TP-Link JetStream T2600G-28TS, User Manual

Page 1: ...User Guide T2600G Series Switches T2600G 18TS T2600G 28TS TL SG3424 T2600G 28TS DC T2600G 28MPS TL SG3424P T2600G 28SQ T2600G 52TS TL SG3452 1910012657 REV4 2 0 December 2019 ...

Page 2: ...with console port 10 Telnet Login 12 SSH Login 13 Disable Telnet login 17 Disable SSH login 18 Copy running config startup config 18 Change the Switch s IP Address and Default Gateway 19 Managing System System 21 Overview 21 Supported Features 21 System Info Configurations 23 Using the GUI 23 Viewing the System Summary 23 Configuring the Device Description 27 Configuring the System Time 27 Configu...

Page 3: ...l 46 Rebooting the switch 48 Reseting the Switch 49 Using the CLI 49 Configuring the Boot File 49 Restoring the Configuration of the Switch 51 Backing up the Configuration File 51 Upgrading the Firmware 52 Configuring DHCP Auto Install 52 Rebooting the Switch 54 Reseting the Switch 55 EEE Configuration 56 Using the CLI 56 PoE Configurations Only for Certain Devices 58 Using the GUI 59 Configuring ...

Page 4: ...sical Interfaces Physical Interface 88 Overview 88 Supported Features 88 Basic Parameters Configurations 89 Using the GUI 89 Using the CLI 90 Port Isolation Configurations 93 Using the GUI 93 Using the CLI 94 Loopback Detection Configuration 96 Using the GUI 96 Using the CLI 98 Configuration Examples 100 Example for Port Isolation 100 Network Requirements 100 Configuration Scheme 100 Using the GUI...

Page 5: ...iguration Examples 118 Example for Static LAG 118 Network Requirements 118 Configuration Scheme 118 Using the GUI 118 Using the CLI 119 Example for LACP 120 Network Requirements 120 Configuration Scheme 120 Using the GUI 121 Using the CLI 122 Appendix Default Parameters 124 Configuring DDM Only for Certain Devices Overview 126 DDM Configuration 127 Using the GUI 127 Configuring DDM Globally 127 Co...

Page 6: ...51 Adding Static MAC Address Entries 151 Modifying the Aging Time of Dynamic Address Entries 152 Adding MAC Filtering Address Entries 153 Security Configurations 155 Using the GUI 155 Configuring MAC Notification Traps 155 Limiting the Number of MAC Addresses Learned in VLANs 156 Using the CLI 158 Configuring MAC Notification Traps 158 Limiting the Number of MAC Addresses in VLANs 160 Example for ...

Page 7: ...ring MAC VLAN Overview 184 MAC VLAN Configuration 185 Using the GUI 185 Configuring 802 1Q VLAN 185 Binding the MAC Address to the VLAN 185 Enabling MAC VLAN for the Port 186 Using the CLI 187 Configuring 802 1Q VLAN 187 Binding the MAC Address to the VLAN 187 Enabling MAC VLAN for the Port 188 Configuration Example 189 Network Requirements 189 Configuration Scheme 189 Using the GUI 190 Using the ...

Page 8: ... 223 Overview 223 Supported Features 224 Basic VLAN VPN Configuration 225 Using the GUI 225 Configuring 802 1Q VLAN 225 Configuring Basic VLAN VPN 226 Using the CLI 227 Configuring 802 1Q VLAN 227 Configuring Basic VLAN VPN 227 Flexible VLAN VPN Configuration 230 Using the GUI 230 Using the CLI 231 Configuration Examples 233 Example for Basic VLAN VPN 233 Network Requirements 233 Configuration Sch...

Page 9: ...ng Private VLAN Overview 274 Private VLAN Configurations 276 Using the GUI 276 Using the CLI 277 Creating Private VLAN 277 Configuring the Up link Port 279 Configuring the Down link Port 281 Configuration Example 283 Network Requirements 283 Configuration Scheme 283 Network Topology 283 Using the GUI 284 Using the CLI 288 Appendix Default Parameters 292 Configuring Layer 2 Multicast Layer 2 Multic...

Page 10: ...LD Snooping for VLANs 317 Configuring MLD Snooping for Ports 320 Configuring Hosts to Statically Join a Group 320 Using the CLI 321 Configuring MLD Snooping Globally 321 Configuring MLD Snooping for VLANs 322 Configuring MLD Snooping for Ports 327 Configuring Hosts to Statically Join a Group 328 MVR Configuration 330 Using the GUI 330 Configuring 802 1Q VLANs 330 Configuring MVR Globally 331 Addin...

Page 11: ...ooping 355 Network Requirements 355 Configuration Scheme 355 Using the GUI 356 Using the CLI 358 Example for Configuring MVR 360 Network Requirements 360 Network Topology 360 Configuration Scheme 361 Using the GUI 361 Using the CLI 364 Example for Configuring Unknown Multicast and Fast Leave 367 Network Requirement 367 Configuration Scheme 368 Using the GUI 368 Using the CLI 370 Example for Config...

Page 12: ...g Global STP RSTP Parameters 399 Enabling STP RSTP Globally 401 MSTP Configurations 403 Using the GUI 403 Configuring Parameters on Ports in CIST 403 Configuring the MSTP Region 406 Configuring MSTP Globally 410 Verifying the MSTP Configurations 412 Using the CLI 413 Configuring Parameters on Ports in CIST 413 Configuring the MSTP Region 416 Configuring Global MSTP Parameters 419 Enabling Spanning...

Page 13: ...454 Using the GUI 454 Configuring LLDP Globally 454 Configuring LLDP MED Globally 454 Configuring LLDP MED for Ports 455 Using the CLI 457 Global Config 457 Port Config 458 Viewing LLDP Settings 461 Using GUI 461 Viewing LLDP Device Info 461 Viewing LLDP Statistics 464 Using CLI 465 Viewing LLDP MED Settings 466 Using GUI 466 Using CLI 468 Configuration Examples 469 Example for LLDP 469 Network Re...

Page 14: ...PPoE ID Insertion Overview 496 PPPoE ID Insertion Configuration 497 Using the GUI 497 Using the CLI 498 Appendix Default Parameters 501 Configuring Layer 3 Interfaces Overview 503 Layer 3 Interface Configurations 504 Using the GUI 504 Creating a Layer 3 Interface 504 Configuring IPv4 Parameters of the Interface 506 Configuring IPv6 Parameters of the Interface 507 Viewing Detail Information of the ...

Page 15: ...CLI 526 Viewing Routing Table 527 Using the GUI 527 Viewing IPv4 Routing Table 527 Viewing IPv6 Routing Table 528 Using the CLI 528 Viewing IPv4 Routing Table 528 Viewing IPv6 Routing Table 529 Example for Static Routing 530 Network Requirements 530 Configuration Scheme 530 Using the GUI 530 Using the CLI 532 Configuring DHCP Service DHCP 536 Overview 536 Supported Features 536 DHCP Server Configu...

Page 16: ...61 DHCP L2 Relay Configuration 564 Using the GUI 564 Enabling DHCP L2 Relay 564 Configuring Option 82 for Ports 565 Using the CLI 566 Enabling DHCP L2 Relay 566 Configuring Option 82 for Ports 567 Configuration Examples 570 Example for DHCP Server 570 Network Requirements 570 Configuration Scheme 570 Using the GUI 570 Using the CLI 572 Example for DHCP Interface Relay 572 Network Requirements 572 ...

Page 17: ...ations 607 Using the GUI 607 Viewing the ARP Entries 607 Adding Static ARP Entries Manually 608 Configuring Gratuitous ARP 608 Configuring Proxy ARP 609 Configuring Local Proxy ARP 610 Using the CLI 611 Configuring the ARP Entry 611 Configuring the Gratuitous ARP 613 Configuring Proxy ARP 615 Appendix Default Parameters 618 Configuring QoS QoS 620 Overview 620 Supported Features 620 Class of Servi...

Page 18: ...onfiguring OUI Addresses 653 Configuring Voice VLAN Globally 654 Adding Ports to Voice VLAN 655 Using the CLI 656 Auto VoIP Configuration 659 Using the GUI 659 Using the CLI 660 Configuration Examples 664 Example for Class of Service 664 Network Requirements 664 Configuration Scheme 664 Using the GUI 665 Using the CLI 667 Example for Voice VLAN 669 Network Requirements 669 Configuration Scheme 670...

Page 19: ...nction 708 Configuring the HTTPS Function 710 Configuring the SSH Feature 713 Configuring the Telnet Function 715 Configuring the Serial Port Parameters 715 Appendix Default Parameters 717 Configuring AAA Overview 720 AAA Configuration 721 Using the GUI 722 Adding Servers 722 Configuring Server Groups 724 Configuring the Method List 724 Configuring the AAA Application List 726 Configuring Login Ac...

Page 20: ...r State 756 Using the CLI 757 Configuring the RADIUS Server 757 Configuring 802 1x Globally 759 Configuring 802 1x on Ports 761 Viewing Authenticator State 763 Configuration Example 765 Network Requirements 765 Configuration Scheme 765 Network Topology 765 Using the GUI 766 Using the CLI 768 Appendix Default Parameters 771 Configuring Port Security Overview 773 Port Security Configuration 774 Usin...

Page 21: ...uring Policy 814 Configuring ACL Binding 816 Viewing ACL Counting 817 Configuration Example for ACL 818 Configuration Example for MAC ACL 818 Network Requirements 818 Configuration Scheme 818 Using the GUI 819 Using the CLI 825 Configuration Example for IP ACL 826 Network Requirements 826 Configuration Scheme 827 Using the GUI 827 Using the CLI 833 Configuration Example for Combined ACL 835 Networ...

Page 22: ...iguring ARP Detection on Ports 859 Viewing ARP Statistics 860 Using the CLI 861 Adding IP MAC Binding Entries 861 Enabling ARP Detection 861 Configuring ARP Detection on Ports 863 Viewing ARP Statistics 864 IPv4 Source Guard Configuration 865 Using the GUI 865 Adding IP MAC Binding Entries 865 Configuring IPv4 Source Guard 865 Using the CLI 866 Adding IP MAC Binding Entries 866 Configuring IPv4 So...

Page 23: ...ing 890 Binding Entries via DHCPv6 Snooping 891 Viewing Binding Entries 892 ND Detection Configuration 893 Using the GUI 893 Adding IPv6 MAC Binding Entries 893 Enabling ND Detection 893 Configuring ND Detection on Ports 894 Viewing ND Statistics 894 Using the CLI 895 Adding IPv6 MAC Binding Entries 895 Enabling ND Detection 895 Configuring ND Detection on Ports 896 Viewing ND Statistics 897 IPv6 ...

Page 24: ...uration 914 Using the GUI 914 Configuring the Basic DHCPv4 Filter Parameters 914 Configuring Legal DHCPv4 Servers 916 Using the CLI 916 Configuring the Basic DHCPv4 Filter Parameters 916 Configuring Legal DHCPv4 Servers 918 DHCPv6 Filter Configuration 920 Using the GUI 920 Configuring the Basic DHCPv6 Filter Parameters 920 Configuring Legal DHCPv6 Servers 921 Using the CLI 922 Configuring the Basi...

Page 25: ...ng the CLI 936 Appendix Default Parameters 939 Monitoring the System Overview 941 Monitoring the CPU 942 Using the GUI 942 Using the CLI 942 Monitoring the Memory 944 Using the GUI 944 Using the CLI 944 Monitoring Traffic Traffic Monitor 947 Using the GUI 947 Using the CLI 951 Appendix Default Parameters 952 Mirroring Traffic Mirroring 954 Using the GUI 954 Using the CLI 956 Configuration Examples...

Page 26: ...70 Using the GUI 970 Using the CLI 971 Appendix Default Parameters 973 Configuring OAM Ethernet OAM 975 Overview 975 Supported Features 976 Ethernet OAM Configurations 979 Using the GUI 979 Enabling OAM and Configuring OAM Mode 979 Configuring Link Monitoring 980 Configuring RFI 982 Configuring Remote Loopback 983 Viewing OAM Status 984 Using the CLI 986 Enabling OAM and Configuring OAM Mode 986 C...

Page 27: ...ing the GUI 1016 Using the CLI 1018 Appendix Default Parameters 1020 Configuring SNMP RMON SNMP 1022 Overview 1022 Basic Concepts 1022 SNMP Configurations 1026 Using the GUI 1026 Enabling SNMP 1026 Creating an SNMP View 1027 Creating SNMP Communities For SNMP v1 v2c 1028 Creating an SNMP Group For SNMP v3 1029 Creating SNMP Users For SNMP v3 1030 Using the CLI 1031 Enabling SNMP 1031 Creating an S...

Page 28: ...58 Using the CLI 1060 Configuring Statistics 1060 Configuring History 1062 Configuring Event 1063 Configuring Alarm 1064 Configuration Example 1067 Network Requirements 1067 Configuration Scheme 1068 Using the GUI 1068 Using the CLI 1073 Appendix Default Parameters 1079 Diagnosing the Device Network Diagnosing the Device 1084 Using the GUI 1084 Using the CLI 1085 Diagnosing the Network 1086 Using ...

Page 29: ...he Local Logs 1094 Configuring the Remote Logs 1094 Backing up the Logs 1095 Viewing the Log Table 1096 Using the CLI 1097 Configuring the Local Logs 1097 Configuring the Remote Logs 1098 Configuration Example 1100 Network Requirements 1100 Configuration Scheme 1100 Using the GUI 1100 Using the CLI 1101 Appendix Default Parameters 1102 ...

Page 30: ...nge without notice Every effort has been made in the preparation of this document to ensure accuracy of the contents but all statements information and recommendations in this document do not constitute the warranty of any kind express or implied Users must take full responsibility for their application of any products In this Guide the following conventions are used PoE budget calculations are ba...

Page 31: ...e occasions bandwidth ingress ingress rate is used to restrict ingress bandwidth bandwidth egress egress rate is used to restrict egress bandwidth bandwidth ingress ingress rate egress egress rate is used to restrict ingress and egress bandwidth More Information The latest software and documentations can be found at Download Center at https www tp link com support The Installation Guide IG can be ...

Page 32: ...Part 1 Accessing the Switch CHAPTERS 1 Overview 2 Web Interface Access 3 Command Line Interface Access ...

Page 33: ...using the CLI Command Line Interface There are equivalent functions in the web interface and the command line interface while web configuration is easier and more visual than the CLI configuration You can choose the method according to their available applications and preference Note The first time you log in change the password to better protect your network and devices ...

Page 34: ...hat the route between the host PC and the switch is available 2 Launch a web browser The supported web browsers include but are not limited to the following types IE 8 0 9 0 10 0 11 0 Firefox 26 0 27 0 Chrome 32 0 33 0 3 Enter the switch s IP address in the web browser s address bar The switch s default IP address is 192 168 0 1 Figure 2 1 Enter the Switch s IP Address in the Browser 4 Enter the u...

Page 35: ...fall into two types the running configuration file and the start up configuration file After you perform configurations on the sub interfaces and click Apply the modifications will be saved in the running configuration file The configurations will be lost when the switch reboots If you need to keep the configurations after the switch reboots please click on the main interface to save the configura...

Page 36: ...HTTP server and HTTPS server to block any access to the web interface Go to SECURITY Access Security HTTP Config disable the HTTP server and click Apply Figure 2 5 Shut Down HTTP Server Go to SECURITY Access Security HTTPS Config disable the HTTPS server and click Apply Figure 2 6 Disbale the HTTPS Server ...

Page 37: ...VLAN 1 with the VLAN interface IP 192 168 0 1 The following example shows how to change the switch s default access IP address 192 168 0 1 1 Go to L3 FEATURES Interface The default access IP address in VLAN 1 in the Interface List Click Edit IPv4 to modify VLAN1 s IP address Figure 2 7 Change VLAN1 s IP Address 2 Choose the IP Address Mode as Static Enter the new access address in the IP Address f...

Page 38: ... and configure the parameters related to the switch s gateway Then click Create Figure 2 9 Configure the Default Gateway Destination Specify the destination as 0 0 0 0 Subnet Mask Specify the subnet mask as 0 0 0 0 Next Hop Configure your desired default gateway as the next hop s IP address Distance Specify the distance as 1 2 Click to save the settings 3 Check the routing table to verify the defa...

Page 39: ...thod list Method Using Port Typical Applications Console Console port connected directly Hyper Terminal Telnet RJ 45 port CMD SSH RJ 45 port Putty 3 1 Console Login only for switch with console port Follow these steps to log in to the switch via the Console port 1 Connect the PC or terminal to the Console port on the switch with the serial cable 2 Start the terminal emulation program such as the H...

Page 40: ...n Window Note The first time you log in change the password to better protect your network and devices 4 Enter enable to enter the User EXEC Mode to further configure the switch Figure 3 2 User EXEC Mode Note In Windows XP go to Start All Programs Accessories Communications Hyper Terminal to open the Hyper Terminal and configure the above settings to log in to the switch ...

Page 41: ...e 3 3 Open the CMD Window 2 Type in telnet 192 168 0 1 in the CMD window and press Enter Figure 3 4 Log In to the Switch 3 Type in the login username and password both admin by default Press Enter and you will enter User EXEC Mode Figure 3 5 Enter User EXEC Mode Note The first time you log in change the password to better protect your network and devices 4 Type in enable command and you will enter...

Page 42: ...tion Mode Recommended A public key for the switch and a private key for the client software PuTTY are required You can generate the public key and the private key through the PuTTY Key Generator Before logging in via SSH follow the steps below to enable SSH on the terminal emulation program Figure 3 7 Enable SSH Password Authentication Mode 1 Open PuTTY and go to the Session page Enter the IP addr...

Page 43: ... 9 Log In to the Switch Note The first time you log in change the password to better protect your network and devices Key Authentication Mode 1 Open the PuTTY Key Generator In the Parameters section select the key type and enter the key length In the Actions section click Generate to generate a public private key pair In the following figure an SSH 2 RSA key pair is generated and the length of eac...

Page 44: ... be between 512 and 3072 bits You can accelerate the key generation process by moving the mouse quickly and randomly in the Key section 2 After the keys are successfully generated click Save public key to save the public key to a TFTP server click Save private key to save the private key to the host PC Figure 3 11 Save the Generated Keys ...

Page 45: ... CLI v1 corresponds to SSH 1 RSA and v2 corresponds to SSH 2 RSA and SSH 2 DSA The key downloading process cannot be interrupted 4 After the public key is downloaded open PuTTY and go to the Session page Enter the IP address of the switch and select SSH as the Connection type keep the default value in the Port field Figure 3 13 Configure the Host Name and Connection Type 5 Go to Connection SSH Aut...

Page 46: ...ring the password the key authentication completed successfully Figure 3 15 Log In to the Switch Note The first time you log in change the password to better protect your network and devices 3 4 Disable Telnet login You can shut down the Telnet function to block any Telnet access to the CLI interface Using the GUI Go to SECURITY Access Security Telnet Config disable the Telnet function and click A...

Page 47: ...CURITY Access Security SSH Config disable the SSH server and click Apply Figure 3 17 Shut down SSH server Using the CLI Switch configure Switch config no ip ssh server 3 6 Copy running config startup config The switch s configuration files fall into two types the running configuration file and the start up configuration file After you enter each command line the modifications will be saved in the ...

Page 48: ...ault all the ports belong to VLAN 1 with the VLAN interface IP 192 168 0 1 24 In the following example we will show how to replace the switch s default access IP address 192 168 0 1 24 with 192 168 0 10 24 Switch configure Switch config interface vlan 1 Switch config if ip address 192 168 0 10 255 255 255 0 The connection will be interrupted and you should telnet to the switch s new IP address 192...

Page 49: ...figurations 3 User Management Configurations 4 System Tools Configurations 5 EEE Configuration 6 PoE Configurations Only for Certain Devices 7 SDM Template Configuration 8 Time Range Configuration 9 Example for PoE Configurations 10 Appendix Default Parameters ...

Page 50: ... of the switch backup and restore the configurations update the firmware reset the switch and reboot the switch EEE EEE Energy Efficient Ethernet is used to save power consumption of the switch during periods of low data activity You can simply enable this feature on ports to allow power reduction PoE Note Only T2600G 28MPS supports PoE feature Power over Ethernet PoE is a remote power supply func...

Page 51: ...ce PD is a device receiving power from the PSE for example IP phones and access points According to whether PDs comply with IEEE standard they can be classified into standard PDs and non standard PDs Only standard PDs can be powered via TP Link PoE switches SDM Template SDM Switch Database Management Template is used to prioritize hardware resources for certain features The switch provides three t...

Page 52: ...ch Viewing the Port Status In the Port Status section you can view the status and bandwidth utilization of each port Figure 2 1 Viewing the System Summary The following table introduces the meaning of each port status Port Status Indication Indicates that the corresponding 1000Mbps port is not connected to a device Indicates that the corresponding 1000Mbps port is at the speed of 1000Mbps Indicate...

Page 53: ...ation Indication Port Displays the port number Type Displays the type of the port Speed Displays the maximum transmission rate and duplex mode of the port Status Displays the connection status of the port You can click a port to view the bandwidth utilization on this port Figure 2 3 Bnadwidth Utilization RX Displays the bandwidth utilization of receiving packets on this port ...

Page 54: ...iption Displays the system description of the switch Device Name Displays the name of the switch You can edit it on the Device Description page Device Location Displays the location of the switch You can edit it on the Device Description page Contact Information Displays the contact information of the switch You can edit it on the Device Description page Hardware Version Displays the hardware vers...

Page 55: ...bled You can click Settings to jump to the IGMP Snooping configuration page SNMP Displays whether SNMP is enabled You can click Settings to jump to the SNMP configuration page Spanning Tree Displays whether Spanning Tree is enabled You can click Settings to jump to the Spanning Tree configuration page DHCP Relay Displays whether DHCP Relay is enabled You can click Settings to jump to the DHCP Rela...

Page 56: ...vice Description section configure the following parameters Device Name Specify a name for the switch Device Location Enter the location of the switch System Contact Enter the contact information 2 Click Apply 2 1 3 Configuring the System Time Choose the menu SYSTEM System Info System Time to load the following page Figure 2 6 Configuring the System Time In the Time Info section you can view the c...

Page 57: ... the switch to the internet first Time Zone Select your local time zone Primary Server Enter the IP Address of the primary NTP server Secondary Server Enter the IP Address of the secondary NTP server Once the primary NTP server is down the EAP can get the system time from the secondary NTP server Update Rate Specify the interval the switch fetching time from NTP server which ranges from 1 to 24 ho...

Page 58: ... clock forward by Start Time Specify the start time of Daylight Saving Time The interval between start time and end time should be more than 1 day and less than 1 year 365 days End Time Specify the end time of Daylight Saving Time The interval between start time and end time should be more than 1 day and less than 1 year 365 days Date Mode If you select Date Mode specify an absolute time range for...

Page 59: ...2 LinkDown N A N A N A Disable Copper Gi1 0 3 LinkUp 1000M Full Disable Disable Copper Switch show system info System Description JetStream 24 Port Gigabit L2 Managed Switch with 4 SFP Slots System Name T2600G 28TS System Location SHENZHEN Contact Information www tp link com Hardware Version T2600G 28TS 3 0 Software Version 3 0 0 Build 20170820 Rel 65183 s Bootloader Version TP LINK BOOTUTIL v1 0 ...

Page 60: ...em info Verify the system information including system Description Device Name Device Location System Contact Hardware Version Firmware Version System Time Run Time and so on Step 6 end Return to privileged EXEC mode Step 7 copy running config startup config Save the settings in the configuration file The following example shows how to set the device name as Switch_A set the location as BEIJING an...

Page 61: ...e switch to the internet first system time ntp timezone ntp server backup ntp server fetching rate timezone Enter your local time zone which ranges from UTC 12 00 to UTC 13 00 The detailed information of each time zone are displayed as follows UTC 12 00 TimeZone for International Date Line West UTC 11 00 TimeZone for Coordinated Universal Time 11 UTC 10 00 TimeZone for Hawaii UTC 09 00 TimeZone fo...

Page 62: ... Brisbane UTC 11 00 TimeZone for Solomon Is New Caledonia Vladivostok UTC 12 00 TimeZone for Fiji Magadan Auckland Welington UTC 13 00 TimeZone for Nuku alofa Samoa ntp server Specify the IP address of the primary NTP server backup ntp server Specify the IP address of the backup NTP server fetching rate Specify the interval fetching time from the NTP server Step 3 Use the following command to veri...

Page 63: ...mode Step 2 Use the following command to select a predefined Daylight Saving Time configuration system time dst predefined USA Australia Europe New Zealand Specify the Daylight Saving Time using a predefined schedule USA Australia Europe New Zealand Select one mode of Daylight Saving Time USA 02 00 a m on the Second Sunday in March 02 00 a m on the First Sunday in November Australia 02 00 a m on t...

Page 64: ...ec etime Enter the end time of Daylight Saving Time in the format of HH MM offset Enter the offset of Daylight Saving Time The default value is 60 Use the following command to set the Daylight Saving Time in date mode system time dst date smonth sday stime syear emonth eday etime eyear offset Specify the Daylight Saving Time in Date mode smonth Enter the start month of Daylight Saving Time There a...

Page 65: ...set the end time as 01 00 September 1st 2017 and set the offset as 50 Switch configure Switch config system time dst date Aug 1 01 00 2017 Sep 1 01 00 2017 50 Switch config show system time dst DST starts at 01 00 00 on Aug 1 2017 DST ends at 01 00 00 on Sep 1 2017 DST offset is 50 minutes DST configuration is one off Switch config end Switch copy running config startup config ...

Page 66: ...s account are both admin You can also create more Admin accounts If you create Operator Power User or User accounts you need go to the AAA section to create an Enable Password If needed these types of users can use the Enable Password to change their access level to Admin 3 1 1 Creating Accounts Choose the menu SYSTEM User Management User Config to load the following page Figure 3 1 User Config Pa...

Page 67: ...w all the settings of different functions Operator Operator can edit modify and view most of the settings of different functions Power User Power User can edit modify and view some of the settings of different functions User User can only view the settings without the right to edit or modify Password Specify a password for the account It contains 6 31 alphanumeric characters case sensitive and sym...

Page 68: ...ive privileges 3 2 Using the CLI There are four types of user accounts with different access levels Admin Operator Power User and User There is a default Admin account which cannot be deleted The default username and password of this account are both admin You can also create more Admin accounts If you create Operator Power User or User accounts you need go to the AAA section to create an Enable P...

Page 69: ...another switch s configuration file After the encrypted password is configured you should use the corresponding unencrypted password to reenter this mode Use the following command to create an account MD5 encrypted user name name privilege admin operator power_user user secret 0 password 5 encrypted password Create an account whose access level is Admin name Enter a user name for users login It co...

Page 70: ... password Enter a symmetric encrypted password with fixed length which you can copy from another switch s configuration file After the encrypted password is configured you should use the corresponding unencrypted password to reenter this mode Use the following command to create an enable password unencrypted or MD5 encrypted enable admin secret 0 password 5 encrypted password Create an Enable Pass...

Page 71: ... get the administrative privileges The following example shows how to create a uesr with the access level of Operator set the username as user1 and password as 123 and set the enable password as abc123 Switch configure Switch config user name user1 privilege operator password 123 Switch config enable admin password abc123 Switch config show user account list Index User Name User Type 1 user1 Opera...

Page 72: ... boot file Restore the configuration of the switch Back up the configuration file Upgrade the firmware Configure DHCP Auto Install Reboot the switch Reset the switch 4 1 Using the GUI 4 1 1 Configuring the Boot File Choose the menu SYSTEM System Tools Boot Config to load the following page Figure 4 1 Configuring the Boot File ...

Page 73: ... not be the same Current Startup Config Displays the current startup configuration Next Startup Config Specify the next startup configuration When the switch is powered on it will try to start up with the next startup configuration The next startup configuration and backup configuration should not be the same Backup Config Specify the backup configuration When the switch fails to start up with the...

Page 74: ...ported 3 Choose whether to reboot the switch after restoring is completed Only after the switch is rebooted will the imported configuration take effect 4 Click Import to import the configuration file Note It will take some time to restore the configuration Please wait without any operation 4 1 3 Backing up the Configuration File Choose the menu SYSTEM System Tools Backup Config to load the followi...

Page 75: ...teps to upgrade the firmware of the switch 1 Click Browse and select the proper firmware upgrade file 2 Choose whether to reboot the switch after upgrading is completed Only after the switch is rebooted will the new firmware take effect 3 Click Upgrade to upgrade the system Note It will take some time to upgrade the switch Please wait without any operation It is recommended to backup your configur...

Page 76: ...r the next reboot Auto Reboot Mode Enable or disable Auto Reboot Mode With this mode enabled the switch will reboot automatically once the auto install process is completed Auto Install Retry Count Specify how many times the switch can try to get the configuration file or image file from the TFTP server in one cycle If the number of tries has reached this limit the switch will wait for 10 minutes ...

Page 77: ...ect the desired unit 2 Choose whether to save the current configuration before reboot 3 Click Reboot Configuring Reboot Schedule Choose the menu SYSTEM System Tools System Reboot Reboot Schedule to load the following page Figure 4 7 Configuring the Reboot Schedule Follow these steps to configure the reboot schedule 1 Enable Reboot Schedule and select one time schedule for the switch to reboot Time...

Page 78: ...n click Delete and the configurations will be empty 4 1 7 Reseting the Switch Choose the menu SYSTEM System Tools System Reset to load the following page Figure 4 8 Reseting the Switch Follow these steps to reset the switch 1 In the System Reset section select the desired unit 2 Choose whether to maintain the IP address of selected unit when resetting 3 Click Reset After reset all configurations o...

Page 79: ...e configuration file Step 4 show boot Verify the boot configuration of the system Step 5 end Return to privileged EXEC mode Step 6 copy running config startup config Save the settings in the configuration file The following example shows how to set the next startup image as image1 the backup image as image2 the next startup configuration file as config1 and the backup configuration file as config2...

Page 80: ...e the configuration file named file1 from the TFTP server with IP address 192 168 0 100 Switch enable Switch copy tftp startup config ip address 192 168 0 100 filename file1 Start to load user config file Operation OK Now rebooting system 4 2 3 Backing up the Configuration File Follow these steps to back up the current configuration of the switch in a file Step 1 enable Enter privileged mode Step ...

Page 81: ... TFTP server is 190 168 0 100 Switch enable Switch firmware upgrade ip address 192 168 0 100 filename file3 bin It will only upgrade the backup image Continue Y N Y Operation OK Reboot with the backup image Y N Y 4 2 5 Configuring DHCP Auto Install This feature is used to download configuration files and images from the TFTP server automatically It requires a TFTP server and a DHCP server that sup...

Page 82: ...nd Return to privileged EXEC mode Step 8 copy running config startup config Save the settings in the configuration file Note The switch will obtain a new IP address from the DHCP server during the process of Auto Install If you want to access to the switch you should check the new IP address on the DHCP server If the Auto Install process fails the switch will restart the process every 10 minutes Y...

Page 83: ...onfiguration file before the switch reboots To make this schedule recur you can add this part to the command Use the following command to set the special time of reboot reboot schedule at time date save_before_reboot Optional Specify the reboot schedule time Specify the time for the switch to reboot in the format of HH MM date Specify the date for the switch to reboot in the format of DD MM YYYY T...

Page 84: ...eting the Switch Follow these steps to reset the switch Step 1 enable Enter privileged mode Step 2 reset except ip Reset the switch and all configurations of the switch will be reset to the factory defaults except ip To maintain the IP address when resetting the switch add this part to the command Follow these steps to disable the reset function of console port or reset button Step 1 configure Ent...

Page 85: ...ports to be configured 2 Enable or disable EEE on the selected port s 3 Click Apply 5 1 Using the CLI Follow these steps to configure EEE Step 1 configure Enter global configuration mode Step 2 interface fastEthernet port range fastEthernet port list gigabitEthernet port range gigabitEthernet port list ten gigabitEthernet port range ten gigabitEthernet port list Enter interface configuration mode ...

Page 86: ... the settings in the configuration file The following example shows how to enable the EEE feature on port 1 0 1 Switch config Switch config interface gigabitEthernet 1 0 1 Switch config if eee Switch config if show interface eee Port EEE status Gi1 0 1 Enable Gi1 0 2 Disable Switch config if end Switch copy running config startup config ...

Page 87: ...feature With the PoE feature you can Configure the PoE parameters manually Configure the PoE parameters using the profile You can configure the PoE parameters one by one via configuring the PoE parameters manually You can also set a profile with the desired parameters and bind the profile to the corresponding ports to quickly configure the PoE parameters ...

Page 88: ...Follow these steps to configure the basic PoE parameters 1 In the PoE Config section you can view the current PoE parameters System Power Limit w Displays the maximum power the PoE switch can supply System Power Consumption w Displays the real time system power consumption of the PoE switch System Power Remain w Displays the real time system remaining power of the PoE switch In addition you can cl...

Page 89: ...her PDs Power Limit Specify the maximum power the corresponding port can supply The following options are provided Auto The switch will allocate a value as the maximum power that the port can supply automatically Class1 The maximum power that the port can supply is 4W Class2 The maximum power that the port can supply is 7W Class3 The maximum power that the port can supply is 15 4W Class4 The maxim...

Page 90: ...odify PoE status PoE priority or power limit manually For how to create a profile refer to Configuring the PoE Parameters Using the Profile Power w Displays the port s real time power supply Current mA Displays the port s real time current Voltage v Displays the port s real time voltage PD Class Displays the class the linked PD belongs to Power Status Displays the port s real time power status ...

Page 91: ...ty level for the PoE profile The following options are provided High Middle and Low When the supply power exceeds the system power limit the switch will power off PDs on low priority ports to ensure stable running of other PDs Power Limit Specify the maximum power the port can supply for the PoE profile The following options are provided Auto The switch will allocate a value as the maximum power t...

Page 92: ...hese steps to bind the profile to the corresponding ports 1 In the PoE Config section you can view the current PoE parameters System Power Limit w Displays the maximum power the PoE switch can supply System Power Consumption w Displays the real time system power consumption of the PoE switch System Power Remain w Displays the real time system remaining power of the PoE switch In addition you can c...

Page 93: ...ing port When the supply power exceeds the system power limit the switch will power off PDs on low priority ports to ensure stable running of other PDs Power Limit Displays the maximum power the corresponding port can supply Power Limit Value 0 1W 30 0W Displays the power limit value Time Range Select a time range then the port will supply power only during the time range For how to create a time ...

Page 94: ...or the corresponding port low middle high Select the priority level for the corresponding port When the supply power exceeds the system power limit the switch will power off PDs on low priority ports to ensure stable running of other PDs The default setting is low Step 6 power inline consumption power limit auto class1 class2 class3 class4 Specify the maximum power the corresponding port can suppl...

Page 95: ... 0 1 3 1 0 5 Step 11 end Return to privileged EXEC mode Step 12 copy running config startup config Save the settings in the configuration file The following example shows how to set the system power limit as 160W Set the priority as middle and set the power limit as class3 for the port 1 0 5 Switch configure Switch config power inline consumption 160 Switch config interface gigabitEthernet 1 0 5 S...

Page 96: ...o 16 characters If the name contains spaces enclose the name in double quotes enable disable Specify the PoE status for the profile By default it is enable low middle high Select the priority level for the profile When the supply power exceeds the system power limit the switch will power off PDs on low priority ports to ensure stable running of other PDs power limit auto class1 class2 class3 class...

Page 97: ...he PoE configuration of the corresponding port port Specify the Ethernet port number for example 1 0 1 port list Specify the list of Ethernet ports in the format of 1 0 1 3 1 0 5 Step 9 show power inline information interface fastEthernet port port list gigabitEthernet port port list ten gigabitEthernet port port list Verify the real time PoE status of the corresponding port port Specify the Ether...

Page 98: ...if power inline profile profile1 Switch config if show power inline configuration interface gigabitEthernet 1 0 6 Interface PoE Status PoE Prio Power Limit w Time Range PoE Profile Gi1 0 6 Enable Middle Class2 No Limit profile1 Switch config if end Switch copy running config startup config ...

Page 99: ...d the following page Figure 7 1 Configuring SDM Template For T2600G 28TS T2600G 28MPS T2600G 28SQ T2600G 52TS Figure 7 2 Configuring SDM Template For T2600G 18TS In SDM Template Config section select one template and click Apply The setting will be effective after the switch is rebooted Current Template Displays the template currently in effect ...

Page 100: ...t for different switch models SDM Template Displays the name of the templates IP ACL Rules Displays the number of IP ACL Rules including Layer 3 ACL Rules and Layer 4 ACL Rules MAC ACL Rules Displays the number of Layer 2 ACL Rules Combined ACL Rules Displays the number of combined ACL rules IPv6 ACL Rules Displays the number of IPv6 ACL rules IPv4 Source Guard Entries Displays the number of IPv4 ...

Page 101: ...ction entries enterpriseV4 Select the template of enterpriseV4 It maximizes system resources for IP ACL rules and MAC ACL rules enterpriseV6 Select the template of enterpriseV4 It allocates resources to IPv6 ACL rules Step 4 end Return to privileged EXEC mode Step 5 copy running config startup config Save the settings in the configuration file The following example shows how to set the SDM templat...

Page 102: ...lowing page Figure 8 1 Configuring Time Range Follow these steps to add time range entries 1 In the Time Range Config section specify a name for the entry and select the Holiday mode Name Specify a name for the entry Holiday Select to include or exclude the holiday in the time range Exclude The time range will not take effect on holiday Include The time range will not be affected by holiday To con...

Page 103: ...ate Date Specify the start date and end date of this time range Time Specify the start time and end time of a day Day of Week Select days of a week as the period of this time range 3 Similarly you can add more entries of period time according to your needs The final period time is the sum of all the periods in the table Click Create ...

Page 104: ... the following page Figure 8 1 Configuring Holiday Configure the following parameters and click Create to add a Holiday entry Holiday Name Specify a name for the entry Start Date Specify the start date of the Holiday time range End Date Specify the end date of the Holiday time range Similarly you can add more Holiday entries The final Holiday time range is the sum of all the entries ...

Page 105: ...y the start date and end date of this time range start date Specify the start date in the format MM DD YYYY end date Specify the end date in the format MM DD YYYY Step 5 periodic start start time end end time day of the week week day Specify days of a week as the period of this time range start time Specify the start end time of a day in the format HH MM end time Specify the end time and end time ...

Page 106: ...tch config time range show time range Time range entry 12 Inactive Time range entry time1 Inactive holiday exclude number of time slice 1 01 10 01 2017 to 10 31 2017 08 00 to 20 00 on 1 2 Switch config time range end Switch copy running config startup config 8 2 2 Configuring Holiday Follow these steps to configure Holiday time range Step 1 configure Enter global configuration mode Step 2 holiday ...

Page 107: ...owing example shows how to create a holiday entry and set the entry name as holiday1 and set start date and end date as 07 01 and 09 01 Switch config Switch config holiday holiday1 start date 07 01 end date 09 01 Switch config show holiday Index Holiday Name Start End 1 holiday1 07 01 09 01 Switch config end Switch copy running config startup config ...

Page 108: ...i1 0 4 Camera1 Camera2 AP1 AP2 Switch A 9 2 Configuring Scheme To implement this requirement you can set a PoE time range as the office time for example from 08 30 to 18 00 on work days Then apply the settings to port 1 0 3 and 1 0 4 Port 1 0 1 and port1 0 2 need to supply power all the time so the time range configurations can be left as the default settings here 9 3 Using the GUI The configurati...

Page 109: ...Configurations Figure 9 2 Creating Time Range 2 Click and the following window will pop up Set Date Time and Day of Week as the following figure shows Click Create Figure 9 3 Creating a Periodic Time 3 Specify a name for the time range Click Create ...

Page 110: ...ons User Guide 81 Figure 9 4 Configuring Time Range 4 Choose the menu SYSTEM PoE PoE Config to load the following page Select port 1 0 3 and set the Time Range as OfficeTime Click Apply Figure 9 5 Configure the Port 5 Click to save the settings ...

Page 111: ...le the PoE function on the port 1 0 3 Specify the basic parameters for the port 1 0 3 and bind the time range office time to the port Switch_A config interface gigabitEthernet 1 0 3 Switch_A config if power inline supply enable Switch_A config if power inline time range office time Switch_A config if end Switch_A copy running config startup config Verify the Configuration Verify the configuration ...

Page 112: ...Managing System Example for PoE Configurations User Guide 83 Interface PoE Status PoE Prio Power Limit w Time Range PoE Profile Gi1 0 3 Enable Low Class4 office time None ...

Page 113: ...g Time Source Manual Table 10 3 Default Settings of Daylight Saving Time Configuration Parameter Default Setting DST status Disabled Default settings of User Management are listed in the following table Table 10 4 Default Settings of User Configuration Parameter Default Setting User Name admin Password admin Access Level Admin Default settings of System Tools are listed in the following table Tabl...

Page 114: ...g table Table 10 7 Default Settings of PoE Configuration Parameter Default Setting PoE Config System Power Limit 384 0W Port Config PoE Status Enabled PoE Priority Low Power Limit 0 1w 30 0w Class 4 Time Range No Limit PoE Profile None Profile Config Profile Name None PoE Status Enabled PoE Priority Low Power Limit Auto Default settings of SDM Template are listed in the following table Table 10 8 ...

Page 115: ...e 86 Managing System Appendix Default Parameters Default settings of Time Range are listed in the following table Table 10 9 Default Settings of Time Range Configuration Parameter Default Setting Holiday Include ...

Page 116: ...aging Physical Interfaces CHAPTERS 1 Physical Interface 2 Basic Parameters Configurations 3 Port Isolation Configurations 4 Loopback Detection Configuration 5 Configuration Examples 6 Appendix Default Parameters ...

Page 117: ...g and inter VLAN routing This chapter introduces the configurations for physical interfaces 1 2 Supported Features The switch supports the following features about physical interfaces Basic Parameters You can configure port status speed mode duplex mode flow control and other basic parameters for ports Port Isolation You can use this feature to restrict a specific port to send packets to only the ...

Page 118: ...then click Apply Jumbo Configure the size of jumbo frames By default it is 1518 bytes Generally the MTU Maximum Transmission Unit size of a normal frame is 1518 bytes If you want the switch supports to transmit frames of which the MTU size is greater than 1518 bytes you can configure the MTU size manually here 2 Select one or more ports to configure the basic parameters Then click Apply UNIT LAGS ...

Page 119: ...on enabled when a device gets overloaded it will send a PAUSE frame to notify the peer device to stop sending data for a specified period of time thus avoiding the packet loss caused by congestion By default it is disabled Note We recommend that you set the ports on both ends of a link as the same speed and duplex mode 2 2 Using the CLI Follow these steps to set basic parameters for the ports Step...

Page 120: ...ode for the port auto full half Duplex mode of the port The device connected to the port should be in the same speed and duplex mode with the port When auto is selected the duplex mode will be determined by auto negotiation flow control Enable the switch to synchronize the data transmission speed with the peer device avoiding the packet loss caused by congestion By default it is disabled Step 5 sh...

Page 121: ... auto Switch config if duplex auto Switch config if flow control Switch config if show interface configuration gigabitEthernet 1 0 1 Port State Speed Duplex FlowCtrl Description Gi1 0 1 Enable Auto Auto Enable router connection Switch config if show jumbo size Global jumbo size 9216 Switch config if end Switch copy running config startup config ...

Page 122: ... limit the data transmitted by a port The isolated port can only send packets to the ports specified in its forwarding Port list Choose the menu L2 FEATURES Switching Port Port Isolation to load the following page Figure 3 1 Port Isolation List The above page displays the port isolation list Click to configure Port Isolation on the following page ...

Page 123: ...olated ports can only communicate with It is multi optional 3 Click Apply 3 2 Using the CLI Follow these steps to configure Port Isolation Step 1 configure Enter global configuration mode Step 2 interface fastEthernet port range fastEthernet port list gigabitEthernet port range gigabitEthernet port list ten gigabitEthernet port ten range gigabitEthernet port list port channel port channel range po...

Page 124: ...rnet port gigabitEthernet port ten gigabitEthernet port port channel port channel Verify the Port Isolation configuration of the specified port Step 5 end Return to privileged EXEC mode Step 6 copy running config startup config Save the settings in the configuration file The following example shows how to add ports 1 0 1 3 and LAG 4 to the forwarding list of port 1 0 5 Switch configure Switch conf...

Page 125: ...re loopback detection is enabled For detailed introductions about storm control refer to Configuring QoS Choose the menu L2 FEATURES Switching Port Loopback Detection to load the following page Figure 4 1 Configuring Loopback Detection Follow these steps to configure loopback detection 1 In the Loopback Detection section enable loopback detection and configure the global parameters Then click Appl...

Page 126: ... loopback detection for the port Operation Mode Select the operation mode when a loopback is detected on the port Alert The Loop Status will display whether there is a loop detected on the corresponding port It is the default setting Port Based In addition to displaying alerts the switch will block the port on which the loop is detected VLAN Based If a loop is detected in a VLAN on that port in ad...

Page 127: ...n gigabitEthernet port ten range gigabitEthernet port list port channel port channel range port channel port channel list Enter interface configuration mode Step 6 loopback detection Enable loopback detection for the port By default it is disabled Step 7 loopback detection config process mode alert port based vlan based recovery mode auto manual Set the process mode when a loopback is detected on ...

Page 128: ...nfig show loopback detection global Loopback detection global status enable Loopback detection interval 30s Loopback detection recovery time 3 intervals Switch config if end Switch copy running config startup config The following example shows how to enable loopback detection of port 1 0 3 and set the process mode as alert and recovery mode as auto Switch configure Switch config interface gigabitE...

Page 129: ...4 Gi1 0 3 Host A Host B Host C Server 5 1 2 Configuration Scheme You can configure port isolation to implement the requirement Set port 1 0 4 as the only forwarding port for port 1 0 1 thus forbidding Host A to forward packets to the other hosts Since communications are bidirectional if you want Host A and the server to communicate normally you also need to add port 1 0 1 as the forwarding port fo...

Page 130: ...Click Edit on the above page to load the following page Select port 1 0 1 as the port to be isolated and select port 1 0 4 as the forwarding port Click Apply Figure 5 3 Port Isolation Configuration 3 Select port 1 0 4 as the port to be isolated and select port 1 0 1 as the forwarding port Click Apply ...

Page 131: ...config interface gigabitEthernet 1 0 1 Switch config if port isolation gi forward list 1 0 4 Switch config if exit Switch config interface gigabitEthernet 1 0 4 Switch config if port isolation gi forward list 1 0 1 Switch config if end Switch copy running config startup config Verify the Configuration Switch show port isolation interface Port LAG Forward List Gi1 0 1 N A Gi1 0 4 ...

Page 132: ...egrading the network performance To reduce the impacts of broadcast storms users need to detect loops in the network via Switch A and timely block the port on which a loop is detected Figure 5 5 Network Topology Switch A Management Host Access layer Switches Gi1 0 1 Gi1 0 2 Loop Gi1 0 3 5 2 2 Configuration Scheme Enable loopback detection on ports 1 0 1 3 and configure SNMP to receive the trap not...

Page 133: ...fault values and click Apply Figure 5 6 Global Configuration 3 In the Port Config section enable ports 1 0 1 3 select the operation mode as Port Based so that the port will be blocked when a loop is detected and keep the recovery mode as Auto so that the port will automatically be recovered to normal status after the auto recovery time Click Apply Figure 5 7 Port Configuration 4 Monitor the detect...

Page 134: ...ig if range loopback detection Switch config if range loopback detection config process mode port based recovery mode auto Switch config if range end Switch copy running config startup config Verify the Configuration Verify the global configuration Switch show loopback detection global Loopback detection global status enable Loopback detection interval 30 s Loopback detection recovery time 90 s Ve...

Page 135: ...Config Jumbo 1518 bytes Type Copper For RJ45 Ports Fiber For SFP Ports Status Enabled Speed Auto For RJ45 Ports 1000M For SFP Ports Duplex Auto For RJ45 Ports Full For SFP Ports Flow Control Disabled Loopback Detection Loopback Detection Status Disabled Detection Interval 30 seconds Auto recovery Time 90 seconds Web Refresh Status Disabled Web Refresh Interval 6 seconds Port Status Disabled Operat...

Page 136: ...Part 4 Configuring LAG CHAPTERS 1 LAG 2 LAG Configuration 3 Configuration Examples 4 Appendix Default Parameters ...

Page 137: ...ackup ports to enhance the connection reliability 1 2 Supported Features You can configure LAG in two ways static LAG and LACP Link Aggregation Control Protocol Static LAG The member ports are manually added to the LAG LACP The switch uses LACP to implement dynamic link aggregation and disaggregation by exchanging LACP packets with its peer device LACP extends the flexibility of the LAG configurat...

Page 138: ... share the bandwidth evenly If an active link fails the other active links share the bandwidth evenly One LACP LAG supports multiple member ports but at most eight of them can work simultaneously and the other member ports are backups Using LACP protocol the switches negotiate parameters and determine the working ports When a working port fails the backup port with the highest priority will replac...

Page 139: ...omputation is based on the destination MAC addresses of the packets SRC MAC DST MAC The computation is based on the source and destination MAC addresses of the packets SRC IP The computation is based on the source IP addresses of the packets DST IP The computation is based on the destination IP addresses of the packets SRC IP DST IP The computation is based on the source and destination IP address...

Page 140: ... one port you can choose only one LAG mode Static LAG or LACP And make sure both ends of a link use the same LAG mode Configuring Static LAG Choose the menu L2 FEATURES Switching LAG Static LAG to load the following page Figure 2 3 Static LAG Follow these steps to configure the static LAG 1 Select an LAG for configuration Group ID Select an LAG for static LAG configuration Description Displays the...

Page 141: ...he switch A smaller value means a higher priority To keep active ports consistent at both ends you can set the system priority of one device to be higher than that of the other device The device with higher priority will determine its active ports and the other device can select its active ports according to the selection result of the device with higher priority If the two ends have the same syst...

Page 142: ...he same priority value the port with a smaller port number has the higher priority Mode Select the LACP mode for the port In LACP the switch uses LACPDU Link Aggregation Control Protocol Data Unit to negotiate the parameters with the peer end In this way the two ends select active ports and form the aggregation link The LACP mode determines whether the port will take the initiative to send the LAC...

