switching nms and policy boot camp student guide v1.71r

Upload: marcos-solorzano

Post on 14-Feb-2018


  • 7/23/2019 Switching NMS and Policy Boot Camp Student Guide v1.71r


    Enterasys Educational Services

    Switching/NMS/Policy Student Guide

    Version 1.71


    Terms & Condition of Use:

    Enterasys Networks, Inc. reserves all rights to its materials and the content of the materials. No material provided by Enterasys Networks, Inc. to a Partner (or Customer, etc.) may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or by any information storage or retrieval system, or incorporated into any other published work, except for internal use by the Partner and except as may be expressly permitted in writing by Enterasys Networks, Inc.

    This document and the information contained herein are intended solely for informational use. Enterasys Networks makes no representations or warranties of any kind, whether expressed or implied, with respect to this information and assumes no responsibility for its accuracy or completeness. Enterasys Networks, Inc. hereby disclaims all liability and warranty for any information contained herein and all the material and information herein exists to be used only on an "as is" basis. More specific information may be available on request. By your review and/or use of the information contained herein, you expressly release Enterasys from any and all liability related in any way to this information. A copy of the text of this section is an uncontrolled copy, and may lack important information or contain factual errors. All information herein is Copyright Enterasys Networks, . All rights reserved. All information contained in this document is subject to change without notice.

    For additional information refer to:

    http://www.enterasys.com/constants/terms-of-use.aspx

    2013 Enterasys Networks, Inc. All rights reserved. Enterasys Confidential


    A quick positioning comparison of Enterasys switches may be useful.

    The A4 is Enterasys Networks' low-cost, entry-level Layer 2 switch that delivers high-density and high-availability switching via closed loop 1 Gb stacking, redundant stack management and external RPS support for all family members.

    The C series family offers comparable port densities and Layer 2 features to the B series. In addition, the C series offers advanced software features like routing and IPv6.


    The C5 only requires one license, unlike the C3; this single license enables both IPv6 and advanced routing features.

    While the base features of the C/G series may seem to be similar to the K series, the K series offers a super-set (i.e. multi-user authentication and policies on a single port) of the advanced software features found on the C/G series.

    The S series offers better features than the K when it comes to the quantity of users being able to authenticate and be given different policies. In addition, there are additional layer 3 features available on the 150/155 modules.


    Port mirroring is an integrated diagnostic tool for tracking network performance and security that is especially useful for fending off network intrusion and attacks. It is a low-cost alternative to network taps and other solutions that may require additional hardware, may disrupt normal network operation, may affect client applications, and may even introduce a new point of failure into your network. Port mirroring scales better than some alternatives and is easier to monitor. It is convenient to use in networks where ports are scarce.


    Supported in a bonded chassis


    Remote Monitoring (RMON) is a standard network management protocol that allows network information to be gathered at a single workstation. RMON 1 defines nine MIBs that provide a much richer set of data about network usage.

    Statistics: Overall packet statistics, including destination type breakdown, error breakdown, and frame size breakdown.

    History: Records periodic "snapshots" of the information collected in the Statistics Group. The amount of time that the "snapshots" capture is normally user-configurable.

    Alarms: Compares user-selected statistics to user-defined rising and falling thresholds. Alarms can be generated if a threshold is exceeded. Any MIB defined as an integer can be compared to a threshold.

    Events: Works hand-in-hand with the alarm, filter, and packet capture groups, providing a means for defining responses to alarm conditions and successful packet captures; events can also be used to enable and/or disable an action or set of actions that will automatically be taken in response to an event.
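The rising and falling thresholds of the Alarms group work as a pair, which the following added example (not part of the original guide) shows on a polled counter. It goes beyond the text above by applying the hysteresis rule of the RMON alarm group as defined in RFC 2819: after a rising alarm, no further rising alarm is raised until the falling threshold has been reached. The function names and the counter values are constructed for illustration, and startup is modelled so that either alarm may fire first.

```python
def rmon_alarm_events(samples, rising, falling, delta=True):
    """Return [(sample_index, "rising" | "falling", value), ...].

    samples: polled values of one integer MIB object.
    delta=True compares the difference between consecutive polls (suited to
    counters); delta=False compares the absolute value (suited to gauges).
    Counter wrap is not handled in this sketch.
    """
    if falling > rising:
        raise ValueError("falling threshold must not exceed rising threshold")
    events = []
    armed_rising = armed_falling = True   # at startup either alarm may fire
    previous = None
    for index, raw in enumerate(samples):
        if delta:
            if previous is None:          # first poll only sets the baseline
                previous = raw
                continue
            value, previous = raw - previous, raw
        else:
            value = raw
        if value >= rising and armed_rising:
            events.append((index, "rising", value))
            armed_rising, armed_falling = False, True
        elif value <= falling and armed_falling:
            events.append((index, "falling", value))
            armed_falling, armed_rising = False, True
    return events


def naive_threshold_alerts(samples, rising):
    """For comparison: alert on every interval whose delta exceeds the threshold."""
    return [i for i in range(1, len(samples))
            if samples[i] - samples[i - 1] >= rising]


# Constructed polls of a broadcast-packet counter on one port.
BROADCAST_COUNTER = [0, 120, 270, 5270, 11270, 11420, 16420, 16470, 16500, 22500]

if __name__ == "__main__":
    for event in rmon_alarm_events(BROADCAST_COUNTER, rising=1000, falling=100):
        print(event)
    print("naive alerts at polls:", naive_threshold_alerts(BROADCAST_COUNTER, 1000))
```

The paired thresholds report the start and end of each burst once, where a single threshold would raise an alert for every noisy interval.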


    Packet Flow Sampling

    The packet flow sampling mechanism carried out by each sFlow Instance ensures that any packet observed at a Data Source has an equal chance of being sampled, irrespective of the packet flow(s) to which it belongs.

    Packet flow sampling is accomplished as follows:

    When a packet arrives on an interface, the Network Device makes a filtering decision to determine whether the packet should be dropped.

    If the packet is not filtered (dropped), a destination interface is assigned by the switching/routing function.

    At this point, a decision is made on whether or not to sample the packet. The mechanism involves a counter that is decremented with each packet. When the counter reaches zero a sample is taken.

    When a sample is taken, the counter indicating how many packets to skip before taking the next sample is reset. The value of the counter is set to a random integer where the sequence of random integers used over time is the Sampling Rate.

    Packet flow sampling results in the generation of Packet Flow Records. A Packet Flow Record contains information about the attributes of a packet flow, including:

    Information on the packet itself: a packet header, packet length, and packet encapsulation.

    Information about the path the packet took through the device, including information relating to the selection of the forwarding path.
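The skip-counter mechanism described above, as an added example that is not part of the original guide. It compares a randomised skip with a fixed skip on periodic traffic to show why the reset value is random. The class and function names are hypothetical, the traffic is constructed, and drawing the skip uniformly from 1 to 2N-1 (so that its mean is the sampling rate N) is an assumption, since the guide does not name a distribution.

```python
import random
from collections import Counter


class SkipCounterSampler:
    """Counter-based packet sampler: decrement per packet, sample at zero."""

    def __init__(self, sampling_rate, rng, randomize=True):
        if sampling_rate < 1:
            raise ValueError("sampling rate must be >= 1")
        self.rate = sampling_rate
        self.rng = rng
        self.randomize = randomize
        self.sample_pool = 0   # packets that could have been sampled
        self.samples = 0       # packets actually sampled
        self.skip = self._next_skip()

    def _next_skip(self):
        if not self.randomize:
            return self.rate   # fixed 1-in-N, kept only for comparison
        # Assumption: uniform on [1, 2N-1], whose mean is N.
        return self.rng.randint(1, 2 * self.rate - 1)

    def observe(self, filtered=False):
        """Process one packet; return True if it is sampled."""
        if filtered:           # dropped by the filtering decision: never a candidate
            return False
        self.sample_pool += 1
        self.skip -= 1
        if self.skip > 0:
            return False
        self.samples += 1
        self.skip = self._next_skip()   # reset the counter after each sample
        return True


def periodic_traffic(i):
    """Constructed traffic: every 10th packet is a 'beacon', the rest 'bulk'."""
    return "beacon" if i % 10 == 0 else "bulk"


def estimate_flow_packets(flow_of_packet, n_packets, sampling_rate,
                          randomize=True, seed=1):
    """Sample n_packets and scale the per-flow sample counts back up."""
    sampler = SkipCounterSampler(sampling_rate, random.Random(seed), randomize)
    sampled = Counter()
    for i in range(n_packets):
        if sampler.observe():
            sampled[flow_of_packet(i)] += 1
    scale = sampler.sample_pool / sampler.samples if sampler.samples else 0.0
    return {flow: round(count * scale) for flow, count in sampled.items()}


if __name__ == "__main__":
    print("true counts : beacon=10000 bulk=90000")
    print("fixed skip  :", estimate_flow_packets(periodic_traffic, 100_000, 10, False))
    print("random skip :", estimate_flow_packets(periodic_traffic, 100_000, 10, True))
```

With a fixed skip the sampler stays in step with the periodic flow and never sees it, so a collector would report no beacon traffic at all; the random skip breaks that alignment.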


    Login Security Password: Used to access the device's CLI to start a Local Management session via a Telnet connection or local COM port connection.

    SNMP Community Names: Allow access to the device via a network SNMP management application, such as Enterasys NetSight.

    Host Access Control Authentication: Authenticates user access to Telnet management, console local management, and WebView via a central RADIUS Client/Server application.

    802.1X Port Based Network Access Control using EAPOL: Provides a mechanism via a RADIUS server for administrators to securely authenticate and grant appropriate access to end user devices directly attached to device ports.

    MAC Authentication: Provides a mechanism for administrators to securely authenticate source MAC Addresses and grant appropriate access to end user devices directly attached to device ports.

    MAC Locking: Locks a port to one or more MAC Addresses, preventing connection of unauthorised devices via the port.

    Secure Shell (SSH): Permits or denies remote access based on IP address.

    Access Control Lists (ACLs): Permit or deny access to routing interfaces based on protocol and source IP Address restrictions configured in access lists.

    Denial of Service (DoS) Prevention


    There are various configuration and management options for Enterasys switches, which vary by switch product family, including:

    Local Management (LM)
    NetSight
    WebView and SSL
    Telnet and SSH

    All Enterasys switch products may be managed via their console or COM port for out-of-band access to either menu-driven management screens or to a command-line interface. This is commonly referred to as Local Management (LM). The network administrator must be local to the device in order to manage it.

    A device IP address is not required to manage the device through LM. The console port on a device may be either an RJ45 or a DB9 connector, which may be connected to a VT type terminal, a PC with a terminal emulation application (such as HyperTerminal, PuTTY or TeraTerm Pro), or to a modem.


    You must remember the type of port you are configuring. If you are configuring a gigabit port that is running at 100 Mbps, that port must still be referred to as ge.x.x


    Other examples:

    fe.1.1-10: 100 Mbps ports 1 through 10 in chassis slot 1/Unit 1
    ge.3.2: 1 Gigabit port 2 in chassis slot 3/Unit 3
    tg.3.1: 10 Gigabit port 1 in chassis slot 3/Unit 3

    In addition to fe, ge, tg, and fg, other port types include:

    com for COM (console) port
    vlan for vlan interfaces
    lag for IEEE 802.3 link aggregation ports
    lbpk for loopback interfaces
    vsb for hardware VSB ports

    With the S and K series, routed VLANs will be seen as vlan.0.x.


    The logout timer can be set to 60 or disabled (set logout 0) when configuring the switch in a lab, but for good practice it should be kept at a minimum.

    Using Simple Network Time Protocol (SNTP) is a better option.


    A, B, C, D, G and I Switches

    Do not support time delayed reset (NetSight can be used for this) reset [unit].

    Note: clear config does not clear stacking IDs and switch priorities - clear config all does.


    WebView is enabled by default on all products and usually works only when it is run with Super User/Admin rights to the managed device.

    Secure Socket Layer (SSL) works by using a private key to encrypt data for the transmission of private documents over the Internet.

    All but the S and K series support SSL.


    Telnet is a terminal emulation program for TCP/IP networks. Once an Enterasys switch has a valid IP address, you can establish a Telnet session to the device from any TCP/IP based node on the network. You can enter management commands via the Telnet program and they will be executed as if you were entering them via the console or COM port. The management screens seen during a Telnet session are identical to those seen via the console or COM port.

    An enhancement to Telnet is SSH. SSH is a protocol for secure remote login over an insecure network. It provides a secure replacement of the Telnet feature by encrypting communications between two hosts.


    Enterasys periodically provides firmware upgrades and, less frequently, Boot PROM upgrades. These are required to:

    Address software incompatibilities
    Introduce and integrate new features
    Address problems and issues with previous firmware versions
    Support new and future technologies

    Enterasys switches primarily support Trivial File Transfer Protocol (TFTP) or BootP server functionality. Other methods of firmware upgrade include File Transfer Protocol (FTP) and serial connection via zmodem.


    The online TFTP download process for upgrading firmware is as follows:

    The operating image remains in LRAM while the new image is downloaded directly to the flash memory.

    Once the TFTP server and settings are initialized, the device will erase the contents of the flash memory. (Caution should be taken in this state because with no image in flash memory, the device would require a BootP if the device were reset for any reason.) The compressed file will download directly to the flash memory.

    Once the download is complete, the device will operate using the old image until such time that the device is reset.

    Upon reboot, the new image will be utilized via a normal boot up.


    The S and K series allow you to download and store multiple image files. This feature is useful for reverting back to a previous version in the event that a firmware upgrade fails to boot successfully. When installing a new module in an existing system, the system's operating firmware image needs to be compatible with the new module. If they are not compatible, we recommend that the system be upgraded prior to the installation of the new module. If the system is not upgraded prior to the installation, the new module may not complete initialisation and be operational. It will remain in a halted state until the running chassis is upgraded to a compatible firmware version.

    There are three ways to download firmware to the S and K series devices:

    An FTP download uses an FTP server connected to the network and downloads the firmware using the FTP protocol. This is the most robust downloading mechanism.

    A TFTP download uses a TFTP server connected to the network and downloads the firmware using the TFTP protocol.

    An out-of-band download is accomplished via the serial (console) port. By typing the command download, you send the firmware image via the ZMODEM protocol from your terminal emulation application.


    Once you have configured a device, you can save that configuration to a file as backup or use it to configure a new, similar switch. Uploading and downloading configurations is useful for replicating configurations of switches of the same model, and for troubleshooting purposes. This section of the module describes how each product family handles configuration uploads and downloads.

    First, let's define some terms.

    Uploading a configuration from a switch means that the configuration is currently on the device and is copied to a local server via the TFTP protocol.

    Downloading a configuration means that you are taking a configuration file previously uploaded from a switch and downloading it. The switch will now take the properties that had been previously uploaded.

    For best results, the switch should be physically identical to the switch that the config was uploaded from. That is, it should be the same switch type, with the same sub-module types installed, and should be running the same firmware. This last bit is not an absolute rule, but is based on the fact that interpretation of configuration files is somewhat firmware-specific.

    The Enterasys recommended way to back up switch configurations is to use Inventory Manager's Archive utility. Note that each switch has a limited amount of storage for configurations (the number of configurations a switch can store depends on the size of the configuration).


    Default VLAN and Number of Supported VLANs

    By default, all ports on all Enterasys switches are assigned to VLAN ID 1, with the egress status defaulting to untagged for all ports. How many VLANs are supported and the range of VLAN IDs (VIDs) allowed varies depending on the device. IEEE 802.1Q specifies 4096 VLAN IDs. There is a distinction between the range of VID values (0 through 4095) that a switch vendor implements, and the maximum number of active VLANs a particular switch can support. For example, a switch may only support 10 active VLANs, but may support VIDs from anywhere in the full IEEE specified range.

    The allowable user-configurable range for VLAN IDs (VIDs) is from 2 through 4094.

    VID 0 is the null VLAN ID, indicating that the tag header in the frame contains priority information rather than a VLAN identifier. It cannot be configured as a port VLAN ID (PVID).

    VID 1 is designated the default PVID value for classifying frames on ingress through a switched port. It may be changed on a per-port basis.

    VID 4095 is reserved by IEEE for implementation use.

    Each VLAN ID in a network must be unique. If a duplicate VLAN ID is entered, the Enterasys switch assumes that the administrator intends to modify the existing VLAN.

    Enterasys switches use the VLAN tag information contained in a data packet for all ingress, forwarding and egress decisions.


    For this example, assume that a unicast untagged frame is received on Port 3. The frame is classified for VLAN 20. The switch makes its forwarding decision by comparing the destination MAC address to information previously learned and entered into its filtering database.

    In this case, the MAC address is looked up in the FDB for FID 20. Let's say the switch recognizes the destination MAC of the frame as being located out Port 4. Having made the forwarding decision based on entries in the FID, the switch now examines the Port VLAN egress list of Port 4 to determine if it may transmit frames belonging to VLAN 20. If so, the frame is transmitted out Port 4. The VLAN egress config will dictate if the frame leaves tagged or untagged.

    If Port 4 has not been configured to transmit frames belonging to VLAN 20, the frame is either discarded or will be forwarded through another port.


    For most networks, the following is the normal sequence you would follow to configure VLANs:

    Review existing VLANs
    Create and name VLANs
    Assign port VLAN IDs
    Enable ingress filtering
    Configure VLAN egress
    Create a management VLAN
    Enable/disable GVRP

    Let's review each of these steps for Enterasys switches.


    When creating VLANs, first assign a VLAN ID within the supported range of the device. This is a numeric ID. You may also assign a VLAN name to each VLAN. This name is for the administrator's use. The name of the VLAN has no effect on the VLAN or its functioning. It is the VLAN ID that counts.


    If you are configuring multiple VLANs, we recommend that you configure a management-only VLAN. This allows a station connected to the management VLAN to manage the device. It also makes management secure by preventing configuration via ports assigned to other VLANs.

    The process of assigning a management VLAN must be repeated on every device that is connected to the network to ensure that each device has a secure management VLAN. When configuring multiple devices, the VLAN names can be different, but the management VLAN ID must be the same on each device. It is not necessary to configure a physical port for management on each switch. Only those switches that will have a management station attached need a physical port assigned to the management VLAN.


    Before enabling VLANs for the switch, you must first assign each port to the VLAN group or groups in which it will participate. Port VLAN IDs (PVIDs) determine the VLAN to which all untagged frames received on one or more ports will be classified. This is a classification mechanism that associates a port with a specific VLAN and is used to make forwarding decisions for untagged packets received by the port.

    For example, if port 2 is assigned a PVID of 3, then all untagged packets received on port 2 will be assigned to VLAN 3. If no VLANs are defined on the switch, all ports are assigned to the default VLAN with a PVID equal to 1.

    You should add a port as a tagged port (that is, a port attached to a VLAN-aware device) if you want it to carry traffic for one or more VLANs, and the device at the other end of the link also supports VLANs. If you want a port on a switch to participate in one or more VLANs, but intermediate devices or the device at the other end of the link do not support VLANs, then you must add the port as an untagged port (a port attached to a VLAN-unaware device).

    On Enterasys switches, ports can be assigned to multiple tagged or untagged VLANs. Each port on the switch is therefore capable of passing tagged or untagged frames.


    Switch Portfolio

    PVIDs are configured in the same way on all our switches. The PVID is used to classify untagged frames as they ingress into a given port. When setting a PVID with the set port vlan command, you can also add the port to the VLAN's untagged egress list (egress is discussed later).

    Example: If you assign ports 1, 5, 8, and 9 to VLAN 3, untagged frames received on those ports will be assigned to VLAN 3. If the specified VLAN (VLAN 3 in this example) has not already been created, this command (set port vlan) will create it, add the VLAN to the port's egress list as untagged, and remove the default VLAN from the port's egress list.

    The port egress type for all ports defaults to tagging transmitted frames. This can be changed to forbidden or untagged. Setting a port to forbidden prevents it from participating in the specified VLAN and ensures that any dynamic requests, either through GVRP or Dynamic Egress, for the port to join the VLAN, will be ignored. (Dynamic Egress is discussed in a later section of this module.) Setting a port to untagged allows it to transmit frames without a tag header. This setting is usually used to configure a port connected to an end user or other VLAN-unaware device.


    The egress process dictates where the packet is allowed to go within the VLAN. The ingress process classifies received frames as belonging to one and only one VLAN. The forwarding process looks up learned information in the filtering database to determine where received frames should be forwarded.

    Egress determines which ports will be eligible to transmit frames for a particular VLAN, or it may be used to prevent one or more ports from participating in a VLAN. In general, VLANs have no egress (except VLAN ID 1), until they are configured by static administration or through dynamic mechanisms (GVRP, policy classification, or Enterasys Dynamic Egress).


    If the frame format is not specified in the set vlan egress command, the port is automatically added to the VLAN's egress list as tagged.


    On all platforms, the show vlan command displays the device's VLANs and only ports on the VLAN's egress list that are forwarding.

    If a port possesses one or more of the following characteristics, the port is not displayed with the show vlan command, regardless of the administrative configuration of the device:

    No link
    Blocking due to spanning tree
    Member of a LAG port


    This is quite a common configuration when using IP telephones in a network. This is an example of using tagged and untagged devices off of a common port.

    All network managers will want to place Voice over IP (VoIP) traffic into a separate VLAN from the one used for end user PCs. The reason for this is that they will want to treat the VoIP traffic differently in times of congestion and also to reduce the broadcast traffic; that is why the two types of traffic are placed in different VLANs.

    This is achieved by having the PCs send untagged packets and the phones send tagged packets. The Port VLAN Identifier (PVID) configured on the switch port places the PC's packets into that VLAN, while the phone sends tagged packets to the switch and the switch keeps those packets in the VLAN named in the tag. For this to work, though, the switches still have to have all the VLANs configured on them.


    An Enable Ingress Filtering parameter is associated with each port on the Enterasys switches. Ingress Filtering is disabled by default per the IEEE 802.1Q standard because it is very limiting as to what packets will be forwarded. It can be useful, however, in limiting broadcasts. If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).


    In this figure, Workstation A's packet has a VLAN ID tag of 7. It is received on port 1 of a switch and it is a broadcast packet. The switch logic will check to see if port 1 is on the egress list of VLAN 7.

    If port 1 is on VLAN 7's egress list, the packet from Workstation A will be classified to VLAN 7, checked against the information in the filtering database and egress list, and transmitted out the appropriate port.

    If port 1 is not on the egress list of VLAN 7 (as in this figure), the packet will not be transmitted. This configuration prevents Workstation A's broadcast packets from flooding across VLAN 7 and wasting valuable bandwidth.

    The process just described is referred to as ingress filtering and it is used to conserve bandwidth within the switch by dropping packets that are not on the same VLAN as the ingress port at the point of reception. This eliminates the subsequent processing of packets that will just be dropped by the destination port. It affects tagged frames only and does not affect VLAN-independent BPDU frames.
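
    The PVID classification and ingress-filtering behaviour described on the preceding pages, as a small Python model. This is an added example, not Enterasys code: the port numbers, VLAN 10 (data) and VLAN 20 (voice) are constructed, and the model assumes a broadcast is forwarded to the egress list of the VLAN the frame is classified to.

```python
"""Toy model of 802.1Q ingress handling on one switch (added example)."""
from dataclasses import dataclass, field


@dataclass
class Port:
    pvid: int                        # VLAN assigned to untagged frames
    ingress_filtering: bool = False  # disabled by default, as the text states


@dataclass
class Switch:
    ports: dict                                    # port number -> Port
    egress: dict = field(default_factory=dict)     # VLAN ID -> member ports
    forbidden: dict = field(default_factory=dict)  # VLAN ID -> barred ports

    def classify(self, in_port, tag=None):
        """Return (vlan, reason); vlan is None when the frame is dropped."""
        port = self.ports[in_port]
        if tag is None:
            return port.pvid, "untagged: classified to the port's PVID"
        if tag not in self.egress:
            return None, "dropped: VLAN is not configured on this switch"
        if in_port in self.forbidden.get(tag, set()):
            return None, "dropped: VLAN is forbidden on the receiving port"
        if port.ingress_filtering and in_port not in self.egress[tag]:
            return None, "dropped: ingress filtering, port not on egress list"
        return tag, "tagged: kept in the VLAN named in the tag"

    def flood(self, in_port, tag=None):
        """Ports a broadcast leaves on (never the receiving port), plus reason."""
        vlan, reason = self.classify(in_port, tag)
        if vlan is None:
            return set(), reason
        return self.egress.get(vlan, set()) - {in_port}, reason


def demo_switch(filtering_on_port1=False, forbid_port1_vlan7=False):
    """Constructed layout: port 1 carries a PC (untagged) and a phone (tag 20).

    Ports 2 and 4 are in data VLAN 10, ports 3 and 4 in voice VLAN 20,
    and ports 4 and 5 in VLAN 7. Port 1 is NOT on VLAN 7's egress list.
    """
    ports = {n: Port(pvid=10) for n in (1, 2, 4)}
    ports[3] = Port(pvid=20)
    ports[5] = Port(pvid=7)
    ports[1].ingress_filtering = filtering_on_port1
    return Switch(
        ports=ports,
        egress={10: {1, 2, 4}, 20: {1, 3, 4}, 7: {4, 5}},
        forbidden={7: {1}} if forbid_port1_vlan7 else {},
    )


if __name__ == "__main__":
    cases = [
        ("ingress filtering off", demo_switch()),
        ("ingress filtering on", demo_switch(filtering_on_port1=True)),
        ("VLAN 7 forbidden on port 1", demo_switch(forbid_port1_vlan7=True)),
    ]
    for label, sw in cases:
        print(label)
        for tag in (None, 20, 7):
            out, why = sw.flood(1, tag)
            print(f"  port 1, tag {tag}: egress {sorted(out)} ({why})")
```

    With filtering off, the frame tagged 7 from port 1 is delivered into VLAN 7 even though port 1 is not a member; enabling ingress filtering on the port, or forbidding the VLAN on it, drops the frame at reception.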


    GVRP employs three GARP timers:

    Join Timer: Controls the interval between transmitting requests/queries to participate in a VLAN group. The default value is 20 seconds.

    Leave Timer: Controls the interval a port waits before leaving a VLAN group. It should be more than twice the join time to ensure that the applicant can rejoin before a port actually leaves the group. The default value is 60 seconds.

    Leave All Timer: Controls the interval between sending out a LeaveAll query message for VLAN group participants and the port leaving the group. This interval should be considerably larger than the Leave Timer setting to minimise the amount of traffic generated by nodes rejoining the group. The default value is 1000 seconds.

    Management can prohibit ports from participating in GVRP, as well as change the timer defaults. The default values for the GARP timers are independent of the media access method or data rate. These values should not be changed unless you are experiencing difficulties with GVRP registration/deregistration. If changed, they must be changed to the same values on all switches in the network.


    Switch 1 and 4 have VLAN 60 configured and the edge ports to PC1 and PC2 have a PVID of 60

    Switch 1's uplink to Switch is configured for VLAN 60 as tagged, the same for Switch 4


    Switch Portfolio

    On all our switches GVRP is globally enabled by default.

    Setting a port to forbidden prevents it from participating in the specified VLAN and ensures that any dynamic requests (either through GVRP or Dynamic Egress) for the port to join the VLAN will be ignored. If GVRP is enabled, VLANs will be propagated dynamically through the network.


    Classification is discussed in more detail in the Traffic Management module of this course.


    CONFIGURING PROTECTED PORTS

    The Protected Port feature is used to prevent ports from forwarding traffic to each other, even when they are on the same VLAN. Ports may be designated as either protected or unprotected. Ports are unprotected by default. Multiple groups of protected ports are supported.

    Protected Port Operation

    Ports that are configured to be protected cannot forward traffic to other protected ports in the same group, regardless of having the same VLAN membership. However, protected ports can forward traffic to ports which are unprotected (not listed in any group). Protected ports can also forward traffic to protected ports in a different group, if they are in the same VLAN. Unprotected ports can forward traffic to both protected and unprotected ports. A port may belong to only one set of protected ports.

    This feature only applies to ports within a switch. It does not apply across multiple switches in a network.
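
    The forwarding rules above, expressed as a check that can be run over a planned port layout to see which ports are actually isolated from each other. This is an added example, not Enterasys code; the group numbers, port numbers and VLAN IDs are constructed.

```python
"""Protected-port forwarding rules on a single switch (added example)."""
from itertools import combinations

# Constructed layout: two protected groups, ports 5 and 6 unprotected.
GROUPS = {1: {1, 2}, 2: {3, 4}}                # group id -> protected ports
VLANS = {100: {1, 2, 3, 4, 5}, 200: {5, 6}}    # VLAN ID -> member ports


def validate_groups(groups):
    """Return port -> group id; a port may belong to only one group."""
    owner = {}
    for gid, ports in groups.items():
        for port in ports:
            if port in owner:
                raise ValueError(
                    f"port {port} is in groups {owner[port]} and {gid}")
            owner[port] = gid
    return owner  # ports missing from the map are unprotected


def shares_vlan(a, b, vlan_members):
    """True if both ports are members of at least one common VLAN."""
    return any(a in m and b in m for m in vlan_members.values())


def can_forward(src, dst, owner, vlan_members):
    """True if the switch forwards traffic from src to dst."""
    if src == dst or not shares_vlan(src, dst, vlan_members):
        return False
    g_src, g_dst = owner.get(src), owner.get(dst)
    # Only two protected ports in the SAME group are cut off from each other.
    return not (g_src is not None and g_src == g_dst)


def isolated_pairs(ports, owner, vlan_members):
    """Same-VLAN port pairs that the protected-port rule keeps apart."""
    return [(a, b) for a, b in combinations(sorted(ports), 2)
            if shares_vlan(a, b, vlan_members)
            and not can_forward(a, b, owner, vlan_members)]


if __name__ == "__main__":
    owner = validate_groups(GROUPS)
    all_ports = set().union(*VLANS.values())
    print("isolated pairs:", isolated_pairs(all_ports, owner, VLANS))
    # Ports 1 and 3 are both protected, but in different groups: they can talk.
    print("1 -> 3 allowed:", can_forward(1, 3, owner, VLANS))
```

    The output makes one design point visible: hosts that must all be kept apart from each other have to sit in the same protected group, because ports in different groups on the same VLAN can still exchange traffic.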


    The NetSight clients access the Console database to collect the device tree for their individual usage in each Plug-in application. The server synchronizes all of the event logs and makes them available to all the clients connected to the server.

    The current applications that require a license are:
    Console, which includes:
    Inventory Manager
    Policy Manager
    Automated Security Manager
    Network Access Control Manager
    OneView

    The client of Console will perform localised functions such as FlexView and Compass searches. Since these functions normally are tactical diagnostic tools, the searches are kept on the local machines, unless the user chooses to upload them to the server.

    Encrypted Java Message Service and Enterprise JavaBean calls are made between the client and server over SSL v3 (Secure Socket Layer).


    This window provides an area where you can paste the license information for each application. Your license unlocks application functionality and allows clients to connect to the server. If you have licensed multiple Enterasys NetSight applications, you can paste each license into this window, or update the license in the Server Information > License tab of NetSight applications later.

    Click Next to continue.


    The NetSight Server runs on a set of non-standard ports. These TCP ports (4530-4533) must be accessible through firewalls for clients to connect to the server.
    4530/4531 -- JNP (JNDI)
    4532 -- JRMP (RMI)
    4533 -- UIL (JMS)

    Port 8080 (Default HTTP traffic) must be accessible through firewalls for users to install and launch NetSight client applications.

    Port 8443 (Default HTTPS traffic) must be accessible through firewalls for clients to access the Server Administration web pages.
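
    One way to check a firewall policy against the port list above: the script reports required NetSight ports that a client cannot reach and any other ports the policy opens towards the server. This is an added example, not part of NetSight; the rule format (ordered, first match wins, default deny), the addresses and the rules themselves are constructed.

```python
"""Audit an ordered firewall rule list against the NetSight port list."""
import ipaddress

# TCP ports and roles as listed in the text above.
REQUIRED_TCP = {
    4530: "JNP (JNDI)",
    4531: "JNP (JNDI)",
    4532: "JRMP (RMI)",
    4533: "UIL (JMS)",
    8080: "HTTP: install and launch client applications",
    8443: "HTTPS: Server Administration web pages",
}

# Constructed rules in a hypothetical format: first match wins, default deny.
RULES = [
    {"action": "allow", "src": "10.20.0.0/16", "dst": "10.1.1.10/32",
     "ports": (4530, 4532)},   # stops one port short of 4533
    {"action": "deny", "src": "10.20.30.0/24", "dst": "10.1.1.10/32",
     "ports": (8443, 8443)},   # one subnet is denied the admin pages
    {"action": "allow", "src": "10.20.0.0/16", "dst": "10.1.1.10/32",
     "ports": (8000, 8999)},   # far wider than 8080 and 8443
]


def applicable(rules, src, dst):
    """Rules whose source and destination networks cover this address pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [r for r in rules
            if s in ipaddress.ip_network(r["src"])
            and d in ipaddress.ip_network(r["dst"])]


def verdict(pair_rules, port):
    """First matching rule decides; no match means deny."""
    for rule in pair_rules:
        low, high = rule["ports"]
        if low <= port <= high:
            return rule["action"]
    return "deny"


def to_ranges(ports):
    """Collapse an ascending port list into (first, last) runs."""
    runs = []
    for port in ports:
        if runs and port == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], port)
        else:
            runs.append((port, port))
    return runs


def audit(rules, clients, server):
    """Return (blocked required ports, ports opened beyond the required set)."""
    missing, excess = [], {}
    for client in clients:
        pair_rules = applicable(rules, client, server)
        for port in REQUIRED_TCP:
            if verdict(pair_rules, port) != "allow":
                missing.append((client, port))
        extra = [p for p in range(1, 65536)
                 if p not in REQUIRED_TCP and verdict(pair_rules, p) == "allow"]
        excess[client] = to_ranges(extra)
    return missing, excess


if __name__ == "__main__":
    blocked, opened = audit(RULES, ["10.20.5.7", "10.20.30.9"], "10.1.1.10")
    for client, port in blocked:
        print(f"{client}: TCP {port} blocked, needed for {REQUIRED_TCP[port]}")
    for client, runs in opened.items():
        print(f"{client}: also open beyond the required set: {runs}")
```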


    Enterasys NetSight Services are automatically stopped during a NetSight upgrade. The NetSight Services Manager is provided on Windows platforms to allow easy access to the associated services.

    On Windows operating systems, the arrow in the NetSight Services Manager icon shows if the server is running (green) or not (red); yellow indicates the server is starting. To stop the running services, including JBOSS and DeskTray, right-click on the Services Manager icon, select Stop running services, then go to the Server option and select Stop Server and Database. Next, click to Exit the Services Manager.

    On Linux, /etc/rc2.d contains the Enterasys NetSight background services.


    The Server Information Window allows you to view and configure certain NetSight Server functions including management of client connections, database backup and restore options, locks, logs and licenses. It also provides access to the server log and server statistics. To access this information you would choose Tools > Server Information or click on the icon as shown above.

    The first tab (Client Connections) shows who is currently connected to the server. If desired, you can disconnect users from the server.


    Database Server Properties

    Database server properties are used by the NetSight Server when it connects to the database. The database is secured with a credential composed of a user name and password. It is recommended to change this password; the Connection URL almost never needs editing. You must restart both the NetSight server and client after you change the database password.

    Backup Button

    Opens the backup database window where you can save the currently active database to a file. If the NetSight Server is local, you can specify a directory path where you would like the backup file stored. If the server is remote, the database will be saved to the default database backup location.

    Restore Button

    Opens the restore database window where you can restore the initial database or restore a saved database. Restoring an initial database removes all data elements from the database and populates the NetSight Administrator Authorisation group with the name of the user performing the restore. Both functions will cause all current client connections and operations in progress to be terminated. You must restart both the NetSight Server and the client following an initialise database operation. When restoring a database, if the server is remote, you only have access to databases in the default database backup directory.


    The Locks tab lets you view a list of currently held operational locks. Operational locks are used to control the concurrency of certain server operations. They are used to lock certain functionality so that only one user can access it at a time. For example, you would not want two users in Authorisation/Device Access both configuring SNMP at the same time.


    The License tab displays a list of all NetSight applications that require a license, and their respective license information.

    You can also use this tab to change a license. You would change a license in the event that you want to upgrade from an evaluation copy to a purchased copy or upgrade to a license that supports more users/devices.


    You can customize many of Console's features to suit your needs or the needs of your network. You can set Suite Wide options that affect all NetSight applications and Console-specific options.

    Options are set in the options window and, like many of the Console windows, the information found in the right panel depends on what you have selected in the left panel. The left panel lists suite-wide and NetSight Console options.


    Status Polling displays how NetSight polls the network devices to ensure they are up and running. The Maximum number of devices polled at once (100) may need to be lowered if there are a large number of devices on the network, otherwise performance may suffer. Poll Groups allow the Administrator to have critical devices polled more frequently than non-critical devices. From the main Console window under the Properties tab with the Access radio button selected you can configure devices to use Fast, Default, or Slow polling.

    System Browser provides the view where you can specify the web browser for NetSight to use when launching web pages from NetSight applications. The browser selections displayed depend on the web browsers installed on your system. Select Default to specify the system default browser. This setting applies to the current logged-in user.

    Web Server provides the view where you can specify the port ID for HTTP web server traffic. This port must be accessible through firewalls for users to install and launch client applications. By default, NetSight uses port ID 8080. If you change the port ID, you must restart the NetSight Server for the change to take effect. This setting applies to all users. You must be assigned the appropriate user capability to change this setting.

    Web Updates checks for updates on the NetSight Suite; it does not check for newer firmware.


    In the CDP Seed IP tab, enter the IP address for your CDP seed device into the appropriate column. Discover will use the seed device's CDP Neighbor Table to begin discovering all CDP-compliant devices.

    In the IP Range tab is a table where you specify the IP address ranges. Each row defines a single range. When you first open the tab, a default range is displayed based on the IP address of the Console workstation. To add a new range, right-click on an existing row and select Insert Row. The position of a row determines the range's Precedence, as indicated in the second column. Precedence determines which parameters will be used if a device is in more than one range (the lower number yields higher precedence). To edit a range, simply tab through the parameters and either enter a new value or use the drop-down list to select a value.


    You can restrict users from using specific applications like Policy Manager or Console. You can also create more granular restrictions, like access to TFTP download, FlexViews, or MIB Tools.

    You can add users that you want to be able to use Console from the Authorisation Configuration window.

    It is necessary to have at least one administrative user. The administrative user is capable of creating additional Console users and assigning their access levels.

    Console access levels are actually defined for groups, and users within a particular group are granted the access level defined for that group.

    The last three tabs of Authorisation/Device Access are used to configure SNMP.


    The security deficiency of both SNMPv1 and SNMPv2 was finally fixed with the release of the SNMPv3 standard. Designed to enable better support of the complex networks being deployed in recent years and additional requirements of applications used in networked environments, SNMPv3 defined standards for both enhanced security and administration.

    The most noteworthy enhancement in SNMPv3 is the strong security protection it provides for remote management, protecting SNMP itself from being used to automate exploiting cascading vulnerabilities. As defined in RFCs 2571-2575, SNMPv3 added robust user-level authentication, message integrity checking, message encryption, and role-based authorisation.

    Authentication - Determines the message is from a valid source
    Message integrity - Collects data securely without being tampered with or corrupted
    Encryption - Scrambles the contents of a frame to prevent it from being seen by an unauthorized source
    Role-based Authorization - Provides access to specific MIB information

    To understand how these security enhancements are implemented, we need to take a look at the architecture of SNMPv3.


    An SNMP security model is an authentication strategy that is set up for a user and the group in which the user resides. A security level is the permitted level of security within a security model. The three levels of SNMP security are: no authentication required (noAuthNoPriv); authentication required (authNoPriv); and privacy (authPriv). A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP frame.

    Configuring authentication and privacy for SNMPv3 is optional, but highly recommended.
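
    What an SNMPv3 authentication password becomes on the wire under the User-based Security Model (RFC 2574, one of the RFCs cited above, later republished as RFC 3414): a per-device key and a 12-octet HMAC tag that provides the authentication and message-integrity services listed earlier. This is an added example, not NetSight code; the password and first engine ID are the RFC's published sample, while the second engine ID and the message (a flat byte string, not a BER-encoded SNMP PDU) are constructed.

```python
"""SNMPv3 USM authentication keys and tags per RFC 3414 (added example)."""
import hashlib
import hmac

TAG_LEN = 12  # HMAC-MD5-96 and HMAC-SHA-96 both transmit 12 octets


def password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """Hash 1,048,576 octets formed by repeating the password (RFC 3414 A.2)."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(1024 * 1024, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Bind the user key to one SNMP engine: H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def sign(message: bytes, offset: int, key: bytes,
         hash_name: str = "sha1") -> bytes:
    """Fill the 12-octet authentication field at `offset` with the HMAC tag.

    The tag is computed over the whole message with that field zeroed.
    """
    zeroed = message[:offset] + bytes(TAG_LEN) + message[offset + TAG_LEN:]
    tag = hmac.new(key, zeroed, hash_name).digest()[:TAG_LEN]
    return message[:offset] + tag + message[offset + TAG_LEN:]


def verify(message: bytes, offset: int, key: bytes,
           hash_name: str = "sha1") -> bool:
    """Recompute the tag and compare it in constant time."""
    received = message[offset:offset + TAG_LEN]
    expected = sign(message, offset, key, hash_name)[offset:offset + TAG_LEN]
    return hmac.compare_digest(received, expected)


# Sample values published in RFC 3414 A.3.2.
PASSWORD = b"maplesyrup"
ENGINE_A = bytes(11) + b"\x02"

# Constructed values for this example (not a real SNMP encoding).
ENGINE_B = bytes(11) + b"\x03"
HEADER = b"constructed-v3-header|user=example-ro|auth="
OFFSET = len(HEADER)
MESSAGE = HEADER + bytes(TAG_LEN) + b"|get sysName.0"

if __name__ == "__main__":
    ku = password_to_key(PASSWORD)
    key_a = localize(ku, ENGINE_A)
    key_b = localize(ku, ENGINE_B)
    print("Ku          :", ku.hex())
    print("key, engine A:", key_a.hex())
    print("key, engine B:", key_b.hex())

    signed = sign(MESSAGE, OFFSET, key_a)
    print("authentic   :", verify(signed, OFFSET, key_a))
    tampered = signed.replace(b"get sysName.0", b"set sysName.0")
    print("tampered    :", verify(tampered, OFFSET, key_a))
    print("wrong engine:", verify(signed, OFFSET, key_b))
```

    The tag only proves origin and integrity, which is the authNoPriv level; the request itself stays readable unless a Privacy password is also configured (authPriv). Because the key is localized per engine ID, the key stored on one device does not authenticate messages for another device that shares the same password.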


    To create a credential:
    Click or choose Authorization/Device Access from the Tools menu.
    Select the Profiles/Credentials tab in the Authorization/Device Access window.
    In the lower half of the tab, click Add Credential. The Add Credential window opens.
    Type a name (up to 32 characters) for your new credential and select an SNMP version. If you select SNMPv1 or SNMPv2, the window lets you enter a community name as the password for this credential. If you select SNMPv3, you can specify passwords for Authentication and Privacy.


    To create a profile:
    Click or choose Authorization/Device Access from the Tools menu.
    Select the Profiles/Credentials tab in the Authorization/Device Access window.
    In the upper half of the tab, click Add Profile. The Add Profile window opens.
    Type a name (up to 32 characters) for your new profile and select an SNMP version. If you select SNMPv1 or SNMPv2, you can select credentials for Read, Write, and Max Access. If you select SNMPv3, you can select credentials and security levels for Read, Write, and Max Access.
    SNMPv1/SNMPv2 - Select credentials for Read, Write, and Max Access.
    SNMPv3 - Select credentials and security levels to be used for Read, Write, and Max Access.
    Click Apply. You can add another profile or click Close to dismiss the Add Profile window. Your new profile(s) appears in the Device Access Profiles table.


    Use the Profile/Device Mapping tab to specify which profile will be used by each Authorization Group when communicating with a specific device. The Read credential of the NetSight Administrator profile is used for device Discovery and status polling. All other SNMP communications will use the profiles specified here.

    Devices selected from the left panel appear in the table in the right panel together with the current profile assignments associated with each Authorization Group. The Table Editor button activates the editing row where specific profile selections can be made.

    To assign profiles:
    Click or choose Authorization/Device Access from the Tools menu.
    Select the Profile/Device Mapping tab in the Authorization/Device Access window.
    Select one or more devices or device groups in the left (tree) panel.
    Select one or more rows (devices) in the table and click the Table Editor button.
    Click in the Table Editor Row for the Authorization Group that you are configuring and select a profile from the drop-down list.
    Repeat steps 3 and 4 until you have finished assigning profiles.


    When a device is created, discovered, or imported, it automatically becomes a member of the appropriate system-created group:
    All Devices - contains all the devices in the NetSight database.
    Grouped By - contains five subgroups:
    Chassis - contains subgroups for specific chassis in your network.
    Contact - contains subgroups based on the system contact.
    Device Types - contains subgroups for the specific product families and device types in your network.
    IP - contains subgroups based on the IP subnets in your network.
    Location - contains subgroups based on the system location.

    Additionally, you can add your own device groups and subgroups under the My Network folder; however, you cannot add groups under the system-created groups. A device group cannot have the same name as another device group at the same level. You cannot rename or delete a system-created group. A device can be a member of more than one group.

    TIP: System-created groups are displayed with blue folders in the left-panel tree. Any group you add will display a yellow folder.


    As with Device Groups, logically grouping ports can allow FlexViews to look only at certain ports, for instance Uplink ports or Server ports.

    You can add ports to the My Network or to any user-created group by choosing Add Port Elements to Group from the right-click menu in a FlexView table. You can remove a port from a specific group, or you can delete the port from the NetSight database, thereby removing it from all groups where it is a member.

    There are several ways to add ports to a group. You can add selected ports from a FlexView table, drag and drop them in the tree, or copy and paste one or more ports from another group.

    Adding Selected Ports From a FlexView Table
    Open a FlexView for the devices containing the ports that you want to add and click the Retrieve button.
    Click the right mouse button on the ports that you want to add to a particular group. The Port Group Selection window opens.
    Expand the tree and select the group where the selected port(s) will be placed.
    Click Ok to confirm your choice and close the window. The ports are added to the selected group and to the All Port Elements folder.

    You can now select specific ports and use FlexViews to query information about those specific ports. You should use the appropriate FlexView to view the type of port being queried.


    When a device or device group is selected from the left panel, the Properties tab shows a table listing information about your selection. Columns included here display IP Address, Display Name, Device Type, Status, Firmware, BootPROM, Base MAC, Chassis ID, Location, Contact, System Name, Nickname, and Description.

    Note: Port numbers are five-digit numbers on the S and K series; the first digit is the slot number, the second is the technology (1 = fe, 2 = ge, 3 = tg) and the last three numbers are the port. So 12005 represents slot 1, Gigabit Ethernet, port 5.

    The Table Editor row is available when the Show/Hide Table Editor button is toggled to make the Table Editor visible. Columns that contain a writable MIB object will appear in the Table Editor as an editable field or drop-down list as appropriate for the object type (integer, boolean, text, etc.). Changing the value in the Table Editor row alters the value for that entry in the row selected in the table.

    Clicking Apply sets the current writable table values on the devices in the currently selected device group.

    Additionally, the User Data 1, User Data 2, and Notes columns can be edited to provide extra information about the device. The slide shows adding Notes.


    When a device or device group is selected from the left panel, the Properties tab shows a table listing date and time information for your selection. The Retrieve button attempts to contact the selected device or device group to update the table information. The Properties view uses the Profile for the Read Access Level of the customizations for the current user. While retrieving information, the button changes to a red octagon.

    Clicking in the table editor for Date/Time brings up the Change Date/Time window where edits can be made. You can select one or more table rows where you want to change the date/time for devices.

    Clicking in the Table Editor row for the Date/Time column opens the Change Date/Time window, where you can set a specific date and time to be set in the selected devices. When the date/time are changed on a device, a green exclamation mark appears in that row to indicate that the new value needs to be applied using the Apply icon.


    IMPORTANT: The Port Properties table is not automatically updated. Instead, the table must be refreshed using the Retrieve button to update the table information each time you access this tab. The first time you access the Port Properties tab, the table is blank, making it necessary to click Retrieve to display port information. If you leave the Port Properties tab, then return, the content of the table will not have changed, even though conditions on device ports may have changed. You must again retrieve the information.

    Port properties shows commonly used port-specific MIBs. The information shown can be filtered down to:
    Statistics - In/Out Octets, Errors, Discards, Unicast traffic
    Configuration - Show/Configure Auto Negotiation, Duplex, Speed
    Capabilities - Show/Configure the port's Advertised Speed and Duplex and show the Speed/Duplex advertised by the remote port

    Specific columns can be used to configure auto negotiation for selected ports. If auto negotiation is disabled, you can manually configure the speed, duplex, and flow control parameters of the selected ports. These columns are hidden or displayed according to your selection from the Column Filter toolbar.

    To configure parameters on multiple ports, enable the Table Editor and select the ports in the table by swiping with your mouse or using the Ctrl or Shift keys. The information for the first port selected will be displayed in the Table Editor row. Any changes that you make will be applied to all of the selected ports. Use the drop-down lists in the Table Editor row to manually configure the parameters when auto negotiation is disabled on the selected ports.

    NOTE: If you manually configure these parameters, be sure that the remote port supports the same mode. Otherwise, no link between the local and remote port will be achieved.


    System-created device groups are permanent and cannot be moved or deleted. However, you can add user-created device groups and populate them with devices as needed to create as many custom maps as needed to manage your network.

    The Map Creation Tool guides you through the decisions to create maps. After devices have been selected, you choose the map attributes, which include grouping and polling options. The left panel reflects your selections and indicates whether link discovery will be accomplished.

    Grouped Map will create multiple maps; the main map, being the root map, will have a separate icon for each device group. A double click will open a sub-map. The sub-maps and the devices in them will mirror the device groups in Console.

    Flat Map creates one map, showing all of the selected devices/device groups at the same level.

    Once maps are created (Grouped or Flat), sub-maps can be created or deleted.


    You can customise your view of the topology by applying overlays and attributes to maps. Overlays add visual context to the topology display such as link color, link weights, and endpoint symbols that are meaningful to a particular logical view. For example, selecting the Spanning Tree overlay for a physical map view identifies root ports, active links, and Root Bridges in the view using colors for links and shapes superimposed on ports.

    Attributes are properties associated with map views that allow you to manage information. The coordinates of a mapped object, the color and weight of a type of link, the background image displayed on a view, sub-maps, and the default behavior when nodes are discovered are all attributes of a particular map view.

    Maps can be populated manually or automatically, using the Create Map tool. You can add images, text for descriptive labeling and a variety of symbols to your map. The Edit menu at the top of the Map provides tools for selecting and adding symbols and graphic elements and a variety of alignment and sizing tools. Right-click menus let you manage objects in a map, delete objects, or display object properties.


    Map Creation Summary

    This view gives you the opportunity to review your map configuration prior to creating the map. You can change your settings by clicking in the left panel on the step where you want to make a change. Once you are satisfied with your map configuration, click Finish to create the map. Topology Manager performs a discovery of the area of your network that you are mapping and shows the results in the Discovery Results window.

    Discovery Results Window

    Topology Manager performs a discovery when a map is created, when an existing map is opened, or when you refresh your map. Newly discovered devices and links as well as network elements that no longer exist are listed in this window. You can selectively (by checking rows) add/remove the discoveries to your map.


    In this view, you set the poll interval for Topology Manager's poll groups (More Frequent, Default and Less Frequent). These groups correspond to the poll groups in Console, but the frequencies set here determine the poll frequency for each group used when retrieving device status in Topology maps. The interval for individual poll groups can be set according to your network's needs. Keep in mind that these values affect devices while they populate an open map.

    Polling Update Overlay Data - Refreshes the overlay information for all submaps in the current map.
    Update Submap Overlay Data - Refreshes the overlay information in the current submap.
    Rediscover Network - This option reruns the discovery process.
    Synchronize Map to Console Groups - This option lets you update the groups in your map to match changes to the groupings that were selected. This option is only available for grouped maps.
    Remove Missing Groups and Devices - Removes any groups/devices that no longer exist in the Console groups that were used to create the map.
    Descend Sub Groups to perform actions - Performs the above actions recursively.
    Add Devices to Submap - Opens the Add Devices to Current Submap window showing a device tree containing all of the devices that have been modeled in the NetSight database. You can expand the tree to select specific devices/device groups that you want to add to the current submap.
    Cancel Polling - This option is only active while the Topology Server is actually polling. It aborts the current polling operation.
    Polling Statistics - Opens the Polling Statistics window where you can view both a summary of polling statistics and statistics for individual devices.

    You can use Compass to search one or more devices or device groups selected in the Console left panel. If you do a search on a user-created group that contains interfaces, the whole device on which the interface is located will be searched. The search is based on the following:

    The selection you make in the Console left panel (Search Scope)
    The Search Type you select on the Compass tab
    The Search Parameters you provide on the Compass tab

    The Search Log tab displays a log of the progress of the search and notifies you of unsupported devices. The Results tab displays the results of the Compass search. You can customize table settings and find, filter, sort, print, and export the information in the Search Log and Results tabs. Access these Table Tools through a right-click on a column heading or anywhere in the table body.

    Here a search was done on 172.26.2.200, a PC in the lab network. Compass works by polling various MIBs on each switch that is selected for the search and then displays the results. The column Active indicates that the user has been seen recently on the indicated port; this is typically from one of the dot1* MIBs. Notice the green check marks indicating the PC could be located off port fe.1.12 on 172.10.1.101.

    If you provide specific search parameters, Compass returns information on those parameters, if it finds them within the search scope. If you do not provide specific search parameters, Compass returns information on everything within the search scope.

    Search Type: For a Search Type of Auto, Compass establishes whether the entry is an IP (four octets) or a MAC (six octets); if the entry is neither, Compass assumes the entry is a User Name. The entry determines which MIBs will be polled.

    All: For the Search Type of All, Compass returns all IP, MAC, and user data from the MIBs. This would be the equivalent of doing a search with Auto but leaving the Address field blank.

    A search on an IP that results in different MAC addresses indicates DHCP (the Node/Alias Tables do not time out), in which case you may want to do a Select All on the results, then another right-click and Delete Node/Alias Entries.

    When the Search Type is set to IP Address, a PING button appears so you can force the IP to generate some traffic before doing the search.

    Accessed from Console, Tools > Options > Compass or from the Options button within the Compass tab.

    For larger networks you may want to increase the Number of SNMP Retries to ensure getting the most information.

    When Console is initially installed, the Interface Summary tab is accessible in the right panel. It is one of many FlexViews available with Console. In Console, you can use the FlexView Properties window to customize pre-defined views and create your own FlexViews to provide the kind of information you need to manage your network.

    These views provide information and configuration capabilities across the entire system. The FlexView tables can be filtered, searched, and sorted, making it possible to view specific network conditions: for example, the top ten instances of an object such as the highest CRC count on ports or the highest packet transmissions by port.

    One or more FlexViews can be "Floated" into a separate window by clicking in a blank area of the FlexView toolbar and dragging the FlexView out of the Console main window. This allows viewing information from different FlexViews at the same time.

    Predefined FlexViews allow you to view/configure CDP, FST, Link Aggregation, PoE, RMON, and many other functions. Highlighting any FlexView will show a short description as shown above with Broadcast Suppression. The folders represent directories that contain related FlexViews.

    The Export Catalog button creates a file that lists all FlexViews and their descriptions for your reference.

    FlexViews you have created are saved to a directory called My FlexViews that exists inside the Console directory to preserve your FlexViews during upgrades.

    Export Type allows you to automatically export FlexView data (HTML or CSV) every time the table is refreshed. Data is exported to the directory specified in the FlexView Options. For example, you can select a FlexView that contains columns of various errors and set a filter to show rows that contain greater than zero errors.
    Use MaxAccess/SuperUser - When checked, this FlexView will use the Max Secure or SuperUser passwords for access to retrieve information and set values on devices.
    Read Only disables the table editor for this FlexView.
    Hide instance column - This is the Interface column, which cannot be deleted but can be hidden.
    Enable event notification - When checked, the information in the table can be used with the table filter feature to create an alarm for a specific condition.
    Edit or add notes for your FlexView - Use this text field to create a detailed description of this FlexView.
    FlexView Editing Instructions - Use this text field to provide detailed instructions for how this FlexView should be edited by the FlexView Guided Editor or Table Editor.
    Column Definitions Table - This table shows how the attributes for each of the columns are configured for this FlexView. Every FlexView contains three permanent columns (ReqID, IP Address, and Interface). When creating a new FlexView, this table contains only the three permanent columns. Columns can be repositioned by clicking the heading for a column and dragging it to the left or right.

    The Columns tab in the FlexView Properties window lets you define the content and arrangement of information in your FlexViews. You can define columns that present the values for particular MIB objects, or create expressions that combine specific MIB objects to present information that shows the relationship between those objects. With SNMP selected, the Columns tab lets you configure columns to show the values for specific MIB objects. When Expression is selected, the Columns tab becomes an expression editor, providing functions that allow you to combine the values of specific MIB objects. For information on creating FlexViews with expressions, please refer to the help documentation.

    Any MIB object copied to the directory defined above is available to be included in existing or newly created FlexViews. This allows you to extend NetSight's capability to manage other vendors' hardware.

    The Table Editor row is visible when the Show/Hide Table Editor button is toggled to make the Table Editor visible. Columns that contain a writable MIB object will appear in the Table Editor as an editable field or drop down list as appropriate for the object type (integer, Boolean, text, etc.). Changing the value in the Table Editor row alters the value for that entry in the row(s) selected in the table. The Table Editor feature cannot be used at the same time as the Guided Editor.

    As values are changed for your selected columns, a green exclamation point marks the cells that have been changed (but not Applied) and the Apply button becomes active. Clicking the (Show/Hide Table Editor button) at this point will cancel your changes, restore the original values, and hide the Table Editor. Clicking Apply sets the values that you've changed in the selected devices and hides the Table Editor row. If the set is not successful, a red X appears in the rows where the set has failed.

    CAUTION: Enforcing certain MIB objects can disable devices and cause interruptions to network operation. Do Not enforce MIB values unless you are sure of the outcome.

    Remember that we discussed setting the Options for the NetSight suite in the Getting Started module. One of the tasks you must accomplish is setting the TFTP server root directory and IP address prior to using the TFTP capabilities in Console. If there are multiple NICs on the server and the wrong address is used, TFTP will fail. The Root Path defines where the TFTP application has access to the hard drive. This can be configured through Options > Services for NetSight Server. The Full Image Path points to the location of the image on the Server. The image must exist in the Root Path.

    The Firmware Image Download window enables you to download a firmware image file to a single device. You must have one TFTP Server running to perform the download operation. To access the Firmware Image Download window from the main Console window, right-click the device in the left panel and select Firmware Image Download from the menu. From the Device Manager, you can select Utilities > Firmware Image Download from the Device View menu bar.

    The S and K series, A, B, C, D, G and I switches can support multiple images. If the switch does not have enough memory to hold another image, the download will fail.

    Note: Information is populated in this window through MIB queries. Last Server IP and filename might not be available due to MIB support in the firmware currently on the device.

    The Configuration Upload/Download window provides a way to upload configuration files from devices to save them elsewhere as backups, or download configuration files to devices. Using these functions, you can copy configuration files from one device to another. Files are transferred using TFTP; therefore, you must have a TFTP Server running to perform the upload or download. To access the Configuration Upload/Download window from the main Console window, right-click the device in the left panel and select Configuration Upload/Download from the menu. In Device Manager, select Utilities > Configuration Upload/Download from the Device View menu bar.

    Caution: Devices will reset after a configuration file has been downloaded.

    Note: Information is populated in this window through MIB queries. Last Server IP and filename might not be available due to MIB support in the firmware currently on the device.

    Launch the VLAN Elements Editor from the icon shown in the VLAN tab. The left panel contains a tree hierarchy showing all of the VLANs that have been modeled in the NetSight database. The right panel lists the currently defined VLAN models and indicates the number of VLAN Definitions and Port Template Definitions that exist for each model. You are provided with one VLAN model to start, the Primary VLAN Model, which is pre-populated with a Default VLAN (VID 1) and a default Port Template. When a Port Template Definition is selected in the left panel, the Port Template Definitions view appears in the right panel. When a VLAN Definition is selected in the left panel, the VLAN Definitions view appears in the right panel.

    You can define the Primary VLAN model with VLAN definitions and port templates, and/or you can create other VLAN models. Multiple VLAN models can be created, but only one VLAN Model can be used in a VLAN domain.

    To create a VLAN model:
    Select the VLAN Element Editor from the Tools menu.
    In the left panel, right-click the VLAN Elements folder and select Add VLAN Model from the menu. This adds a "New VLAN Model" under the VLAN Elements folder, with its name highlighted.
    Type a name for the newly created model, or leave the new name as is, and press Enter.
    You can now create VLANs and port templates for the VLAN model.

    Creating a VLAN adds a VLAN to a model's VLAN Definitions folder. It also automatically creates a port template in the same model, with the new VLAN's VID set as the PVID. Console provides you with one Default VLAN (VID 1) for the Primary VLAN Model and for any other model you create. You can define this VLAN, and/or you can create and define other VLANs.

    To Create VLANs:
    Open the VLAN Element Editor from the icon in the VLAN tab.
    In the left panel, expand the VLAN Elements folder, expand the VLAN model whose VLAN(s) you want to create, then select the VLAN Definitions folder. The VLAN Definitions window appears in the right panel.
    In the VLAN Name text box in the lower portion of the Properties tab, change the name of the VLAN to fit your requirements.
    If required, change the VID for the VLAN in the VLAN ID box.
    The VLAN retains the properties of the previously displayed VLAN. Edit these as needed.

    When you create a new VLAN, a new port template is automatically added to the VLAN model, with the new VLAN's VID set as its PVID. You can also create your own port templates.

    Once a VLAN is defined, you can compare it to the settings on selected devices, update the model from device VLAN settings, and/or enforce the VLAN on selected devices.

    The Device view of the VLAN tab enables you to do all of the following:
    Compare model VLAN definitions with VLAN settings on devices using the verify operation
    Update NetSight's model VLAN definitions with VLAN settings from devices
    Write model VLAN definitions to devices using the enforce operation

    To access the Device view of the VLAN tab, select the device(s) or group(s) of interest in the left panel. Then select the VLAN tab in the right panel and confirm that the Device radio button is selected. The Device view of this tab consists of an upper panel and a lower panel. Use the panel control buttons to control the display of the two panels.

    The Advanced Port view of the VLAN tab enables you to do any or all of the following:
    Compare port templates with device port settings with a verify operation
    Update port templates with port VLAN settings
    Write port templates to ports through an enforce operation

    To access the Advanced Port view of the VLAN tab, select the devices or groups of interest in the left panel. Then select the VLAN tab in the right panel and the Advanced Port radio button. The Advanced Port view of the VLAN tab consists of an upper panel and a lower panel. The table in the upper panel displays port VLAN information for the devices selected in the left panel. It also indicates whether there are discrepancies between the VLAN settings on the ports and those in the port templates in the selected VLAN model. Ports on which differences are detected are marked in the table by a red not-equal sign.

    To compare the egress state as defined in a port template with the current and static egress states of a port, select the port in the upper table and the port template in the lower left table, and click the Detail button to open the VLAN Egress Details window.

    In addition to pushing a Trunk Port Template to a lag, it should also be applied to the individual ports in the lag in case the lag should fail. Remember, user ports can also be configured using Port Templates and the Advanced Port window.

    The Basic Port view of the VLAN tab enables you to view the port VLAN settings on selected device(s) in table form. You can select a VLAN port template to enforce to some or all of the ports in the table, or you can edit port data and enforce the individual changes.

    Basic Port view on the VLAN tab is like any other FlexView.

    To create user ports:
    Click the Show/Hide Table Editor icon
    Highlight the ports you wish to configure
    Make the changes in the Table Editor
    Click the Apply button

    In this screen, ports fe.1.10-15 are being set to the Green VLAN: frames will egress in Untagged format, there is no Ingress Filtering, the default priority for all incoming frames is 5, and the port will accept both Tagged and Untagged frames once Apply is clicked.

    NetSight Event View lets you view alarm, event, and trap information for Console, network devices, and other NetSight applications. Each tabbed view in the Event panel lets you scroll through the most recent 10,000 entries in the logs that are configured for that view. A Console tab showing Console events and a Traps tab that captures traps from devices modeled in the NetSight database are provided when Console is initially installed. The Syslog tab shows events from devices that are configured to use the NetSight Syslog Server. You can add your own tabs that capture local logs. Local logs are not automatically polled, but can be manually refreshed using the Refresh button.

    With the Event tables, you can:
    Configure your own tables to capture and combine similar information from various sources - for example, you can combine event logs from other NetSight applications or merge trap logs into a single Event View
    Find, filter, and sort table information
    Print table information or export the information to a file in HTML or delimited text format
    Trigger e-mail notification when a particular alarm, event, or trap occurs

    The purpose of Event View Manager is to control what logs are viewed in the Event View. Usually, this does not need to be changed.

    To add a new tab (view) to Console's Event View, click Add, give a name, then use the green arrow in the middle of the window to add logs (lower left window) to your new view.

    Configuring your devices to send traps to the NetSight Server is easily accomplished with the use of the Trap Receiver Configuration window. The window has two tabs. The Configuration tab lets you create a list of trap receiver addresses. These are the addresses of the systems that will receive trap information from your network devices. The snmptrapd tab is where you configure the information that is required to allow NetSight SNMP Trap Service (snmptrapd) to receive Trap and Inform messages from your network devices that are using SNMPv3.

    To access this window, right-click on one or more devices in the Console left-panel tree and select Trap Receiver Configuration.

    Priority: If the switch is configured to send traps to multiple trap servers, the priority determines the order in which the traps will be sent.
    Trap Receiver IP: This is the trap server that the switch sends traps to, typically the Console server.
    Trap Credential Version: This configures what version of SNMP the switch will use when sending a trap to the server and also what passwords/community names are to be used.
    Update From All Device: Polls the currently configured trap configuration from the switches.
    Apply to All Devices: Pushes the trap server information in the upper window to all the switches listed in the lower window.

    Use this tab to configure the information that is required to allow the SNMP Trap Service (snmptrapd) to receive Trap and Inform messages from your network devices that are using SNMPv3.

    The engine ID looks like: 0x80003818030001f4917d80

    The file entry resembles:
    createUser -e 0x80003818030001f4917d80 bob MD5 authpasswd1 DES privpasswd1

    Since the snmptrapd file is read upon startup of the SNMPTrap process, it must be restarted for any changes to take effect.
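    Each createUser entry ties an SNMPv3 user to one sender engine ID together with its authentication and privacy settings. The audit sketch below is an added example, not part of the guide or of NetSight: it decodes the engine ID using the RFC 3411 layout and flags MD5, DES, missing privacy and short passphrases. The alice and carol entries and all function names are constructed for illustration.

```python
import shlex

# RFC 3411 SnmpEngineID: the fifth octet names the format of the remainder.
ENGINE_ID_FORMATS = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}
WEAK_AUTH = {"MD5"}   # deprecated hash, flagged for migration to SHA
WEAK_PRIV = {"DES"}   # 56-bit key, flagged for migration to AES
MIN_PASSPHRASE = 8    # minimum USM passphrase length accepted by net-snmp

# Constructed sample file. The bob entry is the one shown in the guide;
# alice and carol are hypothetical entries added for contrast.
SAMPLE_CONF = """\
# snmptrapd user entries
createUser -e 0x80003818030001f4917d80 bob MD5 authpasswd1 DES privpasswd1
createUser -e 0x80003818030001f4917d80 alice SHA "constructed auth phrase" AES "constructed priv phrase"
createUser carol SHA short1
"""


def decode_engine_id(hex_id):
    """Split an engine ID into enterprise number, format and value."""
    digits = hex_id[2:] if hex_id.lower().startswith("0x") else hex_id
    try:
        raw = bytes.fromhex(digits)
    except ValueError:
        return {"enterprise": None, "format": "invalid", "value": hex_id}
    # The high bit of the first octet marks the RFC 3411 layout.
    if len(raw) < 6 or not raw[0] & 0x80:
        return {"enterprise": None, "format": "unrecognised", "value": raw.hex()}
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    fmt = ENGINE_ID_FORMATS.get(raw[4], "enterprise-specific")
    body = raw[5:]
    if fmt == "mac" and len(body) == 6:
        value = ":".join(f"{b:02x}" for b in body)
    elif fmt == "ipv4" and len(body) == 4:
        value = ".".join(str(b) for b in body)
    else:
        value = body.hex()
    return {"enterprise": enterprise, "format": fmt, "value": value}


def parse_create_user(line):
    """Return the fields of one createUser line, or None for other lines."""
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] != "createUser":
        return None
    tokens = tokens[1:]
    entry = {"engine_id": None}
    if tokens[:1] == ["-e"] and len(tokens) >= 2:
        entry["engine_id"] = decode_engine_id(tokens[1])
        tokens = tokens[2:]
    fields = ("user", "auth_proto", "auth_pass", "priv_proto", "priv_pass")
    entry.update(zip(fields, tokens))
    return entry if "user" in entry else None


def audit(conf_text):
    """Return (line number, user, finding) tuples for weak settings."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        entry = parse_create_user(line)
        if entry is None:
            continue
        user = entry["user"]
        auth = entry.get("auth_proto", "").upper()
        priv = entry.get("priv_proto", "").upper()
        if not auth:
            findings.append((lineno, user, "no authentication (noAuthNoPriv)"))
        elif auth in WEAK_AUTH:
            findings.append((lineno, user, f"weak auth protocol {auth}"))
        if not priv:
            findings.append((lineno, user, "no privacy protocol, trap contents unencrypted"))
        elif priv in WEAK_PRIV:
            findings.append((lineno, user, f"weak privacy protocol {priv}"))
        for key in ("auth_pass", "priv_pass"):
            if key in entry and len(entry[key]) < MIN_PASSPHRASE:
                findings.append((lineno, user, f"{key} shorter than {MIN_PASSPHRASE} characters"))
    return findings


if __name__ == "__main__":
    print(decode_engine_id("0x80003818030001f4917d80"))
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

    The decoded engine ID from the guide's entry is in MAC address format, so the value identifies the sending switch.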

    The Alarms Manager window is where you can configure alarms when certain trap/event conditions occur on your network. You can also configure certain actions that will be triggered by the alarms. The table at the top of the window shows a summary of the currently defined alarms, while the fields below allow you to configure alarm parameters. Access this window from the Tools > Alarm/Event > Alarms Manager menu option.

    Configuring Alarms consists of two things: Defining the criteria to trigger an Alarm (Device Down, Link Down, FST limit Exceeded) and then defining the action to be taken (Email or run an application).
