ZyXEL Communications MES-3528 -, User Manual

Page 1: ... com MES 3528 Layer 2 Metro Ethernet Switch Copyright 2009 ZyXEL Communications Corporation Firmware Version 3 90 Edition 1 3 2009 Default Login Details IP Address http 192 168 1 1 User Name admin Password 1234 ...

Page 2: ......

Page 3: ...e the Switch Web Configurator Online Help The embedded Web Help contains descriptions of individual screens and supplementary information Note It is recommended you use the web configurator to configure the Switch Support Disc Refer to the included CD for support documents Documentation Feedback Send your comments questions or suggestions to techwriters zyxel com tw Thank you The Technical Writing...

Page 4: ...stions about ZyXEL products Forum This contains discussions on ZyXEL products Learn from others who use ZyXEL products and share your experiences as well Customer Support Should problems arise that cannot be solved by the methods listed above you should contact your vendor If you cannot contact your vendor then contact a ZyXEL office for the region in which you bought the device See http www zyxel...

Page 5: ...ey stroke is denoted by square brackets and uppercase text for example ENTER means the enter or return key on your keyboard Enter means for you to type one or more characters and then press the ENTER key Select or choose means for you to use one of the predefined choices A right angle bracket within a screen name denotes a mouse click For example Maintenance Log Log Setting means you first click M...

Page 6: ... s Guide 6 Icons Used in Figures Figures in this User s Guide may use the following generic icons The Switch icon is not an exact representation of your device The Switch Computer Notebook computer Server DSLAM Firewall Telephone Router ...

Page 7: ...propriate power adaptor or cord for your device Connect it to the right supply voltage for example 110V AC in North America or 230V AC in Europe Use ONLY power wires of the appropriate wire gauge see Chapter 41 on page 335 for details for your device Connect it to a power supply of the correct voltage see Chapter 41 on page 335 for details Do NOT allow anything to rest on the power adaptor or cord...

Page 8: ...Safety Warnings MES 3528 User s Guide 8 ...

Page 9: ...tics 71 Basic Setting 77 Advanced 89 VLAN 91 Static MAC Forward Setup 111 Static Multicast Forward Setup 115 Filtering 119 Spanning Tree Protocol 121 Bandwidth Control 143 Broadcast Storm Control 147 Mirroring 149 Link Aggregation 151 Port Authentication 161 Port Security 165 Classifier 169 Policy Rule 175 Queuing Method 181 VLAN Stacking 185 Multicast 193 AAA 209 IP Source Guard 223 Loop Guard 24...

Page 10: ...gement 275 Maintenance 277 Access Control 285 Diagnostic 307 Syslog 309 Cluster Management 313 MAC Table 321 ARP Table 325 Configure Clone 327 Troubleshooting Product Specifications 329 Troubleshooting 331 Product Specifications 335 Appendices and Index 343 ...

Page 11: ...1 4 IEEE 802 1Q VLAN Application Examples 25 1 1 5 Metro Ethernet 26 1 2 Ways to Manage the Switch 27 1 3 Good Habits for Managing the Switch 28 Chapter 2 Hardware Installation and Connection 29 2 1 Installation Scenarios 29 2 2 Desktop Installation Procedure 29 2 3 Mounting the Switch on a Rack 29 2 3 1 Rack mounted Installation Requirements 30 2 3 2 Attaching the Mounting Brackets to the Switch ...

Page 12: ...ion File 52 4 7 Logging Out of the Web Configurator 53 4 8 Help 54 Chapter 5 Initial Setup Example 55 5 1 Overview 55 5 1 1 Creating a VLAN 55 5 1 2 Setting Port VID 57 5 2 Configuring Switch Management IP Address 58 Chapter 6 Tutorials 61 6 1 How to Use DHCP Snooping on the Switch 61 6 2 How to Use DHCP Relay on the Switch 65 6 2 1 DHCP Relay Tutorial Introduction 65 6 2 2 Creating a VLAN 66 6 2 ...

Page 13: ...ration 92 9 2 1 GARP 92 9 2 2 GVRP 92 9 3 Port VLAN Trunking 93 9 4 Select the VLAN Type 94 9 5 Static VLAN 94 9 5 1 VLAN Status 95 9 5 2 VLAN Details 96 9 5 3 Configure a Static VLAN 97 9 5 4 Configure VLAN Port Settings 99 9 6 Subnet Based VLANs 100 9 7 Configuring Subnet Based VLAN 101 9 8 Protocol Based VLANs 103 9 9 Configuring Protocol Based VLAN 104 9 10 Create an IP based VLAN Example 106 ...

Page 14: ...e Rapid Spanning Tree Protocol 129 13 5 Rapid Spanning Tree Protocol Status 131 13 6 Configure Multiple Rapid Spanning Tree Protocol 133 13 7 Multiple Rapid Spanning Tree Protocol Status 135 13 8 Configure Multiple Spanning Tree Protocol 137 13 9 Multiple Spanning Tree Protocol Status 140 Chapter 14 Bandwidth Control 143 14 1 Bandwidth Control Overview 143 14 2 Bandwidth Control Setup 144 Chapter ...

Page 15: ...9 20 1 About the Classifier and QoS 169 20 2 Configuring the Classifier 169 20 3 Viewing and Editing Classifier Configuration 172 20 4 Classifier Example 173 Chapter 21 Policy Rule 175 21 1 Policy Rules Overview 175 21 2 Configuring Policy Rules 175 21 3 Viewing and Editing Policy Configuration 178 21 4 Policy Example 179 Chapter 22 Queuing Method 181 22 1 Queuing Method Overview 181 22 1 1 Strict...

Page 16: ... 201 24 6 2 MVR Modes 202 24 6 3 How MVR Works 202 24 7 General MVR Configuration 203 24 8 MVR Group Configuration 205 24 8 1 MVR Configuration Example 206 Chapter 25 AAA 209 25 1 Authentication Authorization and Accounting AAA 209 25 1 1 Local User Accounts 210 25 1 2 RADIUS and TACACS 210 25 2 AAA Screens 210 25 2 1 RADIUS Server Setup 211 25 2 2 TACACS Server Setup 213 25 2 3 AAA Setup 215 25 2...

Page 17: ...re 246 Chapter 27 Loop Guard 249 27 1 Loop Guard Overview 249 27 2 Loop Guard Setup 251 Chapter 28 Layer 2 Protocol Tunneling 253 28 1 Layer 2 Protocol Tunneling Overview 253 28 1 1 Layer 2 Protocol Tunneling Mode 254 28 2 Configuring Layer 2 Protocol Tunneling 255 Part IV IP Application 257 Chapter 29 Static Route 259 29 1 Static Routing Overview 259 29 2 Configuring Static Routing 260 Chapter 30...

Page 18: ...ctory Default 278 32 3 Save Configuration 279 32 4 Reboot System 279 32 5 Firmware Upgrade 279 32 6 Restore a Configuration File 280 32 7 Backup a Configuration File 281 32 8 FTP Command Line 281 32 8 1 Filename Conventions 281 32 8 2 FTP Command Line Procedure 282 32 8 3 GUI based FTP Clients 283 32 8 4 FTP Restrictions 283 Chapter 33 Access Control 285 33 1 Access Control Overview 285 33 2 The A...

Page 19: ...nostic 307 34 1 Diagnostic 307 Chapter 35 Syslog 309 35 1 Syslog Overview 309 35 2 Syslog Setup 310 35 3 Syslog Server Setup 311 Chapter 36 Cluster Management 313 36 1 Cluster Management Status Overview 313 36 2 Cluster Management Status 314 36 2 1 Cluster Member Switch Management 315 36 3 Clustering Management Configuration 318 Chapter 37 MAC Table 321 37 1 MAC Table Overview 321 37 2 Viewing the...

Page 20: ... Troubleshooting 331 40 1 Power Hardware Connections and LEDs 331 40 2 Switch Access and Login 332 40 3 Switch Configuration 334 Chapter 41 Product Specifications 335 Part VII Appendices and Index 343 Appendix A Changing a Fuse 345 Appendix B Common Services 347 Appendix C Legal Information 351 Index 355 ...

Page 21: ...21 PART I Introduction and Hardware Getting to Know Your Switch 23 Hardware Installation and Connection 29 Hardware Overview 33 ...

Page 22: ...22 ...

Page 23: ...at a time With its built in web configurator managing and configuring the Switch is easy In addition the Switch can also be managed via Telnet any terminal emulator program on the console port or third party SNMP management See Chapter 41 on page 335 for a full list of software features available on the Switch This section shows a few examples of using the Switch in various network environments 1 ...

Page 24: ...tch connects different company departments RD and Sales to the corporate backbone It can alleviate bandwidth contention and eliminate server and network bottlenecks All users that need high bandwidth can connect to high speed department servers via the Switch You can provide a super fast uplink connection by using a Gigabit Ethernet mini GBIC port on the Switch Moreover the Switch eases supervisio...

Page 25: ...e can be retained as all ports can freely communicate with each other Figure 3 High Performance Switched Workgroup Application 1 1 4 IEEE 802 1Q VLAN Application Examples A VLAN Virtual Local Area Network allows a physical network to be partitioned into multiple logical networks Stations on a logical network belong to one group A station can belong to more than one group With VLAN a station cannot...

Page 26: ...AN 1 Ports can belong to other VLAN groups too Figure 4 Shared Server Using VLAN Example 1 1 5 Metro Ethernet The Switch is ideal for connecting users to an Ethernet network that spans a metropolitan area In the following example the Switch is one of many switches that connect users in the metropolitan area to the Internet The metro ethernet is based on a star or hub and spoke topology though othe...

Page 27: ...ment of the Switch using a supported web browser See Chapter 4 on page 45 Command Line Interface Line commands offer an alternative to the web configurator and in some cases are necessary to configure advanced features See the CLI Reference Guide FTP Use FTP for firmware upgrades and configuration backup restore See Section 32 8 on page 281 SNMP The Switch can be monitored by an SNMP manager See S...

Page 28: ... of characters such as numbers and letters Write down the password and put it in a safe place Back up the configuration and make sure you know how to restore it Restoring an earlier working configuration may be useful if the device becomes unstable or even crashes If you forget your password you will have to reset the Switch to its factory default settings If you backed up an earlier configuration...

Page 29: ...ch This is especially important for enclosed rack installations 2 2 Desktop Installation Procedure 1 Make sure the Switch is clean and dry 2 Set the Switch on a smooth level surface strong enough to support the weight of the Switch and the connected cables Make sure there is a power outlet nearby 3 Make sure there is enough clearance around the Switch to allow air circulation and the attachment of...

Page 30: ...does not make the rack unstable or top heavy Take all necessary precautions to anchor the rack securely before installing the unit 2 3 2 Attaching the Mounting Brackets to the Switch 1 Position a mounting bracket on one side of the Switch lining up the four screw holes on the bracket with the screw holes on the side of the Switch Figure 6 Attaching the Mounting Brackets 2 Using a 2 Philips screwdr...

Page 31: ...the Switch on one side of the rack lining up the two screw holes on the bracket with the screw holes on the side of the rack Figure 7 Mounting the Switch on a Rack 2 Using a 2 Philips screwdriver install the M5 flat head screws through the mounting bracket holes into the rack 3 Repeat steps 1 and 2 to attach the second mounting bracket on the other side of the rack ...

Page 32: ...Chapter 2 Hardware Installation and Connection MES 3528 User s Guide 32 ...

Page 33: ...front panel of the Switch Figure 8 Front Panel The following table describes the port labels on the front panel Ethernet Ports Dual Personality Interfaces Console Port LEDs ALARM slot Power Connection Table 1 Front Panel Connections LABEL DESCRIPTION Power Connection Connect an appropriate power supply to this port 24 10 100 Mbps RJ 45 Ethernet Ports Connect these ports to a computer a hub an Ethe...

Page 34: ...rnet speed 10 100 1000 Mbps and duplex mode full duplex or half duplex of the connected device Four Dual Personality Interfaces Each interface has one 1000BASE T RJ 45 port and one Small Form Factor Pluggable SFP slot also called a mini GBIC slot with one port or transceiver active at a time Four 100 1000 Mbps RJ 45 Ports Connect these ports to high bandwidth backbone network Ethernet switches usi...

Page 35: ...the settings of the peer Ethernet port are the same in order to connect 3 1 2 1 Default Ethernet Negotiation Settings The factory default negotiation settings for the Gigabit ports on the Switch are Speed Auto Duplex Auto Flow control Off Link Aggregation Disabled 3 1 2 2 Auto crossover All ports are auto crossover that is auto MDIX ports Media Dependent Interface Crossover so you may use either a...

Page 36: ...f PCB board facing down 2 Press the transceiver firmly until it clicks into place 3 The Switch automatically detects the installed transceiver Check the LEDs to verify that it is functioning properly 4 Close the transceiver s latch latch styles vary 5 Connect the fiber optic cables to the transceiver Figure 9 Transceiver Installation Example Figure 10 Connecting the Fiber Optic Cables 3 1 3 2 Tran...

Page 37: ...nd of the supplied power cord to a power outlet Make sure that no objects obstruct the airflow of the fans located on the side of the unit See Chapter 41 on page 335 for information on the Switch s power supply requirements 3 1 5 ALARM Slot The ALARM slot fitted with the alarm connector allows you to connect devices to the Switch such as smoke or movement detectors sensors or even other ZyXEL swit...

Page 38: ...low Figure 14 Connecting Sensors to the ALARM connector Follow these steps to connect an external sensor device to the Switch 1 Use a connector to connect wires of the correct gauge to the sensor s power output pins See Chapter 41 on page 335 for the wire specifications Check the sensor s documentation to identify its two power output pins 2 Connect these two wires to any one of the following pair...