Page 143: ...rc dst ip The computation is based on the source and destination IP addresses of the packets Step 3 show etherchannel load balance Verify the configuration of load balancing algorithm Step 4 end Return to privileged EXEC mode Step 5 copy running config startup config Save the settings in the configuration file The following example shows how to set the global load balancing mode as src dst mac Swi...

Page 144: ...of the LAG Step 5 end Return to privileged EXEC mode Step 6 copy running config startup config Save the settings in the configuration file The following example shows how to add ports1 0 5 8 to LAG 2 and set the mode as static LAG Switch configure Switch config interface range gigabitEthernet 1 0 5 8 Switch config if range channel group 2 mode on Switch config if range show etherchannel 2 summary ...

Page 145: ...ace configuration mode Step 4 channel group num mode active passive Add the port to an LAG and set the mode as LACP num The group ID of the LAG mode LAG mode Here you need to select LACP mode active or passive In LACP the switch uses LACPDU Link Aggregation Control Protocol Data Unit to negotiate the parameters with the peer end In this way the two ends select active ports and form the aggregation...

Page 146: ...LACP and select the LACPDU sending mode as active Switch configure Switch config interface range gigabitEthernet 1 0 1 4 Switch config if range channel group 6 mode active Switch config if range show lacp internal Flags S Device is requesting Slow LACPDUs F Device is requesting Fast LACPDUs A Device is in active mode P Device is in passive mode Channel group 6 Port Flags State LACP Port Priority A...

Page 147: ...ndle multiple physical ports into one logical interface to increase bandwidth and improve reliability In this case we can configure static LAG to meet the requirement The overview of the configuration is as follows 1 Considering there are multiple devices on each end configure the load balancing algorithm as SRC MAC DST MAC 2 Add ports 1 0 1 8 to a static LAG Demonstrated with T2600G 28TS the foll...

Page 148: ...re similar The following introductions take switch A as an example 1 Configure the load balancing algorithm as src dst mac Switch configure Switch config port channel load balance src dst mac 2 Add ports 1 0 1 8 to static LAG 1 Switch config interface range gigabitEthernet 1 0 1 8 Switch config if range channel group 1 mode on Switch config if end Switch copy running config startup config Verify t...

Page 149: ... 1 Gi1 0 10 Gi1 0 10 Servers 3 2 2 Configuration Scheme LAG function can bundle multiple physical ports into one logical interface to increase bandwidth and improve reliability We can configure LACP to meet the requirement The overview of the configuration is as follows 1 Considering there are multiple devices on each end configure the load balancing algorithm as SRC MAC DST MAC 2 Specify the syst...

Page 150: ...e 3 5 Global Configuration 2 Choose the menu L2 FEATURES Switching LAG LACP Config to load the following page In the Global Config section specify the system priority of Switch A as 0 and Click Apply Remember to ensure that the system priority value of Switch B is bigger than 0 Figure 3 6 System Priority Configuration 3 In the LACP Config section select ports 1 0 1 10 and respectively set the stat...

Page 151: ...active Switch config if range lacp port priority 0 Switch config if range exit 4 Add port 1 0 9 to LAG 1 and set the mode as LACP Then specify the port priority as 1 to set it as a backup port When any of the active ports is down this port will be preferentially selected to work as an active port Switch config interface gigabitEthernet 1 0 9 Switch config if channel group 1 mode active Switch conf...

Page 152: ...is in passive mode Channel group 1 Port Flags State LACP Port Priority Admin Key Oper Key Port Number Port State Gi1 0 1 SA Down 0 0x1 0 0x1 0x45 Gi1 0 2 SA Down 0 0x1 0 0x2 0x45 Gi1 0 3 SA Down 0 0x1 0 0x3 0x45 Gi1 0 4 SA Down 0 0x1 0 0x4 0x45 Gi1 0 5 SA Down 0 0x1 0 0x5 0x45 Gi1 0 6 SA Down 0 0x1 0 0x6 0x45 Gi1 0 7 SA Down 0 0x1 0 0x7 0x45 Gi1 0 8 SA Down 0 0x1 0 0x8 0x45 Gi1 0 9 SA Down 1 0x1 0...

Page 153: ...ult Parameters Default settings of Switching are listed in the following tables Table 4 1 Default Settings of LAG Parameter Default Setting LAG Table Hash Algorithm SRC MAC DST MAC LACP Config System Priority 32768 Admin Key 0 Port Priority 32768 Mode Passive Status Disabled ...

Page 154: ...Part 5 Configuring DDM Only for Certain Devices CHAPTERS 1 Overview 2 DDM Configuration 3 Appendix Default Parameters ...

Page 155: ...M Digital Diagnostic Monitoring function is used to monitor the status of the SFP modules inserted into the SFP ports on the switch The user can choose to shut down the monitored SFP port automatically when the specified parameter exceeds the alarm threshold or warning threshold The monitored parameters include Temperature Voltage Bias Current Tx Power and Rx Power ...

Page 156: ...re DDM Globally Follow these steps to configure the DDM parameters on SFP ports 1 In the Port Config section select one or multiple SFP ports to configure DDM parameters DDM Status Enable or disable DDM feature on the SFP port Shutdown Specify whether to shut down the port when the alarm threshold or warning threshold is exceeded Alarm Shut down the port when the alarm threshold is exceeded Warnin...

Page 157: ... When the operating parameter rises above this value action associated with the alarm will be taken The valid values are from 128 to 127 996 Low Alarm Specify the low temperature threshold for the alarm When the operating parameter falls below this value action associated with the alarm will be taken The valid values are from 128 to 127 996 High Warning Specify the high temperature threshold for t...

Page 158: ... from 0 to 6 5535 Low Alarm Specify the low voltage threshold for the alarm When the operating parameter falls below this value action associated with the alarm will be taken The valid values are from 0 to 6 5535 High Warning Specify the high voltage threshold for the warning When the operating parameter rises above this value action associated with the warning will be taken The valid values are f...

Page 159: ...id values are from 0 to 131 Low Alarm Specify the low bias current threshold for the alarm When the operating parameter falls below this value action associated with the alarm will be taken The valid values are from 0 to 131 High Warning Specify the high bias current threshold for the warning When the operating parameter rises above this value action associated with the warning will be taken The v...

Page 160: ...e from 0 to 6 5535 Low Alarm Specify the low Rx power threshold for the alarm When the operating parameter falls below this value action associated with the alarm will be taken The valid values are from 0 to 6 5535 High Warning Specify the high Rx power threshold for the warning When the operating parameter rises above this value action associated with the warning will be taken The valid values ar...

Page 161: ...e from 0 to 6 5535 Low Alarm Specify the low Tx power threshold for the alarm When the operating parameter falls below this value action associated with the alarm will be taken The valid values are from 0 to 6 5535 High Warning Specify the high Tx power threshold for the warning When the operating parameter rises above this value action associated with the warning will be taken The valid values ar...

Page 162: ... current Tx power of the SFP module inserted into this port Rx Power The current Rx power of the SFP module inserted into this port Data Ready Indicates whether SFP module is operational The values are True and False Loss of Signal Reports local SFP module signal loss The values are True and False Transmit Fault Reports remote SFP module signal loss The values are True False and No Signal 2 2 Usin...

Page 163: ...n Gi1 0 25 Enable None Switch config if end Switch copy running config startup config 2 2 2 Configuring DDM Shutdown Follow these steps to configure settings for shutting down SFP ports when the alarm threshold or warning threshold is exceeded Step 1 configure Enter global configuration mode Step 2 interface fastEthernet port range fastEthernet port list gigabitEthernet port range gigabitEthernet ...

Page 164: ...itEthernet 1 0 25 Switch config if ddm shutdown warning Switch config if show ddm configuration state DDM Status Shutdown Gi1 0 25 Enable Warning Switch config if end Switch copy running config startup config 2 2 3 Configuring the Threshold Configuring Temperature Threshold Follow these steps to configure the threshold of the DDM temperature on the specified SFP port Step 1 configure Enter global ...

Page 165: ...the warning When the operating parameter falls below this value action associated with the warning will be taken value Enter the threshold value in Celsius The valid values are from 128 to 127 996 Step 4 show ddm configuration temperature Display the DDM temperature threshold on the SFP ports Step 5 end Return to Privileged EXEC Mode Step 6 copy running config startup config Save the settings in t...

Page 166: ... value action associated with the warning will be taken low_alarm Specify the low threshold for the alarm When the operating parameter falls below this value action associated with the alarm will be taken low_warning Specify the low threshold for the warning When the operating parameter falls below this value action associated with the warning will be taken value Enter the threshold value in V The...

Page 167: ...operating parameter rises above this value action associated with the warning will be taken low_alarm Specify the low threshold for the alarm When the operating parameter falls below this value action associated with the alarm will be taken low_warning Specify the low threshold for the warning When the operating parameter falls below this value action associated with the warning will be taken valu...

Page 168: ... the high threshold for the warning When the operating parameter rises above this value action associated with the warning will be taken low_alarm Specify the low threshold for the alarm When the operating parameter falls below this value action associated with the alarm will be taken low_warning Specify the low threshold for the warning When the operating parameter falls below this value action a...

Page 169: ...erating parameter rises above this value action associated with the alarm will be taken high_warning Specify the high threshold for the warning When the operating parameter rises above this value action associated with the warning will be taken low_alarm Specify the low threshold for the alarm When the operating parameter falls below this value action associated with the alarm will be taken low_wa...

Page 170: ...emperature voltage bias_current tx_power rx_power state Displays the DDM configuration state temperature Displays the threshold of the DDM temperature value voltage Displays the threshold of the DDM voltage value bias_current Displays the threshold of the DDM bias current value tx_power Displays the threshold of the DDM Tx Power value rx_power Displays the threshold of the DDM Rx Power value Step ...

Page 171: ...inserted into the switch s SFP ports Step 1 configure Enter global configuration mode Step 2 show ddm status Displays all the monitoring status of SFP modules Step 3 end Return to Privileged EXEC Mode The following example shows how to view SFP ports DDM status Switch configure Switch config show ddm status Temperature C Voltage V Bias Current mA Tx Power mW Rx Power mW Data Ready Rx Los Tx Fault ...

Page 172: ...ix Default Parameters Default settings of DDM are listed in the following table Table 3 1 Default Settings of DDM Parameter Default Setting DDM Status Enabled All the SFP ports are being monitored Shutdown None The port will not be shut down even if the alarm or warning threshold is exceeded ...

Page 173: ...Part 6 Managing MAC Address Table CHAPTERS 1 MAC Address Table 2 Address Configurations 3 Security Configurations 4 Example for Security Configurations 5 Appendix Default Parameters ...

Page 174: ...ble of the switch contains dynamic addresses static addresses and filtering addresses Furthermore you can configure notification traps and limit the number of MAC addresses in a VLAN for traffic safety Address Configurations Dynamic address Dynamic addresses are addresses learned by the switch automatically and the switch regularly ages out those that are not in use That is the switch removes the ...

Page 175: ...tifications of the usage of the MAC address table and the MAC address change activity For example you can configure the switch to send notifications when a new MAC address is learned so the administrator knows a new users accesses the network Limiting the Number of MAC Addresses in VLANs You can configure VLAN Security to limit the number of MAC addresses that can be learned in specified VLANs The...

Page 176: ...ddress entries View address table entries 2 1 Using the GUI 2 1 1 Adding Static MAC Address Entries You can add static MAC address entries by manually specifying the desired MAC address or binding dynamic MAC address entries Adding MAC Addresses Manually Choose the menu L2 FEATURES Switching MAC Address Static Address and click to load the following page Figure 2 1 Adding MAC Addresses Manually ...

Page 177: ...static MAC address if the corresponding port number of the MAC address is not correct or the connected port or the device has been changed the switch cannot forward the packets correctly Please reset the static address entry appropriately 2 Click Create Binding Dynamic Address Entries If some dynamic address entries are frequently used you can bind these entries as static entries Choose the menu L...

Page 178: ...s Entries Follow these steps to modify the aging time of dynamic address entries 1 In the Aging Config section enable Auto Aging and enter your desired length of time Auto Aging Enable Auto Aging then the switch automatically updates the dynamic address table with the aging mechanism By default it is enabled Aging Time Set the length of time that a dynamic entry remains in the MAC address table af...

Page 179: ... and VLAN ID MAC Address Specify the MAC address to be used by the switch to filter the received packets VLAN ID Specify an existing VLAN in which packets with the specific MAC address are dropped 2 Click Create Note In the same VLAN once an address is configured as a filtering address it cannot be set as a static address and vice versa Multicast or broadcast addresses cannot be set as filtering a...

Page 180: ... static mac addr vid vid interface fastEthernet port gigabitEthernet port ten gigabitEthernet port Bind the MAC address VLAN and port together to add a static address to the VLAN mac addr Enter the MAC address and packets with this destination address received in the specified VLAN are forwarded to the specified port The format is xx xx xx xx xx xx for example 00 00 00 00 00 01 vid Specify an exis...

Page 181: ...MAC address entry with MAC address 00 02 58 4f 6c 23 VLAN 10 and port 1 When a packet is received in VLAN 10 with this address as its destination the packet will be forwarded only to port 1 0 1 Switch configure Switch config mac address table static 00 02 58 4f 6c 23 vid 10 interface gigabitEthernet 1 0 1 Switch config show mac address table static MAC Address Table MAC VLAN Port Type Aging 00 02 ...

Page 182: ...s after the entry is used or updated Switch configure Switch config mac address table aging time 500 Switch config show mac address table aging time Aging time is 500 sec Switch config end Switch copy running config startup config 2 2 3 Adding MAC Filtering Address Entries Follow these steps to add MAC filtering address entries Step 1 configure Enter global configuration mode Step 2 mac address ta...

Page 183: ... how to add the MAC filtering address 00 1e 4b 04 01 5d to VLAN 10 Then the switch will drop the packet that is received in VLAN 10 with this address as its source or destination Switch configure Switch config mac address table filtering 00 1e 4b 04 01 5d vid 10 Switch config show mac address table filtering MAC Address Table MAC VLAN Port Type Aging 00 1e 4b 04 01 5d 10 filter no aging Total MAC ...

Page 184: ...ations of the MAC address table you can Configure MAC notification traps Limit the number of MAC addresses in VLANs 3 1 Using the GUI 3 1 1 Configuring MAC Notification Traps Choose the menu L2 FEATURES Switching MAC Address MAC Notification to load the following page Figure 3 1 Configuring MAC Notification Traps ...

Page 185: ...y Learned Mode Change Enable Learned Mode Change and when the learned mode of the specified port is changed a notification will be generated and sent to the management host New MAC Learned Enable New MAC Learned and when the specified port learns a new MAC address a notification will be generated and sent to the management host 3 Configure SNMP and set a management host For detailed SNMP configura...

Page 186: ... of MAC addresses in the specific VLAN It ranges from 0 to 16383 You can control the available address table space by setting maximum learned MAC number for VLANs However an improper maximum number can cause unnecessary floods in the network or a waste of address table space Therefore before you set the number limit please be sure you are familiar with the network topology and the switch system co...

Page 187: ...ses in the specified VLAN is exceeded Forward Packets of new source MAC addresses will be forwarded but the addresses will not be learned when the maximum number of MAC addresses in the specified VLAN is exceeded 4 Click Create 3 2 Using the CLI 3 2 1 Configuring MAC Notification Traps Follow these steps to configure MAC notification traps Step 1 configure Enter global configuration mode Step 2 ma...

Page 188: ...ns a new MAC address a notification will be generated and sent to the management host Step 7 end Return to privileged EXEC mode Step 8 copy running config startup config Save the settings in the configuration file Now you have configured MAC notification traps To receive notifications you need to further enable SNMP and set a management host For detailed SNMP configurations please refer to Configu...

Page 189: ...n the maximum number of MAC addresses in the specified VLAN is exceeded Step 3 mac address table vlan security vid vid max learn num Configure the maximum number of MAC addresses in the specified VLAN and select a mode for the switch to adopt when the maximum number is exceeded vid Specify an existing VLAN in which you want to limit the number of MAC addresses num Set the maximum number of MAC add...

Page 190: ...hen the maximum number of MAC addresses in the specified VLAN is exceeded drop Packets of new source MAC addresses in the VLAN will be dropped when the maximum number of MAC addresses in the specified VLAN is exceeded forward Packets of new source MAC addresses will be forwarded but the addresses not learned when the maximum number of MAC addresses in the specified VLAN is exceeded Step 3 end Retu...

Page 191: ...ith notifications of any new access users Figure 4 1 The Network Topology Gi1 0 1 Gi1 0 3 Gi1 0 2 R D Department VLAN 30 Marketing Department VLAN 10 Switch Internet 4 2 Configuration Scheme VLAN Security can be configured to limit the number of access users and in this way to prevent illegal accesses and MAC address attacks MAC Notification and SNMP can be configured to monitor the interface whic...

Page 192: ...ode and click Create Figure 4 2 Configuring VLAN Security 2 Choose the menu L2 FEATURES Switching MAC Address MAC Notification to load the following page Enable Global Status set notification interval as 10 seconds and click Apply Then enable new mac learned trap on port 1 0 2 and click Apply Figure 4 3 Configuring New MAC learned Traps 3 Click to save the settings 4 Enable SNMP and set a manageme...

Page 193: ... interval 10 Switch config interface gigabitEthernet 1 0 2 Switch config if mac address table notification new mac learned enable Switch config if end Switch copy running config startup config 3 Configure SNMP and set a management host For detailed SNMP configurations please refer to Configuring SNMP RMON Verify the Configurations Verify the configuration of VLAN Security Switch show mac address t...

Page 194: ...ne Dynamic Address Entries Auto learning Filtering Address Entries None Table 5 2 Default Settings of Dynamic Address Table Parameter Default Setting Auto Aging Enabled Aging Time 300 seconds Table 5 3 Default Settings of MAC Notification Parameter Default Setting Global Status Disabled Table Full Notification Disabled Notification Interval 1 Second Learned Mode Change Notification Disabled Exceed...

Page 195: ...Part 7 Configuring 802 1Q VLAN CHAPTERS 1 Overview 2 802 1Q VLAN Configuration 3 Configuration Example 4 Appendix Default Parameters ...

Page 196: ...l VLAN traffic remains within its VLAN It reduces the influence of broadcast traffic in Layer 2 network to the whole network To enhance network security Devices from different VLANs cannot achieve Layer 2 communication and thus users can group and isolate devices to enhance network security For easier management VLANs group devices logically instead of physically so devices in the same VLAN need n...

Page 197: ...802 1Q VLAN Configuration 2802 1Q VLAN Configuration To complete 802 1Q VLAN configuration follow these steps 1 Configure the VLAN including creating a VLAN and adding the desired ports to the VLAN 2 Configure port parameters for 802 1Q VLAN ...

Page 198: ...re 2 1 Configuring VLAN Follow these steps to configure VLAN 1 Enter a VLAN ID and a description for identification to create a VLAN VLAN ID Enter a VLAN ID for identification with the values between 2 and 4094 VLAN Name Give a VLAN description for identification with up to 16 characters 2 Select the untagged port s and the tagged port s respectively to add to the created VLAN based on the network...

Page 199: ...ort Valid values are from 1 to 4094 It is used mainly in the following two ways When the port receives an untagged packet the switch inserts a VLAN tag to the packet based on the PVID Ingress Checking Enable or disable Ingress Checking With this function enabled the port will accept the packet of which the VLAN ID is in the port s VLAN list and discard others With this function disabled the port w...

Page 200: ...e VLAN s for configuration Valid values are from 2 to 4094 for example 2 3 5 Step 3 name descript Optional Specify a VLAN description for identification descript The length of the description should be 1 to 16 characters Step 4 show vlan id vlan list Show the global information of the specified VLAN s When no VLAN is specified this command shows global information of all 802 1Q VLANs vlan list Spe...

Page 201: ... allowed vlan vlan list tagged untagged Add ports to the specified VLAN vlan list Specify the ID or ID list of the VLAN s that the port will be added to The ID ranges from 1 to 4094 tagged untagged Select the egress rule for the port Step 4 show interface switchport fastEthernet port gigabitEthernet port ten gigabitEthernet port port channel lag id Verify the information of the port Step 5 end Ret...

Page 202: ...erface configuration mode Step 3 switchport pvid vlan id Configure the PVID of the port s By default it is 1 vlan id The default VLAN ID of the port with the values between 1 and 4094 Step 4 switchport check ingress Enable or disable Ingress Checking With this function enabled the port will accept the packet of which the VLAN ID is in the port s VLAN list and discard others With this function disa...

Page 203: ...ace gigabitEthernet 1 0 5 Switch config if switchport pvid 2 Switch config if switchport check ingress Switch config if switchport acceptable frame all Switch config if show interface switchport gigabitEthernet 1 0 5 Port Gi1 0 5 PVID 2 Acceptable frame type All Ingress Checking Enable Member in LAG N A Link Type General Member in VLAN Vlan Name Egress rule 1 System VLAN Untagged Switch config if ...

Page 204: ...e department but not with computers in the other department 3 2 Configuration Scheme Divide computers in Department A and Department B into two VLANs respectively so that computers can communicate with each other in the same department but not with computers in the other department Terminal devices like computers usually do not support VLAN tags Add untagged ports to the corresponding VLANs and sp...

Page 205: ...s connected to port 1 0 8 on Switch 2 Figure 3 1 Network Topology VLAN 10 VLAN 20 Host A1 Host A2 Host B1 Host B2 Switch 1 Switch 2 Gi1 0 2 Gi1 0 3 Gi1 0 4 Gi1 0 6 Gi1 0 7 Gi1 0 8 Demonstrated with T2600G 28TS the following sections provide configuration procedure in two ways using the GUI and using the CLI 3 4 Using the GUI The configurations of Switch 1 and Switch 2 are similar The following int...

Page 206: ... Creating VLAN 10 for Department A 2 Choose the menu L2 FEATURES VLAN 802 1Q VLAN VLAN Config and click to load the following page Create VLAN 20 with the description of Department_B Add port 1 0 3 as an untagged port and port 1 0 4 as a tagged port to VLAN 20 Click Create ...

Page 207: ...guration Example Figure 3 3 Creating VLAN 20 for Department B 3 Choose the menu L2 FEATURES VLAN 802 1Q VLAN Port Config to load the following page Set the PVID of port 1 0 2 as 10 and click Apply Set the PVID of port 1 0 3 as 20 and click Apply ...

Page 208: ...ent A Similarly create VLAN 20 for Department B and configure the description as Department B Switch_1 configure Switch_1 config vlan 10 Switch_1 config vlan name Department A Switch_1 config vlan exit Switch_1 config vlan 20 Switch_1 config vlan name Department B Switch_1 config vlan exit 2 Add untagged port 1 0 2 and tagged port 1 0 4 to VLAN 10 Add untagged port 1 0 3 and tagged port 1 0 4 to V...

Page 209: ...erface gigabitEthernet 1 0 2 Switch_1 config if switchport pvid 10 Switch_1 config if exit Switch_1 config interface gigabitEthernet 1 0 3 Switch_1 config if switchport pvid 20 Switch_1 config if end Switch_1 copy running config startup config Verify the Configurations Verify the VLAN configuration Switch_1 show vlan VLAN Name Status Ports 1 System VLAN active Gi1 0 1 Gi1 0 2 Gi1 0 3 Gi1 0 4 Gi1 0...

Page 210: ...rify the VLAN configuration Switch_1 config show interface switchport Port LAG Type PVID Acceptable frame type Ingress Checking Gi1 0 1 N A General 1 All Enable Gi1 0 2 N A General 10 All Enable Gi1 0 3 N A General 20 All Enable Gi1 0 4 N A General 1 All Enable Gi1 0 5 N A General 1 All Enable ...

Page 211: ...ault Parameters 4Appendix Default Parameters Default settings of 802 1Q VLAN are listed in the following table Table 4 1 Default Settings of 802 1Q VLAN Parameter Default Setting VLAN ID 1 PVID 1 Ingress Checking Enabled Acceptable Frame Types Admit All ...

Page 212: ...Part 8 Configuring MAC VLAN CHAPTERS 1 Overview 2 MAC VLAN Configuration 3 Configuration Example 4 Appendix Default Parameters ...

Page 213: ...o their MAC VLANs even when their access ports change The figure below shows a common application scenario of MAC VLAN Figure 1 1 Common Application Scenario of MAC VLAN Meeting Room 1 Laptop A Laptop B Meeting Room 2 Switch 3 Switch 1 Switch 2 Server B VLAN 20 Server A VLAN 10 Two departments share all the meeting rooms in the company but use different servers and laptops Department A uses Server...

Page 214: ...nue to match the data packet with the matching rules of other VLANs such as the protocol VLAN If there is a match the switch will forward the data packet Otherwise the switch will process the data packet according to the processing rule of the 802 1 Q VLAN When the port receives a tagged data packet the switch will directly process the data packet according to the processing rule of the 802 1 Q VL...

Page 215: ... the 802 1Q VLAN that will be bound to the MAC VLAN 2 Click Create Note One MAC address can be bound to only one VLAN 2 1 3 Enabling MAC VLAN for the Port By default MAC VLAN is disabled on all ports You need to enable MAC VLAN for your desired ports manually Choose the menu L2 FEATURES VLAN MAC VLAN to load the following page Figure 2 2 Enabling MAC VLAN for the Port In the Port Enable section se...

Page 216: ... xx xx xx xx xx vlan id Enter the ID number of the 802 1Q VLAN that will be bound to the MAC VLAN descript Specify the MAC address description for identification with up to 8 characters Step 3 show mac vlan all mac address mac addr vlan vlan id Verify the configuration of MAC VLAN vid Specify the MAC VLAN to be displayed Step 4 end Return to privileged EXEC mode Step 5 copy running config startup ...

Page 217: ...nel id range port channel port channel list Enter interface configuration mode Step 3 mac vlan Enable MAC VLAN for the port Step 4 show mac vlan interface Verify the configuration of MAC VLAN on each interface Step 5 end Return to privileged EXEC mode Step 6 copy running config startup config Save the settings in the configuration file The following example shows how to enable MAC VLAN for port 1 ...

Page 218: ...twork Topology Meeting Room 1 Laptop A 00 19 56 8A 4C 71 Laptop B 00 19 56 82 3B 70 Meeting Room 2 Switch 3 Gi1 0 3 Gi1 0 2 Gi1 0 2 Gi1 0 2 Gi1 0 1 Gi1 0 1 Gi1 0 5 Gi1 0 4 Switch 1 Switch 2 Server B VLAN 20 Server A VLAN 10 3 2 Configuration Scheme You can configure MAC VLAN to meet this requirement On Switch 1 and Switch 2 bind the MAC addresses of the laptops to the corresponding VLANs respectiv...

Page 219: ...Demonstrated with T2600G 28TS the following sections provide configuration procedure in two ways using the GUI and using the CLI 3 3 Using the GUI Configurations for Switch 1 and Switch 2 The configurations of Switch 1 and Switch 2 are similar The following introductions take Switch 1 as an example 1 Choose the menu L2 FEATURES VLAN 802 1Q VLAN VLAN Config and click to load the following page Crea...

Page 220: ... Example User Guide 191 Figure 3 2 Creating VLAN 10 2 Choose the menu L2 FEATURES VLAN 802 1Q VLAN VLAN Config and click to load the following page Create VLAN 20 and add untagged port 1 0 1 and tagged port 1 0 2 to VLAN 20 Click Create ...

Page 221: ... the following page Specify the corresponding parameters and click Create to bind the MAC address of Laptop A to VLAN 10 and bind the MAC address of Laptop B to VLAN 20 Figure 3 4 Creating MAC VLAN 4 Choose the menu L2 FEATURES VLAN MAC VLAN to load the following page In the Port Enable section select port 1 0 1 and click Apply to enable MAC VLAN ...

Page 222: ...abing MAC VLAN for the Port 5 Click to save the settings Configurations for Switch 3 1 Choose the menu L2 FEATURES VLAN 802 1Q VLAN VLAN Config and click to load the following page Create VLAN 10 and add untagged port 1 0 4 and tagged ports 1 0 2 3 to VLAN 10 Click Create ...

Page 223: ...e 194 Configuring MAC VLAN Configuration Example Figure 3 6 Creating VLAN 10 2 Click Create to load the following page Create VLAN 20 and add untagged port 1 0 5 and tagged ports 1 0 2 3 to VLAN 20 Click Create ...

Page 224: ... CLI Configurations for Switch 1 and Switch 2 The configurations of Switch 1 and Switch 2 are the same The following introductions take Switch 1 as an example 1 Create VLAN 10 for Department A and create VLAN 20 for Department B Switch_1 configure Switch_1 config vlan 10 Switch_1 config vlan name deptA Switch_1 config vlan exit ...

Page 225: ... of Laptop A to VLAN 10 and bind the MAC address of Laptop B to VLAN 20 Switch_1 config mac vlan mac address 00 19 56 8A 4C 71 vlan 10 description PCA Switch_1 config mac vlan mac address 00 19 56 82 3B 70 vlan 20 description PCB Switch_1 config end Switch_1 copy running config startup config Configurations for Switch 3 1 Create VLAN 10 for Department A and create VLAN 20 for Department B Switch_3...

Page 226: ...4 Switch_3 config if switchport general allowed vlan 10 untagged Switch_3 config if exit Switch_3 config interface gigabitEthernet 1 0 5 Switch_3 config if switchport general allowed vlan 20 untagged Switch_3 config if end Switch_3 copy running config startup config Verify the Configurations Switch 1 Switch_1 show mac vlan all MAC Add Name VLAN ID 00 19 56 8A 4C 71 PCA 10 00 19 56 82 3B 70 PCB 20 ...

Page 227: ...Configuration Example Switch 3 Switch_3 show vlan VLAN Name Status Ports 1 System VLAN active Gi1 0 1 Gi1 0 2 Gi1 0 3 Gi1 0 4 Gi1 0 5 Gi1 0 6 Gi1 0 7 Gi1 0 8 10 DeptA active Gi1 0 2 Gi1 0 3 Gi1 0 4 20 DeptB active Gi1 0 2 Gi1 0 3 Gi1 0 5 ...

Page 228: ...eters User Guide 199 4Appendix Default Parameters Default settings of MAC VLAN are listed in the following table Table 4 1 Default Settings of MAC VLAN Parameter Default Setting MAC Address None Description None VLAN ID None Port Enable Disabled ...

Page 229: ...Part 9 Configuring Protocol VLAN CHAPTERS 1 Overview 2 Protocol VLAN Configuration 3 Configuration Example 4 Appendix Default Parameters ...

Page 230: ...o the corresponding VLANs Since different applications and services use different protocols network administrators can use protocol VLAN to manage the network based on specific applications and services The figure below shows a common application scenario of protocol VLAN With protocol VLAN configured Switch 2 can forward IPv4 and IPv6 packets from different VLANs to the IPv4 and IPv6 networks res...

Page 231: ...g the protocol type value of the packet If MAC VLAN is also configured the switch will first process MAC VLAN If there is a match the switch will insert the corresponding VLAN tag to the data packet and forward it within the VLAN Otherwise the switch will forward the data packet to the default VLAN based on the PVID Port VLAN ID of the receiving port When the port receives a tagged data packet the...

Page 232: ...o identify the protocol template Frame Type Select the frame type of the new protocol template Ethernet II A common Ethernet frame format Select to specify the Frame Type by entering the Ether Type SNAP An Ethernet 802 3 frame format based on IEEE 802 3 and IEEE 802 2 SNAP Select to specify the Frame Type by entering the Ether Type LLC An Ethernet 802 3 frame format based on IEEE 802 3 and IEEE 80...

Page 233: ...identify the data type of the frame 2 Click Create Note A protocol template that is bound to a VLAN cannot be deleted 2 1 3 Configuring Protocol VLAN Choose the menu L2 FEATURES VLAN Protocol VLAN Protocol VLAN Group and click to load the following page Figure 2 3 Configure the Protocol VLAN Group Follow these steps to configure the protocol group 1 In the Protocol Group Config section specify the...

Page 234: ... a protocol template Step 1 configure Enter global configuration mode Step 2 protocol vlan template name protocol name frame ether_2 ether type type snap ether type type llc dsap dsap_type ssap ssap_type Create a protocol template protocol name Specify the protocol name with 1 to 8 characters type Enter4 hexadecimal numbers as the Ethernet protocol type for the protocol template It is the Ether Ty...

Page 235: ...2 2 3 Configuring Protocol VLAN Follow these steps to configure protocol VLAN Step 1 configure Enter global configuration mode Step 2 show protocol vlan template Check the index of each protocol template Step 3 protocol vlan vlan vid priority priority template index Bind the protocol template to the VLAN vid Enter the ID number of the 802 1Q VLAN that will be bound to the Protocol VLAN priority Sp...

Page 236: ...g startup config Save the settings in the configuration file The following example shows how to bind the IPv6 protocol template to VLAN 10 and add port 1 0 2 to protocol VLAN Switch configure Switch config show protocol vlan template Index Protocol Name Protocol Type 1 IP EthernetII ether type 0800 2 ARP EthernetII ether type 0806 3 RARP EthernetII ether type 8035 4 IPX SNAP ether type 8137 5 AT S...

Page 237: ...User Guide 208 Configuring Protocol VLAN Protocol VLAN Configuration Index Protocol Name VID Priority Member 1 IPv6 10 5 Gi1 0 2 Switch config if end Switch copy running config startup config ...

Page 238: ...to VLAN 20 and these hosts access the network via Switch 1 Switch 2 is connected to two routers to access the IPv4 network and IPv6 network respectively The routers belong to VLAN 10 and VLAN 20 respectively Figure 3 1 Network Topology IPv4 Host IPv6 Host Switch 2 Gi1 0 3 VLAN 20 Gi1 0 2 VLAN 20 Gi1 0 1 VLAN 10 Gi1 0 1 Gi1 0 3 Gi1 0 2 VLAN 10 Switch 1 Router 2 Router 1 IPv4 Internet IPv6 Internet ...

Page 239: ...te provided by the switch and create the IPv6 protocol template 3 Bind the protocol templates to the corresponding VLANs to form protocol groups and add port 1 0 1 to the groups For Switch 1 configure 802 1Q VLAN according to the network topology Demonstrated with T2600G 28TS this chapter provides configuration procedures in two ways using the GUI and using the CLI ...

Page 240: ...11 3 3 Using the GUI Configurations for Switch 1 1 Choose the menu L2 FEATURES VLAN 802 1Q VLAN VLAN Config and click to load the following page Create VLAN 10 and add untagged port 1 0 1 and untagged port 1 0 3 to VLAN 10 Click Create Figure 3 2 Create VLAN 10 ...

Page 241: ... 212 Configuring Protocol VLAN Configuration Example 2 Click to load the following page Create VLAN 20 and add untagged ports 1 0 2 3 to VLAN 20 Click Create Figure 3 3 Create VLAN 20 3 Click to save the settings ...

Page 242: ...er Guide 213 Configurations for Switch 2 1 Choose the menu L2 FEATURES VLAN 802 1Q VLAN VLAN Config and click to load the following page Create VLAN 10 and add tagged port 1 0 1 and untagged port 1 0 2 to VLAN 10 Click Create Figure 3 4 Create VLAN 10 ...

Page 243: ...Guide 214 Configuring Protocol VLAN Configuration Example 2 Click to load the following page Create VLAN 20 and add tagged port 1 0 1 and untagged port 1 0 3 to VLAN 20 Click Create Figure 3 5 Create VLAN 20 ...

Page 244: ...col name select the Ethernet II frame type enter 86DD in the Ether Type field and click Create to create the IPv6 protocol template Tips The IPv4 protocol template is already provided by the switch You only need to create the IPv6 protocol template Figure 3 7 Create the IPv6 Protocol Template 5 Choose the menu L2 FEATURES VLAN Protocol VLAN Protocol VLAN Group and click to load the following page ...

Page 245: ...User Guide 216 Configuring Protocol VLAN Configuration Example Figure 3 8 Configure the IPv4 Protocol Group Figure 3 9 Configure the IPv6 Protocol Group 6 Click to save the settings ...

Page 246: ...AN 20 Switch_1 config interface gigabitEthernet 1 0 1 Switch_1 config if switchport general allowed vlan 10 untagged Switch_1 config if exit Switch_1 config interface gigabitEthernet 1 0 2 Switch_1 config if switchport general allowed vlan 20 untagged Switch_1 config if exit Switch_1 config interface gigabitEthernet 1 0 3 Switch_1 config if switchport general allowed vlan 10 20 untagged Switch_1 c...

Page 247: ...10 untagged Switch_2 config if exit Switch_2 config interface gigabitEthernet 1 0 3 Switch_2 config if switchport mode general Switch_2 config if switchport pvid 20 Switch_2 config if switchport general allowed vlan 20 untagged Switch_2 config if exit 3 Create the IPv6 protocol template Switch_2 config protocol vlan template name IPv6 frame ether_2 ether type 86dd Switch_2 config show protocol vla...

Page 248: ...ol vlan group 1 Switch_2 config if protocol vlan group 2 Switch_2 config if exit Switch_2 config end Switch_2 copy running config startup config Verify the Configurations Switch 1 Verify 802 1Q VLAN configuration Switch_1 show vlan VLAN Name Status Ports 1 System VLAN active Gi1 0 1 Gi1 0 2 Gi1 0 3 Gi1 0 4 Gi1 0 25 Gi1 0 26 Gi1 0 27 Gi1 0 28 10 IPv4 active Gi1 0 1 Gi1 0 3 20 IPv6 active Gi1 0 2 Gi...

Page 249: ...tem VLAN active Gi1 0 1 Gi1 0 2 Gi1 0 3 Gi1 0 4 Gi1 0 25 Gi1 0 26 Gi1 0 27 Gi1 0 28 10 IPv4 active Gi1 0 1 Gi1 0 2 20 IPv6 active Gi1 0 1 Gi1 0 3 Verify protocol group configuration Switch_2 show protocol vlan vlan Index Protocol Name VID Priority Member 1 IP 10 0 Gi1 0 1 2 IPv6 20 0 Gi1 0 1 ...

Page 250: ...settings of Protocol VLAN are listed in the following table Table 4 1 Default Settings of Protocol VLAN Parameter Default Setting Protocol Template Table 1 IP Ethernet II ether type 0800 2 ARP Ethernet II ether type 0806 3 RARP Ethernet II ether type 8035 4 IPX SNAP ether type 8137 5 AT SNAP ether type 809B ...

Page 251: ...Part 10 Configuring VLAN VPN CHAPTERS 1 VLAN VPN 2 Basic VLAN VPN Configuration 3 Flexible VLAN VPN Configuration 4 Configuration Examples 5 Appendix Default Parameters ...

Page 252: ...ag of the ISP network while the inner VLAN tag is treated as part of the payload When forwarding packets from the ISP network to the customer network the switch remove the outer VLAN tag of the packets Thus packets are forwarded according to the inner VLAN tag VLAN tag of the customer network in the customer network The following figure shows the typical application scenario of VLAN VPN To realize...

Page 253: ...ork Flexible VLAN VPN You can configure different VLANs in the customer network to map to different VLANs in the ISP network When the switch receives a packet with the customer network tag the switch will check the VLAN Mapping List If a match is found the switch encapsulates the packet with the corresponding VLAN tag of the ISP network and forwards it to the corresponding port If no match is foun...

Page 254: ... be recognized and forwarded by devices of other manufacturers You can go to 802 1Q VLAN section to specify the Ingress Checking feature according to your needs If the Ingress Checking is enabled the port will perform this operation first then process the packets based on the VLAN VPN configuration If Ingress Checking is disabled the port will process the packets directly based on the VLAN VPN con...

Page 255: ...VPN Port Config section select on or more ports and configure the corresponding parameters Click Apply Port Role Select the port role that will take effect in the VLAN VPN function NNI NNI ports are usually connected to the ISP network and the packets forwarded by these port have outer VLAN tags UNI UNI ports are usually connected to the customer network The outer VLAN tags will be added or remove...

Page 256: ...e is UNI Note The PVID of the UNI port should be specified as the VLAN ID of the ISP VLAN The member port of an LAG Link Aggregation Group follows the configuration of the LAG and not its own The configurations of the port can take effect only after it leaves the LAG 2 2 Using the CLI 2 2 1 Configuring 802 1Q VLAN Before configuring VLAN VPN create 802 1Q VLAN add ports to corresponding VLANs and ...

Page 257: ... Enter the IPID for the port It must be 4 Hex integers By default it is 8100 Step 6 switchport dot1q tunnel missdrop Enable the Missdrop feature This option only can take effect on tagged packets With Missdrop enabled the tagged packets that don t match the VLAN Mapping entries will be dropped By default it is disabled Note For T2600G 28TS T2600G 28MPS T2600G 28SQ T2600G 52TS Missdrop can only be ...

Page 258: ...igabitEthernet 1 0 1 Switch config if switchport dot1q tunnel mode uni Switch config if exit Switch config interface gigabitEthernet 1 0 2 Switch config if switchport dot1q tunnel mode nni Switch config if show dot1q tunnel VLAN VPN Mode Enabled Mapping Mode Disabled Switch config if show dot1q tunnel interface Port Type Tpid Use Inner Priority LAG Gi1 0 1 UNI 0x8100 Disable N A Gi1 0 2 NNI 0x8100...

Page 259: ...UNI port according to your needs The untagged packets and the tagged packets that don t the VLAN mapping entry may be added the outer VLAN tag with this PVID according to your configuration 3 1 Using the GUI Choose the menu L2 FEATURES VLAN VLAN VPN VLAN Mapping to load the following page Figure 3 1 Enable Flexible VLAN VPN Follow these steps to configure flexible VLAN VPN 1 In the Global Config s...

Page 260: ...ption Give a description to identify the VLAN Mapping 3 Click Create 3 2 Using the CLI Follow these steps to configure flexible VLAN VPN Step 1 configure Enter global configuration mode Step 2 dot1q tunnel mapping Enable VLAN mapping globally Step 3 interface fastEthernet port range fastEthernet port list gigabitEthernet port range gigabitEthernet port list ten gigabitEthernet port range ten gigab...

Page 261: ...Save the settings in the configuration file The following example shows how to enable VLAN mapping and set a VLAN mapping entry named mapping1 on port 1 0 3 to map customer network VLAN 15 to ISP network VLAN 1040 Switch configure Switch config dot1q tunnel mapping Switch config show dot1q tunnel VLAN VPN Mode Enabled Mapping Mode Enabled Switch config interface gigabitEthernet 1 0 3 Switch config...

Page 262: ...100 and VLAN 200 should be transmitted in VLAN 1050 Figure 4 1 Network Topology 4 1 2 Configuration Scheme To meet the requirement that all the traffic from VLAN 100 and VLAN 200 should be transmitted through VLAN 1050 users can configure basic VLAN VPN on Switch 1 and Switch 2 to allow packets sent with double VLAN tags and thus ensure the communication between them The general configuration proc...

Page 263: ...200 Port 1 0 3 Tagged Tagged Keep the default value 3 Configure VLAN VPN on switch 1 Set port 1 0 1 as NNI port and port 1 0 2 as UNI port configure the TPID as 0x9100 Demonstrated with T2600G 28TS this chapter provides configuration procedures in two ways using the GUI and using the CLI 4 1 3 Using the GUI Configuring Switch 1 1 Go to L2 FEATURES VLAN 802 1Q VLAN to create VLAN 100 VLAN 200 and V...

Page 264: ...Configuring VLAN VPN Configuration Examples User Guide 235 Figure 4 2 Create VLAN 100 ...

Page 265: ...User Guide 236 Configuring VLAN VPN Configuration Examples Figure 4 3 Create VLAN 200 ...

Page 266: ...FEATURES VLAN Port Config to set the PVID as 1050 for port 1 0 2 and leave the default vaule 1 for port 1 0 1 Figure 4 5 Configuring PVID 3 Go to L2 FEATURES VLAN VLAN VPN VPN Config enable VLAN VPN globally set port 1 0 1 as NNI port and port 1 0 2 as UNI port Specify the TPID of port 1 0 1 as 9100 ...

Page 267: ...ring the Ports 4 Click to save the settings Configuring Switch 3 1 Go to L2 FEATURES VLAN 802 1Q VLAN to create VLAN 100 and VLAN 200 Configure the egress rules of port 1 0 1 in VLAN 100 as Untagged egress rules of port 1 0 2 in VLAN 200 as Untagged egress rule of port 1 0 3 in VLAN 100 and VLAN 200 as Tagged ...

Page 268: ...Configuring VLAN VPN Configuration Examples User Guide 239 Figure 4 7 Creating VLAN 100 ...

Page 269: ...t Config to set the PVID as 100 for port 1 0 1 and 200 for port 1 0 2 Figure 4 9 Configuring PVID 3 Click to save the settings 4 1 4 Using the CLI The configurations of Switch 1 and Switch 2 are similar The following introductions take Switch 1 as an example 1 Create VLAN 1050 VLAN 100 and VLAN 200 Switch_1 configure ...

Page 270: ...itchport pvid1050 Switch_1 config if switchport dot1q tunnel mode nni Switch_1 config if switchport dot1q tunnel tpid 9100 Switch_1 config if exit 3 Add port 1 0 2 to VLAN 1050 as untagged port and add it to VLAN 100 and VLAN 200 as tagged port Modify PVID of the port as 1050 Set the port as the UNI port Switch_1 config interface gigabitEthernet 1 0 2 Switch_1 config if switchport general allowed ...

Page 271: ...chport general allowed vlan 100 untagged Switch_3 config if switchport pvid 100 Switch_3 config if exit Switch_3 config interface gigabitEthernet 1 0 2 Switch_3 config if switchport general allowed vlan 200 untagged Switch_3 config if switchport pvid 200 Switch_3 config if exit Switch_3 config interface gigabitEthernet 1 0 3 Switch_3 config if switchport general allowed vlan 100 200 tagged Switch_...

Page 272: ...configuration Switch_3 show interface switchport gigabitEthernet 1 0 1 Port Gi1 0 1 PVID 1050 Acceptable frame type All Ingress Checking Enable Member in LAG N A Link Type General Member in VLAN Vlan Name Egress rule 1 System VLAN Untagged 1050 SP_VLAN Tagged Switch_3 show interface switchport gigabitEthernet 1 0 2 Port Gi1 0 2 PVID 1050 Acceptable frame type All Ingress Checking Enable Member in ...

Page 273: ...adopted by the ISP network is 0x9100 The two stations need to communicate with each other through the ISP network And it is required that the traffic from VLAN 100 should be transmitted in VLAN 1050 while the traffic from VLAN 200 should be transmitted in VLAN 1060 Figure 4 10 Network Topology 4 2 2 Configuration Scheme To meet the requirement that all the traffic from VLAN 100 and VLAN 200 need t...

Page 274: ...ch 3 The parameters are shown below VLAN 100 VLAN 200 PVID Port 1 0 1 Untagged 100 Port 1 0 2 Untagged 200 Port 1 0 3 Tagged Tagged Keep the default value 3 Configure VLAN VPN on Switch 1 Set port 1 0 1 as NNI port and port 1 0 2 as UNI port configure the TPID as 0x9100 map VLAN 100 to VLAN 1050 and VLAN 200 to VLAN 1060 Demonstrated with T2600G 28TS this chapter provides configuration procedures ...

Page 275: ...User Guide 246 Configuring VLAN VPN Configuration Examples Figure 4 11 Create VLAN 100 ...

Page 276: ...Configuring VLAN VPN Configuration Examples User Guide 247 Figure 4 12 Create VLAN 200 ...

Page 277: ...User Guide 248 Configuring VLAN VPN Configuration Examples Figure 4 13 Create VLAN 1050 ...

Page 278: ...N VPN Config enable VLAN VPN globally set port 1 0 1 as NNI port and port 1 0 2 as UNI port Specify the TPID of port 1 0 1 as 9100 Figure 4 15 Enabling VLAN VPN Globally and Configuring the Ports 3 Go to L2 FEATURES VLAN VLAN VPN VLAN Mapping enable VLAN Mapping globally Then configure VLAN mapping for the UNI port 1 0 2 ...

Page 279: ...ng VLAN 200 to VLAN 1060 4 Click to save the settings Configuring Switch 3 1 Go to L2 FEATURES VLAN 802 1Q VLAN to create VLAN 100 and VLAN 200 Configure the egress rules of port 1 0 1 in VLAN 100 as Untagged egress rules of port 1 0 2 in VLAN 200 as Untagged egress rule of port 1 0 3 in VLAN 100 and VLAN 200 as Tagged ...

Page 280: ...Configuring VLAN VPN Configuration Examples User Guide 251 Figure 4 18 Creating VLAN 100 ...

Page 281: ...ng VLAN 200 2 Go to L2 FEATURES VLAN Port Config to set the PVID as 100 for port 1 0 1 and 200 for port 1 0 2 Figure 4 20 Configuring PVID 3 Click to save the settings 4 2 4 Using the CLI Configuring Switch 1 1 Create VLAN 100 VLAN 200 VLAN 1050 and VLAN 1060 Switch_1 configure ...

Page 282: ...d Switch_1 config if switchport dot1q tunnel mode nni Switch_1 config if switchport dot1q tunnel tpid 9100 Switch_1 config if exit 3 Add port 1 0 2 to VLAN 1050 and VLAN 1060 as untagged port and add it to VLAN 100 and VLAN 200 as tagged port Set the port as the UNI port Switch_1 config interface gigabitEthernet 1 0 2 Switch_1 config if switchport general allowed vlan 1050 1060 untagged Switch_1 c...

Page 283: ... 1 0 2 to VLAN 200 as untagged ports add port 1 0 3 to VLAN 100 and VLAN 200 as tagged ports Configure the PVID as 100 for port 1 0 1 and 200 for port 1 0 2 Switch_3 config interface gigabitEthernet 1 0 1 Switch_3 config if switchport general allowed vlan 100 untagged Switch_3 config if switchport pvid 100 Switch_3 config if exit Switch_3 config interface gigabitEthernet 1 0 2 Switch_3 config if s...

Page 284: ... Default Parameters Default settings of VLAN VPN are listed in the following table Table 5 1 Default Settings of VLAN VPN Parameter Default Setting Global VLAN VPN Disabled Port Role None Global TPID 0x8100 Missdrop Disabled Use Inner Priority Disabled VLAN Mapping Disabled ...

Page 285: ...Part 11 Configuring GVRP CHAPTERS 1 Overview 2 GVRP Configuration 3 Configuration Example 4 Appendix Default Parameters ...

