is inserted between the master and a slave, it might not be possible to correctly control the slave.
If you are configuring a network that includes a switch made by a different manufacturer, verify operation beforehand.
6.2 Regarding terminal monitoring
If more terminals than the recommended number of managed units exist in the network, the LAN map of the web GUI might become sluggish or unresponsive.
Terminal monitoring is performed using the information that is registered in the FDB (MAC address table) of the applicable device.
For this reason, depending on the timing at which search is performed, a terminal might not be detected even though it is connected, or a terminal might be detected even though it is no longer present on the network.
If link-down is detected for a master port or for a port of a Yamaha switch, all information for terminals connected to that port is deleted even if the terminals are registered in the FDB (MAC address table).
After a slave is connected to a port, it may take several seconds until L2MS detects the slave.
During this time, the corresponding slave is handled as a terminal.
Yamaha network devices that are not managed by the master as a slave are treated as terminals.
Since terminal search at the interval specified by the terminal-watch interval command is performed for the master and for all slaves, it might take twenty to thirty minutes for terminal search to be completed, depending on the configuration of the network.
Other processing can still be executed while the terminal search is in progress.
If an L2 switch made by another manufacturer is connected to an L2MS-compliant device, the terminals that are connected to the other manufacturer's L2 switch are detected as terminals connected to the L2MS-compliant device.
However, if a terminal and a Yamaha switch are connected in parallel to the other manufacturer's L2 switch, it will not be possible to detect terminals that are connected to the other manufacturer's L2 switch.
6.3 Regarding use in conjunction with other functions
6.3.1 Use in conjunction with VLAN
If using a VLAN, you must specify the port used for L2MS communication as the access port or as the trunk port assigned to the native VLAN.
It is not possible to perform L2MS communication on a trunk port that is not assigned to the native VLAN.
6.3.2 Use in conjunction with mirroring
When the mirroring function is used, L2MS communication sent and received at the monitor port is also copied.
For this reason, connecting a master or slave to the mirror port might cause L2MS to not operate correctly; do not make such a connection.
6.3.3 Use with ACL
L2MS communication is not subject to ACL control.
Although the ACL discards frames that are not specified in the permission list (tacit rejection), L2MS communication is not subject to control, and therefore will be forwarded without being discarded.
6.3.4 Use with STP and the loop detection function
L2MS communication cannot be performed on a port that is in a blocked state because of STP or the loop detection function.
If link switching is performed by STP, the master is unable to correctly recognize the topology, possibly making it impossible to find a slave, or causing a mistake in the route when a slave is found.
In such cases, reset slave management by executing the l2ms reset command after STP has finished switching the link.
If multiple MST instances are operating, L2MS control frames are sent and received on the logical route (tree) formed by CIST (instance #0).
6.3.5 Use with link aggregation
If link aggregation is used, L2MS communication is considered to be occurring on "the lowest-numbered of the linked-up ports associated with the logical interface."
If link aggregation is used in conjunction with the monitoring function for connected terminals, and a terminal is discovered at the end of a logical interface connection, the terminal is considered to be connected to "the lowest-numbered of the linked-up ports associated with the logical interface," and the corresponding port number is shown.
In the following situation, L2MS communication is considered to be occurring between port1.1 and port1.1.
In the following situation, L2MS communication is considered to be occurring between port1.4 of the master and port1.5 of the slave.
7. SYSLOG message list
The SYSLOG messages output by L2MS are shown below.
The messages that are output are given the prefix "[ L2MS]."
The prefix "route(ADDR):" is further added to SYSLOG messages that are shown when operating as the master.
ADDR is the MAC address of the slave.
- SYSLOG messages shown when the unit starts up
Output level | Message | Meaning |
---|---|---|
informational | Start L2MS(Master) | L2MS started as master. |
informational | Start L2MS(Slave) | L2MS started as slave. |
informational | L2MS is disabled | L2MS was set to disable, and therefore did not start. |
- SYSLOG messages shown when operating as master
Type | Output level | Message | Meaning |
---|---|---|---|
Slave management | informational | Find slave | Slave was found. |
Slave management | informational | Detect down | Slave went down. |
Synchronization processing | informational | Sync start | Slave synchronization processing was started. |
Synchronization processing | informational | Sync done | Slave synchronization processing was completed. |
Synchronization processing | informational | Sync failed | Slave synchronization processing failed. |
Synchronization processing | debug | Can't get param of sync | Failed to obtain the slave information needed to perform synchronization processing. |
Terminal management | informational | Fail to update device info | Failed to update terminal information connected to slave. |
Terminal management | debug | Update device info | Updated terminal information connected to slave. |
Device master management | debug | path: Format Version: Not found. | The format version is not listed in the device master file path. |
Device master management | debug | path: Format Version: Illegal value. | An illegal value is listed for the format version in the device master file path. |
Device master management | debug | path: Device Information: Illegal value. (line) | An illegal value is listed in the device information of the device master file path. (line) |
Device master management | debug | path: Device Information: Duplicate device. (line) | A conflicting device is listed in the device information in (line) of the device master file path. (line) |
Device master management | debug | path: Character Code: Not Shift_JIS. | The character code of the device master file path is not expressed in Shift JIS. |
Config management | informational | Received config (file) | The master received a config file (file) from the slave and saved it. |
Config management | informational | Sent config (file) | The master sent a config file (file) to the slave. |
Config management | informational | Removed config (file) | Config file (file) was deleted. |
- SYSLOG messages shown if operating as the master and the logging event lan-map command is set
The prefix "[ LANMAP]" is added to the messages.
Type | Output level | Message | Meaning |
---|---|---|---|
Snapshot function | informational | SnapShot: Not found. [Device_Name: "device_name", MAC_Address: addr] | There is a Yamaha switch that cannot be found. |
Snapshot function | informational | SnapShot: Not found. [MAC_Address: addr] | There is a terminal that cannot be found. |
Snapshot function | informational | SnapShot: Unknown. [Device_Name: "device_name", MAC_Address: addr] | There is a Yamaha switch that is not registered. |
Snapshot function | informational | SnapShot: Unknown. [MAC_Address: addr] | There is a terminal that is not registered. |
Snapshot function | informational | SnapShot: Route difference. [Device_Name: "device_name", Route: route(UpLink:uplink_port), Route(SnapShot): route_snapshot(UpLink:uplink_port_snapshot), MAC_Address: addr] | There is a Yamaha switch of a different connection port. The correct route is route_snapshot, and the uplink port is uplink_port_snapshot. |
Snapshot function | informational | SnapShot: Route difference. [Route: route, Route(SnapShot): route_snapshot, MAC_Address: addr] | There is a terminal of a different connection port. The correct route is route_snapshot. |
Snapshot function | informational | SnapShot: Status recovered. [Device_Name: "device_name", MAC_Address: addr] | The state of the Yamaha switch matched the snapshot file. |
Snapshot function | informational | SnapShot: Status recovered. [MAC_Address: addr] | The state of the terminal matched the snapshot file. |
- Notifications received by the master from the slave include the following information.
| Type | Output level | Message | Meaning |
|---|---|---|---|
| Link status | informational | Portn link up(SPEED) | Port n of the slave linked-up. The communication speed is SPEED. |
| | | Portn link down | Port n of the slave went link-down. |
| Loop detection | informational | Portn loop detect | A loop occurred at port n of the slave. |
| Wireless function | informational | Airlink setting changed | A setting of the slave's wireless function was changed. |
| PoE | informational | Portn PoE state(supply-classX) | Power supply to a classX device started on slave port n. classX is shown as class0–4. |
| | | Portn PoE state(terminate) | Power supply stopped at slave port n. |
| | | Portn PoE state(overcurrent) | Power supply stopped at slave port n because of overcurrent. |
| | | Portn PoE state(forced-terminate) | Power supply stopped at slave port n which had been supplying Class3 (15.4W) by Class4 (30W) power supply. |
| | | Portn PoE state(over-supply) | Power supply stopped because the supplied power at slave port n exceeded the maximum supply capability. |
| | | Portn PoE state(over-temperature) | Power supply stopped at slave port n because of a temperature fault inside the unit. |
| | | Portn PoE state(fanlock) | Power supply stopped at slave port n because the fan stopped. |
| | | Portn PoE state(power-failure) | Power supply stopped at slave port n because the power supply malfunctioned. |
| | | Portn PoE state(class-failure) | Power supply stopped at slave port n because a class higher than the power class setting was detected. |
| | | Portn PoE state(pd-failure) | Power supply stopped at slave port n because a malfunction was detected on the PD. |
| | | Portn PoE state(over-guardband) | The supplied power reached the guard band on slave port n. |
| | | PoE state error(over-supply) | The power supplied by the slave exceeded the maximum supply capacity. |
| | | PoE state error(over-temperature) | Power supply stopped because of a temperature fault inside the slave. |
| | | PoE state error(fanlock) | Power supply stopped due to the slave fan stopping. |
| | | PoE state error(power-failure) | The slave's power supply has malfunctioned. |
| SFP optical reception level | informational | Portn SFP RX power(normal) | The SFP optical reception level at slave port n returned to normal. |
| | | Portn SFP RX power(low) | The SFP optical reception level at slave port n fell below the lower threshold value. |
| | | Portn SFP RX power(high) | The SFP optical reception level at slave port n rose above the upper threshold value. |
| Transmit queue usage | informational | Portn queuem usage rate(recovered) | The transmission load at slave port n returned to normal. (QoS transmission queue: m) |
| | | Portn queuem usage rate(busy) | The transmission load at slave port n increased. (QoS transmission queue: m) |
| | | Portn queuem usage rate(full) | The transmission load at slave port n reached the upper limit. (QoS transmission queue: m) |
| Terminal monitoring | informational | ping:ip-address(description) state(IDLE) | ip-address(description) is not performing ping monitoring. |
| | | ping:ip-address(description) state(DOWN) | According to ping monitoring, ip-address(description) has gone down. |
| | | ping:ip-address(description) state(UP) | According to ping monitoring, ip-address(description) is now operating. |
| | | Frame Counter:port(description) state(IDLE) | port(description) is not performing frame reception volume monitoring. |
| | | Frame Counter:port(description) state(DOWN) | According to frame reception volume monitoring, port(description) has gone down. |
| | | Frame Counter:port(description) state(UP) | According to frame reception volume monitoring, port(description) is now operating. |
| | | LLDP:port(description) state(IDLE) | port(description) is not performing LLDP frame monitoring. |
| | | LLDP:port(description) state(DOWN) | According to LLDP frame monitoring, port(description) has gone down. |
| | | LLDP:port(description) state(UP) | According to LLDP frame monitoring, port(description) is now operating. |
| Power supply | informational | Power voltage(high) | The slave's power supply voltage exceeded the upper threshold value. |
| | | Power current(high) | Overcurrent occurred at the slave's power supply. |
| Fan | informational | Fan lock | The slave's fan is stopped. |
| | | FAN control(low) | The slave's fan rotation speed decreased. |
| | | FAN control(high) | The slave's fan rotation speed increased. |
| | | FANn (stop) | The slave's fan (FANn) stopped. |
| Temperature | informational | CPU temperature(normal) | The slave's CPU temperature returned to normal. |
| | | CPU temperature(high) | The slave's CPU temperature exceeded the threshold value. |
| | | CPU temperature(alarm) | A temperature fault occurred at the slave's CPU. |
| | | PHY temperature(normal) | The slave's PHY temperature returned to normal. |
| | | PHY temperature(high) | The slave's PHY temperature exceeded the threshold value. |
| | | PHY temperature(alarm) | A temperature fault occurred at the slave's PHY. |
| | | SFP temperature(normal) | The slave's SFP temperature returned to normal. |
| | | SFP temperature(high) | The slave's SFP temperature exceeded the threshold value. |
| | | SFP temperature(alarm) | A temperature fault occurred at the slave's SFP. |
| | | Thermal sensor temperature(normal) | The slave's thermal sensor monitoring temperature returned to normal. |
| | | Thermal sensor temperature(high) | The slave's thermal sensor monitoring temperature exceeded the threshold value. |
| | | Thermal sensor temperature(alarm) | A temperature fault occurred at the slave's thermal sensor. |
| | | PSE temperature(normal) | The slave's PSE temperature returned to normal. |
| | | PSE temperature(high) | The slave's PSE temperature exceeded the threshold value. |
| Config management | informational | Executing a config ... progress% (file) | Config file (file) settings are being recovered on the slave. progress indicates the ratio of completion. |
| | | Finished executing a config (file) | Recovery of config file (file) settings on the slave has finished. |
| | | line:errmsg (file) | While recovering a config file (file) on the slave, line line produced the error errmsg. errmsg is the content of the error, and line is the line within the config file of the command that produced the error. |
- SYSLOG messages shown when operating as slave
| Type | Output level | Message | Meaning |
|---|---|---|---|
| Slave management | informational | Start management by controller(ADDR) | MAC address was managed by the ADDR master. |
| | | Release from controller(ADDR) | MAC address was released from management of the ADDR master. |
| Config management | informational | Sent config to master (ADDR) | Config file was sent to the master. |
| | | Received config from master (ADDR) | Config file was received from the master. |
| | | Restart for update settings. | The unit will restart in order to update the received config file. |
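The SnapShot messages in the master's SYSLOG list earlier in this section record devices that are unregistered, moved or missing relative to the saved snapshot, and "Status recovered" closes such a record. The following is an added example, not part of the manual or of Yamaha's software: it tracks which discrepancies are still open across a set of log lines. Only the message text from "SnapShot:" onward follows the table; the line prefixes, MAC addresses, device names, function names and the triage order are constructed assumptions.

```python
import re

# Message tail formats follow the SnapShot rows of the SYSLOG table; whatever
# precedes "SnapShot:" on a line (timestamp, host, facility) is ignored.
EVENT_RE = re.compile(
    r"SnapShot: (Not found|Unknown|Route difference|Status recovered)\. \[(.*)\]\s*$"
)
# Keys are Device_Name, Route, Route(SnapShot), MAC_Address. A quoted value is
# consumed whole, so a comma inside a device name does not split the field.
FIELD_RE = re.compile(r'([A-Za-z_]+(?:\(SnapShot\))?): ("[^"]*"|[^,\]]+)')

# Assumed triage order (not from the manual): unregistered devices first.
PRIORITY = ["Unknown", "Route difference", "Not found"]


def parse_snapshot_message(line):
    """Return a dict for one SnapShot message, or None for any other line."""
    match = EVENT_RE.search(line)
    if match is None:
        return None
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(match.group(2))}
    if "MAC_Address" not in fields:
        return None
    return {
        "event": match.group(1),
        "mac": fields["MAC_Address"].lower(),
        "is_switch": "Device_Name" in fields,  # only Yamaha switches carry a name
        "fields": fields,
    }


def outstanding_discrepancies(lines):
    """Map MAC address -> latest unresolved SnapShot event."""
    open_findings = {}
    for line in lines:
        event = parse_snapshot_message(line)
        if event is None:
            continue
        if event["event"] == "Status recovered":
            open_findings.pop(event["mac"], None)
        else:
            open_findings[event["mac"]] = event
    return open_findings


def triage(findings):
    """Order open findings for review as (mac, event, device kind) tuples."""
    ordered = sorted(
        findings.values(), key=lambda ev: (PRIORITY.index(ev["event"]), ev["mac"])
    )
    return [
        (ev["mac"], ev["event"], "switch" if ev["is_switch"] else "terminal")
        for ev in ordered
    ]


# Constructed sample lines; prefixes, names and addresses are made up.
SAMPLE_LOG = [
    '2017/06/13 10:01:02: SnapShot: Unknown. [MAC_Address: 0200.0000.00aa]',
    '2017/06/13 10:01:05: SnapShot: Not found. [Device_Name: "SWR2100P-5G_lab", MAC_Address: 0200.0000.00bb]',
    '2017/06/13 10:02:11: SnapShot: Route difference. [Device_Name: "SWR2100P-10G_lab", '
    'Route: port1.5(UpLink:2), Route(SnapShot): port1.7(UpLink:2), MAC_Address: 0200.0000.00cc]',
    '2017/06/13 10:03:40: SnapShot: Status recovered. [Device_Name: "SWR2100P-5G_lab", MAC_Address: 0200.0000.00bb]',
    '2017/06/13 10:04:00: Port3 link down',
    '2017/06/13 10:05:30: SnapShot: Route difference. [Route: port1.3, Route(SnapShot): port1.4, MAC_Address: 0200.0000.00dd]',
]

if __name__ == "__main__":
    for mac, event, kind in triage(outstanding_discrepancies(SAMPLE_LOG)):
        print(f"{mac}  {kind:8}  {event}")
```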
8 Related Documentation
None
Mail notification
1 Function Overview
Mail notification is a function in which information detected by the L2MS function or the terminal monitoring function is conveyed via email.
By making the following settings, you can be notified of the information detected by various functions.
- Specify the mail server used when sending the mail.
- Specify the mail template.
2 Definition of Terms Used
- Mail template
- A definition that collects the following information needed when sending mail.
- Mail server to use
- Sender's mail address
- Recipient's mail address
- Subject of mail
- Content of notification
- Transmission wait time
3 Function Details
3.1 Operation
Once the mail server settings and mail template settings have been made correctly, the mail notification function enters the send-standby state when a notification event occurs for a function that supports mail notification.
While in the send-standby state, the mail notification function waits until the mail transmission wait time specified for each mail template has elapsed.
When the mail transmission wait time has elapsed, the mail notification function combines the notification events that have occurred during the wait time into a single mail, and sends it to the recipient.
3.2 Mail server setting
This can be set in List of registered mail servers in the web GUI's [Advanced settings]-[Mail notification].
Press the New button or the Setting button of an existing setting to move to Mail server settings.
In Mail server settings, make the following settings.
- Account identification name
A name that distinguishes the mail server settings. This may be omitted.
- SMTP server address
- Port number of the SMTP server
3.3 Mail template settings
This can be set in List of mail notification settings in the web GUI's [Advanced settings]-[Mail notification].
Press the New button or the Setting button of an existing setting to move to Mail notification settings.
In Mail notification settings, make the following settings.
- Sender (From)
- Recipient (To)
- Subject
If Use prescribed subject has a check mark, the subject line of the mail will be Notification from (device name).
- Content of notification
- Mail transmission wait time
3.4 Functions that support mail notification
The following functions support mail notification.
LAN map
The following notification events will be the subject of mail notification.
| Category | Type | Description | Supported models |
|---|---|---|---|
| Fault in a Yamaha switch | Fan fault | Fan rotation speed increased | SWR2311P-10G |
| | | A specific fan stopped | |
| | Power supply fault | Power supply voltage exceeded the upper threshold value | |
| | | Overcurrent occurred in power supply | |
| | Temperature fault | CPU temperature exceeded the threshold value | |
| | | PHY temperature exceeded the threshold value | |
| | | SFP module temperature exceeded the threshold value | |
| | | Unit temperature exceeded the threshold value | |
| | | PSE temperature exceeded the threshold value | |
| | | CPU temperature fault occurred | |
| | | PHY temperature fault occurred | |
| | | SFP module temperature fault occurred | |
| | | Unit temperature fault occurred | |
| | Loop occurred | Loop occurred at port | All SW models |
| | SFP optical reception level fault | SFP optical reception level exceeded the threshold value | SWR2311P-10G |
| | Egress queue usage ratio fault | Egress queue usage ratio increased | |
| Fault in a Yamaha PoE switch | Maximum power supply capacity was exceeded | The power supply exceeded the maximum supply capacity | SWR2311P-10G |
| | Power supply fault | The power supply has malfunctioned | SWR2100P series |
| | Power supply stopped due to overcurrent | Power supply stopped because overcurrent occurred at the power supply port | |
| | Power supply stopped due to temperature fault | Power supply stopped due to temperature fault | SWR2311P-10G |
| | Power supply stopped due to stoppage of fan | Power supply stopped because the fan stopped | |
| | Power supply stopped due to power fault | Power supply stopped due to a PoE power supply fault | |
| Discrepancy with snapshot | Invalid device connected | A device not registered in the snapshot was detected | - |
| | Connection port mismatch | A device whose connection ports differ from the snapshot was detected | |
| | Device lost | A device registered in the snapshot is not connected | |
Terminal monitoring function
The following notification events will be the subject of mail notification.
| Category | Type | Description |
|---|---|---|
| Ping monitoring | Up detection | Terminal up was detected |
| | Down detection | Terminal down was detected |
| Frame reception amount monitoring | Up detection | Terminal up was detected |
| | Down detection | Terminal down was detected |
| LLDP monitoring | Up detection | Terminal up was detected |
| | Down detection | Terminal down was detected |
3.5 Mail body example
The body of a notification mail includes content such as the following.
For details, refer to the technical reference for each function.
Up to 100 items can be shown in one notification mail.
```
Model: SWR2311P-10G                  * Model name
Revision: Rev.2.02.06                * Firmware version
SystemName: SWR2311P-10G_XXXXXXXX    * Host name
Time: 2017/06/13 11:42:56            * Mail transmission time
Template ID: 1                       * Mail template ID

<<<<<<<<<<<<<<<<<<<<<<<< Lan Map Information >>>>>>>>>>>>>>>>>>>>>>>>>

[SFP RX Power]
Type          Device_Name             MAC_Address     Err_Port  Route                State
============================================================================
(Detected: 2017/06/13 10:09:40 Recovered: 2017/06/13 10:10:10)
SWR2311P-10G  SWR2311P-10G_S4K000398  00a0.deae.b89c  1.9       port1.7(UpLink:1.5)  Low
----------------------------------------------------------------------------

[Queue Usage Rate]
Type          Device_Name             MAC_Address     Err_Port  Route                State
============================================================================
(Detected: 2017/06/13 10:15:42 Recovered: 2017/06/13 10:17:24)
SWR2311P-10G  SWR2311P-10G_S4K000398  00a0.deae.b89c  1.6       port1.7(UpLink:1.5)  Full(Queue:2)
----------------------------------------------------------------------------

[Fan Lock]
Type          Device_Name             MAC_Address     Route
============================================================================
(Detected: 2017/06/13 10:28:43 Recovered: ----/--/-- --:--:--)
SWR2100P-10G  SWR2100P-10G_S45000345  00a0.de83.4146  port1.5(UpLink:2)
----------------------------------------------------------------------------
(Detected: 2017/06/13 10:42:13 Recovered: 2017/06/13 10:42:22)
SWR2100P-5G   SWR2100P-5G_X00000344   00a0.de2a.dbbb  port1.1(UpLink:23)
----------------------------------------------------------------------------

<<<<<<<<<<<<<<<<<< Terminal Monitoring Information >>>>>>>>>>>>>>>>>>>

[via Ping]
Date                     Status  IP Address       Description
----------------------------------------------------------------------------
2017/06/13 Thu 10:42:56  UP      192.168.100.155  IP_Camera_1
2017/06/13 Thu 10:51:00  DOWN    192.168.100.155  IP_Camera_1
2017/06/13 Thu 10:54:02  UP      192.168.100.10   IP_Camera_2
2017/06/13 Thu 11:29:27  UP      192.168.100.155  IP_Camera_1
2017/06/13 Thu 11:30:31  DOWN    192.168.100.10   IP_Camera_2

[via Bandwidth Usage]
Date                     Status  Interface        Description
----------------------------------------------------------------------------
2017/06/13 Thu 10:45:43  UP      port1.4          IP_Camera_2
2017/06/13 Thu 10:45:56  UP      port1.6          Note_PC_1
2017/06/13 Thu 10:50:00  DOWN    port1.6          Note_PC_1
2017/06/13 Thu 10:53:27  DOWN    port1.4          IP_Camera_2

[via LLDP]
Date                     Status  Interface        Description
----------------------------------------------------------------------------
2017/06/13 Thu 10:53:56  UP      port1.3          Note_PC_2
2017/06/13 Thu 11:11:54  DOWN    port1.3          Note_PC_2
2017/06/13 Thu 11:14:24  UP      port1.3          Note_PC_2
```
LAN map
The device information included in the notification is shown below.
The device information that is shown will differ depending on the type of fault. The device information shown for each type of fault is as follows.
Category | Type | Content of notification | Type | Device_Name | MAC_Address | Comment | Err_Port | Fan_number | Route | Route(SnapShot) | State | |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Fault in a Yamaha switch | Fan fault | [Fan Lock] [Fan speed] | ○ | × | × | × | ○ | × | × | |||
[Fan stop] | × | × | ○ | ○ | × | × | Only if a specific fan stopped | |||||
Power supply fault | [Power voltage] [Power supply] | × | × | × | ○ | × | × | |||||
Temperature fault | [CPU temperature] [CPU temperature error] [PHY temperature] [PHY temperature error] [SFP temperature] [SFP module temperature error] [Unit temperature] [Unit temperature error] [PSE temperature] | × | × | × | ○ | × | × | |||||
Loop occurred | [Loop Detect] | × | ○ | × | ○ | × | × | |||||
SFP optical reception level fault | [SFP RX Power] | × | × | × | ○ | × | ○ | |||||
Egress queue usage ratio fault | [Queue Usage Rate] | × | × | × | ○ | × | ○ | |||||
Fault in a Yamaha PoE switch | Temperature fault | [Over Temperature] | × | × | × | ○ | × | × | ||||
Maximum power supply capacity was exceeded | [Over Supply] | × | × | × | ○ | × | × | |||||
Power supply stopped due to a power supply class fault | [Class Failure] | × | ○ | × | ○ | × | × | |||||
Power supply stopped due to power supply Class 4 | [Forced Terminate] | × | ○ | × | ○ | × | × | |||||
Power supply fault | [Power Failure] | × | × | × | ○ | × | × | |||||
Power supply stopped due to overcurrent | [Over Current] | × | ○ | × | ○ | × | × | |||||
Power supply stopped due to temperature fault | [PoE state error(over-temperature)] | × | × | × | ○ | × | × | |||||
Power supply stopped due to stoppage of fan | [PoE state error(fanlock)] | × | × | × | ○ | × | × | |||||
Power supply stopped due to power fault | [PoE state error(power-failure)] | × | × | × | ○ | × | × | |||||
Discrepancy with snapshot | Invalid device connected | [Illegal Equipment(SnapShot)] | ○ | × | × | ○ | × | × | ||||
Connection port mismatch | [Port Mismatch(SnapShot)] | ○ | × | × | ○ | ○ | × | |||||
Device lost | [Disappearance Equipment(SnapShot)] | ○ | × | × | × | ○ | × |
4 Related Commands
This function does not support settings via commands.
5 Points of Caution
None
6 Related Documentation
LLDP
1 Function Overview
LLDP is a protocol for passing device management information between a device and its neighboring devices.
This is a simple protocol in which a device unidirectionally advertises its own information and neighbor devices receive this information. However, since LLDP-compliant devices maintain the information received from neighbor devices as MIB objects, the user can access this information via SNMP and ascertain what types of devices are connected to which interfaces.
This is also used for negotiation between devices that support PoE (Power Over Ethernet).
2 Definition of Terms Used
- LLDP
- Link Layer Discovery Protocol.
This is defined in IEEE 802.1AB.
- LLDP-MED
- LLDP for Media Endpoint Devices.
This is defined in ANSI/TIA-1057.
3 Function Details
3.1 Operating Specifications
3.1.1 Basic Specifications
This product supports the following operations.
- LLDP frames are transmitted from any LAN/SFP port to convey information about the device itself.
- LLDP frames are received at any LAN/SFP port to obtain information about neighboring devices.
- Information transmitted via LLDP about the device itself, and information obtained via LLDP about neighbor devices, etc., can be referenced via SNMP.
LLDP sends and receives information using Type, Length, and Value (TLV) attributes.
For details on the TLV information sent by this product, refer to 3.2 TLV list.
This product's LLDP supports the following MIBs of SNMP. For details, refer to 3.3 Supported MIBs.
- LLDP-V2-MIB
- LLDP-EXT-DOT3-V2-MIB
- LLDP-EXT-MED-MIB
The following settings are required in order to use the LLDP function.
- Use the lldp run command to enable the system-wide LLDP function.
- Use the lldp-agent command to create an LLDP agent for the applicable interface.
- Use the set lldp command to specify the LLDP frame transmit/receive mode.
With the default settings of this product, the LLDP function is enabled.
LLDP frames are always transmitted without tags, regardless of the VLAN settings of the transmitting switch port.
They are also transmitted without tags from a trunk port without a native VLAN.
In order to use LLDP for PoE negotiation, you must enable LLDP transmission/reception for the port that is connected to the PoE powered device.
3.1.2 Transmitted information settings
Use the following commands to specify the LLDP frames that are transmitted from the device itself. There are also some TLVs (required TLVs) that are transmitted regardless of the settings of the following commands.
- tlv-select basic-mgmt command (basic management TLV)
- tlv-select ieee-8021-org-specific command (IEEE 802.1 TLV)
- tlv-select ieee-8023-org-specific command (IEEE 802.3 TLV)
- tlv-select med command (LLDP-MED TLV)
The system name and description that are transmitted in the basic management TLVs are specified by the lldp system-name command and the lldp system-description command.
The type of management address is set by the set management-address-tlv command.
3.1.3 Transmission timer setting
The interval at which LLDP frames are sent is specified by the set timer msg-tx-interval command.
The multiplier for calculating the hold time (TTL) for device information is set by the set msg-tx-hold command.
The TTL for LLDP transmission is the result of the following calculation. The default is 121 seconds.
- TTL = ( value set by the "set timer msg-tx-interval" command ) × ( value set by the "set msg-tx-hold" command ) + 1 (second)
When a neighbor device is connected to a LAN/SFP port for which LLDP frame transmission is enabled, LLDP frames are transmitted rapidly at a fixed interval according to the high-speed transmission interval setting.
The transmission interval and the number of transmissions for high-speed transmission are set by the set timer msg-fast-tx command and the set tx-fast-init command.
If the set lldp command is used to disable LLDP frame transmission while it is enabled, this product transmits a shutdown frame to notify the neighbor device that LLDP frame transmission has stopped.
After that, even if LLDP frame transmission is enabled again, LLDP frames are not transmitted to the neighbor device for a certain period.
The length of this pause, from transmission of the shutdown frame until the next transmission, is set by the set timer reinit-delay command.
3.1.4 Maximum connected devices setting
The maximum number of connected devices that can be managed by the corresponding port is set by the set too-many-neighbors limit command.
The default value for the maximum number of connected devices is 5 devices.
3.1.5 Checking LLDP information
LLDP interface settings and received information about neighbor devices can be checked by using the show lldp interface command or the show lldp neighbors command.
To clear the LLDP frame counter, use the clear lldp counters command.
3.1.6 Other functions using LLDP
This product provides a function that uses LLDP to automatically make optimal settings for the Dante digital audio network. The Dante optimization settings function is set by the lldp auto-setting command. For details, refer to Dante optimization setting function.
This product also provides a function that uses LLDP to monitor the live/dead state of a specific connected terminal. For details, refer to Terminal monitoring.
For the voice VLAN function, you can use LLDP-MED to make voice traffic settings for IP telephony. For details, refer to VLAN.
3.2 TLV list
The TLVs supported by this product are listed below.
- Required TLVs
- Basic management TLVs
- IEEE 802.1 TLV
- IEEE 802.3 TLV
- LLDP-MED TLV
For the detailed specification of each TLV, refer to IEEE 802.1AB (LLDP) and ANSI/TIA-1057 (LLDP-MED).
The TLVs that are transmitted by this product are explained below.
3.2.1 Required TLVs
Type | Description | Length | Value (only fixed values are listed) |
---|---|---|---|
Chassis ID | Chassis ID | 6 Byte | MAC address of the device |
Port ID | Port ID | 7–8 bytes | Port name (portX.X) |
Time To Live (TTL) | Time to keep device information (seconds) | 2 Byte |
3.2.2 Basic management TLVs
These TLVs are transmitted if LLDP frame transmission is enabled and the tlv-select basic-mgmt command is specified.
System-related management information is transmitted, such as name, system capabilities, and address.
The basic management TLVs are as follows.
Basic management TLVs
| Type | Description | Length | Value (only fixed values are listed) |
|---|---|---|---|
| Port Description | Port description text string | 0–255 bytes | |
| System Name | System name text string. Default: Host name | 0–255 bytes | |
| System Description | System description text string. Default: device name + firmware revision | 0–255 bytes | |
| System Capabilities | The functions supported by the system | 2 Byte | 0x0004 (bridge) |
| | The system's functions that are in an enabled state | 2 Byte | 0x0004 (bridge) |
| Management Address | The management address: IP address (4 bytes) or MAC address (6 bytes) | 4 or 6 Byte | |
| | Interface sub-type | 1 Byte | 0x02 (ifIndex) |
| | Interface number | 4 Byte | ifIndex value |
3.2.3 IEEE 802.1 TLV
These TLVs are transmitted if LLDP frame transmission is enabled and the tlv-select ieee-8021-org-specific command is specified.
These transmit information such as VLAN and link aggregation for the corresponding port.
The IEEE 802.1 TLVs are shown below.
IEEE 802.1 TLV
| Type | Description | Length | Value (only fixed values are listed) |
|---|---|---|---|
| Port VLAN ID | Port VLAN number | 2 Byte | |
| Port and Protocol VLAN ID | Support for protocol VLAN, and whether enabled or disabled | 1 Byte | 0x00 (no support) |
| | Protocol VLAN number | 2 Byte | 0x0000 |
| Protocol Identity | Byte string that identifies the protocol | 0–255 bytes | |
| Link Aggregation | Link aggregation capability and status | 1 Byte | |
| | ifIndex number of aggregation logical interface | 4 Byte | |
| VLAN Name | Name of VLAN to which the port is associated | 0–32 bytes | |
3.2.4 IEEE 802.3 TLV
These TLVs are transmitted if LLDP frame transmission is enabled and the tlv-select ieee-8023-org-specific command is specified.
Information for the corresponding port, such as auto negotiation support information and PoE information, is transmitted.
The IEEE 802.3 TLVs are shown below.
IEEE 802.3 TLV
| Type | Description | Length | Value (only fixed values are listed) |
|---|---|---|---|
| MAC/PHY Configuration/Status | Auto negotiation support, and whether enabled or disabled | 1 Byte | |
| | Communication methods for which auto negotiation is possible | 2 Byte | LAN ports: 0x6C01 (10/100/1000M); SFP ports: 0x0001 (1000M) |
| | Operational MAU Type: communication speed and duplex mode (IETF RFC 4836) | 2 Byte | |
| Power Via MDI | MDI power support status | 1 Byte | |
| | PSE power pair: select the wiring used when supplying power | 1 Byte | 0x01 (signal line) |
| | Power class: Class0 – Class4 | 1 Byte | |
| | Power type: PSE Device/PD Device | 2 bit | 0b00 (PSE Device) |
| | Power source: Primary/Secondary | 2 bit | 0b01 (Primary) |
| | Priority order | 2 bit | |
| | Power requested from PD device (0.1 Watt units) | 2 Byte | |
| | Power supply of PSE device (0.1 Watt units) | 2 Byte | |
| Maximum Frame Size | Maximum frame size | 2 Byte | |
3.2.5 LLDP-MED TLV
These TLVs are transmitted if LLDP frame transmission is enabled and the tlv-select med command is specified.
These transmit information such as network policy and extended PoE information.
The LLDP-MED TLVs are shown below.
LLDP-MED TLV
| Type | Description | Length | Value (only fixed values are listed) |
|---|---|---|---|
| LLDP-MED Capabilities | LLDP-MED TLVs that can be transmitted | 2 Byte | 0x000F (LLDP-MED Capabilities, Network Policy, Location Identification, Extended Power-via-MDI TLV) |
| | Device type | 1 Byte | 0x04 (Network Connectivity) |
| Location Identification | Format of location data | 1 Byte | 0x03 (ECS ELIN) |
| | Location data | 8 Byte | "Location" |
| Extended Power-via-MDI | Power type: PSE Device/PD Device | 2 bit | 0b00 (PSE Device) |
| | Power source: Primary/Secondary | 2 bit | 0b01 (Primary) |
| | Power priority order | 4 bit | |
| | Power requested from PD (0.1 Watt units) | 2 Byte | |
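To see what the TLVs in section 3.2 put on the wire for anyone attached to the port, the following added example (not code from the manual or from Yamaha) decodes an LLDPDU into its required, basic management and organizationally specific TLVs and rejects malformed input. TLV type numbers, ID subtypes and OUIs are those of IEEE 802.1AB and ANSI/TIA-1057; the function names and every value in the sample LLDPDU are constructed assumptions.

```python
import struct

OUI_NAMES = {
    bytes.fromhex("0080c2"): "IEEE 802.1",
    bytes.fromhex("00120f"): "IEEE 802.3",
    bytes.fromhex("0012bb"): "LLDP-MED",
}
BASIC_TEXT_TLVS = {4: "port_description", 5: "system_name", 6: "system_description"}


def encode_tlv(tlv_type, value):
    """Pack one TLV: a 7-bit type and 9-bit length share the 2-byte header."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(pdu):
    """Yield (type, value) pairs, rejecting TLVs that overrun the buffer."""
    offset = 0
    while offset < len(pdu):
        if len(pdu) - offset < 2:
            raise ValueError("truncated TLV header")
        (header,) = struct.unpack_from("!H", pdu, offset)
        tlv_type, length = header >> 9, header & 0x01FF
        value = pdu[offset + 2 : offset + 2 + length]
        if len(value) != length:
            raise ValueError(f"TLV type {tlv_type} claims {length} bytes, {len(value)} present")
        yield tlv_type, value
        if tlv_type == 0:  # End of LLDPDU
            return
        offset += 2 + length


def dotted_mac(raw):
    """Format 6 bytes the way the switch prints MAC addresses (xxxx.xxxx.xxxx)."""
    text = raw.hex()
    return ".".join(text[i : i + 4] for i in range(0, 12, 4))


def parse_lldpdu(pdu):
    """Decode the TLVs listed in section 3.2 into a dict."""
    tlvs = list(iter_tlvs(pdu))
    if [tlv_type for tlv_type, _ in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("required TLVs must come first: Chassis ID, Port ID, TTL")
    info = {"org_specific": []}
    for tlv_type, value in tlvs:
        if tlv_type == 1 and len(value) >= 2:
            subtype, body = value[0], value[1:]  # subtype 4 = MAC address
            info["chassis_id"] = dotted_mac(body) if subtype == 4 and len(body) == 6 else body.hex()
        elif tlv_type == 2 and len(value) >= 2:
            subtype, body = value[0], value[1:]  # subtype 5 = interface name
            info["port_id"] = body.decode("ascii", "replace") if subtype == 5 else body.hex()
        elif tlv_type == 3 and len(value) == 2:
            (info["ttl"],) = struct.unpack("!H", value)
        elif tlv_type in BASIC_TEXT_TLVS:
            info[BASIC_TEXT_TLVS[tlv_type]] = value.decode("utf-8", "replace")
        elif tlv_type == 7 and len(value) == 4:
            info["capabilities"], info["capabilities_enabled"] = struct.unpack("!HH", value)
        elif tlv_type == 127 and len(value) >= 4:
            oui, subtype = value[:3], value[3]
            info["org_specific"].append((OUI_NAMES.get(oui, oui.hex()), subtype, value[4:]))
    missing = {"chassis_id", "port_id", "ttl"} - set(info)
    if missing:
        raise ValueError(f"malformed required TLVs: {sorted(missing)}")
    return info


def build_sample_lldpdu():
    """Constructed LLDPDU; every value is sample data, not captured traffic."""
    ttl = 60 * 3 + 1  # msg-tx-interval x msg-tx-hold + 1 second
    return b"".join([
        encode_tlv(1, b"\x04" + bytes.fromhex("0200000000a1")),  # Chassis ID (MAC)
        encode_tlv(2, b"\x05" + b"port1.1"),                     # Port ID (port name)
        encode_tlv(3, struct.pack("!H", ttl)),                   # TTL
        encode_tlv(5, b"SWITCH1"),                               # System Name
        encode_tlv(7, struct.pack("!HH", 0x0004, 0x0004)),       # bridge, enabled
        encode_tlv(127, bytes.fromhex("0080c2") + b"\x01" + struct.pack("!H", 1)),     # Port VLAN ID
        encode_tlv(127, bytes.fromhex("00120f") + b"\x04" + struct.pack("!H", 1522)),  # Max frame size
        encode_tlv(0, b""),                                      # End of LLDPDU
    ])


if __name__ == "__main__":
    for key, value in parse_lldpdu(build_sample_lldpdu()).items():
        print(f"{key}: {value}")
```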
3.3 Supported MIBs
Refer to the following SNMP MIB Reference for information on the MIBs that are supported.
4 Related Commands
Related commands are shown below.
For details on the commands, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Enable LLDP function | lldp run |
Set system description text string | lldp system-description |
Set system name | lldp system-name |
Create LLDP agent | lldp-agent |
Set LLDP transmission/reception mode | set lldp |
Set management address type | set management-address-tlv |
Set basic management TLV | tlv-select basic-mgmt |
Set IEEE-802.1 TLV | tlv-select ieee-8021-org-specific |
Set IEEE-802.3 TLV | tlv-select ieee-8023-org-specific |
Set LLDP-MED TLV | tlv-select med |
Set LLDP frame transmission interval | set timer msg-tx-interval |
Set duration to stop transmission following LLDP transmission stop until transmission is once again possible | set timer reinit-delay |
Set multiplier for calculating the time to maintain device information (TTL) | set msg-tx-hold |
Set LLDP frame transmission interval for high-speed transmission term | set timer msg-fast-tx |
Set number of LLDP frames transmitted for high-speed transmission term | set tx-fast-init |
Set maximum number of devices that can be managed by an individual port | set too-many-neighbors limit |
Show interface status | show lldp interface |
Show connected device information for all interfaces | show lldp neighbors |
Clear LLDP frame counters | clear lldp counters |
Set Dante optimization function using LLDP | lldp auto-setting |
5 Examples of Command Execution
5.1 Set LLDP frame transmission/reception
For port1.1, enable LLDP frame transmission/reception.
Basic management TLVs, IEEE 802.1 TLVs, IEEE 802.3 TLVs, and LLDP-MED TLVs are transmitted.
Set the LLDP frame transmission interval to 60 seconds. Set the LLDP frame TTL to 181 seconds.
Set "SWITCH1" as the name of the transmitting system.
Specify 10 as the maximum number of connected devices managed by the port.
```
Yamaha#configure terminal
Yamaha(config)#lldp system-name SWITCH1 ... (Set system name)
Yamaha(config)#interface port1.1
Yamaha(config-if)#lldp-agent ... (Create LLDP agent and transition modes)
Yamaha(lldp-agent)#tlv-select basic-mgmt ... (Set basic management TLV)
Yamaha(lldp-agent)#tlv-select ieee-8021-org-specific ... (Set IEEE 802.1 TLV)
Yamaha(lldp-agent)#tlv-select ieee-8023-org-specific ... (Set IEEE 802.3 TLV)
Yamaha(lldp-agent)#tlv-select med ... (Set LLDP-MED TLV)
Yamaha(lldp-agent)#set timer msg-tx-interval 60 ... (Set transmission interval)
Yamaha(lldp-agent)#set msg-tx-hold 3 ... (Set multiplier for TTL calculation: TTL = 60 x 3 + 1 = 181 seconds)
Yamaha(lldp-agent)#set too-many-neighbors limit 10 ... (Set maximum number of connected devices)
Yamaha(lldp-agent)#set lldp enable txrx ... (Set LLDP transmission/reception mode)
Yamaha(lldp-agent)#exit
Yamaha(config-if)#exit
Yamaha(config)#lldp run ... (Enable LLDP function)
Yamaha(config)#exit
```
5.2 Show LLDP interface status
Show the port1.1 LLDP interface status.
```
Yamaha#show lldp interface port1.1 ... (Show interface information)
Agent Mode                    : Nearest bridge
Enable (tx/rx)                : Y/Y
Message fast transmit time    : 1
Message transmission interval : 30
Reinitialisation delay        : 2
MED Enabled                   : Y
Device Type                   : NETWORK_CONNECTIVITY
LLDP Agent traffic statistics
  Total frames transmitted    : 0
```
5.3 Show LLDP connected device information
Show LLDP connected device information.
```
Yamaha#show lldp neighbors ... (Show connected device information)
Interface Name              : port1.1
System Name                 : SWR2311P-10G
System Description          : SWR2311P-10G Rev.2.02.06 (Mon Dec 4 12:33:18 2017)
Port Description            : port1.3
System Capabilities         : L2 Switching
Interface Numbering         : 2
Interface Number            : 5003
OID Number                  :
Management MAC Address      : ac44.f230.0000
Mandatory TLVs
  CHASSIS ID TYPE
    IP ADDRESS              : 0.0.0.0
  PORT ID TYPE
    INTERFACE NAME          : port1.3
  TTL (Time To Live)        : 41
8021 ORIGIN SPECIFIC TLVs
  Port Vlan id              : 1
  PP Vlan id                : 0
  Remote VLANs Configured
    VLAN ID                 : 1
    VLAN Name               : default
  Remote Protocols Advertised : Multiple Spanning Tree Protocol
  Remote VID Usage Digestt  : 0
  Remote Management Vlan    : 0
  Link Aggregation Status   : Disabled
  Link Aggregation Port ID  : 0
8023 ORIGIN SPECIFIC TLVs
  AutoNego Support          : Supported Enabled
  AutoNego Capability       : 27649
  Operational MAU Type      : 30
  Power via MDI Capability (raw data)
    MDI power support       : 0x0
    PSE power pair          : 0x0
    Power class             : 0x0
    Type/source/priority    : 0x0
    PD requested power value : 0x0
    PSE allocated power value : 0x0
  Max Frame Size            : 1522
LLDP-MED TLVs
  MED Capabilities          : Capabilities Network Policy
  MED Capabilities Dev Type : End Point Class-3
  MED Application Type      : Reserved
  MED Vlan id               : 0
  MED Tag/Untag             : Untagged
  MED L2 Priority           : 0
  MED DSCP Val              : 0
  MED Location Data Format  : ECS ELIN
    Latitude Res            : 0
    Latitude                : 0
    Longitude Res           : 0
    Longitude               : 0
    AT                      : 0
    Altitude Res            : 0
    Altitude                : 0
    Datum                   : 0
    LCI length              : 0
    What                    : 0
    Country Code            : 0
    CA type                 : 0
  MED Inventory
```
6 Points of Caution
None
7 Related Documentation
Terminal monitoring
1 Function Overview
The terminal monitoring function checks the dead-or-alive state of specific terminals connected to the network switch.
The operating specifications for the terminal monitoring function are shown below.
Terminal monitoring function overview
This is an example with an L3 switch as the L2MS master and an intelligent L2 PoE switch as the L2MS slave.
As dead/alive monitoring methods, the following three types are provided.
- Monitoring by ping
Ping (ICMP Echo request/reply) is issued at regular intervals to a terminal that has an IP address, and the terminal is determined to be down if there is no longer a response.
The user can specify the interval at which ping is transmitted, the time to wait for ping response, and the number of failures until the terminal is determined to be down.
- Frame reception amount monitoring
The frame reception amount is monitored at regular intervals for an individual port, and the terminal is determined to be down if the traffic falls below a specified amount.
The user can specify the monitoring start threshold value and the threshold value at which a down condition is determined.
Monitoring starts when the traffic exceeds the monitoring start threshold value, and a down condition is determined when the traffic falls below the down decision threshold.
- LLDP reception interval monitoring
The LLDP received at regular intervals by an individual port is monitored.
Using the TTL which is a required item in the data portion of an LLDP packet, a down condition is determined if LLDP is not received within the TTL interval.
If monitoring detects a terminal fault (down), the following processing is automatically performed.
- Alert shown in dashboard screen
An indication that a fault (down) occurred for the monitored terminal is displayed in the alert screen of the dashboard.
- Alert shown in LAN map screen
If the switch performing the monitoring is the L2MS master
An indication that a fault (down) occurred for the monitored terminal is shown in the LAN map notification and history information.
If the switch performing the monitoring is an L2MS slave
The L2MS trap function is used to notify the L2MS master.
The L2MS master that receives the notification indicates in the LAN map screen that the monitored terminal has experienced a fault (down).
By the user's choice, the following operations can be applied in parallel.
- Fault detection notification by mail
Notification that a monitored terminal has experienced a fault is sent to the desired recipient.
- Notification to the SNMP manager
A trap is sent to the SNMP manager specified by a command.
- Restart terminal by temporarily stopping the PoE power supply
If a down condition is detected on a port to which PoE power is being supplied, PoE power supply is temporarily turned off in an attempt to recover the monitored terminal.
2 Definition of Terms Used
None
3 Function Details
3.1 Monitoring by ping (ICMP Echo request/reply)
Specifications for terminal monitoring by ping are given below.
- The interval of ICMP Echo request transmission from the network switch is fixed at 5 seconds.
- The ICMP Echo request that is transmitted has the following format.
- As the ID field of the ICMP header, the unique ID assigned to each monitored terminal is specified.
- As the sequence field of the ICMP header, a number that is sequentially incremented from 0 is specified.
- The validity of the ICMP Echo reply is checked as follows.
- Whether the ID field of the ICMP header contains the ID that was specified when sending the request
- Whether the sequence field of the ICMP header contains the sequence number that was specified when sending the request
- The wait time for ICMP Echo reply can be changed in the range of 1–60 sec, and the default is 2 sec.
- The number of failures to receive the ICMP Echo reply from the monitored terminal after which a fault is determined can be set in the range of 1–100, and the default is 2 times.
- Monitoring via ping can be done for a maximum of 64 units.
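The following added example (not Yamaha's code) implements the reply check and failure count described in this section: it builds ICMP Echo messages, accepts a reply only when its ID and sequence fields match the request, and declares the terminal down after the configured number of failures. The type and checksum checks, the consecutive counting of failures, the 16-bit sequence wrap and all names and sample values are assumptions of this example.

```python
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; yields 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build an ICMP Echo request (type 8) or reply (type 0)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def reply_is_valid(reply: bytes, ident: int, seq: int) -> bool:
    """Accept a reply only if it answers the request identified by (ident, seq)."""
    if len(reply) < 8:
        return False
    r_type, r_code, _, r_id, r_seq = struct.unpack("!BBHHH", reply[:8])
    # Assumption of this example: also require type 0 and a correct checksum.
    if r_type != ECHO_REPLY or r_code != 0 or icmp_checksum(reply) != 0:
        return False
    # The two checks the manual names: ID field and sequence field.
    return r_id == ident and r_seq == seq


class PingMonitor:
    """Tracks one monitored terminal; states follow the dashboard (Idle/Up/Down)."""

    def __init__(self, ident: int, max_failures: int = 2):
        if not 1 <= max_failures <= 100:
            raise ValueError("failure count must be in the range 1-100")
        self.ident = ident              # unique ID assigned to this terminal
        self.max_failures = max_failures
        self.seq = 0                    # incremented sequentially from 0
        self.failures = 0
        self.state = "Idle"

    def next_request(self) -> bytes:
        return build_echo(ECHO_REQUEST, self.ident, self.seq)

    def record(self, reply) -> str:
        """reply is the received bytes, or None when the wait time expired."""
        ok = reply is not None and reply_is_valid(reply, self.ident, self.seq)
        self.seq = (self.seq + 1) & 0xFFFF   # assumption: wraps at 16 bits
        if ok:
            self.failures = 0                # assumption: failures are consecutive
            self.state = "Up"
        else:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.state = "Down"
        return self.state


def demo():
    """Constructed exchange: one good reply, one wrong ID, one stale sequence."""
    mon = PingMonitor(ident=0x1234)
    states = [mon.record(build_echo(ECHO_REPLY, 0x1234, 0))]    # matches probe 0
    states.append(mon.record(build_echo(ECHO_REPLY, 0x9999, 1)))  # other ID
    states.append(mon.record(build_echo(ECHO_REPLY, 0x1234, 1)))  # seq 1, expected 2
    return states


if __name__ == "__main__":
    print(demo())
```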
3.2 Monitoring by frame reception amount
The way in which this device monitors by frame reception amount is described below.
Overview of frame reception amount monitoring
- At one-second intervals, the number of octets received at the port is referenced, and the number of octets received during one second is calculated.
- All ports are the object of observation.
- Using the number of octets received during one second and the link speed, the reception throughput (bps) and reception ratio (%) are calculated.
- Monitoring by frame reception amount starts when the monitoring start threshold value (bps) specified by the user is exceeded.
- After monitoring has started, a fault (down) is detected if the amount falls below the down detection threshold value (bps) specified by the user.
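The following added example (not Yamaha's code) works through the calculation above: it derives the reception throughput and ratio from two octet-counter readings taken one second apart and applies the two thresholds. The counter wrap at 64 bits (the Octets maximum in the frame counter table), the return from Down to Up once traffic again exceeds the start threshold, the threshold sanity check and all names and sample values are assumptions of this example.

```python
COUNTER_MODULUS = 2 ** 64   # Octets counter maximum is 18,446,744,073,709,551,615


def rx_rate(prev_octets: int, cur_octets: int, link_bps: int):
    """Return (throughput in bps, reception ratio in %) for a one-second interval."""
    # Assumption: the octet counter wraps to 0 after its maximum value.
    delta = (cur_octets - prev_octets) % COUNTER_MODULUS
    bps = delta * 8
    return bps, 100.0 * bps / link_bps


class RxMonitor:
    """Per-port monitor; states follow the dashboard (Idle/Up/Down)."""

    def __init__(self, start_bps: int, down_bps: int, link_bps: int):
        # Sanity check of this example: a down threshold at or above the
        # start threshold would report Down right after monitoring starts.
        if down_bps >= start_bps:
            raise ValueError("down threshold must be below the start threshold")
        self.start_bps = start_bps
        self.down_bps = down_bps
        self.link_bps = link_bps
        self.prev = None
        self.state = "Idle"

    def sample(self, octets: int) -> str:
        """Feed the port's received-octets counter once per second."""
        if self.prev is None:            # first reading: nothing to compare yet
            self.prev = octets
            return self.state
        bps, _ratio = rx_rate(self.prev, octets, self.link_bps)
        self.prev = octets
        if self.state in ("Idle", "Down"):
            # Monitoring starts only once traffic exceeds the start threshold.
            # Assumption: the same rule brings a Down port back to Up.
            if bps > self.start_bps:
                self.state = "Up"
        elif bps < self.down_bps:
            self.state = "Down"
        return self.state


def demo():
    """Constructed counter readings on a 1 Gbps port, one per second."""
    mon = RxMonitor(start_bps=1_000_000, down_bps=100_000, link_bps=10 ** 9)
    readings = [
        0,          # baseline
        1_000,      # 8 kbps: below start threshold, stays Idle
        251_000,    # 2 Mbps: exceeds start threshold, monitoring starts
        451_000,    # 1.6 Mbps: still Up
        456_000,    # 40 kbps: below down threshold, Down
    ]
    return [mon.sample(r) for r in readings]


if __name__ == "__main__":
    print(demo())
    print(rx_rate(2 ** 64 - 100, 150, 10 ** 9))
```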
3.3 Monitoring by LLDP
Using the TTL which is a required item in the data portion of an LLDP frame, a down condition is determined if LLDP is not received within the TTL time.
Monitoring starts when an LLDP frame is first received.
This monitoring can be specified individually by port.
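The following added example (not Yamaha's code) parses the TLVs of an LLDP frame, extracts the mandatory TTL, and reports a down condition when no further frame arrives within that TTL. The frame is constructed inline; ignoring malformed frames, returning to Up when a frame arrives after Down, and all names are assumptions of this example.

```python
import struct

LLDP_ETHERTYPE = 0x88CC


def parse_lldp_tlvs(frame: bytes):
    """Return [(type, value), ...] from an untagged LLDP Ethernet frame."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    tlvs, off = [], 14
    while off + 2 <= len(frame):
        (hdr,) = struct.unpack("!H", frame[off:off + 2])
        tlv_type, length = hdr >> 9, hdr & 0x1FF   # 7-bit type, 9-bit length
        off += 2
        if off + length > len(frame):
            raise ValueError("truncated TLV")
        if tlv_type == 0:                          # End of LLDPDU
            break
        tlvs.append((tlv_type, frame[off:off + length]))
        off += length
    return tlvs


def lldp_ttl(frame: bytes) -> int:
    """TTL in seconds; the first three TLVs must be Chassis ID, Port ID, TTL."""
    tlvs = parse_lldp_tlvs(frame)
    if [t for t, _ in tlvs[:3]] != [1, 2, 3] or len(tlvs[2][1]) != 2:
        raise ValueError("mandatory TLVs missing or malformed")
    return struct.unpack("!H", tlvs[2][1])[0]


class LldpMonitor:
    """Per-port monitor; states follow the dashboard (Idle/Up/Down)."""

    def __init__(self):
        self.state = "Idle"
        self.deadline = None

    def on_frame(self, frame: bytes, now: float) -> bool:
        try:
            ttl = lldp_ttl(frame)
        except ValueError:
            return False               # assumption: malformed frames are ignored
        self.deadline = now + ttl      # monitoring starts at the first frame
        self.state = "Up"              # assumption: a new frame clears Down
        return True

    def tick(self, now: float) -> str:
        if self.state == "Up" and now > self.deadline:
            self.state = "Down"
        return self.state


def tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def sample_frame(ttl: int) -> bytes:
    """Constructed LLDP frame with only the mandatory TLVs."""
    dst = bytes.fromhex("0180c200000e")            # LLDP multicast address
    src = bytes.fromhex("020000000001")            # constructed source MAC
    body = (tlv(1, b"\x04" + src)                  # Chassis ID, subtype MAC address
            + tlv(2, b"\x05" + b"port1.1")         # Port ID, subtype interface name
            + tlv(3, struct.pack("!H", ttl))       # TTL
            + tlv(0, b""))                         # End of LLDPDU
    return dst + src + struct.pack("!H", LLDP_ETHERTYPE) + body


def demo():
    mon = LldpMonitor()
    states = [mon.tick(0)]                 # nothing received yet
    mon.on_frame(sample_frame(120), now=10)
    states += [mon.tick(100), mon.tick(130), mon.tick(131)]
    return states


if __name__ == "__main__":
    print(demo())
```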
4 Related Commands
This function does not support settings via commands.
5. Settings via the web GUI
Terminal monitoring settings can be done from [Advanced settings]-[Terminal monitoring] of the web GUI.
Details on the settings in each screen can be referenced via the web GUI help.
5.1 Terminal monitoring top page
The top page of terminal monitoring is shown below.
Terminal monitoring top page
- If you want to newly add a terminal for monitoring, press the New icon.
- If you want to change a currently-specified monitored terminal, press the Settings button in the list.
- If you want to delete a currently-specified monitored terminal, select the check box of that terminal, and press the delete button.
- If you want to ascertain the current state of the monitored terminal for which you are making settings, press the update button to acquire the latest state.
5.2 Adding or modifying a monitored terminal
The method for adding a new monitored terminal, or for making changes, is shown below for each method of monitoring.
- Monitoring by ping
- Monitoring by frame reception amount
- Monitoring by LLDP
- Restart terminal by controlling PoE power supply can be specified only for models that support PoE power supply.
- When specifying the monitoring start threshold value and the down detection threshold value for frame reception amount monitoring, it is useful to use the traffic observation function.
- If you want mail notification to be sent in the event of a fault, you must separately make mail notification settings.
For details, refer to Technical reference: [Management/operation functions] - [Mail notification] and to Web GUI help: [Advanced settings] - [Mail notification].
5.3. Checking the state of a monitored terminal
The state of a specified monitored terminal can be checked in the terminal monitoring gadget of the dashboard.
Dashboard terminal monitoring gadget
- For each monitored terminal, this shows the monitoring target, model name, monitoring type, and status.
- The following three states are shown as the state of the monitored terminal.
- Idle: Monitoring is not yet being performed
- Up: The monitored terminal is operating correctly
- Down: The monitored terminal is not operating correctly
- When you place the mouse cursor on the status field, the status of the monitored terminal is shown.
- If you click the Idle, Up, or Down button in the upper part of the dashboard, only the monitored terminals that are in the corresponding state are shown. (The All button shows terminals of all states.)
- If not even one monitored terminal is registered, the display indicates "No monitored terminals are registered."
6 Points of Caution
None
7 Related Documentation
- SWR2311P-10G Technical Data (Basic Functions)
- Maintenance and operation functions
- Performance observation
Performance observation
1 Function Overview
This product provides a mechanism for constantly observing the system's performance.
An overview of the function is given below.
Performance observation
This product constantly observes the following two types of data.
- Resource usage: CPU and memory usage
- Traffic amount: The amount of communication port bandwidth used (transmission/reception)
Based on the results of observation, one year's worth of the following change data is accumulated inside this product.
- Hourly change: Change for each hour (e.g. 0:00, 1:00, ...)
- Daily change: Change for each day of each month (e.g. 1/1, 1/2, ...)
- Weekly change: Change for each day of the week (e.g. SUN, MON, ...)
- Monthly change: Change for each month (e.g. Jan, Feb, ...)
The accumulated data can be backed up to an SD card. By accessing this product via the web GUI, the maintainer can view the various types of change data including live data in the dashboard, and can also acquire the accumulated result in a PC.
Since the acquired data is in CSV format, it can also be manipulated using spreadsheet software on a PC.
By using this function, the maintainer can accomplish the following:
- Ascertain the short-term communication status
- Predict long-term future demand for network facilities
2 Definition of Terms Used
None
3 Function Details
3.1 Resource and traffic usage observation
Starting immediately after boot, this device automatically observes the CPU and memory and the transmit/receive throughput of each port every second.
The observed data is normalized using a moving average, and one year of data is saved in RAM.
3.3 Observation data backup
Backup of observation data can be specified only in the web GUI.
Backup of observation data assumes that an SD card is inserted in this device.
If backup is enabled, then every hour on the hour (e.g., 1:00, 2:00 ...) from the point it was enabled, the most recent hour of observation data is saved on the SD card.
The saved data is dedicated binary data of this device.
The save-destination on the SD card and the file name of the backup data file are as follows.
Resource information
- Hourly change data
/[model name]/data/resource/YYYYMM_smsys_res_monitor_hour.bin
- Daily change data (data for each day)
/[model name]/data/resource/YYYYMM_smsys_res_monitor_day.bin
- Weekly change data
/[model name]/data/resource/YYYYMM_smsys_res_monitor_week.bin
- Monthly change data
/[model name]/data/resource/YYYY_smsys_res_monitor_month.bin
Traffic information
- Hourly change data
/[model name]/data/trf/YYYYMM_trf_bandwidth_hour.bin
- Daily change data
/[model name]/data/trf/YYYYMM_trf_bandwidth_day.bin
- Weekly change data
/[model name]/data/trf/YYYYMM_trf_bandwidth_week.bin
- Monthly change data
/[model name]/data/trf/YYYY_trf_bandwidth_month.bin
- [Model name] is the following.
- For the SWR2311P-10G: swr2311p
- YYYY: year, MM: month are specified.
- Since this is a proprietary Yamaha format, it cannot be referenced.
3.4. Observation data export
Export of observation data to a PC can be executed only in the web GUI.
As with backup data, export of observation data to a PC assumes that an SD card is inserted in this device.
The exported data consists of multiple CSV files compressed in zip format. The structure of the compressed files is given below.
- When resource observation data is exported
- zip file name: YYYYMMDDhhmmss_resource_csv.zip
- Folder structure
YYYYMMDDhhmmss_resource_csv
 +- 20170922_resource_hour.csv ... (CPU and memory data for each hour of 2017/9/22)
 +- :
 +- 20170925_resource_hour.csv ... (CPU and memory data for each hour of 2017/9/25)
 +- 201709_resource_day.csv ... (CPU and memory data for each day of 2017/9)
- When transmission traffic observation data is exported
- zip file name: YYYYMMDDhhmmss_trf_tx_csv.zip
- Folder structure
YYYYMMDDhhmmss_trf_tx_csv
 +- 20170922_trf_tx_hour.csv ... (Transmission traffic data for each hour of 2017/9/22)
 +- :
 +- 20170925_trf_tx_hour.csv ... (Transmission traffic data for each hour of 2017/9/25)
 +- 201709_trf_tx_day.csv ... (Transmission traffic data for each day of 2017/9)
- When reception traffic observation data is exported
- zip file name: YYYYMMDDhhmmss_trf_rx_csv.zip
- Folder structure
YYYYMMDDhhmmss_trf_rx_csv
 +- 20170922_trf_rx_hour.csv ... (Reception traffic data for each hour of 2017/9/22)
 +- :
 +- 20170925_trf_rx_hour.csv ... (Reception traffic data for each hour of 2017/9/25)
 +- 201709_trf_rx_day.csv ... (Reception traffic data for each day of 2017/9)
- YYYYMMDDhhmmss specifies the date and time at which export was executed (the date and time that the file was generated).
4 Related Commands
This function does not support settings via commands.
5. Settings via the web GUI
Performance observation can be controlled from the following pages of the web GUI.
- Viewing the resource usage amount
- This can be viewed in the [Dashboard] item [Resource information (graph)].
- Viewing the traffic usage amount
- This can be viewed in the [Dashboard] item [Traffic information (graph)].
- Backing up, clearing, or exporting observation data
- Select [Management], and then use [Maintenance] - [Manage statistical information] to make these settings.
5.1 Viewing the resource usage amount
The resource information (graph) screen is shown below.
Example when Live is selected for resource information (graph)
- The graph rendering can be changed using the following buttons.
Current status: Live
The various current usage ratios are obtained at one-second intervals and shown on the graph.
Hourly change: Day
The various usage ratios for the specified day are shown at one-hour intervals on the graph.
To specify the day, use the day-specifying box in the upper right of the gadget.
Daily change: Month
The various usage ratios for the specified month are shown at one-day intervals.
To specify the month, use the month-specifying box in the upper right of the gadget.
Monthly change: Year
The various usage ratios for the specified year are shown at one-month intervals.
To specify the year, use the select box in the upper right of the gadget.
- It is not currently possible to reference changes in the day of the week.
- If the CPU and memory usage ratios exceed 80%, then a warning message is shown on the dashboard.
If the ratio falls below 80% after having exceeded 80%, the warning is automatically cleared.
5.2 Viewing the traffic usage amount
The traffic usage amount (graph) screen is shown below.
Example of when traffic usage amount (graph) Day is selected / Example of transmission traffic
- The traffic usage amount of each port can be shown separately for transmission and reception.
- The graph rendering can be changed using the following buttons.
Current status: Live
The various current usage ratios are obtained at one-second intervals and shown on the graph.
The most recent two minutes of the obtained data is held and rendered on the graph.
Hourly change: Day
The various usage ratios for the specified day are shown at one-hour intervals on the graph.
To specify the day, use the day-specifying box in the upper right of the gadget.
Daily change: Month
The various usage ratios for the specified month are shown at one-day intervals.
To specify the month, use the month-specifying box in the upper right of the gadget.
Monthly change: Year
The various usage ratios for the specified year are shown at one-month intervals.
To specify the year, use the select box in the upper right of the gadget.
- It is not currently possible to reference changes in the day of the week.
To select the interface to be shown, click the interface select button, and then make a selection in the following screen.
- If the traffic usage ratio exceeds 60%, a warning message is shown on the dashboard. If the ratio falls below 50% after having exceeded 60%, the warning is automatically cleared.
5.3 Backing up, clearing, or exporting observation data
Backup, clearing, and exporting of observation data is performed from [Management] - [Maintenance] - [Manage statistical information].
The statistical information management screen is shown below.
Statistical information management screen (top page)
5.3.1 Observation data backup settings
Backup settings for observation data are performed from [Top screen] - [Backup settings for statistical data].
The screen that appears when you press the [Settings] button is shown below.
- Observation data backup settings screen
- Place a check mark in the check box of the statistical data for which you want to enable backup, and then press the [OK] button.
After you press the button, the following screen appears.
- If you decide to cancel this setting, press the [Back] button in each screen.
5.3.2 Clearing observation data
Clearing the observation data is performed from [Top screen] - [Clearing statistical data].
The screen that appears when you press the [Next] button is shown below.
- Clear observation data screen
- In the select box, choose the statistical data that will be cleared, and press the [OK] button. After you press the button, the following screen appears.
- If you decide to cancel this operation, press the [Back] button in each screen.
5.3.3 Exporting observation data
Exporting observation data is performed from [Top screen] - [Export statistical data].
The screen that appears when you press the [Next] button is shown below.
- Observation data export screen
- From the select box, choose the observation data that you want to export to the PC that is accessing the web GUI, and then specify the term of observation data that you want to export.
After making the selection, press the [OK] button, and the following screen will appear.
- If you decide to cancel this operation, press the [Back] button in each screen.
6 Points of Caution
None
7 Related Documentation
None
Dante optimization setting function
1 Function Overview
Dante optimization settings is a function that makes it easy to specify the optimal environment for the Dante digital audio network.
This allows the user to easily make settings such as QoS settings, IGMP snooping settings, flow control disable settings, and EEE disable settings.
The following items can be set using the Dante optimization setting function.
Object of setting | Function | Command |
---|---|---|
Entire system | Disable flow control | flowcontrol disable |
Entire system | Enable QoS | qos enable |
Entire system | Optimize transmission queue by DSCP value | qos dscp-queue |
VLAN interface | Enable IGMP snooping | ip igmp snooping enable |
VLAN interface | Enable IGMP query transmission function | ip igmp snooping querier |
VLAN interface | Set IGMP query transmission interval | ip igmp snooping query-interval |
VLAN interface | Disable IGMP packet TTL value checking function | ip igmp snooping check ttl disable |
LAN/SFP port | Set QoS trust mode to DSCP | qos trust dscp |
LAN/SFP port | Disable flow control | flowcontrol disable |
LAN/SFP port | Disable EEE | eee disable |
Use the Dante optimization setting function after you have made all of the basic switch settings (such as VLAN and IP).
If you make new changes to the settings, the Dante optimization settings will not follow.
2 Definition of Terms Used
- Dante
- A digital audio network specification developed by the Audinate Corporation.
3 Function Details
This function provides the following operations.
- Automatic optimization settings using LLDP
- Manual optimization settings via the web GUI
3.1 Automatic optimization settings using LLDP
By receiving special LLDP frames from certain Dante-enabled devices made by Yamaha, optimal settings for using Dante can be automatically applied.
Automatic optimization settings via LLDP are set by the lldp auto-setting command.
By default, this product is set to enable automatic optimization settings via LLDP.
Certain Dante-enabled devices made by Yamaha transmit Yamaha-proprietary LLDP frames that include the following content.
- EEE (Energy-Efficient Ethernet) disable setting
- Flow control disable setting
- DiffServ-based QoS setting
- IGMP snooping setting
If this function is enabled and the corresponding LLDP frame is received, the following settings are automatically applied to running-config.
[System-wide]
flowcontrol disable ... (Disable flow control)
qos enable ... (Enable QoS)
qos dscp-queue 0 0 ... (Set the DSCP-transmission queue ID conversion table; same for the following)
qos dscp-queue 1 0
qos dscp-queue 2 0
qos dscp-queue 3 0
qos dscp-queue 4 0
qos dscp-queue 5 0
qos dscp-queue 6 0
qos dscp-queue 7 0
qos dscp-queue 8 2
qos dscp-queue 9 0
qos dscp-queue 10 0
qos dscp-queue 11 0
qos dscp-queue 12 0
qos dscp-queue 13 0
qos dscp-queue 14 0
qos dscp-queue 15 0
qos dscp-queue 16 0
qos dscp-queue 17 0
qos dscp-queue 18 0
qos dscp-queue 19 0
qos dscp-queue 20 0
qos dscp-queue 21 0
qos dscp-queue 22 0
qos dscp-queue 23 0
qos dscp-queue 24 0
qos dscp-queue 25 0
qos dscp-queue 26 0
qos dscp-queue 27 0
qos dscp-queue 28 0
qos dscp-queue 29 0
qos dscp-queue 30 0
qos dscp-queue 31 0
qos dscp-queue 32 0
qos dscp-queue 33 0
qos dscp-queue 34 0
qos dscp-queue 35 0
qos dscp-queue 36 0
qos dscp-queue 37 0
qos dscp-queue 38 0
qos dscp-queue 39 0
qos dscp-queue 40 0
qos dscp-queue 41 0
qos dscp-queue 42 0
qos dscp-queue 43 0
qos dscp-queue 44 0
qos dscp-queue 45 0
qos dscp-queue 46 5
qos dscp-queue 47 0
qos dscp-queue 48 0
qos dscp-queue 49 0
qos dscp-queue 50 0
qos dscp-queue 51 0
qos dscp-queue 52 0
qos dscp-queue 53 0
qos dscp-queue 54 0
qos dscp-queue 55 0
qos dscp-queue 56 7
qos dscp-queue 57 0
qos dscp-queue 58 0
qos dscp-queue 59 0
qos dscp-queue 60 0
qos dscp-queue 61 0
qos dscp-queue 62 0
qos dscp-queue 63 0
[VLAN interface that received LLDP]
interface vlanX *Applies to the VLAN
 ip igmp snooping enable ... (Enable IGMP snooping)
 ip igmp snooping query-interval 30 ... (Set query transmission interval)
 ip igmp snooping querier ... (Set query)
 ip igmp snooping check ttl disable ... (Disable IGMP packet TTL value checking function)
[LAN/SFP port that received LLDP]
interface portX.X
 qos trust dscp ... (Set DSCP trust mode)
 flowcontrol disable ... (Disable flow control)
 eee disable ... (Disable EEE)
If you save using the copy running-config startup-config command or the write command, the settings are also applied to the startup-config that is used for the next and subsequent startups.
Even if the port to which the device is connected experiences a link-down state after automatic optimization settings, the automatically added settings are maintained.
This function can be used only for a physical interface (LAN/SFP port). It cannot be used with a link aggregated logical interface.
This does not apply to the trunk port.
In order to use this function, reception of LLDP frames must be enabled.
For this reason, check in advance that the following settings have been made.
- Use the lldp run command to enable the system-wide LLDP function.
- Use the lldp-agent command to create an LLDP agent for the applicable interface.
- Use the set lldp command to specify the LLDP frame transmit/receive mode.
With the default settings of this product, LLDP frame transmission and reception is enabled.
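Because these settings are written into running-config when a matching LLDP frame is received, and later changes do not follow them, it is useful to compare a saved configuration against the values listed in this section. The following added example (not Yamaha's code) does that for a configuration text; the assumed layout (interface sub-commands indented under their `interface` line, blocks closed by `!`, every listed line present literally), the sample configuration and all function names are assumptions of this example.

```python
import re

# Values taken from the listing in this section.
DANTE_QUEUES = {8: 2, 46: 5, 56: 7}      # every other DSCP value maps to queue 0
SYSTEM_LINES = ["flowcontrol disable", "qos enable"]
VLAN_LINES = [
    "ip igmp snooping enable",
    "ip igmp snooping query-interval 30",
    "ip igmp snooping querier",
    "ip igmp snooping check ttl disable",
]
PORT_LINES = ["qos trust dscp", "flowcontrol disable", "eee disable"]


def split_config(text: str):
    """Return (system-wide lines, {interface name: [sub-command lines]})."""
    system, ifaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":                       # assumed block terminator
            current = None
            continue
        indented = raw[:1].isspace()
        match = re.fullmatch(r"interface (\S+)", line)
        if match and not indented:
            current = ifaces.setdefault(match.group(1), [])
        elif indented and current is not None:
            current.append(line)
        else:
            current = None
            system.append(line)
    return system, ifaces


def audit_dante(text: str, vlan: str, ports):
    """List every deviation from the Dante-optimized settings."""
    system, ifaces = split_config(text)
    findings = [f"system: missing '{w}'" for w in SYSTEM_LINES if w not in system]
    queues = {}
    for line in system:
        match = re.fullmatch(r"qos dscp-queue (\d+) (\d+)", line)
        if match:
            queues[int(match.group(1))] = int(match.group(2))
    for dscp in range(64):
        want, got = DANTE_QUEUES.get(dscp, 0), queues.get(dscp)
        if got != want:
            findings.append(f"system: dscp {dscp} -> queue {got}, expected {want}")
    for name, wanted in [(vlan, VLAN_LINES)] + [(p, PORT_LINES) for p in ports]:
        have = ifaces.get(name, [])
        findings += [f"{name}: missing '{w}'" for w in wanted if w not in have]
    return findings


def sample_config(drift: bool = False) -> str:
    """Constructed configuration; drift=True changes DSCP 46 and port1.2."""
    lines = list(SYSTEM_LINES)
    for dscp in range(64):
        queue = 0 if (drift and dscp == 46) else DANTE_QUEUES.get(dscp, 0)
        lines.append(f"qos dscp-queue {dscp} {queue}")
    port2 = [l for l in PORT_LINES if not (drift and l == "eee disable")]
    lines += ["interface port1.1"] + [" " + l for l in PORT_LINES] + ["!"]
    lines += ["interface port1.2"] + [" " + l for l in port2] + ["!"]
    lines += ["interface vlan1"] + [" " + l for l in VLAN_LINES] + ["!"]
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in audit_dante(sample_config(drift=True), "vlan1",
                               ["port1.1", "port1.2"]):
        print(finding)
```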
3.2 Manual optimization settings via the web GUI
The web GUI of this product allows you to manually specify Dante optimization settings and to enable/disable automatic settings using LLDP.
If manual settings are executed, the settings shown in 3.1 Automatic optimization settings via LLDP are specified for all LAN/SFP ports and VLAN interfaces.
Dante optimization settings are performed from [Management] - [Dante optimization settings]. The Dante optimization settings screen is shown below.
Dante optimization settings screen (top page)
To execute manual settings, press the Next button for Manual settings.
To enable/disable automatic settings, press the Settings button for Automatic settings using LLDP.
3.2.1 Manual settings
The screen that appears when you press the Next button for Manual settings is shown below.
Manual settings - execution screen
To execute manual settings, press the OK button.
3.2.2 Automatic settings using LLDP
The screen that appears when you press the Settings button for Automatic settings using LLDP is shown below.
Automatic settings using LLDP - execution screen
To enable/disable the automatic setting function using LLDP, select the enable or disable radio button, and then press the OK button.
The screen that appears when you press the OK button is shown below.
Automatic settings using LLDP - confirmation screen
To enable/disable automatic settings using LLDP, press the Confirm settings button.
4 Related Commands
Related commands are shown below.
For details on the commands, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Set Dante automatic optimization settings function using LLDP | lldp auto-setting |
Enable LLDP function | lldp run |
Create LLDP agent | lldp-agent |
Set LLDP transmission/reception mode | set lldp |
Set flow control (system) | flowcontrol |
Enable QoS | qos |
Set DSCP - transmission queue ID conversion table | qos dscp-queue |
Enable/disable IGMP snooping | ip igmp snooping |
Set IGMP query transmission function | ip igmp snooping querier |
Set IGMP query transmission interval | ip igmp snooping query-interval |
Set IGMP packet TTL value checking function | ip igmp snooping check ttl disable |
Set flow control (interface) | flowcontrol |
Set QoS trust mode | qos trust |
Set EEE | eee disable |
5 Examples of Command Execution
5.1 Automatic optimization settings using LLDP
Enable automatic optimization settings using LLDP.
Enable LLDP transmission and reception on port1.1.
Yamaha#configure terminal
Yamaha(config)#interface port1.1
Yamaha(config-if)#lldp-agent ... (Create LLDP agent and transition modes)
Yamaha(lldp-agent)#set lldp enable txrx ... (Set LLDP transmission/reception mode)
Yamaha(lldp-agent)#exit
Yamaha(config-if)#exit
Yamaha(config)#lldp run ... (Enable LLDP function)
Yamaha(config)#lldp auto-setting enable ... (Enable automatic optimization settings using LLDP)
6 Points of Caution
- Note that if you use this function when settings such as QoS settings, flow control settings, EEE settings, and IGMP snooping have already been made, those settings are overwritten by Dante-optimized settings.
- It is assumed that you will use the Dante optimization setting function after you have made all of the basic switch settings (such as VLAN and IP).
If you make new changes to the settings (such as adding a VLAN), the Dante optimization settings will not follow.
- The setting values requested from Dante-enabled devices must be consistent between all devices. If the values are different, operation cannot be guaranteed.
- In general, IGMP snooping operates as version "3".
7 Related Documentation
- SWR2311P-10G Technical Data (Basic Functions)
- Maintenance and operation functions
- List of default settings
List of default settings
The default settings of the SWR2311P-10G are shown below.
System-wide default settings
Category | Setting item | Setting value |
---|---|---|
Terminal settings | Console timeout | 600 sec |
Terminal settings | Number of VTYs | 8 |
Terminal settings | Number of lines displayed | 24 |
Password | Login password for unnamed user | None |
Password | Administrator password | None |
Password | Password encryption | Don't encrypt |
Time management | Time zone | JST (UTC+9.0) |
Time management | NTP server | None |
Time management | NTP update cycle | Once per hour |
RMON | Operation | Enabled |
Firmware update | Download URL | firmware-update url http://www.rtpro.yamaha.co.jp/firmware/revision-up/swr2311p.bin |
Firmware update | Permit downward revision | Don't allow |
Firmware update | Timeout | 300 sec |
LLDP | Operation | Enabled |
LLDP | Automatic setting function | Enabled |
L2MS | Operation | Enabled |
L2MS | Role | Slave |
SYSLOG | Debug level log output | OFF |
SYSLOG | Information level log output | ON |
SYSLOG | Error level log output | ON |
SYSLOG | SYSLOG server | None |
Access control | Telnet server status | Start |
Access control | Telnet server access | Allow only VLAN #1 |
Access control | SSH server status | Don't start |
Access control | TFTP server status | Don't start |
Access control | HTTP server status | Start |
Access control | HTTP server access | Allow only VLAN #1 |
Access control | Secure HTTP server status | Don't start |
Management VLAN | VLAN interface | VLAN #1 |
L2 switching | Automatic MAC address acquisition | Enabled |
L2 switching | Automatic MAC address acquisition ageing time | 300 sec |
L2 switching | Spanning tree | Enabled |
L2 switching | Proprietary loop detection | Disabled |
DNS client | Operation | Enabled |
Interface control | PoE power supply | Enabled |
Traffic control | QoS | Disabled |
Traffic control | Flow control (IEEE 802.3x) | Disabled |
WebGUI | Language setting | English |
Default settings for each LAN/SFP port
Category | Setting item | Setting value |
---|---|---|
Basic settings | Speed/communication mode setting | Auto |
Basic settings | Cross/straight automatic detection | Enabled |
Basic settings | MRU | 1,522 Byte |
Basic settings | Port description | None |
Basic settings | EEE | Disabled |
Basic settings | Port Mode | Access |
Basic settings | Associated VLAN ID | 1 (default VLAN) |
L2MS | L2MS filter | Disabled |
L2 switching | Spanning tree | Enabled |
L2 switching | Proprietary loop detection | Enabled |
Traffic control | QoS trust mode | CoS |
Traffic control | Flow control (IEEE 802.3x) | Disabled |
Traffic control | Storm control | Disabled |
PoE power supply | Power supply operation | Enabled |
PoE power supply | Power supply priority order | Low |
LLDP agent | Transmission/reception mode | Transmission and reception |
Settings for default VLAN (vlan1)
- IPv4 Address: DHCP client
- IGMP Snooping: Enable
- Querier : Disable
- Fast-Leave : Disable
- Check TTL : Enable
Interface basic functions
1 Function Overview
Here we explain the basic interface functions of this product.
2 Definition of Terms Used
- Combo port
This is a port that provides a choice of either LAN port or SFP port.
The LAN port and SFP port cannot be used simultaneously. If both ports are connected, the SFP port takes priority for use.
If there is a setting that applies only to the LAN port, it does not apply to the SFP port.
3 Function Details
3.1 Interface types
This product can handle the five interface types shown in the table below.
Interface list
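Interface types | Interface ID | Explanation |
---|---|---|
LAN port | port | A physical port of this product. There are two types of port: fixed LAN ports and SFP ports that allow an SFP module to be installed or removed. Specifying LAN port #1: port1.1 |
Combo port | port | A physical port of this product. There are two types of port: fixed LAN ports and SFP ports that allow an SFP module to be installed or removed. Specifying LAN port #1: port1.1 |
VLAN interface | vlan | A user-defined VLAN. This interface is expressed as vlan followed by "VLAN ID." Specifying VLAN1: vlan1 |
Static logical interface | sa | This is the user-defined link aggregation. Multiple LAN/SFP ports can be grouped together and used as one interface. This interface is expressed as "sa" or "po," followed by "logical link ID." Specifying the LACP logical interface for logical link ID #1: po1 |
LACP logical interface | po | This is the user-defined link aggregation. Multiple LAN/SFP ports can be grouped together and used as one interface. This interface is expressed as "sa" or "po," followed by "logical link ID." Specifying the LACP logical interface for logical link ID #1: po1 |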
3.2 Interface control
The interface on this product can be controlled as shown in the table below.
Interface control items
Control items | Commands | Explanation |
---|---|---|
Set description | description | Sets the description text for the applicable interface. |
Enable/disable | shutdown | Enables/disables the interface. |
Communication speed/communication mode | speed-duplex | Sets the communication speed and communication mode for the interface. (Select from the following values.) |
MRU | mru | Sets the maximum frame size that can be received by the interface, within a range of 64–10,240 bytes. |
Cross/straight automatic detection (Auto MDI/MDI-X function) | mdix | This function automatically detects the connection port type (MDI or MDI-X), allowing for interconnection without relying on the cable type (cross or straight). |
Speed downshift | - | This function automatically drops the speed and tries to link, when a LAN cable is connected for which 1000BASE-T cannot be used. This function is always enabled for LAN ports. (Cannot be disabled.) |
EEE | power | Specifies whether EEE (Energy-Efficient Ethernet) is used. EEE is standardized as IEEE 802.3az. |
Command control of the interface is performed as shown on the table below.
Interface control functionality chart
Interface name | Set description | Enable/disable | Communication speed/communication mode | MRU | Cross/straight automatic detection | EEE |
---|---|---|---|---|---|---|
LAN port | ✓ | ✓ | ✓ (*1) | ✓ | ✓ | ✓ |
Combo port | ✓ | ✓ | ✓ (*2) | ✓ | ✓ (*3) | ✓ (*3) |
VLAN interface | ✓ | - | - | - | - | - |
Static logical interface | ✓ | ✓ | - | - | - | - |
LACP logical interface | ✓ | ✓ | - | - | - | - |
*1: As the communication speed / communication mode setting for a LAN port, it is not possible to select 10 Gbps / full-duplex.
*2: The communication speed / communication mode setting for a combo port will be either auto negotiation or 1 Gbps / full-duplex.
*3: Settings for a combo port apply only to the LAN port side.
3.3 LAN/SFP port defaults
Initially, this product's LAN/SFP ports will be in the following state.
- All LAN/SFP ports function as access ports (ports that handle untagged frames), and belong to the default VLAN (VLAN #1).
- The following functions are enabled for the default VLAN (VLAN #1) to which all LAN/SFP ports belong.
- MSTP: Multiple Spanning Tree Protocol
- IGMP Snooping
- IPv4 address (192.168.100.240/24)
- Access from a Telnet client
- Access from a web client
3.4 Port mirroring
This product provides a port mirroring function, which copies the data traffic from a selected LAN/SFP port to another specified port.
The communication status can be analyzed by collecting the copied packets.
This product allows you to specify one mirror port; all other LAN/SFP ports can be allocated as "monitor ports".
The monitoring direction (transmit/receive, transmit only, receive only) can be selected for the monitor ports.
The mirror command can be used to set the port mirroring.
The mirror port setting is disabled by default.
3.5 Frame counter
This product counts the number of frames transmitted/received for each LAN/SFP port. (This is called a "frame counter".)
To reference the frame counter, use the show frame counter command.
The table below shows the display items for the frame counter and their maximum values.
Received frame counter display items
Display item | Explanation | Maximum value |
---|---|---|
Octets | Number of octets received | 18,446,744,073,709,551,615 |
Packets (*1) | Number of packets received | 34,359,738,360 |
Broadcast packets (*2) | Number of broadcast packets received | 4,294,967,295 |
Multicast packets (*2) | Number of multicast packets received | 4,294,967,295 |
Unicast packets (*2) | Number of unicast packets received | 4,294,967,295 |
Undersize packets (*2) | Number of undersize packets received (packets smaller than 64 octets) | 4,294,967,295 |
Oversize packets (*2) | Number of oversize packets received (packets larger than 1,523 octets (*3)) | 4,294,967,295 |
Fragments (*2) | Number of fragment packets received (packets smaller than 64 octets whose CRC is incorrect) | 4,294,967,295 |
Jabbers (*2) | Number of jabber packets received (packets larger than 1,523 octets whose CRC is incorrect (*3)) | 4,294,967,295 |
FCS errors (*2) | Number of FCS error packets received | 4,294,967,295 |
RX errors | Number of reception errors | 4,294,967,295 |
Drop packets (*4) | Number of packets dropped from the reception buffer | 4,294,967,295 |
(*1): Packets is the total value of the (*2) packets.
(*3): This will change, depending on the MRU that is set for the LAN/SFP port.
(*4): This is shown only if tail drop is disabled.
Transmitted frame counter display items
Display item | Explanation | Maximum value |
---|---|---|
Octets | Number of octets transmitted | 18,446,744,073,709,551,615 |
Packets (*1) | Number of packets transmitted | 12,884,901,885 |
Broadcast packets (*2) | Number of broadcast packets transmitted | 4,294,967,295 |
Multicast packets (*2) | Number of multicast packets transmitted | 4,294,967,295 |
Unicast packets (*2) | Number of unicast packets transmitted | 4,294,967,295 |
TX errors | Number of transmission errors | 4,294,967,295 |
Collisions | Number of collision occurrences | 4,294,967,295 |
Drop Packets(*3) | Number of tail-dropped transmission packets | 536,870,911 |
(*1): The packet value is the total of the (*2) packets.
(*3): This is shown only if tail drop is enabled.
Transmitted/received frame counter display items
Display item | Explanation | Maximum value |
---|---|---|
64 octet packets | Number of packets with 64 octet length transmitted/received | 4,294,967,295 |
65–127 octet packets | Number of packets with 65–127 octet length transmitted/received | 4,294,967,295 |
128–255 octet packets | Number of packets with 128–255 octet length transmitted/received | 4,294,967,295 |
256–511 octet packets | Number of packets with 256–511 octet length transmitted/received | 4,294,967,295 |
512–1,023 octet packets | Number of packets with 512–1,023 octet length transmitted/received | 4,294,967,295 |
1,024–MAX octet packets | Number of packets with 1,024–maximum octet length (*1) transmitted/received | 4,294,967,295 |
(*1): This will change, depending on the MRU that is set for the LAN/SFP port.
The frame counter can also be cleared by using the clear counters command.
The show interface command, which shows the status of the LAN/SFP ports, also displays the number of transmitted and received frames; these values are taken from the frame counter.
The number of frames transmitted/received that is displayed using the show interface command and how the frame counter is handled are shown below.
- Number of frames transmitted/received that is displayed by the show interface command, and how the frame counter is handled
Display item | | Information on the frame counter referred to |
---|---|---|
input | packets | Received frame counter packets |
input | bytes | Received frame counter octets |
input | multicast packets | Received frame counter multicast packets |
input | drop packets (*1) | Received frame counter drop packets |
output | packets | Transmitted frame counter packets |
output | bytes | Transmitted frame counter octets |
output | multicast packets | Transmitted frame counter multicast packets |
output | broadcast packets | Transmitted frame counter broadcast packets |
output | drop packets (*1) | Transmitted frame counter drop packets |
(*1): If tail drop is enabled this shows only the transmission information; if it is disabled this shows only the reception information.
3.6 SFP module optical receive level monitoring
This product provides functionality for monitoring the optical receive level of an SFP module connected to the SFP port.
If a fault occurs in an SFP module's optical receive level, this product's port lamp indications change to a dedicated state, and a SYSLOG message is output.
An optical receive level fault state can be forcibly cleared by holding down the MODE switch for three seconds.
When the optical receive level returns to the normal range, this product's port lamp indications will recover, and a SYSLOG message is output.
A SYSLOG message is not output if the corresponding port's link status goes down, or if the optical receive level fault state is forcibly cleared.
The SFP module's optical receive level monitoring settings can be made using the sfp-monitor command.
By default, SFP module optical receive level monitoring is enabled.
3.7 Transmit queue usage monitoring
If the transmit queue's usage ratio becomes high (above 60%, above 100%), a SYSLOG message is output.
A SYSLOG message is also output when the transmit queue's usage ratio returns to the normal range (below 50%).
Transmit queue usage monitoring is always enabled.
4 Related Commands
The related commands are shown below.
For details on the commands, refer to the Command Reference.
Basic interface functions: list of related commands
Operations | Operating commands |
---|---|
Set description | description |
Shutdown | shutdown |
Set communication speed and communication mode | speed-duplex |
Set MRU | mru |
Set cross/straight automatic detection | mdix auto |
Set EEE | eee |
Show EEE capabilities | show eee capabilities |
Show EEE status | show eee status |
Set port mirroring | mirror |
Show mirroring port status | show mirror |
Show interface status | show interface |
Show VLAN information for LAN/SFP port | show interface switchport info |
Show frame counter | show frame-counter |
Clear frame counters | clear counters |
Show SFP/SFP+ status | show ddm status |
Set SFP module optical receive level monitoring | sfp-monitor rx-power |
5 Examples of Command Execution
5.1 Basic LAN port settings
Some examples of basic LAN port settings are shown below.
For details on how to make the settings, refer to the Command Reference.
- Set the description text for LAN port #1 (port1.1).
```
Yamaha(config)#interface port1.1
Yamaha(config-if)#description Connected to rtx1200-router
```
- Disable LAN port #1 (port1.1).
```
Yamaha(config)#interface port1.1
Yamaha(config-if)#shutdown
```
- Enable LAN port #1 (port1.1).
```
Yamaha(config)#interface port1.1
Yamaha(config-if)#no shutdown
```
- Set the communication speed and communication mode for LAN port #1 (port1.1) to 100Mbps/Full.
```
Yamaha(config)#interface port1.1
Yamaha(config-if)#speed-duplex 100-full
```
5.2 Mirroring settings
In this example, we will set LAN port #1 to monitor the frames transmitted/received by LAN port #4 and the frames transmitted by LAN port #5.
The roles of the ports are shown below.
- Mirror port: LAN port #1 (port1.1)
- Monitor port: LAN port #4 (port1.4), LAN port #5 (port1.5)
- Set the monitor port for mirror port LAN port #1 (port1.1).
```
Yamaha(config)#interface port1.1
Yamaha(config-if)#mirror interface port1.4 direction both ... (Monitor transmission/reception frames)
Yamaha(config-if)#mirror interface port1.5 direction transmit ... (Monitor transmission frames)
```
- Confirm the mirroring settings.
```
Yamaha#show mirror
Monitor Port  Mirror Port   Mirror Option  Direction
============= ============  ============== ==========
port1.1       port1.4       enable         both
              port1.5       enable         transmit
```
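Because a mirror port receives a copy of other ports' traffic, it is worth checking the configured sessions against what has been approved. The following is an added example, not part of the manual or of Yamaha's software: it parses `show mirror` output in the layout shown above and reports sessions that are not on an approved list. The key names `capture_port` and `observed_port`, the approved-list format and the column spacing of the sample are assumptions of this example.

```python
import re

# Constructed sample: the rows from the manual's `show mirror` example, laid
# out in columns. The spacing is an assumption; the parser only needs tokens.
SAMPLE_SHOW_MIRROR = """\
Yamaha#show mirror
Monitor Port  Mirror Port   Mirror Option  Direction
============= ============  ============== ==========
port1.1       port1.4       enable         both
              port1.5       enable         transmit
"""

PORT = re.compile(r"port\d+\.\d+")


def parse_show_mirror(text):
    """Return one dict per row of the `show mirror` table.

    capture_port  : first column, the port that receives the copied frames
    observed_port : second column, the port whose traffic is copied
    Both key names are this example's own (hypothetical), chosen so the
    code does not depend on the mirror/monitor wording of the headings.
    """
    rows, capture_port, in_body = [], None, False
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if not in_body:
            # The table body starts after the ===== ruler line.
            in_body = all(set(t) == {"="} for t in tokens)
            continue
        if (len(tokens) == 4 and PORT.fullmatch(tokens[0])
                and PORT.fullmatch(tokens[1])):
            capture_port, observed, option, direction = tokens
        elif len(tokens) == 3 and capture_port and PORT.fullmatch(tokens[0]):
            # Continuation row: first column blank, same capture port.
            observed, option, direction = tokens
        elif tokens[0].startswith("port"):
            # Never skip a row silently in an audit.
            raise ValueError(f"unparsed mirror row: {line!r}")
        else:
            break  # a prompt or unrelated text ends the table
        rows.append({"capture_port": capture_port, "observed_port": observed,
                     "option": option, "direction": direction})
    return rows


def audit_mirror(text, approved):
    """Compare configured mirroring with an approved set.

    approved maps (capture_port, observed_port) -> approved direction.
    Returns a sorted list of (finding, capture_port, observed_port, direction).
    """
    findings = []
    for row in parse_show_mirror(text):
        key = (row["capture_port"], row["observed_port"])
        if key not in approved:
            findings.append(("UNAPPROVED_SESSION", *key, row["direction"]))
        elif row["direction"] != approved[key]:
            findings.append(("DIRECTION_CHANGED", *key, row["direction"]))
    return sorted(findings)


if __name__ == "__main__":
    # Only the port1.4 session has been approved in this constructed case.
    approved = {("port1.1", "port1.4"): "both"}
    for finding in audit_mirror(SAMPLE_SHOW_MIRROR, approved):
        print(finding)
```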
5.3 Show LAN/SFP port information
- Confirm the status of LAN port #1 (port1.1).
```
Yamaha#show interface port1.1
Interface port1.1
  Link is UP
  Hardware is Ethernet
  HW addr: 00a0.deae.b89f
  Description: Connected to router
  ifIndex 5001, MRU 1522
  Speed-Duplex: auto(configured), 1000-full(current)
  Auto MDI/MDIX: on
  Vlan info :
    Switchport mode        : access
    Ingress filter         : enable
    Acceptable frame types : all
    Default Vlan           : 1
    Configured Vlans       : 1
  Interface counter:
    input  packets          : 0
           bytes            : 0
           multicast packets: 0
    output packets          : 0
           bytes            : 0
           multicast packets: 0
           broadcast packets: 0
           drop packets     : 0
```
6 Points of Caution
None
7 Related Documentation
None
Link aggregation
1 Function Overview
Link aggregation is a function used to combine multiple LAN/SFP ports that connect network devices, and handle them as a single logical interface.
Link aggregation is a technology that is useful when multiple communications occur. Communications can be distributed by using a load balance function within the combined lines.
If one LAN/SFP port fails within the lines that were combined using link aggregation, and communications cannot be made, the other ports will continue communicating.
Link aggregation function overview
The link aggregation functions in this switch are shown below.
Link aggregation functions
Functions provided | Contents |
---|---|
Static link aggregation | Link aggregation for manually setting the LAN/SFP ports to combine. This begins to operate as a logical interface when the LAN/SFP ports link up. |
LACP link aggregation | Link aggregation that uses LACP to combine the LAN/SFP ports. This begins to operate as a logical interface when the negotiation via LACP between the connected devices is successful. |
2 Definition of Terms Used
- LACP
  Abbreviation for "Link Aggregation Control Protocol". This is a technology standardized in IEEE802.3ad, and is also called EtherChannel.
- Load balance
  This is a function to distribute forwarded frames between the LAN/SFP ports that are associated with the logical interface.
  As a distribution rule, the L2/L3/L4 information within frames is used.
3 Function Details
3.1 Static/LACP link aggregation: common specifications
The common specifications for the static/LACP link aggregation functions of this switch are shown below.
- The link aggregation on this switch can be defined for 127 interfaces, including both static and LACP.
  A single logical interface can be associated with up to eight LAN/SFP ports.
- The settings shown below must be the same for each of the LAN/SFP ports contained within.
  - Communication speed/communication mode
    If auto negotiation is enabled, only ports whose negotiation result is the same as the initial negotiation result among the contained ports will be contained.
  - Port mode (access/trunk [including native VLAN settings])
  - Associated VLAN
  - QoS trust mode (including port priority and default CoS settings)
- The following operations are performed when a LAN/SFP port is associated with a logical interface.
  - LAN/SFP ports that are linked up will be linked down.
    The logical interface's default value will be set to shutdown, in order to safely integrate the logical interface into the system.
  - MSTP settings will be discarded and will revert to their defaults.
    When dissociating a LAN/SFP port from the logical link, the MSTP settings for the relevant port will revert to their defaults as well.
- The following operations can be performed for the logical interface.
  - Add description text (description command)
  - Enable/disable the interface (shutdown command)
- Another LAN/SFP port cannot be associated with a logical interface in operation.
  To associate a LAN/SFP port, make sure to shut down the logical interface before associating.
- LAN/SFP ports that are associated with a logical interface that is in operation cannot be removed.
  When dissociating a LAN/SFP port, make sure to shut down the logical interface before dissociating.
  LAN/SFP ports that have been dissociated from a logical interface will be in shutdown mode. Enable the ports as necessary (using "no shutdown").
- Load balance settings can be made on the logical interface. The rules that can be set for this are shown below.
  The default value when defining a logical interface is the destination/source MAC address.
  - Destination MAC address
  - Source MAC address
  - Destination/source MAC address
  - Destination IP address
  - Source IP address
  - Destination/source IP address
  - Destination port number
  - Source port number
  - Destination/source port number
3.2 Static link aggregation
The operating specifications for static link aggregation are shown below.
- An interface number from 1–96 can be assigned to the static logical interface.
- Use the static-channel-group command to associate a LAN/SFP port with a static logical link interface.
- When associating a LAN/SFP port with an interface number for which there is no static logical interface, a new logical interface will be generated.
- When the associated port no longer exists as a result of removing a LAN/SFP port from a static logical interface, the relevant logical interface will be deleted.
- Use the show static-channel-group command to show the static logical link interface's status.
3.3 LACP link aggregation
The operating specifications for LACP link aggregation are shown below.
Refer to "3.1 Static/LACP link aggregation: common specifications" for the common specifications of static link aggregation.
- An interface number from 1–127 can be assigned to the LACP logical interface.
- Use the channel-group command to associate a LAN/SFP port with an LACP logical link interface.
  - When associating a LAN/SFP port, specify one of the following operating modes. (It is recommended to specify "active mode".)
    - Active mode
      The LACP frame will be voluntarily transmitted, and negotiation with the opposing device's port will begin.
    - Passive mode
      The LACP frame will not be voluntarily transmitted, but will instead be transmitted when a frame is received from the opposing device.
  - When associating a LAN/SFP port with an interface number for which there is no LACP logical interface, a new logical interface will be generated.
  - When the associated port no longer exists as a result of removing a LAN/SFP port from an LACP logical interface, the relevant logical interface will be deleted.
- The parameters that influence the operations of the LACP logical interface are shown below.
  - LACP timeout
    LACP timeout is the time after which the link is judged to be down when no LACP frame has been received from the opposing device.
    Specify either "Long" (90 sec.) or "Short" (3 sec.) using the lacp timeout command.
    The LACP timeout value is stored in the LACP frame and transmitted to the opposing device.
    The opposing device that received the frame will transmit LACP frames at intervals equaling 1/3 of the stored LACP timeout value.
    The default value when the logical interface is generated is "Long (90 sec.)".
  - LACP system priority
    The LACP system priority is used when deciding which device will control the logical interface, when communicating with the opposing device.
    The LACP system priority and MAC address (together called the "system ID") are exchanged with the opposing device, and the device whose system ID has the highest priority is selected.
    The LAN/SFP port associated with the logical interface that is to be enabled (active) is determined for the selected device.
    The LACP system priority can be specified from a range of 1–65,535 by the lacp system-priority command. (Lower numbers have higher priority.)
    The default value when the logical interface is generated is set to 32,768 (0x8000).
  - LACP port priority
    LACP port priority is used to control active/standby for the LAN/SFP ports that are associated with the logical interface.
    When there are more LAN/SFP ports associated to the logical interface than the 8-port maximum, the port status is controlled based on a combination of the LACP port priority and the port number (which is called "port ID").
    As the maximum number of LAN/SFP ports associated to a logical interface is currently eight, this function is disabled.
    The LACP system priority for opposing devices is transmitted at a fixed value (32,768 (0x8000)).
- Use the show etherchannel command to show the LACP logical interface status.
4 Related Commands
The related commands are shown below.
For details on the commands, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Set the static logical interface | static-channel-group |
Show the static logical interface status | show static-channel-group |
Set the LACP logical interface | channel-group |
Set LACP system priority | lacp system-priority |
Show LACP system priority | show lacp sys-id |
Set LACP timeout | lacp timeout |
Clear LACP packet counter | clear lacp |
Show LACP packet counter | show lacp counters |
Show the status of the LACP logical interface | show etherchannel |
Set load balance function rules | port-channel load-balance |
5 Examples of Command Execution
5.1 Setting the static logical interface
In this example, we will set link aggregation to use four LAN ports, in order to communicate between switches.
- Static logical interface setting example
  - Use static for link aggregation.
    The logical interface numbers are set to switch A: #2 and switch B: #5.
  - The LAN ports associated with the logical interface are all access ports, and are associated with the VLAN #1000.
- Define [switch A] VLAN #1000, and associate it with LAN ports (#15, #17, #19, #21, #23).
Together with this, associate LAN ports (#17, #19, #21, #23) with the logical interface #2.
```
Yamaha(config)#vlan database ... (VLAN-ID #1000 definition)
Yamaha(config-vlan)#vlan 1000
Yamaha(config-vlan)#exit
Yamaha(config)#interface port1.15 ... (Set LAN port #15)
Yamaha(config-if)#switchport access vlan 1000 ... (Set as access port, and associate with VLAN #1000)
Yamaha(config-if)#interface port1.17 ... (Set LAN port #17)
Yamaha(config-if)#switchport access vlan 1000 ... (Set as access port, and associate with VLAN #1000)
Yamaha(config-if)#static-channel-group 2 ... (Associate with logical interface #2)
Yamaha(config-if)#interface port1.19
Yamaha(config-if)#switchport access vlan 1000
Yamaha(config-if)#static-channel-group 2
Yamaha(config-if)#interface port1.21
Yamaha(config-if)#switchport access vlan 1000
Yamaha(config-if)#static-channel-group 2
Yamaha(config-if)#interface port1.23
Yamaha(config-if)#switchport access vlan 1000
Yamaha(config-if)#static-channel-group 2
```
- Confirm the setting status of [switch A] logical interface #2.
```
Yamaha#show static-channel-group
% Static Aggregator: sa2
% Member:
   port1.17
   port1.19
   port1.21
   port1.23
```
- Define [switch B] VLAN #1000, and associate it with LAN ports (#07, #09, #11, #13, #15).
Together with this, associate LAN ports (#09, #11, #13, #15) with the logical interface #5.
```
Yamaha(config)#vlan database
Yamaha(config-vlan)#vlan 1000
Yamaha(config-vlan)#exit
Yamaha(config)#interface port1.7
Yamaha(config-if)#switchport access vlan 1000
Yamaha(config-if)#interface port1.9
Yamaha(config-if)#switchport access vlan 1000
Yamaha(config-if)#static-channel-group 5
Yamaha(config-if)#interface port1.11
Yamaha(config-if)#switchport access vlan 1000
Yamaha(config-if)#static-channel-group 5
Yamaha(config-if)#interface port1.13
Yamaha(config-if)#switchport access vlan 1000
Yamaha(config-if)#static-channel-group 5
Yamaha(config-if)#interface port1.15
Yamaha(config-if)#switchport access vlan 1000
Yamaha(config-if)#static-channel-group 5
```
- Confirm the setting status of [switch B] logical interface #5.
```
Yamaha#show static-channel-group
% Static Aggregator: sa5
% Member:
   port1.9
   port1.11
   port1.13
   port1.15
```
- Enable [switch A] logical interface.
```
Yamaha(config)#interface sa2 ... (Set logical interface #2)
Yamaha(config-if)#no shutdown ... (Enable logical interface)
```
- Enable [switch B] logical interface.
```
Yamaha(config)#interface sa5 ... (Set logical interface #5)
Yamaha(config-if)#no shutdown ... (Enable logical interface)
```
- Confirm the setting status of [switch A] logical interface.
```
Yamaha#show interface sa2
Interface sa2
  Link is UP ... (is enabled)
  Hardware is AGGREGATE
  ifIndex 4502, MRU 1522
  Vlan info :
    Switchport mode        : access
    Ingress filter         : enable
    Acceptable frame types : all
    Default Vlan           : 1000
    Configured Vlans       : 1000
  Interface counter:
    input  packets          : 1020
           bytes            : 102432
           multicast packets: 1020
    output packets          : 15
           bytes            : 1845
           multicast packets: 15
           broadcast packets: 0
```
- Confirm the setting status of [switch B] logical interface.
```
Yamaha#show interface sa5
Interface sa5
  Link is UP
  Hardware is AGGREGATE
  ifIndex 4505, MRU 1522
  Vlan info :
    Switchport mode        : access
    Ingress filter         : enable
    Acceptable frame types : all
    Default Vlan           : 1000
    Configured Vlans       : 1000
  Interface counter:
    input  packets          : 24
           bytes            : 2952
           multicast packets: 24
    output packets          : 2109
           bytes            : 211698
           multicast packets: 2109
           broadcast packets: 0
```
5.2 Setting the LACP logical interface
In this example, we will set link aggregation to use four LAN ports, in order to communicate between switches.
- Set the LACP logical interface
  - Use LACP for link aggregation.
    The logical interface numbers are set to switch A: #10 and switch B: #20.
    Set the switch A logical interface to active status, and the switch B logical interface to passive status.
  - The LAN ports associated with the logical interface are all access ports, and are associated with the VLAN #1000.
  - For load balance, set the destination/source IP address.
- Define [switch A] VLAN #1000, and associate it with LAN ports (#15, #17, #19, #21, #23).
Together with this, associate LAN ports (#17, #19, #21, #23) in active status with the logical interface #10.
The logical interface at this point in time will be in shutdown mode.
```
Yamaha(config)#vlan database
Yamaha(config-vlan)#vlan 1000 ... (VLAN #1000 definition)
Yamaha(config-vlan)#exit
Yamaha(config)#interface port1.15
Yamaha(config-if)#switchport access vlan 1000 ... (Set as access port, and associate with VLAN #1000)
Yamaha(config-if)#interface port1.17
Yamaha(config-if)#switchport access vlan 1000 ... (Set as access port, and associate with VLAN #1000)
Yamaha(config-if)#channel-group 10 mode active ... (Associate with logical interface #10 in an active status)
Yamaha(config-if)#interface port1.19
Yamaha(config-if)#switchport access vlan 1000
Yamaha(config-if)#channel-group 10 mode active
Yamaha(config-if)#interface port1.21
Yamaha(config-if)#switchport access vlan 1000
Yamaha(config-if)#channel-group 10 mode active
Yamaha(config-if)#interface port1.23
Yamaha(config-if)#switchport access vlan 1000
Yamaha(config-if)#channel-group 10 mode active
```
- Confirm the setting status of [switch A] logical interface #10.
```
Yamaha#show etherchannel
% Lacp Aggregator: po10
% Member:
   port1.17
   port1.19
   port1.21
   port1.23
Yamaha#show lacp sys-id ... (Check LACP system ID: set to the default value (0x8000))
% System 8000,00-a0-de-ae-b9-1f
Yamaha#show interface po10
Interface po10
  Link is DOWN ... (Link is down)
  Hardware is AGGREGATE
  ifIndex 4610, MRU 1522
  Vlan info :
    Switchport mode        : access
    Ingress filter         : enable
    Acceptable frame types : all
    Default Vlan           : 1000
    Configured Vlans       : 1000
  Interface counter:
    input  packets          : 0
           bytes            : 0
           multicast packets: 0
    output packets          : 0
           bytes            : 0
           multicast packets: 0
           broadcast packets: 0
```
- Define [switch B] VLAN #1000, and associate it with LAN ports (#07, #09, #11, #13, #15).
Together with this, associate LAN ports (#09, #11, #13, #15) in passive status with the logical interface #20.
The logical interface at this point in time will be in shutdown mode.
```
Yamaha(config)#vlan database
Yamaha(config-vlan)#vlan 1000 ... (VLAN #1000 definition)
Yamaha(config-vlan)#exit
Yamaha(config)#interface port1.7
Yamaha(config-if)#switchport access vlan 1000 ... (Set as access port, and associate with VLAN #1000)
Yamaha(config-if)#interface port1.9
Yamaha(config-if)#switchport access vlan 1000 ... (Set as access port, and associate with VLAN #1000)
Yamaha(config-if)#channel-group 20 mode passive ... (Associate with logical interface #20 in a passive status)
Yamaha(config-if)#interface port1.11
Yamaha(config-if)#switchport access vlan 1000
Yamaha(config-if)#channel-group 20 mode passive
Yamaha(config-if)#interface port1.13
Yamaha(config-if)#switchport access vlan 1000
Yamaha(config-if)#channel-group 20 mode passive
Yamaha(config-if)#interface port1.15
Yamaha(config-if)#switchport access vlan 1000
Yamaha(config-if)#channel-group 20 mode passive
```
- Confirm the setting status of [switch B] logical interface #20.
```
Yamaha#show etherchannel
% Lacp Aggregator: po20
% Member:
   port1.9
   port1.11
   port1.13
   port1.15
Yamaha#show lacp sys-id ... (Check LACP system ID: set to the default value (0x8000))
% System 8000,00-a0-de-ae-b8-7e
Yamaha#show interface po20
Interface po20
  Link is DOWN ... (Link is down)
  Hardware is AGGREGATE
  ifIndex 4620, MRU 1522
  Vlan info :
    Switchport mode        : access
    Ingress filter         : enable
    Acceptable frame types : all
    Default Vlan           : 1000
    Configured Vlans       : 1000
  Interface counter:
    input  packets          : 0
           bytes            : 0
           multicast packets: 0
    output packets          : 0
           bytes            : 0
           multicast packets: 0
           broadcast packets: 0
```
- Set the load balance of [switch A] to the destination/source IP address, and enable.
```
Yamaha(config)#port-channel load-balance src-dst-ip ... (Set load balancing)
Yamaha(config)#interface po10 ... (Set logical interface #10)
Yamaha(config-if)#no shutdown ... (Enable logical interface)
```
- Set the load balance of [switch B] to the destination/source IP address, and enable.
```
Yamaha(config)#port-channel load-balance src-dst-ip ... (Set load balancing)
Yamaha(config)#interface po20 ... (Set logical interface #20)
Yamaha(config-if)#no shutdown ... (Enable logical interface)
```
- Confirm the setting status of [switch A] logical interface.
Confirm that the link is up and that frames are being sent and received.
```
Yamaha#show interface po10
Interface po10
  Link is UP
  Hardware is AGGREGATE
  ifIndex 4610, MRU 1522
  Vlan info :
    Switchport mode        : access
    Ingress filter         : enable
    Acceptable frame types : all
    Default Vlan           : 1000
    Configured Vlans       : 1000
  Interface counter:
    input  packets          : 560
           bytes            : 58239
           multicast packets: 560
    output packets          : 98
           bytes            : 12474
           multicast packets: 98
           broadcast packets: 0
Yamaha#
Yamaha#show lacp-counter
% Traffic statistics
Port       LACPDUs         Marker          Pckt err
         Sent    Recv    Sent    Recv    Sent    Recv
% Aggregator po10 , ID 4610
port1.17   50      47      0       0       0       0
port1.19   49      46      0       0       0       0
port1.21   49      46      0       0       0       0
port1.23   49      46      0       0       0       0
```
- Confirm the setting status of [switch B] logical interface.
Confirm that the link is up and that frames are being sent and received.
```
Yamaha#show interface po20
Interface po20
  Link is UP
  Hardware is AGGREGATE
  ifIndex 4620, MRU 1522
  Vlan info :
    Switchport mode        : access
    Ingress filter         : enable
    Acceptable frame types : all
    Default Vlan           : 1000
    Configured Vlans       : 1000
  Interface counter:
    input  packets          : 78
           bytes            : 9914
           multicast packets: 78
    output packets          : 438
           bytes            : 45604
           multicast packets: 438
           broadcast packets: 0
Yamaha#
Yamaha#show lacp-counter
% Traffic statistics
Port       LACPDUs         Marker          Pckt err
         Sent    Recv    Sent    Recv    Sent    Recv
% Aggregator po20 , ID 4620
port1.9    55      57      0       0       0       0
port1.11   54      56      0       0       0       0
port1.13   54      56      0       0       0       0
port1.15   54      56      0       0       0       0
```
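The two `show lacp sys-id` lines in this example can be used to work out which switch controls the logical interface, following the system priority and timeout rules in "3.3 LACP link aggregation". The following is an added example, not part of the manual or of Yamaha's software. The function names are this example's own, and breaking a priority tie on the numerically lower MAC address follows the IEEE link aggregation standard rather than anything stated in this manual.

```python
import re

# Constructed input: the two `show lacp sys-id` output lines from the
# example above, labelled with the switch each one came from.
SYS_ID_OUTPUT = {
    "switch A": "% System 8000,00-a0-de-ae-b9-1f",
    "switch B": "% System 8000,00-a0-de-ae-b8-7e",
}

SYS_ID_RE = re.compile(
    r"System\s+([0-9a-fA-F]{1,4}),((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})"
)

# Timeout values in seconds, as given for the lacp timeout command.
LACP_TIMEOUT_SEC = {"long": 90, "short": 3}


def parse_sys_id(line):
    """Parse one sys-id line into (system_priority, mac_bytes).

    The priority is printed in hexadecimal (8000 is the default 32,768).
    """
    match = SYS_ID_RE.search(line)
    if match is None:
        raise ValueError(f"not a sys-id line: {line!r}")
    priority = int(match.group(1), 16)
    if not 1 <= priority <= 65535:
        raise ValueError(f"system priority out of range: {priority}")
    mac = bytes.fromhex(match.group(2).replace("-", ""))
    return priority, mac


def controlling_system(outputs):
    """Return the name of the device that controls the logical interface.

    Lower system priority numbers win, as the manual states. On a tie the
    numerically lower MAC address wins (assumption taken from the IEEE
    standard, not from this manual).
    """
    ids = {name: parse_sys_id(line) for name, line in outputs.items()}
    if len(set(ids.values())) != len(ids):
        raise ValueError("two devices report the same system ID")
    # Tuples compare priority first, then the MAC bytes.
    return min(ids, key=ids.get)


def peer_lacpdu_interval(timeout):
    """Seconds between LACP frames sent by the opposing device.

    The opposing device transmits at 1/3 of the timeout value it received.
    """
    return LACP_TIMEOUT_SEC[timeout] / 3


if __name__ == "__main__":
    print("controlling device:", controlling_system(SYS_ID_OUTPUT))
    for name in LACP_TIMEOUT_SEC:
        print(f"timeout {name}: peer sends every {peer_lacpdu_interval(name):g} s")
```

With both switches left at the default priority, the MAC address decides the outcome; setting a lower value with lacp system-priority on one switch makes the choice explicit.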
6 Points of Caution
- A host port that is associated with a private VLAN cannot be aggregated as a link aggregation logical interface.
- If access list settings exist for the received frame of a LAN/SFP port, the ports cannot be aggregated as a link aggregation logical interface.
7 Related Documentation
- LAN/SFP port control: Interface basic functions
- SWR2311P-10G Technical Data (Basic Functions)
- Interface control functions
- Port authentication functions
Port authentication functions
1 Function Overview
Port authentication is a function that authenticates devices or users.
This authenticates a device connected to the LAN/SFP port, and permits LAN access only for devices that succeeded in authenticating.
Devices that are not yet authenticated or that failed to authenticate can be denied access to the LAN, or permitted to access only a specific VLAN.
2 Definition of Terms Used
- IEEE 802.1X
  The authentication standard used when connecting to the LAN.
- Authenticator
  A device or software that authenticates a supplicant connected to a LAN/SFP port.
  It mediates between the supplicant and the authentication server, controlling access to the LAN according to the success or failure of authentication.
- Supplicant
  A device or software that connects to an authenticator and receives authentication.
- Authentication server
  A device or software that authenticates a supplicant that is connected via the authenticator.
  This manages authentication information such as user names, passwords, MAC addresses, and associated VLANs.
- EAP (Extensible Authentication Protocol)
  This is an authentication protocol that extends PPP, allowing various authentication methods to be used.
  This is defined in RFC3748.
- EAP over LAN (EAPOL)
  This is a protocol for conveying EAP packets between the supplicant and the authenticator.
- EAP over RADIUS
  This is a protocol for conveying EAP packets between the authenticator and the authentication server (RADIUS server).
- EAP-MD5 (Message digest algorithm 5)
  Client authentication using user name and password.
  This uses an MD5 hash value to authenticate.
- EAP-TLS (Transport Layer Security)
  This uses the digital certificates of the server and the client to authenticate.
  With the transport layer encrypted, the digital certificates are exchanged and authenticated.
  This is defined in RFC2716 and RFC5216.
- EAP-TTLS (Tunneled TLS)
  This is an extended version of EAP-TLS.
  This uses the digital signature of the server to establish a TLS communication route, and within this encrypted communication route uses a password to authenticate the client.
  This is defined in RFC5281.
- EAP-PEAP (Protected EAP)
  The principle of operation is equivalent to EAP-TTLS (the only difference is the protocol inside the encrypted tunnel).
  This uses the digital signature of the server to establish a TLS communication route, and within this encrypted communication route uses a password to authenticate the client.
3 Function Details
The operating specifications for port authentication are shown below.
As port authentication functions, this switch supports IEEE 802.1X authentication, MAC authentication, and web authentication.
The following table shows the distinctive features of each authentication method.
Port authentication method features
| | MAC authentication | IEEE 802.1X authentication | Web authentication |
---|---|---|---|
Authenticated element | MAC address | User name and password (EAP-MD5, EAP-TTLS, EAP-PEAP) | User name and password |
Authenticated object (supplicant) | Device | Device or user | Device or user |
Functionality needed by supplicant | None | IEEE 802.1X authentication | Web browser |
Operation when authenticating | None | User name and password entry (EAP-MD5, EAP-TTLS, EAP-PEAP) | User name and password entry |
This screen assumes a RADIUS server as the authentication server.
Note that the port authentication functionality of this switch has the following limitations.
- It cannot be used on a private VLAN port.
- It cannot be used on a voice VLAN port.
- If port authentication is enabled, a spanning tree topology change will occur according to the authentication result.
  If you want to avoid this, specify "spanning-tree edgeport" for the authentication port to which the supplicant will be connected.
- The number of supplicants that can be authenticated is one for each port in single host mode or multi-supplicant mode; for multi-supplicant mode, the maximum is 512 for the entire system.
- Web authentication can be used only in multi-supplicant mode.
- Web authentication cannot be used together with a guest VLAN.
- The L2MS functions cannot be used if settings are made with the trunk port without a native VLAN.
- A guest VLAN cannot be used on a trunk port.
- If the following supplicant VLAN is changed by the authentication VLAN, the authentication function might not work correctly.
  - DHCP server
  - L2MS compatible device
3.1 IEEE 802.1X authentication
IEEE 802.1X authentication uses EAP to authenticate in units of devices or users.
The supplicant receiving authentication must support IEEE 802.1X authentication.
This switch operates as an authenticator that communicates with the supplicant via EAP over LAN and communicates with the RADIUS server via EAP over RADIUS.
The authentication process itself occurs directly between the supplicant and the RADIUS server.
As authentication methods, this switch supports EAP-MD5, EAP-TLS, EAP-TTLS, and EAP-PEAP.
The features of each authentication method are shown in the following table.
Features of each authentication method
Authentication method | Client authentication method | Server authentication method | Ease of implementation | Degree of safety |
---|---|---|---|---|
EAP-MD5 | User name and password entry | No authentication | Easy | Low |
EAP-TLS | Client certificate | Server certificate | Complex | High |
EAP-TTLS | User name and password entry | Server certificate | Medium | Medium |
EAP-PEAP | User name and password entry | Server certificate | Medium | Medium |
Make settings for the supplicant and the RADIUS server as appropriate for the authentication method you use.
The basic procedure for IEEE 802.1X authentication is shown in the following diagram.
Basic procedure for IEEE 802.1X authentication
The supplicant is connected to the LAN, and transmits a communication start (EAPOL-Start) message to start authentication.
When authentication succeeds, authentication success (Success) notification is sent to the supplicant, and the supplicant's MAC address is registered in the FDB, allowing the supplicant to access the network.
If authentication fails, an authentication failure (Failure) notification is sent to the supplicant, and network access is denied for the supplicant.
(Even without authentication, it is possible to allow access to a specific VLAN if a guest VLAN has been specified.)
3.2 MAC authentication
MAC authentication uses the MAC address of a device to authenticate an individual device.
Since the supplicant does not need special functionality to be authenticated, authentication is possible even for devices that do not support IEEE 802.1X.
The basic procedure for MAC authentication is shown in the following diagram.
When this switch receives any Ethernet frame from the supplicant, it queries the RADIUS server with the supplicant's MAC address as the user name and password.
EAP-MD5 is used as the authentication mode between this switch and the RADIUS server.
When authentication succeeds, the supplicant's MAC address is registered in the FDB, allowing the supplicant to access the network.
If authentication fails, the supplicant is denied network access.
(Even without authentication, it is possible to allow access to a specific VLAN if a guest VLAN has been specified.)
The supplicant's MAC address must be registered as the user name and password in the RADIUS server, in one of the following formats.
- XX-XX-XX-XX-XX-XX (hyphen delimited)
- XX:XX:XX:XX:XX:XX (colon delimited)
- XXXXXXXXXXXX (not delimited)
This switch lets you use the auth-mac auth-user command to change the format of the MAC address query that is made to the RADIUS server.
Specify the appropriate command according to the format of the MAC addresses that are registered in the RADIUS server.
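The three registration formats above, as an added example that is not part of the Yamaha manual: a Python helper that validates MAC addresses from an inventory, including the dotted notation that port-security mac-address uses elsewhere in this manual, and renders the user name and password pair to register on the RADIUS server. The function names and the sample inventory are constructed, and the letter case is left as a parameter because the page does not say which case the switch sends.

```python
import re

# Separators for the three registration formats listed in the manual.
STYLES = {"hyphen": "-", "colon": ":", "plain": ""}

# Accepted input notations: the three above plus the dotted form
# (00A0.DE00.0001) that port-security mac-address uses in this manual.
_MAC_RE = re.compile(
    r"(?:[0-9a-f]{2}-){5}[0-9a-f]{2}"
    r"|(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
    r"|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}"
    r"|[0-9a-f]{12}",
    re.IGNORECASE,
)


def normalize_mac(text):
    """Return the 12 hex digits (lower case) or raise ValueError."""
    text = text.strip()
    if not _MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return re.sub(r"[-:.]", "", text).lower()


def render(digits, style, uppercase=False):
    """Format 12 hex digits in one of the three registration styles."""
    out = STYLES[style].join(digits[i:i + 2] for i in range(0, 12, 2))
    # Assumption: the manual does not state which letter case the switch
    # sends, and RADIUS servers commonly compare user names exactly, so
    # confirm the case against the RADIUS server's log before registering.
    return out.upper() if uppercase else out


def radius_credentials(inventory, style, uppercase=False):
    """Build (label, user name, password) rows for the RADIUS server.

    inventory: iterable of (label, mac_text). Group (multicast/broadcast)
    addresses and duplicates are rejected, since each row must identify
    exactly one device.
    """
    seen = {}
    rows = []
    for label, raw in inventory:
        digits = normalize_mac(raw)
        if int(digits[:2], 16) & 0x01:
            raise ValueError(f"{label}: {raw} is a group address")
        if digits in seen:
            raise ValueError(f"{label}: duplicates {seen[digits]}")
        seen[digits] = label
        ident = render(digits, style, uppercase)
        # MAC authentication uses the same string as user name and password.
        rows.append((label, ident, ident))
    return rows


# Constructed inventory (labels and addresses are sample values).
SAMPLE_INVENTORY = [
    ("printer", "00A0.DE00.0001"),
    ("camera", "00:a0:de:00:00:02"),
    ("access-point", "00-A0-DE-00-00-03"),
]

if __name__ == "__main__":
    for row in radius_credentials(SAMPLE_INVENTORY, "hyphen", uppercase=True):
        print(*row)
```

Because the password equals the user name, every row generated this way is only as secret as the MAC address itself.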
3.3 Web authentication
Web authentication is a function that authenticates a user when a user name and password are entered from the supplicant's web browser.
HTTP is supported as the communication method between the web browser and the switch.
Because web authentication performs authentication by communicating via HTTP, it is necessary for IP communication between this switch and the supplicant to be possible even before authentication.
Either the DHCP server must assign an IP address to the supplicant, or the supplicant must specify an IP address statically.
Web authentication operates only in multi-supplicant mode.
Also, this cannot be used together with a guest VLAN.
The basic procedure for web authentication is shown in the following diagram.
This switch queries the RADIUS server using the user name and password that were entered in the supplicant's web browser.
EAP-MD5 is used as the authentication mode between this switch and the RADIUS server.
When authentication succeeds, the supplicant's MAC address is registered in the FDB, allowing the supplicant to access the network.
If authentication fails, the supplicant is denied network access.
3.3.1 Operations on the supplicant
When the supplicant's web browser accesses IPv4 TCP port 80, the following authentication screen appears.
To be authenticated, enter a user name and password, and click the "log in" button.
The supplicant's MAC address is registered in the FDB, allowing the supplicant to access the network.
If authentication fails three times in succession, authentication is temporarily restricted.
3.3.2 Customizing the authentication screen
The displayed content on the Web authentication screen (the edited HTML, CSS and image files) can be copied to this product, and the following parts can be customized.
Note that we cannot provide support for how to code in HTML/CSS or what formatting to use, or for any troubles that may occur due to modifications to the code.
- Header
The header section includes the "header.html" and "style.css" files. Edit these files and copy them to this product in order to customize them.
- Image files
Copy the images provided to this product in order to modify them.
- Input form
The display style used for the input form is defined in the "style.css" file. Although the text cannot be changed, you can edit the "style.css" file and copy it to this product in order to change the input form's design.
- Footer
The footer section includes the "footer.html" and "style.css" files. Edit these files and copy them to this product in order to customize them.
The following explains how to modify the Web authentication screen.
3.3.2.1 Preparing the authentication screen customization files
The following files are used to customize the web authentication screen.
- header.html
- footer.html
- logo.png
- style.css
Use the Web browser to access the "header.html", "footer.html" and "style.css" files from the switch.
For example if the IP address of the switch is 192.168.100.240, you can use the following URL to access the file from a PC connected to a port on which web authentication is enabled, and then use the browser's "Save as" command to save the file on the PC.
- http://192.168.100.240/web-auth/header.html
- http://192.168.100.240/web-auth/footer.html
- http://192.168.100.240/web-auth/style.css
When saving, specify the extension as ".css" and specify the character encoding as "UTF-8."
For the image file logo.png, prepare a desired image file on the PC, and save it with the file name logo.png.
The maximum file size is 1 MB.
3.3.2.2 Editing the authentication screen customization files
Edit the above-mentioned HTML and CSS files as appropriate on your PC.
You are free to edit this in accordance with CSS specifications, but please note the following points.
- The only image file that can be referenced from the "header.html" and "footer.html" files is "logo.png".
- The extension of the HTML and CSS file must be ".css", and the character encoding of all files must be UTF-8.
3.3.2.3 Placing the authentication screen customization files
When you have prepared the files, place them in /model name/startup-config/web-auth/ on the SD card.
After placing the files, use the copy auth-web custom-file command or the copy startup-config command to copy the authentication screen customization files to the switch.
If the following files exist in the folder hierarchy in which the currently-running CONFIG is saved, they are used to generate the web authentication screen.
You can determine the currently-running CONFIG number by using the show environment command. Even if the switch started up using the CONFIG on the SD card, you can customize the web authentication screen by placing these files in /model name/startup-config/web-auth/ on the SD card.
- header.html
This is used as the header section referenced from the authentication screen. If this file does not exist, the original "header.html" is used.
- footer.html
This is used as the footer section referenced from the authentication screen. If this file does not exist, the original "footer.html" is used.
- logo.png
This is used as the logo in the upper left of the authentication screen. If this file does not exist, the original Yamaha logo is shown.
- style.css
This is used as the "style.css" referenced from the authentication screen. If this file does not exist, the original style.css is used.
When you have finished placing the edited files, check the display by using your browser to access the web authentication screen.
If you need to make additional changes, edit the files on your PC, and transfer them again.
3.3.2.4 Canceling customization
If you decide to cancel customization of the authentication screen, delete the customization files from the folder in which the currently-running CONFIG is saved. You will revert to the original authentication screen.
To delete the files, you can use the erase auth-web custom-file command or the erase startup-config command.
However, since the erase startup-config command also deletes files such as config.txt, you should first copy files such as config.txt to an SD card etc. as a backup.
3.4 Using multiple authentication functions
This switch lets you use IEEE 802.1X authentication, MAC authentication, and web authentication together on the same port.
When multiple methods are used together, IEEE 802.1X authentication takes priority.
Web authentication can be attempted at any time as long as another of the multiple authentication methods is not currently communicating with the RADIUS server.
If multiple authentication methods are being used simultaneously, operation is as follows.
- Procedure if the supplicant supports IEEE 802.1X authentication
- Procedure if the supplicant does not support IEEE 802.1X authentication
Note
- If authentication succeeds with any one of the methods, authentication has succeeded.
- If the reauthentication setting is enabled, then reauthentication is performed using the method with which authentication succeeded.
- If multiple authentication methods are being used simultaneously, the forwarding control setting of an unauthenticated port will be to discard reception.
- If EAPOL start is received from an unauthenticated supplicant, operation will transition to IEEE 802.1X authentication even if authentication operation is already in progress using MAC authentication or web authentication.
- If 802.1X authentication and MAC authentication are being used simultaneously, the authentication restriction interval does not start even if 802.1X authentication fails.
- If 802.1X authentication and MAC authentication are being used simultaneously, and any Ethernet frame is received from the supplicant, this switch transmits an EAP Request.
- If web authentication is also being used, unauthenticated supplicants are registered in FDB as static/discard.
3.5 Host mode
This switch lets you select the host mode for the port authentication function.
Host mode indicates how an applicable supplicant's communication will be permitted on the authentication port.
This switch lets you choose from the following host modes.
- Single host mode
This mode permits communication for only one supplicant for each LAN/SFP port.
Communication is permitted only for the first supplicant that successfully authenticates.
- Multi-host mode
This mode permits communication for multiple supplicants for each LAN/SFP port.
When a supplicant successfully authenticates and communication is permitted, another supplicant that is connected to the same LAN/SFP port and that successfully authenticates is also permitted to communicate on the same VLAN.
- Multi-supplicant
This mode permits communication for multiple supplicants for each LAN/SFP port.
Each supplicant is distinguished by its MAC address, permitting communication in units of supplicants.
When using dynamic VLAN functions, you can specify the VLAN for each supplicant.
3.5 Authentication VLAN
This product supports authentication VLAN with IEEE802.1X, MAC and Web authentication.
An authentication VLAN is a function that changes the authentication port's associated VLAN according to the VLAN attributes of authentication data received from the RADIUS server.
As shown in the illustration above, if a port's associated VLAN is 1, and the received authentication data has a VLAN attribute of 10, then following successful authentication, the authentication port's associated VLAN is 10, and communication on VLAN 10 is permitted.
For the RADIUS server, make settings so that the authentication information sent from the server includes the following attribute values.
- Tunnel-Type = VLAN (13)
- Tunnel-Medium-Type = IEEE-802 (6)
- Tunnel-Private-Group-ID = VLAN ID
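How a RADIUS Access-Accept carries the three attributes listed above, as an added example that is not part of the Yamaha manual: a parser that follows the RFC 2865 attribute layout and the RFC 2868 tag byte, and returns a VLAN ID only when all three values are present and consistent. The sample packet is constructed, the function names are hypothetical, and how the switch itself treats tags is not stated on this page.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN = 13        # Tunnel-Type = VLAN
TMT_IEEE_802 = 6    # Tunnel-Medium-Type = IEEE-802


def parse_packet(packet):
    """Return (code, [(attr_type, value_bytes), ...]) for a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the data")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} has a bad length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def _tagged_int(value):
    """Tunnel-Type / Tunnel-Medium-Type: one tag byte + 3-byte integer."""
    if len(value) != 4:
        raise ValueError("tunnel integer attribute must carry 4 bytes")
    return value[0], int.from_bytes(value[1:], "big")


def _tagged_string(value):
    """Tunnel-Private-Group-ID: the first byte is a tag only if <= 0x1F."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")


def assigned_vlan(packet):
    """VLAN ID granted by an Access-Accept, or None if the set is incomplete."""
    code, attrs = parse_packet(packet)
    if code != ACCESS_ACCEPT:
        return None
    tunnels = {}  # tag -> {"type": int, "medium": int, "group": str}
    for atype, value in attrs:
        if atype == TUNNEL_TYPE:
            tag, number = _tagged_int(value)
            tunnels.setdefault(tag, {})["type"] = number
        elif atype == TUNNEL_MEDIUM_TYPE:
            tag, number = _tagged_int(value)
            tunnels.setdefault(tag, {})["medium"] = number
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, text = _tagged_string(value)
            tunnels.setdefault(tag, {})["group"] = text
    for tag in sorted(tunnels):
        t = tunnels[tag]
        if (t.get("type"), t.get("medium")) != (TT_VLAN, TMT_IEEE_802):
            continue
        if "group" not in t:
            continue
        if not t["group"].isdigit() or not 1 <= int(t["group"]) <= 4094:
            raise ValueError(f"not a VLAN ID: {t['group']!r}")
        return int(t["group"])
    return None


def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def build_sample_accept(group_id, tunnel_type=TT_VLAN, tag=0):
    """Constructed Access-Accept for testing (zeroed authenticator)."""
    group = (bytes([tag]) if tag else b"") + group_id.encode("ascii")
    attrs = (
        _attr(TUNNEL_TYPE, bytes([tag]) + tunnel_type.to_bytes(3, "big"))
        + _attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TMT_IEEE_802.to_bytes(3, "big"))
        + _attr(TUNNEL_PRIVATE_GROUP_ID, group)
    )
    header = struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs))
    return header + bytes(16) + attrs


if __name__ == "__main__":
    print(assigned_vlan(build_sample_accept("10")))
```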
If an authentication VLAN is used, operation in the various host modes will be as follows.
- Single host mode
The authentication port's associated VLAN is changed according to the VLAN attribute value of the supplicant that successfully authenticates.
- Multi-host mode
The authentication port's associated VLAN is changed according to the VLAN attribute value of the supplicant that successfully authenticates.
Other supplicants that are connected to the same port are also permitted to communicate on the same VLAN.
- Multi-supplicant mode
The authentication port's associated VLAN is changed according to the VLAN attribute value of the supplicant that successfully authenticates.
You can specify the VLAN for each supplicant.
3.6 VLAN for unauthenticated or failed-authentication ports
This switch's IEEE 802.1X authentication and MAC authentication allow you to specify a guest VLAN so that unauthenticated ports or ports that failed authentication will be assigned to a specific VLAN.
In multi-supplicant mode, you can specify this for each supplicant.
This is useful when you want to provide partial functionality on a limited network even to a supplicant that has not succeeded in authenticating, as shown in the illustration above.
3.7 EAP pass-through function
You can switch between enable and disable for EAP pass-through and configure whether EAPOL frames are to be forwarded.
The authentication function will be prioritized for interfaces on which the 802.1X authentication function is enabled, and EAP pass-through will not be applied.
4 Related Commands
The related commands are shown below.
For details on the commands, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Set IEEE 802.1X authentication function for the entire system | aaa authentication dot1x |
Set MAC authentication function for the entire system | aaa authentication auth-mac |
Set web authentication function for the entire system | aaa authentication auth-web |
Set IEEE 802.1X authentication function operating mode | dot1x port-control |
Set unauthenticated port forwarding control for IEEE 802.1X authentication | dot1x control-direction |
Set number of retransmitted EAPOL packets | dot1x max-auth-req |
Set MAC authentication function | auth-mac enable |
Set MAC address format setting for MAC authentication | auth-mac auth-user |
Set web authentication function | auth-web enable |
Set redirect-destination URL following successful web authentication | auth-web redirect-url |
Copy web authentication screen customization files | copy auth-web custom-file |
Delete web authentication screen customization files | erase auth-web custom-file |
Set host mode | auth host-mode |
Set reauthentication | auth reauthentication |
Set dynamic VLAN | auth dynamic-vlan-creation |
Set guest VLAN | auth guest-vlan |
Set restriction period following failed authentication | auth timeout quiet-period |
Set reauthentication interval | auth timeout reauth-period |
Set response wait time for the entire RADIUS server | auth timeout server-timeout |
Set response wait time for the supplicant | auth timeout supp-timeout |
Set RADIUS server host | radius-server host |
Set response wait time for a single RADIUS server | radius-server timeout |
Set number of times to retransmit request to RADIUS server | radius-server retransmit |
Set shared password for RADIUS server | radius-server key |
Set availability time restriction for RADIUS server | radius-server deadtime |
Show port authentication status | show auth status |
Show RADIUS server setting status | show radius-server |
Show supplicant status | show auth supplicant |
Show statistical information | show auth statistics |
Clear statistical information | clear auth statistics |
Clear authentication state | clear auth state |
Set time at which authentication state is cleared (system) | auth clear-state time |
Set time at which authentication state is cleared (interface) | auth clear-state time |
EAP pass-through settings | pass-through eap |
5 Examples of Command Execution
5.1 Set IEEE 802.1X authentication
Make settings so that IEEE 802.1X authentication can be used.
- We will use LAN port #1 as the authentication port to which the supplicant is connected.
- We will set the host mode to multi-supplicant mode.
- We will use VLAN #10 as the guest VLAN.
- We will use 192.168.100.101 as the IP address of the RADIUS server that is connected.
- Define VLAN #10 as the guest VLAN.
Yamaha(config)#vlan database
Yamaha(config-vlan)#vlan 10 ... (VLAN #10 definition)
Yamaha(config-vlan)#exit
- Enable the IEEE 802.1X authentication function for the entire system.
Yamaha(config)#aaa authentication dot1x
- Set IEEE 802.1X authentication for LAN port #1.
Yamaha(config)#interface port1.1
Yamaha(config-if)#dot1x port-control auto ... (Set IEEE 802.1X authentication operating mode to auto)
Yamaha(config-if)#auth host-mode multi-supplicant ... (Set host mode to multi-supplicant mode)
Yamaha(config-if)#auth guest-vlan 10 ... (Set guest VLAN as VLAN #10)
Yamaha(config-if)#exit
- Set RADIUS server settings.
Yamaha(config)#radius-server host 192.168.100.101 key test1 (Set host as 192.168.100.101 and shared password as "test1")
- Check RADIUS server settings.
Yamaha#show radius-server
Server Host : 192.168.100.101
  Authentication Port : 1812
  Secret Key : test1
  Timeout : 5 sec
  Retransmit Count : 3
  Deadtime : 0 min
- Check port authentication settings.
Yamaha#show auth status
[System information]
  802.1X Port-Based Authentication : Enabled
  MAC-Based Authentication : Disabled
  WEB-Based Authentication : Disabled
  Clear-state time : Not configured
  Redirect URL : Not configured
  RADIUS server address : 192.168.100.101 (port:1812)
[Interface information]
  Interface port1.1 (up)
    802.1X Authentication : Force Authorized (configured:auto)
    MAC Authentication : Disabled (configured:disable)
    WEB Authentication : Enabled (configured:disable)
    Host mode : Multi-supplicant
    Dynamic VLAN creation : Disabled
    Guest VLAN : Enabled (VLAN ID:10)
    Reauthentication : Disabled
    Reauthentication period : 3600 sec
    MAX request : 2 times
    Supplicant timeout : 30 sec
    Server timeout : 30 sec
    Quiet period : 60 sec
    Controlled directions : In (configured:both)
    Protocol version : 2
    Clear-state time : Not configured
5.2 Set MAC authentication
Make settings so that MAC authentication can be used.
- We will use LAN port #1 as the authentication port to which the supplicant is connected.
- We will set the host mode to multi-supplicant mode.
- We will use 192.168.100.101 as the IP address of the RADIUS server that is connected.
- Enable the MAC authentication function for the entire system.
Yamaha(config)#aaa authentication auth-mac
- Set MAC authentication for LAN port #1.
Yamaha(config)#interface port1.1
Yamaha(config-if)#auth-mac enable ... (Enable MAC authentication)
Yamaha(config-if)#auth host-mode multi-supplicant ... (Set host mode to multi-supplicant mode)
Yamaha(config-if)#exit
- Set RADIUS server settings.
Yamaha(config)#radius-server host 192.168.100.101 key test1 (Set host as 192.168.100.101 and shared password as "test1")
- Check RADIUS server settings.
Yamaha#show radius-server
Server Host : 192.168.100.101
  Authentication Port : 1812
  Secret Key : test1
  Timeout : 5 sec
  Retransmit Count : 3
  Deadtime : 0 min
- Check port authentication settings.
Yamaha#show auth status
[System information]
  802.1X Port-Based Authentication : Disabled
  MAC-Based Authentication : Enabled
  WEB-Based Authentication : Disabled
  Clear-state time : Not configured
  Redirect URL : Not configured
  RADIUS server address : 192.168.100.101 (port:1812)
[Interface information]
  Interface port1.1 (up)
    802.1X Authentication : Force Authorized (configured:-)
    MAC Authentication : Enabled (configured:enable)
    WEB Authentication : Disabled (configured:disable)
    Host mode : Multi-supplicant
    Dynamic VLAN creation : Disabled
    Guest VLAN : Disabled
    Reauthentication : Disabled
    Reauthentication period : 3600 sec
    MAX request : 2 times
    Supplicant timeout : 30 sec
    Server timeout : 30 sec
    Quiet period : 60 sec
    Controlled directions : In (configured:both)
    Protocol version : 2
    Clear-state time : Not configured
    Authentication status : Unauthorized
5.3 Set web authentication
Make settings so that web authentication can be used.
- We will use LAN port #1 as the authentication port to which the supplicant is connected.
- We will assume that 192.168.100.10 is the IP address of the supplicant.
- We will use 192.168.100.101 as the IP address of the RADIUS server that is connected.
- Assign an IP address to the authenticator for IP communication.
Yamaha(config)#interface vlan1
Yamaha(config-if)#ip address 192.168.100.240/24
Yamaha(config-if)#exit
- Enable the web authentication function for the entire system.
Yamaha(config)#aaa authentication auth-web
- Set web authentication for LAN port #1.
Yamaha(config)#interface port1.1
Yamaha(config-if)#auth host-mode multi-supplicant ... (Set host mode to multi-supplicant mode)
Yamaha(config-if)#auth-web enable ... (Enable web authentication)
Yamaha(config-if)#exit
- Set RADIUS server settings.
Yamaha(config)#radius-server host 192.168.100.101 key test1 (Set host as 192.168.100.101 and shared password as "test1")
- Check RADIUS server settings.
Yamaha#show radius-server
Server Host : 192.168.100.101
  Authentication Port : 1812
  Secret Key : test1
  Timeout : 5 sec
  Retransmit Count : 3
  Deadtime : 0 min
- Check port authentication settings.
Yamaha#show auth status
[System information]
  802.1X Port-Based Authentication : Disabled
  MAC-Based Authentication : Disabled
  WEB-Based Authentication : Enabled
  Clear-state time : Not configured
  Redirect URL : Not configured
  RADIUS server address : 192.168.100.101 (port:1812)
[Interface information]
  Interface port1.1 (up)
    802.1X Authentication : Force Authorized (configured:-)
    MAC Authentication : Disabled (configured:disable)
    WEB Authentication : Enabled (configured:enable)
    Host mode : Multi-supplicant
    Dynamic VLAN creation : Disabled
    Guest VLAN : Disabled
    Reauthentication : Disabled
    Reauthentication period : 3600 sec
    MAX request : 2 times
    Supplicant timeout : 30 sec
    Server timeout : 30 sec
    Quiet period : 60 sec
    Controlled directions : In (configured:both)
    Protocol version : 2
    Clear-state time : Not configured
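A review pass over the two verification outputs used in sections 5.1 to 5.3, as an added example that is not Yamaha's code: it parses "show auth status" text, lists every interface setting whose operating value differs from the value the switch reports as configured, and checks the length of the shared secret that "show radius-server" prints in clear text. The sample text is constructed in the layout of the manual's output, the function names are hypothetical, and the 16-character threshold is RFC 2865's stated preference rather than a limit from this manual.

```python
import re

# Constructed samples in the layout of the manual's command output.
SAMPLE_AUTH_STATUS = """\
[System information]
  802.1X Port-Based Authentication : Enabled
  MAC-Based Authentication : Disabled
  WEB-Based Authentication : Disabled
  RADIUS server address : 192.168.100.101 (port:1812)
[Interface information]
  Interface port1.1 (up)
    802.1X Authentication : Force Authorized (configured:auto)
    MAC Authentication : Disabled (configured:disable)
    WEB Authentication : Enabled (configured:disable)
    Host mode : Multi-supplicant
    Guest VLAN : Enabled (VLAN ID:10)
    Controlled directions : In (configured:both)
"""
SAMPLE_RADIUS = """\
Server Host : 192.168.100.101
  Authentication Port : 1812
  Secret Key : test1
  Timeout : 5 sec
"""

_FIELD = re.compile(r"^\s*(.+?)\s+:\s+(.*?)\s*$")
_IFACE = re.compile(r"^\s*Interface\s+(\S+)\s+\((\w+)\)\s*$")
_CONFIGURED = re.compile(r"^(.*?)\s*\(configured:([^)]*)\)$")
# Operating wording -> the keyword the switch prints after "configured:".
_SAME = {"enabled": "enable", "disabled": "disable"}


def parse_auth_status(text):
    """Return (system_fields, {interface: fields}) from 'show auth status'."""
    system, interfaces = {}, {}
    current = system
    for line in text.splitlines():
        iface = _IFACE.match(line)
        if iface:
            current = interfaces.setdefault(iface.group(1), {})
            continue
        field = _FIELD.match(line)
        if field:
            current[field.group(1)] = field.group(2)
    return system, interfaces


def state_mismatches(text):
    """List (interface, setting, operating, configured) where the two differ.

    A mismatch is a line to review, not proof of a fault: the switch may
    override a setting while several authentication methods are combined.
    """
    _system, interfaces = parse_auth_status(text)
    findings = []
    for name, fields in interfaces.items():
        for key, value in fields.items():
            m = _CONFIGURED.match(value)
            if not m or m.group(2) == "-":
                continue  # no configured value reported for this line
            oper, conf = m.group(1), m.group(2)
            if _SAME.get(oper.lower(), oper.lower()) != conf.lower():
                findings.append((name, key, oper, conf))
    return findings


def radius_findings(text, min_secret_len=16):
    """Review 'show radius-server' output without echoing the secret."""
    findings = []
    host = None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Server Host":
            host = value
        elif key == "Secret Key" and len(value) < min_secret_len:
            findings.append(
                (host, f"shared secret is {len(value)} characters, "
                       f"below the {min_secret_len} recommended")
            )
    return findings


if __name__ == "__main__":
    for finding in state_mismatches(SAMPLE_AUTH_STATUS):
        print("review:", *finding)
    for finding in radius_findings(SAMPLE_RADIUS):
        print("review:", *finding)
```

Since the command prints the secret as stored, saved console logs and support captures of this output need the same handling as the secret itself.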
6 Points of Caution
Using dynamic VLAN in multi-supplicant mode will consume internal resources.
These resources are also used by the ACL and QoS functions. Depending on the settings, there may not be enough resources.
Use caution, since communications may not be possible if there are not enough resources, even though authentication might succeed.
7 Related Documentation
None
Port security functions
1 Function Overview
Port security is a function that limits communication to only permitted terminals, preventing access from illegal terminals.
2 Definition of Terms Used
None
3 Function Details
For ports on which the port security function is enabled, you can pre-register the MAC address of a terminal for which you want to permit communication, thereby allowing communication only for permitted terminals.
Conversely, if there is access from a terminal that is not registered (an illegal terminal), this is considered illegal access, and the packets are discarded.
Depending on the settings, the corresponding port can also be shut down.
The port security function cannot be used simultaneously with the port authentication function.
3.1 Limiting the terminals that can access
By enabling the port security function, and using the port-security mac-address command to register the MAC addresses of only the terminals for which you want to allow communication, you can limit the terminals that are allowed access.
4 Related Commands
The related commands are shown below.
For details on the commands, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Set port security function | port-security enable |
Register allowed MAC addresses | port-security mac-address |
Set operation for when security violation occurs | port-security violation |
Show port security status | show port-security status |
5 Examples of Command Execution
5.1 Limiting the terminals that can access
Manually specify the MAC address so that only the permitted terminal can communicate.
- Enable port security on LAN port #1.
Yamaha(config)#interface port1.1
Yamaha(config-if)#port-security enable
- Register the MAC address that you want to permit.
Yamaha(config)#port-security mac-address 00A0.DE00.0001 forward port1.1 vlan 1
Yamaha(config)#port-security mac-address 00A0.DE00.0002 forward port1.1 vlan 1
- Check the port security status.
Yamaha#show port-security status
Port      Security  Action     Status    Last violation
--------- --------- ---------- --------- ---------------------
port1.1   Enabled   Discard    Normal    00A0.DE00.0003
port1.2   Disabled  Discard    Normal
port1.3   Disabled  Discard    Normal
port1.4   Disabled  Discard    Normal
port1.5   Disabled  Discard    Normal
port1.6   Disabled  Discard    Normal
port1.7   Disabled  Discard    Normal
port1.8   Disabled  Discard    Normal
port1.9   Disabled  Discard    Normal
port1.10  Disabled  Discard    Normal
6 Points of Caution
- Use the no shutdown command to recover the port that has shut down due to illegal access.
The status of the show port-security status command will not return to normal until the port links up. (The status will remain in shutdown state.)
- If the wrong port is specified with the port-security mac-address command, traffic and violation frames will not be correctly detected.
7 Related Documentation
None
PoE control
1 Function Overview
PoE (Power over Ethernet) is technology that supplies electrical power via an Ethernet cable (category 5e or higher).
This product supports IEEE 802.3at, which is able to supply power to class 4 powered devices.
IEEE 802.3at refers to the devices as follows:
- Device that supplies power (power supply device): PSE: Power Sourcing Equipment
- Device that receives power (powered device): PD: Powered Device
This product uses Alternative A, which uses the cable's signal wires (1, 2, 3, 6) to supply power.
2 Definition of Terms Used
None
3 Function Details
3.1 Enabling/disabling the PoE power supply function
The following ports of this product support PoE power supply (subsequently referred to as PoE ports).
- SWR2311P-10G: ports 1–8
With the factory settings, the power supply function is enabled for all PoE ports of this product.
However, you can individually disable the power supply function of each port.
If the connected device is a conventional Ethernet device, these ports operate as conventional Ethernet ports without supplying power.
3.2 Power supply class and maximum number of ports to which power can be simultaneously supplied
As a power sourcing device that complies with the PoE standard, this product can supply power to all ports simultaneously with a maximum of 30W per port.
Detection of the connected PD and of its power class is performed automatically, and power supply is started.
3.3 Guard band
The guard band is a margin that is specified for the maximum supplied power in order to avoid unintended stoppage of the power supply.
This product assigns a fixed guard band of 7W for maximum power supply.
3.4 Power supply priority
This product allows you to specify the power supply priority for each PoE port.
In descending order, the priority is critical, high, and low, and all ports are set to low by default.
Between ports that are set to the same priority, the lower-numbered port has the higher priority, so that the priority becomes lower in the order of port number (1 → 2 → 3...).
3.5 PoE power supply operation
This product performs the following operations depending on the amount of electrical power used.
- If the power consumption of the entire system exceeds the PoE power supply capacity
Power supply from the PoE ports is stopped beginning with the lower-priority ports, so that the electrical power consumption stays within the PoE supply limit.
At this time, the MODE LED automatically transitions to STATUS mode, and the SPEED LED flashes orange for ports whose power supply was stopped.
In addition, "portX.X over system power limit" is output to SYSLOG.
- If the amount of power supply capacity is less than the guard band
Power continues to be supplied to each PD that is already being supplied with power, but if a PD is newly connected, power is not supplied to that PD regardless of its power supply priority.
At this time, the MODE LED automatically transitions to STATUS mode, and the SPEED LED is lit orange for ports to which power was not supplied.
- If the power consumption of a specific PoE port exceeds the maximum power that can be supplied to an individual PoE port
Power supply stops for the applicable PoE port. Power continues to be supplied to the other PoE ports.
At this time, the MODE LED automatically transitions to STATUS mode, and the SPEED LED is lit orange for the port whose power supply was stopped.
In addition, "portX.X port power limit" is output to SYSLOG.
- If the power consumption amount is other than the above (within the normal range)
Power continues to be supplied to the PD.
At this time, if the MODE LED status had transitioned to STATUS mode for a reason listed above, the MODE LED automatically returns to the MODE in which it had been.
If a change occurs in the state of a PoE port or in the amount of power that can be supplied, the following operations are performed.
- If power supply is started
"portX.X power on" is output to SYSLOG.
If the MODE LED status is PoE mode, the LINK LED of the port that started supplying power is lit green.
- If power supply is stopped
"portX.X power off" is output to SYSLOG.
If the MODE LED status is PoE mode, the LINK LED of the port that stopped supplying power is unlit.
- If the remaining power supply capacity becomes less than the guard band
"guardband active" is output to SYSLOG.
- If the unit recovers from a state in which the remaining power supply capacity was less than the guard band
"guardband negative" is output to SYSLOG.
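The priority order of section 3.4 and the stop rules of section 3.5, modelled as an added example that is not part of the Yamaha manual. The 7 W guard band, the 30 W per-port maximum and the SYSLOG message texts come from this page; the system capacity is a function argument because this section does not state it, and the port list, the 60 W figure and the function names are constructed.

```python
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}  # critical > high > low
GUARD_BAND_W = 7.0    # fixed guard band stated in the manual
PORT_LIMIT_W = 30.0   # per-port maximum stated in the manual


def by_priority(ports):
    """Highest-priority port first; ties go to the lower port number."""
    return sorted(ports, key=lambda p: (PRIORITY_RANK[p["priority"]], p["port"]))


def enforce_budget(ports, budget_w):
    """Apply the manual's stop rules to ports that are drawing power.

    ports:    list of {"port": int, "priority": str, "draw_w": float}
    budget_w: system PoE capacity in watts (assumption: supplied by the
              caller, since this section of the manual does not give it)
    Returns (ports still powered, SYSLOG message texts in order).
    """
    messages = []
    powered = []
    # A port over the per-port maximum is stopped on its own; the other
    # ports keep their supply.
    for p in by_priority(ports):
        if p["draw_w"] > PORT_LIMIT_W:
            messages.append(f"port1.{p['port']} port power limit")
        else:
            powered.append(p)
    # Over the system capacity, stop ports starting with the lowest
    # priority until consumption is back within the limit.
    total = sum(p["draw_w"] for p in powered)
    while powered and total > budget_w:
        stopped = powered.pop()  # last element = lowest priority
        total -= stopped["draw_w"]
        messages.append(f"port1.{stopped['port']} over system power limit")
    return powered, messages


def accepts_new_pd(powered, budget_w):
    """False while the remaining capacity is below the guard band.

    In that state a newly connected PD gets no power regardless of its
    priority, while PDs that are already powered keep their supply.
    """
    remaining = budget_w - sum(p["draw_w"] for p in powered)
    return remaining >= GUARD_BAND_W


# Constructed scenario: five PDs and a deliberately small 60 W capacity.
SAMPLE_BUDGET_W = 60.0
SAMPLE_PORTS = [
    {"port": 1, "priority": "low", "draw_w": 12.0},
    {"port": 2, "priority": "low", "draw_w": 12.0},
    {"port": 3, "priority": "high", "draw_w": 25.0},
    {"port": 5, "priority": "low", "draw_w": 31.0},
    {"port": 8, "priority": "critical", "draw_w": 20.0},
]

if __name__ == "__main__":
    kept, log = enforce_budget(SAMPLE_PORTS, SAMPLE_BUDGET_W)
    print("powered:", [p["port"] for p in kept])
    print("\n".join(log))
    print("new PD accepted:", accepts_new_pd(kept, SAMPLE_BUDGET_W))
```

Mapping each port's priority to what is plugged into it (for example, cameras and access points set to critical) determines which devices lose power first when the budget is exceeded.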
4 Related Commands
The related commands are shown below.
For details on the commands, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Set PoE power supply function for the entire system | power-inline enable |
Set PoE power supply function for an individual interface | power-inline enable |
Set PoE port description text | power-inline description |
Set PoE port priority order | power-inline priority |
Show PoE power supply information | show power-inline |
5 Examples of Command Execution
5.1 Set PoE port power supply
Set the power supply function for port1.8.
Yamaha(config)#power-inline enable ... (Enable system-wide PoE power supply function *Not necessary with the default settings)
Yamaha(config)#interface port1.8
Yamaha(config-if)#power-inline description "AP1" ... (Set "AP1" as the PoE port's description)
Yamaha(config-if)#power-inline priority critical ... (Set PoE port priority order to highest)
Yamaha(config-if)#power-inline enable ... (Enable the interface's PoE power supply function *Not necessary with the default settings)
Yamaha(config-if)#exit
Yamaha(config)#exit
6 Points of Caution
None
7 Related Documentation
None
- SWR2311P-10G Technical Data (Basic Functions)
- Layer 2 functions
FDB
1 Function Overview
The Forwarding Database (subsequently referred to as the FDB) manages the combination of destination MAC addresses, transmission ports, and VLANs.
This product uses the FDB to determine the forwarding destination port for the received frames.
- Enable/disable acquisition function
- Timeout adjustment for FDB entries acquired
- Timeout clear for FDB entries acquired
- Manual registration of FDB entries (static entries)
2 Definition of Terms Used
- FDB
Abbreviation of "Forwarding Database."
This database manages the combination of destination MAC address, transmission port, and VLAN.
- FDB entry
This is data registered in the FDB, and consists of multiple elements.
3 Function Details
3.1 FDB entry
On this product, the contents listed in the table below are registered as a single entry in the FDB.
Element managed | Description |
---|---|
MAC address | A device's MAC address can be unicast or multicast. |
VLAN-ID (FID) | The VLAN ID to which a device is associated. This is a value from 1–4094. |
Forwarding destination interface ID | The interface on which the device exists*. (*: LAN/SFP port or Static/LACP logical interface) |
Action | The method of processing the frame addressed to the device. There are two processing methods, "discard" and "forward". |
Registration classification | The registration type for the entry. There are three types, as shown below. * dynamic ... Entries registered through automatic acquisition * static ... Entries registered manually via commands * multicast ... Entries acquired by IGMP/MLD Snooping |
3.1.1 MAC address
This is one of the FDB key items; the VLAN-ID and MAC address are combined to become the record key.
Operation differs depending on whether the MAC address is unicast or multicast.
- Unicast
Since the forwarding destination interface ID must be uniquely determined for a given record key, duplication is not allowed.
(Multiple combinations of the same VLAN-ID and MAC address do not exist.)
- Multicast
Multiple forwarding destination interface IDs may exist for a given record key.
In this case, frames are sent to multiple forwarding destination interface IDs.
Up to 16,384 addresses (described later*) can be registered on this product, including entries registered via automatic acquisition and manual registration.
The MAC addresses of all received frames can be acquired, and the source MAC address is acquired and registered in the FDB.
(However, if the transmission source MAC address is multicast, this is considered an invalid frame and is discarded without being registered.)
Automatically acquired MAC address information is maintained until the ageing timeout.
If multiple multicast MAC addresses are specified, all are considered as one in this case.
VLAN  port     mac             fwd      type    timeout
1     port1.1  0100.0000.1000  forward  static  0
1     port1.2  0100.0000.1000  forward  static  0
1     port1.3  0100.0000.1000  forward  static  0
1     port1.4  0100.0000.1000  forward  static  0
1     port1.5  0100.0000.1000  forward  static  0
1     port1.6  0100.0000.1000  forward  static  0
3.1.2 VLAN-ID
MAC address acquisition is done per VLAN, and the MAC address and VLAN are managed in the FDB as a pair.
For different VLANs, identical MAC addresses are also acquired.
3.1.3 Forwarding destination interface ID
The following IDs are registered.
- LAN/SFP port (port)
- Static/LACP logical interface (sa,po)
3.1.4 Action
This defines the action for a received frame that matches a record key.
If the MAC address is unicast, the actions are as follows.
- forward ... Forward to the forwarding destination interface ID.
- discard ... Discard without forwarding.
If the MAC address is multicast, the actions are as follows.
- forward ... Forward to the forwarding destination interface ID.
- discard ... Cannot be specified.
(The discard setting cannot be made if the MAC address is multicast.)
3.1.5 Registration types
- dynamic ... Registered and deleted automatically. The registration result does not remain in the config settings file.
- static ... Registered and deleted manually, and therefore remains in the config settings file.
- multicast ... Automatically registered and deleted by the IGMP/MLD snooping function. The registration result does not remain in the config settings file.
3.2 Automatic MAC address acquisition
Automatic MAC address acquisition refers to the active creation of FDB entries based on the source MAC address of the received frame and the reception port.
Entries registered through automatic acquisition are called "dynamic entries".
A timer (ageing time) is used to monitor individual entries.
Entries for MAC addresses from which no frames have been received within a certain amount of time will be deleted from the FDB (see below*).
This prevents invalid device entries from being left over in the FDB due to power shutoff, being moved and so on.
If a frame is received within the specified amount of time, the monitoring timer will be reset.
The control specifications for automatic acquisition are shown below.
- Automatic MAC address acquisition can be enabled or disabled using the mac-address-table learning command. The setting is enabled by default.
- If automatic acquisition is changed from enabled to disabled, all dynamic entries that have been learned will be deleted. The acquisition function "disable" setting is useful when you want to flood all ports with all received frames.
- The ageing time for dynamic entries can be adjusted by specifying a value from 10–400 seconds, using the mac-address-table ageing-time command. This value is set to 300 seconds by default.
- Clear the dynamic entries that have been acquired by using the clear mac-address-table dynamic command. The entire contents of the FDB can be cleared at once; or a VLAN number can be specified and all MAC addresses acquired by that VLAN can be cleared from the FDB. Specifying the port number will clear all MAC addresses from the FDB that were acquired from that port.
- Use the show mac-address-table command to check the automatic acquisition status.
* The time after which an FDB entry is actually deleted from the FDB by the timer (ageing time) is as follows.
- Where "T" is the ageing time, the entry is deleted after at least T seconds and no more than 2*T seconds.
3.3 Setting MAC addresses manually
In addition to automatic acquisition using received frames, MAC addresses can be set on this product by using user commands.
Entries that have been registered by using commands are called "static entries".
The specifications for manual settings are shown below.
- Use the mac-address-table static command to register static entries.
- When registering static entries, dynamic acquisition will not be performed on the corresponding MAC addresses.
Entries that have already been acquired will be deleted from the FDB, and will be registered as static entries.
- Use the no mac-address-table static command to delete static entries.
- Either "forward" or "discard" can be specified for the destination MAC address of a received frame.
- When forwarding is specified, either the LAN/SFP port forwarding destination or the static/LACP logical interface can be specified.
- When discarding is specified, frames addressed to the MAC address will not be forwarded to any port, and will be discarded.
- If registering a multicast MAC address, you cannot specify "discard."
Also, MAC addresses in the following ranges cannot be registered.
- 0180.c200.0000–0180.c200.000f
- 0180.c200.0020–0180.c200.002f
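The registration rules in this section can be checked before a change is entered on the switch. The following is an added example, not part of the manual: a small linter for mac-address-table static lines. The function names are hypothetical, and the interface check only tests the "port", "sa" and "po" prefixes named in 3.1.3.

```python
import re

# MAC ranges that the manual says cannot be registered (inclusive bounds).
RESERVED_RANGES = (
    (0x0180C2000000, 0x0180C200000F),
    (0x0180C2000020, 0x0180C200002F),
)

MAC_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")
CMD_RE = re.compile(
    r"^mac-address-table\s+static\s+(?P<mac>\S+)\s+(?P<action>\S+)"
    r"\s+(?P<ifname>\S+)\s+vlan\s+(?P<vlan>\S+)$"
)


def is_multicast(mac):
    """True if the I/G bit (lowest bit of the first octet) is set."""
    return bool((mac >> 40) & 0x01)


def lint_static_entry(line):
    """Return a list of problems for one command line (empty list = OK)."""
    # Drop a CLI prompt such as "Yamaha(config)#" if one is present.
    command = line.split("#", 1)[-1].strip()
    m = CMD_RE.match(command)
    if not m:
        return ["syntax: expected 'mac-address-table static MAC ACTION IFNAME vlan VLAN-ID'"]

    problems = []
    action = m["action"]
    if action not in ("forward", "discard"):
        problems.append("action: must be 'forward' or 'discard'")
    # Assumption: only the name prefix is checked (port / sa / po).
    if not m["ifname"].startswith(("port", "sa", "po")):
        problems.append("interface: expected a port, sa or po interface name")
    vlan = m["vlan"]
    if not (re.fullmatch(r"[0-9]+", vlan) and 1 <= int(vlan) <= 4094):
        problems.append("vlan: VLAN-ID must be 1-4094")
    if not MAC_RE.match(m["mac"]):
        problems.append("mac: expected hhhh.hhhh.hhhh notation")
        return problems

    mac = int(m["mac"].replace(".", ""), 16)
    if any(lo <= mac <= hi for lo, hi in RESERVED_RANGES):
        problems.append("reserved-range: this MAC address cannot be registered")
    if is_multicast(mac) and action == "discard":
        problems.append("multicast-discard: 'discard' cannot be set for a multicast MAC")
    return problems


# Constructed sample lines (not taken from a real configuration).
SAMPLE_LINES = [
    "Yamaha(config)#mac-address-table static 00a0.de11.2233 forward port1.2 vlan 10",
    "Yamaha(config)#mac-address-table static 00a0.de11.2233 discard port1.2 vlan 10",
    "Yamaha(config)#mac-address-table static 0100.0000.1000 discard port1.1 vlan 1",
    "Yamaha(config)#mac-address-table static 0180.c200.0002 forward port1.1 vlan 1",
    "Yamaha(config)#mac-address-table static 00a0.de11.2233 forward port1.2 vlan 4095",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        result = lint_static_entry(sample)
        print(sample.split("#", 1)[-1], "->", result or "OK")
```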
4 Related Commands
4.1 List of related commands
Operations | Operating commands |
---|---|
Enable/disable MAC address acquisition function | mac-address-table learning |
Set dynamic entry ageing time | mac-address-table ageing-time |
Clear dynamic entry | clear mac-address-table dynamic |
Register static entry | mac-address-table static |
Delete static entry | no mac-address-table static |
Refer to MAC address table | show mac-address-table |
5 Examples of Command Execution
5.1 Referring to the FDB
Yamaha#show mac-address-table
VLAN  port     mac             fwd      type     timeout
1     port1.2  00a0.de11.2233  forward  static   0
1     port1.1  1803.731e.8c2b  forward  dynamic  300
1     port1.1  782b.cbcb.218d  forward  dynamic  300
5.2 Deleting a dynamic entry
This example shows how to delete an entry registered in the FDB (MAC address 00:a0:de:11:22:33).
Yamaha#clear mac-address-table dynamic address 00a0.de11.2233
5.3 Changing the dynamic entry ageing time
This example shows how to change the dynamic entry ageing time to 400 seconds.
Yamaha(config)#mac-address-table ageing-time 400
5.4 Registering a static entry
This example shows how frames addressed to a device associated with VLAN #10 (MAC address 00:a0:de:11:22:33) can be forwarded to LAN port 2 (port1.2).
Yamaha(config)#mac-address-table static 00a0.de11.2233 forward port1.2 vlan 10
This example shows how to discard the frames sent to a device associated with VLAN #10 (MAC address 00:a0:de:11:22:33).
Specifying the interface name ("port1.2" in the example) will have no effect on operations. Since this cannot be omitted, specify the LAN/SFP port.
Yamaha(config)#mac-address-table static 00a0.de11.2233 discard port1.2 vlan 10
5.5 Deleting a static entry
This example shows how to delete the forwarding settings for frames sent to a device associated with VLAN #10 (MAC address 00:a0:de:11:22:33).
Yamaha(config)#no mac-address-table static 00a0.de11.2233 forward port1.2 vlan 10
6 Points of Caution
If the l2-unknown-mcast command is configured to discard unknown multicast frames, a static entry registered with the mac-address-table static command to forward a multicast MAC address will have no effect.
7 Related Documentation
None
VLAN
1 Function Overview
VLAN (Virtual LAN) is technology that allows a LAN to be constructed virtually, without regard to the physical structure of connections.
This product lets you use VLANs to divide the LAN into multiple broadcast domains.
The VLANs that are supported by this product are shown below.
Supported VLAN types
VLAN types | Summary |
---|---|
Port-based VLAN | Groups that can communicate are configured for each LAN/SFP port. |
Tagged VLAN | Groups that can communicate are identified, based on the fixed-length tag information appended to the Ethernet frame. Multiple and different VLANs can be made to communicate by means of one LAN/SFP port. |
Private VLAN | Groups that can communicate within the same VLAN can be divided up. This includes the following three VLAN types. |
Multiple VLAN | Each LAN/SFP port can be divided into multiple groups that can communicate. Refer to this information for multiple VLANs. |
Voice VLAN | This allows audio and data to be handled separately on an access port. |
2 Definition of Terms Used
- Broadcast domain
This is a range in which broadcast frames can be delivered in a network, such as an Ethernet.
Devices that are connected by relaying a data link layer (MAC layer), such as switching hubs, can belong to the same broadcast domain.
A broadcast domain generally refers to the network in an Ethernet.
3 Function Details
3.1 Defining a VLAN ID
On this product, a maximum of 255 VLANs can be defined, with VLAN IDs ranging from 2–4094. (ID #1 is used as the default VLAN ID.)
VLAN IDs are defined using the vlan command, after the vlan database command is used to enter VLAN mode.
For details, refer to the Command Reference.
3.2 VLAN settings for the LAN/SFP ports
The following settings must be configured after defining the VLANs to use, in order to make use of VLAN on this product.
- LAN/SFP port mode settings
- VLAN associations for LAN/SFP ports
- The LAN/SFP ports on this product are set to one of the following modes.
- Access port
This is a port that handles untagged frames. It can be associated with one VLAN.
- Trunk port
This is a port that handles both tagged and untagged frames.
It can be associated with multiple VLANs, and is mainly used to connect switches to one another.
This product only supports IEEE 802.1Q. (Cisco ISL is not supported.)
- Use the switchport mode command to set the LAN/SFP port mode.
When setting the trunk port, use the input filter ("ingress-filter") to control whether frames not belonging to the specified VLAN ID will be handled.
- Input filter enabled: only frames set to the specified VLAN ID will be handled.
- Input filter disabled: all VLAN IDs will be handled.
- Use the show interface switchport command to check the LAN/SFP port setting mode.
- Use the switchport access vlan command to set which VLANs belong to the access port.
- Use the switchport trunk allowed vlan command to set which VLANs belong to the trunk port.
As the trunk port can be associated with multiple VLANs, use the "all", "none", "except", "add" and "remove" settings as shown below.
- add
Adds the specified VLAN ID.
VLAN IDs that can be added are limited by the IDs that are defined by the VLAN mode.
- remove
Deletes the specified VLAN ID.
- all
Adds all VLAN IDs specified by the VLAN mode.
The VLAN IDs added by the VLAN mode can also be added after this command is executed.
- none
The trunk port will not be associated with any VLAN.
- except
Adds all other VLAN IDs except for the ones specified.
The VLAN IDs added by the VLAN mode can also be added after this command is executed.
- A VLAN that uses untagged frames (native VLAN) can be specified for the trunk port.
- Tagged audio frames can be transferred by specifying a voice VLAN for an access port.
- Use the show vlan command to check which VLANs belong to a LAN/SFP port.
3.3 VLAN access control
This product provides a VLAN access map function, to control access to the VLAN.
The VLAN access map can be associated with a standard/extended IP access control list and a MAC address control list as VLAN ID filtering parameters.
The VLAN access map is operated using the commands shown below.
- Create VLAN access map: vlan access-map command
- Set VLAN access map parameters: match access-list command
- Assign VLAN access map: vlan filter command
- Show VLAN access map: show vlan access-map command
3.4 Default VLAN
The default VLAN is VLAN #1 (vlan1), which exists in this switch by default.
As the default VLAN is a special VLAN, it always exists and cannot be deleted.
The following operations can be used to automatically delete the relevant port from the default VLAN.
- Setting the VLAN for an access port
- Setting any VLAN other than the default as the native VLAN for the trunk port
- Setting the native VLAN for the trunk port to "none"
3.5 Native VLAN
A native VLAN is a VLAN that associates untagged frames received by the LAN/SFP port that was set as a trunk port.
Defining a LAN/SFP port as a trunk port will set the default VLAN (VLAN #1) as the native VLAN.
Use the switchport trunk native vlan command when specifying a certain VLAN as the native VLAN.
The native VLAN can be set to none, when setting the relevant LAN/SFP port to not handle untagged frames. (Specify "none" in the switchport trunk native vlan command.)
3.6 Private VLAN
This product can configure a private VLAN for further dividing up groups that can communicate within the same subnet. The operating specifications are shown below.
- A private VLAN contains the following three VLAN types.
- Primary VLAN
This is the parent VLAN of the secondary VLAN.
Only one primary VLAN can be set per private VLAN.
- Isolated VLAN
This is a kind of secondary VLAN, which only sends traffic to a primary VLAN.
Only one primary VLAN can be set per private VLAN.
- Community VLAN
This is a kind of secondary VLAN, which only sends traffic to VLANs in the same community and to a primary VLAN.
Multiple community VLANs can be set for each private VLAN.
- A primary VLAN may contain multiple promiscuous ports.
Access ports, trunk ports, or static/LACP logical interfaces are the ports that can be used as promiscuous ports.
- Only access ports can be used as host ports for a secondary VLAN (isolated VLAN, community VLAN).
- A secondary VLAN (isolated VLAN, community VLAN) can be associated with one primary VLAN.
Use the switchport private-vlan mapping command to create the association.
- An isolated VLAN can be associated with multiple promiscuous ports contained within a private VLAN.
- A community VLAN can be associated with multiple promiscuous ports contained within a private VLAN.
3.7 Voice VLAN
Voice VLAN is a function that can prevent audio from being adversely affected even when IP phone voice traffic is mixed with PC data traffic.
Some IP phones have two ports: a port for connection to the switch and a port for connection to the PC.
By connecting the switch to the IP phone, and the IP phone to the PC, it is possible to use one port of the switch to handle the IP phone audio traffic and the PC's data traffic.
Using the voice VLAN function in this type of configuration allows the audio data and the PC data to be separated so that noise is less likely to occur on the IP phone, or to handle the audio data with a higher priority.
Voice VLAN settings are made by the switchport voice vlan command.
Set one of the following to be handled as voice traffic.
- Frames with the 802.1p tag
- Priority tag frames (802.1p tags with a VLAN ID of 0 and only the CoS value specified)
- Untagged frames
When tagged frames are handled as voice traffic, untagged frames are handled as data traffic.
By using LLDP, this product can automatically apply settings to a connected IP telephone.
The conditions for making automatic settings are as follows.
- LLDP-MED TLV transmission is enabled on the port for which voice VLAN is enabled.
- The connected IP phone supports settings via LLDP-MED.
If the above conditions are satisfied, then when an IP phone is connected to the corresponding port, the voice VLAN information (tagged/untagged, VLAN ID, the CoS value to be used, DSCP value) is notified according to the Network Policy TLV of LLDP-MED.
The IP phone will transmit voice data according to the information that was provided to it from this unit.
The CoS value specified for the IP phone is set by the switchport voice cos command, and the DSCP value is set by the switchport voice dscp command.
In order to give priority to handling voice traffic, QoS settings (enable QoS, set trust mode) are also required.
The limitations of voice VLAN are as follows.
- It can be used only on a physical interface port that is assigned as an access port.
It cannot be used on a link aggregation logical interface or on a VLAN logical interface.
- The voice VLAN function and the port authentication function cannot be used together.
4 Related Commands
4.1 List of related commands
The related commands are shown below.
Operations | Operating commands |
---|---|
Enter VLAN mode | vlan database |
Define VLAN interface, or change a predefined VLAN | vlan |
Define a private VLAN | private-vlan |
Set the secondary VLAN for a private VLAN | private-vlan association |
Create VLAN access map | vlan access-map |
Set VLAN access map parameters | match |
Assign VLAN access map to VLAN | vlan filter |
Set access port (untagged port) | switchport mode access |
Set associated VLAN of an access port (untagged port) | switchport access vlan |
Set trunk port (tagged port) | switchport mode trunk |
Set associated VLAN for trunk port (tagged port) | switchport trunk allowed vlan |
Set native VLAN for trunk port (tagged port) | switchport trunk native vlan |
Set ports for private VLAN (promiscuous port, host port) | switchport mode private-vlan |
Configure VLAN for private VLAN port and host port | switchport private-vlan host-association |
Configure VLAN for private VLAN port and promiscuous port | switchport private-vlan mapping |
Configure voice VLAN | switchport voice vlan |
Set CoS value for voice VLAN | switchport voice cos |
Set DSCP value for voice VLAN | switchport voice dscp |
Show VLAN information | show vlan |
Show private VLAN information | show vlan private-vlan |
Show VLAN access map | show vlan access-map |
Show VLAN access map filter | show vlan filter |
5 Examples of Command Execution
5.1 Port-based VLAN settings
In this example, a port-based VLAN is configured for this product in order to allow communication between hosts A–B and hosts C–D.
Port VLAN setting example
The LAN port settings for this product are as follows.
- Set LAN ports #1/#2 as access ports, and associate them with VLAN #1000.
- Set LAN ports #3/#4 as access ports, and associate them with VLAN #2000.
- Switch to VLAN mode using the vlan database command, and define two VLANs using the vlan command.
Yamaha(config)# vlan database … (Transition to VLAN mode)
Yamaha(config-vlan)# vlan 1000 … (Create VLAN #1000)
Yamaha(config-vlan)# vlan 2000 … (Create VLAN #2000)
Yamaha(config-vlan)# exit
- Set LAN ports #1–2 as access ports, and associate them with VLAN #1000.
Yamaha(config)# interface port1.1-2 … (Transition to interface mode)
Yamaha(config-if)# switchport mode access … (Set as access port)
Yamaha(config-if)# switchport access vlan 1000 … (Specify VLAN ID)
Yamaha(config-if)# exit
- Set LAN ports #3–4 as access ports, and associate them with VLAN #2000.
Yamaha(config)# interface port1.3-4
Yamaha(config-if)# switchport mode access
Yamaha(config-if)# switchport access vlan 2000
Yamaha(config-if)# exit
- Confirm the VLAN settings.
Yamaha#show vlan brief
(u)-Untagged, (t)-Tagged
VLAN ID Name             State   Member ports
======= ================ ======= ===============================
1       default          ACTIVE  port1.5(u) port1.6(u) port1.7(u) port1.8(u)
1000    VLAN1000         ACTIVE  port1.1(u) port1.2(u)
2000    VLAN2000         ACTIVE  port1.3(u) port1.4(u)
5.2 Tagged VLAN settings
In this example, a tagged VLAN is configured between #A and #B of this product, in order to communicate between hosts A–B and hosts C–D.
Tagged VLAN setting example
The LAN port settings for #A and #B of this product are as follows.
- Set LAN port #1 as an access port, and associate it with VLAN #1000
- Set LAN port #2 as an access port, and associate it with VLAN #2000
- Set LAN port #3 as a trunk port, and associate it with VLAN #1000 and VLAN #2000
- [Switch #A/#B] Define VLAN.
Yamaha(config)#vlan database … (Transition to VLAN mode)
Yamaha(config-vlan)#vlan 1000 … (Define VLAN 1000)
Yamaha(config-vlan)#vlan 2000 … (Define VLAN 2000)
- [Switch #A/#B] Set LAN port #1 as the access port, and associate it with VLAN #1000.
Yamaha(config)#interface port1.1 … (Transition to interface mode)
Yamaha(config-if)#switchport mode access … (Set as access port)
Yamaha(config-if)#switchport access vlan 1000 … (Associate to VLAN 1000)
Yamaha(config-if)#exit
- [Switch #A/#B] Set LAN port #2 as the access port, and associate it with VLAN #2000.
Yamaha(config)#interface port1.2 … (Transition to interface mode)
Yamaha(config-if)#switchport mode access … (Set as access port)
Yamaha(config-if)#switchport access vlan 2000 … (Associate to VLAN 2000)
Yamaha(config-if)#exit
- [Switch #B] Set LAN port #3 as a trunk port, and associate it with VLAN #1000/#2000.
Yamaha(config)#interface port1.3 … (Transition to interface mode)
Yamaha(config-if)#switchport mode trunk … (Set as trunk port)
Yamaha(config-if)#switchport trunk allowed vlan add 1000 … (Add VLAN 1000)
Yamaha(config-if)#switchport trunk allowed vlan add 2000 … (Add VLAN 2000)
Yamaha(config-if)#exit
- Confirm the VLAN settings.
Yamaha#show vlan brief
(u)-Untagged, (t)-Tagged
VLAN ID Name                             State   Member ports
======= ================================ ======= ======================
1       default                          ACTIVE  port1.3(u)
1000    VLAN1000                         ACTIVE  port1.1(u) port1.3(t)
2000    VLAN2000                         ACTIVE  port1.2(u) port1.3(t)
5.3 Private VLAN settings
This example makes private VLAN settings for this product, to achieve the following.
Hosts connected to ports 1–7 will connect to the Internet and other external lines, through the line to which port 8 is connected
Communications between hosts connected to ports 1–4 are blocked (isolated VLAN: VLAN #21)
Communications between hosts connected to ports 5–7 are permitted (community VLAN: VLAN #22)
Communications between hosts connected to ports 1–4 and ports 5–7 are blocked
Private VLAN setting example
- Define the VLAN ID to be used for the private VLAN.
Yamaha(config)# vlan database … (Transition to VLAN mode)
Yamaha(config-vlan)# vlan 2 … (Create VLAN)
Yamaha(config-vlan)# vlan 21
Yamaha(config-vlan)# vlan 22
Yamaha(config-vlan)# private-vlan 2 primary … (Set Primary VLAN)
Yamaha(config-vlan)# private-vlan 21 isolated … (Set Isolated VLAN)
Yamaha(config-vlan)# private-vlan 22 community … (Set Community VLAN)
Yamaha(config-vlan)# private-vlan 2 association add 21 … (Associate with Primary VLAN)
Yamaha(config-vlan)# private-vlan 2 association add 22
Yamaha(config-vlan)# exit
- Configure the isolated VLAN (VLAN #21) for LAN ports 1–4.
Yamaha(config)#interface port1.1-4 … (Transition to interface mode)
Yamaha(config-if)#switchport mode access … (Set as access port)
Yamaha(config-if)#switchport access vlan 21 … (Associate to VLAN #21)
Yamaha(config-if)#switchport mode private-vlan host … (Set as private VLAN's host port)
Yamaha(config-if)#switchport private-vlan host-association 2 add 21
Yamaha(config-if)#exit
- Configure the community VLAN (VLAN #22) for LAN ports 5–7.
Yamaha(config)#interface port1.5-7 … (Transition to interface mode)
Yamaha(config-if)#switchport mode access … (Set as access port)
Yamaha(config-if)#switchport access vlan 22 … (Associate to VLAN #22)
Yamaha(config-if)#switchport mode private-vlan host … (Set as private VLAN's host port)
Yamaha(config-if)#switchport private-vlan host-association 2 add 22
Yamaha(config-if)#exit
- Configure the primary VLAN (VLAN #2) for LAN port 8. (Promiscuous port)
Yamaha(config)#interface port1.8 … (Transition to interface mode)
Yamaha(config-if)#switchport mode access … (Set as access port)
Yamaha(config-if)#switchport access vlan 2 … (Associate to VLAN #2)
Yamaha(config-if)#switchport mode private-vlan promiscuous … (Set as private VLAN's promiscuous port)
Yamaha(config-if)#switchport private-vlan mapping 2 add 21
Yamaha(config-if)#switchport private-vlan mapping 2 add 22
Yamaha(config-if)#exit
- Confirm the VLAN settings.
Yamaha#show vlan brief
(u)-Untagged, (t)-Tagged
VLAN ID Name                             State   Member ports
======= ================================ ======= ======================
1       default                          ACTIVE
2       VLAN0002                         ACTIVE  port1.8(u)
21      VLAN0021                         ACTIVE  port1.1(u) port1.2(u) port1.3(u) port1.4(u)
22      VLAN0022                         ACTIVE  port1.5(u) port1.6(u) port1.7(u)
Yamaha#show vlan private-vlan
PRIMARY SECONDARY TYPE       INTERFACES
------- --------- ---------- ----------
2       21        isolated   port1.1 port1.2 port1.3 port1.4
2       22        community  port1.5 port1.6 port1.7
5.4 Voice VLAN settings
Make voice VLAN settings for this product, and implement the following.
Connect an IP phone to port 1. Connect a PC to the other LAN port of the IP phone.
Using LLDP-MED, make the following settings from this product for the IP phone.
- As voice traffic for the IP phone, transmit and receive 802.1q tagged frames of VLAN #2.
- Untagged frames are transmitted and received as PC data traffic.
- Use a CoS value of 6 when transmitting and receiving voice traffic.
- Define the VLAN ID used by the voice VLAN.
Yamaha(config)# vlan database … (transition to vlan mode)
Yamaha(config-vlan)# vlan 2 … (create a VLAN)
Yamaha(config-vlan)# exit
- Set voice VLAN for LAN port #1.
Yamaha(config)#interface port1.1 … (transition to interface mode)
Yamaha(config-if)#switchport mode access … (assign as access port)
Yamaha(config-if)#switchport voice vlan 2 … (set voice traffic as tagged frames of VLAN #2)
Yamaha(config-if)#switchport voice cos 6 … (set CoS value to 6 for voice traffic)
Yamaha(config-if)#exit
- Set QoS for LAN port #1.
Yamaha(config)#qos enable … (enable QoS)
Yamaha(config)#interface port1.1 … (transition to interface mode)
Yamaha(config-if)#qos trust cos ... (set trust mode to CoS)
Yamaha(config-if)#exit
- Set LLDP-MED transmission and reception for LAN port #1.
Yamaha(config)#interface port1.1 … (transition to interface mode)
Yamaha(config-if)#lldp-agent ... (create LLDP agent, transition modes)
Yamaha(lldp-agent)#tlv-select med ... (set LLDP-MED TLV)
Yamaha(lldp-agent)#set lldp enable txrx ... (set LLDP transmission and reception mode)
Yamaha(lldp-agent)#exit
Yamaha(config-if)#exit
Yamaha(config)#lldp run … (enable LLDP function)
Yamaha(config)#exit
6 Points of Caution
A host port that is associated with a private VLAN cannot be aggregated as a link aggregation logical interface; this limitation is specific to host ports.
7 Related Documentation
Multiple VLAN
1 Function Overview
On a multiple VLAN, by associating a port with a multiple VLAN group, you can block traffic from ports that do not belong to the same multiple VLAN group.
You can also join a single port to multiple VLAN groups.
By using this function, it is easy to handle requests to block only traffic between terminals, such as the example below.
Example of using multiple VLANs
2 Definition of Terms Used
None
3 Function Details
3.1 Operating Specifications
Use the switchport multiple-vlan group command to configure a multiple VLAN group.
Multiple VLANs can be configured on LAN/SFP ports and link aggregation logical interfaces.
If you wish to configure a multiple VLAN group for a trunk port, this will be applied to all relevant VLANs that belong to the port in question.
The VLAN group settings will also be applied to a multicast frame.
This can be used together with the following functions. Control of traffic enable/disable for these functions is set according to the multiple VLAN settings.
- Port-based VLAN/tagged VLAN/voice VLAN
- Port authentication
A multiple VLAN can contain up to 256 groups.
Use the show vlan multiple-vlan group command to confirm the setting status for the interface of each multiple VLAN group.
3.2 Examples of traffic between multiple VLAN groups
Example of traffic for a multiple VLAN group
When multiple VLAN groups (Group #1 through #4) are set as shown in the diagram above, the table below shows whether traffic between specific ports A and B is enabled or disabled, and the reason.
Traffic enabled/disabled between specific ports A/B
Port number A (group) | Port number B (group) | Traffic enable/disable | Reason |
---|---|---|---|
port1.1 (Group 1) | port1.2 (Group 2) | Disabled | The multiple VLAN group is different |
port1.1 (Group 1) | port1.3 (Group 1) | Enabled | Associated with multiple VLAN group #1 |
port1.2 (Group 2) | port1.4 (Group 2) | Enabled | Associated with multiple VLAN group #2 |
port1.5 (Group 3) | port1.7 (Group 3,4) | Enabled | Associated with multiple VLAN group #3 |
port1.6 (no group) | port1.8 (Group 4) | Disabled | The multiple VLAN group is different |
port1.7 (Group 3,4) | port1.8 (Group 4) | Enabled | Associated with multiple VLAN group #4 |
Also, traffic can be established between ports that are not associated with a multiple VLAN group, so long as it is within the same VLAN.
4 Related Commands
Related commands are shown below.
For details on the commands, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Multiple VLAN group settings | switchport multiple-vlan group |
Settings for the name of multiple VLAN group | multiple-vlan group name |
Show multiple VLANs | show vlan multiple-vlan group |
5 Examples of Command Execution
5.1 Multiple VLAN settings
This configures multiple VLAN settings to achieve the following.
Hosts connected to ports 1–7 will connect to the Internet and other external lines, through the line to which port 8 is connected
Communications between hosts connected to ports 1–4 are blocked
Communications between hosts connected to ports 5–7 are permitted
Communications between hosts connected to ports 1–4 and ports 5–7 are blocked
Examples of multiple VLAN settings
The multiple VLAN group settings are as follows.
- port1.1: Associated with multiple VLAN group #1
- port1.2: Associated with multiple VLAN group #2
- port1.3: Associated with multiple VLAN group #3
- port1.4: Associated with multiple VLAN group #4
- port1.5: Associated with multiple VLAN group #5
- port1.6: Associated with multiple VLAN group #5
- port1.7: Associated with multiple VLAN group #5
- port1.8: Associated with multiple VLAN groups #1, #2, #3, #4, #5
- This sets the name of multiple VLAN group #1 to “Network1”.
Yamaha(config)# multiple-vlan group 1 name Network1 …(settings for the name of multiple VLAN group #1)
- This sets the name of multiple VLAN group #5 to “Network5”.
Yamaha(config)# multiple-vlan group 5 name Network5 …(settings for the name of multiple VLAN group #5)
- Associates port1.1 through port1.4 with multiple VLAN groups #1 through #4 respectively.
Yamaha(config)# interface port1.1 … (transition to interface mode)
Yamaha(config-if)# switchport multiple-vlan group 1 … (multiple VLAN group settings)
Yamaha(config-if)# exit
Yamaha(config)# interface port1.2 … (transition to interface mode)
Yamaha(config-if)# switchport multiple-vlan group 2 … (multiple VLAN group settings)
Yamaha(config-if)# exit
Yamaha(config)# interface port1.3 … (transition to interface mode)
Yamaha(config-if)# switchport multiple-vlan group 3 … (multiple VLAN group settings)
Yamaha(config-if)# exit
Yamaha(config)# interface port1.4 … (transition to interface mode)
Yamaha(config-if)# switchport multiple-vlan group 4 … (multiple VLAN group settings)
Yamaha(config-if)# exit
- This associates port1.5 through port1.7 with multiple VLAN group #5.
Yamaha(config)# interface port1.5-7 … (transition to interface mode)
Yamaha(config-if)# switchport multiple-vlan group 5 … (specify multiple VLAN group)
Yamaha(config-if)# exit
- This associates port1.8 with multiple VLAN groups #1, #2, #3, #4, #5.
Yamaha(config)# interface port1.8 … (transition to interface mode)
Yamaha(config-if)# switchport multiple-vlan group 1-5 … (specify multiple VLAN group)
Yamaha(config-if)# exit
- This checks the multiple VLAN group settings.
Yamaha>show vlan multiple-vlan group
GROUP ID  Name                              Member ports
========  ================================  ======================
1         Network1                          port1.1 port1.8
2         GROUP002                          port1.2 port1.8
3         GROUP003                          port1.3 port1.8
4         GROUP004                          port1.4 port1.8
5         Network5                          port1.5 port1.6 port1.7 port1.8
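The forwarding rules from section 3 and the four goals of this example can be checked mechanically against the show vlan multiple-vlan group output. The Python below is an added example, not part of the Yamaha manual: the function names are hypothetical, the capture is constructed from the output shown above, all ports are assumed to be in the same VLAN, and group names are assumed to contain no spaces.

```python
import re
from itertools import combinations

# Constructed capture, matching the output shown in this section.
SHOW_OUTPUT = """\
GROUP ID  Name                              Member ports
========  ================================  ======================
1         Network1                          port1.1 port1.8
2         GROUP002                          port1.2 port1.8
3         GROUP003                          port1.3 port1.8
4         GROUP004                          port1.4 port1.8
5         Network5                          port1.5 port1.6 port1.7 port1.8
"""


def parse_groups(text):
    """Return {port: set(group_ids)} from the show command output."""
    membership = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue  # header, separator or blank line
        group_id = int(fields[0])
        for port in fields[2:]:
            if re.fullmatch(r"port\d+\.\d+", port):
                membership.setdefault(port, set()).add(group_id)
    return membership


def can_forward(membership, a, b):
    """Apply the rules of section 3 to two ports in the same VLAN."""
    ga, gb = membership.get(a, set()), membership.get(b, set())
    if not ga and not gb:
        return True  # neither port is in a group: ordinary VLAN forwarding
    return bool(ga & gb)  # otherwise the ports must share at least one group


def intended_policy():
    """The four goals listed at the start of section 5.1, as port pairs."""
    uplink = "port1.8"
    isolated = [f"port1.{n}" for n in range(1, 5)]
    shared = [f"port1.{n}" for n in range(5, 8)]
    policy = {frozenset((p, uplink)): True for p in isolated + shared}
    for a, b in combinations(isolated, 2):
        policy[frozenset((a, b))] = False
    for a, b in combinations(shared, 2):
        policy[frozenset((a, b))] = True
    for a in isolated:
        for b in shared:
            policy[frozenset((a, b))] = False
    return policy


def audit(membership, policy):
    """Return (port_a, port_b, expected, actual) for every pair that deviates."""
    violations = []
    for pair, expected in policy.items():
        a, b = sorted(pair)
        actual = can_forward(membership, a, b)
        if actual != expected:
            violations.append((a, b, expected, actual))
    return sorted(violations)


if __name__ == "__main__":
    for finding in audit(parse_groups(SHOW_OUTPUT), intended_policy()):
        print("policy deviation:", finding)
```

Running the audit after every configuration change catches a port that was added to a shared group by mistake, which would silently open a path between hosts that are meant to be isolated.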
6 Points of Caution
The points of caution regarding this function are as follows.
- The function cannot be used in conjunction with a private VLAN.
- All ports that belong to a link aggregation logical interface must be associated with the same multiple VLAN group.
- A multiple VLAN group applies only to forwarding between ports. Packets originated by the switch itself are not affected by the settings of a multiple VLAN group.
- Even if a multiple VLAN is configured, communication may not work correctly due to the following influences.
- Block status of spanning tree
- IGMP snooping/MLD snooping status
- Blocked status of loop detection
7 Related Documentation
- Layer 2 functions: VLAN
Spanning tree
1 Function Overview
The spanning tree is a function that maintains redundancy in the network routes while preventing loops.
Normally, an L2 switch floods broadcast packets to the adjacent switches.
If the network is constructed as a loop, the switches flood each other with the same packets, which then circulate endlessly.
This results in a major degradation of bandwidth and CPU resources in the switches.
The spanning tree determines the role of each port and establishes a logical topology in which broadcast packets do not keep circulating, even in networks that contain physical loops.
When a link failure occurs, it is detected and the tree is reconstructed in order to restore the system.
This product supports STP, RSTP, and MSTP.
Spanning tree function overview
2 Definition of Terms Used
- STP: Spanning Tree Protocol (802.1d)
The spanning tree protocol (STP) exchanges BPDU (bridge protocol data unit) messages, in order to avoid loops.
This product supports IEEE802.1d and RFC4188.
- RSTP: Rapid Spanning Tree Protocol (802.1w)
The rapid spanning tree protocol (RSTP) is an extension of STP. It can recover the spanning tree more quickly than STP, when the network architecture has changed or when there is a problem linking.
This product supports IEEE802.1w and RFC4318.
- MSTP: Multiple Spanning Tree Protocol (802.1s)
Multiple spanning tree protocol (MSTP) is a further extension of STP and RSTP. It groups VLANs into instances, and constructs a spanning tree for each group.
This can be used to distribute load within the network routes.
This product supports IEEE802.1s.
3 Function Details
This product supports the following functions in order to flexibly handle the construction of routes based on MSTP.
- Set priority
- Set bridge priority
- Set port priority
- Set path cost
- Set timeout
- Set forward delay time
- Set maximum aging time
- Specify edge port (Port Fast settings)
- BPDU guard
- BPDU filtering
- Root guard
4 Related Commands
The related commands are shown below.
For details on the commands, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Set spanning tree for the system | spanning-tree shutdown |
Set forward delay time | spanning-tree forward-time |
Set maximum aging time | spanning-tree max-age |
Set bridge priority | spanning-tree priority |
Set spanning tree for an interface | spanning-tree |
Set spanning tree link type | spanning-tree link-type |
Set interface BPDU filtering | spanning-tree bpdu-filter |
Set interface BPDU guard | spanning-tree bpdu-guard |
Set interface path cost | spanning-tree path-cost |
Set interface priority | spanning-tree priority |
Set edge port for interface | spanning-tree edgeport |
Show spanning tree status | show spanning-tree |
Show spanning tree BPDU statistics | show spanning-tree statistics |
Clear protocol compatibility mode | clear spanning-tree detected protocols |
Move to MST mode | spanning-tree mst configuration |
Generate MST instance | instance |
Set VLAN for MST instance | instance vlan |
Set priority of MST instance | instance priority |
Set MST region name | region |
Set revision number of MST region | revision |
Set MST instance for interface | spanning-tree instance |
Set interface priority for MST instance | spanning-tree instance priority |
Set interface path cost for MST instance | spanning-tree instance path-cost |
Show MST region information | show spanning-tree mst config |
Show MSTP information | show spanning-tree mst |
Show MST instance information | show spanning-tree mst instance |
5 Examples of Command Execution
5.1 MSTP setting example
Use this product to realize the architecture shown in the diagram below.
MSTP architecture diagram
- In this example, MST instances are used to construct the spanning tree.
- A different route is set for each MST instance (VLAN), in order to distribute network load.
- The LAN port that is connected to the PC is set as the edge port.
- [Switch #A] Define VLAN #2 and VLAN #3.
Yamaha(config)#vlan database
Yamaha(config-vlan)#vlan 2 ... (VLAN #2 definition)
Yamaha(config-vlan)#vlan 3 ... (VLAN #3 definition)
Yamaha(config-vlan)#exit
- [Switch #A] Set the CIST priority.
Yamaha(config)#spanning-tree priority 8192 ... (Set CIST priority to 8192)
- [Switch #A] Set the MST.
Yamaha(config)#spanning-tree mst configuration
Yamaha(config-mst)#region Sample ... (Set MST region name to "Sample")
Yamaha(config-mst)#revision 1 ... (Set MST revision number to 1)
Yamaha(config-mst)#instance 2 vlan 2 ... (Define MST instance #2, and associate with VLAN #2)
Yamaha(config-mst)#instance 3 vlan 3 ... (Define MST instance #3, and associate with VLAN #3)
Yamaha(config-mst)#exit
- [Switch #A] Set LAN ports #1–#2 as trunk ports, and associate them with VLAN #2–#3.
Also, set the MST instances #2–#3.
Yamaha(config)#interface port1.1
Yamaha(config-if)#switchport mode trunk ... (Set as trunk port)
Yamaha(config-if)#switchport trunk allowed vlan add 2,3 ... (Associate to VLAN #2–#3)
Yamaha(config-if)#spanning-tree instance 2 ... (Set MST instance #2)
Yamaha(config-if)#spanning-tree instance 3 ... (Set MST instance #3)
Yamaha(config-if)#exit
(Also perform the above settings for LAN port #2.)
- [Switch #A] Set LAN port #3 as the access port, and associate it with VLAN #2.
Also, set the MST instance #2, and make it an edge port.
Yamaha(config)#interface port1.3
Yamaha(config-if)#switchport mode access ... (Set as access port)
Yamaha(config-if)#switchport access vlan 2 ... (Associate to VLAN #2)
Yamaha(config-if)#spanning-tree instance 2 ... (Set MST instance #2)
Yamaha(config-if)#spanning-tree edgeport ... (Set as edge port)
Yamaha(config-if)#exit
- [Switch #A] Set LAN port #4 as the access port, and associate it with VLAN #3.
Also, set the MST instance #3, and make it an edge port.
Yamaha(config)#interface port1.4
Yamaha(config-if)#switchport mode access ... (Set as access port)
Yamaha(config-if)#switchport access vlan 3 ... (Associate to VLAN #3)
Yamaha(config-if)#spanning-tree instance 3 ... (Set MST instance #3)
Yamaha(config-if)#spanning-tree edgeport ... (Set as edge port)
Yamaha(config-if)#exit
- [Switch #B] Define VLAN #2 and VLAN #3.
Yamaha(config)#vlan database
Yamaha(config-vlan)#vlan 2 ... (VLAN #2 definition)
Yamaha(config-vlan)#vlan 3 ... (VLAN #3 definition)
Yamaha(config-vlan)#exit
- [Switch #B] Set the CIST priority.
Yamaha(config)#spanning-tree priority 16384 ... (Set CIST priority to 16384)
- [Switch #B] Set the MST.
Yamaha(config)#spanning-tree mst configuration
Yamaha(config-mst)#region Sample ... (Set MST region name to "Sample")
Yamaha(config-mst)#revision 1 ... (Set MST revision number to 1)
Yamaha(config-mst)#instance 2 vlan 2 ... (Define MST instance #2, and associate with VLAN #2)
Yamaha(config-mst)#instance 2 priority 8192 ... (Set priority of MST instance #2 to 8192)
Yamaha(config-mst)#instance 3 vlan 3 ... (Define MST instance #3, and associate with VLAN #3)
Yamaha(config-mst)#instance 3 priority 16384 ... (Set priority of MST instance #3 to 16384)
Yamaha(config-mst)#exit
- [Switch #B] Set LAN ports #1–#2 as trunk ports, and associate them with VLAN #2–#3.
Also, set the MST instances #2–#3.
Yamaha(config)#interface port1.1
Yamaha(config-if)#switchport mode trunk ... (Set as trunk port)
Yamaha(config-if)#switchport trunk allowed vlan add 2,3 ... (Associate to VLAN #2–#3)
Yamaha(config-if)#spanning-tree instance 2 ... (Set MST instance #2)
Yamaha(config-if)#spanning-tree instance 3 ... (Set MST instance #3)
Yamaha(config-if)#exit
(Also perform the above settings for LAN port #2.)
- [Switch #B] Set LAN port #3 as the access port, and associate it with VLAN #2.
Also, set the MST instance #2, and make it an edge port.
Yamaha(config)#interface port1.3
Yamaha(config-if)#switchport mode access ... (Set as access port)
Yamaha(config-if)#switchport access vlan 2 ... (Associate to VLAN #2)
Yamaha(config-if)#spanning-tree instance 2 ... (Set MST instance #2)
Yamaha(config-if)#spanning-tree edgeport ... (Set as edge port)
Yamaha(config-if)#exit
(Also perform the above settings for LAN port #4.)
- [Switch #C] Define VLAN #2 and VLAN #3.
Yamaha(config)#vlan database
Yamaha(config-vlan)#vlan 2 ... (VLAN #2 definition)
Yamaha(config-vlan)#vlan 3 ... (VLAN #3 definition)
Yamaha(config-vlan)#exit
- [Switch #C] Set the MST.
Yamaha(config)#spanning-tree mst configuration
Yamaha(config-mst)#region Sample ... (Set MST region name to "Sample")
Yamaha(config-mst)#revision 1 ... (Set MST revision number to 1)
Yamaha(config-mst)#instance 2 vlan 2 ... (Define MST instance #2, and associate with VLAN #2)
Yamaha(config-mst)#instance 2 priority 16384 ... (Set priority of MST instance #2 to 16384)
Yamaha(config-mst)#instance 3 vlan 3 ... (Define MST instance #3, and associate with VLAN #3)
Yamaha(config-mst)#instance 3 priority 8192 ... (Set priority of MST instance #3 to 8192)
Yamaha(config-mst)#exit
- [Switch #C] Set LAN ports #1–#2 as trunk ports, and associate them with VLAN #2–#3.
Also, set the MST instances #2–#3.
Yamaha(config)#interface port1.1
Yamaha(config-if)#switchport mode trunk ... (Set as trunk port)
Yamaha(config-if)#switchport trunk allowed vlan add 2,3 ... (Associate to VLAN #2–#3)
Yamaha(config-if)#spanning-tree instance 2 ... (Set MST instance #2)
Yamaha(config-if)#spanning-tree instance 3 ... (Set MST instance #3)
Yamaha(config-if)#exit
(Also perform the above settings for LAN port #2.)
- [Switch #C] Set LAN port #3 as the access port, and associate it with VLAN #3.
Also, set the MST instance #3, and make it an edge port.
Yamaha(config)#interface port1.3
Yamaha(config-if)#switchport mode access ... (Set as access port)
Yamaha(config-if)#switchport access vlan 3 ... (Associate to VLAN #3)
Yamaha(config-if)#spanning-tree instance 3 ... (Set MST instance #3)
Yamaha(config-if)#spanning-tree edgeport ... (Set as edge port)
Yamaha(config-if)#exit
(Also perform the above settings for LAN port #4.)
- Connect the LAN cable.
- [Switch #A] Check the CIST architecture.
Yamaha>show spanning-tree | include Root Id
% Default: CIST Root Id 200100a0deaeb920 ... (The higher-priority switch #A is the CIST root bridge)
% Default: CIST Reg Root Id 200100a0deaeb920
Yamaha>show spanning-tree | include Role
% port1.1: Port Number 905 - Ifindex 5001 - Port Id 0x8389 - Role Designated - State Forwarding
% port1.2: Port Number 906 - Ifindex 5002 - Port Id 0x838a - Role Designated - State Forwarding
% port1.3: Port Number 907 - Ifindex 5003 - Port Id 0x838b - Role Designated - State Forwarding
% port1.4: Port Number 908 - Ifindex 5004 - Port Id 0x838c - Role Designated - State Forwarding
% port1.5: Port Number 909 - Ifindex 5005 - Port Id 0x838d - Role Disabled - State Discarding
% port1.6: Port Number 910 - Ifindex 5006 - Port Id 0x838e - Role Disabled - State Discarding
% port1.7: Port Number 911 - Ifindex 5007 - Port Id 0x838f - Role Disabled - State Discarding
% port1.8: Port Number 912 - Ifindex 5008 - Port Id 0x8390 - Role Disabled - State Discarding
% port1.9: Port Number 913 - Ifindex 5009 - Port Id 0x8391 - Role Disabled - State Discarding
% port1.10: Port Number 914 - Ifindex 5010 - Port Id 0x8392 - Role Disabled - State Discarding
- [Switch #B] Check the CIST architecture.
Yamaha>show spanning-tree | include Root Id
% Default: CIST Root Id 200100a0deaeb920 ... (The higher-priority switch #A is the CIST root bridge)
% Default: CIST Reg Root Id 200100a0deaeb920
Yamaha>show spanning-tree | include Role
% port1.1: Port Number 905 - Ifindex 5001 - Port Id 0x8389 - Role Rootport - State Forwarding
% port1.2: Port Number 906 - Ifindex 5002 - Port Id 0x838a - Role Designated - State Forwarding
% port1.3: Port Number 907 - Ifindex 5003 - Port Id 0x838b - Role Designated - State Forwarding
% port1.4: Port Number 908 - Ifindex 5004 - Port Id 0x838c - Role Designated - State Forwarding
% port1.5: Port Number 909 - Ifindex 5005 - Port Id 0x838d - Role Disabled - State Discarding
% port1.6: Port Number 910 - Ifindex 5006 - Port Id 0x838e - Role Disabled - State Discarding
% port1.7: Port Number 911 - Ifindex 5007 - Port Id 0x838f - Role Disabled - State Discarding
% port1.8: Port Number 912 - Ifindex 5008 - Port Id 0x8390 - Role Disabled - State Discarding
% port1.9: Port Number 913 - Ifindex 5009 - Port Id 0x8391 - Role Disabled - State Discarding
% port1.10: Port Number 914 - Ifindex 5010 - Port Id 0x8392 - Role Disabled - State Discarding
- [Switch #C] Check the CIST architecture.
Yamaha>show spanning-tree | include Root Id
% Default: CIST Root Id 200100a0deaeb920 ... (The higher-priority switch #A is the CIST root bridge)
% Default: CIST Reg Root Id 200100a0deaeb920
Yamaha>show spanning-tree | include Role
% port1.1: Port Number 905 - Ifindex 5001 - Port Id 0x8389 - Role Alternate - State Discarding ... (LAN #1 port of lower-priority switch #C is the CIST alternate port)
% port1.2: Port Number 906 - Ifindex 5002 - Port Id 0x838a - Role Rootport - State Forwarding
% port1.3: Port Number 907 - Ifindex 5003 - Port Id 0x838b - Role Designated - State Forwarding
% port1.4: Port Number 908 - Ifindex 5004 - Port Id 0x838c - Role Designated - State Forwarding
% port1.5: Port Number 909 - Ifindex 5005 - Port Id 0x838d - Role Disabled - State Discarding
% port1.6: Port Number 910 - Ifindex 5006 - Port Id 0x838e - Role Disabled - State Discarding
% port1.7: Port Number 911 - Ifindex 5007 - Port Id 0x838f - Role Disabled - State Discarding
% port1.8: Port Number 912 - Ifindex 5008 - Port Id 0x8390 - Role Disabled - State Discarding
% port1.9: Port Number 913 - Ifindex 5009 - Port Id 0x8391 - Role Disabled - State Discarding
% port1.10: Port Number 914 - Ifindex 5010 - Port Id 0x8392 - Role Disabled - State Discarding
- [Switch #A] Check the architecture of MST instance #2.
Yamaha>show spanning-tree mst instance 2 | include Root Id
% Default: MSTI Root Id 200200a0deaeb879 ... (The higher-priority switch #B is the root bridge for MST instance #2)
Yamaha>show spanning-tree mst instance 2 | include Role
% port1.1: Port Number 905 - Ifindex 5001 - Port Id 0x8389 - Role Rootport - State Forwarding
% port1.2: Port Number 906 - Ifindex 5002 - Port Id 0x838a - Role Alternate - State Discarding ... (LAN #2 port of lower-priority switch #A is the alternate port for MST instance #2)
% port1.3: Port Number 907 - Ifindex 5003 - Port Id 0x838b - Role Designated - State Forwarding
- [Switch #B] Check the architecture of MST instance #2.
Yamaha>show spanning-tree mst instance 2 | include Root Id
% Default: MSTI Root Id 200200a0deaeb879 ... (The higher-priority switch #B is the root bridge for MST instance #2)
Yamaha>show spanning-tree mst instance 2 | include Role
% port1.1: Port Number 905 - Ifindex 5001 - Port Id 0x8389 - Role Designated - State Forwarding
% port1.2: Port Number 906 - Ifindex 5002 - Port Id 0x838a - Role Designated - State Forwarding
% port1.3: Port Number 907 - Ifindex 5003 - Port Id 0x838b - Role Designated - State Forwarding
% port1.4: Port Number 908 - Ifindex 5004 - Port Id 0x838c - Role Designated - State Forwarding
- [Switch #C] Check the architecture of MST instance #2.
Yamaha>show spanning-tree mst instance 2 | include Root Id
% Default: MSTI Root Id 200200a0deaeb879 ... (The higher-priority switch #B is the root bridge for MST instance #2)
Yamaha>show spanning-tree mst instance 2 | include Role
% port1.1: Port Number 905 - Ifindex 5001 - Port Id 0x8389 - Role Rootport - State Forwarding
% port1.2: Port Number 906 - Ifindex 5002 - Port Id 0x838a - Role Designated - State Forwarding
- [Switch #A] Check the architecture of MST instance #3.
Yamaha>show spanning-tree mst instance 3 | include Root Id
% Default: MSTI Root Id 200300a0deaeb83d ... (The higher-priority switch #C is the root bridge for MST instance #3)
Yamaha>show spanning-tree mst instance 3 | include Role
% port1.1: Port Number 905 - Ifindex 5001 - Port Id 0x8389 - Role Alternate - State Discarding ... (LAN #1 port of lower-priority switch #A is the alternate port for MST instance #3)
% port1.2: Port Number 906 - Ifindex 5002 - Port Id 0x838a - Role Rootport - State Forwarding
% port1.4: Port Number 908 - Ifindex 5004 - Port Id 0x838c - Role Designated - State Forwarding
- [Switch #B] Check the architecture of MST instance #3.
Yamaha>show spanning-tree mst instance 3 | include Root Id
% Default: MSTI Root Id 200300a0deaeb83d ... (The higher-priority switch #C is the root bridge for MST instance #3)
Yamaha>show spanning-tree mst instance 3 | include Role
% port1.1: Port Number 905 - Ifindex 5001 - Port Id 0x8389 - Role Designated - State Forwarding
% port1.2: Port Number 906 - Ifindex 5002 - Port Id 0x838a - Role Rootport - State Forwarding
- [Switch #C] Check the architecture of MST instance #3.
Yamaha>show spanning-tree mst instance 3 | include Root Id
% Default: MSTI Root Id 200300a0deaeb83d ... (The higher-priority switch #C is the root bridge for MST instance #3)
Yamaha>show spanning-tree mst instance 3 | include Role
% port1.1: Port Number 905 - Ifindex 5001 - Port Id 0x8389 - Role Designated - State Forwarding
% port1.2: Port Number 906 - Ifindex 5002 - Port Id 0x838a - Role Designated - State Forwarding
% port1.3: Port Number 907 - Ifindex 5003 - Port Id 0x838b - Role Designated - State Forwarding
% port1.4: Port Number 908 - Ifindex 5004 - Port Id 0x838c - Role Designated - State Forwarding
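The checks above can be automated so that an unexpected root bridge, or an edge port that has started receiving BPDUs, is flagged as soon as it appears. The Python below is an added example, not part of the Yamaha manual: the function names are hypothetical, the baseline lines are copied from the Switch #B CIST check, the second capture is constructed, and the root ID is decoded with the IEEE 802.1D-2004 bridge identifier layout (4-bit priority, 12-bit system ID extension, 48-bit MAC address), which is assumed to apply to this output.

```python
import re

ROOT_RE = re.compile(r"%\s*\S+:\s*(CIST|MSTI) Root Id ([0-9a-fA-F]{16})")
ROLE_RE = re.compile(r"%\s*(port\d+\.\d+):.*?Role (\w+) - State (\w+)")

# Lines from the Switch #B CIST check in this section (ports 1.1 to 1.4 only).
BASELINE = """\
% Default: CIST Root Id 200100a0deaeb920
% Default: CIST Reg Root Id 200100a0deaeb920
% port1.1: Port Number 905 - Ifindex 5001 - Port Id 0x8389 - Role Rootport - State Forwarding
% port1.2: Port Number 906 - Ifindex 5002 - Port Id 0x838a - Role Designated - State Forwarding
% port1.3: Port Number 907 - Ifindex 5003 - Port Id 0x838b - Role Designated - State Forwarding
% port1.4: Port Number 908 - Ifindex 5004 - Port Id 0x838c - Role Designated - State Forwarding
"""

# Constructed capture: a different root ID, and edge port1.3 is now a root port.
CHANGED = """\
% Default: CIST Root Id 0001020000000001
% port1.1: Port Number 905 - Ifindex 5001 - Port Id 0x8389 - Role Alternate - State Discarding
% port1.2: Port Number 906 - Ifindex 5002 - Port Id 0x838a - Role Designated - State Forwarding
% port1.3: Port Number 907 - Ifindex 5003 - Port Id 0x838b - Role Rootport - State Forwarding
% port1.4: Port Number 908 - Ifindex 5004 - Port Id 0x838c - Role Designated - State Forwarding
"""

EDGE_PORTS = {"port1.3", "port1.4"}             # edge ports in this example
EXPECTED_ROOT = (8192, "00:a0:de:ae:b9:20")     # switch #A: priority and MAC


def decode_bridge_id(hex_id):
    """Split a 64-bit bridge ID into priority, system ID extension and MAC."""
    value = int(hex_id, 16)
    head = value >> 48
    mac = f"{value & 0xFFFFFFFFFFFF:012x}"
    return {
        "priority": head & 0xF000,
        "ext": head & 0x0FFF,
        "mac": ":".join(mac[i:i + 2] for i in range(0, 12, 2)),
    }


def parse_roles(capture):
    """Return {port: (role, state)} from the 'include Role' lines."""
    return {m.group(1): (m.group(2), m.group(3))
            for m in ROLE_RE.finditer(capture)}


def audit(capture, expected_root, edge_ports):
    """Return findings for a root bridge change or BPDUs seen on edge ports."""
    match = ROOT_RE.search(capture)
    if not match:
        return ["no root ID found in capture"]
    findings = []
    root = decode_bridge_id(match.group(2))
    if (root["priority"], root["mac"]) != expected_root:
        findings.append(
            f"root bridge is {root['mac']} (priority {root['priority']}), "
            f"expected {expected_root[1]} (priority {expected_root[0]})")
    for port, (role, _state) in sorted(parse_roles(capture).items()):
        # A Rootport or Alternate role means a superior BPDU arrived there.
        if port in edge_ports and role in ("Rootport", "Alternate"):
            findings.append(f"{port}: edge port has role {role}")
    return findings


if __name__ == "__main__":
    for name, capture in (("baseline", BASELINE), ("changed", CHANGED)):
        print(name, audit(capture, EXPECTED_ROOT, EDGE_PORTS))
```

A finding on an edge port is the situation that the spanning-tree bpdu-guard setting listed in the related commands is intended for.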
6 Points of Caution
- On this product, STP and RSTP are supported through the backward compatibility provided by MSTP.
7 Related Documentation
- L2 switching functions: VLAN
- STP
- IEEE802.1d
- RFC4188
- RSTP
- IEEE802.1w
- RFC4318
- MSTP
- IEEE802.1s
Proprietary loop detection
1 Function Overview
This product offers a proprietary system to detect whether there is a loop in the network environment that was configured.
A proprietary loop detection frame is sent from the LAN/SFP port, and the unit monitors whether the frame returns or not.
If the transmitted frame returns, the system determines that there is a loop in the port in question.
2 Definition of Terms Used
- LDF (Loop Detection Frame)
- This is a Yamaha proprietary Ethernet frame that is used to detect loops.
3 Function Details
3.1 Loop detection operating specifications
The loop detection specifications for this product are shown below.
- Loop detection on this product can be enabled or disabled for the entire system, and also for individual ports.
To detect loops on LAN/SFP ports, the system-wide setting must be enabled.
- Use the loop-detect command in global configuration mode for system-wide settings.
- Use the loop-detect command in the interface mode of the relevant port for individual LAN/SFP port settings.
- The default settings for the loop detection function are as shown below. (In the initial state, this function is not operating.)
- System-wide settings: disabled
- LAN/SFP port settings: enabled
- When the system-wide settings for both loop detection and spanning tree protocol are set to enabled, the spanning tree protocol is given priority for LAN/SFP port settings.
- If the loop detection function is enabled for this product, the following operations are performed.
- Loop detection frames (hereafter "LDF") are sent every two seconds from the linked-up LAN/SFP port.
The loop detection function cannot be used on static/LACP logical interfaces, and ports on which mirror settings have been made (mirror ports).
- When the unit receives an LDF that it transmitted itself, it determines that a loop has occurred and performs one of the following operations.
- Port Shutdown
When the transmitting and receiving LAN/SFP ports are the same port, that port is shut down.
The port links up again five minutes after the shutdown, and LDF transmission resumes. (If the loop is still present, this operation repeats.)
To link up the port before the five-minute monitoring time has elapsed, use the no shutdown command.
- Port Blocking
When the port number of the transmitting LAN/SFP port is smaller than the receiving port number, all frames except for LDF are blocked.
The LDF will be transmitted periodically, but LDF will not be forwarded from other devices.
For the LAN/SFP ports that were blocked, if the LDF that was transmitted does not return within five seconds, it is determined that the loop has been resolved, and normal communications are resumed.
- Port Detected
When the port number of the transmitting LAN/SFP port is larger than the receiving port number, another port is doing the blocking, so communication continues as normal.
- When a loop is detected, the port lamp display on this product changes to a dedicated status, and the following SYSLOG message is output.
- [LOOP]: inf: Detected Loop!: port1.1, 1.3 … (displayed in a five-second cycle, starting from the detection of the loop)
- The port lamp display on this product is restored as communications are resumed after the loop is resolved, and the following SYSLOG message is output.
- [LOOP]: inf: Recovered Loop! : port1.1, 1.3
- The "detected" operation can be forcibly performed without performing shutdown/blocking of the LAN/SFP port on which the loop was detected.
- Use the loop-detect blocking-disable command for this setting.
- If this setting is "enabled", port blocking will be implemented on the next largest port number. (Shutdown operations will not occur.)
- A force-clear can be performed on the loop detection status (detected, blocking) by using the loop-detect reset command. (On models equipped with a MODE button, this can be also done by holding down the MODE button for three seconds.)
If a linkdown has occurred on the port where a loop has been detected, the detection status will be cleared. (The port lamp display is restored, and the following syslog message is outputted.)
- The status of the loop detection function can be checked using the show loop-detect command. The following is displayed.
- System Enable/disable status
- Loop detection status (status for each LAN/SFP port)
- If a LAN/SFP port receives an LDF while the loop detection function is disabled, the received frame is forwarded as-is from all other ports.
However, frames will not be forwarded for static/LACP logical interfaces and ports on which mirror settings have been made (mirror ports).
- In the following kinds of situations, loops in hubs that are connected to this product might not be detected.
- Loops are being detected in a connected hub
- Loop detection frames are not being forwarded by a connected hub
3.2 Loop detection example
The following shows examples of loop detection in this product.
Loop detection example
Loop detection case | Configuration example | Loop detection status |
---|---|---|
1 | A loop is detected when the device receives the LDF that it has transmitted. | |
2 | When loops are detected in multiple ports on the same terminal, the port with the largest number is blocked. | |
3 | The loop is avoided by blocking multiple ports. The blocking port is selected using the same rules as case 2. | |
4 | When loops are detected in multiple groups, the port with the largest number in each group is blocked. | |
5 | When a loop occurs between two switches, one of the switches detects the loop. ○ When detected in port1.3 of switch #A ○ When detected in port1.7 of switch #B | |
6 | Out of the six ports that are connected by cable, the port for which the loop is most quickly detected is the one that is blocked. ○ When detected in port1.2 of switch #A ○ When detected in port1.4 of switch #B ○ When detected in port1.6 of switch #C | |
7 | Because the LDF transmitted from each port returns to these ports, port1.5 and port1.6 will both shut down. | |
8 | Port1.6 of switch #B is blocked. Depending on the timing, port1.1 of switch #A will shut down; but the loop in port1.1 of switch #A is resolved by blocking port1.6 of switch #B. | |
4 Related Commands
The related commands are shown below.
For details on the commands, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Enable/disable loop detection function (system) | loop-detect enable/disable |
Enable/disable loop detection function (LAN/SFP port) | loop-detect enable/disable |
Set port blocking for loop detection | loop-detect blocking enable/disable |
Reset loop detection status | loop-detect reset |
Refer to the setting status of loop detection | show loop-detect |
5 Examples of Command Execution
This example detects any loops occurring on this product using the following configuration, when the loop detection function is enabled.
- [Example 1] Loop occurring within this product
- [Example 2] Loop occurring in a third-party hub connected to this product
- This sets LAN ports #1 and #2 to detect loops.
- Enable the loop detection function for the entire system.
Yamaha(config)#loop-detect enable ... (Enable the system-wide loop detection function)
- Enable the loop detection function for LAN ports #1 and #2.
Yamaha(config)#interface port1.1
Yamaha(config-if)#spanning-tree disable ... (Disable the spanning tree function for each LAN port)
Yamaha(config-if)#loop-detect enable ... (Enable the loop detection function for each LAN port)
Yamaha(config-if)#loop-detect blocking ... (Enable blocking)
(Also perform the above settings for LAN port #2.)
- The loop detection function for each LAN port and blocking are both enabled by default, so there is no need to set them.
- Confirm that the loop detection function has been set.
Confirm whether the loop detection function is enabled(*) for LAN ports #1 and #2.
Yamaha>show loop-detect
loop-detect: Enable
port        loop-detect    port-blocking    status
-------------------------------------------------------
port1.1     enable(*)      enable           Normal
port1.2     enable(*)      enable           Normal
port1.3     enable         enable           Normal
port1.4     enable         enable           Normal
port1.5     enable         enable           Normal
port1.6     enable         enable           Normal
port1.7     enable         enable           Normal
port1.8     enable         enable           Normal
port1.9     enable         enable           Normal
   :           :              :               :
-------------------------------------------------------
(*): Indicates that the feature is enabled.
- If a loop has been detected, the loop detection status can be checked.
- In the case of example 1:
Yamaha>show loop-detect
loop-detect: Enable
port        loop-detect    port-blocking    status
-------------------------------------------------------
port1.1     enable(*)      enable           Detected ... (LAN port #1 changes to the Detected state)
port1.2     enable(*)      enable           Blocking ... (LAN port #2 changes to the Blocking state)
port1.3     enable         enable           Normal
port1.4     enable         enable           Normal
port1.5     enable         enable           Normal
port1.6     enable         enable           Normal
port1.7     enable         enable           Normal
port1.8     enable         enable           Normal
port1.9     enable         enable           Normal
   :           :              :               :
-------------------------------------------------------
(*): Indicates that the feature is enabled.
- In the case of example 2:
Yamaha>show loop-detect
loop-detect: Enable
port        loop-detect    port-blocking    status
-------------------------------------------------------
port1.1     enable(*)      enable           Shutdown ... (LAN port #1 changes to the Shutdown state)
port1.2     enable(*)      enable           Normal
port1.3     enable         enable           Normal
port1.4     enable         enable           Normal
port1.5     enable         enable           Normal
port1.6     enable         enable           Normal
port1.7     enable         enable           Normal
port1.8     enable         enable           Normal
port1.9     enable         enable           Normal
   :           :              :               :
-------------------------------------------------------
(*): Indicates that the feature is enabled.
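Because the Detected Loop! message repeats every five seconds while a loop persists, a syslog collector needs to fold those repeats into episodes before alerting. The Python below is an added example, not part of the Yamaha manual: the function names are hypothetical, the log lines are constructed, and the timestamp prefix in front of the [LOOP] tag is an assumed format.

```python
import re
from datetime import datetime

LOOP_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}).*?\[LOOP\]:\s*inf:\s*"
    r"(?P<kind>Detected|Recovered) Loop!\s*:\s*(?P<ports>.+?)\s*$"
)

# Constructed log lines; only the "[LOOP]: inf: ..." part follows the manual.
SAMPLE_LOG = """\
2024/01/10 10:00:00: [LOOP]: inf: Detected Loop!: port1.1, 1.3
2024/01/10 10:00:05: [LOOP]: inf: Detected Loop!: port1.1, 1.3
2024/01/10 10:00:12: [LOOP]: inf: Recovered Loop! : port1.1, 1.3
2024/01/10 10:05:12: [LOOP]: inf: Detected Loop!: port1.1, 1.3
2024/01/10 10:06:00: [TEST]: inf: unrelated constructed line
2024/01/10 10:07:00: [LOOP]: inf: Detected Loop!: port1.5
2024/01/10 10:08:00: [LOOP]: inf: Detected Loop!: port1.7
2024/01/10 10:08:06: [LOOP]: inf: Recovered Loop! : port1.7
""".splitlines()


def expand_ports(spec):
    """Turn the abbreviated list 'port1.1, 1.3' into ('port1.1', 'port1.3')."""
    ports = []
    for item in spec.split(","):
        item = item.strip()
        ports.append(item if item.startswith("port") else "port" + item)
    return tuple(sorted(ports))


def track_loops(lines):
    """Fold repeated messages into episodes, keyed by the affected port set."""
    loops = {}
    for line in lines:
        match = LOOP_RE.match(line)
        if not match:
            continue  # not a loop detection message
        ts = datetime.strptime(match.group("ts"), "%Y/%m/%d %H:%M:%S")
        key = expand_ports(match.group("ports"))
        rec = loops.setdefault(
            key, {"episodes": 0, "open": False, "first": ts, "last": ts})
        rec["last"] = ts
        if match.group("kind") == "Detected":
            if not rec["open"]:      # first message of a new episode
                rec["episodes"] += 1
                rec["open"] = True
        else:                        # Recovered closes the current episode
            rec["open"] = False
    return loops


def needs_attention(loops, min_episodes=2):
    """Port sets whose loop is still open or has recurred."""
    return sorted(key for key, rec in loops.items()
                  if rec["open"] or rec["episodes"] >= min_episodes)


if __name__ == "__main__":
    tracked = track_loops(SAMPLE_LOG)
    for key in needs_attention(tracked):
        print(", ".join(key), tracked[key])
```

A port set that keeps reopening at roughly five-minute intervals matches the shutdown and automatic link-up cycle described in section 3.1.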
6 Points of Caution
None
7 Related Documentation
- SWR2311P-10G Technical Data (Basic Functions)
- Layer 3 functions
IPv4/IPv6 common settings
1 Function Overview
This product is compatible with the following network environment settings that are common to IPv4 and IPv6, mainly for the purpose of maintenance (configuring the settings of the switch).
- DNS client settings
2 Definition of Terms Used
None
3 Function Details
3.1 DNS client settings
This product supports DNS (Domain Name System) clients.
If an FQDN (Fully Qualified Domain Name) has been set for an NTP server or a syslog server, an inquiry is made to the DNS server to retrieve the IPv4/IPv6 address.
This product provides the following DNS client control functions.
- Set IP address of the DNS server
- Set default domain name
- Set query domain list
Inquiries to the DNS server are enabled by default, and the setting can be changed by using the dns-client enable/disable command.
3.1.1 Set IP address of the DNS server
Up to three IP addresses can be set for the DNS server, using the methods shown below.
- Manual setting using the dns-client name-server command
- This lets you specify the IPv4/IPv6 address.
- Automatic setting via DHCP
- The highest default gateway value takes priority if there is more than one.
This product always gives priority to the information that was set via commands.
Check the configured DNS servers by using the show dns-client command.
3.1.2 Set default domain
Only one default domain can be set using the methods shown below. The domain can be specified using up to 256 characters.
- Manual setting using the dns-client domain-name command
- Automatic setting via DHCP
- The highest default gateway value takes priority if there is more than one.
As with the IP addresses of the DNS server, this product gives priority to the information that was set via commands.
Check the default domain that was set by using the show dns-client command.
The default domain is used only if there are no entries in the query domain list.
3.1.3 Set query domain list
This product uses a query domain list to manage the domain names used when inquiring with the DNS.
Up to six domain names can be set on the query domain list using the method below.
- Manual setting using the dns-client domain-list command
The query domain list that has been set can be checked using the show dns-client command.
The query domain list must be within 256 characters total for all domain names registered.
3.2 Equal-cost multi-path settings
This product supports equal-cost multi-path settings using the following functions.
- IPv4 static routing
- IPv6 static routing
- RIPv1, RIPv2, RIPng (only on supporting devices)
- OSPFv2, OSPFv3 (only on supporting devices)
If multiple routes to the same destination are registered in the RIB, these multiple routes will be reflected in the FIB.
Up to eight routes leading to the same destination can be registered in the FIB. The default setting is four routes.
The number of equal-cost multi-paths that can be registered may be changed using the maximum-paths command.
The changes to the settings will not be reflected in actual operations until rebooting.
Use the port-channel load-balance command to configure the load balance rules for equal-cost multi-path destinations.
Caution must be used when changing the load balance rule settings using the port-channel load-balance command, as this has an impact on how link aggregation works.
4 Related Commands
The related commands are shown below.
For details on the commands, refer to the Command Reference.
List of related commands
Function types | Operations | Operating commands |
---|---|---|
DNS client settings | DNS client settings | dns-client enable/disable |
DNS client settings | Set DNS server address | dns-client name-server |
DNS client settings | Set default domain name | dns-client domain-name |
DNS client settings | Set query domain list | dns-client domain-list |
DNS client settings | Show DNS client settings | show dns-client |
Equal-cost multi-path settings | Settings for the number of equal-cost multi-paths that can be registered | maximum-paths |
Equal-cost multi-path settings | Display the number of equal-cost multi-paths that can be registered | show ip route summary |
Equal-cost multi-path settings | Display the number of equal-cost multi-paths that can be registered | show ipv6 route summary |
Equal-cost multi-path settings | Set load balance function rules | port-channel load-balance |
5 Examples of Command Execution
5.1 DNS client settings
Set DNS client settings for this product to prepare an environment for DNS queries.
- Specify 192.168.100.1 and 192.168.100.2 as the IP addresses of the servers for DNS queries.
- Specify example.com as the default domain used for DNS queries.
- Enable the DNS query functionality.
    Yamaha(config)#dns-client enable
- Since this is the default value, we do not need to set it specifically.
- Specify the DNS servers.
    Yamaha(config)#dns-client name-server 192.168.100.1
    Yamaha(config)#dns-client name-server 192.168.100.2
- Set the default domain.
    Yamaha(config)#dns-client domain-name example.com
- Check the DNS client information that was set.
    Yamaha#show dns-client
    DNS client is enabled
     Default domain  : example.com
     Domain list     :
     Name Servers    : 192.168.100.1 192.168.100.2

     * - Values assigned by DHCP Client.
5.2 Equal-cost multi-paths
This changes the number of equal-cost multi-paths that can be registered to "5".
Also, the source and destination IP addresses are used as load balance rules.
- Set the number of equal-cost multi-paths that can be registered
    Yamaha(config)#maximum-paths 5
    % System Reboot is required for new Maximum-Path value to take effect.
- A reboot is required to apply the settings.
- Set the source and destination IP addresses as load balance rules.
    Yamaha(config)#port-channel load-balance src-dst-ip
- Check the current number of equal-cost multi-paths that can be registered.
    Yamaha(config)#show ip route summary
    IP routing table name is Default-IP-Routing-Table(0)
    IP routing table maximum-paths   : 5
    Route Source    Networks
    connected       3
    rip             2
    Total           5
6 Points of Caution
None
7 Related Documentation
None
IPv4 basic settings
1 Function Overview
This product is compatible with the following IPv4 network environment settings, mainly for the purpose of maintenance (configuring the settings of the switch).
- IPv4 address settings
- Route information settings
- ARP table settings
2 Definition of Terms Used
- IPv4 link local address
- This is an address that is only valid within the same segment, within the range of 169.254.0.0/16 to 169.254.255.255/16.
3 Function Details
3.1 IPv4 address settings
This product lets you specify the IPv4 address and subnet mask for a VLAN interface.
As the setting method, both fixed settings and automatic settings via DHCP are supported.
- To set the fixed/automatic IPv4 address, use the ip address command.
- The actions when specifying automatic settings via DHCP are shown below.
- The HostName option (option code 12) can be added to the Discover/Request message.
- The lease time requested from the DHCP server is fixed at 72 hours. (The actual lease time will depend on the setting of the DHCP server.)
- If the no ip address command is executed with automatic settings, a release message for the IPv4 address obtained is sent to the DHCP server.
- The information obtained from the DHCP server can be checked using the show dhcp lease command.
- An IPv4 address can be set for up to eight VLAN interfaces.
The IPv4 address that is allocated to a VLAN interface can be checked using the show ip interface command.
- In the initial state, 192.168.100.240/24 is fixed for the default VLAN (VLAN #1).
3.2 Auto IP function
As part of the IPv4 address setting functionality, this product provides an auto IP function which automatically generates IPv4 link local addresses based on the MAC address.
The auto IP function only works when an IPv4 address has not been allocated from the DHCP server. (The IPv4 address must be set to "DHCP" as a prerequisite.)
This function uses ARP to confirm that the automatically-generated IPv4 link local address does not already exist on the network.
If it has been confirmed that the address does not already exist, the generated address will start to be used.
If the IPv4 address was allocated from the DHCP server after the IPv4 link local address was determined via auto IP, the IPv4 link local address is discarded, and the IP address obtained from the DHCP server is used.
- To enable the Auto IP function, use the auto-ip enable command.
- The Auto IP function can be enabled for only one VLAN interface. In the initial state, the default VLAN (VLAN #1) is enabled.
3.3 Route information settings
This product refers to a routing table when sending syslog messages and when sending out voluntary IPv4 packets as an IPv4 host for NTP-based time adjustments and so on.
This product uses the following functions to perform the routing table operations.
- Set VLAN interface route information
- Set default gateway
- Set static route information
- Show route information
3.3.1 VLAN interface route information
When setting an IPv4 address on this product for a VLAN interface, the correspondence between the network address and VLAN ID is automatically set as route information.
When releasing IPv4 addresses set for the VLAN interface, the above settings will be deleted.
3.3.2 Set default gateway
The destination for IPv4 packets sent to network addresses that are not set in the routing table can be set as the default gateway on this product.
- To set the default gateway, use the ip route command.
- To show the default gateway, use the show ip route command.
3.3.3 Set static route information
A static route to the destination network address (the gateway address to which packets will be sent) can be set on this product.
- Static route information is set using the ip route command.
- Static route information is displayed using the show ip route command.
3.3.4 Routing table and route selection
You will use the following two types of table to specify routing information.
- RIB (Routing Information Base: IP routing table)
- FIB (Forwarding Information Base: IP forwarding table)
The roles of each are explained below.
- RIB
RIB (Routing Information Base: IP routing table) is a database that stores various routing information.
- A route is registered in the RIB in the following cases.
- When an IPv4 address is assigned to a VLAN interface
- When a static route or a default gateway is specified manually
- When a default gateway is learned via a DHCP message
- To check the RIB, use the show ip route database command.
- FIB
FIB (Forwarding Information Base: IP forwarding table) is a database that is referenced when deciding how to forward IP packets.
Of the routes that are registered in the RIB, the FIB registers only the route that is determined to be "optimal" and is actually used for forwarding packets.
- The conditions by which a route is determined to be optimal are as follows.
- The corresponding VLAN interface is in the link up state
- If multiple routes to the same destination are registered in the RIB, only one is decided in the following order of priority
- A manually specified route takes priority over a route learned via a DHCP message.
- A route whose gateway has a higher IP address value takes priority
- To check the FIB, use the show ip route command.
3.4 ARP table settings
When sending IPv4 packets, this product uses ARP (Address Resolution Protocol) to obtain the MAC addresses from the IPv4 addresses.
The correspondence between IPv4 address and MAC address is saved in the ARP table with the following specifications.
- The ARP entries saved in the ARP table manage the following information.
- IPv4 address
- MAC address
- VLAN interface
- Up to 1023 entries are stored in the ARP table, including dynamic and static entries.
- With the default settings, dynamic entries saved in the ARP table are maintained for 1,200 sec.
The entry timeout value can be changed using the arp-ageing-timeout command.
- Dynamic entries saved in the ARP table can be cleared regardless of the timeout value, by using the clear arp-cache command.
- Settings for the static entries in the ARP table are made using the arp command.
- Use the show arp command to check the ARP table.
4 Related Commands
The related commands are shown below.
For details on the commands, refer to the Command Reference.
List of related commands
Function types | Operations | Operating commands |
---|---|---|
IPv4 address settings | Set IPv4 address | ip address |
IPv4 address settings | Show IPv4 address | show ip interface |
IPv4 address settings | Set dynamic IPv4 address by DHCP client | ip address dhcp |
IPv4 address settings | Show DHCP client status | show dhcp lease |
IPv4 address settings | Enable/disable Auto IP function | auto-ip enable/disable |
Route information settings | Set default gateway | ip route |
Route information settings | Show default gateway | show ip route |
Route information settings | Set static route information | ip route |
Route information settings | Show static route information | show ip route |
Route information settings | Show route information | show ip route |
ARP table settings | Show ARP table | show arp |
ARP table settings | Set timeout for dynamic entries | arp-ageing-timeout |
ARP table settings | Clear dynamic entries | clear arp-cache |
ARP table settings | Set static entry | arp |
5 Examples of Command Execution
5.1 Set IPv4 network environment (DHCP)
In this example, the IPv4 addresses are set on this product, and an environment is set up for accessing the unit from a remote terminal.
- Maintenance for this product is done using the default VLAN (VLAN #1).
- The IPv4 address is set automatically by DHCP for the default VLAN (VLAN #1).
- Permit Web/TFTP access from hosts connected to VLAN #1.
- Check the IPv4 address that is currently set.
If the default settings are still in effect, the fixed IPv4 address (192.168.100.240/24) is set.
    Yamaha#show ip interface brief
    Interface        IP-Address                 Status                Protocol
    vlan1            192.168.100.240/24         up                    up
- Specify DHCP for the default VLAN (VLAN #1).
    Yamaha#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Yamaha(config)#interface vlan1
    Yamaha(config-if)#ip address dhcp
- Check the information that was provided by the DHCP server.
    Yamaha(config-if)#end
    Yamaha#show dhcp lease
    Interface vlan1
    --------------------------------------------------------------------------------
    IP Address:                   192.168.1.3
    Expires:                      YYYY/MM/DD 05:08:41
    Renew:                        YYYY/MM/DD 19:08:41
    Rebind:                       YYYY/MM/DD 02:38:41
    Server:
    Options:
      subnet-mask                 255.255.255.0
      default-gateway             192.168.1.1
      dhcp-lease-time             72000
      domain-name-servers         192.168.1.1
      dhcp-server-identifier      192.168.1.1
      domain-name                 xxx.xxxxx.xx.xx
- Permit access to the HTTP server and TFTP server on the default VLAN (VLAN #1).
After the settings are made, access the unit from a remote host over the Web.
    Yamaha(config)#http-server interface vlan1 ... (Permit HTTP server access)
    Yamaha(config)#tftp-server interface vlan1 ... (Permit TFTP server access)
6 Points of Caution
None
7 Related Documentation
- L2 switching functions: VLAN
- Remote access functions: Remote access control
- Yamaha rtpro: What is ARP?
IPv6 basic settings
1 Function Overview
This product is compatible with the following IPv6 network environment settings, mainly for the purpose of maintenance (configuring the settings of the switch).
- IPv6 address settings
- Route information settings
- Neighbor cache table settings
2 Definition of Terms Used
- RA (Router Advertisement)
- This is a system that automatically sets address information and network settings for devices of the network that is associated with a router.
- IPv6 address
- The IPv6 address is 128 bits expressed as hexadecimal. The address is divided into eight fields delimited by ":" with 16 bits in each field.
- 2001:02f8:0000:0000:1111:2222:0000:4444
The expression can be abbreviated according to the following rules.
- If the beginning of a field is a zero, the zero can be omitted.
- A field that consists of four zeros can be abbreviated as a single zero.
- Multiple fields consisting only of consecutive zeros can be abbreviated as "::" in only one location for the entire address.
Applying these rules to the above address, we get the following.
- 2001:2f8::1111:2222:0:4444
- IPv6 link local address
- This is an address that is only valid within the same segment, and is in the following range.
- [Start]FE80:0000:0000:0000:0000:0000:0000:0000
- [End]FE80:0000:0000:0000:FFFF:FFFF:FFFF:FFFF
3 Function Details
3.1 IPv6 address settings
This product lets you specify the IPv6 address and prefix length for a VLAN interface.
As the setting method, both fixed settings and automatic settings via RA (router advertisement) are supported.
- In order to specify an IPv6 address, IPv6 functionality must be enabled for the corresponding VLAN interface.
- To enable IPv6 functionality, use the ipv6 enable command.
- When IPv6 functionality is enabled, an IPv6 link local address is automatically assigned.
- To set a fixed/automatic IPv6 address, use the ipv6 address command.
- An IPv6 address can be set for up to eight VLAN interfaces.
The IPv6 address that can be set for one VLAN interface will be either a fixed setting or an automatic setting.
The IPv6 address that is allocated to a VLAN interface can be checked using the show ipv6 interface command.
3.2 Route information settings
This product refers to a routing table when sending syslog messages and when sending out voluntary IPv6 packets as an IPv6 host for NTP-based time adjustments and so on.
This product uses the following functions to perform the routing table operations.
- Set VLAN interface route information
- Set default gateway
- Set static route information
- Show route information
3.2.1 VLAN interface route information
When an IPv6 address is specified for a VLAN interface, the correspondence between the network address and the VLAN ID is automatically specified by this product as route information.
When IPv6 addresses set for the VLAN interface are released, the above settings are deleted.
3.2.2 Set default gateway
The destination for IPv6 packets sent to network addresses that are not set in the routing table can be set as the default gateway on this product.
- To set the default gateway, use the ipv6 route command.
- To show the default gateway, use the show ipv6 route command.
3.2.3 Set static route information
A static route to the destination network address (the gateway address to which packets will be sent) can be set on this product.
- Static route information is set using the ipv6 route command.
- Static route information is displayed using the show ipv6 route command.
3.2.4 Routing table and route selection
You will use the following two types of table to specify routing information.
- RIB (Routing Information Base: IP routing table)
- FIB (Forwarding Information Base: IP forwarding table)
The roles of each are explained below.
- RIB
RIB (Routing Information Base: IP routing table) is a database that stores various routing information.
- A route is registered in the RIB in the following cases.
- When an IPv6 address is assigned to a VLAN interface
- When a static route or a default gateway is specified manually
- To check the RIB, use the show ipv6 route database command.
- FIB
FIB (Forwarding Information Base: IP forwarding table) is a database that is referenced when deciding how to forward IP packets.
Of the routes that are registered in the RIB, the FIB registers only the route that is determined to be "optimal" and is actually used for forwarding packets.
- The conditions by which a route is determined to be optimal are as follows.
- The corresponding VLAN interface is in the link up state
- If multiple routes to the same destination are registered in the RIB, only one is decided in the following order of priority
- A route whose gateway has a higher IP address value takes priority
- To check the FIB, use the show ipv6 route command.
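The RIB-to-FIB selection rules described here, and the IPv4 variant in "IPv4 basic settings" section 3.3.4 that adds the manual-over-DHCP rule, can be modelled as follows. This is an added example, not Yamaha code: the `RibRoute` type, the `select_fib` function and the sample routes are constructed for illustration, and only routes that have a gateway are modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RibRoute:
    destination: str  # destination network, e.g. "0.0.0.0/0"
    gateway: str      # next-hop address
    vlan: str         # VLAN interface the gateway is reached through
    source: str       # "manual" (ip route / ipv6 route) or "dhcp" (learned via DHCP)


def _priority(route):
    """Sort key: manual beats DHCP-learned, then the numerically higher gateway wins."""
    is_manual = route.source == "manual"
    return (is_manual, int(ipaddress.ip_address(route.gateway)))


def select_fib(rib, link_up):
    """Pick one route per destination from the RIB.

    rib     -- iterable of RibRoute
    link_up -- dict mapping VLAN interface name to True (link up) or False
    Returns a dict {normalized destination string: RibRoute}.
    """
    fib = {}
    for route in rib:
        # Condition 1: the corresponding VLAN interface must be in the link up state.
        if not link_up.get(route.vlan, False):
            continue
        key = str(ipaddress.ip_network(route.destination))
        current = fib.get(key)
        # Condition 2: among routes to the same destination, keep the highest priority.
        if current is None or _priority(route) > _priority(current):
            fib[key] = route
    return fib


# Constructed sample data (not taken from a real device).
SAMPLE_LINK_STATE = {"vlan1": True, "vlan20": False}
SAMPLE_RIB = [
    RibRoute("0.0.0.0/0", "192.168.1.254", "vlan1", "dhcp"),
    RibRoute("0.0.0.0/0", "192.168.1.1", "vlan1", "manual"),       # manual wins over DHCP
    RibRoute("10.0.0.0/8", "192.168.1.9", "vlan1", "manual"),
    RibRoute("10.0.0.0/8", "192.168.1.10", "vlan1", "manual"),     # higher gateway value wins
    RibRoute("172.16.0.0/12", "192.168.20.1", "vlan20", "manual"),  # link down: stays out of the FIB
    RibRoute("2001:db8:2::/64", "fe80::1", "vlan1", "manual"),
    RibRoute("2001:db8:2::/64", "fe80::a", "vlan1", "manual"),      # IPv6: higher gateway value wins
]

if __name__ == "__main__":
    for dest, route in sorted(select_fib(SAMPLE_RIB, SAMPLE_LINK_STATE).items()):
        print(f"{dest:18} via {route.gateway:15} {route.vlan} ({route.source})")
```

Gateways are compared as integers, so 192.168.1.10 outranks 192.168.1.9, which a plain string comparison would get wrong.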
3.3 Neighbor cache table settings
When sending IPv6 packets, this product uses Neighbor Discovery Protocol to obtain the MAC addresses from the IPv6 addresses.
The correspondence between IPv6 address and MAC address is saved in the neighbor cache table with the following specifications.
- The neighbor cache entries saved in the neighbor cache table manage the following information.
- IPv6 address
- MAC address
- VLAN interface
- Up to 1023 entries are stored in the neighbor cache table, including dynamic and static entries.
- Dynamic entries saved in the neighbor cache table can be cleared by using the clear ipv6 neighbors command.
- Settings for the static entries in the neighbor cache table are made using the ipv6 neighbor command.
- Use the show ipv6 neighbors command to check the neighbor cache table.
4 Related Commands
The related commands are shown below.
For details on the commands, refer to the Command Reference.
List of related commands
Function types | Operations | Operating commands |
---|---|---|
IPv6 address settings | Enable/disable IPv6 addresses | ipv6 enable/disable |
IPv6 address settings | Set IPv6 address | ipv6 address |
IPv6 address settings | Show IPv6 address | show ipv6 interface |
IPv6 address settings | Set RA setting for IPv6 address | ipv6 address autoconfig |
Route information settings | Set default gateway | ipv6 route |
Route information settings | Show default gateway | show ipv6 route |
Route information settings | Set static route information | ipv6 route |
Route information settings | Show static route information | show ipv6 route |
Route information settings | Show route information | show ipv6 route |
Neighbor cache settings | Set static neighbor cache entry | ipv6 neighbors |
Neighbor cache settings | Show neighbor cache table | show ipv6 neighbors |
Neighbor cache settings | Clear neighbor cache table | clear ipv6 neighbors |
5 Examples of Command Execution
5.1 Setting up an IPv6 network environment (fixed settings)
In this example, the IPv6 addresses are manually set on this product, and an environment is set up for accessing the unit from a remote terminal.
- Maintenance for this product is done using the default VLAN (VLAN #1).
- The IPv6 address is set manually for the default VLAN (VLAN #1).
- Permit Web/TFTP access from hosts connected to VLAN #1.
- This sets 2001:db8:1::2/64 for the default VLAN (VLAN #1).
    Yamaha#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Yamaha(config)#interface vlan1
    Yamaha(config-if)#ipv6 enable ... (Enable IPv6)
    Yamaha(config-if)#ipv6 address 2001:db8:1::2/64 ... (Set IPv6 address)
- Check the IPv6 address that was set.
    Yamaha(config-if)#end
    Yamaha#show ipv6 interface brief
    Interface        IP-Address                                  Status                Protocol
    vlan1            2001:db8:1::2/64                            up                    up
                     fe80::2a0:deff:fe:2/64
- Permit access to the HTTP server and TFTP server on the default VLAN (VLAN #1).
After the settings are made, access the unit from a remote host over the Web.
    Yamaha(config)#http-server interface vlan1 ... (Permit HTTP server access)
    Yamaha(config)#tftp-server interface vlan1 ... (Permit TFTP server access)
5.2 Setting up an IPv6 network environment (automatic settings using RA)
In this example, the IPv6 addresses are automatically set on this product, and an environment is set up for accessing the unit from a remote terminal.
- Maintenance for this product is done using the default VLAN (VLAN #1).
- The IPv6 address is set automatically by RA for the default VLAN (VLAN #1).
- Permit Web/TFTP access from hosts connected to VLAN #1.
- Specify RA for the default VLAN (VLAN #1).
    Yamaha#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Yamaha(config)#interface vlan1
    Yamaha(config-if)#ipv6 enable ... (Enable IPv6)
    Yamaha(config-if)#ipv6 address autoconfig ... (Set RA)
- Check the IPv6 address that was obtained from RA.
    Yamaha(config-if)#end
    Yamaha#show ipv6 interface brief
    Interface        IP-Address                                  Status                Protocol
    vlan1            2001:db8::2a0:deff:fe:2/64                  up                    up
                     fe80::2a0:deff:fe:2/64
- Permit access to the HTTP server and TFTP server on the default VLAN (VLAN #1).
After the settings are made, access the unit from a remote host over the Web.
    Yamaha(config)#http-server interface vlan1 ... (Permit HTTP server access)
    Yamaha(config)#tftp-server interface vlan1 ... (Permit TFTP server access)
6 Points of Caution
None
7 Related Documentation
- L2 switching functions: VLAN
- Remote access functions: Remote access control
- Yamaha rtpro: What is ARP?
IGMP Snooping
1 Function Overview
IGMP snooping is a function to suppress consumption of network bandwidth in a VLAN environment, by controlling any surplus multicast flooding.
On an L2 switch, since multicast packets are distributed per VLAN, if there is even one device in the VLAN that wants to receive the multicast packet, the packet will be distributed to all ports within the same VLAN.
Operations during multicast distribution (no IGMP snooping)
When the IGMP snooping function is used, the IGMP messages exchanged between the receiving device and the multicast router are monitored (snooped), and packets for the relevant group are distributed only to the port to which the device that wants to receive the multicast packets is connected.
Operations during multicast distribution (using IGMP snooping)
2 Definition of Terms Used
- IGMP (Internet Group Management Protocol)
This is a protocol to control multicast groups.
The multicast router can determine which hosts on the LAN are members of the multicast network, and the hosts can communicate which multicast group they belong to.
There are three protocol versions, respectively defined by IGMPv1 (RFC1112), IGMPv2 (RFC2236), and IGMPv3 (RFC3376).
- Multicast router port
This is the LAN/SFP port to which the multicast router is connected.
The LAN/SFP port that receives the IGMP general query is automatically acquired as the multicast router port.
- IGMP report control function
This is a function where the switch controls the data transmission load between the multicast router and the hosts.
The messages gathered by this product to perform control are shown below.
- IGMP reports sent by hosts in reply to IGMP general queries from the multicast router
- IGMP leave messages notified by the host
The report control function works with IGMPv1/v2/v3.
- IGMPv2 Fast Leave function
This function allows the LAN/SFP port that received an IGMP leave message to immediately stop receiving multicasts (deleting the necessary FDB entry).
Previously, when an IGMP leave message was received in the course of IGMPv2 leave processing, a group-specific query was sent to that port to check for the existence of a receiver, but if the fast leave function is enabled, this operation is not performed.
For this reason, the fast leave function is effective only when there is a single receiver under the control of the LAN/SFP port.
The fast leave function operates only when an IGMPv2 leave message is received.
- IGMP query transmission function (IGMP Querier)
This is a function to send IGMP general and specific queries.
It is used to make IGMP snooping function in an environment without a multicast router.
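The fast leave caveat above (it is only safe with a single receiver behind a port) can be seen in a small model of the snooping table. This is an added example, not the switch's implementation: the `SnoopingVlan` class, the `simulate` function, the host names and the topology are constructed for illustration.

```python
class SnoopingVlan:
    """Minimal model of IGMP snooping state for one VLAN (group -> member ports)."""

    def __init__(self, ports, fast_leave=False):
        self.ports = set(ports)
        self.fast_leave = fast_leave
        self.members = {}  # group address -> set of ports with at least one receiver

    def receive_report(self, port, group):
        """An IGMP report snooped on a port registers that port for the group."""
        self.members.setdefault(group, set()).add(port)

    def receive_leave(self, port, group, send_group_query):
        """Handle an IGMPv2 leave message received on a port.

        send_group_query(port, group) models sending a group-specific query out
        of the port and returns True if any host answers with a report.
        With fast leave enabled the query is skipped and the entry is deleted.
        """
        if not self.fast_leave and send_group_query(port, group):
            return  # a receiver remains behind the port: keep the entry
        self.members.get(group, set()).discard(port)
        if not self.members.get(group):
            self.members.pop(group, None)

    def egress_ports(self, group, ingress, snooping=True):
        """Ports a multicast packet for the group is sent out of."""
        if not snooping:
            return self.ports - {ingress}  # no snooping: every port in the VLAN
        return self.members.get(group, set()) - {ingress}


def simulate(fast_leave):
    """Return the egress ports after PC-A leaves, then after PC-C leaves."""
    group = "239.0.0.1"
    # Constructed topology: PC-A and PC-B share port1.2 (for example behind an
    # unmanaged switch), PC-C is alone on port1.3, the source is on port1.1.
    hosts = {"PC-A": "port1.2", "PC-B": "port1.2", "PC-C": "port1.3"}
    joined = set(hosts)

    vlan = SnoopingVlan(["port1.1", "port1.2", "port1.3", "port1.4"], fast_leave)
    for host in sorted(joined):
        vlan.receive_report(hosts[host], group)

    def send_group_query(port, _group):
        # A host that is still joined and sits behind the port answers the query.
        return any(hosts[h] == port for h in joined)

    joined.discard("PC-A")
    vlan.receive_leave(hosts["PC-A"], group, send_group_query)
    after_a = sorted(vlan.egress_ports(group, "port1.1"))

    joined.discard("PC-C")
    vlan.receive_leave(hosts["PC-C"], group, send_group_query)
    after_c = sorted(vlan.egress_ports(group, "port1.1"))
    return after_a, after_c


if __name__ == "__main__":
    print("fast-leave off:", simulate(False))
    print("fast-leave on: ", simulate(True))
```

With fast leave on, port1.2 is dropped as soon as PC-A leaves, so PC-B stops receiving the stream even though it never left the group.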
3 Function Details
The operating specifications for IGMP snooping are shown below.
- This product offers snooping functions compatible with IGMP v1/v2/v3.
You can use the ip igmp snooping version command to make later versions operate on this product.
Version settings are made for the VLAN interface, and initial settings are for v3.
The difference in operations between the configured version and received frame versions are shown in the table below.
- If an IGMP query whose version is higher than the settings is received, the configured version will be lowered, and the query will be forwarded.
- If an IGMP report whose version is higher than the specified version is received, the relevant report will be discarded without being forwarded.
- The settings to enable/disable IGMP snooping are made for the VLAN interface.
The initial setting for the default VLAN (VLAN #1) and the initial setting after a VLAN is generated are both enabled.
- The IGMP snooping function can handle the following four operations.
- Multicast router port setting
- IGMP report control
- IGMPv2 Fast-leave
- IGMP query transmission
- Although the multicast router port is automatically acquired on VLAN interfaces where IGMP snooping is set to "enable", the ip igmp snooping mrouter interface command can also be used to make static settings.
The show ip igmp snooping mrouter command is used to check multicast router ports that are set for the VLAN interface.
- The IGMP report control function is automatically enabled on VLAN interfaces for which IGMP snooping has been set to "enable".
The IGMP report control function cannot be disabled.
When transmitting an IGMP report or IGMP leave message using the report control function, the IPv4 address allocated to the VLAN interface will be used for the source IPv4 address.
(The address will be set and transmitted as "0.0.0.0" if it has not been allocated.)
- The IGMPv2 fast-leave function is set for the VLAN interface using the ip igmp snooping fast-leave command.
The initial setting for the default VLAN (VLAN #1) and the initial setting after a VLAN is generated are both disabled.
- The IGMP query transmission function is supported in order to allow use of IGMP snooping in environments that do not have a multicast router.
The IGMP query transmission function controls the following two parameters.
- IGMP query transmission function Enable/disable
- The ip igmp snooping querier command is used for VLAN interfaces.
- The initial setting for the default VLAN (VLAN #1) and the initial setting after a VLAN is generated are both disabled.
- IGMP query transmission interval
- This is executed using the ip igmp snooping query-interval command.
- The transmission interval can be set from 20–18,000 sec., and the default value is 125 sec.
- When multiple devices transmit queries within a VLAN, the query is sent by the device with the lowest IPv4 address within the VLAN.
When this product receives a query from a device whose IPv4 address is lower than its own, the query transmission function will be halted.
The source IPv4 address that is set when a query is transmitted is the IPv4 address allocated to the VLAN interface. If an IPv4 address has not been allocated, an IPv4 address allocated to a different VLAN interface is used instead.
(If no IPv4 addresses have been allocated to any VLAN interfaces, the address will be set and transmitted as "0.0.0.0".)
- This product features a function that forces the TTL value of a received IGMP packet to change to "1" if the TTL value is invalid (a value other than "1"), instead of discarding the packet.
This is defined as the "TTL check function", and it can be configured for a VLAN interface by using the ip igmp snooping check ttl command.
The TTL check function is enabled (discard packets with an invalid TTL value) both for the initial setting of the default VLAN (VLAN #1) and for the initial setting after a VLAN is generated.
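The two behaviours of the TTL check described above (discard when enabled, force the TTL to "1" when disabled) are sketched below at packet level. This is an added example, not the switch's code: the function names and the sample report packet are constructed. Because the TTL field is covered by the IPv4 header checksum, rewriting it requires recomputing that checksum.

```python
import socket
import struct

IPPROTO_IGMP = 2


def checksum16(data: bytes) -> int:
    """Internet checksum (RFC 1071) over the given bytes."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmpv2_report(src: str, group: str, ttl: int) -> bytes:
    """Construct an IPv4 packet carrying an IGMPv2 membership report (sample input)."""
    igmp = struct.pack("!BBH4s", 0x16, 0, 0, socket.inet_aton(group))
    igmp = igmp[:2] + struct.pack("!H", checksum16(igmp)) + igmp[4:]
    router_alert = b"\x94\x04\x00\x00"  # IP Router Alert option
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x46,                    # version 4, IHL 6 (24-byte header with the option)
        0xC0, 24 + len(igmp),    # TOS, total length
        0, 0,                    # identification, flags/fragment offset
        ttl, IPPROTO_IGMP, 0,    # TTL, protocol, checksum placeholder
        socket.inet_aton(src), socket.inet_aton(group),
    ) + router_alert
    header = header[:10] + struct.pack("!H", checksum16(header)) + header[12:]
    return header + igmp


def header_checksum_ok(packet: bytes) -> bool:
    """A valid IPv4 header sums to zero when the checksum field is included."""
    ihl = (packet[0] & 0x0F) * 4
    return checksum16(packet[:ihl]) == 0


def apply_ttl_check(packet: bytes, check_enabled: bool):
    """Return the packet to process further, or None if it is discarded.

    check_enabled=True  -> an IGMP packet whose TTL is not 1 is discarded.
    check_enabled=False -> the TTL is forced to 1 and the packet is kept.
    """
    if packet[9] != IPPROTO_IGMP or packet[8] == 1:
        return packet                       # not IGMP, or TTL already valid
    if check_enabled:
        return None                         # invalid TTL: discard
    ihl = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:ihl])
    header[8] = 1                           # force TTL to 1
    header[10:12] = b"\x00\x00"             # clear, then recompute the checksum
    header[10:12] = struct.pack("!H", checksum16(bytes(header)))
    return bytes(header) + packet[ihl:]


if __name__ == "__main__":
    bad = build_igmpv2_report("192.168.100.2", "239.0.0.1", ttl=64)  # constructed
    print("check enabled :", apply_ttl_check(bad, True))
    fixed = apply_ttl_check(bad, False)
    print("check disabled: TTL", fixed[8], "checksum ok:", header_checksum_ok(fixed))
```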
4 Related Commands
The related commands are shown below.
For details on the commands, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Enable/disable IGMP snooping | ip igmp snooping |
Set IGMP snooping fast-leave | ip igmp snooping fast-leave |
Set multicast router port | ip igmp snooping mrouter interface |
Set query transmission function | ip igmp snooping querier |
Set IGMP query transmission interval | ip igmp snooping query-interval |
Set IGMP snooping TTL check | ip igmp snooping check ttl |
Set IGMP version | ip igmp snooping version |
Show multicast router port information | show ip igmp snooping mrouter |
Show IGMP multicast recipient information | show ip igmp snooping groups |
Show an interface's IGMP-related information | show ip igmp snooping interface |
Clear IGMP group membership entries | clear ip igmp snooping |
5 Examples of Command Execution
5.1 IGMP snooping settings (with multicast router)
In an environment with a multicast router, enable the IGMP snooping function and join a multicast group.
Data is distributed only to PC1 and PC3.
IGMP snooping setting example (with multicast router)
- LAN ports #1–#4 are set as access ports, and associated with VLAN #10.
- Since there is a multicast router, the IGMP query transmission function is left as "disabled".
- Multicast router port acquisition is set to automatic acquisition only. (A static setting is not used.)
- The IGMPv2 fast-leave function is enabled.
- Define VLAN #10, and set IGMP snooping.
    Yamaha(config)# vlan database
    Yamaha(config-vlan)#vlan 10 ... (VLAN #10 definition)
    Yamaha(config-vlan)#exit
    Yamaha(config)#interface vlan10
    Yamaha(config-if)#ip igmp snooping ... (Enable IGMP Snooping for VLAN #10)
    Yamaha(config-if)#no ip igmp snooping querier ... (Disable IGMP query transmission function for VLAN #10)
    Yamaha(config-if)#ip igmp snooping fast-leave ... (Enable IGMP Fast-leave function for VLAN #10)
- By default, IGMP snooping is enabled and IGMP query transmission is disabled, so there is no need to set them.
- Set LAN ports #1–#4 as access ports, and associate them with VLAN #10.
    Yamaha(config)# interface port1.1
    Yamaha(config-if)# switchport mode access
    Yamaha(config-if)# switchport access vlan 10
    (Also perform the above settings for LAN ports #2-#4.)
- Confirm the multicast router port information. (It should be connected to LAN port #1.)
    Yamaha#show ip igmp snooping mrouter vlan10
    VLAN    Interface            IP-address         Expires
    10      port1.1(dynamic)     192.168.100.216    00:00:49
- Confirm the information for the multicast recipient.
    Yamaha#show ip igmp snooping groups
    IGMP Snooping Group Membership
    Group source list: (R - Remote, S - Static)
    Vlan   Group/Source Address    Interface    Flags   Uptime     Expires    Last Reporter    Version
    10     239.0.0.1               port1.2      R       00:00:13   00:00:41   192.168.100.2    V3
    10     239.0.0.1               port1.4      R       00:00:02   00:00:48   192.168.100.4    V3
5.2 IGMP snooping settings (without multicast router)
In an environment without a multicast router, enable the IGMP snooping function and join a multicast group.
Data is distributed only to PC1 and PC3.
IGMP snooping settings (without multicast router)
- Switch #A
  - LAN ports #1–#2 are set as access ports, and associated with VLAN #10.
  - The IGMP query transmission function is enabled.
    The IGMP query transmission interval is set to 20 sec.
- Switch #B
  - LAN ports #1–#4 are set as access ports, and associated with VLAN #10.
  - Multicast router port acquisition is set to automatic acquisition only. (A static setting is not used.)
  - The IGMPv2 Fast-Leave function is enabled.
  - Since there is a device that sets invalid TTL values in IGMP packets, disable the TTL check function.
- [Switch #A] Define VLAN #10, and set IGMP snooping.
Yamaha(config)# vlan database
Yamaha(config-vlan)#vlan 10 ... (VLAN #10 definition)
Yamaha(config-vlan)#exit
Yamaha(config)#interface vlan10
Yamaha(config-if)#ip igmp snooping ... (Enable IGMP Snooping for VLAN #10)
Yamaha(config-if)#ip igmp snooping querier ... (Enable IGMP query transmission function for VLAN #10)
Yamaha(config-if)#ip igmp snooping query-interval 20 ... (Set 20 seconds as the IGMP query transmission interval for VLAN #10)
- Since IGMP snooping is enabled by default, we do not need to set this specifically.
- [Switch #A] Set LAN ports #1–#2 as access ports, and associate them with VLAN #10.
Yamaha(config)# interface port1.1
Yamaha(config-if)# switchport mode access
Yamaha(config-if)# switchport access vlan 10
(Also perform the above settings for LAN port #2.)
- [Switch #B] Define VLAN #10, and set IGMP snooping.
Yamaha(config)# vlan database
Yamaha(config-vlan)#vlan 10 ... (VLAN #10 definition)
Yamaha(config-vlan)#exit
Yamaha(config)#interface vlan10
Yamaha(config-if)#ip igmp snooping ... (Enable IGMP Snooping for VLAN #10)
Yamaha(config-if)#no ip igmp snooping querier ... (Disable IGMP query transmission function for VLAN #10)
Yamaha(config-if)#no ip igmp snooping check ttl ... (Disable TTL check function for VLAN #10)
Yamaha(config-if)#ip igmp snooping fast-leave ... (Enable IGMP Fast-leave function for VLAN #10)
- By default, IGMP snooping is enabled and IGMP query transmission is disabled, so there is no need to set them.
- [Switch #B] Set LAN ports #1–#4 as access ports, and associate them with VLAN #10.
Yamaha(config)# interface port1.1
Yamaha(config-if)# switchport mode access
Yamaha(config-if)# switchport access vlan 10
(Also perform the above settings for LAN ports #2-#4.)
- [Switch #B] Confirm the multicast router port information. (It should be connected to LAN port #1.)
Yamaha#show ip igmp snooping mrouter vlan10
VLAN    Interface            IP-address        Expires
10      port1.1(dynamic)     192.168.100.216   00:00:49
- [Switch #B] Confirm the information for the multicast recipient.
Yamaha#show ip igmp snooping groups
IGMP Snooping Group Membership
Group source list: (R - Remote, S - Static)
Vlan  Group/Source Address  Interface  Flags  Uptime    Expires   Last Reporter  Version
10    239.0.0.1             port1.2    R      00:00:13  00:00:41  192.168.100.2  V3
10    239.0.0.1             port1.4    R      00:00:02  00:00:48  192.168.100.4  V3
6 Points of Caution
If you want to change the handling of unknown multicast frames, use the l2-unknown-mcast command.
When a topology change is detected, if you want to send a query regardless of the normal transmission interval, set the l2-mcast snooping tcn-query command.
7 Related Documentation
- L2 switching functions: VLAN
MLD Snooping
1 Function Overview
MLD snooping is a function to suppress consumption of network bandwidth in an IPv6 VLAN environment, by controlling any surplus multicast flooding.
On an L2 switch, since multicast packets are distributed per VLAN, if there is even one device in the VLAN that wants to receive the multicast packet, the packet will be distributed to all ports within the same VLAN.
Operations during multicast distribution (no MLD snooping)
When the MLD snooping function is used, the MLD messages exchanged between the receiving device and the multicast router are monitored (snooped), and packets for the relevant group are distributed only to the port to which a device that wants to receive them is connected.
Operations during multicast distribution (using MLD snooping)
2 Definition of Terms Used
- MLD (Multicast Listener Discovery)
This is a protocol to control multicast groups using IPv6 (a sub-protocol of ICMPv6).
The multicast router can determine which hosts on the LAN are members of the multicast network, and the hosts can communicate which multicast group they belong to.
There are two protocol versions, MLDv1 (RFC2710) and MLDv2 (RFC3810).
- Multicast router port
This is the LAN/SFP port to which the multicast router is connected.
The LAN/SFP port that receives the MLD general query is automatically acquired as the multicast router port.
- MLD report control function
This is a function where the L2 switch controls the data transmission load between the multicast router and the hosts.
The messages gathered by this product to perform control are shown below.
- MLD reports sent by hosts in reply to MLD general queries from the multicast router
- MLD Done messages and MLD reports (Leave) sent by hosts
The report control function works with MLDv1/v2.
- MLD Fast Leave function
This function makes a LAN/SFP port that has received an MLDv1 Done message or an MLDv2 report (Leave) stop receiving multicasts immediately (by deleting the relevant FDB entry).
Ordinarily, when an MLDv1 Done message or an MLDv2 report (Leave) is received in the course of MLD leave processing, a group-specific query is sent to check whether a receiver still exists; if the fast-leave function is enabled, this operation is not performed.
For this reason, the fast leave function is effective only when there is a single receiver under the control of the LAN/SFP port.
- MLD query transmission function (MLD Querier)
This is a function to send MLD general and specific queries.
It is used to make the MLD snooping function work in an environment without a multicast router.
3 Function Details
The operating specifications for MLD snooping are shown below.
- This product offers snooping functions compatible with MLDv1/v2.
You can use the mld snooping version command to make later versions work on this product.
Version settings are made for the VLAN interface, and initial settings are for v2.
The differences in operation between the configured version and the version of received frames are shown below.
- If an MLD query whose version is higher than the settings is received, the version will be lowered to the version that was configured, and the query will be forwarded.
- If an MLD report whose version is higher than the configured version is received, the relevant report will be discarded without being forwarded.
- The settings to enable/disable MLD snooping are made for the VLAN interface.
The initial setting for the default VLAN (VLAN #1) and the initial setting after a VLAN is generated are both enabled.
- The MLD snooping function can handle the following four operations.
- Multicast router port setting
- MLD report control
- MLD fast leave
- MLD query transmission
- Although the multicast router port is automatically acquired on VLAN interfaces where MLD snooping is set to "enable", the mld snooping mrouter interface command can also be used to make static settings.
The show mld snooping mrouter command is used to check multicast router ports that are set for the VLAN interface.
- The MLD report control function is automatically enabled on VLAN interfaces for which MLD snooping has been set to "enable".
The MLD report control function cannot be disabled.
When transmitting an MLD report or MLD Done message using the report control function, the IPv6 link local address allocated to the VLAN interface will be used for the source IPv6 address.
(The address will be set and transmitted as "::" if it has not been allocated.)
- The MLD fast-leave function is set for the VLAN interface using the mld snooping fast-leave command.
The initial setting for the default VLAN (VLAN #1) and the initial setting after a VLAN is generated are both disabled.
- The MLD query transmission function is supported in order to allow use of MLD snooping in environments that do not have a multicast router.
The MLD query transmission function controls the following two parameters.
- MLD query transmission function enable/disable
  - The mld snooping querier command is used for VLAN interfaces.
  - The initial setting for the default VLAN (VLAN #1) and the initial setting after a VLAN is generated are both disabled.
- MLD query transmission interval
  - This is set using the mld snooping query-interval command.
  - The transmission interval can be set from 20–18,000 sec., and the default value is 125 sec.
- When multiple devices transmit queries within a VLAN, the query is sent by the device with the lowest IPv6 address within the VLAN.
When this product receives a query from a device whose IPv6 address is lower than its own, the query transmission function will be halted.
The source IPv6 address that is set when a query is transmitted is the IPv6 link local address allocated to the VLAN interface. If an IPv6 link local address has not been allocated, an IPv6 link local address allocated to a different VLAN interface is used instead.
(If no IPv6 link local addresses have been allocated to any VLAN interfaces, the query is not transmitted.)
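The querier selection rule above, worked through as an added example (not Yamaha's code): each device picks its query source address as described, and the device with the lowest address in the VLAN keeps sending. The device names, the dictionary layout and the use of the lowest-numbered other VLAN for the fallback address are assumptions; the addresses are constructed sample values.

```python
import ipaddress


def query_source(vlan_id, link_local):
    """Return the source address a device would use for queries on vlan_id.

    link_local maps VLAN ID -> IPv6 link local address of that VLAN interface.
    Rule from the text: use the address of the VLAN interface itself, otherwise
    an address allocated to a different VLAN interface, otherwise send nothing.
    """
    own = link_local.get(vlan_id)
    if own:
        return ipaddress.IPv6Address(own)
    # Assumption: the manual does not say which other VLAN interface is used,
    # so this sketch takes the lowest-numbered one that has an address.
    for other_vlan in sorted(link_local):
        if link_local[other_vlan]:
            return ipaddress.IPv6Address(link_local[other_vlan])
    return None


def elect_querier(vlan_id, devices):
    """Work out which device ends up sending queries on vlan_id.

    Returns a dict with:
      querier      - name of the device with the lowest source address, or None
      halted       - querier-enabled devices that stop after seeing a lower address
      cannot_query - querier-enabled devices with no usable source address
    """
    sources, cannot_query = {}, []
    for name, dev in devices.items():
        if not dev["querier"]:
            continue  # query transmission disabled (the default setting)
        src = query_source(vlan_id, dev["link_local"])
        if src is None:
            cannot_query.append(name)
        else:
            sources[name] = src
    querier = min(sources, key=sources.get) if sources else None
    halted = sorted(n for n in sources if n != querier)
    return {"querier": querier, "halted": halted,
            "cannot_query": sorted(cannot_query)}


# Constructed sample topology for VLAN #10.
DEVICES = {
    "switch-A": {"querier": True, "link_local": {10: "fe80::2a0:deff:feae:b879"}},
    # No address on VLAN 10, so the address of VLAN 1 is used as the source.
    "switch-B": {"querier": True, "link_local": {1: "fe80::2a0:deff:fe00:1"}},
    # Querier enabled but no link local address anywhere: never sends a query.
    "switch-C": {"querier": True, "link_local": {}},
    # Lowest address of all, but query transmission is disabled.
    "switch-D": {"querier": False, "link_local": {10: "fe80::1"}},
}

if __name__ == "__main__":
    print(elect_querier(10, DEVICES))
```

Running this against the intended design shows whether the device you expect holds the querier role, and whether a VLAN is left with no device able to send queries at all.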
4 Related Commands
Related commands are shown below.
For details on the commands, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Enable/disable MLD snooping | ipv6 mld snooping |
Set MLD snooping fast-leave | ipv6 mld snooping fast-leave |
Set the multicast router port | ipv6 mld snooping mrouter interface |
Set query transmission function | ipv6 mld snooping querier |
Set the MLD query transmission interval | ipv6 mld snooping query-interval |
Set the MLD version | ipv6 mld snooping version |
Show multicast router port information | show ipv6 mld snooping mrouter |
Show MLD multicast recipient information | show ipv6 mld snooping groups |
Show an interface's MLD-related information | show ipv6 mld snooping interface |
Clear the MLD group membership entries | clear ipv6 mld snooping |
5 Examples of Command Execution
5.1 MLD snooping settings (with multicast router)
In an environment with a multicast router, this enables the MLD snooping function, and data is distributed only to PC1 and PC3 which are joined to a multicast group.
MLD snooping setting example (with multicast router)
- LAN ports #1–#4 are set as access ports, and associated with VLAN #10.
- Since there is a multicast router, the MLD query transmission function is left as "disabled".
- Multicast router port acquisition is set to automatic acquisition only. (A static setting is not used.)
- The MLD fast-leave function is enabled.
- Define VLAN #10, and set MLD snooping.
Yamaha(config)# vlan database
Yamaha(config-vlan)#vlan 10 ... (definition of VLAN #10)
Yamaha(config-vlan)#exit
Yamaha(config)#interface vlan10
Yamaha(config-if)#ipv6 enable ... (enables IPv6 functionality on VLAN #10)
Yamaha(config-if)#ipv6 mld snooping ... (enables MLD Snooping on VLAN #10)
Yamaha(config-if)#no ipv6 mld snooping querier ... (disables the MLD query transmission function on VLAN #10)
Yamaha(config-if)#ipv6 mld snooping fast-leave ... (enables the MLD Fast-leave function on VLAN #10)
- By default, MLD snooping is enabled and MLD query transmission is disabled, so there is no need to set them.
- Set LAN ports #1–#4 as access ports, and associate them with VLAN #10.
Yamaha(config)# interface port1.1
Yamaha(config-if)# switchport mode access
Yamaha(config-if)# switchport access vlan 10
(the settings above are also applied to LAN ports #2–#4)
- Confirm the multicast router port information. (It should be connected to LAN port #1.)
Yamaha#show ipv6 mld snooping mrouter vlan10
VLAN    Interface            IP-address                  Expires
10      port1.1(dynamic)     fe80::2a0:deff:feae:b879    00:00:43
- Confirm the information for the multicast recipient.
Yamaha#show ipv6 mld snooping groups
MLD Connected Group Membership
Vlan  Group Address  Interface  Uptime    Expires   Last Reporter
10    ff15::1        port1.2    00:00:13  00:00:41  fe80::a00:27ff:fe8b:87e2
10    ff15::1        port1.4    00:00:02  00:00:48  fe80::a00:27ff:fe8b:87e4
5.2 MLD snooping settings (without multicast router)
In an environment without a multicast router, this enables the MLD snooping function, and data is distributed only to PC1 and PC3 which are joined to a multicast group.
MLD snooping settings (without multicast router)
- Switch #A
  - LAN ports #1–#2 are set as access ports, and associated with VLAN #10.
  - The MLD query transmission function is enabled.
    The MLD query transmission interval is set to 20 sec.
- Switch #B
  - LAN ports #1–#4 are set as access ports, and associated with VLAN #10.
  - Multicast router port acquisition is set to automatic acquisition only. (A static setting is not used.)
  - The MLD fast-leave function is enabled.
- [Switch #A] Define VLAN #10, and set MLD snooping.
Yamaha(config)# vlan database
Yamaha(config-vlan)#vlan 10 ... (definition of VLAN #10)
Yamaha(config-vlan)#exit
Yamaha(config)#interface vlan10
Yamaha(config-if)#ipv6 enable ... (enables IPv6 functionality on VLAN #10)
Yamaha(config-if)#ipv6 mld snooping ... (enables MLD Snooping on VLAN #10)
Yamaha(config-if)#ipv6 mld snooping querier ... (enables the MLD query transmission function on VLAN #10)
Yamaha(config-if)#ipv6 mld snooping query-interval 20 ... (sets the MLD query transmission interval to 20 sec. on VLAN #10)
- Since MLD snooping is enabled by default, we do not need to set this specifically.
- [Switch #A] Set LAN ports #1–#2 as access ports, and associate them with VLAN #10.
Yamaha(config)# interface port1.1
Yamaha(config-if)# switchport mode access
Yamaha(config-if)# switchport access vlan 10
(the settings above are also applied to LAN port #2)
- [Switch #B] Define VLAN #10, and set MLD snooping.
Yamaha(config)# vlan database
Yamaha(config-vlan)#vlan 10 ... (definition of VLAN #10)
Yamaha(config-vlan)#exit
Yamaha(config)#interface vlan10
Yamaha(config-if)#ipv6 enable ... (enables IPv6 functionality on VLAN #10)
Yamaha(config-if)#ipv6 mld snooping ... (enables MLD Snooping on VLAN #10)
Yamaha(config-if)#no ipv6 mld snooping querier ... (disables the MLD query transmission function on VLAN #10)
Yamaha(config-if)#ipv6 mld snooping fast-leave ... (enables the MLD Fast-leave function on VLAN #10)
- By default, MLD snooping is enabled and MLD query transmission is disabled, so there is no need to set them.
- [Switch #B] Set LAN ports #1–#4 as access ports, and associate them with VLAN #10.
Yamaha(config)# interface port1.1
Yamaha(config-if)# switchport mode access
Yamaha(config-if)# switchport access vlan 10
(the settings above are also applied to LAN ports #2–4)
- [Switch #B] Confirm the multicast router port information. (It should be connected to LAN port #1.)
Yamaha#show ipv6 mld snooping mrouter vlan10
VLAN    Interface            IP-address                  Expires
10      port1.1(dynamic)     fe80::2a0:deff:feae:b879    00:00:43
- [Switch #B] Confirm the information for the multicast recipient.
Yamaha#show ipv6 mld snooping groups
MLD Connected Group Membership
Vlan  Group Address  Interface  Uptime    Expires   Last Reporter
10    ff15::1        port1.2    00:00:13  00:00:41  fe80::a00:27ff:fe8b:87e2
10    ff15::1        port1.4    00:00:02  00:00:48  fe80::a00:27ff:fe8b:87e4
6 Points of Caution
If you want to change the handling of unknown multicast frames, use the l2-unknown-mcast command.
When a topology change is detected, if you want to send a query regardless of the normal transmission interval, set the l2-mcast snooping tcn-query command.
If the stack function is enabled, this will be disabled regardless of the MLD snooping settings.
7 Related Documentation
- Layer 2 functions: VLAN
- Layer 3 functions: IPv6 basic settings
ACL
1 Function Overview
The access list (ACL) is a conditional statement that determines whether to permit or to deny the frame.
If the access list is applied to the interface, only the permitted frame will be transferred, and the denied frame will be discarded.
As this allows for only specified frames to be selected for transfer, this feature is primarily used for security purposes.
This product supports three access list types, as shown in the table below.
Access list type
Access list type | Deciding criteria | Access list ID | Purpose of use |
---|---|---|---|
IPv4 access list | Source IPv4 address Destination IPv4 address IP protocol type | 1–2000 | Filters access from specific hosts and networks. Filters specific IP protocol types such as TCP/UDP. |
IPv6 access list | Source IPv6 address | 3001–4000 | Filters access from specific hosts and networks. |
MAC access list | Source MAC address Destination MAC address | 2001–3000 | Filters access and data transfer from specific devices. |
2 Definition of Terms Used
- ACL
- Abbreviation of "Access Control List".
- Wildcard mask
Information that specifies which portion of the specified IPv4 address or MAC address is read. This is used when specifying a range of IPv4 addresses or MAC addresses as ACL conditions.
- When the wildcard mask bit is "0": check the corresponding bit
- When the wildcard mask bit is "1": do not check the corresponding bit
Examples of settings using wildcard masks are shown below. (The second value in each setting is the wildcard mask.)
- To specify conditions for subnet 192.168.1.0/24: 192.168.1.0 0.0.0.255 (specified as decimal)
- To specify conditions for vendor code 00-A0-DE-*-*-*: 00A0.DE00.0000 0000.00FF.FFFF (specified as hexadecimal)
3 Function Details
3.1 Generating an access list
For each access list type, access lists can be generated up to the number of IDs in its access list ID range. (Refer to the table in "1 Function Overview".)
A maximum of 256 control parameters can be registered per list for access lists.
If the registered control conditions are not satisfied, forwarding occurs as usual.
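How wildcard masks and the no-match rule in 3.1 combine, as an added example (not Yamaha's code): it parses the access-list forms used in this manual's examples and evaluates frames against them. Checking entries in order with the first match deciding is an assumption, as are the function names; the sample frames are constructed.

```python
import ipaddress


def ipv4_to_int(text):
    return int(ipaddress.IPv4Address(text))


def mac_to_int(text):
    # Accepts 00a0.de12.3456, 00-A0-DE-12-34-56 and 00:a0:de:12:34:56.
    digits = "".join(c for c in text if c not in ".-:")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text!r}")
    return int(digits, 16)


# Access list ID ranges from the table in "1 Function Overview".
KINDS = (
    (range(1, 2001), "ipv4", ipv4_to_int, 32),
    (range(2001, 3001), "mac", mac_to_int, 48),
)


def wildcard_match(value, base, wildcard):
    # Wildcard bit 0: the bit is checked. Wildcard bit 1: the bit is not checked.
    return (value ^ base) & ~wildcard == 0


def take_address(tokens, to_int, bits):
    """Consume 'any', 'host ADDR' or 'ADDR WILDCARD'; return (base, wildcard)."""
    word = tokens.pop(0)
    if word == "any":
        return 0, (1 << bits) - 1          # no bit is checked
    if word == "host":
        return to_int(tokens.pop(0)), 0    # every bit is checked
    return to_int(word), to_int(tokens.pop(0))


def build_acl(lines):
    """Parse IPv4 and MAC access-list lines in the forms shown in this manual."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        acl_id, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if action == "description":
            continue                        # a name, not a control condition
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        for ids, kind, to_int, bits in KINDS:
            if acl_id in ids:
                break
        else:
            raise ValueError("only IPv4 and MAC access lists are handled here")
        # The manual's IPv4 examples all use protocol "any"; nothing else is parsed.
        if kind == "ipv4" and rest.pop(0) != "any":
            raise ValueError("only protocol 'any' is handled here")
        src = take_address(rest, to_int, bits)
        dst = take_address(rest, to_int, bits)
        if rest:
            raise ValueError(f"unexpected trailing words in: {line!r}")
        entries.append((action, to_int, src, dst))
    return entries


def evaluate(entries, src, dst):
    """Return (decision, entry index). Assumption: first matching entry decides.

    When no entry matches, the frame is forwarded as usual (section 3.1),
    so a list of permit entries filters nothing without a final deny.
    """
    for index, (action, to_int, src_spec, dst_spec) in enumerate(entries):
        if (wildcard_match(to_int(src), *src_spec)
                and wildcard_match(to_int(dst), *dst_spec)):
            return action, index
    return "forward", None


# Lists taken from the examples in section 5, plus one variant without the deny.
ACL_123 = build_acl([
    "access-list 123 permit any 192.168.1.0 0.0.0.255 host 10.1.1.1",
    "access-list 123 deny any any any",
    "access-list 123 description IPV4-ACL-EX",
])
ACL_123_NO_DENY = build_acl([
    "access-list 123 permit any 192.168.1.0 0.0.0.255 host 10.1.1.1",
])
ACL_2001 = build_acl([
    "access-list 2001 deny 00a0.de00.0000 0000.00ff.ffff any",
])

if __name__ == "__main__":
    for acl, src, dst in (
        (ACL_123, "192.168.1.77", "10.1.1.1"),
        (ACL_123, "192.168.2.77", "10.1.1.1"),
        (ACL_123_NO_DENY, "192.168.2.77", "10.1.1.1"),
        (ACL_2001, "00-A0-DE-12-34-56", "ff:ff:ff:ff:ff:ff"),
    ):
        print(src, "->", dst, evaluate(acl, src, dst))
```

The third case is the one to check in a review: with the closing `deny any any any` left out, traffic from 192.168.2.77 is forwarded because no condition matched.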
3.2 Applying to the interface
The following table shows how access lists are applied to the input/output interfaces of this product.
Note that one access list each can be applied to the input (in) side and the output (out) side of an interface.
- Status of access list application to the interface
Access list type | LAN/SFP port (in) | LAN/SFP port (out) | VLAN interface (in) | VLAN interface (out) | Static/LACP logical interface (in) | Static/LACP logical interface (out) |
---|---|---|---|---|---|---|
IPv4 access list | ○ | ○(*) | ○ | × | ○ | × |
IPv6 access list | ○ | ○ | ○ | × | ○ | × |
MAC access list | ○ | × | ○ | × | ○ | × |
(*) As a limitation, an IPv4 access list that specifies a range of port numbers cannot be applied to the output (out) side of an interface.
The number of access lists that can be applied to the interface depends on the number of control parameters that are registered in the access lists.
On this product, a maximum of 512 control parameters can be registered to the interface.
Applying an access list to the interface will use resources "equivalent to the number of control parameters that are registered in the access list".
However, control parameters may also be used internally within the system in some cases, and use resources accordingly.
3.3 Settings for the LAN/SFP port and logical interface
The steps for applying an access list to a LAN/SFP port and to a logical interface are shown below.
- Decide on the filtering parameters, and generate the access list.
- Add a name if necessary.
- Check the access list.
- Apply the access list to the LAN/SFP port and logical interface.
- Check the applied access list.
A list of operation commands is given below.
Access list operation commands (when applied to the LAN/SFP port and logical interface)
Access list type | Generate access list | Check access list | Apply access list | Check the applied access list |
---|---|---|---|---|
IPv4 access list | access-list | show access-list | access-group | show access-group |
IPv6 access list | access-list | show access-list | access-group | show access-group |
MAC access list | access-list | show access-list | access-group | show access-group |
3.4 VLAN interface settings
The steps for applying access lists to the VLAN interface are shown below.
- Decide on the filtering parameters, and generate the access list.
- Add a name if necessary.
- Check the access list.
- Generate the VLAN access map.
- Set the access list for the VLAN access map.
- Check the VLAN access map.
- Apply the VLAN access map to the VLAN.
- Check the VLAN access map that was applied.
The operations in steps 1 and 2 are the same as those shown in 3.3.
The following is a list of operating commands for step 3 and the steps that follow.
VLAN access map operating command
Access list type | VLAN access map generation | Settings for access list used with VLAN access map | VLAN access map confirmation | VLAN access map application | Confirmation of the applied VLAN access map |
---|---|---|---|---|---|
IPv4 access list | vlan access-map | match access-list | show vlan access-map | vlan filter | show vlan filter |
IPv6 access list | vlan access-map | match access-list | show vlan access-map | vlan filter | show vlan filter |
MAC access list | vlan access-map | match access-list | show vlan access-map | vlan filter | show vlan filter |
4 Related Commands
The related commands are shown below.
For details on the commands, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Generate IPv4 access list | access-list |
Add comment to IPv4 access list | access-list description |
Apply IPv4 access list | access-group |
Generate IPv6 access list | access-list |
Add comment to IPv6 access list | access-list description |
Apply IPv6 access list | access-group |
Generate MAC access list | access-list |
Add comment to MAC access list | access-list description |
Apply MAC access list | access-group |
Show generated access list | show access-list |
Show access list applied to interface | show access-group |
5 Examples of Command Execution
5.1 IPv4 access list settings
5.1.1 Example of application to a LAN port
■ Specify host
In this example, we will set LAN port #1 to permit access from host:192.168.1.1 to host:10.1.1.1.
The access list ID to be used is #123, and the access list name IPV4-ACL-EX is added.
- Generate and confirm access list #123.
Yamaha(config)#access-list 123 permit any host 192.168.1.1 host 10.1.1.1 ... (Generate access list)
Yamaha(config)#access-list 123 deny any any any
Yamaha(config)#access-list 123 description IPV4-ACL-EX ... (Assign name to access list)
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 123 ... (Check access list)
IPv4 access list 123
    10 permit any host 192.168.1.1 host 10.1.1.1
    20 deny any any any
Yamaha#
- Apply access list #123 to LAN port #1.
Yamaha(config)#interface port1.1
Yamaha(config-if)#access-group 123 in ... (Apply access list)
Yamaha(config-if)#end
Yamaha#
Yamaha#show access-group ... (Check access list setting)
Interface port1.1 : IPv4 access group 123 in
■ Specify network
In this example, we will set LAN port #1 to permit access from network: 192.168.1.0/24 to host: 10.1.1.1.
The access list ID to be used is #123, and the access list name IPV4-ACL-EX is added.
- Generate and confirm access list #123.
Yamaha(config)#access-list 123 permit any 192.168.1.0 0.0.0.255 host 10.1.1.1 ... (Generate access list)
Yamaha(config)#access-list 123 deny any any any
Yamaha(config)#access-list 123 description IPV4-ACL-EX ... (Assign name to access list)
Yamaha(config)#end
Yamaha#
Yamaha#show ip access-list ... (Check ACL)
IPv4 access list 123
    10 permit any 192.168.1.0/24 host 10.1.1.1
    20 deny any any any
Yamaha#
- Apply access list #123 to LAN port #1.
Yamaha(config)#interface port1.1
Yamaha(config-if)#access-group 123 in ... (Apply access list)
Yamaha(config-if)#end
Yamaha#
Yamaha#show access-group ... (Check access list setting)
Interface port1.1 : IPv4 access group 123 in
5.1.2 Example of application to the VLAN interface
■ Specify host
In this example, we will set VLAN #1000 to permit access from host:192.168.1.1 to host:10.1.1.1.
We will use access list ID #123.
The VLAN access map to be used will be VAM-002, and access list #123 will be set.
- Generate and confirm access list #123.
Yamaha(config)#access-list 123 permit any host 192.168.1.1 host 10.1.1.1 ... (Generate access list)
Yamaha(config)#access-list 123 deny any any any
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 123 ... (Check access list)
IPv4 access list 123
    10 permit any host 192.168.1.1 host 10.1.1.1
    20 deny any any any
- Generate VLAN access map VAM-002, and set access list #123.
Yamaha(config)#vlan access-map VAM-002 ... (Generate VLAN access map)
Yamaha(config-vlan-access-map)#match access-list 123 ... (Register access list)
Yamaha(config-vlan-access-map)#end
Yamaha#
Yamaha#show vlan access-map ... (Check VLAN access map and access list settings)
Vlan access-map VAM-002
    match ipv4 access-list 123
- Apply VLAN access map VAM-002 to VLAN #1000, and confirm the status.
Yamaha(config)#vlan filter VAM-002 1000 ... (Apply VLAN access map to VLAN)
Yamaha(config)#end
Yamaha#
Yamaha#show vlan filter ... (Check VLAN access map settings)
Vlan filter VAM-002 is applied to vlan 1000
■ Specify network
In this example, we will set VLAN #1000 to permit access from network:192.168.1.0/24 to host:10.1.1.1.
We will use access list ID #123.
The VLAN access map to be used will be VAM-002, and access list #123 will be set.
- Generate and confirm access list #123.
Yamaha(config)#access-list 123 permit any 192.168.1.0 0.0.0.255 host 10.1.1.1 ... (Generate access list)
Yamaha(config)#access-list 123 deny any any any
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 123 ... (Check access list)
IPv4 access list 123
    10 permit any 192.168.1.0/24 host 10.1.1.1
    20 deny any any any
- Generate VLAN access map VAM-002, and set access list #123.
Yamaha(config)#vlan access-map VAM-002 ... (Generate VLAN access map)
Yamaha(config-vlan-access-map)#match access-list 123 ... (Register access list)
Yamaha(config-vlan-access-map)#end
Yamaha#
Yamaha#show vlan access-map ... (Check VLAN access map and access list settings)
Vlan access-map VAM-002
    match ipv4 access-list 123
- Apply VLAN access map VAM-002 to VLAN #1000, and confirm the status.
Yamaha(config)#vlan filter VAM-002 1000 ... (Apply VLAN access map to VLAN)
Yamaha(config)#end
Yamaha#
Yamaha#show vlan filter ... (Check VLAN access map settings)
Vlan filter VAM-002 is applied to vlan 1000
5.2 IPv6 access list settings
5.2.1 Example of application to a LAN port
■ Specify host
In this example, we will set LAN port #1 to receive frames only from host:2001:db8::1.
The access list ID to be used is #3001, and the access list name is IPV6-ACL-EX.
- Generate and confirm access list #3001.
Yamaha(config)#access-list 3001 permit 2001:db8::1/128 ... (Generate access list)
Yamaha(config)#access-list 3001 deny any
Yamaha(config)#access-list 3001 description IPV6-ACL-EX ... (Assign name to access list)
Yamaha(config)#end
Yamaha# show access-list 3001 ... (Check access list)
IPv6 access list 3001
    10 permit 2001:db8::1/128
    20 deny any
- Apply access list #3001 to LAN port #1.
Yamaha(config)#interface port1.1
Yamaha(config-if)#access-group 3001 in ... (Apply access list)
Yamaha(config-if)#end
Yamaha#
Yamaha#show access-group ... (Check access list setting)
Interface port1.1 : IPv6 access group 3001 in
■ Specify network
In this example, we will set LAN port #1 to receive frames only from network:2001:db8::/64.
The access list ID to be used is #3001, and the access list name is IPV6-ACL-EX.
- Generate and confirm access list #3001.
Yamaha(config)#access-list 3001 permit 2001:db8::/64 ... (Generate access list)
Yamaha(config)#access-list 3001 deny any
Yamaha(config)#access-list 3001 description IPV6-ACL-EX ... (Assign name to access list)
Yamaha(config)#end
Yamaha# show access-list 3001 ... (Check access list)
IPv6 access list 3001
    10 permit 2001:db8::/64
    20 deny any
- Apply access list #3001 to LAN port #1.
Yamaha(config)#interface port1.1
Yamaha(config-if)#access-group 3001 in ... (Apply access list)
Yamaha(config-if)#end
Yamaha#
Yamaha#show access-group ... (Check access list setting)
Interface port1.1 : IPv6 access group 3001 in
5.2.2 Example of application to the VLAN interface
■ Specify host
In this example, we will set VLAN #1000 to receive frames only from host:2001:db8::1.
We will use access list ID #3001.
The VLAN access map to be used will be VAM-001, and access list #3001 will be set.
- Generate and confirm access list #3001.
Yamaha(config)#access-list 3001 permit 2001:db8::1/128 ... (Generate access list)
Yamaha(config)#access-list 3001 deny any
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 3001 ... (Check access list)
IPv6 access list 3001
    10 permit 2001:db8::1/128
    20 deny any
- Generate VLAN access map VAM-001, and set access list #3001.
Yamaha(config)#vlan access-map VAM-001 ... (Generate VLAN access map)
Yamaha(config-vlan-access-map)#match access-list 3001 ... (Set access list)
Yamaha(config-vlan-access-map)#end
Yamaha#
Yamaha#show vlan access-map ... (Check VLAN access map and access list settings)
Vlan access-map VAM-001
    match ipv6 access-list 3001
- Apply VLAN access map VAM-001 to VLAN #1000, and confirm the status.
Yamaha(config)#vlan filter VAM-001 1000 ... (Apply VLAN access map to VLAN)
Yamaha(config)#end
Yamaha#
Yamaha#show vlan filter ... (Check VLAN access map settings)
Vlan filter VAM-001 is applied to vlan 1000
■ Specify network
In this example, we will set VLAN #1000 to receive frames only from network:2001:db8::/64.
We will use access list ID #3001.
The VLAN access map to be used will be VAM-001, and access list #3001 will be set.
- Generate and confirm access list #3001.
Yamaha(config)#access-list 3001 permit 2001:db8::/64 ... (Generate access list)
Yamaha(config)#access-list 3001 deny any
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 3001 ... (Check access list)
IPv6 access list 3001
    10 permit 2001:db8::/64
    20 deny any
- Generate VLAN access map VAM-001, and set access list #3001.
Yamaha(config)#vlan access-map VAM-001 ... (Generate VLAN access map)
Yamaha(config-vlan-access-map)#match access-list 3001 ... (Set access list)
Yamaha(config-vlan-access-map)#end
Yamaha#
Yamaha#show vlan access-map ... (Check VLAN access map and access list settings)
Vlan access-map VAM-001
    match ipv6 access-list 3001
- Apply VLAN access map VAM-001 to VLAN #1000, and confirm the status.
Yamaha(config)#vlan filter VAM-001 1000 ... (Apply VLAN access map to VLAN)
Yamaha(config)#end
Yamaha#
Yamaha#show vlan filter ... (Check VLAN access map settings)
Vlan filter VAM-001 is applied to vlan 1000
5.3 MAC access list settings
5.3.1 Example of application to a LAN port
■ Specify host
In this example, we will set LAN port #1 to discard all frames from host:00-A0-DE-12-34-56, and permit all other frames.
The access list ID to be used is #2001, and the access list name MAC-ACL-EX is added.
- Generate and confirm access list #2001.
Yamaha(config)#access-list 2001 deny host 00a0.de12.3456 any ... (Generate access list)
Yamaha(config)#access-list 2001 description MAC-ACL-EX ... (Set name for access list)
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 2001 ... (Check access list)
MAC access list 2001
    10 deny host 00A0.DE12.3456 any
- Apply access list #2001 to LAN port #1.
Yamaha(config)#interface port1.1
Yamaha(config-if)#access-group 2001 in ... (Apply access list)
Yamaha(config-if)#end
Yamaha#
Yamaha#show access-group ... (Check access list setting)
Interface port1.1 : MAC access group 2001 in
■ Specify vendor
In this example, we will set LAN port #1 to discard all frames from vendor code:00-A0-DE-*-*-* (00-A0-DE-00-00-00 – 00-A0-DE-FF-FF-FF), and permit all other frames.
The access list ID to be used is #2001, and the access list name MAC-ACL-EX is added.
- Generate and confirm access list #2001.
Yamaha(config)#access-list 2001 deny 00a0.de00.0000 0000.00ff.ffff any ... (Generate access list)
Yamaha(config)#access-list 2001 description MAC-ACL-EX ... (Set name for access list)
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 2001 ... (Check access list)
MAC access list 2001
    10 deny 00A0.DE00.0000 0000.00FF.FFFF any
- Apply access list #2001 to LAN port #1.
Yamaha(config)#interface port1.1
Yamaha(config-if)#access-group 2001 in ... (Apply access list)
Yamaha(config-if)#end
Yamaha#
Yamaha#show access-group ... (Check access list setting)
Interface port1.1 : MAC access group 2001 in
5.3.2 Example of application to the VLAN interface
■ Specify host
In this example, we will set VLAN #1000 to discard all frames from host:00-A0-DE-12-34-56, and permit all other frames.
We will use access list ID #2001. The access list name will be MAC-ACL-EX.
The VLAN access map to be used will be VAM-003, and access list #2001 will be set.
- Generate and confirm access list #2001.
Yamaha(config)#access-list 2001 deny host 00a0.de12.3456 any ... (Generate access list #2001)
Yamaha(config)#access-list 2001 description MAC-ACL-EX ... (Set name for access list)
Yamaha(config)#end
Yamaha#
Yamaha#show access-list ... (Check access list)
MAC access list 2001
    10 deny host 00A0.DE12.3456 any
- Generate VLAN access map VAM-003, and set access list #2001.
Yamaha(config)# vlan access-map VAM-003 ... (Generate VLAN access map)
Yamaha(config-vlan-access-map)# match access-list 2001 ... (Register access list)
Yamaha(config-vlan-access-map)# end
Yamaha#
Yamaha#show vlan access-map ... (Check VLAN access map and access list settings)
Vlan access-map VAM-003
    match mac access-list 2001
- Apply VLAN access map VAM-003 to VLAN #1000, and confirm the status.
Yamaha(config)#vlan filter VAM-003 1000 ... (Apply VLAN access map to VLAN)
Yamaha(config)#end
Yamaha#
Yamaha#show vlan filter ... (Check VLAN access map settings)
Vlan filter VAM-003 is applied to vlan 1000
■ Specify vendor
In this example, we will set VLAN #1000 to discard all frames from vendor code:00-A0-DE-*-*-* (00-A0-DE-00-00-00 – 00-A0-DE-FF-FF-FF), and permit all other frames.
We will use access list ID #2001. The access list name will be MAC-ACL-EX.
The VLAN access map to be used will be VAM-003, and access list #2001 will be set.
- Generate and confirm access list #2001.
Yamaha(config)#access-list 2001 deny 00a0.de00.0000 0000.00ff.ffff any ... (Generate access list #2001)
Yamaha(config)#access-list 2001 description MAC-ACL-EX ... (Set name for access list)
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 2001 ... (Check access list)
MAC access list 2001
    10 deny 00A0.DE00.0000 0000.00FF.FFFF any
- Generate VLAN access map VAM-003, and set access list #2001.
Yamaha(config)# vlan access-map VAM-003 ... (Generate VLAN access map)
Yamaha(config-vlan-access-map)# match access-list 2001 ... (Register access list)
Yamaha(config-vlan-access-map)# end
Yamaha#
Yamaha#show vlan access-map ... (Check VLAN access map and access list settings)
Vlan access-map VAM-003
    match mac access-list 2001
- Apply VLAN access map VAM-003 to VLAN #1000, and confirm the status.
Yamaha(config)#vlan filter VAM-003 1000 ... (Apply VLAN access map to VLAN)
Yamaha(config)#end
Yamaha#
Yamaha#show vlan filter ... (Check VLAN access map settings)
Vlan filter VAM-003 is applied to vlan 1000
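How the host and vendor entries in 5.3.1 and 5.3.2 select frames, as an added example (not code from this manual or from Yamaha). It parses the entry text shown above and evaluates source/destination MACs against it; function names are this example's own. Assumptions: entries are checked in sequence-number order with the first match deciding, and a frame that matches no entry is permitted, which is the outcome the MAC examples above describe.

```python
import re

FULL = 0xFFFFFFFFFFFF  # all 48 bits set


def parse_mac(text):
    """Accept 00a0.de12.3456, 00-A0-DE-12-34-56 or 00:a0:de:12:34:56."""
    digits = re.sub(r"[.\-:]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def parse_operand(tokens):
    """Consume 'any', 'host MAC' or 'MAC WILDCARD'; return (address, wildcard)."""
    head = tokens.pop(0)
    if head == "any":
        return 0, FULL                       # every bit is "don't care"
    if head == "host":
        return parse_mac(tokens.pop(0)), 0   # every bit must match
    return parse_mac(head), parse_mac(tokens.pop(0))


def parse_entry(line):
    """Parse the part after 'access-list <id>', e.g. 'deny host 00a0.de12.3456 any'."""
    tokens = line.split()
    try:
        action = tokens.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action: {action!r}")
        src = parse_operand(tokens)
        dst = parse_operand(tokens)
    except IndexError:
        raise ValueError(f"incomplete entry: {line!r}") from None
    if tokens:
        raise ValueError(f"unexpected trailing tokens: {tokens}")
    return action, src, dst


def operand_matches(mac, operand):
    """Bits set in the wildcard are ignored; all other bits must be equal."""
    address, wildcard = operand
    care = ~wildcard & FULL
    return (mac & care) == (address & care)


def addresses_covered(operand):
    """Number of distinct MAC addresses one operand matches."""
    return 1 << bin(operand[1] & FULL).count("1")


def evaluate(entries, src_mac, dst_mac, no_match="permit"):
    """First matching entry decides. no_match is an assumption (see lead-in)."""
    src, dst = parse_mac(src_mac), parse_mac(dst_mac)
    for action, src_op, dst_op in entries:
        if operand_matches(src, src_op) and operand_matches(dst, dst_op):
            return action
    return no_match


# The two entries from the examples above.
HOST_ACL = [parse_entry("deny host 00a0.de12.3456 any")]
VENDOR_ACL = [parse_entry("deny 00a0.de00.0000 0000.00ff.ffff any")]

if __name__ == "__main__":
    dst = "ffff.ffff.ffff"  # constructed destination
    for src in ("00-A0-DE-12-34-56", "00-A0-DE-FF-FF-FF", "00-A0-DF-00-00-00"):
        print(src, "host ACL:", evaluate(HOST_ACL, src, dst),
              "| vendor ACL:", evaluate(VENDOR_ACL, src, dst))
    print("vendor entry covers", addresses_covered(VENDOR_ACL[0][1]), "source addresses")
```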
6 Points of Caution
- LAN/SFP ports for which an access list is configured for received frames cannot belong to a logical interface.
- Access list settings for received frames on an interface cannot be applied to a LAN/SFP port that belongs to a logical interface. If access list settings exist for the received frame of a LAN/SFP port that belongs to a logical interface in startup config, the settings for the most recent port number will be applied to the logical interface.
- Conditions might not be determined correctly for fragment packets. Specifically, if layer 4 information (source port number, destination port number, and various TCP flags) is included in the conditions, correct information cannot be determined because the information is not included in the second and subsequent fragment packets. If there is a possibility of processing fragment packets, do not include layer 4 information in the conditions.
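Why the fragment caution above holds, as an added example (not code from this manual): it builds one TCP segment, splits it into two IPv4 fragments, and reports which fields a per-packet classifier can read from each. Addresses, ports and helper names are constructed for the illustration, and the IP header checksum is left at zero.

```python
import struct

IP_FMT = "!BBHHHBBH4s4s"           # fixed 20-byte IPv4 header, no options
SRC, DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])  # documentation ranges


def ipv4_header(payload_len, proto, offset_bytes, more_fragments, ident=0x1234):
    """Build an IPv4 header; fragment offset is stored in 8-byte units."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_bytes // 8)
    return struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, ident,
                       flags_frag, 64, proto, 0, SRC, DST)


def tcp_segment(sport, dport, payload):
    """Minimal 20-byte TCP header (PSH+ACK, checksum not computed) plus payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                       65535, 0, 0) + payload


def fragment(proto, l4_segment, first_size):
    """Split one layer 4 segment into two IPv4 fragments."""
    if first_size % 8:
        raise ValueError("fragment boundaries must be multiples of 8 bytes")
    first, rest = l4_segment[:first_size], l4_segment[first_size:]
    return [ipv4_header(len(first), proto, 0, True) + first,
            ipv4_header(len(rest), proto, first_size, False) + rest]


def visible_fields(packet):
    """Fields that can be read from this packet alone, without reassembly."""
    ver_ihl, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack(
        IP_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_frag & 0x1FFF) * 8
    more = bool(flags_frag & 0x2000)
    fields = {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "proto": proto,
        "fragment": more or offset > 0,
        "ports": None,
    }
    # The TCP/UDP header travels only in the fragment with offset 0.
    if offset == 0 and proto in (6, 17) and len(packet) >= ihl + 4:
        fields["ports"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return fields


def naive_ports(packet):
    """What a parser gets if it ignores the fragment offset: payload bytes."""
    ihl = (packet[0] & 0x0F) * 4
    return struct.unpack("!HH", packet[ihl:ihl + 4])


if __name__ == "__main__":
    segment = tcp_segment(49152, 443, b"x" * 40)     # constructed sample
    for i, frag in enumerate(fragment(6, segment, 24), 1):
        print(f"fragment {i}:", visible_fields(frag))
```

The layer 3 fields (addresses and protocol) are identical in both fragments, so conditions limited to them are evaluated the same way for every fragment.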
7 Related Documentation
- L2 switching functions: VLAN
QoS
1 Function Overview
QoS (Quality of Service) is a technology for reserving a specified bandwidth for communications over a network, guaranteeing a fixed speed of communication.
Application data is classified and grouped, and then forwarded by group priority level, referring to the DSCP in the IP header or the CoS in the IEEE802.1Q tag.
2 Definition of Terms Used
- CoS (IEEE 802.1p Class of Service)
This expresses priority as a 3-bit field in the VLAN tag header, with a value from 0–7.
Also called 802.1p user priority.
- IP Precedence
This expresses priority as a 3-bit field in the TOS field of the IP header, with a value from 0–7.
Used to indicate the traffic class of the frame in question, for the device that receives the frame.
- DSCP (Diffserv Code Point)
This expresses priority as a 6-bit field in the TOS field of the IP header, with a value from 0–63.
Since DSCP uses the same TOS field as IP precedence, it is compatible with IP-Precedence.
Used to indicate the traffic class of the frame in question, for the device that receives the frame.
- Default CoS
This is the CoS value that is assigned to an untagged frame for the purpose of internal processing.
- Transmission queue
This product has eight transmission queues per port. The transmission queues are numbered from ID 0–7, with larger ID numbers being given higher priority.
- Trust mode
This indicates what will be the basis for deciding (trusting) the transmission queue ID.
The CoS value or DSCP value of the incoming frames can be used to differentiate them, or a priority order specified for each reception port can be applied.
Settings can be configured for each LAN/SFP port and logical interface. Note that the settings for LAN/SFP ports that belong to a logical interface cannot be changed.
The default status (when QoS is enabled) is set to "CoS".
- Transmission queue ID conversion table
This is a conversion table used when deciding on the transmission queue ID from either the CoS value or the DSCP value.
There are two kinds of transmission queue ID conversion tables, the CoS-transmission queue ID conversion table and the DSCP-transmission queue ID conversion table. Each kind is used with its own trust mode.
Mapping can be freely changed by the user.
- Port priority
This is the priority order assigned for each reception port. If the trust mode is "port priority," frames received at that port are placed in the transmission queue according to the port's priority setting.
- Class map
This defines the conditions by which packets are classified into traffic classes.
Packets can be associated and used with policy maps, and QoS processing (pre-marking, transmission queue specification, metering/policing/remarking) per traffic class can be defined.
- Policy map
This is an element for performing a QoS processing series on the reception port. This cannot be used by itself, but rather is associated and used with 1–8 class maps.
When a policy map is applied to a LAN/SFP port and logical interface, traffic is classified per class map that is associated with the policy map for the packets received on the relevant port.
Also, QoS processing (pre-marking, transmission queue specification, metering/policing/remarking) set per traffic class can be performed.
- Policer
This is a set of metering/policing/remarking settings that are handled together.
There are two types of policers, an individual policer for metering that targets one traffic class, and a group policer that meters multiple traffic classes by putting them together.
3 Function Details
3.1 Enabling or disabling QoS control
When shipped from the factory, QoS control on this product is disabled.
To enable QoS control, use the qos enable command. To disable it, use the no qos command.
Most QoS control commands cannot be executed if QoS is not enabled.
The QoS function status can be checked using the show qos command.
In order to enable QoS control, the system's flow control must be disabled.
3.2 QoS processing flow
The QoS processing flow is shown below.
3.3 Transmission queue assignments
When this product receives a frame, it determines the initial value of the transmission queue ID according to the CoS value or DSCP value within the frame and the port priority of the reception port.
Of the factors such as the frame's CoS value and DSCP value, and the port's priority order, the port's trust mode determines which factor will be the basis for determining the transmission queue.
The trust mode can be changed by the qos trust command. The default value (when QoS is enabled) is set to CoS.
The transmission queue is assigned per trust mode, using the following rules.
When trust mode is "CoS"
- When the received frame is a frame with a VLAN tag, the CoS value within the tag is used to determine the transmission queue ID.
- When the received frame is a frame without a VLAN tag, the default CoS that is managed by this product is used to determine the transmission queue ID.
With the default setting (when QoS is enabled), the default CoS is set to "0". This can be changed using the qos cos command.
- Conversion from the CoS value to the transmission queue ID is performed by the CoS-transmission queue ID conversion table.
One such table is maintained by the system, and with the default settings (when QoS is enabled), the settings are as follows. The setting can be changed using the qos cos-queue command.
CoS value | Transmission queue ID | Traffic Type |
---|---|---|
0 | 2 | Best Effort |
1 | 0 | Background |
2 | 1 | Standard(spare) |
3 | 3 | Excellent Effort(Business Critical) |
4 | 4 | Controlled Load(Streaming Multimedia) |
5 | 5 | Video(Interactive Media) less than 100 msec latency and jitter |
6 | 6 | Voice(Interactive Media) less than 10 msec latency and jitter |
7 | 7 | Network Control(Reserved Traffic) |
When trust mode is "DSCP"
- The DSCP in the IP header is used to determine the transmission queue ID.
- Conversion from the DSCP value to the transmission queue ID is performed by the DSCP-transmission queue ID conversion table.
One such table is maintained by the system, and with the default settings (when QoS is enabled), the settings are as follows. The setting can be changed using the qos dscp-queue command.
DSCP value | Transmission queue ID | Traffic Type |
---|---|---|
0 - 7 | 2 | Best Effort |
8 - 15 | 0 | Background |
16 - 23 | 1 | Standard(spare) |
24 - 31 | 3 | Excellent Effort(Business Critical) |
32 - 39 | 4 | Controlled Load(Streaming Multimedia) |
40 - 47 | 5 | Video(Interactive Media) less than 100 msec latency and jitter |
48 - 55 | 6 | Voice(Interactive Media) less than 10 msec latency and jitter |
56 - 63 | 7 | Network Control(Reserved Traffic) |
When trust mode is "port priority"
- The transmission queue ID is determined by the port priority.
- By default (when QoS is enabled), port priority is set to 2. The setting can be changed using the qos port-priority-queue command.
If the trust mode is "CoS" or "DSCP," the transmission queue ID might be reassigned due to QoS processing (see below) by the policy map.
In this case, the new transmission queue ID is reassigned based on the transmission queue ID conversion table that corresponds to the port's trust mode.
- Pre-marking
- Refer to "Pre-marking" for details.
- Specify transmission queue
- When the trust mode is "CoS", specify the CoS value that corresponds to the transmission queue ID, using the set cos-queue command.
- When the trust mode is "DSCP", specify the DSCP value that corresponds to the transmission queue ID, using the set dscp-queue command.
- Remarking
- Refer to Metering/policing/remarking for details.
If the trust mode is "port priority," the transmission queue ID cannot be changed by the policy map's QoS processing. (It is not possible to apply a policy map that includes premarking, transmission queue specification, and remarking settings.)
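The initial queue assignment described in this section, as an added example (not code from this manual or from Yamaha): it parses a raw Ethernet frame and applies the default conversion tables under each trust mode, showing which sender-set header field, if any, selects the queue. The mode strings, function names and sample frames are this example's own; the result for a non-IP frame in DSCP mode is returned as None because the page does not state it.

```python
import struct

# Default conversion tables from the page (index = CoS value / DSCP value).
DEFAULT_COS_QUEUE = (2, 0, 1, 3, 4, 5, 6, 7)
DEFAULT_DSCP_QUEUE = tuple(DEFAULT_COS_QUEUE[d >> 3] for d in range(64))


def parse_priority_fields(frame):
    """Return (cos, dscp) read from a raw Ethernet frame; None where absent."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, cos, dscp = 14, None, None
    if ethertype == 0x8100:                       # IEEE 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        cos, offset = tci >> 13, 18               # CoS = top 3 bits of the TCI
    if ethertype == 0x0800 and len(frame) >= offset + 2:
        dscp = frame[offset + 1] >> 2             # IPv4: upper 6 bits of TOS
    elif ethertype == 0x86DD and len(frame) >= offset + 2:
        (word,) = struct.unpack("!H", frame[offset:offset + 2])
        dscp = ((word >> 4) & 0xFF) >> 2          # IPv6: upper 6 bits of traffic class
    return cos, dscp


def assign_queue(frame, trust="cos", default_cos=0, port_priority=2,
                 cos_queue=DEFAULT_COS_QUEUE, dscp_queue=DEFAULT_DSCP_QUEUE):
    """Initial transmission queue ID for a received frame."""
    cos, dscp = parse_priority_fields(frame)
    if trust == "cos":
        # Untagged frames use the default CoS managed by the switch.
        return cos_queue[default_cos if cos is None else cos]
    if trust == "dscp":
        return None if dscp is None else dscp_queue[dscp]
    if trust == "port-priority":
        return port_priority                      # frame contents are ignored
    raise ValueError(f"unknown trust mode: {trust!r}")


def build_frame(cos=None, dscp=0, ipv6=False):
    """Constructed sample frame: optional VLAN tag (VLAN 1000) plus an IP header stub."""
    header = bytes.fromhex("00a0de000001") + bytes.fromhex("00a0de000002")
    if cos is not None:
        header += struct.pack("!HH", 0x8100, (cos << 13) | 1000)
    if ipv6:
        l3 = struct.pack("!H", (6 << 12) | (dscp << 2 << 4)) + bytes(38)
        return header + struct.pack("!H", 0x86DD) + l3
    return header + struct.pack("!H", 0x0800) + bytes([0x45, dscp << 2]) + bytes(18)


if __name__ == "__main__":
    frame = build_frame(cos=7, dscp=56)           # sender marks both fields highest
    for mode in ("cos", "dscp", "port-priority"):
        print(f"trust {mode:13s} -> queue {assign_queue(frame, mode)}")
```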
3.4 Transmission queue assignments (frames sent from the switch itself)
As an exception to the transmission queue assignments, frames sent from the switch itself (CPU) are automatically assigned the transmission queue determined by the system. (They are not given transmission queue assignments based on the trust mode.)
The qos queue sent-from-cpu command can be used to change the transmission queue that is assigned, and by default the transmission queue ID is set to 7.
3.5 Traffic classification
Traffic classification is a function to classify received frames, based on a class map that defines the conditions of the IP header, TCP header, and so on.
The conditions that can be classified and the commands for settings are shown in the table below.
- Conditions that can be classified, and commands for settings
Classification condition | Condition-setting command | Class map setting mode | Number that can be registered per class map |
---|---|---|---|
Source/destination MAC address | access-list (*Note 3) | match access-list | 1 |
Source/destination IP address | access-list (*Note 3) | match access-list | 1 |
IP protocol type (*Note 1) | access-list (*Note 3) | match access-list | 1 |
Ethernet frame type number | | match ethertype | 1 |
CoS value for VLAN tag header | | match cos | 8 |
Precedence value for IP header | | match ip-precedence | 8 |
DSCP value for IP header | | match ip-dscp | 8 |
VLAN ID (*Note 2) | | match vlan, match vlan-range | 30 |

*1: IPv6 is not subject to classification by IP protocol type.
*2: Does not include isolated or community VLANs in a private VLAN.
*3: Up to 39 conditions can be set in the access list for traffic classification.
- Traffic is classified per class map.
- One classification condition type can be set for one class map. Policer-based QoS processing (metering/policing/remarking) and pre-marking, as well as specifying the transmission queue can be done for frames that match the conditions.
- If classification conditions are not specified, all frames are classified into the corresponding traffic class.
- For classification based on CoS, IP precedence, DSCP, and the VLAN ID, multiple classifications can be made for one class map.
- Associating multiple class maps to a policy map will make it possible to classify complex traffic for the receiving port. Up to eight class maps can be associated to one policy map.
- Information for the class map that was set can be confirmed using the show class-map command.
- Information for the policy map that was set can be confirmed using the show policy-map command.
- Use the show qos map-status command to check the port to which the policy map is applied, and the policy map to which the class map is associated.
3.6 Pre-marking
Pre-marking is a function to change (assign) the CoS, IP precedence, and DSCP values for received frames classified into traffic classes.
Pre-marking is set using the policy map and class mode settings shown below.
- Pre-marking setting commands
Pre-marking target | Command for settings |
---|---|
CoS | set cos |
IP Precedence | set ip-precedence |
DSCP | set ip-dscp |

- The DSCP values that can be pre-marked are the values recommended in the RFCs plus up to four values not found in the RFCs. (This rule also applies to DSCP values that are used in remarking.)
- Only one pre-marking setting can be made for a class map. This cannot be used together when specifying a transmission queue (set cos-queue, set ip-dscp-queue).
- When pre-marking, the transmission queue will be reassigned based on the changed value and the transmission queue ID conversion table that corresponds to the trust mode.
3.7 Metering/policing/remarking
Bandwidth can be controlled by measuring the bandwidth used, and discarding or reprioritizing packets according to the measurement results.
The processing series for metering, policing and remarking is done per "policer".
- Processing summary for bandwidth control
Process name | Summary |
---|---|
Metering | This measures how much bandwidth is being taken up by the classified traffic based on the traffic rate and burst size, and classifies this into three bandwidth classes (green, yellow and red). Actions such as discarding (policing) and remarking can be specified for each classified bandwidth class. |
Policing | The bandwidth usage can be kept within a certain amount by discarding frames, using bandwidth class information. |
Remarking | The CoS, IP precedence and DSCP value for a frame can be changed using the bandwidth class information. |
3.7.1 Policer types
There are two types of policers: an individual policer that performs metering/policing/remarking on one traffic class, and an aggregate policer that performs these actions on multiple aggregated traffic classes.
- Individual policer
Metering/policing/remarking is done per traffic class.
To make settings, use the policy map/class mode's police command and remark-map command.
- Aggregate policer
Metering/policing/remarking is done on multiple traffic classes, which are aggregated.
The aggregate policer can be created using the aggregate-police command, and the content can be specified by the aggregate policer mode's police command and remark-map command.
To apply a created aggregate policer to a traffic class, use the police-aggregate command.
- The commands used to make settings for an individual policer and an aggregate policer respectively are as follows.
Content of setting | Individual policer | Aggregate policer |
---|---|---|
Create policer | - | aggregate-police |
Set policer (metering/policing/remarking) | police single-rate, police twin-rate (policy map / class mode) | police single-rate, police twin-rate (aggregate policer mode) |
Apply policer to traffic class | | police-aggregate |
Detailed remarking settings | remark-map (policy map / class mode) | remark-map (aggregate policer mode) |
3.7.2 Metering settings
There are two types of metering: single rate policy (RFC2697) and twin rate policy (RFC2698).
The type of metering to use and the control parameters are specified using the police command (policy map/class mode or aggregate policer mode).
- Single rate policers (RFC2697)
Single rate policers separate the frames within a traffic class into three bandwidth classes: "green" (conforming), "yellow" (exceeding) or "red" (violating), based on the traffic rate (CIR) and burst size (CBS, EBS).
- Single rate policer control parameters
Parameter | Explanation |
---|---|
CIR (Committed Information Rate) | This is the amount of tokens that is periodically stored in buckets. The amount can be specified in the range of 1–102,300,000 kbps. |
CBS (Committed Burst Size) | This is the amount of traffic that can be removed at one time from the first token bucket (a conforming token bucket). The amount can be specified in the range of 11–2,097,120 kByte. |
EBS (Exceed Burst Size) | This is the amount of traffic that can be removed at one time from the second token bucket (an exceeding token bucket). The amount can be specified in the range of 11–2,097,120 kByte. |
- Twin rate policer (RFC2698)
Twin rate policers separate the frames within a traffic class into three bandwidth classes: "green" (conforming), "yellow" (exceeding) or "red" (violating), based on the traffic rate (CIR) and burst size (CBS, EBS).
- Twin rate policer control parameters
Parameter | Explanation |
---|---|
CIR (Committed Information Rate) | This is the amount of tokens periodically stored in the second token bucket (conforming token bucket). The amount can be specified in the range of 1–102,300,000 kbps. |
PIR (Peak Information Rate) | This is the amount of tokens periodically stored in the first token bucket (peak token bucket). The amount can be specified in the range of 1–102,300,000 kbps. However, a value smaller than the CIR cannot be specified. |
CBS (Committed Burst Size) | This is the amount of token traffic that can be removed at one time from the conforming token bucket. The amount can be specified in the range of 11–2,097,120 kByte. |
PBS (Peak Burst Size) | This is the amount of token traffic that can be removed at one time from the peak token bucket. The amount can be specified in the range of 11–2,097,120 kByte. |
3.7.3 Metering action (policing/remarking) settings
To specify the action for a bandwidth class that was categorized by metering, use the police command (in policy map/class mode or aggregate policer mode).
This product lets you define the following actions for each bandwidth class.
- Specifying bandwidth class actions
Bandwidth class | Forward | Discard | Remark |
---|---|---|---|
Green | ○ | × | × |
Yellow | ○ | ○ | ○ (only one or the other) |
Red | × | ○ | |

- To make detailed settings for remarking, use the remark-map command (policy map/class mode or aggregate policer mode).
As with pre-marking, remarking to DSCP values can use the values recommended by the RFCs (refer to separate table 1, "Standard PHB (RFC recommended value)") and up to four others in addition.
When remarking, the transmission queue will be reassigned based on the changed value and the transmission queue ID conversion table that corresponds to the trust mode.
- If metering is not done, all frames that have been classified into traffic classes will be handled as the green bandwidth class.
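The two metering types and the per-class actions above, as an added example (not code from this manual or from Yamaha): colour-blind implementations of the RFC 2697 and RFC 2698 markers using the page's parameter names and ranges. Assumptions: 1 kByte is taken as 1000 bytes, the meters run colour-blind, and class, function and argument names are this example's own.

```python
class Bucket:
    """Token bucket counted in bytes; time is in integer microseconds."""

    def __init__(self, rate_kbps, burst_kbyte):
        self.rate = rate_kbps * 125        # bytes per second (1 kbps = 125 B/s)
        self.size = burst_kbyte * 1000     # assumption: 1 kByte = 1000 bytes
        self.tokens = self.size            # buckets start full (RFC 2697/2698)
        self.carry = 0                     # sub-byte remainder, byte-microseconds

    def add(self, elapsed_us):
        """Accrue tokens for elapsed_us; return the tokens that overflowed."""
        whole, self.carry = divmod(self.rate * elapsed_us + self.carry, 1_000_000)
        self.tokens += whole
        overflow = max(0, self.tokens - self.size)
        self.tokens -= overflow
        return overflow

    def take(self, nbytes):
        if self.tokens < nbytes:
            return False
        self.tokens -= nbytes
        return True


def check(name, value, low, high):
    if not low <= value <= high:
        raise ValueError(f"{name} must be in {low}..{high}, got {value}")


class SingleRateMeter:
    """RFC 2697: CIR fills the conforming bucket, its overflow fills the exceeding one."""

    def __init__(self, cir_kbps, cbs_kbyte, ebs_kbyte):
        check("CIR", cir_kbps, 1, 102_300_000)
        check("CBS", cbs_kbyte, 11, 2_097_120)
        check("EBS", ebs_kbyte, 11, 2_097_120)
        self.conform = Bucket(cir_kbps, cbs_kbyte)
        self.exceed = Bucket(0, ebs_kbyte)
        self.last_us = 0

    def color(self, now_us, nbytes):
        overflow = self.conform.add(now_us - self.last_us)
        self.exceed.tokens = min(self.exceed.size, self.exceed.tokens + overflow)
        self.last_us = now_us
        if self.conform.take(nbytes):
            return "green"
        return "yellow" if self.exceed.take(nbytes) else "red"


class TwinRateMeter:
    """RFC 2698: PIR fills the peak bucket, CIR fills the conforming bucket."""

    def __init__(self, cir_kbps, cbs_kbyte, pir_kbps, pbs_kbyte):
        check("CIR", cir_kbps, 1, 102_300_000)
        check("PIR", pir_kbps, cir_kbps, 102_300_000)   # PIR below CIR is rejected
        check("CBS", cbs_kbyte, 11, 2_097_120)
        check("PBS", pbs_kbyte, 11, 2_097_120)
        self.conform = Bucket(cir_kbps, cbs_kbyte)
        self.peak = Bucket(pir_kbps, pbs_kbyte)
        self.last_us = 0

    def color(self, now_us, nbytes):
        elapsed, self.last_us = now_us - self.last_us, now_us
        self.conform.add(elapsed)
        self.peak.add(elapsed)
        if not self.peak.take(nbytes):
            return "red"
        return "green" if self.conform.take(nbytes) else "yellow"


def policer_action(color, yellow_action="forward"):
    """Action table from the page: only the yellow class is configurable."""
    if yellow_action not in ("forward", "discard", "remark"):
        raise ValueError("yellow action must be forward, discard or remark")
    return {"green": "forward", "yellow": yellow_action, "red": "discard"}[color]


def run(meter, arrivals):
    """arrivals: list of (time_us, frame_bytes) in time order -> list of colours."""
    return [meter.color(t, size) for t, size in arrivals]


if __name__ == "__main__":
    burst = [(0, 1500)] * 16               # constructed: 16 frames arriving at once
    print(run(SingleRateMeter(8000, 11, 11), burst))
```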
3.8 Storing in the transmission queue
Frames are stored in the transmission queue that is finally determined through a series of QoS processing.
In order to resolve transmission queue congestion, this product provides a system to select and discard frames.
- Tail drop
This product uses the tail drop method to resolve overflow in the transmission queue.
When the threshold value shown below for the bandwidth class that is classified by metering has been exceeded, the frame in question will be discarded.
Frames discarded by tail drop are counted by the frame counter.
Bandwidth class | Tail drop threshold value (%) |
---|---|
Green + Yellow | 100% |
Red | 60% |

- Tail drop is disabled only if flow control is enabled.
It is not possible to change the threshold value.
- The extent of the transmission queue congestion can be checked using the show qos queue-counters command.
- The number of packets discarded by tail drop can be checked using the show interface and show frame-counter commands.
3.9 Scheduling
Scheduling is used to determine what rules are used to send out the frames that are stored in the transmission queue.
Appropriate control of the scheduling along with the system to control congestion will help ensure QoS. (Inappropriate scheduling will result in degradation of QoS.)
This product supports two types of scheduling for the transmission queue, the strict priority system (SP) and the weighted round-robin (WRR) system.
SP and WRR can also be integrated in the interface and used together. (When doing so, SP will be given priority during processing.)
Strict priority system (SP)
The data with the highest priority in the queue will be transmitted first.
While frames are stored in a higher-priority queue, frames are never transmitted from a lower-priority queue.
Weighted round-robin system (WRR)
A weight is set for each queue, and frames are transmitted based on the ratio. A weight of 1–32 can be set.
Frames can also be transmitted from a lower-priority queue, within a specified percentage.
The transmission queue settings are made for the entire system, not for each interface.
Use the qos wrr-weight command to set the weight.
With the default setting (when QoS is enabled), the scheduling setting is "SP" for all queues.
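How SP and WRR combine on one port, as an added example (not code from this manual or from Yamaha), using the weights from the SP+WRR setting example in section 5.2. Assumptions: weights count frames, each WRR round serves the weighted queues from the highest ID down, and queues without a weight are SP; the function names are this example's own.

```python
from collections import Counter

NUM_QUEUES = 8
# Weights from the page's SP+WRR example: queues 7, 6, 5 stay SP.
EXAMPLE_WEIGHTS = {4: 8, 3: 6, 2: 3, 1: 2, 0: 1}


def schedule(backlog, weights, slots):
    """Return the queue ID served in each transmission slot.

    backlog: {queue_id: frames waiting}; weights: {queue_id: WRR weight 1..32}.
    """
    for queue, weight in weights.items():
        if not (0 <= queue < NUM_QUEUES and 1 <= weight <= 32):
            raise ValueError(f"bad queue/weight: {queue}/{weight}")
    pending = {q: backlog.get(q, 0) for q in range(NUM_QUEUES)}
    sp = [q for q in range(NUM_QUEUES - 1, -1, -1) if q not in weights]
    wrr = sorted(weights, reverse=True)
    credit = dict.fromkeys(wrr, 0)
    order = []
    while len(order) < slots:
        # SP queues are checked before every slot, highest ID first.
        queue = next((q for q in sp if pending[q]), None)
        if queue is None:
            ready = [q for q in wrr if pending[q]]
            if not ready:
                break                                # nothing left to send
            if not any(credit[q] for q in ready):
                credit = dict(weights)               # start a new WRR round
            queue = next(q for q in ready if credit[q])
            credit[queue] -= 1
        pending[queue] -= 1
        order.append(queue)
    return order


def shares(order):
    """Percentage of slots each queue received."""
    counts = Counter(order)
    return {q: 100 * n / len(order) for q, n in counts.items()}


if __name__ == "__main__":
    # Constructed backlog: a few frames in the SP queues, plenty in the WRR queues.
    backlog = {7: 3, 6: 3, 5: 3, 4: 100, 3: 100, 2: 100, 1: 100, 0: 100}
    order = schedule(backlog, EXAMPLE_WEIGHTS, 29)
    print("served first (SP):", order[:9])
    print("WRR shares (%):  ", shares(order[9:]))
```

With a sustained backlog in any SP queue, the WRR queues receive no slots at all, which is the behaviour the SP description above states.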
3.10 Shaping
When networks with different bandwidths are connected, frames forwarded from the broadband network to the narrowband network at the same transmission speed might not be forwarded because the bandwidth is insufficient.
Shaping is a function that monitors the frame transmission speed, and restricts the forwarding rate to a specific amount by temporarily buffering frames with a speed that exceeds the limit, and then transmitting them.
Shaping on this product is realized by using a single token bucket.
- Single token bucket
- Shaping can be specified for individual ports and for individual queues, respectively using the following commands.
Object of shaping | Command for settings |
---|---|
By port | traffic-shape |
By transmission queue | traffic-shape queue |

- Specify the upper limit of the transmission rate (CIR) and the burst size (BC).
- The upper limit of the transmission rate (CIR) can be specified from 18–1,000,000 kbps.
- The burst size (BC) can be specified from 4–16,000 kbyte. However, this is specified in 4 Kbyte units.
- If shaping is used both by queue and by port, shaping by port is applied after shaping by queue.
- With the default setting (when QoS is enabled), the shaping setting is "disable" for all ports and all queues.
Separate table 1: Standard PHB (RFC recommended value)
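PHB | | DSCP value | RFC |
---|---|---|---|
Default | | 0 | RFC2474 |
CS (Class Selector) | CS0 | 0 | RFC2474 |
CS (Class Selector) | CS1 | 8 | RFC2474 |
CS (Class Selector) | CS2 | 16 | RFC2474 |
CS (Class Selector) | CS3 | 24 | RFC2474 |
CS (Class Selector) | CS4 | 32 | RFC2474 |
CS (Class Selector) | CS5 | 40 | RFC2474 |
CS (Class Selector) | CS6 | 48 | RFC2474 |
CS (Class Selector) | CS7 | 56 | RFC2474 |
AF (Assured Forwarding) | AF11 | 10 | RFC2597 |
AF (Assured Forwarding) | AF12 | 12 | RFC2597 |
AF (Assured Forwarding) | AF13 | 14 | RFC2597 |
AF (Assured Forwarding) | AF21 | 18 | RFC2597 |
AF (Assured Forwarding) | AF22 | 20 | RFC2597 |
AF (Assured Forwarding) | AF23 | 22 | RFC2597 |
AF (Assured Forwarding) | AF31 | 26 | RFC2597 |
AF (Assured Forwarding) | AF32 | 28 | RFC2597 |
AF (Assured Forwarding) | AF33 | 30 | RFC2597 |
AF (Assured Forwarding) | AF41 | 34 | RFC2597 |
AF (Assured Forwarding) | AF42 | 36 | RFC2597 |
AF (Assured Forwarding) | AF43 | 38 | RFC2597 |
EF (Expedited Forwarding) | | 46 | RFC2598 |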
4 Related Commands
The related commands are shown below.
For details on the commands, refer to the Command Reference.
QoS-related commands
Operations | Operating commands |
---|---|
Enable/disable QoS | qos enable |
Set default CoS | qos cos |
Change trust mode | qos trust |
Generate policy map for ingress frames | policy-map |
Apply policy map for ingress frames | service-policy input |
Show status of QoS function setting | show qos |
Show QoS information for LAN/SFP port | show qos interface |
Show egress queue usage ratio | show qos queue-counters |
Show policy map information | show policy-map |
Show map status | show qos map-status |
Set CoS - transmission queue ID conversion table | qos cos-queue |
Set DSCP - transmission queue ID conversion table | qos dscp-queue |
Set port priority order | qos port-priority-queue |
Set priority order of frames sent from the switch itself | qos queue sent-from-cpu |
Generate class map (traffic category conditions) | class-map |
Associate class map | class |
Set traffic classification conditions (access-group) | match access-list |
Set traffic classification conditions (CoS) | match cos |
Set traffic classification conditions (TOS precedence) | match ip-precedence |
Set traffic classification conditions (DSCP) | match ip-dscp |
Set traffic classification conditions (Ethernet Type) | match ethertype |
Set traffic classification conditions (VLAN ID) | match vlan |
Set traffic classification conditions (VLAN ID range) | match vlan-range |
Show class map information | show class-map |
Set pre-marking (CoS) | set cos |
Set pre-marking (TOS precedence) | set ip-precedence |
Set pre-marking (DSCP) | set ip-dscp |
Set individual policer / aggregate policer (single rate) | police single-rate |
Set individual policer / aggregate policer (twin rate) | police twin-rate |
Set remarking for individual policer / aggregate policer | remark-map |
Create aggregate policer | aggregate-police |
Show aggregate policer | show aggregate-police |
Apply aggregate policer | police-aggregate |
Show metering counter | show qos metering-counters |
Clear metering counter | clear qos metering-counters |
Set egress queue (CoS-Queue) | set cos-queue |
Set egress queue (DSCP-Queue) | set ip-dscp-queue |
Set egress queue scheduling | qos wrr-weight |
Set traffic shaping (individual port) | traffic-shape rate |
Set traffic shaping (individual queue) | traffic-shape queue rate |
5 Examples of Command Execution
5.1 Priority control (SP) using DSCP values
This example allocates the transmission queue based on the DSCP value of the frame, for priority control (SP).
When frames with DSCP = 56, 46, 8, and 0 are received, frames with larger DSCP values are given priority when transmitted from LAN port #3.
- DSCP priority control (SP): setting example
- Prioritizing the input frame is done as follows.
- DSCP = 56 frame is set at priority level 7
- DSCP = 46 frame is set at priority level 5
- DSCP = 8 frame is set at priority level 1
- DSCP = 0 frame is set at priority level 0
- This sets the trust mode for the reception ports (LAN ports #1 and #2) on which QoS is enabled.
Yamaha(config)#qos enable … (Enable QoS)
Yamaha(config)#interface port1.1 … (Settings for LAN port #1)
Yamaha(config-if)#qos trust dscp … (Change trust mode to DSCP)
Yamaha(config-if)#exit
Yamaha(config)#interface port1.2 … (Settings for LAN port #2)
Yamaha(config-if)#qos trust dscp … (Change trust mode to DSCP)
Yamaha(config-if)#exit
- This sets the DSCP - transmission queue ID conversion table.
As the transmission queue ID corresponding to DSCP value = 46, 56 is the default, there is no need to make this setting, but it is listed for purposes of clarity.
Yamaha(config)#qos dscp-queue 56 7 … (Place frames of DSCP = 56 in transmission queue #7)
Yamaha(config)#qos dscp-queue 46 5 … (Place frames of DSCP = 46 in transmission queue #5)
Yamaha(config)#qos dscp-queue 8 1 … (Place frames of DSCP = 8 in transmission queue #1)
Yamaha(config)#qos dscp-queue 0 0 … (Place frames of DSCP = 0 in transmission queue #0)
- This sets the scheduling method per transmission queue.
As this is the default, there is no need to make this setting, but it is listed for purposes of clarity.
Yamaha(config)# no qos wrr-weight 7 … (Queue:7 SP method)
Yamaha(config)# no qos wrr-weight 5 … (Queue:5 SP method)
Yamaha(config)# no qos wrr-weight 1 … (Queue:1 SP method)
Yamaha(config)# no qos wrr-weight 0 … (Queue:0 SP method)
5.2 Priority control (SP+WRR) using an access list
This example classifies traffic by using the source IP address, and sets the priority control (WRR).
- Priority control (SP+WRR): setting example
- Classification conditions and priority setting for input frames
- The packet from 192.168.10.2 is classified as traffic A, and is set with a priority level of 7 during packet transmission
- The packet from 192.168.20.2 is classified as traffic B, and is set with a priority level of 6 during packet transmission
- The packet from 192.168.30.2 is classified as traffic C, and is set with a priority level of 5 during packet transmission
- The packet from 192.168.40.2 is classified as traffic D, and is set with a priority level of 4 during packet transmission
- The packet from 192.168.50.2 is classified as traffic E, and is set with a priority level of 3 during packet transmission
- The packet from 192.168.60.2 is classified as traffic F, and is set with a priority level of 2 during packet transmission
- The packet from 192.168.70.2 is classified as traffic G, and is set with a priority level of 1 during packet transmission
- The packet from 192.168.80.2 is classified as traffic H, and is set with a priority level of 0 during packet transmission
- Scheduling method
These are the integrated SP and WRR settings to make.
Queue ID | Method | Weight (%) |
---|---|---|
7 | SP | - |
6 | SP | - |
5 | SP | - |
4 | WRR | 8 (40.0%) |
3 | WRR | 6 (30.0%) |
2 | WRR | 3 (15.0%) |
1 | WRR | 2 (10.0%) |
0 | WRR | 1 (5.0%) |
- This enables QoS, defines the access lists for traffic A–H, and defines the traffic classes that will be set in the LAN ports.
Yamaha(config)#qos enable … (Enable QoS)
Yamaha(config)#access-list 1 permit any 192.168.10.2 0.0.0.0 any … (Traffic A)
Yamaha(config)#class-map cmap-A
Yamaha(config-cmap)#match access-list 1
Yamaha(config-cmap)#exit
Yamaha(config)#access-list 2 permit any 192.168.20.2 0.0.0.0 any … (Traffic B)
Yamaha(config)#class-map cmap-B
Yamaha(config-cmap)#match access-list 2
Yamaha(config-cmap)#exit
Yamaha(config)#access-list 3 permit any 192.168.30.2 0.0.0.0 any … (Traffic C)
Yamaha(config)#class-map cmap-C
Yamaha(config-cmap)#match access-list 3
Yamaha(config-cmap)#exit
Yamaha(config)#access-list 4 permit any 192.168.40.2 0.0.0.0 any … (Traffic D)
Yamaha(config)#class-map cmap-D
Yamaha(config-cmap)#match access-list 4
Yamaha(config-cmap)#exit
Yamaha(config)#access-list 5 permit any 192.168.50.2 0.0.0.0 any … (Traffic E)
Yamaha(config)#class-map cmap-E
Yamaha(config-cmap)#match access-list 5
Yamaha(config-cmap)#exit
Yamaha(config)#access-list 6 permit any 192.168.60.2 0.0.0.0 any … (Traffic F)
Yamaha(config)#class-map cmap-F
Yamaha(config-cmap)#match access-list 6
Yamaha(config-cmap)#exit
Yamaha(config)#access-list 7 permit any 192.168.70.2 0.0.0.0 any … (Traffic G)
Yamaha(config)#class-map cmap-G
Yamaha(config-cmap)#match access-list 7
Yamaha(config-cmap)#exit
Yamaha(config)#access-list 8 permit any 192.168.80.2 0.0.0.0 any … (Traffic H)
Yamaha(config)#class-map cmap-H
Yamaha(config-cmap)#match access-list 8
Yamaha(config-cmap)#exit
- This reverts the CoS - transmission queue ID conversion table to the default setting.
```
Yamaha(config)#no qos cos-queue 0
Yamaha(config)#no qos cos-queue 1
Yamaha(config)#no qos cos-queue 2
Yamaha(config)#no qos cos-queue 3
Yamaha(config)#no qos cos-queue 4
Yamaha(config)#no qos cos-queue 5
Yamaha(config)#no qos cos-queue 6
Yamaha(config)#no qos cos-queue 7
```
- This generates and applies the policy to LAN port #1 (port1.1).
This sets a transmission queue with CoS value 7 to traffic-A, and a transmission queue with CoS value 6 to traffic-B.
```
Yamaha(config)#policy-map pmap1
Yamaha(config-pmap)#class cmap-A
Yamaha(config-pmap-c)#set cos-queue 7 … (Traffic-A is local priority order 7)
Yamaha(config-pmap-c)#exit
Yamaha(config-pmap)#class cmap-B
Yamaha(config-pmap-c)#set cos-queue 6 … (Traffic-B is local priority order 6)
Yamaha(config-pmap-c)#exit
Yamaha(config-pmap)#exit
Yamaha(config)#interface port1.1 … (LAN port #1)
Yamaha(config-if)#service-policy input pmap1 … (Apply policy to received frames)
Yamaha(config-if)#exit
```
- This generates and applies the policy to LAN port #2 (port1.2).
This sets a transmission queue with CoS value 5 to traffic-C, and a transmission queue with CoS value 4 to traffic-D.
```
Yamaha(config)#policy-map pmap2
Yamaha(config-pmap)#class cmap-C
Yamaha(config-pmap-c)#set cos-queue 5 … (Traffic-C is local priority order 5)
Yamaha(config-pmap-c)#exit
Yamaha(config-pmap)#class cmap-D
Yamaha(config-pmap-c)#set cos-queue 4 … (Traffic-D is local priority order 4)
Yamaha(config-pmap-c)#exit
Yamaha(config-pmap)#exit
Yamaha(config)#interface port1.2 … (LAN port #2)
Yamaha(config-if)#service-policy input pmap2 … (Apply policy to received frames)
Yamaha(config-if)#exit
```
- This generates and applies the policy to LAN port #3 (port1.3).
This sets a transmission queue with CoS value 3 to traffic-E, and a transmission queue with CoS value 0 to traffic-F.
```
Yamaha(config)#policy-map pmap3
Yamaha(config-pmap)#class cmap-E
Yamaha(config-pmap-c)#set cos-queue 3 … (Traffic-E is local priority order 3)
Yamaha(config-pmap-c)#exit
Yamaha(config-pmap)#class cmap-F
Yamaha(config-pmap-c)#set cos-queue 0 … (Traffic-F is local priority order 2)
Yamaha(config-pmap-c)#exit
Yamaha(config-pmap)#exit
Yamaha(config)#interface port1.3 … (LAN port #3)
Yamaha(config-if)#service-policy input pmap3 … (Apply policy to received frames)
Yamaha(config-if)#exit
```
- This generates and applies the policy to LAN port #4 (port1.4).
This sets a transmission queue with CoS value 2 to traffic-G, and a transmission queue with CoS value 1 to traffic-H.
```
Yamaha(config)#policy-map pmap4
Yamaha(config-pmap)#class cmap-G
Yamaha(config-pmap-c)#set cos-queue 2 … (Traffic-G is local priority order 1)
Yamaha(config-pmap-c)#exit
Yamaha(config-pmap)#class cmap-H
Yamaha(config-pmap-c)#set cos-queue 1 … (Traffic-H is local priority order 0)
Yamaha(config-pmap-c)#exit
Yamaha(config-pmap)#exit
Yamaha(config)#interface port1.4 … (LAN port #4)
Yamaha(config-if)#service-policy input pmap4 … (Apply policy to received frames)
Yamaha(config-if)#exit
```
- This sets the scheduling method for the transmission queue.
Because the settings for queue IDs 5, 6, and 7 are the defaults, there is no need to make them, but they are listed for purposes of clarity.
```
Yamaha(config)#qos wrr-weight 0 1 … (Transmission queue 0: WRR method, weight 1)
Yamaha(config)#qos wrr-weight 1 2 … (Transmission queue 1: WRR method, weight 2)
Yamaha(config)#qos wrr-weight 2 3 … (Transmission queue 2: WRR method, weight 3)
Yamaha(config)#qos wrr-weight 3 6 … (Transmission queue 3: WRR method, weight 6)
Yamaha(config)#qos wrr-weight 4 8 … (Transmission queue 4: WRR method, weight 8)
Yamaha(config)#no qos wrr-weight 5 … (Transmission queue 5: SP method)
Yamaha(config)#no qos wrr-weight 6 … (Transmission queue 6: SP method)
Yamaha(config)#no qos wrr-weight 7 … (Transmission queue 7: SP method)
```
5.3 Priority control using port priority trust mode
The transmission queue is determined according to the port priority order that is specified for each reception port.
- Priority control using port priority: setting example
- Set priority for each reception port
- Set LAN port#1 (port1.1) to priority order 6.
- Set LAN port#2 (port1.2) to priority order 4.
- Set LAN port#3 (port1.3) to priority order 2.
- Enable QoS and set the trust mode for the reception ports (LAN ports #1, #2, and #3).
```
Yamaha(config)#qos enable … (Enable QoS)
Yamaha(config)#interface port1.1 … (Settings for LAN port #1)
Yamaha(config-if)#qos trust port-priority … (Change trust mode to "port priority")
Yamaha(config-if)#qos port-priority-queue 6 … (Set port priority order to 6)
Yamaha(config-if)#exit
Yamaha(config)#interface port1.2 … (Settings for LAN port #2)
Yamaha(config-if)#qos trust port-priority … (Change trust mode to "port priority")
Yamaha(config-if)#qos port-priority-queue 4 … (Set port priority order to 4)
Yamaha(config-if)#exit
Yamaha(config)#interface port1.3 … (Settings for LAN port #3)
Yamaha(config-if)#qos trust port-priority … (Change trust mode to "port priority")
Yamaha(config-if)#qos port-priority-queue 2 … (Set port priority order to 2)
Yamaha(config-if)#exit
```
5.4 Bandwidth control using access list (twin rate / individual policer)
This example sets bandwidth control by using the source IP address. A twin rate policer and an individual policer are used for metering.
- Bandwidth control: setting example
- Classification conditions and bandwidth limits for input frames
- Packets from 192.168.10.2 are classified as traffic A, and a reception rate (CIR) of 25 Mbps is guaranteed.
- Packets from 192.168.20.2 are classified as traffic B, and a reception rate (CIR) of 15 Mbps is guaranteed.
- Packets from 192.168.30.2 are classified as traffic C, and a reception rate (CIR) of 10 Mbps is guaranteed.
- Enable QoS, define the access lists for traffic A–C, and define the traffic classes that will be set for the LAN ports.
```
Yamaha(config)#qos enable … (Enable QoS)
Yamaha(config)#access-list 1 permit any 192.168.10.2 0.0.0.0 any … (Traffic A)
Yamaha(config)#class-map cmap-A
Yamaha(config-cmap)#match access-list 1
Yamaha(config-cmap)#exit
Yamaha(config)#access-list 2 permit any 192.168.20.2 0.0.0.0 any … (Traffic B)
Yamaha(config)#class-map cmap-B
Yamaha(config-cmap)#match access-list 2
Yamaha(config-cmap)#exit
Yamaha(config)#access-list 3 permit any 192.168.30.2 0.0.0.0 any … (Traffic C)
Yamaha(config)#class-map cmap-C
Yamaha(config-cmap)#match access-list 3
Yamaha(config-cmap)#exit
```
- Generate and apply the policy to LAN port #1 (port1.1).
Individually specify metering for traffic A through traffic C.
In the twin rate policer, bandwidth for green can be allocated (guaranteed) by discarding yellow and red.
```
Yamaha(config)#policy-map pmap1
Yamaha(config-pmap)#class cmap-A … (Set Traffic-A metering)
Yamaha(config-pmap-c)#police twin-rate 25000 25000 156 11 yellow-action drop red-action drop
Yamaha(config-pmap-c)#exit
Yamaha(config-pmap)#class cmap-B … (Set Traffic-B metering)
Yamaha(config-pmap-c)#police twin-rate 15000 15000 93 11 yellow-action drop red-action drop
Yamaha(config-pmap-c)#exit
Yamaha(config-pmap)#class cmap-C … (Set Traffic-C metering)
Yamaha(config-pmap-c)#police twin-rate 10000 10000 62 11 yellow-action drop red-action drop
Yamaha(config-pmap-c)#exit
Yamaha(config-pmap)#exit
Yamaha(config)#interface port1.1 … (LAN port 1)
Yamaha(config-if)#service-policy input pmap1 … (Apply policy to received frames)
Yamaha(config-if)#exit
```
- The metering setting values are shown below.
- Metering type: Twin rate policer
- Traffic-A: CIR, PIR (25,000 kbps), CBS (156 kbyte), PBS (11 kbyte)
- Traffic-B: CIR, PIR (15,000 kbps), CBS (93 kbyte), PBS (11 kbyte)
- Traffic-C: CIR, PIR (10,000 kbps), CBS (62 kbyte), PBS (11 kbyte)
The following calculation is used to find the CBS, with a round-trip time of 0.05 sec.
CBS = CIR (bps) ÷ 8 (bit) × 0.05 (second)
5.5 Bandwidth control using access list (single rate / aggregate policer)
This example sets bandwidth control by using the source IP address. A single rate policer and an aggregate policer are used for metering.
- Bandwidth control: setting example
- Classification conditions and bandwidth limits for input frames
- Packets from 192.168.10.2 are classified as traffic A.
- Packets from 192.168.20.2 are classified as traffic B.
- Packets from 192.168.30.2 are classified as traffic C.
- The reception rate is limited to 25 Mbps for traffic A, B, and C collectively.
- Bandwidth class C "yellow" is remarked as DSCP=0, and sent with low priority.
- Enable QoS, define the access lists for traffic A–C, and define the traffic classes that will be set for the LAN ports.
```
Yamaha(config)#qos enable … (Enable QoS)
Yamaha(config)#access-list 1 permit any 192.168.10.2 0.0.0.0 any … (Traffic A)
Yamaha(config)#class-map cmap-A
Yamaha(config-cmap)#match access-list 1
Yamaha(config-cmap)#exit
Yamaha(config)#access-list 2 permit any 192.168.20.2 0.0.0.0 any … (Traffic B)
Yamaha(config)#class-map cmap-B
Yamaha(config-cmap)#match access-list 2
Yamaha(config-cmap)#exit
Yamaha(config)#access-list 3 permit any 192.168.30.2 0.0.0.0 any … (Traffic C)
Yamaha(config)#class-map cmap-C
Yamaha(config-cmap)#match access-list 3
Yamaha(config-cmap)#exit
```
- Set the DSCP–transmission queue ID conversion table.
Assign the lowest-priority transmission queue to the DSCP value (0) used for remarking "yellow."
Yamaha(config)#qos dscp-queue 0 0
- Create an aggregate policer.
```
Yamaha(config)#aggregate-police agp1 … (Create aggregate policer)
Yamaha(config-agg-policer)#police single-rate 25000 156 11 yellow-action remark red-action drop
Yamaha(config-agg-policer)#remark-map yellow ip-dscp 0
Yamaha(config-agg-policer)#exit
```
- The aggregate policer's metering setting values are as follows.
- Metering type: Single rate policer
- Remark "yellow" to DSCP value = 0
- CIR (25,000 kbps), CBS (156 kbyte), EBS (11 kbyte)
The following calculation is used to find the CBS, with a round-trip time of 0.05 sec.
CBS = CIR (bps) ÷ 8 (bit) × 0.05 (second)
- Generate and apply the policy to LAN port #1 (port1.1).
Specify metering (aggregate policer) for the aggregated traffic of A through C.
```
Yamaha(config)#policy-map pmap1
Yamaha(config-pmap)#class cmap-A … (Set Traffic-A metering)
Yamaha(config-pmap-c)#police-aggregate agp1
Yamaha(config-pmap-c)#exit
Yamaha(config-pmap)#class cmap-B … (Set Traffic-B metering)
Yamaha(config-pmap-c)#police-aggregate agp1
Yamaha(config-pmap-c)#exit
Yamaha(config-pmap)#class cmap-C … (Set Traffic-C metering)
Yamaha(config-pmap-c)#police-aggregate agp1
Yamaha(config-pmap-c)#exit
Yamaha(config-pmap)#exit
Yamaha(config)#interface port1.1 … (LAN port 1)
Yamaha(config-if)#service-policy input pmap1 … (Apply policy to received frames)
Yamaha(config-if)#exit
```
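The CBS calculation and the two policer settings from sections 5.4 and 5.5, modelled in Python as an added example (this is not Yamaha's code). It assumes the meters behave like the colour-blind markers of RFC 2697 (single rate) and RFC 2698 (twin rate) and that 1 kbyte = 1000 bytes, which is what the manual's 156/93/62 figures imply; the frame bursts are constructed input.

```python
from collections import Counter
from dataclasses import dataclass

KBYTE = 1000  # the manual's CBS values (156, 93, 62) imply 1 kbyte = 1000 bytes


def cbs_from_cir(cir_kbps, rtt_ms=50):
    """CBS = CIR (bps) / 8 x round-trip time, in whole kbyte (RTT 0.05 s)."""
    return cir_kbps * 1000 // 8 * rtt_ms // 1000 // KBYTE


def _tokens(rate_kbps, seconds):
    """Bytes of credit earned at rate_kbps over the given time."""
    return rate_kbps * 1000 / 8 * seconds


@dataclass
class SingleRateMeter:
    """Assumed model: colour-blind single rate marker (CIR, CBS, EBS)."""
    cir_kbps: int
    cbs_kb: int
    ebs_kb: int
    last: float = 0.0

    def __post_init__(self):
        self.tc = self.cbs_kb * KBYTE   # committed bucket starts full
        self.te = self.ebs_kb * KBYTE   # excess bucket starts full

    def colour(self, now, size):
        earned = _tokens(self.cir_kbps, now - self.last)
        self.last = now
        cbs, ebs = self.cbs_kb * KBYTE, self.ebs_kb * KBYTE
        spill = max(0.0, self.tc + earned - cbs)  # overflow of Tc feeds Te
        self.tc = min(cbs, self.tc + earned)
        self.te = min(ebs, self.te + spill)
        if self.tc >= size:
            self.tc -= size
            return "green"
        if self.te >= size:
            self.te -= size
            return "yellow"
        return "red"


@dataclass
class TwinRateMeter:
    """Assumed model: colour-blind two rate marker (CIR, PIR, CBS, PBS)."""
    cir_kbps: int
    pir_kbps: int
    cbs_kb: int
    pbs_kb: int
    last: float = 0.0

    def __post_init__(self):
        self.tc = self.cbs_kb * KBYTE
        self.tp = self.pbs_kb * KBYTE

    def colour(self, now, size):
        dt, self.last = now - self.last, now
        self.tc = min(self.cbs_kb * KBYTE, self.tc + _tokens(self.cir_kbps, dt))
        self.tp = min(self.pbs_kb * KBYTE, self.tp + _tokens(self.pir_kbps, dt))
        if self.tp < size:
            return "red"
        self.tp -= size
        if self.tc < size:
            return "yellow"
        self.tc -= size
        return "green"


def police(meter, frames, yellow_action, red_action):
    """frames: (time_s, source, size_bytes). Count outcomes per source."""
    action = {"green": "forward", "yellow": yellow_action, "red": red_action}
    result = Counter()
    for now, src, size in frames:
        result[(src, action[meter.colour(now, size)])] += 1
    return result


# Constructed input: 120 back-to-back 1500-byte frames, interleaved A, B, C.
SHARED_BURST = [(0.0, "ABC"[i % 3], 1500) for i in range(120)]
# Constructed input: 40 back-to-back 1500-byte frames from traffic A only.
BURST_A = [(0.0, "A", 1500) for _ in range(40)]


def aggregate_example():
    """Section 5.5: police single-rate 25000 156 11, yellow remark, red drop."""
    agp1 = SingleRateMeter(25000, 156, 11)  # one meter shared by A, B and C
    return police(agp1, SHARED_BURST, "remark-dscp0", "drop")


def individual_example():
    """Section 5.4, traffic A: police twin-rate 25000 25000 156 11, drop/drop."""
    meter_a = TwinRateMeter(25000, 25000, 156, 11)
    return police(meter_a, BURST_A, "drop", "drop")


if __name__ == "__main__":
    print([cbs_from_cir(c) for c in (25000, 15000, 10000)])
    print(sorted(aggregate_example().items()))
    print(sorted(individual_example().items()))
```

Under this model a back-to-back burst in the twin-rate setting is bounded by PBS (11 kbyte) rather than CBS, because PIR equals CIR and the peak bucket empties first.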
6 Points of Caution
- LAN/SFP ports that use settings different from those shown below cannot be aggregated as a logical interface. Also, as for the settings shown below for a LAN/SFP port that belongs to a logical interface in startup config, the settings for the most recent port number will be applied to the logical interface.
- Trust mode
- Default CoS
- Port priority
- LAN/SFP ports on which policy maps have been applied cannot belong to a logical interface.
- Policy maps cannot be applied to a LAN/SFP port that belongs to a logical interface. However, if a LAN/SFP port that belongs to a logical interface in startup config has a policy map, the settings for the most recent port number will be applied to the logical interface.
- Conditions might not be determined correctly for fragment packets. Specifically, if layer 4 information (source port number, destination port number, and various TCP flags) is included in the conditions, correct information cannot be determined because the information is not included in the second and subsequent fragment packets. If there is a possibility of processing fragment packets, do not include layer 4 information in the conditions.
7 Related Documentation
None
Flow control
1 Function Overview
A switching hub initially stores received frames in memory and then performs relay processing.
When many frames are sent at the same time and relay processing cannot keep up (a congested state), exceeding the available memory capacity for storage, the frames to be relayed are discarded.
This product includes the following two functions to help mitigate such congestion.
- When ports are operating at full duplex: IEEE 802.3x flow control can be enabled.
- When ports are operating at half duplex: the back pressure function will always be enabled.
2 Definition of Terms Used
- Bit time
- On a 10BASE network, the speed is 10Mbps, so 1 bit time = 100 nsec.
In the same way, the bit time on 100BASE is 10 nsec, and on 1000BASE is 1 nsec.
- Jam signals
In half-duplex communications, where data cannot be transmitted and received at the same time, there is a possibility of data collision. The transmitting device monitors the possibility of data collision during transmission. When possible data collision is detected, the device stops transmitting and sends a jam signal. After the jam signal is sent, the device waits for a random interval before resuming transmission.
Although undefined in IEEE, jam signals that use a 32-digit alternating "1" and "0" bit sequence (such as "10101010101010101010101010101010") are often used.
3 Function Details
3.1 IEEE 802.3x flow control
For full duplex communication, the MAC control protocol with IEEE802.3x option can be used. The MAC control frame in the diagram below is used for flow control.
MAC control frame
The following flow control operations are performed, based on the restriction start threshold and the restriction cancel threshold.
Flow control: processing flow
This product can be used for either transmitting or receiving MAC control frames. The operations for each are shown below.
- MAC control frame transmission processing
- Frames are stored in the receive buffer. When the number of frames exceeds the restriction start threshold, a PAUSE frame with a pause time of 65535 is sent.
- When the overflow in the receive buffer is resolved, and the number of frames falls below the restriction cancel threshold, a PAUSE frame with a pause time of 0 is sent.
- MAC control frame reception processing
- When a PAUSE frame with a pause time of 1–65535 is received, transmission processing is stopped until the corresponding bit time has elapsed or a PAUSE frame with a pause time of 0 has been received.
Use the flowcontrol command to enable or disable the flow control (when transmitting/receiving MAC control frames).
This setting can be made for the system and for each transmitting/receiving LAN/SFP port, and is set to "disable" by factory default.
In order to enable flow control for an individual port, flow control must be enabled for the system.
When flow control is enabled for the system, the tail drop function is disabled.
If the QoS function is enabled, flow control cannot be enabled.
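The PAUSE exchange described above, as an added Python example (not code from the manual): it builds and parses PAUSE frames and replays a constructed capture to show when a receiving port has to hold back transmission. The frame constants (destination 01-80-C2-00-00-01, EtherType 0x8808, opcode 0x0001, one pause-time unit = 512 bit times) come from IEEE 802.3 and are not stated on this page; the bit times are the ones listed in section 2.

```python
import struct

PAUSE_DST = bytes.fromhex("0180c2000001")  # reserved MAC control multicast address
MAC_CONTROL = 0x8808                        # EtherType of MAC control frames
OP_PAUSE = 0x0001                           # opcode of the PAUSE operation
QUANTUM_BITS = 512                          # one pause-time unit = 512 bit times
BIT_TIME_NS = {10: 100, 100: 10, 1000: 1}   # link speed (Mbps) -> ns per bit


def build_pause(src_mac: bytes, pause_time: int) -> bytes:
    """Build a PAUSE frame (without FCS), padded to the 60-byte minimum."""
    if len(src_mac) != 6 or not 0 <= pause_time <= 0xFFFF:
        raise ValueError("need a 6-byte MAC and a pause time of 0-65535")
    body = struct.pack("!HHH", MAC_CONTROL, OP_PAUSE, pause_time)
    return (PAUSE_DST + src_mac + body).ljust(60, b"\x00")


def parse_pause(frame: bytes):
    """Return the pause time of a PAUSE frame, or None for any other frame."""
    if len(frame) < 18:
        return None
    ethertype, opcode, pause_time = struct.unpack("!HHH", frame[12:18])
    if ethertype != MAC_CONTROL or opcode != OP_PAUSE:
        return None
    return pause_time


def pause_ns(pause_time: int, speed_mbps: int) -> int:
    """Length of the requested pause in nanoseconds at the given link speed."""
    return pause_time * QUANTUM_BITS * BIT_TIME_NS[speed_mbps]


def blocked_intervals(rx_events, speed_mbps):
    """Replay received frames [(time_ns, frame)] and return the [start, end)
    intervals during which the receiving port must not transmit."""
    intervals = []
    for now, frame in sorted(rx_events, key=lambda e: e[0]):
        pause_time = parse_pause(frame)
        if pause_time is None:
            continue                      # ordinary traffic has no effect
        if intervals and intervals[-1][1] > now:
            intervals[-1][1] = now        # a new PAUSE replaces the running timer
        if pause_time:                    # pause time 0 only cancels
            intervals.append([now, now + pause_ns(pause_time, speed_mbps)])
    return [tuple(i) for i in intervals if i[1] > i[0]]


SRC = bytes.fromhex("020000000001")       # constructed, locally administered MAC
# Constructed capture: restriction start (65535), restriction cancel (0),
# an unrelated IPv4 frame, then a short pause of 100 units.
EVENTS = [
    (0, build_pause(SRC, 65535)),
    (1_000_000, build_pause(SRC, 0)),
    (3_000_000, b"\xff" * 6 + SRC + b"\x08\x00" + b"\x00" * 46),
    (5_000_000, build_pause(SRC, 100)),
]

if __name__ == "__main__":
    for speed in (10, 100, 1000):
        print(speed, "Mbps: pause time 65535 =", pause_ns(65535, speed) / 1e6, "ms")
    print(blocked_intervals(EVENTS, 1000))
```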
3.2 Back pressure
This product sends a jam signal whenever the receiving buffer of a LAN port is about to overflow.
With this, the sender waits for a random amount of time as per the CSMA/CD, and then sends the frames.
When the LAN port is operating at half duplex, the back pressure function will always be enabled.
Back pressure processing flow
4 Related Commands
The related commands are shown below.
For details on the commands, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Set (system) flow control (IEEE 802.3x PAUSE send/receive) | flowcontrol |
Set (interface) flow control (IEEE 802.3x PAUSE send/receive) | flowcontrol |
Show flow control operating status | show flowcontrol |
5 Examples of Command Execution
- Enable flow control on LAN port #1.
After the function is enabled, check the flow control operating status.
```
Yamaha(config)#interface port1.1
Yamaha(config-if)#flowcontrol both
Yamaha(config-if)#end
Yamaha#show flowcontrol port1.1
Port        FlowControl    RxPause TxPause
---------   -----------    ------- -------
port1.1     Both                 0      64
```
6 Points of Caution
None
7 Related Documentation
None
Storm control
1 Function Overview
This product provides a storm control function as a countermeasure against L2 loops and DoS attacks.
Broadcasts, multicasts, and unicast (dlf) frames that are addressed to an unknown host are monitored for each LAN/SFP port, and frames that exceed a preset threshold value are discarded.
This prevents such frames from taking up bandwidth on the LAN/SFP port.
Using the storm control function together with the proprietary loop detection function enhances the precision of loop detection (avoiding such frames in the first place).
2 Definition of Terms Used
- Broadcast storm/multicast storm
This means a situation where frames addressed for broadcast or multicast are continuously forwarded.
In this situation, the switch floods all ports except for the reception port with the broadcast or multicast.
When this is received by another switch, all ports except for the reception port are flooded in the same way.
When this continues, it can lead to the following symptoms.
- Bandwidth is taken up by the broadcast storm/multicast storm
- The switch's CPU load increases, making normal operations difficult
- Devices connected to the switch become unable to communicate
- Unicast stream
This means a situation where frames addressed to an unknown unicast destination (dlf: Destination Lookup Failure) are continuously forwarded.
When the MAC address of the receiving device has not been registered in the ARP table, all ports on the switch except for the reception port are flooded.
This leads to the same symptoms occurring as with a broadcast storm or multicast storm.
3 Function Details
The operating specifications for storm control are shown below.
- The storm control function can be enabled for LAN/SFP ports.
The setting is disabled for all ports by default.
- Storm control on this product can be specified as a tolerance percentage for the bandwidth of the LAN/SFP ports that receive broadcast frames, multicast frames, and frames addressed to an unknown unicast destination.
(The value can be specified to two decimal places. Specifying 100% is the same as disabling the storm control function.)
The bandwidth tolerance is common for all frames, and the user can select the applicable frames.
The settings are made using the storm-control command.
- The following SYSLOG messages are output when storm control is enabled or disabled.
- When enabled: [ STORM]:inf: storm-control ENABLE (port:port1.1, type:B M U, level:50. 0%)
- When disabled: [ STORM]:inf: storm-control DISABLE (port:port1.1)
- When frames are received that exceed the permitted bandwidth, the excess frames are discarded.
- Use the show storm-control command to check the storm control information set for the LAN/SFP port.
4 Related Commands
The related commands are shown below.
For details on the commands, refer to the Command Reference.
List of related commands
Operations | Operating commands |
---|---|
Set storm control | storm-control |
Show storm control reception upper limit | show storm-control |
5 Examples of Command Execution
In this example, the L2 broadcast packets that can be received on LAN port 1 are restricted to 30% of the port bandwidth.
Storm control command setting: example
```
Yamaha(config)#interface port1.1
Yamaha(config-if)#storm-control broadcast level 30 … (Limit broadcast to 30% of bandwidth)
Yamaha(config-if)#end
Yamaha#
Yamaha#show storm-control
Port        BcastLevel   McastLevel   UcastLevel
port1.1         30.00%      100.00%      100.00%
port1.2        100.00%      100.00%      100.00%
port1.3        100.00%      100.00%      100.00%
port1.4        100.00%      100.00%      100.00%
port1.5        100.00%      100.00%      100.00%
port1.6        100.00%      100.00%      100.00%
port1.7        100.00%      100.00%      100.00%
port1.8        100.00%      100.00%      100.00%
port1.9        100.00%      100.00%      100.00%
```
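A configuration and log check built on the two formats shown in this chapter, as an added Python example (not part of the manual): it lists the ports and frame types left at 100% in `show storm-control` output, which the manual says is the same as disabled, and replays the storm-control SYSLOG messages to report ports where protection was switched off. The sample output, the log timestamps and the reading of `B M U` as broadcast, multicast and unicast are assumptions.

```python
import re

# Constructed sample in the layout of the `show storm-control` output.
SHOW_OUTPUT = """\
Port        BcastLevel   McastLevel   UcastLevel
port1.1         30.00%      100.00%      100.00%
port1.2        100.00%      100.00%      100.00%
port1.3         10.00%       10.00%       10.00%
"""

# Constructed log lines: the timestamp prefix is an assumption, the message
# body follows the SYSLOG format given in section 3 (including its spacing).
LOG_LINES = [
    "2024/01/10 09:00:01: [   STORM]:inf: storm-control ENABLE (port:port1.1, type:B, level:30.0%)",
    "2024/01/10 09:00:02: [   STORM]:inf: storm-control ENABLE (port:port1.3, type:B M U, level:10.0%)",
    "2024/01/10 09:00:03: [ STORM]:inf: storm-control ENABLE (port:port1.2, type:B M, level:50. 0%)",
    "2024/01/10 13:42:17: [   STORM]:inf: storm-control DISABLE (port:port1.2)",
]

TYPES = ("broadcast", "multicast", "unicast")
ROW = re.compile(r"^(port\d+\.\d+)\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%$")
EVENT = re.compile(
    r"\[\s*STORM\]:inf: storm-control (ENABLE|DISABLE) \(port:([^,)\s]+)"
    r"(?:, type:([BMU ]+?), level:\s*([\d. ]+?)%)?\)"
)


def unprotected_ports(show_output):
    """Map port -> frame types whose level is 100% (no storm control)."""
    findings = {}
    for line in show_output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                       # header or unrelated line
        levels = [float(v) for v in m.groups()[1:]]
        gaps = [t for t, level in zip(TYPES, levels) if level >= 100.0]
        if gaps:
            findings[m.group(1)] = gaps
    return findings


def replay_events(lines):
    """Return (state, switched_off): the last known setting per port and the
    ports whose protection was removed, in log order."""
    state, switched_off = {}, []
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue
        action, port, types, level = m.groups()
        if action == "ENABLE" and types is not None:
            value = float(level.replace(" ", ""))
            state[port] = (types.split(), value)
            if value >= 100.0:             # 100% is the same as disabled
                switched_off.append(port)
        elif action == "DISABLE":
            state[port] = None
            switched_off.append(port)
    return state, switched_off


if __name__ == "__main__":
    for port, gaps in unprotected_ports(SHOW_OUTPUT).items():
        print(f"{port}: no limit for {', '.join(gaps)}")
    state, switched_off = replay_events(LOG_LINES)
    print("storm control removed on:", switched_off)
```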
6 Points of Caution
None
7 Related Documentation
- L2 switching functions: Proprietary loop detection
SNMP MIB Reference
1 SNMP MIB List
The SNMP MIBs that are supported by this product are shown below.
1.1 MIB tree
The MIB tree for the MIB groups that are supported by this product is shown below.
```
iso(1)
 |
 +--std(0)
 |   |
 |   +--iso8802(8802)
 |       |
 |       +--ieee802dot1(1)
 |           |
 |           +--ieee802dot1mibs(1)
 |               |
 |               +--ieee8021paeMIB(1)  (port authentication information)
 |               |
 |               +--lldpMIB(2)
 |                   |
 |                   +--lldpObjects(1)
 |                       |
 |                       +--lldpExtensions(5)
 |                           |
 |                           +--lldpXMedMIB(4795)  (LLDP-MED information)
 |
 +--member-body(2)
 |   |
 |   +--us(840)
 |       |
 |       +--802dot3(10006)
 |           |
 |           +--snmpmibs(300)
 |               |
 |               +--lagMIB(43)  (LACP link aggregation information)
 |
 +--org(3)
     |
     +--dod(6)
     |   |
     |   +--internet(1)
     |       |
     |       +--mgmt(2)
     |       |   |
     |       |   +--mib-2(1)
     |       |       |
     |       |       +--system(1)  (system information)
     |       |       |
     |       |       +--interfaces(2)  (interface information)
     |       |       |
     |       |       +--at(3)  (mapping information for network addresses and physical addresses)
     |       |       |
     |       |       +--rmon(16)  (RMON information)
     |       |       |
     |       |       +--dot1dBridge(17)  (dot1dBridge information)
     |       |       |
     |       |       +--ifMIB(31)  (additional information for interface)
     |       |
     |       +--private(4)
     |           |
     |           +--enterprises(1)
     |               |
     |               +--yamaha(1182)
     |                   |
     |                   +--yamahaSW(3)  (private MIB Yamaha switch information)
     |                       |
     |                       +--yamahaSWHardware(1)  (hardware information)
     |                       |
     |                       +--yamahaSWFirmware(2)  (firmware information)
     |                       |
     |                       +--yamahaSWL2ms(5)  (L2MS information)
     |                       |
     |                       +--yamahaSWErrDisable(6)  (error detection function information)
     |                       |
     |                       +--yamahaSWRmon(7)  (RMON information)
     |                       |
     |                       +--yamahaSWTermMon(8)  (terminal monitoring information)
     |                       |
     |                       +--yamahaSWBridge(9)  (dot1dBridge information)
     |
     +--ieee(111)
         |
         +--standards-association-numbers-series-standards(2)
             |
             +--lan-man-stds(802)
                 |
                 +--ieee802dot1(1)
                     |
                     +--ieee802dot1mibs(1)
                         |
                         +--lldpV2MIB(13)  (LLDP information)
```
1.2 Standard MIB list
The standard MIBs that are supported are shown below.
MIB groups and overview
MIB group | Summary |
---|---|
ieee8021paeMIB group | Port authentication information |
lldpXMedMIB group | LLDP-MED information |
lagMIB group | LACP link aggregation information |
system group | System information |
interface group | Interface information |
at group | Mapping information for physical addresses and network addresses |
rmon group | RMON information |
dot1dBridge group | dot1dBridge information |
ifMIB group | Additional information for interface |
lldpV2MIB group | LLDP information |
1.3 Private MIB list
Private MIBs that are supported are shown below.
All of this information is related to Yamaha switches.
MIB groups and overview
MIB group | Summary |
---|---|
yamahaSWHardware group | Hardware information |
yamahaSWFirmware group | Firmware information |
yamahaSWL2ms group | L2MS information |
yamahaSWErrDisable group | Error detection function information |
yamahaSWRmon group | RMON information |
yamahaSWTermMon group | Terminal monitoring information |
yamahaSWBridge group | dot1dBridge information |
1.4 Standard MIB trap list
The standard MIB traps that are supported are shown below.
Traps and overview
Trap | Summary |
---|---|
coldStart | Power OFF/ON notification |
warmStart | Reload notification |
linkDown | Linkdown notification |
linkUp | Linkup notification |
authenticationFailure | Notification of failed authentication |
risingAlarm | Notification that RMON upper threshold value has been exceeded |
fallingAlarm | Notification that RMON lower threshold value has been exceeded |
newRoot | Notification that new root for bridge has been detected |
topologyChange | Notification when a change in topology has been detected |
1.5 Private MIB trap list
The private MIB traps that are supported are shown below.
Traps and overview
Trap | Summary |
---|---|
yshTemperatureStatusNormalTrap | Notification of “Normal” temperature status |
yshTemperatureStatusWarningTrap | Notification of “Warning” temperature status |
yshTemperatureStatusErrorTrap | Notification of “Error” temperature status |
yshFanStoppedTrap | Notification of fan stop |
yshFanSpeedUpTrap | Notification when fan RPM is increasing |
yshFanSpeedDownTrap | Notification when fan RPM is decreasing |
ysl2msFindSlave | Notification when L2MS slave is detected |
ysl2msDetectDown | Notification when L2MS slave is lost |
ysedTrap | Notification of detect/cancel for error detection function |
ystmIfTermTrap | Notification of terminal monitoring (port) detection |
ystmIpTermTrap | Notification of terminal monitoring (IP address) detection |
2 Definition of Terms Used
- MIB access classification
The MIB access used in subsequent explanations is described below.
MIB access classification
Access name | Description |
---|---|
R/O | Access to the MIB is read-only |
R/W | Access to the MIB is read-write |
R/NW | Although the access to the MIB is read-write as per the standards, it is read-only on this product |
R/C | Access to the MIB is read-create |
R/NC | Although the access to the MIB is read-create as per the standards, it is read-only on this product |
N/A | The MIB cannot be retrieved |
Note: May be used as additional information for traps (variable-bindings)
3 Obtaining a private MIB
Private MIB files may be acquired from here.
4 Standard MIBs
Standard MIBs that are supported by this product are shown below.
4.1 ieee8021paeMIB group
This MIB is related to port authentication information.
The syntax defined in the ieee8021paeMIB group is shown below.
Syntax defined in the ieee8021paeMIB group
Syntax | Definition |
---|---|
PaeControlledDirections | INTEGER ・both(0) ・in(1) |
PaeControlledPortStatus | INTEGER ・authorized(1) ・unauthorized(2) |
PaeControlledPortControl | INTEGER ・forceUnauthorized(1) ・auto(2) ・forceAuthorized(3) |
The ieee8021paeMIB group is divided into subgroups such as those shown below.
```
ieee8021paeMIB(1)
 |
 +--paeMIBObjects(1)
     |
     +--dot1xPaeSystem(1)
     |
     +--dot1xPaeAuthenticator(2)
```
dot1xPaeSystem group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
dot1xPaeSystemAuthControl | 1.0.8802.1.1.1.1.1.1 | R/NW | INTEGER ・enabled(1) ・disabled(2) | Setting value for authentication function at the system level | ||
dot1xPaePortTable | 1.0.8802.1.1.1.1.1.2 | N/A | System-level information table | |||
dot1xPaePortEntry | 1.0.8802.1.1.1.1.1.2.1 | N/A | INDEX ・dot1xPaePortNumber | |||
dot1xPaePortNumber | 1.0.8802.1.1.1.1.1.2.1.1 | N/A | InterfaceIndex | Port numbers for which the authentication function is enabled | ||
dot1xPaePortProtocolVersion | 1.0.8802.1.1.1.1.1.2.1.2 | R/O | Unsigned32 | Protocol version (2, fixed) | ||
dot1xPaePortCapabilities | 1.0.8802.1.1.1.1.1.2.1.3 | R/O | BITS | PAE functions supported by the port (0, fixed) | ||
dot1xPaePortInitialize | 1.0.8802.1.1.1.1.1.2.1.4 | R/NW | TruthValue | Initialization control for ports (2, fixed) | ||
dot1xPaePortReauthenticate | 1.0.8802.1.1.1.1.1.2.1.5 | R/NW | TruthValue | Re-authentication control for ports (2, fixed) |
dot1xPaeAuthenticator group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
dot1xAuthConfigTable | 1.0.8802.1.1.1.1.2.1 | N/A | Structural object table for Authenticator PAE for each port | |||
dot1xAuthConfigEntry | 1.0.8802.1.1.1.1.2.1.1 | N/A | INDEX ・dot1xPaePortNumber | |||
dot1xAuthAdminControlledDirections | 1.0.8802.1.1.1.1.2.1.1.3 | R/NW | PaeControlledDirections | Packet forwarding operation in an unauthenticated state, controlled by management | ||
dot1xAuthOperControlledDirections | 1.0.8802.1.1.1.1.2.1.1.4 | R/O | PaeControlledDirections | Packet forwarding operation in an unauthenticated state, controlled by operation | ||
dot1xAuthAuthControlledPortStatus | 1.0.8802.1.1.1.1.2.1.1.5 | R/O | PaeControlledPortStatus | Port authentication status | ||
dot1xAuthAuthControlledPortControl | 1.0.8802.1.1.1.1.2.1.1.6 | R/NW | PaeControlledPortControl | Setting value for 802.1X authentication operating mode | ||
dot1xAuthQuietPeriod | 1.0.8802.1.1.1.1.2.1.1.7 | R/NW | Unsigned32 | Setting value for authentication restriction period | ||
dot1xAuthSuppTimeout | 1.0.8802.1.1.1.1.2.1.1.9 | R/NW | Unsigned32 | Response wait time setting value for the supplicant | ||
dot1xAuthServerTimeout | 1.0.8802.1.1.1.1.2.1.1.10 | R/NW | Unsigned32 | Setting value for server response wait time | ||
dot1xAuthMaxReq | 1.0.8802.1.1.1.1.2.1.1.11 | R/NW | Unsigned32 | Setting value for number of times EAPOL packets are retransmitted | ||
dot1xAuthReAuthPeriod | 1.0.8802.1.1.1.1.2.1.1.12 | R/NW | Unsigned32 | Setting value for reauthentication interval | ||
dot1xAuthReAuthEnabled | 1.0.8802.1.1.1.1.2.1.1.13 | R/NW | TruthValue | Setting value for reauthentication function | ||
dot1xAuthKeyTxEnabled | 1.0.8802.1.1.1.1.2.1.1.14 | R/NW | TruthValue | Constant value (2, fixed) used by Authenticator PAE state machine | ||
dot1xAuthStatsTable | 1.0.8802.1.1.1.1.2.2 | N/A | Statistical data object table for Authenticator PAE associated with each port | |||
dot1xAuthStatsEntry | 1.0.8802.1.1.1.1.2.2.1 | N/A | INDEX ・dot1xPaePortNumber | |||
dot1xAuthEapolFramesRx | 1.0.8802.1.1.1.1.2.2.1.1 | R/O | Counter32 | No. of EAPOL frames that are received, all valid types | ||
dot1xAuthEapolFramesTx | 1.0.8802.1.1.1.1.2.2.1.2 | R/O | Counter32 | No. of EAPOL frames that are transmitted, all types | ||
dot1xAuthEapolStartFramesRx | 1.0.8802.1.1.1.1.2.2.1.3 | R/O | Counter32 | No. of EAPOL Start frames received | ||
dot1xAuthEapolLogoffFramesRx | 1.0.8802.1.1.1.1.2.2.1.4 | R/O | Counter32 | No. of EAPOL Logoff frames received | ||
dot1xAuthEapolRespIdFramesRx | 1.0.8802.1.1.1.1.2.2.1.5 | R/O | Counter32 | No. of EAP Response/Identity frames received | ||
dot1xAuthEapolRespFramesRx | 1.0.8802.1.1.1.1.2.2.1.6 | R/O | Counter32 | No. of valid EAP Response frames, excepting EAP Response/Identity frames received | ||
dot1xAuthEapolReqIdFramesTx | 1.0.8802.1.1.1.1.2.2.1.7 | R/O | Counter32 | No. of EAP Request/Identity frames transmitted | ||
dot1xAuthEapolReqFramesTx | 1.0.8802.1.1.1.1.2.2.1.8 | R/O | Counter32 | No. of EAP Request frames, excepting EAP Request/Identity frames transmitted | ||
dot1xAuthInvalidEapolFramesRx | 1.0.8802.1.1.1.1.2.2.1.9 | R/O | Counter32 | No. of frames within received EAPOL frames, for which frame type has not been approved | ||
dot1xAuthEapLengthErrorFramesRx | 1.0.8802.1.1.1.1.2.2.1.10 | R/O | Counter32 | No. of received EAPOL frames, for which the packet body length is invalid | ||
dot1xAuthLastEapolFrameVersion | 1.0.8802.1.1.1.1.2.2.1.11 | R/O | Unsigned32 | Protocol version numbers for most recently received EAPOL frames | ||
dot1xAuthLastEapolFrameSource | 1.0.8802.1.1.1.1.2.2.1.12 | R/O | MacAddress | Source MAC address of EAPOL frames most recently received |
4.2 lldpXMedMIB group
This MIB is related to LLDP-MED information.
The syntax defined in the lldpXMedMIB group is shown below.
Syntax defined in the lldpXMedMIB group
Syntax | Definition |
---|---|
LldpXMedDeviceClass | INTEGER ・notDefined(0) ・endpointClass1(1) ・endpointClass2(2) ・endpointClass3(3) ・networkConnectivity(4) |
The lldpXMedMIB group is divided into subgroups such as those shown below.
```
lldpXMedMIB(4795)
 |
 +--lldpXMedObjects(1)
     |
     +--lldpXMedConfig(1)
     |
     +--lldpXMedLocalData(2)
```
lldpXMedConfig group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
lldpXMedLocDeviceClass | 1.0.8802.1.1.2.1.5.4795.1.1.1 | R/O | LldpXMedDeviceClass | Device class of the device itself | ||
lldpXMedFastStartRepeatCount | 1.0.8802.1.1.2.1.5.4795.1.1.3 | R/W | Unsigned32 (1..10) | Write processing of no. of LLDP-MED fast forwarding times is not supported |
lldpXMedLocalData group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
lldpXMedLocXPoEDeviceType | 1.0.8802.1.1.2.1.5.4795.1.2.10 | R/O | INTEGER ・unknown(1) ・pseDevice(2) ・pdDevice(3) ・none(4) | State as to whether PSE or PD |
4.3 lagMIB group
This MIB is related to LACP link aggregation information.
The syntax defined in the lagMIB group is shown below.
Syntax defined in the lagMIB group
Syntax | Definition |
---|---|
LacpKey | INTEGER (1..127) Note: Although this is INTEGER (0..65535) as per the standards, on this product it is in the range of INTEGER (1..127) |
LacpState | BITS ・lacpActivity(0) ・lacpTimeout(1) ・aggregation(2) ・synchronization(3) ・collecting(4) ・distributing(5) ・defaulted(6) ・expired(7) |
ChurnState | INTEGER ・noChurn(1) ・churn(2) ・churnMonitor(3) |
The lagMIB group is divided into subgroups such as those shown below.
lagMIB(43)
  |
  +--lagMIBObjects(1)
       |
       +--dot3adAgg(1)
       |
       +--dot3adAggPort(2)
       |
       +--dot3adTablesLastChanged(3)
dot3adAgg group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
dot3adAggTable | 1.2.840.10006.300.43.1.1.1 | N/A | | LACP information table for system | ||
dot3adAggEntry | 1.2.840.10006.300.43.1.1.1.1 | N/A | INDEX ・dot3adAggIndex | |||
dot3adAggIndex | 1.2.840.10006.300.43.1.1.1.1.1 | N/A | InterfaceIndex | LACP logical interface number | ||
dot3adAggMACAddress | 1.2.840.10006.300.43.1.1.1.1.2 | R/O | MacAddress | MAC address for LACP logical interface | ||
dot3adAggActorSystemPriority | 1.2.840.10006.300.43.1.1.1.1.3 | R/NW | INTEGER (1..65535) Note: Although this is INTEGER (0..65535) as per the standards, on this product it is in the range of INTEGER (1..65535). The same applies to other priority-related lagMIB objects | LACP system priority for this device | ||
dot3adAggActorSystemID | 1.2.840.10006.300.43.1.1.1.1.4 | R/NW | MacAddress | LACP system ID for the device itself | ||
dot3adAggAggregateOrIndividual | 1.2.840.10006.300.43.1.1.1.1.5 | R/O | TruthValue | Whether operating as Aggregate (true) or as individual links (alternate waiting ports) (false) | ||
dot3adAggActorAdminKey | 1.2.840.10006.300.43.1.1.1.1.6 | R/NW | LacpKey | ADMIN Key (identifier ID for the LACP logical interface) used in managing this device. “Used in managing” means the setting values for ADMIN properties or the config value. The same applies to other lagMIB objects | ||
dot3adAggActorOperKey | 1.2.840.10006.300.43.1.1.1.1.7 | R/O | LacpKey | ADMIN Key (identifier ID for the LACP logical interface) used in operation, for this device. “Used in operation” means the current operational values, which are exchanged by the LACP protocol. The same applies to other lagMIB objects | ||
dot3adAggPartnerSystemID | 1.2.840.10006.300.43.1.1.1.1.8 | R/O | MacAddress | LACP system ID of the opposing device | ||
dot3adAggPartnerSystemPriority | 1.2.840.10006.300.43.1.1.1.1.9 | R/O | INTEGER (1..65535) | LACP system priority for the opposing device | ||
dot3adAggPartnerOperKey | 1.2.840.10006.300.43.1.1.1.1.10 | R/O | LacpKey | ADMIN Key (identifier ID for the LACP logical interface) used in operation, for the opposing device | ||
dot3adAggCollectorMaxDelay | 1.2.840.10006.300.43.1.1.1.1.11 | R/NW | INTEGER (0..65535) | Delay time from when the LACP packet is received to the time it is reflected in operation | ||
dot3adAggPortListTable | 1.2.840.10006.300.43.1.1.2 | N/A | | LACP port list table for the system | ||
dot3adAggPortListEntry | 1.2.840.10006.300.43.1.1.2.1 | N/A | INDEX ・dot3adAggIndex | |||
dot3adAggPortListPorts | 1.2.840.10006.300.43.1.1.2.1.1 | R/O | PortList | List of ports used by the LACP. Shown as an interface (port) bitmap. |
dot3adAggPort group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
dot3adAggPortTable | 1.2.840.10006.300.43.1.2.1 | N/A | | Table of information for ports used by the LACP | ||
dot3adAggPortEntry | 1.2.840.10006.300.43.1.2.1.1 | N/A | INDEX ・dot3adAggPortIndex | |||
dot3adAggPortIndex | 1.2.840.10006.300.43.1.2.1.1.1 | N/A | InterfaceIndex | Port interface number | ||
dot3adAggPortActorSystemPriority | 1.2.840.10006.300.43.1.2.1.1.2 | R/NW | INTEGER (1..65535) | LACP system priority for this device | ||
dot3adAggPortActorSystemID | 1.2.840.10006.300.43.1.2.1.1.3 | R/O | MacAddress | LACP system ID for the device itself | ||
dot3adAggPortActorAdminKey | 1.2.840.10006.300.43.1.2.1.1.4 | R/NW | LacpKey | ADMIN Key (identifier ID for the LACP logical interface) used in managing this device | ||
dot3adAggPortActorOperKey | 1.2.840.10006.300.43.1.2.1.1.5 | R/NW | LacpKey | ADMIN Key (identifier ID for the LACP logical interface) used in operation, for this device | ||
dot3adAggPortPartnerAdminSystemPriority | 1.2.840.10006.300.43.1.2.1.1.6 | R/NW | INTEGER (1..65535) | LACP system priority used in management, for the opposing device | ||
dot3adAggPortPartnerOperSystemPriority | 1.2.840.10006.300.43.1.2.1.1.7 | R/O | INTEGER (1..65535) | LACP system priority used in operation, for the opposing device | ||
dot3adAggPortPartnerAdminSystemID | 1.2.840.10006.300.43.1.2.1.1.8 | R/NW | MacAddress | LACP system ID used in management, for the opposing device | ||
dot3adAggPortPartnerOperSystemID | 1.2.840.10006.300.43.1.2.1.1.9 | R/O | MacAddress | LACP system ID used in operation, for the opposing device | ||
dot3adAggPortPartnerAdminKey | 1.2.840.10006.300.43.1.2.1.1.10 | R/NW | LacpKey | ADMIN Key (identifier ID for the LACP logical interface) used in management, for the opposing device | ||
dot3adAggPortPartnerOperKey | 1.2.840.10006.300.43.1.2.1.1.11 | R/O | LacpKey | ADMIN Key (identifier ID for the LACP logical interface) used in operation, for the opposing device | ||
dot3adAggPortSelectedAggID | 1.2.840.10006.300.43.1.2.1.1.12 | R/O | InterfaceIndex | Logical interface number selected by the port | ||
dot3adAggPortAttachedAggID | 1.2.840.10006.300.43.1.2.1.1.13 | R/O | InterfaceIndex | Logical interface number connected to the port | ||
dot3adAggPortActorPort | 1.2.840.10006.300.43.1.2.1.1.14 | R/O | INTEGER (0..65535) | Physical interface number of this device | ||
dot3adAggPortActorPortPriority | 1.2.840.10006.300.43.1.2.1.1.15 | R/NW | INTEGER (0..65535) | Port priority for physical interface of this device | ||
dot3adAggPortPartnerAdminPort | 1.2.840.10006.300.43.1.2.1.1.16 | R/NW | INTEGER (0..65535) | Physical interface number used in management, for the opposing device | ||
dot3adAggPortPartnerOperPort | 1.2.840.10006.300.43.1.2.1.1.17 | R/O | INTEGER (0..65535) | Physical interface number used in operation, for the opposing device | ||
dot3adAggPortPartnerAdminPortPriority | 1.2.840.10006.300.43.1.2.1.1.18 | R/NW | INTEGER (1..65535) | Port priority of physical interface used in management, for the opposing device | ||
dot3adAggPortPartnerOperPortPriority | 1.2.840.10006.300.43.1.2.1.1.19 | R/O | INTEGER (1..65535) | Port priority for physical interface used in operation, for the opposing device | ||
dot3adAggPortActorAdminState | 1.2.840.10006.300.43.1.2.1.1.20 | R/NW | LacpState | Actor_State used in management, for this device. ActorState is a status variable that shows internal transitions | ||
dot3adAggPortActorOperState | 1.2.840.10006.300.43.1.2.1.1.21 | R/O | LacpState | Actor_State used in operation, for this device | ||
dot3adAggPortPartnerAdminState | 1.2.840.10006.300.43.1.2.1.1.22 | R/NW | LacpState | Actor_State used in management, for the opposing device | ||
dot3adAggPortPartnerOperState | 1.2.840.10006.300.43.1.2.1.1.23 | R/O | LacpState | Actor_State used in operation, for the opposing device | ||
dot3adAggPortAggregateOrIndividual | 1.2.840.10006.300.43.1.2.1.1.24 | R/O | TruthValue | Whether Aggregate (true), or individual physical interfaces (alternate waiting ports) (false) | ||
dot3adAggPortStatsTable | 1.2.840.10006.300.43.1.2.2 | N/A | | Table of statistical information for ports used by the LACP | ||
dot3adAggPortStatsEntry | 1.2.840.10006.300.43.1.2.2.1 | N/A | INDEX ・dot3adAggPortIndex | |||
dot3adAggPortStatsLACPDUsRx | 1.2.840.10006.300.43.1.2.2.1.1 | R/O | Counter32 | No. of correct LACPDU received by the physical interface | ||
dot3adAggPortStatsMarkerPDUsRx | 1.2.840.10006.300.43.1.2.2.1.2 | R/O | Counter32 | No. of correct marker frames received by the physical interface | ||
dot3adAggPortStatsMarkerResponsePDUsRx | 1.2.840.10006.300.43.1.2.2.1.3 | R/O | Counter32 | No. of correct marker response frames received by the physical interface | ||
dot3adAggPortStatsUnknownRx | 1.2.840.10006.300.43.1.2.2.1.4 | R/O | Counter32 | No. of unknown frames received by the physical interface | ||
dot3adAggPortStatsIllegalRx | 1.2.840.10006.300.43.1.2.2.1.5 | R/O | Counter32 | No. of frames received by the physical interface on which the EtherType was 0x8809 but the PDU was invalid | ||
dot3adAggPortStatsLACPDUsTx | 1.2.840.10006.300.43.1.2.2.1.6 | R/O | Counter32 | No. of LACPDU transmitted from physical interface | ||
dot3adAggPortStatsMarkerPDUsTx | 1.2.840.10006.300.43.1.2.2.1.7 | R/O | Counter32 | No. of marker frames transmitted from physical interface | ||
dot3adAggPortStatsMarkerResponsePDUsTx | 1.2.840.10006.300.43.1.2.2.1.8 | R/O | Counter32 | No. of marker response frames transmitted from physical interface | ||
dot3adAggPortDebugTable | 1.2.840.10006.300.43.1.2.3 | N/A | | Debug information table for ports used by the LACP | ||
dot3adAggPortDebugEntry | 1.2.840.10006.300.43.1.2.3.1 | N/A | INDEX ・dot3adAggPortIndex | |||
dot3adAggPortDebugRxState | 1.2.840.10006.300.43.1.2.3.1.1 | R/O | INTEGER ・current(1) ・expired(2) ・defaulted(3) ・initialize(4) ・lacpDisabled(5) ・portDisabled(6) | Status of LACP protocol “Receive machine” transition variable | ||
dot3adAggPortDebugLastRxTime | 1.2.840.10006.300.43.1.2.3.1.2 | R/O | TimeTicks | Internal time when logical interface last received data | ||
dot3adAggPortDebugMuxState | 1.2.840.10006.300.43.1.2.3.1.3 | R/O | INTEGER ・detached(1) ・waiting(2) ・attached(3) ・collecting(4) ・distributing(5) ・collecting_distributing(6) | Status of LACP protocol “Mux machine” transition variable | ||
dot3adAggPortDebugMuxReason | 1.2.840.10006.300.43.1.2.3.1.4 | R/O | DisplayString | Reason why most recent LACP protocol “Mux machine” transition variable was changed | ||
dot3adAggPortDebugActorChurnState | 1.2.840.10006.300.43.1.2.3.1.5 | R/O | ChurnState | Status of “Churn Detection” transition variable for LACP protocol of this device | ||
dot3adAggPortDebugPartnerChurnState | 1.2.840.10006.300.43.1.2.3.1.6 | R/O | ChurnState | Status of LACP protocol “Churn Detection” transition variable for the opposing device | ||
dot3adAggPortDebugActorChurnCount | 1.2.840.10006.300.43.1.2.3.1.7 | R/O | Counter32 | No. of times that the LACP protocol “Churn Detection” status variable changed to ACTOR_CHURN status | ||
dot3adAggPortDebugPartnerChurnCount | 1.2.840.10006.300.43.1.2.3.1.8 | R/O | Counter32 | No. of times that LACP protocol “Churn Detection” status variable changed to PARTNER_CHURN status | ||
dot3adAggPortDebugActorSyncTransitionCount | 1.2.840.10006.300.43.1.2.3.1.9 | R/O | Counter32 | No. of times that LACP protocol “Mux machine” status variable of this device changed to IN_SYNC status | ||
dot3adAggPortDebugPartnerSyncTransitionCount | 1.2.840.10006.300.43.1.2.3.1.10 | R/O | Counter32 | No. of times that the LACP protocol “Mux machine” status variable of the opposing device changed to IN_SYNC status | ||
dot3adAggPortDebugActorChangeCount | 1.2.840.10006.300.43.1.2.3.1.11 | R/O | Counter32 | No. of times that the LAG ID of this device was changed | ||
dot3adAggPortDebugPartnerChangeCount | 1.2.840.10006.300.43.1.2.3.1.12 | R/O | Counter32 | No. of times that the LAG ID of the opposing device was changed |
dot3adTablesLastChanged group
MIB name | OID | Access | Syntax | Description |
---|---|---|---|---|
dot3adTablesLastChanged | 1.2.840.10006.300.43.1.3 | R/O | TimeTicks | Most recent time at which dot3adAggTable, dot3adAggPortListTable, and dot3adAggPortTable were changed Note: This is always “0” on this product |
4.4 system group
This MIB is related to system information.
system group
MIB name | OID | Access | Syntax | Description |
---|---|---|---|---|
sysDescr | 1.3.6.1.2.1.1.1 | R/O | DisplayString (SIZE (0..255)) | The description of the device. Device name and firmware revision |
sysObjectID | 1.3.6.1.2.1.1.2 | R/O | OBJECT IDENTIFIER | Device OID that is defined by Yamaha’s private MIB |
sysUpTimeInstance | 1.3.6.1.2.1.1.3 | R/O | TimeTicks | Elapsed time from boot |
sysContact | 1.3.6.1.2.1.1.4 | R/W | DisplayString (SIZE (0..255)) | Administrator contact information. Setting value for snmp-server contact command |
sysName | 1.3.6.1.2.1.1.5 | R/W | DisplayString (SIZE (0..255)) | Administrative name. Setting value for hostname command |
sysLocation | 1.3.6.1.2.1.1.6 | R/W | DisplayString (SIZE (0..255)) | Device location. Setting value for snmp-server location command |
sysServices | 1.3.6.1.2.1.1.7 | R/O | INTEGER (0..127) | Value that indicates services the device supports |
4.5 interface group
This MIB is related to interface information.
interface group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
ifNumber | 1.3.6.1.2.1.2.1 | R/O | Integer32 | No. of interfaces | ||
ifTable | 1.3.6.1.2.1.2.2 | N/A | | Interface information table | ||
ifEntry | 1.3.6.1.2.1.2.2.1 | N/A | INDEX ・ifIndex | |||
ifIndex | 1.3.6.1.2.1.2.2.1.1 | R/O | InterfaceIndex | Interface ID number | ||
ifDescr | 1.3.6.1.2.1.2.2.1.2 | R/O | DisplayString (SIZE (0..255)) | Description of the interface. Interface name. If the description command is set in the interface, that value will be used | ||
ifType | 1.3.6.1.2.1.2.2.1.3 | R/O | IANAifType ・ethernetCsmacd(6) ・l3ipvlan(136), others | Types of interfaces | ||
ifMtu | 1.3.6.1.2.1.2.2.1.4 | R/O | Integer32 | Maximum frame size that can be transmitted/received | ||
ifSpeed | 1.3.6.1.2.1.2.2.1.5 | R/O | Gauge32 | Interface speed | ||
ifPhysAddress | 1.3.6.1.2.1.2.2.1.6 | R/O | PhysAddress | MAC address | ||
ifAdminStatus | 1.3.6.1.2.1.2.2.1.7 | R/W | INTEGER ・up(1) ・down(2) | Desirable interface status | ||
ifOperStatus | 1.3.6.1.2.1.2.2.1.8 | R/O | INTEGER ・up(1) ・down(2) | Current status of interface | ||
ifLastChange | 1.3.6.1.2.1.2.2.1.9 | R/O | TimeTicks | Time when the interface changed to the current status (time elapsed from boot) | ||
ifInOctets | 1.3.6.1.2.1.2.2.1.10 | R/O | Counter32 | Total no. of octets received | ||
ifInUcastPkts | 1.3.6.1.2.1.2.2.1.11 | R/O | Counter32 | No. of unicast packets notified to higher protocol | ||
ifInNUcastPkts | 1.3.6.1.2.1.2.2.1.12 | R/O | Counter32 | Number of non-unicast packets notified to higher protocol | ||
ifInDiscards | 1.3.6.1.2.1.2.2.1.13 | R/O | Counter32 | No. of packets that were discarded, despite no errors detected | ||
ifInErrors | 1.3.6.1.2.1.2.2.1.14 | R/O | Counter32 | No. of packets not notified to higher protocol due to errors | ||
ifInUnknownProtos | 1.3.6.1.2.1.2.2.1.15 | R/O | Counter32 | No. of discarded packets, due to an unsupported protocol | ||
ifOutOctets | 1.3.6.1.2.1.2.2.1.16 | R/O | Counter32 | Total no. of octets transmitted | ||
ifOutUcastPkts | 1.3.6.1.2.1.2.2.1.17 | R/O | Counter32 | No. of unicast packets requested for transmission by a higher protocol | ||
ifOutNUcastPkts | 1.3.6.1.2.1.2.2.1.18 | R/O | Counter32 | No. of non-unicast packets requested for transmission by a higher protocol | ||
ifOutDiscards | 1.3.6.1.2.1.2.2.1.19 | R/O | Counter32 | No. of packets that were discarded for transmission, despite no errors detected | ||
ifOutErrors | 1.3.6.1.2.1.2.2.1.20 | R/O | Counter32 | No. of packets not transmitted due to errors | ||
ifSpecific | 1.3.6.1.2.1.2.2.1.22 | R/O | OBJECT IDENTIFIER | Reference to MIB that defines interface media characteristics. If no reference exists, this will be 0.0 |
4.6 at group
This MIB is related to mapping information for physical addresses and network addresses.
at group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
atTable | 1.3.6.1.2.1.3.1 | N/A | | Table of mapping information for physical addresses and network addresses | ||
atEntry | 1.3.6.1.2.1.3.1.1 | N/A | INDEX ・atIfIndex ・atNetAddress | |||
atIfIndex | 1.3.6.1.2.1.3.1.1.1 | R/NW | INTEGER | ifIndex for the corresponding interface | ||
atPhysAddress | 1.3.6.1.2.1.3.1.1.2 | R/NW | PhysAddress | Physical address | ||
atNetAddress | 1.3.6.1.2.1.3.1.1.3 | R/NW | NetworkAddress | IP address corresponding to the physical address |
4.7 rmon group
This MIB is related to RMON information.
The syntax defined in the rmon group is shown below.
Syntax defined in the rmon group
Syntax | Definition |
---|---|
OwnerString | OCTET STRING (SIZE (0..127)) |
EntryStatus | INTEGER ・valid(1) ・createRequest(2) ・underCreation(3) ・invalid(4) |
The rmon group is divided into subgroups such as those shown below.
rmon(16)
  |
  +--statistics(1)
  |
  +--history(2)
  |
  +--alarm(3)
  |
  +--event(9)
statistics group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
etherStatsTable | 1.3.6.1.2.1.16.1.1 | N/A | | Table of statistical information for Ethernet | ||
etherStatsEntry | 1.3.6.1.2.1.16.1.1.1 | N/A | INDEX ・etherStatsIndex | |||
etherStatsIndex | 1.3.6.1.2.1.16.1.1.1.1 | R/O | Integer32 (1..65535) | Index of entries | ||
etherStatsDataSource | 1.3.6.1.2.1.16.1.1.1.2 | R/C | OBJECT IDENTIFIER | Interface being monitored | ||
etherStatsDropEvents | 1.3.6.1.2.1.16.1.1.1.3 | R/O | Counter32 | Number of packets dropped | ||
etherStatsOctets | 1.3.6.1.2.1.16.1.1.1.4 | R/O | Counter32 | Number of octets received | ||
etherStatsPkts | 1.3.6.1.2.1.16.1.1.1.5 | R/O | Counter32 | Number of packets received | ||
etherStatsBroadcastPkts | 1.3.6.1.2.1.16.1.1.1.6 | R/O | Counter32 | Number of broadcast packets received | ||
etherStatsMulticastPkts | 1.3.6.1.2.1.16.1.1.1.7 | R/O | Counter32 | Number of multicast packets received | ||
etherStatsCRCAlignErrors | 1.3.6.1.2.1.16.1.1.1.8 | R/O | Counter32 | Number of FCS error packets received | ||
etherStatsUndersizePkts | 1.3.6.1.2.1.16.1.1.1.9 | R/O | Counter32 | Number of undersize packets received (packets smaller than 64 octets) | ||
etherStatsOversizePkts | 1.3.6.1.2.1.16.1.1.1.10 | R/O | Counter32 | Number of oversize packets received (packets larger than 1518 octets) | ||
etherStatsFragments | 1.3.6.1.2.1.16.1.1.1.11 | R/O | Counter32 | Number of fragment packets received (packets smaller than 64 octets with abnormal FCS) | ||
etherStatsJabbers | 1.3.6.1.2.1.16.1.1.1.12 | R/O | Counter32 | Number of jabber packets received (packets larger than 1518 octets with abnormal FCS) | ||
etherStatsCollisions | 1.3.6.1.2.1.16.1.1.1.13 | R/O | Counter32 | Number of collisions | ||
etherStatsOwner | 1.3.6.1.2.1.16.1.1.1.20 | R/C | OwnerString | Name of owner | ||
etherStatsStatus | 1.3.6.1.2.1.16.1.1.1.21 | R/C | EntryStatus | Status of statistical group |
history group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
historyControlTable | 1.3.6.1.2.1.16.2.1 | N/A | | Table of control information for the history group | ||
historyControlEntry | 1.3.6.1.2.1.16.2.1.1 | N/A | INDEX ・historyControlIndex | |||
historyControlIndex | 1.3.6.1.2.1.16.2.1.1.1 | R/O | Integer32 (1..65535) | Index of entries | ||
historyControlDataSource | 1.3.6.1.2.1.16.2.1.1.2 | R/C | OBJECT IDENTIFIER | Interface being monitored | ||
historyControlBucketsRequested | 1.3.6.1.2.1.16.2.1.1.3 | R/C | Integer32 (1..65535) | Number of history group history saves requested | ||
historyControlBucketsGranted | 1.3.6.1.2.1.16.2.1.1.4 | R/O | Integer32 (1..65535) | Number of history group histories saved | ||
historyControlInterval | 1.3.6.1.2.1.16.2.1.1.5 | R/C | Integer32 (1..3600) | Interval at which history group histories are saved | ||
historyControlOwner | 1.3.6.1.2.1.16.2.1.1.6 | R/C | OwnerString | Name of owner | ||
historyControlStatus | 1.3.6.1.2.1.16.2.1.1.7 | R/C | EntryStatus | History group status | ||
etherHistoryTable | 1.3.6.1.2.1.16.2.2 | N/A | | Table of history information | ||
etherHistoryEntry | 1.3.6.1.2.1.16.2.2.1 | N/A | INDEX ・etherHistoryIndex ・etherHistorySampleIndex | |||
etherHistoryIndex | 1.3.6.1.2.1.16.2.2.1.1 | R/O | Integer32 (1..65535) | Same value as the index value of historyControlIndex | ||
etherHistorySampleIndex | 1.3.6.1.2.1.16.2.2.1.2 | R/O | Integer32 (1..2147483647) | Index of history entries | ||
etherHistoryIntervalStart | 1.3.6.1.2.1.16.2.2.1.3 | R/O | TimeTicks | Interval at which history group histories are saved | ||
etherHistoryDropEvents | 1.3.6.1.2.1.16.2.2.1.4 | R/O | Counter32 | Number of packets dropped | ||
etherHistoryOctets | 1.3.6.1.2.1.16.2.2.1.5 | R/O | Counter32 | Number of octets received | ||
etherHistoryPkts | 1.3.6.1.2.1.16.2.2.1.6 | R/O | Counter32 | Number of packets received | ||
etherHistoryBroadcastPkts | 1.3.6.1.2.1.16.2.2.1.7 | R/O | Counter32 | Number of broadcast packets received | ||
etherHistoryMulticastPkts | 1.3.6.1.2.1.16.2.2.1.8 | R/O | Counter32 | Number of multicast packets received | ||
etherHistoryCRCAlignErrors | 1.3.6.1.2.1.16.2.2.1.9 | R/O | Counter32 | Number of FCS error packets received | ||
etherHistoryUndersizePkts | 1.3.6.1.2.1.16.2.2.1.10 | R/O | Counter32 | Number of undersize packets received (packets smaller than 64 octets) | ||
etherHistoryOversizePkts | 1.3.6.1.2.1.16.2.2.1.11 | R/O | Counter32 | Number of oversize packets received (packets larger than 1518 octets) | ||
etherHistoryFragments | 1.3.6.1.2.1.16.2.2.1.12 | R/O | Counter32 | Number of fragment packets received (packets smaller than 64 octets with abnormal FCS) | ||
etherHistoryJabbers | 1.3.6.1.2.1.16.2.2.1.13 | R/O | Counter32 | Number of jabber packets received (packets larger than 1518 octets with abnormal FCS) | ||
etherHistoryCollisions | 1.3.6.1.2.1.16.2.2.1.14 | R/O | Counter32 | Number of collisions | ||
etherHistoryUtilization | 1.3.6.1.2.1.16.2.2.1.15 | R/O | Integer32 (0..10000) | Estimated value of network usage ratio |
alarm group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
alarmTable | 1.3.6.1.2.1.16.3.1 | N/A | | Table of information for the alarm group | ||
alarmEntry | 1.3.6.1.2.1.16.3.1.1 | N/A | INDEX ・alarmIndex | |||
alarmIndex | 1.3.6.1.2.1.16.3.1.1.1 | R/O | Integer32 (1..65535) | Index of entries | ||
alarmInterval | 1.3.6.1.2.1.16.3.1.1.2 | R/C | Integer32 | Sampling interval | ||
alarmVariable | 1.3.6.1.2.1.16.3.1.1.3 | R/C | OBJECT IDENTIFIER | MIB object to be monitored | ||
alarmSampleType | 1.3.6.1.2.1.16.3.1.1.4 | R/C | INTEGER ・absoluteValue(1) ・deltaValue(2) | Sampling type | ||
alarmValue | 1.3.6.1.2.1.16.3.1.1.5 | R/O | Integer32 | Estimated value | ||
alarmStartupAlarm | 1.3.6.1.2.1.16.3.1.1.6 | R/C | INTEGER ・risingAlarm(1) ・fallingAlarm(2) ・risingOrFallingAlarm(3) | Threshold value used for first alarm determination | ||
alarmRisingThreshold | 1.3.6.1.2.1.16.3.1.1.7 | R/C | Integer32 | Upper threshold value | ||
alarmFallingThreshold | 1.3.6.1.2.1.16.3.1.1.8 | R/C | Integer32 | Lower threshold value | ||
alarmRisingEventIndex | 1.3.6.1.2.1.16.3.1.1.9 | R/C | Integer32 (0..65535) | Event index when crossing upper limit | ||
alarmFallingEventIndex | 1.3.6.1.2.1.16.3.1.1.10 | R/C | Integer32 (0..65535) | Event index when crossing lower limit | ||
alarmOwner | 1.3.6.1.2.1.16.3.1.1.11 | R/C | OwnerString | Name of owner | ||
alarmStatus | 1.3.6.1.2.1.16.3.1.1.12 | R/C | EntryStatus | Alarm group status |
event group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
eventTable | 1.3.6.1.2.1.16.9.1 | N/A | | Table of information for event group | ||
eventEntry | 1.3.6.1.2.1.16.9.1.1 | N/A | INDEX ・eventIndex | |||
eventIndex | 1.3.6.1.2.1.16.9.1.1.1 | R/O | Integer32 (1..65535) | Index of entries | ||
eventDescription | 1.3.6.1.2.1.16.9.1.1.2 | R/C | DisplayString (SIZE (0..127)) | Event description | ||
eventType | 1.3.6.1.2.1.16.9.1.1.3 | R/C | INTEGER ・none(1) ・log(2) ・snmptrap(3) ・logandtrap(4) | Event type | ||
eventCommunity | 1.3.6.1.2.1.16.9.1.1.4 | R/C | OCTET STRING (SIZE (0..127)) | Community name | ||
eventLastTimeSent | 1.3.6.1.2.1.16.9.1.1.5 | R/O | TimeTicks | Event execution time | ||
eventOwner | 1.3.6.1.2.1.16.9.1.1.6 | R/C | OwnerString | Name of owner | ||
eventStatus | 1.3.6.1.2.1.16.9.1.1.7 | R/C | EntryStatus | Event group status |
4.8 dot1dBridge group
This MIB is related to dot1dBridge information.
The syntax defined in the dot1dBridge group is shown below.
Syntax defined in the dot1dBridge group
Syntax | Definition |
---|---|
BridgeId | OCTET STRING (SIZE (8)) |
Timeout | Integer32 |
PortList | OCTET STRING |
VlanIndex | Unsigned32 |
VlanId | Integer32 (1..4094) |
The dot1dBridge group is divided into subgroups such as those shown below.
dot1dBridge(17)
  |
  +--dot1dBase(1)
  |
  +--dot1dStp(2)
  |
  +--dot1dTp(4)
  |
  +--dot1dStatic(5)
  |
  +--qBridgeMIB(7)
       |
       +--qBridgeMIBObjects(1)
            |
            +--dot1qBase(1)
            |
            +--dot1qTp(2)
            |
            +--dot1qVlan(4)
dot1dBase group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
dot1dBaseBridgeAddress | 1.3.6.1.2.1.17.1.1 | R/O | MacAddress | MAC address of bridge | ||
dot1dBaseNumPorts | 1.3.6.1.2.1.17.1.2 | R/O | Integer32 | No. of ports for bridge | ||
dot1dBaseType | 1.3.6.1.2.1.17.1.3 | R/O | INTEGER ・unknown(1) ・transparent-only(2) ・sourceroute-only(3) ・srt(4) | Type of bridging executable by the bridge | ||
dot1dBasePortTable | 1.3.6.1.2.1.17.1.4 | N/A | | Table of port information for bridge | ||
dot1dBasePortEntry | 1.3.6.1.2.1.17.1.4.1 | N/A | INDEX ・dot1dBasePort | |||
dot1dBasePort | 1.3.6.1.2.1.17.1.4.1.1 | R/O | Integer32 (1..65535) | Port number | ||
dot1dBasePortIfIndex | 1.3.6.1.2.1.17.1.4.1.2 | R/O | InterfaceIndex | Instance value for ifIndex, defined by the IF-MIB of the interface corresponding to the port | ||
dot1dBasePortCircuit | 1.3.6.1.2.1.17.1.4.1.3 | R/O | OBJECT IDENTIFIER | Identifier used when the value of dot1dBasePortIfIndex is the same port in the bridge | ||
dot1dBasePortDelayExceededDiscards | 1.3.6.1.2.1.17.1.4.1.4 | R/O | Counter32 | No. of frames discarded at the port due to a bridge forwarding delay Note: This is always “0” on this product | ||
dot1dBasePortMtuExceededDiscards | 1.3.6.1.2.1.17.1.4.1.5 | R/O | Counter32 | No. of frames discarded at the port due to excessive size Note: This is always “0” on this product |
dot1dStp group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
dot1dStpProtocolSpecification | 1.3.6.1.2.1.17.2.1 | R/O | INTEGER ・unknown(1) ・decLb100(2) ・ieee8021d(3) | Spanning tree protocol version | ||
dot1dStpPriority | 1.3.6.1.2.1.17.2.2 | R/NW | Integer32 (0..65535) | Bridge priority value | ||
dot1dStpTimeSinceTopologyChange | 1.3.6.1.2.1.17.2.3 | R/O | TimeTicks | Time elapsed since detecting a change in topology | ||
dot1dStpTopChanges | 1.3.6.1.2.1.17.2.4 | R/O | Counter32 | No. of times a change in topology has been detected | ||
dot1dStpDesignatedRoot | 1.3.6.1.2.1.17.2.5 | R/O | BridgeId | Root bridge identifier of spanning tree | ||
dot1dStpRootCost | 1.3.6.1.2.1.17.2.6 | R/O | Integer32 | Path cost to root bridge | ||
dot1dStpRootPort | 1.3.6.1.2.1.17.2.7 | R/O | Integer32 | Port number with the lowest cost from bridge to root bridge | ||
dot1dStpMaxAge | 1.3.6.1.2.1.17.2.8 | R/O | Timeout | Maximum time elapsed for spanning tree protocol information (in units of 1/100 sec.) | ||
dot1dStpHelloTime | 1.3.6.1.2.1.17.2.9 | R/O | Timeout | BPDU transmission interval (in units of 1/100 sec.) | ||
dot1dStpHoldTime | 1.3.6.1.2.1.17.2.10 | R/O | Integer32 | Minimum transmission interval for Configuration BPDU (in units of 1/100 sec.) | ||
dot1dStpForwardDelay | 1.3.6.1.2.1.17.2.11 | R/O | Timeout | Forward delay time (in units of 1/100 sec.) | ||
dot1dStpBridgeMaxAge | 1.3.6.1.2.1.17.2.12 | R/NW | Timeout (600..4000) | Setting value for maximum elapsed time | ||
dot1dStpBridgeHelloTime | 1.3.6.1.2.1.17.2.13 | R/NW | Timeout (100..1000) | Setting value for BPDU transmission interval | ||
dot1dStpBridgeForwardDelay | 1.3.6.1.2.1.17.2.14 | R/NW | Timeout (400..3000) | Setting value for forward delay time | ||
dot1dStpPortTable | 1.3.6.1.2.1.17.2.15 | N/A | | Table of port information for spanning tree protocol | ||
dot1dStpPortEntry | 1.3.6.1.2.1.17.2.15.1 | N/A | INDEX ・dot1dStpPort | |||
dot1dStpPort | 1.3.6.1.2.1.17.2.15.1.1 | R/O | Integer32 (1..65535) | Port number for spanning tree protocol | ||
dot1dStpPortPriority | 1.3.6.1.2.1.17.2.15.1.2 | R/NW | Integer32 (0..255) | Port priority value | ||
dot1dStpPortState | 1.3.6.1.2.1.17.2.15.1.3 | R/O | INTEGER ・disabled(1) ・blocking(2) ・listening(3) ・learning(4) ・forwarding(5) ・broken(6) | Port status | ||
dot1dStpPortEnable | 1.3.6.1.2.1.17.2.15.1.4 | R/NW | INTEGER ・enabled(1) ・disabled(2) | Port enabled/disabled status | ||
dot1dStpPortPathCost | 1.3.6.1.2.1.17.2.15.1.5 | R/NW | Integer32 (1..65535) | Set path cost | ||
dot1dStpPortDesignatedRoot | 1.3.6.1.2.1.17.2.15.1.6 | R/O | BridgeId | Root bridge identifier of configuration BPDU | ||
dot1dStpPortDesignatedCost | 1.3.6.1.2.1.17.2.15.1.7 | R/O | Integer32 | Path cost value for specified port | ||
dot1dStpPortDesignatedBridge | 1.3.6.1.2.1.17.2.15.1.8 | R/O | BridgeId | Specified port identifier | ||
dot1dStpPortDesignatedPort | 1.3.6.1.2.1.17.2.15.1.9 | R/O | OCTET STRING (SIZE (2)) | Port identifier for specified bridge | ||
dot1dStpPortForwardTransitions | 1.3.6.1.2.1.17.2.15.1.10 | R/O | Counter32 | No. of times that port switched from acquisition status to forwarding status | ||
dot1dStpPortPathCost32 | 1.3.6.1.2.1.17.2.15.1.11 | R/NW | Integer32 (1..200000000) | Path cost value for ports complying with IEEE 802.1t | ||
dot1dStpVersion | 1.3.6.1.2.1.17.2.16 | R/NW | INTEGER ・stpCompatible(0) ・rstp(2) | Spanning tree protocol version | ||
dot1dStpTxHoldCount | 1.3.6.1.2.1.17.2.17 | R/NW | Integer32 (1..10) | Forward hold count value | ||
dot1dStpExtPortTable | 1.3.6.1.2.1.17.2.19 | N/A | | Table of port information for RSTP | ||
dot1dStpExtPortEntry | 1.3.6.1.2.1.17.2.19.1 | N/A | AUGMENTS ・dot1dStpPortEntry | |||
dot1dStpPortProtocolMigration | 1.3.6.1.2.1.17.2.19.1.1 | R/NW | TruthValue | Writing “true(1)” to this object will cause the BPDU of the port to be forcibly transmitted Note: This is always “false(2)” when read | ||
dot1dStpPortAdminEdgePort | 1.3.6.1.2.1.17.2.19.1.2 | R/NW | TruthValue | Setting value for edge port | ||
dot1dStpPortOperEdgePort | 1.3.6.1.2.1.17.2.19.1.3 | R/O | TruthValue | Current value for edge port | ||
dot1dStpPortAdminPointToPoint | 1.3.6.1.2.1.17.2.19.1.4 | R/NW | INTEGER ・forceTrue(0) ・forceFalse(1) ・auto(2) | Setting value for point-to-point of the port | ||
dot1dStpPortOperPointToPoint | 1.3.6.1.2.1.17.2.19.1.5 | R/O | TruthValue | Current value for point-to-point of the port | ||
dot1dStpPortAdminPathCost | 1.3.6.1.2.1.17.2.19.1.6 | R/NW | Integer32 (0..200000000) | Setting value for path cost of port |
dot1dTp group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
dot1dTpLearnedEntryDiscards | 1.3.6.1.2.1.17.4.1 | R/O | Counter32 | Amount of forwarding information that was discarded due to having exceeded the upper save limit of the forwarding database | ||
dot1dTpAgingTime | 1.3.6.1.2.1.17.4.2 | R/NW | Integer32 (10..1000000) | Timeout duration for aging out forwarding information that was actively acquired | ||
dot1dTpFdbTable | 1.3.6.1.2.1.17.4.3 | N/A | | Table of unicast entries that have forwarding or filtering information | ||
dot1dTpFdbEntry | 1.3.6.1.2.1.17.4.3.1 | N/A | INDEX ・dot1dTpFdbAddress | |||
dot1dTpFdbAddress | 1.3.6.1.2.1.17.4.3.1.1 | R/O | MacAddress | Unicast MAC addresses that have forwarding or filtering information | ||
dot1dTpFdbPort | 1.3.6.1.2.1.17.4.3.1.2 | R/O | Integer32 | Port number of port that transmitted a frame with a source address that is the same as the instance value, corresponding to the dot1dTpFdbAddress | ||
dot1dTpFdbStatus | 1.3.6.1.2.1.17.4.3.1.3 | R/O | INTEGER ・other(1) ・invalid(2) ・learned(3) ・self(4) ・mgmt(5) | MAC address table status | ||
dot1dTpPortTable | 1.3.6.1.2.1.17.4.4 | N/A | | Table for all port information that is associated with a transparent bridge | ||
dot1dTpPortEntry | 1.3.6.1.2.1.17.4.4.1 | N/A | INDEX ・dot1dTpPort | |||
dot1dTpPort | 1.3.6.1.2.1.17.4.4.1.1 | R/O | Integer32 (1..65535) | Port numbers that include transparent bridge management information | ||
dot1dTpPortMaxInfo | 1.3.6.1.2.1.17.4.4.1.2 | R/O | Integer32 | Maximum size of information fields transmitted/received by a port | ||
dot1dTpPortInFrames | 1.3.6.1.2.1.17.4.4.1.3 | R/O | Counter32 | No. of frames received by a port | ||
dot1dTpPortOutFrames | 1.3.6.1.2.1.17.4.4.1.4 | R/O | Counter32 | No. of frames transmitted by a port | ||
dot1dTpPortInDiscards | 1.3.6.1.2.1.17.4.4.1.5 | R/O | Counter32 | No. of frames that are valid for reception, which were discarded during forwarding |
dot1dStatic group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
dot1dStaticTable | 1.3.6.1.2.1.17.5.1 | N/A | Table of filtering information that was registered statically | |||
dot1dStaticEntry | 1.3.6.1.2.1.17.5.1.1 | N/A | INDEX ・dot1dStaticAddress ・dot1dStaticReceivePort | |||
dot1dStaticAddress | 1.3.6.1.2.1.17.5.1.1.1 | R/NC | MacAddress | Destination MAC address for which filtering information is applied | ||
dot1dStaticReceivePort | 1.3.6.1.2.1.17.5.1.1.2 | R/NC | Integer32 (0..65535) | Reception port no. on which filtering information is applied | ||
dot1dStaticAllowedToGoTo | 1.3.6.1.2.1.17.5.1.1.3 | R/NC | OCTET STRING (SIZE (0..512)) | Port no. on which filtering information was applied to a transmitted frame | ||
dot1dStaticStatus | 1.3.6.1.2.1.17.5.1.1.4 | R/NC | INTEGER ・other(1) ・invalid(2) ・permanent(3) ・deleteOnReset(4) ・deleteOnTimeout(5) | Application status for filtering information |
dot1qBase group
MIB name | OID | Access | Syntax | Description |
---|---|---|---|---|
dot1qVlanVersionNumber | 1.3.6.1.2.1.17.7.1.1.1 | R/O | INTEGER ・version1(1) | IEEE 802.1Q version information |
dot1qMaxVlanId | 1.3.6.1.2.1.17.7.1.1.2 | R/O | VlanId | Maximum no. of IEEE 802.1Q VLAN IDs |
dot1qMaxSupportedVlans | 1.3.6.1.2.1.17.7.1.1.3 | R/O | Unsigned32 | Maximum no. of IEEE 802.1Q VLANs |
dot1qNumVlans | 1.3.6.1.2.1.17.7.1.1.4 | R/O | Unsigned32 | No. of IEEE 802.1Q VLANs used |
dot1qTp group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
dot1qFdbTable | 1.3.6.1.2.1.17.7.1.2.1 | N/A | Filtering table | |||
dot1qFdbEntry | 1.3.6.1.2.1.17.7.1.2.1.1 | N/A | INDEX ・dot1qFdbId | |||
dot1qFdbId | 1.3.6.1.2.1.17.7.1.2.1.1.1 | N/A | Unsigned32 | Identifier for filtering database | ||
dot1qFdbDynamicCount | 1.3.6.1.2.1.17.7.1.2.1.1.2 | R/O | Counter32 | No. of active entries in filtering database | ||
dot1qTpFdbTable | 1.3.6.1.2.1.17.7.1.2.2 | N/A | Table of information for unicast entries that have transparent bridge forwarding or filtering information | |||
dot1qTpFdbEntry | 1.3.6.1.2.1.17.7.1.2.2.1 | N/A | INDEX ・dot1qFdbId ・dot1qTpFdbAddress | |||
dot1qTpFdbAddress | 1.3.6.1.2.1.17.7.1.2.2.1.1 | N/A | MacAddress | Unicast MAC addresses that have transparent bridge forwarding or filtering information | ||
dot1qTpFdbPort | 1.3.6.1.2.1.17.7.1.2.2.1.2 | R/O | Integer32 (0..65535) | Port number of port that transmitted a frame with a source address that is the same as the instance value, corresponding to the transparent bridge dot1qTpFdbAddress | ||
dot1qTpFdbStatus | 1.3.6.1.2.1.17.7.1.2.2.1.3 | R/O | INTEGER ・other(1) ・invalid(2) ・learned(3) ・self(4) ・mgmt(5) | Transparent bridge MAC address table status |
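Because dot1qTpFdbAddress is not accessible (N/A), the MAC address of each entry is only available from the instance index (dot1qFdbId followed by the six address octets) of dot1qTpFdbPort and dot1qTpFdbStatus. The following Python sketch is an added example, not part of the Yamaha manual: it decodes that index from constructed sample lines written in the style of numeric snmpwalk output and lists learned addresses that are missing from a per-port allowlist. All function names, the sample data and the allowlist are assumptions made for illustration.

```python
import re

# Column OIDs and status values taken from the dot1qTp group table above.
DOT1Q_TP_FDB_PORT = "1.3.6.1.2.1.17.7.1.2.2.1.2"
DOT1Q_TP_FDB_STATUS = "1.3.6.1.2.1.17.7.1.2.2.1.3"
FDB_STATUS = {1: "other", 2: "invalid", 3: "learned", 4: "self", 5: "mgmt"}

# Matches "<oid> = INTEGER: 5" as well as "<oid> = INTEGER: learned(3)".
LINE_RE = re.compile(
    r"^\.?([0-9.]+)\s*=\s*INTEGER:\s*(?:[A-Za-z]+\()?(\d+)\)?\s*$"
)

# Constructed sample input (not captured from a real device).
SAMPLE_WALK = """\
.1.3.6.1.2.1.17.7.1.2.2.1.2.1.0.160.222.1.2.3 = INTEGER: 5
.1.3.6.1.2.1.17.7.1.2.2.1.2.1.2.0.0.170.187.204 = INTEGER: 5
.1.3.6.1.2.1.17.7.1.2.2.1.2.10.2.0.0.17.34.51 = INTEGER: 7
.1.3.6.1.2.1.17.7.1.2.2.1.3.1.0.160.222.1.2.3 = INTEGER: learned(3)
.1.3.6.1.2.1.17.7.1.2.2.1.3.1.2.0.0.170.187.204 = INTEGER: 3
.1.3.6.1.2.1.17.7.1.2.2.1.3.10.2.0.0.17.34.51 = INTEGER: 5
"""


def split_index(oid, column):
    """Return (fdb_id, mac) if `oid` is an instance of `column`, else None.

    The index is dot1qFdbId (one sub-identifier) followed by the fixed-length
    MacAddress (six sub-identifiers, one per octet, no length prefix).
    """
    prefix = column + "."
    if not oid.startswith(prefix):
        return None
    subids = [int(s) for s in oid[len(prefix):].split(".")]
    if len(subids) != 7:
        raise ValueError(f"unexpected index length in {oid}")
    fdb_id, octets = subids[0], subids[1:]
    if any(o > 255 for o in octets):
        raise ValueError(f"MAC octet out of range in {oid}")
    return fdb_id, ":".join(f"{o:02x}" for o in octets)


def parse_fdb(walk_text):
    """Build {(fdb_id, mac): {"port": int, "status": int}} from walk lines."""
    entries = {}
    for raw in walk_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # ignore lines that are not INTEGER varbinds
        oid, value = match.group(1), int(match.group(2))
        for column, field in ((DOT1Q_TP_FDB_PORT, "port"),
                              (DOT1Q_TP_FDB_STATUS, "status")):
            index = split_index(oid, column)
            if index is not None:
                entries.setdefault(index, {})[field] = value
    return entries


def unexpected_learned(entries, allowed):
    """Return sorted (port, fdb_id, mac) for learned(3) entries whose MAC is
    not in `allowed[port]`. `allowed` maps a port number to a set of MACs."""
    findings = []
    for (fdb_id, mac), row in entries.items():
        port = row.get("port")
        if row.get("status") != 3 or port is None:
            continue  # only dynamically learned entries are of interest
        if mac not in allowed.get(port, set()):
            findings.append((port, fdb_id, mac))
    return sorted(findings)


if __name__ == "__main__":
    table = parse_fdb(SAMPLE_WALK)
    # Constructed allowlist: one known device on port 5.
    allowlist = {5: {"00:a0:de:01:02:03"}}
    for port, fdb_id, mac in unexpected_learned(table, allowlist):
        print(f"port {port}: unexpected MAC {mac} (FDB {fdb_id})")
```

The FDB identifier is not necessarily the VLAN ID; dot1qVlanFdbId in the dot1qVlan group gives the filtering database used by each VLAN.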
dot1qVlan group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
dot1qVlanNumDeletes | 1.3.6.1.2.1.17.7.1.4.1 | R/O | Counter32 | No. of VLAN entries that were deleted | ||
dot1qVlanCurrentTable | 1.3.6.1.2.1.17.7.1.4.2 | N/A | Table of VLAN entry information | |||
dot1qVlanCurrentEntry | 1.3.6.1.2.1.17.7.1.4.2.1 | N/A | INDEX ・dot1qVlanTimeMark ・dot1qVlanIndex | |||
dot1qVlanTimeMark | 1.3.6.1.2.1.17.7.1.4.2.1.1 | N/A | TimeFilter | Time filter for VLAN entries | ||
dot1qVlanIndex | 1.3.6.1.2.1.17.7.1.4.2.1.2 | N/A | VlanIndex | VLAN ID | ||
dot1qVlanFdbId | 1.3.6.1.2.1.17.7.1.4.2.1.3 | R/O | Unsigned32 | Filtering database used by VLAN | ||
dot1qVlanCurrentEgressPorts | 1.3.6.1.2.1.17.7.1.4.2.1.4 | R/O | PortList | Set of ports that output VLAN traffic as untagged or tagged frames | ||
dot1qVlanCurrentUntaggedPorts | 1.3.6.1.2.1.17.7.1.4.2.1.5 | R/O | PortList | Set of ports that transmit VLAN traffic as untagged frames | ||
dot1qVlanStatus | 1.3.6.1.2.1.17.7.1.4.2.1.6 | R/O | INTEGER ・other(1) ・permanent(2) ・dynamicGvrp(3) | VLAN status | ||
dot1qVlanCreationTime | 1.3.6.1.2.1.17.7.1.4.2.1.7 | R/O | TimeTicks | sysUpTime value when creating VLAN | ||
dot1qVlanStaticTable | 1.3.6.1.2.1.17.7.1.4.3 | N/A | Table of VLAN static setting information | |||
dot1qVlanStaticEntry | 1.3.6.1.2.1.17.7.1.4.3.1 | N/A | INDEX ・dot1qVlanIndex | |||
dot1qVlanStaticName | 1.3.6.1.2.1.17.7.1.4.3.1.1 | R/NC | SnmpAdminString (SIZE (0..32)) | Name assigned to VLAN | ||
dot1qVlanStaticEgressPorts | 1.3.6.1.2.1.17.7.1.4.3.1.2 | R/NC | PortList | Set of ports assigned to VLAN output list | ||
dot1qVlanForbiddenEgressPorts | 1.3.6.1.2.1.17.7.1.4.3.1.3 | R/NC | PortList | Set of ports prohibited from being included in the VLAN output list | ||
dot1qVlanStaticUntaggedPorts | 1.3.6.1.2.1.17.7.1.4.3.1.4 | R/NC | PortList | Set of ports that transmit VLAN output traffic as untagged frames | ||
dot1qVlanStaticRowStatus | 1.3.6.1.2.1.17.7.1.4.3.1.5 | R/NC | RowStatus | VLAN entry status | ||
dot1qNextFreeLocalVlanIndex | 1.3.6.1.2.1.17.7.1.4.4 | R/O | Integer32 (0|4096..2147483647) | Next VLAN ID that can be used | ||
dot1qPortVlanTable | 1.3.6.1.2.1.17.7.1.4.5 | N/A | Table of VLAN setting information for each port | |||
dot1qPortVlanEntry | 1.3.6.1.2.1.17.7.1.4.5.1 | N/A | AUGMENTS ・dot1dBasePortEntry | |||
dot1qPvid | 1.3.6.1.2.1.17.7.1.4.5.1.1 | R/NW | VlanIndex | VLAN IDs assigned to untagged or priority tag frames | ||
dot1qPortAcceptableFrameTypes | 1.3.6.1.2.1.17.7.1.4.5.1.2 | R/NW | INTEGER ・admitAll(1) ・admitOnlyVlanTagged(2) | Frame types permitted for reception on the port | ||
dot1qPortIngressFiltering | 1.3.6.1.2.1.17.7.1.4.5.1.3 | R/NW | TruthValue | Filtering of received frames on a port |
4.9 ifMIB group
This MIB is related to additional information for the interface.
The ifMIB group is divided into subgroups such as those shown below.
ifMIB(31)
  +--ifMIBObjects(1)
ifMIBObjects group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
ifXTable | 1.3.6.1.2.1.31.1.1 | N/A | Table of additional information for interface | |||
ifXEntry | 1.3.6.1.2.1.31.1.1.1 | N/A | AUGMENTS ・ifEntry | |||
ifHighSpeed | 1.3.6.1.2.1.31.1.1.1.15 | R/O | Gauge32 | Speed of the interface (Mbps) |
4.10 lldpV2MIB group
This MIB is related to LLDP information.
The lldpV2MIB group is divided into subgroups such as those shown below.
lldpV2MIB(13)
  +--lldpV2Objects(1)
       +--lldpV2Configuration(1)
       +--lldpV2Statistics(2)
       +--lldpV2LocalSystemData(3)
       +--lldpV2RemoteSystemsData(4)
       +--lldpV2Extensions(5)
            +--lldpV2Xdot3MIB(4623)
                 +--lldpV2Xdot3Objects(1)
                      +--lldpV2Xdot3LocalData(2)
                      +--lldpV2Xdot3RemoteData(3)
lldpV2Configuration group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
lldpV2PortConfigTable | 1.3.111.2.802.1.1.13.1.1.8 | N/A | Table for managing transmitted information for each port | |||
lldpV2PortConfigEntry | 1.3.111.2.802.1.1.13.1.1.8.1 | N/A | INDEX ・lldpV2PortConfigIfIndex ・lldpV2PortConfigDestAddressIndex | |||
lldpV2PortConfigIfIndex | 1.3.111.2.802.1.1.13.1.1.8.1.1 | N/A | InterfaceIndex | Index for each port | ||
lldpV2PortConfigDestAddressIndex | 1.3.111.2.802.1.1.13.1.1.8.1.2 | N/A | LldpV2DestAddressTableIndex | Source MAC address index | ||
lldpV2PortConfigAdminStatus | 1.3.111.2.802.1.1.13.1.1.8.1.3 | R/W | INTEGER ・txOnly(1) ・rxOnly(2) ・txAndRx(3) ・disabled(4) | LLDP transmission/reception status | ||
lldpV2PortConfigNotificationEnable | 1.3.111.2.802.1.1.13.1.1.8.1.4 | R/W | TruthValue | LLDP notification status | ||
lldpV2PortConfigTLVsTxEnable | 1.3.111.2.802.1.1.13.1.1.8.1.5 | R/W | BITS ・portDesc(0) ・sysName(1) ・sysDesc(2) ・sysCap(3) | Basic management TLV transmission item | ||
lldpV2DestAddressTable | 1.3.111.2.802.1.1.13.1.1.9 | N/A | Table of MAC addresses used by LLDP | |||
lldpV2DestAddressTableEntry | 1.3.111.2.802.1.1.13.1.1.9.1 | N/A | INDEX ・lldpV2AddressTableIndex | |||
lldpV2AddressTableIndex | 1.3.111.2.802.1.1.13.1.1.9.1.1 | N/A | LldpV2DestAddressTableIndex | Source MAC address index | ||
lldpV2DestMacAddress | 1.3.111.2.802.1.1.13.1.1.9.1.2 | R/O | MacAddress | MAC address used for LLDP transmission |
lldpV2Statistics group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
lldpV2StatsRemTablesLastChangeTime | 1.3.111.2.802.1.1.13.1.2.1 | R/O | TimeStamp | Time from system initialization until remote data update | ||
lldpV2StatsRemTablesInserts | 1.3.111.2.802.1.1.13.1.2.2 | R/O | ZeroBasedCounter32 | Total number of entries added to device management table | ||
lldpV2StatsRemTablesDeletes | 1.3.111.2.802.1.1.13.1.2.3 | R/O | ZeroBasedCounter32 | Total number of entries deleted from device management table | ||
lldpV2StatsRemTablesDrops | 1.3.111.2.802.1.1.13.1.2.4 | R/O | ZeroBasedCounter32 | Total number of entries that could not be set to device management table | ||
lldpV2StatsRemTablesAgeouts | 1.3.111.2.802.1.1.13.1.2.5 | R/O | ZeroBasedCounter32 | Total number of entries that exceeded TTL time (aged out) and were deleted from device management table | ||
lldpV2StatsTxPortTable | 1.3.111.2.802.1.1.13.1.2.6 | N/A | Table of statistical information for LLDP transmission | |||
lldpV2StatsTxPortEntry | 1.3.111.2.802.1.1.13.1.2.6.1 | N/A | INDEX ・lldpV2StatsTxIfIndex ・lldpV2StatsTxDestMACAddress | |||
lldpV2StatsTxIfIndex | 1.3.111.2.802.1.1.13.1.2.6.1.1 | N/A | InterfaceIndex | Port index | ||
lldpV2StatsTxDestMACAddress | 1.3.111.2.802.1.1.13.1.2.6.1.2 | N/A | LldpV2DestAddressTableIndex | Source MAC address index | ||
lldpV2StatsTxPortFramesTotal | 1.3.111.2.802.1.1.13.1.2.6.1.3 | R/O | Counter32 | Total number of LLDP frames transmitted | ||
lldpV2StatsTxLLDPDULengthErrors | 1.3.111.2.802.1.1.13.1.2.6.1.4 | R/O | Counter32 | Total no. of LLDP frame length errors | ||
lldpV2StatsRxPortTable | 1.3.111.2.802.1.1.13.1.2.7 | N/A | Table of statistical information for LLDP reception | |||
lldpV2StatsRxPortEntry | 1.3.111.2.802.1.1.13.1.2.7.1 | N/A | INDEX ・lldpV2StatsRxDestIfIndex ・lldpV2StatsRxDestMACAddress | |||
lldpV2StatsRxDestIfIndex | 1.3.111.2.802.1.1.13.1.2.7.1.1 | N/A | InterfaceIndex | Port index | ||
lldpV2StatsRxDestMACAddress | 1.3.111.2.802.1.1.13.1.2.7.1.2 | N/A | LldpV2DestAddressTableIndex | Source MAC address index | ||
lldpV2StatsRxPortFramesDiscardedTotal | 1.3.111.2.802.1.1.13.1.2.7.1.3 | R/O | Counter32 | Number of LLDP frames discarded | ||
lldpV2StatsRxPortFramesErrors | 1.3.111.2.802.1.1.13.1.2.7.1.4 | R/O | Counter32 | Number of error frames received | ||
lldpV2StatsRxPortFramesTotal | 1.3.111.2.802.1.1.13.1.2.7.1.5 | R/O | Counter32 | No. of LLDP frames received | ||
lldpV2StatsRxPortTLVsDiscardedTotal | 1.3.111.2.802.1.1.13.1.2.7.1.6 | R/O | Counter32 | Number of LLDP frames discarded | ||
lldpV2StatsRxPortTLVsUnrecognizedTotal | 1.3.111.2.802.1.1.13.1.2.7.1.7 | R/O | Counter32 | Number of unrecognized TLVs received | ||
lldpV2StatsRxPortAgeoutsTotal | 1.3.111.2.802.1.1.13.1.2.7.1.8 | R/O | ZeroBasedCounter32 | Number of entries that aged-out |
lldpV2LocalSystemData group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
lldpV2LocChassisIdSubtype | 1.3.111.2.802.1.1.13.1.3.1 | R/O | LldpV2ChassisIdSubtype | Subtype of chassis ID | ||
lldpV2LocChassisId | 1.3.111.2.802.1.1.13.1.3.2 | R/O | LldpV2ChassisId | Chassis ID | ||
lldpV2LocSysName | 1.3.111.2.802.1.1.13.1.3.3 | R/O | SnmpAdminString (SIZE (0..255)) | System name | ||
lldpV2LocSysDesc | 1.3.111.2.802.1.1.13.1.3.4 | R/O | SnmpAdminString (SIZE (0..255)) | System description | ||
lldpV2LocSysCapSupported | 1.3.111.2.802.1.1.13.1.3.5 | R/O | LldpV2SystemCapabilitiesMap | Functions supported by the system | ||
lldpV2LocSysCapEnabled | 1.3.111.2.802.1.1.13.1.3.6 | R/O | LldpV2SystemCapabilitiesMap | Functions enabled by the system | ||
lldpV2LocPortTable | 1.3.111.2.802.1.1.13.1.3.7 | N/A | Table of local port information | |||
lldpV2LocPortEntry | 1.3.111.2.802.1.1.13.1.3.7.1 | N/A | INDEX ・lldpV2LocPortIfIndex | |||
lldpV2LocPortIfIndex | 1.3.111.2.802.1.1.13.1.3.7.1.1 | N/A | InterfaceIndex | Port index | ||
lldpV2LocPortIdSubtype | 1.3.111.2.802.1.1.13.1.3.7.1.2 | R/O | LldpV2PortIdSubtype | Subtype of port ID | ||
lldpV2LocPortId | 1.3.111.2.802.1.1.13.1.3.7.1.3 | R/O | LldpV2PortId | Port ID | ||
lldpV2LocPortDesc | 1.3.111.2.802.1.1.13.1.3.7.1.4 | R/O | SnmpAdminString (SIZE (0..255)) | Port description |
lldpV2RemoteSystemsData group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
lldpV2RemTable | 1.3.111.2.802.1.1.13.1.4.1 | N/A | Table of information for connected remote devices | |||
lldpV2RemEntry | 1.3.111.2.802.1.1.13.1.4.1.1 | N/A | INDEX ・lldpV2RemTimeMark ・lldpV2RemLocalIfIndex ・lldpV2RemLocalDestMACAddress ・lldpV2RemIndex | |||
lldpV2RemTimeMark | 1.3.111.2.802.1.1.13.1.4.1.1.1 | N/A | TimeFilter | Time filter for lldpV2RemEntry | ||
lldpV2RemLocalIfIndex | 1.3.111.2.802.1.1.13.1.4.1.1.2 | N/A | InterfaceIndex | Port index | ||
lldpV2RemLocalDestMACAddress | 1.3.111.2.802.1.1.13.1.4.1.1.3 | N/A | LldpV2DestAddressTableIndex | Destination MAC address | ||
lldpV2RemIndex | 1.3.111.2.802.1.1.13.1.4.1.1.4 | N/A | Unsigned32(1..2147483647) | Remote system index | ||
lldpV2RemChassisIdSubtype | 1.3.111.2.802.1.1.13.1.4.1.1.5 | R/O | LldpV2ChassisIdSubtype | Subtype of chassis ID | ||
lldpV2RemChassisId | 1.3.111.2.802.1.1.13.1.4.1.1.6 | R/O | LldpV2ChassisId | Chassis ID | ||
lldpV2RemPortIdSubtype | 1.3.111.2.802.1.1.13.1.4.1.1.7 | R/O | LldpV2PortIdSubtype | Subtype of port ID | ||
lldpV2RemPortId | 1.3.111.2.802.1.1.13.1.4.1.1.8 | R/O | LldpV2PortId | Port ID | ||
lldpV2RemPortDesc | 1.3.111.2.802.1.1.13.1.4.1.1.9 | R/O | SnmpAdminString (SIZE (0..255)) | Port description | ||
lldpV2RemSysName | 1.3.111.2.802.1.1.13.1.4.1.1.10 | R/O | SnmpAdminString (SIZE (0..255)) | System name | ||
lldpV2RemSysDesc | 1.3.111.2.802.1.1.13.1.4.1.1.11 | R/O | SnmpAdminString (SIZE (0..255)) | System description | ||
lldpV2RemSysCapSupported | 1.3.111.2.802.1.1.13.1.4.1.1.12 | R/O | LldpV2SystemCapabilitiesMap | Functions supported by the system | ||
lldpV2RemSysCapEnabled | 1.3.111.2.802.1.1.13.1.4.1.1.13 | R/O | LldpV2SystemCapabilitiesMap | Functions enabled on the system | ||
lldpV2RemRemoteChanges | 1.3.111.2.802.1.1.13.1.4.1.1.14 | R/O | TruthValue | Flag indicating that a change in the MIB occurred on the remote device | ||
lldpV2RemTooManyNeighbors | 1.3.111.2.802.1.1.13.1.4.1.1.15 | R/O | TruthValue | Flag indicating that the number of connected remote devices exceeded the limit of the management table | ||
lldpV2RemManAddrTable | 1.3.111.2.802.1.1.13.1.4.2 | N/A | Table of remote system management addresses | |||
lldpV2RemManAddrEntry | 1.3.111.2.802.1.1.13.1.4.2.1 | N/A | INDEX ・lldpV2RemTimeMark ・lldpV2RemLocalIfIndex ・lldpV2RemLocalDestMACAddress ・lldpV2RemIndex ・lldpV2RemManAddrSubtype ・lldpV2RemManAddr | |||
lldpV2RemManAddrSubtype | 1.3.111.2.802.1.1.13.1.4.2.1.1 | N/A | AddressFamilyNumbers | Sub-type for management address | ||
lldpV2RemManAddr | 1.3.111.2.802.1.1.13.1.4.2.1.2 | N/A | LldpV2ManAddress | Remote system management addresses | ||
lldpV2RemManAddrIfSubtype | 1.3.111.2.802.1.1.13.1.4.2.1.3 | R/O | LldpV2ManAddrIfSubtype | Interface sub-type | ||
lldpV2RemManAddrIfId | 1.3.111.2.802.1.1.13.1.4.2.1.4 | R/O | Unsigned32 | Interface ID | ||
lldpV2RemManAddrOID | 1.3.111.2.802.1.1.13.1.4.2.1.5 | R/O | OBJECT IDENTIFIER | OID of management interface | ||
lldpV2RemUnknownTLVTable | 1.3.111.2.802.1.1.13.1.4.3 | N/A | Table of undefined TLV information | |||
lldpV2RemUnknownTLVEntry | 1.3.111.2.802.1.1.13.1.4.3.1 | N/A | INDEX ・lldpV2RemTimeMark ・lldpV2RemLocalIfIndex ・lldpV2RemLocalDestMACAddress ・lldpV2RemIndex ・lldpV2RemUnknownTLVType | |||
lldpV2RemUnknownTLVType | 1.3.111.2.802.1.1.13.1.4.3.1.1 | N/A | Unsigned32(9..126) | Undefined TLV types | ||
lldpV2RemUnknownTLVInfo | 1.3.111.2.802.1.1.13.1.4.3.1.2 | R/O | OCTET STRING (SIZE (0..511)) | Information for undefined TLVs | ||
lldpV2RemOrgDefInfoTable | 1.3.111.2.802.1.1.13.1.4.4 | N/A | Table for OUI information | |||
lldpV2RemOrgDefInfoEntry | 1.3.111.2.802.1.1.13.1.4.4.1 | N/A | INDEX ・lldpV2RemTimeMark ・lldpV2RemLocalIfIndex ・lldpV2RemLocalDestMACAddress ・lldpV2RemIndex ・lldpV2RemOrgDefInfoOUI ・lldpV2RemOrgDefInfoSubtype ・lldpV2RemOrgDefInfoIndex | |||
lldpV2RemOrgDefInfoOUI | 1.3.111.2.802.1.1.13.1.4.4.1.1 | N/A | OCTET STRING (SIZE (3)) | OUI information for remote system | ||
lldpV2RemOrgDefInfoSubtype | 1.3.111.2.802.1.1.13.1.4.4.1.2 | N/A | Unsigned32(1..255) | OUI information sub-type for remote system | ||
lldpV2RemOrgDefInfoIndex | 1.3.111.2.802.1.1.13.1.4.4.1.3 | N/A | Unsigned32(1..2147483647) | Index for OUI information and OUI information sub-types | ||
lldpV2RemOrgDefInfo | 1.3.111.2.802.1.1.13.1.4.4.1.4 | R/O | OCTET STRING (SIZE (0..507)) | Information defined for each organization |
lldpV2Xdot3LocalData group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
lldpV2Xdot3LocPowerTable | 1.3.111.2.802.1.1.13.1.5.4623.1.2.2 | N/A | Table of POE information for each port | |||
lldpV2Xdot3LocPowerEntry | 1.3.111.2.802.1.1.13.1.5.4623.1.2.2.1 | N/A | INDEX ・lldpV2LocPortIfIndex | |||
lldpV2Xdot3LocPowerPortClass | 1.3.111.2.802.1.1.13.1.5.4623.1.2.2.1.1 | R/O | LldpV2PowerPortClass | State as to whether PSE or PD | ||
lldpV2Xdot3LocPowerMDISupported | 1.3.111.2.802.1.1.13.1.5.4623.1.2.2.1.2 | R/O | TruthValue | Power supply capability support status | ||
lldpV2Xdot3LocPowerMDIEnabled | 1.3.111.2.802.1.1.13.1.5.4623.1.2.2.1.3 | R/O | TruthValue | Power supply capability enabled or disabled | ||
lldpV2Xdot3LocPowerPairControlable | 1.3.111.2.802.1.1.13.1.5.4623.1.2.2.1.4 | R/O | TruthValue | Capability to select wiring used to supply power | ||
lldpV2Xdot3LocPowerPairs | 1.3.111.2.802.1.1.13.1.5.4623.1.2.2.1.5 | R/O | Unsigned32(1|2) | Selection of wiring used to supply power | ||
lldpV2Xdot3LocPowerClass | 1.3.111.2.802.1.1.13.1.5.4623.1.2.2.1.6 | R/O | Unsigned32(1|2|3|4|5) | Power class |
lldpV2Xdot3RemoteData group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
lldpV2Xdot3RemPowerTable | 1.3.111.2.802.1.1.13.1.5.4623.1.3.2 | N/A | POE information for remote system | |||
lldpV2Xdot3RemPowerEntry | 1.3.111.2.802.1.1.13.1.5.4623.1.3.2.1 | N/A | INDEX ・lldpV2RemTimeMark ・lldpV2RemLocalIfIndex ・lldpV2RemLocalDestMACAddress ・lldpV2RemIndex | |||
lldpV2Xdot3RemPowerPortClass | 1.3.111.2.802.1.1.13.1.5.4623.1.3.2.1.1 | R/O | LldpV2PowerPortClass | State as to whether PSE or PD | ||
lldpV2Xdot3RemPowerMDISupported | 1.3.111.2.802.1.1.13.1.5.4623.1.3.2.1.2 | R/O | TruthValue | Support for power supply capability | ||
lldpV2Xdot3RemPowerMDIEnabled | 1.3.111.2.802.1.1.13.1.5.4623.1.3.2.1.3 | R/O | TruthValue | Power supply capability enabled or disabled | ||
lldpV2Xdot3RemPowerPairControlable | 1.3.111.2.802.1.1.13.1.5.4623.1.3.2.1.4 | R/O | TruthValue | Capability to select signal wiring used when supplying power | ||
lldpV2Xdot3RemPowerPairs | 1.3.111.2.802.1.1.13.1.5.4623.1.3.2.1.5 | R/O | Unsigned32(1|2) | Signal wiring used when supplying power | ||
lldpV2Xdot3RemPowerClass | 1.3.111.2.802.1.1.13.1.5.4623.1.3.2.1.6 | R/O | Unsigned32(1|2|3|4|5) | Port power class |
5 Private MIB
The private MIBs that are supported by this product are shown below.
5.1 yamahaSWHardware group
This MIB is related to hardware information for Yamaha switches.
yamahaSWHardware group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
yshMemorySize | 1.3.6.1.4.1.1182.3.1.2 | R/O | INTEGER | Memory size | ||
yshFlashROMSize | 1.3.6.1.4.1.1182.3.1.3 | R/O | INTEGER | FlashROM size | ||
yshMemoryUtil | 1.3.6.1.4.1.1182.3.1.4 | R/O | Gauge (0..100) | Memory usage ratio | ||
yshCpuUtil5sec | 1.3.6.1.4.1.1182.3.1.5 | R/O | Gauge (0..100) | CPU usage ratio (5-second average) | ||
yshCpuUtil1min | 1.3.6.1.4.1.1182.3.1.6 | R/O | Gauge (0..100) | CPU usage ratio (1-minute average) | ||
yshCpuUtil5min | 1.3.6.1.4.1.1182.3.1.7 | R/O | Gauge (0..100) | CPU usage ratio (5-minute average) | ||
yshEnableTemperatureTrap | 1.3.6.1.4.1.1182.3.1.20 | R/W | INTEGER ・enabled(1) ・disabled(2) | Setting value for determining whether SNMP traps due to temperature information are notified | ||
yshTemperatureTable | 1.3.6.1.4.1.1182.3.1.21 | N/A | Table of temperature information | |||
yshTemperatureEntry | 1.3.6.1.4.1.1182.3.1.21.1 | N/A | INDEX ・yshTemperatureStackId ・yshTemperatureDeviceType ・yshTemperatureDeviceIndex | |||
yshTemperatureStackId | 1.3.6.1.4.1.1182.3.1.21.1.1 | N/A | INTEGER (1..2147483647) | Stack ID. This can be obtained using stack ID 1 when the stack has not been configured. | ||
yshTemperatureDeviceType | 1.3.6.1.4.1.1182.3.1.21.1.2 | N/A | INTEGER ・cpu(1) ・phy(2) ・sfp(3) ・thermal-sensor(4) ・pse(5) | Device type | ||
yshTemperatureDeviceIndex | 1.3.6.1.4.1.1182.3.1.21.1.3 | N/A | INTEGER (1..2147483647) | Index for each device. For example, the index will be “1” and “2” for devices with two CPUs | ||
yshTemperatureValue | 1.3.6.1.4.1.1182.3.1.21.1.4 | R/O | Gauge | Device temperature. When the device’s temperature has not been measured, this is “0” | ||
yshTemperatureStatusTable | 1.3.6.1.4.1.1182.3.1.22 | N/A | Table of temperature statuses | |||
yshTemperatureStatusEntry | 1.3.6.1.4.1.1182.3.1.22.1 | N/A | INDEX ・yshTemperatureStatusStackId ・yshTemperatureStatusDeviceType | |||
yshTemperatureStatusStackId | 1.3.6.1.4.1.1182.3.1.22.1.1 | N/A | INTEGER (1..2147483647) | Stack ID. This can be obtained using stack ID 1 when the stack has not been configured. | ||
yshTemperatureStatusDeviceType | 1.3.6.1.4.1.1182.3.1.22.1.2 | N/A | INTEGER ・cpu(1) ・phy(2) ・sfp(3) ・thermal-sensor(4) ・pse(5) | Device type | ||
yshTemperatureStatus | 1.3.6.1.4.1.1182.3.1.22.1.3 | R/O | INTEGER ・normal(1) ・warning(2) ・error(3) | Temperature status: “Normal” when the temperature is normal; “Warning” when the high threshold is exceeded; “Error” when the alarm temperature is exceeded | ||
yshTemperatureStatusNormalThreshold | 1.3.6.1.4.1.1182.3.1.22.1.4 | N/A | Gauge | Threshold for determining Normal status. Note: Used only with trap notifications | ||
yshTemperatureStatusWarningThreshold | 1.3.6.1.4.1.1182.3.1.22.1.5 | N/A | Gauge | Threshold for determining Warning status. Note: Used only with trap notifications | ||
yshTemperatureStatusErrorThreshold | 1.3.6.1.4.1.1182.3.1.22.1.6 | N/A | Gauge | Threshold for determining Error status. Note: Used only with trap notifications | ||
yshEnableFanTrap | 1.3.6.1.4.1.1182.3.1.23 | R/W | INTEGER ・enabled(1) ・disabled(2) | Setting value for determining whether SNMP traps due to fan information are notified | ||
yshFanTable | 1.3.6.1.4.1.1182.3.1.24 | N/A | Table of fan information | |||
yshFanEntry | 1.3.6.1.4.1.1182.3.1.24.1 | N/A | INDEX ・yshFanStackId ・yshFanIndex | |||
yshFanStackId | 1.3.6.1.4.1.1182.3.1.24.1.1 | N/A | INTEGER (1..2147483647) | Stack ID. This can be obtained using stack ID 1 when the stack has not been configured. | ||
yshFanIndex | 1.3.6.1.4.1.1182.3.1.24.1.2 | N/A | INTEGER (1..2147483647) | Index for each fan. For example, the index will be “1” and “2” for devices with two fans | ||
yshFanRpm | 1.3.6.1.4.1.1182.3.1.24.1.3 | R/O | Gauge | Fan RPM | ||
yshFanStatus | 1.3.6.1.4.1.1182.3.1.24.1.4 | R/O | INTEGER ・normal(1) ・stopped(2) | Fan status | ||
yshFanSpeedStatusTable | 1.3.6.1.4.1.1182.3.1.25 | N/A | Table of fan RPM statuses | |||
yshFanSpeedStatusEntry | 1.3.6.1.4.1.1182.3.1.25.1 | N/A | INDEX ・yshFanSpeedStatusStackId | |||
yshFanSpeedStatusStackId | 1.3.6.1.4.1.1182.3.1.25.1.1 | N/A | INTEGER (1..2147483647) | Stack ID. This can be obtained using stack ID 1 when the stack has not been configured. | ||
yshFanSpeedStatus | 1.3.6.1.4.1.1182.3.1.25.1.2 | R/O | INTEGER ・low(1) ・middle(2) ・high(3) | Fan RPM status |
5.2 yamahaSWFirmware group
This MIB is related to firmware information for Yamaha switches.
yamahaSWFirmware group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
ysfConfigFile | 1.3.6.1.4.1.1182.3.2.2 | R/O | DisplayString (SIZE (0..255)) | Startup config | ||
ysfRevision | 1.3.6.1.4.1.1182.3.2.3 | R/O | DisplayString (SIZE (0..255)) | Firmware version | ||
ysfUpTime | 1.3.6.1.4.1.1182.3.2.4 | R/O | TimeTicks | Elapsed time from boot | ||
ysfRestart | 1.3.6.1.4.1.1182.3.2.11 | R/W | INTEGER ・nothing(1) ・restart(2) | The system will reboot when the “restart” value is written |
5.3 yamahaSWL2ms group
This MIB is related to L2MS information for Yamaha switches.
yamahaSWL2ms group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
ysl2msNumber | 1.3.6.1.4.1.1182.3.5.1 | N/A | INTEGER | Number of switches that can be recognized. Note: Used only with trap notifications | ||
ysl2msEnableTrap | 1.3.6.1.4.1.1182.3.5.2 | R/W | INTEGER ・enabled(1) ・disabled(2) | Setting value for determining whether SNMP traps due to L2MS information are notified | ||
ysl2msTable | 1.3.6.1.4.1.1182.3.5.3 | N/A | Table of information for devices connected via L2MS | |||
ysl2msEntry | 1.3.6.1.4.1.1182.3.5.3.1 | N/A | INDEX ・ysl2msIndex | |||
ysl2msIndex | 1.3.6.1.4.1.1182.3.5.3.1.1 | N/A | DisplayString (SIZE (0..6)) | MAC address of device. Note: Used only with trap notifications | ||
ysl2msProduct | 1.3.6.1.4.1.1182.3.5.3.1.2 | N/A | INTEGER ・generic(1) ・swx2200-8g(2) ・swx2200-24g(3) ・swx2200-8poe(4) | Model of device. Note: Used only with trap notifications | ||
ysl2msPhysAddress | 1.3.6.1.4.1.1182.3.5.3.1.5 | N/A | DisplayString (SIZE (0..6)) | MAC address of device. Note: Used only with trap notifications | ||
ysl2msRoute | 1.3.6.1.4.1.1182.3.5.3.1.11 | N/A | DisplayString (SIZE (0..64)) | Route information to device. Note: Used only with trap notifications |
5.4 yamahaSWErrDisable group
This MIB is related to error detection function information for Yamaha switches.
yamahaSWErrDisable group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
ysedConfigTable | 1.3.6.1.4.1.1182.3.6.1 | N/A | Table of setting information for the error detection function | |||
ysedConfigEntry | 1.3.6.1.4.1.1182.3.6.1.1 | N/A | INDEX ・ysedConfigIndex | |||
ysedConfigIndex | 1.3.6.1.4.1.1182.3.6.1.1.1 | N/A | INTEGER (1..2147483647) | Table index. Corresponds to the ysedConfigFunction value | ||
ysedConfigFunction | 1.3.6.1.4.1.1182.3.6.1.1.2 | R/O | INTEGER ・bpduguard(1) ・loopdetect(2) | Functions that are enabled for error detection | ||
ysedConfigAutoRecovery | 1.3.6.1.4.1.1182.3.6.1.1.3 | R/W | INTEGER ・enabled(1) ・disabled(2) | Setting for automatic recovery from Error Disable state | ||
ysedConfigRecoveryInterval | 1.3.6.1.4.1.1182.3.6.1.1.4 | R/W | INTEGER (10..1000000) | Frequency (seconds) at which to attempt automatic recovery from Error Disable state | ||
ysedEnableTrap | 1.3.6.1.4.1.1182.3.6.2 | R/W | INTEGER ・enabled(1) ・disabled(2) | Setting value for determining whether SNMP traps due to error detection functions are notified | ||
ysedIfTable | 1.3.6.1.4.1.1182.3.6.3 | N/A | Table of information for the error detection function | |||
ysedIfEntry | 1.3.6.1.4.1.1182.3.6.3.1 | N/A | INDEX ・ysedIfIndex | |||
ysedIfIndex | 1.3.6.1.4.1.1182.3.6.3.1.1 | N/A | INTEGER (1..2147483647) | Interface index | ||
ysedIfStatus | 1.3.6.1.4.1.1182.3.6.3.1.2 | R/O | INTEGER ・normal(1) ・bpduguard(2) ・loopdetect(3) ・portsecurity(4) | Error Disable state of port |
5.5 yamahaSWRmon group
This MIB is related to RMON information for Yamaha switches.
yamahaSWRmon group
MIB name | OID | Access | Syntax | Description |
---|---|---|---|---|
ysrmonSetting | 1.3.6.1.4.1.1182.3.7.1 | R/W | INTEGER ・enabled(1) ・disabled(2) | Enabled/disabled setting of RMON function |
ysrmonEnableTrap | 1.3.6.1.4.1.1182.3.7.2 | R/W | INTEGER ・enabled(1) ・disabled(2) | Setting value for determining whether SNMP traps due to RMON functions are notified |
5.6 yamahaSWTermMon group
This MIB is related to terminal monitoring information for Yamaha switches.
yamahaSWTermMon group
MIB name | OID | Access | Syntax | Description | ||
---|---|---|---|---|---|---|
ystmEnableTrap | 1.3.6.1.4.1.1182.3.8.1 | R/W | INTEGER ・enabled(1) ・disabled(2) | Setting value for determining whether SNMP traps due to terminal monitoring functions are notified | ||
ystmIfTermTable | 1.3.6.1.4.1.1182.3.8.3 | N/A | Table of terminal monitoring functions targeted at ports | |||
ystmIfTermEntry | 1.3.6.1.4.1.1182.3.8.3.1 | N/A | INDEX ・ystmIfTermIndex | |||
ystmIfTermIndex | 1.3.6.1.4.1.1182.3.8.3.1.1 | N/A | INTEGER (1..2147483647) | ifIndex. Note: Used only with trap notifications | ||
ystmIfTermDescr | 1.3.6.1.4.1.1182.3.8.3.1.2 | N/A | DisplayString (SIZE (0..255)) | Terminal monitoring description. Note: Used only with trap notifications | ||
ystmIfTermStatus | 1.3.6.1.4.1.1182.3.8.3.1.3 | N/A | INTEGER ・up(1) ・down(2) ・idle(3) | Terminal monitoring status. Note: Used only with trap notifications | ||
ystmIpTermTable | 1.3.6.1.4.1.1182.3.8.4 | N/A | Table of terminal monitoring functions targeted at IP addresses | |||
ystmIpTermEntry | 1.3.6.1.4.1.1182.3.8.4.1 | N/A | INDEX ・ystmIpTermIndex | |||
ystmIpTermIndex | 1.3.6.1.4.1.1182.3.8.4.1.1 | N/A | IpAddress | IP address of monitored target. Note: Used only with trap notifications | ||
ystmIpTermDescr | 1.3.6.1.4.1.1182.3.8.4.1.2 | N/A | DisplayString (SIZE (0..255)) | Terminal monitoring description. Note: Used only with trap notifications | ||
ystmIpTermStatus | 1.3.6.1.4.1.1182.3.8.4.1.3 | N/A | INTEGER ・up(1) ・down(2) ・idle(3) | Terminal monitoring status. Note: Used only with trap notifications |
5.7 yamahaSWBridge group
This MIB is related to dot1dBridge information for Yamaha switches.
yamahaSWBridge group
MIB name | OID | Access | Syntax | Description |
---|---|---|---|---|
ysbridgeEnableTrap | 1.3.6.1.4.1.1182.3.9.1 | R/W | INTEGER ・enabled(1) ・disabled(2) | Setting value for determining whether SNMP traps due to dot1dBridge information are notified |
6 Standard MIB traps
Standard MIB traps that are supported by this product are shown below.
6.1 Traps defined by RFC1157
These are traps defined by RFC1157.
List of traps defined by RFC1157
Trap name | OID | Additional information for trap (variable-bindings) | Description |
---|---|---|---|
coldStart | 1.3.6.1.6.3.1.1.5.1 | None | Notification on power OFF/ON and during firmware updates |
warmStart | 1.3.6.1.6.3.1.1.5.2 | None | Notification while the reload command is being executed |
linkDown | 1.3.6.1.6.3.1.1.5.3 | ifIndex ifAdminStatus ifOperStatus | Notification during linkdown |
linkUp | 1.3.6.1.6.3.1.1.5.4 | ifIndex ifAdminStatus ifOperStatus | Notification during linkup |
authenticationFailure | 1.3.6.1.6.3.1.1.5.5 | None | Notification when receiving an SNMP message that has an incorrect community name |
6.2 rmon group trap
This trap is related to RMON information.
rmon group trap list
Trap name | OID | Additional information for trap (variable-bindings) | Description |
---|---|---|---|
risingAlarm | 1.3.6.1.2.1.16.0.1 | alarmIndex alarmVariable alarmSampleType alarmValue alarmRisingThreshold | Notification that upper threshold value has been exceeded |
fallingAlarm | 1.3.6.1.2.1.16.0.2 | alarmIndex alarmVariable alarmSampleType alarmValue alarmFallingThreshold | Notification that lower threshold value has been exceeded |
6.3 dot1dBridge group trap
This trap is related to dot1dBridge information.
dot1dBridge group trap list
Trap name | OID | Additional information for trap (variable-bindings) | Description |
---|---|---|---|
newRoot | 1.3.6.1.2.1.17.0.1 | None | Notification that a new root for bridge has been detected |
topologyChange | 1.3.6.1.2.1.17.0.2 | None | Notification that a change in topology has been detected |
7 Private MIB traps
The private MIB traps that are supported by this product are shown below.
7.1 yamahaSWHardware group trap
This trap is related to hardware information for Yamaha switches.
yamahaSWHardware group trap list
Trap name | OID | Additional information for trap (variable-bindings) | Description |
---|---|---|---|
yshTemperatureStatusNormalTrap | 1.3.6.1.4.1.1182.3.1.0.5 | yshTemperatureStatusStackId yshTemperatureStatusDeviceType yshTemperatureStatus yshTemperatureStatusNormalThreshold yshTemperatureValue | Notification when temperature status returns to “Normal” |
yshTemperatureStatusWarningTrap | 1.3.6.1.4.1.1182.3.1.0.6 | yshTemperatureStatusStackId yshTemperatureStatusDeviceType yshTemperatureStatus yshTemperatureStatusWarningThreshold yshTemperatureValue | Notification when temperature status changes to “Warning” |
yshTemperatureStatusErrorTrap | 1.3.6.1.4.1.1182.3.1.0.7 | yshTemperatureStatusStackId yshTemperatureStatusDeviceType yshTemperatureStatus yshTemperatureStatusErrorThreshold yshTemperatureValue | Notification when temperature status changes to “Error” |
yshFanStoppedTrap | 1.3.6.1.4.1.1182.3.1.0.8 | yshFanStackId yshFanIndex | Notification when fan stops |
yshFanSpeedUpTrap | 1.3.6.1.4.1.1182.3.1.0.9 | yshFanSpeedStatusStackId yshFanSpeedStatus | Notification when fan RPM increases (when the RPM reaches the “High” level) |
yshFanSpeedDownTrap | 1.3.6.1.4.1.1182.3.1.0.10 | yshFanSpeedStatusStackId yshFanSpeedStatus | Notification when fan RPM decreases (when the RPM is no longer at the “High” level) |
7.2 yamahaSWL2ms group trap
These traps are related to L2MS information for Yamaha switches.
yamahaSWL2ms group trap list
Trap name | OID | Additional information for trap (variable-bindings) | Description |
---|---|---|---|
ysl2msFindSlave | 1.3.6.1.4.1.1182.3.5.0.1 | ysl2msNumber ysl2msProduct ysl2msPhysAddress ysl2msRoute | Notification when L2MS slave is detected |
ysl2msDetectDown | 1.3.6.1.4.1.1182.3.5.0.2 | ysl2msNumber ysl2msProduct ysl2msPhysAddress ysl2msRoute | Notification when L2MS slave is lost |
7.3 yamahaSWErrDisable group trap
This trap is related to error detection function information for Yamaha switches.
yamahaSWErrDisable group trap list
Trap name | OID | Additional information for trap (variable-bindings) | Description |
---|---|---|---|
ysedTrap | 1.3.6.1.4.1.1182.3.6.0.1 | ysedIfStatus | Notification when ErrorDisable is detected/cancelled |
7.4 yamahaSWTermMon group trap
These traps are related to terminal monitoring information for Yamaha switches.
yamahaSWTermMon group trap list
Trap name | OID | Additional information for trap (variable-bindings) | Description |
---|---|---|---|
ystmIfTermTrap | 1.3.6.1.4.1.1182.3.8.0.1 | ystmIfTermDescr ystmIfTermStatus | Notification when terminal monitoring is detected |
ystmIpTermTrap | 1.3.6.1.4.1.1182.3.8.0.2 | ystmIpTermDescr ystmIpTermStatus | Notification when IP address terminal monitoring is detected |
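The RFC1157 traps above are listed under their SNMPv2 notification OIDs, and the group traps follow the pattern "enterprise OID + 0 + specific-trap", which is the RFC 3584 mapping from SNMPv1 trap fields. The Python below is an added example, not code from Yamaha or this manual: it normalises SNMPv1-style trap fields to the OIDs in these tables and flags repeated authenticationFailure, newRoot and ysedTrap events for review. The threshold, the review policy, the ENTERPRISE placeholder and the sample events are assumptions.

```python
from collections import Counter

SNMP_TRAPS = "1.3.6.1.6.3.1.1.5"  # subtree of the RFC1157 trap table above
# Subset of trap OIDs copied from the tables in this reference.
TRAP_NAMES = {
    SNMP_TRAPS + ".1": "coldStart",
    SNMP_TRAPS + ".5": "authenticationFailure",
    "1.3.6.1.2.1.17.0.1": "newRoot",
    "1.3.6.1.2.1.17.0.2": "topologyChange",
    "1.3.6.1.4.1.1182.3.6.0.1": "ysedTrap",
}
ALWAYS_REVIEW = {"newRoot", "ysedTrap"}  # assumed local policy, not from the manual

def v1_to_trap_oid(enterprise, generic, specific):
    """Map SNMPv1 trap fields to an snmpTrapOID value (RFC 3584, section 3.1)."""
    if generic == 6:  # enterpriseSpecific: enterprise OID + 0 + specific-trap
        return f"{enterprise}.0.{specific}"
    if 0 <= generic <= 5:  # generic-trap 0..5 maps to snmpTraps.1..6
        return f"{SNMP_TRAPS}.{generic + 1}"
    raise ValueError(f"invalid generic-trap value: {generic}")

def triage(events, auth_fail_threshold=3):
    """Return sorted (source, trap name, count) tuples that need review."""
    counts = Counter()
    for source, enterprise, generic, specific in events:
        oid = v1_to_trap_oid(enterprise, generic, specific)
        counts[(source, TRAP_NAMES.get(oid, "unlisted:" + oid))] += 1
    findings = []
    for (source, name), n in counts.items():
        burst = name == "authenticationFailure" and n >= auth_fail_threshold
        if burst or name in ALWAYS_REVIEW or name.startswith("unlisted:"):
            findings.append((source, name, n))
    return sorted(findings)

# Constructed sample: (source address, enterprise, generic-trap, specific-trap).
# ENTERPRISE is a placeholder; the mapping ignores it for generic traps 0..5.
ENTERPRISE = "1.3.6.1.4.1.1182"
SAMPLE = [
    ("192.0.2.10", ENTERPRISE, 4, 0),
    ("192.0.2.10", ENTERPRISE, 4, 0),
    ("192.0.2.10", ENTERPRISE, 4, 0),
    ("192.0.2.11", ENTERPRISE, 4, 0),
    ("192.0.2.11", "1.3.6.1.2.1.17", 6, 1),
    ("192.0.2.12", "1.3.6.1.4.1.1182.3.6", 6, 1),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A single authenticationFailure from 192.0.2.11 stays below the threshold and is not reported, while any trap OID missing from TRAP_NAMES is surfaced as "unlisted" so that gaps in the table are visible.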
About the licenses
Open-source software used in this product
- For information about the license provisions, visit the Yamaha Pro Audio website.