Page 39: ...al alarm to another ZyXEL Switch which supports the external alarm feature If daisy chaining to a ZyXEL switch that is a different model check your switch s documentation for the correct pin assignments 1 Use wires of the correct gauge to connect either of the power output pin pairs 1 normal close 2 common or 2 common 3 normal open on the ALARM connector to the input power pin pairs of an ALARM co...

Page 40: ...view the LEDs to ensure proper functioning of the Switch and as an aid in troubleshooting 1 2 3 11 10 1 2 3 11 10 1 2 3 11 10 Pin Assignments Table 2 LED Descriptions LED COLOR STATU S DESCRIPTION PWR Green On The system is turned on Off The system is off SYS Green On The system is on and functioning properly Blinking The system is rebooting and performing self diagnostic tests Off The power is of...

Page 41: ...onnected ACT Green Blinking This port is receiving or transmitting data 1000Base T Ethernet Ports in Dual Personality Interface LNK ACT Green Blinking The system is transmitting receiving to from a 10 Mbps or a 1000 Mbps Ethernet network On The link to a 10 Mbps or a 1000 Mbps Ethernet network is up Amber Blinking The system is transmitting receiving to from a 100 Mbps Ethernet network On The link...

Page 42: ...Chapter 3 Hardware Overview MES 3528 User s Guide 42 ...

Page 43: ...43 PART II Basic Configuration The Web Configurator 45 Initial Setup Example 55 System Status and Port Statistics 71 Basic Setting 77 ...

Page 44: ...44 ...

Page 45: ...ape Navigator 7 0 and later versions The recommended screen resolution is 1024 by 768 pixels In order to use the web configurator you need to allow Web browser pop up windows from your device Web pop up blocking is enabled by default in Windows XP SP Service Pack 2 JavaScript enabled by default Java permissions enabled by default 4 2 System Login 1 Start your web browser 2 Type http and the IP add...

Page 46: ... is 1234 The date and time display as shown if you have not configured a time server nor manually entered a time and date in the General Setup screen Figure 17 Web Configurator Login 4 Click OK to view the first web configurator screen 4 3 The Status Screen The Status screen is the first screen that displays when you access the web configurator ...

Page 47: ...ks which allow you to perform certain tasks no matter which screen you are currently working in B Click this link to save your configuration into the Switch s nonvolatile memory Nonvolatile memory is the configuration of your Switch that stays the same even if the Switch s power is turned off C Click this link to go to the status page of the Switch D Click this link to logout of the web configurat...

Page 48: ...eral identification information about the Switch Switch Setup This link takes you to a screen where you can set up global Switch parameters such as VLAN type GARP and priority queues IP Setup This link takes you to a screen where you can configure the IP address subnet mask necessary for Switch management and DNS domain name server and set up to 64 IP routing domains Port Setup This link takes you...

Page 49: ...o screens where you can activate MAC address learning and set the maximum number of MAC addresses to learn on a port Classifier This link takes you to a screen where you can configure the Switch to group packets based on the specified criteria Policy Rule This link takes you to a screen where you can configure the Switch to perform special treatment on the grouped packets Queuing Method This link ...

Page 50: ...his link takes you to screens where you can change the system login password and configure SNMP and remote management Diagnostic This link takes you to a screen where you can view system logs and test port s Syslog This link takes you to screens where you can setup system logs and a system log server Cluster Management This link takes you to screens where you can configure clustering management an...

Page 51: ...our Configuration When you are done modifying the settings in a screen click Apply to save your changes back to the run time memory Settings in the run time memory are lost when the Switch s power is turned off Click the Save link in the upper right hand corner of the web configurator to save your configuration to nonvolatile memory Nonvolatile memory refers to the Switch s storage that remains ev...

Page 52: ...ut of the Switch 4 6 Resetting the Switch If you lock yourself and others from the Switch or forget the administrator password you will need to reload the factory default configuration file or reset the Switch back to the factory defaults 4 6 1 Reload the Configuration File Uploading the factory default configuration file replaces the current configuration file with the factory default configurati...

Page 53: ...ing the Switch Via the Console Port The Switch is now reinitialized with a default configuration file including the default password of 1234 4 7 Logging Out of the Web Configurator Click Logout in a screen to exit the web configurator You have to log in with your password again after you log out This is recommended after you finish a management session for security reasons Figure 21 Web Configurat...

Page 54: ...528 User s Guide 54 4 8 Help The web configurator s online help has descriptions of individual screens and some supplementary information Click the Help link from a web configurator screen to view an online help description of that screen ...

Page 55: ... the initial setup Create a VLAN Set port VLAN ID Configure the Switch IP management address 5 1 1 Creating a VLAN VLANs confine broadcast frames to the VLAN group in which the port s belongs You can do this with port based VLAN or tagged static VLAN with fixed port members In this example you want to configure port 1 as a member of VLAN 2 Figure 22 Initial Setup Network Example VLAN ...

Page 56: ...his screen and the VID field in the IP Setup screen refer to the same VLAN ID 3 Since the VLAN2 network is connected to port 1 on the Switch select Fixed to configure port 1 to be a permanent member of the VLAN only 4 To ensure that VLAN unaware devices such as computers and hubs can receive frames properly clear the TX Tagging check box to set the Switch to remove VLAN tags before sending 5 Click...

Page 57: ...etwork configure 2 as the port VID on port 1 so that any untagged frames received on that port get sent to VLAN 2 Figure 23 Initial Setup Network Example Port VID 1 Click Advanced Applications VLAN in the navigation panel Then click the VLAN Port Setting link 2 Enter 2 in the PVID field for port 1 and click Apply to save your changes back to the run time memory Settings in the run time memory are ...

Page 58: ... sure your computer is in the same subnet as the Switch 2 Open your web browser and enter 192 168 1 1 the default IP address in the address bar to access the web configurator See Section 4 2 on page 45 for more information 3 Click Basic Setting IP Setup in the navigation panel 4 Configure the related fields in the IP Setup screen 5 For the VLAN2 network enter 192 168 2 1 as the IP address and 255 ...

Page 59: ...Chapter 5 Initial Setup Example MES 3528 User s Guide 59 7 Click Add to save your changes back to the run time memory Settings in the run time memory are lost when the Switch s power is turned off ...

Page 60: ...Chapter 5 Initial Setup Example MES 3528 User s Guide 60 ...

Page 61: ...assign IP addresses to all devices in VLAN network V Create a VLAN containing ports 5 6 and 7 Connect a computer M to the Switch for management Figure 25 Tutorial DHCP Snooping Tutorial Overview Note For related information about DHCP snooping see Section 26 1 on page 223 The settings in this tutorial are as the following Table 5 Tutorial Settings in this Tutorial HOST PORT CONNECTED VLAN PVID DHC...

Page 62: ...default admin and password default 1234 2 Go to Advanced Application VLAN Static VLAN and create a VLAN with ID of 100 Add ports 5 6 and 7 in the VLAN by selecting Fixed in the Control field as shown Deselect Tx Tagging because you don t want outgoing traffic to contain this VLAN tag Click Add Figure 26 Tutorial Create a VLAN and Add Ports to It ...

Page 63: ... of the ports 5 6 and 7 to 100 This tags untagged incoming frames on ports 5 6 and 7 with the tag 100 Figure 27 Tutorial Tag Untagged Frames 4 Go to Advanced Application IP Source Guard DHCP snooping Configure activate and specify VLAN 100 as the DHCP VLAN as shown Click Apply Figure 28 Tutorial Specify DHCP VLAN ...

Page 64: ...l Set the DHCP Server Port to Trusted 7 Go to Advanced Application IP Source Guard DHCP snooping Configure VLAN show VLAN 100 by entering 100 in the Start VID and End VID fields and click Apply Then select Yes in the Enabled field of the VLAN 100 entry shown at the bottom section of the screen If you want to add more information in the DHCP request packets such as source VLAN ID or system name you...

Page 65: ... DHCP Snooping Works You can also telnet or log into the Switch s console Use the command show dhcp snooping binding to see the DHCP snooping binding table as shown next 6 2 How to Use DHCP Relay on the Switch This tutorial describes how to configure your Switch to forward DHCP client requests to a specific DHCP server The DHCP server can then assign a specific IP address based on the information ...

Page 66: ...enario 6 2 2 Creating a VLAN Follow the steps below to configure port 2 as a member of VLAN 102 1 Access the web configurator through the Switch s management port 2 Go to Basic Setting Switch Setup and set the VLAN type to 802 1Q Click Apply to save the settings to the run time memory Figure 33 Tutorial Set VLAN Type to 802 1Q VLAN 102 DHCP Server Port 2 PVID 102 172 16 1 18 A 192 168 2 3 ...

Page 67: ... Name field and enter 102 in the VLAN Group ID field 5 Select Fixed to configure port 2 to be a permanent member of this VLAN 6 Clear the TX Tagging check box to set the Switch to remove VLAN tags before sending 7 Click Add to save the settings to the run time memory Settings in the run time memory are lost when the Switch s power is turned off Figure 34 Tutorial Create a Static VLAN ...

Page 68: ... screen Figure 35 Tutorial Click the VLAN Port Setting Link 9 Enter 102 in the PVID field for port 2 to add a tag to incoming untagged frames received on that port so that the frames are forwarded to the VLAN group that the tag defines 10 Click Apply to save your changes back to the run time memory Figure 36 Tutorial Add Tag for Frames Received on Port 2 ...

Page 69: ...een 2 Select the Active check box 3 Enter the DHCP server s IP address 192 168 2 3 in this example in the Remote DHCP Server 1 field 4 Select the Option 82 and the Information check boxes 5 Click Apply to save your changes back to the run time memory Figure 37 Tutorial Set DHCP Server and Relay Information 6 Click the Save link in the upper right corner of the web configurator to save your configu...

Page 70: ...lient A is connected to the Switch s port 2 in VLAN 102 2 You configured the correct VLAN ID port number and system name for DHCP relay on both the DHCP server and the Switch 3 You clicked the Save link on the Switch to have your settings take effect ...

Page 71: ...nd Port Statistics This chapter describes the system status web configurator home page and port details screens 7 1 Overview The home screen of the web configurator displays a port statistical summary with links to each port showing statistical details ...

Page 72: ...ps 100M for 100Mbps or 1000M for 1000Mbps and the duplex F for full duplex or H for half It also shows the cable type Copper or Fiber for the combo ports State If STP Spanning Tree Protocol is enabled this field displays the STP state of the port see Section 13 1 on page 121 for more information If STP is disabled this field displays FORWARDING if the link is up otherwise it displays STOP LACP Thi...

Page 73: ...an individual port on the Switch Figure 39 Status Port Details Rx KB s This field shows the number of kilobytes per second received on this port Up Time This field shows the total amount of time in hours minutes and seconds the port has been up Clear Counter Enter a port number and then click Clear Counter to erase the recorded statistical information for that port or select Any to clear statistic...

Page 74: ...is field shows the number of kilobytes per second received on this port Up Time This field shows the total amount of time the connection has been up Tx Packet The following fields display detailed information about packets transmitted TX Packet This field shows the number of good packets unicast multicast and broadcast transmitted Multicast This field shows the number of good multicast packets tra...

Page 75: ... of packets including bad packets received that were 64 octets in length 65 127 This field shows the number of packets including bad packets received that were between 65 and 127 octets in length 128 255 This field shows the number of packets including bad packets received that were between 128 and 255 octets in length 256 511 This field shows the number of packets including bad packets received t...

Page 76: ...Chapter 7 System Status and Port Statistics MES 3528 User s Guide 76 ...

Page 77: ...s you to set the system time manually or get the current time and date from an external server when you turn on your Switch The real time is then displayed in the Switch logs The Switch Setup screen allows you to set up and configure global Switch features The IP Setup screen allows you to configure a Switch IP address in each routing domain subnet mask s and DNS domain name server for management ...

Page 78: ...CRIPTION System Name This field displays the descriptive name of the Switch for identification purposes ZyNOS F W Version This field displays the version number of the Switch s current firmware including the date created Ethernet Address This field refers to the Ethernet MAC Media Access Control address of the Switch Table 9 Basic Setting General Setup LABEL DESCRIPTION System Name Choose a descri...

Page 79: ... the Current Time field after you click Apply Current Date This field displays the date you open this menu New Date yyyy mm dd Enter the new date in year month and day format The new date then appears in the Current Date field after you click Apply Time Zone Select the time difference between UTC Universal Time Coordinated formerly known as GMT Greenwich Mean Time and your time zone from the drop ...

Page 80: ... Chapter 9 on page 91 for information on port based and 802 1Q tagged VLANs End Date Configure the day and time when Daylight Saving Time ends if you selected Daylight Saving Time The time field uses the 24 hour format Here are a couple of examples Daylight Saving Time ends in the United States on the first Sunday of November Each time zone in the United States stops using Daylight Saving Time at ...

Page 81: ...r more information GARP Timer Switches join VLANs by making a declaration A declaration is made by issuing a Join message using GARP Declarations are withdrawn by issuing a Leave message A Leave All message terminates all registrations GARP timers set declaration timeout values See the chapter on VLAN setup for more background information Join Timer Join Timer sets the duration of the Join Period ...

Page 82: ...owing descriptions are based on the traffic types defined in the IEEE 802 1d standard which incorporates the 802 1p Level 7 Typically used for network control traffic such as router configuration messages Level 6 Typically used for voice traffic that is especially sensitive to jitter jitter is the variations in delay Level 5 Typically used for video that consumes high bandwidth and is sensitive to...

Page 83: ... default IP address is 192 168 1 1 The subnet mask specifies the network number portion of an IP address The factory default subnet mask is 255 255 255 0 You can configure up to 64 IP addresses which are used to access and manage the Switch from the ports belonging to the pre defined VLAN s Note You must configure a VLAN first Figure 43 Basic Setting IP Setup ...

Page 84: ...gement only The default is 1 All ports by default are fixed members of this management VLAN in order to manage the device from any port If a port is not a member of this VLAN then users on that port cannot access the device To access the Switch make sure the port that you are connected to is a member of Management VLAN Management IP Addresses You can create up to 64 IP addresses which are used to ...