Page 286: ... C can receive messages sent from Switch A in VLAN 10 only when the network administrator has manually created VLAN 10 on Switch B and Switch C Figure 1 1 VLAN Topology Switch A Switch B VLAN 10 Switch C The configuration may seem easy in this situation However for a larger or more complex network such manual configuration would be time consuming and fallible GVRP can be used to implement dynamic ...

Page 287: ...other ports And a port registers VLANs only when it receives GVRP messages As the messages can only be sent from one GVRP participant to another two way registration is required to configure a VLAN on all ports in a link To implement two way registration you need to manually configure the same static VLAN on both ends of the link As shown in the figure below VLAN registration from Switch A to Swit...

Page 288: ...t the desired port for GVRP configuration It is multi optional Status Enable or disable GVRP on the port By default it is disabled Registration Mode Select the GVRP registration mode for the port Normal In this mode the port can dynamically register and deregister VLANs and transmit both dynamic and static VLAN registration information Fixed In this mode the port is unable to dynamically register ...

Page 289: ...articipant will send a Leave message if it wants other participants to deregister some of its attributes The participant receiving the message starts the Leave timer If the participant does not receive any Join message of the corresponding attribute before the Leave timer expires the participant deregisters the attribute The timer ranges from 60 to 3000 centiseconds The default value is 60 centise...

Page 290: ...s to re register all its attributes After that the participant restarts the LeaveAll timer join Join timer controls the sending of Join messages A GVRP participant starts the Join timer after sending the first Join message If the participant does not receive any response it will send the second Join message when the Join timer expires to ensures that the Join message can be sent to other participa...

Page 291: ...tion value for LeaveAll Timer should be greater than or equal to ten times the Leave Timer value The value for Leave Timer should be greater than or equal to two times the Join Timer value The following example shows how to enable GVRP globally and on port 1 0 1 configure the GVRP registration mode as fixed and keep the values of timers as default Switch configure Switch config gvrp Switch config ...

Page 292: ... Switch 3 Dept A VLAN 10 Gi1 0 1 Switch 4 Dept B VLAN 20 Gi1 0 1 3 2 Configuration Scheme To reduce manual configuration and maintenance workload GVRP can be enabled to implement dynamic VLAN registration and update on the switches When configuring GVRP please note the following The two departments are in separate VLANs To make sure the switches only dynamically create the VLAN of their own depart...

Page 293: ...r Switch 3 are the same as Switch 1 and Switch 4 are the same as Switch 2 Other switches share similar configurations The following configuration procedures take Switch 1 Switch 2 and Switch 5 as examples Configurations for Switch 1 1 Choose the menu L2 FEATURES VLAN 802 1Q VLAN VLAN Config and click to load the following page Create VLAN 10 and add port 1 0 1 as a tagged port to it Click Create F...

Page 294: ...rt 1 0 1 set Status as Enable and set Registration Mode as Fixed Keep the values of the timers as default Click Apply Figure 3 3 GVRP Configuration 3 Click to save the settings Configurations for Switch 2 1 Choose the menu L2 FEATURES VLAN 802 1Q VLAN VLAN Config and click to load the following page Create VLAN 20 and add port 1 0 1 as a tagged port to it Click Create ...

Page 295: ...igure 3 4 Create VLAN 20 2 Choose the menu L2 FEATURES VLAN GVRP to load the following page Enable GVRP globally then click Apply Select port 1 0 1 set Status as Enable and set Registration Mode as Fixed Keep the values of the timers as default Click Apply ...

Page 296: ...3 Click to save the settings Configurations for Switch 5 1 Choose the menu L2 FEATURES VLAN GVRP to load the following page Enable GVRP globally then click Apply Select ports 1 0 1 3 set Status as Enable and keep the Registration Mode and the values of the timers as default Click Apply ...

Page 297: ...r switches share similar configurations The following configuration procedures take Switch 1 Switch 2 and Switch 5 as examples Configurations for Switch 1 1 Enable GVRP globally Switch_1 configure Switch_1 config gvrp 2 Create VLAN 10 Switch_1 config vlan 10 Switch_1 config vlan name Department_A Switch_1 config vlan exit 3 Add port 1 0 1 as a tagged port to VLAN 10 Enable GVRP on the port and set...

Page 298: ...nfig vlan name Department_B Switch_2 config vlan exit 3 Add port 1 0 1 as a tagged port to VLAN 20 Enable GVRP on the port and set the registration mode as Fixed Switch_2 config interface gigabitEthernet 1 0 1 Switch_2 config if switchport general allowed vlan 20 tagged Switch_2 config if gvrp Switch_2 config if gvrp registration fixed Switch_2 config if end Switch_2 copy running config startup co...

Page 299: ... configuration for port 1 0 1 Switch_1 show gvrp interface Port Status Reg Mode LeaveAll JoinIn Leave LAG Gi1 0 1 Enabled Fixed 1000 20 60 N A Gi1 0 2 Disabled Normal 1000 20 60 N A Switch 2 Verify the global GVRP configuration Switch_2 show gvrp global GVRP Global Status Enabled Verify GVRP configuration for port 1 0 1 Switch_2 show gvrp interface Port Status Reg Mode LeaveAll JoinIn Leave LAG Gi...

Page 300: ...GVRP configuration GVRP Global Status Enabled Verify GVRP configuration for ports 1 0 1 3 Switch_5 show gvrp interface Port Status Reg Mode LeaveAll JoinIn Leave LAG Gi1 0 1 Enabled Normal 1000 20 60 N A Gi1 0 2 Enabled Normal 1000 20 60 N A Gi1 0 3 Enabled Normal 1000 20 60 N A Gi1 0 4 Disabled Normal 1000 20 60 N A ...

Page 301: ... Default settings of GVRP are listed in the following tables Table 4 1 Default Settings of GVRP Parameter Default Setting Global Config GVRP Disabled Port Config Status Disabled Registration Mode Normal LeaveAll Timer 1000 centiseconds Join Timer 20 centiseconds Leave Timer 60 centiseconds ...

Page 302: ...Part 12 Configuring Private VLAN CHAPTERS 1 Overview 2 Private VLAN Configurations 3 Configuration Example 4 Appendix Default Parameters ...

Page 303: ...LAN with a primary VLAN A primary VLAN can pair with more than one secondary VLANs to compose several private VLANs In a private VLAN Layer 2 isolation can be achieved between end users with secondary VLANs while upper layer devices only need to recognize primary VLANs which solves the problem of VLAN shortage Meanwhile private VLAN resolves the conflicts triggered when users need of VLANs is diff...

Page 304: ...AN is configured on Switch B Switch A only needs to recognize primary VLAN VLAN5 and end users can be isolated by secondary VLANs VLAN2 VLAN3 and VLAN4 saving VLAN resources for Switch A Figure 1 2 Topology of Private VLAN Switch A Switch B VLAN5 VLAN2 VLAN3 VLAN4 ...

Page 305: ...igurations 2 1 Using the GUI Note If you need to create a private VLAN with existing VLANs delete all member ports of the existing VLANs before creating the private VLAN Choose the menu L2 FEATURES VLAN Private VLAN and click to load the following page Figure 2 1 Configuring Private VLAN ...

Page 306: ...romiscuous ports to be added to the VLAN The port type of up link port in a primary VLAN must be Promiscuous This type of port is used to connect upper layer devices or connect the switch with other switches The PVID of this port is its primary VLAN ID and the egress rule is untagged Host Ports Select host ports to be added to the VLAN The port type of down link port in a secondary VLAN must be Ho...

Page 307: ...VLAN type community Set the secondary VLAN type as Community Users in the same isolated VLAN cannot communicate with each other isolated Set the secondary VLAN type as Isolated Users in the same community VLAN can communicate with each other Step 7 exit Exit VLAN configuration mode Step 8 vlan vlan id Specify the primary VLAN ID and enter VLAN configuration mode Step 9 private vlan association vla...

Page 308: ...Ports 6 5 Community Switch config end Switch copy running config startup config 2 2 2 Configuring the Up link Port Follow these steps to add up link ports to Private VLAN Step 1 configure Enter global configuration mode Step 2 interface fastEthernet port range fastEthernet port list gigabitEthernet port range gigabitEthernet port list ten gigabitEthernet port range ten gigabitEthernet port list po...

Page 309: ...w information Step 7 end Return to Privileged EXEC Mode Step 8 copy running config startup config Save the settings in the configuration file Note When configuring the up link port you only need to add the port to one private VLAN and set the port type as Promiscuous The switch will automatically add the port to private VLANs with the same primary VLAN The following example shows how to configure ...

Page 310: ...secondary VLAN ID Step 4 switchport private vlan host association primary vlan id secondary vlan id vlantype Add the specified port s to the private VLAN primary vlan id Specify the ID of the primary VLAN The ID ranges from 2 to 4094 secondary vlan id Specify the ID of the secondary VLAN The ID ranges from 2 to 4094 vlantype Specify the secondary VLAN type either community or isolated Step 5 show ...

Page 311: ...ate vlan host Swtich config if switchport private vlan host association 6 5 community Switch config if exit Switch config show vlan private vlan Primary Secondary Type Ports 6 5 Community Gi1 0 3 Switch config show vlan private vlan interface gigabitEthernet 1 0 3 Port type Gi1 0 3 Host Switch config end Switch copy running config startup config ...

Page 312: ...o private VLAN This allows upper layer switch to recognize only the primary VLAN instead of all the secondary VLANs Also Company A can achieve Layer 2 isolation by using secondary VLAN Since it is required that users in the same department can communicate with each other secondary VLAN type should be configured as Community 3 3 Network Topology As shown in the following figure Switch C is the ISP ...

Page 313: ...tch A VLAN5 VLAN7 Switch C Gi1 0 3 Company A 3 4 Using the GUI Configurations for Switch A 1 Choose the menu L2 FEATURES VLAN Private VLAN and click to load the following page Create primary VLAN 6 and secondary VLAN 5 select Community as the Secondary VLAN Type Add promiscuous port 1 0 2 and host port 1 0 10 to private VLAN ...

Page 314: ...ating Primary VLAN 6 and Secondary VLAN 5 2 Choose the menu L2 FEATURES VLAN Private VLAN and click to load the following page Create primary VLAN 6 and secondary VLAN 7 select Community as the Secondary VLAN Type Add promiscuous port 1 0 2 and host port 1 0 11 to private VLAN ...

Page 315: ...e 3 3 Creating Primary VLAN 6 and Secondary VLAN 7 3 Click to save the settings Configurations for Switch C 1 Choose the menu L2 FEATURES VLAN 802 1Q VLAN VLAN Config and click to load the following page Create VLAN 6 and add untagged port 1 0 3 to VLAN 6 Click Create ...

Page 316: ...ing Private VLAN Configuration Example User Guide 287 Figure 3 4 Creating VLAN 6 2 Choose the menu L2 FEATURES VLAN 802 1Q VLAN Port Config to load the following page Set the PVID of port 1 0 3 as 6 Click Apply ...

Page 317: ... 2 Create primary VLAN 6 and secondary VLAN 5 and pair them into a private VLAN Switch_A config vlan 6 Switch_A config vlan private vlan primary Switch_A config vlan exit Switch_A config vlan 5 Switch_A config vlan private vlan community Switch_A config vlan exit Switch_A config vlan 6 Switch_A config vlan private vlan association 5 Switch_A config vlan exit 3 Create secondary VLAN 7 and pair it w...

Page 318: ... the corresponding private VLAN and configure the port type as Host Switch_A config interface gigabitEthernet 1 0 10 Switch_A config if switchport private vlan host Switch_A config if switchport private vlan host association 6 5 community Switch_A config if exit Switch_A config interface gigabitEthernet 1 0 11 Switch_A config if switchport private vlan host Switch_A config if switchport private vl...

Page 319: ...config Verify the Configurations Switch A Verify the configuration of private VLAN Switch_A show vlan private vlan Primary Secondary Type Ports 6 5 Community Gi1 0 2 1 0 10 6 7 Community Gi1 0 2 1 0 11 Verify the configuration of ports Swtich_A show vlan private vlan interface Port type Gi1 0 1 Normal Gi1 0 2 Promiscuous Gi1 0 3 Normal Gi1 0 4 Normal Gi1 0 5 Normal Gi1 0 6 Normal Gi1 0 7 Normal Gi...

Page 320: ...N Name Status Ports 1 System VLAN active Gi1 0 1 Gi1 0 2 Gi1 0 3 Gi1 0 4 Gi1 0 5 Gi1 0 6 Gi1 0 7 Gi1 0 8 Gi1 0 9 Gi1 0 10 Gi1 0 11 Gi1 0 12 Gi1 0 13 Gi1 0 14 Gi1 0 15 Gi1 0 16 Gi1 0 17 Gi1 0 18 Gi1 0 19 Gi1 0 20 Gi1 0 21 Gi1 0 22 Gi1 0 23 Gi1 0 24 Gi1 0 25 Gi1 0 26 Gi1 0 27 Gi1 0 28 6 vlan6 active Gi1 0 3 Primary Secondary Type Ports ...

Page 321: ...efault Parameters 4Appendix Default Parameters Default settings of Private VLAN are listed in the following tables Table 4 1 Default Settings of Private VLAN Parameter Default Setting Primary VLAN None Secondary VLAN None Secondary VLAN Type Community ...

Page 322: ...CHAPTERS 1 Layer 2 Multicast 2 IGMP Snooping Configuration 3 MLD Snooping Configuration 4 MVR Configuration 5 Multicast Filtering Configuration 6 Viewing Multicast Snooping Information 7 Configuration Examples 8 Appendix Default Parameters ...

Page 323: ...etwork multicast technology not only transmits data with high efficiency but also saves a large bandwidth and reduces network load In practical applications Internet information provider can provide value added services such as Online Live IPTV Distance Education Telemedicine Internet Radio and Real time Video Conferences more conveniently using multicast Layer 2 Multicast allows Layer 2 switches ...

Page 324: ...t group memberships for each attached network and a timer for each membership Normally only one device acts as querier per physical network If there are more than one multicast router in the network a querier election process will be implemented to determine which one acts as the querier Snooping Switch A snooping switch indicates a switch with IGMP Snooping enabled The switch maintains a multicas...

Page 325: ...in different VLANs Clients can dynamically join or leave the multicast VLAN without interfering with their relationships in other VLANs There are two types of MVR modes Compatible Mode In compatible mode the MVR switch does not forward report or leave messages from the hosts to the IGMP querier So the IGMP querier cannot learn the multicast groups membership information from the MVR switch You hav...

Page 326: ...y join a group Configure IGMP accounting and authentication features Note IGMP Snooping takes effect only when it is enabled globally in the corresponding VLAN and port at the same time 2 1 Using the GUI 2 1 1 Configuring IGMP Snooping Globally Choose the menu L2 FEATURES Multicast IGMP Snooping Global Config to load the following page Figure 2 1 Configure IGMP Snooping Globally Follow these steps...

Page 327: ...lly on the L2 FEATURES Multicast MLD Snooping Global Config page at the same time Header Validation Enable or disable Header Validation By default it is disabled Generally for IGMP packets the TTL value should be 1 ToS field should be 0xC0 and Router Alert option should be 0x94040000 The fields to be validated depend on the IGMP version being used IGMPv1 only checks the TTL field IGMPv2 checks the...

Page 328: ...re 2 2 Configure IGMP Snooping for VLAN Follow these steps to configure IGMP Snooping for a specific VLAN 1 Enable IGMP Snooping for the VLAN and configure the corresponding parameters VLAN ID Displays the VLAN ID IGMP Snooping Status Enable or disable IGMP Snooping for the VLAN ...

Page 329: ...message to the querier This helps to reduce bandwidth waste since the switch no longer sends the corresponding multicast streams to the VLAN of the port as soon as the port receives a leave message from the VLAN Report Suppression Enable or disable Report Suppression for the VLAN When enabled the switch will only forward the first IGMP report message for each multicast group to the IGMP querier an...

Page 330: ...ral query messages sent by the switch Maximum Response Time With IGMP Snooping Querier enabled specify the host s maximum response time to general query messages Last Member Query Interval With IGMP Snooping Querier enabled when the switch receives an IGMP leave message it obtains the address of the multicast group that the host wants to leave from the message Then the switch sends out group speci...

Page 331: ...ble Fast Leave for the port IGMPv1 does not support fast leave Fast Leave can be enabled on a per port basis or per VLAN basis When enabled on a per port basis the switch will remove the port from the corresponding multicast group of all VLANs before forwarding the leave message to the querier You should only use Fast Leave for a port when there is a single receiver connected to the port For more ...

Page 332: ...dress of the multicast group that the hosts need to join VLAN ID Specify the VLAN that the hosts are in Member Ports Select the ports that the hosts are connected to These ports will become the static member ports of the multicast group and will never age 2 Click Create 2 1 5 Configuring IGMP Accounting and Authentication Features You can enable IGMP accounting and authentication according to your...

Page 333: ... and Authentication Follow these steps to enable IGMP accounting 1 In the Global Config section enable IGMP Accounting globally Accounting Enable or disable IGMP Accounting 2 Click Apply Follow these steps to configure IGMP Authentication on ports 1 In the Port Config section select the ports and enable IGMP Authentication IGMP Authentication Enable or disable IGMP Authentication for the port 2 Cl...

Page 334: ...ps as Discard By default it is Forward Unknown multicast groups are multicast groups that do not match any of the groups announced in earlier IGMP membership reports and thus cannot be found in the multicast forwarding table of the switch Note IGMP Snooping and MLD Snooping share the setting of Unknown Multicast Groups you need to ensure MLD Snooping is enabled globally To enable MLD Snooping glob...

Page 335: ...config show ip igmp snooping IGMP Snooping Enable IGMP Version V3 Unknown Multicast Discard Header Validation Enable Switch config end Switch copy running config startup config 2 2 2 Configuring IGMP Snooping for VLANs Before configuring IGMP Snooping for VLANs set up the VLANs that the router ports and the member ports are in For details please refer to Configuring 802 1Q VLAN The switch supports...

Page 336: ... the switch receives an IGMP general query message from a port the switch adds this port to the router port list Router ports that are learned in this way are called dynamic router ports If the switch does not receive any IGMP general query message from a dynamic router port within the router port aging time the switch will no longer consider this port as a router port and delete it from the route...

Page 337: ...orwarding list of the corresponding multicast group That is if there are other receivers connecting to the switch the one sent leave message have to wait until the port ages out from the switch s forwarding list of the corresponding multicast group the maximum waiting time is decided by the Member Port Aging Time With Fast Leave enabled on a VLAN the switch will remove the Multicast Group Port VLA...

Page 338: ...values are from 10 to 300 seconds and the default value is 60 seconds ip addr Specify the source IP address of the general query messages sent by the switch It should be a unicast address By default it is 0 0 0 0 num Specify the number of group specific queries to be sent With IGMP Snooping Querier enabled when the switch receives an IGMP leave message it obtains the address of the multicast group...

Page 339: ...he maximum response time as 15 seconds the last member query interval as 2 seconds the last member query count as 3 and the general query source IP as 192 168 0 5 Switch configure Switch config ip igmp snooping vlan config 1 querier Switch config ip igmp snooping vlan config 1 querier query interval 100 Switch config ip igmp snooping vlan config 1 querier max response time 15 Switch config ip igmp...

Page 340: ... port Fast Leave can be enabled on a per port basis or per VLAN basis When enabled on a per port basis the switch will remove the port from the corresponding multicast group of all VLANs before forwarding the leave message to the querier You should only use Fast Leave for a port when there is a single receiver connected to the port For more details about Fast Leave see 2 2 2 Configuring IGMP Snoop...

Page 341: ...p 2 ip igmp snooping vlan config vlan id list static ip interface fastEthernet port list gigabitEthernet port list ten gigabitEthernet port list port channel lag list vlan id list Specify the ID or the ID list of the VLAN s ip Specify the IP address of the multicast group that the hosts want to join port list lag list Specify the ports that is connected to the hosts These ports will become static ...

Page 342: ...tting is 1812 acct port port id Specify the UDP destination port on the RADIUS server for accounting requests The default setting is 1813 Usually it is used in the 802 1X feature timeout time Specify the time interval that the switch waits for the server to reply before resending The valid values are from 1 to 9 seconds and the default setting is 5 seconds retransmit number Specify the number of t...

Page 343: ...channel port channel id range port channel port channel list Enter interface configuration mode Step 3 ip igmp snooping authentication Enable IGMP Snooping authentication for the port By default it is enabled Step 4 show ip igmp snooping interface fastEthernet port list gigabitEthernet port list ten gigabitEthernet port list port channel port channel list authentication Show the basic IGMP Snoopin...

Page 344: ... authentication on port 1 0 1 3 Switch configure Switch config interface range gigabitEhternet 1 0 1 3 Switch config if range ip igmp snooping authentication Switch config if range show ip igmp snooping interface gigabitEthernet 1 0 1 3 authentication Port IGMP Authentication Gi1 0 1 enable Gi1 0 2 enable Gi1 0 3 enable Switch config end Switch copy running config startup config ...

Page 345: ... 1 Configure MLD Snooping Globally Follow these steps to configure MLD Snooping globally 1 In the Global Config section enable MLD Snooping and configure the Unknown Multicast Groups feature globally MLD Snooping Enable or disable MLD Snooping globally Unknown Multicast Groups Configure the way in which the switch processes data that are sent to unknown multicast groups as Forward or Discard By de...

Page 346: ...bally you also need to enable MLD Snooping and configure the corresponding parameters for the VLANs that the router ports and the member ports are in Choose the menu L2 FEATURES Multicast MLD Snooping Global Config and click in your desired VLAN entry in the MLD VLAN Config section to load the following page Figure 3 2 Configure MLD Snooping for VLAN Follow these steps to configure MLD Snooping fo...

Page 347: ...ding the done message to the querier This helps to reduce bandwidth waste since the switch no longer sends the corresponding multicast streams to the VLAN of the port as soon as the port receives a done message from the VLAN Report Suppression Enable or disable Report Suppression for the VLAN When enabled the switch will only forward the first MLD report message for each multicast group to the MLD...

Page 348: ...terval between general query messages sent by the switch Maximum Response Time With MLD Snooping Querier enabled specify the host s maximum response time to general query messages Last Listener Query Interval With MLD Snooping Querier enabled when the switch receives a done message it obtains the address of the multicast group that the host wants to leave from the message Then the switch sends out...

Page 349: ... Enable or disable Fast Leave for the port Fast Leave can be enabled on a per port basis or per VLAN basis When enabled on a per port basis the switch will remove the port from the corresponding multicast group of all VLANs before forwarding the done message to the querier You should only use Fast Leave for a port when there is a single receiver connected to the port For more details about Fast Le...

Page 350: ... the static member ports of the multicast group Multicast IP Specify the IPv6 address of the multicast group that the hosts need to join VLAN ID Specify the VLAN that the hosts are in Member Ports Select the ports that the hosts are connected to These ports will become the static member ports of the multicast group and will never age 2 Click Create 3 2 Using the CLI 3 2 1 Configuring MLD Snooping ...

Page 351: ...eged EXEC mode Step 6 copy running config startup config Save the settings in the configuration file The following example shows how to enable MLD Snooping globally and the way how the switch processes multicast streams that are sent to unknown multicast groups as discard Switch configure Switch config ipv6 mld snooping Switch config ip igmp snooping Switch config ipv6 mld snooping drop unknown Sw...

Page 352: ...econds By default it is 300 seconds Once the switch receives an MLD general query message from a port the switch adds this port to the router port list Router ports that are learned in this way are called dynamic router ports If the switch does not receive any MLD general query message from a dynamic router port within the router port aging time the switch will no longer consider this port as a ro...

Page 353: ...ding list of the corresponding multicast group That is if there are other receivers connecting to the switch the one sent done message have to wait until the port ages out from the switch s forwarding list of the corresponding multicast group the maximum waiting time is decided by the Member Port Aging Time With Fast Leave enabled on a VLAN the switch will remove the Multicast Group Port VLAN entr...

Page 354: ...y messages sent by the switch ip addr Specify the source IP address of the general query messages sent by the switch It should be an IPv6 link local address num Specify the number of group specific queries to be sent With MLD Snooping Querier enabled when the switch receives a done message it obtains the address of the multicast group that the host wants to leave from the message Then the switch s...

Page 355: ...onds the last listener query count as 3 and the general query source IP as FE80 1 Switch configure Switch config ipv6 mld snooping vlan config 1 querier Switch config ipv6 mld snooping vlan config 1 querier query interval 100 Switch config ipv6 mld snooping vlan config 1 querier max response time 15 Switch config ipv6 mld snooping vlan config 1 querier last listener query interval 2 Switch config ...

Page 356: ...n a per port basis the switch will remove the port from the corresponding multicast group of all VLANs before forwarding the done message to the querier You should only use Fast Leave for a port when there is a single receiver connected to the port For more details about Fast Leave see 3 2 2 Configuring MLD Snooping for VLANs Step 5 show ipv6 mld snooping interface fastEthernet port list gigabitEt...

Page 357: ...tEthernet port list ten gigabitEthernet port list port channel lag list vlan id list Specify the ID or the ID list of the VLAN s ip Specify the IP address of the multicast group that the hosts want to join port list lag list Specify the ports that is connected to the hosts These ports will become static member ports of the group Step 3 show ipv6 mld snooping groups static Show the static MLD Snoop...

Page 358: ...onfiguring Layer 2 Multicast MLD Snooping Configuration User Guide 329 Multicast ip VLAN id Addr type Switch port ff80 1001 2 static Gi1 0 1 3 Switch config end Switch copy running config startup config ...

Page 359: ... other Both protocols can be enabled on a port at the same time When both are enabled MVR listens to the report and leave messages only for the multicast groups configured in MVR All other multicast groups are managed by IGMP Snooping 4 1 Using the GUI 4 1 1 Configuring 802 1Q VLANs Before configuring MVR create an 802 1Q VLAN as the multicast VLAN Add all source ports uplink ports that receive mu...

Page 360: ...the IGMP querier via the multicast VLAN with appropriate translation of the VLAN ID The IGMP querier can learn the multicast groups membership information through the report and leave messages and transmit the multicast streams to the switch via the multicast VLAN according to the multicast forwarding table Multicast VLAN ID Specify an existing 802 1Q VLAN as the multicast VLAN Query Response Time...

Page 361: ... Specify the IP address of the multicast groups MVR Group IP MVR Group Count Specify the start IP address and the number of contiguous series of multicast groups Multicast data sent to the address specified here will be sent to all source ports on the switch and all receiver ports that have requested to receive data from that multicast address 2 Click Create Then the added multicast groups will ap...

Page 362: ...cast group Active The MVR group is added successfully and the source port has received query messages from this multicast group Member Displays the member ports in this MVR group 4 1 4 Configuring MVR for the Port Choose the menu L2 FEATURES Multicast MVR Port Config to load the following page Figure 4 4 Configure MVR for the Port Follow these steps to add multicast groups to MVR 1 Select one or m...

Page 363: ... leave messages from the hosts Status Displays the port s status Active InVLAN The port is physically up and in one or more VLANs Active NotInVLAN The port is physically up and not in any VLAN Inactive InVLAN The port is physically down and in one or more VLANs Inactive NotInVLAN The port is physically down and not in any VLAN Fast Leave Enable or disable Fast Leave for the selected ports Only rec...

Page 364: ... compatible dynamic Configure the MVR mode as compatible or dynamic compatible In this mode the switch does not forward report or leave messages from the hosts to the IGMP querier So the IGMP querier cannot learn the multicast groups membership information from the switch You have to statically configure the IGMP querier to transmit all the required multicast streams to the switch via the multicas...

Page 365: ...ount Specify the number of the multicast groups to be added to the MVR The range is 1 to 511 Step 7 show mvr interface fastEthernet port gigabitEthernet port port channel lagid ten gigabitEthernet port members vlan vlan id Show the global MVR configuration show mvr members ip status inactive active Show the existing MVR groups ip Specify the IP address of the multicast group inactive Show all inac...

Page 366: ...et port list gigabitEthernet port range gigabitEthernet port list ten gigabitEthernet port range ten gigabitEthernet port list port channel port channel id range port channel port channel list Enter interface configuration mode Step 3 mvr Enable MVR for the port Step 4 mvr type source receiver Configure the MVR port type as receiver or source By default the port is a non MVR port If you attempt to...

Page 367: ...dress of the multicast group Step 7 show mvr interface fastEthernet port gigabitEthernet port port channel lagid ten gigabitEthernet port members vlan vlan id Show the MVR configuration show mvr members ip status inactive active Show the membership information of all MVR groups ip Specify the IP address of the multicast group inactive Show all inactive multicast group active Show all active multic...

Page 368: ...interface gigabitEtnernet 1 0 1 3 1 0 7 Port Mode Type Status Immediate Leave Gi1 0 1 Enable Receiver INACTIVE InVLAN Enable Gi1 0 2 Enable Receiver INACTIVE InVLAN Enable Gi1 0 3 Enable Receiver INACTIVE InVLAN Enable Gi1 0 7 Enable Source INACTIVE InVLAN Disable Switch config if range show mvr members MVR Group IP status Members 239 1 2 3 active Gi1 0 1 3 1 0 7 Switch config end Switch copy runn...

Page 369: ...n create multicast profiles for both IPv4 and IPv6 network With multicast profile the switch can define a blacklist or whitelist of multicast groups so as to filter multicast sources The process for creating multicast profiles for IPv4 and IPv6 are similar The following introductions take creating an IPv4 profile as an example Choose the menu L2 FEATURES Multicast Multicast Filtering IPv4 Profile ...

Page 370: ...ile ID between 1 and 999 Mode Select Permit or Deny as the filtering mode Permit Acts as a whitelist and only allows specific member ports to join specified multicast groups Deny Acts as a blacklist and prevents specific member ports from joining specific multicast groups 2 In the IP Range section click to load the following page Configure the start IP address and end IP address of the multicast g...

Page 371: ...profiles in batches and configure the number of multicast groups a port can join and the overflow action The process for configuring multicast filtering for ports in IPv4 and IPv6 are similar The following introductions take configuring multicast filtering for ports in IPv4 as an example Choose the menu L2 FEATURES Multicast Multicast Filtering IPv4 Port Config to load the following page Note For ...

Page 372: ... when the number of multicast groups the port has joined exceeds the maximum Drop Drop all subsequent membership report messages to prevent the port joining a new multicast groups Replace Replace the existing multicast group that has the lowest multicast MAC address with the new multicast group LAG Displays the LAG the port belongs to Operation Click Clear Profile to clear the binding between the ...

Page 373: ...s of the IP range Step 5 show ip igmp profile id Show the detailed IGMP profile configuration Step 6 end Return to privileged EXEC mode Step 7 copy running config startup config Save the settings in the configuration file The following example shows how to configure Profile 1 so that the switch filters multicast streams sent to 226 0 0 5 226 0 0 10 Switch configure Switch config ip igmp snooping S...

Page 374: ...ulticast IP addresses to be filtered start ip end ip Specify the start IP address and end IP address of the IP range Step 5 show ipv6 mld profile id Show the detailed MLD profile configuration Step 6 end Return to privileged EXEC mode Step 7 copy running config startup config Save the settings in the configuration file The following example shows how to configure Profile 1 so that the switch filte...

Page 375: ... groups maxgroup Configure the maximum number of multicast groups the port can join maxgroup Specify the maximum number of multicast groups the port can join Valid values are from 1 to 1000 Step 5 ip igmp snooping max groups action drop replace Specify the action towards the new multicast group when the number of multicast groups the port joined exceeds the limit drop Drop all subsequent membershi...

Page 376: ... Profile 1 Binding Port s Gi1 0 2 Switch config if show ip igmp snooping interface gigabitEthernet 1 0 2 max groups Port Max Groups Overflow Action Gi1 0 2 50 Drops Switch config end Switch copy running config startup config Binding the MLD Profile to Ports Step 1 configure Enter global configuration mode Step 2 interface fastEthernet port range fastEthernet port list gigabitEthernet port range gi...

Page 377: ...file id Show the detailed MLD profile configuration show ipv6 mld snooping interface fastEthernet port list gigabitEthernet port list ten gigabitEthernet port list port channel port channel list max groups Show the multicast group limitation on the specified port s or of all the ports Step 7 end Return to privileged EXEC mode Step 8 copy running config startup config Save the settings in the confi...

Page 378: ...t Filtering Configuration User Guide 349 Gi1 0 2 Switch config if show ipv6 mld snooping interface gigabitEthernet 1 0 2 max groups Port Max Groups Overflow Action Gi1 0 2 50 Drops Switch config end Switch copy running config startup config ...

Page 379: ...ess table shows all valid Multicast IP VLAN Port entries Multicast IP Displays the multicast source IP address VLAN ID Displays the ID of the VLAN the multicast group belongs to Source Displays the source of the multicast entry IGMP Snooping The multicast entry is learned by IGMP Snooping MVR The multicast entry is learned by MVR Type Displays how the multicast entry is generated Dynamic The entry...

Page 380: ...IPv4 multicast statistics on each port 1 To get the real time multicast statistics enable Auto Refresh or click Refresh Auto Refresh Enable or disable Auto Refresh When enabled the switch will automatically refresh the multicast statistics Refresh Interval After Auto Refresh is enabled specify the time interval for the switch to refresh the multicast statistics 2 In the Port Statistics section vie...

Page 381: ...IP address table shows all valid Multicast IP VLAN Port entries Multicast IP Displays the multicast source IP address VLAN ID Displays the ID of the VLAN the multicast group belongs to Source Displays the source of the multicast entry MLD Snooping The multicast entry is learned by IGMP Snooping Type Displays how the multicast entry is generated Dynamic The entry is dynamically learned All the memb...

Page 382: ...tistics enable Auto Refresh or click Refresh Auto Refresh Enable or disable Auto Refresh When enabled the switch will automatically refresh the multicast statistics Refresh Interval After Auto Refresh is enabled specify the time interval for the switch to refresh the multicast statistics 2 In the Port Statistics section view IPv6 multicast statistics on each port Query Packets Displays the number ...

Page 383: ...rnet port list gigabitEthernet port list ten gigabitEthernet port list packet stat Displays the packet statistics on specified ports or all ports clear ip igmp snooping statistics Clear all statistics of all IGMP packets 6 2 2 Viewing IPv6 Multicast Snooping Configurations show ipv6 mld snooping groups vlan vlan id count dynamic dynamic count static static count Displays information of specific mu...

Page 384: ...s shown in the following topology Host B Host C and Host D are connected to port 1 0 1 port 1 0 2 and port 1 0 3 respectively Port 1 0 4 is the router port connected to the multicast querier Figure 7 1 Network Topology for Basic IGMP Snooping Internet Host B Receiver Host C Receiver Host D Receiver VLAN 10 Querier Source Gi1 0 4 Gi1 0 2 Gi1 0 3 Gi1 0 1 7 1 2 Configuration Scheme Add the three memb...

Page 385: ...o ways using the GUI and using the CLI 7 1 3 Using the GUI 1 Choose the menu L2 FEATURES VLAN 802 1Q VLAN VLAN Config and click to load the following page Create VLAN 10 and add Untagged port 1 0 1 3 and Tagged port 1 0 4 to VLAN 10 Figure 7 2 Create VLAN 10 2 Choose the menu L2 FEATURES VLAN 802 1Q VLAN Port Config to load the following page Configure the PVID of port 1 0 1 4 as 10 ...

Page 386: ...lobal Config to load the following page In the Global Config section enable IGMP Snooping globally Configure the IGMP version as v3 so that the switch can process IGMP messages of all versions Then click Apply Figure 7 4 Configure IGMP Snooping Globally 4 In the IGMP VLAN Config section click in VLAN 10 to load the following page Enable IGMP Snooping for VLAN 10 ...

Page 387: ... 5 Enable IGMP Snooping in the VLAN 5 Choose the menu L2 FEATURES Multicast IGMP Snooping Port Config to load the following page Enable IGMP Snooping for ports 1 0 1 4 Figure 7 6 Enable IGMP Snooping on the Ports 6 Click to save the settings 7 1 4 Using the CLI 1 Create VLAN 10 ...

Page 388: ... if switchport general allowed vlan 10 tagged Switch config if exit 3 Set the PVID of port 1 0 1 4 as 10 Switch config interface range gigabitEthernet 1 0 1 4 Switch config if range switchport pvid 10 Switch config if range exit 4 Enable IGMP Snooping globally Switch config ip igmp snooping 5 Enable IGMP Snooping in VLAN 10 Switch config ip igmp snooping vlan config 10 6 Enable IGMP Snooping on po...

Page 389: ...Authentication Accounting Disable Enable Port Gi1 0 1 4 Enable VLAN 10 7 2 Example for Configuring MVR 7 2 1 Network Requirements Host B Host C and Host D are in three different VLANs of the switch All of them want to receive multicast streams sent to multicast group 225 1 1 1 7 2 2 Network Topology As shown in the following network topology Host B Host C and Host D are connected to port 1 0 1 por...

Page 390: ...The switch can work in either MVR compatible mode or MVR dynamic mode When in compatible mode remember to statically configure the Querier to transmit the streams of multicast group 225 1 1 1 to the switch via the multicast VLAN Here we take the MVR dynamic mode as an example Demonstrated with T2600G 28TS this section provides configuration procedures in two ways using the GUI and using the CLI 7 ...

Page 391: ...ration Examples Figure 7 8 VLAN Configurations for Port 1 0 1 3 Figure 7 9 PVID for Port 1 0 1 3 2 Choose the menu L2 FEATURES VLAN 802 1Q VLAN VLAN Config and click to load the following page Create VLAN 40 and add port 1 0 4 to the VLAN as Tagged port ...

Page 392: ...nu L2 FEATURES Multicast MVR MVR Config to load the following page Enable MVR globally and configure the MVR mode as Dynamic multicast VLAN ID as 40 Figure 7 11 Configure MVR Globally 4 Choose the menu L2 FEATURES Multicast MVR MVR Group Config and click to load the following page Add multicast group 225 1 1 1 to MVR ...

Page 393: ...ure 7 13 Configure MVR for the Ports 6 Click to save the settings 7 2 5 Using the CLI 1 Create VLAN 10 VLAN 20 VLAN 30 and VLAN 40 Switch configure Switch config vlan 10 20 30 40 Switch config vlan exit 2 Add port 1 0 1 3 to VLAN 10 VLAN 20 and VLAN 30 as untagged ports respectively and configure the PVID of port 1 0 1 as 10 port 1 0 2 as 20 port 1 0 3 as 30 Add port 1 0 4 to VLAN 40 as tagged por...

Page 394: ...ig interface gigabitEthernet 1 0 4 Switch config if switchport general allowed vlan 40 tagged Switch config if switchport pvid 40 Switch config if exit 3 Check whether port1 0 1 3 only belong to VLAN 10 VLAN 20 and VLAN 30 respectively If not delete them from the other VLANs By default all ports are in VLAN 1 so you need to delete them from VLAN 1 Switch config show vlan brief VLAN Name Status Por...

Page 395: ...fig interface range gigabitEthernet 1 0 1 3 Switch config if range mvr Switch config if range mvr type receiver Switch config if range exit Switch config interface gigabitEthernet 1 0 4 Switch config if mvr Switch config if mvr type source Switch config if exit 6 Save the settings Switch config end Switch copy running config startup config Verify the Configurations Show the brief information of al...

Page 396: ...R Mode Type Dynamic Show the membership of MVR groups Switch config show mvr members MVR Group IP Status Members 225 1 1 1 active Gi1 0 4 7 3 Example for Configuring Unknown Multicast and Fast Leave 7 3 1 Network Requirement A user experiences lag when he is changing channel on his IPTV He wants solutions to this problem As shown in the following network topology port 1 0 4 on the switch is connec...

Page 397: ...hange channel Host B sends a leave message about leaving the previous channel With Fast Leave enabled on port 1 0 2 the switch will then drop multicast data from the previous channel which ensures that Host B only receives multicast data from the new channel and that the multicast network is unimpeded Demonstrated with T2600G 28TS this section provides configuration procedures in two ways using th...

Page 398: ...and MLD Snooping share the setting of Unknown Multicast so you have to enable MLD Snooping globally on the L2 FEATURES Multicast MLD Snooping Global Config page at the same time 3 In the IGMP VLAN Config section click in VLAN 10 to load the following page Enable IGMP Snooping for VLAN 10 Figure 7 16 Enable IGMP Snooping for VLAN 10 ...

Page 399: ...oping and MLD Snooping globally Switch configure Switch config ip igmp snooping Switch config ipv6 mld snooping 2 Configure Unknown Multicast Groups as Discard globally Switch config ip igmp snooping drop unknown 3 Enable IGMP Snooping on port 1 0 2 and enable Fast Leave On port 1 0 4 enable IGMP Snooping Switch config interface gigabitEthernet 1 0 2 Switch config if ip igmp snooping Switch config...

Page 400: ...Ethernet 1 0 2 basic config Port IGMP Snooping Fast Leave Gi1 0 2 enable enable 7 4 Example for Configuring Multicast Filtering 7 4 1 Network Requirements Host B Host C and Host D are in the same subnet Host C and Host D only receive multicast data sent to 225 0 0 1 while Host B receives all multicast data except the one sent from 225 0 0 2 7 4 2 Configuration Scheme With the functions for managin...

Page 401: ...ceiver Host D Receiver VLAN 10 Querier Source Gi1 0 4 Gi1 0 2 Gi1 0 3 Gi1 0 1 Demonstrated with T2600G 28TS this section provides configuration procedures in two ways using the GUI and using the CLI 7 4 4 Using the GUI 1 Create VLAN 10 Add port 1 0 1 3 to the VLAN as untagged port and port 1 0 4 as tagged port Configure the PVID of the four ports as 10 For details refer to Configuring 802 1Q VLAN ...

Page 402: ...nfiguration Examples User Guide 373 Figure 7 19 Enable IGMP Snooping Globally 3 In the IGMP VLAN Config section click in VLAN 10 to load the following page Enable IGMP Snooping for VLAN 10 Figure 7 20 Enable IGMP Snooping for VLAN 10 ...

Page 403: ...g page Figure 7 21 Enable IGMP Snooping on the Port 5 Choose the menu L2 FEATURES Multicast Multicast Filtering IPv4 Profile and click to load the following page Create Profile 1 specify the mode as Permit bind the profile to port 1 0 2 3 and specify the filtering multicast IP address as 225 0 0 1 Then click Back to return to the IPv4 Profile Table page ...

Page 404: ...s User Guide 375 Figure 7 22 Configure Filtering Profile for Host C and Host D 6 Click again to load the following page Create Profile 2 specify the mode as Deny bind the profile to port 1 0 1 and specify the filtering multicast IP address as 225 0 0 2 ...

Page 405: ...itch config vlan name vlan10 Switch config vlan exit 2 Add port 1 0 1 3 to VLAN 10 and set the link type as untagged Add port 1 0 4 to VLAN 10 and set the link type as tagged Switch config interface range gigabitEthernet 1 0 1 3 Switch config if range switchport general allowed vlan 10 untagged Switch config if range exit Switch config interface gigabitEthernet 1 0 4 Switch config if switchport ge...

Page 406: ...ure the mode as permit and add an IP range with both start IP and end IP being 225 0 0 1 Switch config ip igmp profile 1 Switch config igmp profile permit Switch config igmp profile range 225 0 0 1 225 0 0 1 Switch config igmp profile exit 8 Bind Profile 1 to Port 1 0 2 and Port 1 10 3 Switch config interface range gigabitEthernet 1 0 2 3 Switch config if range ip igmp filter 1 Switch config if ra...

Page 407: ...rify the Configurations Show global settings of IGMP Snooping Switch config show ip igmp snooping IGMP Snooping Enable IGMP Version V3 Enable Port Gi1 0 1 4 Enable VLAN 10 Show all profile bindings Switch config show ip igmp profile IGMP Profile 1 permit range 225 0 0 1 225 0 0 1 Binding Port s Gi1 0 2 3 IGMP Profile 2 deny range 225 0 0 2 225 0 0 2 Binding Port s Gi1 0 1 ...

Page 408: ...Validation Disabled IGMP Snooping Settings in the VLAN IGMP Snooping Disabled Fast Leave Disabled Report Suppression Disabled Member Port Aging Time 260 seconds Router Port Aging Time 300 seconds Leave Time 1 second IGMP Snooping Querier Disabled Query Interval 60 seconds Maximum Response Time 10 seconds Last Member Query Interval 1 second Last Member Query Count 2 General Query Source IP 0 0 0 0 ...

Page 409: ...l Settings of IGMP Snooping MLD Snooping Disabled Unknown Multicast Groups Forward MLD Snooping Settings in the VLAN MLD Snooping Disabled Fast Leave Disabled Report Suppression Disabled Member Port Aging Time 260 seconds Router Port Aging Time 300 seconds Leave Time 1 second MLD Snooping Querier Disabled Query Interval 60 seconds Maximum Response Time 10 seconds Last Listener Query Interval 1 sec...

Page 410: ...uery Response Time 5 tenths of a second Maximum Multicast Groups 256 MVR Group Settings MVR Group Entries None MVR Settings on the Port MVR Mode Disabled MVR Port Type None Fast Leave Disabled MVR Static Group Members MVR Static Group Member Entries None 8 4 Default Parameters for Multicast Filtering Table 8 4 Default Parameters of Multicast Filtering Function Parameter Default Setting Profile Set...

Page 411: ...Part 14 Configuring Spanning Tree CHAPTERS 1 Spanning Tree 2 STP RSTP Configurations 3 MSTP Configurations 4 STP Security Configurations 5 Configuration Example for MSTP 6 Appendix Default Parameters ...

Page 412: ...n STP RSTP RSTP Rapid Spanning Tree Protocol provides the same features as STP Besides RSTP can provide much faster spanning tree convergence MSTP MSTP Multiple Spanning Tree Protocol also provides the fast spanning tree convergence as RSTP In addition MSTP enables VLANs to be mapped to different spanning trees MST instances and traffic in different VLANs will be transmitted along their respective...

Page 413: ...ess The priority is allowed to be configured manually on the switch and the switch with the lowest priority value will be elected as the root bridge If the priority of the switches are the same the switch with the smallest MAC address will be selected as the root bridge Port Role Root Port The root port is selected on non root bridge that can provide the lowest root path cost There is only one roo...

Page 414: ...d port with spanning tree function enabled Port Status Generally in STP the port status includes Blocking Listening Learning Forwarding and Disabled Blocking In this status the port receives and sends BPDUs The other packets are dropped Listening In this status the port receives and sends BPDUs The other packets are dropped Learning In this status the port receives and sends BPDUs It also receives...

Page 415: ...ted In this status the port is enabled with spanning tree function but not connected to any device Path Cost The path cost reflects the link speed of the port The smaller the value the higher link speed the port has The path cost can be manually configured on each port If not the path cost values are automatically calculated according to the link speed as shown below Table 1 1 The Default Path Cos...

Page 416: ...share these information to help determine the spanning tree topology 1 2 2 MSTP Concepts MSTP compatible with STP and RSTP has the same basic elements used in STP and RSTP Based on the networking topology this section will introduce some concepts only used in MSTP Figure 1 3 MSTP Topology region 1 region 3 region 4 CST IST Blocked Port region 2 MST Region An MST region consists of multiple interco...

Page 417: ...n be mapped to a same instance but one VLAN can be mapped to only one instance As Figure 1 4 shows VLAN 3 is mapped to instance 1 VLAN 4 and VLAN 5 are mapped to instance 2 the other VLANs are mapped to the IST IST The Internal Spanning Tree IST which is a special MST instance with an instance ID 0 By default all the VLANs are mapped to IST CST The Common Spanning Tree CST that is the spanning tre...

Page 418: ... along high speed links may be lead to low speed links With root protect function enabled when the port receives higher priority BDPUs it will temporarily transit to blocking state After two times of forward delay if the port does not receive any higher priority BDPUs it will transit to its normal state BPDU Protect BPDU Protect function is used to prevent the port from receiving BPUDs It is recom...

Page 419: ...ceiving TC BPDUs the packets used to announce changes in the network topology If a user maliciously sends a large number of TC BPDUs to a switch in a short period the switch will be busy with removing MAC address entries which may decrease the performance and stability of the network With TC protect function enabled if the number of the received TC BPDUs exceeds the maximum number you set in the T...

Page 420: ...fore configuring the spanning tree it s necessary to make clear the role that each switch plays in a spanning tree To avoid any possible network flapping caused by STP RSTP parameter changes it is recommended to enable STP RSTP function globally after configuring the relevant parameters 2 1 Using the GUI 2 1 1 Configuring STP RSTP Parameters on Ports Choose the menu L2 FEATURES Spanning Tree Port ...

Page 421: ... cost The default setting is Auto which means the port calculates the internal path cost automatically according to the port s link speed This parameter is only used in MSTP and you need not to configure it if the spanning tree mode is STP RSTP For MSTP internal path cost is used to calculate the path cost in IST The port with the lowest root path cost will be elected as the root port of the switc...

Page 422: ... is used to communicate with the root bridge Designated Port Indicates that the port is the designated port in the spanning tree It has the lowest path cost from the root bridge to this physical network segment and is used to forward data for the corresponding network segment Alternate Port Indicates that the port is the alternate port in the spanning tree It is the backup of the root port or mast...

Page 423: ...gher priority will be elected as the root bridge in CIST Hello Time Specify the interval between BPDUs sending The default value is 2 The root bridge sends configuration BPDUs at an interval of Hello Time It works with the MAX Age to test the link failures and maintain the spanning tree Max Age Specify the maximum time that the switch can wait without receiving a BPDU before attempting to regenera...

Page 424: ... sure that Hello Time Forward Delay and Max Age conform to the following formulas 2 Hello Time 1 Max Age 2 Forward Delay 1 Max Age 2 In the Global Config section enable spanning tree function choose the STP mode as STP RSTP and click Apply Spanning Tree Check the box to enable the spanning tree function globally Mode Select the desired spanning tree mode as STP RSTP on the switch By default it s S...

Page 425: ...Displays the bridge ID of the local bridge The local bridge is the current switch Root Bridge Displays the bridge ID of the root bridge External Path Cost Displays the root path cost from the switch to the root bridge Regional Root Bridge It is the root bridge of IST It is not displayed when you choose the spanning tree mode as STP RSTP Internal Path Cost The internal path cost is the root path co...

