Cisco Sg2008 Manual
Security 802.1X Cisco Small Business SG200 Series 8-port Smart Switch 161 10

- auto—Select this option if the port control is based on the result of the authentication process. If the supplicant is authenticated, the port control status becomes Authorized, meaning the supplicant is granted access to the port. If the supplicant is not authenticated, the port control status becomes Unauthorized, meaning the supplicant is denied access.
- Force Authorized—Select this option to always allow port access if authentication of remote supplicants is not required. If selected, the port control status will be Authorized.
• Periodic Reauthentication—Select this option if the port is to reauthenticate its supplicant periodically. The port will reauthenticate at the scheduled interval, even if it has remained authenticated.
• Reauthentication Period—The interval between reauthentication attempts. The range is 300–65535 seconds. The default is 3600 seconds.
• Reauthenticate Now—Forces immediate port reauthentication, when selected.
• Authenticator State—The current port authorization state. Possible states are: Initialize, Disconnected, Connecting, Authenticating, Authenticated, Aborting, Held, Force Authenticate, and Force Unauthenticate.
• Quiet Period—Amount of time that the switch remains in the quiet state following a failed authentication exchange. During the quiet period, the switch does not accept or initiate authentication requests. Change the default value of this command only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers. To provide a faster response time to the user, enter a smaller number than the default (60 seconds). The range is 0–65535 seconds.
• Resending EAP—The amount of time that lapses before EAP requests are resent. The range is 1–65535 seconds and the default is 30 seconds.
• Supplicant Timeout—The amount of time that lapses before EAP requests are resent to supplicants. Change the default value of this command (30 seconds) only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers. To provide a faster response time to the user, enter a smaller number than the default. The range is 1–65535 seconds.
• Server Timeout—The amount of time that lapses before the switch resends a request to the authentication server. The range is 1–65535 seconds and the default is 30 seconds.
• Max EAP Requests—The preconfigured maximum number of times the switch can send an EAP request before restarting the authentication process if it does not receive a response.
• Termination Cause—The reason for termination.

STEP 4 Click Apply and then click Close. Your changes are saved to the Running Configuration.

Configuring Supplicant Port Authentication

Use the Supplicant Port Authentication page to configure port access control on ports that are configured in the supplicant role. To enable a port as a supplicant, see Modifying Port PAE Capabilities.

To configure supplicant port authentication:

STEP 1 Click Security > 802.1X > Supplicant Port Authentication in the navigation window.
STEP 2 Select the port to configure and click Edit. The Current Port Control field shows the current authorization mode for the port.
STEP 3 Configure the following:
• Administrative Port Control—Select the port authorization mode. The possible values are:
- Force Unauthorized—Denies the selected interface system access by moving the interface into the unauthorized state.
- Auto—The switch detects the mode of the interface based on the outcome of authentication exchanges between the supplicant, the authenticator, and the authentication server.
- Force Authorized—The port is placed into an authorized state without requiring authentication with the authentication server. The interface sends and receives normal traffic without client port-based authentication.
• User Name—Select the user to be used by the port to identify itself as a supplicant. The user must be one of the switch management users configured in the switch. The password configured for the user will be used in the authentication process. As a supplicant, the switch supports the EAP-MD5 authentication method. (See Managing User Accounts to set up the users.)
STEP 4 Click Apply and then click Close. Your changes are saved to the Running Configuration.

Displaying Authenticated Hosts

To display ports that have authenticated users on the Authenticated Hosts page, click Security > 802.1X > Authenticated Hosts in the navigation window. The Authenticated Hosts Table displays the following information for each host:
• Port—Port used for authentication.
• User Name—User name of the host.
• Supplicant MAC Address—Supplicant device MAC address.
• Session Time—Time since the supplicant logged in.
• Session Timeout—Time that the given session is valid. The time period in seconds is returned by the RADIUS server on authentication of the port.
• Authentication Method:
- Local—A user ID and password combination from the supplicant was compared with a locally-stored user database on the switch. Or the switch could not reach a server and the local user database was used to accept or reject the request.
- None—No authentication method was used. Or the switch could not reach the server, no authentication method was used, and the request was accepted.
- RADIUS—Authentication requests are passed to a RADIUS server that replies with RADIUS Access-Accept or Access-Reject frames. If the switch cannot reach the server, the request is denied.
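The port control modes and timers described above, modelled as an added example (not Cisco's code or anything from the switch firmware). The value ranges and defaults are the ones this manual states; the timeline logic is a simplified model that assumes an attempt arriving inside the quiet period is ignored and that a missed periodic reauthentication deadline returns the port to Unauthorized.

```python
from dataclasses import dataclass

# Value ranges and defaults as stated on the Port Authentication page of this manual.
RANGES = {"reauth_period": (300, 65535), "quiet_period": (0, 65535),
          "resend_eap": (1, 65535), "supplicant_timeout": (1, 65535),
          "server_timeout": (1, 65535)}
PORT_CONTROLS = ("auto", "force-authorized", "force-unauthorized")


@dataclass
class PortAuth:
    port_control: str = "auto"
    periodic_reauth: bool = False
    reauth_period: int = 3600      # seconds
    quiet_period: int = 60         # seconds
    resend_eap: int = 30           # seconds
    supplicant_timeout: int = 30   # seconds
    server_timeout: int = 30       # seconds


def validate(cfg: PortAuth) -> list:
    """Return the settings that fall outside the ranges the manual documents."""
    problems = [f"{name}={getattr(cfg, name)} not in {lo}-{hi}"
                for name, (lo, hi) in RANGES.items()
                if not lo <= getattr(cfg, name) <= hi]
    if cfg.port_control not in PORT_CONTROLS:
        problems.append(f"unknown port control {cfg.port_control!r}")
    return problems


def simulate(cfg: PortAuth, attempts: list) -> list:
    """Replay (seconds, success) supplicant attempts and return (time, status) events.
    Forced modes ignore the supplicant. In auto mode a failure opens the quiet period
    (attempts inside it are ignored) and periodic reauthentication sets a deadline after
    which the port drops back to Unauthorized (simplified model, an assumption here)."""
    if cfg.port_control != "auto":
        status = "Authorized" if cfg.port_control == "force-authorized" else "Unauthorized"
        return [(t, status) for t, _ in attempts]
    status, quiet_until, reauth_due, events = "Unauthorized", 0, None, []
    for t, ok in sorted(attempts):
        if reauth_due is not None and t > reauth_due:    # reauthentication deadline missed
            events.append((reauth_due, "Unauthorized"))
            status, reauth_due = "Unauthorized", None
        if t < quiet_until:                               # still inside the quiet period
            events.append((t, status))
            continue
        if ok:
            status = "Authorized"
            reauth_due = t + cfg.reauth_period if cfg.periodic_reauth else None
        else:
            status, quiet_until, reauth_due = "Unauthorized", t + cfg.quiet_period, None
        events.append((t, status))
    return events
```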
Quality of Service

This chapter describes the QoS features of the device.
• QoS Properties
• Defining Queues
• Mapping CoS/802.1p Priorities to Queues
• Mapping IP Precedence to Queues
• Mapping DSCP Values to Queues
• Defining Rate Limit Profiles
• Applying Rate Limit Profiles to Interfaces
• Traffic Shaping

QoS is a means of providing consistent, predictable data delivery by distinguishing packets that have strict timing requirements from those that are more tolerant of delay. Packets with strict timing requirements are given special treatment in a QoS-capable network. Each physical port on a switch has one or more queues for transmitting packets to the attached network. Multiple queues per port are often configured to give preference to certain packets over others based on user-defined criteria. When a packet is queued for transmission in a port, the rate at which it is serviced depends on how the queue is configured and, possibly, the amount of traffic present in the other queues for the port. If a delay is necessary, packets get held in the queue until the scheduler authorizes the queue for transmission. If a queue is full, packets have no place to be held for transmission and might be dropped by the switch.

In networks where QoS operation is enabled, all elements of the network must be QoS-capable. The presence of one or more nodes that are not QoS-capable creates a deficiency in the network path and the performance of the entire packet flow is compromised.

The switch supports four egress queues for each port or LAG. Queue 1 has the lowest priority and queue 4 has the highest priority. The pages in the Quality of Service menu enable you to define the properties of the queues, and to associate to the queues the traffic that has particular characteristics or arrives on specific interfaces. You can also create rate limit profiles that define criteria for determining if a port is receiving more traffic than it can handle. You can then assign the rate limit profiles to ports.

QoS Properties

You can configure switch ports to assign traffic to egress queues based on the priority information encoded in Ethernet frames or IP packet headers. Or traffic might use a default priority value configured on the port where it arrives. When a port is configured to use the encoded priority value [such as the 802.1p, IP precedence, or DSCP (Differentiated Services Code Point) value], it is considered a trusted port. A port that is configured to use its own priority value, rather than the value encoded in the frame or packet, to make queue assignment decisions is considered untrusted. If a port is configured as trusted but the frame or packet does not have priority information, the default port priority is assigned to the packet. The default port priority is zero. You can use the Interface Settings page to change the value of the VLAN Priority. You can use the QoS Properties page to define a port as trusted or untrusted and to configure which priority values it trusts.

To configure the trust mode on a port or LAG:

STEP 1 Click Quality of Service > QoS Properties in the navigation window.
STEP 2 Select a filter from the Interface Type menu to display ports or LAGs in the Trust Mode Configuration Table.
STEP 3 Select the interface to configure and click Edit.
STEP 4 To specify the type of priority values to use to determine the egress queues of the packets, select one of the following trust modes:
• untrusted—The port assigns its own default 802.1p priority (0).
• trust dot1p—The port uses the 802.1p priority value in VLAN-tagged Ethernet frames. For untagged frames, the default priority is assigned.
• trust ip-precedence—The port uses the IP Precedence value in the IP packet header. If no value is provided, the default priority is assigned. Non-IP VLAN-tagged and untagged frames are assigned the default priority.
• trust ip-dscp—The port uses the DSCP marking in the IP packet header for both VLAN-tagged and untagged IP packets. Non-IP VLAN-tagged and untagged frames are assigned the default priority.
• trust all—For IP packets, the port uses the DSCP marking to determine the priority. For non-IP frames, the port uses the 802.1p priority if the frame is VLAN-tagged and the port default priority if the frame is not VLAN-tagged.
STEP 5 Click Apply and then click Close. Your changes are saved to the Running Configuration.

Defining Queues

You can use the Queue page to configure how the traffic scheduler determines which queue has access to the egress port. A queue can be configured in strict priority mode or Weighted Round-Robin (WRR) mode. By default, all queues are strict priority queues. Packets are transmitted according to the following principles:
• Packets from the highest priority queue are transmitted first.
• If a queue is in strict priority mode, it is allowed to transmit until it has no more packets or until a higher priority queue has packets to send.
• If a queue is in WRR mode, it is allowed to transmit a number of packets that is proportional to its configurable weight value. The weight is expressed as a percentage of the total bandwidth for each port.
A combination of strict queues and WRR queues can be configured at a port.
Queue Configuration Recommendations

It is recommended that higher numbered queues be configured with higher priority, weight, and minimum-bandwidth settings. The following are recommended scenarios for strict priority (SP) and WRR queues:
• All eight queues in SP mode (q8 > q7 > q6 > q5 > q4 > q3 > q2 > q1). q8 is allocated bandwidth as long as there are packets to serve in q8. Then q7 is served, followed by q6, and so forth.
• All eight queues in WRR mode (q8:q7:q6:q5:q4:q3:q2:q1 = A:B:C:D:E:F:G:H). In this mode, each queue is allocated its minimum bandwidth according to the weights configured.
• One queue in SP mode and all other queues in WRR mode (q8 > q7/q6/.../q1 and q7::q1 = A::G). In this scenario q8 is configured in SP mode and q7 through q1 in WRR mode.
• Four queues in SP mode and four queues in WRR mode (q8 > q7 > q6 > q5 > q4/q3/q2/q1 and q4:q3:q2:q1 = A:B:C:D). In this scenario q8, q7, q6, and q5 are configured in strict mode with q4, q3, q2 and q1 in WRR mode.

When there are more ingress ports with traffic destined to different queues on egress ports, a system might encounter a Head of Line Blocking (HOL) condition. HOL could result in higher numbered queues getting more bandwidth, although higher numbered queues are configured with lower bandwidth and weight. It is always recommended that higher numbered queues with higher weight be configured in SP mode, so that even in a HOL condition, the desired egress segregation is achieved.

Configuring Queues

To configure QoS properties:

STEP 1 Click Quality of Service > Queue in the navigation window.
STEP 2 Select from the Interface drop-down menus the Port or the LAG to configure.
STEP 3 Select one of the following modes for each queue on the selected interface:
• Strict Priority—Select to have the scheduler forward traffic strictly based on the priority levels in the queues. The queue with the highest priority traffic has access to the egress port until all such traffic is forwarded. Strict priority mode provides low-latency service to higher priority classes of traffic.
• WRR—Select to have the scheduler service the queue in turn with other WRR queues, based on the bandwidth percentage of the queue relative to other WRR queues. (Strict queues continue to be serviced for as long as they have higher priority traffic.)
STEP 4 If you selected WRR mode for a queue, enter a bandwidth percentage in the Percentage of WRR Bandwidth field. The total of all bandwidth percentages for all queues cannot exceed 100 percent.
STEP 5 Click Apply. Your changes are saved to the Running Configuration. To apply these queue properties to all other interfaces on the switch, click Copy Settings to All Interfaces.

Mapping CoS/802.1p Priorities to Queues

The priority of a packet arriving on an interface might be identified by an IEEE 802.1p priority value in the Ethernet frame header. 802.1p specifies eight priority levels (0–7). Use the CoS/802.1p to Queue page to map these priority levels to the four CoS queues to steer packets to the appropriate outbound queue. Queue 1 has the lowest priority and queue 4 has the highest priority.

To map 802.1p priority values to queues:

STEP 1 Click Quality of Service > CoS/802.1p to Queue in the navigation window.
STEP 2 Select from the Interface drop-down menus the Port or the LAG to configure.
STEP 3 For each 802.1p Class of Service, select a queue from the Output Queue list. Queue 1 has the lowest priority, and queue 4 has the highest priority.
STEP 4 Click Apply. Your changes are saved to the Running Configuration.
STEP 5 To apply these mappings to all other interfaces on the switch, click Copy Settings to All Interfaces.
NOTE If you click Restore Defaults, the following mappings are applied to the selected interface.

802.1p Priority    Output Queue
0                  1
1                  1
2                  2
3                  3
4                  3
5                  4
6                  4
7                  4
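The trust-mode decision from QoS Properties, the default 802.1p-to-queue table above, and the strict-priority/WRR scheduling rules from Defining Queues, put together as an added Python model (not Cisco's code or the switch's scheduler). It models only the untrusted and trust dot1p modes, and the WRR sharing uses a simple credit scheme that is an assumption here, not something the manual specifies.

```python
from collections import deque

# Default 802.1p-to-queue mapping from the Restore Defaults table on this page.
DEFAULT_DOT1P_TO_QUEUE = {0: 1, 1: 1, 2: 2, 3: 3, 4: 3, 5: 4, 6: 4, 7: 4}


def classify(frame: dict, trust_mode: str, port_priority: int = 0) -> int:
    """Egress queue (1 lowest, 4 highest) for a frame; 'pcp' is the 802.1p value of a
    VLAN tag when present. Untrusted ports, and untagged frames on trust dot1p ports,
    use the port's default priority (0 unless changed on the Interface Settings page)."""
    pcp = frame.get("pcp")
    if trust_mode == "trust dot1p" and pcp is not None:
        return DEFAULT_DOT1P_TO_QUEUE[pcp]
    return DEFAULT_DOT1P_TO_QUEUE[port_priority]


def schedule(queues: dict, modes: dict, weights: dict, slots: int) -> list:
    """Hand out transmit slots: the highest-numbered non-empty strict queue always wins;
    only when every strict queue is empty do the WRR queues share a slot in proportion
    to their percentage weights (credit-based WRR, an assumption of this model).
    Returns (queue, packet) pairs in transmit order."""
    if sum(weights.get(q, 0) for q in queues if modes[q] == "wrr") > 100:
        raise ValueError("WRR percentages cannot exceed 100")   # rule from STEP 4 above
    credit = {q: 0 for q in queues if modes[q] == "wrr"}
    sent = []
    while len(sent) < slots and any(queues.values()):
        strict = [q for q in sorted(queues, reverse=True) if modes[q] == "strict" and queues[q]]
        if strict:                       # strict traffic starves WRR queues while present
            sent.append((strict[0], queues[strict[0]].popleft()))
            continue
        ready = [q for q in sorted(credit, reverse=True) if queues[q]]
        for q in ready:                  # each non-empty WRR queue earns its weight
            credit[q] += weights[q]
        pick = max(ready, key=credit.get)
        credit[pick] -= sum(weights[q] for q in ready)
        sent.append((pick, queues[pick].popleft()))
    return sent


def demo() -> dict:
    """Constructed traffic: 10 frames each for voice (pcp 5), data (pcp 2) and untagged
    bulk on a trust dot1p port; q4/q3 strict, q2/q1 WRR at 60/40; 15 transmit slots."""
    queues = {q: deque() for q in (1, 2, 3, 4)}
    for i in range(10):
        for name, frame in (("voice", {"pcp": 5}), ("data", {"pcp": 2}), ("bulk", {})):
            queues[classify(frame, "trust dot1p")].append(f"{name}{i}")
    modes = {4: "strict", 3: "strict", 2: "wrr", 1: "wrr"}
    sent = schedule(queues, modes, {2: 60, 1: 40}, 15)
    return {q: sum(1 for s, _ in sent if s == q) for q in (4, 3, 2, 1)}
```

In the constructed run all ten voice frames leave first from strict queue 4; the remaining five slots split 3:2 between the WRR queues, matching the 60/40 percentages.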
Mapping IP Precedence to Queues

The priority of a packet arriving at an interface can be identified by the Type of Service (ToS) field in an IP packet header. Eight precedence levels are defined (0–7). You can use the IP Precedence to Queue page to map these values to the four CoS queues to steer packets to the appropriate outbound queue. Queue 1 has the lowest priority and queue 4 has the highest priority.

NOTE IP Precedence-to-queue mapping is configured per interface. Configure these mapping values on the incoming interface.

To map IP precedence values to queues:

STEP 1 Click Quality of Service > IP Precedence to Queue in the navigation window.
STEP 2 Select from the Interface drop-down menus the Port or the LAG to configure.
STEP 3 For each IP Precedence value, select a queue from the Output Queue list. Queue 1 has the lowest priority, and queue 4 has the highest priority.
STEP 4 Click Apply. Your changes are saved to the Running Configuration. To apply these mappings to all other interfaces on the switch, click Copy Settings to All Interfaces.

802.1p Priority    Output Queue
0                  3
1                  1
2                  2
3                  4
4                  5
5                  6
6                  7
7                  8