Page 85: ...he configuration screen Figure 44 Basic Setting Port Setup Default Gateway This field displays the IP address of the default gateway Delete Check the management IP addresses that you want to remove in the Delete column then click the Delete button Cancel Click Cancel to clear the selected check boxes in the Delete column Table 11 Basic Setting IP Setup continued LABEL DESCRIPTION ...

Page 86: ...ically to obtain the connection speed and duplex mode that both ends support When auto negotiation is turned on a port on the Switch negotiates with the peer automatically to determine the connection speed and duplex mode If the peer port does not support auto negotiation or turns off this feature the Switch determines the connection speed by detecting the signal on the cable and using half duplex...

Page 87: ...or more information Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Table 12 Basic Setting Port Setup continued LABEL DESCRI...

Page 88: ...Chapter 8 Basic Setting MES 3528 User s Guide 88 ...

Page 89: ...ocol 121 Bandwidth Control 143 Broadcast Storm Control 147 Mirroring 149 Link Aggregation 151 Port Authentication 161 Port Security 165 Classifier 169 Policy Rule 175 Queuing Method 181 VLAN Stacking 185 Multicast 193 AAA 209 IP Source Guard 223 Loop Guard 249 Layer 2 Protocol Tunneling 253 ...

Page 90: ...90 ...

Page 91: ...nformation starts after the source address field of the Ethernet frame The CFI Canonical Format Indicator is a single bit flag always set to zero for Ethernet switches If a frame received at an Ethernet port has a CFI set to 1 then that frame should not be forwarded as it is to an untagged port The remaining twelve bits define the VLAN ID giving a possible maximum number of 4 096 VLANs Note that u...

Page 92: ... switches to register and de register attribute values with other GARP participants within a bridged LAN GARP is a protocol that provides a generic mechanism for protocols that serve a more specific application for example GVRP 9 2 1 1 GARP Timers Switches join VLANs by making a declaration A declaration is made by issuing a Join message using GARP Declarations are withdrawn by issuing a Leave mes...

Page 93: ... E automatically allow frames with VLAN Administrative Control Registration Fixed Fixed registration ports are permanent VLAN members Registration Forbidden Ports with registration forbidden are forbidden to join the specified VLAN Normal Registration Ports dynamically join a VLAN using GVRP VLAN Tag Control Tagged Ports belonging to the specified VLAN tag all outgoing frames transmitted Untagged ...

Page 94: ...n the Basic Setting Switch Setup screen Figure 46 Switch Setup Select VLAN Type 9 5 Static VLAN Use a static VLAN to decide whether an incoming frame on a port should be sent to a VLAN group as normal depending on its VLAN tag sent to a group whether it has a VLAN tag or not blocked from a VLAN group regardless of its VLAN tag You can also tag all outgoing frames that were previously untagged from...

Page 95: ...ay only the specified VLAN s in the list below Leave this field blank and click Search to display all VLANs configured on the Switch The Number of VLAN This is the number of VLANs configured on the Switch The Number of Search Results This is the number of VLANs that match the searching criteria and display in the list below This field displays only when you use the Search button to look for certai...

Page 96: ...en if all status information cannot be seen in one screen Table 14 Advanced Application VLAN VLAN Status continued LABEL DESCRIPTION Table 15 Advanced Application VLAN VLAN Detail LABEL DESCRIPTION VLAN Status Click this to go to the VLAN Status screen VID This is the VLAN identification number that was configured in the Static VLAN screen Port Number This column displays the ports that are partic...

Page 97: ...Figure 49 Advanced Application VLAN Static VLAN The following table describes the related labels in this screen Table 16 Advanced Application VLAN Static VLAN LABEL DESCRIPTION ACTIVE Select this check box to activate the VLAN settings Name Enter a descriptive name for the VLAN group for identification purposes This name consists of up to 64 printable characters VLAN Group ID Enter the VLAN ID for...

Page 98: ...smitted with this VLAN Group ID Add Click Add to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to change the fields back to their last saved values Clear Click Clear to start configur...

Page 99: ...bes the labels in this screen Table 17 Advanced Application VLAN VLAN Port Setting LABEL DESCRIPTION GVRP GVRP GARP VLAN Registration Protocol is a registration protocol that defines a way for switches to register necessary VLAN members on ports across the network Select this check box to permit VLAN groups beyond the local Switch Ingress Check If this check box is selected the Switch discards inc...

Page 100: ...k box to allow GVRP on this port Acceptable Frame Type Specify the type of frames allowed on a port Choices are All Tag Only and Untag Only Select All from the drop down list box to accept all untagged or tagged frames on this port This is the default setting Select Tag Only to accept only tagged frames on this port All untagged frames will be dropped Select Untag Only to accept only untagged fram...

Page 101: ... services You also have a subnet based VLAN with priority 5 and VID of 200 for traffic received from IP subnet 192 168 1 0 24 video services Lastly you configure VLAN with priority 3 and VID of 300 for traffic received from IP subnet 10 1 1 0 24 data services All untagged incoming frames will be classified based on their source IP subnet and prioritized accordingly That is video services receive t...

Page 102: ...IP subnet to obtain their IP addresses through the DHCP VLAN Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Active Check this box to activate the IP subnet VLAN you are creating or ed...

Page 103: ... be an existing VLAN which you defined in the Advanced Applications VLAN screens Priority Select the priority level that the Switch assigns to frames belonging to this VLAN Add Click Add to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memo...

Page 104: ... switch C Figure 53 Protocol Based VLAN Application Example 9 9 Configuring Protocol Based VLAN Click Protocol Based VLAN in the VLAN Port Setting screen to display the configuration screen as shown Note Protocol based VLAN applies to un tagged packets and is applicable only when you use IEEE 802 1Q tagged VLAN Figure 54 Advanced Application VLAN VLAN Port Setting Protocol Based VLAN ...

Page 105: ...n existing VLAN which you defined in the Advanced Applications VLAN screens Priority Select the priority level that the Switch will assign to frames belonging to this VLAN Add Click Add to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memor...

Page 106: ...s protocol based VLAN a descriptive name Type IP VLAN 4 Select the protocol Leave the default value IP 5 Type the VLAN ID of an existing VLAN In our example we already created a static VLAN with an ID of 5 Type 5 6 Leave the priority set to 0 and click Add Figure 55 Protocol Based VLAN Configuration Example To add more ports to this protocol based VLAN 1 Click the index number of the protocol base...

Page 107: ...r example between conference rooms in a hotel you must define the egress an egress port is an outgoing port that is a port through which a data packet leaves for both ports Port based VLANs are specific only to the Switch on which they were created Note When you activate port based VLAN the Switch uses a default VLAN ID of 1 You cannot change it Note In screens such as IP Setup and Filtering that ...

Page 108: ... 1 Configure a Port based VLAN Select Port Based as the VLAN Type in the Basic Setting Switch Setup screen and then click Advanced Application VLAN from the navigation panel to display the next screen Figure 56 Port Based VLAN Setup All Connected ...

Page 109: ...Chapter 9 VLAN MES 3528 User s Guide 109 Figure 57 Port Based VLAN Setup Port Isolation ...

Page 110: ...rough which a data packet enters If you wish to allow two subscriber ports to talk to each other you must define the ingress port for both ports The numbers in the top row denote the incoming port for the corresponding port listed on the left its outgoing port CPU refers to the Switch management port By default it forms a VLAN with all Ethernet ports If it does not form a VLAN with a particular po...

Page 111: ...AC Forwarding A static MAC address is an address that has been manually entered in the MAC address table Static MAC addresses do not age out When you set up static MAC address rules you are setting static MAC addresses for a port This may reduce the need for broadcasting Static MAC address forwarding together with port security allow only computers in the MAC address table on a port to access the ...

Page 112: ...ere the MAC address entered in the previous field will be automatically forwarded Add Click Add to save your rule to the Switch s run time memory The Switch loses this rule if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to reset the fields to their last saved value...

Page 113: ...plays the port where the MAC address shown in the next field will be forwarded Delete Click Delete to remove the selected entry from the summary table Cancel Click Cancel to clear the Delete check boxes Table 21 Advanced Application Static MAC Forwarding continued LABEL DESCRIPTION ...

Page 114: ...Chapter 10 Static MAC Forward Setup MES 3528 User s Guide 114 ...

Page 115: ...ge out Static multicast forwarding allows you the administrator to forward multicast frames to a member without the member having to join the group first If a multicast group has no members then the switch will either flood the multicast frames to all ports or drop them You can configure this in the Advanced Application Multicast Multicast Setting screen see Section 24 3 on page 195 Figure 59 show...

Page 116: ... within VLAN group 4 Figure 59 No Static Multicast Forwarding Figure 60 Static Multicast Forwarding to A Single Port Figure 61 Static Multicast Forwarding to Multiple Ports 11 2 Configuring Static Multicast Forwarding Use this screen to configure rules to forward specific multicast frames such as streaming or control frames to specific port s ...

Page 117: ... pair 00000001 is 01 and 00000011 is 03 in hexadecimal so 01 00 5e 00 00 0A and 03 00 5e 00 00 27 are valid multicast MAC addresses VID You can forward frames with matching destination MAC address to port s within a VLAN group Enter the ID that identifies the VLAN group here If you don t have a specific target VLAN enter 1 Port Enter the port s where frames with destination MAC address that matche...

Page 118: ...his field displays the multicast MAC address that identifies a multicast group VID This field displays the ID number of a VLAN group to which frames containing the specified multicast MAC address will be forwarded Port This field displays the port s within a identified VLAN group to which frames containing the specified multicast MAC address will be forwarded Delete Click Delete to remove the sele...

Page 119: ...ring in the navigation panel to display the screen as shown next Figure 63 Advanced Application Filtering The following table describes the related labels in this screen Table 23 Advanced Application Filtering LABEL DESCRIPTION Active Make sure to select this check box to activate your rule You may temporarily deactivate a rule without deleting it by deselecting this check box Name Type a descript...

Page 120: ...ve link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to reset the fields to your previous configuration Clear Click Clear to clear the fields to the factory defaults Index This field displays the index number of the rule Click an index number to change the settings Active This field displays Yes when the rule is activ...

Page 121: ...t switches in your network to ensure that only one path exists between any two stations on the network The Switch uses IEEE 802 1w RSTP Rapid Spanning Tree Protocol that allows faster convergence of the spanning tree than STP while also being backwards compatible with STP only aware bridges In RSTP topology change information is directly propagated throughout the network from the device that gener...

Page 122: ...r connected LANs and disables all other ports that participate in STP Network packets are therefore only forwarded between enabled ports eliminating any possible network loops STP aware switches exchange Bridge Protocol Data Units BPDUs periodically When the bridged LAN topology changes a new spanning tree is constructed Once a stable network topology has been established all bridges listen for He...

Page 123: ...ependently with its own bridge information In the following example there are two RSTP instances MRSTP 1 and MRSTP2 on switch A To set up MRSTP activate MRSTP on the Switch and specify which port s belong to which spanning tree Table 25 STP Port States PORT STATE DESCRIPTION Disabled STP is disabled default Blocking Only configuration and management BPDUs are received and processed Listening All B...

Page 124: ...anning Tree CIST that represents the entire network s connectivity Grouping of multiple bridges or switching devices into regions that appear as one single bridge on the network A VLAN can be mapped to a specific Multiple Spanning Tree Instance MSTI MSTI allows multiple VLANs to use the same spanning tree Load balancing is possible as traffic from different VLANs can use distinct paths in a region...

Page 125: ...he following figure shows the network example using MSTP Figure 66 MSTP Network Example 13 1 5 2 MST Region An MST region is a logical grouping of multiple network devices that appears as a single device to the rest of the network Each MSTP enabled device can only belong to one MST region When BPDUs enter an MST region external path cost of paths outside this region is increased by one Internal pa...

Page 126: ...created MSTI is identified by a unique number known as an MST ID known internally to a region Thus an MSTI does not span across MST regions The following figure shows an example where there are two MST regions Regions 1 and 2 have 2 spanning tree instances Figure 67 MSTIs in Different Regions 13 1 5 4 Common and Internal Spanning Tree CIST A CIST represents the connectivity of the entire network a...

Page 127: ... status screen changes depending on what standard you choose to implement on your network Click Advanced Application Spanning Tree Protocol to see the screen as shown Figure 69 Advanced Application Spanning Tree Protocol This screen differs depending on which STP mode RSTP MRSTP or MSTP you configure on the Switch This screen is described in detail in the section that follows the configuration sec...

Page 128: ...ication Spanning Tree Protocol Configuration LABEL DESCRIPTION Spanning Tree Mode You can activate one of the STP modes on the Switch Select Rapid Spanning Tree Multiple Rapid Spanning Tree or Multiple Spanning Tree See Section 13 1 on page 121 for background information on STP Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off...

Page 129: ...anced Application Spanning Tree Protocol RSTP The following table describes the labels in this screen Table 27 Advanced Application Spanning Tree Protocol RSTP LABEL DESCRIPTION Status Click Status to display the RSTP Status screen see Figure 72 on page 131 Active Select this check box to activate RSTP Clear this checkbox to disable RSTP Note You must also activate Rapid Spanning Tree in the Advan...

Page 130: ...maximum time in seconds the Switch will wait before changing states This delay is required because every switch must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to a blocking state otherwise temporary data loops might result The allowed range is 4 to 30 seconds As a ge...

Page 131: ...power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Table 27 Advanced Application Spanning Tree Protocol RSTP continued LABEL DESCRIPTION Table 28 Advanced Application Spanning Tree Protocol Status RSTP LABEL DESCRIPTION Configuration Click Configuration to s...

Page 132: ...e root switch will wait before changing states that is listening to learning to forwarding Note The listening state does not exist in RSTP Cost to Bridge This is the path cost from the root port on this Switch to the root switch Port ID This is the priority and number of the port on the Switch through which this Switch must communicate with the root of the Spanning Tree Topology Changed Times This...