Page 426: ...s the topology has changed 2 2 Using the CLI 2 2 1 Configuring STP RSTP Parameters on Ports Follow these steps to configure STP RSTP parameters on ports Step 1 configure Enter global configuration mode Step 2 interface fastEthernet port range fastEthernet port list gigabitEthernet port range gigabitEthernet port list ten gigabitEthernet port range ten gigabitEthernet port list port channel port ch...

Page 427: ...dge ports point to point auto open close Select the status of the P2P Point to Point link to which the ports are connected During the regeneration of the spanning tree if the port of P2P link is elected as the root port or the designated port it can transit its state to forwarding directly Auto indicates that the switch automatically checks if the port is connected to a P2P link then sets the stat...

Page 428: ... config startup config 2 2 2 Configuring Global STP RSTP Parameters Follow these steps to configure global STP RSTP parameters of the switch Step 1 configure Enter global configuration mode Step 2 spanning tree priority pri Configure the priority of the switch pri Specify the priority for the switch The valid value is from 0 to 61440 which are divisible by 4096 The priority is a parameter used to ...

Page 429: ...t works with the MAX Age to test the link failures and maintain the spanning tree max age Specify the value of Max Age It is the maximum time that the switch can wait without receiving a BPDU before attempting to regenerate a new spanning tree The valid values are from 6 to 40 in seconds and the default value is 20 Step 4 spanning tree hold count value Specify the maximum number of BPDU that can b...

Page 430: ...on globally Step 1 configure Enter global configuration mode Step 2 spanning tree mode stp rstp Configure the spanning tree mode as STP RSTP stp Specify the spanning tree mode as STP rstp Specify the spanning tree mode as RSTP Step 3 spanning tree Enable spanning tree function globally Step 4 show spanning tree active Optional View the active information of STP RSTP Step 5 end Return to privileged...

Page 431: ...0a eb 13 12 ba Local bridge is the root bridge Designated Bridge Priority 32768 Address 00 0a eb 13 12 ba Local Bridge Priority 32768 Address 00 0a eb 13 12 ba Interface State Prio Ext Cost Int Cost Edge P2p Mode Gi1 0 16 Enable 128 200000 200000 No Yes auto Rstp Gi1 0 18 Enable 128 200000 200000 No Yes auto Rstp Gi1 0 20 Enable 128 200000 200000 No Yes auto Rstp Role Status LAG Desg Fwd N A Desg ...

Page 432: ...idelines Before configuring the spanning tree it s necessary to make clear the role that each switch plays in a spanning tree To avoid any possible network flapping caused by MSTP parameter changes it is recommended to enable MSTP function globally after configuring the relevant parameter 3 1 Using the GUI 3 1 1 Configuring Parameters on Ports in CIST Choose the menu L2 FEATURES Spanning Tree Port...

Page 433: ...P RSTP external path cost indicates the path cost of the port in spanning tree The port with the lowest root path cost will be elected as the root port of the switch For MSTP external path cost indicates the path cost of the port in CST Int Path Cost Enter the value of the internal path cost The valid values are from 0 to 2000000 The default setting is Auto which means the port calculates the inte...

Page 434: ...e effect only once after that the MCheck status of the port will switch to Disabled Port Mode Displays the spanning tree mode of the port STP The spanning tree mode of the port is STP RSTP The spanning tree mode of the port is RSTP MSTP The spanning tree mode of the port is MSTP Port Role Displays the role that the port plays in the spanning tree Root Port Indicates that the port is the root port ...

Page 435: ...mapping of the switch The switches with the same region name the same revision level and the same VLAN Instance mapping are considered as in the same region Besides configure the priority of the switch the priority and path cost of ports in the desired instance Configuring the Region Name and Revision Level Choose the menu L2 FEATURES Spanning Tree MSTP Instance Region Config to load the following...

Page 436: ...lick Add and enter the instance ID Priority and corresponding VLAN ID Figure 3 4 Configuring the Instance Instance ID Enter the corresponding instance ID Priority Specify the priority for the switch in the corresponding instance The value should be an integral multiple of 4096 ranging from 0 to 61440 It is used to determine the root bridge for the instance Switches with a lower value have higher p...

Page 437: ...ct the desired unit or LAGs for configuration Priority Specify the Priority for the port in the corresponding instance The value should be an integral multiple of 16 ranging from 0 to 240 The port with lower value has the higher priority When the root path of the port is the same as other ports the switch will compare the port priorities between these ports and select a root port with the highest ...

Page 438: ...ackup of the root port or master port Backup Port Indicates that the port is the backup port in the desired instance It is the backup of the designated port Master Port Indicates the port provides the lowest root path cost from the region to the root bridge in CIST In CIST each region is regarded as a switch and the master port is the root port of the corresponding region Disabled Indicates that t...

Page 439: ...th the lower value has the higher priority In STP RSTP CIST priority is the priority of the switch in spanning tree The switch with the highest priority will be elected as the root bridge In MSTP CISP priority is the priority of the switch in CIST The switch with the higher priority will be elected as the root bridge in CIST Hello Time Specify the interval between BPDUs sending The default value i...

Page 440: ...d generates BPDUs with the new value When the hop reaches zero the switch will discard the BPDU This value can control the scale of the spanning tree in the MST region Note Max Hops is a parameter configured in MSTP You need not configure it if the spanning tree mode is STP RSTP Note To prevent frequent network flapping make sure that Hello Time Forward Delay and Max Age conform to the following f...

Page 441: ...ary section shows the summary information of CIST Spanning Tree Displays the status of the spanning tree function Spanning Tree Mode Displays the spanning tree mode Local Bridge Displays the bridge ID of the local switch The local bridge is the current switch Root Bridge Displays the bridge ID of the root bridge in CIST External Path Cost Displays the external path cost It is the root path cost fr...

Page 442: ...rent switch Regional Root Bridge Displays the bridge ID of the root bridge in the desired instance Internal Path Cost Displays the internal path cost It is the root path cost from the current switch to the regional root bridge Designated Bridge Displays the bridge ID of the designated bridge in the desired instance Root Port Displays the root port of the desired instance Latest TC Time Displays th...

Page 443: ... parameter is only used in MSTP For MSTP internal path cost is used to calculate the path cost in IST The port with the lowest root path cost will be elected as the root port of the switch in IST portfast enable disable Enable to set the port as an edge port By default it is disabled When the topology is changed the edge port can transit its state from blocking to forwarding directly For the quick...

Page 444: ...Step 8 copy running config startup config Save the settings in the configuration file This example shows how to enable spanning tree function for port 1 0 3 and configure the port priority as 32 Switch configure Switch config interface gigabitEthernet 1 0 3 Switch config if spanning tree Switch config if spanning tree common config port priority 32 Switch config if show spanning tree interface gig...

Page 445: ...nfiguration Enter MST configuration mode as to configure the VLAN Instance mapping region name and revision level Step 4 name name Configure the region name of the region name Specify the region name used to identify an MST region The valid values are from 1 to 32 characters Step 5 revision revision Configure the revision level of the region revision Specify the revision level of the region The va...

Page 446: ...stance 5 vlan 2 6 Switch config mst show spanning tree mst configuration Region Name R1 Revision 100 MST Instance Vlans Mapped 0 1 7 4094 5 2 6 Switch config mst end Switch copy running config startup config Configuring the Parameters on Ports in Instance Follow these steps to configure the priority and path cost of ports in the specified instance Step 1 configure Enter global configuration mode S...

Page 447: ... port with the lowest root path cost will be elected as the root port of the switch Step 4 show spanning tree mst configuration digest instance instance id interface fastEthernet port gigabitEthernet port port channel lagid ten gigabitEthernet port Optional View the related information of MSTP Instance digest Specify to display the digest calculated by instance vlan map instance id Specify the Ins...

Page 448: ...onfigure the Forward Delay Hello Time and Max Age forward time Specify the value of Forward Delay It is the interval between the port state transition from listening to learning The valid values are from 4 to 30 in seconds and the default value is 15 Forward Delay is used to prevent the network from causing temporary loops during the regeneration of spanning tree The interval between the port stat...

Page 449: ...he switch Step 7 end Return to privileged EXEC mode Step 8 copy running config startup config Save the settings in the configuration file Note To prevent frequent network flapping make sure that Hello Time Forward Delay and Max Age conform to the following formulas 2 Hello Time 1 Max Age 2 Forward Delay 1 Max Age This example shows how to configure the CIST priority as 36864 the Forward Delay as 1...

Page 450: ...onal View the active information of MSTP Step 5 end Return to privileged EXEC mode Step 6 copy running config startup config Save the settings in the configuration file This example shows how to configure the spanning tree mode as MSTP and enable spanning tree function globally Switch configure Switch config spanning tree mode mstp Switch config spanning tree Switch config show spanning tree activ...

Page 451: ...ge P2p Mode Role Status Gi 0 16 Enable 128 200000 200000 No Yes auto Mstp Altn Blk Gi 0 20 Enable 128 200000 200000 No Yes auto Mstp Root Fwd MST Instance 1 Root Bridge Priority 32768 Address 00 0a eb 13 12 ba Local bridge is the root bridge Designated Bridge Priority 32768 Address 00 0a eb 13 12 ba Local Bridge Priority 32768 Address 00 0a eb 13 12 ba Interface Prio Cost Role Status Gi 0 16 128 2...

Page 452: ...UNIT Select the desired unit or LAGs for configuration Loop Protect Enable or disable Loop Protect It is recommended to enable this function on root ports and alternate ports When there are link congestions or link failures in the network the switch will not receive BPDUs from the upstream device in time Loop Protect is used to avoid loop caused by the recalculation in this situation With Loop Pro...

Page 453: ...the TC BPDUs together after receiving the first TC BPDU then it will restart timing BPDU Protect Enable or disable the BPDU Protect function It is recommended to enable this function on edge ports Edge ports in spanning tree are used to connect to the end devices and it doesn t receive BPDUs in the normal situation If edge ports receive BPDUs it may be an attack BPDU Protect is used to protect the...

Page 454: ...port will temporarily transit to blocking state when it receives higher priority BDPUs After two forward delays if the port does not receive any other higher priority BDPUs it will transit to its normal state Step 5 spanning tree guard tc Optional Enable the TC Guard function It is recommended to enable this function on the ports of non root switches TC Guard function is used to prevent the switch...

Page 455: ...ify the port number lagid Specify the ID of the LAG Step 10 end Return to privileged EXEC mode Step 11 copy running config startup config Save the settings in the configuration file This example shows how to enable Loop Protect Root Protect BPDU Filter and BPDU Protect functions on port 1 0 3 Switch configure Switch config interface gigabitEthernet 1 0 3 Switch config if spanning tree guard loop S...

Page 456: ... the switches is 100Mb s the default path cost of the port is 200000 It is required that traffic in VLAN 101 VLAN 103 and traffic in VLAN 104 VLAN 106 should be transmitted along different paths Figure 5 1 Network Topology Switch A MAC 00 0A EB 13 23 97 Switch B MAC 00 0A EB 13 12 97 Switch C MAC 3C 46 D8 9D 88 F7 Gi1 0 2 Gi1 0 2 Gi1 0 2 Gi1 0 1 Gi1 0 1 Gi1 0 1 2 0 0 0 0 0 200000 2 0 0 0 0 0 5 2 C...

Page 457: ...configure the priority of Switch C as 0 to set it as the root bridge in instance 2 5 Configure the path cost to block the specified ports For instance 1 set the path cost of port 1 0 1 of Switch A to be greater than the default path cost 200000 for instance 2 set the path cost of port 1 0 2 of Switch B to be greater than the default path cost 200000 After this configuration port 1 0 2 of Switch A ...

Page 458: ...rt Config to load the following page Enable spanning tree function on port 1 0 1 and port 1 0 2 Here we leave the values of the other parameters as default settings Click Apply Figure 5 4 Enable Spanning Tree Function on Ports 3 Choose the menu L2 FEATURES Spanning Tree MSTP Instance Region Config to load the following page Set the region name as 1 and the revision level as 100 Click Apply ...

Page 459: ...LAN103 to instance 1 and set the priority as 32768 map VLAN104 VLAN106 to instance 2 and set the priority as 32768 Click Create Figure 5 6 Configuring the VLAN Instance Mapping 5 Choose the menu L2 FEATURES Spanning Tree MSTP Instance Instance Port Config to load the following page Set the path cost of port 1 0 1 in instance 1 as 300000 so that port 1 0 1 of switch C can be selected as the designa...

Page 460: ... Config to load the following page Enable MSTP function globally here we leave the values of the other global parameters as default settings Click Apply Figure 5 8 Configure the Global MSTP Parameters of the Switch 2 Choose the menu L2 FEATURES Spanning Tree STP Config Port Config to load the following page Enable the spanning tree function on port 1 0 1 and port 1 0 2 Here we leave the values of ...

Page 461: ...ig to load the following page Set the region name as 1 and the revision level as 100 Click Apply Figure 5 10 Configuring the Region 4 Choose the menu L2 FEATURES Spanning Tree MSTP Instance Instance Config Map VLAN101 VLAN103 to instance 1 and set the Priority as 0 map VLAN104 VLAN106 to instance 2 and set the priority as 32768 Click Create Figure 5 11 Configuring the VLAN Instance Mapping ...

Page 462: ... 0 1 of switch A can be selected as the designated port Figure 5 12 Configure the Path Cost of Port 1 0 2 in Instance 2 6 Click to save the settings Configurations for Switch C 1 Choose the menu L2 FEATURES Spanning Tree STP Config STP Config to load the following page Enable MSTP function globally here we leave the values of the other global parameters as default settings Click Apply Figure 5 13 ...

Page 463: ...able Spanning Tree Function on Ports 3 Choose the menu Spanning Tree MSTP Instance Region Config to load the following page Set the region name as 1 and the revision level as 100 Click Apply Figure 5 15 Configuring the Region 4 Choose the menu L2 FEATURES Spanning Tree MSTP Instance Instance Config Click Add map VLAN101 VLAN103 to instance 1 and set the priority as 32768 map VLAN104 VLAN106 to ins...

Page 464: ...e mst instance 1 cost 300000 Switch config if exit Switch config interface gigabitEthernet 1 0 2 Switch config if spanning tree Switch config if exit 3 Configure the region name as 1 the revision number as 100 map VLAN101 VLAN103 to instance 1 map VLAN104 VLAN106 to instance 2 Switch config spanning tree mst configuration Switch config mst name 1 Switch config mst revision 100 Switch config mst in...

Page 465: ...re the priority of Switch B in instance 1 as 0 to set it as the root bridge in instance 1 Switch config spanning tree mst configuration Switch config mst name 1 Switch config mst revision 100 Switch config mst instance 1 vlan 101 103 Switch config mst instance 2 vlan 104 106 Switch config mst exit Switch config spanning tree mst instance 1 priority 0 Switch config end Switch copy running config st...

Page 466: ...ig mst revision 100 Switch config mst instance 1 vlan 101 103 Switch config mst instance 2 vlan 104 106 Switch config mst exit Switch config spanning tree mst instance 2 priority 0 Switch config end Switch copy running config startup config Verify the Configurations Switch A Verify the configurations of Switch A in instance 1 Switch config show spanning tree mst instance 1 MST Instance 1 Root Brid...

Page 467: ...T Instance 2 Root Bridge Priority 0 Address 3c 46 d8 9d 88 f7 Internal Cost 200000 Root Port 2 Designated Bridge Priority 0 Address 3c 46 d8 9d 88 f7 Local Bridge Priority 32768 Address 00 0a eb 13 23 97 Interface Prio Cost Role Status LAG Gi1 0 1 128 200000 Desg Fwd N A Gi1 0 2 128 200000 Root Fwd N A Switch B Verify the configurations of Switch B in instance 1 Switch config show spanning tree ms...

Page 468: ... 0 1 128 200000 Desg Fwd Gi1 0 2 128 200000 Desg Fwd Verify the configurations of Switch B in instance 2 Switch config show spanning tree mst instance 2 MST Instance 2 Root Bridge Priority 0 Address 3c 46 d8 9d 88 f7 Internal Cost 400000 Root Port 2 Designated Bridge Priority 0 Address 3c 46 d8 9d 88 f7 Local Bridge Priority 32768 Address 00 0a eb 13 12 ba Interface Prio Cost Role Status Gi1 0 1 1...

Page 469: ...000 Root Port 2 Designated Bridge Priority 0 Address 00 0a eb 13 12 ba Local Bridge Priority 32768 Address 3c 46 d8 9d 88 f7 Interface Prio Cost Role Status Gi1 0 1 128 200000 Desg Fwd Gi1 0 2 128 200000 Root Fwd Verify the configurations of Switch C in instance 2 Switch config show spanning tree mst instance 2 MST Instance 2 Root Bridge Priority 0 Address 3c 46 d8 9d 88 f7 Local bridge is the roo...

Page 470: ...iguring Spanning Tree Configuration Example for MSTP User Guide 441 Local Bridge Priority 0 Address 3c 46 d8 9d 88 f7 Interface Prio Cost Role Status Gi1 0 1 128 200000 Desg Fwd Gi1 0 2 128 200000 Desg Fwd ...

Page 471: ...Setting Spanning tree Disabled Mode STP CIST Priority 32768 Hello Time 2 seconds Max Age 20 seconds Forward Delay 15 seconds Tx Hold Count 5 pps Max Hops 20 hops Table 6 2 Default Settings of the Port Parameters Parameter Default Setting Status Disabled Priority 128 Ext Path Cost Auto In Path Cost Auto Edge Port Disabled P2P Link Auto MCheck Table 6 3 Default Settings of the MSTP Instance Paramete...

Page 472: ...arameter Default Setting Priority 32768 Port Priority 128 Path Cost Auto Table 6 4 Default Settings of the STP Security Parameter Default Setting Loop Protect Disabled Root Protect Disabled TC Guard Disabled BPDU Protect Disabled BPDU Filter Disabled BPDU Forward Enabled ...

Page 473: ...Part 15 Configuring LLDP CHAPTERS 1 LLDP 2 LLDP Configurations 3 LLDP MED Configurations 4 Viewing LLDP Settings 5 Viewing LLDP MED Settings 6 Configuration Examples 7 Appendix Default Parameters ...

Page 474: ...otocol to allow VoIP device to access the network VoIP devices can use LLDP MED for auto configuration to minimize the configuration effort 1 2 Supported Features The switch supports LLDP and LLDP MED LLDP allows the local device to encapsulate its management address device ID interface ID and other information into a LLDPDU Link Layer Discovery Protocol Data Unit and periodically advertise this L...

Page 475: ...configure LLDP function follow the steps 1 Configure the LLDP feature globally 2 Configure the LLDP feature for the port 2 1 Using the GUI 2 1 1 Configuring LLDP Globally Choose the L2 FEATURES LLDP LLDP Config Global Config to load the following page Figure 2 1 Global Config ...

Page 476: ...ice waits before sending another LLDP packet to its neighbor When the local information changes the local device will send LLDP packets to inform its neighbors If frequent changes occur to the local device LLDP packets will flood After specifying a transmit delay time the local device will wait for a delay time to send LLDP packets when changes occur to avoid frequent LLDP packet forwarding The de...

Page 477: ...rt transmits LLDP packets and receives LLDP packets Rx_Only The port only receives LLDP packets Tx_Only The port only transmits LLDP packets Disable The port will not transmit LLDP packets or drop the received LLDP packets Notification Mode Optional Enable the switch to send trap messages to the NMS when the information of the neighbor device connected to this port changes Management Address Speci...

Page 478: ... to advertise the name of the VLAN which the port is in LA Used to advertise whether the link is capable of being aggregated whether the link is currently in an aggregation and the port ID when it is in an aggregation PS Used to advertise the port s attributes including the duplex and bit rate capability of the sending IEEE 802 3 LAN node that is connected to the physical medium the current duplex...

Page 479: ...er the interval between successive LLDP packets that are periodically sent from the local device to its neighbors tx delay Specify the amount of time that the local device waits before sending another LLDP packet to its neighbors The default is 2 seconds reinit delay Specify the amount of time that the local device waits before sending another LLDP packet to its neighbors The default is 2 seconds ...

Page 480: ...ure Enter global configuration mode Step 2 interface fastEthernet port range fastEthernet port list gigabitEthernet port range gigabitEthernet port list ten gigabitEthernet port range ten gigabitEthernet port list Enter interface configuration mode Step 3 lldp receive Optional Set the mode for the port to receive LLDP packets It is enabled by default Step 4 lldp transmit Optional Set the mode for ...

Page 481: ...mit LLDP packets its notification mode is enabled and the outgoing LLDP packets include all TLVs Switch configure Switch config lldp Switch config interface gigabitEthernet 1 0 1 Switch config if lldp receive Switch config if lldp transmit Switch config if lldp snmp trap Switch config if lldp tlv select all Switch config if show lldp interface gigabitEthernet 1 0 1 LLDP interface config gigabitEth...

Page 482: ...Configuring LLDP LLDP Configurations User Guide 453 Link Aggregation Yes MAC Physic Yes Max Frame Size Yes Power Yes Switch config if end Switch copy running config startup config ...

Page 483: ... Enable LLDP globally and configure the LLDP parametres for the ports For the details of LLDP configuration refer to LLDP Configuration 3 1 1 Configuring LLDP MED Globally Choose the menu L2 FEATURES LLDP LLDP MED Config Global Config to load the following page Figure 3 1 LLDP MED Parameters Config Configure the Fast Start Count and view the current device class Click Apply Fast Start Repeat Count...

Page 484: ... Ports Choose the menu L2 FEATURES LLDP LLDP MED Config Port Config to load the following page Figure 3 2 LLDP MED Port Config Follow these steps to enable LLDP MED 1 Select the desired port and enable LLDP MED Click Apply 2 Click Detail to enter the following page Configure the TLVs included in the outgoing LLDP packets If Location Identification is selected you need configure the Emergency Numbe...

Page 485: ...ndpoint device in the Location Identification Parameters section Extended Power Via MDI Used to advertise the detailed PoE information including power supply priority and supply status between LLDP MED Endpoint devices and Network Connectivity devices Inventory Used to advertise the inventory information The Inventory TLV set contains seven basic Inventory management TLVs that is Hardware Revision...

Page 486: ...fast count count Optional Specify the number of successive LLDP MED frames that the local device sends when fast start mechanism is activated When the fast start mechanism is activated the local device will send the specified number of LLDP packets carrying LLDP MED information count The valid value are from 1 to 10 The default is 4 Step 4 show lldp Display the LLDP information Step 5 end Return t...

Page 487: ...nagement all Optional Configure the LLDP MED TLVs included in the outgoing LLDP packets By default the outgoing LLDP packets include all TLVs If LLDP MED Location TLV is selected configure the parameters as follows lldp med location emergency number identifier civic address language language province state province state lci county name county lci city city street street house number house number ...

Page 488: ...ldp Switch config lldp med fast count 4 Switch config interface gigabitEthernet 1 0 1 Switch config if lldp med status Switch config if lldp med tlv select all Switch config if show lldp interface gigabitEthernet 1 0 1 LLDP interface config gigabitEthernet 1 0 1 Admin Status TxRx SNMP Trap Enabled TLV Status Port Description Yes System Capability Yes System Description Yes System Name Yes Manageme...

Page 489: ...ng LLDP LLDP MED Configurations LLDP MED Status Enabled TLV Status Network Policy Yes Location Identification Yes Extended Power Via MDI Yes Inventory Management Yes Switch config end Switch copy running config startup config ...

Page 490: ...g LLDP Settings This chapter introduces how to view the LLDP settings on the local device 4 1 Using GUI 4 1 1 Viewing LLDP Device Info Viewing the Local Info Choose the menu L2 FEATURES LLDP LLDP Config Local Info to load the following page Figure 4 1 Local Info ...

Page 491: ... of the Chassis ID Port ID Subtype Displays the Port ID type Port ID Displays the value of the Port ID TTL Specify the amount of time in seconds the neighbor device should hold the received information before discarding it Port Description Displays the description of the local port System Name Displays the system name of the local device System Description Displays the system description of the lo...

Page 492: ...set the Refresh Rate according to your needs Click Apply 2 In the Neighbor Info section select the desired port and view its associated neighbor device information System Name Displays the system name of the neighbor device Chassis ID Displays the Chassis ID of the neighbor device System Description Displays the system description of the neighbor device Neighbor Port Displays the port ID of the ne...

Page 493: ...istics section view the global statistics of the local device Last Update Displays the time when the statistics updated Total Inserts Displays the total number of neighbors during latest update time Total Deletes Displays the number of neighbors deleted by the local device The port will delet neighbors when the port is disabled or the TTL of the LLDP packets sent by the neighbor is 0 Total Drops D...

Page 494: ...ted to the port TLV Discards Displays the total number of the TLVs discarded by the port when receiving LLDP packets TLV Unknowns Displays the total number of the unknown TLVs included in the received LLDP packets 4 2 Using CLI Viewing the Local Info show lldp local information interface fastEthernet port gigabitEthernet port ten gigabitEthernet port View the LLDP details of a specific port or all...

Page 495: ...gure 5 1 LLDP MED Local Info Follow these steps to view LLDP MED local information 1 In the Auto Refresh section enable the Auto Refresh feature and set the Refresh Rate according to your needs Click Apply 2 In the LLDP MED Local Info section select the desired port and view the LLDP MED settings Local Interface Displays the local port ID Device Type Displays the local device type defined by LLDP ...

Page 496: ...c application Media Policy DSCP Displays the DSCP value used in the specific application Viewing the Neighbor Info Choose the menu L2 FEATURES LLDP LLDP MED Config Neighbor Info to load the following page Figure 5 2 LLDP MED Neighbor Info Follow these steps to view LLDP MED neighgbor information 1 In the Auto Refresh section enable the Auto Refresh feature and set the Refresh Rate according to you...

Page 497: ...erface fastEthernet port gigabitEthernet port ten gigabitEthernet port View the LLDP details of a specific port or all the ports on the local device Viewing the Neighbor Info show lldp neighbor information interface fastEthernet port gigabitEthernet port ten gigabitEthernet port Display the information of the neighbor device which is connected to the port Viewing LLDP Statistics show lldp traffic ...

Page 498: ...1 LLDP Network Topology Gi1 0 1 Gi1 0 2 Switch A Switch B PC 6 1 2 Configuration Scheme LLDP can meet the network requirements Enable the LLDP feature globally on Switch A and Switch B Configure the related LLDP parameters on the corresponding ports Configuring Switch A and Switch B The configurations of Switch A and Switch B are similar The following introductions take Switch A as an example Demo...

Page 499: ...nfig Port Config to load the following page Set the Admin Status of port Gi1 0 1 as Tx Rx enable Notification Mode and configure all the TLVs included in the outgoing LLDP packets Figure 6 3 LLDP Port Config 6 1 4 Using CLI 1 Enable LLDP globally and configure the corresponding parameters Switch_A configure Switch_A config lldp ...

Page 500: ...ch_A config if lldp transmit Switch_A config if lldp snmp trap Switch_A config if lldp tlv select all Switch_A config if end Switch_A copy running config startup config Verify the Configurations View LLDP settings globally Switch_A show lldp LLDP Status Enabled LLDP Forward Message Disabled Tx Interval 30 seconds TTL Multiplier 4 Tx Delay 2 seconds Initialization Delay 2 seconds Trap Notification ...

Page 501: ...s Max Frame Size Yes Power Yes LLDP MED Status Disabled TLV Status Network Policy Yes Location Identification Yes Extended Power Via MDI Yes Inventory Management Yes View the Local Info Switch_A show lldp local information interface gigabitEthernet 1 0 1 LLDP local Information gigabitEthernet 1 0 1 Chassis type MAC address Chassis ID 00 0A EB 13 23 97 Port ID type Interface name Port ID GigabitEth...

Page 502: ...ent address interface ID 1 Management address OID 0 Port VLAN ID PVID 1 Port and protocol VLAN ID PPVID 0 Port and protocol VLAN supported Yes Port and protocol VLAN enabled No VLAN name of VLAN 1 System VLAN Protocol identity Auto negotiation supported Yes Auto negotiation enabled Yes OperMau speed 1000 duplex Full Link aggregation supported Yes Link aggregation enabled No Aggregation port ID 0 P...

Page 503: ...28TS 3 0 Firmware Revision Reserved Software Revision 3 0 0 Build 20170918 Rel 71414 s Serial Number Reserved Manufacturer Name TP Link Model Name T2600G 28TS 3 0 Asset ID unknown View the Neighbor Info Switch_A show lldp neighbor information interface gigabitEthernet 1 0 1 LLDP Neighbor Information gigabitEthernet 1 0 1 Neighbor index 1 Chassis type MAC address Chassis ID 00 0A EB 13 18 2D Port I...

Page 504: ...interface type IfIndex Management address interface ID 1 Management address OID 0 Port VLAN ID PVID 1 Port and protocol VLAN ID PPVID 0 Port and protocol VLAN supported Yes Port and protocol VLAN enabled No VLAN name of VLAN 1 System VLAN Protocol identity Auto negotiation supported Yes Auto negotiation enabled Yes OperMau speed 1000 duplex Full Link aggregation supported Yes Link aggregation enab...

Page 505: ...e Auto VoIP and LLDP MED to meet the network requirements The configuration overview is as follows 3 Create VLAN2 for the voice data and keep the PVID of port 1 0 1 as the default value 1 In this way all the untagged packets from the PC are sent to VLAN1 all the packets with VLAN Tag 2 from the IP phone are sent to VLAN2 4 Configure Auto VoIP on port 1 0 1 5 Enable LLDP globally 6 Configure LLDP M...

Page 506: ...onfiguration Examples User Guide 477 Figure 6 2 VLAN Config 2 Choose the menu QoS Auto VoIP to load the following page Select port 1 0 1 configure the interface mode as VLAN ID and set the VLAN ID value as 2 Click Apply ...

Page 507: ... the menu L2 FEATURES LLDP LLDP Config Global Config to load the following page Enable LLDP globally and click Apply Figure 6 4 LLDP Global Config 4 Choose the menu L2 FEATURES LLDP LLDP Config Global Config Port Config to load the following page Enable LLDP MED on port 1 0 1 and click Apply ...

Page 508: ...lan Switch config vlan exit Switch config interface gigabitEthernet 1 0 1 Switch config if switch general allowed vlan 2 untagged Switch config if exit 2 Enable Auto VoIP globally Switch config auto voip 3 Configure Auto VoIP On port 1 0 1 configure the interface mode as VLAN ID and set the VLAN ID value as 2 Switch config interface gigabitEthernet 1 0 1 Switch config if auto voip 2 Switch config ...

Page 509: ...tus Ports 1 System VLAN active Gi1 0 1 Gi1 0 2 Gi1 0 3 Gi1 0 4 Gi1 0 5 Gi1 0 6 Gi1 0 7 Gi1 0 8 Gi1 0 9 Gi1 0 10 Gi1 0 11 Gi1 0 12 Gi1 0 13 Gi1 0 14 Gi1 0 15 Gi1 0 16 Gi1 0 17 Gi1 0 18 Gi1 0 19 Gi1 0 20 Gi1 0 21 Gi1 0 22 Gi1 0 23 Gi1 0 24 Gi1 0 25 Gi1 0 26 Gi1 0 27 Gi1 0 28 2 voice_vlan active Gi1 0 1 View VoIP settings Switch show auto voip interface Interface Gi1 0 1 Auto VoIP Interface Mode Enab...

Page 510: ...atus Enabled LLDP Forward Message Disabled View LLDP MED settings on port 1 0 1 Switch_A show lldp interface gigabitEthernet 1 0 1 LLDP interface config gigabitEthernet 1 0 1 LLDP MED Status Enabled TLV Status Network Policy Yes Location Identification Yes Extended Power Via MDI Yes Inventory Management Yes ...

Page 511: ...isabled Transmit Interval 30 seconds Hold Multiplier 4 Transmit Delay 2 seconds Reinitialization Delay 2 seconds Notification Interval 5 seconds Fast Start Repeat Count 3 Table 7 2 Default LLDP Settings on the Port Parameter Default Setting Admin Status Tx Rx Notification Mode Disabled Included TLVs All Default LLDP MED Settings Table 7 3 Default LLDP MED Settings Parameter Default Setting Fast St...

Page 512: ...Part 16 Configuring L2PT CHAPTERS 1 Overview 2 L2PT Configuration 3 Configuration Example 4 Appendix Default Parameters ...

Page 513: ... between them must be transmitted through the ISP network to perform Layer 2 protocol calculation for example calculating a spanning tree Generally the PDUs of the same Layer 2 protocol use the same destination MAC address Therefore when a Layer 2 PDU from a customer network reaches a edge switch in the ISP network the switch cannot identify whether the PDU comes from a customer network or the ISP...

Page 514: ...the other end 3 PE2 receives the PDU via its NNI port and restores the destination MAC address of the PDU to its original destination MAC address With L2PT feature configured accordingly the switch can transparently transmit the PDUs of the following Layer 2 protocols STP Spanning Tree Protocol GVRP GARP VLAN Registration Protocol LACP Link Aggregation Control Protocol CDP Cisco Discovery Protocol...

Page 515: ...Apply 2 In the Port Config section configure the port that is connected to the customer network as a UNI port and specify your desired protocols on the port In addition you can also set the threshold for packets per second to be processed on the UNI port Port Displays the port number Type Select UNI as the port type for the selected port Usually the UNI port is connected to the customer network Th...

Page 516: ... the threshold is exceeded the port drops the specified Layer 2 protocol packets This value ranges from 1 to 1000 packets per second 0 indicates that the threshold feature is disabled LAG Displays the LAG that the port is in 3 In the Port Config section configure the port that is connected to the ISP network as an NNI port Note that the protocols and threshold cannot be configured on the NNI port ...

Page 517: ...ol tunneling for the GVRP packets stp Enable protocol tunneling for the STP packets lacp Enable protocol tunneling for the LACP packets all All the above Layer 2 protocols are supported for tunneling threshold Set a threshold which determines the maximum number of packets to be processed for the specified protocol on the port in one second When the threshold is exceeded the port drops the specifie...

Page 518: ...rotocol tunnel global l2protocol tunnel State Enable Switch config end Switch copy running config startup config This example shows how to configure port 1 0 1 as a UNI port for the Layer 2 protocol GVRP and set the threshold as 1000 Switch configure Switch config interface gigabitEthernet 1 0 1 Switch config if l2protocol tunnel type uni gvrp threshold 1000 Switch config if show l2protocol tunnel...

Page 519: ...iguration Switch config if l2protocol tunnel type nni Switch config if show l2protocol tunnel interface gigabitEthernet 1 0 5 Interface Type Protocol Threshold LAG Gi1 0 5 nni N A Switch config if end Switch copy running config startup config ...

Page 520: ...ches Switch A and Switch B With the L2PT feature the STP packets can be encapsulated as normal data packets and sent to the other side without being processed by the devices in the ISP network The overview of configuration is as follows 1 Enable the L2PT feature globally 2 Specify port 1 0 1 which is connected to the ISP network as an NNI port 3 Specify port 1 0 2 which is connected to the custome...

Page 521: ... Apply The configuration result is as follows Figure 3 2 Global Config 3 Click to save the settings 3 4 Using the CLI The configurations of Switch A and Switch B are similar The following introductions take Switch A as an example Switch_A configure Switch_A config l2protocol tunnel Switch_A config interface gigabitEthernet 1 0 1 Switch_A config if l2protocol tunnel type nni Switch_A config if exit...

Page 522: ..._A show l2protocol tunnel global l2protocol tunnel State Enable Verify the configuration on port 1 0 1 Switch_A show l2protocol tunnel interface gigabitEthernet 1 0 1 Interface Type Protocol Threshold LAG Gi1 0 1 nni N A Verify the configuration on port 1 0 2 Switch_A show l2protocol tunnel interface gigabitEthernet 1 0 2 Interface Type Protocol Threshold LAG Gi1 0 2 uni stp 1000 N A ...

Page 523: ...ameters 4Appendix Default Parameters Default settings of L2PT are listed in the following table Table 4 1 Default Settings of L2PT Parameter Defualt Setting L2PT Config Layer 2 Protocol Tunneling Disable Port Config Type None Protocol None Threshold None ...

Page 524: ...Part 17 Configuring PPPoE ID Insertion CHAPTERS 1 Overview 2 PPPoE ID Insertion Configuration 3 Appendix Default Parameters ...

Page 525: ...s Server The tag records the client information such as the connected port number and the MAC address of the client The BRAS uses the tag as a NAS Port ID attribute in the RADIUS packet and send it to the RADIUS server for PPP Point to Point Protocol authentication If the tag information is different from the configured one the authentication will fail In this way the illegal users cannot embezzle...

Page 526: ...se the menu L2 FEATURES PPPoE to load the following page Figure 2 1 Configuring PPPoE ID Insertion Follow these steps to configure PPPoE ID Insertion 1 In the PPPoE ID Insertion section enable PPPoE ID Insertion and click Apply 2 In the Port Config section select one or more ports and configure the relevant parameters Then click Apply ...

Page 527: ...DF Only is selected specify a string with at most 40 characters to encode the Circuit ID option Remote ID Enable or disable the Remote ID Insertion feature With this option enabled the switch will insert a Remote ID to the received PPPoE Discovery packet on this port Remote ID Value Specify a string with at most 40 characters to encode the Remote iID option Note The member port of an LAG Link Aggr...

Page 528: ...le Remote ID Insertion feature and specify the Remote ID Value Specify a string with at most 40 characters The source MAC address of the packet and the specified string will be used to encode the Remote ID option Step 7 show pppoe id insertion global Verify the global configuration of PPPoE ID Insertion Step 8 show pppoe id insertion interface fastEthernet port gigabitEthernet port ten gigabitEthe...

Page 529: ...1 Port Circuit ID C ID Type C ID Value UDF Remote ID R ID Value Gi1 0 1 Enabled UDF ONLY 123 Enabled host1 Switch config if end Switch copy running config startup config Note The member port of an LAG Link Aggregation Group follows the configuration of the LAG and not its own The configurations of the port can take effect only after it leaves the LAG ...

Page 530: ...ix Default Parameters Default settings of L2PT are listed in the following table Table 3 1 PPPoE ID Insertion Parameter Default Setting Global Config PPPoE ID Insertion Disabled Port Config Circuit ID Disabled Circuit ID Type IP UDF Value None Remote ID Disabled Remote ID Value None ...

Page 531: ...Part 18 Configuring Layer 3 Interfaces CHAPTERS 1 Overview 2 Layer 3 Interface Configurations 3 Configuration Example 4 Appendix Default Parameters ...

Page 532: ...mic routing protocols You can use Layer 3 interfaces for IP routing and inter VLAN routing This chapter introduces the configurations for Layer 3 interfaces The supported types of Layer 3 interfaces are shown as below Table 1 1 Supported Types of Layer 3 interfaces Type Description VLAN Interface A Layer 3 interface with which acts as the default gateway of all the hosts in the corresponding VLAN ...

Page 533: ...ion follow these steps 1 Create a Layer 3 interface 2 Configure IPv6 parameters of the created interface 3 View detailed information of the created interface 2 1 Using the GUI 2 1 1 Creating a Layer 3 Interface Choose the menu L3 FEATURES Interface to load the following page Figure 2 1 Interface Configuration Follow these steps to create a Layer 3 interface 1 In the Routing Config section enable I...

Page 534: ... the interface Static Assign an IP address to the interface manually DHCP Assign an IP address to the interface through the DHCP server BOOTP Assign an IP address to the interface through the BOOTP server DHCP Option 12 If you select DHCP as the IP Address Mode configure the Option 12 here DHCP Option 12 is used to specify the client s name IP Address Specify the IP address of the interface if you...

Page 535: ...figure relevant parameters for the interface according to your actual needs Then click Apply Interface ID Displays the interface ID Admin Status Enable the Layer 3 capabilities for the interface Interface Name Optional Enter a name for the interface IP Address Mode Specify the IP address assignment mode of the interface None No IP address will be assigned Static Assign an IP address manually DHCP ...

Page 536: ...eate Figure 2 4 Add a Secondary IP Entry IP Address Specify the secondary IP address of the interface Subnet Mask Specify the subnet mask of the secondary IP address 3 Optional In the Secondary IP Table section you can view the corresponding secondary IP entry you have created 2 1 3 Configuring IPv6 Parameters of the Interface In Figure 2 1 you can view the corresponding interface entry you have c...

Page 537: ...splays the interface ID Admin Status Enable the Layer 3 capabilities for the interface IPv6 Enable Enable the IPv6 feature of the interface Link local Address Mode Select the link local address configuration mode Manual With this option selected you can assign a link local address manually Auto With this option selected the switch generates a link local address automatically Link local Address Ent...

Page 538: ...obal address auto configuration via RA message With this option enabled the interface automatically generates a global address and other information according to the address prefix and other configuration parameters from the received RA Router Advertisement message Via DHCPv6 Server Enable global address auto configuration via DHCPv6 Server With this option enabled the switch will try to obtain th...

Page 539: ...time Displays the valid lifetime of the global address Valid lifetime is the length of time that an IPv6 address is in the valid state When the valid lifetime expires the address become invalid and can be no longer usable Status Displays the status of the link local address An IPv6 address cannot be used before pass the DAD Duplicate Address Detection which is used to detect the address conflicts ...

Page 540: ...etail information of the interface 2 2 Using the CLI 2 2 1 Creating a Layer 3 Interface Follow these steps to create a Layer 3 interface You can create a VLAN interface a loopback interface a routed port or a port channel interface according to your needs Step 1 configure Enter global configuration mode ...

Page 541: ... Switch the Layer 2 port into the Layer 3 routed port Create a port channel interface interface port cahnnel port channel range port channel port channel list Enter interface configuration mode port channel Specify the port channel the valid value ranges from 1 to 14 port channel list Specify the list of the port channel interface for example 1 3 5 no switchport Switch the port channel to a Layer ...

Page 542: ...ddress from the BOOTP Server Manually assign an IP Address for the interface ip address ip addr mask secondary Configure the IP address and subnet mask for the specified interface manually ip addr Specify thse IP address of the Layer 3 interface mask Specify the subnet mask of the Layer 3 interface secondary Specify the interface s secondary IP address which allows you to have two logical subnets ...

Page 543: ...ayer 3 interface including fastEthernet gigabitEthernet ten gigabitEthernet loopback and VLAN interface id The interface ID Step 3 ipv6 enable Enable the IPv6 feature on the specified Layer 3 interface By default it is enabled on VLAN interface 1 IPv6 function can only be enabled on one Layer 3 interface at a time Step 4 Configure the IPv6 link local address for the specified interface Manually co...

Page 544: ...addr eui 64 Specify a global IPv6 address with an extended unique identifier EUI in the low order 64 bits of the IPv6 address Specify only the network prefix the last 64 bits are automatically computed from the switch MAC address This enables IPv6 processing on the interface Step 6 show ipv6 interface Verify the configured ipv6 information of the interface Step 7 end Return to privileged EXEC mode...

Page 545: ...MP error messages limited to one every 1000 milliseconds ICMP redirects are enable MTU is 1500 bytes ND DAD is enable number of DAD attempts 1 ND retrans timer is 1000 milliseconds ND reachable time is 30000 milliseconds Switch config if end Switch copy running config startup config ...

Page 546: ...ost to access the internet we need to configure a VLAN interface on the switch for each VLAN The VLAN interface can be considered as the default gateway for the hosts in the VLAN All the requests to internet are sent to the VLAN interface first then the VLAN interface will forward the packets to the internet according to the routing table Demonstrated with T2600G 28TS this chapter provides configu...

Page 547: ...LAN 2 2 Go to L3 FEATURES Interface to enable IPv4 routing enabled by default then click to create VLAN interface 2 Here we choose the IP address mode as Static and manually assign an IP address 192 168 2 1 to the interface Figure 3 3 Create VLAN Interface 2 3 Click to save the settings 3 4 Using the CLI 1 Create VLAN 2 and add port 1 0 2 to VLAN 2 with its egress rule as Untagged Switch configure...

Page 548: ...nterface 2 for VLAN 2 Configure the IP address of VLAN interface 2 as 192 168 2 1 Switch config interface vlan 2 Switch config if ip address 192 168 2 1 255 255 255 0 Switch config if end Switch copy running config startup config Verify the VLAN Interface Configurations Verify the configurations of VLAN interface 2 Switch show interface vlan 2 VLAN2 is down line protocol is down Hardware is CPU In...

Page 549: ...led IPv6 Routing Disabled Table 4 2 Configuring the IPv4 Parameters of the Interface Parameter Default Setting Interface ID VLAN IP Address Mode None Admin Status Enabled Table 4 3 Configuring the IPv6 Parameters of the Interface Parameter Default Setting Admin Status Enabled IPv6 Enable Enabled Link local Address Mode Auto Enable global address auto configuration via RA message Enabled Enable glo...

Page 550: ...Part 19 Configuring Routing CHAPTERS 1 Overview 2 IPv4 Static Routing Configuration 3 IPv6 Static Routing Configuration 4 Viewing Routing Table 5 Example for Static Routing ...

Page 551: ...nd static routing entries Dynamic routing entries are automatically generated by the switch The switch use dynamic routing protocols to automatically calculate the best route to forward packets Static routing entries are manually added none aging routing entries In a simple network with a small number of devices you only need to configure static routes to ensure that the devices from different sub...

Page 552: ...n click Create Destination Specify the destination IPv4 address of the packets Subnet Mask Specify the subnet mask of the destination IPv4 address Next Hop Specify the IPv4 gateway address to which the packet should be sent next Distance Specify the administrative distance which is the trust rating of a routing entry A higher value means a lower trust rating Among the routes to the same destinatio...

Page 553: ...ve routes to the same destination only the route that has the shortest distance will be recorded in the IP routing table The valid values are from 1 to 255 and the default value is 1 Step 3 show ip route static connected Verify the IPv4 route entries of the specified type Step 4 end Return to privileged EXEC mode Step 5 copy running config startup config Save the settings in the configuration file...

Page 554: ...outing entry Then click Create IPv6 Address Specify the destination IPv6 address of the packets Prefix Length Specify the prefix length of the IPv6 address Next Hop Specify the IPv6 gateway address to which the packet should be sent next Distance Specify the administrative distance which is the trust rating of a routing entry A higher value means a lower trust rating Among the routes to the same d...

Page 555: ...A higher value means a lower trust rating When more than one routing protocols have routes to the same destination only the route that has the shortest distance will be recorded in the IP routing table The valid values are from 1 to 255 and the default value is 1 Step 4 show ipv6 route static connected Verify the IPv6 route entries of the specified type Step 5 end Return to privileged EXEC mode St...

Page 556: ...onnected The destination network is directed connected to the switch Static The routing entry is a manually added static routing entry Destination Network Displays the destination IP address and subnet mask Next Hop Displays the IPv4 gateway address to which the packet should be sent next Distance Displays the administrative distance which is the trust rating of a routing entry A higher value mean...

Page 557: ...ld be sent next Distance Displays the administrative distance which is the trust rating of a routing entry A higher value means a lower trust rating Among the routes to the same destination the route with the lowest distance value will be recorded in the IPv6 routing table Metric Displays the metric to reach the destination IPv6 address Interface Name Displays the name of the gateway interface 4 2...

Page 558: ... or any other configuration mode you can use the following command to view IPv6 routing table show ipv6 route static connected View the IPv6 route entries of the specified type If not specified all types of route entries will be displayed static View the static IPv6 routes connected View the connected IPv6 routes ...

Page 559: ...way of host A as 10 1 1 1 24 the default gateway of host B as 10 1 2 1 24 and configure IPv4 static routes on Switch A and Switch B so that hosts on different network segments can communicate with each other Demonstrated with T2600G 28TS the following sections provide configuration procedure in two ways using the GUI and using the CLI 5 3 Using the GUI The configurations of Switch A and Switch B a...

Page 560: ...gure 5 2 Create a Routed Port Gi1 0 1 for Switch A Figure 5 3 Create a Routed Port Gi1 0 2 for Switch A 2 Choose the menu L3 FEATURES Static Routing IPv4 Static Routing to load the following page Add a static routing entry with the destination as 10 1 2 0 the subnet ...

Page 561: ... the admin status as Enable Create a routed port Gi1 0 2 with the mode as static the IP address as 10 1 10 1 the mask as 255 255 255 0 and the admin status as Enable Switch_A configure Switch_A config interface gigabitEthernet 1 0 1 Switch_A config if no switchport Switch_A config if ip address 10 1 1 1 255 255 255 0 Switch_A config if exit Switch_A config interface gigabitEthernet 1 0 2 Switch_A ...

Page 562: ...0 S 10 1 2 0 24 1 0 via 10 1 10 2 Vlan20 Switch B Verify the static routing configuration Switch_B show ip route Codes C connected S static candidate default C 10 1 2 0 24 is directly connected Vlan30 C 10 1 10 0 24 is directly connected Vlan20 S 10 1 1 0 24 1 0 via 10 1 10 1 Vlan20 Connectivity Between Switch A and Switch B Run the ping command on switch A to verify the connectivity Switch_A ping...

Page 563: ...Guide 534 Configuring Routing Example for Static Routing Ping statistics for 10 1 2 1 Packets Sent 4 Received 4 Lost 0 0 loss Approximate round trip times in milli seconds Minimum 1ms Maximum 3ms Average 1ms ...

Page 564: ...Part 20 Configuring DHCP Service CHAPTERS 1 DHCP 2 DHCP Server Configuration 3 DHCP Relay Configuration 4 DHCP L2 Relay Configuration 5 Configuration Examples 6 Appendix Default Parameters ...

Page 565: ...s Switch DHCP Server DHCP Relay DHCP Relay is used to process and forward DHCP packets between different subnets or VLANs DHCP clients broadcast DHCP request packets to require for IP addresses Without this function clients cannot obtain IP addresses from a DHCP server in the different LAN because the broadcast packets can be transmitted only in the same LAN To equip each LAN with a DHCP server ca...

Page 566: ...To allocate network addresses using Option 82 you need to define the two sub options on the DHCP relay agent and create a DHCP class on the DHCP server to identify the Option 82 payload TP Link switches preset a default circuit ID and remote ID in TLV Type Length and Value format You can also configure the format to include Value only and customize the Value Table 1 1 and Table 1 2 show the packet...

