
USER MANUAL VSC6812-3.66 Microchip

1.1 Supported Switch Platforms
1.2 Terms and Abbreviations
1.3 Software Architecture

2 Supported Features

3 Features and Platform Capacity

4 System Requirements

5 Port and System Functionality

5.1 Port Functionality
5.2 System Functionality

6 Firmware Upgrade

7 Port Control

7.1 VeriPHY Support
7.2 PoE/PoE+ Support

8 Quality of Service (QoS)

8.1 Policing
8.2 Scheduling and Shaping
8.3 QCL Configuration
8.4 WRED
8.5 Ingress Port Classification

9 L2 Switching

9.1 VLAN
9.2 IEEE 802.3ad Link Aggregation
9.3 Bridge Protocol Data Unit (BPDU) Guard
9.4 DHCP Snooping
9.5 Storm Control
9.6 MAC Table Configuration
9.7 Mirroring (SPAN/VSPAN and RSPAN)
9.8 Spanning Tree

10 L3 Switching

10.1 IP Routing
10.2 ICMPv6

11 Security

11.1 802.1X and MAC-based Authentication
11.2 Port Security
11.3 Loop Protection
11.4 Authentication Authorization Accounting (AAA)
11.5 Secure Access
11.6 Users and Privilege Levels
11.7 Auth Method
11.8 Access Control List (ACLs)

12 Robustness and Power Savings

12.1 Robustness
12.2 Green Ethernet
12.3 VeriPHY

13 Management

13.1 Management Services
13.2 SNMP
13.3 SysLog
13.4 IP Management, DNS, and DHCPv4/v6
13.5 DHCP Server
13.6 DHCP Relay
13.7 Management Requirements
13.8 Management Access Filtering
13.9 Thermal Protection
13.10 Default Configuration
13.11 Configuration Upload/Download
13.12 Port Statistics
13.13 Network Time Protocol (NTP)
13.14 Loop Detection Restore to Default
13.15 Dual Image

14 SNMP MIBs

14.1 Standard MIBs

15 List of Changes

1 Product Overview

The WebStaX turnkey software package is a fully managed L2 switch application for the small-medium enterprise (SME). This software package can be customized to support different port configurations with or without stacking. It is built on an Embedded Configurable Operating System (eCos) to ensure cost optimization without compromising efficiency. WebStaX supports the following major capabilities.

  • RedBoot boot loader
  • Web or XMODEM update and dual boot support
  • Up to 16 units in a stack
  • Single point of management (SPOM)
  • Shortest path forwarding (SPF)
  • Slave units as backup masters
  • 8 ms worst case master reelect across the stack

Management is done using a Web Graphical User Interface (GUI), Command Line Interface (CLI) or Simple Network Management Protocol (SNMP) running on the internal MIPS24Kec CPU. WebStaX is highly integrated with switch features such as QoS Control Lists (QCLs), Access Control Lists (ACLs), HW MAC table synchronization across the stack, and super priority management queue.

This document provides an overview of the switch and software features of WebStaX software and lays the basis for further specifications. The supported configuration details including parameters and limitations are beyond the scope of this document. The module specific requirement specifications and configuration guides may be referred to for obtaining these details.

1.1 Supported Switch Platforms

This software is supported on a series of Microsemi switches ranging from 10, 24 to 48 ports with Power over Ethernet (PoE) / non-PoE capabilities.

Table 1 • Supported Switches

| Switch | CPU | Description |
|---|---|---|
| VSC7424 | MIPS 24Kec | SparX-III 10x1G Layer2 switch |
| VSC7425 | MIPS 24Kec | SparX-III 18x1G Layer2 switch |
| VSC7426 | MIPS 24Kec | SparX-III 24x1G Layer2 switch |
| VSC7427 | MIPS 24Kec | SparX-III 26x1G Layer2 switch |
| VSC7431 | MIPS 24Kec | E-StaX-III 24x1G + 2x12G stackable switch |
| VSC7432 | MIPS 24Kec | E-StaX-III 24x1G + 2x10/12G stackable switch |
| VSC7434 | MIPS 24Kec | E-StaX-III 24x1G + 4x10/12G stackable switch |
| VSC7442 | 500 MHz MIPS 24Kec | SparX-IV 52x1G Layer 2 / Layer 3 switch |
| VSC7444 | 500 MHz MIPS 24Kec | SparX-IV-44 26 Port Switch; 24 × 1G (Optical) + 2 × 10G Layer 2 / Layer 3 switch; 24 × 1G (Copper) + 2 × 10G Layer 2 / Layer 3 switch |
| VSC7448 | 500 MHz MIPS 24Kec | SparX-IV-80 52 Port Switch; 24 × 1G (Optical) + 4 × 10G Layer 2 / Layer 3 switch; 40 × 1G (Copper) + 4 × 10G Layer 2 / Layer 3 switch |

1.2 Terms and Abbreviations

The following table provides the definitions of abbreviations used in this document.

Table 2 • Terms and Abbreviations

| Term | Definition |
|---|---|
| AAA | Authentication Authorization Accounting |
| ACL | Access Control List |
| API | Application Programming Interface |
| BPDU | Bridge Protocol Data Unit |
| CIST | Common and Internal Spanning Tree |
| CLI | Command Line Interface |
| EAPoL | Extensible Authentication Protocol (EAP) over LAN |
| eCos | Embedded Configurable Operating System |
| EEE | Energy-Efficient Ethernet |
| GUI | Graphical User Interface |
| ICMP | Internet Control Message Protocol |
| IGMP | Internet Group Management Protocol |
| IPMC | IP Multicast |
| LACP | Link Aggregation Control Protocol |
| LLDP | Link Layer Discovery Protocol |
| MLD | Multicast Listener Discovery |
| MVR | Multicast VLAN Registration |
| NAS | Network Access Server |
| NPI | Network Peripheral Interface |
| OS | Operating System |
| OUI | Organizationally Unique Identifier |
| PoE | Power Over Ethernet |
| QCL | QoS Control List |
| RADIUS | Remote Authentication Dial In User Service |
| RSTP | Rapid Spanning Tree Protocol |
| SMB | Small and Medium Businesses |
| SME | Small and Medium Enterprises |
| SNMP | Simple Network Management Protocol |
| SSDP | Simple Service Discovery Protocol |
| SSM | Source-Specific Multicast |
| TLV | Type Length Value |
| UDLD | Unidirectional Link Detection |
| VLAN | Virtual LAN |

1.3 Software Architecture

The WebStaX software provides stackable switch support. It consists of the following components.

  • Operating system (eCos) for access to the hardware.
  • Application Programming Interface (API) for a function library to control switches and PHYs.
  • Control modules such as port control, MSTP, and VLAN to implement product features and protocols. These modules may include threads and provide a management API for configuration and monitoring.
  • Management modules such as CLI, Web, and SNMP for interfaces to the system based on the management API of the control modules.

The following illustration shows the architecture of the Microsemi managed application software and a few control and management modules.

[Figure: block diagram with Management modules (CLI, Web, SNMP, ...), Control modules (Port, MSTP, VLAN, ...), the Management API, the API, and the OS]

Figure 1 • Application Architecture

2 Supported Features

The following table shows the features supported by the WebStaX software.

Table 3 • Supported Features

Feature | SparX-III VSC7424-7 | E-StaX-III VSC7431/2/4 | SparX-IV VSC7442/4/8

Port Control
Port speed/duplex mode/flow control ···
Per priority pause ·
Port frame size (Jumbo frames) ···
Port state (administrative status) ···
Port status (link monitoring) ···
Port statistics (MIB counters) ···
Port VeriPHY (cable diagnostics) ···
PoE/PoE+ ···
PoE/PoE+ with LLDP ···
NPI port ·
On-the-fly SFP detection ···

Quality of Service (QoS)
Traffic classes (8 active priorities) ···
Port default priority ···
User priority ···
QoS control list (QCL mode) ···
Storm control for UC, MC, and BC ··
Storm control for UC, BC, and unknown ·
Random Early Discard (RED) ···
Policers
Port policers ···
Global/VCAP (ACL) policers ···
Port egress shaper ···
Queue egress shapers ···
Scheduler mode ···

L2 Switching
IEEE-802.1D bridge ···
Auto MAC address learning/aging ···
MAC addresses - Static ···
IEEE-802.1Q ···
Virtual LAN ···
Private VLAN - Static ···
Port isolation - Static ···
VLAN trunking ···
IEEE-802.1ad provider bridge (native or translated VLAN) ···
IEEE-802.1Q-2005 ···
Loop guard ···
IEEE-802.3ad ···
Link aggregation - Static ···
Link aggregation - LACP ···
IGMPv2 snooping ···
Port mirroring ···

Security
Network Access Server (NAS) ···
Port-based 802.1X ···
MAC-based authentication ···
Web and CLI authentication ···
Web-based authentication ·
ACLs for filtering/policing/port copy ···

Robustness and Power Savings
Cold start ···
Cool start ···
Power Saving
ActiPHY ···
PerfectReach ···
EEE power management ···
LED power management ···
Thermal protection ·
Adaptive fan control ·

Management
Stack IP address ·
Double VLAN tag management ···
DHCP client ···
HTTP server ···
Web with stack management ·
CLI - console port ···
CLI stack management ·
Industrial standard CLI ···
Industrial standard configuration ···
Industrial standard CLI debug commands ···
Management access filtering ···
HTTPS ···
System syslog ···
Software upload via web ···
SNMP v1/v2c/v3 agent ···
SNMP multiple trap destinations ···
IEEE-802.1AB-2005 Link Layer Discovery - LLDP ···
Configuration download/upload - industrial standard ···
Loop detection restore to default ···
Symbolic register access ···

Standard MIBs
RFC 1213 MIB II ···
RFC 1215 TRAPS MIB ···
RFC 4188 bridge MIB ···
RFC 3635 Ethernet-like MIB ···
RFC 3411 SNMP management frameworks ···
IEEE 802.1 MSTP MIB ···
IEEE 802.1AB LLDP-MIB (LLDP MIB included in a clause of the STD)
RFC 3621 LLDP-MED Power (POE) (No specific MIB for POE+ exists) ··

3 Features and Platform Capacity

The following table summarizes the features and platform capacity supported by the CE Services software. The capacity mentioned in many cases is hardware, not software, constrained.

Table 4 • Features and Platform Capacity

| Feature | SparX-III VSC7424-7 | E-StaX-III VSC7431/2/4 | SparX-IV VSC7442/4/8 |
|---|---|---|---|
| Resilience and Availability | | | |
| IEEE 802.1s MSTP instances | 8 | 8 | 8 |
| IEEE 802.3ad LACP - max LAGs | 12 | 24 LAGs and 32 GLAGs | 24 LAGs and 32 GLAGs |
| Traffic Control | | | |
| Port-based VLAN | 4095 | 4095 | 4095 |
| Private VLAN | 24 | 24 | 24 |
| Voice VLAN | 1 | 1 | 1 |
| MAC table size | 8k | 32k | 32k |
| Storm control | 1 – 1024 kpps in steps of 2^n where n = 0..25 (Global setting for Unicast, Multicast, and Broadcast) | 100 kbps – 1000 Mbps (per port for Unicast (known/learned), Broadcast, and Unknown (flooded Unicast and Multicast)) | 100 kbps – 1000 Mbps (per port for Unicast (known/learned), Broadcast, and Unknown (flooded Unicast and Multicast)) |
| Jumbo frames supported | up to 9600 | up to 10056 | up to 10056 |
| Security | | | |
| Port security aging | 10 to 10000000 s | 10 to 10000000 s | 10 to 10000000 s |
| Static MAC entries supported | 64 | 64 | 64 |
| RADIUS authentication servers | 5 | 5 | 5 |
| TACACS+ authentication servers | 5 | 5 | 5 |
| RADIUS accounting servers | 5 | 5 | 5 |
| Telnet/SSH v2 | 4 | 4 | 4 |
| Max ARP inspection | 1K per system | 1K per system | 1K per system |
| IPSG entries | Up to 256 | Up to 512 | Up to 512 |
| Policy-based security filtering | 512 | 512 | 512 |
| Password length | 32 | 32 | 32 |
| Authorization user levels | 15 | 15 | 15 |
| ACE | 256 | 512 | 512 |
| Number of logged in users | 20 | 20 | 20 |

4 System Requirements

WebStaX software supports the port and hardware system requirements listed in the following tables.

Table 5 • Port System Requirements

| Requirement | SparX-III VSC7424-7 | E-StaX-III VSC7431/2/4 | SparX-IV VSC7442/4/8 |
|---|---|---|---|
| Auto MDI/MDIX | Supported | Supported | Supported |
| Duplex capability per 10/100M | Half/Full | Half/Full | Half/Full |
| Fiber slots | Supported | Supported | |
| LEDs per port | 1 | 1 | 1 |
| Port packet forwarding rate | 1488000 pps (1000 Mbps) (with 64 byte); 148800 pps (100 Mbps); 14880 pps (10 Mbps) | 14880000 pps (10 Gbps); 1488000 pps (1000 Mbps) (with 64 byte); 148800 pps (100 Mbps); 14880 pps (10 Mbps) | 14880000 pps (10 Gbps); 1488000 pps (1000 Mbps) (with 64 byte); 148800 pps (100 Mbps); 14880 pps (10 Mbps) |
| RJ45 connectors | Supported | Supported | Supported |
| SFP+/SFP | SFP only supported | Both SFP/SFP+ supported | Both SFP/SFP+ supported |
| Speed capability per 10/100M and Gigabit port | Supported | Supported | Supported |

Table 6 • Hardware System Requirements

| Requirement | Support |
|---|---|
| Power LED | Supported by hardware |
| System LED | Supported by hardware |
| Management LED | Supported by hardware |
| Alarm LED | Supported by hardware |
| Switch fabric capacity | Supported by hardware |
| Forwarding architecture | Supported by hardware |
| MAC address entries | Supported by hardware |
| MAC address aging | Supported by hardware |
| MAC buffer memory type and size | Supported by hardware |
| CPU flash size | Supported by hardware |
| CPU memory type and size | Supported by hardware |
| System DDR SDRAM | Supported by hardware |
| Reset button | Supported by hardware |
| EMC/safety requirement | Supported by hardware |
| Performance requirement | Supported by hardware |

5 Port and System Functionality

WebStaX software supports the following functionality.

5.1 Port Functionality

Capabilities of the SparX-IV, SparX-III, and E-StaX-III ports are as follows:

  • All copper ports can be configured as full-duplex or half-duplex. If operating at 10/100 Mbps, they support auto-sensing and auto-negotiation. Full-duplex, auto-sensing, and auto-negotiation are supported on 1000 Mbps ports.
  • Full-duplex flow control is supported according to the IEEE 802.3x standard.
  • Half-duplex flow control is supported using collision-based backpressure.
  • LEDs for all the ports are driven by the SGPIO and Shift registers.
  • Different port-based configurations are supported on all available ports. For more information, see "Supported Features" on page 5.

Interface capability details can be viewed by executing the show interface capabilities command in the CLI.

5.2 System Functionality

The WebStaX software supports 8 to 48 port turnkey switch platform models as wire-speed Layer 2 Gigabit/Fast Ethernet switches, with an option to additionally support PoE functionality with partner vendors.

The turnkey switch software runs on the Embedded Configurable Operating System (eCos v3.0). The following system-wide operations are supported:

  • Store-and-forward forwarding architecture.
  • 8K MAC table entries on the SparX-III-based switch models and 32K MAC table entries on the E-StaX-III and SparX-IV-based switches.
  • Configurable MAC address aging support (300 seconds is default timeout value).
  • Port packet-forwarding rates of 1488095 pps (1000 Mbps), 148810 pps (100 Mbps), and 14880 pps (10 Mbps).
  • 128 Mbytes system DDR SDRAM is recommended for a typical 24 to 48 port switch.
  • 16 Mbytes flash size is recommended for a typical 24 to 48 port switch.
  • IP routing is supported on E-StaX-III and SparX-IV in hardware and is supported in software on the SparX-III family.

The following table shows some of the other features across the switch family.

Table 7 • Miscellaneous Features

| Feature | SparX-III VSC7424-7 | E-StaX-III VSC7431/2/4 | SparX-IV VSC7442/4/8 |
|---|---|---|---|
| Embedded Processor | 416 MHz | 416 MHz | 416 MHz |
| Integrated shared memory | 4 Mbit | 4 MByte | 4 MByte |
| MAC Table | 8K | 32K | 32K |
| Power | 4.5 W (8 port); 2.5 W (VSC741x) | 5 W (24 port) | 5 W (24 port) |

6 Firmware Upgrade

The WebStaX firmware controlling the switch can be updated using one of the following methods.

  • Web using the HTTP protocol
  • CLI using the TFTP client on the switch

The software image selection information includes the following:

  • Image: The file name of the firmware image
  • Version: The version of the firmware image
  • Date: The date when the firmware was produced

After the software image is uploaded from the Web interface, a Web page announces that the firmware update is initiated. After about a minute, the firmware is updated and the switch restarts.

While the firmware is being updated, Web access appears to be defunct. The front LED flashes Green/Off with a frequency of 10 Hz while the firmware update is in progress.

Warning: Do not restart or power off the device at this time or the switch may fail to function.

7 Port Control

WebStaX software supports the following Port Control features.

7.1 VeriPHY Support

VeriPHY is supported on the WebStaX software for running cable diagnostics to find cable shorts/opens and to determine cable length.

7.2 PoE/PoE+ Support

The WebStaX software provides PoE/PoE+ support on the Caracal and Serval (except VSC741x) and the Jaguar-1 and Jaguar-2 switch based solutions to comply with the IEEE802.3at and IEEE802.3af standards of enabling the supply of up to 30 W per port and up to the total power budget.

  • Texas Instruments Slus787
  • SiliconLabs SI3452

8 Quality of Service (QoS)

WebStaX software provides support for the following rich Quality of Service (QoS) features.

8.1 Policing

The QoS ingress port policers are configurable per port and are disabled by default. The software allows flow control to be disabled or enabled on the port policer. Flow control is disabled by default. If flow control is enabled and the port is in flow control mode, then pause frames are sent instead of discarding frames.

8.2 Scheduling and Shaping

Each egress port implements a scheduler that controls eight queues, one queue (priority) per QoS class. The scheduler mode can be set to Strict Priority or Weighted (Modified-DWRR). Strict Priority is selected by default. It is possible to specify the weight for each of the queues (0 through 5).

Each egress port also implements a port shaper and a shaper per queue. The software allows disabling/enabling the port and queue shaper as part of egress shaping. The port shaper and queue shaper are disabled by default.

It is possible to specify the maximum bit rate in kbits per second or Mbits per second.

8.3 QCL Configuration

QoS classification based on basic classification can be overruled by an intelligent classifier called QoS Control List (QCL).

The QCL consists of QCE entries where each entry is configured with keys and actions. The keys specify which part of the frames must be matched and the actions specify the applied classification parameters.

When a frame is received on a port, the list of QCEs is searched for a match. If the frame matches the configured keys, the actions are applied and the search is terminated.

The QCL configuration is a table of QCEs containing QoS control entries that classify to a specific QoS class on specific traffic objects. A QoS class can be associated with a particular QCE ID.

8.4 WRED

While the random early detection (RED) settings are configurable for queues 0 to 5, weighted RED (WRED) can be either disabled or enabled, and is disabled by default.

The minimum and maximum percentage of the queue fill level or drop probability can be configured before WRED starts discarding frames.

By specifying a different RED configuration for the queues (QoS classes), it is possible to obtain the WRED operation between queues.

8.5 Ingress Port Classification

Classification is the first step for implementing QoS. There is a one-to-one mapping between QoS class, queue, and priority. The QoS class is represented by numbers; higher numbers correspond to higher priority.

The features supported are as follows:

  • Port default priority (QoS class)
  • Port default Drop Precedence (DP level)
  • Port default PCP
  • Port default DEI
  • DSCP mapping to QoS class and DP Level
  • DSCP classification (DiffServ)
  • Advanced QoS classification

9 L2 Switching

The WebStaX software supports the following rich L2 switching features.

9.1 VLAN

WebStaX software supports the IEEE 802.1Q standard VLANs. The default configuration is as follows:

  • All ports are VLAN aware.
  • All ports are members of VLAN 1.
  • The switch management interface is on VLAN 1.
  • All ports have a Port VLAN ID (PVID) of 1.

A port can be configured to one of the following three modes:

  • Access
  • Trunk
  • Hybrid

By default, all ports are in Access mode and are normally used to connect to end stations.

Access ports have the following characteristics:

  • Member of exactly one VLAN, the Port VLAN (Access VLAN), which by default is 1
  • Accepts untagged and C-tagged frames
  • Discards all frames that are not classified to the Access VLAN
  • On egress, all frames classified to the Access VLAN are transmitted untagged. Others (dynamically added VLANs) are transmitted tagged.
  • The PVID is set to 1 by default.
  • Ingress filtering is always enabled.

Trunk ports can carry traffic on multiple VLANs simultaneously, and are normally used to connect to other switches. Trunk ports have the following characteristics:

  • By default, a trunk port is a member of all VLANs (1-4095). This may be limited by the use of allowed VLANs.
  • If frames are classified to a VLAN that the port is not a member of, they are discarded.
  • By default, all frames except those classified to the Port VLAN (also known as Native VLAN) get tagged on egress. Frames classified to the Port VLAN do not get C-tagged on egress.
  • Egress tagging can be changed to tag all frames, in which case only tagged frames are accepted on ingress.

Hybrid ports resemble trunk ports in many ways, but provide the following additional port configuration features.

  • Can be configured to be VLAN tag unaware, C-tag aware, S-tag aware, or S-custom-tag aware
  • Ingress filtering can be controlled
  • Ingress acceptance of frames and configuration of egress tagging can be configured independently
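
The Access and Trunk rules above can be checked against a planned port configuration with a small model. This is an added example, not code from the manual or from WebStaX; the `Port` class, the function names and the sample ports are hypothetical, and Hybrid ports are not modelled.

```python
from dataclasses import dataclass

ALL_VLANS = frozenset(range(1, 4096))  # default trunk membership, VLANs 1-4095


@dataclass(frozen=True)
class Port:
    mode: str = "access"              # "access" or "trunk"
    pvid: int = 1                     # Port VLAN (Access VLAN / Native VLAN)
    allowed: frozenset = ALL_VLANS    # trunk only: allowed VLANs
    tag_all: bool = False             # trunk only: egress tagging set to "tag all"

    def is_member(self, vid: int) -> bool:
        # An access port is a member of exactly one VLAN, its Port VLAN.
        if self.mode == "access":
            return vid == self.pvid
        return vid in self.allowed


def ingress(port: Port, tag_vid):
    """Classify a received frame; return its VLAN, or None if it is discarded.

    tag_vid is the C-tag VLAN ID, or None for an untagged frame.
    """
    if tag_vid is None:
        # With "tag all" egress tagging, a trunk accepts only tagged frames.
        if port.mode == "trunk" and port.tag_all:
            return None
        vid = port.pvid
    else:
        vid = tag_vid
    # Frames classified to a VLAN the port is not a member of are discarded.
    return vid if port.is_member(vid) else None


def egress(port: Port, vid: int) -> str:
    """Return 'drop', 'untagged' or 'tagged:<vid>' for a frame leaving `port`."""
    if not port.is_member(vid):
        return "drop"
    if port.mode == "access":
        return "untagged"
    if vid == port.pvid and not port.tag_all:
        return "untagged"             # native VLAN leaves a trunk without a C-tag
    return f"tagged:{vid}"


def switch_frame(in_port: Port, tag_vid, out_port: Port) -> str:
    """Combine the ingress and egress rules for one ingress/egress port pair."""
    vid = ingress(in_port, tag_vid)
    return "drop" if vid is None else egress(out_port, vid)


# Constructed sample configuration.
ACCESS_1 = Port("access", pvid=1)
ACCESS_10 = Port("access", pvid=10)
TRUNK = Port("trunk", pvid=1, allowed=frozenset({1, 10, 20}))
TRUNK_TAG_ALL = Port("trunk", pvid=1, allowed=frozenset({1, 10, 20}), tag_all=True)

if __name__ == "__main__":
    cases = [
        ("untagged on access 10 -> trunk", ACCESS_10, None, TRUNK),
        ("tag 20 on access 10 -> trunk", ACCESS_10, 20, TRUNK),
        ("untagged on access 1 -> trunk", ACCESS_1, None, TRUNK),
        ("untagged on access 1 -> tag-all trunk", ACCESS_1, None, TRUNK_TAG_ALL),
        ("untagged on tag-all trunk -> access 1", TRUNK_TAG_ALL, None, ACCESS_1),
        ("tag 30 on trunk -> access 10", TRUNK, 30, ACCESS_10),
    ]
    for label, src, tag, dst in cases:
        print(f"{label}: {switch_frame(src, tag, dst)}")
```
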

9.1.1 Private VLAN

In a private VLAN, communication between isolated ports in that private VLAN is not permitted.

Private VLANs are based on the source port mask, and there are no connections to VLANs. This means that VLAN IDs and private VLAN IDs can be identical.

The PVLAN ID is only configurable on SparX-III, SparX-IV, and E-StaX-III 24 port switches.

The private VLAN feature is unavailable on the Dual E-StaX-III and SparX-IV-based switch models.

9.2 IEEE 802.3ad Link Aggregation

A link aggregation is a collection of one or more Full Duplex (FDX) Ethernet links. When combined, these links form a Link Aggregation Group (LAG), which the networking device can treat as a single link. The traffic distribution is based on a hash calculation of fields in the frame:

  • Source MAC Address: The source MAC address can be used to calculate the destination port for the frame. By default, the source MAC Address is enabled.
  • Destination MAC Address: The destination MAC address can be used to calculate the destination port for the frame. By default, the destination MAC Address is disabled.
  • IP Address: The IP address can be used to calculate the destination port for the frame. By default, the IP Address is enabled.
  • TCP/UDP Port Number: The TCP/UDP port number can be used to calculate the destination port for the frame. By default, the TCP/UDP Port Number is enabled.

An aggregation can be configured statically or dynamically via the Link Aggregation Control Protocol (LACP).

9.2.1 Static

Static aggregations can be configured through the CLI or the web interface. A static LAG interface does not require a partner system to be able to aggregate its member ports. In Static mode the member ports do not transmit LACPDUs.

LACP exchanges LACPDUs with an LACP partner and forms an aggregation automatically. LACP can be enabled or disabled on the switch port. LACP will form an aggregation when two or more ports are connected to the same partner.

The Key value can be configured to a user defined value or set to auto to calculate based on the link speed in accordance with IEEE 802.3ad standard.

The role for the LACP port configuration can be selected as either Active to transmit LACP packets each second, or Passive to wait for an LACP packet from a partner.

9.3 Bridge Protocol Data Unit (BPDU) Guard

This is provided as part of the Spanning Tree Protocol (STP) configuration settings. The BPDU guard is a control that specifies whether a port explicitly configured as Edge will disable itself upon reception of a BPDU. The port will enter the error-disabled state, and will be removed from active topology.

The Common and Internal Spanning Tree (CIST) port setting for the BPDU Guard is not subject to Edge status dependency. For restricted role, CIST port setting may also be seen as a security measure.

9.3.1 BPDU Filtering

BPDU filtering is a control that specifies whether a port explicitly configured as Edge will transmit and receive BPDUs. This is also provided as part of the STP configuration settings.

9.4 DHCP Snooping

DHCP snooping is used to block intruders on the untrusted ports of the switch device when they try to intervene by injecting a bogus DHCP (for IPv4) reply packet into a legitimate conversation between the DHCP (IPv4) client and server.

DHCP snooping is a series of techniques applied to ensure the security of an existing DHCP infrastructure. When DHCP servers allocate IP addresses to clients on the LAN, DHCP snooping can be configured on LAN switches to harden the security on the LAN to allow only clients with specific IP/MAC addresses to have access to the network.

Only specific IP addresses with specific MAC addresses on specific ports may access the IP network.

DHCP snooping also stops attackers from adding their own DHCP servers to the network. An attacker-controlled DHCP server could cause malfunction of the network or even control it. The port role can be set as Trusted or Untrusted in order to protect it.
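
The Trusted/Untrusted decision and the resulting IP/MAC/port binding can be modelled as follows. This is an added example, not the WebStaX implementation; the class, its method names and the event list are constructed for illustration, and the model is simplified to one lease per client MAC.

```python
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # DHCP message types only a server sends


class DhcpSnooper:
    """Simplified model of DHCP snooping on one switch."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # client MAC -> untrusted port its last request arrived on
        self.bindings = {}   # client MAC -> (leased IP, port)
        self.alerts = []     # (port, message type, client MAC) for dropped server replies

    def handle(self, port, msg_type, client_mac, your_ip=None):
        """Return 'forward' or 'drop' for one DHCP message received on `port`."""
        if msg_type in SERVER_MESSAGES:
            if port not in self.trusted:
                # A server reply from an untrusted port is the bogus reply case.
                self.alerts.append((port, msg_type, client_mac))
                return "drop"
            if msg_type == "ACK" and client_mac in self.pending:
                # Learn the binding from the trusted server's acknowledgement.
                self.bindings[client_mac] = (your_ip, self.pending.pop(client_mac))
            elif msg_type == "NAK":
                self.pending.pop(client_mac, None)
            return "forward"
        if port in self.trusted:
            return "forward"                 # relayed client traffic on an uplink
        if msg_type == "RELEASE":
            bound = self.bindings.get(client_mac)
            if bound is not None and bound[1] != port:
                return "drop"                # release for a lease held on another port
            self.bindings.pop(client_mac, None)
            return "forward"
        self.pending[client_mac] = port
        return "forward"

    def source_permitted(self, port, mac, ip):
        """Only the learned IP with the learned MAC on the learned port may send."""
        if port in self.trusted:
            return True
        return self.bindings.get(mac) == (ip, port)


def replay(events, trusted_ports):
    """Feed (port, type, client MAC, offered IP) tuples through a fresh snooper."""
    snooper = DhcpSnooper(trusted_ports)
    decisions = [snooper.handle(*event) for event in events]
    return snooper, decisions


# Constructed events: client on port 3, DHCP server behind trusted port 24,
# unexpected DHCP server on untrusted port 7.
CLIENT = "00-1a-2b-3c-4d-5e"
EVENTS = [
    (3, "DISCOVER", CLIENT, None),
    (7, "OFFER", CLIENT, "198.51.100.50"),
    (24, "OFFER", CLIENT, "192.0.2.10"),
    (3, "REQUEST", CLIENT, None),
    (7, "ACK", CLIENT, "198.51.100.50"),
    (24, "ACK", CLIENT, "192.0.2.10"),
    (7, "RELEASE", CLIENT, None),
]

if __name__ == "__main__":
    snooper, decisions = replay(EVENTS, trusted_ports={24})
    for event, decision in zip(EVENTS, decisions):
        print(event, "->", decision)
    print("bindings:", snooper.bindings)
    print("alerts:", snooper.alerts)
```
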

9.5 Storm Control

Storm control on WebStaX software is done per system globally on SparX-III and SparX-IV-based switches. Global storm rate control configuration for unicast frames, broadcast frames, and multicast frames is supported and can be configured in pps on SparX-III switches.

On the E-StaX-III switch models, storm control is configured per port. Storm rate control configuration for unicast frames, broadcast frames, and a storm rate control configuration for unknown (flooded) frames can be configured in kbps, Mbps, fps, and kfps on the E-StaX-III-based switches.

Storm control is disabled by default.

9.6 MAC Table Configuration

MAC learning configuration can be configured per port.

  • Auto: Learning is done automatically as soon as a frame with unknown Static MAC (SMAC) is received.
  • Disable: No learning is done.
  • Secure: Only SMAC entries are learned, all other frames are dropped.

The static entries can be configured in the MAC table for forwarding. The user can enable/disable MAC learning per VLAN. VLAN learning is enabled by default.

MAC aging is configurable to age out the learned entries.

MAC learning cannot be administered on each individual aggregation group.

9.7 Mirroring (SPAN/VSPAN and RSPAN)

WebStaX software allows selected traffic to be copied, or mirrored, to a mirror port where a frame analyzer can be attached to analyze the frame flow. By default, Mirror monitors all traffic, including multicast and bridge PDUs.

The software will support 'Many-to-1' port mirroring. The destination port is located on the local switch in the case of Mirror. The switch can support VLAN-based mirroring.

Note: The mirroring session will have either ports or VLANs as sources, but not both.

9.8 Spanning Tree

WebStaX software supports the Spanning Tree versions IEEE 802.1D Spanning Tree Protocol (STP), 802.1w Rapid STP (RSTP), and 802.1s MSTP. The desired version is configurable and MSTP is selected by default.

The RSTP portion of the module conforms to IEEE 802.1D-2004 and the MSTP portion of the module conforms to IEEE 802.1Q-2005.

IEEE 802.1s supports 16 instances.

The STP MSTI and CIST port configurations are allowed per physical port or aggregated port, as are the STP MSTI bridge instance mapping and priority configurations.

Port Error Recovery is supported to control whether a port in the error-disabled state will automatically be enabled after a certain time.

10 L3 Switching

WebStaX software provides support for the following rich L3 switching features.

10.1 IP Routing

WebStaX software static routing provides the ability to route IPv4 and IPv6 frames between different VLANs. These VLANs may exist on different ports.

It should be noted that hardware has no L3 data plane, but control plane routing is supported in software on Caracal/Serval. However, Jaguar and Jaguar 2 have the hardware support for routing. There is a provision in the software API to assign at least two router legs to a given VLAN.

When an IP interface is configured, the corresponding interface route will be installed in the routing table. In addition, the device administrator can install static routes in the routing table.

10.1.1 VLAN IP Interface Configuration

The IP stack can be configured to act either as a host or a router. The VLAN IP interface can be configured with IPv4/IPv6 parameters for assigning an IP address corresponding to a VLAN.

  • Host Mode: Traffic between interfaces will not be routed, and auto-configuration starts automatically when each IPv6 interface starts operation (for example, triggered by link-up or creation).
  • Router Mode: Traffic is routed between all interfaces.

10.1.2 Static IP Route Configuration

The static IPv4 route can also be configured with a valid destination IPv4/IPv6 address/mask, gateway, and a next hop VLAN. Support is available for the link-local address used as the next hop for IPv6 static routes.

10.2 ICMPv6

ICMPv6-based ping is supported on these switches. Five ICMPv6 packets are transmitted to the configured IP address, and the sequence number and roundtrip time are displayed upon reception of a reply. The ping size is set to 56 and is configurable from 1 to 1452.

11 Security

WebStaX software supports the following security features.

11.1 802.1X and MAC-based Authentication

The IEEE 802.1X standard defines a port-based access control procedure that prevents unauthorized access to a network by requiring users to first submit credentials for authentication. One or more central servers, the backend servers, determine whether the user is allowed access to the network.

Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely a best-practices method adopted by the industry. In a MAC-based authentication, users are called clients, and the switch acts as a supplicant on behalf of clients. The initial frame (any kind of frame) sent by a client is snooped by the switch, which in turn uses the client's MAC address as both username and password in the subsequent Extensible Authentication Protocol (EAP) exchange with the Remote Authentication Dial In User Service (RADIUS) server.

The 6-byte MAC address is converted to a string in the following form: xx-xx-xx-xx-xx-xx. That is, a dash (-) is used as separator between the lower-case hexadecimal digits. The switch only supports the MD5-Challenge authentication method, so the RADIUS server must be configured accordingly. When authentication is complete, the RADIUS server sends a success or failure indication, which in turn causes the switch to open up or block traffic for that particular client, using the Port Security module. The frames from the client are then forwarded to the switch. There are no EAP over LAN (EAPOL) frames involved in this authentication, and therefore, MAC-based authentication has nothing to do with the 802.1X standard.

The advantage of MAC-based authentication over 802.1X-based authentication is that the clients do not need special supplicant software to authenticate. The disadvantage is that MAC addresses can be spoofed: equipment whose MAC address is a valid RADIUS user can be used by anyone. The maximum number of clients that can be attached to a port can be limited using the Port Security Limit Control functionality.
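
The credential derivation described above, worked through for a RADIUS administrator building the user list. This is an added example, not code from the manual or from WebStaX; the function names and inventory are constructed, the FreeRADIUS-style `users` line is an assumption about the server in use, and the MD5-Challenge value is computed as MD5(identifier || password || challenge).

```python
import hashlib
import hmac
import re


def switch_mac_identity(mac: str) -> str:
    """Format a MAC as the switch does: xx-xx-xx-xx-xx-xx, lower-case hex."""
    digits = re.sub(r"[-:.\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 6-byte MAC address: {mac!r}")
    digits = digits.lower()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def md5_challenge_value(identifier: int, secret: str, challenge: bytes) -> bytes:
    """MD5-Challenge response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode("ascii") + challenge).digest()


def build_allowlist(inventory):
    """Normalise (label, MAC) rows into RADIUS user names; report rejected rows."""
    users, rejected = {}, []
    for label, mac in inventory:
        try:
            ident = switch_mac_identity(mac)
        except ValueError:
            rejected.append((label, mac, "malformed"))
            continue
        if ident in users:
            rejected.append((label, mac, f"duplicate of {users[ident]}"))
            continue
        users[ident] = label
    return users, rejected


def users_file_lines(users):
    """FreeRADIUS-style entries (assumed server): name and password are the same string."""
    return [f'{ident} Cleartext-Password := "{ident}"' for ident in sorted(users)]


def switch_response(observed_mac: str, identifier: int, challenge: bytes):
    """What the switch submits for a client: derived entirely from the source MAC it saw."""
    ident = switch_mac_identity(observed_mac)
    return ident, md5_challenge_value(identifier, ident, challenge)


def server_accepts(users, user_name, identifier, challenge, response) -> bool:
    """Server side: the user must exist and the response must match its password."""
    if user_name not in users:
        return False
    expected = md5_challenge_value(identifier, user_name, challenge)
    return hmac.compare_digest(expected, response)


# Constructed sample data.
INVENTORY = [
    ("printer-2f", "00:1A:2B:3C:4D:5E"),
    ("badge-reader", "001a.2b3c.4d5f"),
    ("printer-2f-dup", "00-1a-2b-3c-4d-5e"),
    ("typo", "00:1A:2B:3C:4D"),
]
CHALLENGE = bytes(range(16))

if __name__ == "__main__":
    users, rejected = build_allowlist(INVENTORY)
    print("\n".join(users_file_lines(users)))
    print("rejected:", rejected)
    name, resp = switch_response("00:1A:2B:3C:4D:5E", 7, CHALLENGE)
    # The response depends only on the MAC, so the server cannot tell which
    # physical device sent the frame; pair this with Port Security limits.
    print(name, resp.hex(), server_accepts(users, name, 7, CHALLENGE, resp))
```
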

In a port-based 802.1X authentication, once a supplicant is successfully authenticated on a port, the whole port is opened for network traffic. This allows other clients connected to the port (for instance through a hub) to piggy-back on the successfully authenticated client and get network access even though they really are not authenticated. To overcome this security breach, use the Single 802.1X variant.

Multi 802.1X is not an IEEE standard, but a variant that features many of the same characteristics. In Multi 802.1X, one or more supplicants can get authenticated on the same port at the same time. Each supplicant is authenticated individually and secured in the MAC table using the Port Security module. In Multi 802.1X, it is not possible to use the multicast BPDU MAC address as destination MAC address for EAPOL frames sent from the switch toward the supplicant because that causes all supplicants attached to the port to reply to requests sent from the switch. Instead, the switch uses the supplicant's MAC address, which is obtained from the first EAPOL Start or EAPOL Response Identity frame sent by the supplicant. An exception to this is when no supplicants are attached. In this case, the switch sends EAPOL Request Identity frames using the BPDU multicast MAC address as destination to wake up any supplicants that might be on the port.

The maximum number of supplicants that can be attached to a port can be limited using the Port Security Limit Control functionality.

When RADIUS-assigned QoS/VLANs are enabled globally and on a given port, the switch reacts to the QoS Class/VLAN information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If QoS information is present and valid, traffic received on the supplicant's port will be classified to the given QoS class in the case of RADIUS-assigned QoS. Conversely, if VLAN ID is present and valid, the port's Port VLAN ID will be changed to this VLAN ID, the port will be set to be a member of that VLAN ID, and the port will be forced into VLAN Unaware mode. Once assigned, all traffic arriving on the port will be classified and switched on the RADIUS-assigned VLAN ID.

RADIUS-assigned VLANs based on a VLAN name are also supported.

If (re-)authentication fails, or the RADIUS Access-Accept packet no longer carries a QoS class/VLAN ID, or it's invalid, or the supplicant is otherwise no longer present on the port, the port's QoS class in the case of RADIUS-assigned QoS, and VLAN in the case of RADIUS-assigned VLAN, are immediately reverted to the original values (which may be changed by the administrator in the meanwhile without affecting the RADIUS-assigned).

This RADIUS-assigned QoS or VLAN option is only available for single-client modes, namely Port-based 802.1X.

11.2 Port Security

Port security enables configuration of the port security limit control system and port settings. It is possible to configure the port security limit aging per system.

Limit control enables limiting the number of users on a given port. A user is identified by a MAC address and VLAN ID. If limit control is enabled on a port, the limit specifies the maximum number of users on the port. If this number is exceeded, one of the following actions is taken.

  • None
  • Syslog
  • Shutdown
  • Syslog and Shutdown

The switch is configured with a total number of MAC addresses from which all ports draw when a new MAC address is seen on a Port Security-enabled port. Because all ports draw from the same pool, it may happen that a configured maximum cannot be granted, if the remaining ports have already used all available MAC addresses.

11.3 Loop Protection

Loops inside a network are very costly because they consume resources and lower network performance. Detecting loops manually can be very cumbersome and tasking. Loop protection can be enabled or disabled on a port, or system-wide.

If loop protection is enabled, it sends packets to a reserved Layer 2 multicast destination address on all the ports on which the feature is enabled. Transmission of the packet can be disabled on selected ports, even when loop protection is on. If a packet is received by the switch with a matching multicast destination address, the source MAC in the packet is compared with the switch's own MAC. If the MAC does not match, the packet is forwarded to all ports that are members of the same VLAN, except the port on which it came in, treating it like a data packet. If the feature is enabled and the source MAC matches the switch's own MAC, the port on which the packet is received will be shut down, logged, or both, depending on the action configured.

If the feature is disabled, the packet will be dropped silently. The following matching criteria are used:

DA = determined on customer requirement, AND

SA = first 5 bytes of switch SA, AND

Ether Type = 9003, AND

Loop protection is disabled by default, with an option to either enable globally on all the ports or individually on each port of the switch including the trunks (static only). Loop protection will co-exist with the (M)STP protocol being enabled on the same physical ports. Loop protection will not affect the ports that (M)STP has put in non-forwarding state.

11.4 Authentication Authorization Accounting (AAA)

AAA allows the common server configuration including the Timeout, Retransmit, Secret Key, NAS IP Address, NAS IPv6 Address, NAS Identifier, and Dead Time parameters. WebStaX software supports the configuration of the RADIUS and TACACS+ servers.

RADIUS servers use the UDP protocol, which is unreliable by design. In order to cope with lost frames, the timeout interval is divided into three sub-intervals of equal length. If a reply is not received within the sub-interval, the request is transmitted again. This algorithm causes the RADIUS server to be queried up to three times before it is considered dead.

RADIUS authentication servers are used both by the NAS module and to authorize access to the switch's management interface.

Dead time, which can be set to a number between 0 and 3600 seconds, is the period during which the switch does not send new requests to a server that has failed to respond to a previous request. This stops the switch from continually trying to contact a server that it has already determined as dead. Setting the dead time to a value greater than 0 (zero) enables this feature, but only if more than one server has been configured.

Authorization is for authorizing users to access the management interfaces of the switch.

11.5 Secure Access

The following options are available for Secure Access.

Table 8 • Secure Access Options

Method               Description
SSH                  Enable or disable option provided, supports v2 only
SSL/HTTPS            Enable or disable
HTTPS Auto redirect  Option to redirect the web browser to HTTPS, available when HTTPS mode is enabled.

Note: SSL and HTTPS are not supported in the non-crypto version of the software.

11.6 Users and Privilege Levels

Multiple users can be created on the switch identified by the username and privilege level.

The allowed range for a user's privilege level is 1 to 15. A privilege level value of 15 enables access to all groups and grants full control of the device. User privilege should be the same as or greater than the privilege level for the group. By default, privilege level 5 provides read-only access and privilege level 10 provides read-write access for most groups. Privilege level 15 is needed for system maintenance tasks such as software upload and factory default restore. Generally, privilege level 15 is used for an administrator account, privilege level 10 for a standard user account, and privilege level 5 for a guest account.

The name identifying the privilege group is called the Group name. In most cases, a privilege level group consists of a single module (for example, LACP, RSTP, or QoS), but a few of them contain more than one.

Each group has an authorization privilege level configurable from 1 to 15 for the following subgroups.

  • Configuration read-only
  • Configuration/execute read-write
  • Status/statistics read-only
  • Status/statistics read-write (for example, for clearing of statistics).

Group privilege levels are used only in the Web interface. The CLI privilege level works on each individual command. User privilege should be the same as or greater than the privilege level for the group.

11.7 Auth Method

11.7.1 Authentication Method

This method allows configuration of how users are authenticated when they log into the switch from one of the management client interfaces. The following configuration is allowed on the following management client types.

• Console
• SSH
• Web

Methods that involve remote servers are timed out if the remote servers are offline. In this case the next method is tried. Each method is tried from left to right (when entered in the CLI) and continues until a method either approves or rejects a user. If a remote server is used for primary authentication, it is recommended to configure secondary authentication as local. This will enable the management client to log in using the local user database if none of the configured authentication servers are alive.
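The following added example (not from the Microchip manual) models the RADIUS retransmit and dead-time rules from section 11.4 together with the left-to-right method fallback described above, using a simulated clock and transport. Class and function names, the server addresses, and the behaviour when every server is marked dead are assumptions made for illustration.

```python
import hmac


class RadiusMethod:
    """RADIUS login method with the retransmit and dead-time rules of section 11.4."""

    def __init__(self, servers, timeout, dead_time, transport):
        self.servers = list(servers)        # tried in configured order
        self.sub_interval = timeout / 3     # timeout split into three equal parts
        self.dead_time = dead_time          # seconds; 0 disables the feature
        self.transport = transport          # (server, user, pw) -> "accept" | "reject" | None
        self.dead_until = {}                # server -> time until which it is skipped
        self.now = 0.0                      # simulated clock in seconds
        self.sent = []                      # (time, server) for every request sent

    def _dead_time_active(self):
        # Dead time only takes effect when more than one server is configured.
        return self.dead_time > 0 and len(self.servers) > 1

    def authenticate(self, user, password):
        for server in self.servers:
            if self._dead_time_active() and self.dead_until.get(server, 0.0) > self.now:
                continue                    # still considered dead: send nothing
            for _ in range(3):              # queried up to three times
                self.sent.append((self.now, server))
                reply = self.transport(server, user, password)
                if reply is not None:
                    return reply
                self.now += self.sub_interval   # waited one sub-interval, no reply
            self.dead_until[server] = self.now + self.dead_time
        # Assumption: when no server answers (or all are marked dead), the
        # method counts as timed out and the next method is tried.
        return None


class LocalMethod:
    """Local user database; always answers, so it never times out."""

    def __init__(self, users):
        self.users = users

    def authenticate(self, user, password):
        stored = self.users.get(user)
        ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
        return "accept" if ok else "reject"


def login(methods, user, password):
    """Try methods left to right; stop at the first approve or reject."""
    for name, method in methods:
        verdict = method.authenticate(user, password)
        if verdict is not None:
            return verdict, name
    return "reject", None                   # assumption: nothing answered, so deny


def make_transport(alive, accounts):
    """Constructed stand-in for the network: only servers in `alive` answer."""
    def transport(server, user, password):
        if server not in alive:
            return None
        return "accept" if accounts.get(user) == password else "reject"
    return transport


if __name__ == "__main__":
    # Constructed scenario: first server silent, second server healthy.
    radius = RadiusMethod(["192.0.2.1", "192.0.2.2"], timeout=6, dead_time=300,
                          transport=make_transport({"192.0.2.2"}, {"alice": "radius-pw"}))
    methods = [("radius", radius), ("local", LocalMethod({"admin": "local-pw"}))]
    print(login(methods, "alice", "radius-pw"), radius.sent)   # three tries, then server 2
    print(login(methods, "alice", "radius-pw"), radius.sent[-1])  # dead server skipped
    print(login(methods, "admin", "local-pw"))  # RADIUS rejects; local is not consulted
```

The last call shows that a reject from a reachable server is final: the local database is consulted only when the remote method times out.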

11.7.2 Command Authorization Method Configuration

This configuration allows the administrator to limit the CLI commands available to the user from the different management clients, Console and SSH. It is possible to set the privilege level and authorize configuration commands.

11.7.3 Accounting Method Configuration

This configuration allows the administrator to configure command and Exec (login) accounting of the user from the different management clients, Console and SSH. It is possible to set the privilege level and enable exec (login) accounting.

11.8 Access Control List (ACLs)

The ACL consists of a table of ACEs containing access control entries that specify individual users or groups permitted access to specific traffic objects such as a process or a program. The ACE parameters vary according to the frame type selected.

Each accessible traffic object contains an identifier to its ACL. The privileges determine whether there are specific traffic object access rights.

ACL implementations can be quite complex, for example, when the ACEs are prioritized for the various situations. In networking, ACL refers to a list of service ports or network services that are available on a host or server, each with a list of hosts or servers permitted to use the service. ACLs can generally be configured to control inbound traffic, and in this context, they are similar to firewalls.

There are three rich configurable sections associated with the manual ACL configuration.

The ACL configuration shows the ACEs in a prioritized way, highest (top) to lowest (bottom). An ingress frame will only get a hit on one ACE even though there are more matching ACEs. The first matching ACE will take action (permit/deny) on that frame and a counter associated with that ACE is incremented. An ACE can be associated with any combination of ingress port(s) and policy (value/mask pair). If an ACE policy is created then that policy can be associated with a group of ports as part of the ACL port configuration. There are a number of parameters that can be configured with an ACE.

The ACL ports configuration is used to assign a policy ID to an ingress port. This is useful to group ports to obey the same traffic rules. Traffic policy is created under the ACL configuration. The following traffic properties can be set for each ingress port.

  • Action
  • Rate Limiter
  • Port Redirect
  • Mirror
  • Logging
  • Shutdown

The management interface allows the port action that is used to determine whether forwarding is permitted (Permit) or denied (Deny) on the port. The default action is Permit.

The ACE will only apply if the frame gets past the ACE matching without getting matched. In that case a counter associated with that port is incremented. There can be 16 different ACL rate limiters. A rate limiter ID may be assigned to the ACE(s) or ingress port(s).

An ACE consists of several parameters. These parameters vary according to the frame type selected. The ingress port needs to be selected for the ACE, and then the frame type. Different parameter options are displayed depending on the frame type selected. The supported frame types include the following:

• Any
• Configurable Ethernet Type
• IPv4
• IPv6

MAC-based filtering and IP protocol-based filtering can be achieved with configurations based on the selection of appropriate frame types.
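The following added example (not from the Microchip manual) models the first-match ACE evaluation, the policy value/mask match, and the per-port default action described in this section. It goes one step beyond the text by flagging ACEs that can never be hit because a higher-priority ACE covers them; all class names, field names, and the sample rules are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ETYPE_IPV4, ETYPE_IPV6 = 0x0800, 0x86DD


def frame_type(ethertype: int) -> str:
    if ethertype == ETYPE_IPV4:
        return "ipv4"
    if ethertype == ETYPE_IPV6:
        return "ipv6"
    return "etype"


@dataclass
class Ace:
    name: str
    action: str                                  # "permit" or "deny"
    ports: Optional[FrozenSet[int]] = None       # None = all ingress ports
    policy: Optional[Tuple[int, int]] = None     # (value, mask) vs. the port's policy ID
    ftype: str = "any"                           # any | etype | ipv4 | ipv6
    ethertype: Optional[int] = None              # only meaningful for ftype == "etype"
    hits: int = 0

    def matches(self, port, policy_id, ethertype):
        if self.ports is not None and port not in self.ports:
            return False
        if self.policy is not None:
            value, mask = self.policy
            if (policy_id & mask) != (value & mask):
                return False
        if self.ftype == "any":
            return True
        if self.ftype != frame_type(ethertype):
            return False
        return self.ethertype is None or self.ethertype == ethertype


@dataclass
class PortAcl:
    policy_id: int = 0
    action: str = "permit"                       # the default port action is Permit
    hits: int = 0


def covers(a: Ace, b: Ace) -> bool:
    """True if every frame that matches b also matches a."""
    if a.ports is not None and (b.ports is None or not b.ports <= a.ports):
        return False
    if a.policy is not None:
        if b.policy is None:
            return False
        (av, am), (bv, bm) = a.policy, b.policy
        if am & bm != am or (av & am) != (bv & am):
            return False
    if a.ftype == "any":
        return True
    if a.ftype != b.ftype:
        return False
    return a.ethertype is None or a.ethertype == b.ethertype


class Acl:
    def __init__(self, aces, ports):
        self.aces = list(aces)                   # index 0 = highest priority (top)
        self.ports = ports                       # {port number: PortAcl}

    def classify(self, port, ethertype):
        """Return (action, decided_by); only the first matching ACE is hit."""
        cfg = self.ports[port]
        for ace in self.aces:
            if ace.matches(port, cfg.policy_id, ethertype):
                ace.hits += 1
                return ace.action, ace.name
        cfg.hits += 1                            # no ACE matched: port action applies
        return cfg.action, f"port {port} default"

    def shadowed(self):
        """Names of ACEs that an earlier ACE fully covers (never hit)."""
        return [later.name for i, later in enumerate(self.aces)
                if any(covers(earlier, later) for earlier in self.aces[:i])]


def sample_acl():
    """Constructed configuration: policy IDs 0x10-0x1f mark guest ports."""
    aces = [
        Ace("deny-ipv6-guest", "deny", policy=(0x10, 0xF0), ftype="ipv6"),
        Ace("permit-any-guest", "permit", policy=(0x10, 0xF0)),
        Ace("deny-arp-port1", "deny", ports=frozenset({1}), policy=(0x12, 0xFF),
            ftype="etype", ethertype=0x0806),
    ]
    ports = {1: PortAcl(policy_id=0x12), 2: PortAcl(policy_id=0x00, action="deny")}
    return Acl(aces, ports)


if __name__ == "__main__":
    acl = sample_acl()
    print(acl.classify(1, 0x86DD))   # first ACE decides
    print(acl.classify(1, 0x0806))   # ARP is permitted: the deny ACE below is shadowed
    print(acl.classify(2, 0x0800))   # no ACE matches, port default applies
    print(acl.shadowed())
```

A zero hit counter on an ACE after representative traffic is the operational symptom of the ordering problem that `shadowed()` reports statically.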

12 Robustness and Power Savings

The WebStaX software supports the following features for robustness and power savings (Green Ethernet).

12.1 Robustness

12.1.1 Cold and Cool Restart

All SparX-III, E-StaX-III, and SparX-IV turnkey solutions support cold restart as well as cool restart.

12.1.2 Reset Button

WebStaX software supports the addition of a Reset button, generally accessible on the front panel of a switch. This button acts as a reset when pressed for more than 1 second. The switch automatically reboots and reloads its factory default configuration upon restart.

12.1.3 Console

WebStaX software uses the serial console to support the CLI interface for configuration.

12.1.4 CPU Load

The system running processes and CPU load information can be viewed using the show process load command.

12.2 Green Ethernet

12.2.1 Energy-Efficient Ethernet (EEE) Support

EEE is a power saving option that reduces the power usage when there is low traffic utilization (or no traffic). EEE support allows the user to inspect and configure the current EEE port settings.

EEE works by powering down circuits when there is no traffic. When a port gets data to be transmitted all circuits are powered up. The time it takes to power up the circuits is named wakeup time. The default wakeup time is 17 µs for 1Gbit links and 30 µs for other link speeds. EEE devices must agree upon the value of the wakeup time to make sure that both the receiving and transmitting devices have all circuits powered up when traffic is transmitted. The devices can exchange information about device wakeup times using the LLDP protocol.

EEE works for ports in auto-negotiation mode, where the port is negotiated to either 1G or 100 Mbit full duplex mode.

12.2.2 LED Power Reduction Support

WebStaX software supports the LED power reduction feature.

LED power consumption can be reduced by lowering the intensity of LEDs. LEDs can be dimmed or turned off. LED intensity can be set for 24 one-hour periods in a day and can be configured from 0% to 100% in 10% increments for each period.

A network administrator may want to have full LED intensity during the maintenance period. Therefore it is possible to specify that the LEDs will use full intensity for a specific period of time.

Maintenance Time: The number of seconds (10 to 65535, 10 being default) that the LEDs will have full intensity after either a port has changed link state or the LED button has been pressed.

12.2.3 Fan Information

WebStaX software supports the following fan controls.

Maximum Temperature: Temperature at which the fan runs at full speed.

Turn on Temperature: Temperature at which the fan runs at the lowest possible speed.

12.3 VeriPHY

VeriPHY is supported for running cable diagnostics.

13 Management

The WebStaX software supports the following management features.

13.1 Management Services

WebStaX software provides the network administrator with a set of comprehensive management functions. The network administrator has a choice of the following easy-to-use management methods.

  • CLI Interface
  • Web-based
  • Simple Network Management Protocol (SNMP)

Management interfaces of the turnkey switch solutions are branded to comply with platform changes and the customer recommended standards as desired.

13.1.1 Industry Standard CLI Model

The CLI interface of the WebStaX software is an Industry Standard CLI model. It consists of a structured set of configuration commands, with the ability to configure and view the configuration using the Serial Console or SSH access.

The Industry Standard CLI model includes the following features.

  • Command history. Pressing the Up arrow presents the history of commands.
  • Command-line editing
  • VT100 compatible CLI terminal
  • Command groups based on command types
  • Configuration commands for configuring features and available options of the device.
  • Show commands for displaying switch configuration, statistics, and other information.
  • Copy commands for transferring or saving the software images for upgrade/downgrade, configuration files to and from the switch.
  • Help for groups and specific commands.
  • Shortcut key options. For example, the full command syntax support can be viewed for each possible command using the Ctrl+Q shortcut.

(config-if-vlan)# ip^Q
ip address {{ <ipv4_addr> <ipv4_netmask> } | { dhcp [ fallback <ipv4_addr> <ipv4_netmask> [ timeout <uint> ] ] }}
ip igmp snooping
ip igmp snooping compatibility { auto | v1 | v2 | v3 }
ip igmp snooping last-member-query-interval <0-31744>
ip igmp snooping priority <0-7>
ip igmp snooping querier { election | address <ipv4_ucast> }
ip igmp snooping query-interval <1-31744>
ip igmp snooping query-max-response-time <0-31744>
ip igmp snooping robustness-variable <1-255>
ip igmp snooping unsolicited-report-interval <0-31744> 

  • Context-sensitive help. Press the '?' key for a list of valid possible parameters, with descriptions.
  • Auto completion. Press key by partially typing the keyword. The rest of the keyword will be entered automatically.
  • Ctrl+C option to break the display
  • Modes for commands. Each command can belong to one or more modes. The commands in a particular mode can be made invisible in any other mode. The interface also allows wildcard support.

(config)# interface *
(config-if)# 

If multiple sessions are concurrently in the same sub mode with the same parameters, then the 'no' form of commands will not work and will display a warning message.

  • Privilege. A set of privilege attributes may be assigned to each command based on the level configured. A command cannot be accessed or executed if the logged in user does not have sufficient privilege.

13.1.1.1 User EXEC Mode

The User EXEC mode is the initial mode available for the users with insufficient privileges. The User EXEC mode contains a limited set of commands. The command prompt shown at this level is:

WebStaX> 

13.1.1.2 Privileged EXEC Mode

The administrator/user must enter the Privileged EXEC mode in order to have access to the full command suite. The Privileged EXEC mode requires password authentication using an 'enable' command if set. The command prompt shown at this level is:

WebStaX# 

It is also possible to have runtime configurable privilege levels per command.

  • Keyword abbreviations. Any keyword can be accepted just by typing an unambiguous prefix (for example, "sh" for "show").

WebStaX# sh ip route
0.0.0.0/0 via VLAN1:10.9.61.1 <UP GATEWAY HW_RT>
10.9.61.0/24 via VLAN1 <UP HW_RT>
127.0.0.1/32 via OS:lo:127.0.0.1 <UP HOST>
224.0.0.0/4 via OS:lo:127.0.0.1 <UP> 

  • Error checking. Before executing a command, the CLI checks, among other things, whether the current mode is still valid, whether the user has sufficient privileges, and whether the parameters are within their valid range. The user is alerted to the error by a caret displayed under the offending word, along with an error message.

WebStaX(config)# clock summer-time PDT date 14 
% Invalid word detected at '^' marker. 

Every configuration command has a no form to negate or set its default. In general, the no form is used to reverse the action of a command or reset a value back to the default. For example, the no ip routing configuration command reverses the ip routing of an interface.

  • do command support. This will allow the users to execute the commands from the configuration mode.

(config)# do show vlan
VLAN  Name     Interfaces
1     default  Gi 1/1-9 2.5G 1/1-2

  • Platform debug command support. This will allow the users to obtain technical support by entering and running a debug command in this field.

13.1.2 Industry Standard Configuration Support

The WebStaX software supports an industry standard configuration (ICFG) where commands are stored in a text format.

The switch stores its configuration in a number of text files in CLI format. The files are either virtual (RAM-based), or stored in flash on the switch.

There are three system files:

  • running-config: A virtual file that represents the currently active configuration on the switch. This file is volatile.
  • startup-config: The startup configuration for the switch, read at boot time.
  • default-config: A read-only file with vendor-specific configuration. This file is read when the system is restored to default settings. This is a per-build customizable file that does not require C source code changes.

It is also possible to store up to four files and apply them to running-config, thereby switching configuration. The maximum number of files in the configuration file is limited to a compressed size not exceeding 1 MB. The configuration can be dynamically viewed by issuing the show running-config command.

This current running configuration may be copied to the startup configuration using the copy command. ICFG may be edited and populated on multiple other switches using any standard text editor offline.

It is possible to upload a file from the web browser to all the files on the switch, except default-config, which is read-only. If the destination is running-config, the file will be applied to the switch configuration. This can be done in two ways:

  • Replace mode: The current configuration is fully replaced with the configuration in the uploaded file.
  • Merge mode: The uploaded file is merged with running-config.

If the file system is full (that is, contains the three system files mentioned previously along with other files), it is not possible to create new files. An existing file must be overwritten or another deleted first.

It is possible to activate any of the configuration files present on the switch, except running-config, which represents the currently active configuration. This will initiate the process of completely replacing the existing configuration with that of the selected file.

It is possible to delete any of the writable files stored in flash, including startup-config. If this is done and the switch is rebooted without a prior Save operation, it effectively resets the switch to default configuration.

13.1.3 Web

The web-based software management method allows the network administrator to configure, manage, view, and control the switches remotely. The web-based management method also provides help pages for assisting the switch administrator in understanding the usage.

The supported web browsers are as follows:

• Internet Explorer 8.0 and above
• Firefox 30 and above
• Google Chrome 30 and above
• Safari S5
• Opera 11

The WebStaX software also supports a Copy-all feature for selecting all the available ports. The web configuration is divided into different trees for the following tasks.

  1. Configuration of the features
  2. Monitoring of the configured features using the Auto-Refresh option
  3. Running supported diagnostics
  4. Maintenance of the related features

13.2 SNMP

WebStaX software provides rich SNMP system configuration features with support for SNMPv1, SNMPv2c, and SNMPv3. SNMPv3 configuration facilitates creation of users without authentication and privacy.

SNMPv3 User, Group, View, and Access configuration is also supported including authentication and privacy protocols/passwords. The SNMPv3 configuration allows creation of users without authentication and privacy.

SNMP configuration is supported with an option to specify the allowed network addresses restricted for read-only and read-write privileges.

13.2.1 Multiple SNMP Trap Destinations

WebStaX software provides SNMP configuration features with support for multiple trap destinations on SNMPv1, SNMPv2c, and SNMPv3. SNMPv2c and SNMPv3 also support Inform mode.

13.3 SysLog

Syslog is a method to collect messages from devices to a server running a Syslog daemon. Logging to a central Syslog server helps in aggregation of logs and alerts. WebStaX software can send the log messages to a configured Syslog server running on UDP Port 512.

Some of the supported Syslog events are as follows.

  • Port link up and down
  • Port security limit control reached but the action is none
  • Switch boot up
  • SNMP authentication failure

The Syslog RAM buffer supports the display of a maximum of 21622 of the most recent entries.

13.4 IP Management, DNS, and DHCPv4/v6

The WebStaX software IP stack can be configured to act either as a host or a router. In Host mode, IP traffic between interfaces will not be routed. In Router mode, traffic is routed between all interfaces using Unicast routing.

The system can be configured with zero or more IP interfaces. Each IP interface is associated with a VLAN, and the VLAN represents the IP broadcast domain. Each IP interface may be configured with an IPv4 and/or IPv6 address.

By default, all management interfaces are available on all configured IP interfaces. If this is not desirable, then management access filtering must be configured. For more information, see "Access Control List (ACLs)" on page 30.

The IP address, IP Mask, IP Gateway, and the Next hop VLAN (in the case of IPv6 only) can be configured along with an assigned VLAN. For more information, see "VLAN IP Interface Configuration" on page 25.

The DHCP (IPv4 and/or IPv6) client can be enabled to automatically obtain an IPv4 or IPv6 address from a DHCP server.

An optional fallback mechanism is also provided in the case of IPv4 so that the user can enter a time period in seconds to obtain a DHCP address. After this lease expires, a configured IPv4 address will be used as the IPv4 interface address.

The DHCP query process can be re-initiated on a VLAN.

The Rapid-Commit option is available when a DHCPv6 client is used. If this option is enabled, the DHCPv6 client terminates the waiting process as soon as a Reply message with a Rapid Commit option is received.

The IP (both v4 and v6) address of the DNS server can be provided as part of the IP configuration.

There is also an option to select the DNS proxy where the DUT relays DNS requests to the current configured DNS server on DUT, and replies as a DNS resolver to the client device on the network when enabled.

13.5 DHCP Server

DHCP provides a framework for passing configuration information to hosts on a TCP/IP network and is based on the Bootstrap protocol (BOOTP). It adds the capability of automatic allocation of reusable network addresses and additional configuration options.

DHCP consists of two components: a protocol for delivering host-specific configuration parameters from a DHCP server to a host and a mechanism for allocation of network addresses to hosts. It is a client-server model where the DHCP client is the Internet host to obtain configuration parameters such as network address. The DHCP server is the Internet host that allocates network address and returns configuration parameters to the client.

The WebStaX software conforms to the RFC2131 implementation.

13.6 DHCP Relay

The following configuration parameters are available for configuring the DHCP relay.

Table 9 • DHCP Relay Configuration Parameters

Parameter                 Allowed Range        Default
Relay Mode                Enabled/Disabled     Disabled
Relay Server Address      IP Address           None
Relay Information Mode    Enabled/Disabled     Disabled
Relay Information Policy  Replace, Keep, Drop  Keep

Relay Information mode enables or disables the DHCP option 82 operation. When DHCP Relay Information mode operation is enabled, the agent inserts specific information (option 82) into a DHCP message when forwarding to DHCP server and removes it from a DHCP message when transferring to DHCP client.

The first four characters represent the VLAN ID, the fifth and sixth characters are the module ID (in standalone device it always equals 0, in stackable device it means switch ID), and the last two characters are the port number.

13.7 Management Requirements

13.7.1 Console

The WebStaX software uses the RJ45 serial console to support the CLI for out of band management, debugging, and software upgrades.

13.7.2 System Management

The WebStaX software can be supported in band through any of the front panel ports.

It is possible to create a separate dedicated configurable Management VLAN corresponding to a port for managing the system. The system can be managed through SSH, SNMP, and Web interfaces from this Management VLAN. However, there is no specific service port available on the device.

13.7.3 Crash File Support

The WebStaX software has a provision to capture a crash file when the system has crashed. The file is stored in the Flash and can be managed using the CLI interface, which supports the following operations.

  • List the files on the Flash using the dir command
  • Read the file using the more command
  • Delete the file using the del command
  • Transfer the crash file to a remote server via TFTP using the copy command

13.8 Management Access Filtering

It is possible to restrict access to the switch by specifying the IP address of the VLAN. The HTTP/HTTPS, SNMP, and Telnet/SSH interfaces can be restricted with this feature. The maximum management access filter entries allowed is 16.

If the application's type matches any one of the access management entries, it will allow access to the switch. The access management statistics can also be viewed.

13.9 Thermal Protection

Thermal protection is used to protect the chip from getting overheated. WebStaX software supports thermal protection. This allows users to inspect and configure the current setting for controlling thermal protection.

When the temperature exceeds the configured thermal protection temperature, the ports will be turned off. It is possible to assign ports with different priorities. Each priority can be given a temperature at which the assigned ports will be turned off.

13.10 Default Configuration

The user can also reset the configuration of the switch using the Web interface. Only the IP configuration is retained after resetting to factory defaults. The new configuration is available immediately, which means that no restart is necessary.

13.11 Configuration Upload/Download

The switch software allows saving, viewing, or loading the switch configuration. XML configuration upload/download has been obsoleted by the industry standard configuration. For more information, see "Industry Standard Configuration Support" on page 36.

13.12 Port Statistics

WebStaX software supports detailed port related statistics and system information related configuration. It is possible to view the detailed QoS related statistics using WebStaX software.

13.13 Network Time Protocol (NTP)

NTP is widely used to synchronize system clocks among a set of distributed time servers and clients. NTP is disabled by default. The implemented NTP version is 4.

The NTP IPv4 or IPv6 address can be configured and a maximum of five servers are supported. Daylight saving time can also be supported to automatically adjust the Time offset.

13.14 Loop Detection Restore to Default

Restoring factory default can also be performed by making a physical loopback between port 1 and port 2 within the first minute from switch reboot. In the first minute after boot, loopback packets will be transmitted at port 1.

If a loopback packet is received at port 2, the switch will restore to default.

13.15 Dual Image

WebStaX software supports the provision for a dual software image. It also provides software image selection information for the active and alternate (backup) firmware images in the device to enable reverting to the alternate image if desired.

If the alternate image is active (as a result of corruption of the primary image or by manual intervention), uploading a new firmware image to the device will automatically use the primary image slot and activate this image.

The software image selection information includes the following:

• Image: The flash index name of the firmware image
• Version: The version of the firmware image
• Date: The date when the firmware was produced

14 SNMP MIBs

WebStaX supports a comprehensive set of standard MIBs.

SNMPv3 is supported and is backward compatible with SNMPv2c and SNMPv1. The MIB information can be viewed with the configured community name. For more information, see "SNMP" on page 38.

The following CLI commands can be used to display the supported MIBs and view the ifIndex mapping.

# show snmp mib context
BRIDGE-MIB :
- dot1dBase (.1.3.6.1.2.1.17.1)
- dot1dTp (.1.3.6.1.2.1.17.4)
Dot3-OAM-MIB :
- dot3OamMIB (.1.3.6.1.2.1.158)
ENTITY-MIB :
- entityMIBObjects (.1.3.6.1.2.1.47.1)
EtherLike-MIB :
- transmission (.1.3.6.1.2.1.10)
IEEE8021-BRIDGE-MIB :

# show snmp mib ifmib ifIndex

Table 10 • ifIndex Descriptions

| ifIndex | ifDescr | Interface |
|---|---|---|
| 1 | VLAN 1 | vlan 1 |
| 1000001 | Switch 1 - Port 1 | GigabitEthernet 1/1 |
| 1000002 | Switch 1 - Port 2 | GigabitEthernet 1/2 |
| 1000003 | Switch 1 - Port 3 | GigabitEthernet 1/3 |
| 1000004 | Switch 1 - Port 4 | GigabitEthernet 1/4 |
| 1000005 | Switch 1 - Port 5 | GigabitEthernet 1/5 |
| 1000006 | Switch 1 - Port 6 | GigabitEthernet 1/6 |
| 1000007 | Switch 1 - Port 7 | GigabitEthernet 1/7 |
| 1000008 | Switch 1 - Port 8 | GigabitEthernet 1/8 |
| 1000009 | Switch 1 - Port 9 | 2.5GigabitEthernet 1/1 |
| 1000010 | Switch 1 - Port 10 | 2.5GigabitEthernet 1/2 |
| 1000011 | Switch 1 - Port 11 | GigabitEthernet 1/9 |
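
An added example (not part of the manual) that parses the `show snmp mib context` output shown above and resolves an OID to the supported subtree that contains it, which is useful when reviewing what an SNMP view or poller should be allowed to read. The function names are hypothetical, and the sample text is the excerpt printed above with the BRIDGE-MIB object names spelled as that MIB defines them.

```python
import re

# Excerpt of the "show snmp mib context" output printed in this manual.
SAMPLE = """\
BRIDGE-MIB :
- dot1dBase (.1.3.6.1.2.1.17.1)
- dot1dTp (.1.3.6.1.2.1.17.4)
Dot3-OAM-MIB :
- dot3OamMIB (.1.3.6.1.2.1.158)
ENTITY-MIB :
- entityMIBObjects (.1.3.6.1.2.1.47.1)
EtherLike-MIB :
- transmission (.1.3.6.1.2.1.10)
"""

_MIB = re.compile(r"^(\S+)\s*:\s*$")
_OBJ = re.compile(r"^-\s*(\S+)\s*\(\.?([0-9]+(?:\.[0-9]+)*)\)\s*$")


def parse_mib_context(text):
    """Return {mib_name: [(object_name, oid_tuple), ...]} from the CLI output."""
    contexts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _MIB.match(line)
        if m:
            current = contexts.setdefault(m.group(1), [])
            continue
        m = _OBJ.match(line)
        if m and current is not None:
            current.append((m.group(1), tuple(int(p) for p in m.group(2).split("."))))
        # Any other line (blank, truncated output) is skipped rather than guessed at.
    return contexts


def owning_subtree(contexts, oid):
    """Return (mib, object) for the longest listed subtree containing oid, else None."""
    want = tuple(int(p) for p in oid.strip(".").split("."))
    best = None
    for mib, objects in contexts.items():
        for name, root in objects:
            # Compare arc by arc: a plain string prefix test would wrongly
            # place .1.3.6.1.2.1.17.10 under dot1dBase (.1.3.6.1.2.1.17.1).
            if want[:len(root)] == root and (best is None or len(root) > len(best[2])):
                best = (mib, name, root)
    return best[:2] if best else None
```
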

14.1 Standard MIBs

The following standard MIBs are supported.

• BRIDGE-MIB
• DIFFSERV-DSCP-TC
• ENTITY-MIB
• EtherLike-MIB
• IANA-ADDRESS-FAMILY-NUMBERS-MIB
• IANAifType-MIB
• IEEE8021-MSTP-MIB
• IEEE8021-TC-MIB
• IEEE8023-LAG-MIB
• IF-MIB
• IGMP-STD-MIB
• INET-ADDRESS-MIB
• IP-FORWARD-MIB
• IP-MIB
• IPATM-IPMC-MIB
• LLDP-EXT-MED-MIB
• LLDP-MIB
• MAU-MIB
• MGMD-MIB
• POWER-ETHERNET-MIB
• Q-BRIDGE-MIB
• RFC1213-MIB
• SFLOW-MIB
• SMON-MIB
• SNMP-FRAMEWORK-MIB
• SNMP-MPD-MIB
• SNMP-USER-BASED-SM-MIB
• SNMP-VIEW-BASED-ACM-MIB
• SNMPv2-CONF
• SNMPv2-MIB
• SNMPv2-PDU
• SNMPv2-SMI
• SNMPv2-TC

15 List of Changes

The following changes were implemented in this document. The changes are listed by revision, starting with the most current publication.

| Date | Revision | Changes |
|---|---|---|
| July 2015 | 1.0 | This was the first publication of the document. All examples and descriptions are valid for the API release version 4.64m. |


Microsemi.

Power Matters.™

Microsemi Corporate Headquarters

One Enterprise, Aliso Viejo,

CA 92656 USA

Within the USA: +1 (800) 713-4113

Outside the USA: +1 (949) 380-6100

Sales: +1 (949) 380-6136

© 2015 Microsemi Corporation. All rights reserved. Microsemi and the Microsemi logo are trademarks of Microsemi Corporation. All other trademarks and service marks are the property of their respective owners.

Microsemi Corporation (Nasdaq: MSCC) offers a comprehensive portfolio of semiconductor and system solutions for communications, defense & security, aerospace and industrial markets. Products include high-performance and radiation-hardened analog mixed-signal integrated circuits, FPGAs, SoCs and ASICs; power management products; timing and synchronization devices and precise time solutions, setting the world's standard for time; voice processing devices; RF solutions; discrete components; security technologies and scalable anti-tamper products; Ethernet solutions; Power-over-Ethernet ICs and midspans; as well as custom design capabilities and services. Microsemi is headquartered in Aliso Viejo, Calif., and has approximately 3,600 employees globally. Learn more at www.microsemi.com.

Microsemi makes no warranty, representation, or guarantee regarding the information contained herein or the suitability of its products and services for any particular purpose, nor does Microsemi assume any liability whatsoever arising out of the application or use of any product or circuit. The products sold hereunder and any other products sold by Microsemi have been subject to limited testing and should not be used in conjunction with mission-critical equipment or applications. Any performance specifications are believed to be reliable but are not verified, and Buyer must conduct and complete all performance and other testing of the products, alone and together with, or installed in, any end-products. Buyer shall not rely on any data and performance specifications or parameters provided by Microsemi. It is the Buyer's responsibility to independently determine suitability of any products and to test and verify the same. The information provided by Microsemi hereunder is provided "as is, where is" and with all faults, and the entire risk associated with such information is entirely with the Buyer. Microsemi does not grant, explicitly or implicitly, to any party any patent rights, licenses, or any other IP rights, whether with regard to such information itself or anything described by such information. Information provided in this document is proprietary to Microsemi, and Microsemi reserves the right to make any changes to the information in this document or to any products and services at any time without notice.

Product information

Brand : Microchip

Model : VSC6812-3.66

Category : Software