Page 133: ...The following table describes the labels in this screen Table 29 Advanced Application Spanning Tree Protocol MRSTP LABEL DESCRIPTION Status Click Status to display the MRSTP Status screen see Figure 72 on page 131 Tree This is a read only index number of the STP trees Active Select this check box to activate an STP tree Clear this checkbox to disable an STP tree Note You must also activate Multipl...

Page 134: ...maximum time in seconds the Switch will wait before changing states This delay is required because every switch must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to a blocking state otherwise temporary data loops might result The allowed range is 4 to 30 seconds As a ge...

Page 135: ...r changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Table 29 Advanced Application Spanning Tree Protocol MRSTP continued LABEL DESCRIPTION Table 30 Advanced ...

Page 136: ...ge before attempting to reconfigure Forwarding Delay second This is the time in seconds the root switch will wait before changing states that is listening to learning to forwarding Note The listening state does not exist in RSTP Cost to Bridge This is the path cost from the root port on this Switch to the root switch Port ID This is the priority and number of the port on the Switch through which t...

Page 137: ... 137 13 8 Configure Multiple Spanning Tree Protocol To configure MSTP click MSTP in the Advanced Application Spanning Tree Protocol screen See Section 13 1 5 on page 124 for more information on MSTP Figure 75 Advanced Application Spanning Tree Protocol MSTP ...

Page 138: ...elay This is the maximum time in seconds the Switch will wait before changing states This delay is required because every switch must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to a blocking state otherwise temporary data loops might result The allowed range is 4 to 3...

Page 139: ...ommon settings and then make adjustments on a port by port basis Note Changes in this row are copied to all the ports as soon as you make them Active Select this check box to add this port to the MST instance Priority Configure the priority for each port here Priority decides which port should be disabled when more than one port forms a loop in a switch Ports with a higher priority numeric value a...

Page 140: ...13 1 5 on page 124 for more information on MSTP Note This screen is only available after you activate MSTP on the Switch Figure 76 Advanced Application Spanning Tree Protocol Status MSTP Delete Check the rule s that you want to remove in the Delete column and then click the Delete button Cancel Click Cancel to begin configuring this screen afresh Table 31 Advanced Application Spanning Tree Protoco...

Page 141: ...st from the root port on this Switch to the root switch Port ID This is the priority and number of the port on the Switch through which this Switch must communicate with the root of the Spanning Tree Configuration Name This field displays the configuration name for this MST region Revision Number This field displays the revision number for this MST region Configuration Digest A configuration diges...

Page 142: ...m the root port in this MST instance to the regional root switch Port ID This is the priority and number of the port on the Switch through which this Switch must communicate with the root of the MST instance Table 32 Advanced Application Spanning Tree Protocol Status MSTP continued LABEL DESCRIPTION ...

Page 143: ...ntrol This chapter shows you how you can cap the maximum bandwidth using the Bandwidth Control screen 14 1 Bandwidth Control Overview Bandwidth control means defining a maximum allowable bandwidth for incoming and or out going traffic flows on a port ...

Page 144: ...ol on the Switch Port This field displays the port number Settings in this row apply to all ports Use this row only if you want to make some settings the same for all ports Use this row first to set the common settings and then make adjustments on a port by port basis Note Changes in this row are copied to all the ports as soon as you make them Active Select this check box to activate ingress rate...

Page 145: ...me memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to reset the fields Table 33 Advanced Application Bandwidth Control continued LABEL DESCRIPTION ...

Page 146: ...Chapter 14 Bandwidth Control MES 3528 User s Guide 146 ...

Page 147: ...kets the Switch receives per second on the ports When the maximum number of allowable broadcast multicast and or DLF packets is reached per second the subsequent packets are discarded Enable this feature to reduce broadcast multicast and or DLF packets in your network You can specify limits for each packet type on each port Click Advanced Application Broadcast Storm Control in the navigation panel...

Page 148: ...ents on a port by port basis Note Changes in this row are copied to all the ports as soon as you make them Broadcast pkt s Select this option and specify how many broadcast packets the port receives per second Multicast pkt s Select this option and specify how many multicast packets the port receives per second DLF pkt s Select this option and specify how many destination lookup failure DLF packet...

Page 149: ...w to a monitor port the port you copy the traffic to in order that you can examine the traffic from the monitor port without interference Click Advanced Application Mirroring in the navigation panel to display the Mirroring screen Use this screen to select a monitor port and specify the traffic flow to be copied to the monitor port Figure 79 Advanced Application Mirroring ...

Page 150: ...s Use this row only if you want to make some settings the same for all ports Use this row first to set the common settings and then make adjustments on a port by port basis Note Changes in this row are copied to all the ports as soon as you make them Mirrored Select this option to mirror the traffic on a port Direction Specify the direction of the traffic to mirror by selecting from the drop down ...

Page 151: ...nning port of each trunk group must be physically connected to form a trunk group The Switch supports both static and dynamic link aggregation Note In a properly planned network it is recommended to implement static link aggregation only This ensures increased network stability and control over the trunk groups on your Switch See Section 17 6 on page 158 for a static port trunking example 17 2 Dyn...

Page 152: ... type speed duplex mode and flow control settings Configure trunk groups or LACP before you connect the Ethernet switch to avoid causing network topology loops 17 2 1 Link Aggregation ID LACP aggregation ID consists of the following information1 Table 36 Link Aggregation ID Local Switch SYSTEM PRIORITY MAC ADDRESS KEY PORT PRIORITY PORT NUMBER 0000 00 00 00 00 00 00 0000 00 0000 Table 37 Link Aggr...

Page 153: ...nk group that is one logical link containing multiple ports Enabled Ports These are the ports you have configured in the Link Aggregation screen to be in the trunk group The port number s displays only when this trunk group is activated and there is a port belonging to this group Synchronized Ports These are the ports that are currently transmitting data as one logical link in this trunk group Agg...

Page 154: ...c based on a combination of the packet s source and destination MAC addresses src ip means the Switch distributes traffic based on the packet s source IP address dst ip means the Switch distributes traffic based on the packet s destination IP address src dst ip means the Switch distributes traffic based on a combination of the packet s source and destination IP addresses Status This field displays...

Page 155: ...anced Application Link Aggregation Link Aggregation Setting The following table describes the labels in this screen Table 39 Advanced Application Link Aggregation Link Aggregation Setting LABEL DESCRIPTION Link Aggregation Setting This is the only screen you need to configure to enable static link aggregation Group ID The field identifies the link aggregation group that is one logical link contain...

Page 156: ...ddresses Select src ip to distribute traffic based on the packet s source IP address Select dst ip to distribute traffic based on the packet s destination IP address Select src dst ip to distribute traffic based on a combination of the packet s source and destination IP addresses Port This field displays the port number Group Select the trunk group to which a port belongs Note When you enable the ...

Page 157: ...on dynamic link aggregation Figure 82 Advanced Application Link Aggregation Link Aggregation Setting LACP The following table describes the labels in this screen Table 40 Advanced Application Link Aggregation Link Aggregation Setting LACP LABEL DESCRIPTION Link Aggregation Control Protocol Note Do not configure this screen unless you want to enable dynamic link aggregation Active Select this check...

Page 158: ...me for all ports Use this row first to set the common settings and then make adjustments on a port by port basis Note Changes in this row are copied to all the ports as soon as you make them LACP Timeout Timeout is the time interval between the individual port exchanges of LACP packets in order to check that the peer port in the trunk group is still up If a port does not respond after three tries ...

Page 159: ...B Figure 83 Trunking Example Physical Connections 2 Configure static trunking Click Advanced Application Link Aggregation Link Aggregation Setting In this screen activate trunk group T1 select the traffic distribution algorithm used by this group and select the ports that should belong to this group as shown in the figure below Click Apply when you are done Figure 84 Trunking Example Configuration...

Page 160: ...Chapter 17 Link Aggregation MES 3528 User s Guide 160 ...

Page 161: ...cation Dial In User Service RFC 2138 2139 protocol to validate users See Section 25 1 2 on page 210 for more information on configuring your RADIUS server settings 18 1 1 IEEE 802 1x Authentication The following figure illustrates how a client connecting to a IEEE 802 1x authentication enabled port goes through a validation process The Switch prompts the client for login information in the form of...

Page 162: ...thentication first activate the port authentication method both on the Switch and the port s then configure the RADIUS server settings in the Auth and Acct Radius Server Setup screen Click Advanced Application Port Authentication in the navigation panel to display the screen as shown Figure 86 Advanced Application Port Authentication New Connection Authentication Request Authentication Reply 1 4 5...

Page 163: ...nced Application Port Authentication 802 1x LABEL DESCRIPTION Active Select this check box to permit 802 1x authentication on the Switch Note You must first enable 802 1x authentication on the Switch before configuring it on each port Port This field displays the port number Settings in this row apply to all ports Use this row only if you want to make some settings the same for all ports Use this ...

Page 164: ...port Reauthenticati on Timer Specify how often a client has to re enter his or her username and password to stay connected to the port Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring C...

Page 165: ...Switch The Switch can learn up to 16K MAC addresses in total with no limit on individual ports other than the sum cannot exceed 16K For maximum port security enable this feature disable MAC address learning and configure static MAC address es for a port It is not recommended you disable port security together with MAC address learning as this will result in many broadcasts By default MAC address l...

Page 166: ...of the port s separated by a comma on which you want to enable port security and disable MAC address learning After you click MAC freeze all previously learned MAC addresses on the specified port s will become static MAC addresses and display in the Static MAC Forwarding screen MAC freeze Click MAC freeze to have the Switch automatically select the Active check boxes and clear the Address Learning...

Page 167: ... occur on a port the port itself must be active with address learning enabled Limited Number of Learned MAC Address Use this field to limit the number of dynamic MAC addresses that may be learned on a port For example if you set this field to 5 on port 2 then only the devices with these five learned MAC addresses may access port 2 at any one time A sixth device would have to wait until one of the ...

Page 168: ...Chapter 19 Port Security MES 3528 User s Guide 168 ...

Page 169: ...as the source address destination address source port number destination port number or incoming port number For example you can configure a classifier to select traffic from the same protocol port such as Telnet to form a flow Configure QoS on the Switch to group and prioritize application traffic and fine tune network performance Setting up QoS involves two separate steps 1 Configure classifiers...

Page 170: ...ect this option to enable this rule Name Enter a descriptive name for this rule for identifying purposes Layer 2 Specify the fields below to configure a layer 2 classifier Ethernet Type Select an Ethernet type or select Other and enter the Ethernet type number in hexadecimal value Refer to Table 45 on page 172 for information Source MAC Address Select Any to apply the rule to all MAC addresses To ...

Page 171: ... 24 Socket Number Note You must select either UDP or TCP in the IP Protocol field before you configure the socket numbers Select Any to apply the rule to all TCP UDP protocol port numbers or select the second option and enter a TCP UDP protocol port number Refer to Table 47 on page 173 for more information Destination IP Address Address Prefix Enter a destination IP address in dotted decimal notat...

Page 172: ...g protocol number Table 44 Classifier Summary Table LABEL DESCRIPTION Index This field displays the index number of the rule Click an index number to edit the rule Active This field displays Yes when the rule is activated and No when it is deactivated Name This field displays the descriptive name for this rule This is for identification purpose only Rule This field displays a summary of the classi...

Page 173: ...page 347 for information on commonly used port numbers 20 4 Classifier Example The following screen shows an example where you configure a classifier that identifies all traffic from MAC address 00 50 ba ad 4f 81 on port 2 IBM SNA 80D5 AppleTalk AARP 80F3 Table 46 Common IP Protocol Types and Protocol Numbers PROTOCOL TYPE PROTOCOL NUMBER ICMP 1 TCP 6 UDP 17 EGP 8 L2TP 115 Table 47 Common TCP and ...

Page 174: ...r 20 Classifier MES 3528 User s Guide 174 After you have configured a classifier you can configure a policy in the Policy screen to define action s on the classified traffic flow Figure 91 Classifier Example ...

Page 175: ...inguishes traffic into flows based on the configured criteria refer to Chapter 20 on page 169 for more information A policy rule ensures that a traffic flow gets the requested treatment in the network 21 2 Configuring Policy Rules You must first configure a classifier in the Classifier screen Refer to Section 20 2 on page 169 for more information ...

Page 176: ...er a descriptive name for identification purposes Classifier s This field displays the active classifier s you configure in the Classifier screen Select the classifier s to which this policy rule applies To select more than one classifier press SHIFT and select the choices at the same time Parameters Set the fields below for this policy You only have to set the field s that is related to the actio...

Page 177: ... classifiers Class 1 and Class 2 and both identify all traffic from MAC address 11 22 33 44 55 66 on port 3 If Policy 1 applies to Class 1 and the action is to drop the packets Policy 2 applies to Class 2 and the action is to foward the packets to the egress port the Switch will forward the packets If Policy 1 applies to Class 1 and the action is to drop the packets Policy 2 applies to Class 2 and...

Page 178: ...lear Click Clear to set the above fields back to the factory defaults Table 48 Advanced Application Policy Rule continued LABEL DESCRIPTION Table 49 Advanced Application Policy Rule Summary Table LABEL DESCRIPTION Index This field displays the policy index number Click an index number to edit the policy Active This field displays Yes when policy is activated and No when is it deactivated Name This...

Page 179: ...uide 179 21 4 Policy Example The figure below shows an example Policy screen where you configure a policy to limit bandwidth on a traffic flow classified using the Example classifier refer to Section 20 4 on page 173 Figure 94 Policy Example ...

Page 180: ...Chapter 21 Policy Rule MES 3528 User s Guide 180 ...