Page 567: ...nt is connected to port 1 0 1 in VLAN 2 this field is 00 02 00 01 in hexadecimal Default remote ID A 6 byte value which indicates the MAC address of the DHCP relay agent Customized circuit remote ID You can configure a string using up to 64 characters The switch encodes the string using ASCII When configuring your DHCP server to identify the string use the correct notation that is used by your DHC...

Page 568: ...i1 0 1 Routed Port 192 168 3 1 24 DHCP Server Pool A 192 168 2 0 24 Pool B 192 168 3 0 24 DHCP Clients VLAN 20 192 168 2 0 24 PC 1 DHCP Client 192 168 3 2 24 Switch DHCP Relay DHCP VLAN Relay DHCP VLAN Relay allows clients in different VLANs to obtain IP addresses from the DHCP server using the IP address of a single agent interface In DHCP Interface Relay to achieve this goal you need to create a...

Page 569: ... VLAN DHCP L2 Relay Unlike DHCP relay DHCP L2 Relay is used in the situation that the DHCP server and clients are in the same VLAN In DHCP L2 Relay in addition to normally assigning IP addresses to clients from the DHCP server the switch can inform the DHCP server of some specified information such as the location information of clients by inserting an Option 82 payload to DHCP request packets bef...

Page 570: ...2 Configure DHCP Server Pool 3 Optional Manually assign static IP addresses for some clients 2 1 Using the GUI 2 1 1 Enabling DHCP Server Choose the menu L3 FEATURES DHCP Service DHCP Server DHCP Server to load the following page Figure 2 1 Configure DHCP Server Follow these steps to configure DHCP Server 1 In the Global Config section enable DHCP Server Click Apply DHCP Server Enable DHCP Server ...

Page 571: ...ackets the server can broadcast to test whether the IP address is occupied The valid values are from 1 to 10 and the default is 1 When the switch is configured as a DHCP server to dynamically assign IP addresses to clients the switch will deploy ping tests to avoid IP address conflicts resulted from assigning IP addresses repeatedly Ping Timeout Specify the timeout period for ping tests in millise...

Page 572: ...eters that will be assigned to DHCP clients Choose the menu L3 FEATURES DHCP Service DHCP Server Pool Setting and click to load the following page Figure 2 3 Pool Setting Configure the parameters for DHCP Server Pool Then click Create Pool Name Specify a pool name for identification Network Address Subnet Mask Configure the network address and subnet mask of the DHCP server pool The network addres...

Page 573: ...f you leave this field blank the DHCP server will not assign this parameter to clients The following options are provided b node Broadcast The client sends query messages via broadcast p node Peer to Peer The client sends query messages via unicast m node Mixed The client sends query messages via broadcast first If it fails the client will try again via unicast h node Hybrid The client sends query...

Page 574: ... client ID of the client Client ID in ASCII Bind the IP address to the client ID in ASCII format Hardware Address Bind the IP address to the MAC address of the client Client ID If you select Client ID as the binding mode enter the client ID in this field Hardware Address If you select Hardware Address as the binding mode enter the MAC address in this field Hardware Type If you select Hardware Addr...

Page 575: ...fied number without response the server will assign the IP address Otherwise the server will record the IP address as a conflicted IP address and assign another IP address to the client value Specify the timeout period for ping tests in milliseconds It ranges from 100 to 10000 ms and the default is 100 ms Step 6 ip dhcp server ping packets num Specify the number of ping packets the server can broa...

Page 576: ...h config service dhcp server Switch config ip dhcp server ping packets 2 Switch config ip dhcp server ping timeout 200 Switch config show ip dhcp server status DHCP server is enable Ping packet number 2 Ping packet timeout 200 milliseconds Switch config end Switch copy running config startup config The following example shows how to configure the Option 60 as abc and Option 138 as 192 168 0 155 Sw...

Page 577: ...ork address subnet mask Configure the network address and subnet mask of the DHCP server pool The network address and subnet mask decide the range of the DHCP server pool On the same subnet all addresses can be assigned except the excluded addresses and addresses for special uses network address Configure the network address of the DHCP server pool subnet mask Configure the subnet mask of the DHCP...

Page 578: ...on type Specify the NetBIOS type The following options are provided b node The client sends query messages via broadcast p node The client sends query messages via unicast m node The client sends query messages via broadcast first If it fails the client will try again via unicast h node The client sends query messages via unicast first If it fails the client will try again via broadcast Step 9 nex...

Page 579: ...efault Gateway 192 168 1 1 DNS Server 192 168 1 4 NetBIOS Server 192 168 1 19 NetBIOS Node Type B node Broadcast TFTP server 192 168 1 30 Domain Name com Bootfile bootfile Switch configure Switch config ip dhcp server pool pool1 Switch dhcp config network 192 168 1 0 255 255 255 0 Switch dhcp config lease 180 Switch dhcp config default gateway 192 168 1 1 Switch dhcp config dns server 192 168 1 4 ...

Page 580: ...file Name bootfile Switch dhcp config end Switch copy running config startup config 2 2 3 Configuring Manual Binding Some hosts WWW server for example requires a static IP address To satisfy this requirement you can manually bind the MAC address or client ID of the host to an IP address and the DHCP server will reserve the bound IP address to this host at all times Follow these steps to configure ...

Page 581: ...fy the IP address to be bound hardware address Enter the MAC address of the client ethernet ieee802 Specify a hardware type for the client either Ethernet or IEEE802 Step 4 show ip dhcp server manual binding Verify the manual binding configuration Step 5 end Return to Privileged EXEC Mode Step 6 copy running config startup config Save the settings in the configuration file The following example sh...

Page 582: ... the Interface or VLAN 3 1 Using the GUI 3 1 1 Enabling DHCP Relay and Configuring Option 82 Choose the menu L3 FEATURES DHCP Service DHCP Relay DHCP Relay Config to load the following page Figure 3 1 Enable DHCP Relay and Configure Option 82 Follow these steps to enable DHCP Relay and configure Option 82 1 In the Global Config section enable DHCP Relay globally and configure the relay hops and ti...

Page 583: ...receiving DHCP packets that include the Option 82 field Keep The switch keeps the Option 82 field of the packets Replace The switch replaces the Option 82 field of the packets with a new one The switch presets a default circuit ID and remote ID in TLV Type Length and Value format You can also configure the format to include Value only and customize the Value Drop The switch discards the packets th...

Page 584: ...et Choose the menu L3 FEATURES DHCP Service DHCP Relay DHCP Interface Relay and click to load the following page Figure 3 2 Configuring DHCP Interface Relay Select the interface type and enter the interface ID then enter the IP address of the DHCP server Click Create Interface ID Specify the type and ID of the interface It is the Layer 3 interface which is connecting to the DHCP clients The interf...

Page 585: ...ay agent interface The DHCP server will assign IP addresses in the same subnet with this relay agent interface to the clients who use this relay agent interface to apply for IP addresses IP Address Displays the IP address of this interface Note If the VLAN the clients belong to already has an IP address the switch will use the client s own VLAN interface as the relay agent interface The manually s...

Page 586: ...is 4 Step 4 ip dhcp relay time time Specify the threshold for the DHCP relay time DHCP relay time is the time elapsed since the client began address acquisition or renewal process There is a field in DHCP packets which specially records this time and the switch will drop the packets if the value of this field is greater than the threshold Value 0 means the switch will not examine this field of the...

Page 587: ... Mode Step 3 ip dhcp relay information option Enable the Option 82 feature on the port Step 4 ip dhcp relay information strategy keep replace drop Specify the operation for the switch to take when receiving DHCP packets that include the Option 82 field keep The switch keeps the Option 82 field of the packets replace The switch replaces the Option 82 field of the packets with a new one The switch p...

Page 588: ...d the DHCP server should be compatible with each other string Enter the remote ID with up to 64 characters Step 8 show ip dhcp relay information interface fastEthernet port gigabitEthernet port ten gigabitEthernet port port channel port channel id Verify the Option 82 configurations of the port Step 9 end Return to Privileged EXEC Mode Step 10 copy running config startup config Save the settings i...

Page 589: ...rt Configuration Mode interface fastEthernet port gigabitEthernet port ten gigabitEthernet port Enter Interface Configuration Mode port Specify the Ethernet port number for example 1 0 1 no switchport Switch the Layer 2 port into the Layer 3 routed port Enter Port channel Interface Configuration Mode interface port cahnnel port channel Enter Interface Configuration Mode port channel Specify the po...

Page 590: ...terface vlan 66 Switch config if ip helper address 192 168 1 7 Switch config if show ip dhcp relay DHCP relay helper address is configured on the following interfaces Interface Helper address VLAN 66 192 168 1 7 Switch config if end Switch copy running config startup config 3 2 4 Configuring DHCP VLAN Relay Follow these steps to configure DHCP VLAN Relay Step 1 configure Enter Global Configuration...

Page 591: ...id values are from 1 to 14 no switchport Switch the port channel to a Layer 3 port channel interface Step 3 ip dhcp relay default interface Set the interface as the default relay agent interface If the VLAN that the clients belong to does not have an IP address the switch will use the IP address of this interface to fill in the Relay Agent IP Address field of DHCP packets from the DHCP clients Ste...

Page 592: ... Switch configure Switch config interface gigabitEthernet 1 0 2 Switch config if no switchport Switch config if ip dhcp relay default interface Switch config if exit Switch config ip dhcp relay vlan 10 helper address 192 168 1 8 Switch config show ip dhcp relay DHCP VLAN relay helper address is configured on the following vlan vlan Helper address VLAN 10 192 168 1 8 Switch config end Switch copy r...

Page 593: ...e menu L3 FEATURES DHCP Service DHCP L2 Relay Global Config to load the following page Figure 4 1 Enable DHCP L2 Relay Follow these steps to enable DHCP L2 Relay globally for the specified VLAN 1 In the Global Config section enable DHCP L2 Relay globally Click Apply DHCP L2 Relay Enable DHCP Relay globally 2 In the VLAN Config section enable DHCP L2 Relay for the specified VLAN Click Apply VLAN Di...

Page 594: ...ifferent groups from the same DHCP server Option 82 Policy Select the operation for the switch to take when receiving DHCP packets that include the Option 82 field Keep The switch keeps the Option 82 field of the packets Replace The switch replaces the Option 82 field of the packets with a new one The switch presets a default circuit ID and remote ID in TLV Type Length and Value format You can als...

Page 595: ...HCP server should be compatible with each other Remote ID Customization Enable or disable Remote ID Customization Enable it if you want to manually configure the remote ID Otherwise the switch uses its own MAC address as the remote ID Remote ID Enter the customized remote ID with up to 64 characters The remote ID configurations of the switch and the DHCP server should be compatible with each other...

Page 596: ...ation Mode Step 3 ip dhcp l2relay information option Enable the Option 82 feature on the port Step 4 ip dhcp l2relay information strategy keep replace drop Specify the operation for the switch to take when receiving DHCP packets that include the Option 82 field keep The switch keeps the Option 82 field of the packets replace The switch replaces the Option 82 field of the packets with a new one The...

Page 597: ... switch and the DHCP server should be compatible with each other string Enter the remote ID with up to 64 characters Step 8 show ip dhcp l2relay information interface fastEthernet port gigabitEthernet port port channel port channel id Verify the Option 82 configuration of the port Step 9 end Return to Privileged EXEC Mode Step 10 copy running config startup config Save the settings in the configur...

Page 598: ...Configuring DHCP Service DHCP L2 Relay Configuration User Guide 569 Switch config if end Switch copy running config startup config ...

Page 599: ...Configuration Scheme You can enable the DHCP Server service on the switch and create a DHCP IP pool for all the connected devices Then manually bind the MAC address of the FTP server to an IP address specified for the FTP server Demonstrated with T2600G 52TS the following sections provide configuration procedures in two ways using the GUI and using the CLI 5 1 3 Using the GUI 1 Choose the menu L3 ...

Page 600: ...P Service DHCP Server Manual Binding and click to load the following page Select the DHCP server pool you just created and enter the IP address of the FTP server in the IP Address field Select Hardware Address as the binding mode and enter the MAC address of the FTP server in the Hardware Address field Select Ethernet as the Hardware Type Click Create Figure 5 4 Configuring Manual Binding 4 Click ...

Page 601: ...ver binding IP Address Client id Hardware Address Type Lease Time Left 192 168 0 2 01 d43d 7ebf 615f Automatic 01 57 27 192 168 0 8 01 fcaa 1459 e94a Manual Infinite 5 2 Example for DHCP Interface Relay 5 2 1 Network Requirements The administrator deploys one DHCP server on the network and wants the server to assign IP addresses to the computers in the Marketing department and the R D department I...

Page 602: ...you to configure DHCP Interface Relay to satisfy the requirement The overview of the configurations are as follows 1 Before configuring DHCP Interface Relay create two DHCP IP pools on the DHCP server for the two departments respectively Then create static routes or enable dynamic routing protocol like RIP on the DHCP server to make sure the DHCP server can reach the clients in the two VLANs 2 Con...

Page 603: ...ad the following page In the Global Config section enable DHCP Server globally Figure 5 6 Configuring DHCP Server 2 Choose the menu L3 FEATURES DHCP Service DHCP Server Pool Setting and click to load the following page Create pool 1 for VLAN 10 and pool 2 for VLAN 20 Configure the corresponding parameters as the following pictures show Figure 5 7 Configuring DHCP Pool 1 for VLAN 10 ...

Page 604: ... for VLAN 20 3 Choose the menu L3 FEATURES Static Routing IPv4 Static Routing and click to load the following page Create two static routing entries for the DHCP server to make sure that the DHCP server can reach the clients in the two VLANs Figure 5 9 Creating the Static Routing Entry for VLAN 10 ...

Page 605: ...atic Routing Entry for VLAN 20 Configuring the VLANs on the Relay Agent 1 Choose the menu L2 FEATURES VLAN 802 1Q VLAN VLAN Config and click to load the following page Create VLAN 10 for the Marketing department and add port 1 0 1 as an untagged port to the VLAN Figure 5 11 Creating VLAN 10 ...

Page 606: ...uring DHCP Service Configuration Examples User Guide 577 2 On the same page click again to create VLAN 20 for the R D department and add port 1 0 2 as an untagged port to the VLAN Figure 5 12 Creating VLAN 20 ...

Page 607: ...y Agent 1 Choose the menu L3 FEATURES Interface and click to load the following page Create VLAN interface 10 and VLAN interface 20 Configure port 1 0 5 as the routed port Figure 5 13 Creating VLAN Interface 10 Figure 5 14 Creating VLAN Interface 20 2 On the same page click again to configure port 1 0 5 as the routed port ...

Page 608: ...CP Service DHCP Relay DHCP Relay Config to load the following page In the Global Config section enable DHCP Relay and click Apply Figure 5 16 Enable DHCP Relay 2 Choose the menu L3 FEATURES DHCP Service DHCP Relay DHCP Interface Relay and click to load the following page Specify the DHCP server for the clients in VLAN 10 and VLAN 20 Figure 5 17 Specify DHCP Server for Interface VLAN 10 ...

Page 609: ...sk as 255 255 255 0 lease time as 120 minutes default gateway as 192 168 3 1 Switch config ip dhcp server pool pool1 Switch dhcp config network 192 168 2 0 255 255 255 0 Switch dhcp config lease 120 Switch dhcp config default gateway 192 168 2 1 Switch dhcp config exit Switch config ip dhcp server pool pool2 Switch dhcp config network 192 168 2 0 255 255 255 0 Switch dhcp config lease 120 Switch d...

Page 610: ...ig interface gigabitEthernet 1 0 2 Switch config if switchport general allowed vlan 20 untagged Switch config if exit Configuring the VLAN Interfaces Routed Port on the Relay Agent Switch config interface vlan 10 Switch config if ip address 192 168 2 1 255 255 255 0 Switch config if exit Switch config interface vlan 20 Switch config if ip address 192 168 3 1 255 255 255 0 Switch config if exit Swi...

Page 611: ...s of the DHCP Relay Agent Switch show ip dhcp relay DHCP relay is enabled DHCP relay helper address is configured on the following interfaces Interface Helper address VLAN10 192 168 0 59 VLAN20 192 168 0 59 5 3 Example for DHCP VLAN Relay 5 3 1 Network Requirements The administrator needs to deploy the office network for the Marketing department and the R D department The detailed requirements are...

Page 612: ... satisfy the requirement The overview of the configurations are as follows 1 Create one DHCP IP pool on the DHCP server which is on 192 168 0 0 24 network segment 2 Configure 802 1Q VLAN on the DHCP relay agent Add all computers in the marketing department to VLAN 10 and add all computers in the R D department to VLAN 20 3 Configure DHCP VLAN Relay on the DHCP relay agent Enable DHCP Relay globall...

Page 613: ... to load the following page In the Global Config section enable DHCP Server globally Figure 5 20 Configuring DHCP Server 2 Choose the menu L3 FEATURES DHCP Service DHCP Server Pool Setting and click to load the following page Create a DHCP pool for the clients Configure the corresponding parameters as the following picture shows Figure 5 21 Configuring DHCP Pool 1 for VLAN 10 ...

Page 614: ...585 Configuring the VLANs on the Relay Agent 1 Choose the menu L2 FEATURES VLAN 802 1Q VLAN VLAN Config and click to load the following page Create VLAN 10 for the Marketing department and add port 1 0 1 as untagged port to the VLAN Figure 5 22 Creating VLAN 10 ...

Page 615: ...ting VLAN 20 Configuring DHCP VLAN Relay on the Relay Agent 1 Choose the menu L3 FEATURES DHCP Service DHCP Relay DHCP Relay Config to load the following page In the Global Config section enable DHCP Relay and click Apply Figure 5 24 Enable DHCP Relay 2 Choose the menu L3 FEATURES DHCP Service DHCP Relay DHCP VLAN Relay to load the following page In the Default Relay Agent Interface section specif...

Page 616: ...e clients in VLAN 10 and VLAN 20 Figure 5 26 Specify DHCP Server for Interface VLAN 10 Figure 5 27 Specify DHCP Server for Interface VLAN 20 4 Click to save the settings 5 3 4 Using the CLI Configurting the DHCP Server 1 Enable DHCP service globally Switch configure Switch config service dhcp server 2 Create a DHCP pool and name it as pool and configure its network address as 192 168 0 0 subnet ma...

Page 617: ...Switch config if exit Switch config vlan 20 Switch config vlan name RD Switch config vlan exit Switch config interface gigabitEthernet 1 0 2 Switch config if switchport general allowed vlan 20 untagged Switch config if exit Configuring DHCP VLAN Relay on the Relay Agent 1 Enable DHCP Relay Switch config service dhcp relay 2 Specify the routed port 1 0 5 as the default relay agent interface Switch ...

Page 618: ...n the following vlan vlan Helper address VLAN 10 192 168 0 59 VLAN 20 192 168 0 59 5 4 Example for Option 82 in DHCP Relay 5 4 1 Network Requirements As the following figure shows there are two groups of computers Group 1 is connected to Switch A via port 1 0 1 and Group 2 is connected via port 1 0 2 All computers are in the same VLAN but the computers and the DHCP server are in different subnets ...

Page 619: ...t groups The overview of the configurations are as follows 1 Configuring Switch A a Configure 802 1Q VLAN Add all computers to VLAN 2 For details refer to Configuring 802 1Q VLAN b Configure the interface address of VLAN 2 For details refer to Configuring Layer 3 Interfaces c Configure DHCP relay and enable Option 82 in DHCP Relay In this example both DHCP Interface Relay and DHCP VLAN Relay can i...

Page 620: ...y Config to load the following page In the Global Config section enable DHCP Relay and click Apply Figure 5 29 Enable DHCP Relay 2 In the Option 82 Config section select port 1 0 1 and port 1 0 2 enable Option 82 Support and set Option 82 Policy as Replace You can configure other parameters according to your needs In this example the Format is set as Normal and Circuit ID Customization and Remote ...

Page 621: ...or port 1 0 1 and port 1 0 2 Set Option 82 policy as Replace You can configure other parameters according to your needs In this example the Format is set as Normal and Circuit ID Customization and Remote ID Customization as Disabled Switch config interface range gigabitEthernet 1 0 1 2 Switch config if ip dhcp relay information option Switch config if ip dhcp relay information strategy replace Swi...

Page 622: ...le dynamic routing protocol like RIP on the DHCP server In this section we use different notations to distinguish ASCII strings from hexadecimal numbers An ASCII string is enclosed with quotation marks such as 123 while a hexadecimal number is divided by colon into parts of two digits such as 31 32 33 On the DHCP server you need to create two DHCP classes to identify the Option 82 payloads of DHCP...

Page 623: ...y the offset of the agent remote ID is 2 and the length is 6 class VLAN2Port1 match if substring option agent circuit id 2 4 00 02 00 01 and substring option agent remote id 2 6 00 00 ff ff 27 12 class VLAN2Port2 match if substring option agent circuit id 2 4 00 02 00 02 and substring option agent remote id 2 6 00 00 ff ff 27 12 Create two IP Address pools in the same subnet Assign different IP ad...

Page 624: ... 0 1 Group 1 Group 2 DHCP Server 192 168 10 1 24 Switch A DHCP Relay 00 00 FF FF 27 12 192 168 10 100 192 168 10 150 192 168 10 151 192 168 10 200 PC PC PC PC 5 5 2 Configuration Scheme To meet the requirements you can configure DHCP L2 Relay on Switch A to inform the DHCP server of the group information of each PC so that the DHCP server can assign IP addresses of different address pools to the P...

Page 625: ... 1 Choose the menu L3 FEATURES DHCP Service DHCP L2 Relay Global Config to load the following page In the Global Config section enable DHCP L2 Relay globally and click Apply Enable DHCP L2 Relay on VLAN 1 and click Apply Figure 5 33 Enabling DHCP L2 Relay 2 Choose the menu L3 FEATURES DHCP Service DHCP L2 Relay Port Config to load the following page Select port 1 0 1 enable Option 82 Support and s...

Page 626: ... 82 Policy as Replace You can configure other parameters according to your needs In this example keep Format as Normal and Remote ID Customization as Disabled Enable Circuit ID Customization and specify the Circuit ID as Group2 Click Apply Figure 5 35 Configuring Port 1 0 2 4 Click to save the settings Using the CLI 1 Enable DHCP L2 Relay globally and on VLAN1 Switch configure ...

Page 627: ...3 On port 1 0 2 enable Option 82 and select Option 82 Policy as Replace You can configure other parameters according to your needs In this example keep Format as Normal and Remote ID Customization as Disabled Enable Circuit ID Customization and specify the Circuit ID as Group2 Switch config interface gigabitEthernet 1 0 2 Switch config if ip dhcp l2relay information Switch config if ip dhcp l2rela...

Page 628: ...of DHCP request packets from Group 1 and Group 2 respectively In this example the DHCP relay agent uses the customized circuit ID and default remote ID in TLV format According to packet format described in Table 1 1 and Table 1 2 the sub options of the two groups are as shown in the following table Table 5 2 Sub options of Group1 and Group 2 Group Sub option Type Hex Length Hex Value 1 Circuit ID ...

Page 629: ...ubstring option agent remote id 2 6 00 00 ff ff 27 12 Create two IP Address pools in the same subnet Assign different IP addresses to the DHCP clients in different groups subnet 192 168 10 0 netmask 255 255 255 0 option routers 192 168 10 1 option subnet mask 255 255 255 0 option domain name servers 192 168 10 1 option domain name example com default lease time 600 max lease time 7200 authoritativ...

Page 630: ...Default Setting Global Config DHCP Server Disabled Option 60 None Option 138 None Ping Time Config Ping Packets 1 Ping Timeout 100 ms Excluded IP Address Start IP Address None End IP Address None Pool Setting Pool Name None Network Address None Subnet Mask None Lease Time 120 min Default Gateway None DNS Server None NetBIOS Server None NetBIOS Node Type None Next Server Address None Domain Name No...

Page 631: ...gs of DHCP Relay are listed in the following table Table 6 2 Default Settings of DHCP Relay Parameter Default Setting DHCP Relay DHCP Relay Disabled DHCP Relay Hops 4 DHCP Relay Time Threshold 0 Option 82 Configuration Option 82 Support Disabled Option 82 Policy Keep Format Normal Circuit ID Customization Disabled Circuit ID None Remote ID Customization Disabled Remote ID None DHCP Interface Relay...

Page 632: ...efault settings of DHCP L2 Relay are listed in the following table Table 6 3 Default Settings of DHCP L2 Relay Parameter Default Setting Global Config DHCP Relay Disabled VLAN Status Disabled Port Config Option 82 Support Disabled Option 82 Policy Keep Format Normal Circuit ID Customization Disabled Circuit ID None Remote ID Customization Disabled Remote ID None ...

Page 633: ...Part 21 Configuring ARP CHAPTERS 1 Overview 2 ARP Configurations 3 Appendix Default Parameters ...

Page 634: ...atuitous ARP packet are the sender its own IP address It is used to detect duplicate IP address If an interface sends a gratuitous ARP packet and no replies are received then the sender knows its IP address is not used by other devices Proxy ARP Normally the ARP packets can only be transmitted in one broadcast domain which means if two devices in the same network segment are connected to different...

Page 635: ...he hosts cannot receive each other s ARP request So they cannot communicate with each other because they cannot learn each other s MAC address using ARP packets To solve this problem you can enable Local Proxy ARP on the Layer 3 interface and the interface will respond the ARP request sender with its own MAC address After that the ARP request sender sends packets to the Layer 3 interface and the i...

Page 636: ...eature Enable Local Proxy function for VLAN interfaces or routed ports 2 1 Using the GUI 2 1 1 Viewing the ARP Entries The ARP table consists of two kinds of ARP entries dynamic and static Dynamic Entry Automatically learned and will be deleted after aging time Static Entry Added manually and will be remained unless modified or deleted manually Choose the menu L3 FEATURES ARP ARP Table ARP Table t...

Page 637: ...it 2 1 2 Adding Static ARP Entries Manually You can add desired static ARP entries by mannually specifying the IP addresses and MAC addresses Choose the menu L3 FEATURES ARP Static ARP and click to load the following page Figure 2 2 Adding Static ARP Entries Enter the IP address and MAC address then click Create IP address Specify the IP address of the static ARP entry MAC address Specify the MAC ...

Page 638: ...or the correct owner the interface sends gratuitous ARP packets It is disabled by default Gratuitous ARP Learning Normally the switch only updates the MAC address table by learning from the ARP reply packet or normal ARP request packet With this option enabled the switch will also update the MAC address table by learning from the received gratuitous ARP packets It is disabled by default 2 In the G...

Page 639: ... 2 1 5 Configuring Local Proxy ARP Local Proxy ARP is used in the situation that two devices are in the same VLAN but isolated on the layer 2 ports Choose the menu L3 FEATURES ARP Proxy ARP Local Proxy ARP to load the following page Figure 2 5 Configuring Local Proxy ARP Select the desired interface and enable local proxy ARP Then click Apply IP Address Displays the IP address of the Layer 3 inter...

Page 640: ...red ARP entry mac Specify the MAC address of your desired ARP entry Step 4 end Return to privileged EXEC mode Step 5 copy running config startup config Save the settings in the configuration file This example shows how to create a static ARP entry with the IP as 192 168 0 1 and the MAC as 00 11 22 33 44 55 Switch configure Switch config arp 192 168 0 1 00 11 22 33 44 55 arpa Switch config show arp...

Page 641: ...s how to configure the aging time of dynamic ARP entries as 1000 seconds for VLAN interface 2 Switch configure Switch config arp timeout 1000 Switch config end Switch copy running config startup config Clearing Dynamic Entries Step 1 configure Enter global configuration mode Step 2 clear arp cache Clear all the dynamic ARP entries Step 3 copy running config startup config Save the settings in the ...

Page 642: ... Layer 3 interface to send a gratuitous ARP packet to detect if its IP address is used by other devices It is enabled by default Step 3 gratuitous arp dup ip detected enable Optional Enable the Layer 3 interface to send a gratuitous packet when the interface received a gratuitous ARP packet with the same IP address with its own It is disabled by default Step 4 gratuitous arp learning enable Option...

Page 643: ...p 2 There are three types of Layer 3 interface that are able to send gratuitous ARP packets routed port port channel and VLAN interface interface fastEthernet port range fastEthernet port list gigabitEthernet port range gigabitEthernet port list ten gigabitEthernet port ten range gigabitEthernet port list port channel port channel range port channel port channel list no switch port Enter interface...

Page 644: ...ets for VLAN interface 1 as 10 seconds Switch configure Switch config interface vlan 1 Switch config if gratuitous arp send interval 10 Switch config if show gratuitous arp Interface Gratuitous ARP Periodical Send Interval VLAN1 10 Switch config if end Switch copy running config startup config 2 2 3 Configuring Proxy ARP You can configure proxy ARP and local proxy ARP Configuring Proxy ARP Follow ...

Page 645: ...an id Enter the interface VLAN ID Step 3 ip proxy arp Enable Proxy ARP function on the specified Layer 3 interface Step 4 show ip proxy arp Show the Proxy ARP configuration Step 5 end Return to privileged EXEC mode Step 6 copy running config startup config Save the settings in the configuration file This example shows how to enable Proxy ARP function for VLAN interface 1 Switch configure Switch co...

Page 646: ...face vlan vlan id Enter the vlan interface configuration mode vlan id Enter the interface VLAN ID Step 3 ip local proxy arp Enable Local Proxy ARP function on the specified Layer 3 interface Step 4 show ip local proxy arp Show the Local Proxy ARP configuration Step 5 end Return to privileged EXEC mode Step 6 copy running config startup config Save the settings in the configuration file This exampl...

Page 647: ...ters Default ARP settings are listed in the following tables Table 3 1 Default Gratuitous Settings Parameter Default Setting Send on IP Interface Status Up Enabled Send on Duplicate IP Detected Disabled Gratuitous ARP Learning Disabled Gratuitous ARP Periodical Send Interval 0 second ...

Page 648: ...2 Configuring QoS CHAPTERS 1 QoS 2 Class of Service Configuration 3 Bandwidth Control Configuration 4 Voice VLAN Configuration 5 Auto VoIP Configuration 6 Configuration Examples 7 Appendix Default Parameters ...

Page 649: ...maps the packets to different priority queues and then forwards the packets according to specified scheduler settings to implement QoS function Priority Mode Three modes are supported Port Priority 802 1p Priority and DSCP Priority Scheduler Mode Two scheduler type are supported Strict and Weighted Bandwidth Control Bandwidth Control functions to control the traffic rate and traffic threshold on e...

Page 650: ...uto VoIP These two features can be enabled on the ports that transmit voice traffic only or transmit both voice traffic and data traffic Voice VLAN can change the voice packets 802 1p priority and transmit the packets in desired VLAN Auto VoIP can inform the voice devices of send the packets with specific configuration by working with the LLDP MED feature ...

Page 651: ... field The PRI values are from 0 to 7 802 1P priority determines the priority of packets based on the PRI value In this mode the switch only prioritizes packets with VLAN tag regardless of the IP header of the packets DSCP Priority DSCP priority determines the priority of packets based on the ToS Type of Service field in their IP header RFC2474 re defines the ToS field in the IP packet header as D...

Page 652: ... the desired ports specify the 802 1p priority and set the trust mode as Untrusted 802 1p Priority Specify the port to 802 1p mapping for the desired port The ingress packets from one port are first mapped to 802 1p priority based on the port to 802 1p mapping then to TC queues based on the 802 1p to queue mapping The untagged packets from one port will be added an 802 1p priority value according ...

Page 653: ...igure 2 2 Configuring the 802 1p to Queue Mapping In the 802 1p to Queue Mapping section configure the mappings and click Apply 802 1p Priority Displays the number of 802 1p priority In QoS 802 1p priority is used to represent class of service Queue Select the TC queue for the desired 802 1p priority The packets with the desired 802 1p priority will be put in the corresponding queue ...

Page 654: ...e Figure 2 3 Configuring the Trust Mode Follow these steps to configure the trust mode 1 Select the desired ports and set the trust mode as Trust 802 1p Trust Mode Select the Trust mode as Trust 802 1p In this mode the tagged packets will be processed according to the 802 1p priority configuration and the untagged packets will be processed according to the port priority configuration 2 Click Apply...

Page 655: ... the 802 1p priority 1 In the 802 1p to Queue Mapping section configure the mappings and click Apply 802 1p Priority Displays the number of 802 1p priority In QoS 802 1p priority is used to represent class of service IEEE 802 1p standard defines three bits in 802 1Q tag as PRI filed The PRI values are called 802 1p priority and used to represent the priority of the layer 2 packets This function re...

Page 656: ...g to the map For T2600G 18TS Choose the menu QoS Class of Service 802 1p Priority to load the following page Figure 2 5 Configuring the 802 1p to Queue Mapping and 802 1p Remap Follow these steps to configure the parameters of the 802 1p priority 1 In the 802 1p to Queue Mapping section configure the mappings and click Apply 802 1p Priority Displays the number of 802 1p priority In QoS 802 1p prio...

Page 657: ...ckets This function requires packets with VLAN tags Remap Select the number of 802 1p priority to which the original 802 1p priority will be remapped 802 1p Remap is used to modify the 802 1p priority of the ingress packets When the switch detects the packets with desired 802 1p priority it will modify the value of 802 1p priority according to the map Note In Trust 802 1p mode the untagged packets...

Page 658: ...nfiguring the 802 1p to Queue Mapping Choose the menu QoS Class of Service 802 1p Priority to load the following page Figure 2 7 Configuring the 802 1p to Queue Mapping In the 802 1p to Queue Mapping section configure the mappings and click Apply 802 1p Priority Displays the number of 802 1p priority In QoS 802 1p priority is used to represent class of service Queue Select the TC queue for the des...

Page 659: ...rity DSCP Priority is used to classify the packets based on the value of DSCP and map them to different queues ToS Type of Service is a part of IP header and DSCP uses the first six bits of ToS to represent the priority of IP packets The DSCP values range from 0 to 63 802 1p Priority Specify the DSCP to 802 1p mapping for the desired port The ingress packets are first mapped to 802 1p priority the...

Page 660: ...02 1p Priority Specify the DSCP to 802 1p mapping The ingress packets are first mapped to 802 1p priority based on the DSCP to 802 1p mappings then to TC queues according to the 802 1p to queue mappings The untagged IP packets with the desired DSCP value will be added an 802 1p priority value according to the DSCP to 802 1p mapping DSCP Remap Optional Select the DSCP priority to which the original...

Page 661: ...uring QoS Class of Service Configuration Choose the menu QoS Class of Service Scheduler Settings to load the following page Figure 2 10 Specifying the Scheduler Settings For T2600G 28TS T2600G 28MPS T2600G 28SQ T2600G 52TS ...

Page 662: ...ode the egress queue will use SP Strict Priority to process the traffic in different queues When congestion occurs the traffic will be transmitted according to its queue priority strictly The queue with higher priority occupies the whole bandwidth Packets in the queue with lower priority are sent only when the queue with higher priority is empty Weighted In this mode the egress queue will use WRR ...

Page 663: ... to 802 1p Mapping Follow these steps to configure the trust mode and the port to 802 1p mapping Step 1 configure Enter global configuration mode Step 2 interface fastEthernet port range fastEthernet port list gigabitEthernet port range gigabitEthernet port list ten gigabitEthernet port range ten gigabitEthernet port list port channel port channel id range port channel port channel list Enter inte...

Page 664: ...1p to Queue Mapping Follow these steps to configure the 802 1p to queue mapping Step 1 configure Enter global configuration mode Step 2 qos cos map dot1p priority tc queue Specify the 802 1p to queue mapping The packets with the desired 802 1p priority will be put in the corresponding queues By default the 802 1p priority 0 to 7 is respectively mapped to TC 1 TC 0 TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 dot...

Page 665: ...Switch config if exit Switch config qos cos map 1 3 Switch config show qos trust interface gigabitEthernet 1 0 1 Port Trust Mode LAG Gi1 0 1 untrust N A Switch config show qos port priority interface gigabitEthernet 1 0 1 Port CoS Value LAG Gi1 0 1 CoS 1 N A Switch config show qos cos map Tag 0 1 2 3 4 5 6 7 TC TC0 TC3 TC2 TC3 TC4 TC5 TC6 TC7 Switch config end Switch copy running config startup co...

Page 666: ...ration Step 4 show qos trust interface fastEthernet port gigabitEthernet port ten gigabitEthernet port port channel port channel id Verify the trust mode of the ports Step 5 end Return to privileged EXEC mode Step 6 copy running config startup config Save the settings in the configuration file Configuring the 802 1p to Queue Mapping and 802 1p Remap Follow these steps to configure the 802 1p to qu...

Page 667: ...02 1p priority The valid values are from 0 to 7 For T2600G 18TS qos dot1p remap dot1p priority new dot1p priority Optional Specify the 802 1p to 802 1p mappings 802 1p Remap is used to modify the 802 1p priority of the ingress packets When the switch detects the packets with desired 802 1p priority it will modify the value of 802 1p priority according to the map By default the original 802 1p prio...

Page 668: ...cos map 3 4 Switch config interface gigabitEthernet 1 0 1 Switch config if qos dot1p remap 1 3 Switch config if show qos trust interface gigabitEthernet 1 0 1 Port Trust Mode LAG Gi1 0 1 trust 802 1P N A Switch config if show qos cos map Tag 0 1 2 3 4 5 6 7 TC TC0 TC1 TC2 TC4 TC4 TC5 TC6 TC7 Switch config if show qos dot1p remap interface gigabitEthernet 1 0 1 Port 0 1 2 3 4 5 6 7 LAG Gi1 0 1 0 3 ...

Page 669: ...igabitEthernet port ten gigabitEthernet port port channel port channel id Verify the trust mode of the ports Step 5 end Return to privileged EXEC mode Step 6 copy running config startup config Save the settings in the configuration file Configuring the 802 1p to Queue Mapping Follow these steps to configure the 802 1p to queue mapping Step 1 configure Enter global configuration mode Step 2 qos cos...

Page 670: ... T2600G 18TS qos dscp map dscp value list dot1p priority Specify the DSCP to 802 1p mapping The ingress packets with the desired DSCP priority are first mapped to 802 1p priority based on the DSCP to 802 1p mapping then to TC queues based on the 802 1p to queue mapping The untagged packets with the desired DSCP priority will be added an 802 1p priority value according to the DSCP to 802 1p mapping...

Page 671: ... 6 end Return to privileged EXEC mode Step 8 copy running config startup config Save the settings in the configuration file Note For T2600G 18TS in Trust DSCP mode non IP packets will be added an 802 1p priority based on the port to 802 1p mapping and will be forwarded according to the 802 1p to queue mapping The following example shows how to configure the trust mode of port 1 0 1 as dscp map 802...

Page 672: ...p interface gigabitEthernet 1 0 1 Gi1 0 1 LAG N A DSCP 0 1 2 3 4 5 6 7 DSCP to 802 1P 0 3 3 3 0 3 0 3 DSCP 8 9 10 11 12 13 14 15 DSCP to 802 1P 1 1 1 1 1 1 1 1 DSCP 16 17 18 19 20 21 22 23 DSCP to 802 1P 2 2 2 2 2 2 2 2 DSCP 24 25 26 27 28 29 30 31 DSCP to 802 1P 3 3 3 3 3 3 3 3 DSCP 32 33 34 35 36 37 38 39 DSCP to 802 1P 4 4 4 4 4 4 4 4 DSCP 40 41 42 43 44 45 46 47 DSCP to 802 1P 5 5 5 5 5 5 5 5 ...

Page 673: ...ap value 0 1 2 3 4 5 6 7 DSCP 8 9 10 11 12 13 14 15 DSCP remap value 8 5 10 11 12 13 14 15 DSCP 16 17 18 19 20 21 22 23 DSCP remap value 16 17 18 19 20 21 22 23 DSCP 24 25 26 27 28 29 30 31 DSCP remap value 24 25 26 27 28 29 30 31 DSCP 32 33 34 35 36 37 38 39 DSCP remap value 32 33 34 35 36 37 38 39 DSCP 40 41 42 43 44 45 46 47 DSCP remap value 40 41 42 43 44 45 46 47 DSCP 48 49 50 51 52 53 54 55 ...

Page 674: ...rict Priority to process the traffic in different queues When congestion occurs the traffic will be transmitted according to its queue priority strictly The queue with higher priority occupies the whole bandwidth Packets in the queue with lower priority are sent only when the queue with higher priority is empty wrr In wrr mode the egress queue will use WRR Weighted Round Robin to process the traff...

Page 675: ...s section The following example shows how to specify the scheduler settings for port 1 0 1 Set the scheduler mode of TC1 as sp mode set the scheduler mode of TC4 as wrr mode and set the queue weight as 5 Set the minimum bandwidth of TC4 as 10 Switch configure Switch config interface gigabitEthernet 1 0 1 Switch config if qos queue 1 mode sp Switch config if qos queue 4 mode wrr weight 5 Switch con...

Page 676: ...ng Rate Limit Follow these steps to configure the Rate Limit function 1 Select the desired port and configure the upper rate limit to receive and send packets Ingress Rate 0 1 000 000Kbps Configure the upper rate limit for receiving packets on the port The valid values are from 0 to 1000000 Kbps and 0 means the ingress rate limit is disabled Egress Rate 0 1 000 000Kbps Configure the bandwidth for ...

Page 677: ... threshold and UL Frame threshold on the desired port kbps The switch will limit the maximum speed of the specific kinds of traffic in kilo bits per second ratio The switch will limit the percentage of bandwidth utilization for specific kinds of traffic pps The switch will limit the maximum number of packets per second for specific kinds of traffic Note pps is not available for T2600G 18TS Broadca...

Page 678: ... will be shutdown when the traffic exceeds the limit Recover Time Specify the recover time for the port It takes effect only when the action is set as shutdown The valid values are from 0 to 3600 seconds When the port is shutdown it can recover to its normal state after the recover time passed If the recover time is specified as 0 which means the port will not recover to its normal state automatic...

Page 679: ...s specified it displays the upper ingress egress rate limit for all ports or LAGs Step 5 end Return to privileged EXEC mode Step 6 copy running config startup config Save the settings in the configuration file The following example shows how to configure the ingress rate as 5120 Kbps and egress rate as 1024 Kbps for port 1 0 5 Switch configure Switch config interface gigabitEthernet 1 0 5 Switch c...

Page 680: ...adcast packets The broadcast traffic exceeding the limit will be processed according to the Action configurations rate Enter the upper rate In kbps mode the valid values are from 1 to 1000000 Kbps In ratio mode the valid values are from 1 to100 percent In pps mode the valid values are from 1 to 1488000 packets per second Step 5 storm control multicast rate Specify the upper rate limit for receivin...

Page 681: ...ill not recover to its normal state automatically In this condition you need to use this command to recover the port manually Step 9 show storm control interface fastEthernet port gigabitEthernet port ten gigabitEthernet port port channel port channel id Verify the storm control configurations of the port or LAG If no port or LAG is specified it displays the storm control configuration for all por...

Page 682: ...on please refer to 802 1Q VLAN Configuration VLAN 1 is a default VLAN and cannot be configured as the voice VLAN Only one VLAN can be set as the voice VLAN on the switch 4 1 Using the GUI 4 1 1 Configuring OUI Addresses The OUI address is assigned as a unique identifier by IEEE Institute of Electrical and Electronics Engineers to a device vendor It is used by the switch to determine whether a pack...

Page 683: ...her a packet is a voice packet An OUI address is the first 24 bits of a MAC address and is assigned as a unique identifier by IEEE Institute of Electrical and Electronics Engineers to a device vendor If the source MAC address of a packet matches the OUI addresses in the OUI list the switch identifies the packet as a voice packet and prioritizes it in transmission Description Give an OUI address de...

Page 684: ...voice packets A bigger value means a higher priority This is an IEEE 802 1p priority and you can further configure its scheduler mode in Class of Service if needed 2 Click Apply 4 1 1 Adding Ports to Voice VLAN Choose the menu QoS Voice VLAN Port Config to load the following page Figure 4 4 Adding Ports to Voice VLAN Follow these steps to configure voice VLAN globally 1 Select the desired ports an...

Page 685: ...UI address of your voice device is not in the OUI table add the OUI address to the table oui prefix Enter the OUI address for your voice device in the format of XX XX XX string Give an OUI address description for identification It contains 16 characters at most Step 4 voice vlan vid Enable the voice VLAN feature and specify an existing 802 1Q VLAN as the voice VLAN vid Enter the 802 1Q VLAN ID to ...

Page 686: ...1 0 3 Switch configure Switch config show voice vlan oui table 00 01 E3 Default SIEMENS 00 03 6B Default CISCO1 00 12 43 Default CISCO2 00 0F E2 Default H3C 00 60 B9 Default NITSUKO 00 D0 1E Default PINTEL 00 E0 75 Default VERILINK 00 E0 BB Default 3COM 00 04 0D Default AVAYA1 00 1B 4F Default AVAYA2 00 04 13 Default SNOM Switch config voice vlan 8 Switch config voice vlan priority 6 Switch config...

Page 687: ...e 658 Configuring QoS Voice VLAN Configuration Gi1 0 2 disabled Down N A Gi1 0 3 enabled Up N A Gi1 0 4 disabled Down N A Gi1 0 5 disabled Down N A Switch config if end Switch copy running config startup config ...

Page 688: ...ptimizing the voice traffic It can work with other features such as VLAN and Class of Service to process the voice packets with specific fields You can choose and configure Auto VoIP and other features according to your needs 5 1 Using the GUI Choose the menu QoS Auto VoIP to load the following page Figure 5 1 Configuring Auto VoIP Follow these steps to configure the OUI addresses 1 In the Global ...

Page 689: ...send untagged voice packets Value Enter the value of VLAN ID or 802 1p priority for the port according to the Interface Mode configurations CoS Override Mode Enable or disable the Class of Service override mode Enabled Enable CoS override The switch will ignore Class of Service settings and put the packets in TC 5 directly Disabled Disable CoS override The switch will then put the voice packets in...

Page 690: ...ecify the interface mode as dot1p In this mode the voice devices will send voice packets with desired 802 1p priority If this mode is selected it is necessary to specify 802 1p priority The valid values are from 0 to 7 In addition you can configure the Class of Service to make the switch process the packets according to the 802 1p priority auto voip untagged Specify the interface mode as untagged ...

Page 691: ...SCP priority as 10 and enable the CoS override mode for port 1 0 3 Switch configure Switch config auto voip Switch config interface gigabitEthernet 1 0 3 Switch config if auto voip dot1p 4 Switch config if auto voip dscp 10 Switch config if auto voip data priority untrust Switch config if show auto voip Administrative Mode Enabled Switch config if show auto voip interface Interface Gi1 0 1 Auto Vo...

Page 692: ...tion User Guide 663 Interface Gi1 0 3 Auto VoIP Interface Mode Enabled Auto VoIP Priority 4 Auto VoIP COS Override True Auto VoIP DSCP Value 10 Auto VoIP Port Status Enabled Switch config if end Switch copy running config startup config ...

Page 693: ...oS Application Topology RD Dept Marketing Dept Router Gi1 0 3 Gi1 0 1 Gi1 0 2 Switch A Internet 6 1 2 Configuration Scheme To implement this requirement you can configure Port Priority to put the packets from the Marketing department into the queue with the higher priority than the packets from the RD department 1 Configure the trust mode of port 1 0 1 and port 1 0 2 as untrusted and map the ports...

Page 694: ...Class of Service Port Priority to load the following page Set the trust mode of port 1 0 1 and 1 0 2 as untrusted Specify the 802 1p priority of port 1 0 1 as 1 and specify the 802 1p priority of port 1 0 2 as 0 Click Apply Figure 6 2 Configuring Port Priority 2 Choose the menu QoS Class of Service 802 1p Priority to load the following page Map the 802 1p priority 0 to TC 1 and map the 802 1p prio...

Page 695: ...e 802 1p to Queue Mappings 3 Choose the menu QoS Class of Service Scheduler Settings to load the following page Select the port 1 0 3 and set the scheduler type of TC 0 and TC 1 as Weighted Specify the queue weight of TC 0 as 1 and specify the queue weight of TC 1 as 5 Click Apply ...

Page 696: ...e gigabitEthernet 1 0 1 Switch_A config if qos trust mode untrust Switch_A config if qos port priority 1 Switch_A config if exit 2 Set the trust mode of port 1 0 2 as untrusted and specify the 802 1p priority as 0 Switch_A config interface gigabitEthernet 1 0 2 Switch_A config if qos trust mode untrust Switch_A config if qos port priority 0 Switch_A config if exit 3 Map the 802 1p priority 0 to TC...

Page 697: ... wrr weight 1 Switch_A config if qos queue 1 mode wrr weight 5 Switch_A config if end Switch_A copy running config startup config Verify the configurations Verify the trust mode of the port Switch_A show qos trust interface Port Trust Mode LAG Gi1 0 1 untrust N A Gi1 0 2 untrust N A Gi1 0 3 untrust N A Gi1 0 4 untrust N A Verify the port to 802 1p mappings Switch_A show qos port priority interface...

Page 698: ...A Queue Schedule Mode Weight Min Bandwidth TC0 WRR 1 0 TC1 WRR 5 0 TC2 WRR 1 0 TC3 WRR 1 0 TC4 WRR 1 0 TC5 WRR 1 0 TC6 WRR 1 0 TC7 WRR 1 0 6 2 Example for Voice VLAN 6 2 1 Network Requirements As shown below the company plans to install IP phones in the office area To ensure the good voice quality IP phones and the computers will be connected to the different ports of the switch and the voice traf...

Page 699: ... another VLAN In addition specify the priority to make the voice traffic can take precedence when the congestion occurs 1 Configure 802 1Q VLAN for port 1 0 1 port 1 0 2 port 1 0 3 and port 1 0 4 2 Configure Voice VLAN feature on port 1 0 1 and port 1 0 2 Demonstrated with T2600G 28TS the following sections provide configuration procedure in two ways using the GUI and using the CLI 6 2 3 Using the...

Page 700: ...Configuring QoS Configuration Examples User Guide 671 Figure 6 6 Configuring VLAN 2 2 Click to load the following page Create VLAN 3 and add untagged port 1 0 3 and port 1 0 4 to VLAN 3 Click Create ...

Page 701: ...guration Examples Figure 6 7 Configuring VLAN 3 3 Choose the menu L2 FEATURES VLAN 802 1Q VLAN Port Config to load the following page Disable the Ingress Checking feature on port 1 0 1 and port 1 0 2 and specify the PVID as 2 Click Apply ...