Page 181: ... transmitted first When that queue empties traffic on the next highest priority queue Q6 is transmitted until Q6 empties and then traffic is transmitted on Q5 and so on If higher priority queues never empty then traffic on lower priority queues never gets sent SP does not automatically adapt to changing network requirements 22 1 2 Weighted Fair Queuing Weighted Fair Queuing is used to guarantee ea...

Page 182: ...o on depending on the number of queues being used This works in a looping fashion until a queue is empty Weighted Round Robin Scheduling WRR uses the same algorithm as round robin scheduling but services queues based on their priority and queue weight the number you configure in the queue Weight field rather than a fixed amount of bandwidth WRR is activated only when a port has more traffic than i...

Page 183: ...labels in this screen Table 50 Advanced Application Queuing Method LABEL DESCRIPTION Port This label shows the port you are configuring Settings in this row apply to all ports Use this row only if you want to make some settings the same for all ports Use this row first to set the common settings and then make adjustments on a port by port basis Note Changes in this row are copied to all the ports ...

Page 184: ... larger weights get more service than queues with smaller weights Weight When you select WFQ or WRR enter the queue weight here Bandwidth is divided across the different traffic queues according to their weights Hybrid SPQ Lowest Queue This field is applicable only when you select WFQ or WRR Select a queue Q0 to Q7 to have the Switch use SPQ to service the subsequent queue s after and including th...

Page 185: ...up to 4 094 customer VLANs This allows a service provider to provide different service based on specific VLANs for many different customers A service provider s customers may require a range of VLANs to handle multiple applications A service provider s customers can assign their own inner VLAN tags on ports for these applications The service provider can assign an outer VLAN tag for each customer ...

Page 186: ...LAN Tx Tagging MUST be disabled on a port where you choose Access Port Select Tunnel Port available for Gigabit ports only for egress ports at the edge of the service provider s network The Switch adds the configured SP TPID and the corresponding ingress port s SP VID to the outgoing frames before transmitting them on a Tunnel Port All VLANs belonging to a customer can be aggregated into a single ...

Page 187: ...n the Switch discards all incoming frames on the service provider s edge devices 1 and 2 in the VLAN stacking example figure that have an SP TPID different to the one configured on the Switch The Switch adds the SP TPID tag to all outgoing frames sent through the Tunnel Port on the service provider s edge devices 1 and 2 in the VLAN stacking example figure Priority refers to the IEEE 802 1p standa...

Page 188: ...n Etype Data FCS IEEE 802 1Q customer tagged frame DA SA TPID Priority VID Len Etype Data FCS Double tagged frame DA SA SP TPID Priority VID TPID Priority VID Len Etype Data FCS Table 53 802 1Q Frame DA Destination Address Priority 802 1p Priority SA Source Address Len Etype Length and type of Ethernet frame SP TPID Service Provider Tag Protocol IDentifier Data Frame data VID VLAN ID FCS Frame Che...

Page 189: ...tacking on the Switch SP TPID TPID Tag Protocol Identifier is a standard Ethernet type code identifying the frame and indicates whether the frame carries IEEE 802 1Q tag information SP TPID Service Provider Tag Protocol Identifier is the service provider VLAN stacking tag type Choose 0x8100 or 0x9100 from the drop down list box or select Others and then enter a four digit hexadecimal number from 0...

Page 190: ... Port available for Gigabit ports only for egress ports at the edge of the service provider s network The Switch adds SP TPID and the corresponding ingress port s SPVID to all outgoing frames transmitting on the Tunnel Port In order to support VLAN stacking on a port the port must be able to allow frames of 1526 Bytes 1522 Bytes 4 Bytes for the second tag to pass through it SPVID SPVID is the serv...

Page 191: ...sert the entry in the summary table below and save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Index This is the index number of the entry SVLAN ID This is the service VLAN ID Delete Check the entry ies tha...

Page 192: ...Chapter 23 VLAN Stacking MES 3528 User s Guide 192 ...

Page 193: ...st address allows a device to send packets to a specific group of hosts multicast group in a different subnetwork A multicast IP address represents a traffic receiving group not individual receiving devices IP addresses in the Class D range 224 0 0 0 to 239 255 255 255 are used for IP multicasting Certain IP multicast numbers are reserved by IANA for special purposes see the IANA web site for more...

Page 194: ...nooping and VLANs The Switch can perform IGMP snooping on up to 16 VLANs You can configure the Switch to automatically learn multicast group membership of any VLANs The Switch then performs IGMP snooping on the first 16 VLANs that send IGMP packets This is referred to as auto mode Alternatively you can specify the VLANs that IGMP snooping should be performed on This is referred to as fixed mode In...

Page 195: ...n as shown See Section 24 1 on page 193 for more information on multicasting Figure 100 Advanced Application Multicast Multicast Setting Port This field displays the port number that belongs to the multicast group Multicast Group This field displays IP multicast group addresses Table 56 Advanced Application Multicast Status continued LABEL DESCRIPTION ...

Page 196: ...ame Select Drop to discard the frame s Select Flooding to send the frame s to all ports Reserved Multicast Group The IP address range of 224 0 0 0 to 224 0 0 255 are reserved for multicasting on the local network only For example 224 0 0 1 is for all hosts on a local network segment and 224 0 0 9 is used to send RIP routing information to all RIP v2 routers on the same network segment A multicast ...

Page 197: ...Replace to replace an existing entry in the multicast forwarding table with the new IGMP report s received on this port IGMP Filtering Profile Select the name of the IGMP filtering profile to use for this port Otherwise select Default to prohibit the port from joining any multicast group You can create IGMP filtering profiles in the Multicast Multicast Setting IGMP Filtering Profile screen IGMP Qu...

Page 198: ...n of any VLANs automatically Select fixed to have the Switch only learn multicast group membership information of the VLAN s that you specify below In either auto or fixed mode the Switch can learn up to 16 VLANs including up to five VLANs you configured in the MVR screen For example if you have configured one multicast VLAN in the MVR screen you can only specify up to 15 VLANs in this screen The ...

Page 199: ... ID of a static VLAN the valid range is between 1 and 4094 Note You cannot configure the same VLAN ID as in the MVR screen Add Click Add to insert the entry in the summary table below and save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory...

Page 200: ... IP address for a range of multicast IP addresses that you want to belong to the IGMP filter profile End Address Type the ending multicast IP address for a range of IP addresses that you want to belong to the IGMP filter profile If you want to add a single multicast IP address enter it in both the Start Address and End Address fields Add Click Add to save the profile to the Switch s run time memor...

Page 201: ...igure shows a network example The subscriber VLAN 1 2 and 3 information is hidden from the streaming media server S In addition the multicast VLAN information is only visible to the Switch and S Figure 103 MVR Network Example 24 6 1 Types of MVR Ports In MVR a source port is a port on the Switch that can send and receive multicast traffic in a multicast VLAN while a receiver port can only receive ...

Page 202: ...ple subscriber devices can connect through a port configured as the receiver on the Switch When the subscriber selects a television channel computer A sends an IGMP report to the Switch to join the appropriate multicast group If the IGMP report matches one of the configured MVR multicast group addresses on the Switch an entry is created in the forwarding table on the Switch This maps the subscribe...

Page 203: ...ticast VLAN Click Advanced Applications Multicast Multicast Setting MVR link to display the screen as shown next Note You can create up to five multicast VLANs and up to 256 multicast rules on the Switch Note Your Switch automatically creates a static VLAN with the same VID when you create a multicast VLAN in this screen Figure 105 Advanced Application Multicast Multicast Setting MVR ...

Page 204: ...n a port by port basis Note Changes in this row are copied to all the ports as soon as you make them Source Port Select this option to set this port as the MVR source port that sends and receives multicast traffic All source ports must belong to a single multicast VLAN Receiver Port Select this option to set this port as a receiver port that only receives multicast traffic None Select this option ...

Page 205: ... describes the labels in this screen Delete To delete a multicast VLAN s select the rule s that you want to remove in the Delete column then click the Delete button Cancel Click Cancel to clear the Delete check boxes Table 60 Advanced Application Multicast Multicast Setting MVR continued LABEL DESCRIPTION Table 61 Advanced Application Multicast Multicast Setting MVR Group Configuration LABEL DESCR...

Page 206: ...193 for more information on IP multicast addresses Add Click Add to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh MVLAN This field displays the...

Page 207: ...n the Switch create a multicast group in the MVR screen and set the receiver and source ports Figure 108 MVR Configuration Example To set the Switch to forward the multicast group traffic to the subscribers configure multicast group settings in the Group Configuration screen The ...

Page 208: ... 3528 User s Guide 208 following figure shows an example where two multicast groups News and Movie are configured for the multicast VLAN 200 Figure 109 MVR Group Configuration Example Figure 110 MVR Group Configuration Example ...

Page 209: ... levels associated with them For example user A may have the right to create new login accounts on the Switch but user B cannot The Switch can authorize users based on user accounts configured on the Switch itself or it can use an external server to authorize a large number of users Accounting is the process of recording what a user is doing The Switch can use an external server to track when user...

Page 210: ...ed to the memory capacity of the device In essence RADIUS and TACACS authentication both allow you to validate an unlimited number of users from a central location The following table describes some key differences between RADIUS and TACACS 25 2 AAA Screens The AAA screens allow you to enable authentication authorization accounting or all of them on the Switch First configure your authentication a...

Page 211: ...up Use this screen to configure your RADIUS server settings See Section 25 1 2 on page 210 for more information on RADIUS servers and Section 25 3 on page 219 for RADIUS attributes utilized by the authentication and accounting features on the Switch Click on the RADIUS Server Setup link in the AAA screen to view the screen as shown Figure 113 Advanced Application AAA RADIUS Server Setup ...

Page 212: ...cimal notation UDP Port The default port of a RADIUS server for authentication is 1812 You need not change this value unless your network administrator instructs you to do so Shared Secret Specify a password up to 32 alphanumeric characters as the key to be shared between the external RADIUS server and the Switch This key is not sent over the network This key must be the same on the external RADIU...

Page 213: ... Switch This key is not sent over the network This key must be the same on the external RADIUS accounting server and the Switch Delete Check this box if you want to remove an existing RADIUS accounting server entry from the Switch This entry is deleted when you click Apply Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or l...

Page 214: ...n dotted decimal notation TCP Port The default port of a TACACS server for authentication is 49 You need not change this value unless your network administrator instructs you to do so Shared Secret Specify a password up to 32 alphanumeric characters as the key to be shared between the external TACACS server and the Switch This key is not sent over the network This key must be the same on the exter...

Page 215: ...ver the network This key must be the same on the external TACACS accounting server and the Switch Delete Check this box if you want to remove an existing TACACS accounting server entry from the Switch This entry is deleted when you click Apply Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save lin...

Page 216: ...ternal servers Login These fields specify which database the Switch should use first second and third to authenticate administrator accounts users for Switch management Configure the local user accounts in the Access Control Logins screen The TACACS and RADIUS are external servers Before you specify the priority make sure you have set up the corresponding database correctly first You can specify u...

Page 217: ...ave the Switch send accounting information to all configured accounting servers at the same time If you don t select this and you have two accounting servers set up then the Switch sends information to the first accounting server and if it doesn t get a response from the accounting server then it tries the second accounting server Mode The Switch supports two modes of recording login events Select...

Page 218: ...LI Reference Guide for more information on account privilege levels for the authenticated user The VSAs are composed of the following Vendor ID An identification number assigned to the company by the IANA Internet Assigned Numbers Authority ZyXEL s vendor ID is 890 Vendor Type A vendor specified attribute identifying the setting you want to modify Vendor data A value you want to assign to the sett...

Page 219: ...ed on the RADIUS server This appendix lists the RADIUS attributes supported by the Switch Egress Bandwidth Assignment Vendor Id 890 Vendor Type 2 Vendor data egress rate Kbps in decimal format Privilege Assignment Vendor ID 890 Vendor Type 3 Vendor Data shell priv lvl N or Vendor ID 9 CISCO Vendor Type 1 CISCO AVPAIR Vendor Data shell priv lvl N where N is a privilege level from 0 to 14 Note If yo...

Page 220: ...following sections list the attributes sent from the Switch to the RADIUS server when performing authentication 25 3 1 1 Attributes Used for Authenticating Privilege Access User Name The format of the User Name attribute is enab where is the privilege level 1 14 User Password NAS Identifier NAS IP Address 25 3 1 2 Attributes Used to Login Users User Name User Password NAS Identifier NAS IP Address...

Page 221: ...tributes are listed in the following table along with the time that they are sent the difference between Console and Telnet SSH Exec events is that the Telnet SSH events utilize the Calling Station Id attribute Table 68 RADIUS Attributes Exec Events via Console ATTRIBUTE START INTERIM UPDATE STOP User Name Y Y Y NAS Identifier Y Y Y NAS IP Address Y Y Y Service Type Y Y Y Acct Status Type Y Y Y Ac...

Page 222: ...BUTE START INTERIM UPDATE STOP Table 70 RADIUS Attributes Exec Events via 802 1x ATTRIBUTE START INTERIM UPDATE STOP User Name Y Y Y NAS IP Address Y Y Y NAS Port Y Y Y Class Y Y Y Called Station Id Y Y Y Calling Station Id Y Y Y NAS Identifier Y Y Y NAS Port Type Y Y Y Acct Status Type Y Y Y Acct Delay Time Y Y Y Acct Session Id Y Y Y Acct Authentic Y Y Y Acct Input Octets Y Y Acct Output Octets ...

Page 223: ...s a binding the Switch forwards the packet If there is not a binding the Switch discards the packet The Switch builds the binding table by snooping DHCP packets dynamic bindings and from information provided manually by administrators static bindings IP source guard consists of the following features Static bindings Use this to create static bindings in the binding table DHCP snooping Use this to ...

Page 224: ...not succeed Untrusted ports are connected to subscribers The Switch discards DHCP packets from untrusted ports in the following situations The packet is a DHCP server packet for example OFFER ACK or NACK The source MAC address and source IP address in the packet do not match any of the current bindings The packet is a RELEASE or DECLINE packet and the source MAC address and source port do not matc...

Page 225: ...e requests The Switch can add the following information Slot ID 1 byte port ID 1 byte and source VLAN ID 2 bytes System name up to 32 bytes This information is stored in an Agent Information field in the option 82 field of the DHCP headers of client DHCP request frames See Chapter 31 on page 267 for more information about DHCP relay option 82 When the DHCP server responds the Switch removes the in...

Page 226: ...X does the following things It pretends to be computer A and responds to computer B It pretends to be computer B and sends a message to computer A As a result all the communication between computer A and computer B passes through computer X Computer X can read and alter the information passed between them 26 1 2 1 ARP Inspection and MAC Address Filters When the Switch identifies an unauthorized AR...

Page 227: ...tch can send syslog messages to the specified syslog server Chapter 35 on page 309 when it forwards or discards ARP packets The Switch can consolidate log messages and send log messages in batches to make this mechanism more efficient 26 1 2 4 Configuring ARP Inspection Follow these steps to configure ARP inspection on the Switch 1 Configure DHCP snooping See Section 26 1 1 4 on page 225 Note It i...

Page 228: ...rce Guard LABEL DESCRIPTION Index This field displays a sequential number for each binding MAC Address This field displays the source MAC address in the binding IP Address This field displays the IP address assigned to the MAC address in the binding Lease This field displays how many days hours minutes and seconds the binding is valid for example 2d3h4m5s means the binding is still valid for 2 day...

Page 229: ...t number in the field to the right If this binding applies to all ports select Any Add Click this to create the specified static binding or to update an existing one Cancel Click this to reset the values above based on the last selected static binding or if not applicable to clear the fields above Clear Click this to clear the fields above Index This field displays a sequential number for each bin...

Page 230: ...screen click Advanced Application IP Source Guard DHCP Snooping Port This field displays the port number in the binding If this field is blank the binding applies to all ports Delete Select this and click Delete to remove the specified entry Cancel Click this to clear the Delete check boxes above Table 72 IP Source Guard Static Binding continued LABEL DESCRIPTION ...

Page 231: ...Chapter 26 IP Source Guard MES 3528 User s Guide 231 Figure 120 DHCP Snooping ...

Page 232: ... field displays how much longer in seconds the Switch tries to complete the current update before it gives up It displays Not Running if the Switch is not updating the DHCP snooping database right now Abort timer expiry This field displays when in seconds the Switch is going to update the DHCP snooping database again It displays Not Running if the current bindings have not changed since the last u...

Page 233: ...ce Guide Binding collisions This field displays the number of bindings the Switch ignored because the Switch already had a binding with the same MAC address and VLAN ID Invalid interfaces This field displays the number of bindings the Switch ignored because the port number was a trusted interface or does not exist anymore Parse failures This field displays the number of bindings the Switch ignored...

Page 234: ...rt To open this screen click Advanced Application IP Source Guard DHCP Snooping Configure Figure 121 DHCP Snooping Configure Parse failures This field displays the number of bindings the Switch has ignored because the Switch was unable to understand the binding in the DHCP binding database Expired leases This field displays the number of bindings the Switch has ignored because the lease time had a...

Page 235: ...o start the next update until it completes the current one Agent URL Enter the location of the DHCP snooping database The location should be expressed like this tftp domain name or IP address directory if applicable file name for example tftp 192 168 10 1 database txt Timeout interval Enter how long 10 65535 seconds the Switch tries to complete a specific update in the DHCP snooping database befor...

Page 236: ...untrusted can receive each second To open this screen click Advanced Application IP Source Guard DHCP Snooping Configure Port Figure 122 DHCP Snooping Port Configure Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory ...

Page 237: ...d ports are connected to subscribers and the Switch discards DHCP packets from untrusted ports in the following situations The packet is a DHCP server packet for example OFFER ACK or NACK The source MAC address and source IP address in the packet do not match any of the current bindings The packet is a RELEASE or DECLINE packet and the source MAC address and source port do not match any of the cur...

Page 238: ... on the Switch and specify trusted ports Note If DHCP is enabled and there are no trusted ports DHCP requests will not succeed Option82 Select this to have the Switch add the slot number port number and VLAN ID to DHCP requests that it broadcasts to the DHCP VLAN if specified or VLAN You can specify the DHCP VLAN in the DHCP Snooping Configure screen See Section 26 5 on page 234 Information Select...

Page 239: ... filters that were created because the Switch identified unauthorized ARP packets Index This field displays a sequential number for each MAC address filter MAC Address This field displays the source MAC address in the MAC address filter VID This field displays the source VLAN ID in the MAC address filter Port This field displays the source port of the discarded ARP packet Expiry sec This field dis...

Page 240: ...tion to specify the VLANs you want to look at in the section below Enabled VLAN Select this to look at all the VLANs on which ARP inspection is enabled in the section below Selected VLAN Select this to look at all the VLANs in a specific range in the section below Then enter the lowest VLAN ID Start VID and the highest VLAN ID End VID you want to look at Apply Click this to display the specified r...

Page 241: ...generated by ARP packets and that have not been sent to the syslog server yet Total number of logs This field displays the number of log messages that were generated by ARP packets and that have not been sent to the syslog server yet If one or more log messages are dropped due to unavailable buffer there is an entry called overflow with the current number of dropped log messages Index This field d...

Page 242: ...because it violated a static binding with the same MAC address and VLAN ID deny An ARP packet was discarded because there were no bindings with the same MAC address and VLAN ID dhcp permit An ARP packet was forwarded because it matched a dynamic binding static permit An ARP packet was forwarded because it matched a static binding In the ARP Inspection VLAN Configure screen you can configure the Sw...

Page 243: ... address filter remains in the Switch after the Switch identifies an unauthorized ARP packet The Switch automatically deletes the MAC address filter afterwards Enter 0 if you want the MAC address filter to be permanent Log Profile Log buffer size Enter the maximum number 1 1024 of log messages that were generated by ARP packets and have not been sent to the syslog server yet Make sure this number ...

Page 244: ...ng examples 4 invalid ARP packets per second Syslog rate is 5 Log interval is 1 the Switch sends 4 syslog messages every second 6 invalid ARP packets per second Syslog rate is 5 Log interval is 2 the Switch sends 5 syslog messages every 2 seconds Log interval Enter how often 1 86400 seconds the Switch sends a batch of syslog messages to the syslog server Enter 0 if you want the Switch to send sysl...

Page 245: ...is port is a trusted port Trusted or an untrusted port Untrusted The Switch does not discard ARP packets on trusted ports for any reason The Switch discards ARP packets on untrusted ports in the following situations The sender s information in the ARP packet does not match any of the current bindings The rate at which ARP packets arrive is too high You can specify the maximum rate at which ARP pac...

Page 246: ...l is 5 seconds then the Switch accepts a maximum of 75 ARP packets in every five second interval Enter the length 1 15 seconds of the burst interval Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done...

Page 247: ...the VLAN Deny The Switch generates log messages when it discards an ARP packet from the VLAN Permit The Switch generates log messages when it forwards an ARP packet from the VLAN All The Switch generates log messages every time it receives an ARP packet from the VLAN Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses p...

Page 248: ...Chapter 26 IP Source Guard MES 3528 User s Guide 248 ...

Page 249: ... 130 Loop Guard vs STP Loop guard is designed to handle loop problems on the edge of your network This can occur when a port is connected to a Switch that is in a loop state Loop state occurs as a result of human error It happens when two ports on a switch are connected with the same cable When a switch in loop state sends out broadcast messages the messages loop back to the switch and are re broa...

Page 250: ...port If this is the case the Switch will shut down the port connected to the switch in loop state The following figure shows a loop guard enabled port N on switch A sending a probe packet P to switch B Since switch B is in loop state the probe packet P returns to port N on A The Switch then shuts down port N to ensure that the rest of the network is not affected by the switch in loop state Figure ...

Page 251: ...r network you can re activate the disabled port via the web configurator see Section 8 7 on page 85 or via commands See the CLI Reference Guide 27 2 Loop Guard Setup Click Advanced Application Loop Guard in the navigation panel to display the screen as shown Note The loop guard feature can not be enabled on the ports that have Spanning Tree Protocol RSTP MRSTP or MSTP enabled Figure 134 Advanced A...

Page 252: ...anges in this row are copied to all the ports as soon as you make them Active Select this check box to enable the loop guard feature on this port The Switch sends probe packets from this port to check if the switch it is connected to is in loop state If the switch that this port is connected is in loop state the Switch will shut down this port Clear this check box to disable the loop guard feature...

Page 253: ... provider s network The edge switch encapsulates layer 2 protocol packets with a specific MAC address before sending them across the service provider s network to other edge switches Figure 135 Layer 2 Protocol Tunneling Network Scenario In the following example if you enable L2PT for STP you can have switches A B C and D in the same spanning tree even though switch A is not directly connected to ...

Page 254: ... on the service provider s edge device 1 or 2 in Figure 136 on page 254 and connected to a customer switch A or B Incoming layer 2 protocol packets received on an access port are encapsulated and forwarded to the tunnel ports The Tunnel port is an egress port at the edge of the service provider s network and connected to another service provider s switch Incoming encapsulated layer 2 protocol pack...

Page 255: ...ESCRIPTION Active Select this to enable layer 2 protocol tunneling on the Switch Destination MAC Address Specify an MAC address with which the Switch uses to encapsulate the layer 2 protocol packets by replacing the destination MAC address in the packets Note The MAC address can be either a unicast MAC address or multicast MAC address If you use a unicast MAC address make sure the MAC address does...

Page 256: ... s physical status and detect a unidirectional link PAGP Select this option to have the Switch send PAgP packets to a peer to automatically negotiate and build a logical port aggregation LACP Select this option to have the Switch send LACP packets to a peer to dynamically creates and manages trunk groups UDLD Select this option to have the Switch send UDLD packets to a peer s port it connected to ...

Page 257: ...257 PART IV IP Application Static Route 259 Differentiated Services 263 DHCP 267 ...

Page 258: ...258 ...

Page 259: ...the default gateway The Switch can also use static routes to send data to a server or device that is not reachable through the default gateway for example when sending SNMP traps or using ping to test IP connectivity This figure shows a Telnet session coming in from network N1 The Switch sends reply traffic to default gateway R1 which routes it back to the manager s computer The Switch needs a sta...

Page 260: ... host use a subnet mask of 255 255 255 255 in the subnet mask field to force the network number to be identical to the host ID Gateway IP Address Enter the IP address of the gateway The gateway is an immediate neighbor of your Switch that will forward the packet to the destination The gateway must be a router on the same segment as your Switch Metric The metric represents the cost of transmission ...

Page 261: ... for this route This is for identification purposes only Destination Address This field displays the IP network address of the final destination Subnet Mask This field displays the subnet mask for this destination Gateway Address This field displays the IP address of the gateway The gateway is an immediate neighbor of your Switch that will forward the packet to the destination Metric This field di...

Page 262: ...Chapter 29 Static Route MES 3528 User s Guide 262 ...

Page 263: ...differently depending on the code points without the need to negotiate paths or remember state information for every flow In addition applications do not have to request a particular service or give advanced notice of where the traffic is going 30 1 1 DSCP and Per Hop Behavior DiffServ defines a new DS Differentiated Services field to replace the Type of Service ToS field in the IP header The DS f...

Page 264: ...ing packets into different traffic flows Platinum Gold Silver Bronze based on the configured marking rules A network administrator can then apply various traffic policies to the traffic flows An example traffic policy is to give higher drop precedence to one traffic flow over others In our example packets in the Bronze traffic flow are more likely to be dropped when congestion occurs than the pack...

Page 265: ...802 1p mapping table The following table shows the default DSCP to IEEE802 1p mapping Table 86 IP Application DiffServ LABEL DESCRIPTION Active Select this option to enable DiffServ on the Switch Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your chang...

Page 266: ...8 IP Application DiffServ DSCP Setting LABEL DESCRIPTION 0 63 This is the DSCP classification identification number To set the IEEE 802 1p priority mapping select the priority level from the drop down list box Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to s...

Page 267: ... the client computers must be configured manually 31 1 1 DHCP Modes If there is already a DHCP server on your network then you can configure the Switch as a DHCP relay agent When the Switch receives a request from a computer on your network it contacts the DHCP server for the necessary IP information and then relays the assigned information back to the computer 31 1 2 DHCP Configuration Options Th...

Page 268: ...e Switch The Switch can be configured as a global DHCP relay This means that the Switch forwards all DHCP requests from all domains to the same DHCP server You can also configure the Switch to relay DHCP information based on the VLAN membership of the DHCP clients 31 3 1 DHCP Relay Agent Information The Switch can add information about the source of client DHCP requests that it relays to a DHCP se...

Page 269: ...tion that the Switch sends to the DHCP server 31 3 2 Configuring DHCP Global Relay Configure global DHCP relay in the DHCP Relay screen Click IP Application DHCP in the navigation panel and click the Global link to display the screen as shown Figure 145 IP Application DHCP Global Table 90 Relay Agent Information FIELD LABELS DESCRIPTION Slot ID 1 byte This value is always 0 for stand alone switche...

Page 270: ... Remote DHCP Server 1 3 Enter the IP address of a DHCP server in dotted decimal notation Relay Agent Information Select the Option 82 check box to have the Switch add information slot number port number and VLAN ID to client DHCP requests that it relays to a DHCP server Information This read only field displays the system name you configure in the General Setup screen Select the check box for the ...

Page 271: ... DHCP Relay Configuration Example 31 4 Configuring DHCP VLAN Settings Use this screen to configure your DHCP settings based on the VLAN domain of the DHCP clients Click IP Application DHCP in the navigation panel then click the VLAN link In the DHCP Status screen that displays Note You must set up a management IP address for each VLAN that you want to configure DHCP settings for on the Switch ...