Page 702: ...he Ports 4 Choose the menu QoS Voice VLAN OUI Config to load the following page Check the OUI table Figure 6 9 Checking the OUI Table 5 Choose the menu QoS Voice VLAN Global Config to load the following page Enable Voice VLAN globally Specify the VLAN ID as 2 and set the priority as 7 Click Apply ...

Page 703: ...Enabling Voice VLAN on Ports 7 Click to save the settings 6 2 4 Using the CLI 1 Create VLAN 2 and add untagged port 1 0 1 port 1 0 2 and port 1 0 4 to VLAN 2 Switch_A configure Switch_A config vlan 2 Switch_A config vlan name VoiceVLAN Switch_A config vlan exit Switch_A config interface gigabitEthernet 1 0 1 Switch_A config if switchport general allowed vlan 2 untagged Switch_A config if exit Swit...

Page 704: ...3 untagged Switch_A config if exit Switch_A config interface gigabitEthernet 1 0 4 Switch_A config if switchport general allowed vlan 3 untagged Switch_A config if exit 3 Disable the Ingress Checking feature on port 1 0 1 and port 1 0 2 and specify the PVID as 2 Switch_A config interface gigabitEthernet 1 0 1 Switch_A config if no switchport check ingress Switch_A config if switchport pvid 2 Switc...

Page 705: ...ch_A config interface gigabitEthernet 1 0 1 Switch_A config if voice vlan Switch_A config if exit Switch_A config interface gigabitEthernet 1 0 2 Switch_A config if voice vlan Switch_A config if end Switch_A copy running config startup config Verify the configurations Verify the basic VLAN configuration Switch_A config show vlan brief VLAN Name Status Ports 1 System VLAN active Gi1 0 1 Gi1 0 2 Gi1...

Page 706: ... LAG Gi1 0 1 enabled Up N A Gi1 0 2 enabled Up N A Gi1 0 3 disabled Down N A Gi1 0 4 disabled Down N A Gi1 0 5 disabled Down N A Gi1 0 28 disabled Down N A 6 3 Example for Auto VoIP 6 3 1 Network Requirements As shown below the company plans to install IP phones in the office area IP phones share switch ports used by computers because no more ports are available for IP phones To ensure the good vo...

Page 707: ...e traffic can take precedence when congestion occurs 1 Enable the Auto VoIP feature and configure the DSCP value of ports 2 Configure Class of Service 3 Enable LLDP MED and configure the corresponding parameters Demonstrated with T2600G 28TS the following sections provide configuration procedure in two ways using the GUI and using the CLI 6 3 3 Using the GUI Auto VoIP configurations for port1 0 1 ...

Page 708: ... of Service Port Priority to load the following page Set the trust mode of port 1 0 1 as trust DSCP Click Apply Figure 6 14 Configuring Port Priority 3 Choose the menu QoS Class of Service DSCP Priority to load the following page Select port 1 0 1 and specify the 802 1p priority as 7 for DSCP priority 63 Click Apply ...

Page 709: ...Guide 680 Configuring QoS Configuration Examples Figure 6 15 Specifying the 802 1p priority for DSCP priority 63 4 Select port 1 0 1 and specify the 802 1p priority as 5 for other DSCP priorities Click Apply ...

Page 710: ...ure 6 16 Specifying the 802 1p priority for Other DSCP priorities 5 Choose the menu QoS Class of Service Scheduler Settings to load the following page Select port 1 0 2 Set the scheduler mode as weighted and specify the queue weight as 1 for TC 5 Click Apply ...

Page 711: ... Guide 682 Configuring QoS Configuration Examples Figure 6 17 Configuring the TC 5 for the Port 6 Select port 1 0 2 Set the scheduler mode as weighted and specify the queue weight as 10 for TC 7 Click Apply ...

Page 712: ...Examples User Guide 683 Figure 6 18 Configuring the TC 7 for the Port 7 Choose the menu L2 FEATURES LLDP LLDP MED Config Port Config click Detail to of port1 0 1 to load the following page Check the boxes of all the TLVs Click Save ...

Page 713: ... Examples Figure 6 19 Configuring the TLVs 8 Choose the menu L2 FEATURES LLDP LLDP MED Config Port Config to load the following page Enable LLDP MED on port 1 0 1 Click Apply Figure 6 20 Enabling LLDP MED on the Port 9 Click to save the settings ...

Page 714: ...ust mode dscp Switch_A config if qos dscp map 63 7 Switch_A config if qos dscp map 0 62 5 Switch_A config if exit 3 On port 1 0 1 set the scheduler mode as weighted and specify the queue weight as 1 for TC 5 Set the scheduler mode as weighted and specify the queue weight as 10 for TC 7 Switch_A config interface gigabitEthernet 1 0 1 Switch_A config if qos queue 5 mode wrr weight 1 Switch_A config ...

Page 715: ...abled Auto VoIP COS Override False Auto VoIP DSCP Value 63 Auto VoIP Port Status Disabled Interface Gi1 0 2 Auto VoIP Interface Mode Disabled Auto VoIP COS Override False Auto VoIP DSCP Value 0 Auto VoIP Port Status Disabled Interface Gi1 0 3 Auto VoIP Interface Mode Disabled Auto VoIP COS Override False Auto VoIP DSCP Value 0 Auto VoIP Port Status Disabled Verify the configuration of Class of Ser...

Page 716: ... 1 2 3 4 5 6 7 DSCP to 802 1P 5 5 5 5 5 5 5 5 DSCP 8 9 10 11 12 13 14 15 DSCP to 802 1P 5 5 5 5 5 5 5 5 DSCP 16 17 18 19 20 21 22 23 DSCP to 802 1P 5 5 5 5 5 5 5 5 DSCP 24 25 26 27 28 29 30 31 DSCP to 802 1P 5 5 5 5 5 5 5 5 DSCP 32 33 34 35 36 37 38 39 DSCP to 802 1P 5 5 5 5 5 5 5 5 DSCP 40 41 42 43 44 45 46 47 DSCP to 802 1P 5 5 5 5 5 5 5 5 DSCP 48 49 50 51 52 53 54 55 DSCP to 802 1P 5 5 5 5 5 5 ...

Page 717: ...fig gigabitEthernet 1 0 1 Admin Status TxRx SNMP Trap Disabled TLV Status Port Description Yes System Capability Yes System Description Yes System Name Yes Management Address Yes Port VLAN ID Yes Protocol VLAN ID Yes VLAN Name Yes Link Aggregation Yes MAC Physic Yes Max Frame Size Yes Power Yes LLDP MED Status Enabled TLV Status Network Policy Yes Location Identification Yes ...

Page 718: ...Configuring QoS Configuration Examples User Guide 689 Extended Power Via MDI Yes Inventory Management Yes ...

Page 719: ... Parameter Default Setting 802 1P Priority 0 Trust Mode Untrusted Table 7 2 Default Settings of 802 1p to Queue Mapping 802 1p Priority Queues 8 0 TC1 1 TC0 2 TC2 3 TC3 4 TC4 5 TC5 6 TC6 7 TC7 Table 7 3 Default Settings of 802 1p Remap Configuration Original 802 1p Priority New 802 1p Priority 0 0 1 1 2 2 3 3 4 4 5 5 6 6 7 7 Table 7 4 Default Settings of DSCP to 802 1p Mapping DSCP 802 1p Priority...

Page 720: ...3 011000 46 46 ef 101110 3 3 25 25 47 47 4 4 26 26 af31 011010 48 48 cs6 110000 5 5 27 27 49 49 6 6 28 28 af32 011100 50 50 7 7 29 29 51 51 8 8 cs1 001000 30 30 af33 011110 52 52 9 9 31 31 53 53 10 10 af11 001010 32 32 cs4 100000 54 54 11 11 33 33 55 55 12 12 af12 001100 34 34 af41 100010 56 56 cs7 111000 13 13 35 35 57 57 14 14 af13 001110 36 36 af42 100100 58 58 15 15 37 37 59 59 16 16 cs2 01000...

Page 721: ...ult Settings of Bandwidth Control Parameter Default Setting Ingress Rate 0 1 000 000Kbps 0 Egress Rate 0 1 000 000Kbps 0 Table 7 8 Default Settings of Storm Control Parameter Default Setting Rate Mode kbps Broadcast Threshold 0 1 000 000 0 Multicast Threshold 0 1 000 000 0 UL Frame Threshold 0 1 000 000 0 Action Drop Recover Time 0 Default settings of Voice VLAN are listed in the following tables ...

Page 722: ...S 00 03 6B Default CISCO1 00 12 43 Default CISCO2 00 0F E2 Default H3C 00 60 B9 Default NITSUKO 00 D0 1E Default PINTEL 00 E0 75 Default VERILINK 00 E0 BB Default 3COM 00 04 0D Default AVAYA1 00 1B 4F Default AVAYA2 00 04 13 Default SNOM Default settings of Auto VoIP are listed in the following tables Table 7 12 Default Settings of Auto VoIP Parameter Default Setting Interface Mode Disabled Value ...

Page 723: ...Part 23 Configuring Access Security CHAPTERS 1 Access Security 2 Access Security Configurations 3 Appendix Default Parameters ...

Page 724: ...can allow or deny users to access the switch via a web browser HTTPS This function is based on the SSL or TLS protocol working in transport layer It supports a security access via a web browser SSH This function is based on the SSH protocol a security protocol established on application and transport layers The function with SSH is similar to a telnet connection but SSH can provide information sec...

Page 725: ...eature Configure the HTTPS feature Configure the SSH feature Configure the Telnet function Configure the Serial Port parameters 2 1 Using the GUI 2 1 1 Configuring the Access Control Feature Choose the menu SECURITY Access Security Access Control to load the following page Figure 2 1 Configuring the Access Control 1 In the Global Config section enable Access Control select one control mode and cli...

Page 726: ...based mode is selected the following window will pop up Figure 2 2 Configuring Access Control Based on IP Range Access Interface Select the interfaces where to apply the Access Control rule If an interface is unselected all users can access the switch via it SNMP A function to manage the network devices via NMS Telnet A connection type for users to remote login SSH A connection type based on SSH p...

Page 727: ...NMP A function to manage the network devices via NMS Telnet A connection type for users to remote login SSH A connection type based on SSH protocol HTTP A connection type based on HTTP protocol HTTPS A connection type based on SSL protocol Ping A communication protocol to test the connection of the network MAC Address Enter the MAC address Only the users with this MAC address can access the switch...

Page 728: ...TP protocol HTTPS A connection type based on SSL protocol Ping A communication protocol to test the connection of the network Port Select one or more ports Only the users who are connected to these ports can access the switch via the specified interfaces 3 Click Create Then you can view the created entries in the table 2 1 2 Configuring the HTTP Function Choose the menu SECURITY Access Security HT...

Page 729: ...ection enable Number Control function specify the following parameters and click Apply Number Control Enable or disable Number Control With this option enabled you can control the number of the users logging on to the web management page at the same time The total number of users should be no more than 16 Number of Admins Specify the maximum number of users whose access level is Admin Number of Op...

Page 730: ...e HTTPS Function Choose the menu SECURITY Access Security HTTPS Config to load the following page Figure 2 6 Configuring the HTTPS Function 1 In the Global Config section enable HTTPS function select the protocol version that the switch supports and specify the port number for HTTPS Click Apply ...

Page 731: ...tiate the protocol each time Port Specify the port number for HTTPS service 2 In the CipherSuite Config section select the algorithm to be enabled and click Apply RSA_WITH_ RC4_128_MD5 128 bit RC4 encryption with MD5 message authentication and RSA key exchange RSA_WITH_ RC4_128_SHA 128 bit RC4 encryption with SHA 1 message authentication and RSA key exchange RSA_WITH_ DES_CBC_SHA 56 bit DES encryp...

Page 732: ... the maximum number of users whose access level is Operator Number of Power Users Specify the maximum number of users whose access level is Power User Number of Users Specify the maximum number of users whose access level is User 5 In the Load Certificate and Load Key section download the certificate and key Certificate File Select the desired certificate to download to the switch The certificate ...

Page 733: ... page Figure 2 7 Configuring the SSH Feature 1 In the Global Config section select Enable to enable SSH function and specify following parameters SSH Select Enable to enable the SSH function SSH is a protocol working in application layer and transport layer It can provide a secure remote connection to a device It is more secure than Telnet protocol as it provides strong encryption ...

Page 734: ...t the switch to support and click Apply 4 In Import Key File section select key type from the drop down list and click Browse to download the desired key file Key Type Select the key type The algorithm of the corresponding type is used for both key generation and authentication Key File Select the desired public key to download to the switch The key length of the downloaded file ranges of 512 to 3...

Page 735: ...ing the Serial Port Parameters Configure the Baud Rate and click Apply Baud Rate Configure the baud rate of the console connection The default value is 38400 bps Data Bits Displays the data bits Parity Bits Displays the parity bits Stop Bits Displays the stop bits 2 2 Using the CLI 2 2 1 Configuring the Access Control Feature Follow these steps to configure the access control Step 1 configure Ente...

Page 736: ...a the specified interfaces mac addr Specify the MAC address of the user snmp telnet ssh http https ping all Select the interfaces where to apply the Access Control rule If an interface is unselected all users can access the switch via it By default all the interfaces are selected Use the following command to control the users access by limiting the ports connected to the users user access control ...

Page 737: ... 255 255 255 255 snmp telnet http https Switch config show user configuration User authentication mode IP based Index IP Address Access Interface 1 192 168 0 100 24 SNMP Telnet HTTP HTTPS Switch config end Switch copy running config startup config 2 2 2 Configuring the HTTP Function Follow these steps to configure the HTTP function Step 1 configure Enter global configuration mode Step 2 ip http se...

Page 738: ... show ip http configuration Verify the configuration information of the HTTP server including status session timeout access control max user number and the idle timeout etc Step 6 end Return to privileged EXEC mode Step 7 copy running config startup config Save the settings in the configuration file The following example shows how to set the session timeout as 9 set the maximum admin number as 6 a...

Page 739: ...Version 1 2 as the protocol for HTTPS all Enable all the above protocols for HTTPS The HTTPS server and client will negotiate the protocol each time Step 4 ip http secure ciphersuite rc4 128 md5 rc4 128 sha des cbc sha 3des ede cbc sha ecdhe a128 g s256 ecdhe a256 g s384 Enable the corresponding ciphersuite By default these types are all enabled rc4 128 md5 128 bit RC4 encryption with MD5 message ...

Page 740: ...ificate ssl cert ip address ip addr Download the desired certificate to the switch from TFTP server ssl cert Specify the name of the SSL certificate which ranges from 1 to 25 characters The certificate must be BASE64 encoded The SSL certificate and key downloaded must match each other ip addr Specify the IP address of the TFTP server Both IPv4 and IPv6 addresses are supported Step 8 ip http secure...

Page 741: ...2 2 2 Switch config ip http secure server download certificate ca crt ip address 192 168 0 100 Start to download SSL certificate Download SSL certificate OK Switch config ip http secure server download key ca key ip address 192 168 0 100 Start to download SSL key Download SSL key OK Switch config show ip http secure server HTTPS Status Enabled HTTPS Port 443 SSL Protocol Level s all SSL CipherSuit...

Page 742: ...ches the maximum number you set num Enter the number of the connections which ranges from 1 to 5 The default value is 5 Step 6 ip ssh algorithm AES128 CBC AES192 CBC AES256 CBC Blowfish CBC Cast128 CBC 3DES CBC HMAC SHA1 HMAC MD5 Enable the corresponding algorithm By default these types are all enabled AES128 CBC AES192 CBC AES256 CBC Blowfish CBC Cast128 CBC 3DES CBC Specify the encryption algori...

Page 743: ...he HMAC MD5 data integrity algorithm Choose the key type as SSH 2 RSA DSA Switch config ip ssh server Switch config ip ssh version v1 Switch config ip ssh version v2 Switch config ip ssh timeout 100 Switch config ip ssh max client 4 Switch config ip ssh algorithm AES128 CBC Switch config ip ssh algorithm Cast128 CBC Switch config ip ssh algorithm HMAC MD5 Switch config ip ssh download v2 publickey...

Page 744: ...running config startup config 2 2 5 Configuring the Telnet Function Follow these steps enable the Telnet function Step 1 configure Enter global configuration mode Step 2 telnet enable Enable the telnet function By default it is enabled Step 3 telnet port port Specify the port using for Telnet It ranges from 1 to 65535 Step 4 end Return to privileged EXEC mode Step 4 copy running config startup con...

Page 745: ..._port baud_rate 9600 19200 38400 57600 115200 Specify the baud rate of the console connection 9600 19200 38400 57600 115200 Specify the communication baud rate on the console port The default value is 38400 bps Step 3 end Return to privileged EXEC mode Step 4 copy running config startup config Save the settings in the configuration file ...

Page 746: ...nabled Port 80 Session Timeout 10 minutes Number Control Disabled Table 3 3 Default Settings of HTTPS Configuration Parameter Default Setting HTTPS Enabled Protocol Version All Port 443 RSA_WITH_RC4_128_MD5 Enabled RSA_WITH_RC4_128_SHA Enabled RSA_WITH_DES_CBC_SHA Enabled RSA_WITH_3DES_EDE_CBC_ SHA Enabled ECDHE_WITH_AES_128_GCM_ SHA256 Enabled ECDHE_WITH_AES_256_GCM_ SHA384 Enabled Session Timeou...

Page 747: ...128 CBC Enabled AES192 CBC Enabled AES256 CBC Enabled Blowfish CBC Enabled Cast128 CBC Enabled 3DES CBC Enabled HMAC SHA1 Enabled HMAC MD5 Enabled Key Type SSH 2 RSA DSA Table 3 5 Default Settings of Telnet Configuration Parameter Default Setting Telnet Enabled Port 23 Table 3 6 Default Settings of Serial Port Parameter Default Setting Baud Rate 38400 bps ...

Page 748: ...Part 24 Configuring AAA CHAPTERS 1 Overview 2 AAA Configuration 3 Configuration Examples 4 Appendix Default Parameters ...

Page 749: ...do not have administrative privileges without the Enable password provided AAA provides a safe and efficient authentication method The authentication can be processed locally on the switch or centrally on the RADIUS TACACS server s As the following figure shows the network administrator can centrally configure the management accounts of the switches on the RADIUS server and use this server to auth...

Page 750: ...p will authenticate the users in the order they are added The server that is first added to the group has the highest priority and is responsible for authentication under normal circumstances If the first one breaks down or doesn t respond to the authentication request for some reason the second sever will start working for authentication and so on Method List A server group is regarded as a metho...

Page 751: ...to access the switch The others act as backup servers in case the first one breaks down Adding RADIUS Server Choose the menu SECURITY AAA RADIUS Config and click to load the following page Figure 2 1 RADIUS Server Configuration Follow these steps to add a RADIUS server 1 Configure the following parameters Server IP Enter the IP address of the server running the RADIUS secure protocol Shared Key En...

Page 752: ...s of the switch Generally the NAS indicates the switch itself 2 Click Create to add the RADIUS server on the switch Adding TACACS Server Choose the menu SECURITY AAA TACACS Config and click to load the following page Figure 2 2 TACACS Server Configuration Follow these steps to add a TACACS server 1 Configure the following parameters Server IP Enter the IP address of the server running the TACACS s...

Page 753: ...r follow these steps to configure a new server group 1 Click and the following window will pop up Figure 2 4 Add Server Group Configure the following parameters Server Group Specify a name for the server group Server Type Select the server type for the group The following options are provided RADIUS and TACACS Server IP Select the IP address of the server which will be added to the server group 2 ...

Page 754: ...ion and the Enable authentication You can edit the default methods or follow these steps to add a new method 1 Click in the Authentication Login Method Config section or Authentication Enable Method Config section to add corresponding type of method list The following window will pop up Figure 2 6 Add New Method Configure the parameters for the method to be added Method List Name Specify a name fo...

Page 755: ...entication 2 Click Create to add the new method 2 1 4 Configuring the AAA Application List Choose the menu SECURITY AAA Global Config to load the following page Figure 2 7 Configure Application List Follow these steps to configure the AAA application list 1 In the AAA Application List section select an access application and configure the Login list and Enable list Module Displays the configurable...

Page 756: ...istrative privileges Click Apply Tips The logged in guests can enter the local Enable password on this page to get administrative privileges On the Server The accounts created by the RADIUS TACACS server can only view the configurations and some network information without the Enable password Some configuration principles on the server are as follows For Login authentication configuration more tha...

Page 757: ...e timeout time Specify the time interval that the switch waits for the server to reply before resending The valid values are from 1 to 9 seconds and the default setting is 5 seconds retransmit number Specify the number of times a request is resent to the server if the server does not respond The valid values are from 1 to 3 and the default setting is 2 nas id nas id Specify the name of the NAS Net...

Page 758: ...7 encrypted string Add the RADIUS server and configure the related parameters as needed host ip address Enter the IP address of the server running the TACACS protocol port port id Specify the TCP destination port on the TACACS server for authentication requests The default setting is 49 timeout time Specify the time interval that the switch waits for the server to reply before resending The valid ...

Page 759: ...Switch copy running config startup config 2 2 2 Configuring Server Groups The switch has two built in server groups one for RADIUS and the other for TACACS The servers running the same protocol are automatically added to the default server group You can add new server groups as needed The two default server groups cannot be deleted or edited Follow these steps to add a server group Step 1 configur...

Page 760: ...figuring the Method List A method list describes the authentication methods and their sequence to authenticate the users The switch supports Login Method List for users of all types to gain access to the switch and Enable Method List for guests to get administrative privileges Follow these steps to configure the method list Step 1 configure Enter global configuration mode Step 2 aaa authentication...

Page 761: ...in the configuration file The following example shows how to create a Login method list named Login1 and configure the method 1 as the default radius server group and the method 2 as local Switch configure Switch config aaa authentication login Login1 radius local Switch config show aaa authentication login Methodlist pri1 pri2 pri3 pri4 default local Login1 radius local Switch config end Switch c...

Page 762: ...e Step 3 login authentication method list Apply the Login method list for the application Console method list Specify the name of the Login method list Step 4 enable authentication method list Apply the Enable method list for the application Console method list Specify the name of the Enable method list Step 5 show aaa global Verify the configuration of application list Step 6 end Return to privil...

Page 763: ...lication Telnet method list Specify the name of the Login method list Step 4 enable authentication method list Apply the Enable method list for the application Telnet method list Specify the name of the Enable method list Step 5 show aaa global Verify the configuration of application list Step 6 end Return to privileged EXEC mode Step 7 copy running config startup config Save the settings in the c...

Page 764: ...list Apply the Login method list for the application SSH method list Specify the name of the Login method list Step 4 enable authentication method list Apply the Enable method list for the application SSH method list Specify the name of the Enable method list Step 5 show aaa global Verify the configuration of application list Step 6 end Return to privileged EXEC mode Step 7 copy running config sta...

Page 765: ...st for the application HTTP method list Specify the name of the Login method list Step 3 ip http enable authentication method list Apply the Enable method list for the application HTTP method list Specify the name of the Enable method list Step 4 show aaa global Verify the configuration of application list Step 5 end Return to privileged EXEC mode Step 6 copy running config startup config Save the...

Page 766: ...g Login Account and Enable Password The login account and Enable password can be configured locally on the switch or centrally on the RADIUS TACACS server s On the Switch The local username and password for login can be configured in the User Management feature For details refer to Managing System To configure the local Enable password for getting administrative privileges follow these steps Step ...

Page 767: ...will follow password is a string with 31 characters at most which can contain only English letters case sensitive digits and 17 kinds of special characters The special characters are _ 5 indicates that an MD5 encrypted password with fixed length will follow By default the encryption type is 0 encrypted password is an MD5 encrypted password with fixed length which you can copy from another switch s...

Page 768: ...he value of enable 15 as the Enable password in the configuration file All the users trying to get administrative privileges share this Enable password Tips The logged in guests can get administrative privileges by using the command enable admin and providing the Enable password ...

Page 769: ...ure the stability of the authentication system Figure 3 1 Network Topology RADIUS Server 1 192 168 0 10 24 Auth Port 1812 RADIUS Server 2 192 168 0 20 24 Auth Port 1812 Switch Administrator Management Network 3 2 Configuration Scheme To implement this requirement the senior administrator can create the login account and the Enable password on the two RADIUS servers and configure the AAA feature on...

Page 770: ...he following page Configure the Server IP as 192 168 0 10 the Shared Key as 123456 the Authentication Port as 1812 and keep the other parameters as default Click Create to add RADIUS Server 1 on the switch Figure 3 2 Add RADIUS Server 1 2 On the same page click to load the following page Configure the Server IP as 192 168 0 20 the Shared Key as 123456 the Auth Port as 1812 and keep the other param...

Page 771: ...e server type as RADIUS Select 192 168 0 10 and 192 168 0 20 to from the drop down list Click Create to create the server group Figure 3 4 Create Server Group 4 Choose the menu SECURITY AAA Method Config and click in the Authentication Login Method Config section Specify the Method List Name as MethodLogin and select the Pri1 as RADIUS1 Click Create to set the method list for the Login authenticat...

Page 772: ... List Name as MethodEnable and select the Pri1 as RADIUS1 Click Create to set the method list for the Enable password authentication Figure 3 6 Configure Enable Method Config 6 Choose the menu SECURITY AAA Global Config to load the following page In the AAA Application List section select telnet and configure the Login List as Method Login and Enable List as Method Enable Then click Apply ...

Page 773: ...ADIUS1 Switch aaa group server 192 168 0 10 Switch aaa group server 192 168 0 20 Switch aaa group exit 3 Create two method lists Method Login and Method Enable and configure the server group RADIUS1 as the authentication method for the two method lists Switch config aaa authentication login Method Login RADIUS1 Switch config aaa authentication enable Method Enable RADIUS1 4 Configure Method Login ...

Page 774: ...1 Switch show aaa group RADIUS1 192 168 0 10 192 168 0 20 Verify the configuration of the method lists Switch show aaa authentication Authentication Login Methodlist Methodlist pri1 pri2 pri3 pri4 default local Method Login RADIUS1 Authentication Enable Methodlist Methodlist pri1 pri2 pri3 pri4 default none Method Enable RADIUS1 Verify the status of the AAA feature and the configuration of the AAA...

Page 775: ...ADIUS Config Server IP None Shared Key None Auth Port 1812 Acct Port 1813 Retransmit 2 Timeout 5 seconds NAS Identifier The MAC address of the switch TACACS Config Server IP None Timeout 5 seconds Shared Key None Port 49 Server Group There are two default server groups radius and tacacs Method List Authentication Login Method List List name default Pri1 local Authentication Enable Method List List...

Page 776: ...s User Guide 747 Parameter Default Setting AAA Application List console Login List default Enable List default telnet Login List default Enable List default ssh Login List default Enable List default http Login List default Enable List default ...

Page 777: ...Part 25 Configuring 802 1x CHAPTERS 1 Overview 2 802 1x Configuration 3 Configuration Example 4 Appendix Default Parameters ...

Page 778: ... you install TP Link 802 1x authentication client software on the client hosts enabling them to request 802 1x authentication to access the LAN Authenticator An authenticator is usually a network device that supports 802 1x protocol As the above figure shows the switch is an authenticator The authenticator acts as an intermediate proxy between the client and the authentication server The authentic...

Page 779: ...ion Guidelines 802 1x authentication and Port Security cannot be enabled at the same time Before enabling 802 1x authentication make sure that Port Security is disabled 2 1 Using the GUI 2 1 1 Configuring the RADIUS Server Configure the parameters of RADIUS sever and configure the RADIUS server group Adding the RADIUS Server Choose the menu SECURITY AAA RADIUS Config and click to load the followin...

Page 780: ...request is resent to the server if the server does not respond The default setting is 2 Timeout Specify the time interval that the switch waits for the server to reply before resending The default setting is 5 seconds NAS Identifier Specify the name of the NAS Network Access Server to be contained in RADIUS packets for identification It ranges from 1 to 31 characters The default value is the MAC a...

Page 781: ...the RADIUS server Click Save Figure 2 4 Adding Server Group Configuring the Dot1x List Choose the menu SECURITY AAA Dot1x List to load the following page Figure 2 5 Configuring the Dot1x List Follow these steps to configure RADIUS server groups for 802 1x authentication and accounting 1 In the Authentication Dot1x Method section select an existing RADIUS server group for authentication from the Pr...

Page 782: ...ween the switch and the client The transmission of EAP Extensible Authentication Protocol packets is terminated at the switch and the EAP packets are converted to other protocol such as RADIUS packets and transmitted to the authentication server EAP The 802 1x authentication system uses EAP packets to exchange information between the switch and the client The EAP packets with authentication data a...

Page 783: ...N If the assigned VLAN exists on the switch the switch will directly add the authenticated port to the related VLAN and change the PVID instead of creating a new VLAN If no VLAN is supplied by the RADIUS server or if 802 1x authentication is disabled the port will be in its original VLAN after successful authentication 2 Click Apply 2 1 3 Configuring 802 1x on Ports Choose the menu SECURITY 802 1x...

Page 784: ...he port can access the network only when it is authenticated Force Authorized If this option is selected the port can access the network without authentication Force Unauthorized If this option is selected the port can never be authenticated Port Method Select the port method By default it is MAC Based MAC Based All clients connected to the port need to be authenticated Port Based If a client conn...

Page 785: ...is Port Based the MAC address of the first authenticated device wil be displayed with a suffix p PAE State Displays the current state of the authenticator PAE state machine Possible values are Initialize Disconnected Connecting Authenticating Authenticated Aborting Held ForceAuthorized and ForceUnauthorized Backend State Displays the current state of the backend authentication state machine Possib...

Page 786: ... request is resent to the server if the server does not respond The valid values are from 1 to 3 and the default setting is 2 nas id nas id Specify the name of the NAS Network Access Server to be contained in RADIUS packets for identification It ranges from 1 to 31 characters The default value is the MAC address of the switch Generally the NAS indicates the switch itself key 0 string 7 encrypted s...

Page 787: ...r Optional Verify the configuration of RADIUS server Step 8 show aaa group group name Optional Verify the configuration of server group Step 9 show aaa authentication dot1x Optional Verify the authentication method list Step 10 show aaa accounting dot1x Optional Verify the accounting method list Step 11 end Return to privileged EXEC mode Step 12 copy running config startup config Save the settings...

Page 788: ...Ip Auth Port Acct Port Timeout Retransmit NAS Identifier Shared key 192 168 0 100 1812 1813 5 2 000AEB132397 123456 Switch config show aaa group radius1 192 168 0 100 Switch config show aaa authentication dot1x Methodlist pri1 pri2 pri3 pri4 default radius1 Switch config show aaa accounting dot1x Methodlist pri1 pri2 pri3 pri4 default radius1 Switch config end Switch copy running config startup co...

Page 789: ... status between the TP Link 802 1x Client and the switch Please disable Handshake feature if you are using other client softwares instead of TP Link 802 1x Client Step 6 dot1x vlan assignment Optional Enable or disable the 802 1x VLAN assignment feature 802 1x VLAN assignment is a technology allowing the RADIUS server to send the VLAN assignment to the port when the port is authenticated If the as...

Page 790: ...igabitEthernet port list ten gigabitEthernet port range ten gigabitEthernet port list Enter interface configuration mode port Enter the ID of the port to be configured Step 3 dot1x Enable 802 1x authentication for the port Step 4 dot1x mab Enable the MAB MAC Based Authentication Bypass feature for the port With MAB feature enabled the switch automatically sends the authentication server a RADIUS a...

Page 791: ... port is authenticated other clients can access the LAN without authentication Step 8 dot1x max req times Specify the maximum number of attempts to send the authentication packet for the client times The maximum attempts for the client to send the authentication packet It ranges from 1 to 9 and the default is 3 Step 9 dot1x quiet period time Optional Enable the quiet feature for 802 1x authenticat...

Page 792: ...ot1x port method port based Switch config if show dot1x interface gigabitEthernet 1 0 2 Port State MAB State GuestVLAN PortControl PortMethod Gi1 0 2 disabled disabled 0 auto port based MaxReq QuietPeriod SuppTimeout Authorized LAG 3 10 30 unauthorized N A Switch config if end Switch copy running config startup config 2 2 4 Viewing Authenticator State You can view the authenticator state If needed...

Page 793: ...dot1x auth init mac mac address Initialize the specific client To access the network the client needs to provide the correct information to pass the authentication again mac address Enter the MAC address of the client that will be unauthorized Step 5 dot1x auth reauth mac mac address Reauthenticate the specific client mac address Enter the MAC address of the client that will be reauthenticated Ste...

Page 794: ...enable 802 1x authentication configure the control mode as auto and set the control type as MAC based Enable 802 1x authentication on the ports connected to clients Keep 802 1x authentication disabled on ports connected to the authentication server and the internet which ensures unrestricted connections between the switch and the authentication server or the internet 3 3 Network Topology As shown ...

Page 795: ... 168 0 10 24 Auth Port 1812 Demonstrated with T2600G 28TS acting as the authenticator the following sections provide configuration procedure in two ways using the GUI and using the CLI 3 4 Using the GUI 1 Choose the menu SECURITY AAA RADIUS Config and click to load the following page Configure the parameters of the RADIUS server and click Create Figure 3 2 Adding RADIUS Server ...

Page 796: ...US1 as the RADIUS server group for authentication and click Apply Figure 3 4 Configuring Authentication RADIUS Server 4 Choose the menu SECURITY 802 1x Global Config to load the following page Enable 802 1x authentication and configure the Authentication Method as EAP Keep the default authentication settings Click Apply Figure 3 5 Configuring Global Settings 5 Choose the menu SECURITY 802 1x Port ...

Page 797: ... 0 10 Switch_A aaa group exit Switch_A config aaa authentication dot1x default RADIUS1 2 Globally enable 802 1x authentication and set the authentication protocol Switch_A config dot1x system auth control Switch_A config dot1x auth protocol eap 3 Disable 802 1x authentication on port 1 0 2 and port 1 0 3 Enable 802 1x authentication on port 1 0 1 set the control mode as auto and set the control ty...

Page 798: ...bal configurations of 802 1x authentication Switch_A show dot1x global 802 1X State Enabled Authentication Protocol EAP Handshake State Enabled 802 1X Accounting State Disabled 802 1X VLAN Assignment State Disabled Verify the configurations of 802 1x authentication on the port Switch_A show dot1x interface Port State MAB State GuestVLAN PortControl PortMethod Gi1 0 1 enabled disabled 0 auto mac ba...

Page 799: ...nfigurations of RADIUS Switch_A show aaa global Module Login List Enable List Console default default Telnet default default Ssh default default Http default default Switch_A show aaa authentication dot1x Methodlist pri1 pri2 pri3 pri4 default RADIUS1 Switch_A show aaa group RADIUS1 192 168 0 10 ...

Page 800: ...Authentication Disabled Authentication Method EAP Handshake Enabled Accounting Disabled VLAN Assignment Disabled Port Config 802 1x Status Disabled MAB Disabled Guest VLAN Disabled Port Control Auto Guest VLAN 0 Maximum Request 3 Quiet Period 10 seconds Supplicant Timeout 30 seconds Port Method MAC Based Dot1X List Authentication Dot1x Method List List Name default Pri1 radius Accounting Dot1x Met...

Page 801: ...Part 26 Configuring Port Security CHAPTERS 1 Overview 2 Port Security Configuration 3 Appendix Default Parameters ...

Page 802: ...Security feature to limit the number of MAC addresses that can be learned on each port thus preventing the MAC address table from being exhausted by the attack packets In addtion the switch can send a notification if the number of learned MAC addresses on the port exceeds the limit ...

Page 803: ...t number Max Learned Number of MAC Specify the maximum number of MAC addresses that can be learned on the port When the learned MAC address number reaches the limit the port will stop learning It ranges from 0 to 64 The default value is 64 Current Learned MAC Displays the current number of MAC addresses that have been learned on the port Exceed Max Learned Trap Enable Exceed Max Learned and when t...

Page 804: ...MAC addresses reaches the limit the port will stop learning and discard the packets with the MAC addresses that have not been learned Forward When the number of learned MAC addresses reaches the limit the port will stop learning but send the packets with the MAC addresses that have not been learned Disable The number limit on the port is not effective and the switch follows the original forwarding...

Page 805: ...ven the switch is rebooted status Status of port security feature By default it is disabled drop When the number of learned MAC addresses reaches the limit the port will stop learning and discard the packets with the MAC addresses that have not been learned forward When the number of learned MAC addresses reaches the limit the port will stop learning but send the packets with the MAC addresses tha...

Page 806: ...ount max number 30 exceed max learned enable mode permanent status drop Switch config if show mac address table max mac count interface gigabitEthernet 1 0 1 Port Max learn Current learn Exceed Max Limit Mode Status Gi1 0 1 30 0 disable permanent drop Switch config if end Switch copy running config startup config ...

Page 807: ...arameters Default settings of Port Security are listed in the following table Table 3 1 Default Parameters of Port Security Parameter Default Setting Max Learned Number of MAC 64 Current Learned Number 0 Exceed Max Learned Trap Disabled Learn Address Mode Delete on Timeout Status Disabled ...

Page 808: ...Part 27 Configuring ACL CHAPTERS 1 Overview 2 ACL Configuration 3 Configuration Example for ACL 4 Appendix Default Parameters ...

Page 809: ... To configure ACL follow these steps 1 Configure a time range during which the ACL is in effect 2 Create an ACL and configure the rules to filter different packets 3 Bind the ACL to a port or VLAN to make it effective Configuration Guidelines A packet matches an ACL rule when it meets the rule s matching criteria The resulting action will be either to permit or deny the packet that matches the rul...

Page 810: ... and destination MAC address for matching operations IP ACL IP ACL uses source and destination IP address IP protocols and so on for matching operations Combined ACL Combined ACL uses source and destination MAC address and source and destination IP address for matching operations IPv6 ACL IPv6 ACL uses source and destination IPv6 address for matching operations Packet Content ACL Packet Content AC...

Page 811: ...applied to a packet and none of the explicit rules match then the final implicit deny all rule takes effect and the packet is dropped The created ACL will be displayed on the SECURITY ACL ACL Config page Figure 2 2 Editing ACL Click Edit ACL in the Operation column Then you can configure rules for this ACL The following sections introduce how to configure MAC ACL IP ACL Combined ACL IPv6 ACL and P...

Page 812: ...le ID in the same ACL For the convenience of inserting new rules to an ACL you should set the appropriate interval between rule IDs If you select Auto Assign the rule ID will be assigned automatically by the system and the default increment between neighboring rule IDs is 5 Operation Select an action to be taken when a packet matches the rule Permit To forward the matched packets Deny To discard t...

Page 813: ...e Time Range referenced here can be created on the SYSTEM Time Range page Logging Enable Logging function for the ACL rule Then the times that the rule is matched will be logged every 5 minutes and a related trap will be generated You can refer to Total Matched Counter in the ACL Rules Table to view the matching times 2 In the Policy section enable or disable the Mirroring feature for the matched ...

Page 814: ...ts will be forwarded normally Drop The packets will be discarded Remark DSCP You can specify a DSCP value and the DSCP field of the packets will be changed to the specified one Note Remark DSCP is not available for T2600G 18TS 5 In the Policy section enable or disable the QoS Remark feature for the matched packets With this option enabled configure the related parameters and the remarked values wi...

Page 815: ...guring ACL ACL Configuration Configuring IP ACL Rule Click Edit ACL for an IP ACL entry to load the following page Figure 2 9 Configuring the IP ACL Rule In ACL Rules Table section click and the following page will appear ...

Page 816: ...y current rule ID in the same ACL If you select Auto Assign the rule ID will be assigned automatically and the interval between rule IDs is 5 Operation Select an action to be taken when a packet matches the rule Permit To forward the matched packets Deny To discard the matched packets Fragment With this option selected the rule will be applied to all fragment packets except for the last fragment p...

Page 817: ...S Port D Port If TCP UDP is selected as the IP protocol specify the source and destination port number with a mask Value Specify the port number Mask Specify the port mask with 4 hexadacimal numbers DSCP Specify a DSCP value to be matched between 0 and 63 The default is No Limit IP ToS Specify an IP ToS value to be matched between 0 and 15 The default is No Limit IP Pre Specify an IP Precedence va...

Page 818: ...ature the matched packets will be copied to the destination port and the original forwarding will not be affected While in the Redirect feature the matched packets will be forwarded only on the destination port 4 In the Policy section enable or disable the Rate Limit feature for the matched packets With this option enabled configure the related parameters Figure 2 13 Configuring Rate Limit Rate Sp...

Page 819: ...figure the related parameters and the remarked values will take effect in the QoS processing on the switch Figure 2 14 Configuring QoS Remark DSCP Specify the DSCP field for the matched packets The DSCP field of the packets will be changed to the specified one Local Priority Specify the local priority for the matched packets The local priority of the packets will be changed to the specified one 80...

Page 820: ...de 791 In ACL Rules Table section click and the following page will appear Figure 2 16 Configuring the Combined ACL Rule Follow these steps to configure the Combined ACL rule 1 In the Combined ACL Rule section configure the following parameters ...

Page 821: ...using 4 hexadecimal numbers S IP Mask Enter the source IP address with a mask A value of 1 in the mask indicates that the corresponding bit in the address will be matched D IP Mask Enter the destination IP address with a mask A value of 1 in the mask indicates that the corresponding bit in the address will be matched IP Protocol Select a protocol type from the drop down list The default is No Limi...

Page 822: ...SYSTEM Time Range page Logging Enable Logging function for the ACL rule Then the times that the rule is matched will be logged every 5 minutes and a related trap will be generated You can refer to Total Matched Counter in the ACL Rules Table to view the matching times 2 In the Policy section enable or disable the Mirroring feature for the matched packets With this option enabled choose a destinati...

Page 823: ...ts will be forwarded normally Drop The packets will be discarded Remark DSCP You can specify a DSCP value and the DSCP field of the packets will be changed to the specified one Note Remark DSCP is not available for T2600G 18TS 5 In the Policy section enable or disable the QoS Remark feature for the matched packets With this option enabled configure the related parameters and the remarked values wi...

Page 824: ...95 Configuring the IPv6 ACL Rule Click Edit ACL for an IPv6 ACL entry to load the following page Figure 2 21 Configuring the IPv6 ACL Rule In ACL Rules Table section click and the following page will appear Figure 2 22 Configuring the IPv6 ACL Rule ...

Page 825: ...e IPv6 address to match the rule A value of 1 in the mask indicates that the corresponding bit in the address will be matched IPv6 Destination IP Enter the destination IPv6 address to be matched All types of IPv6 address will be checked You may enter a complete 128 bit IPv6 address but only the first 64 bits will be valid Mask The mask is required if the destination IPv6 address is entered Enter t...

Page 826: ...choose a destination port to which the packets will be redirected Figure 2 24 Configuring Redirect Note In the Mirroring feature the matched packets will be copied to the destination port and the original forwarding will not be affected While in the Redirect feature the matched packets will be forwarded only on the destination port 4 In the Policy section enable or disable the Rate Limit feature f...

Page 827: ... section enable or disable the QoS Remark feature for the matched packets With this option enabled configure the related parameters and the remarked values will take effect in the QoS processing on the switch Figure 2 26 Configuring QoS Remark DSCP Specify the DSCP field for the matched packets The DSCP field of the packets will be changed to the specified one Local Priority Specify the local prio...

Page 828: ...User Guide 799 Configuring the Packet Content ACL Rule Note Packet Content ACL is not available for T2600G 18TS Click Edit ACL for a Packet Content ACL entry to load the following page Figure 2 27 Configuring the Packet Content ACL Rule ...

Page 829: ...rocesses data packets based on 4 chunk match conditions and each chunk can specify a user defined 4 byte segment carried in the packet s first 128 bytes Offset 31 matches the 127 128 1 2 bytes of the packet offset 0 matches the 3 4 5 6 bytes of the packet and so on for the rest of the offset value Note All 4 chunks must be set at the same time In ACL Rules Table section click and the following pag...

Page 830: ...Enter the 4 byte mask in hexadecimal for the desired chunk The mask must be written completely in 4 byte hex mode like 0000ffff The mask specifies which bits to match the rule Time Range Select a time range during which the rule will take effect The default value is No Limit which means the rule is always in effect The Time Range referenced here can be created on the SYSTEM Time Range page Logging...

Page 831: ...iguring Rate Limit Rate Specify the transmission rate for the matched packets Burst Size Specify the maximum number of bytes allowed in one second Out of Band Select the action for the packets whose rate is beyond the specified rate None The packets will be forwarded normally Drop The packets will be discarded Remark DSCP You can specify a DSCP value and the DSCP field of the packets will be chang...

Page 832: ...ops the match process and performs the action defined in the rule Click Edit ACL for an entry you have created and you can view the rule table We take IP ACL rules table for example Figure 2 33 Viewing ACL Rules Table Here you can view and edit the ACL rules You can also click Resequence to resequence the rules by providing a Start Rule ID and Step value 2 1 4 Configuring ACL Binding You can bind ...

Page 833: ...Figure 2 34 Binding the ACL to a Port Follow these steps to bind the ACL to a Port 1 Choose ID or Name to be used for matching the ACL Then select an ACL from the drop down list 2 Specify the port to be bound 3 Click Create Binding the ACL to a VLAN Choose the menu SECURITY ACL ACL Binding VLAN Binding to load the following page Figure 2 35 Binding the ACL to a VLAN ...

Page 834: ...me period In this case you can configure a time range for the ACL For details about Time Range Configuration please refer to Managing System 2 2 2 Configuring ACL Follow the steps to create different types of ACL and configure the ACL rules You can define the rules based on source or destination IP address source or destination MAC address protocol type port number and others MAC ACL Step 1 config...

Page 835: ... Enter the source MAC address The format is FF FF FF FF FF FF source mac mask Enter the mask of the source MAC address This is required if a source MAC address is entered The format is FF FF FF FF FF FF destination mac Enter the destination MAC address The format is FF FF FF FF FF FF destination mac mask Enter the mask of the destination MAC address This is required if a destination MAC address is...

Page 836: ... port s port number s port mask s port mask d port d port number d port mask d port mask tcpflag tcpflag tseg time range name Add rules to the ACL acl id or name Enter the ID or name of the ACL that you want to add a rule for auto The rule ID will be assigned automatically and the interval between rule IDs is 5 rule id Assign an ID to the rule deny permit Specify the action to be taken with the pa...

Page 837: ...P configured as the protocol specify the destination port mask with 4 hexadacimal numbers tcpflag With TCP configured as the protocol specify the flag value using either binary numbers or for example 01 010 The default is which indicates that the flag will not be matched The flags are URG Urgent flag ACK Acknowledge Flag PSH Push Flag RST Reset Flag SYN Synchronize Flag and FIN Finish Flag time ra...

Page 838: ...e Deny means to discard permit means to forward By default it is set to permit logging enable disable Enable or disable Logging function for the ACL rule If enable is selected the times that the rule is matched will be logged every 5 minutes With ACL Counter trap enabled a related trap will be generated if the matching times changes source mac address Enter the source MAC address source mac mask E...

Page 839: ...ags are URG Urgent flag ACK Acknowledge Flag PSH Push Flag RST Reset Flag SYN Synchronize Flag and FIN Finish Flag time range name The name of the time range The default is No Limit Step 4 end Return to privileged EXEC mode Step 5 copy running config startup config Save the settings in the configuration file The following example shows how to create Combined ACL 1100 and configure Rule 1 to deny p...

Page 840: ...alue to be matched It ranges from 0 to 63 flow label value Specify a Flow Label value to be matched source ip address Enter the source IP address Enter the destination IPv6 address to be matched All types of IPv6 address will be checked You may enter a complete 128 bit IPv6 address but only the first 64 bits will be valid source ip mask Enter the source IP address mask The mask is required if the ...

Page 841: ...opy running config startup config Packet Content ACL Note Packet Content ACL is not available for T2600G 18TS Step 1 configure Enter global configuration mode Step 2 access list create acl id name acl name Create a Packet Content ACL acl id Enter an ACL ID The ID ranges from 2000 to 2499 acl name Enter a name to identify the ACL Step 3 access list packet content profile chunk offset0 offset0 chunk...

Page 842: ... hexadecimal for the desired chunk like 0000ffff The Packet Content ACL will check this chunk of packets to examine if the packets match the rule or not mask Enter the 4 byte mask in hexadecimal for the desired chunk The mask must be written completely in 4 byte hex mode like 0000ffff The mask specifies which bits to match the rule time range name The name of the time range The default is No Limit...

Page 843: ... example shows how to resequence the rules of MAC ACL 100 set the start rule ID as 1 and the step value as 10 Switch configure Switch config access list resequence 100 start 1 step 10 Switch config show access list 100 MAC access list 100 name ACL_100 rule 1 deny logging disable smac aa bb cc dd ee ff smask ff ff ff ff ff ff rule 11 permit logging disable vid 18 rule 21 permit logging disable dmac...

Page 844: ... a rate from 1 to 1000000 kbps burst size Specify the number of bytes allowed in one second ranging from 1 to 128 osd Select either none discard or remark dscp as the action to be taken for the packets whose rate is beyond the specified rate The default is None When remark dscp is selected you also need to specify the DSCP value for the matched packets The DSCP value ranges from 0 to 63 Note Remar...

Page 845: ...kets using the ACLs in order The ACL that is bound earlier has a higher priority Follow the steps below to bind ACL to a port or a VLAN Step 1 configure Enter global configuration mode Step 2 access list bind acl id or name interface vlan vlan list fastEthernet port list gigabitEthernet port list ten gigabitEthernet port list Bind the ACL to a port or a VLAN acl id or name Enter the ID or name of ...

Page 846: ...i1 0 3 Ingress Port 1 ACL_1 4 Ingress VLAN Switch config end Switch copy running config startup config 2 2 5 Viewing ACL Counting You can use the following command to view the number of matched packets of each ACL in the privileged EXEC mode and any other configuration mode show access list acl id or name counter View the number of matched packets of the specific ACL acl id or name Specify the ID ...

Page 847: ...rum server is connected to the switch via port 1 0 1 and computers in the R D department are connected to the switch via port 1 0 2 Figure 3 1 Network Topology Gi1 0 1 R D manager s PC MAC 8C DC D4 40 A1 79 R D Department Internal Forum Server MAC 40 61 86 FC 71 56 Gi1 0 2 3 1 2 Configuration Scheme To meet the requirements above you can set up packet filtering by creating an MAC ACL and configuri...