Page 272: ...er Information This read only field displays the system name you configure in the General Setup screen Select the check box for the Switch to add the system name to the client DHCP requests that it relays to a DHCP server Add Click Add to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation pa...

Page 273: ... 100 Requests from the academic buildings VLAN 2 are sent to the other DHCP server with an IP address of 172 23 10 100 Figure 149 DHCP Relay for Two VLANs For the example network configure the VLAN Setting screen as shown Figure 150 DHCP Relay for Two VLANs Configuration Example Delete Select the configuration entries you want to remove and click Delete to remove them Cancel Click Cancel to clear ...

Page 274: ...Chapter 31 DHCP MES 3528 User s Guide 274 ...

Page 275: ...275 PART V Management Maintenance 277 Access Control 285 Diagnostic 307 Syslog 309 Cluster Management 313 MAC Table 321 ARP Table 325 Configure Clone 327 ...

Page 276: ...276 ...

Page 277: ...the following screen Figure 151 Management Maintenance The following table describes the labels in this screen Table 93 Management Maintenance LABEL DESCRIPTION Current This field displays which configuration Configuration 1 or Configuration 2 is currently operating on the Switch Firmware Upgrade Click Click Here to go to the Firmware Upgrade screen Restore Configuratio n Click Click Here to go to...

Page 278: ...rator again you may need to change the IP address of your computer to be in the same subnet as that of the default Switch IP address 192 168 1 1 Load Factory Default Click Click Here to reset the configuration to the factory default settings Save Configuratio n Click Config 1 to save the current configuration settings to Configuration 1 on the Switch Click Config 2 to save the current configuratio...

Page 279: ...ows you to restart the Switch without physically turning the power off It also allows you to load configuration one Config 1 or configuration two Config 2 when you reboot Follow the steps below to reboot the Switch 1 In the Maintenance screen click the Config 1 button next to Reboot System to reboot and load configuration one The following screen displays Figure 153 Reboot System Confirmation 2 Cl...

Page 280: ... upgrades are only applied after a reboot Click Upgrade to load the new firmware After the firmware upgrade process is complete see the System Info screen to verify your current firmware version number 32 6 Restore a Configuration File Restore a previously saved configuration from your computer to the Switch using the Restore Configuration screen Figure 155 Management Maintenance Restore Configura...

Page 281: ... the Save As screen 3 Choose a location to save the file on your computer from the Save in drop down list box and type a descriptive name for it in the File name list box Click Save to save the configuration file to your computer 32 8 FTP Command Line This section shows some examples of uploading to or downloading files from the Switch using FTP commands First understand the filename conventions 3...

Page 282: ...red copies of all files for later use Be sure to upload the correct model firmware as uploading the wrong model firmware may damage your device 32 8 2 FTP Command Line Procedure 1 Launch the FTP client on your computer 2 Enter open followed by a space and the IP address of your Switch 3 Press ENTER when prompted for a username 4 Enter your password as requested the default is 1234 5 Enter bin to s...

Page 283: ...trictions FTP will not work when FTP service is disabled in the Service Access Control screen The IP address es in the Remote Management screen does not match the client IP address If it does not match the Switch will disconnect the FTP session immediately General Commands for GUI based FTP Clients COMMAND DESCRIPTION Host Address Enter the address of the host server Login Type Anonymous This is w...

Page 284: ...Chapter 32 Maintenance MES 3528 User s Guide 284 ...

Page 285: ...ol sessions are allowed A console port access control session and Telnet access control session cannot coexist when multi login is disabled See the CLI Reference Guide for more information on disabling multi login 33 2 The Access Control Main Screen Click Management Access Control in the navigation panel to display the main screen as shown Figure 157 Management Access Control Table 95 Access Contr...

Page 286: ...twork consists of two main components agents and a manager An agent is a management software module that resides in a managed switch the Switch An agent translates the local management information from the managed switch into a form compatible with SNMP The manager is the console through which network administrators perform network management functions It executes applications that control and mon...

Page 287: ...s let administrators collect statistics and monitor status and performance The Switch supports the following MIBs SNMP MIB II RFC 1213 RFC 1157 SNMP v1 RFC 1493 Bridge MIBs RFC 1643 Ethernet MIBs RFC 1155 SMI RFC 2674 SNMPv2 SNMPv2c RFC 1757 RMON SNMPv2 SNMPv2c or later version compliant with RFC 2011 SNMPv2 MIB for IP RFC 2012 SNMPv2 MIB for TCP RFC 2013 SNMPv2 MIB for UDP Table 96 SNMP Commands ...

Page 288: ...e Switch reboots by an administrator through a management interface timesync RTCNotUpdatedEventOn 1 3 6 1 4 1 890 1 5 8 51 2 7 2 1 This trap is sent when the Switch fails to get the time and date from a time server RTCNotUpdatedEventClea r 1 3 6 1 4 1 890 1 5 8 51 2 7 2 2 This trap is sent when the Switch gets the time and date from a time server intrusionlo ck IntrusionLockEventOn 1 3 6 1 4 1 890...

Page 289: ...ameters return to the normal operating range Table 98 SNMP Interface Traps continued OPTION OBJECT LABEL OBJECT ID DESCRIPTION Table 99 AAA Traps OPTION OBJECT LABEL OBJECT ID DESCRIPTION authenticati on authenticationFailure 1 3 6 1 6 3 1 1 5 5 This trap is sent when authentication fails due to incorrect user name and or password AuthenticationFailureEven tOn 1 3 6 1 4 1 890 1 5 8 51 2 7 2 1 This...

Page 290: ... sent when the TACACS accounting server can be reached Table 99 AAA Traps continued OPTION OBJECT LABEL OBJECT ID DESCRIPTION Table 100 SNMP IP Traps OPTION OBJECT LABEL OBJECT ID DESCRIPTION ping pingProbeFailed 1 3 6 1 2 1 80 0 1 This trap is sent when a single ping probe fails pingTestFailed 1 3 6 1 2 1 80 0 2 This trap is sent when a ping test consisting of a series of ping probes fails pingTe...

Page 291: ...1 36 2 2 This trap is sent when the MRSTP topology changes MSTPTopologyChange 1 3 6 1 4 1 890 1 5 8 51 10 7 70 2 This trap is sent when the MSTP root switch changes mactable MacTableFullEventOn 1 3 6 1 4 1 890 1 5 8 51 27 2 1 This trap is sent when more than 99 of the MAC table is used MacTableFullEventClear 1 3 6 1 4 1 890 1 5 8 51 27 2 2 This trap is sent when less than 95 of the MAC table is us...

Page 292: ...al Setting Use this section to specify the SNMP version and community password values Version Select the SNMP version for the Switch The SNMP version on the Switch must match the version on the SNMP manager Choose SNMP version 2c v2c SNMP version 3 v3 or both v3v2c Note SNMP version 2c is backwards compatible with SNMP version 1 Get Community Enter the Get Community string which is the password fo...

Page 293: ...rs using SNMP v3 Note Use the username and password of the login accounts you specify in this section to create accounts on the SNMP v3 manager Index This is a read only number identifying a login account on the Switch Username This field displays the username of a login account on the Switch Security Level Select whether you want to implement authentication and or encryption for SNMP communicatio...

Page 294: ...ard is a widely used but breakable method of data encryption It applies a 56 bit key to each 64 bit block of data AES Advanced Encryption Standard is another method for data encryption that also uses a secret key AES applies a 128 bit key to 128 bit blocks of data Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses powe...

Page 295: ...a trap destination IP address in the SNMP Setting screen Use the rest of the screen to select which traps the Switch sends to that SNMP manager Type Select the categories of SNMP traps that the Switch is to send to the SNMP manager Options Select the individual SNMP traps that the Switch is to send to the SNMP station See Section 33 3 3 on page 288 for individual trap descriptions The traps are gr...

Page 296: ...ly the administrator has read write access Old Password Type the existing system password 1234 is the default password when shipped New Password Enter your new system password Retype to confirm Retype your new system password for confirmation Edit Logins You may configure passwords for up to four users These users have read only access You can give users higher privileges via the CLI For more info...

Page 297: ...ween two hosts over an unsecured network Figure 162 SSH Communication Example Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afres...

Page 298: ...r The server identifies itself with a host key The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server The client automatically saves any new server public keys In subsequent connections the server public key is checked against the saved version on the client computer 2 Encryption Method Once the identification is verified both ...

Page 299: ...ol over Secure Socket Layer or HTTP over SSL is a web protocol that encrypts and decrypts web pages Secure Socket Layer SSL is an application level protocol that enables secure transactions of data by ensuring confidentiality an unauthorized party cannot read the transferred data authentication one party can identify the other party and data integrity you know if data has been changed It relies up...

Page 300: ...l screen then the Switch blocks all HTTP connection attempts 33 8 HTTPS Example If you haven t changed the default HTTPS port on the Switch then in your browser enter https Switch IP Address as the web site address where Switch IP Address is the IP address or domain name of the Switch you wish to access 33 8 1 Internet Explorer Warning Messages When you attempt to access the Switch HTTPS server a ...

Page 301: ...e 165 Security Alert Dialog Box Internet Explorer 33 8 2 Netscape Navigator Warning Messages When you attempt to access the Switch HTTPS server a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate Click Examine Certificate if you want to verify that the certificate is from the Switch If Accept this certificate temporarily for this session is selecte...

Page 302: ...8 User s Guide 302 Select Accept this certificate permanently to import the Switch s certificate into the SSL client Figure 166 Security Certificate 1 Netscape Figure 167 Security Certificate 2 Netscape example example example example ...

Page 303: ...played in the bottom right of the browser status bar denotes a secure connection Figure 168 Example Lock Denoting a Secure Connection 33 9 Service Port Access Control Service Access Control allows you to decide what services you may use to access the Switch You may also change the default service port and configure trusted computer s for each service in the Remote Management screen discussed ...

Page 304: ...elnet SSH FTP HTTP or HTTPS services you may change the default service port by typing the new port number in the Server Port field If you change the default port number then you will have to let people who wish to use the service know the new port number for that service Timeout Type how many minutes a management session via the web configurator can be left idle before the session times out After...

Page 305: ...nt set Clear the check box if you wish to temporarily disable the set without deleting it Start Address End Address Configure the IP address range of trusted computers from which you can manage this Switch The Switch checks if the client IP address of a computer requesting a service or protocol matches the range set here The Switch immediately disconnects the session if it does not match Telnet FT...

Page 306: ...Chapter 33 Access Control MES 3528 User s Guide 306 ...

Page 307: ...tic This chapter explains the Diagnostic screen 34 1 Diagnostic Click Management Diagnostic in the navigation panel to open this screen Use this screen to check system logs ping IP addresses or perform port tests Figure 171 Management Diagnostic ...

Page 308: ...y to display a log of events in the multi line text box Click Clear to empty the text box and reset the syslog entry IP Ping Type the IP address of a device that you want to ping in order to test a connection Click Ping to have the Switch ping the IP address in the field to the left Ethernet Port Test Enter a port number and click Port Test to perform an internal loopback test ...

Page 309: ...essage has a facility and severity level The syslog facility identifies a file in the syslog server Refer to the documentation of your syslog program for details The following table describes the syslog severity levels Table 108 Syslog Severity Levels CODE SEVERITY 0 Emergency The system is unusable 1 Alert Action must be taken immediately 2 Critical The system condition is critical 3 Error There ...

Page 310: ...tting Logging Type This column displays the names of the categories of logs that the device can generate Active Select this option to set the device to generate logs for the corresponding category Facility The log facility allows you to send logs to different files in the syslog server Refer to the documentation of your syslog program for more details Apply Click Apply to save your changes to the ...

Page 311: ...ber the more critical the logs are Add Click Add to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Clear Click Clear to return the fields to the...

Page 312: ...Chapter 35 Syslog MES 3528 User s Guide 312 ...

Page 313: ... switches must be directly connected and be in the same VLAN group so as to be able to communicate with one another Table 111 Clustering Management Specifications Maximum number of cluster members 24 Cluster Member Models Must be compatible with ZyXEL cluster management implementation Cluster Manager The switch through which you manage the cluster member switches Cluster Members The switches being...

Page 314: ...nd the other switches on the upper floors of the building are cluster members Figure 174 Clustering Application Example 36 2 Cluster Management Status Click Management Cluster Management in the navigation panel to display the following screen Note A cluster can only have one manager Figure 175 Management Cluster Management Status ...

Page 315: ...lays the cluster manager switch s hardware MAC address The Number of Member This field displays the number of switches that make up this cluster The following fields describe the cluster member switches Index You can manage cluster member switches via the cluster manager switch Each number in the Index column is a hyperlink leading to the cluster member switch s web configurator see Figure 176 on ...

Page 316: ...192 168 1 1 220 Switch FTP version 1 0 ready at Thu Jan 1 00 58 46 1970 User 192 168 0 1 none admin 331 Enter PASS command Password 230 Logged in ftp ls 200 Port command okay 150 Opening data connection for LIST w w w 1 owner group 3042210 Jul 01 12 00 ras rw rw rw 1 owner group 393216 Jul 01 12 00 config w w w 1 owner group 0 Jul 01 12 00 fw 00 a0 c5 01 23 46 rw rw rw 1 owner group 0 Jul 01 12 00...

Page 317: ...default is 1234 ls Enter this command to list the name of cluster member switch s firmware and configuration file 390BHR0 bin This is the name of the firmware file you want to upload to the cluster member switch fw 00 a0 c5 01 23 46 This is the cluster member switch s firmware name as seen in the cluster manager switch config 00 a0 c5 01 23 46 This is the cluster member switch s configuration file...

Page 318: ...4 Management Cluster Management Configuration LABEL DESCRIPTION Clustering Manager Active Select Active to have this Switch become the cluster manager switch A cluster can only have one manager Other directly connected switches that are set to be cluster managers will not be visible in the Clustering Candidates list If a switch that was previously a cluster member is later set to become a cluster ...

Page 319: ...word is its web configurator password Select a member in the Clustering Candidate list and then enter its web configurator password If that switch administrator changes the web configurator password afterwards then it cannot be managed from the Cluster Manager Its Status is displayed as Error in the Cluster Management Status screen and a warning icon appears in the member summary list below If mul...

Page 320: ...Chapter 36 Cluster Management MES 3528 User s Guide 320 ...

Page 321: ...anually entered in the Static MAC Forwarding screen The Switch uses the MAC table to determine how to forward frames See the following figure 1 The Switch examines a received frame and learns the port on which this source MAC address came 2 The Switch checks to see if the frame s destination MAC address matches a source MAC address already learned in the MAC table If the Switch has already learned...

Page 322: ...port for this MAC address but the destination port is the same as the port it came in on then it filters the frame Figure 179 MAC Table Flowchart 37 2 Viewing the MAC Table Click Management MAC Table in the navigation panel to display the following screen Figure 180 Management MAC Table ...

Page 323: ...t VID to display and arrange the data according to VLAN group Select PORT to display and arrange the data according to port number Transfer Type Select Dynamic to MAC forwarding and click the Transfer button to change all dynamically learned MAC address entries in the summary table below into static entries They also display in the Static MAC Forwarding screen Select Dynamic to MAC filtering and c...

Page 324: ...Chapter 37 MAC Table MES 3528 User s Guide 324 ...

Page 325: ...ch s ARP program looks in the ARP Table and if it finds the address sends it to the device If no entry is found for the IP address ARP broadcasts the request to all the devices on the LAN The Switch fills in its own MAC and IP address in the sender address fields and puts the known IP address of the target in the target IP address field In addition the Switch puts all ones in the target MAC field ...

Page 326: ...able The following table describes the labels in this screen Table 116 Management ARP Table LABEL DESCRIPTION Index This is the ARP Table entry number IP Address This is the learned IP address of a device connected to a Switch port with corresponding MAC address below MAC Address This is the MAC address of the device with corresponding IP address above Type This shows whether the MAC address is dy...

Page 327: ...ou can copy the settings of one port onto other ports 39 1 Configure Clone Cloning allows you to copy the basic and advanced settings from a source port to a destination port or ports Click Management Configure Clone to open the following screen Figure 182 Management Configure Clone ...

Page 328: ... 4 6 indicates that ports 2 4 and 6 are the destination ports 2 6 indicates that ports 2 through 6 are the destination ports Basic Setting Select which port settings you configured in the Basic Setting menus should be copied to the destination port s Advanced Application Select which port settings you configured in the Advanced Application menus should be copied to the destination ports Apply Clic...

Page 329: ...329 PART VI Troubleshooting Product Specifications Troubleshooting 331 Product Specifications 335 ...

Page 330: ...330 ...

Page 331: ... None of the LEDs turn on 1 Make sure you are using the power adaptor or cord included with the Switch 2 Make sure the power adaptor or cord is connected to the Switch and plugged in to an appropriate power source Make sure the power source is turned on 3 Disconnect and re connect the power adaptor or cord to the Switch 4 If the problem continues contact the vendor The ALM LED is on 1 Disconnect a...

Page 332: ...t the IP address for the Switch 1 The default IP address is 192 168 1 1 2 Use the console port to log in to the Switch 3 If this does not work you have to reset the device to its factory defaults See Section 4 6 on page 52 I forgot the username and or password 1 The default username is admin and the default password is 1234 2 If this does not work you have to reset the device to its factory defaul...

Page 333: ...ions Try to access the Switch using another service such as Telnet If you can access the Switch check the remote management settings to find out why the Switch does not respond to HTTP I can see the Login screen but I cannot log in to the Switch 1 Make sure you have entered the user name and password correctly The default user name is admin and the default password is 1234 These fields are case se...

Page 334: ... the Display button in the System Log field in the Management Diagnostic screen to check for unauthorized access to your Switch To avoid unauthorized access configure the secured client setting in the Management Access Control Remote Management screen for telnet HTTP and SSH see Section 33 10 on page 304 Computers not belonging to the secured client set cannot get permission to access the Switch 4...

Page 335: ...5 port and one Small Form Factor Pluggable SFP slot with one port active at a time Auto negotiation Auto MDIX One console port Compliant with IEEE 802 3ad u x Back pressure flow control for half duplex Flow control for full duplex IEEE 802 3x External alarm jack LEDs Per switch PWR SYS ALM Per Fast Ethernet RJ 45 10 100 port LNK ACT Per mini GBIC slot LNK ACT Per 1000BASE T RJ 45 port in dual pers...

Page 336: ...s the traffic must first go through a router VLAN Stacking Use VLAN stacking to add an outer VLAN tag to the inner IEEE 802 1Q tagged frames that enter the network By tagging the tagged frames double tagged frames the service provider can manage up to 4 094 VLAN groups with each group containing up to 4 094 customer VLANs This allows a service provider to provide different service based on specifi...

Page 337: ...istration MVR Multicast VLAN Registration MVR is designed for applications such as Media on Demand MoD using multicast traffic across a network MVR allows one single multicast VLAN to be shared among different subscriber VLANs on the network This improves bandwidth utilization by reducing multicast traffic in the subscriber VLANs and simplifies multicast group management STP Spanning Tree Protocol...

Page 338: ...a copy of the Switch s configuration and put it back on the Switch later if you decide you want to revert back to an earlier configuration Cluster Management Cluster management also known as iStacking allows you to manage switches through one switch called the cluster manager The switches must be directly connected and be in the same VLAN group so as to be able to communicate with one another Tabl...

Page 339: ...e tagging for VLAN stacking Private VLAN for port isolation Protocol Based VLAN IP subnet based VLAN Port Aggregation IEEE 802 3ad LACP Six groups up to eight ports each Port mirroring Port based mirroring Support port mirroring per IP TCP UDP Bandwidth control Supports rate limiting at 64 Kb increments Provider Bridge Layer2 protocol tunneling Layer 3 Features IP Capability IPV4 support 64 Manage...

Page 340: ... Security Static MAC address filtering Static MAC address forwarding MAC Freeze IEEE 802 1x port based authentication Limiting number of dynamic MAC addresses per port SSH v1 v2 SSL Intrusion Lock Multiple RADIUS servers Multiple TACACS servers 802 1X VLAN and bandwidth assignment IP source guard Static IP MAC binding DHCP snooping ARP Inspection Table 120 Feature Specifications continued Table 12...

Page 341: ...FC 3376 Internet Group Management Protocol Version 3 RFC 3414 User based Security Model USM for version 3 of the Simple Network Management Protocol SNMP v3 RFC 3580 RADIUS Tunnel Protocol Attribute IEEE 802 1ab Link Layer Discovery Protocol LLDP IEEE 802 1ag Connectivity Fault Management CFM IEEE 802 1x Port Based Network Access Control IEEE 802 1D MAC Bridges IEEE 802 1p Traffic Types Packet Prio...

Page 342: ...Chapter 41 Product Specifications MES 3528 User s Guide 342 ...

Page 343: ...343 PART VII Appendices and Index Changing a Fuse 345 Common Services 347 Legal Information 351 Index 355 ...

Page 344: ...344 ...

Page 345: ...use housing 3 A burnt out fuse is blackened darkened or cloudy inside its glass casing A working fuse has a completely clear glass casing Pull gently but firmly to remove the burnt out fuse from the fuse housing Dispose of the burnt out fuse properly Installing a Fuse 1 The Switch is shipped from the factory with one spare fuse included in a box like section of the fuse housing Push the middle par...

Page 346: ...Appendix A Changing a Fuse MES 3528 User s Guide 346 ...

Page 347: ... information about port numbers If the Protocol is TCP UDP or TCP UDP this is the IP port number If the Protocol is USER this is the IP protocol number Description This is a brief explanation of the applications that use this service or the situations in which this service is used Table 122 Commonly Used Services NAME PROTOCOL PORT S DESCRIPTION AH IPSEC_TUNNEL User Defined 51 The IPSEC AH Authent...

Page 348: ...This is a popular Internet chat program IGMP MULTICAST User Defined 2 Internet Group Multicast Protocol is used when sending packets to a specific group of hosts IKE UDP 500 The Internet Key Exchange algorithm is used for key distribution and management IRC TCP UDP 6667 This is another popular Internet chat program MSN Messenger TCP 1863 Microsoft Networks messenger service uses this protocol NEW ...

Page 349: ...ime Streaming media control Protocol RTSP is a remote control for multimedia on the Internet SFTP TCP 115 Simple File Transfer Protocol SMTP TCP 25 Simple Mail Transfer Protocol is the message exchange standard for the Internet SMTP enables you to move messages from one e mail server to another SNMP TCP UDP 161 Simple Network Management Program SNMP TRAPS TCP UDP 162 Traps for use with the SNMP RF...

Page 350: ...P networks Its primary function is to allow users to log into remote host systems TFTP UDP 69 Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP but uses the UDP User Datagram Protocol rather than TCP Transmission Control Protocol VDOLIVE TCP 7000 Another videoconferencing solution Table 122 Commonly Used Services continued NAME PROTOCOL PORT S DESCRIPTION ...

Page 351: ...ing out of the application or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL further reserves the right to make changes in any products described herein without notice This publication is subject to change without notice Trademarks ZyNOS ZyXEL Network Operating System is a registered trademark of ZyX...

Page 352: ...e in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense CE Mark Warning This is a class A product In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures Taiwanese BSMI Bureau of Standards Metrology and Inspection A Warning Noti...

Page 353: ...sist of a new or re manufactured functionally equivalent product of equal or higher value and will be solely at the discretion of ZyXEL This warranty shall not apply if the product has been modified misused tampered with damaged by an act of God or subjected to abnormal working conditions Note Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warra...

Page 354: ...Appendix C Legal Information MES 3528 User s Guide 354 ...

Page 355: ...d MAC filter 226 configuring 227 syslog messages 227 trusted ports 227 authentication 209 setup 215 Authentication Authorization and Accounting see AAA 209 authorization 209 privilege levels 216 setup 215 auto crossover 35 automatic VLAN registration 92 B back up configuration file 281 bandwidth control 143 338 egress rate 144 ingress rate 144 setup 144 basic settings 77 basic setup tutorial 61 bi...

Page 356: ...light saving time 79 default Ethernet settings 35 DHCP 267 configuration options 267 modes 267 Option 82 269 overview 267 relay agent 267 relay agent information 268 relay example 273 setup 271 VLAN setting 271 DHCP relay 268 configuration 269 example 270 DHCP relay option 82 225 DHCP snooping 61 223 224 configuring 225 DHCP relay option 82 225 trusted ports 224 untrusted ports 224 DHCP snooping d...

Page 357: ...igabit ports 34 GMT Greenwich Mean Time 79 GVRP 92 99 100 and port assignment 100 GVRP GARP VLAN Registration Protocol 92 H hardware installation 29 hardware overview 33 hello time 138 hops 138 HTTPS 299 certificates 299 implementation 299 public keys private keys 299 HTTPS example 300 humidity 335 I IEEE 802 1p priority 82 IEEE 802 1x activate 163 213 port authentication 161 reauthentication 164 ...

Page 358: ...fic distribution type 156 trunk group 151 Link Aggregation Control Protocol LACP 151 Link Aggregation Control Protocol see LACP 151 lockout 52 log 308 login 45 password 51 login account Administrator 295 non administrator 295 login accounts 295 configuring via web configurator 295 multiple 295 number of 295 login password 296 loop guard 249 examples 250 port shut down 251 setup 251 vs STP 249 M MA...

Page 359: ...iority 196 and IGMP 193 IGMP throttling 197 IP addresses 193 overview 193 setup 195 196 multicast group 199 multicast VLAN 205 Multiple Rapid Spanning Tree Protocol 123 Multiple RSTP 123 Multiple Spanning Tree Protocol See MSTP 121 124 Multiple STP 124 MVR 201 configuration 203 group configuration 205 network example 201 MVR Multicast VLAN Registration 201 N network applications 23 network managem...

Page 360: ...iority 105 un tagged packets 103 PVID 92 PVID Priority Frame 92 Q Q in Q see VLAN stacking 185 QoS 338 and classifier 169 queue weight 182 queuing 181 SPQ 182 WRR 182 queuing method 181 184 R rack mounting 29 RADIUS 209 210 advantages 210 and port authentication 210 and tunnel protocol attribute 219 Network example 210 server 210 settings 211 setup 211 Rapid Spanning Tree Protocol See RSTP 121 rea...

Page 361: ...t address 115 static multicast forwarding 115 static routes 261 static trunking example 158 Static VLAN 97 static VLAN control 98 tagging 98 status 46 72 link aggregation 153 MSTP 140 port 72 port details 73 STP 131 135 VLAN 95 STP 121 256 338 bridge ID 131 135 bridge priority 130 134 configuration 129 133 designated bridge 122 forwarding delay 130 134 Hello BPDU 122 Hello Time 130 131 134 136 how...

Page 362: ...ecific Attribute See VSA 218 ventilation 29 VID 95 96 187 number of possible VIDs 91 priority frame 91 VID VLAN Identifier 91 VLAN 80 338 acceptable frame type 100 automatic registration 92 ID 91 IGMP snooping 194 ingress filtering 99 introduction 80 91 number of VLANs 95 port number 96 port settings 99 port based VLAN 107 port based all connected 110 port based isolation 110 port based wizard 110...

Page 363: ...nty 353 note 353 web configurator 45 getting help 54 home 46 login 45 logout 53 navigation panel 48 weight queuing 182 Weighted Round Robin Scheduling WRR 182 WRR Weighted Round Robin Scheduling 182 Z ZyNOS ZyXEL Network Operating System 282 ...

Page 364: ...Index MES 3528 User s Guide 364 ...