Page 848: ...rk hours Configure a permit rule to match all the packets that do not match neither of the above rules Binding Configuration Bind the MAC ACL to port 1 0 2 so that the ACL rules will be applied to the computer of the devices in the R D department which are restricted to the internal forum during work hours Demonstrated with T2600G 28TS the following sections explain the configuration procedure in ...

Page 849: ...Figure 3 3 Adding Period Time 3 After adding the Period Time click Create to save the time range entry Figure 3 4 Creating Time Range 4 Choose the menu SECURITY ACL ACL Config and click to load the following page Then create a MAC ACL for the marketing department ...

Page 850: ...g a MAC ACL 5 Click Edit ACL in the Operation column Figure 3 6 Editing the MAC ACL 6 On the ACL configuration page click Figure 3 7 Editing the MAC ACL 7 Configure rule 5 to permit packets with the source MAC address 8C DC D4 40 A1 79 and destination MAC address 40 61 86 FC 71 56 ...

Page 851: ...2 Configuring ACL Configuration Example for ACL Figure 3 8 Configuring Rule 5 8 In the same way configure rule 15 to deny packets with destination MAC address 40 61 86 FC 71 56 and apply the time range of work hours ...

Page 852: ...Configuring ACL Configuration Example for ACL User Guide 823 Figure 3 9 Configuring Rule 15 9 Configure rule 25 to permit all the packets that do not match neither of the above rules ...

Page 853: ...onfiguration Example for ACL Figure 3 10 Configuring Rule 25 10 Choose the menu SECURITY ACL ACL Binding and click to load the following page Bind ACL 100 to port 1 0 2 to make it take effect Figure 3 11 Binding the ACL to Port 1 0 2 ...

Page 854: ... FC 71 56 Switch config access list mac 100 rule 5 permit logging disable smac 8C DC D4 40 A1 79 smask FF FF FF FF FF FF dmac 40 61 86 FC 71 56 dmask FF FF FF FF FF FF 4 Configure rule 15 to deny packets with destination MAC address 40 61 86 FC 71 56 Switch config access list mac 100 rule 15 deny logging disable dmac 40 61 86 FC 71 56 dmask FF FF FF FF FF FF tseg Work_time 5 Configure rule 25 to p...

Page 855: ...Ingress Port 3 2 Configuration Example for IP ACL 3 2 1 Network Requirements As shown below a company s internal server group can provide different types of services Computers in the Marketing department are connected to the switch via port 1 0 1 and the internal server group is connected to the switch via port 1 0 2 Figure 3 12 Network Topology Internet Gi1 0 1 Marketing IP 10 10 70 0 24 Server G...

Page 856: ... and TCP UDP 53 These allow the Marketing department to visit http and https websites on the internet The switch matches the packets with the rules in order starting with Rule 1 If a packet matches a rule the switch stops the matching process and initiates the action defined in the rule If no rules are matched the packet will be dropped Binding Configuration Bind the IP ACL to port 1 0 1 so that t...

Page 857: ...le for ACL Figure 3 14 Editing IP ACL 3 On the ACL configuration page click Figure 3 15 Editing IP AC 4 Configure rule 1 to permit packets with the source IP address 10 10 70 0 24 and destination IP address 10 10 80 0 24 Figure 3 16 Configuring Rule 1 ...

Page 858: ...n Example for ACL User Guide 829 5 In the same way configure rule 2 and rule 3 to permit packets with source IP 10 10 70 0 and destination port TCP 80 http service port and TCP 443 https service port Figure 3 17 Configuring Rule 2 ...

Page 859: ...User Guide 830 Configuring ACL Configuration Example for ACL Figure 3 18 Configuring Rule 3 ...

Page 860: ...iguration Example for ACL User Guide 831 6 In the same way configure rule 4 and rule 5 to permit packets with source IP 10 10 70 0 and with destination port TCP 53 or UDP 53 DNS service port Figure 3 19 Configuring Rule 4 ...

Page 861: ...User Guide 832 Configuring ACL Configuration Example for ACL Figure 3 20 Configuring Rule 5 7 In the same way configure rule 6 to deny packets with source IP 10 10 70 0 Figure 3 21 Configuring Rule 6 ...

Page 862: ... 70 0 sip mask 255 255 255 0 dip 10 10 80 0 dmask 255 255 255 0 3 Configure rule 2 and Rule 3 to permit packets with source IP 10 10 70 0 24 and destination port TCP 80 http service port or TCP 443 https service port Switch config access list ip 500 rule 2 permit logging disable sip 10 10 70 0 sip mask 255 255 255 0 protocol 6 d port 80 d port mask ffff Switch config access list ip 500 rule 3 perm...

Page 863: ...artup config Verify the Configurations Verify the IP ACL 500 Switch show access list 500 rule 1 permit logging disable sip 10 10 70 0 smask 255 255 255 0 dip 10 10 80 0 dmask 255 255 255 0 rule 2 permit logging disable sip 10 10 70 0 smask 255 255 255 0 protocol 6 d port 80 rule 3 permit logging disable sip 10 10 70 0 smask 255 255 255 0 protocol 6 d port 443 rule 4 permit logging disable sip 10 1...

Page 864: ...uration Create a Combined ACL and configure the following rules for it Configure a permit rule to match packets with source MAC address 6C 62 6D F5 BA 48 and destination port TCP 23 This rule allows the computer of the network administrator to access the switch through Telnet connection Configure a deny rule to match all the packets except the packets with source MAC address 6C 62 6D F5 BA 48 and ...

Page 865: ...t connection Demonstrated with T2600G 28TS the following sections explain the configuration procedure in two ways using the GUI and using the CLI 3 3 3 Using the GUI 1 Choose the menu SECURITY ACL ACL Config and click to load the following page Then create a Combined ACL for the marketing department Figure 3 24 Creating an Combined ACL 2 Click Edit ACL in the Operation column Figure 3 25 Editing C...

Page 866: ... ACL Configuration Example for ACL User Guide 837 Figure 3 26 Editing Combined ACL 4 Configure rule 5 to permit packets with the source MAC address 6C 62 6D F5 BA 48 and destination port TCP 23 Telnet service port ...

Page 867: ...uring ACL Configuration Example for ACL Figure 3 27 Configuring Rule 5 5 Configure rule 15 to deny all the packets except the packet with source MAC address 6C 62 6D F5 BA 48 and destination port TCP 23 Telnet service port ...

Page 868: ... Configuration Example for ACL User Guide 839 Figure 3 28 Configuring Rule 15 6 In the same way configure rule 25 to permit all the packets The rule makes sure that all devices can get other network services normally ...

Page 869: ...nfiguring ACL Configuration Example for ACL Figure 3 29 Configuring Rule 25 7 Choose the menu SECURITY ACL ACL Binding and click to load the following page Bind the Policy ACL_Telnet to port 1 0 2 to make it take effect ...

Page 870: ...0 protocol 6 d port 23 d port mask FFFF 3 Configure rule 15 to deny all the packets except the packet with source MAC address 6C 62 6D F5 BA 48 and destination port TCP 23 Telnet service port Switch config access list combined 1000 rule 15 deny logging disable type 0800 protocol 6 d port 23 d port mask FFFF 4 Configure rule 25 to permit all the packets The rule makes sure that all devices can get ...

Page 871: ...mbined access list 1000 name ACL_Telnet rule 5 permit logging disable smac 6c 62 6d f5 ba 48 smask ff ff ff ff ff ff type 0800 protocol 6 d port 23 rule 15 deny logging disable type 0800 protocol 6 d port 23 rule 25 permit logging disable Switch show access list bind ACL ID ACL NAME Interface VID Direction Type 1000 ACL_Telnet Gi1 0 2 Ingress Port ...

Page 872: ...fault Setting Operation Permit User Priority No Limit Time Range No Limit Table 4 2 IP ACL Parameter Default Setting Operation Permit IP Protocol All DSCP No Limit IP ToS No Limit IP Pre No Limit Time Range No Limit Table 4 3 IPv6 ACL Parameter Default Setting Operation Permit Time Range No Limit Table 4 4 Combined ACL Parameter Default Setting Operation Permit Time Range No Limit ...

Page 873: ...endix Default Parameters Table 4 5 Packet Content ACL Parameter Default Setting Operation Permit Time Range No Limit Table 4 6 Policy Parameter Default Setting Mirroring Disabled Redirect Disabled Rate Limit Disabled QoS Remark Disabled ...

Page 874: ...Configuring ACL User Guide 845 ...

Page 875: ...Part 28 Configuring IPv4 IMPB CHAPTERS 1 IPv4 IMPB 2 IP MAC Binding Configuration 3 ARP Detection Configuration 4 IPv4 Source Guard Configuration 5 Configuration Examples 6 Appendix Default Parameters ...

Page 876: ...MAC Binding entries ARP Detection In an actual complex network there are high security risks during ARP implementation procedure The cheating attacks against ARP such as imitating gateway cheating gateway cheating terminal hosts and ARP flooding attack frequently occur to the network ARP Detection can prevent the network from these ARP attacks Prevent ARP Cheating Attacks Based on the IP MAC Bindi...

Page 877: ...e ways Manual Binding Via ARP Scanning Via DHCP Snooping Additionally you can view search and edit the entries in the Binding Table 2 1 Using the GUI 2 1 1 Binding Entries Manually You can manually bind the IP address MAC address VLAN ID and the Port number together on the condition that you have got the detailed information of the hosts ...

Page 878: ... for identification IP Address Enter the IP address MAC Address Enter the MAC address VLAN ID Enter the VLAN ID 2 Select protect type for the entry Protect Type Select the protect type for the entry The entry will be applied to to the specific feature The following options are provided None This entry will not be applied to any feature ARP Detection This entry will be applied to the ARP Detection ...

Page 879: ... feature make sure that your network is safe and the hosts are not suffering from ARP attacks at present otherwise you may obtain incorrect IP MAC Binding entries If your network is being attacked it s recommended to bind the entries manually Choose the menu SECURITY IPv4 IMPB IP MAC Binding ARP Scanning to load the following page Figure 2 2 ARP Scanning Follow these steps to configure IP MAC Bind...

Page 880: ...Select the protect type for the entry The entry will be applied to to the specific feature The following options are provided None This entry will not be applied to any feature ARP Detection This entry will be applied to the ARP Detection feature IP Source Guard This entry will be applied to the IP Source Guard feature Both This entry will be applied to both of the features 2 1 3 Binding Entries v...

Page 881: ...Binding via DHCP Snooping 1 In the Global Config section globally enable DHCP Snooping Click Apply 2 In the VLAN Config section enable DHCP Snooping on a VLAN or range of VLANs Click Apply VLAN ID Displays the VLAN ID Status Enable or disable DHCP Snooping on the VLAN 3 In the Port Config section configure the maximum number of binding entries a port can learn via DHCP snooping Click Apply Port Di...

Page 882: ... Binding Binding Table to load the following page Figure 2 4 Binding Table You can specify the search criteria to search your desired entries Source Select the source of the entry and click Search All Displays the entries from all sources Manual Binding Displays the manually bound entries ARP Scanning Displays the binding entries learned from ARP Scanning DHCP Snooping Displays the binding entries...

Page 883: ...ll be applied to the IP Source Guard feature Both This entry will be applied to both of the features Source Displays the source of the entry 2 2 Using the CLI Binding entries via ARP scanning is not supported by the CLI The following sections introduce how to bind entries manually and via DHCP Snooping and view the binding entries 2 2 1 Binding Entries Manually You can manually bind the IP address...

Page 884: ... this entry will not be applied to any feature arp detection indicates this entry will be applied to ARP Detection ip verify source indicates this entry will be applied to IPv4 Source Guard Step 3 show ip source binding Verify the binding entry Step 4 end Return to privileged EXEC mode Step 5 copy running config startup config Save the settings in the configuration file The following example shows...

Page 885: ...st Enter interface configuration mode Step 5 ip dhcp snooping max entries value Configure the maximum number of binding entries the port can learn via DHCP snooping value Enter the value of maximum number of entries The valid values are from 0 to 512 Step 6 show ip dhcp snooping Verify global configuration of DHCP Snooping Step 7 end Return to privileged EXEC mode Step 8 copy running config startu...

Page 886: ...AG Gi1 0 1 100 N A Switch config if end Switch copy running config startup config 2 2 3 Viewing Binding Entries On privileged EXEC mode or any other configuration mode you can use the following command to view binding entries show ip source binding View the information of binding entries including the host name IP address MAC address VLAN ID port number and protect type ...

Page 887: ...on the switch detects the ARP packets based on the binding entries in the IP MAC Binding Table So before configuring ARP Detection you need to complete IP MAC Binding configuration For details refer to IP MAC Binding Configuration 3 1 2 Enabling ARP Detection Choose the menu SECURITY IPv4 IMPB ARP Detection Global Config to load the following page Figure 3 1 ARP Detection Global Config Follow thes...

Page 888: ...itch to check whether the sender IP address of all ARP packets and the target IP address of ARP reply packets are legal The illegal ARP packets will be discarded including broadcast addresses multicast addresses Class E addresses loopback addresses 127 0 0 0 8 and the following address 0 0 0 0 2 In the VLAN Config section enable ARP Detection on the selected VLANs Click Apply VLAN ID Displays the ...

Page 889: ...P packets in this time range reaches the limit the port will be shut down Status Displays the status of the ARP attack Normal The forwarding of ARP packets on the port is normal Down The transmission speed of the legal ARP packet exceeds the defined value The port will be shut down for 300 seconds You can also click the Recovery button to recover Operation If Status is changed to Down there will b...

Page 890: ...ng ARP Detection Follow these steps to enable ARP Detection Step 1 configure Enter global configuration mode Step 2 ip arp inspection Globally enable the ARP Detection feature Step 3 ip arp inspection validate src mac dst mac ip Configure the switch to check the IP address or MAC address of the received packets src mac Enable the switch to check whether the source MAC address and the sender MAC ad...

Page 891: ...nfig Save the settings in the configuration file The following example shows how to enable ARP Detection globally and on VLAN 2 and enable the switch to check whether the source MAC address and the sender MAC address are the same when receiving an ARP packet Switch configure Switch config ip arp inspection Switch config ip arp inspection validate src mac Switch config ip arp inspection vlan 2 Swit...

Page 892: ...m 0 to 300 pps packets second and the default value is 100 Step 5 ip arp inspection burst interval value Specify a time range If the average speed of received ARP packets in this time range reach the limit the port will be shut down value Specify the time range The valid values are from 1 to 15 seconds and the default value is 1 second Step 6 show ip arp inspection interface View the configuration...

Page 893: ...he following example shows how to restore the port 1 0 1 that is in Down status to Normal status Switch configure Switch config interface gigabitEthernet 1 0 1 Switch config if ip arp inspection recover Switch config if end Switch copy running config startup config 3 2 4 Viewing ARP Statistics On privileged EXEC mode or any other configuration mode you can use the following command to view ARP sta...

Page 894: ...he GUI 4 1 1 Adding IP MAC Binding Entries In IPv4 Source Guard the switch filters the packets that do not match the rules of IPv4 MAC Binding Table So before configuring ARP Detection you need to complete IP MAC Binding configuration For details refer to IP MAC Binding Configuration 4 1 2 Configuring IPv4 Source Guard Choose the menu SECURITY IPv4 IMPB IPv4 Source Guard to load the following page...

Page 895: ...otherwise the packet will be discarded Note SIP is only available for T2600G 18TS SIP MAC Only the packet with its source IP address source MAC address and port number matching the IPv4 MAC binding rules can be processed otherwise the packet will be discarded LAG Displays the LAG that the port is in 4 2 Using the CLI 4 2 1 Adding IP MAC Binding Entries In IPv4 Source Guard the switch filters the p...

Page 896: ...cket will be discarded Step 4 show ip verify source interface fastEthernet port gigabitEthernet port ten gigabitEthernet port port channel port channel id Verify the IP Source Guard configuration for IPv4 packets Step 5 end Return to privileged EXEC mode Step 6 copy running config startup config Save the settings in the configuration file The following example shows how to enable IPv4 Source Guard...

Page 897: ...work administrator wants to configure Switch A to prevent ARP attacks from the LAN Figure 5 1 Network Topology LAN WAN Gi1 0 3 Gi1 0 1 Gi1 0 2 Router User 2 88 A9 D4 54 FD C3 192 168 0 33 24 User 1 74 D3 45 32 B6 8D 192 168 0 31 24 Attacker Switch A Internet 5 1 2 Configuration Scheme To meet the requirement you can configure ARP Detection to prevent the network from ARP attacks in the LAN The ove...

Page 898: ... in two ways using the GUI and using the CLI 5 1 3 Using the GUI 1 Choose the menu SECURITY IPv4 IMBP IP MAC Binding Manual Binding and click to load the following page Enter the host name IP address MAC address and VLAN ID of User 1 select the protect type as ARP Detection and select port 1 0 1 on the panel Click Apply Figure 5 2 Binding Entry for User 1 2 On the same page add a binding entry for...

Page 899: ...e Source MAC Validate Destination MAC and Validate IP and click Apply Select VLAN 1 change Status as Enabled and click Apply Figure 5 4 Enable ARP Detection 4 Choose the menu SECURITY IPv4 IMBP ARP Detection Port Config to load the following page By default all ports are enabled with ARP Detection and ARP flooding defend Configure port 1 0 3 as trusted port and keep other defend parameters as defa...

Page 900: ...erface gigabitEthernet 1 0 1 arp detection Switch_A config ip source binding User1 192 168 0 32 88 a9 d4 54 fd c3 vlan 1 interface gigabitEthernet 1 0 2 arp detection 2 Enable ARP Detection globally and on VLAN 1 Switch_A config ip arp inspection Switch_A config ip arp inspection vlan 1 3 Configure port 1 0 3 as trusted port Switch_A config interface gigabitEthernet 1 0 3 Switch_A config if ip arp...

Page 901: ...V S for IP Verify Source Verify the global configuration of ARP Detection Switch_A show ip arp inspection Global Status Enable Verify SMAC Enable Verify DMAC Enable Verify IP Enable Verify the ARP Detection configuration on VLAN Switch_A show ip arp inspection vlan VID Enable status Log Status 1 Enable Disable Verify the ARP Detection configuration on ports Switch_A show ip arp inspection interfac...

Page 902: ...eme To implement this requirement you can use IP MAC Binding and IP Source Guard to filter out the packets received from the unknown hosts The overview of configuration on the switch is as follows 1 Bind the MAC address IP address connected port number and VLAN ID of the legal host with IP MAC Binding 2 Enable IP Source Guard on ports 1 0 1 3 Demonstrated with T2600G 28TS the following sections pr...

Page 903: ... Binding 2 Choose the menu SECURITY IPv4 IMPB IPv4 Source Guard to load the following page Enable IPv4 Source Guard Logging to make the switch generate logs when receiving illegal packets and click Apply Select ports 1 0 1 3 configure the Security Type as SIP MAC and click Apply ...

Page 904: ... configure Switch config ip source binding legal host 192 168 0 100 74 d3 45 32 b5 6d vlan 1 interface gigabitEthernet 1 0 1 ip verify source 2 Enable the log feature and IP Source Guard on ports 1 0 1 3 Switch config ip verify source logging Switch config interface range gigabitEthernet 1 0 1 3 Switch config if range ip verify source sip mac Switch config if range end Switch copy running config s...

Page 905: ...1 192 168 0 100 74 d3 45 32 b5 6d 1 Gi1 0 1 IP V S Manual Notice 1 Here ARP D for ARP Detection and IP V S for IP Verify Source Verify the configuration of IP Source Guard Switch show ip verify source IP Source Guard log Enabled Port Security Type LAG Gi1 0 1 SIP MAC N A Gi1 0 2 SIP MAC N A Gi1 0 3 SIP MAC N A ...

Page 906: ...nfig DHCP Snooping Disabled VLAN Config Status Disabled Port Config Maximum Entry 512 Default settings of ARP Detection are listed in the following table Table 6 2 ARP Detection Parameter Default Setting Global Config ARP Detect Disabled Validate Source MAC Disabled Validate Destination MAC Disabled Validate IP Disabled VLAN Config Status Disabled Log Status Disabled Port Config Trust Status Disab...

Page 907: ...g Burst Interval 1 second ARP Statistics Auto Refresh Disabled Refresh Interval 5 seconds Default settings of IPv4 Source Guard are listed in the following table Table 6 3 ARP Detection Parameter Default Setting Global Config IPv4 Source Guard Log Disabled Port Config Security Type Disabled ...

Page 908: ...Part 29 Configuring IPv6 IMPB CHAPTERS 1 IPv6 IMPB 2 IPv6 MAC Binding Configuration 3 ND Detection Configuration 4 IPv6 Source Guard Configuration 5 Configuration Examples 6 Appendix Default Parameters ...

Page 909: ... ND packets and prevent the ND attacks The application topology of ND Detection is as the following figure shows The port that is connected to the gateway should be configured as trusted port and other ports should be configured as untrusted ports The forwarding principles of ND packets are as follows All ND packets received on the trusted port will be forwarded without checked RS Router Solicitat...

Page 910: ...ology of ND Detection Trusted Port Switch Untrusted Port Untrusted Port Attacker User A Gateway Internet IPv6 Source Guard IPv6 Source Guard is used to filter the IPv6 packets based on the IPv6 MAC Binding table Only the packets that match the binding rules are forwarded ...

Page 911: ...nooping Additionally you can view search and edit the entries in the Binding Table 2 1 Using the GUI 2 1 1 Binding Entries Manually You can manually bind the IPv6 address MAC address VLAN ID and the Port number together on the condition that you have got the detailed information of the hosts Choose the menu SECURITY IPv6 IMPB IPv6 MAC Binding Manual Binding and click to load the following page ...

Page 912: ...ss VLAN ID Enter the VLAN ID 2 Select protect type for the entry Protect Type Select the protect type for the entry The entry will be applied to to the specific feature The following options are provided None This entry will not be applied to any feature ND Detection This entry will be applied to the ND Detection feature IPv6 Source Guard This entry will be applied to the IPv6 Source Guard feature...

Page 913: ...e Before using this feature make sure that your network is safe and the hosts are not suffering from ND attacks at present otherwise you may obtain incorrect IPv6 MAC Binding entries If your network is being attacked it s recommended to bind the entries manually Choose the menu SECURITY IPv6 IMPB IPv6 MAC Binding ND Snooping to load the following page Figure 2 2 ND Snooping Follow these steps to c...

Page 914: ... Port Displays the port number Maximum Entries Configure the maximum number of binding entries a port can learn via ND snooping LAG Displays the LAG that the port is in 4 The learned entries will be displayed in the Binding Table You can go to SECURITY IPv6 IMPB IPv6 MAC Binding Binding Table to view or edit the entries 2 1 3 Binding Entries via DHCPv6 Snooping With DHCPv6 Snooping enabled the swi...

Page 915: ...Binding via DHCPv6 Snooping 1 In the Global Config section globally enable DHCPv6 Snooping Click Apply 2 In the VLAN Config section enable DHCPv6 Snooping on a VLAN or range of VLANs Click Apply VLAN ID Displays the VLAN ID Status Enable or disable DHCPv6 Snooping on the VLAN 3 In the Port Config section configure the maximum number of binding entries a port can learn via DHCPv6 snooping Click App...

Page 916: ...MAC Binding Binding Table to load the following page Figure 2 4 Binding Table You can specify the search criteria to search your desired entries Source Select the source of the entry and click Search All Displays the entries from all sources Manual Binding Displays the manually bound entries ND Snooping Displays the binding entries learned from ND Snooping DHCPv6 Snooping Displays the binding entr...

Page 917: ...Guard This entry will be applied to the IP Source Guard feature Both This entry will be applied to both of the features Source Displays the source of the entry 2 2 Using the CLI The following sections introduce how to bind entries manually and via ND Snooping and DHCP Snooping and how to view the binding entries 2 2 1 Binding Entries Manually You can manually bind the IPv6 address MAC address VLAN...

Page 918: ...entry will not be applied to any feature nd detection indicates this entry will be applied to ND Detection ipv6 verify source indicates this entry will be applied to IP Source Guard both indicates this entry will be applied to both ND Detection and IP Source Guard Step 3 show ip source binding Verify the binding entry Step 4 end Return to privileged EXEC mode Step 5 copy running config startup con...

Page 919: ...s value Configure the maximum number of ND binding entries a port can learn via ND snooping value Enter the maximum number of ND binding entries a port can learn via ND snooping The valid values are from 0 to 1024 and the default is 1024 Step 6 show ipv6 nd snooping Verify the global configuration of IPv6 ND Snooping Step 7 show ipv6 nd snooping interface fastEthernet port gigabitEthernet port ten...

Page 920: ...nfigure Enter global configuration mode Step 2 ipv6 dhcp snooping Globally enable DHCPv6 Snooping Step 3 ipv6 dhcp snooping vlan vlan range Enable DHCPv6 Snooping on the specified VLAN vlan range Enter the vlan range in the format of 1 3 5 Step 4 interface fastEthernet port range fastEthernet port list gigabitEthernet port range gigabitEthernet port list ten gigabitEthernet port range ten gigabitE...

Page 921: ...ing vlan 5 Switch config interface gigabitEthernet 1 0 1 Switch config if ipv6 dhcp snooping max entries 100 Switch config if show ipv6 dhcp snooping Global Status Enable VLAN ID 5 Switch config if show ipv6 dhcp snooping interface gigabitEthernet 1 0 1 Interface max entries LAG Gi1 0 1 100 N A Switch config if end Switch copy running config startup config 2 2 4 Viewing Binding Entries On privileg...

Page 922: ... IPv6 MAC Binding Table and filter out the illegal ND packets Before configuring ND Detection complete IPv6 MAC Binding configuration For details refer to IPv6 MAC Binding Configuration 3 1 2 Enabling ND Detection Choose the menu SECURITY IPv6 IMPB ND Detection Global Config to load the following page Figure 3 1 ND Detection Global Config Follow these steps to enable ND Detection 1 In the Global C...

Page 923: ...ection on Port Follow these steps to configure ND Detection on ports 1 Select one or more ports and configure the parameters Port Displays the port number Trust Status Enable or disable this port to be a trusted port On a trusted port the ND packets are forwarded directly without checked The specific ports such as up link ports and routing ports are suggested to be set as trusted LAG Displays the ...

Page 924: ... Forwarded Displays the number of forwarded ND packets in this VLAN Dropped Displays the number of dropped ND packets in this VLAN 3 2 Using the CLI 3 2 1 Adding IPv6 MAC Binding Entries The ND Detection feature allows the switch to detect the ND packets based on the binding entries in the IPv6 MAC Binding Table and filter out the illegal ND packets Before configuring ND Detection complete IPv6 MA...

Page 925: ... VLAN ID 1 Switch config end Switch copy running config startup config 3 2 3 Configuring ND Detection on Ports Follow these steps to configure ND Detection on ports Step 1 configure Enter global configuration mode Step 2 interface fastEthernet port range fastEthernet port list gigabitEthernet port range gigabitEthernet port list ten gigabitEthernet port range ten gigabitEthernet port list Enter in...

Page 926: ...net 1 0 1 Switch config if ipv6 nd detection trust Switch config if show ipv6 nd detection interface gigabitEthernet 1 0 1 Interface Trusted LAG Gi1 0 1 Enable N A Switch config if end Switch copy running config startup config 3 2 4 Viewing ND Statistics On privileged EXEC mode or any other configuration mode you can use the following command to view ND statistics show ipv6 nd detection statistics...

Page 927: ...ding entries in the IPv6 MAC Binding Table and filter out the illegal ND packets Before configuring ND Detection complete IPv6 MAC Binding configuration For details refer to IPv6 MAC Binding Configuration 4 1 2 Configuring IPv6 Source Guard Before configuring IPv6 Source Guard you need to configure the SDM template as EnterpriseV6 Choose the menu SECURITY IPv6 IMPB IPv6 Source Guard to load the fo...

Page 928: ...ding Table and filter out the illegal ND packets Before configuring ND Detection complete IPv6 MAC Binding configuration For details refer to IPv6 MAC Binding Configuration 4 2 2 Configuring IPv6 Source Guard Before configuring IPv6 Source Guard you need to configure the SDM template as EnterpriseV6 Follow these steps to configure IPv6 Source Guard Step 1 configure Enter global configuration mode ...

Page 929: ...urn to privileged EXEC mode Step 6 copy running config startup config Save the settings in the configuration file The following example shows how to enable IPv6 Source Guard on port 1 0 1 Switch configure Switch config interface gigabitEthernet 1 0 1 Switch config if ipv6 verify source sipv6 mac Switch config if show ipv6 verify source interface gigabitEthernet 1 0 1 Port Security Type LAG Gi1 0 1...

Page 930: ... Now the network administrator wants to configure Switch A to prevent ND attacks from the LAN Figure 5 1 Network Topology LAN WAN Gi1 0 3 Gi1 0 1 Gi1 0 2 Router User 2 88 A9 D4 54 FD C3 2001 6 User 1 74 D3 45 32 B6 8D 2001 5 Attacker Switch A Internet 5 1 2 Configuration Scheme To meet the requirement you can configure ND Detection to prevent the network from ND attacks in the LAN The overview of ...

Page 931: ... Using the GUI 1 Choose the menu SECURITY IPv6 IMBP IPv6 MAC Binding Manual Binding and click to load the following page Enter the host name IPv6 address MAC address and VLAN ID of User 1 select the protect type as ND Detection and select port 1 0 1 on the panel Click Apply Figure 5 2 Binding Entry for User 1 2 In the same way add a binding entry for User 2 Enter the host name IPv6 address MAC add...

Page 932: ...llowing page Enable ND Detection and click Apply Select VLAN 1 change Status as Enabled and click Apply Figure 5 4 Enable ND Detection 4 Choose the menu SECURITY IPv6 IMBP ND Detection Port Config to load the following page By default all ports are enabled with ND Detection Since port 1 0 3 is connected to the gateway router configure port 1 0 3 as trusted port Click Apply ...

Page 933: ... nd detection Switch_A config ip source binding User1 2001 6 88 a9 d4 54 fd c3 vlan 1 interface gigabitEthernet 1 0 2 nd detection 2 Enable ND Detection globally and on VLAN 1 Switch_A config ipv6 nd detection vlan 1 3 Configure port 1 0 3 as trusted port Switch_A config interface gigabitEthernet 1 0 3 Switch_A config if ipv6 nd detection trust Switch_A config if end Switch_A copy running config s...

Page 934: ...n Global Status Enable Verify the ND Detection configuration on VLAN Switch_A show ipv6 nd detection vlan VID Enable status Log Status 1 Enable Disable Verify the ND Detection configuration on ports Switch_A show ipv6 nd detection interface Interface Trusted LAG Gi1 0 1 Disable N A Gi1 0 2 Disable N A Gi1 0 3 Enable N A 5 2 Example for IPv6 Source Guard 5 2 1 Network Requirements As shown below th...

Page 935: ...e unknown hosts The overview of configuration on the switch is as follows 1 Bind the MAC address IPv6 address connected port number and VLAN ID of the legal host with IPv6 MAC Binding 2 Enable IPv6 Source Guard on ports 1 0 1 3 Demonstrated with T2600G 28TS the following sections provide configuration procedure in two ways using the GUI and using the CLI 5 2 3 Using the GUI 1 Choose the menu SECUR...

Page 936: ...uide 907 Figure 5 7 Manual Binding 2 Choose the menu SECURITY IPv6 IMPB IPv6 Source Guard to load the following page Select ports 1 0 1 3 configure the Security Type as SIPv6 MAC and click Apply Figure 5 8 IPv6 Source Guard 3 Click to save the settings ...

Page 937: ...tch config ipv6 verify source Switch config interface range gigabitEthernet 1 0 1 3 Switch config if range ipv6 verify source sipv6 mac Switch config if range end Switch copy running config startup config Verify the Configuration Verify the binding entry Switch show ip source binding U Host IP Addr MAC Addr VID Port ACL SOURCE 1 legal host 2001 5 74 d3 45 32 b6 8d 1 Gi1 0 1 IP V S Manual Notice 1 ...

Page 938: ...lt Setting Global Config DHCPv6 Snooping Disabled VLAN Config Status Disabled Port Config Maximum Entry 512 Default settings of ND Detection are listed in the following table Table 6 2 ND Detection Parameter Default Setting Global Config ND Detection Disabled VLAN Config Status Disabled Log Status Disabled Port Config Trust Status Disabled ND Statistics Auto Refresh Disabled Refresh Interval 5 sec...

Page 939: ...e 910 Configuring IPv6 IMPB Appendix Default Parameters Default settings of IPv6 Source Guard are listed in the following table Table 6 3 ND Detection Parameter Default Setting Port Config Security Type Disabled ...

Page 940: ...Part 30 Configuring DHCP Filter CHAPTERS 1 DHCP Filter 2 DHCPv4 Filter Configuration 3 DHCPv6 Filter Configuration 4 Configuration Examples 5 Appendix Default Parameters ...

Page 941: ...s way DHCP Filter ensures that users get IP addresses only from the legal DHCP server and enhances the network security As the following figure shows there are both legal and illegal DHCP servers on the network You can configure DHCP Server1 as a legal DHCP server by providing the IP address and port number of DHCP Server1 When receiving the DHCP respond packets the switch will forward the packets...

Page 942: ...Configuring DHCP Filter DHCP Filter User Guide 913 DHCPv4 Filter DHCPv4 Filter is used for DHCPv4 servers and IPv4 clients DHCPv6 Filter DHCPv6 Filter is used for DHCPv6 servers and IPv6 clients ...

Page 943: ...CPv4 servers 2 1 Using the GUI 2 1 1 Configuring the Basic DHCPv4 Filter Parameters Choose the menu SECURITY DHCP Filter DHCPv4 Filter Basic Config to load the following page Figure 2 1 DHCPv4 Filter Basic Config Follow these steps to complete the basic settings of DHCPv4 Filter 1 In the Global Config section enable DHCPv4 globally 2 In the Port Config section select one or more ports and configur...

Page 944: ...om being exhausted by forged MAC addresses Rate Limit Select to enable the rate limit feature and specify the maximum number of DHCPv4 packets that can be forwarded on the port per second The excessive DHCPv4 packets will be discarded Decline Protect Select to enable the decline protect feature and specify the maximum number of Decline packets that can be forwarded on the port per second The exces...

Page 945: ...re the following parameters Server IP Address Specify the IP address of the legal DHCPv4 server Client MAC Address Optional Specify the MAC address of the DHCP Client You can also keep this field empty which represents for all DHCP clients Server Port Select the port that the legal DHCPv4 server is connected 2 Click Create 2 2 Using the CLI 2 2 1 Configuring the Basic DHCPv4 Filter Parameters Foll...

Page 946: ... per second The excessive DHCP packets will be discarded value Specify the limit rate value The following options are provided 0 5 10 15 20 25 and 30 packets second The default value is 0 which indicates disabling limit rate Step 7 ip dhcp filter decline rate value Enable the decline protect feature and specify the maximum number of Decline packets can be forwarded per second on the port The exces...

Page 947: ...Interface state MAC Verify Limit Rate Dec rate LAG Gi1 0 1 Enable Enable 10 20 N A Switch config if end Switch copy running config startup config 2 2 2 Configuring Legal DHCPv4 Servers Follow these steps configure legal DHCPv4 servers Step 1 configure Enter global configuration mode Step 2 ip dhcp filter server permit entry server ip ipAddr client mac macAddr interface fastEthernet port list gigab...

Page 948: ...ry for the legal DHCPv4 server whose IP address is 192 168 0 100 and connected port number is 1 0 1 without client MAC address restricted Switch configure Switch config ip dhcp filter server permit entry server ip 192 168 0 100 client mac all interface gigabitEthernet 1 0 1 Switch config show ip dhcp filter server permit entry Server IP Client MAC Interface 192 168 0 100 all Gi1 0 1 Switch config ...

Page 949: ...1 Using the GUI 3 1 1 Configuring the Basic DHCPv6 Filter Parameters Choose the menu SECURITY DHCP Filter DHCPv6 Filter Basic Config to load the following page Figure 3 1 DHCPv6 Filter Basic Config Follow these steps to complete the basic settings of DHCPv6 Filter 1 In the Global Config section enable DHCPv6 globally 2 In the Port Config section select one or more ports and configure the related p...

Page 950: ...v6 Decline packets will be discarded LAG Displays the LAG that the port is in 3 Click Apply Note The member port of an LAG Link Aggregation Group follows the configuration of the LAG and not its own The configurations of the port can take effect only after it leaves the LAG 3 1 2 Configuring Legal DHCPv6 Servers Choose the menu SECURITY DHCP Filter DHCPv6 Filter Legal DHCPv6 Servers and click to l...

Page 951: ...rt per second The excessive DHCP packets will be discarded value Specify the limit rate value The following options are provided 0 5 10 15 20 25 and 30 packets second The default value is 0 which indicates disabling limit rate Step 6 ipv6 dhcp filter decline rate value Enable the decline protect feature and specify the maximum number of Decline packets can be forwarded per second on the port The e...

Page 952: ...ch config if show ipv6 dhcp filter Global Status Enable Switch config if show ip dhcp filter interface gigabitEthernet 1 0 1 Interface state Limit Rate Dec rate LAG Gi1 0 1 Enable 10 20 N A Switch config if end Switch copy running config startup config 3 2 2 Configuring Legal DHCPv6 Servers Follow these steps configure legal DHCPv6 servers Step 1 configure Enter global configuration mode Step 2 ip...

Page 953: ...owing example shows how to create an entry for the legal DHCPv6 server whose IPv6 address is 2001 54 and connected port number is 1 0 1 Switch configure Switch config ipv6 dhcp filter server permit entry server ip 2001 54 interface gigabitEthernet 1 0 1 Switch config show ipv6 dhcp filter server permit entry Server IP Interface 2001 54 Gi1 0 1 Switch config end Switch copy running config startup c...

Page 954: ...ses to the clients Figure 4 1 Network Topology Gi1 0 1 DHCPv4 Client DHCPv4 Client Illegal DHCPv4 Server DHCPv4 Client Switch A Legal DHCPv4 Server 192 168 0 200 4 1 2 Configuration Scheme To meet the requirements you can configure DHCPv4 Filter to filter the DHCPv4 packets from the illegal DHCPv4 server The overview of configuration is as follows 1 Enable DHCPv4 Filter globally and on all ports 2...

Page 955: ... load the following page Enable DHCPv4 Filter globally and click Apply Select all ports change Status as Enable and click Apply Figure 4 2 Basic Config 2 Choose the menu SECURITY DHCP Filter DHCPv4 Filter Legal DHCPv4 Servers and click to load the following page Specify the IP address and connected port number of the legal DHCPv4 server Click Create ...

Page 956: ...onfig interface range gigabitEthernet 1 0 1 28 Switch_A config if range ip dhcp filter Switch_A config if range exit 2 Create an entry for the legal DHCPv4 server Switch_A config ip dhcp filter server permit entry server ip 192 168 0 200 client mac all interface gigabitEthernet 1 0 1 Switch_A config end Switch_A copy running config startup config Verify the Configuration Verify the global DHCPv4 F...

Page 957: ...ble Disable N A Gi1 0 4 Enable Disable Disable Disable N A Verify the legal DHCPv4 server configuration Switch_A show ip dhcp filter server permit entry Server IP Client MAC Interface 192 168 0 200 all Gi1 0 1 4 2 Example for DHCPv6 Filter 4 2 1 Network Requirements As shown below all the DHCPv6 clients get IP addresses from the legal DHCPv6 server and any other DHCPv6 server in the LAN is regarde...

Page 958: ...from the illegal DHCPv6 server The overview of configuration is as follows 1 Enable DHCPv6 Filter globally and on all ports 2 Create an entry for the legal DHCPv6 server Demonstrated with T2600G 28TS the following sections provide configuration procedure in two ways using the GUI and using the CLI 4 2 3 Using the GUI 1 Choose the menu SECURITY DHCP Filter DHCPv6 Filter Basic Config to load the fol...

Page 959: ...onfig 2 Choose the menu SECURITY DHCP Filter DHCPv6 Filter Legal DHCPv6 Servers and click to load the following page Specify the IP address and connected port number of the legal DHCPv6 server Click Create Figure 4 3 Create Entry for Legal DHCPv6 Server 3 Click to save the settings ...

Page 960: ...1 54 interface gigabitEthernet 1 0 1 Switch_A config end Switch_A copy running config startup config Verify the Configuration Verify the global DHCPv6 Filter configuration Switch_A show ipv6 dhcp filter Global Status Enable Verify the DHCPv6 Filter configuration on ports Switch_A show ipv6 dhcp filter interface Interface state Limit Rate Dec rate LAG Gi1 0 1 Enable Disable Disable N A Gi1 0 2 Enab...

Page 961: ...lowing table Table 5 1 DHCPv4 Filter Parameter Default Setting Global Config DHCPv4 Filter Disabled Port Config Status Disabled MAC Verify Disabled Rate Limit Disabled Decline Protect Disabled Table 5 2 DHCPv6 Filter Parameter Default Setting Global Config DHCPv6 Filter Disabled Port Config Status Disabled Rate Limit Disabled Decline Protect Disabled ...

Page 962: ...Part 31 Configuring DoS Defend CHAPTERS 1 Overview 2 DoS Defend Configuration 3 Appendix Default Parameters ...

Page 963: ... hosts It results in an abnormal service or breakdown of the network With DoS Defend feature the switch can analyze the specific fields of the IP packets distinguish the malicious DoS attack packets and discard them directly Also DoS Defend feature can limit the transmission rate of legal packets When the number of legal packets exceeds the threshold value and may incur a breakdown of the network ...

Page 964: ...f DoS attack Land Attack The attacker sends a specific fake SYN synchronous packet to the destination host Because both of the source IP address and the destination IP address of the SYN packet are set to be the IP address of the host the host will be trapped in an endless circle of building the initial connection Scan SYNFIN The attacker sends the packet with its SYN field and the FIN field set t...

Page 965: ...keep on sending SYN ACK packets If the attacker sends overflowing fake request packets the network resource will be occupied maliciously and the requests of the legal clients will be denied WinNuke Attack Because the Operation System with bugs cannot correctly process the URG Urgent Pointer of TCP packets the attacker sends this type of packets to the TCP port139 NetBIOS of the host with the Opera...

Page 966: ...ked host is reduced because the Host circularly attempts to build a connection with the attacker ping flood The attacker floods the destination system with Ping packets creating a broadcast storm that makes it impossible for system to respond to legal communication syn flood The attacker uses a fake IP address to send TCP request packets to the server Upon receiving the request packets the server ...

Page 967: ...Switch configure Switch config ip dos prevent Switch config ip dos prevent type land Switch config show ip dos prevent DoS Prevention State Enabled Type Status Land Attack Enabled Scan SYNFIN Disabled Xmascan Disabled NULL Scan Disabled SYN sPort less 1024 Disabled Blat Attack Disabled Ping Flooding Disabled SYN SYN ACK Flooding Disabled WinNuke Attack Disabled Switch config end Switch copy runnin...

Page 968: ...Defend Appendix Default Parameters User Guide 939 3Appendix Default Parameters Default settings of Network Security are listed in the following tables Table 3 1 DoS Defend Parameter Default Setting DoS Defend Disabled ...

Page 969: ...Part 32 Monitoring the System CHAPTERS 1 Overview 2 Monitoring the CPU 3 Monitoring the Memory ...

Page 970: ... switch Monitor the memory utilization of the switch The CPU utilization should be always under 80 and excessive use may result in switch malfunctions For example the switch fails to respond to management requests ICMP ping SNMP timeouts slow Telnet or SSH sessions You can monitor the system to verify a CPU utilization problem ...

Page 971: ...e Figure 2 1 Monitoring the CPU Click Monitor to enable the switch to monitor and display its CPU utilization rate every five seconds 2 2 Using the CLI On privileged EXEC mode or any other configuration mode you can use the following command to view the CPU utilization show cpu utilization View the memory utilization of the switch in the last 5 seconds 1minute and 5minutes ...

Page 972: ...nitoring the System Monitoring the CPU User Guide 943 The following example shows how to monitor the CPU Switch show cpu utilization Unit CPU Utilization No Five Seconds One Minute Five Minutes 1 13 13 13 ...

Page 973: ... Memory Click Monitor to enable the switch to monitor and display its memory utilization rate every five seconds 3 2 Using the CLI On privileged EXEC mode or any other configuration mode you can use the following command to view the memory utilization show memory utilization View the current memory utilization of the switch The following example shows how to monitor the memory Switch show memory u...

Page 974: ...Monitoring the System Monitoring the Memory User Guide 945 Unit Current Memory Utilization 1 74 ...

Page 975: ...Part 33 Monitoring Traffic CHAPTERS 1 Traffic Monitor 2 Appendix Default Parameters ...

Page 976: ...eps to view the traffic summary of each port 1 To get the real time traffic summary enable Auto Refresh or click Refresh Auto Refresh With this option enabled the switch will automatically refresh the traffic summary Refresh Interval Specify the time interval for the switch to refresh the traffic summary 2 In the Traffic Summary section click UNIT1 to show the information of the physical ports and...

Page 977: ... packets are not counted Octets Rx Displays the number of octets received on the port Error octets are counted Octets Tx Displays the number of octets transmitted on the port Error octets are counted To view a port s traffic statistics in detail click Statistics on the right side of the entry Figure 1 2 Traffic Statistics ...

Page 978: ...or packets that are less than 64 bytes long 64 Octets Packets Displays the number of the received packets including error packets that are 64 bytes long 65 to 127 Octects Packets Displays the number of the received packets including error packets that are between 65 and 127 bytes long 128 to 255 Octects Packets Displays the number of the received packets including error packets that are between 12...

Page 979: ...ticast packets transmitted on the port Error frames are not counted Unicast Displays the number of valid unicast packets transmitted on the port Error frames are not counted Pkts Displays the number of packets transmitted on the port Error packets are not counted Bytes Displays the number of bytes transmitted on the port Error packets are not counted Collisions Displays the number of collisions ex...

Page 980: ...mbo packets received on the port Error frames are not counted Rx Alignment Displays the number of the received packets that have a Frame Check Sequence FCS with a non integral octet Alignment Error The size of the packet is between 64 bytes and 1518 bytes Rx UnderSize Displays the number of the received packets excluding error packets that are less than 64 bytes long Rx 64Pkts Displays the number ...

Page 981: ...de 952 Monitoring Traffic Appendix Default Parameters 2Appendix Default Parameters Table 2 1 Traffic Statistics Monitoring Parameter Default Setting Traffic Summary Auto Refresh Disabled Refresh Rate 10 seconds ...

Page 982: ...Part 34 Mirroring Traffic CHAPTERS 1 Mirroring 2 Configuration Examples 3 Appendix Default Parameters ...

Page 983: ...specified sources ports LAGs or the CPU to a destination port It does not affect the switching of network traffic on source ports LAGs or the CPU 1 1 Using the GUI Choose the menu MAINTENANCE Mirroring to load the following page Figure 1 1 Port Mirroring Session List The above page displays a mirroring session and no more session can be created Click Edit to configure this mirroring session on the...

Page 984: ...ed UNIT1 Select the desired ports as the source interfaces The switch will send a copy of traffic passing through the port to the destination port LAGS Select the desired LAGs as the source interfaces The switch will send a copy of traffic passing through the LAG members to the destination port CPU When selected the switch will send a copy of traffic passing through the CPU to the destination port...

Page 985: ...rts or LAGs as the monitored interfaces session_num The monitor session number It can only be specified as 1 cpu_number The CPU number It can only be specified as 1 port list List of source ports It is multi optional mode The monitor mode There are three options rx tx and both rx The incoming packets of the source port will be copied to the destination port tx The outgoing packets of the source po...

Page 986: ... 0 1 3 both Switch config monitor session 1 source cpu 1 both Switch config show monitor session Monitor Session 1 Destination Port Gi1 0 10 Source Ports Ingress Gi1 0 1 3 Source Ports Egress Gi1 0 1 3 Source CPU Ingress cpu1 Source CPU Egress cpu1 Switch config if end Switch copy running config startup config ...

Page 987: ...s requirement you can use Mirroring feature to copy the packets from ports 1 0 2 5 to port 1 0 1 The overview of configuration is as follows 1 Specify ports 1 0 2 5 as the source ports allowing the switch to copy the packets from the hosts 2 Specify port 1 0 1 as the destination port so that the network analyzer can receive mirrored packets from the hosts Demonstrated with T2600G 28TS the followin...

Page 988: ... section select ports 1 0 2 5 as the source ports and enable Ingress and Egress to allow the received and sent packets to be copied to the destination port Then click Apply Figure 2 4 Source Port Configuration 4 Click to save the settings 2 4 Using the CLI Switch configure Switch config monitor session 1 destination interface gigabitEthernet 1 0 1 Switch config monitor session 1 source interface g...

Page 989: ...uide 960 Mirroring Traffic Configuration Examples Verify the Configuration Switch show monitor session 1 Monitor Session 1 Destination Port Gi1 0 1 Source Ports Ingress Gi1 0 2 5 Source Ports Egress Gi1 0 2 5 ...

Page 990: ...dix Default Parameters User Guide 961 3Appendix Default Parameters Default settings of Switching are listed in th following tables Table 3 1 Configurations for Ports Parameter Default Setting Ingress Disabled Egress Disabled ...

Page 991: ...Part 35 Configuring sFlow Only for Certain Devices CHAPTERS 1 Overview 2 sFlow Configuration 3 Configuration Example 4 Appendix Default Parameters ...

Page 992: ...m consists of an sFlow Agent and an sFlow Collector sFlow Agent The sFlow Agent is embedded in a switch or router or in a standalone probe It uses sampling technology to capture traffic statistics from the device it is monitoring and packages the sampled data into sFlow datagrams sFlow datagrams are used to immediately forward the sampled data to an sFlow Collector for analysis The switch provides...

Page 993: ...ors refer to https sflow org 2 1 Using the GUI 2 1 1 Configuring the sFlow Agent Choose the menu MAINTENANCE sFlow sFlow Agent to load the following page Figure 2 1 Configuring the sFlow Agent Follow these steps to configure the sFlow Agent 1 Enable the sFlow function specify the sFlow Agent IP address sFlow Agent Enable or disable sFlow Agent When enabled the switch acts as an sFlow Agent Agent A...

Page 994: ...address of the host that runs the sFlow Collector Collector Port Specify the UDP port number for the sFlow collector The default is port 6343 Maximum Datagram Size Specify the maximum number of data bytes that can be sent in a single sample datagram Valid values are from 300 to 1400 bytes and the default is 300 bytes Timeout s Specify the aging time after which the sFlow Collector will become inva...

Page 995: ... Specify the ingress sampling frequency the sampler takes one packet out of the specified number of packets Valid values are from 1024 to 65535 The default is 0 which means no packets will be sampled Egress Sampling Rate Hz Specify the egress sampling frequency the sampler takes one packet out of the specified number of packets Valid values are from 1024 to 65535 The default is 0 which means no pa...

Page 996: ...alues are from 0 to 2000000 seconds the default is 0 which means the collector is always valid Step 5 interface fastEthernet port range fastEthernet port list gigabitEthernet port range gigabitEthernet port list ten gigabitEthernet port range ten gigabitEthernet port list Configure the sampler on the specified ports port port list The number or the list of the Ethernet ports that you want to monit...

Page 997: ...0 Set the sFlow agent IP address as 192 168 0 1 the sFlow collector IP address 1 as 192 168 0 100 configure Gigabit Ethernet port 1 as the sFlow sampler the Collector ID as 1 and the ingress rate as 1024 Switch configure Switch config sflow address 192 168 0 1 Switch config sflow enable Switch config sflow collector collector ID 1 ip 192 168 0 100 Switch config sflow collector collector ID 1 port ...

Page 998: ... Certain Devices sFlow Configuration User Guide 969 Port Collector IngRate EgRate MaxHeader LAG Gi1 0 1 1 1024 0 128 N A Gi1 0 2 0 0 0 128 N A Gi1 0 3 0 0 0 128 N A Switch config if end Switch copy running config startup config ...

Page 999: ...nt that collects traffic data on port 1 0 1 and configure an sFlow Collector on the PC to process sFlow packets and display results Demonstrated with T2600G 28TS this chapter provides configuration procedures in two ways using the GUI and Using the CLI 3 3 Using the GUI 1 Choose the menu MAINTENANCE sFlow sFlow Agent to load the following page Enable sFlow Agent set the switch IP address 192 168 0...

Page 1000: ...ollowing page Select Collector 1 for port 1 0 1 set the ingress rate as 1024 then click Apply Figure 3 4 Configuring sFlow Sampler 4 Click to save the settings 3 4 Using the CLI 1 Configure the sFlow Agent Switch configure Switch config sflow address 192 168 0 26 Switch config sflow enable 2 Configure the sFlow collector Switch config sflow collector collector ID 1 ip 192 168 0 27 ...

Page 1001: ...up config Verify the Configurations Verify the configuration of global sFlow Switch show sflow global sFlow Status Enable Agent Address 192 168 0 26 sFlow Version v5 Verify the configuration of sFlow collector Switch show sflow collector Collector Col IP Col Port MaxData Timeout Lifetime Description 1 192 168 0 27 6343 300 0 0 2 0 0 0 0 6343 300 0 0 3 0 0 0 0 6343 300 0 0 4 0 0 0 0 6343 300 0 0 Ve...

Page 1002: ...4 1 Default Settings of sFlow Parameter Default Setting sFlow Agent sFlow Agent Disabled Agent Address 0 0 0 0 sFlow Version 5 sFlow Collector Collector IP 0 0 0 0 Collector Port 6343 Maximum Datagram Size 300 bytes Timeout s 0 sFlow Sampler Collector ID 0 indicates sampling feature is disabled on the port Ingress Sampling Rate Hz 0 Egress Sampling Rate Hz 0 Maximum Header Size Bytes 128 ...

Page 1003: ...Part 36 Configuring OAM CHAPTERS 1 Ethernet OAM 2 Ethernet OAM Configurations 3 Viewing OAM Statistics 4 Configuration Example 5 Appendix Default Parameters ...

Page 1004: ...on OAMPDU The Information OAMPDU is used to send state information such as local information remote information and user defined information to the remote OAM entity for maintaining OAM connection Event Notification OAMPDU The Event Notification OAMPDU is used for the Link Monitoring feature The local OAM entity can use the Event Notification OAMPDU to notify the remote OAM entity that a fault has...

Page 1005: ...ation RFI and Remote Loopback Link Monitoring Link Monitoring is for monitoring link performance under various circumstances When problems are detected on the link the OAM entity will send its remote peer the Event Notification OAMPDUs to report link events The link events are described as follows Table 1 1 OAM Link Events OAM Link Events Definition Error Symbol Period An Error Symbol Period event...

Page 1006: ...MPDU 2 Information OAMPDU 4 Non OAMPDUs back from B to A 6 Information OAMPDU Switch A Switch B Gi 1 0 1 Active mode Gi 1 0 1 Passive mode As the above figure shows the OAM connection has been established between the two entities The OAM entity on Switch A is in active mode and that on Switch B is in passive mode The working mechanism of Remote Loopback is as follows 1 Switch A sends a Loopback Co...

Page 1007: ...Loopback Control OAMPDU to disable the remote loopback mode on Switch B 6 Switch B receives the Loopback Control OAMPDU and exits remote loopback mode Besides Switch B sends an Information OAMPDU to inform its state updating TP Link switches can act as Switch A and initiate Remote Loopback request ...

Page 1008: ...cording to your needs Link Monitoring Remote Failure Indication RFI Remote Loopback 3 View the OAM status on the port 2 1 Using the GUI 2 1 1 Enabling OAM and Configuring OAM Mode Choose the menu MAINTENANCE Ethernet OAM Basic Config Basic Config to load the following page Figure 2 1 Basic Configuration Follow these steps to complete the basic OAM configuration 1 Select one or more ports configure...

Page 1009: ...onnection cannot be established between two ports in passive mode Make sure that at least one side is in active mode Status Enable or disable OAM on the port By default it is disabled 2 Click Apply 2 1 2 Configuring Link Monitoring Choose the menu MAINTENANCE Ethernet OAM Link Monitoring Link Monitoring to load the following page Figure 2 2 Configure Link Monitoring Follow these steps to configure...

Page 1010: ... from 1 to 4294967295 and the default value is 1 Threshold Error Frames If you select Error Frame or Error Frame Period as the link event type specify the threshold of error frames within a specific period of time or in specific number of received frames Valid error frame values are from 1 to 4294967295 and the default value is 1 Threshold Error Seconds If you select Error Frame Seconds as the lin...

Page 1011: ...the Dying Gasp Notification and Critical Event Notification features Dying Gasp Notification With Dying Gasp Notification enabled if the switch detects an unrecoverable fault on the network it will report this condition locally and send Information OAMPDU to notify the peer Critical Event Notification With Critical Event Notification enabled if the switch detects an unspecified critical event occu...

Page 1012: ... 1 Select one or more ports and configure the relevant options Received Remote Loopback Choose to ignore or to process the received remote loopback requests Remote Loopback Start or stop the remote loopback process The port to be configured should be in active mode and has established OAM connection with the peer Start Request the remote peer to start the OAM remote loopback mode Stop Request the ...

Page 1013: ... load the following page Figure 2 5 View OAM Status Select a port to view whether the OAM connection is established with the peer Additionally you can view the OAM information of the local and the remote entities The OAM information of the local entity is as follows OAM Status Displays whether OAM is enabled Mode Displays the OAM mode of the local entity ...

Page 1014: ...ocalAndRemote The local port has discovered the peer but has not yet accepted or rejected the configuration of the peer SendLocalAndRemoteOK The local device agrees the OAM peer entity PeeringLocallyRejected The local OAM entity rejects the remote peer OAM entity PeeringRemotelyRejected The remote OAM entity rejects the local device NonOperHalfDuplex Ethernet OAM is enabled but the port is in half...

Page 1015: ...al configuration mode Step 2 interface fastEthernet port range fastEthernet port list gigabitEthernet port range gigabitEthernet port list ten gigabitEthernet port range ten gigabitEthernet port list Enter interface configuration mode Step 3 ethernet oam Enable OAM on the port Step 4 ethernet oam mode passive active Configure the OAM mode of the port passive Specify the OAM mode as passive The por...

Page 1016: ...assive Switch config if end Switch copy running config startup config 2 2 2 Configuring Link Monitoring With Link Monitoring the following link events can be reported Error Symbol Period Error Frame Error Frame Period Error Frame Seconds Configuring Error Symbol Period Event An Error Symbol Period event occurs if the number of symbol errors exceeds the defined threshold within a specific period of...

Page 1017: ... default it is enabled Step 4 show ethernet oam configuration interface fastEthernet port port list interface gigabitEthernet port port list interface ten gigabitEthernet port port list Verify the OAM configuration Step 5 end Return to privileged EXEC mode Step 6 copy running config startup config Save the settings in the configuration file The following example shows how to enable Error Frame eve...

Page 1018: ...ndow Specify the time period in units of 100ms for example 2 refers to 200ms in which if the number of received errors exceeds the threshold a link event will be generated Valid values are from 10 100 to 600 100 ms and the default value is 10 100 ms disable enable Enable or disable notifications to report the link event By default it is enabled Step 4 show ethernet oam configuration interface fast...

Page 1019: ...rnet port list Enter interface configuration mode Step 3 ethernet oam link monitor frame period threshold threshold window window notify disable enable Configure the relevant parameters of Error Frame Period threshold Specify the threshold of received symbol errors in specific number of received frames Valid values are from 1 to 4294967295 and the default value is 1 window Specify the number of fr...

Page 1020: ...t 1 0 1 Gi1 0 1 Frame Period Error Notify State Enabled Window 1488100 Frames Threshold 1 Error Frame Switch config if end Switch copy running config startup config Configuring Error Frame Seconds Event An Error Frame Seconds event occurs if the number of error frame seconds exceeds the threshold within a specific period of time A second is called an error frame second if error frames occur in the...

Page 1021: ...ow ethernet oam configuration interface fastEthernet port port list interface gigabitEthernet port port list ten gigabitEthernet port port list Verify the OAM configuration Step 5 end Return to privileged EXEC mode Step 6 copy running config startup config Save the settings in the configuration file The following example shows how to enable Error Frame Seconds notification and configure the thresh...

Page 1022: ...to notify the peer critical event Enable Critical Event Notification and if the switch detects an unspecified critical event occurs it will send Information OAMPDU to notify the peer disable enable Enable or disable notification to report the link events Step 4 show ethernet oam configuration interface fastEthernet port port list interface gigabitEthernet port port list ten gigabitEthernet port po...

Page 1023: ... or to process the received remote loopback request Step 4 ethernet oam remote loopback start stop Request the remote peer to start or stop the OAM remote loopback mode The port to be configured here should be in active mode that has established OAM connection with the peer Step 5 show ethernet oam configuration interface fastEthernet port port list interface gigabitEthernet port port list ten gig...

Page 1024: ...AMPDU Remote Loopback Displays whether the local entity supports Remote Loopback Unidirection Displays whether the local entity supports Unidireciton Link Monitoring Displays whether the local entity supports Link Monitoring Variable Request Displays whether the local entity supports Variable Request PDU Revision Displays the PDU Revision of the local entity Operation Status Displays the status of...

Page 1025: ... mode of the local entity MAC Address Displays the MAC address of the remote entity Vendor OUI Displays the Vendor s OUI of the remote entity Max OAMPDU Displays the maximum size of OAMPDU Remote Loopback Displays whether the remote entity supports Remote Loopback Unidirection Displays whether the remote entity supports Unidireciton Link Monitoring Displays whether the remote entity supports Link ...

Page 1026: ...peration Status Operational Loopback Status No Loopback Remote Client Mode Passive MAC Address 18 A6 F7 DB 63 81 Vendor OUI 000aeb Max OAMPDU 1518 Bytes Remote Loopback Supported Unidirection Not Supported Link Monitoring Supported Variable Request Not Supported PDU Revision 1 Loopback Status No Loopback Vendor Information 00000000 ...

Page 1027: ...ing OAMPDUs Choose the menu MAINTENANCE Ethernet OAM Statistics OAMPDUs Statistics to load the following page Figure 3 1 OAMPDUs Statistics Select a port and view the number of different OAMPDUs transmitted and received on it Tx Displays the number of OAMPDUs that have been transmitted on the port Rx Displays the number of OAMPDUs that have been received on the port ...

Page 1028: ...e Request OAMPDUs that have been transmitted or received on the port Variable Response OAMPDUs Displays the number of Variable Response OAMPDUs that have been transmitted or received on the port Loopback Control OAMPDUs Displays the number of Loopback Control OAMPDUs that have been transmitted or received on the port Organization Specific OAMPDUs Displays the number of Organization Specific OAMPDU...

Page 1029: ... Error Symbol Period Events Displays the number of error symbol period link events that have occurred on the local link or remote link Error Frame Events Displays the number of error frame link events that have occurred on the local link or remote link Error Frame Period Events Displays the number of error frame period link events that have occurred on the local link or remote link Error Frame Sec...

Page 1030: ...XEC mode or any other configuration mode you can use the following command to view the number of OAMPDUs received and sent on the specified port show ethernet oam statistics interface fastEthernet port port list interface gigabitEthernet port port list ten gigabitEthernet port port list View the number of different OAMPDUs transmitted and received on the specified port including Information OAMPDU...

Page 1031: ...ent Notification OAMPDU RX 0 Loopback Control OAMPDU TX 1 Loopback Control OAMPDU RX 0 Variable Request OAMPDU TX 0 Variable Request OAMPDU RX 0 Variable Response OAMPDU TX 0 Variable Response OAMPDU RX 0 Organization Specific OAMPDUs TX 0 Organization Specific OAMPDUs RX 0 Unsupported OAMPDU TX 0 Unsupported OAMPDU RX 0 Frames Lost Due To OAM 0 ...

Page 1032: ...bol Event Displays the number of error symbol period link events that have occurred on the local link or remote link Error Frame Event Displays the number of error frame link events that have occurred on the local link or remote link Error Frame Period Event Displays the number of error frame period link events that have occurred on the local link or remote link Error Frame Seconds Event Displays ...

Page 1033: ... Error Frame Event 0 Error Frame Period Event 0 Error Frame Seconds Event 0 Dying Gasp 0 Critical Event 0 Remote Event Statistics Error Symbol Event 0 Error Frame Event 0 Error Frame Period Event 0 Error Frame Seconds Event 0 Dying Gasp 0 Critical Event 1 ...

Page 1034: ...d reported with Remote Failure Indication the link failure can be monitored and reported The overview of configuration is as follows 1 Enable OAM and configure the OAM mode for port 1 0 1 on each switch Here we configure OAM mode of the port on Switch A as active and that on switch B as passive 2 Configure Link Monitoring for port 1 0 1 on each switch 3 Configure Remote Failure Indication for port...

Page 1035: ...t OAM Link Monitoring to load the following page Select each Link Event type and configure the relevant parameters on port 1 0 1 Make sure that Event Notification is enabled and specify the threshold and window according to your needs Here we keep the default parameters Click Apply Figure 4 3 Link Monitoring Configuration ...

Page 1036: ...ying Gasp Notification and Critical Event Notification Click Apply Figure 4 4 Remote Failure Indication Configuration 4 Choose the menu MAINTENANCE Ethernet OAM Basic Config Discovery Info to load the following page Select port 1 0 1 to check the OAM status When the connection status becomes Operational it indicates that OAM connection has been established and OAM works normally ...

Page 1037: ...OAM Configuration Example Figure 4 5 Discovery Infomation 5 Click to save the settings 6 Choose the menu MAINTENANCE Ethernet OAM Statistics Event Log to load the following page Select port 1 0 1 to view the event logs on the port ...

Page 1038: ...e threshold and window as the default Switch_A config if ethernet oam link monitor symbol period notify enable Switch_A config if ethernet oam link monitor frame period notify enable Switch_A config if ethernet oam link monitor frame notify enable Switch_A config if ethernet oam link monitor frame seconds notify enable 3 Configure Remote Failure Indication on the port Enable Dying Gasp Notificatio...

Page 1039: ...ation Verify the configuration of OAM Switch_A show ethernet oam configuration interface gigabitEthernet 1 0 1 Gi1 0 1 OAM Enabled Mode Active Dying Gasp Enabled Critical Event Enabled Remote Loopback OAMPDU Not Processed Symbol Period Error Notify State Enabled Window 1000 milliseconds Threshold 1 Error Symbol Frame Error Notify State Enabled Window 1000 milliseconds Threshold 1 Error Frame Frame...

Page 1040: ...t 1 0 1 Gi1 0 1 Local Client OAM Enabled Mode Active Max OAMPDU 1518 Bytes Remote Loopback Supported Unidirection Not Supported Link Monitoring Supported Variable Request Not Supported PDU Revision 2 Operation Status Operational Loopback Status No Loopback Remote Client Mode Passive MAC Address 18 A6 F7 DB 63 81 Vendor OUI 000aeb Max OAMPDU 1518 Bytes Remote Loopback Supported Unidirection Not Sup...

Page 1041: ...interface gigabitEthernet 1 0 1 Gi1 0 1 Event Listing Type Location Time Stamp Critical Event Remote 2016 01 01 08 08 00 Local Event Statistics Error Symbol Event 0 Error Frame Event 0 Error Frame Period Event 0 Error Frame Seconds Event 0 Dying Gasp 0 Critical Event 0 Remote Event Statistics Error Symbol Event 0 Error Frame Event 0 Error Frame Period Event 0 Error Frame Seconds Event 0 Dying Gasp...

Page 1042: ...eriod Threshold 1 error symbol Window 10 100 ms Event Notification Enabled Error Frame Threshold 1 error frame Window 10 100 ms Event Notification Enabled Error Frame Period Threshold 1 error frame Window 1488100 frames Event Notification Enabled Error Frame Seconds Threshold 1 error second Window 600 100 ms Event Notification Enabled Remote Failure Indication Dying Gasp Notification Enabled Criti...

Page 1043: ...Part 37 Configuring DLDP CHAPTERS 1 Overview 2 DLDP Configuration 3 Appendix Default Parameters ...

Page 1044: ...whether a unidirectional link exists A unidirectional link occurs whenever traffic sent by a local device is received by its peer device but traffic from the peer device is not received by the local device Unidirectional links can cause a variety of problems such as spanning tree topology loops Once detecting a unidirectional link DLDP can shut down the related port automatically or inform users ...

Page 1045: ...nected to a DLDP incapable port of another switch To detect unidirectional links make sure DLDP is enabled on both sides of the links 2 1 Using the GUI Choose the menu MAINTENANCE DLDP to load the following page Figure 2 1 Configure DLDP Follow these steps to configure DLDP 1 In the Global Config section enable DLDP and configure the relevant parameters Click Apply ...

Page 1046: ... Config section select one or more ports enable DLDP and click Apply Then you can view the relevant DLDP information in the table DLDP Enable or disable DLDP on the port Protocol State Displays the DLDP protocol state Initial DLDP is disabled Inactive DLDP is enabled but the link is down Active DLDP is enabled and the link is up or the neighbor entries in this device are empty Advertisement No uni...

Page 1047: ... is the default setting manual The switch displays an alert when a unidirectional link is detected Then the users can manually shut down the unidirectional link ports Step 4 interface fastEthernet port range fastEthernet port list gigabitEthernet port range gigabitEthernet port list ten gigabitEthernet port range ten gigabitEthernet port list Enter interface configuration mode Step 5 dldp Enable D...

Page 1048: ...tch config end Switch copy running config startup config The following example shows how to enable DLDP on port 1 0 1 Switch configure Switch config interface gigabitEthernet 1 0 1 Switch config if dldp Switch config if show dldp interface Port DLDP State Protocol State Link State Neighbor State Gi1 0 1 Enable Inactive Link Down N A Gi1 0 2 Disable Initial Link Down N A Switch config if end Switch...

Page 1049: ...ameters Default settings of DLDP are listed in the following table Table 3 1 Default Settings of DLDP Parameter Default Setting Global Config DLDP State Disabled Advertisement Interval 5 seconds Shut Mode Auto Auto Refresh Disabled Refresh Interval 3 seconds Port Config DLDP Disabled ...

Page 1050: ...Part 38 Configuring SNMP RMON CHAPTERS 1 SNMP 2 SNMP Configurations 3 Notification Configurations 4 RMON 5 RMON Configurations 6 Configuration Example 7 Appendix Default Parameters ...

Page 1051: ...Figure 1 1 SNMP System SNMP Agent Get or set MIB objects values Respond or send notifications SNMP Manager Host Running NMS Application Managed Device MIB 1 2 Basic Concepts The following basic concepts of SNMP will be introduced SNMP manager SNMP agent MIB Management Information Base SNMP entity SNMP engine Notification types and SNMP version SNMP Manager The SNMP manager uses SNMP to monitor and...

Page 1052: ...nizations Vendors can define private branches that include managed objects for their own products Figure 1 2 MIB Tree root iso 1 iso itu t 2 enterprise 1 tplink 11863 itu t 0 standard 0 dod 6 internet 1 directory 1 security 5 snmpv2 6 mgmt 2 mib 2 1 private 4 registration authority 1 member body 2 identified organization 3 1 3 6 1 4 1 11863 experimental 3 TP Link switches provide private MIBs that...

Page 1053: ...ies we can also use the engine ID to uniquely identify the SNMP entity within that administrative domain Notification Types Notifications are messages that the switch sends to the NMS host when important events occur Notifications facilitate the monitoring and management of the NMS There are two types of notifications Trap When the NMS host receives a Trap message it will not send a response to th...

Page 1054: ... Application Scenario SNMPv1 SNMPv1 is applicable to small scale networks with simple networking good stability and low security requirements such as campus networks and small enterprise networks SNMPv2c SNMPv2c is applicable to medium and large scale networks with low security requirements or are already secure enough like VPN networks and heavy traffic The added feature Inform helps to ensure th...

Page 1055: ...ccess rights Choose SNMPv3 1 Enable SNMP 2 Create an SNMP view for managed objects 3 Create an SNMP group and specify the security level and accessible view 4 Create SNMP users and configure the authentication mode privacy mode and corresponding passwords 2 1 Using the GUI 2 1 1 Enabling SNMP Choose the MAINTENANCE SNMP Global Config to load the following page Figure 2 1 Configuring Global Paramet...

Page 1056: ... engine on the remote device that receives Inform messages from the switch 2 Click Apply Note In SNMPv3 changing the value of the SNMP engine ID has important side effects A user s password is converted to an MD5 or SHA security digest based on the password itself and the engine ID If the value of local engine ID changes the switch will automatically delete all SNMPv3 local users as their security...

Page 1057: ...D to specify a specific function of the device When a MIB Object ID is specified all its child Object IDs are specified For specific ID rules refer to the device related MIBs 2 Click Create 2 1 3 Creating SNMP Communities For SNMP v1 v2c Choose the menu MAINTENANCE SNMP SNMP v1 v2c and click to load the following page Figure 2 4 Creating an SNMP Community Follow these steps to create an SNMP commu...

Page 1058: ...then set the security level and the read view write view and notify view Group Name Set the SNMP group name using 1 to 16 characters The identifier of a group consists of a group name security model and security level Groups of the same identifier are recognized as being in the same group Security Model Displays the security model SNMPv3 uses v3 the most secure model Security Level Set the securit...

Page 1059: ...ser type as well as the group which the user belongs to Then configure the security level User Name Set the SNMP user name using 1 to 16 characters For different entries user names cannot be the same User Type Choose a user type based on the location of the user Local User The user resides on the local engine which is the SNMP agent of the switch Remote User The user resides on the NMS Before conf...

Page 1060: ... the security level you need to set corresponding Authentication Mode or Privacy Mode If not skip this step Authentication Mode With AuthNoPriv or AuthPriv selected configure the authentication mode and password for authentication Two authentication modes are provided MD5 Enable the HMAC MD5 algorithm for authentication SHA Enable the SHA Secure Hash Algorithm algorithm for authentication SHA algo...

Page 1061: ...he SNMP engine on the remote device that receives inform messages from switch Note In SNMPv3 changing the value of the SNMP engine ID has important side effects A user s password is converted to an MD5 or SHA security digest based on the password itself and the engine ID If the value of local engine ID changes the switch will automatically delete all SNMPv3 local users as their security digests be...

Page 1062: ... output 0 Too big errors Maximum packet size 1500 0 No such name errors 0 Bad value errors 0 General errors 0 Response PDUs 0 Trap PDUs Switch config show snmp server engineID Local engine ID 80002e5703000aeb13a23d Remote engine ID 123456789a Switch config end Switch copy running config startup config 2 2 2 Creating an SNMP View Specify the OID Object Identifier of the view to determine objects to...

Page 1063: ...objects of the view cannot be managed by the NMS Step 3 show snmp server view Displays the view table Step 4 end Return to Privileged EXEC Mode Step 5 copy running config startup config Save the settings in the configuration file The following example shows how to set a view to allow the NMS to manage all function Name the view as View Switch configure Switch config snmp server view View 1 include...

Page 1064: ...ommunity entries Step 4 end Return to Privileged EXEC Mode Step 5 copy running config startup config Save the settings in the configuration file The following example shows how to set an SNMP community Name the community as the nms monitor and allow the NMS to view and modify parameters of View Switch configure Switch config snmp server community nms monitor read write View Switch config show snmp...

Page 1065: ...tes an authentication algorithm and a privacy algorithm are applied to check and encrypt packets read view Set the view to be the Read view Then the NMS can view parameters of the specified view write view Set the view to be the Write view Then the NMS can modify parameters of the specified view Note that the view in the Write view should also be in the Read view notify view Set the view to be the...

Page 1066: ...onfigure the security level as noAuthNoPriv For this level no authentication algorithm but a user name match is applied to check packets and no privacy algorithm is applied to encrypt them To create a user with the security level as AuthNoPriv snmp server username local remote group name smode v3 slev authNoPriv cmode MD5 SHA cpwdconfirm pwd authNoPriv Configure the security level as authNoPriv Fo...

Page 1067: ...nms1 The security settings are as Table 2 1 Table 2 1 Security Settings for the User Parameter Value Security Level v3 Authentication Mode SHA Authentication Password 1234 Privacy Mode DES Privacy Password 5678 Switch configure Switch config snmp server user admin remote nms1 smode v3 slev authPriv cmode SHA cpwd 1234 emode DES epwd 5678 Switch config show snmp server user No U Name U Type G Name ...

Page 1068: ... hosts 2 Enable SNMP traps Configuration Guidelines To guarantee the communication between the switch and the NMS ensure the switch and the NMS can reach one another 3 1 Using the GUI 3 1 1 Configuring the Information of NMS Hosts Choose the menu MAINTENANCE SNMP Notification Notification Config and click to load the following page Figure 3 1 Adding an NMS Host Follow these steps to add an NMS hos...

Page 1069: ...type based on the SNMP version If you choose the Inform type you need to set retry times and timeout interval Type Choose a notification type for the NMS host For SNMPv1 the supported type is Trap For SNMPv2c and SNMPv3 you can configure the type as Trap or Inform Trap The switch will send Trap messages to the NMS host when certain events occur When the NMS host receives a Trap message it will not...

Page 1070: ...ns unchanged For a switch running SNMP the trap can be triggered if you disable and then enable SNMP without changing any parameters Link Status Enable or disable Link Status Trap globally The trap includes the following two sub traps Linkup Trap Indicates that a port status changes from linkdown to linkup Linkdown Trap Indicates that a port status changes from linkup to linkdown Link Status Trap ...

Page 1071: ...her than what you have set LLDP The trap includes the following sub traps LLDP RemTablesChange Indicates that the switch senses an LLDP topology change The trap can be triggered when adding or removing a remote device and when the information of some remote devices is aged out or cannot be stored into the switch because of insufficient resources This trap can be used by an NMS to trigger LLDP remo...

Page 1072: ...n illegal ARP packet or the IPv4 Source Guard feature is enabled and the switch receives an illegal IP packet IP Duplicate Triggered when the switch detects an IP conflict DHCP Filter Triggered when the DHCPv4 Filter feature is enabled and the switch receives DHCP packets from an illegal DHCP server DDM Temperature Monitors the temperature of SFP modules inserted into the SFP ports on the switch T...

Page 1073: ...nter Monitors matched ACL information including the matched ACL ID rule ID and the number of the matched packets With both this trap and the Logging feature in the ACL rule settings enabled the switch will check the matched ACL information every five minutes and send SNMP traps if there is any updated information 2 Click Apply 3 2 Using the CLI 3 2 1 Configuring the NMS Host Configure parameters o...

Page 1074: ... Choose a notification type for the NMS host For SNMPv1 the supported type is Trap For SNMPv2c and SNMPv3 you can configure the type as Trap or Inform Trap The switch will send Trap messages to the NMS host when certain events occur When the NMS host receives a Trap message it will not send a response to the switch Thus the switch cannot tell whether a message is received or not and the messages t...

Page 1075: ... inform retries 3 timeout 100 Switch config show snmp server host No Des IP UDP Name SecMode SecLev Type Retry Timeout 1 172 16 1 222 162 admin v3 authPriv inform 3 100 Switch config end Switch copy running config startup config 3 2 2 Enabling SNMP Traps The switch supports many types of SNMP traps like SNMP standard traps ACL traps and VLAN traps and the corresponding commands are different With ...

Page 1076: ...are enabled both globally and on all ports which means that the traps will be triggered when a device is connected to or disconnected from any port of the switch If you do not want to receive notification messages about some specific ports disable the traps on those ports warmstart Indicates that the SNMP entity is reinitializing itself with its configurations unchanged For a switch running SNMP t...

Page 1077: ... topology change of media endpoints The trap can be triggered when adding or removing a media endpoint that supports LLDP such as an IP Phone An LLDP Remtableschange trap will be also triggered every time LLDP Topologychange trap is triggered loopback detection Triggered when the Loopback Detection feature is enabled and a loopback is detected or cleared storm control Monitors whether the storm ra...

Page 1078: ...d the warning or alarm threshold bias_current Monitors the bias current of SFP modules inserted into the SFP ports on the switch The trap can be triggered when the bias current of any SFP module has reached the warning or alarm threshold tx_power Monitors the TX Power of SFP modules inserted into the SFP ports on the switch The trap can be triggered when the TX Power of any SFP module has reached ...

Page 1079: ...onfig Enabling the SNMP Security Traps Globally Step 1 configure Enter Global Configuration Mode Step 2 snmp server traps security dhcp filter ip mac binding Enable the corresponding security traps By default all security traps are disabled dhcp filter Triggered when the DHCPv4 Filter feature is enabled and the switch receives DHCP packets from an illegal DHCP server ip mac binding Triggered when ...

Page 1080: ...Privileged EXEC Mode Step 4 copy running config startup config Save the settings in the configuration file The following example shows how to configure the switch to enable ACL trap Switch configure Switch config snmp server traps acl Switch config end Switch copy running config startup config Enabling the IP Traps Globally Step 1 configure Enter Global Configuration Mode Step 2 snmp server traps ...

Page 1081: ... when the total power required by the connected PDs exceeds the maximum power the PoE switch can supply port pwr deny Triggered when the switch powers off PDs on low priority PoE ports The switch powers off them to ensure stable running of the other PDs when the total power required by the connected PDs exceeds the system power limit port pwr over 30w Triggered when the power required by the conne...

Page 1082: ... 5 indicates port 1 2 3 5 Step 3 snmp server traps link status Enable Link Status Trap for the port By default it is enabled Link Status Trap including Linkup Trap and Linkdown Trap can be triggered when the link status of a port changes and the trap is enabled both globally and on the port To enable Linkup Trap and Linkdown Trap globally run the command snmp server traps snmp linkup linkdown in G...

Page 1083: ...nt to a host Based on SNMP protocol the NMS collects network data by communicating with Agents However the NMS cannot obtain every datum of RMON MIB because the device resources are limited Generally the NMS can only get information of the following four groups Statistics History Event and Alarm Statistics Collects Ethernet statistics like the total received bytes the total number of broadcast pac...

Page 1084: ...ng the Statistics Group Choose the menu MAINTENANCE SNMP RMON Statistics and click to load the following page Figure 5 1 Creating a Statistics Entry Follow these steps to configure the Statistics group 1 Specify the entry index the port to be monitored and the owner name of the entry Set the entry as Valid or Under Creation Index Enter the index of the entry Port Specify an Ethernet port to be mon...

Page 1085: ... History group 1 Select a History entry and specify a port to be monitored Index Displays the index of History entries The switch supports up to 12 History entries Port Specify a port to be monitored 2 Set the sample interval and the maximum buckets of History entries Interval seconds Specify the number of seconds in each polling cycle Valid values are from 10 to 3600 seconds Every history entry h...

Page 1086: ...g Event Group Choose the menu MAINTENANCE SNMP RMON Event to load the following page Figure 5 3 Configuring the Event Entry Follow these steps to configure the Event group 1 Choose an Event entry and specify an SNMP User for the entry Index Displays the index of Event entries The switch supports up to 12 Event entries User Choose an SNMP user name or community name for the entry Only the specified...

Page 1087: ...otifications to the NMS 3 Enter the owner name and set the status of the entry Click Apply Owner Enter the owner name of the entry with 1 to 16 characters Status Enable or disable the entry Enable The entry is enabled Disable The entry is disabled 5 1 4 Configuring Alarm Group Before you begin complete configurations of Statistics entries and Event entries because the Alarm entries must be associa...

Page 1088: ...256 511 512 1023 1024 1518 Total number of packets of the specified size Statistics Associate the Alarm entry with a Statistics entry Then the switch monitors the specified variable of the Statistics entry 2 Set the sample type the rising and falling threshold the corresponding event entries and the alarm type of the entry Sample Type Specify the sampling method of the specified variable Absolute ...

Page 1089: ...he entry Rising The alarm is triggered only when the sampling value or the difference value exceeds the rising threshold Falling The alarm is triggered only when the sampling value or the difference value is below the falling threshold All The alarm is triggered when the sampling value or the difference value exceeds the rising threshold or is below the falling threshold 3 Enter the owner name and...

Page 1090: ...ct Ethernet statistics for a Statistics entry since the entry status is configured as valid Step 3 show rmon statistics index Displays the statistics entries and their configurations index Enter the index of statistics entry that you want to view Valid values are from 1 to 65535 The command without any parameters displays all existing statistics entries Step 4 end Return to Privileged EXEC Mode St...

Page 1091: ...r of records for the history entry When the number of records exceeds the limit the earliest record will be overwritten The values are from 10 to 130 the default is 50 Step 3 show rmon history index Displays the specified History entry and related configurations To show multiple entries enter a list of indexes separated by commas or use a hyphen to indicates a range of indexes For example 1 3 5 in...

Page 1092: ...ion is empty none log notify log notify Specify the action type of the event then the switch will take the specified action to deal with the event By default the type is none None indicates the switch takes no action log indicates the switch records the event only notify indicates the switch sends notifications to the NMS only and log notify indicates the switch records the event and sends notific...

Page 1093: ...ex of the Alarm entry which ranges from 1 to 12 To configure multiple indexes enter a list of indexes separated by commas or use a hyphen to indicates a range of indexes For example 1 3 5 indicates 1 2 3 5 sindex Specify the index of the related Statistics entry which ranges from 1 to 65535 revbyte revpkt bpkt mpkt crc align undersize oversize jabber collision 64 65 127 128 255 256 511 512 1023 10...

Page 1094: ... the sampling value or difference value exceeds the rising threshold Fall indicates that the alarm is triggered only when the sampling value or difference value is below the falling threshold All indicates that the alarm is triggered when the sampling value or difference value either exceeds the rising threshold or is below the falling threshold owner name Enter the owner name of the entry using 1...

Page 1095: ...t index 1 falling threshold 2000 falling event index 2 a type all interval 10 owner monitor Switch config show rmon alarm Index State 1 Enabled Statistics index 1 Alarm variable BPkt Sample Type Absolute RHold REvent 3000 1 FHold FEvent 2000 2 Alarm startup All Interval 10 Owner monitor Switch config end Switch copy running config startup config ...

Page 1096: ... 1 0 1 and 1 0 2 on Switch A and regularly collect and save data for follow up checks Specifically Switch A should notify the NMS when the number of packets transmitted and received on the ports during the sample interval exceeds the preset rising threshold and should record but not notify the NMS when that is below the preset falling threshold The NMS host with IP address 192 168 1 222 is connect...

Page 1097: ...to record related events 3 Create an Alarm entry to monitor RecPackets Received Packets Configure the rising and falling thresholds Configure the rising event as the Notify event entry and the falling event as the Log event entry Demonstrated with T2600G 28TS this chapter provides configuration procedures in two ways using the GUI and using the CLI 6 3 Using the GUI Configuring Storm Control on Po...

Page 1098: ...to Read View and Notify View Click Create Figure 6 4 Configuring an SNMP Group 4 Choose MAINTENANCE SNMP SNMP v3 SNMP User and click to load the following page Create a user named admin for the NMS set the user type as Remote User and specify the group name Set the Security Level in accordance with that of the group nms monitor Choose SHA authentication algorithm and DES privacy algorithm and set ...

Page 1099: ...nd specify the IP address of the NMS host and the port of the host for transmitting notifications Specify the User as admin and choose the type as Inform Set the retry times as 3 with the timeout period as 100 seconds Click Create Figure 6 6 Creating an SNMP Notification Entry 6 Choose MAINTENANCE SNMP Notification Trap Config to load the following page Enable Storm Control trap and click Apply ...

Page 1100: ...orts 1 0 1 and 1 0 2 respectively Set the owner of the entries as monitor and the status as Valid Figure 6 8 Configuring Statistics Entry 1 Figure 6 9 Configuring Statistics Entry 2 2 Choose the menu MAINTENANCE SNMP RMON History to load the following page Configure entries 1 and 2 Bind entries 1 and 2 to ports 1 0 1 and 1 0 2 respectively Set the Interval as 100 seconds Maximum Buckets as 50 the ...

Page 1101: ... Configuring the Event Entries 4 Choose MAINTENANCE SNMP RMON Alarm to load the following page Configure entries 1 and 2 For entry 1 set the alarm variable as RecPackets related statistics entry ID as 1 bound to port 1 0 1 the sample type as Absolute the rising threshold as 3000 associated rising event entry ID as 1 which is the notify type the falling threshold as 2000 the associated falling even...

Page 1102: ...p server view View 1 include 3 Create a group of SNMPv3 with the name of nms monitor Enable Auth Mode and Privacy Mode and set both the Read and Notify views as View Switch_A config snmp server group nms monitor smode v3 slev authPriv read View notify View 4 Create an SNMP user named admin Set the user as a remote user and configure the security model and security level based on the group Set the ...

Page 1103: ...et 1 0 2 interval 100 owner monitor buckets 50 3 Create Event entries 1 and 2 for the SNMP user admin Set entry 1 as the Notify type and its description as rising_notify Set entry 2 as the Log type and its description as falling_log Set the owner of them as monitor Switch_A config rmon event 1 user admin description rising_notify type notify owner monitor Switch_A config rmon event 2 user admin de...

Page 1104: ...nt is enabled 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 0 Number of requested variables 0 Number of altered variables 0 Get request PDUs 0 Get next PDUs 0 Set request PDUs 0 SNMP packets output 0 Too big errors Maximum packet size 1500 0 No such name errors 0 Bad value errors 0 General errors 0 Response...

Page 1105: ...show snmp server group No Name Sec Mode Sec Lev Read View Write View Notify View 1 nms monitor v3 authPriv View View Verify SNMP user configurations Switch_A config show snmp server user No U Name U Type G Name S Mode S Lev A Mode P Mode 1 admin remote nms monitor v3 authPriv SHA DES Verify SNMP host configurations Switch_A config show snmp server host No Des IP UDP Name SecMode SecLev Type Retry ...

Page 1106: ...2 Gi1 0 2 100 50 monitor Enable Verify RMON event configurations Switch_A config show rmon event Index User Description Type Owner State 1 admin rising_notify Notify monitor Enable 2 admin falling_log Log monitor Enable Verify RMON alarm configurations Switch_A config show rmon alarm Index State 1 Enabled Statistics index 1 Alarm variable RevPkt Sample Type Absolute RHold REvent 3000 1 FHold FEven...

Page 1107: ...er Guide 1078 Configuration Example Index State 2 Enabled Statistics index 2 Alarm variable RevPkt Sample Type Absolute RHold REvent 3000 1 FHold FEvent 2000 2 Alarm startup All Interval 10 Owner monitor ...

Page 1108: ...Name View Type MIB Object ID viewDefault Include 1 viewDefault Exclude 1 3 6 1 6 3 15 viewDefault Exclude 1 3 6 1 6 3 16 viewDefault Exclude 1 3 6 1 6 3 18 Table 7 3 Default SNMP v1 v2c Settings Parameter Default Setting Community Entry No entries Community Name None Access Read only MIB View viewDefault Table 7 4 Default SNMP v3 Settings Parameter Default Setting SNMP Group Group Entry No entries...

Page 1109: ...n Password None Privacy Mode DES when Security Level is configured as AuthPriv Privacy Password None Default settings of Notification are listed in the following table Table 7 5 Default Notification Settings Parameter Default Setting Notification Config Notification Entry No entries IP Mode IPv4 IP Address None UDP Port 162 User None Security Model v1 Security Level noAuthNoPriv Type Trap Retry No...

Page 1110: ...Port 1 0 1 Interval 1800 seconds Max Buckets 50 Owner monitor Status Disabled Table 7 8 Default Settings for Event Entries Parameter Default Setting User public Description None Type None Owner monitor Status Disabled Table 7 9 Default Settings for Alarm Entries Parameter Default Setting Variable RecBytes Statistics 0 means no Statistics entry is selected Sample Type Absolute Rising Threshold 100 ...

Page 1111: ...User Guide 1082 Appendix Default Parameters Parameter Default Setting Interval 1800 seconds Owner monitor Status Disabled ...

Page 1112: ...Part 39 Diagnosing the Device Network CHAPTERS 1 Diagnosing the Device 2 Diagnosing the Network 3 Appendix Default Parameters ...

Page 1113: ...to diagnose the cable 1 Select your desired port for the test and click Apply 2 Check the test results in the Result section Pair Displays the Pair number Status Displays the cable status Test results include normal closed open and crosstalk Normal The cable is connected normally Closed A short circuit is being caused by abnormal contact of wires in the cable Open No device is connected to the oth...

Page 1114: ...cted Ethernet Port port Enter the port number in 1 0 1 format to check the result of the cable test show cable diagnostics careful interface fastEthernet port gigabitEthernet port ten gigabitEthernet port View the cable diagnostics of the connected Ethernet Port When taking the careful cable test the switch will only test the cable for the port which is in the link down status port Enter the port ...

Page 1115: ... hosts or to the gateways from the switch to the destination With Network Diagnostics you can Troubleshoot with Ping testing Troubleshoot with Tracert testing 2 1 Using the GUI 2 1 1 Troubleshooting with Ping Testing You can use the Ping tool to test connectivity to remote hosts Choose the menu MAINTENANCE Network Diagnostics Ping to load the following page Figure 2 1 Troubleshooting with Ping Tes...

Page 1116: ...e interval at which ICMP request packets are sent It is recommended to keep the default value of 1000 milliseconds 2 In the Ping Result section check the test results 2 1 2 Troubleshooting with Tracert Testing You can use the Tracert tool to find the path from the switch to the destination and test connectivity between the switch and routers along the path Choose the menu MAINTENANCE Network Diagn...

Page 1117: ...data for Ping testing The values are from 1 to 10 times the default is 4 times size Specify the size of the sending data for ping testing The values are from 1 to 1500 bytes the default is 64 bytes interval Specify the interval to send ICMP request packets The values are from 100 to 1000 milliseconds the default is 1000 milliseconds The following example shows how to test the connectivity between ...

Page 1118: ... the IP address for tracert test should be IPv6 ip_addr Enter the IP address of the destination device If the parameter ip ipv6 is not selected both IPv4 and IPv6 addresses are supported such as 192 168 0 100 or fe80 1234 maxHops Specify the maximum number of the route hops the test data can pass though The range is 1 to 30 hops the default is 4 hops The following example shows how to test the con...

Page 1119: ...twork Diagnostics are listed in the following tables Table 3 1 Default Settings of Ping Config Parameter Default Setting Destination IP 192 168 0 1 Ping Times 4 Data Size 64 bytes Interval 1000 milliseconds Table 3 2 Default Settings of Tracert Config Parameter Default Setting Destination IP 192 168 0 100 Maximum Hops 4 hops ...

Page 1120: ...Part 40 Configuring System Logs CHAPTERS 1 Overview 2 System Logs Configurations 3 Configuration Example 4 Appendix Default Parameters ...

Page 1121: ...ment System logs can be saved in various destinations such as the log buffer log file or remote log servers depending on your configuration Logs saved in the log buffer and log file are called local logs and logs saved in remote log servers are called remote logs Remote logs facilitate you to remotely monitor the running status of the network You can set the severity level of the log messages to c...

Page 1122: ... affect the functionality of the switch Alerts 1 Actions must be taken immediately The memory utilization reaches the limit Critical 2 Cause analysis or actions must be taken immediately The memory utilization reaches the warning threshold Errors 3 Error operations or unusual processing that will not affect subsequent operations but that should be noted and analyzed Wrong command or password is en...

Page 1123: ...ogs Information in the log file will not be lost after the switch is restarted and can be exported on the MAINTENANCE Logs Back Up Logs page Severity Specify the severity level of the log messages that are saved to the selected channel Only log messages with a severity level value that is the same or lower than this will be saved There are eight severity levels marked from 0 to 7 A lower value ind...

Page 1124: ...n IP address of the log server UDP Port Displays the UDP port used by the server to receive the log messages The switch uses standard port 514 to send log messages Severity Specify the severity level of the log messages sent to the selected log server Only log messages with a severity level value that is the same or lower than this will be saved Status Enable or disable the log server 2 Click Appl...

Page 1125: ...rmation Time Displays the time the log event occurred To get the exact time when the log event occurs you need to configure the system time on the SYSTEM System Info System Time Web management page Module Select a module from the drop down list to display the corresponding log information Severity Select a severity level to display the log information whose severity level value is the same or smal...

Page 1126: ...g system logs Information in the log file will not be lost after the switch is restarted You can view the logs with show logging flash command Step 5 logging file flash frequency periodic periodic immediate Specify the frequency to synchronize the system logs in the log buffer to the flash periodic Specify the frequency ranging from 1 to 48 hours By default the synchronization process takes place ...

Page 1127: ...Switch config show logging local config Channel Level Status Sync Periodic Buffer 5 enable Immediately Flash 2 enable 10 hour s Console 5 enable Immediately Monitor 5 enable Immediately Switch config end Switch copy running config startup config 2 2 2 Configuring the Remote Logs You can configure up to four hosts to receive the switch s system logs These hosts are called Log Servers The switch wil...

Page 1128: ...e log information of levels 0 to 6 will be sent to the log server Step 3 show logging loghost index View the configuration information of the log server index Enter the index of the log server to view the corresponding configuration information If no value is specified information of all log hosts will be displayed Step 4 end Return to privileged EXEC mode Step 5 copy running config startup config...

Page 1129: ...itch s system logs Make sure the switch and the PC are reachable to each other configure a log server that complies with the syslog standard on the PC and set the PC as the log server Demonstrated with T2600G 28TS this chapter provides configuration procedures in two ways using the GUI and Using the CLI 3 3 Using the GUI 1 Choose the menu MAINTENANCE Logs Remote Logs to load the following page Ena...

Page 1130: ...mote log host Switch configure Switch config logging host index 1 1 1 0 1 5 Switch config end Switch copy running config startup config Verify the Configurations Switch show logging loghost Index Host IP Severity Status 1 1 1 0 1 5 enable 2 0 0 0 0 6 disable 3 0 0 0 0 6 disable 4 0 0 0 0 6 disable ...

Page 1131: ...fault Settings of Local Logs Parameter Default Setting Status of Log Buffer Enabled Severity of Log Buffer Level_6 Sync Periodic of Log Buffer Immediately Status of Log File Disabled Severity of Log File Level_3 Sync Periodic of Log File 24 hours Table 4 2 Default Settings of Remote Logs Parameter Default Setting Server IP 0 0 0 0 UDP Port 514 Severity Level_6 Status Disabled ...

Page 1132: ...used in accordance with the instruction manual may cause harmful interference to radio communications Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense This device complies with part 15 of the FCC Rules Operation is subject to the following two conditions 1 This device may...

Page 1133: ...vice L émetteur récepteur exempt de licence contenu dans le présent appareil est conforme aux CNR d Innovation Sciences et Développement économique Canada applicables aux appareils radio exempts de licence L exploitation est autorisée aux deux conditions suivantes 1 L appareil ne doit pas produire de brouillage 2 L appareil doit accepter tout brouillage radioélectrique subi même si le brouillage e...

Page 1134: ...覆蓋開口 請勿將本產品置放於靠近熱源的地方 除非有正常的通風 否則不可放在密閉位置中 請不要私自打開機殼 不要嘗試自行維修本產品 請由授權的專業人士進行此項工作 此為甲類資訊技術設備 于居住環境中使用時 可能會造成射頻擾動 在此種情況下 使用者 會被要求採取某些適當的對策 限用物質含有情況標示聲明書 產品元件名稱 限用物質及其化學符號 鉛 Pb 鎘 Cd 汞 Hg 六價鉻 CrVI 多溴聯苯 PBB 多溴二苯醚 PBDE PCB 外殼 電源供應板 備考1 超出0 1 wt 及 超出0 01 wt 系指限用物質之百分比含量超出百分比含量基準值 備考2 系指該項限用物質之百分比含量未超出百分比含量基準值 備考3 系指該項限用物質為排除項目 Safety Information Keep the device away from water fire humidity or hot enviro...

Page 1135: ...use only RECYCLING This product bears the selective sorting symbol for Waste electrical and electronic equipment WEEE This means that this product must be handled pursuant to European directive 2012 19 EU in order to be recycled or dismantled to minimize its impact on the environment User has the choice to give his product to a competent recycling organization or to the retailer when he buys a new...

Page 1136: ... are trademarks or registered trademarks of their respective holders No part of the specifications may be reproduced in any form or by any means or used to make any derivative such as translation transformation or adaptation without permission from TP Link Technologies Co Ltd Copyright 2020 TP Link Technologies Co Ltd All rights reserved https www tp link com ...