T1500-28TC (TL-SL2428)/T1500-28PCT(TL-SL2428P) - TP-Link Manual



T1500-28tc(un)_v1_configuration Guide Manual Summary



T1500-28TC (TL-SL2428)/T1500-28PCT(TL-SL2428P) - Page 1

Configuration Guide T1500-28TC (TL-SL2428)/T1500-28PCT(TL-SL2428P) 1910012115 REV2.0.0 March 2017


FCC STATEMENT - Page 2

FCC STATEMENT This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which ..

Industry Canada Statement - Page 3

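Industry Canada Statement CAN ICES-3 (A)/NMB-3(A) NCC Notice Attention! In accordance with the Administrative Regulations on Low Power Radio Waves Radiated Devices: Article 12: For a low-power radio-frequency device that has passed type approval, no company, business or user may change the frequency, increase the power, or alter the characteristics or functions of the original design without permission. Article 14: The use of low-power radio-frequency devices must not affect aviation safety or interfere with legal communications; if interference is found, use must stop immediately and may resume only after the interference has been eliminated. The legal communications mentioned above are radio communications operated in accordance with telecommunications regulations. Low-power radio-frequency devices must tolerate legal commu..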

Safety Information - Page 4

This is a Class A information technology product. Use of this equipment in a domestic environment may cause radio interference, in which case the user may be required to take appropriate measures. VCCI-A
Safety Information
• When the product has a power button, the power button is one of the ways to shut off the product; when there is no power button, the only way to completely shut off power is to disconnect the product or the power adapter from the power source.
• Don’t disassemble the product, or make repairs yourself. You ru..

About This Guide - Page 5

CONTENTS
About This Guide
Intended Readers .... 1
Conventions .... 1
More Information .... 2
Accessing the Switch Ove..

Specifying the System IP - Page 6

Specifying the Device Description .... 29
Setting the System Time .... 30
Setting the Daylight Saving Time .... 33
Specifying the System IP ..

Managing Physical Interfaces - Page 7

Enabling the Telnet Function .... 68
Appendix: Default Parameters .... 69
Managing Physical Interfaces
Physical Interface .... 73
Overview ..

Configuring LAG - Page 8

Using the CLI .... 98
Appendix: Default Parameters .... 100
Configuring LAG
LAG .... 103
Overview ..

Configuring 802.1Q VLAN - Page 9

Adding MAC Filtering Address Entries .... 129
Viewing Address Table Entries .... 129
Using the CLI .... 130
Adding Static MAC Address Entries ..

Configuring Layer 2 Multicast - Page 10

Verifying the STP/RSTP Configurations .... 162
Using the CLI .... 163
Configuring STP/RSTP Parameters on Ports .... 163
Configuring Global STP/RSTP Parameters ..

- Page 11

(Optional) Configuring Report Message Suppression .... 219
Configuring Router Port Time and Member Port Time .... 219
Configuring IGMP Snooping Last Listener Query .... 219
Verifying IGMP Snooping Status .... 220
Configuring the Port’s Basic IGMP Snooping Features ..

- Page 12

Configuring Unknown Multicast .... 235
Configuring IGMP Snooping Parameters on the Port .... 236
Configuring Router Port Time and Member Port Time .... 236
Configuring Fast Leave .... 237
Configuring Max Gro..

Configuring QoS - Page 13

Using the CLI .... 265
Example for Configuring Unknown Multicast and Fast Leave .... 267
Network Requirement .... 267
Configuration Scheme ..

Configuring Voice VLAN - Page 14

Using the GUI .... 302
Using the CLI .... 302
Example for Configuring WRR Mode .... 303
Network Requirements ..

Configuring ACL - Page 15

Using the GUI .... 352
Creating a Time-Range .... 352
Configuring the Holiday Parameters .... 354
Viewing the Time-Range Table ..

Configuring Network Security - Page 16

Configuring Network Security
Network Security .... 393
Overview .... 393
Supported Features ..

- Page 17

Configuring 802.1X on Ports .... 429
Using the CLI .... 430
Configuring the RADIUS Server .... 430
Configuring 802.1X Globally ..

Configuring SNMP & RMON - Page 18

Configuring SNMP & RMON
SNMP Overview .... 483
SNMP Configurations .... 484
Using the GUI .... 485
Enabling SNMP ..

Configuring LLDP - Page 19

Using the CLI .... 523
Appendix: Default Parameters .... 529
Configuring LLDP
LLDP .... 534
Overview ..

Configuring Maintenance - Page 20

Network Requirements .... 565
Configuration Scheme .... 565
Network Topology .... 565
Using the GUI ..

- Page 21

Configuration Example for Remote Log .... 596
Network Requirements .... 596
Configuration Scheme .... 596
Using the GUI ..

In this Guide, the following conventions are used: - Page 22

Configuration Guide 1 About This Guide Intended Readers About This Guide This Configuration Guide provides information for managing T1600G Series Switches. Please read this guide carefully before operation. Intended Readers This Guide is intended for network managers familiar with IT concepts and network terminologies. Conventions Some models featured in this guide may be unavailable in your country or region. For local sales information, visit http://www.tp-link.com. When using this guide, please note that features of the switch may vary slightly depending on the model and software versi..

More Information - Page 23

Configuration Guide 2 About This Guide More Information
Normal Font: A constant (several options are enumerated and only one can be selected). For example: no bandwidth {all | ingress | egress}
{ }: Items in braces { } are required.
[ ]: Items in square brackets [ ] are optional.
|: Alternative items are grouped in braces and separated by vertical bars |. For example: speed {10 | 100 | 1000}
Italic Font: A variable (an actual value must be assigned). For example: bridge aging-time aging-time
Common combination {[ ][ ][ ]}: At least one item in the square brackets must be selected. For example: band..

Accessing the Switch - Page 24

Part 1 Accessing the Switch CHAPTERS 1. Overview 2. Web Interface Access 3. Command Line Interface Access


Overview - Page 25

Configuration Guide 4 Accessing the Switch Overview 1 Overview You can access and manage the switch using the GUI (Graphical User Interface, also called web interface in this text) or using the CLI (Command Line Interface). There are equivalent functions in the web interface and the command line interface, while web configuration is easier and more visual than the CLI configuration. You can choose the method according to your available applications and preference.


Enter the switch's IP address in the browser - Page 26

Accessing the Switch Web Interface Access Configuration Guide 5
2 Web Interface Access
You can access the switch’s web interface through the web-based authentication. The switch uses two built-in web servers, HTTP server and HTTPS server, for user authentication. The following example shows how to log in via the HTTP server.
2.1 Login
To manage your switch through a web browser in the host PC:
1) Make sure that the route between the host PC and the switch is available.
2) Launch a web browser. The supported web browsers include, but are not limited to, the following types:
• IE 8.0, 9.0,..

Web interface - Page 27

Configuration Guide 6 Accessing the Switch Web Interface Access Figure 2-3 Web interface 2.2 Save Config Function The switch’s configuration files fall into two types: the running configuration file and the start-up configuration file. After you perform configurations on the sub-interfaces and click Apply , the modifications will be saved in the running configuration file. The configurations will be lost when the switch reboots. If you need to keep the configurations after the switch reboots, please use the Save Config function on the main interface to save the configurations in the star..

Shut down HTTP server - Page 28

Accessing the Switch Web Interface Access Configuration Guide 7 2.3 Disable the Web Server You can shut down the HTTP server or HTTPS server to block any access to the web interface. Go to System > Access Security > HTTP Config , disable the HTTP server and click Apply . Figure 2-5 Shut down HTTP server Go to System > Access Security > HTTPS Config , disable the HTTPS server and click Apply . Figure 2-6 Disable the HTTPS Server 2.4 Configure the Switch's IP Address and Default Gateway The default IP address of the switch is 192.168.0.1, and the default gateway is 0.0.0.0. You ca..

Change the default IP address - Page 29

Configuration Guide 8 Accessing the Switch Web Interface Access Figure 2-7 Change the default IP address IP Address Mode Choose the IP address mode as Static IP. Management VLAN This is the only VLAN through which you can get access to the switch. By default, all the ports belong to VLAN 1, and VLAN 1 is the Management VLAN, so you can connect to the switch through VLAN 1. However, if another VLAN is created and set to be the Management VLAN, you may have to reconnect the management station to a port that is a member of the Management VLAN. IP Address Enter a new IP address. Make sure th..

Command Line Interface Access - Page 30

Accessing the Switch Command Line Interface Access Configuration Guide 9 3 Command Line Interface Access Users can access the switch's command line interface through the console (only for switches with a console port), Telnet or SSH connection, and manage the switch with the command lines. Console connection requires the host PC to connect to the switch’s console port directly, while Telnet and SSH connections support both local and remote access. The following table shows the typical applications used in the CLI access. Table 3-1 Method list Method Using Port Typical Applications Console Cons..

Figure 3-1 - Page 31

Configuration Guide 10 Accessing the Switch Command Line Interface Access Figure 3-1 CLI Main Window 4) Enter enable to enter the User EXEC Mode to further configure the switch. Figure 3-2 User EXEC Mode Note: In Windows XP, go to Start > All Programs > Accessories > Communications > Hyper Terminal to open the Hyper Terminal and configure the above settings to log in to the switch.


Open the cmd Window - Page 32

Accessing the Switch Command Line Interface Access Configuration Guide 11 3.2 Telnet Login The switch supports Login Local Mode for authentication by default. Login Local Mode: Username and password are required, which are both admin by default. The following steps show how to manage the switch via the Login Local Mode: 1) Make sure the switch and the PC are in the same LAN (Local Area Network). Click Start and type in cmd in the Search bar and press Enter . Figure 3-3 Open the cmd Window 2) Type in telnet 192.168.0.1 in the cmd window and press Enter . Figure 3-4 Log In to the Switch 3) Ty..

Password Authentication Mode - Page 33

Configuration Guide 12 Accessing the Switch Command Line Interface Access
Figure 3-6 Enter Privileged EXEC Mode
Now you can manage your switch with CLI commands through Telnet connection.
3.3 SSH Login
SSH login supports the following two modes: Password Authentication Mode and Key Authentication Mode. You can choose one according to your needs:
• Password Authentication Mode: Username and password are required, which are both admin by default.
• Key Authentication Mode (Recommended): A public key for the switch and a private key for the client software (PuTTY) are required. You can gen..

Key Authentication Mode - Page 34

Accessing the Switch Command Line Interface Access Configuration Guide 13 Figure 3-8 Configurations in PuTTY 2) Enter the login username and password to log in to the switch, and you can continue to configure the switch. Figure 3-9 Log In to the Switch Key Authentication Mode 1) Open the PuTTY Key Generator. In the Parameters section, select the key type and enter the key length. In the Actions section, click Generate to generate a public/private key pair. In the following figure, an SSH-2 RSA key pair is generated, and the length of each key is 1024 bits.


Generate a Public/Private Key Pair - Page 35

Configuration Guide 14 Accessing the Switch Command Line Interface Access Figure 3-10 Generate a Public/Private Key Pair Note: • The key length should be between 512 and 3072 bits. • You can accelerate the key generation process by moving the mouse quickly and randomly in the Key section. 2) After the keys are successfully generated, click Save public key to save the public key to a TFTP server; click Save private key to save the private key to the host PC. Figure 3-11 Save the Generated Keys


Download the Public Key to the Switch - Page 36

Accessing the Switch Command Line Interface Access Configuration Guide 15 3) On Hyper Terminal, download the public key file from the TFTP server to the switch as shown in the following figure: Figure 3-12 Download the Public Key to the Switch Note: • The key type should accord with the type of the key file. In the above CLI, v1 corresponds to SSH-1 (RSA), and v2 corresponds to SSH-2 RSA and SSH-2 DSA. • The key downloading process cannot be interrupted. 4) After the public key is downloaded, open PuTTY and go to the Session page. Enter the IP address of the switch and select SSH as the..

System > Access Security > Telnet Config - Page 37

Configuration Guide 16 Accessing the Switch Command Line Interface Access
Figure 3-14 Download the Private Key to PuTTY
6) After negotiation is completed, enter the username to log in. If you can log in without entering the password, the key authentication has completed successfully.
Figure 3-15 Log In to the Switch
3.4 Disable Telnet login
You can shut down the Telnet function to block any Telnet access to the CLI interface.
• Using the GUI: Go to System > Access Security > Telnet Config , disable the Telnet function and click Apply .
Figure 3-16 Disable Telnet login


System > Access Security > SSH Config - Page 38

Accessing the Switch Command Line Interface Access Configuration Guide 17
• Using the CLI:
Switch#configure
Switch(config)#telnet disable
3.5 Disable SSH login
You can shut down the SSH server to block any SSH access to the CLI interface.
• Using the GUI: Go to System > Access Security > SSH Config , disable the SSH server and click Apply .
Figure 3-17 Shut down SSH server
• Using the CLI:
Switch#configure
Switch(config)#no ip ssh server
3.6 Copy running-config startup-config
The switch’s configuration files fall into two types: the running configuration file and the start-up ..

3.7 - Page 39

Configuration Guide 18 Accessing the Switch Command Line Interface Access
3.7 Change the Switch's IP Address and Default Gateway
If you want to access the switch via a specified port (hereafter referred to as the access port), you can configure the port as a routed port and specify its IP address, or configure the IP address of the VLAN which the access port belongs to.
• Change the IP Address
By default, all the ports belong to VLAN 1 with the VLAN interface IP 192.168.0.1/24. In the following example, we will show how to replace the switch’s default access IP address 192.168.0.1/24 wi..

Managing System - Page 40

Part 2 Managing System CHAPTERS 1. System 2. System Info Configurations 3. User Management Configurations 4. System Tools Configurations 5. Access Security Configurations 6. Appendix: Default Parameters


System - Page 41

Configuration Guide 20 Managing System System 1 System 1.1 Overview The System module is mainly used to configure and view the system information of the switch. It provides controls over the type of the access users and the access security. 1.2 Supported Features System Info The System Info is mainly used for the basic properties configuration. You can view the switch’s port status and system information, and configure the device description, system time, and daylight saving time. User management User Management function is used to configure the user name and password for users to log int..

SSH Config - Page 42

Managing System System Configuration Guide 21 SSH Config function is based on the SSH protocol, a security protocol established on the application and transport layers. The SSH function is similar to a Telnet connection, but SSH can provide information security and powerful authentication.


2.1.1 Viewing the System Summary - Page 43

Configuration Guide 22 Managing System System Info Configurations
2 System Info Configurations
With system information configurations, you can:
• View the system summary
• Specify the device description
• Set the system time
• Set the daylight saving time
• Specify the system IP
2.1 Using the GUI
2.1.1 Viewing the System Summary
Choose the menu System > System Info > System Summary to load the following page.
Figure 2-1 Viewing the System Summary
Port Status Indication


Figure 2-2 - Page 44

Managing System System Info Configurations Configuration Guide 23 Indicates that the corresponding 100Mbps port is not connected to a device. Indicates that the corresponding 1000Mbps port is at the speed of 100Mbps. Indicates that the corresponding 1000Mbps port is not connected to a device. Indicates that the corresponding 1000Mbps port is at the speed of 1000Mbps. Indicates that the corresponding 1000Mbps port is at the speed of 10Mbps or 100Mbps. Indicates that the corresponding SFP port is not connected to a device. Indicates the SFP port is at the speed of 1000Mbps. Move the cursor to..

2.1.2 Specifying the Device Description - Page 45

Configuration Guide 24 Managing System System Info Configurations Figure 2-3 Bandwidth Utilization Rx Select Rx to view the bandwidth utilization of receiving packets on this port. Tx Select Tx to view the bandwidth utilization of sending packets on this port. 2.1.2 Specifying the Device Description Choose the menu System > System Info > Device Description to load the following page. Figure 2-4 Specifying the Device Description 1) In the Device Description section, specify the following information. Device Name Enter the name of the switch. Device Location Enter the location of the sw..

2.1.3 Setting the System Time - Page 46

Managing System System Info Configurations Configuration Guide 25 2.1.3 Setting the System Time Choose the menu System > System Info > System Time to load the following page. Figure 2-5 Setting the System Time In the Time Info section, view the current time information of the switch. Current System Time Displays the current date and time of the switch. Current Time Source Displays the current time source of the switch. In the Time Config section, follow these steps to configure the system time: 1) Choose one method to set the system time and specify the information. Manual Set the sys..

2.1.4 Setting the Daylight Saving Time - Page 47

Configuration Guide 26 Managing System System Info Configurations
Get Time from NTP Server: Set the system time by getting time from the NTP server. Make sure the NTP server is accessible on your network. If the NTP server is on the Internet, connect the switch to the Internet first.
Time Zone : Select your local time zone.
Primary Server : Enter the IP Address of the primary NTP server.
Secondary Server : Enter the IP Address of the secondary NTP server.
Update Rate : Specify the interval at which the switch fetches time from the NTP server, which ranges from 1 to 24 hours. The default value is 12 hours.
S..

2.1.5 Specifying the System IP - Page 48

Managing System System Info Configurations Configuration Guide 27
Predefined Mode: If you select Predefined Mode , choose a predefined DST schedule for the switch.
USA : Select the Daylight Saving Time of the USA. It is from 2:00 a.m. on the Second Sunday in March to 2:00 a.m. on the First Sunday in November.
Australia : Select the Daylight Saving Time of Australia. It is from 2:00 a.m. on the First Sunday in October to 3:00 a.m. on the First Sunday in April.
Europe : Select the Daylight Saving Time of Europe. It is from 1:00 a.m. on the Last Sunday in March to 1:00 a.m. on the Last Sunday..

2.2.1 Viewing the System Summary - Page 49

Configuration Guide 28 Managing System System Info Configurations
Figure 2-7 Configuring the system IP
1) In the IP Config section, specify the following information.
IP Address Mode: Select the mode to obtain IP address for the switch.
Static IP : Select to specify the IP address, subnet mask and default gateway manually.
DHCP : Select to let the switch obtain network parameters from the DHCP server.
BOOTP : Select to let the switch obtain network parameters from the BOOTP server.
Management VLAN: Enter the ID for management VLAN. Only members that belong to the management VLAN can access ..

2.2.2 Specifying the Device Description - Page 50

Managing System System Info Configurations Configuration Guide 29
The following example shows how to view the interface status and the system information of the switch.
Switch#show interface status
Port      Status       Speed  Duplex  FlowCtrl  Jumbo      Active-Medium
-------   -----------  -----  ------  --------  ---------  -------------
Fa1/0/1   LinkDown     N/A    N/A     N/A       Disable    Copper
Fa1/0/2   LinkDown     N/A    N/A     N/A       Disable    Copper
Fa1/0/3   LinkUp       100M   Full    Disable   Disable    Copper
...
Gi1/0/26  LinkDown     N/A    N/A     N/A       Disable    Copper
Gi1/0/27  LinkDown     N/A    N/A     N/A       Disable    Fiber
Gi1/0/28  LinkDown     N/A    N/A     N/A       Disable    Fiber
Switch..

2.2.3 Setting the System Time - Page 51

Configuration Guide 30 Managing System System Info Configurations
Step 3: location [ location ]
Specify the system location of the switch.
location : Enter the device location. It should consist of no more than 32 characters. By default, it is “SHENZHEN”.
Step 4: contact-info [ contact-info ]
Specify the system contact information.
contact-info : Enter the contact information. It should consist of no more than 32 characters. By default, it is “www.tp-link.com”.
Step 5: show system-info
Verify the system information including system Description, Device Name, Device Location, System Cont..

Ensure the NTP - Page 52

Managing System System Info Configurations Configuration Guide 31
Step 1: configure
Enter global configuration mode.
Step 2: Use the following command to set the system time manually:
system-time manual time
Configure the system time manually.
time : Specify the date and time manually in the format of MM/DD/YYYY-HH:MM:SS. The valid value of the year ranges from 2000 to 2037.
Use the following command to set the system time by getting time from the NTP server:
system-time ntp { timezone } { ntp-server } { backup-ntp-server } { fetching-rate }
Configure the time zone and the NTP server to get t..

ntp-server - Page 53

Configuration Guide 32 Managing System System Info Configurations
The detailed information of each time-zone is displayed as follows:
UTC-12:00 - TimeZone for International Date Line West.
UTC-11:00 - TimeZone for Coordinated Universal Time-11.
UTC-10:00 - TimeZone for Hawaii.
UTC-09:00 - TimeZone for Alaska.
UTC-08:00 - TimeZone for Pacific Time (US Canada).
UTC-07:00 - TimeZone for Mountain Time (US Canada).
UTC-06:00 - TimeZone for Central Time (US Canada).
UTC-05:00 - TimeZone for Eastern Time (US Canada).
UTC-04:30 - TimeZone for Caracas.
U..

2.2.4 Setting the Daylight Saving Time - Page 54

Managing System System Info Configurations Configuration Guide 33
Step 3: Use the following command to verify the system time information.
show system-time
Verify the system time information.
Use the following command to verify the NTP mode configuration information.
show system-time ntp
Verify the system time information of NTP mode.
Step 4: end
Return to privileged EXEC mode.
Step 5: copy running-config startup-config
Save the settings in the configuration file.
The following example shows how to set the system time by Get Time from NTP Server and set the time zone as UTC+08:00, set the NTP ..

- Page 55

Configuration Guide 34 Managing System System Info Configurations
Step 2: Use the following command to select a predefined Daylight Saving Time configuration:
system-time dst predefined [ USA | Australia | Europe | New-Zealand ]
Specify the Daylight Saving Time using a predefined schedule.
USA | Australia | Europe | New-Zealand: Select one mode of Daylight Saving Time.
USA : 02:00 a.m. on the Second Sunday in March ~ 02:00 a.m. on the First Sunday in November.
Australia : 02:00 a.m. on the First Sunday in October ~ 03:00 a.m. on the First Sunday in April.
Europe : 01:00 a.m. on the Last Sund..

Specifying the System IP - Page 56

smonth : Enter the start month of Daylight Saving Time. There are 12 values showing as follows: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec. sday : Enter the start day of Daylight Saving Time, which ranges from 1 to 31. stime : Enter the start time of Daylight Saving Time, in the format of HH:MM. syear : Enter the start year of Daylight Saving Time. emonth : Enter the end month of Daylight Saving Time. There are 12 values showing as follows: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec. eday : Ente..

Switch#configure - Page 57

Follow these steps and choose one method to specify the system IP: Step 1 configure Enter global configuration mode. Step 2 ip management-vlan vlan-id Specify the ID for management VLAN. Only members of the management VLAN can access the switch. vlan-id : Enter the ID for management VLAN. Step 3 interface vlan vlan-id Enter the Interface Configuration Mode of the management VLAN. vlan-id : Enter the IEEE 802.1Q VLAN ID of the management VLAN, ranging from 1 to 4094. Step 4 Use the following command to specify th..

Switch(config)#interface vlan - Page 58

Switch(config)#interface vlan 2
Switch(config-if)#ip address 192.168.0.12 255.255.255.0


User Management Configurations - Page 59

3 User Management Configurations With user management configurations, you can: • Create Admin accounts • Create accounts of other types 3.1 Using the GUI 3.1.1 Creating Admin Accounts Choose the menu System > User Management > User Config to load the following page. Figure 3-1 Create Admin Accounts Follow these steps to create an Admin account: 1) In the User Info section, select Admin from the drop-down list and specify the user name and password. User Name Create a user name for users' login. It contains 16 ch..

3.1.2 Creating Accounts of Other Types - Page 60

Managing System User Management Configurations Configuration Guide 39 Access Level Select the access level as Admin . Admin : Admin can edit, modify and view all the settings of different functions. Operator : Operator can edit, modify and view most of the settings of different functions. Power User : Power User can edit, modify and view some of the settings of different functions. User : User can only view the settings without the right to edit or modify. Password Type a password for users' login. It is a string from 1 to 31 alphanumeric characters or symbols. You can use digits, English l..

Configuring Network Security. - Page 61

User Name Create a user name for users' login. It contains 16 characters at most, composed of digits, English letters and underscores only. Access Level Select the access level as Operator , Power User or User . Admin : Admin can edit, modify and view all the settings of different functions. Operator : Operator can edit, modify and view most of the settings of different functions. Power User : Power User can edit, modify and view some of the settings of different functions. User : User can only view the settings without ..

Follow these steps to create an Admin account: - Page 62

Managing System User Management Configurations Configuration Guide 41 3.2 Using the CLI 3.2.1 Creating Admin Accounts Follow these steps to create an Admin account: Step 1 configure Enter global configuration mode. Step 2 Use the following command to create an account unencrypted or symmetric encrypted. user name name { privilege admin } password { [ 0 ] password | 7 encrypted-password } Create an account whose access level is Admin. name : Enter a user name for users’ login. It contains 16 characters at most, composed of digits, English letters and underscore only. admin : Select the acc..

3.2.2 Creating Accounts of Other Types - Page 63

Configuration Guide 42 Managing System User Management Configurations Step 3 show user account-list Verify the information of the current users. Step 4 end Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. 3.2.2 Creating Accounts of Other Types You can create accounts with the access level of Operator, Power user and User here. You also need to go to the AAA section to create an Enable Password for these accounts. The Enable Password is used to change the users’ access level to Admin. Follow these steps to create an acco..

- Page 64

Managing System User Management Configurations Configuration Guide 43 Step 2 Use the following command to create an account unencrypted or symmetric encrypted. user name name { privilege operator | power_user | user } password { [ 0 ] password | 7 encrypted-password } Create an account whose access level is Operator, Power User or User. name : Enter a user name for users’ login. It contains 16 characters at most, composed of digits, English letters and underscore only. operator | power_user | user : Select the access level for the user. Operator can edit, modify and view mostly the settin..

Configuring Network Security - Page 65

Configuration Guide 44 Managing System User Management Configurations Step 4 Use the following command to create an enable password unencrypted or symmetric encrypted. enable admin password { [ 0 ] password | 7 encrypted-password } Create an Enable Password. It can change the users’ access level to Admin. By default, it is empty. 0 : Specify the encryption type. 0 indicates that the password you entered is unencrypted, and the password is saved to the configuration file unencrypted. By default, the encryption type is 0. password : Enter an enable password. It is a string from 1 to 31 alph..

- Page 66

The following example shows how to create a user with the access level of Operator, set the user name as user1 and set the password as 123. It also enables the AAA function and sets the enable password as abc123.
Switch#configure
Switch(config)#user name user1 privilege operator password 123
Switch(config)#aaa enable
Switch(config)#enable admin password abc123
Switch(config)#show user account-list
Index User-Name User-Type
----- --------- ---------
1     user1     Operator
2     admin     Admin
Switch(config)#end
Switch#copy running-config startup-con..

Select one or more units to be configured. - Page 67

4 System Tools Configurations With system tools configurations, you can: • Configure the boot file • Restore the configuration of the switch • Back up the configuration file • Upgrade the firmware • Reboot the switch • Reset the switch 4.1 Using the GUI 4.1.1 Configuring the Boot File Choose the menu System > System Tools > Boot Config to load the following page. Figure 4-1 Configuring the Boot File Follow these steps to configure the boot file: 1) In the Boot Table section, select one or more units and con..

4.1.2 Restoring the Configuration of the Switch - Page 68

Managing System System Tools Configurations Configuration Guide 47 Unit Displays the number of the unit. Current Startup Image Displays the current startup image. Next Startup Image Select the next startup image. When the switch is powered on, it will try to start up with the next startup image. The next startup and backup image should not be the same. Backup Image Select the backup image. When the switch fails to start up with the next startup image, it will try to start up with the backup image. The next startup and backup image should not be the same. 2) Click Apply . 4.1.2 Restoring the..

4.1.3 Backing up the Configuration File - Page 69

Configuration Guide 48 Managing System System Tools Configurations 4.1.3 Backing up the Configuration File Choose the menu System > System Tools > Config Backup to load the following page. Figure 4-3 Backing up the Configuration File In the Config Backup section, select one unit and click Export to export the configuration file. 4.1.4 Upgrading the Firmware Choose the menu System > System Tools > Firmware Upgrade to load the following page. Figure 4-4 Upgrading the Firmware In the Firmware Upgrade section, select one file and click Upgrade to upgrade the system. Firmware File Se..

4.1.5 Rebooting the switch - Page 70

After upgrading, the device will reboot automatically with the backup image Select this option to reboot automatically with the backup image after upgrading. 4.1.5 Rebooting the switch Choose the menu System > System Tools > System Reboot to load the following page. Figure 4-5 Rebooting the switch In the System Reboot section, select the desired unit and click Reboot . Target Unit Select the desired unit to reboot. By default, it is ALL Unit. Save Config Select this option to save the configuration before the reboot. ..

4.2.1 Configuring the Boot File - Page 71

Configuration Guide 50 Managing System System Tools Configurations 4.2 Using the CLI 4.2.1 Configuring the Boot File Follow these steps to configure the boot file: Step 1 configure Enter global configuration mode. Step 2 boot application filename { image1 | image2 } { startup | backup } Specify the configuration of the boot file. By default, the image1.bin is the startup image and the image2.bin is the backup image. image1 | image2 : Select the image file to be configured. startup | backup : Select the property of the image file. Step 3 show boot Verify the boot configuration of the system...

4.2.3 Backing up the Configuration File - Page 72

Managing System System Tools Configurations Configuration Guide 51 Step 1 enable Enter privileged mode. Step 2 copy tftp startup-config ip-address ip-addr filename name Download the configuration file to the switch from TFTP server. ip-addr : Specify the IP address of the TFTP server. Both IPv4 and IPv6 addresses are supported. name : Specify the name of the configuration file to be downloaded. Note: • It will take a long time to restore the configuration. Please wait without any operation. • After the configuration is restored successfully, the device will reboot to make the configura-..

4.2.4 Upgrading the firmware - Page 73

Configuration Guide 52 Managing System System Tools Configurations 4.2.4 Upgrading the firmware Follow these steps to upgrade the firmware: Step 1 enable Enter privileged mode. Step 2 firmware upgrade ip-address ip-addr filename name Upgrade the switch’s backup image via TFTP server. To boot up with the new firmware, you need to choose to reboot the switch with the backup image. ip-addr : Specify the IP address of the TFTP server. Both IPv4 and IPv6 addresses are supported. name : Specify the name of the desired firmware file. Step 3 Enter Y to continue then enter Y to reboot. The followi..

Note: - Page 74

Managing System System Tools Configurations Configuration Guide 53 Note: After the system is reset, configurations of the switch will be reset to the default.


5.1.1 Configuring the Access Control Feature - Page 75

5 Access Security Configurations With access security configurations, you can: • Configure the Access Control feature • Configure the HTTP feature • Configure the HTTPS feature • Configure the SSH feature • Enable the telnet function 5.1 Using the GUI 5.1.1 Configuring the Access Control Feature Choose the menu System > Access Security > Access Control to load the following page. Figure 5-1 Configuring the Access Control 1) In the Access Control section, select one control mode and specify the parameters. ..

IP-based - Page 76

Managing System Access Security Configurations Configuration Guide 55 Access Interface Select the interface to control the methods for users’ accessing. The selected access interfaces will only affect the users you set before. SNMP : A function to manage the network devices via NMS. Telnet : A connection type for users to remote login. SSH : A connection type based on SSH protocol. HTTP : A connection type based on HTTP protocol. HTTPS : A connection type based on SSL protocol. Ping : A communication protocol to test the connection of the network. IP Address/ Mask If you select IP-based m..

5.1.2 Configuring the HTTP Function - Page 77

Configuration Guide 56 Managing System Access Security Configurations 5.1.2 Configuring the HTTP Function Choose the menu System > Access Security > HTTP Config to load the following page. Figure 5-2 Configuring the HTTP Function 1) In the Global Control section, Select Enable and click Apply to enable the HTTP function. HTTP HTTP function is based on the HTTP protocol. It allows users to manage the switch through a web browser. 2) In the Session Config section, specify the Session Timeout and click Apply . Session Timeout The system will log out automatically if users do nothing with..

5.1.3 Configuring the HTTPS Function - Page 78

Managing System Access Security Configurations Configuration Guide 57 5.1.3 Configuring the HTTPS Function Choose the menu System > Access Security > HTTPS Config to load the following page. Table 5-1 Configuring the HTTPS Function 1) In the Global Config section, select Enable to enable HTTPS function and select the protocol the switch supports. Click Apply . HTTPS Select Enable to enable the HTTPS function. HTTPS function is based on the SSL or TLS protocol. It provides a secure connection between the client and the switch.


, otherwise the HTTPS connection will not work. - Page 79

Configuration Guide 58 Managing System Access Security Configurations SSL Version 3 Select Enable to make the switch support SSL Version 3 protocol. SSL is a transport protocol. It can provide server authentication, encryption and message integrity to allow secure HTTP connection. TLS Version 1 Select Enable to make the switch support TLS Version 1 protocol. TLS is a transport protocol upgraded from SSL. It supports a different encryption algorithm from SSL, so TLS and SSL are not compatible. TLS can support a more secure connection. 2) In the CipherSuite Config section, select the algorith..

5.1.4 Configuring the SSH Feature - Page 80

Key File Select the desired Key to download to the switch. The key must be BASE64 encoded. The SSL certificate and key downloaded must match each other, otherwise the HTTPS connection will not work. 5.1.4 Configuring the SSH Feature Choose the menu System > Access Security > SSH Config to load the following page. Figure 5-3 Configuring the SSH Feature 1) In the Global Config section, select Enable to enable SSH function and specify other parameters. SSH Select Enable to enable the SSH function. SSH is a protocol wo..

5.1.5 Enabling the Telnet Function - Page 81

Configuration Guide 60 Managing System Access Security Configurations Max Connect Specify the maximum number of the connections to the SSH server. New connection will not be established when the number of the connections reaches the maximum number you set. 2) In the Encryption Algorithm section, select the encryption algorithm you want the switch to support and click Apply . 3) In Data Integrity Algorithm section, select the integrity algorithm you want the switch to support and click Apply . 4) In Key Download section, select key type from the drop-down list and select the desired key file..

Switch#configure - Page 82

Managing System Access Security Configurations Configuration Guide 61 Step 2 Use the following command to control the users’ access by limiting the IP address: user access-control ip-based { ip-addr ip-mask } [ snmp ] [ telnet ] [ ssh ] [ http ] [ https ] [ ping ] [ all ] Only the users within the IP-range you set here are allowed to access the switch. ip-addr : Specify the IP address of the user. ip-mask : Specify the subnet mask of the user. [ snmp ] [ telnet ] [ ssh ] [ http ] [ https ] [ ping ] [ all ] : Select to control the types for users’ accessing. By default, these types are a..

5.2.2 Configuring the HTTP Function - Page 83

Configuration Guide 62 Managing System Access Security Configurations User authentication mode: IP based Index IP Address Access Interface ----- ----------------- ------------------------------- 1 192.168.0.0/24 SNMP Telnet HTTP HTTPS Switch(config)#end Switch#copy running-config startup-config 5.2.2 Configuring the HTTP Function Follow these steps to configure the HTTP function: Step 1 configure Enter global configuration mode. Step 2 ip http server Enable the HTTP function. By default, it is enabled. Step 3 ip http session timeout minutes Specify the Session Timeout time. The system will ..

5.2.3 Configuring the HTTPS Function - Page 84

The following example shows how to set the session timeout as 9, set the maximum admin number as 6, and set the maximum guest number as 5.
Switch#configure
Switch(config)#ip http server
Switch(config)#ip http session timeout 9
Switch(config)#ip http max-user 6 5
Switch(config)#show ip http configuration
HTTP Status: Enabled
HTTP Session Timeout: 9
HTTP User Limitation: Enabled
HTTP Max Admin Users: 6
HTTP Max Guest Users: 5
Switch(config)#end
Switch#copy running-config startup-config
5.2.3 Configuring the HTTPS Function F..

- Page 85

Step 4 ip http secure-ciphersuite { [ 3des-ede-cbc-sha ] [ rc4-128-md5 ] [ rc4-128-sha ] [ des-cbc-sha ] } Enable the corresponding ciphersuite. By default, these types are all enabled. [ 3des-ede-cbc-sha ] : Key exchange with 3DES and DES-EDE3-CBC for message encryption and SHA for message digest. [ rc4-128-md5 ] : Key exchange with RC4 128-bit encryption and MD5 for message digest. [ rc4-128-sha ] : Key exchange with RC4 128-bit encryption and SHA for message digest. [ des-cbc-sha ] : Key exchange with DES-CBC for mess..

end - Page 86

Managing System Access Security Configurations Configuration Guide 65 Step 10 end Return to privileged EXEC mode. Step 11 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure the HTTPS function. Enable SSL3 and TLS1 protocol. Enable the ciphersuite of 3des-ede-cbc-sha. Set the session timeout time as 15, the admin number as 1 and the guest number as 2. Download the certificate named ca.crt and the key named ca.key from the TFTP server with the IP address 192.168.0.100. Switch#configure Switch(config)#ip http secure-serv..

Follow these steps to configure the SSH function: - Page 87

5.2.4 Configuring the SSH Feature Follow these steps to configure the SSH function: Step 1 configure Enter global configuration mode. Step 2 ip ssh server Enable the SSH function. By default, it is disabled. Step 3 ip ssh version { v1 | v2 } Configure to make the switch support the corresponding protocol. By default, the switch supports SSHv1 and SSHv2. v1 | v2 : Select to enable the corresponding protocol. Step 4 ip ssh timeout value Specify the idle timeout time. The system will automatically release the connection when..

Note: - Page 88

Managing System Access Security Configurations Configuration Guide 67 Step 9 end Return to privileged EXEC mode. Step 10 copy running-config startup-config Save the settings in the configuration file. Note: It will take a long time to download the key file. Please wait without any operation. The following example shows how to configure the SSH function. Set the version as SSH V1 and SSH V2. Enable the AES128-CBC and Cast128-CBC encryption algorithm. Enable the HMAC-MD5 data integrity algorithm. Choose the key type as SSH-2 RSA/DSA. Switch(config)#ip ssh server Switch(config)#ip ssh version ..

5.2.5 Enabling the Telnet Function - Page 89

Blowfish-CBC: Disabled
Cast128-CBC: Enabled
3DES-CBC: Disabled
Data Integrity Algorithm:
HMAC-SHA1: Disabled
HMAC-MD5: Enabled
Key Type: SSH-2 RSA/DSA
Key File:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: “dsa-key-20160711”
Switch(config)#end
Switch#copy running-config startup-config
5.2.5 Enabling the Telnet Function Follow these steps to enable the Telnet function: Step 1 configure Enter global configuration mode. Step 2 telnet enable Enable the telnet function. By default, it is enabled. Step 3 end Return to privileged E..

Appendix: Default Parameters - Page 90

Managing System Appendix: Default Parameters Configuration Guide 69 6 Appendix: Default Parameters Default settings of System Info are listed in the following tables. Table 6-1 Default Settings of Device Description Configuration Parameter Default Setting Device Name The model name of the switch. Device Location SHENZHEN System Contact www.tp-link.com Table 6-2 Default Settings of System Time Configuration Parameter Default Setting Time Source Manual System Time 2006-01-01 08:01:56 Sunday Table 6-3 Default Settings of Daylight Saving Time Configuration Parameter Default Setting DST status D..

- Page 91

Configuration Guide 70 Managing System Appendix: Default Parameters Default settings of Access Security are listed in the following tables. Table 6-6 Default Settings of Access Control Configuration Parameter Default Setting Control Mode Disabled Table 6-7 Default Settings of HTTP Configuration Parameter Default Setting HTTP Enabled Session Timeout 10 minutes Number Control Disabled Table 6-8 Default Settings of HTTPS Configuration Parameter Default Setting HTTPS Enabled SSL Version 3 Enabled TLS Version 1 Enabled RSA_WITH_RC4_128_MD5 Enabled RSA_WITH_RC4_128_SHA Enabled RSA_WITH_DES_CBC_SH..

Enabled - Page 92

Managing System Appendix: Default Parameters Configuration Guide 71 Parameter Default Setting HMAC-SHA1 Enabled HMAC-MD5 Enabled Key Type: SSH-2 RSA/DSA Table 6-10 Default Settings of Telnet Configuration Parameter Default Setting Control Mode Enabled
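An added example, not part of TP-Link's guide: a small Python check that scans switch commands for the weaker management settings documented in the User Management and Access Security chapters above (passwords stored unencrypted with type 0, Telnet, HTTP, SSH v1, and the RC4 and single-DES ciphersuites). It assumes the input uses the command syntax shown in the guide's own examples; the sample lines, the user name netops and the finding codes are constructed for illustration.

```python
import re

# Constructed sample, written in the command syntax the guide's examples use.
# The value after "7" is a placeholder, not a real encrypted password.
SAMPLE_CONFIG = """\
Switch(config)#user name user1 privilege operator password 123
user name netops privilege admin password 7 EXAMPLE-ENCRYPTED-VALUE
enable admin password 0 abc123
telnet enable
ip http server
ip ssh server
ip ssh version v1
ip ssh version v2
ip http secure-ciphersuite 3des-ede-cbc-sha rc4-128-md5
"""

# Optional CLI prompt such as "Switch#" or "Switch(config-if)#".
PROMPT = re.compile(r"^[A-Za-z0-9_-]+(?:\([a-z-]+\))?#\s*")
USER_CMD = re.compile(r"user name (\S+) privilege (\S+) password (.+)")
ENABLE_CMD = re.compile(r"enable admin password (.+)")
# Ciphersuite keywords from the guide that rely on RC4 or single DES.
WEAK_CIPHERSUITES = ("rc4-128-md5", "rc4-128-sha", "des-cbc-sha")


def password_storage(argument):
    """Classify the text after 'password' as 'encrypted' or 'plaintext'.

    Syntax from the guide: { [ 0 ] password | 7 encrypted-password }.
    Type 0 is the default, so a lone word (even the word "7") is a
    plaintext password; only "7 <value>" is stored encrypted.
    """
    words = argument.split()
    if len(words) == 2 and words[0] == "7":
        return "encrypted"
    return "plaintext"


def audit(config_text):
    """Return (line number, finding code, detail) tuples, in input order.

    Details name the account or setting only; password values are never
    copied into a finding.
    """
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = PROMPT.sub("", raw.strip())
        user = USER_CMD.fullmatch(line)
        enable = ENABLE_CMD.fullmatch(line)
        if user:
            if password_storage(user.group(3)) == "plaintext":
                detail = f"{user.group(1)} ({user.group(2)})"
                findings.append((lineno, "PLAINTEXT_PASSWORD", detail))
        elif enable:
            if password_storage(enable.group(1)) == "plaintext":
                findings.append((lineno, "PLAINTEXT_ENABLE_PASSWORD", "enable admin"))
        elif line == "telnet enable":
            findings.append((lineno, "TELNET_ENABLED", "unencrypted remote login"))
        elif line == "ip http server":
            findings.append((lineno, "HTTP_ENABLED", "unencrypted web management"))
        elif line == "ip ssh version v1":
            findings.append((lineno, "SSH_V1_ENABLED", "legacy SSH protocol version"))
        elif line.startswith("ip http secure-ciphersuite "):
            for suite in line.split()[3:]:
                if suite in WEAK_CIPHERSUITES:
                    findings.append((lineno, "WEAK_CIPHERSUITE", suite))
    return findings


if __name__ == "__main__":
    for lineno, code, detail in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {code}: {detail}")
```
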


Managing Physical - Page 93

Part 3 Managing Physical Interfaces CHAPTERS 1. Physical Interface 2. Basic Parameters Configurations 3. Port Mirror Configuration 4. Port Security Configuration 5. Port Isolation Configurations 6. Loopback Detection Configuration 7. Configuration Examples


Physical Interface - Page 94

1 Physical Interface 1.1 Overview Interfaces of a device are used to exchange data and interact with other network devices. Interfaces are classified into physical interfaces and logical interfaces. • Physical interfaces are the ports on the front panel or rear panel of the switch. • Logical interfaces are manually configured and do not physically exist, such as loopback interfaces and routing interfaces. This chapter introduces the configurations for physical interfaces. 1.2 Supported Features The switch supports th..

Switching > Port > Port Config - Page 95

Configuration Guide 74 Managing Physical Interfaces Basic Parameters Configurations 2 Basic Parameters Configurations 2.1 Using the GUI Choose the menu Switching > Port > Port Config to load the following page. Figure 2-1 Configuring Basic Parameters Follow these steps to set basic parameters for ports: 1) Set the jumbo frame value and click Apply . The default MTU (Maximum Transmission Unit) size for frames received and sent on all ports is 1518 bytes. A higher value means allowing the port to send jumbo frames. The valid values are from 1518 to 9216 bytes. 2) Select and configure yo..

Follow these steps to set basic parameters for the ports. - Page 96

Managing Physical Interfaces Basic Parameters Configurations Configuration Guide 75 Speed Select the appropriate speed mode for the port. When Auto is selected, the port autonegotiates speed mode with the connected device. The default setting is Auto . This value is recommended if both ends of the line support auto-negotiation. Duplex Select the appropriate duplex mode for the port. There are three options: Half , Full and Auto . When Auto is selected, the port autonegotiates duplex mode with the connected device. The default setting is Auto . Flow Control With this option enabled, the swit..

Switch#configure - Page 97

Configuration Guide 76 Managing Physical Interfaces Basic Parameters Configurations Step 3 Configure basic parameters for the port: description string Give a port description for identification. string : Content of a port description, ranging from 1 to 16 characters. shutdown no shutdown Use shutdown to disable the port, and use no shutdown to enable the port. When the status is enabled, the port can forward packets normally, otherwise it will discard the received packets. By default, all ports are enabled. speed { 10 | 100 | 1000 | auto } Set the appropriate speed mode for the port. 10 | 1..

- Page 98

Managing Physical Interfaces Basic Parameters Configurations Configuration Guide 77 Switch(config)#interface fastEthernet 1/0/1 Switch(config-if)#no shutdown Switch(config-if)#description router connection Switch(config-if)#speed auto Switch(config-if)#duplex auto Switch(config-if)#flow-control Switch(config-if)#show interface configuration fastEthernet 1/0/1 Port State Speed Duplex FlowCtrl Description -------- ----- -------- ------ -------- ----------- Fa1/0/1 Enable Auto Auto Enable router connection Switch(config-if)#end Switch#copy running-config startup-config The following example sh..

Switching > Port > Port Mirror - Page 99

Configuration Guide 78 Managing Physical Interfaces Port Mirror Configuration 3 Port Mirror Configuration 3.1 Using the GUI Choose the menu Switching > Port > Port Mirror to load the following page. Figure 3-1 Mirror Session List The above page displays a mirror session, and no more session can be created. Click Edit to configure this mirror session on the following page.


Configuring Port Mirror - Page 100

Managing Physical Interfaces Port Mirror Configuration Configuration Guide 79 Figure 3-2 Configuring Port Mirror Follow these steps to configure Port Mirror: 1) In the Destination Port section, specify a monitoring port for the mirror session, and click Apply . 2) In the Source Port section, select one or multiple monitored ports for configuration. Then set the parameters and click Apply . UNIT:1/LAGS Click 1 to select physical ports. Click LAGS to select LAGs. Ingress With this option enabled, the packets received by the monitored port will be copied to the monitoring port. By default, it ..

Note: - Page 101

Configuration Guide 80 Managing Physical Interfaces Port Mirror Configuration Note: • The member port of an LAG cannot be set as a monitoring port or monitored port. • A port cannot be set as the monitoring port and monitored port at the same time. 3.2 Using the CLI Follow these steps to configure Port Mirror. Step 1 configure Enter global configuration mode. Step 2 monitor session session_num destination interface { fastEthernet port | gigabitEthernet port } Enable the port mirror function and set the monitoring port. session_num : The monitor session number. It can only be specified a..

Switch(config)#end - Page 102

Destination Port: Fa1/0/10
Source Ports(Ingress): Fa1/0/1-3
Source Ports(Egress): Fa1/0/1-3
Switch(config)#end
Switch#copy running-config startup-config


Switching > Port > Port Security - Page 103

Configuration Guide 82 Managing Physical Interfaces Port Security Configuration 4 Port Security Configuration 4.1 Using the GUI Choose the menu Switching > Port > Port Security to load the following page. Figure 4-1 Port Security Follow these steps to configure Port Security: 1) Select one or multiple ports for security configuration. 2) Specify the maximum number of the MAC addresses that can be learned on the port, and then select the learn mode of the MAC addresses. Max Learned MAC Specify the maximum number of MAC addresses that can be learned on the port. When the learned MAC add..

Apply - Page 104

Managing Physical Interfaces Port Security Configuration Configuration Guide 83 Learn Mode Select the learn mode of the MAC addresses on the port. Three modes are provided: Dynamic : The switch will delete the MAC addresses that are not used or updated within the aging time. It is the default setting. Static : The learned MAC addresses are out of the influence of the aging time and can only be deleted manually. The learned entries will be cleared after the switch is rebooted. Permanent : The learned MAC addresses are out of the influence of the aging time and can only be deleted manually. T..

- Page 105

Configuration Guide 84 Managing Physical Interfaces Port Security Configuration Step 3 mac address-table max-mac-count { [max-number num ] [mode { dynamic | static | permanent } ] [ status { forward | drop | disable } ] } Enable the port security feature of the port and configure the related parameters. num : The maximum number of MAC addresses that can be learned on the port. The valid values are from 0 to 64. The default value is 64. mode : Learn mode of the MAC address. There are three modes: dynamic : The switch will delete the MAC addresses that are not used or updated within the aging..

Switching > Port > Port Isolation - Page 106

Managing Physical Interfaces Port Isolation Configurations Configuration Guide 85 5 Port Isolation Configurations 5.1 Using the GUI Choose the menu Switching > Port > Port Isolation to load the following page. Figure 5-1 Port Isolation List The above page displays the port isolation list. Click Edit to configure Port Isolation on the following page.


Port Isolation - Page 107

Configuration Guide 86 Managing Physical Interfaces Port Isolation Configurations Figure 5-2 Port Isolation Follow these steps to configure Port Isolation: 1) In the Port section, select one or multiple ports to be isolated. 2) In the Forward Portlist section, select the forward ports or LAGs which the isolated ports can only communicate with. It is multi-optional. 3) Click Apply . 5.2 Using the CLI Follow these steps to configure Port Isolation: Step 1 configure Enter global configuration mode. Step 2 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | ran..

end - Page 108

Managing Physical Interfaces Port Isolation Configurations Configuration Guide 87 Step 5 end Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to add ports 1/0/1-3 and LAG 4 to the forward list of port 1/0/5: Switch#configure Switch(config)#interface fastEthernet 1/0/5 Switch(config-if)#port isolation gi-forward-list 1/0/1-3 po-forward-list 4 Switch(config-if)#show port isolation interface fastEthernet 1/0/5 Port LAG Forward-List ---- --- ----------------------- Fa1/0/5 N/A Fa1/0/1-3,Po4 Swi..

Switching > Port > Loopback Detection - Page 109

Configuration Guide 88 Managing Physical Interfaces Loopback Detection Configuration 6 Loopback Detection Configuration 6.1 Using the GUI To avoid broadcast storm, we recommend that you enable storm control before loopback detection is enabled. For detailed introductions about storm control, refer to Configuring QoS . Choose the menu Switching > Port > Loopback Detection to load the following page. Figure 6-1 Loopback Detection Follow these steps to configure loopback detection: 1) In the Global Config section, enable loopback detection and configure the global parameters. Then click ..

Port Config - Page 110

Loopback Detection Status Enable loopback detection globally. Detection Interval Set the interval of sending loopback detection packets. The valid values are from 1 to 1000 seconds and the default value is 30 seconds. Automatic Recovery Time Set the recovery time globally, after which the blocked port in Auto Recovery mode can automatically recover to normal status. It should be an integral multiple of the detection interval. The valid values are from 1 to 100, and the default value is 3. Web Refresh Status With this..

: - Page 111

Configuration Guide 90 Managing Physical Interfaces Loopback Detection Configuration Step 2 loopback-detection Enable the loopback detection feature globally. By default, it is disabled. Step 3 loopback-detection interval interval-time Set the interval of sending loopback detection packets which is used to detect the loops in the network. interval-time : The interval of sending loopback detection packets. The valid values are from 1 to 1000 seconds. By default, the value is 30 seconds. Step 4 loopback-detection recovery-time recovery-time Set the recovery time, after which the blocked port ..

- Page 112

Managing Physical Interfaces Loopback Detection Configuration Configuration Guide 91 Switch#configure Switch(config)#loopback-detection Switch(config)#show loopback-detection global Loopback detection global status : enable Loopback detection interval : 30 s Loopback detection recovery time : 3 intervals Switch(config)#end Switch#copy running-config startup-config The following example shows how to enable loopback detection of port 1/0/3 and set the process mode as alert and recovery mode as auto: Switch#configure Switch(config)#interface fastEthernet 1/0/3 Switch(config-if)#loopback-detect..

Switching > Port > Port Mirror - Page 113

Configuration Guide 92 Managing Physical Interfaces Configuration Examples 7 Configuration Examples 7.1 Example for Port Mirror 7.1.1 Network Requirements As shown below, several hosts and a network analyzer are directly connected to the switch. For network security and troubleshooting, the network manager needs to use the network analyzer to monitor the data packets from the end hosts. Figure 7-1 Network Topology Switch Network Analyzer Hosts Fa1/0/2-5 Fa1/0/1 7.1.2 Configuration Scheme To implement this requirement, you can configure port mirror to copy the packets from ports 1/0/2-5 to p..

Mirror Session List - Page 114

Managing Physical Interfaces Configuration Examples Configuration Guide 93 Figure 7-2 Mirror Session List 2) Click Edit on the above page to load the following page. In the Destination Port section, select port 1/0/1 as the monitoring port and click Apply . Figure 7-3 Destination Port Configuration 3) In the Source Port section, select ports 1/0/2-5 as the monitored ports, and enable Ingress and Egress to allow the received and sent packets to be copied to the monitoring port. Then click Apply. Figure 7-4 Source Port Configuration


Verify the Configuration - Page 115

Configuration Guide 94 Managing Physical Interfaces Configuration Examples 4) Click Save Config to save the settings. 7.1.4 Using the CLI Switch#configure Switch(config)#monitor session 1 destination interface fastEthernet 1/0/1 Switch(config)#monitor session 1 source interface fastEthernet 1/0/2-5 both Switch(config)#end Switch#copy running-config startup-config Verify the Configuration Switch#show monitor session 1 Monitor Session: 1 Destination Port: Fa1/0/1 Source Ports(Ingress): Fa1/0/2-5 Source Ports(Egress): Fa1/0/2-5 7.2 Example for Port Isolation 7.2.1 Network Requirements As shown..

Switching > Port > Port Isolation - Page 116

Managing Physical Interfaces Configuration Examples Configuration Guide 95 7.2.2 Configuration Scheme You can configure port isolation to implement the requirement. Set 1/0/4 as the only forwarding port for port 1/0/1, thus forbidding Host A to forward packets to the other hosts. Demonstrated with T1500-28PCT, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. 7.2.3 Using the GUI 1) Choose the menu Switching > Port > Port Isolation to load the following page. It displays the port isolation list. Figure 7-6 Port Isolation List 2) Click ..

Port Isolation Configuration - Page 117

Configuration Guide 96 Managing Physical Interfaces Configuration Examples Figure 7-7 Port Isolation Configuration 3) Click Save Config to save the settings. 7.2.4 Using the CLI Switch#configure Switch(config)#interface fastEthernet 1/0/1 Switch(config-if)#port isolation gi-forward-list 1/0/4 Switch(config-if)#end Switch#copy running-config startup-config Verify the Configuration Switch#show port isolation interface Port LAG Forward-List ---- --- ------------ Fa1/0/1 N/A Fa1/0/4 Fa1/0/2 N/A Fa1/0/1-52,Po1-14 Fa1/0/3 N/A Fa1/0/1-52,Po1-14 ......


Switching > Port > Loopback Detection - Page 118

Managing Physical Interfaces Configuration Examples Configuration Guide 97 7.3 Example for Loopback Detection 7.3.1 Network Requirements As shown below, Switch A is a convergence-layer switch connecting several access-layer switches. Loops can be easily caused in case of misoperation on the access-layer switches. If there is a loop on an access-layer switch, broadcast storms will occur on Switch A or even in the entire network, creating excessive traffic and degrading the network performance. To reduce the impacts of broadcast storms, users need to detect loops in the network via Switch A..

Global Configuration - Page 119

Configuration Guide 98 Managing Physical Interfaces Configuration Examples Figure 7-9 Global Configuration 3) In the Port Config section, enable ports 1/0/1-3, select the operation mode as Port based so that the port will be blocked when a loop is detected, and keep the recovery mode as Auto so that the port will recover to normal status after the automatic recovery time. Click Apply . Figure 7-10 Port Configuration 4) Monitor the detection result on the above page. The Loop status and Block status are displayed on the right side of ports. 7.3.4 Using the CLI 1) Enable loopback detection gl..

Verify the Configuration - Page 120

Managing Physical Interfaces Configuration Examples Configuration Guide 99 2) Enable loopback detection on ports 1/0/1-3 and set the process mode and recovery mode. Switch(config)#interface fastEthernet 1/0/1 Switch(config-if)#loopback-detection Switch(config-if)#loopback-detection config process-mode port-based recovery-mode auto Switch(config-if)#exit Switch(config)#interface fastEthernet 1/0/2 Switch(config-if)#loopback-detection Switch(config-if)#loopback-detection config process-mode port-based recovery-mode auto Switch(config-if)#exit Switch(config)#interface fastEthernet 1/0/3 Switch..

Appendix: Default Parameters - Page 121

Configuration Guide 100 Managing Physical Interfaces Appendix: Default Parameters 8 Appendix: Default Parameters Default settings of Switching are listed in the following tables. Table 8-1 Configurations for Ports Parameter Default Setting Global Config Jumbo 1518 bytes Port Config Type Copper Status Enable Speed Auto Duplex Auto Flow Control Disable Port Mirror Ingress Disable Egress Disable Port Security Max Learned MAC 64 Learned Num 0 Learned Mode Dynamic Status Disable Loopback Detection Loopback Detection Status Disable Detection Interval 30 seconds Automatic Recovery Time 3 detection ..

Parameter - Page 122

Managing Physical Interfaces Appendix: Default Parameters Configuration Guide 101 Parameter Default Setting Web Refresh Interval 6 seconds Port Status Disable Operation mode Alert Recovery mode Auto


Configuring LAG - Page 123

Part 4 Configuring LAG CHAPTERS 1. LAG 2. LAG Configuration 3. Configuration Example 4. Appendix: Default Parameters


Static LAG - Page 124

Configuring LAG LAG Configuration Guide 103 1 LAG 1.1 Overview With LAG (Link Aggregation Group) function, you can aggregate multiple physical ports into a logical interface to increase link bandwidth and configure the backup ports to enhance the connection reliability. 1.2 Supported Features You can configure LAG in two ways: static LAG and LACP (Link Aggregation Control Protocol). Static LAG The member ports are manually added to the LAG. LACP The switch uses LACP to implement dynamic link aggregation and disaggregation by exchanging LACP packets with its partner. LACP extends the flexibi..

Configuration Guidelines - Page 125

Configuration Guide 104 Configuring LAG LAG Configuration 2 LAG Configuration To complete LAG configuration, follow these steps: 1) Configure the global load-balancing algorithm. 2) Configure Static LAG or LACP. Configuration Guidelines • Ensure that both ends of the aggregation link work in the same LAG mode. For example, if the local end works in LACP mode, the peer end should be set as LACP mode. • Ensure the LAGs of the devices on both sides have the same number of member ports. • Ensure that both ends of a link have the same port parameter configurations, including Speed, Duplex, ..

2.1.1 Configuring Load-balancing Algorithm - Page 126

Configuring LAG LAG Configuration Configuration Guide 105 2.1 Using the GUI 2.1.1 Configuring Load-balancing Algorithm Choose the menu Switching > LAG > LAG Table to load the following page. Figure 2-1 Global Config In the Global Config section, select the load-balancing algorithm. Click Apply . Hash Algorithm Select the Hash Algorithm, based on which the switch can choose the port to send the received packets. In this way, different data flows are forwarded on different physical links to implement load balancing. There are six options: SRC MAC : The computation is based on the source..

2.1.2 Configuring Static LAG or LACP - Page 127

Configuration Guide 106 Configuring LAG LAG Configuration Figure 2-2 Hash Algorithm Configuration Switch A Switch B Hosts Server 2.1.2 Configuring Static LAG or LACP For one port, you can choose only one LAG mode: Static LAG or LACP. And make sure both ends of a link use the same LAG mode. • Configuring Static LAG Choose the menu Switching > LAG > Static LAG to load the following page. Figure 2-3 Static LAG Follow these steps to configure the static LAG: 1) In the LAG Config section, select an LAG for configuration. Group Number Select an LAG for static LAG configuration. Descriptio..

Switching > LAG > LACP - Page 128

Configuring LAG LAG Configuration Configuration Guide 107 • Configuring LACP Choose the menu Switching > LAG > LACP to load the following page. Figure 2-4 LACP Config Follow these steps to configure LACP: 1) Specify the system priority for the switch and click Apply . System Priority Specify the system priority for the switch. A smaller value means a higher priority. To keep active ports consistent at both ends, you can set the priority of one device to be higher than that of the other device. The device with higher priority will determine its active ports, and the other device can ..

2.2.1 Configuring Load-balancing Algorithm - Page 129

Configuration Guide 108 Configuring LAG LAG Configuration Port Priority (0-65535) Specify the Port Priority. A smaller value means a higher port priority. The port with higher priority in an LAG will be selected as the active port to forward data. If two ports have the same priority value, the port with a smaller port number has the higher priority. Mode Select the LACP mode for the port. In LACP, the switch uses LACPDU (Link Aggregation Control Protocol Data Unit) to negotiate the parameters with the peer end. In this way, the two ends select active ports and form the aggregation link. The..

2.2.2 Configuring Static LAG or LACP - Page 130

Configuring LAG LAG Configuration Configuration Guide 109 Step 3 show etherchannel load-balance Verify the configuration of load-balancing algorithm. Step 4 end Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set the global load-balancing mode as src-dst-mac: Switch#configure Switch(config)#port-channel load-balance src-dst-mac Switch(config)#show etherchannel load-balance EtherChannel Load-Balancing Configuration: src-dst-mac EtherChannel Load-Balancing Addresses Used Per-Protocol: Non..

Configuring LACP - Page 131

Configuration Guide 110 Configuring LAG LAG Configuration Step 4 show ether-channel num summary Verify the configuration of the static LAG. num : The group number of the LAG. Step 5 end Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to add ports 1/0/5-8 to LAG 2 and set the mode as static LAG: Switch#configure Switch(config)#interface range fastEthernet 1/0/5-8 Switch(config-if-range)#channel-group 2 mode on Switch(config-if-range)#show etherchannel 2 summary Flags: D - down P - bundled in..

- Page 132

Configuring LAG LAG Configuration Configuration Guide 111 Step 2 lacp system-priority pri Specify the system priority for the switch. To keep active ports consistent at both ends, you can set the priority of one device to be higher than that of the other device. The device with higher priority will determine its active ports, and the other device can select its active ports according to the selection result of the device with higher priority. If the two ends have the same system priority value, the end with a smaller MAC address has the higher priority. pri: System priority. The valid value..

- Page 133

Configuration Guide 112 Configuring LAG LAG Configuration The following example shows how to specify the system priority of the switch as 2: Switch#configure Switch(config)#lacp system-priority 2 Switch(config)#show lacp sys-id 2, 000a.eb13.2397 Switch(config)#end Switch#copy running-config startup-config The following example shows how to add ports 1/0/1-4 to LAG 6, set the mode as LACP, and select the LACPDU sending mode as active: Switch#configure Switch(config)#interface range fastEthernet 1/0/1-4 Switch(config-if-range)#channel-group 6 mode active Switch(config-if-range)#show lacp inte..

Configuration Example - Page 134

Configuring LAG Configuration Example Configuration Guide 113 3 Configuration Example 3.1 Network Requirements As shown below, users and servers are connected to Switch A and Switch B, and heavy traffic is transmitted between the two switches. To achieve high speed and reliability of data transmission, users need to improve the bandwidth and redundancy of the link between the two switches. 3.2 Configuration Scheme LAG function can bundle multiple physical ports into one logical interface to increase bandwidth and improve reliability. In this case, we take LACP as an example. As shown below,..

Global Configuration - Page 135

Configuration Guide 114 Configuring LAG Configuration Example 3.3 Using the GUI The configurations of Switch A and Switch B are similar. The following introductions take Switch A as an example. 1) Choose the menu Switching > LAG > LAG Table to load the following page. Select the hash algorithm as ‘SRC MAC+DST MAC’. Figure 3-2 Global Configuration 2) Choose the menu Switching > LAG > LACP Config to load the following page. In the Global Config section, specify the system priority of Switch A as 0 and click Apply . Remember to ensure that the system priority value of Switch B ..

Verify the Configuration - Page 136

Configuring LAG Configuration Example Configuration Guide 115 4) Click Save Config to save the settings. 3.4 Using the CLI The configurations of Switch A and Switch B are similar. The following introductions take Switch A as an example. 1) Configure the load-balancing algorithm as “src-dst-mac”. Switch#configure Switch(config)#port-channel load-balance src-dst-mac 2) Specify the system priority of Switch A as 0. Remember to ensure that the system priority value of Switch B is bigger than 0. Switch(config)#lacp system-priority 0 3) Add ports 1/0/1-8 to LAG 1 and set the mode as LACP. The..

- Page 137

Configuration Guide 116 Configuring LAG Configuration Example
Flags: S - Device is requesting Slow LACPDUs F - Device is requesting Fast LACPDUs A - Device is in active mode P - Device is in passive mode
Channel group 1
Port     Flags  State  LACP Port Priority  Admin Key  Oper Key  Port Number  Port State
Fa1/0/1  SA     Down   0                   0x1        0         0x1          0x45
Fa1/0/2  SA     Down   0                   0x1        0         0x2          0x45
Fa1/0/3  SA     Down   0                   0x1        0         0x3          0x45
Fa1/0/4  SA     Down   0                   0x1        0         0x4          0x45
Fa1/0/5  SA     Down   0                   0x1        0         0x5          0x45
Fa1/0/6  SA     Down   0                   0x1        0         0x6          0x45
Fa1/0/7  SA     Down   0                   0x1        0         0x7          0x45
Fa1/0/8  SA     Down   0                   0x1        0         0x8          0x45
Fa1/0/9  SA     Down   1                   0x1        0         0x9          0x45

Appendix: Default Parameters - Page 138

Configuring LAG Appendix: Default Parameters Configuration Guide 117 4 Appendix: Default Parameters Default settings of Switching are listed in the following tables. Table 4-1 Default Settings of LAG Parameter Default Setting LAG Table Hash Algorithm SRC MAC+DST MAC LACP Config System Priority 32768 Admin Key 0 Port Priority 32768 Mode Passive Status Disable


Monitoring Traffic - Page 139

Part 5 Monitoring Traffic CHAPTERS 1. Traffic Monitor 2. Appendix: Default Parameters


1.1.1 Viewing the Traffic Summary - Page 140

Monitoring Traffic Traffic Monitor Configuration Guide 119 1 Traffic Monitor With Traffic Monitor function, you can monitor the traffic on the switch, including: • Traffic Summary • Traffic Statistics in Detail 1.1 Using the GUI 1.1.1 Viewing the Traffic Summary Choose the menu Switching > Traffic Monitor > Traffic Summary to load the following page. Figure 1-1 Traffic Summary Follow these steps to view the traffic summary of each port: 1) To get the real-time traffic summary, enable auto refresh in the Auto Refresh section, or click Refresh at the bottom of the page. Auto Refresh..

Switching > Traffic Monitor > Traffic Statistics - Page 141

Configuration Guide 120 Monitoring Traffic Traffic Monitor Packets Rx: Displays the number of packets received on the port. Error packets are not counted in. Packets Tx: Displays the number of packets transmitted on the port. Error packets are not counted in. Octets Rx: Displays the number of octets received on the port. Error octets are counted in. Octets Tx: Displays the number of octets transmitted on the port. Error octets are counted in. Statistics: Click this button to view the detailed traffic statistics of the port. 1.1.2 Viewing the Traffic Statistics in Detail Choose the menu Swit..

Refresh Rate: - Page 142

Monitoring Traffic Traffic Monitor Configuration Guide 121 Refresh Rate: Specify the refresh interval in seconds. 2) In Port Select , select a port or LAG, and click Select . 3) In the Statistics section, view the detailed information of the selected port or LAG. Received: Displays the detailed information of received packets. Broadcast: Displays the number of valid broadcast packets received on the port. Error frames are not counted in. Multicast: Displays the number of valid multicast packets received on the port. Error frames are not counted in. Unicast: Displays the number of valid unic..

1.2 - Page 143

Configuration Guide 122 Monitoring Traffic Traffic Monitor 1.2 Using the CLI In privileged EXEC mode or any other configuration mode, you can use the following command to view the traffic information of each port or LAG: show interface counters [ fastEthernet port | gigabitEthernet port | port-channel port-channel-id ] port : The port number. port-channel-id : The group number of the LAG. If you enter no port number or group number, the information of all ports and LAGs will be displayed. The displayed information includes: Broadcast: Displays the number of valid broadcast packets received..

Appendix: Default Parameters - Page 144

Monitoring Traffic Appendix: Default Parameters Configuration Guide 123 2 Appendix: Default Parameters Table 2-1 Traffic Statistics Monitoring Parameter Default Setting Traffic Summary Auto Refresh Disable Refresh Rate 10 seconds Traffic Statistics Auto Refresh Disable Refresh Rate 10 seconds


Managing MAC - Page 145

Part 6 Managing MAC Address Table CHAPTERS 1. MAC Address Table 2. Address Configurations 3. Appendix: Default Parameters


MAC Address Table - Page 146

Managing MAC Address Table MAC Address Table Configuration Guide 125 1 MAC Address Table 1.1 Overview The MAC address table contains address information that the switch uses to forward traffic between ports. As shown below, the table lists map entries of MAC addresses, VLAN IDs and ports. These entries can be manually input or automatically learned by the switch. Based on the MAC-address-to-port mapping in the table, the switch forwards the packet only to the associated port. Table 1-1 The MAC Address Table MAC Address VLAN ID Port Type Aging Status 00:00:00:00:00:01 1 1 Dynamic Aging 00:00..

Switching > MAC Address > Static Address - Page 147

Configuration Guide 126 Managing MAC Address Table Address Configurations 2 Address Configurations With MAC address table, you can: • Add static MAC address entries • Change the address aging time • Add filtering address entries • View address table entries 2.1 Using the GUI 2.1.1 Adding Static MAC Address Entries You can add static MAC address entries by manually specifying the desired MAC address or binding dynamic MAC address entries. • Adding MAC Addresses Manually Choose the menu Switching > MAC Address > Static Address to load the following page. Figure 2-1 Adding MAC ..

Binding Dynamic MAC Address Entries - Page 148

Managing MAC Address Table Address Configurations Configuration Guide 127 Follow these steps to add a static MAC address entry: 1) Enter the MAC address, VLAN ID and select a port to bind them together. VLAN ID Specify an existing VLAN in which packets with the specific MAC address are received. Port Specify a port to which packets with the specific MAC address are forwarded. The port must belong to the specified VLAN. After you have added the static MAC address, if the corresponding port number of the MAC address is not correct, or the connected port (or the device) has been changed, the s..

2.1.2 Modifying the Aging Time of Dynamic Address Entries - Page 149

Configuration Guide 128 Managing MAC Address Table Address Configurations 2.1.2 Modifying the Aging Time of Dynamic Address Entries Choose the menu Switching > MAC Address > Dynamic Address to load the following page. Figure 2-3 Modifying the Aging Time of Dynamic Address Entries Follow these steps to modify the aging time of dynamic address entries: 1) In the Aging Config section, enable Auto Aging, and enter your desired length of time. Auto Aging Enable Auto Aging, then the switch automatically updates the dynamic address table with the aging mechanism. By default, it is enabled. A..

Switching > MAC Address > Filtering Address - Page 150

Managing MAC Address Table Address Configurations Configuration Guide 129 2.1.3 Adding MAC Filtering Address Entries Choose the menu Switching > MAC Address > Filtering Address to load the following page. Figure 2-4 Adding MAC Filtering Address Entries Follow these steps to add MAC filtering address entries: 1) In the Create Filtering Address section, enter the MAC Address and VLAN ID. MAC Address Specify a MAC address to configure the switch to drop packets which include this MAC address as the source address or destination address. VLAN ID Specify an existing VLAN in which packets w..

Switching > MAC Address > Address Table - Page 151

Configuration Guide 130 Managing MAC Address Table Address Configurations Choose the menu Switching > MAC Address > Address Table to load the following page. Figure 2-5 Viewing Address Table Entries 2.2 Using the CLI 2.2.1 Adding Static MAC Address Entries Follow these steps to add static MAC address entries: Step 1 configure Enter global configuration mode. Step 2 mac address-table static mac-addr vid vid interface { fastEthernet port | gigabitEthernet port } Bind the MAC address, VLAN and port together to add a static address to the VLAN. mac-addr : Enter the MAC address and packets..

2.2.2 Modifying the Aging Time of Dynamic Address Entries - Page 152

Managing MAC Address Table Address Configurations Configuration Guide 131 Step 3 end Return to privileged EXEC mode. Step 4 copy running-config startup-config Save the settings in the configuration file. Note: • In the same VLAN, once an address is configured as a static address, it cannot be set as a filtering address, and vice versa. • Multicast or broadcast addresses cannot be set as static addresses. • Ports in LAGs (Link Aggregation Group) are not supported for static address configuration. The following example shows how to add a static MAC address entry with MAC address 00:02..

2.2.3 Adding MAC Filtering Address Entries - Page 153

Configuration Guide 132 Managing MAC Address Table Address Configurations Step 2 mac address-table aging-time aging-time Set your desired length of address aging time for dynamic address entries. aging-time: Set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated. The valid values are from 10 to 630. When 0 is entered, the Auto Aging function is disabled. The default value is 300 and we recommend you keep the default value if you are unsure about settings in your case. Step 3 end Return to privileged EXEC mode. Step 4 copy running-confi..

Note: - Page 154

Managing MAC Address Table Address Configurations Configuration Guide 133 Note: • In the same VLAN, once an address is configured as a filtering address, it cannot be set as a static address, and vice versa. • Multicast or broadcast addresses cannot be set as filtering addresses . The following example shows how to add the MAC filtering address 00:1e:4b:04:01:5d to VLAN 10. Then the switch will drop the packet that is received in VLAN 10 with this address as its source or destination. Switch#configure Switch(config)# mac address-table filtering 00:1e:4b:04:01:5d vid 10 Switch(config)#sh..

Appendix: Default Parameters - Page 155

Configuration Guide 134 Managing MAC Address Table Appendix: Default Parameters 3 Appendix: Default Parameters Default settings of the MAC Address Table are listed in the following tables. Table 3-1 Entries in the MAC Address Table Parameter Default Setting Static Address Entries None Dynamic Address Entries Auto-learning Filtering Address Entries None Table 3-2 Default Settings of Dynamic Address Table Parameter Default Setting Auto Aging Enable Aging Time 300 seconds


Configuring - Page 156

Part 7 Configuring 802.1Q VLAN CHAPTERS 1. Overview 2. 802.1Q VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters


Overview - Page 157

Configuration Guide 136 Configuring 802.1Q VLAN Overview 1 Overview VLAN (Virtual Local Area Network) is a network technique that solves broadcasting issues in local area networks. It is usually applied in the following occasions: • To restrict broadcast domain: VLAN technique divides a big local area network into several VLANs, and all VLAN traffic remains within its VLAN. It reduces the influence of broadcast traffic in Layer 2 network to the whole network. • To enhance network security: Devices from different VLANs cannot achieve Layer 2 communication, and thus users can group and is..

2.1.1 Configuring the PVID of the Port - Page 158

Configuring 802.1Q VLAN 802.1Q VLAN Configuration Configuration Guide 137 2 802.1Q VLAN Configuration To complete 802.1Q VLAN configuration, follow these steps: 1) Configure PVID (Port VLAN ID) of the port; 2) Configure the VLAN, including creating a VLAN and adding the configured port to the VLAN. 2.1 Using the GUI 2.1.1 Configuring the PVID of the Port Choose the menu VLAN > 802.1Q VLAN > Port Config to load the following page. Figure 2-1 Configuring the Port Select a port and configure its PVID. Click Apply .


VLAN > 802.1Q VLAN > VLAN Config - Page 159

Configuration Guide 138 Configuring 802.1Q VLAN 802.1Q VLAN Configuration PVID The default VLAN ID of the port with the values between 1 and 4094. It is used mainly in the following two ways: • When the port receives a tagged packet, the switch inserts a VLAN tag to the packet based on the PVID. • When the port receives a UL packet or a broadcast packet, the switch broadcasts the packet within the default VLAN. LAG Displays the LAG (Link Aggregation Group) which the port belongs to. VLAN Check details of the VLAN which the port is in. 2.1.2 Configuring the VLAN Choose the menu VLAN >..

2.2.1 Creating a VLAN - Page 160

Configuring 802.1Q VLAN 802.1Q VLAN Configuration Configuration Guide 139 Tagged port The selected ports will forward tagged packets in the target VLAN. 3) Click Apply . 2.2 Using the CLI 2.2.1 Creating a VLAN Follow these steps to create a VLAN: Step 1 configure Enter global configuration mode. Step 2 vlan vlan-list When you enter a new VLAN ID, the switch creates a new VLAN and enters VLAN configuration mode; when you enter an existing VLAN ID, the switch directly enters VLAN configuration mode. vlan-list : Specify the ID or the ID list of the VLAN(s) for configuration. The valid values a..

2.2.2 Configuring the PVID of the Port - Page 161

Configuration Guide 140 Configuring 802.1Q VLAN 802.1Q VLAN Configuration VLAN Name Status Ports ------- -------- --------- --------- 2 RD active Switch(config-vlan)#end Switch#copy running-config startup-config 2.2.2 Configuring the PVID of the Port Follow these steps to configure the port: Step 1 configure Enter global configuration mode. Step 2 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list } Enter interface configuration mode. port| port-list : The number or the list of the Ethernet port that you want to configure. S..

2.2.3 Adding the Port to the Specified VLAN - Page 162

Configuring 802.1Q VLAN 802.1Q VLAN Configuration Configuration Guide 141 Switch(config-if)#end Switch#copy running-config startup-config 2.2.3 Adding the Port to the Specified VLAN Follow these steps to add the port to the specified VLAN: Step 1 configure Enter global configuration mode. Step 2 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list } Enter interface configuration mode. port| port-list : The number or the list of the Ethernet port that you want to configure. Step 3 switchport general allowed vlan vlan-list { tag..

Switch(config-if)#end - Page 163

Configuration Guide 142 Configuring 802.1Q VLAN 802.1Q VLAN Configuration Vlan Name Egress-rule ------- ------------------ --------------- 1 System-VLAN Untagged 2 rd Tagged Switch(config-if)#end Switch#copy running-config startup-config


Configuration Example - Page 164

Configuring 802.1Q VLAN Configuration Example Configuration Guide 143 3 Configuration Example 3.1 Network Requirements • Offices of both Department A and Department B in the company are located in different places, and computers in different offices are connected to different switches. • It is required that computers can communicate with each other in the same department but not with computers in the other department. 3.2 Configuration Scheme • Divide computers in Department A and Department B into two VLANs respectively so that computers can communicate with each other in the same de..

VLAN > 802.1Q VLAN > VLAN Config - Page 165

Configuration Guide 144 Configuring 802.1Q VLAN Configuration Example 3.3 Network Topology The figure below shows the network topology. Host A1 and Host A2 are used in Department A, while Host B1 and Host B2 are used in Department B. Switch 1 and Switch 2 are located in two different places. Host A1 and Host B1 are connected to port 1/0/2 and port 1/0/3 on Switch 1 respectively, while Host A2 and Host B2 are connected to port 1/0/6 and port 1/0/7 on Switch 2 respectively. Port 1/0/4 on Switch 1 is connected to port 1/0/8 on Switch 2. Figure 3-1 Network Topology VLAN 10 VLAN 20 Host A1 Host ..

Create VLAN 10 for Department A - Page 166

Configuring 802.1Q VLAN Configuration Example Configuration Guide 145 Figure 3-2 Create VLAN 10 for Department A 2) Click Create again to load the following page. Create VLAN 20 with the description of Department-B. Add port 1/0/2 as an untagged port and port 1/0/4 as a tagged port to VLAN 20. Then click Apply . Figure 3-3 Create VLAN 20 for Department B 3) Click Save Config to save the settings.


Verify the Configurations - Page 167

Configuration Guide 146 Configuring 802.1Q VLAN Configuration Example 3.5 Using the CLI The configurations of Switch 1 and Switch 2 are similar. The following introductions take Switch 1 as an example. 1) Create VLAN 10 for Department A, and configure the description as Department-A. Similarly, create VLAN 20 for Department B, and configure the description as Department-B. Switch_1#configure Switch_1(config)#vlan 10 Switch_1(config-vlan)#name Department-A Switch_1(config-vlan)#exit Switch_1(config)#vlan 20 Switch_1(config-vlan)#name Department-B Switch_1(config-vlan)#exit 2) Set the port mo..

- Page 168

Fa1/0/5, Fa1/0/6, Fa1/0/7, Fa1/0/8, ...
10 Department-A active Fa1/0/2, Fa1/0/4
20 Department-B active Fa1/0/3, Fa1/0/4

Appendix: Default Parameters - Page 169

4 Appendix: Default Parameters
Default settings of 802.1Q VLAN are listed in the following table.
Table 4-1 Default Settings of 802.1Q VLAN
Parameter      Default Setting
VLAN ID        1
PVID           1
Egress rule    Untagged

Configuring - Page 170

Part 8 Configuring Spanning Tree
CHAPTERS
1. Spanning Tree
2. STP/RSTP Configurations
3. MSTP Configurations
4. STP Security Configurations
5. Configuration Example for MSTP
6. Appendix: Default Parameters

1.2.1 STP/RSTP Concepts - Page 171

1 Spanning Tree
1.1 Overview
STP
STP (Spanning Tree Protocol) is a Layer 2 protocol that prevents loops in the network. As shown in Figure 1-1, STP helps to:
• Block specified ports of the switches to build a loop-free topology.
• Detect topology changes and automatically generate a loop-free topology.
Figure 1-1 STP Function
RSTP
RSTP (Rapid Spanning Tree Protocol) provides the same features as STP, but with much faster spanning tree convergence.
MSTP
MSTP (Multiple Spanning Tree Protocol) also provide..

Root Bridge - Page 172

Figure 1-2 STP/RSTP Topology (labels: root bridge, root ports, designated ports, alternate port, backup port)
Root Bridge
The root bridge is the root of a spanning tree. There is only one root bridge in each spanning tree, and the root bridge has the lowest bridge ID.
Bridge ID
The value of the priority and MAC address of the switch. It is used to select the root bridge. The bridge ID is composed of a 2-byte priority and a 6-byte MAC address. The prio..

Port Status - Page 173

In RSTP/MSTP, the alternate port is the backup for the root port. It is blocked when the root port works normally. Once the root port fails, the alternate port will become the new root port. In STP, the alternate port is always blocked.
• Backup Port
If a port is not selected as the designated port because it receives better BPDUs from the switch it belongs to, it will become a backup port. In RSTP/MSTP, the backup port is the backup for the designated port. It is blocked when the designated port works normally. Once the root po..

Table 1-1 - Page 174

Learning and Forwarding status correspond exactly to the Learning and Forwarding status specified in STP. In TP-Link switches, the port status includes: Blocking, Learning, Forwarding and Disconnected.
• Blocking
In this status, the port receives and sends BPDUs. The other packets are dropped.
• Learning
In this status, the port receives and sends BPDUs. It also receives the other user packets to update its MAC address table, but doesn’t forward them.
• Forwarding
In this status, the port receives and sends BPDUs. It al..

1.2.2 MSTP Concepts - Page 175

BPDU
The packets used to generate the spanning tree. BPDUs (Bridge Protocol Data Units) contain information such as the bridge ID, root path cost and port priority. Switches share this information to help determine the tree topology.
1.2.2 MSTP Concepts
MSTP, compatible with STP and RSTP, has the same basic elements used in STP and RSTP. Based on the networking topology, this section introduces some concepts that exist only in MSTP.
Figure 1-3 MSTP Topology (labels: region 1, region 3, region 4, CST, IST, Blocked Port, region 2, M..

Figure 1-4 - Page 176

Figure 1-4 MST Region (switches A, B and C; Instance 1 root bridge: A; Instance 2 root bridge: B; IST root bridge: C; VLAN 3 in Instance 1, VLAN 4-5 in Instance 2, other VLANs in the IST; one blocked port)
VLAN-Instance Mapping
VLAN-Instance Mapping describes the mapping relationship between VLANs and instances. Multiple VLANs can be mapped to the same instance, but one VLAN can be mapped to only one instance. As Figure 1-4 shows, VLAN 3 is mapped to instance 1, VLAN 4 and VLAN 5 are mapped to instance 2, and the other VLANs are mapped to the IST.
IST
The Internal Sp..

- Page 177

If the switch cannot receive BPDUs because of link congestion or link failures, the root port will become a designated port and the alternate port will transition to forwarding status, so loops will occur. With the Loop Protect function enabled, the port will temporarily transition to blocking state when it does not receive BPDUs. After the link returns to normal, the port will transition to its normal state, so loops can be prevented.
» Root Protect
Root Protect function is used to ensure that the desired root bridge will not lose..

- Page 178

A switch removes MAC address entries upon receiving TC-BPDUs (the packets used to announce changes in the network topology). If a user maliciously sends a large number of TC-BPDUs to a switch in a short period, the switch will be busy removing MAC address entries, which may decrease the performance and stability of the network. With the TC Protect function enabled, the port will drop the received TC-BPDUs.

Spanning Tree > Port Config > Port Config - Page 179

2 STP/RSTP Configurations
To complete the STP/RSTP configuration, follow these steps:
1) Configure STP/RSTP parameters on ports.
2) Configure STP/RSTP globally.
3) Verify the STP/RSTP configurations.
Configuration Guidelines
• Before configuring the spanning tree, it's necessary to make clear the role that each switch plays in a spanning tree.
• To avoid any possible network flapping caused by STP/RSTP parameter changes, it is recommended to enable the STP/RSTP function globally after configuring the relevant paramete..

- Page 180

Status: Enable or disable spanning tree function on the desired port.
Priority: Enter the value of the port priority from 0 to 240, which is divisible by 16, and the default value is 128. The port with the lower value has the higher priority. In the same condition, the port with the highest priority will be elected as the root port.
Ext-Path Cost: Enter the value of the external path cost. The default setting is Auto, which means the port calculates the external path cost automatically according to the port’s link spee..

2.1.2 Configuring STP/RSTP Globally - Page 181

Port Role: Displays the role that the port plays in the spanning tree.
  Root Port: Indicates the port is a root port.
  Designated Port: Indicates the port is a designated port.
  Alternate Port: Indicates the port is a backup of a root port.
  Backup Port: Indicates the port is a backup of a designated port.
  Disabled: Indicates the port is not participating in the spanning tree.
Port Status: Displays the port status.
  Forwarding: The port receives and sends BPDUs, and forwards user data.
  Learning: The port receives and..

Note: - Page 182

Follow these steps to configure STP/RSTP globally:
1) In the Parameters Config section, configure the global parameters of STP/RSTP and click Apply.
CIST Priority: Specify the CIST priority of the switch. The valid values are from 0 to 61440, which are divisible by 4096. By default, it is 32768. The switch with the lower value has the higher priority. CIST priority is usually a parameter configured in MSTP, which means the priority of a switch in CIST. The switch with the highest priority will be elected as the root br..

Spanning Tree > STP Config > STP Summary - Page 183

Mode: Select the desired spanning tree mode as STP/RSTP on the switch. By default, it’s STP.
  STP: Specify the spanning tree mode as STP.
  RSTP: Specify the spanning tree mode as RSTP.
  MSTP: Specify the spanning tree mode as MSTP.
2.1.3 Verifying the STP/RSTP Configurations
Verify the STP/RSTP information of your switch after all the configurations are finished. Choose the menu Spanning Tree > STP Config > STP Summary to load the following page.
Figure 2-3 Verifying the STP/RSTP Configurations
The STP Summary ..

2.2.1 Configuring STP/RSTP Parameters on Ports - Page 184

Spanning-Tree Mode: Displays the spanning tree mode.
Local Bridge: Displays the bridge ID of the local bridge. The local bridge is the current switch.
Root Bridge: Displays the bridge ID of the root bridge.
External Path Cost: Displays the root path cost from the switch to the root bridge.
Regional Root Bridge: It is the root bridge of IST. It is not displayed when you choose the spanning tree mode as STP/RSTP.
Internal Path Cost: The internal path cost is the root path cost from the switch to the root bridge of IST. It is ..

: - Page 185

Step 4
spanning-tree common-config [ port-priority pri ] [ ext-cost ext-cost ] [ portfast { enable | disable }] [ point-to-point { auto | open | close }]
Configure STP/RSTP parameters on the desired port.
pri: Specify the value of port priority. The valid values are from 0 to 240, which are divisible by 16, and the default value is 128. The port with the lower value has the higher priority. In the same condition, the port with the highest priority will be elected as the root port.
ext-cost: Specify the value of exter..

2.2.2 Configuring Global STP/RSTP Parameters - Page 186

Interface State Prio Ext-Cost Int-Cost Edge P2p Mode Role Status
---------- ------- ---- ------ -------- ---- --------- ----- ----- -------
Fa1/0/3 Enable 32 Auto Auto No No(auto) N/A N/A LnkDwn
Switch(config-if)#end
Switch#copy running-config startup-config
2.2.2 Configuring Global STP/RSTP Parameters
Follow these steps to configure global STP/RSTP parameters of the switch:
Step 1
configure
Enter global configuration mode.
Step 2
spanning-tree priority pri
Configure the priority of the switch.
pri: Specify the value..

2.2.3 Enabling STP/RSTP Globally - Page 187

Note: To prevent frequent network flapping, make sure that Hello Time, Forward Delay, and Max Age conform to the following formulas:
• 2*(Hello Time + 1) <= Max Age
• 2*(Forward Delay - 1) >= Max Age
This example shows how to configure the priority of the switch as 36864 and the Forward Delay as 12 seconds:
Switch#configure
Switch(config)#spanning-tree priority 36864
Switch(config)#spanning-tree timer forward-time 12
Switch(config)#show spanning-tree bridge
State Mode Priority Hello-Time Fwd-Time Max-Age Hold..

copy running-config startup-config - Page 188

Step 6
copy running-config startup-config
Save the settings in the configuration file.
This example shows how to enable spanning tree function, configure the spanning tree mode as RSTP and verify the configurations:
Switch#configure
Switch(config)#spanning-tree mode rstp
Switch(config)#spanning-tree
Switch(config)#show spanning-tree active
Spanning tree is enabled
Spanning-tree’s mode: RSTP (802.1w Rapid Spanning Tree Protocol)
Latest topology change time: 2006-01-02 10:04:02
Root Bridge
  Priority : 32768
  Address : 0..

Spanning Tree > Port Config > Port Config - Page 189

3 MSTP Configurations
To complete the MSTP configuration, follow these steps:
1) Configure parameters on ports in CIST.
2) Configure the MSTP region.
3) Configure the MSTP globally.
4) Verify the MSTP configurations.
Configuration Guidelines
• Before configuring the spanning tree, it's necessary to make clear the role that each switch plays in a spanning tree.
• To avoid any possible network flapping caused by MSTP parameter changes, it is recommended to enable the MSTP function globally after configuring the relevant par..

Auto - Page 190

Status: Enable or disable spanning tree function on the desired port.
Priority: Enter the value of port priority from 0 to 240 divisible by 16, and the default value is 128. The port with the lower value has the higher priority. In the same condition, the port with the highest priority will be elected as the root port in CIST.
Ext-Path Cost: Enter the value of the external path cost. The default setting is Auto, which means the port calculates the path cost automatically according to the port’s link speed. External path co..

Configuring the Region Name and Revision Level - Page 191

Port Role: Displays the role that the port plays in CIST.
  Root Port: Indicates the port is the root port in CIST.
  Designated Port: Indicates the port is the designated port in CIST.
  Master Port: Indicates the port provides the lowest root path cost from the region to the root bridge in CIST. In CIST, each region is regarded as a ‘switch’, and the master port is the root port of that ‘switch’.
  Alternate Port: Indicates the port is a backup of a root or master port in CIST.
  Backup Port: Indicates the port is a b..

Configuring the VLAN-Instance Mapping and Switch Priority - Page 192

Follow these steps to create an MST region:
1) In the Region Config section, set the name and revision level to specify an MSTP region.
Region Name: Configure the name for an MST region using up to 32 characters. By default, it is the MAC address of the switch.
Revision: Enter the revision number from 0 to 65535. By default, it is 0.
2) Click Apply.
• Configuring the VLAN-Instance Mapping and Switch Priority
Choose the menu Spanning Tree > MSTP Instance > Instance Config to load the following page.
Figure 3-3 Confi..

Show All - Page 193

Instance ID: Displays the instance ID.
Status: Displays the status of the instance.
Priority: Enter a value from 0 to 61440 to specify the priority of the switch, which is divisible by 4096, and the default value is 32768. The switch with the lower value has the higher priority, and the switch with the highest priority will be elected as the root bridge in the desired instance.
VLAN ID: Enter the VLAN ID mapped to the corresponding instance ID. After the modification, the previous VLAN will be cleared and mapped to the CIST. ..

Configuring Parameters on Ports in the Instance - Page 194

• Configuring Parameters on Ports in the Instance
Choose the menu Spanning Tree > MSTP Instance > Instance Port Config to load the following page.
Figure 3-4 Configuring Port Parameters in the Instance
Follow these steps to configure port parameters in the instance:
1) In the Instance ID Select section, select the desired instance ID for its port configuration.
Instance ID: Select the desired instance.
2) In the Instance Port Config section, configure port parameters in the desired instance.
UNIT: Select the desired..

- Page 195

Priority: Enter the value of port priority from 0 to 240, which is divisible by 16, and the default value is 128. The port with the lower value has the higher priority. In the same condition, the port with the highest priority will be elected as the root port in the desired instance.
Path Cost: Enter the value of the path cost. The default setting is Auto, which means the port calculates the path cost automatically according to the port’s link speed. It is the path cost of the port in the desired instance. The port with t..

Spanning Tree > STP Config > STP Config - Page 196

3.1.3 Configuring MSTP Globally
Choose the menu Spanning Tree > STP Config > STP Config to load the following page.
Figure 3-5 Configure MSTP Function Globally
Follow these steps to configure MSTP globally:
1) In the Parameters Config section, configure the global parameters of MSTP and click Apply.
CIST Priority: Enter a value from 0 to 61440 to specify the CIST priority of the switch, which is divisible by 4096, and the default value is 32768. The switch with the lower value has the higher priority. CIST priority ..

Global Config - Page 197

Note: To prevent frequent network flapping, make sure that Hello Time, Forward Delay, and Max Age conform to the following formulas:
• 2*(Hello Time + 1) <= Max Age
• 2*(Forward Delay - 1) >= Max Age
2) In the Global Config section, enable Spanning-Tree function, choose the STP mode as MSTP and click Apply.
Spanning-Tree: Enable or disable spanning tree function globally on the switch.
Mode: Select the desired STP mode as MSTP on the switch. By default, it is STP.
  STP: Specify the spanning tree mode as STP.
  R..

Spanning Tree > STP Config > STP Summary - Page 198

3.1.4 Verifying the MSTP Configurations
Choose the menu Spanning Tree > STP Config > STP Summary to load the following page.
Figure 3-6 Verifying the MSTP Configurations
The STP Summary section shows the summary information of CIST:
Spanning Tree: Displays the status of the spanning tree function.
Spanning-Tree Mode: Displays the spanning tree mode.
Local Bridge: Displays the bridge ID of the local switch. The local bridge is the current switch.
Root Bridge: Displays the bridge ID of the root bridge in CIST.
External Pa..

3.2.1 Configuring Parameters on Ports in CIST - Page 199

Internal Path Cost: Displays the internal path cost. It is the root path cost from the current switch to the root bridge in IST.
Designated Bridge: Displays the bridge ID of the designated bridge in CIST.
Root Port: Displays the root port in CIST.
Latest TC Time: Displays the latest time when the topology is changed.
TC Count: Displays how many times the topology has changed.
The MSTP Summary section shows the information in MST instances:
Instance ID: Select the desired instance.
Instance Status: Displays the status of the d..

Switch#configure - Page 200

Step 4
spanning-tree common-config [ port-priority pri ] [ ext-cost ext-cost ] [ int-cost int-cost ] [ portfast { enable | disable }] [ point-to-point { auto | open | close }]
Configure the parameters on ports in CIST.
pri: Specify the value of port priority. The valid values are from 0 to 240, which are divisible by 16, and the default value is 128. The port with the lower value has the higher priority. In the same condition, the port with the highest priority will be elected as the root port in CIST.
ext-cost: Specify th..

3.2.2 Configuring the MSTP Region - Page 201

Switch(config)#interface fastEthernet 1/0/3
Switch(config-if)#spanning-tree
Switch(config-if)#spanning-tree common-config port-priority 32
Switch(config-if)#show spanning-tree interface fastEthernet 1/0/3
MST-Instance 0 (CIST)
Interface State Prio Ext-Cost Int-Cost Edge P2p Mode Role Status
----------- -------- ---- -------- -------- ---- --------- ----- ------- --------
Fa1/0/3 Enable 32 Auto Auto No No(auto) N/A N/A LnkDwn
MST-Instance 5
Interface Prio Cost Role Status
----------- ------------ -------- ---------
Fa1/0/3..

: - Page 202

Step 4
name name
Configure the region name of the region.
name: Specify the region name, used to identify an MST region. The valid values are from 1 to 32 characters.
Step 5
revision revision
Configure the revision level of the region.
revision: Specify the revision level of the region. The valid values are from 0 to 65535.
Step 6
instance instance-id vlan vlan-id
Configure the VLAN-Instance mapping.
instance-id: Specify the Instance ID. The valid values are from 1 to 8.
vlan-id: Specify the VLAN mapped to the correspo..

Configuring the Parameters on Ports in Instance - Page 203

MST-Instance Vlans-Mapped
---------------- ------------------------------------------------------------
0 1,7-4094
5 2-6,
----------------------------------------------------------------------------
Switch(config-mst)#end
Switch#copy running-config startup-config
• Configuring the Parameters on Ports in Instance
Follow these steps to configure the priority and path cost of ports in the specified instance:
Step 1
configure
Enter global configuration mode.
Step 2
interface {gigabitEthernet

3.2.3 Configuring Global MSTP Parameters - Page 204

Step 6
copy running-config startup-config
Save the settings in the configuration file.
This example shows how to configure the priority as 144 and the path cost as 200 for port 1/0/3 in instance 5:
Switch#configure
Switch(config)#interface fastEthernet 1/0/3
Switch(config-if)#spanning-tree mst instance 5 port-priority 144 cost 200
Switch(config-if)#show spanning-tree interface fastEthernet 1/0/3
MST-Instance 0 (CIST)
Interface State Prio Ext-Cost Int-Cost Edge P2p Mode Role Status
---------- ------ ---- -------- -------- ----..

Switch#configure - Page 205

Step 3
spanning-tree timer {[ forward-time forward-time ] [ hello-time hello-time ] [ max-age max-age ]}
(Optional) Configure the Forward Delay, Hello Time and Max Age.
forward-time: Specify the value of Forward Delay. The valid values are from 4 to 30 in seconds, and the default value is 15. Forward Delay is the time for the port to transition its state after the network topology is changed.
hello-time: Specify the value of Hello Time. The valid values are from 1 to 10 in seconds, and the default value is 2. The root bridge..

3.2.4 Enabling Spanning Tree Globally - Page 206

Switch(config-if)#spanning-tree timer forward-time 12
Switch(config-if)#spanning-tree hold-count 8
Switch(config-if)#spanning-tree max-hops 25
Switch(config-if)#show spanning-tree bridge
State Mode Priority Hello-Time Fwd-Time Max-Age Hold-Count Max-Hops
------- ------- -------- -------- -------- -------- --------- --------
Enable Mstp 36864 2 12 20 8 25
Switch(config-if)#end
Switch#copy running-config startup-config
3.2.4 Enabling Spanning Tree Globally
Follow these steps to configure the spanning tree mode as MSTP and e..

- Page 207

Spanning tree is enabled
Spanning-tree’s mode: MSTP (802.1s Multiple Spanning Tree Protocol)
Latest topology change time: 2006-01-04 10:47:42
MST-Instance 0 (CIST)
Root Bridge
  Priority : 32768
  Address : 00-0a-eb-13-23-97
  External Cost : 200000
  Root Port : Fa/0/20
Designated Bridge
  Priority : 32768
  Address : 00-0a-eb-13-23-97
Regional Root Bridge
  Priority : 36864
  Address : 00-0a-eb-13-12-ba
  Local bridge is the regional root bridge
Local Bridge
  Priority : 36864
  Address : 00-0a-eb-13-12-ba
Interface State Prio Ext-Cost Int..

Switch(config)#end - Page 208

Local Bridge
  Priority : 32768
  Address : 00-0a-eb-13-12-ba
Interface Prio Cost Role Status
---------- ---- -------- ------- --------
Fa/0/16 128 200000 Altn Blk
Fa/0/20 128 200000 Mstr Fwd
Switch(config)#end
Switch#copy running-config startup-config

Spanning Tree > STP Security > Port Protect - Page 209

4 STP Security Configurations
With STP security, you can:
• Configure the Loop Protect function.
• Configure the Root Protect function.
• Configure the TC Protect function.
• Configure the BPDU Protect function.
• Configure the BPDU Filter function.
4.1 Using the GUI
4.1.1 Configuring the STP Security
Choose the menu Spanning Tree > STP Security > Port Protect to load the following page.
Figure 4-1 Configuring the Port Protect

4.2.1 Configuring the STP Security - Page 210

Configure the Port Protect features for the selected ports, and click Apply.
UNIT: Select the desired unit or LAGs for configuration.
Loop Protect: Enable or disable the Loop Protect function. It is recommended to enable this function on root ports and alternate ports. The Loop Protect function is used to prevent loops caused by link congestion or link failures. With the Loop Protect function enabled, the port will temporarily transition to blocking state when it does not receive BPDUs. After the link returns to normal, the..

feature - Page 211

Step 2
interface {gigabitEthernet port | range gigabitEthernet port-list ] [port-channel port-channel | range port-channel p..

copy running-config startup-config - Page 212

Step 10
copy running-config startup-config
Save the settings in the configuration file.
This example shows how to enable Loop Protect, Root Protect, TC Protect, BPDU Filter and BPDU Protect functions on port 1/0/3:
Switch#configure
Switch(config)#interface fastEthernet 1/0/3
Switch(config-if)#spanning-tree guard loop
Switch(config-if)#spanning-tree guard root
Switch(config-if)#spanning-tree bpdufilter
Switch(config-if)#spanning-tree guard tc
Switch(config-if)#spanning-tree bpduguard
Switch(config-if)#show spanning..

Configuration Example for MSTP - Page 213

5 Configuration Example for MSTP
MSTP, backwards-compatible with STP and RSTP, can map VLANs to instances to enable load balancing, which makes network management more flexible. Here we take the MSTP configuration as an example.
5.1 Network Requirements
As shown in Figure 5-1, the network consists of three switches. Traffic in VLAN 101-VLAN 106 is transmitted in this network. The link speed between the switches is 100Mb/s (the default path cost of the port is 200000). It is required that traffic ..

Spanning Tree > STP Config > Port Config - Page 214

Figure 5-2 VLAN-Instance Mapping (Switch A, Switch B and Switch C, with ports Fa1/0/1 and Fa1/0/2; Instance 1: VLAN 101 - VLAN 103; Instance 2: VLAN 104 - VLAN 106; one blocked port)
The overview of configuration is as follows:
1) Enable the Spanning Tree function on the ports in each switch.
2) Configure Switch A, Switch B and Switch C in the same region. Configure the region name as 1, and the revision level as 100. Map VLAN 101 - VLAN 103 to instance 1 and VLAN 104 - VLAN 106 to instance 2.
3) Configure the ..

Spanning Tree > MSTP Instance > Region Config - Page 215

Figure 5-3 Enable Spanning Tree Function on Ports
2) Choose the menu Spanning Tree > MSTP Instance > Region Config to load the following page. Set the region name as 1 and the revision level as 100.
Figure 5-4 Configuring the MST Region
3) Choose the menu Spanning Tree > MSTP Instance > Instance Config to load the following page. Map VLAN101-VLAN103 to instance 1; map VLAN104-VLAN106 to instance 2.

Configuring the VLAN-Instance Mapping - Page 216

Figure 5-5 Configuring the VLAN-Instance Mapping
4) Choose the menu Spanning Tree > MSTP Instance > Instance Port Config to load the following page. Set the path cost of port 1/0/1 in instance 1 as 400000.

Configure the Path Cost of Port 1/0/1 In Instance 1 - Page 217

Figure 5-6 Configure the Path Cost of Port 1/0/1 In Instance 1
5) Choose the menu Spanning Tree > STP Config > STP Config to load the following page. Enable MSTP function globally. Here we leave the values of the other global parameters as default settings.

Configure the Global MSTP Parameters of the Switch - Page 218

Figure 5-7 Configure the Global MSTP Parameters of the Switch
6) Click Save Config to save the settings.
• Configurations for Switch B
1) Choose the menu Spanning Tree > STP Config > Port Config to load the following page. Enable the spanning tree function on port 1/0/1 and port 1/0/2. Here we leave the values of the other parameters as default settings.
Figure 5-8 Enable Spanning Tree Function on Ports
2) Choose the menu Spanning Tree > MSTP Instance > Region Config to load the following page. Se..

Spanning Tree > MSTP Instance > Instance Config - Page 219

Figure 5-9 Configuring the Region
3) Choose the menu Spanning Tree > MSTP Instance > Instance Config to load the following page. Map VLAN101-VLAN103 to instance 1; map VLAN104-VLAN106 to instance 2.
Figure 5-10 Configuring the VLAN-Instance Mapping
4) Choose the menu Spanning Tree > MSTP Instance > Instance Config to load the following page. Configure the priority of Switch B as 0 to set it as the root bridge in instance 1.

Configuring the Priority of Switch B in Instance 1 - Page 220

Figure 5-11 Configuring the Priority of Switch B in Instance 1
5) Choose the menu Spanning Tree > MSTP Instance > Instance Port Config to load the following page. Set the path cost of port 1/0/2 in instance 2 as 400000.

Configure the Path Cost of Port 1/0/2 in Instance 2 - Page 221

Figure 5-12 Configure the Path Cost of Port 1/0/2 in Instance 2
6) Choose the menu Spanning Tree > STP Config > STP Config to load the following page. Enable MSTP function globally. Here we leave the values of the other global parameters as default settings.

Configuring the MSTP Globally - Page 222

Figure 5-13 Configuring the MSTP Globally
7) Click Save Config to save the settings.
• Configurations for Switch C
1) Choose the menu Spanning Tree > STP Config > Port Config to load the following page. Enable the spanning tree function on port 1/0/1 and port 1/0/2. Here we leave the values of the other parameters as default settings.
Figure 5-14 Enable Spanning Tree Function on Ports
2) Choose the menu Spanning Tree > MSTP Instance > Region Config to load the following page. Set the region name a..

Spanning Tree > MSTP Instance > Instance Config - Page 223

Figure 5-15 Configuring the Region
3) Choose the menu Spanning Tree > MSTP Instance > Instance Config to load the following page. Map VLAN101-VLAN103 to instance 1; map VLAN104-VLAN106 to instance 2.
Figure 5-16 Configuring the VLAN-Instance Mapping
4) Choose the menu Spanning Tree > MSTP Instance > Instance Config to load the following page. Configure the priority of Switch C as 0 to set it as the root bridge in instance 2.

Configuring the Priority of Switch C in Instance 2 - Page 224

Figure 5-17 Configuring the Priority of Switch C in Instance 2

5) Choose the menu Spanning Tree > STP Instance > STP Config to load the following page. Enable MSTP function globally. Here we leave the values of the other global parameters as default settings.

Figure 5-18 Configuring the MSTP Globally

6) Click Save Config to save the settings.

Configurations for Switch A - Page 225

5.4 Using the CLI

Configurations for Switch A

1) Enable the spanning tree function on port 1/0/1 and port 1/0/2, and specify the path cost of port 1/0/1 in instance 1 as 400000.

Switch#configure
Switch(config)#interface fastEthernet 1/0/1
Switch(config-if)#spanning-tree
Switch(config-if)#spanning-tree mst instance 1 cost 400000
Switch(config-if)#exit
Switch(config)#interface fastEthernet 1/0/2
Switch(config-if)#spanning-tree
Switch(config-if)#exit

2) Configure the region name as 1, the revision number as 10..

Configurations for Switch C - Page 226

Switch(config-if)#spanning-tree
Switch(config-if)#spanning-tree mst instance 2 cost 400000
Switch(config-if)#exit
Switch(config)#interface fastEthernet 1/0/1
Switch(config-if)#spanning-tree
Switch(config-if)#exit

2) Configure the region name as 1, the revision number as 100; map VLAN101-VLAN103 to instance 1; map VLAN104-VLAN106 to instance 2; configure the priority of Switch B in instance 1 as 0 to set it as the root bridge in instance 1:

Switch(config)#spanning-tree mst configuration
Switch(config-mst)#name 1..

Verify the Configurations - Page 227

Switch(config-mst)#name 1
Switch(config-mst)#revision 100
Switch(config-mst)#instance 1 vlan 101-103
Switch(config-mst)#instance 2 vlan 104-106
Switch(config-mst)#exit
Switch(config)#spanning-tree mst instance 2 priority 0

3) Configure the spanning tree mode as MSTP, then enable spanning tree function globally.

Switch(config)#spanning-tree mode mstp
Switch(config)#spanning-tree
Switch(config)#end
Switch#copy running-config startup-config

Verify the Configurations

Switch A

Verify the configurations of Switch..

Switch B - Page 228

Fa1/0/1    128   400000    Root     Fwd      N/A
Fa1/0/2    128   200000    Altn     Blk      N/A

Verify the configurations of Switch A in instance 2:

Switch(config)#show spanning-tree mst instance 2
MST-Instance 2
Root Bridge
Priority : 0
Address : 3c-46-d8-9d-88-f7
Internal Cost : 200000
Root Port : 2
Designated Bridge
Priority : 0
Address : 3c-46-d8-9d-88-f7
Local Bridge
Priority : 32768
Address : 00-0a-eb-13-23-97
Interface  Prio  Cost      Role     Status   LAG
---------  ----  --------  -------  -------  ----
Fa1/0/1    128   200000    Desg     Fwd      N/A
Fa1/0/2    128   200..

- Page 229

Priority : 0
Address : 00-0a-eb-13-12-ba
Local Bridge
Priority : 0
Address : 00-0a-eb-13-12-ba
Interface   Prio  Cost      Role     Status
----------  ----  --------  -------  --------
Fa1/0/1     128   200000    Desg     Fwd
Fa1/0/2     128   200000    Desg     Fwd

Verify the configurations of Switch B in instance 2:

Switch(config)#show spanning-tree mst instance 2
MST-Instance 2
Root Bridge
Priority : 0
Address : 3c-46-d8-9d-88-f7
Internal Cost : 400000
Root Port : 2
Designated Bridge
Priority : 0
Address : 3c-46-d8-9d-88-f7
Local Bridge
Priority : 3..

Switch C - Page 230

Switch C

Verify the configurations of Switch C in instance 1:

Switch(config)#show spanning-tree mst instance 1
MST-Instance 1
Root Bridge
Priority : 0
Address : 00-0a-eb-13-12-ba
Internal Cost : 200000
Root Port : 2
Designated Bridge
Priority : 0
Address : 00-0a-eb-13-12-ba
Local Bridge
Priority : 32768
Address : 3c-46-d8-9d-88-f7
Interface   Prio    Cost      Role       Status
----------  ------  --------  ---------  ----------
Fa1/0/1     128     200000    Desg       Fwd
Fa1/0/2     128     200000    Root       Fwd

Verify the configurations of Switch C in in..

- Page 231

Local Bridge
Priority : 0
Address : 3c-46-d8-9d-88-f7
Interface    Prio    Cost       Role     Status
-----------  ------  ---------  -------  ----------
Fa1/0/1      128     200000     Desg     Fwd
Fa1/0/2      128     200000     Desg     Fwd

Appendix: Default Parameters - Page 232

6 Appendix: Default Parameters

Default settings of the Spanning Tree feature are listed in the following table.

Table 6-1 Default Settings of the Global Parameters

Parameter        Default Setting
---------------  ---------------
Spanning-tree    Disable
Mode             STP
CIST Priority    32768
Hello Time       2 seconds
Max Age          20 seconds
Forward Delay    15 seconds
TxHoldCount      5 pps
Max Hops         20 hops

Table 6-2 Default Settings of the Port Parameters

Parameter        Default Setting
---------------  ---------------
Status           Disable
Priority         128
Ext-Path Cost    Auto
In-Path Cost     Auto
Edge Port        Disable
P2P Link         Auto
MChe..

Parameter - Page 233

Parameter        Default Setting
---------------  ---------------
Port Priority    128
Path Cost        Auto

Configuring Spanning Tree - Page 234

Configuration Guide - Page 235

Configuring - Page 236

Part 9 Configuring Layer 2 Multicast

CHAPTERS
1. Layer 2 Multicast
2. IGMP Snooping Configurations
3. Viewing Multicast Snooping Configurations
4. Configuration Examples
5. Appendix: Default Parameters

Layer 2 Multicast - Page 237

1 Layer 2 Multicast

1.1 Overview

In a point-to-multipoint network, packets can be sent in three ways: unicast, broadcast and multicast. With unicast, many copies of the same information will be sent to all the receivers, occupying a large bandwidth. With broadcast, information will be sent to all users in the network whether they need it or not, wasting network resources and impacting information security. Multicast, however, solves all the problems caused by unicast and broadcast. With multicast, the source only need..

IGMP Snooping - Page 238

Demonstrated as below:

[Figure 1-1 IGMP Snooping. Panels: multicast packets transmission with IGMP Snooping; multicast packets transmission without IGMP Snooping. Labels: Source, Multicast router, Layer 2 switch, Host A, Host B, Host C, Receiver, Multicast packets.]

1.2 Supported Layer 2 Multicast Protocols

Layer 2 Multicast protocol for IPv4: IGMP Snooping

On the Layer 2 device, IGMP Snooping transmits data on demand on data link layer by analyzing IGMP pack..

Multicast > IGMP Snooping > Snooping Config - Page 239

2 IGMP Snooping Configurations

2.1 Using the GUI

2.1.1 Configuring IGMP Snooping Globally

Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page.

Figure 2-1 IGMP Snooping Global Config

Enabling IGMP Snooping Globally

Before configuring functions related to IGMP Snooping, enable IGMP Snooping globally first.

1) Select Enable to enable IGMP Snooping globally.
2) Click Apply.

(Optional) Configuring Unknown Multicast

Unknown Multicast decides how to process the multicast dat..

(Optional) Configuring Report Message Suppression - Page 240

1) Configure Unknown Multicast as Forward or Discard.

Unknown Multicast: Configure how the switch processes the multicast data sent to unknown multicast groups, as Forward or Discard. Unknown multicast groups are multicast groups whose destination multicast address is not in the multicast forwarding table of the switch.

2) Click Apply.

(Optional) Configuring Report Message Suppression

Enabling Report Message Suppression can reduce the number of packets in the network. Follow these steps to configure re..

Verifying IGMP Snooping Status - Page 241

Follow these steps to configure Last Listener Query Interval and Last Listener Query Count in the Global Config section:

1) Specify the interval between MASQs.

Last Listener Query Interval: When the switch receives an IGMP leave message, the switch obtains the address of the multicast group that the host wants to leave from the message. Then the switch sends out MASQs to this multicast group through the port receiving the leave message. This parameter determines the interval between MASQs. The valid values are..

Enabling IGMP Snooping on the Port - Page 242

2.1.2 Configuring the Port’s Basic IGMP Snooping Features

Choose the menu Multicast > IGMP Snooping > Port Config to load the following page.

Figure 2-2 Enable IGMP Snooping on Port

Enabling IGMP Snooping on the Port

Follow these steps to enable or disable IGMP Snooping on the port.

1) Select the port to be configured and select Enable under the IGMP Snooping column.
2) Click Apply.

(Optional) Configuring Fast Leave

With Fast Leave enabled on a port, the switch will remove this port from the forwardi..

Configuring IGMP Snooping Globally in the VLAN - Page 243

Fast Leave: With Fast Leave enabled on a port, the switch will remove this port from the forwarding list of the corresponding multicast group once the port receives a leave message. You should only use this function when there is a single receiver present on the port.

2) Click Apply.

2.1.3 Configuring IGMP Snooping in the VLAN

Choose the menu Multicast > IGMP Snooping > VLAN Config to load the following page.

Figure 2-3 IGMP Snooping in VLAN

Configuring IGMP Snooping Globally in the VLAN

In the VLAN Con..

2.1.4 Configuring the Multicast VLAN - Page 244

Router Port Time: Specify the aging time of the router ports in the VLAN. If the router port does not receive any IGMP general query message within the router port time, the switch will no longer consider this port as a router port and delete it from the router port list. The valid values are from 60 to 600 seconds. When the router port time is 0, the VLAN uses the global time.

Member Port Time: Specify the aging time of the member ports in the VLAN. If the member port does not receive any IGMP membership repor..

Creating Multicast VLAN and Configuring Basic Settings - Page 245

Choose the menu Multicast > IGMP Snooping > Multicast VLAN to load the following page.

Figure 2-4 Multicast VLAN Config

Creating Multicast VLAN and Configuring Basic Settings

In the Multicast VLAN section, follow these steps to enable Multicast VLAN and to finish the basic settings:

1) Set up the VLAN that the router ports and the member ports are in. For details, please refer to Configuring 802.1Q VLAN.
2) Enable Multicast VLAN, configure the specific VLAN to be the multicast VLAN, and configure the R..

Apply - Page 246

Router Port Time: Specify the aging time of the router ports in the multicast VLAN. If the router port does not receive any IGMP general query message within the router port time, the switch will no longer consider this port as a router port and delete it from the router port table. The valid values are from 60 to 600 seconds. When the router port time is 0, the VLAN uses the global time.

Member Port Time: Specify the aging time of the member ports in the multicast VLAN. If the member port does not receive any ..

2.1.5 (Optional) Configuring the Querier - Page 247

Forbidden Router Ports: Select the ports to forbid them from being router ports in the VLAN.

2) Click Apply.

Note: When configuration is finished, all multicast data through the ports in the VLAN will be processed in this multicast VLAN.

2.1.5 (Optional) Configuring the Querier

IGMP Snooping Querier sends general query packets regularly to maintain the multicast forwarding table.

Choose the menu Multicast > IGMP Snooping > Querier Config to load the following page.

Figure 2-5 Querier Config

Configuring ..

Multicast > IGMP Snooping > Profile Config - Page 248

Viewing Settings of IGMP Querier

The IGMP Snooping Querier Table displays all the related settings of the IGMP querier.

2.1.6 Configuring IGMP Profile

With IGMP Profile, the switch can define a blacklist or whitelist of multicast addresses so as to filter multicast sources.

Choose the menu Multicast > IGMP Snooping > Profile Config to load the following page.

Figure 2-6 Profile Create

Creating Profile

Follow these steps to create a profile and configure its filtering mode.

1) Create a profile and config..

2.1.7 Binding Profile and Member Ports - Page 249

Editing IP Range of the Profile

Follow these steps to edit profile mode and its IP range:

1) Click Edit in the IGMP Profile Info table. Edit its IP range and click Add to save the settings.

Figure 2-7 Add IP-range

Profile ID: Displays the ID of the profile to be edited.

Mode: Select Permit or Deny as the filtering mode.
Permit: similar to a whitelist, means that the switch only allows specified member ports to join specific multicast groups.
Deny: similar to a blacklist, means that the switch disallows specif..

Binding Profile and Member Ports - Page 250

Figure 2-8 Profile Binding

Binding Profile and Member Ports

Follow these steps to bind the profile to the port.

1) Select the port to be bound, and enter the Profile ID in the Profile ID column.

Select: Select the port to be bound.
Port: Displays the port number.
Profile ID: Enter the profile ID you create to bind the profile to the port. One port can only be bound to one profile.
ClearBinding: Click to clear the binding between the profile and the port.

2) Click Apply.

Configuring Max Groups a Port Can Join

Fol..

2.1.8 Viewing IGMP Statistics on Each Port - Page 251

Max Group: Enter the number of multicast groups the port can join. The valid values are from 0 to 512.

Overflow Action: Select the action towards the new multicast group when the number of multicast groups the port joined exceeds max group.
Drop: Drop all subsequent membership report messages, and the port will not join any new multicast groups.
Replace: Replace the existing multicast group owning the lowest multicast MAC address with the new multicast group.

2) Click Apply.

2.1.8 Viewing IGMP Statistics on ..

2.1.9 Configuring Static Member Port - Page 252

Auto Refresh: If Auto Refresh is enabled, statistics of IGMP packets on this page will refresh automatically.

Refresh Period: After Auto Refresh is enabled, enter the interval between each refresh. The valid values are from 3 to 300 seconds.

2) Click Apply.

Viewing IGMP Statistics

The IGMP Statistics table displays all kinds of IGMP statistics of all the ports.

2.1.9 Configuring Static Member Port

This function allows you to specify a port as a static member port in the multicast group.

Choose the menu Multica..

2.2.1 Enabling IGMP Snooping Globally - Page 253

Multicast IP: Specify the multicast group that the static member is in.

VLAN ID: Specify the VLAN that the static member is in.

Forward Port: Specify one or more ports to be the static member port in the multicast group. Without aging, the static member port receives all multicast data sent to this multicast group.

2) Click Create.

Viewing IGMP Static Multicast Groups

You can search IGMP static multicast entries by using Multicast IP, VLAN ID or Forward Port as the Search Option.

Static Multicast IP Table displ..

- Page 254

Step 3  ip igmp snooping
        Enable IGMP Snooping on the specified port.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show ip igmp snooping
        Show the basic IGMP snooping configuration.
Step 6  copy running-config startup-config
        Save the settings in the configuration file.

The following example shows how to enable IGMP Snooping globally and enable IGMP Snooping on port 1/0/3:

Switch#configure
Switch(config)#ip igmp snooping
Switch(config)#interface fastEthernet 1/0/3
Switch(config-if)#ip igmp snooping
Switch(con..

2.2.3 Configuring IGMP Snooping Parameters Globally - Page 255

2.2.3 Configuring IGMP Snooping Parameters Globally

Configuring Report Message Suppression

Step 1  configure
        Enter global configuration mode.
Step 2  ip igmp snooping report-suppression
        Enable Report Message Suppression globally. If this function is enabled, the switch will only forward the first IGMP report message to Layer 3 devices and suppress subsequent IGMP report messages from the same multicast group during one query interval, which reduces the number of IGMP packets.
Step 3  end
        Return to privileged EXE..

Configuring Unknown Multicast - Page 256

Switch#copy running-config startup-config

Configuring Unknown Multicast

Step 1  configure
        Enter global configuration mode.
Step 2  ip igmp snooping drop-unknown
        Configure the switch to process the multicast data from unknown multicast groups as Discard. Unknown multicast groups are multicast groups whose destination multicast address is not in the multicast forwarding table of the switch.
Step 3  end
        Return to privileged EXEC mode.
Step 4  show ip igmp snooping
        Show the basic IGMP snooping configuratio..

2.2.4 Configuring IGMP Snooping Parameters on the Port - Page 257

2.2.4 Configuring IGMP Snooping Parameters on the Port

Configuring Router Port Time and Member Port Time

Step 1  configure
        Enter global configuration mode.
Step 2  ip igmp snooping rtime rtime
        ip igmp snooping mtime mtime
        rtime is the aging time of router ports, ranging from 60 to 600 seconds. mtime is the aging time of member ports, ranging from 60 to 600 seconds.
Step 3  end
        Return to privileged EXEC mode.
Step 4  show ip igmp snooping
        Show the basic IGMP snooping configuration.
Step 5  copy running-config start..

Configuring Fast Leave - Page 258

Switch(config-if)#end
Switch#copy running-config startup-config

Configuring Fast Leave

Step 1  configure
        Enter global configuration mode.
Step 2  interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range

Configuring Max Group and Overflow Action on the Port - Page 259

Configuring Max Group and Overflow Action on the Port

Step 1  configure
        Enter global configuration mode.
Step 2  interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabit..

2.2.5 Configuring IGMP Snooping Last Listener Query - Page 260

Switch(config-if)#end
Switch#copy running-config startup-config

2.2.5 Configuring IGMP Snooping Last Listener Query

Step 1  configure
        Enter global configuration mode.
Step 2  ip igmp snooping last-listener query-inteval interval
        interval determines the interval between MASQs sent by the switch. The valid values are from 1 to 5 seconds.
Step 3  ip igmp snooping last-listener query-count num
        num determines the number of MASQs sent by the switch. The valid values are from 1 to 5.
Step 4  show ip igmp snooping
        Show t..

2.2.6 Configuring IGMP Snooping Parameters in the VLAN - Page 261

Enable Port:
Enable VLAN:
Switch(config)#end
Switch#copy running-config startup-config

2.2.6 Configuring IGMP Snooping Parameters in the VLAN

Configuring Router Port Time and Member Port Time

Step 1  configure
        Enter global configuration mode.
Step 2  ip igmp snooping vlan-config vlan-id-list [rtime router-time | mtime member-time ]
        router-time is the aging time of the router ports in the specified VLAN, ranging from 60 to 600 seconds. member-time is the aging time of the member ports in the specified VLAN, rang..

Configuring Static Router Port - Page 262

Forbidden Router Port:None
Switch(config)#show ip igmp snooping vlan 3
Vlan Id: 3
Router Time:500
Member Time:400
Static Router Port:None
Dynamic Router Port:None
Forbidden Router Port:None
Switch(config)#end
Switch#copy running-config startup-config

Configuring Static Router Port

Step 1  configure
        Enter global configuration mode.
Step 2  ip igmp snooping vlan-config vlan-id-list [rport interface {gigabitEthernet port-list |..

Configuring Forbidden Router Port - Page 263

Static Router Port:Fa1/0/2
Dynamic Router Port:None
Forbidden Router Port:None
Switch(config)#end
Switch#copy running-config startup-config

Configuring Forbidden Router Port

Step 1  configure
        Enter global configuration mode.
Step 2  ip igmp snooping vlan-config vlan-id-list router-ports-forbidden interface {gigabitEthernet port-list | port-channel port-channel-id

- Page 264

Switch(config)#end
Switch#copy running-config startup-config

Configuring Static Multicast (Multicast IP and Forward Port)

Step 1  configure
        Enter global configuration mode.
Step 2  ip igmp snooping vlan-config vlan-id-list static ip interface {gigabitEthernet port-list | port-channel port-channel-id

Configuring Router Port Time and Member Port Time - Page 265

2.2.7 Configuring IGMP Snooping Parameters in the Multicast VLAN

Configuring Router Port Time and Member Port Time

Step 1  configure
        Enter global configuration mode.
Step 2  ip igmp snooping multi-vlan-config [ vlan-id ] [rtime router-time | mtime member-time ]
        vlan-id specifies the VLAN to be created or to be configured. router-time is the aging time of the router ports in the multicast VLAN, ranging from 60 to 600 seconds. member-time is the aging time of the member ports in the multicast VLAN, ranging from 6..

Configuring Static Router Port - Page 266

Switch#copy running-config startup-config

Configuring Static Router Port

Step 1  configure
        Enter global configuration mode.
Step 2  ip igmp snooping multi-vlan-config [ vlan-id ] [rport interface {gigabitEthernet port-list | port-channel port-channel-id }]
        vlan-id specifies the VLAN to be created o..

Configuring Forbidden Router Port - Page 267

Configuring Forbidden Router Port

Step 1  configure
        Enter global configuration mode.
Step 2  ip igmp snooping multi-vlan-config [ vlan-id ] router-ports-forbidden interface {gigabitEthernet port-list | port-channel port-channel-id }
        vlan-id specifies the multicast VLAN to be configured. port-list and port-channel-id are the ports that can..

Configuring Replace Source IP - Page 268

Configuring Replace Source IP

Step 1  configure
        Enter global configuration mode.
Step 2  ip igmp snooping multi-vlan-config [ vlan-id ] replace-sourceip ip
        vlan-id specifies the multicast VLAN to be configured. ip specifies the new source IP. The switch will replace the source IP in the IGMP multicast data sent by the multicast VLAN with the IP address you enter.
Step 3  show ip igmp snooping multi-vlan
        Show the IGMP snooping configuration in the multicast VLAN.
Step 4  end
        Return to privileged EXEC mode.
Step 5  ..

2.2.8 Configuring the Querier - Page 269

2.2.8 Configuring the Querier

Enabling IGMP Querier

Step 1  configure
        Enter global configuration mode.
Step 2  ip igmp snooping querier vlan vlan-id
        vlan-id specifies the VLAN to enable IGMP Querier.
Step 3  show ip igmp snooping querier [ vlan vlan-id ]
        Show the IGMP querier configuration.
Step 4  end
        Return to privileged EXEC mode.
Step 5  copy running-config startup-config
        Save the settings in the configuration file.

The following example shows how to enable IGMP Snooping and IGMP Querier in VLAN 4:

Switch#conf..

vlan-id - Page 270

Step 2  ip igmp snooping querier vlan vlan-id {query-interval interval | max-response-time response-time | general-query source-ip ip-addr }
        vlan-id specifies the VLAN where the querier is. interval is the interval between general query messages sent..

2.2.9 Configuring Multicast Filtering - Page 271

2.2.9 Configuring Multicast Filtering

Creating Profile

Step 1  configure
        Enter global configuration mode.
Step 2  ip igmp profile id
        Create a new profile and enter profile configuration mode.
Step 3  permit
        deny
        Configure the profile's filtering mode. permit is similar to a whitelist, indicating that the switch only allows specific member ports to join specific multicast groups. deny is similar to a blacklist, indicating that the switch disallows specific member ports to join specific multicast groups.
Step 4  rang..

Binding Profile to the Port - Page 272

range 226.0.0.5 226.0.0.10
Switch(config)#end
Switch#copy running-config startup-config

Binding Profile to the Port

Step 1  configure
        Enter global configuration mode.
Step 2  interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port

range 226.0.0.5 226.0.0.10 - Page 273

range 226.0.0.5 226.0.0.10
Binding Port(s)
Fa1/0/2
Switch(config)#end
Switch#copy running-config startup-config

Multicast > Multicast Table > IPv4 Multicast Table - Page 274

3 Viewing Multicast Snooping Configurations

3.1 Using the GUI

3.1.1 Viewing IPv4 Multicast Snooping Configurations

Choose the menu Multicast > Multicast Table > IPv4 Multicast Table to view all valid Multicast IP-VLAN-Port entries.

Figure 3-1 IPv4 Multicast Table

Search Option
Search Option: Search for specific multicast entries by using Multicast IP, VLAN ID and Forward Port.

Multicast IP Table
Multicast IP: Multicast source IP.
VLAN ID: ID of the VLAN that the multicast group is in.
Forward..

- Page 275

show ip igmp snooping interface [ fastEthernet [ port | port-list ] | gigabitEthernet [ port | port-list ] ] { basic-config | max-groups | packet-stat }
Displays settings of IGMP Snooping on the port(s). port | port-list specifies the port(s) to display. basic-config | max-groups | packet-stat displays the related IGMP configuration information.

show ip igmp snooping interface [port-channel [ lagid ] ] { basic-config | max-groups }
Displays settings of IGMP Snooping on the port-channel. lagid sp..

Network Topology for Basic IGMP Snooping - Page 276

4 Configuration Examples

4.1 Example for Configuring Basic IGMP Snooping

4.1.1 Network Requirements

Host B, Host C and Host D are in the same VLAN of the switch. All of them want to receive multicast data sent to multicast group 225.1.1.1. As shown in the following topology, Host B, Host C and Host D are connected to port 1/0/1, port 1/0/2 and port 1/0/3 respectively. Port 1/0/4 is the router port connected to the multicast querier.

Figure 4-1 Network Topology for Basic IGMP Snooping

Internet Host B Receiver Host C..

Multicast > IGMP Snooping > Snooping Config - Page 277

Enable IGMP Snooping in the VLAN.

Demonstrated with T1500-28PCT, this section provides configuration procedures in two ways: using the GUI and using the CLI.

4.1.3 Using the GUI

1) Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page. Enable IGMP Snooping globally, and keep the default values in the Router Port Time and Member Port Time fields.

Figure 4-2 Configure IGMP Snooping Globally

2) Choose the menu Multicast > IGMP Snooping > Snooping Config to load the followin..

VLAN > 802.1Q VLAN > VLAN Config - Page 278

Figure 4-3 Enable IGMP Snooping on the Ports

3) Choose the menu VLAN > 802.1Q VLAN > VLAN Config to load the following page. Create VLAN 10 and add Untagged port 1/0/1-3 and Tagged port 1/0/4 to VLAN 10.

Figure 4-4 Configure Link Type

VLAN > 802.1Q VLAN > Port Config - Page 279

4) Choose the menu VLAN > 802.1Q VLAN > Port Config to load the following page. Configure the PVID of port 1/0/1-4 as 10.

Figure 4-5 Create VLAN and Add Member Ports

5) Choose the menu Multicast > IGMP Snooping > VLAN Config to load the following page. Enable IGMP Snooping in VLAN 10. Keep 0 as the Router Port Time and Member Port Time, which means the global settings will be used.

Enable IGMP Snooping in the VLAN - Page 280

Figure 4-6 Enable IGMP Snooping in the VLAN

6) Click Save Config to save the settings.

4.1.4 Using the CLI

1) Enable IGMP Snooping globally.

Switch#configure
Switch(config)#ip igmp snooping

2) Enable IGMP Snooping on port 1/0/1-4.

Switch(config)#interface range fastEthernet 1/0/1-4
Switch(config-if-range)#ip igmp snooping
Switch(config-if-range)#exit

3) Create VLAN 10.

Switch(config)#vlan 10
Switch(config-vlan)#name vlan10
Switch(config-vlan)#exit

4) Add port 1/0/1-3 to VLAN 10 and set the link type as untagged. Ad..

Verify the Configurations - Page 281

Switch(config-if-range)#exit
Switch(config)#interface fastEthernet 1/0/4
Switch(config-if)#switchport general allowed vlan 10 tagged
Switch(config-if)#exit

5) Set the PVID of port 1/0/1-4 as 10.

Switch(config)#interface range fastEthernet 1/0/1-4
Switch(config-if-range)#switchport pvid 10
Switch(config-if-range)#exit

6) Enable IGMP Snooping in VLAN 10.

Switch(config)#ip igmp snooping vlan-config 10

7) Save the settings.

Switch(config)#end
Switch#copy running-config startup-config

Verify the Configurations

Show memb..

4.2.1 Network Requirements - Page 282

Global Report Suppression :Disable
Global Authentication Accounting:Disable
Enable Port:Fa1/0/1-4
Enable VLAN:10
4.2 Example for Configuring Multicast VLAN
4.2.1 Network Requirements
Host B, Host C and Host D are in three different VLANs of the switch. All of them want to receive multicast data sent to multicast group 225.1.1.1.
4.2.2 Configuration Scheme
Create a multicast VLAN and add the router port and ports connected to multicast members to the multicast VLAN. In this case, all multicast data will only be proc..

Multicast > IGMP Snooping > Snooping Config - Page 283

Figure 4-7 Network Topology for Multicast VLAN (diagram labels: Internet, Source, Querier, VLAN 40; Host B, Host C and Host D as receivers; ports Fa1/0/1, Fa1/0/2, Fa1/0/3, Fa1/0/4)
Demonstrated with T1500-28PCT, this section provides configuration procedures in two ways: using the GUI and using the CLI.
4.2.4 Using the GUI
1) Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page. Enable IGMP Snooping globally, and keep the default values in the Router Port Time and Member Port Time fields.

..

Multicast > IGMP Snooping > Snooping Config - Page 284

Figure 4-8 Configure IGMP Snooping Globally
2) Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page. Enable IGMP Snooping on port 1/0/1-4.
Figure 4-9 Configure IGMP Snooping Globally

..

VLAN > 802.1Q VLAN > VLAN Config - Page 285

3) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page. Create VLAN 40 and add Untagged port 1/0/1-4 to VLAN 40.
Figure 4-10 Configure Link Type
4) Choose the menu VLAN > 802.1Q VLAN > Port Config to load the following page. Configure the PVID of port 1/0/1 as 10, port 1/0/2 as 20, port 1/0/3 as 30 and port 1/0/4 as 40.

..

Multicast > IGMP Snooping > Multicast VLAN - Page 286

Figure 4-11 Create VLAN and Add Member Ports
5) Choose the menu Multicast > IGMP Snooping > Multicast VLAN to load the following page. Enable Multicast VLAN and configure VLAN 40 as the multicast VLAN. Keep Router Port Time and Member Port Time as 0.
Figure 4-12 Create Multicast VLAN
6) Click Save Config to save the settings.
4.2.5 Using the CLI
1) Enable IGMP Snooping Globally.
Switch#configure
Switch(config)#ip igmp snooping
2) Enable IGMP Snooping on port 1/0/1-4.

..

Verify the Configurations - Page 287

Switch(config)#interface range fastEthernet 1/0/1-4
Switch(config-if-range)#ip igmp snooping
Switch(config-if-range)#exit
3) Create VLAN 40.
Switch(config)#vlan 40
Switch(config-vlan)#name M-VLAN
Switch(config-vlan)#exit
4) Add port 1/0/1-4 to VLAN 40 and set the link type as untagged.
Switch(config)#interface range fastEthernet 1/0/1-4
Switch(config-if-range)#switchport general allowed vlan 40 untagged
Switch(config-if-range)#exit
5) Set the PVID of port 1/0/1 as 10, port 1/0/2 as 20, port 1/0/3 as 30 and port 1/0..

4.3.1 Network Requirement - Page 288

VLAN  Name             Status    Ports
----- ---------------- --------- ----------------------------------------
1     System-VLAN      active    Fa1/0/1, Fa1/0/2, Fa1/0/3, Fa1/0/4, Fa1/0/5, Fa1/0/6, Fa1/0/7, Fa1/0/8, ......
40    M-VLAN           active    Fa1/0/1, Fa1/0/2, Fa1/0/3, Fa1/0/4
Show status of IGMP Snooping globally, on the ports and in the multicast VLAN:
Switch(config)#show ip igmp snooping
IGMP Snooping :Enable
Unknown Multicast :Pass
Last Query Times :2
Last Query Interval :1
Global Member Age Time :260
Global Router Age Time :300
Global Rep..

Network Topology for Unknown Multicast and Fast Leave - Page 289

Figure 4-13 Network Topology for Unknown Multicast and Fast Leave (diagram labels: Internet, Source, Querier, VLAN 10; Host B as receiver; ports Fa1/0/2, Fa1/0/4)
4.3.2 Configuration Scheme
After the channel is changed, the client (Host B) still receives irrelevant multicast data, the data from the previous channel and possibly other unknown multicast data, which increases the network load and results in network congestion. The solution to this problem is using Unknown Multicast and Fast Leave. To prevent Host B from receiving irrelevant multicast da..

Multicast > IGMP Snooping > Port Config - Page 290

Figure 4-14 Configure IGMP Snooping Globally
2) Choose the menu Multicast > IGMP Snooping > Port Config to load the following page. Enable IGMP Snooping on port 1/0/2 and port 1/0/4 and enable Fast Leave on port 1/0/2.

..

Multicast > IGMP Snooping > VLAN Config - Page 291

Figure 4-15 Configure IGMP Snooping Globally
3) Choose the menu Multicast > IGMP Snooping > VLAN Config to load the following page. Enable IGMP Snooping in VLAN 10.
Figure 4-16 Enable IGMP Snooping in the VLAN

..

Verify the Configurations - Page 292

4) Click Save Config to save the settings.
4.3.4 Using the CLI
1) Enable IGMP Snooping Globally.
Switch#configure
Switch(config)#ip igmp snooping
2) Configure Unknown Multicast as Discard globally.
Switch(config)#ip igmp snooping drop unknown
3) Enable IGMP Snooping on port 1/0/2 and enable Fast Leave. On port 1/0/4, enable IGMP Snooping.
Switch(config)#interface fastEthernet 1/0/2
Switch(config-if)#ip igmp snooping
Switch(config-if)#ip igmp snooping immediate-leave
Switch(config-if)#exit
Switch(config)#interface f..

4.4.1 Network Requirements - Page 293

Global Report Suppression :Disable
Global Authentication Accounting:Disable
Enable Port:Fa1/0/2,1/0/4
Enable VLAN:10
Show settings of IGMP Snooping on port 1/0/2:
Switch(config)#show ip igmp snooping interface fastEthernet 1/0/2 basic-config
Port      IGMP-Snooping  Fast-Leave
----      -------------  ----------
Fa1/0/2   enable         enable
4.4 Example for Configuring Multicast Filtering
4.4.1 Network Requirements
Host B, Host C and Host D are in the same subnet. Host C and Host D only receive multicast data sent to 225.0.0.1, while ..

Multicast > IGMP Snooping > Snooping Config - Page 294

Figure 4-17 Network Topology for Multicast Filtering (diagram labels: Internet, Source, Querier, VLAN 10; Host B, Host C and Host D as receivers; ports Fa1/0/1, Fa1/0/2, Fa1/0/3, Fa1/0/4)
Demonstrated with T1500-28PCT, this section provides configuration procedures in two ways: using the GUI and using the CLI.
4.4.4 Using the GUI
1) Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page. Enable IGMP Snooping globally, and keep the default values in the Router Port Time and Member Port Time fields.

Multicast > IGMP Snooping > Snooping Config - Page 295

Figure 4-18 Configure IGMP Snooping Globally
2) Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page.
Figure 4-19 Enable IGMP Snooping on the Port

..

VLAN > 802.1Q VLAN > VLAN Config - Page 296

3) Choose the menu VLAN > 802.1Q VLAN > VLAN Config to load the following page. Create VLAN 10 and add Untagged port 1/0/1-3 and Tagged port 1/0/4 to VLAN 10.
Figure 4-20 Configure Link Type
4) Choose the menu VLAN > 802.1Q VLAN > Port Config to load the following page. Configure the PVID of port 1/0/1-4 as 10.

..

Multicast > IGMP Snooping > VLAN Config - Page 297

Figure 4-21 Create VLAN and Add Member Ports
5) Choose the menu Multicast > IGMP Snooping > VLAN Config to load the following page. Enable IGMP Snooping in VLAN 10. Keep 0 as the Router Port Time and Member Port Time, which means the global settings will be used.

..

Multicast > IGMP Snooping > Profile Config - Page 298

Figure 4-22 Enable IGMP Snooping in the VLAN
6) Specify the multicast data that Host C and Host D can receive.
a. Choose the menu Multicast > IGMP Snooping > Profile Config to load the following page. Create Profile 1, select Permit as the Mode and click Create.
Figure 4-23 Create Profile 1
b. Choose the menu Multicast > IGMP Snooping > Profile Config to load the following page.

..

Multicast > IGMP Snooping > Profile Binding - Page 299

Figure 4-24 Edit Add IP-range in Profile 1
c. Choose the menu Multicast > IGMP Snooping > Profile Binding to load the following page. Select port 1/0/2 and port 1/0/3, enter 1 in the Profile ID field and click Apply to bind Profile 1 to these ports.
Figure 4-25 Bind Profile 1 to Port 1/0/2 and Port 1/0/3
7) Specify the multicast data that Host B can receive
a. Choose the menu Multicast > IGMP Snooping > Profile Config to load the following page. Create Profile 2, select Deny as the Mode and click Create..

Multicast > IGMP Snooping > Profile Config - Page 300

Figure 4-26 Profile 2
b. Choose the menu Multicast > IGMP Snooping > Profile Config to load the following page. In the IGMP Profile Info table, click Edit in the Profile 2 entry, enter 225.0.0.2 in both Start IP and End IP fields, and click Add.
Figure 4-27 Edit Add IP-range in Profile 2
c. Choose the menu Multicast > IGMP Snooping > Profile Binding to load the following page. Select port 1/0/1, enter 2 in the Profile ID field and click Apply to bind Profile 2 to this port.

..

Bind Profile 2 to Port 1/0/1 - Page 301

Figure 4-28 Bind Profile 2 to Port 1/0/1
8) Click Save Config to save the settings.
4.4.5 Using the CLI
1) Enable IGMP Snooping Globally.
Switch#configure
Switch(config)#ip igmp snooping
2) Enable IGMP Snooping on port 1/0/1-4.
Switch(config)#interface range fastEthernet 1/0/1-4
Switch(config-if-range)#ip igmp snooping
Switch(config-if-range)#exit
3) Create VLAN 10.
Switch(config)#vlan 10
Switch(config-vlan)#name vlan10
Switch(config-vlan)#exit
4) Add port 1/0/1-3 to VLAN 10 and set the link type as untagged. Add p..

- Page 302

Switch(config-if-range)#switchport general allowed vlan 10 untagged
Switch(config-if-range)#exit
Switch(config)#interface fastEthernet 1/0/4
Switch(config-if)#switchport general allowed vlan 10 tagged
Switch(config-if)#exit
5) Set the PVID of port 1/0/1-4 as 10.
Switch(config)#interface range fastEthernet 1/0/1-4
Switch(config-if-range)#switchport pvid 10
Switch(config-if-range)#exit
6) Enable IGMP Snooping in VLAN 10.
Switch(config)#ip igmp snooping vlan-config 10
Switch(config-if)#exit
7) Create Profile 1, configu..

Verify the Configurations - Page 303

11) Save the settings.
Switch(config)#end
Switch#copy running-config startup-config
Verify the Configurations
Show global settings of IGMP Snooping:
Switch(config)#show ip igmp snooping
IGMP Snooping :Enable
Unknown Multicast :Pass
Last Query Times :2
Last Query Interval :1
Global Member Age Time :260
Global Router Age Time :300
Global Report Suppression :Disable
Enable Port:Fa1/0/1-4
Enable VLAN:10
Show all profile bindings:
Switch(config)#show ip igmp profile
IGMP Profile 1
permit
range 225.0.0.1 225.0.0.1
Bindin..
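
The profile bindings from section 4.4 can be modelled offline to check that each port admits only the groups it is meant to. This Python sketch is an added example, not TP-Link code: it assumes a Permit profile admits only groups inside its ranges, a Deny profile blocks only groups inside its ranges, and a port with no binding is unfiltered; the names IgmpProfile, decide, audit and the INTENDED policy are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IgmpProfile:
    """One IGMP profile: a mode plus inclusive multicast group ranges."""
    profile_id: int
    mode: str                                   # "permit" or "deny"
    ranges: list = field(default_factory=list)  # [(start, end), ...]

    def __post_init__(self):
        if self.mode not in ("permit", "deny"):
            raise ValueError(f"unknown profile mode: {self.mode!r}")

    def add_range(self, start, end):
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if not (lo.is_multicast and hi.is_multicast):
            raise ValueError(f"{start}-{end} is not inside 224.0.0.0/4")
        if lo > hi:
            raise ValueError(f"start {start} is above end {end}")
        self.ranges.append((lo, hi))

    def allows(self, group):
        in_range = any(lo <= group <= hi for lo, hi in self.ranges)
        # Assumed semantics: permit acts as an allow-list, deny as a block-list.
        return in_range if self.mode == "permit" else not in_range


def decide(bindings, port, group):
    """Return "forward" or "drop" for a membership report seen on a port."""
    try:
        addr = ipaddress.IPv4Address(group)
    except ipaddress.AddressValueError:
        return "drop"                      # not an IPv4 address at all
    if not addr.is_multicast:
        return "drop"                      # not a multicast group
    profile = bindings.get(port)
    if profile is None:
        return "forward"                   # assumed: unbound port is unfiltered
    return "forward" if profile.allows(addr) else "drop"


def audit(bindings, intended):
    """Compare the modelled behaviour with the intended policy.

    Returns a list of (port, group, wanted, got) tuples, empty when the
    bindings implement the policy.
    """
    problems = []
    for (port, group), wanted in sorted(intended.items()):
        got = decide(bindings, port, group)
        if got != wanted:
            problems.append((port, group, wanted, got))
    return problems


def build_example_bindings():
    """Profiles and bindings as configured in section 4.4."""
    p1 = IgmpProfile(1, "permit")
    p1.add_range("225.0.0.1", "225.0.0.1")
    p2 = IgmpProfile(2, "deny")
    p2.add_range("225.0.0.2", "225.0.0.2")
    return {"1/0/2": p1, "1/0/3": p1, "1/0/1": p2}


# Constructed policy table used for the audit (not taken from the guide).
INTENDED = {
    ("1/0/1", "225.0.0.2"): "drop",
    ("1/0/1", "225.0.0.3"): "forward",
    ("1/0/2", "225.0.0.1"): "forward",
    ("1/0/2", "225.0.0.2"): "drop",
    ("1/0/3", "225.0.0.1"): "forward",
    ("1/0/3", "225.0.0.3"): "drop",
}

if __name__ == "__main__":
    for row in audit(build_example_bindings(), INTENDED):
        print("mismatch:", row)
```

Binding the Permit profile to port 1/0/1 by mistake shows up in the audit as a dropped 225.0.0.3 that the policy expected to be forwarded.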

Appendix: Default Parameters - Page 304

5 Appendix: Default Parameters
5.1 Default Parameters for IGMP Snooping
Table 5-1 Default Parameters of IGMP Snooping
Function / Parameter / Default Setting
Global Settings of IGMP Snooping
  IGMP Snooping: Disabled
  Unknown Multicast: Forward
  Report Message Suppression: Disabled
  Router Port Time: 300 seconds
  Member Port Time: 260 seconds
  Last Listener Query Interval: 1 second
  Last Listener Query Count: 2
IGMP Snooping Settings on the Port
  IGMP Snooping: Disabled
  Fast Leave: Disabled
IGMP Snooping Settings in..

Configuring QoS - Page 305

Part 10 Configuring QoS
CHAPTERS
1. QoS
2. DiffServ Configuration
3. Bandwidth Control Configuration
4. Configuration Examples
5. Appendix: Default Parameters

..

DiffServ - Page 306

Configuring QoS QoS Configuration Guide 285
1 QoS
1.1 Overview
As networks grow and applications develop, Internet traffic has increased dramatically, resulting in network congestion, packet drops and long transmission delays. Typically, networks treat all traffic equally on a FIFO (First In First Out) delivery basis, but nowadays many special applications like VoD, video conferences, etc. require more bandwidth or shorter transmission delay to guarantee the performance. With QoS (Quality of Service) technology, you can classify and prioritize network traffic to provide Diff..

Configuration Guidelines - Page 307

2 DiffServ Configuration
To complete differentiated services configuration, follow these steps:
1) Configure the priority mode to classify packets with different priorities.
2) Configure the schedule mode to control the forwarding sequence of packets.
Configuration Guidelines
• Deploy the priority mode appropriate to your network requirements. Three modes are supported on the switch, 802.1P Priority, DSCP Priority and Port Priority.
· 802.1P Priority
802.1P defines the first three bits in 802.1Q Tag as PRI field. The PRI valu..

QoS > DiffServ > 802.1P Priority - Page 308

2.1 Using the GUI
2.1.1 Configuring Priority Mode
The three priority modes are described in turn in this section.
• Configuring 802.1P Priority
Choose the menu QoS > DiffServ > 802.1P Priority to load the following page.
Figure 2-1 802.1P/CoS Mapping
Follow these steps to configure the 802.1P Priority:
1) Enable 802.1P Priority and click Apply.
2) Enable 802.1P Priority, and configure the Tag-id/CoS-id-TC mapping relations.
Tag-id/CoS-id: Select the desired Tag-id/CoS-id to configure. Tag-id indi..

QoS > DiffServ > DSCP Priority - Page 309

• Configuring DSCP Priority
Choose the menu QoS > DiffServ > DSCP Priority to load the following page.
Figure 2-2 DSCP Mapping
Follow these steps to configure the DSCP priority:
1) Enable DSCP Priority and click Apply. DSCP Priority is disabled by default.
2) Configure the DSCP-TC mapping relations.
DSCP: Select the desired DSCP priority. DSCP priority represents the DSCP field in the IP packet header. It comprises 6 bits and the valid values are from 0 to 63.
Note: The DSCP priority displayed on this page may indicate t..

QoS > DiffServ > Port Priority - Page 310

• Configuring Port Priority
Choose the menu QoS > DiffServ > Port Priority to load the following page.
Figure 2-3 Port Priority
Follow these steps to configure the port priority:
1) Select the desired port or LAG to set its priority.
Priority: Specify the TC queue that the port will be mapped to.
LAG: Displays the aggregation group which the port is in.
2) Click Apply.
Note: All the ports in the same LAG should be assigned with the same port priority.
2.1.2 Configuring Schedule Mode
Configure the schedule mode to control ..

2.2.1 Configuring Priority Mode - Page 311

Figure 2-4 Schedule Mode
Follow these steps to configure the schedule mode:
1) Select a schedule mode.
SP-Mode: Strict-Priority Mode. In this mode, the queue with higher priority will occupy the whole bandwidth. Packets in the queue with lower priority are sent only when the queue with higher priority is empty.
WRR-Mode: Weight Round Robin Mode. In this mode, packets in all the queues are sent in order based on the weight value for each queue. By default, the weight value ratio of TC0 to TC3 is 1:2:4:8.
SP+WRR-Mode: Strict-Priority..
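
The practical difference between SP-Mode and WRR-Mode shows when every queue is backlogged: strict priority starves the low queues, while WRR still serves them in the 1:2:4:8 ratio. This simulation is an added example, not TP-Link code; the service order inside a WRR round, the function names and the sample backlog are assumptions made for the illustration.

```python
# Default WRR weights for TC0..TC3 as stated in the guide (1:2:4:8).
DEFAULT_WEIGHTS = {0: 1, 1: 2, 2: 4, 3: 8}


def run_sp(backlog, slots):
    """Strict priority: each slot sends one packet from the highest
    non-empty queue. Returns packets sent per TC queue."""
    pending = dict(backlog)
    sent = {tc: 0 for tc in pending}
    for _ in range(slots):
        ready = [tc for tc in pending if pending[tc] > 0]
        if not ready:
            break                      # nothing left to send
        tc = max(ready)                # TC3 is the highest priority
        pending[tc] -= 1
        sent[tc] += 1
    return sent


def run_wrr(backlog, slots, weights=DEFAULT_WEIGHTS):
    """Weighted round robin: in every round each queue may send up to
    its weight in packets. Returns packets sent per TC queue."""
    if any(weights[tc] < 1 for tc in backlog):
        raise ValueError("every queue needs a weight of at least 1")
    pending = dict(backlog)
    sent = {tc: 0 for tc in pending}
    left = slots
    while left > 0 and any(pending.values()):
        # Assumed order inside a round: highest TC first.
        for tc in sorted(pending, reverse=True):
            burst = min(weights[tc], pending[tc], left)
            pending[tc] -= burst
            sent[tc] += burst
            left -= burst
    return sent


def starved(sent, backlog):
    """Queues that had traffic waiting but sent nothing."""
    return sorted(tc for tc in sent if backlog[tc] > 0 and sent[tc] == 0)


# Constructed scenario: 100 packets waiting in each queue, room for 150.
SAMPLE_BACKLOG = {0: 100, 1: 100, 2: 100, 3: 100}

if __name__ == "__main__":
    for name, fn in (("SP", run_sp), ("WRR", run_wrr)):
        result = fn(SAMPLE_BACKLOG, 150)
        print(name, result, "starved:", starved(result, SAMPLE_BACKLOG))
```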

- Page 312

Step 3  qos queue cos-map { tag-id / cos-id } { tc-id }
        Configure the Tag-id-TC queues mapping relations or the CoS-id-TC mapping relations.
        tag-id: Specify the Tag-ID. The valid values are from 0 to 7.
        cos-id: Specify the CoS-ID. The valid values are from 0 to 7.
        tc-id: Specify the TC-ID. The valid values are from 0 to 3.
Step 4  show qos status
        Verify that 802.1P priority is enabled.
        show qos cos-map
        Verify the mapping relations between the Tag-id / CoS-id and TC queues.
Step 5  end
        Return to privileged EXEC mode.
Step 6  copy r..

Configuring DSCP Priority - Page 313

• Configuring DSCP Priority
Step 1  configure
        Enter global configuration mode.
Step 2  qos dscp
        Enable DSCP Priority.
Step 3  show qos cos-map
        Check the CoS-id-TC mapping relations.
Step 4  qos queue dscp-map { dscp-list } { cos-id }
        Configure the mapping relations between the DSCP values in the IP header and the CoS values. The packets are first mapped to CoS queues, then to TC queues according to the CoS-id-TC mapping relations.
        dscp-list: Enter one or more DSCP values which range from 0 to 63. Enter the multiple values in the..

Configuring Port Priority - Page 314

Switch(config)#show qos status
802.1p priority is disabled.
DSCP priority is enabled.
Switch(config)#show qos dscp-map
...
----------------------------------------------------------------------------------
DSCP  8     9     10    11    12    13    14    15
CoS   TC 0  TC 0  TC 0  TC 0  TC 0  TC 0  TC 0  TC 0
----------------------------------------------------------------------------------
...
Switch(config)#end
Switch#copy running-config startup-config
• Configuring Port Priority
Select the desired port to set the priority. Packets from this ingress port are..

2.2.2 Configuring Schedule Mode - Page 315

Note: All the ports in the same LAG should be assigned with the same port priority.
The following example shows how to map port 1-3 to TC1, and keep other mapping relations as default:
Switch#configure
Switch(config)#interface range fastEthernet 1/0/1-3
Switch(config-if-range)#qos 0
Switch(config-if-range)#show qos interface fastEthernet 1/0/1-3
Port      TC Value   LAG
--------  ---------  --------
Fa1/0/1   TC 0       N/A
Fa1/0/2   TC 0       N/A
Fa1/0/3   TC 0       N/A
Switch(config-if-range)#end
Switch#copy running-config startup-config
2.2.2 Configuring S..

show qos queue mode - Page 316

Step 3  show qos queue mode
        Verify the schedule mode configurations.
Step 4  end
        Return to privileged EXEC mode.
Step 5  copy running-config startup-config
        Save the settings in the configuration file.
Note: With ACL Redirect feature, the switch maps all the packets that meet the configured ACL rules to the new TC queue, regardless of the mapping relations configured in this section.
The following example shows how to configure the schedule mode as WRR:
Switch#configure
Switch(config)#qos queue mode wrr
Switch(config)#show qos queue..

QoS > Bandwidth Control > Rate Limit - Page 317

3 Bandwidth Control Configuration
To implement bandwidth control, you can:
• Limit the ingress/egress traffic rate on each port by configuring the Rate Limit function;
• Limit the broadcast, multicast and UL frame forwarding rate on each port to avoid network broadcast storm by configuring the Storm Control function.
3.1 Using the GUI
3.1.1 Configuring Rate Limit
Choose the menu QoS > Bandwidth Control > Rate Limit to load the following page.
Figure 3-1 Rate Limit
Follow these steps to configure the Rate Limit..

3.1.2 Configuring Storm Control - Page 318

Egress Rate (1-1000000 Kbps): Configure the bandwidth for sending packets on the port. The valid values are from 1 to 1000000 Kbps.
LAG: Displays the aggregation group which the port is in.
2) Click Apply.
3.1.2 Configuring Storm Control
Choose the menu QoS > Bandwidth Control > Storm Control to load the following page.
Figure 3-2 Storm Control
Follow these steps to configure the Storm Control function:
1) Select the port(s) and configure the upper rate limit for forwarding broadcast packets, multicast packets and ..

3.2.1 Configuring Rate Limit on Port - Page 319

Multicast Rate Mode / Multicast: To enable the multicast rate control, select a multicast rate mode and specify the upper rate limit for receiving broadcast packets in the Multicast field. The packet traffic exceeding the rate will be discarded. The switch supports the following two rate modes:
kbps: Specify the upper rate limit in kilo-bits per second, which ranges from 1 to 1000000 kbps.
ratio: Specify the upper rate limit as a percentage of the bandwidth, which ranges from 1 to 100 percent.
To disable the multicast ra..

3.2.2 Configuring Storm Control - Page 320

Step 3  bandwidth {[ingress ingress-rate ] [egress egress-rate ]}
        Configure the upper rate limit for the port to receive and send packets.
        ingress-rate: Configure the upper rate limit for receiving packets on the port. The valid values are from 1 to 1000000 Kbps.
        egress-rate: Configure the upper rate limit for sending packets on the port. The valid values are from 1 to 1000000 Kbps.
Step 4  show bandwidth interface [fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list ]..

rate - Page 321

Step 3  Use the following commands to specify the upper rate limit of the broadcast packets and multicast packets:
        storm-control { broadcast | multicast | unicast } { kbps | ratio } rate
        broadcast | multicast | unicast: Enable broadcast packets rate limit, multicast packets rate limit or unknown unicast frames rate limit on the port.
        kbps: Configure the storm control mode as kbps. In this mode, the upper rate limit is specified in kilo-bits per second.
        ratio: Configure the storm control mode as ratio. In this mode, the u..

4.1.1 Network Requirements - Page 322

4 Configuration Examples
4.1 Example for Configuring SP Mode
4.1.1 Network Requirements
Two hosts, Admin and Host A, can access the local network server through the switch. Configure the switch to ensure the traffic from the Admin can be treated preferentially when congestion occurs. Only when the traffic from the Admin is completely forwarded will the traffic from Host A be forwarded. The figure below shows the network topology.
Figure 4-1 QoS Application Topology (diagram labels: Server, Switch, Admin, Host A; ports Fa1/0/1, Fa1/0/2, Fa1/0/3)
4.1.2 Configu..

Configure Port Priority - Page 323

4.1.3 Using the GUI
1) Choose QoS > DiffServ > Port Priority to load the following page, and set the priority for port 1/0/1 to TC1 and priority for port 1/0/2 to TC0.
Figure 4-2 Configure Port Priority
2) Choose QoS > DiffServ > Schedule Mode to load the following page, and select SP-Mode as the schedule mode. Click Apply.
Figure 4-3 Configure Schedule Mode
3) Click Save Config to save the settings.
4.1.4 Using the CLI
1) Set the priority for port 1/0/1 to TC1 and priority for port 1/0/2 to TC0.
Switch#configure
Sw..

4.2.1 Network Requirements - Page 324

Switch(config-if)#exit
Switch(config)#interface fastEthernet 1/0/2
Switch(config-if)#qos 1
Switch(config-if)#exit
2) Select SP-Mode as the schedule mode and save the settings.
Switch(config)#qos queue mode sp
Switch(config)#exit
Switch#copy running-config startup-config
Verify the configuration
Verify the port-CoS mapping:
Switch(config)#show qos interface
Port       TC Value      LAG
---------  ------------  ------------
Fa1/0/1    0             N/A
Fa1/0/2    1             N/A
...
Verify the schedule mode.
Switch(config)#show qos queue mode
-----------------+----------..

4.2.2 Configuration Scheme - Page 325

server is connected to port 1/0/2 of Switch B and port 1/0/3 of Switch A is connected to port 1/0/1 of Switch B.
Figure 4-4 QoS Application Topology (diagram labels: Server 10.10.88.5/24, RD Dept. 10.10.10.0/24, Marketing Dept. 10.10.20.0/24, Router, Switch A, Switch B, VLAN 10, VLAN 20; ports Fa1/0/1, Fa1/0/2, Fa1/0/3)
4.2.2 Configuration Scheme
• Configure Switch A to add different VLAN tags to the packets from the two departments respectively.
• Configure Switch B to classify the incoming packets from the two departments according to the V..

Configure VLAN 10 - Page 326

• Configurations for Switch A (Demonstrated with T1500-28PCT)
1) Choose VLAN > 802.1Q VLAN > VLAN Config, and click Create to load the following page. Create VLAN 10 with the description of RD. Add port 1/0/1 as an untagged port and port 1/0/3 as a tagged port to VLAN 10. Then click Apply.
Figure 4-5 Configure VLAN 10
2) Click Create again to load the following page. Create VLAN 20 with the description of Marketing. Add port 1/0/2 as an untagged port and port 1/0/4 as a tagged port to VLAN 20. Then click Apply.

..

Configure VLAN 20 - Page 327

Figure 4-6 Configure VLAN 20
3) Click Save Config to save the settings.
• Configurations for Switch B (Demonstrated with T3700G-28TQ)
1) Choose VLAN > 802.1Q VLAN > Port Config to load the following page. For port 1/0/1, set the Link Type as TRUNK, and for port 1/0/2, set the Link Type as ACCESS. Click Apply.

..

VLAN > 802.1Q VLAN > VLAN Config - Page 328

Figure 4-7 Configure the Port
2) Choose VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page. Create VLAN 10 and VLAN 20, and add port 1/0/1 to the two VLANs; create VLAN 30, and add port 1/0/2 to VLAN 30.

..

Configure VLAN 10 - Page 329

Figure 4-8 Configure VLAN 10
Figure 4-9 Configure VLAN 20

..

Configure VLAN30 - Page 330

Figure 4-10 Configure VLAN30
3) Create MAC ACL 10 with its Rule ID as 1 and Operation as Permit.
Choose ACL > ACL Config > ACL Create to load the following page. Create ACL 10, and click Apply.
Figure 4-11 Create MAC ACL 10
Choose ACL > ACL Config > MAC ACL to load the following page. Select ACL 10, specify the Rule ID as 1 and the Operation as Permit. Click Apply.

..

Create Rule 1 - Page 331

Figure 4-12 Create Rule 1
4) Create Policy RD and bind it to ACL 10, select QoS Remark and set Local Priority to TC1.
Choose ACL > Policy Config > Policy Create to load the following page. Create a policy with the Policy Name RD and click Apply.
Figure 4-13 Create Policy RD
Choose ACL > Policy Config > Action Create to load the following page. Select Policy RD, and ACL 10, click QoS Remark and set the Local Priority to TC 1. Click Apply.

..

Action Create - Page 332

Figure 4-14 Action Create
5) Create Policy Marketing and bind it to ACL 10, select QoS Remark and set Local Priority to TC0.
Choose ACL > Policy Config > Policy Create to load the following page. Create a policy with the Policy Name Marketing and click Apply.
Figure 4-15 Create Policy Marketing
Choose ACL > Policy Config > Action Create to load the following page. Select Policy Marketing, and ACL 10, click QoS Remark and set the Local Priority to TC 0. Click Apply.

..

ACL > Policy Binding > VLAN Binding - Page 333

Figure 4-16 Action Create
6) Choose ACL > Policy Binding > VLAN Binding. Bind Policy RD and Policy Marketing to VLAN 10 and VLAN 20 respectively.
Figure 4-17 Bind Policy RD to VLAN 10
Figure 4-18 Bind Policy Marketing to VLAN 20

..

Configure Schedule Mode - Page 334

7) Choose QoS > DiffServ > Schedule Mode. Select WRR-Mode as the schedule mode, and click Apply. No configuration is required here because queues based on ACL rules have higher priority.
Figure 4-19 Configure Schedule Mode
8) Click Save Config to save the settings.
4.2.4 Using the CLI
Note: Before configuration, ensure network segments are reachable to each other.
• Configurations for Switch A (Demonstrated with T1500-28PCT)
1) Create VLAN 10 with the name RD and VLAN 20 with the name Marketing.
Switch_A#configure
Swit..

- Page 335

Switch_A(config-if)#end
Switch_A#copy running-config startup-config
• Configurations for Switch B (Demonstrated with T3700G-28TQ)
1) Create VLAN 10 and VLAN 20. Configure the Link Type of port 1/0/1 as Trunk, and add it to the two VLANs.
Switch_B#configure
Switch_B(config)#vlan 10
Switch_B(config-vlan)#name RD
Switch_B(config-vlan)#exit
Switch_B(config)#vlan 20
Switch_B(config-vlan)#name Marketing
Switch_B(config-vlan)#exit
Switch_B(config)#interface gigabitEthernet 1/0/1
Switch_B(config-if)#switchport mode trunk
Switch_B(c..

Verify the configuration - Page 336

Switch_B(config)#access-list policy name RD
Switch_B(config)#access-list policy action RD 10
Switch_B(config-action)#qos-remark priority 1
Switch_B(config-action)#exit
5) Create Policy Marketing and bind it to ACL 10, enable QoS Remark and set Local Priority to TC0.
Switch_B(config)#access-list policy name Marketing
Switch_B(config)#access-list policy action Marketing 10
Switch_B(config-action)#qos-remark priority 0
Switch_B(config-action)#exit
6) Bind Policy RD and Policy Marketing to VLAN 10 and VLAN 20 respectively.
Switch_B(con..

Switch B: - Page 337

10    RD          active    Fa1/0/1, Fa1/0/3
20    Marketing   active    Fa1/0/2, Fa1/0/3
• Switch B:
Verify ACL configuration:
Switch_B#show access-list
Mac access list 10
1 permit
Verify Policy and Action configuration:
Switch_B(config)#show access-list policy
Policy name : RD
access-list 10 priority 1
Policy name : Marketing
access-list 10 priority 0
Verify Policy binding:
Switch_B#show access-list bind
Index    Policy Name     Interface/VID     Direction    Type
-------  --------------  ----------------  -----------  -----------------
1        RD              10                Ingress      Vlan
2        Marke..

Appendix: Default Parameters - Page 338

5 Appendix: Default Parameters
• DiffServ
Table 5-1 DiffServ
Parameter         Default Setting
Port Priority     Enabled. Packets from all ports are mapped to the same TC queue.
802.1P Priority   Disabled. See Table 5-2 for Tag-id/CoS-id-TC mapping relations.
DSCP Priority     Disabled. See Table 5-3 for DSCP-TC mapping relations.
Schedule Mode     Equ-Mode.
Table 5-2 Tag-id/CoS-id-TC Mapping
Tag-id/CoS-id   TC Queues (8)
0               TC1
1               TC0
2               TC0
3               TC1
4               TC2
5               TC2
6               TC3
7               TC3
Table 5-3 DSCP-TC Mapping
DSCP     TC-id
0~15     TC 0
16~31    TC 1
32~47    TC 2
48~63    T..

Configuring Voice VLAN - Page 339

Part 11 Configuring Voice VLAN CHAPTERS 1. Overview 2. Voice VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters


Only Voice Traffic on One Port - Page 340

Configuring Voice VLAN Overview Configuration Guide 319
1 Overview
The voice VLAN feature is used to prioritize the transmission of voice traffic. Voice traffic is typically more time-sensitive than data traffic, and voice quality can deteriorate noticeably because of packet loss and delay. To ensure high voice quality, you can configure the voice VLAN and set the priority for voice traffic.
Voice VLAN Modes on Ports
A voice VLAN can operate in two modes: manual mode and automatic mode.
Manual mode: This mode is applicable when the switch port forwards voice traffic only. You manually ad..

- Page 341

Configuration Guide 320 Configuring Voice VLAN Overview
OUI Address (Organizationally Unique Identifier Address)
The switch uses the OUI address to determine whether a packet is a voice packet. An OUI address is the first 24 bits of a MAC address, and is assigned as a unique identifier by IEEE (Institute of Electrical and Electronics Engineers) to a device vendor. If the source MAC address of a packet matches an OUI address in the switch, the switch identifies the packet as a voice packet and prioritizes it in transmission.


Voice VLAN Configuration - Page 342

Configuring Voice VLAN Voice VLAN Configuration Configuration Guide 321
2 Voice VLAN Configuration
To complete the Voice VLAN configuration, follow these steps:
1) Create a VLAN.
2) (Optional) Configure OUI addresses.
3) Configure Voice VLAN globally.
4) Configure Voice VLAN mode on ports.
Configuration Guidelines
• Before configuring voice VLAN, you need to create a VLAN for voice traffic. For details about VLAN Configuration, please refer to Configuring 802.1Q VLAN.
• VLAN 1 is a default VLAN and cannot be configured as the voice VLAN.
• Only one VLAN can be set as the voice VLAN o..

2.1.1 (Optional) Configuring OUI Addresses - Page 343

Configuration Guide 322 Configuring Voice VLAN Voice VLAN Configuration 2.1 Using the GUI 2.1.1 (Optional) Configuring OUI Addresses If the OUI address of your voice device is not in the OUI table, you need to add the OUI address to the table. Choose the menu QoS > Voice VLAN > OUI Config to load the following page. Figure 2-1 Configuring OUI Addresses Follow these steps to add OUI addresses: 1) Enter an OUI address and the corresponding mask, and give a description about the OUI address. OUI Enter the OUI address of your device. Mask Specify a mask to determine the depth of the OUI t..

QoS > Voice VLAN > Global Config - Page 344

Configuring Voice VLAN Voice VLAN Configuration Configuration Guide 323 2.1.2 Configuring Voice VLAN Globally Choose the menu QoS > Voice VLAN > Global Config to load the following page. Figure 2-2 Configuring Voice VLAN Globally Follow these steps to configure the voice VLAN globally: 1) Enable the voice VLAN feature, and enter a VLAN ID. VLAN ID Specify an existing VLAN as the voice VLAN. 2) Set the aging time for the voice VLAN. Aging Time Specify the length of time that a port remains in the voice VLAN after the port receives a voice packet. Aging time works only for ports in auto..

2.1.3 Configuring Voice VLAN Mode on Ports - Page 345

Configuration Guide 324 Configuring Voice VLAN Voice VLAN Configuration
2.1.3 Configuring Voice VLAN Mode on Ports
Choose the menu QoS > Voice VLAN > Port Config to load the following page.
Figure 2-3 Configuring Voice VLAN Mode on Ports
Follow these steps to configure voice VLAN mode on ports:
1) Select your desired ports and choose the port mode.
Port Mode: Choose the way of adding the selected ports to the voice VLAN.
Auto: When a port receives a voice packet whose source MAC address matches an OUI address, the switch automatically adds the port to the voice VLAN. If you choose t..

Configuring QoS - Page 346

Configuring Voice VLAN Voice VLAN Configuration Configuration Guide 325
Security Mode: For packets that will be forwarded in the voice VLAN, you can configure the security mode to block malicious traffic that carries a faked voice VLAN tag. For packets to other VLANs, how the switch processes the packets is determined by whether the selected ports permit the VLAN or not, independent of voice VLAN security mode.
Disable: For packets to the voice VLAN, the switch does not check the source MAC address and the selected ports forward all these packets in the voice VLAN. The security mode is disabled by ..
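The OUI match and the security-mode check described above can be modelled in a few lines. This is an added example, not code from the guide or from TP-Link: the function and class names are hypothetical, the Siemens entry is the one listed in the guide's default OUI table, the MAC addresses are constructed, and dropping a non-matching packet when security mode is enabled is an assumption based on the guide's statement that only OUI-matching traffic is transmitted in the voice VLAN.

```python
import re

_MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([-:][0-9A-Fa-f]{2}){5}")


def parse_mac(text):
    """Parse 'aa-bb-cc-dd-ee-ff' (or ':' separated) into a 48-bit integer."""
    if not _MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(re.sub(r"[-:]", "", text), 16)


class OuiEntry:
    """One row of the OUI table: address, mask and description."""

    def __init__(self, oui, mask, description):
        self.mask = parse_mac(mask)
        # Bits outside the mask are ignored, so clear them once here.
        self.oui = parse_mac(oui) & self.mask
        self.description = description

    def matches(self, mac):
        """True when the masked source MAC equals the masked OUI."""
        return (mac & self.mask) == self.oui


# Entry taken from the guide's default OUI table (Table 4-3).
OUI_TABLE = [OuiEntry("00-01-e3-00-00-00", "ff-ff-ff-00-00-00", "Siemens Phone")]


def classify(src_mac, dst_vlan, voice_vlan, security_enabled, port_vlans,
             oui_table=OUI_TABLE):
    """Return (decision, reason) for one ingress packet on one port.

    port_vlans is the set of VLAN IDs the port permits (hypothetical model
    of the port's VLAN membership).
    """
    if dst_vlan != voice_vlan:
        # Other VLANs: decided by port VLAN membership only,
        # independent of voice VLAN security mode.
        if dst_vlan in port_vlans:
            return "forward", "port permits VLAN"
        return "drop", "port does not permit VLAN"
    if not security_enabled:
        return "forward", "security mode disabled, source MAC not checked"
    mac = parse_mac(src_mac)
    for entry in oui_table:
        if entry.matches(mac):
            return "forward", f"source MAC matches OUI entry '{entry.description}'"
    # Assumption: a packet that matches no OUI entry is not transmitted
    # in the voice VLAN, modelled here as a drop.
    return "drop", "source MAC matches no OUI entry"


def demo():
    """Classify constructed sample packets; voice VLAN is 10, port permits 1 and 10."""
    samples = [
        ("00-01-e3-4a-10-22", 10, True),   # constructed, Siemens OUI
        ("02-00-5e-10-00-01", 10, True),   # constructed, no OUI match
        ("02-00-5e-10-00-01", 10, False),  # same packet, security mode off
        ("02-00-5e-10-00-01", 1, True),    # data VLAN, security mode irrelevant
    ]
    return [classify(mac, vlan, 10, sec, {1, 10}) for mac, vlan, sec in samples]


if __name__ == "__main__":
    for decision, reason in demo():
        print(f"{decision:8} {reason}")
```

A longer mask such as ff-ff-ff-ff-00-00 narrows an entry to part of a vendor's range, because more bits of the source MAC must then agree with the entry.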

- Page 347

Configuration Guide 326 Configuring Voice VLAN Voice VLAN Configuration
Step 5 voice vlan aging time
(Optional) Set the aging time for ports in automatic voice VLAN mode.
time: Specify the length of time that a port remains in the voice VLAN after the port receives a voice packet. Aging time works only for ports in automatic voice VLAN mode. The range is 1 to 43200 minutes; the default is 1440 minutes.
Step 6 voice vlan vid
Specify an existing VLAN as the voice VLAN.
vid: Enter the VLAN ID that you have created for the voice VLAN.
Step 7 interface { fastEthernet port | range fastEthernet p..

end - Page 348

Configuring Voice VLAN Voice VLAN Configuration Configuration Guide 327
Step 13 end
Return to privileged EXEC mode.
Step 14 copy running-config startup-config
Save the settings in the configuration file.
The following example shows how to set port 1/0/1 in manual voice VLAN mode. Configure the switch to forward voice traffic with an IEEE 802.1p priority of 5 and to transmit only voice traffic whose source MAC address matches an OUI address in the voice VLAN:
Switch#configure
Switch(config)#vlan 10
Switch(config-vlan)#name VoiceVLAN
Switch(config-vlan)#exit
Switch(config)#voice vlan prior..

Configuration Example - Page 349

Configuration Guide 328 Configuring Voice VLAN Configuration Example
3 Configuration Example
3.1 Network Requirements
The company plans to install IP phones in the office area and the meeting room, and has requirements as follows:
• In the office area
· IP phones share switch ports used by computers, because no more ports are available for IP phones.
· Transmit voice traffic in an exclusive path with high quality.
· Avoid attacks from malicious data flows.
• In the meeting room
· Transmit voice traffic in an exclusive path with high quality.
· Avoid attacks from malicious data flow..

VLAN > 802.1Q VLAN > VLAN Config - Page 350

Configuring Voice VLAN Configuration Example Configuration Guide 329
In the meeting room, computers and IP phones are connected to different ports of Switch B. Ports connected to IP phones use the voice VLAN for voice traffic, and ports connected to computers use the default VLAN for data traffic. Voice traffic from Switch A and Switch B is forwarded to the voice gateway and the Internet through Switch C.
Figure 3-1 Network Topology ..

Creating a VLAN - Page 351

Configuration Guide 330 Configuring Voice VLAN Configuration Example Figure 3-2 Creating a VLAN 2) Choose the menu QoS > Voice VLAN > Global Config to load the following page. Enable voice VLAN, enter 10 in the VLAN ID field and set aging time as 1440 minutes and priority as 6. Then click Apply . Figure 3-3 Configuring Voice VLAN Globally 3) Choose the menu QoS > Voice VLAN > Port Config to load the following page. Select port 1/0/1, choose auto mode and enable security mode. Select port 1/0/2 and choose manual mode. Click Apply .


Configuring Voice VLAN Mode on Port 1/0/1 - Page 352

Configuring Voice VLAN Configuration Example Configuration Guide 331 Figure 3-4 Configuring Voice VLAN Mode on Port 1/0/1 Figure 3-5 Configuring Voice VLAN Mode on Port 1/0/2


Figure 3-6 - Page 353

Configuration Guide 332 Configuring Voice VLAN Configuration Example 4) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and edit VLAN 10 to load the following page. Add port 1/0/2 to the voice VLAN. Figure 3-6 Adding Port 1/0/2 to the Voice VLAN 5) Choose the menu LLDP > Basic Config> Global Config to load the following page. Enable LLDP globally. Figure 3-7 Enabling LLDP Globally 6) Choose the menu LLDP > LLDP-MED> Global Config to load the following page. Set fast start count as 4. Figure 3-8 Configuring LLDP-MED Globally 7) Choose the menu LLDP > LLDP-MED> Port C..

Configuring LLDP-MED on Ports - Page 354

Configuring Voice VLAN Configuration Example Configuration Guide 333 Figure 3-9 Configuring LLDP-MED on Ports


Configurations for Switch B - Page 355

Configuration Guide 334 Configuring Voice VLAN Configuration Example
Click Detail of port 1/0/1 to load the following page. Configure the TLV information which will be carried in LLDP-MED frames and sent out by port 1/0/1. Select all TLVs, and configure location identification parameters.
Figure 3-10 Configuring TLVs
For details about LLDP-MED, please refer to Configuring LLDP.
8) Click Save Config to save the settings.
Configurations for Switch B
1) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page. Create VLAN 10.


Creating a VLAN - Page 356

Configuring Voice VLAN Configuration Example Configuration Guide 335 Figure 3-11 Creating a VLAN 2) Choose the menu QoS > Voice VLAN > Global Config to load the following page. Enable voice VLAN, enter 10 in the VLAN ID field and set priority as 6. Figure 3-12 Configuring Voice VLAN Globally 3) Choose the menu QoS > Voice VLAN > Port Config to load the following page. Select ports 1/0/1-3, choose manual mode and enable security mode. Figure 3-13 Configuring Voice VLAN Mode on Ports 4) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and edit VLAN 10 to load the following p..

Adding Ports to the Voice VLAN - Page 357

Configuration Guide 336 Configuring Voice VLAN Configuration Example
Figure 3-14 Adding Ports to the Voice VLAN
5) Click Save Config to save the settings.
Configurations for Switch C
1) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page. Create VLAN 10 and add ports 1/0/1-3 as tagged ports to the VLAN.
Figure 3-15 Creating a VLAN and Adding Ports to the VLAN
2) Click Save Config to save the settings.


Configurations for Switch A - Page 358

Configuring Voice VLAN Configuration Example Configuration Guide 337
3.5 Using the CLI
Configurations for Switch A
1) Create VLAN 10.
Switch_A#configure
Switch_A(config)#vlan 10
Switch_A(config-vlan)#name VoiceVLAN
Switch_A(config-vlan)#exit
2) Configure the aging time as 1440 minutes for port in automatic voice VLAN mode, and set the 802.1p priority of voice packets as 6. Set VLAN 10 as the voice VLAN.
Switch_A(config)#voice vlan aging 1440
Switch_A(config)#voice vlan priority 6
Switch_A(config)#voice vlan 10
3) Configure port 1/0/1 to automatic voice VLAN mode and enable security mode..

Configurations for Switch B - Page 359

Configuration Guide 338 Configuring Voice VLAN Configuration Example
8) Configure the location identification parameters for the IP phone on port 1/0/1. For details about LLDP-MED, please refer to Configuring LLDP.
Switch(config-if)#lldp med-location civic-address language English city Vancouver street X east hastings street postal-zipcode V6A 1P9
Switch_A(config-if)#end
Switch_A#copy running-config startup-config
Configurations for Switch B
1) Create VLAN 10.
Switch_B#configure
Switch_B(config)#vlan 10
Switch_B(config-vlan)#name VoiceVLAN
Switch_B(config-vlan)#exit
2) Set the 802.1p p..

Verify the Configurations - Page 360

Configuring Voice VLAN Configuration Example Configuration Guide 339
Switch_C(config)#vlan 10
Switch_C(config-vlan)#name VoiceVLAN
Switch_C(config-vlan)#exit
Switch_C(config)#interface range fastEthernet 1/0/1-3
Switch_C(config-if-range)#switchport general allowed vlan 10 tagged
Switch_C(config-if-range)#end
Switch_C#copy running-config startup-config
Verify the Configurations
Switch A
Verify the global configuration of voice VLAN:
Switch_A#show voice vlan
Voice VLAN status: Enabled
VLAN ID: 10
Aging Time: 1440
Voice Priority: 6
Verify the voice VLAN configuration on the ports:
Switch_A..

Switch C - Page 361

Configuration Guide 340 Configuring Voice VLAN Configuration Example
Voice Priority: 6
Verify the voice VLAN configuration on the ports:
Switch_B#show voice vlan switchport
Port Auto-mode Security State LAG
------ ------------ ------------ -------- ------
Fa1/0/1 Manual Enabled Active N/A
Fa1/0/2 Manual Enabled Active N/A
Fa1/0/3 Manual Enabled Active N/A
......
Switch C
Verify the voice VLAN configuration for VLAN 10:
Switch_C#show vlan id 10
VLAN Name Status Ports
----- ------------- --------- ------------------------------
10 VoiceVlan active Fa1/0/1, Fa1/0/2, Fa1/0/3


Appendix: Default Parameters - Page 362

Configuring Voice VLAN Appendix: Default Parameters Configuration Guide 341
4 Appendix: Default Parameters
Default settings of voice VLAN are listed in the following tables.
Table 4-1 Default Settings of Global Configuration
Parameter | Default Setting
Voice VLAN | Disable
VLAN ID | None
Aging Time | 1440 minutes
Priority | 6
Table 4-2 Default Settings of Port Configuration
Parameter | Default Setting
Port Mode | Auto
Security Mode | Disable
Member State | Inactive
Table 4-3 Entries in the OUI Table
OUI | MASK | Description
00-01-e3-00-00-00 | ff-ff-ff-00-00-00 | Siemens Phone
00-03-6b-00-00-00 | ff-ff-ff-00-00-00 | Cis..

Configuring PoE - Page 363

Part 12 Configuring PoE CHAPTERS 1. PoE 2. PoE Power Management Configurations 3. Time-Range Function Configurations 4. Example for PoE Configurations 5. Appendix: Default Parameters


Only T1500-28PCT supports PoE feature. - Page 364

Configuring PoE PoE Configuration Guide 343
Note: Only T1500-28PCT supports the PoE feature.
1 PoE
1.1 Overview
Power over Ethernet (PoE) is a remote power supply function. With this function, the switch can supply power to the connected devices over twisted-pair cable. Some devices such as IP phones, access points (APs) and cameras may be located far away from the AC power source in actual use. PoE can provide power for these devices without the need to deploy power cables. This allows a single cable to provide both data connection and electric power to devices. IEEE 802.3af and 802.3at a..

2.1.1 Configuring the PoE Parameters Manually - Page 365

Configuration Guide 344 Configuring PoE PoE Power Management Configurations 2 PoE Power Management Configurations With PoE Power Management, you can:  Configure the PoE parameters manually  Configure the PoE parameters using the profile You can configure the PoE parameters one by one via configuring the PoE parameters manually. You can also set a profile with the desired parameters and bind the profile to the corresponding ports to quickly configure the PoE parameters. 2.1 Using the GUI 2.1.1 Configuring the PoE Parameters Manually Choose the menu PoE > PoE Config > PoE Config t..

Time Range Function Configurations - Page 366

Configuring PoE PoE Power Management Configurations Configuration Guide 345
System Power Consumption: Displays the real-time system power consumption of the PoE switch.
System Power Remain: Displays the real-time system remaining power of the PoE switch.
2) In the Port Config section, select the port you want to configure and specify the parameters. Click Apply.
PoE Status: Enable or disable the PoE function on the corresponding port. The port can supply power to the PD when its status is enabled.
PoE Priority: Select the priority level for the corresponding port. When the supply power exceeds ..

2.1.2 Configuring the PoE Parameters Using the Profile - Page 367

Configuration Guide 346 Configuring PoE PoE Power Management Configurations 2.1.2 Configuring the PoE Parameters Using the Profile  Creating a PoE Profile Choose the menu PoE > PoE Config > PoE Profile to load the following page. Figure 2-2 Create a PoE Profile Follow these steps to create a PoE profile: 1) In the Create PoE Profile section, specify the desired configurations of the profile. Profile Name Specify a name for the PoE profile. PoE Status Specify the PoE status for the PoE profile. PoE Priority Specify the priority level for the PoE profile. The following options are pr..

Binding the Profile to the Corresponding Ports - Page 368

Configuring PoE PoE Power Management Configurations Configuration Guide 347  Binding the Profile to the Corresponding Ports Figure 2-3 Bind the Profile to the Corresponding Ports Follow these steps to bind the profile to the corresponding ports: 1) In the Global Config section, specify the System Power Limit and click Apply . System Power Limit Specify the maximum power the PoE switch can supply. System Power Consumption Displays the real-time system power consumption of the PoE switch. System Power Remain Displays the real-time system remaining power of the PoE switch. 2) In the Port Co..

Follow these steps to configure the basic PoE parameters: - Page 369

Configuration Guide 348 Configuring PoE PoE Power Management Configurations
Voltage(v): Displays the port’s real-time voltage.
PD Class: Displays the class the linked PD belongs to.
Power Status: Displays the port’s real-time power status.
2.2 Using the CLI
2.2.1 Configuring the PoE Parameters Manually
Follow these steps to configure the basic PoE parameters:
Step 1 configure
Enter global configuration mode.
Step 2 power inline consumption power-limit
Specify the maximum power the PoE switch can supply globally.
power-limit: Specify the maximum power the PoE switch can supply. It rang..

- Page 370

Configuring PoE PoE Power Management Configurations Configuration Guide 349 Step 7 show power inline Verify the global PoE information of the system. Step 8 show power inline configuration interface [ fastEthernet { port | port-list } | gigabitEthernet { port | port-list }] Verify the PoE configuration of the corresponding port. port : Specify the Ethernet port number, for example 1/0/1. port-list : Specify the list of Ethernet ports, in the format of 1/0/1-3, 1/0/5. Step 9 show power inline information interface [ fastEthernet { port | port-list } | gigabitEthernet { port | port-list }] Ve..

2.2.2 Configuring the PoE Parameters Using the Profile - Page 371

Configuration Guide 350 Configuring PoE PoE Power Management Configurations Switch(config-if)#show power inline information interface fastEthernet 1/0/5 Interface Power(w) Current(mA) Voltage(v) PD-Class Power-Status ---------- -------- ----------- ---------- ----------- ---------------- Fa1/0/5 1.3 26 53.5 Class 2 ON Switch(config)#end Switch#copy running-config startup-config 2.2.2 Configuring the PoE Parameters Using the Profile Follow these steps to configure the PoE profile: Step 1 configure Enter global configuration mode. Step 2 power profile name [ supply { enable | disable } [ prio..

show power profile - Page 372

Configuring PoE PoE Power Management Configurations Configuration Guide 351
Step 5 show power profile
Verify the defined PoE profile.
Step 6 end
Return to privileged EXEC mode.
Step 7 copy running-config startup-config
Save the settings in the configuration file.
The following example shows how to create a profile named profile1 and bind the profile to port 1/0/6.
Switch#configure
Switch(config)#power profile profile1 supply enable priority middle consumption class2
Switch(config)#show power profile
Index Name Status Priority Power-Limit(w)
----- ------------ ---------- --------- -------..

Time-Range Function Configurations - Page 373

Configuration Guide 352 Configuring PoE Time-Range Function Configurations 3 Time-Range Function Configurations With Time-Range configurations, you can:  Create a time-range  Configure the holiday parameters  View the time-range table The time range here relies on the switch system clock; therefore, you need a reliable clock source. We recommend that you use Network Time Protocol (NTP) to synchronize the switch clock. For details, refer to System Info Configurations in Managing System . 3.1 Using the GUI 3.1.1 Creating a Time-Range Choose the menu PoE > Time-Range > Time-Rang..

Add Absolute or Periodic - Page 374

Configuring PoE Time-Range Function Configurations Configuration Guide 353 Holiday Select to Include or Exclude the holiday in a time-range. If Exclude is selected, the time-range will not take effect on holiday and the PoE Status is disabled. Otherwise, the time-range will not be affected by holiday. 2) In the Add Absolute or Periodic section, specify the parameters and click Add . When the Absolute mode is selected, the following section will be shown. Figure 3-2 Absolute Mode Type Select Absolute time to configure. From Time Specify the starting time of the absolute mode. To Time Specify..

3.1.2 Configuring the Holiday Parameters - Page 375

Configuration Guide 354 Configuring PoE Time-Range Function Configurations 3.1.2 Configuring the Holiday Parameters Choose the menu PoE > Time-Range > Holiday Config to load the following page. Figure 3-4 Configuring the Holiday Parameters Follow these steps to configure the holiday parameters: 1) In the Create Holiday section, enter a name of the holiday and specify the time. Holiday Name Specify a name for the holiday time. Start Date Specify the starting time of the holiday. End Date Specify the ending time of the holiday. 2) Click Apply . 3.1.3 Viewing the Time-Range Table Choose ..

Follow these steps to create a time-range: - Page 376

Configuring PoE Time-Range Function Configurations Configuration Guide 355 3.2 Using the CLI 3.2.1 Configuring a Time-Range Follow these steps to create a time-range: Step 1 configure Enter global configuration mode. Step 2 power time-range name Create a time-range for the switch and enter Power Time-range Configuration Mode. name : Specify a name for the PoE time-range. It ranges from 1 to 16 characters. If the name contains spaces, enclose the name in double quotes. Step 3 holiday { exclude | include } Specify the time-range including or excluding the holiday. exclude | include : Select t..

: - Page 377

Configuration Guide 356 Configuring PoE Time-Range Function Configurations Step 6 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list } Enter Interface Configuration mode. port : Specify the Ethernet port number, for example 1/0/1. port-list: Specify the list of Ethernet ports, for example 1/0/1-3, 1/0/5. Step 7 power inline time-range name Bind a time-range to the desired port. name : Specify the name of the PoE time-range. Step 8 show power time-range [ name ] Verify the configuration of the time-range. name : Specify the n..

3.2.2 Configuring the Holiday Parameters - Page 378

Configuring PoE Time-Range Function Configurations Configuration Guide 357 Switch(config)#interface fastEthernet 1/0/7 Switch(config-if)#power inline time-range time-range1 Switch(config-if)#end Switch#copy running-config startup-config 3.2.2 Configuring the Holiday Parameters Follow these steps to configure the holiday parameters: Step 1 configure Enter global configuration mode. Step 2 power holiday name start-date start-date end-date end-date Create a time range for the holiday. name : Specify a name for the holiday. It ranges from 1 to 16 characters. If the name contains spaces, enclose..

3.2.3 Viewing the Time-Range Table - Page 379

Configuration Guide 358 Configuring PoE Time-Range Function Configurations 3.2.3 Viewing the Time-Range Table On privileged EXEC mode or any other configuration mode, you can use the following command to view the time-range table: show power time-range [ name ] Verify the defined PoE time-range. name : Specify the name of the time-range desired. It ranges from 1 to 16 characters. If the name contains spaces, enclose the name in double quotes. All PoE time-range configurations will be displayed if the name is not specified. The following example shows how to view the time-range table. Switch..

Example for PoE Configurations - Page 380

Configuring PoE Example for PoE Configurations Configuration Guide 359
4 Example for PoE Configurations
4.1 Network Requirements
The network topology of a company is shown below. Camera1 and Camera2 work for the security of the company and cannot be powered off at any time. AP1 and AP2 provide Internet service and only work in the daytime.
Figure 4-1 Network Topology (labels: Fa1/0/1, Fa1/0/2, Fa1/0/3, Fa1/0/4, Camera1, Camera2, AP1, AP2, Switch A)
4.2 Configuring Scheme
To implement this requirement, you can set a PoE time-range as the office time, for example from 08:30 to 18:00. You can also set a holiday a..

Create a Time-Range - Page 381

Configuration Guide 360 Configuring PoE Example for PoE Configurations Figure 4-2 Create a Time-Range 2) Choose the menu PoE > Time-Range > Holiday Config to load the following page. Specify a name for the holiday and set the starting date and ending date. Figure 4-3 Configure the Holiday

..

Configure the Port - Page 382

Configuring PoE Example for PoE Configurations Configuration Guide 361
3) Choose the menu PoE > PoE Config > PoE Config to load the following page. Select port 1/0/3 and enable the PoE function. Set the Time Range as office time. Click Apply.
Figure 4-4 Configure the Port
4.4 Using the CLI
The configuration of port 1/0/4 is similar to the configuration of port 1/0/3. Here we take port 1/0/3 as an example.
1) Create a time-range.
Switch_A#config
Switch_A(config)#power time-range "office time"
Switch_A(config-time-range)#holiday exclude
Switch_A(config-time-range)#periodic start 08..

Verify the Configuration - Page 383

Configuration Guide 362 Configuring PoE Example for PoE Configurations Switch_A(config-if)#exit Switch_A(config-if)#end Switch_A#copy running-config startup-config Verify the Configuration Verify the configuration of the holiday: Switch_A(config)#show power holiday Index Holiday Name Start-End ----- ------------ --------- 1 Christmas 12.22-12.31 Verify the configuration of the time-range: Switch_A(config)#show power time-range Time-range entry: office time (Active) holiday: exclude number of absolute time: 0 (01/01/2000-00:00 to 12/31/2099-24:00 by default) number of periodic time: 1 1 - 08..

Appendix: Default Parameters - Page 384

Configuring PoE Appendix: Default Parameters Configuration Guide 363 5 Appendix: Default Parameters Table 5-1 Default Settings of PoE Configuration Parameter Default Setting System Power Limit 192.0W PoE Status Enable PoE Priority Low Power Limit (0.1w-30.0w) Class 4 Time Range No Limit PoE Profile None Table 5-2 Default Settings of PoE Profile Parameter Default Setting Profile Name None PoE Status Enable PoE Priority High Power Limit Auto Table 5-3 Default Settings of Time-Range Create Parameter Default Setting Name None Holiday Include Type Absolute From Time 01/01/2000-00:00 To Time 01/0..

Configuring ACL - Page 385

Part 13 Configuring ACL CHAPTERS 1. ACL 2. ACL Configurations 3. Configuration Example for ACL 4. Appendix: Default Parameters


ACL Binding - Page 386

Configuring ACL ACL Configuration Guide 365 1 ACL 1.1 Overview The rapid growth of network size and traffic brings challenges to network security and bandwidth allocation. Packet filtering can help prevent unauthorized access behaviors, limit network traffic and improve bandwidth use. ACL (Access Control List) filters traffic as it passes through a switch, and permits or denies packets crossing specified interfaces or VLANs. It accurately identifies and processes the packets based on the ACL rules. In this way, ACL ensures security and high service quality of networks. ACL helps to:  Pre..

Configuration Guidelines - Page 387

Configuration Guide 366 Configuring ACL ACL Configurations
2 ACL Configurations
To configure ACL Binding, follow these steps:
1) Create an ACL and configure the rules.
2) Bind the ACL to a port or VLAN.
To configure Policy Binding, follow these steps:
1) Create an ACL and configure the rules.
2) Create a Policy and configure the policy action.
3) Bind the Policy to a port or VLAN.
Configuration Guidelines
• A packet “matches” an ACL rule when it meets the rule’s matching criteria, regardless of whether the operation to be performed is “permit” or “deny”.
• If no ACL rule is configured ..

ACL > ACL Config > ACL Create - Page 388

Configuring ACL ACL Configurations Configuration Guide 367 Choose the menu ACL > ACL Config > ACL Create to load the following page. Figure 2-1 Creating an ACL Follow these steps to create an ACL: 1) Enter a number to identify the ACL. ACL ID Enter a number to identify the ACL. 2) Click Apply . 2.1.2 Configuring ACL Rules Add rules to the ACL. For details, refer to “Configuring the MAC ACL Rule” , “Configuring the Standard-IP ACL Rule” , and “Configuring the Extend-IP ACL Rule” .  Configuring the MAC ACL Rule Choose the menu ACL > ACL Config > MAC ACL to load the ..

Configuring the Standard-IP ACL Rule - Page 389

Configuration Guide 368 Configuring ACL ACL Configurations
Rule ID: Specify the rule ID, which ranges from 0 to 999. It should not be the same as any existing MAC ACL Rule IDs.
Operation: Select an operation to be performed when a packet matches the rule.
Permit: To forward the matched packets.
Deny: To discard the matched packets.
2) Configure the rule’s packet-matching criteria.
S-MAC/Mask: Enter the source MAC address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched.
D-MAC/Mask: Enter the destination MAC address with a mask. A value..

Configuring the Extend-IP ACL Rule - Page 390

Configuring ACL ACL Configurations Configuration Guide 369 2) Configure the rule’s packet-matching criteria. S-IP/Mask Specify the source IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched. D-IP/Mask Specify the destination IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched. 3) Click Apply .  Configuring the Extend-IP ACL Rule Choose the menu ACL > ACL Config > Extend-IP ACL to load the following page. Figure 2-4 Creating the Extend-IP ACL Rule Follo..

2.1.3 Configuring Policy - Page 391

Configuration Guide 370 Configuring ACL ACL Configurations D-IP/Mask Specify the destination IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched. IP Protocol Select a protocol type from the drop-down list. The default is All, which indicates that packets of all protocols will be matched. S-Port / D-Port Enter the TCP/UDP source and destination port if TCP/UDP protocol is selected. The port number ranges from 0 to 65535. 3) Click Apply .  Verifying the Rule Table The rules in an ACL are listed in ascending order of configura..

2.1.4 Configuring the ACL Binding and Policy Binding - Page 392

Configuring ACL ACL Configurations Configuration Guide 371 Follow these steps to create a policy: Enter a Policy Name, and click Apply . Policy Name Enter a Policy Name between 1 and 16 characters.  Applying an ACL to the Policy Choose the menu ACL > Policy Config > Action Create to load the following page. Figure 2-7 Configuring the Action of the Policy Follow these steps to configure the action of the policy: Select your preferred policy and ACL, and click Apply . Select Policy Select a Policy from the drop-down list. Select ACL Select an ACL to be applied to the Policy. 2.1.4 Co..

Binding the ACL to a Port - Page 393

Configuration Guide 372 Configuring ACL ACL Configurations  Binding the ACL to a Port Choose the menu ACL > ACL Binding > Port Binding to load the following page. Figure 2-8 Binding the ACL to a Port Follow these steps to bind the ACL to a Port: Select the ACL and the port, and click Apply . ACL ID Select an ACL from the drop-down list.  Binding the ACL to a VLAN Choose the menu ACL > ACL Binding > VLAN Binding to load the following page. Figure 2-9 Binding the ACL to a VLAN Follow these steps to bind the ACL to a VLAN: Select the ACL and enter the VLAN ID, and click Apply..

ACL > Policy Binding > Port Binding - Page 394

Configuring ACL ACL Configurations Configuration Guide 373
ACL ID: Select an ACL from the drop-down list.
VLAN ID: Enter the VLAN ID.
Configuring the Policy Binding
You can bind the Policy to a port or a VLAN. The received packets will then be matched and processed according to this Policy.
Binding the Policy to a Port
Choose the menu ACL > Policy Binding > Port Binding to load the following page.
Figure 2-10 Binding the Policy to a Port
Follow these steps to bind the Policy to a Port: Select the Policy and the port to be bound, and click Apply.
Policy Name: Select a Policy from..

ACL > Policy Binding > VLAN Binding - Page 395

Configuration Guide 374 Configuring ACL ACL Configurations
Binding the Policy to a VLAN
Choose the menu ACL > Policy Binding > VLAN Binding to load the following page.
Figure 2-11 Binding the Policy to a VLAN
Follow these steps to bind the Policy to a VLAN: Select the ACL and enter the VLAN ID, and click Apply.
ACL ID: Select an ACL from the drop-down list.
VLAN ID: Enter the VLAN ID.
Verifying the Binding Configuration
Verifying the ACL Binding
You can view both port binding and VLAN binding entries in the table. You can also delete existing entries if needed.


ACL > ACL Binding > Binding Table - Page 396

Configuring ACL ACL Configurations Configuration Guide 375
Choose the menu ACL > ACL Binding > Binding Table to load the following page.
Figure 2-12 Verifying the ACL Binding
Verifying the Policy Binding
You can view both port binding and VLAN binding entries in the table. You can also delete existing entries if needed.
Choose the menu ACL > Policy Binding > Binding Table to load the following page.
Figure 2-13 Verifying the Policy Binding


Configuring the MAC ACL - Page 397

Configuration Guide 376 Configuring ACL ACL Configurations
2.2 Using the CLI
2.2.1 Configuring ACL
Follow the steps to create different types of ACL and configure the ACL rules. You can define the rules based on source or destination IP addresses, source or destination MAC addresses, protocol type and so on.
Configuring the MAC ACL
Step 1 configure
Enter global configuration mode.
Step 2 mac access-list access-list-num
Enter a MAC ACL ID to enter MAC Access-list mode. If it is a new ID, the ACL will be created and the switch will enter MAC Access-list mode.
access-list-num: Enter an AC..

Configuring the Standard-IP ACL - Page 398

Configuring ACL ACL Configurations Configuration Guide 377
The following example shows how to create MAC ACL 50 and configure Rule 1 to permit packets with source MAC address 00:34:a2:d4:34:b5:
Switch#configure
Switch(config)#mac access-list 50
Switch(config-mac-acl)#rule 1 permit smac 00:34:a2:d4:34:b5 smask ff:ff:ff:ff:ff:ff
Switch(config-mac-acl)#show access-list 50
mac access list 50
Rule 1 permit smac 00:34:a2:d4:34:b5 smask ff:ff:ff:ff:ff:ff
Switch(config-mac-acl)#end
Switch#copy running-config startup-config
Configuring the Standard-IP ACL
Step 1 configure
Enter global configurat..

Configuring the Extend-IP ACL - Page 399

Configuration Guide 378 Configuring ACL ACL Configurations
Step 5 end
Return to privileged EXEC mode.
Step 6 copy running-config startup-config
Save the settings in the configuration file.
The following example shows how to create Standard-IP ACL 600, and configure Rule 1 to permit packets with source IP address 192.168.1.100:
Switch#configure
Switch(config)#access-list create 600
Switch(config)#rule 1 permit sip 192.168.1.100 smask 255.255.255.255
Switch(config)#show access-list 600
Standard IP access list 600
rule 1 permit sip 192.168.1.100 smask 255.255.255.255
Switch(config)#end
Switch#..

- Page 400

Configuring ACL ACL Configurations Configuration Guide 379
Step 3 access-list extended acl-id rule rule-id {deny | permit} [ [ sip source-ip ] smask source-ip-mask ] [ [ dip destination-ip ] dmask destination-ip-mask ] [ s-port s-port ] [ d-port d-port ] [ protocol protocol ]
Add a rule to the ACL.
acl-id: The ID number of the ACL you have created.
rule-id: Specify the rule ID, which ranges from 0 to 1999. It should not be the same as any existing Extend-IP ACL IDs.
deny | permit: Specify the operation to be performed with the packets that match the rule. Deny means to discard; permit means ..

2.2.2 Configuring Policy - Page 401

Configuration Guide 380 Configuring ACL ACL Configurations
2.2.2 Configuring Policy
Follow the steps below to create a policy and configure the policy actions.
Step 1 configure
Enter global configuration mode.
Step 2 access-list policy name name
Create a Policy.
name: Assign the policy a name with 1 to 16 characters.
Step 3 access-list policy action policy-name acl-id
Apply an ACL to the Policy.
policy-name: The name of the policy.
acl-id: The ID number of the ACL to be applied.
Step 4 show access-list policy name
(Optional) View the information of a specified policy.
name: The policy na..

2.2.3 ACL Binding and Policy Binding - Page 402

Configuring ACL ACL Configurations Configuration Guide 381
2.2.3 ACL Binding and Policy Binding
You can select ACL binding or Policy binding according to your needs. An ACL rule or a Policy takes effect only after it is bound to a port or VLAN.
ACL Binding
You can bind the ACL to a port or a VLAN. The received packets will then be matched and processed according to the ACL rules.
Step 1 configure
Enter global configuration mode.
Step 2 interface {fastEthernet port | range fastEthernet

Policy Binding - Page 403

Configuration Guide 382 Configuring ACL ACL Configurations
Index Policy Name Interface/VID Direction Type
----- ----------- ------------- -------- ----
Index ACL ID      Interface/VID Direction Type
----- ----------- ------------- -------- ----
1     1           Fa1/0/3       Ingress   Port
2     2           4             Ingress   Vlan
Switch(config-if)#end
Switch#copy running-config startup-config
Policy Binding
You can bind the Policy to a port or a VLAN. The received packets will then be matched and processed according to the Policy.
Step 1 configure
Enter global configuration mode.
Step 2 interface {fastEthernet

- Page 404

Configuring ACL ACL Configurations Configuration Guide 383
Switch(config-if)#exit
Switch(config)#interface vlan 2
Switch(config-if)#access-list bind policy 2
Switch(config-if)#show access-list bind
Index Policy Name Interface/VID Direction Type
----- ----------- ------------- -------- ----
1     1           Fa1/0/2       Ingress   Port
2     2           2             Ingress   Vlan
Index ACL ID      Interface/VID Direction Type
----- ----------- ------------- -------- ----
Switch(config-if)#end
Switch#copy running-config startup-config


Configuration Example for ACL - Page 405

Configuration Guide 384 Configuring ACL Configuration Example for ACL
3 Configuration Example for ACL
3.1 Network Requirements
A company’s server group can provide different types of services. It is required that:
• The Marketing department can only access the server group.
• The Marketing department can only visit HTTP and HTTPS websites on the Internet.
3.2 Network Topology
As shown below, computers in the Marketing department are connected to the switch via port 1/0/1, and the server group is connected to the switch via port 1/0/2.
Figure 3-1 Network Topology Internet Fa1/0/1 Mark..

ACL > ACL Config > ACL Create - Page 406

Configuring ACL Configuration Example for ACL Configuration Guide 385
2) Configure permit rules to match packets with source IP address 10.10.70.0/24, and destination ports TCP 80, TCP 443 and TCP/UDP 53. These rules allow the Marketing department to visit HTTP and HTTPS websites on the Internet.
3) Configure a deny rule to match packets with source IP address 10.10.70.0. This rule blocks other network services.
The switch matches the packets with the rules in order, starting with Rule 1. If a packet matches a rule, the switch stops the matching process.
Binding Configuration
Apply the ..

ACL > ACL Config > Extend ACL - Page 407

Configuration Guide 386 Configuring ACL Configuration Example for ACL
Figure 3-3 Configuring Rule 1
3) Choose the menu ACL > ACL Config > Extend ACL to load the following page. Configure rule 2 and rule 3 to permit packets with source IP 10.10.70.0 and destination port TCP 80 (HTTP service port) and UDP 443 (HTTPS service port).
Figure 3-4 Configuring Rule 2
Figure 3-5 Configuring Rule 3


ACL > Policy Config > Policy Create - Page 408

Configuring ACL Configuration Example for ACL Configuration Guide 387 4) Choose the menu ACL > Policy Config > Policy Create to load the following page. Configure Rule 4 and Rule 5 to permit packets with source IP 10.10.70.0 and with destination port TCP 53 or UDP 53 (DNS service port). Figure 3-6 Configuring Rule 4 Figure 3-7 Configuring Rule 5 5) Choose the menu ACL > Policy Config > Policy Create to load the following page. Configure Rule 6 to deny packets with source IP 10.10.70.0.


ACL > Policy Config > Policy - Page 409

Configuration Guide 388 Configuring ACL Configuration Example for ACL
Figure 3-8 Configuring Rule 6
6) Choose the menu ACL > Policy Config > Policy Create to load the following page. Then create Policy Market.
Figure 3-9 Creating the Policy
7) Choose the menu ACL > Policy Config > Action Create to load the following page. Then apply ACL 1600 to Policy Market.
Figure 3-10 Applying the ACL to the Policy
8) Choose the menu ACL > Policy Binding > Port Binding to load the following page. Bind Policy Market to port 1/0/1 to make it effective.


Binding the Policy to Port 1/0/1 - Page 410

Configuring ACL Configuration Example for ACL Configuration Guide 389
Figure 3-11 Binding the Policy to Port 1/0/1
9) Click Save Config to save the settings.
3.5 Using the CLI
1) Create Extended-IP ACL 1600.
Switch#configure
Switch(config)#access-list create 1600
2) Configure rule 1 to permit packets with source IP 10.10.70.0 and destination IP 10.10.80.0.
Switch(config)#access-list extended 1600 rule 1 permit sip 10.10.70.0 smask 255.255.255.0 dip 10.10.80.0 dmask 255.255.255.0
3) Configure Rule 2 and Rule 3 to permit packets with source IP 10.10.70.0, and destination port TCP 80 (http ser..

Verify the Configurations - Page 411

Configuration Guide 390 Configuring ACL Configuration Example for ACL
5) Configure Rule 6 to deny packets with source IP 10.10.70.0.
Switch(config)#access-list extended 1600 rule 6 deny sip 10.10.70.0 smask 255.255.255.0
6) Create Policy Market, and then apply ACL 1600 to it.
Switch(config)#access-list policy name Market
Switch(config)#access-list policy action Market 1600
Switch(config-action)#exit
7) Bind Policy Market to port 1/0/1.
Switch(config)#interface fastEthernet 1/0/1
Switch(config-if)#access-list bind Market
Switch(config-if)#end
Switch#copy running-config startup-config
Verify ..
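The mask semantics and first-match rule order that this configuration example relies on, modelled as an added Python sketch (not code from the TP-Link guide). Rules 1 and 6 follow the CLI lines shown above; rules 2 to 5 are reconstructed from the stated requirements (TCP 80, TCP 443, TCP/UDP 53) because their CLI lines are cut off here, and the sample packets and their addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


def masked_equal(addr: str, rule_addr: str, mask: str) -> bool:
    """A 1 bit in the mask means that bit of the address must match."""
    a, r, m = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_addr, mask))
    return (a & m) == (r & m)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                     # "permit" or "deny"
    sip: Optional[str] = None
    smask: Optional[str] = None
    dip: Optional[str] = None
    dmask: Optional[str] = None
    protocol: Optional[str] = None  # None models the default "All"
    d_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.sip is not None and not masked_equal(p.src, self.sip, self.smask):
            return False
        if self.dip is not None and not masked_equal(p.dst, self.dip, self.dmask):
            return False
        if self.protocol is not None and p.proto != self.protocol:
            return False
        if self.d_port is not None and p.dport != self.d_port:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[Optional[str], Optional[int]]:
    """Walk the rules in ascending rule ID and stop at the first match.

    Returns (action, rule_id), or (None, None) when no rule matches; what the
    switch does with unmatched packets is not modelled here.
    """
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(p):
            return rule.action, rule.rule_id
    return None, None


# Marketing subnet from the example: 10.10.70.0 with mask 255.255.255.0.
MKT = {"sip": "10.10.70.0", "smask": "255.255.255.0"}

ACL_1600 = [
    Rule(1, "permit", dip="10.10.80.0", dmask="255.255.255.0", **MKT),  # server group
    Rule(2, "permit", protocol="tcp", d_port=80, **MKT),    # HTTP (reconstructed)
    Rule(3, "permit", protocol="tcp", d_port=443, **MKT),   # HTTPS (reconstructed)
    Rule(4, "permit", protocol="tcp", d_port=53, **MKT),    # DNS over TCP (reconstructed)
    Rule(5, "permit", protocol="udp", d_port=53, **MKT),    # DNS over UDP (reconstructed)
    Rule(6, "deny", **MKT),                                  # everything else from Marketing
]

# Same rules, but the deny rule is given the lowest ID: it now shadows every permit.
DENY_FIRST = [replace(r, rule_id=0) if r.action == "deny" else r for r in ACL_1600]

# Constructed sample packets (addresses outside 10.10.x.x are documentation ranges).
SAMPLES = {
    "marketing -> server group, SSH": Packet("10.10.70.25", "10.10.80.5", "tcp", 22),
    "marketing -> Internet, HTTPS": Packet("10.10.70.25", "203.0.113.10", "tcp", 443),
    "marketing -> Internet, DNS/UDP": Packet("10.10.70.25", "198.51.100.53", "udp", 53),
    "marketing -> Internet, SSH": Packet("10.10.70.25", "203.0.113.10", "tcp", 22),
    "other subnet -> Internet, HTTP": Packet("10.10.71.9", "203.0.113.10", "tcp", 80),
}


def report(rules: List[Rule]) -> dict:
    """Map each sample packet's label to the (action, rule_id) that decided it."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("ACL 1600", ACL_1600), ("deny rule first", DENY_FIRST)):
        print(label)
        for name, verdict in report(acl).items():
            print(f"  {name:32} {verdict}")
```

Running the same samples through a candidate rule set before binding it to a port shows which rule decides each flow and exposes a broad deny that sits ahead of the permits it was meant to follow.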

Appendix: Default Parameters - Page 412

Configuring ACL Appendix: Default Parameters Configuration Guide 391
4 Appendix: Default Parameters
For MAC ACL:
Parameter    Default Setting
Operation    Permit
For Standard-IP ACL:
Parameter    Default Setting
Operation    Permit
For Extend-IP ACL:
Parameter    Default Setting
Operation    Permit
IP Protocol  All


Configuring - Page 413

Part 14 Configuring Network Security
CHAPTERS
1. Network Security
2. IP-MAC Binding Configurations
3. DHCP Snooping Configuration
4. ARP Inspection Configurations
5. DoS Defend Configuration
6. 802.1X Configuration
7. AAA Configuration
8. Configuration Examples
9. Appendix: Default Parameters


Network Security - Page 414

Configuration Guide 393 Configuring Network Security Network Security
1 Network Security
1.1 Overview
Network Security provides multiple protection measures for the network. Users can configure the security functions according to their needs.
1.2 Supported Features
The switch supports multiple network security features, for example, IP-MAC Binding, DHCP Snooping, ARP Inspection and so on.
IP-MAC Binding
IP-MAC Binding is used to bind the IP address, MAC address, VLAN ID and the connected port number of the specified host. Based on the IP-MAC binding table, the switch can prevent the ARP ch..

Network Topology of Basic DHCP Security - Page 415

Configuration Guide 394 Configuring Network Security Network Security
Figure 1-1 Network Topology of Basic DHCP Security (diagram labels: Switch, Trusted Port, Untrusted Port, Illegal DHCP Server, Clients, Legal DHCP Server)
Additionally, with DHCP Snooping, the switch can monitor the IP address obtaining process of each client host and record the IP address, MAC address, VLAN ID and the connected port number of the host for automatic binding.
Option 82
Option 82 records the location of the DHCP client. The switch can add option 82 to the DHCP request packet and then transmit the packet to the ..

802.1X Authentication Model - Page 416

Configuration Guide 395 Configuring Network Security Network Security DoS Defend The DoS (Denial of Service) defend feature provides protection against DoS attacks. DoS attacks occupy the network bandwidth maliciously by sending numerous service requests to the hosts. It results in an abnormal service or breakdown of the network. With DoS Defend feature, the switch can analyze the specific fields of the IP packets, distinguish the malicious DoS attack packets and discard them directly. Also, DoS Defend feature can limit the transmission rate of legal packets. When the number of legal packet..

Network Topology of AAA - Page 417

Configuration Guide 396 Configuring Network Security Network Security
authentication server; also, the authenticator obtains responses from the authentication server and sends them to the client. The authenticator allows authenticated clients to access the LAN through the connected ports but denies the unauthenticated clients.
Authentication Server
The authentication server is usually the host running the RADIUS server program. It stores information of clients, confirms whether a client is legal and informs the authenticator whether a client is authenticated.
AAA
AAA stands for authenti..

Network Security > IP-MAC Binding > Manual Binding - Page 418

Configuration Guide 397 Configuring Network Security IP-MAC Binding Configurations
2 IP-MAC Binding Configurations
You can complete IP-MAC binding in two ways:
• Manual Binding
• Dynamical Binding (including ARP Scanning and DHCP Snooping)
Additionally, you can search the specified entries in the Binding Table.
2.1 Using the GUI
2.1.1 Binding Entries Manually
You can manually bind the IP address, MAC address, VLAN ID and the Port number together on the condition that you have got the related information of the hosts on the network.
Choose the menu Network Security > IP-MAC Binding &g..

2.1.2 Binding Entries Dynamically - Page 419

Configuration Guide 398 Configuring Network Security IP-MAC Binding Configurations Host Name Enter the host name for identification. IP Address Enter the IP address. MAC Address Enter the MAC address. VLAN ID Enter the VLAN ID. 2) Select protect type for the entry. Protect Type Select the protect type for the entry: None : This entry will not be applied to any feature. ARP Detection : This entry will be applied to the ARP Detection feature. 3) Select the port that is connected to this host. 4) Click Bind . 2.1.2 Binding Entries Dynamically The binding entries can be dynamically learned from..

ARP Scanning - Page 420

Configuration Guide 399 Configuring Network Security IP-MAC Binding Configurations
Choose the menu Network Security > IP-MAC Binding > ARP Scanning to load the following page.
Figure 2-2 ARP Scanning
Follow these steps to configure IP-MAC Binding via ARP scanning:
1) In the Scanning Option section, specify an IP address range and a VLAN ID. Then click Scan to scan the entries in the specified IP address range and VLAN.
Start IP Address/End IP Address: Specify an IP range by entering a start and end IP address.
VLAN ID: Specify a VLAN ID.
2) In the Scanning Result section, select one or..

Network Security > IP-MAC Binding > Binding Table - Page 421

Configuration Guide 400 Configuring Network Security IP-MAC Binding Configurations Collision Displays the collision status of the entry. Warning : The collision entries have the same IP address and MAC address, and all the collision entries are valid. This kind of collision may be caused by the MSTP function. Critical : The collision entries have the same IP address but different MAC addresses. For the collision entries learned from the same source, only the newly added entry will be valid. For the collision entries learned from different sources, only the entry with the highest priority wi..

2.2.1 Binding Entries Manually - Page 422

Configuration Guide 401 Configuring Network Security IP-MAC Binding Configurations In the Binding Table section, you can view the searched entries. Additionally, you can configure the host name and protect type for one or more entries, and click Apply . Host Name Enter a host name for identification. IP Address Displays the IP address. MAC Address Displays the MAC address. VLAN ID Displays the VLAN ID. Port Displays the port number. Protect Type Select the protect type for the entry: None : This entry will not be applied to any feature. ARP Detection : This entry will be applied to the ARP ..

- Page 423

Configuration Guide 402 Configuring Network Security IP-MAC Binding Configurations Step 2 ip source binding hostname ip-addr mac-addr vlan vlan-id interface { fastEthernet port | gigabitEthernet port } { none | arp-detection } [ forced-source { arp-scanning | dhcp-snooping } ] Manually bind the host name, IP address, MAC address, VLAN ID and port number of the host, and configure the protect type for the host. In addition, you can change the source of the entry as ARP Scanning or DHCP Snooping. hostname : Specify a name for the host. It contains 20 characters at most. ip-addr : Enter the IP..

2.2.2 Viewing Binding Entries - Page 424

Configuration Guide 403 Configuring Network Security IP-MAC Binding Configurations 2.2.2 Viewing Binding Entries On privileged EXEC mode or any other configuration mode, you can use the following command to view binding entries: show ip source binding View the information of binding entries, including the host name, IP address, MAC address, VLAN ID, port number, protect type and collision status. There are two types of collision status: Warning and Critical. Warning : The collision entries have the same IP address and MAC address, and all the collision entries are valid. This kind of collis..

Network Security > DHCP Snooping > Global Config - Page 425

Configuration Guide 404 Configuring Network Security DHCP Snooping Configuration 3 DHCP Snooping Configuration To complete DHCP Snooping configuration, follow these steps: 1) Enable DHCP Snooping on VLAN. 2) Configure DHCP Snooping on the specified port. 3) (Optional) Configure Option 82 on the specified port. Tips: The switch can dynamically bind the entries via DHCP Snooping after step 1 and step 2 are completed. By default, the binding entries are applied to ARP Detection. Configuration Guidelines DHCP Snooping and DHCP Relay cannot be used at the same time on the switch. When both of th..

3.1.2 Configuring DHCP Snooping on Ports - Page 426

Configuration Guide 405 Configuring Network Security DHCP Snooping Configuration
VLAN Configuration Display: Displays the VLANs that have been enabled with DHCP Snooping.
3) Click Apply.
3.1.2 Configuring DHCP Snooping on Ports
Choose the menu Network Security > DHCP Snooping > Port Config to load the following page.
Figure 3-2 Port Config
Follow these steps to configure DHCP Snooping on the specified port:
1) Select one or more ports and configure the parameters.
Trusted Port: Select Enable to set the port that is connected to the DHCP server as a trusted port. Select Disable to set t..

3.1.3 (Optional) Configuring Option 82 - Page 427

Configuration Guide 406 Configuring Network Security DHCP Snooping Configuration Rate Limit Select to enable the rate limit feature and specify the maximum number of DHCP packets that can be forwarded on the port per second. The excessive DHCP packets will be discarded. Decline Protect Select to enable the decline protect feature and specify the maximum number of DHCP Decline packets that can be forwarded on the port per second. The excessive DHCP Decline packets will be discarded. LAG Displays the LAG that the port is in. 2) Click Apply . 3.1.3 (Optional) Configuring Option 82 Option 82 re..

Follow these steps to globally configure DHCP Snooping: - Page 428

Configuration Guide 407 Configuring Network Security DHCP Snooping Configuration Operation Strategy Select the operation for the Option 82 field of the DHCP request packets. Keep : Indicates keeping the Option 82 field of the packets. Replace : Indicates replacing the Option 82 field of the packets with one defined by the switch. By default, the Circuit ID is defined to be the VLAN and the number of the port which receives the DHCP Request packets. The Remote ID is defined as the MAC address of the DHCP Snooping device which receives the DHCP Request packets. Drop : Indicates discarding the..

3.2.2 Configuring DHCP Snooping on Ports - Page 429

Configuration Guide 408 Configuring Network Security DHCP Snooping Configuration
Step 5 end
Return to privileged EXEC mode.
Step 6 copy running-config startup-config
Save the settings in the configuration file.
The following example shows how to enable DHCP Snooping globally and on VLAN 5:
Switch#configure
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 5
Switch(config)#show ip dhcp snooping
Global Status: Enable
VLAN ID: 5
Switch(config)#end
Switch#copy running-config startup-config
3.2.2 Configuring DHCP Snooping on Ports
Follow these steps to configure DHCP Snooping ..

- Page 430

Configuration Guide 409 Configuring Network Security DHCP Snooping Configuration
Step 5 ip dhcp snooping limit rate value
Enable the limit rate feature and specify the maximum number of DHCP messages that can be forwarded on the port per second. The excessive DHCP packets will be discarded.
value: Specify the limit rate value. The following options are provided: 0, 5, 10, 15, 20, 25 and 30 (packets/second). The default value is 0, which indicates disabling limit rate.
Step 6 ip dhcp snooping decline rate value
Enable the decline protect feature and specify the maximum number of Decline packets ..

3.2.3 (Optional) Configuring Option 82 - Page 431

Configuration Guide 410 Configuring Network Security DHCP Snooping Configuration 3.2.3 (Optional) Configuring Option 82 Option 82 records the location of the DHCP client. The switch can add the Option 82 to the DHCP request packet and then transmit the packet to the DHCP server. Administrators can check the location of the DHCP client via option 82. The DHCP server supporting Option 82 can also set the distribution policy of IP addresses and other parameters, providing more flexible address distribution way. Follow these steps to configure Option 82: Step 1 configure Enter global configurat..

end - Page 432

Configuration Guide 411 Configuring Network Security DHCP Snooping Configuration
Step 8 end
Return to privileged EXEC mode.
Step 9 copy running-config startup-config
Save the settings in the configuration file.
The following example shows how to enable Option 82 on port 1/0/7 and configure the strategy as replace, the circuit-id as VLAN20 and the remote-id as Host1:
Switch#configure
Switch(config)#interface fastEthernet 1/0/7
Switch(config-if)#ip dhcp snooping information option
Switch(config-if)#ip dhcp snooping information strategy replace
Switch(config-if)#ip dhcp snooping information ci..

Network Security > ARP Inspection > ARP Detect - Page 433

Configuration Guide 412 Configuring Network Security ARP Inspection Configurations
4 ARP Inspection Configurations
With ARP Inspection configurations, you can:
• Configure ARP Detection
• Configure ARP Defend
• View ARP Statistics
4.1 Using the GUI
4.1.1 Configuring ARP Detection
The ARP Detection feature allows the switch to detect the ARP packets based on the binding entries in the IP-MAC Binding Table and filter out the illegal ARP packets. Before configuring ARP Detection, complete IP-MAC Binding configuration. For details, refer to IP-MAC Binding Configurations.
Choose the menu..

4.1.2 Configuring ARP Defend - Page 434

Configuration Guide 413 Configuring Network Security ARP Inspection Configurations
3) Click Apply.
4.1.2 Configuring ARP Defend
With ARP Defend enabled, the switch stops receiving ARP packets on a port for 300 seconds when the rate of legal ARP packets on that port exceeds the defined value, so as to avoid ARP flood attacks.
Choose the menu Network Security > ARP Inspection > ARP Defend to load the following page.
Figure 4-2 ARP Defend
Follow these steps to configure ARP Defend:
1) Select one or more ports and configure the parameters.
Defend: Enable the ARP Defend fea..

4.1.3 Viewing ARP Statistics - Page 435

Configuration Guide 414 Configuring Network Security ARP Inspection Configurations Status Displays the status of the ARP attack: Normal : The forwarding of ARP packets on the port is normal. Drop ARP300sec : The speed of receiving the ARP packets has exceeded the specified value, and the port will drop the received ARP packets in the next 300 seconds. LAG Displays the LAG that the port is in. Operation Click the Recover button to restore the port to the normal status. The ARP Defend for this port will be re-enabled. 2) Click Apply . 4.1.3 Viewing ARP Statistics You can view the number of th..

Network Security > ARP Inspection > ARP Statistics - Page 436

Configuration Guide 415 Configuring Network Security ARP Inspection Configurations
Choose the menu Network Security > ARP Inspection > ARP Statistics to load the following page.
Figure 4-3 ARP Statistics
In the Auto Refresh section, you can enable the auto refresh feature and specify the refresh interval, and thus the web page will be automatically refreshed.
In the Illegal ARP Packet section, you can view the number of illegal ARP packets on each port.
Trusted Port: Indicates whether the port is an ARP trusted port or not.
Illegal ARP Packet: Displays the number of the received illegal..

4.2.1 Configuring ARP Detection - Page 437

Configuration Guide 416 Configuring Network Security ARP Inspection Configurations
4.2 Using the CLI
4.2.1 Configuring ARP Detection
The ARP Detection feature allows the switch to detect the ARP packets based on the binding entries in the IP-MAC Binding Table and filter the illegal ARP packets. Before configuring ARP Detection, complete IP-MAC Binding configuration. For details, refer to IP-MAC Binding Configurations.
Follow these steps to configure ARP Detection:
Step 1 configure
Enter global configuration mode.
Step 2 ip arp inspection
Globally enable the ARP Detection feature.
Step 3 ..

4.2.2 Configuring ARP Defend - Page 438

Configuration Guide 417 Configuring Network Security ARP Inspection Configurations
Port     Trusted
Fa1/0/1  YES
Fa1/0/2  NO
......
Switch(config-if)#end
Switch#copy running-config startup-config
4.2.2 Configuring ARP Defend
With ARP Defend enabled, the switch stops receiving ARP packets on a port for 300 seconds when the rate of legal ARP packets on that port exceeds the defined value, so as to avoid ARP flood attacks.
Follow these steps to configure ARP Defend:
Step 1 configure
Enter global configuration mode.
Step 2 interface { fastEthernet port | range fastEthernet port-list |..

show ip arp inspection statistics - Page 439

Configuration Guide 418 Configuring Network Security ARP Inspection Configurations
Switch#configure
Switch(config)#interface fastEthernet 1/0/2
Switch(config-if)#ip arp inspection
Switch(config-if)#ip arp inspection limit-rate 20
Switch(config-if)#show ip arp inspection interface fastEthernet 1/0/2
Port     OverSpeed  Rate  Current  Status  LAG
Fa1/0/2  Enabled    20    N/A      Normal  N/A
Switch(config-if)#end
Switch#copy running-config startup-config
The following example shows how to restore the port 1/0/1 that is in Discard status to Normal status:
Switch#configure
Switch(config)#show ip arp inspection int..

Network Security > DoS Defend > DoS Defend - Page 440

Configuration Guide 419 Configuring Network Security DoS Defend Configuration
5 DoS Defend Configuration
5.1 Using the GUI
Choose the menu Network Security > DoS Defend > DoS Defend to load the following page.
Figure 5-1 Dos Defend
Follow these steps to configure DoS Defend:
1) In the Configure section, enable DoS Protection.
2) In the Defend Table section, select one or more defend types according to your needs. The following table introduces each type of DoS attack.
Land Attack: The attacker sends a specific fake SYN (synchronous) packet to the destination host. Because both of the s..

configure - Page 441

Configuration Guide 420 Configuring Network Security DoS Defend Configuration NULL Scan The attacker sends the illegal packet with its TCP index and all the control fields set to 0. During the TCP connection and data transmission, the packets with all control fields set to 0 are considered illegal. SYN sPort less 1024 The attacker sends the illegal packet with its TCP SYN field set to 1 and source port smaller than 1024. Blat Attack The attacker sends the illegal packet with the same source port and destination port on Layer 4 and with its URG field set to 1. Similar to the Land Attack, the..

ip dos-prevent type { - Page 442

Configuration Guide 421 Configuring Network Security DoS Defend Configuration
Step 3 ip dos-prevent type { land | scan-synfin | xma-scan | null-scan | port-less-1024 | blat | ping-flood | syn-flood | win-nuke | smurf | ping-of-death }
Configure one or more defend types according to your needs. The types of DoS attack are introduced as follows.
land: The attacker sends a specific fake SYN (synchronous) packet to the destination host. Because both the source IP address and the destination IP address of the SYN packet are set to be the IP address of the host, the host will be trapped in an e..

end - Page 443

Configuration Guide 422 Configuring Network Security DoS Defend Configuration
Step 5 end
Return to privileged EXEC mode.
Step 6 copy running-config startup-config
Save the settings in the configuration file.
The following example shows how to enable the DoS Defend type named land:
Switch#configure
Switch(config)#ip dos-prevent
Switch(config)#ip dos-prevent type land
Switch(config)#show ip dos-prevent
Type         Status
---------    ------
Land Attack  Enabled
Scan SYNFIN  Disabled
Xmascan      Disabled
......
Switch(config)#end
Switch#copy running-config startup-config


Network Security > AAA > Global Config - Page 444

Configuration Guide 423 Configuring Network Security 802.1X Configuration
6 802.1X Configuration
To complete the 802.1X configuration, follow these steps:
1) Configure the RADIUS server.
2) Configure 802.1X globally.
3) Configure 802.1X on ports.
Configuration Guidelines
802.1X authentication and Port Security cannot be enabled at the same time. Before enabling 802.1X authentication, make sure that Port Security is disabled.
6.1 Using the GUI
6.1.1 Configuring the RADIUS Server
Enable AAA function on the switch, configure the parameters of RADIUS server and configure the RADIUS server group...

Adding the RADIUS Server - Page 445

Configuration Guide 424 Configuring Network Security 802.1X Configuration
Adding the RADIUS Server
Choose the menu Network Security > AAA > RADIUS Config to load the following page.
Figure 6-2 RADIUS Config
Follow these steps to create a protocol template:
1) In the Server Config section, configure the parameters of RADIUS server.
2) Click Apply.
Server IP: Enter the IP address of the server running the RADIUS secure protocol.
Shared Key: Enter the shared key between the RADIUS server and the switch. The RADIUS server and the switch use the key string to encrypt passwords and excha..

Adding a Server Group - Page 446

Configuration Guide 425 Configuring Network Security 802.1X Configuration
Choose the menu Network Security > AAA > Server Group to load the following page.
Figure 6-3 Adding a Server Group
Follow these steps to create a protocol template:
1) In the Add New Server Group section, specify the name and server type for the new server group, and click Add.
Server Group: Specify the name of the new server group.
Server Type: Select the type of the server group as RADIUS.
2) Select the newly added group, and click edit in the Operation column.
Figure 6-4 Edit the Group
3) Select the server t..

Configuring the Dot1x List - Page 447

Configuration Guide 426 Configuring Network Security 802.1X Configuration

Figure 6-5 Add Server to Group

Configuring the Dot1x List
Choose the menu Network Security > AAA > Dot1x List to load the following page.
Figure 6-6 Configuring the Dot1x List
Follow these steps to configure RADIUS server groups for 802.1X authentication and accounting:
1) In the Authentication Dot1x Method List section, select an existing RADIUS server group for authentication from the Pri1 drop-down list and click Apply.
2) In the Accounting Dot1x Method List section, select an existing RADIUS server grou..

6.1.2 Configuring 802.1X Globally - Page 448

Configuration Guide 427 Configuring Network Security 802.1X Configuration 6.1.2 Configuring 802.1X Globally Choose the menu Network Security > 802.1X > Global Config to load the following page. Figure 6-7 Global Config Follow these steps to configure 802.1X global parameters: 1) In the Global Config section, enable 802.1X globally and click Apply . Auth Method Select the 802.1X authentication method. PAP : The 802.1X authentication system uses EAP packets to exchange information between the switch and the client. The transmission of EAP (Extensible Authentication Protocol) packets is ..

Authentication Config - Page 449

Configuration Guide 428 Configuring Network Security 802.1X Configuration Guest VLAN Select whether to enable Guest VLAN. By default, it is disabled. If the Guest VLAN is enabled, a port can access resources in the guest VLAN even though the port is not yet authenticated; if guest VLAN is disabled and the port is not authenticated, the port cannot visit any resource in the LAN. Guest VLAN ID Enter the guest VLAN's ID. It must be an existing VLAN with the ID ranging from 2 to 4094. Accounting Enable or disable 802.1X accounting function. 2) In the Authentication Config section, enable Quiet,..

Network Security > 802.1X > Port Config - Page 450

Configuration Guide 429 Configuring Network Security 802.1X Configuration 6.1.3 Configuring 802.1X on Ports Choose the menu Network Security > 802.1X > Port Config to load the following page. Figure 6-8 Port Config Configure 802.1X authentication on the desired port and click Apply . Status Enable 802.1X authentication on the port. Guest VLAN Select whether to enable Guest VLAN on the port. Control Mode Select the Control Mode for the port. By default, it is Auto. Auto : If this option is selected, the port can access the network only when it is authenticated. Force-Authorized : If th..

Follow these steps to configure RADIUS: - Page 451

Configuration Guide 430 Configuring Network Security 802.1X Configuration

Note: If a port is in an LAG, its 802.1X authentication function cannot be enabled. Also, a port with 802.1X authentication enabled cannot be added to any LAG.

6.2 Using the CLI
6.2.1 Configuring the RADIUS Server
Follow these steps to configure RADIUS:

Step 1 configure
Enter global configuration mode.

Step 2 aaa enable
Enable the AAA function globally.

Step 3 radius-server host ip-address [ auth-port port-id ] [ acct-port port-id ] [ timeout time ] [ retransmit number ] [ key { [ 0 ] string | 7 encrypted-string } ]
A..

- Page 452

Configuration Guide 431 Configuring Network Security 802.1X Configuration

Step 5 server ip-address
Add the existing servers to the server group.
ip-address: Specify IP address of the server to be added to the group.

Step 6 exit
Return to global configuration mode.

Step 7 aaa authentication dot1x default { method }
Select the radius group for 802.1X authentication.
method: Specify the radius group for 802.1X authentication.

aaa accounting dot1x default { method }
Select the radius group for 802.1X accounting.
method: Specify the radius group for 802.1X accounting.

Note: If multiple radius s..

6.2.2 Configuring 802.1X Globally - Page 453

Configuration Guide 432 Configuring Network Security 802.1X Configuration

Switch#configure
Switch(config)#aaa enable
Switch(config)#radius-server host 192.168.0.100 key 123456 auth-port 1812 acct-port 1813
Switch(config)#aaa group radius radius1
Switch(aaa-group)#server 192.168.0.100
Switch(aaa-group)#exit
Switch(config)#aaa authentication dot1x default radius1
Switch(config)#aaa accounting dot1x default radius1
Switch(config)#show radius-server
Server Ip       Auth Port   Acct Port   Timeout   Retransmit   Shared key
192.168.0.100   1812        1813        5         2            123456
Switch(config)#show aaa group radius1
192.168.0.100
Switch(c..

vid - Page 454

Configuration Guide 433 Configuring Network Security 802.1X Configuration Step 3 dot1x auth-method { pap | eap } Configure the 802.1X authentication method. pap : Specify the authentication method as PAP. If this option is selected, the 802.1X authentication system uses EAP (Extensible Authentication Protocol) packets to exchange information between the switch and the client. The transmission of EAP packets is terminated at the switch and the EAP packets are converted to other protocol (such as RADIUS) packets, and transmitted to the authentication server. eap: Specify the authentication me..

6.2.3 Configuring 802.1X on Ports - Page 455

Configuration Guide 434 Configuring Network Security 802.1X Configuration

Step 10 copy running-config startup-config
Save the settings in the configuration file.

The following example shows how to enable 802.1X authentication, configure PAP as the authentication method and keep other parameters as default:

Switch#configure
Switch(config)#dot1x system-auth-control
Switch(config)#dot1x auth-method pap
Switch(config)#show dot1x global
802.1X State: Enabled
Authentication Method: PAP
Handshake State: Enabled
Guest VLAN State: Disable
Guest VLAN ID: N/A
802.1X Accounting State: Disable
Quiet-per..

port - Page 456

Configuration Guide 435 Configuring Network Security 802.1X Configuration

Step 4 dot1x port-method { mac-based | port-based }
Configure the control type for the port. By default, it is mac-based.
mac-based: All clients connected to the port need to be authenticated.
port-based: If a client connected to the port is authenticated, other clients can access the LAN without authentication.

Step 5 dot1x guest-vlan
(Optional) Enable guest VLAN on the port.
Note: Before enabling guest VLAN, the control type of the port should be configured as port-based.

Step 6 dot1x port-control { auto | authori..

Switch(config-if)#end - Page 457

Configuration Guide 436 Configuring Network Security 802.1X Configuration

Port      State     GuestVLAN   PortControl   PortMethod   Authorized     LAG
----      -----     ---------   --------      --------     -------------- ---
Fa1/0/2   enabled   disabled    auto          port-based   unauthorized   N/A
Switch(config-if)#end
Switch#copy running-config startup-config

Configuration Guidelines - Page 458

Configuration Guide 437 Configuring Network Security AAA Configuration 7 AAA Configuration In the AAA feature, the authentication can be processed locally on the switch or centrally on the RADIUS/TACACS+ server(s). To ensure the stability of the authentication system, you can configure multiple servers and authentication methods at the same time. This chapter introduces how to configure this kind of comprehensive authentication in AAA. To complete the configuration, follow these steps: 1) Globally enable AAA. 2) Add the servers. 3) Configure the server groups. 4) Configure the method list. ..

7.1.1 Globally Enabling AAA - Page 459

Configuration Guide 438 Configuring Network Security AAA Configuration

7.1 Using the GUI
7.1.1 Globally Enabling AAA
Choose the menu Network Security > AAA > Global Config to load the following page.
Figure 7-1 Global Configuration
Follow these steps to globally enable AAA:
1) In the Global Config section, enable AAA.
2) Click Apply.

7.1.2 Adding Servers
You can add one or more RADIUS/TACACS+ servers on the switch for authentication. If multiple servers are added, the server that is first added to the group has the highest priority and authenticates the users trying to access the swi..

TACACS+ Server Configuration - Page 460

Configuration Guide 439 Configuring Network Security AAA Configuration Shared Key Enter the shared key between the RADIUS server and the switch. The RADIUS server and the switch use the key string to encrypt passwords and exchange responses. Auth Port Specify the UDP destination port on the RADIUS server for authentication requests. The default setting is 1812. Acct Port Specify the UDP destination port on the RADIUS server for accounting requests. The default setting is 1813. Usually, it is used in the 802.1X feature. Retransmit Specify the number of times a request is resent to the server..

7.1.3 Configuring Server Groups - Page 461

Configuration Guide 440 Configuring Network Security AAA Configuration 2) Click Add to add the TACACS+ server on the switch. 7.1.3 Configuring Server Groups The switch has two built-in server groups, one for RADIUS servers and the other for TACACS+ servers. The servers running the same protocol are automatically added to the default server group. You can add new server groups as needed. Choose the menu Network Security > AAA > Server Group to load the following page. Figure 7-4 Add New Server Group The two default server groups in the list cannot be edited or deleted. You can follow t..

Network Security > AAA > Method List - Page 462

Configuration Guide 441 Configuring Network Security AAA Configuration Figure 7-6 Add Server to Group 7.1.4 Configuring the Method List A method list describes the authentication methods and their sequence to authenticate the users. The switch supports Login Method List for users of all types to gain access to the switch, and Enable Method List for guests to get administrative privileges. Choose the menu Network Security > AAA > Method List to load the following page. Figure 7-7 Add New Method There are two default methods respectively for the Login authentication and the Enable authe..

7.1.5 Configuring the AAA Application List - Page 463

Configuration Guide 442 Configuring Network Security AAA Configuration 1) In the Add Method List section, configure the parameters for the method to be added. Method List Name Specify a name for the method. List Type Select the authentication type. The following options are provided: Authentication Login and Authentication Enable. Pri1- Pri4 Specify the authentication methods in order. The method with priority 1 authenticates a user first, the method with priority 2 is tried if the previous method does not respond, and so on. local : Use the local database in the switch for authentication. ..

7.1.6 Configuring Login Account and Enable Password - Page 464

Configuration Guide 443 Configuring Network Security AAA Configuration

7.1.6 Configuring Login Account and Enable Password
The login account and Enable password can be configured locally on the switch or centrally on the RADIUS/TACACS+ server(s).

On the Switch
The local username and password for login can be configured in the User Management feature. For details, refer to Managing System. To configure the local Enable password for getting administrative privileges, choose the menu Network Security > AAA > Global Config to load the following page.
Figure 7-9 Configure Enable Passw..

7.2.1 Globally Enabling AAA - Page 465

Configuration Guide 444 Configuring Network Security AAA Configuration

7.2 Using the CLI
7.2.1 Globally Enabling AAA
Follow these steps to globally enable AAA:

Step 1 configure
Enter global configuration mode.

Step 2 aaa enable
Globally enable the AAA feature.

Step 3 show aaa global
Verify the global configuration of AAA.

Step 4 end
Return to privileged EXEC mode.

Step 5 copy running-config startup-config
Save the settings in the configuration file.

The following example shows how to globally enable AAA:

Switch#configure
Switch(config)#aaa enable
Switch(config)#show aaa global
AAA global st..

- Page 466

Configuration Guide 445 Configuring Network Security AAA Configuration

Step 1 configure
Enter global configuration mode.

Step 2 radius-server host ip-address [ auth-port port-id ] [ acct-port port-id ] [ timeout time ] [ retransmit number ] [ key { [ 0 ] string | 7 encrypted-string } ]
Add the RADIUS server and configure the related parameters as needed.
host ip-address: Enter the IP address of the server running the RADIUS protocol.
auth-port port-id: Specify the UDP destination port on the RADIUS server for authentication requests. The default setting is 1812.
acct-port port-id: Specify..

Adding TACACS+ Server - Page 467

Configuration Guide 446 Configuring Network Security AAA Configuration

Switch#copy running-config startup-config

Adding TACACS+ Server
Follow these steps to add TACACS+ server on the switch:

Step 1 configure
Enter global configuration mode.

Step 2 tacacs-server host ip-address [ port port-id ] [ timeout time ] [ key { [ 0 ] string | 7 encrypted-string } ]
Add the TACACS+ server and configure the related parameters as needed.
host ip-address: Enter the IP address of the server running the TACACS+ protocol.
port port-id: Specify the TCP destination port on the TACACS+ server for authent..

7.2.3 Configuring Server Groups - Page 468

Configuration Guide 447 Configuring Network Security AAA Configuration

Switch#copy running-config startup-config

7.2.3 Configuring Server Groups
The switch has two built-in server groups, one for RADIUS and the other for TACACS+. The servers running the same protocol are automatically added to the default server group. You can add new server groups as needed. The two default server groups cannot be deleted or edited.
Follow these steps to add a server group:

Step 1 configure
Enter global configuration mode.

Step 2 aaa group { radius | tacacs } group-name
Create a server group.
radius | taca..

Specify the authentication methods in order. The first - Page 469

Configuration Guide 448 Configuring Network Security AAA Configuration

Switch(aaa-group)#end
Switch#copy running-config startup-config

7.2.4 Configuring the Method List
A method list describes the authentication methods and their sequence to authenticate the users. The switch supports Login Method List for users of all types to gain access to the switch, and Enable Method List for guests to get administrative privileges.
Follow these steps to configure the method list:

Step 1 configure
Enter global configuration mode.

Step 2 aaa authentication login { method-list } { method1 } [ method2 ] [..

7.2.5 Configuring the AAA Application List - Page 470

Configuration Guide 449 Configuring Network Security AAA Configuration

Methodlist   pri1     pri2    pri3   pri4
default      local    --      --     --
Login1       radius   local   --     --
Switch(config)#end
Switch#copy running-config startup-config

The following example shows how to create an Enable method list named Enable1, and configure the method 1 as the default radius server group and the method 2 as local.

Switch#configure
Switch(config)#aaa authentication enable Enable1 radius local
Switch(config)#show aaa authentication enable
Methodlist   pri1     pri2    pri3   pri4
default      local    --      --     --
Enable1      radius   local   --     --
Switch(con..

method-list - Page 471

Configuration Guide 450 Configuring Network Security AAA Configuration

Step 4 enable authentication { method-list }
Apply the Enable method list for the application Console.
method-list: Specify the name of the Enable method list.

Step 5 show aaa global
Verify the configuration of application list.

Step 6 end
Return to privileged EXEC mode.

Step 7 copy running-config startup-config
Save the settings in the configuration file.

The following example shows how to apply the existing Login method list named Login1 and Enable method list named Enable1 for the application Console.

Switch#configur..

SSH - Page 472

Configuration Guide 451 Configuring Network Security AAA Configuration

Step 3 login authentication { method-list }
Apply the Login method list for the application Telnet.
method-list: Specify the name of the Login method list.

Step 4 enable authentication { method-list }
Apply the Enable method list for the application Telnet.
method-list: Specify the name of the Enable method list.

Step 5 show aaa global
Verify the configuration of application list.

Step 6 end
Return to privileged EXEC mode.

Step 7 copy running-config startup-config
Save the settings in the configuration file.

The follow..

: - Page 473

Configuration Guide 452 Configuring Network Security AAA Configuration

Step 1 configure
Enter global configuration mode.

Step 2 line ssh
Enter line configuration mode.

Step 3 login authentication { method-list }
Apply the Login method list for the application SSH.
method-list: Specify the name of the Login method list.

Step 4 enable authentication { method-list }
Apply the Enable method list for the application SSH.
method-list: Specify the name of the Enable method list.

Step 5 show aaa global
Verify the configuration of application list.

Step 6 end
Return to privileged EXEC mode.

Step 7..

HTTP - Page 474

Configuration Guide 453 Configuring Network Security AAA Configuration

HTTP
Follow these steps to apply the Login and Enable method lists for the application HTTP:

Step 1 configure
Enter global configuration mode.

Step 2 ip http login authentication { method-list }
Apply the Login method list for the application HTTP.
method-list: Specify the name of the Login method list.

Step 3 ip http enable authentication { method-list }
Apply the Enable method list for the application HTTP.
method-list: Specify the name of the Enable method list.

Step 4 show aaa global
Verify the configuration ..

7.2.6 Configuring Login Account and Enable Password - Page 475

Configuration Guide 454 Configuring Network Security AAA Configuration

7.2.6 Configuring Login Account and Enable Password
The login account and Enable password can be configured locally on the switch or centrally on the RADIUS/TACACS+ server(s).

On the Switch
The local username and password for login can be configured in the User Management feature. For details, refer to Managing System. To configure the local Enable password for getting administrative privileges, follow these steps:

Step 1 configure
Enter global configuration mode.

Step 2 enable admin password { [ 0 ] password | 7 en..

$enable$ - Page 476

Configuration Guide 455 Configuring Network Security AAA Configuration

On RADIUS server, the user name should be set as $enable$, and the Enable password is customizable. All the users trying to get administrative privileges share this Enable password.

On TACACS+ server, configure the value of “enable 15” as the Enable password in the configuration file. All the users trying to get administrative privileges share this Enable password.

Tips: The logged-in guests can get administrative privileges by using the command enable-admin and providing the Enable password.

8.1.1 Network Requirements - Page 477

Configuration Guide 456 Configuring Network Security Configuration Examples 8 Configuration Examples 8.1 Example for DHCP Snooping and ARP Detection 8.1.1 Network Requirements As shown below, User 1 and User 2 get IP addresses from the legal DHCP server, and User 3 has a static IP address. All of them are in the default VLAN 1. Now, untrusted DHCP packets need to be filtered to ensure that the DHCP clients (User 1 and User 2) can get the IP addresses from the legal DHCP server. Additionally, the network needs to be prevented from ARP attacks. Figure 8-1 Network Topology Fa1/0/4 Fa1/0/1 Fa1/..

8.1.3 Using the GUI - Page 478

Configuration Guide 457 Configuring Network Security Configuration Examples 2) Configure IP-MAC Binding on Switch A. The binding entries for User 1 and User 2 will be automatically learned via DHCP Snooping, and you need to manually bind the entry for User 3. 3) Enable ARP Detection on Switch A to prevent ARP cheating attacks. 4) Configure ARP Defend on Switch A to limit the speed of receiving the legal ARP packets on each port, thus to prevent ARP flooding attacks. Demonstrated with T1500-28PCT, the following sections provide configuration procedure in two ways: using the GUI and using the..

Port Config - Page 479

Configuration Guide 458 Configuring Network Security Configuration Examples Figure 8-3 Port Config 3) Choose the menu Network Security > IP-MAC Binding > Manual Binding to load the following page. Enter the host name, IP address, MAC address and VLAN ID of User 3, select ARP Detection as the protect type, and select port 1/0/3 on the panel. Click Bind . Figure 8-4 Manual Binding 4) Choose the menu Network Security > IP-MAC Binding > Binding Table to load the following page. Select Source type as All, and click Search to view all the entries that have been bound.

Binding Table - Page 480

Configuration Guide 459 Configuring Network Security Configuration Examples Figure 8-5 Binding Table 5) Choose the menu Network Security > ARP Inspection > ARP Detect to load the following page. Enable ARP Detection and set port 1/0/4 as trusted port. Click Apply . Figure 8-6 ARP Detect 6) Choose the menu Network Security > ARP Inspection > ARP Defend to load the following page. Enable ARP Defend for port 1/0/1-3 and click Apply .

8.1.4 Using the CLI - Page 481

Configuration Guide 460 Configuring Network Security Configuration Examples

Figure 8-7 ARP Defend
7) Click Save Config to save the settings.

8.1.4 Using the CLI
1) Enable DHCP Snooping globally and on VLAN 1.
Switch_A#configure
Switch_A(config)#ip dhcp snooping
Switch_A(config)#ip dhcp snooping vlan 1

2) Configure port 1/0/4 as a trusted port.
Switch_A(config)#interface fastEthernet 1/0/4
Switch_A(config-if)#ip dhcp snooping trust
Switch_A(config-if)#exit

3) Manually bind the entry for User 3.
Switch_A(config)#ip source binding User3 192.168.0.33 88:a9:d4:54:fd:c3 vlan 1 interface fastEther..

Verify the Configuration - Page 482

Configuration Guide 461 Configuring Network Security Configuration Examples

5) Configure ARP Defend on ports 1/0/1-3.
Switch_A(config)#interface range fastEthernet 1/0/1-3
Switch_A(config-if-range)#ip arp inspection
Switch_A(config-if-range)#ip arp inspection limit-rate 15
Switch_A(config-if-range)#end
Switch_A#copy running-config startup-config

Verify the Configuration
Verify the configuration of DHCP Snooping:
Switch_A#show ip dhcp snooping
Global Status: Enable
VLAN ID: 1
Switch_A#show ip dhcp snooping interface
Interface Trusted MAC-Verify Limit-Rate Dec-rate LAG
--------- ------- -----..

8.2.1 Network Requirements - Page 483

Configuration Guide 462 Configuring Network Security Configuration Examples

ARP detection global status: Enabled
Port      Trusted
Fa1/0/1   NO
Fa1/0/2   NO
Fa1/0/3   NO
Fa1/0/4   YES
......

Verify the configuration of ARP Defend:
Switch_A#show ip arp inspection interface
Port      OverSpeed   Rate   Current   Status   LAG
Fa1/0/1   Enabled     15     N/A       Normal   N/A
Fa1/0/2   Enabled     15     N/A       Normal   N/A
Fa1/0/3   Enabled     15     N/A       Normal   N/A
Fa1/0/4   Disabled    15     N/A       N/A      N/A
......

8.2 Example for 802.1X
8.2.1 Network Requirements
The network administrator wants to control access from the end users (clients) in the company. It is requir..

Network Security > AAA > Global Config - Page 484

Configuration Guide 463 Configuring Network Security Configuration Examples

8.2.3 Network Topology
As shown in the following figure, Switch A acts as the authenticator. Port 1/0/1 is connected to the client, port 1/0/2 is connected to the RADIUS server, and port 1/0/3 is connected to the Internet.

Figure 8-8 Network Topology (labels: Internet; Switch A, Authenticator; Client; Fa1/0/1; Fa1/0/2; Fa1/0/3; RADIUS Server 192.168.0.10/24, Auth Port: 1812)

Demonstrated with T1500-28PCT acting as the authenticator, the following sections provide configuration procedure in two ways: using the GUI and usi..

- Page 485

Configuration Guide 464 Configuring Network Security Configuration Examples Figure 8-10 RADIUS Config 3) Choose the menu Network Security > AAA > Server Group to load the following page. In the Add New Server Group section, specify the group name as radius1 and the server type as RADIUS. Click Add to create the server group. Figure 8-11 Create Server Group 4) On the same page, select the newly created server group and click edit to load the following page. Select 192.168.0.10 from the drop-down list, and click Add to add the server to the group. Figure 8-12 Add Servers to Server Group..

Global Config - Page 486

Configuration Guide 465 Configuring Network Security Configuration Examples 6) Choose the menu Network Security > 802.1X Authentication > Global Config to load the following page. Enable 802.1X authentication and configure the Authentication Method as EAP. Enable the Quiet feature and then keep the default authentication settings. Figure 8-14 Global Config 7) Choose the menu Network Security > 802.1X Authentication > Port Config to load the following page. For port 1/0/1, enable 802.1X authentication, set the Control Mode as auto and set the Control Type as MAC Based; For port 1..

8.2.5 Using the CLI - Page 487

Configuration Guide 466 Configuring Network Security Configuration Examples

Figure 8-15 Port Config
8) Click Save Config to save the settings.

8.2.5 Using the CLI
1) Enable AAA function globally and configure the RADIUS parameters.
Switch_A(config)#aaa enable
Switch_A(config)#radius-server host 192.168.0.10 auth-port 1812 key 123456
Switch_A(config)#aaa group radius radius1
Switch_A(aaa-group)#server 192.168.0.10
Switch_A(aaa-group)#exit
Switch_A(config)#aaa authentication dot1x default radius1
Switch_A(config)#end
Switch_A#copy running-config startup-config

2) Globally enable 802.1X authen..

Verify the Configurations - Page 488

Configuration Guide 467 Configuring Network Security Configuration Examples

3) Disable 802.1X authentication on port 1/0/2 and port 1/0/3. Enable 802.1X authentication on port 1/0/1, set the control mode as auto, and set the control type as MAC based.
Switch_A(config)#interface fastEthernet 1/0/2
Switch_A(config-if)#no dot1x
Switch_A(config-if)#exit
Switch_A(config)#interface fastEthernet 1/0/3
Switch_A(config-if)#no dot1x
Switch_A(config-if)#exit
Switch_A(config)#interface fastEthernet 1/0/1
Switch_A(config-if)#dot1x
Switch_A(config-if)#dot1x port-method mac-based
Switch_A(config-if)#dot1x..

8.3.1 Network Requirements - Page 489

Configuration Guide 468 Configuring Network Security Configuration Examples

----      -----      ---------   -----------   ----------   ----------   ---
Fa1/0/1   enabled    disabled    auto          mac-based    authorized   N/A
Fa1/0/2   disabled   disabled    auto          mac-based    authorized   N/A
Fa1/0/3   disabled   disabled    auto          mac-based    authorized   N/A
......

Verify the configurations of RADIUS:
Switch_A#show aaa global
AAA global status: Enable
Module    Login List   Enable List
Console   default      default
Telnet    default      default
Ssh       default      default
Http      default      default
Switch_A#show aaa authentication dot1x
Methodlist pri1 pri2 pri3 pri4
default rad..

8.3.2 Configuration Scheme - Page 490

Configuration Guide 469 Configuring Network Security Configuration Examples

Figure 8-16 Network Topology (labels: RADIUS Server 1, 192.168.0.10/24, Auth Port: 1812; RADIUS Server 2, 192.168.0.20/24, Auth Port: 1812; Switch; Administrator; Management Network)

8.3.2 Configuration Scheme
To implement this requirement, the senior administrator can create the login account and the Enable password on the two RADIUS servers, and configure the AAA feature on the switch. The IP addresses of the two RADIUS servers are 192.168.0.10/24 and 192.168.0.20/24; the authentication port number is 1812; the shared key is 123456...

Add RADIUS Server 1 - Page 491

Configuration Guide 470 Configuring Network Security Configuration Examples Figure 8-18 Add RADIUS Server 1 3) On the same page, configure the Server IP as 192.168.0.20, the Shared Key as 123456, the Auth Port as 1812, and keep the other parameters as default. Click Add to add RADIUS Server 2 on the switch. Figure 8-19 Add RADIUS Server 2 4) Choose the menu Network Security > AAA > Server Group to load the following page. In the Add New Server Group section, specify the group name as RADIUS1 and the server type as RADIUS. Click Add to create the server group.

Create Server Group - Page 492

Configuration Guide 471 Configuring Network Security Configuration Examples Figure 8-20 Create Server Group 5) On the same page, select the newly created server group and click edit to load the following page. Select 192.168.0.10 from the drop-down list, and click Add to add RADIUS Server 1 to the group. Then select 192.168.0.20 from the drop-down list, and click Add to add RADIUS Server 2 to the group. Figure 8-21 Add Servers to Server Group 6) Choose the menu Network Security > AAA > Method List to load the following page. Specify the Method List Name as Method-Login, select the Lis..

Configure Enable Method List - Page 493

Configuration Guide 472 Configuring Network Security Configuration Examples 7) On the same page, specify the Method List Name as Method-Enable, select the List Type as Authentication Enable, and select the Pri1 as RADIUS1. Click Add to set the method list for the Enable password authentication. Figure 8-23 Configure Enable Method List 8) Choose the menu Network Security > AAA > Global Config to load the following page. In the AAA Application List section, select telnet and configure the Login List as Method-Login and Enable List as Method-Enable. Then click Apply . Figure 8-24 Configu..

Verify the Configuration - Page 494

Configuration Guide 473 Configuring Network Security Configuration Examples

Switch(aaa-group)#exit

4) Create two method lists: Method-Login and Method-Enable, and configure the server group RADIUS1 as the authentication method for the two method lists.
Switch(config)#aaa authentication login Method-Login RADIUS1
Switch(config)#aaa authentication enable Method-Enable RADIUS1

5) Configure Method-Login and Method-Enable as the authentication method for the Telnet application.
Switch(config)#line telnet
Switch(config-line)#login authentication Method-Login
Switch(config-line)#enable authenticat..

- Page 495

Configuration Guide 474 Configuring Network Security Configuration Examples

Methodlist      pri1      pri2   pri3   pri4
default         none      --     --     --
Method-Enable   RADIUS1   --     --     --
......

Verify the status of the AAA feature and the configuration of the AAA application list:
Switch#show aaa global
AAA global status: Enable
Module    Login List     Enable List
Console   default        default
Telnet    Method-Login   Method-Enable
Ssh       default        default
Http      default        default
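An added example, not taken from the TP-Link guide: a Python check that parses `show aaa global` and the two `show aaa authentication` listings in the layout printed above and reports, for each management application, method lists that are undefined, contain `none`, or hold only server groups with no `local` entry to try when the servers do not respond. The sample text is constructed from the section 8.3 values, and reading `none` as "no credential check" is an assumption.

```python
import re

# Constructed sample output, laid out like the guide's `show aaa global`,
# `show aaa authentication login` and `show aaa authentication enable`
# listings and filled with the section 8.3 values.
SHOW_AAA_GLOBAL = """\
AAA global status: Enable
Module    Login List     Enable List
Console   default        default
Telnet    Method-Login   Method-Enable
Ssh       default        default
Http      default        default
"""

SHOW_LOGIN_LISTS = """\
Methodlist      pri1      pri2   pri3   pri4
default         local     --     --     --
Method-Login    RADIUS1   --     --     --
"""

SHOW_ENABLE_LISTS = """\
Methodlist      pri1      pri2   pri3   pri4
default         none      --     --     --
Method-Enable   RADIUS1   --     --     --
"""


def parse_method_lists(text):
    """Return {list name: [methods in priority order]}; empty '--' slots are dropped."""
    lists = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 2 or cols[0].lower() == "methodlist" or set(cols[0]) == {"-"}:
            continue  # header, separator, prompt or blank line
        lists[cols[0]] = [m for m in cols[1:5] if m != "--"]
    return lists


def parse_aaa_global(text):
    """Return (aaa_enabled, {module: (login list name, enable list name)})."""
    enabled = False
    modules = {}
    for line in text.splitlines():
        m = re.match(r"\s*AAA global status:\s*(\S+)", line, re.I)
        if m:
            enabled = m.group(1).lower().startswith("enable")
            continue
        cols = line.split()
        if len(cols) == 3:  # the header row splits into five words and is skipped
            modules[cols[0]] = (cols[1], cols[2])
    return enabled, modules


def audit(global_text, login_text, enable_text):
    """Return sorted (module, kind, code) findings for the AAA application list."""
    enabled, modules = parse_aaa_global(global_text)
    tables = {"login": parse_method_lists(login_text),
              "enable": parse_method_lists(enable_text)}
    findings = []
    if not enabled:
        findings.append(("global", "aaa", "disabled"))
    for module, (login_name, enable_name) in modules.items():
        for kind, name in (("login", login_name), ("enable", enable_name)):
            methods = tables[kind].get(name)
            if not methods:
                findings.append((module, kind, "undefined"))
            elif "none" in methods:
                # Assumption: `none` means no credential is checked at that step.
                findings.append((module, kind, "none-in-list"))
            elif "local" not in methods:
                # Only server groups: nothing is left to try if they do not respond.
                findings.append((module, kind, "no-local-fallback"))
    return sorted(findings)


if __name__ == "__main__":
    for module, kind, code in audit(SHOW_AAA_GLOBAL, SHOW_LOGIN_LISTS, SHOW_ENABLE_LISTS):
        print(f"{module:8} {kind:7} {code}")
```

On the section 8.3 values this reports the Telnet lists as server-group-only and the `default` Enable list (Pri1 `none`, as in Table 9-6) for Console, Ssh and Http.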

Appendix: Default Parameters - Page 496

Configuration Guide 475 Configuring Network Security Appendix: Default Parameters

9 Appendix: Default Parameters
Default settings of Network Security are listed in the following tables.

Table 9-1 IP-MAC Binding
Parameter       Default Setting
Protect Type    For Manual Binding: None
                For ARP Scanning: None
                For DHCP Snooping: All

Table 9-2 DHCP Snooping
Parameter               Default Setting
Global Config
  DHCP Snooping         Disable
  VLAN ID               Disable
Port Config
  Trusted Port          Disable
  MAC Verify            Enable
  Rate Limit            Disable
  Decline Protect       Disable
Option 82 Config
  Option 82 Support     Disable
  Operation Strategy    Keep
  Circuit ID Cu..

- Page 497

Configuration Guide 476 Configuring Network Security Appendix: Default Parameters

Table 9-3 ARP Inspection
Parameter             Default Setting
ARP Detect
  ARP Detect          Disable
  Trusted Port        None
ARP Defend
  Defend              Disable
  Speed               15 pps
ARP Statistics
  Auto Refresh        Disable
  Refresh Interval    5 seconds

Table 9-4 DoS Defend
Parameter             Default Setting
DoS Defend            Disable

Table 9-5 802.1X
Parameter                  Default Setting
Global Config
  802.1X Authentication    Disable
  Auth Method              EAP
  Handshake                Enable
  Guest VLAN               Disable
  Accounting               Disable
Quiet Feature
  Quiet Feature            Disable
  Quiet Period             10 seconds
  Retry Times              3

Table 9-6 - Page 498

Configuration Guide 477 Configuring Network Security Appendix: Default Parameters

Parameter                           Default Setting
  Supplicant Timeout                3 seconds
Port Config
  802.1X Status                     Disable
  Guest VLAN                        Disable
  Control Mode                      Auto
  Control Type                      MAC Based
Dot1X List
  Authentication Dot1x Method List  List Name: default  Pri1: radius
  Accounting Dot1x Method List      List Name: default  Pri1: radius

Table 9-6 AAA
Parameter         Default Setting
Global Config
  AAA             Disable
RADIUS Config
  Server IP       None
  Shared Key      None
  Auth Port       1812
  Acct Port       1813
  Retransmit      2
  Timeout         5 seconds
TACACS+ Config
  Server IP       None
  Timeout         5 seconds
  Shared Key..

Parameter - Page 499

Configuration Guide 478 Configuring Network Security Appendix: Default Parameters

Parameter                           Default Setting
Port                                49
Server Group                        There are two default server groups: radius and tacacs.
Method List
  Authentication Login Method List  List name: default, Pri1: local
  Authentication Enable Method List List name: default, Pri1: none
AAA Application List
  console                           Login List: default, Enable List: default
  telnet                            Login List: default, Enable List: default
  ssh                               Login List: default, Enable List: default
  http                              Login List: default, Enable List: default

..

Configuring - Page 503

Part 15 Configuring SNMP & RMON CHAPTERS 1. SNMP Overview 2. SNMP Configurations 3. Notification Configurations 4. RMON Overview 5. RMON Configurations 6. Configuration Example 7. Appendix: Default Parameters

..

SNMP Overview - Page 504

Configuring SNMP & RMON SNMP Overview Configuration Guide 483 1 SNMP Overview SNMP (Simple Network Management Protocol) is a standard network management protocol, widely used on TCP/IP networks. It facilitates device management using NMS (Network Management System) software. With SNMP, network managers can view or modify network device information, and troubleshoot according to notifications sent by those devices in a timely manner. The device supports three SNMP versions: SNMPv1, SNMPv2c and SNMPv3. Table 1-1 lists features supported by different SNMP versions, and Table 1-2 shows corre..

SNMP Configurations - Page 505

Configuration Guide 484 Configuring SNMP & RMON SNMP Configurations 2 SNMP Configurations To complete the SNMP configuration, choose an SNMP version according to network requirements and supportability of the NMS software, and then follow these steps:
• Choose SNMPv3 1) Enable SNMP. 2) Create an SNMP view for managed objects. 3) Create an SNMP group, and specify the access rights. 4) Create SNMP users, and configure the authentication mode, privacy mode and corresponding passwords.
• Choose SNMPv1 or SNMPv2c 1) Enable SNMP. 2) Create an SNMP view for managed objects. 3) Direct confi..

2.1.1 Enabling SNMP - Page 506

Configuring SNMP & RMON SNMP Configurations Configuration Guide 485 2.1 Using the GUI 2.1.1 Enabling SNMP Choose the SNMP > SNMP Config > Global Config to load the following page. Figure 2-1 Global Config Follow these steps to configure SNMP globally: 1) In the Global Config section, enable SNMP. Click Apply . 2) In the Local Engine section, configure the local engine ID. Click Apply . Local Engine ID Set the ID of the local SNMP Agent with 10 to 64 hexadecimal digits. The local engine ID is a unique alphanumeric string used to identify the SNMP engine on the switch. 3) In the Rem..

2.1.3 Creating an SNMP Group - Page 507

Configuration Guide 486 Configuring SNMP & RMON SNMP Configurations Figure 2-2 SNMP View Set the view name and one MIB variable that is related to the view. Choose the view type and click Create to add the view entry. View Name Set the view name with 1 to 16 characters. A complete view consists of all MIB objects that have the same view name. MIB Object ID Enter a MIB Object ID to specify a specific function of the device. For specific ID rules, refer to the device related MIBs. View Type Set the view to include or exclude the related MIB object. By default, it is included. Include: The..

SNMP > SNMP Config > SNMP Group - Page 508

Configuring SNMP & RMON SNMP Configurations Configuration Guide 487 Choose the menu SNMP > SNMP Config > SNMP Group to load the following page. Figure 2-3 SNMP Group Follow these steps to create an SNMP Group: 1) Set the group name and security model. If you choose SNMPv3 as the security model, you need to further configure security level. Group Name Set the SNMP group name. You may enter 1 to 16 characters. The identifier of a group consists of a group name, security model and security level. Groups of the same identifier are recognized as being in the same group. Security Model ..

SNMP > SNMP Config > SNMP User - Page 509

Configuration Guide 488 Configuring SNMP & RMON SNMP Configurations Read View Choose a view to allow parameters to be viewed but not modified by the NMS. The view is necessary for any group. By default, the view is viewDefault. To modify parameters of a view, you need to add it to Write View. Write View Choose a view to allow parameters to be modified but not viewed by the NMS. The default is none. The view in Write View should also be added to Read View. Notify View Choose a view to allow it to send notifications to the NMS. 2.1.4 Creating SNMP Users Choose the menu SNMP > SNMP Conf..

2.1.5 Creating SNMP Communities - Page 510

Configuring SNMP & RMON SNMP Configurations Configuration Guide 489 Security Model Choose the SNMP version of the security model. The default is SNMPv1. The setting should be identical with that of the specified group. v1: The group’s security model is SNMPv1. v2c: In this mode, Community Name is used for authentication. You can configure Community Name on the SNMP Community. v3: The group’s security model is SNMPv3. Security Level Set the security level for the SNMPv3 group. The default is noAuthNoPriv. noAuthNoPriv: No authentication mode or privacy mode is applied to check or enc..

SNMP > SNMP Config > SNMP Community - Page 511

Configuration Guide 490 Configuring SNMP & RMON SNMP Configurations Choose the menu SNMP > SNMP Config > SNMP Community to load the following page. Figure 2-5 SNMP Community Set the community name, access rights and the related view. Click Create . Community Name Set the community name with 1 to 16 characters. For SNMPv1 and SNMPv2c, the community name match is used for authentication. Access Specify the access right to the related view. The default is read-only. read-only: The NMS can view but not modify parameters of the specified view. read-write: The NMS can view and modify pa..

{[ - Page 512

Configuring SNMP & RMON SNMP Configurations Configuration Guide 491 Step 3 snmp-server engineID {[ local local-engineID ] [ remote remote-engineID ]} (Optional) Configure the local engine ID and the remote engine ID. local-engineID: Enter the local engine ID with 10 to 64 hexadecimal digits. The ID must contain an even number of characters. It is a unique alphanumeric string, used to identify the SNMP engine on the switch. remote-engineID: Enter the remote engine ID with 10 to 64 hexadecimal digits. The ID must contain an even number of characters. The remote engine ID is a unique alpha..

Switch(config)#show snmp-server engineID - Page 513

Configuration Guide 492 Configuring SNMP & RMON SNMP Configurations 0 Get-next PDUs 0 Set-request PDUs 0 SNMP packets output 0 Too big errors(Maximum packet size 1500) 0 No such name errors 0 Bad value errors 0 General errors 0 Response PDUs 0 Trap PDUs Switch(config)#show snmp-server engineID Local engine ID : 80002e5703000aeb132397 Remote engine ID: 123456789a Switch(config)#end Switch#copy running-config startup-config 2.2.2 Creating an SNMP View Specify the OID (Object Identifier) of the view to determine objects to be managed. Step 1 configure Enter global configuration mode. Step ..

copy running-config startup-config - Page 514

Configuring SNMP & RMON SNMP Configurations Configuration Guide 493 Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set a view to allow the NMS to manage all functions. Name the view View: Switch#configure Switch(config)#snmp-server view View 1 include Switch(config)#show snmp-server view No. View Name Type MOID --- ------------ ------- ---- 1 viewDefault include 1 2 viewDefault exclude 1.3.6.1.6.3.15 3 viewDefault exclude 1.3.6.1.6.3.16 4 viewDefault exclude 1.3.6.1.6.3.18 5 View include 1 Switch(config)#end Sw..

- Page 515

Configuration Guide 494 Configuring SNMP & RMON SNMP Configurations Step 2 snmp-server group name [ smode {v1 | v2c | v3}] [ slev {noAuthNoPriv | authNoPriv | authPriv}] [ read read-view ] [ write write-view ] [ notify notify-view ] Set an SNMP group. name : Enter the group name with 1 to 16 characters. The identifier of a group consists of a group name, security model and security level. Groups of the same identifier are recognized as being in the same group. v1 | v2c | v3 : Choose a security mode for the SNMP group from the following: SNMPv1, S..

2.2.4 Creating SNMP Users - Page 516

Configuring SNMP & RMON SNMP Configurations Configuration Guide 495 2.2.4 Creating SNMP Users Configure users of the SNMP group. Users belong to the group, and use the same security level and access rights as the group. Step 1 configure Enter global configuration mode. Step 2 snmp-server user name { local | remote } group-name [ smode { v1 | v2c | v3 }] [ slev { noAuthNoPriv | authNoPriv | authPriv }] [ cmode { none | MD5 | SHA }] [ cpwd confirm-pwd ] [ emode { none | DES }] [ epwd encrypt-pwd ] Configure users of the SNMP group. name : Enter the user name with 1 to 16 characters. local..

2.2.5 Creating SNMP Communities - Page 517

Configuration Guide 496 Configuring SNMP & RMON SNMP Configurations security level, SHA as the authentication algorithm, 1234 as the authentication password, DES as the privacy algorithm and 1234 as the privacy password: Switch#configure Switch(config)#snmp-server user admin remote nms-monitor smode v3 slev authPriv cmode SHA cpwd 1234 emode DES epwd 1234 Switch(config)#show snmp-server user No. U-Name U-Type G-Name S-Mode S-Lev A-Mode P-Mode --- ------ ------ ------ ------ ----- ------ ------ 1 admin remote nms-monitor v3 authPriv SHA DES Switch(config)#end Switch#copy running-config s..

- Page 518

Configuring SNMP & RMON SNMP Configurations Configuration Guide 497

Switch(config)#snmp-server community nms-monitor read-write View
Switch(config)#show snmp-server community
Index Name             Type         MIB-View
----- ---------------- ------------ --------
1     nms-monitor      read-write   View
Switch(config)#end
Switch#copy running-config startup-config
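The user and community commands shown in this chapter can be checked for weak settings before a configuration is saved. The following is an added example, not part of the TP-Link guide: it audits lines in the snmp-server view, user and community syntax shown above. The rule names, the 8-character password minimum and the "legacy" user line are assumptions made for the illustration.

```python
import shlex

MIN_PASSWORD_LEN = 8  # assumed local policy, not a value from the manual

# Defaults from the guide's default user settings (security model v1, noAuthNoPriv).
USER_DEFAULTS = {"smode": "v1", "slev": "noAuthNoPriv", "cmode": "none", "emode": "none"}

# Lines 1-3 are the guide's own example commands; line 4 is constructed.
SAMPLE_CONFIG = """\
snmp-server view View 1 include
snmp-server user admin remote nms-monitor smode v3 slev authPriv cmode SHA cpwd 1234 emode DES epwd 1234
snmp-server community nms-monitor read-write View
snmp-server user legacy local old-group
"""


def _tokens(line):
    """Drop a CLI prompt such as 'Switch(config)#' and split the line into words."""
    line = line.strip()
    if "#" in line.split(" ", 1)[0]:
        line = line.split("#", 1)[1]
    return shlex.split(line)


def _options(words, defaults):
    """Read 'keyword value' pairs (smode v3, cpwd ...) on top of the defaults."""
    opts = dict(defaults)
    for key, value in zip(words[0::2], words[1::2]):
        opts[key] = value
    return opts


def root_views(config):
    """Names of views that include OID 1, which the guide describes as all functions."""
    views = set()
    for line in config.splitlines():
        w = _tokens(line)
        if w[:2] == ["snmp-server", "view"] and w[3:5] == ["1", "include"]:
            views.add(w[2])
    return views


def audit(config):
    """Return (line number, rule, message) for each weak SNMP setting found."""
    roots = root_views(config)
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        w = _tokens(line)
        if len(w) < 3 or w[0] != "snmp-server":
            continue

        def add(rule, message):
            findings.append((no, rule, message))

        if w[1] == "user" and len(w) >= 5:
            # snmp-server user name {local|remote} group-name [options...]
            o = _options(w[5:], USER_DEFAULTS)
            if o["smode"] != "v3":
                add("legacy-version", f"user {w[2]}: SNMP{o['smode']} has no per-user auth or encryption")
                continue
            if o["slev"] == "noAuthNoPriv":
                add("no-auth", f"user {w[2]}: no authentication and no privacy")
            elif o["slev"] == "authNoPriv":
                add("no-privacy", f"user {w[2]}: payload is not encrypted")
            if o["slev"] != "noAuthNoPriv" and o["cmode"] == "MD5":
                add("md5-auth", f"user {w[2]}: MD5 authentication, SHA is also offered")
            if o["slev"] == "authPriv" and o["emode"] == "DES":
                add("des-privacy", f"user {w[2]}: DES privacy uses a 56-bit key")
            for key in ("cpwd", "epwd"):
                if key in o and len(o[key]) < MIN_PASSWORD_LEN:
                    add(f"short-{key}", f"user {w[2]}: {key} is under {MIN_PASSWORD_LEN} characters")
            if "cpwd" in o and o["cpwd"] == o.get("epwd"):
                add("shared-password", f"user {w[2]}: same password for auth and privacy")
        elif w[1] == "community":
            # Assumption: omitted access/view fall back to the documented defaults.
            access = w[3] if len(w) > 3 else "read-only"
            view = w[4] if len(w) > 4 else "viewDefault"
            if access == "read-write":
                add("rw-community", f"community {w[2]}: write access guarded only by the community name")
                if view in roots:
                    add("rw-root-view", f"community {w[2]}: writable view {view} includes OID 1")
    return findings


if __name__ == "__main__":
    for no, rule, message in audit(SAMPLE_CONFIG):
        print(f"line {no}: [{rule}] {message}")
```

Run against the guide's own example commands, it flags the DES privacy mode and the 4-character passwords of user admin and the read-write community bound to a view that includes OID 1.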

..

SNMP > Notification > Notification Config - Page 519

Configuration Guide 498 Configuring SNMP & RMON Notification Configurations 3 Notification Configurations With Notification enabled, the switch can send notifications to the NMS about important events relating to the device’s operation. This facilitates the monitoring and management of the NMS. Configuration Guidelines
• To guarantee the communication between the switch and the NMS, ensure the switch and the NMS are able to reach one another.
• Functions of the SNMP Extend Trap can be configured only with CLI. If needed, please refer to (Optional) Enabling the SNMP Extend Trap , (..

Create - Page 520

Configuring SNMP & RMON Notification Configurations Configuration Guide 499 IP Mode Choose an IP mode for the host, which should be coordinated with the IP Address. 2) Specify the user name or community name used by the NMS, and configure the security model and security level based on the settings of the user or community. User Name Specify the user name or community name used by the NMS. Security Model Choose the corresponding SNMP version for the NMS. The version should be consistent with settings of the user or community. v1: The NMS uses SNMPv1. v2: The NMS uses SNMPv2c. v3: The NMS..

3.2.1 Configuring the Host - Page 521

Configuration Guide 500 Configuring SNMP & RMON Notification Configurations 3.2 Using the CLI 3.2.1 Configuring the Host Configure parameters of the NMS host and packet handling mechanism. Step 1 configure Enter global configuration mode. Step 2 snmp-server host ip udp-port user-name [ smode { v1 | v2c | v3 }] [ slev {noAuthNoPriv | authNoPriv | authPriv }] [ type { trap | inform}] [ retries retries ] [ timeout timeout ] Configure parameters of the NMS host and packet handling mechanism. ip: Specify the IP..

linkup | linkdown | warmstart | coldstart | auth-failure - Page 522

Configuring SNMP & RMON Notification Configurations Configuration Guide 501 Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set the NMS host IP address as 172.168.1.222, UDP port as port 162, name used by the NMS as admin, security model as SNMPv3, security level as authPriv, notification type as Inform, retry times as 3, and the timeout interval as 100 seconds: Switch#configure Switch(config)#snmp-server host 172.168.1.222 162 admin smode v3 slev authPriv type inform retries 3 timeout 100 Switch(config)#show snmp..

(Optional) Enabling the SNMP Extend Trap - Page 523

Configuration Guide 502 Configuring SNMP & RMON Notification Configurations Step 3 end Return to privileged EXEC mode. Step 4 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure the switch to send linkup traps: Switch#configure Switch(config)#snmp-server traps snmp linkup Switch(config)#end Switch#copy running-config startup-config
• (Optional) Enabling the SNMP Extend Trap Step 1 configure Enter global configuration mode.

..

Switch#configure - Page 524

Configuring SNMP & RMON Notification Configurations Configuration Guide 503 Step 2 For T1500-28TC: snmp-server traps { bandwidth-control | cpu | flash | lldp | loopback-detection | storm- control | spanning-tree | memory } For T1500-28PCT: snmp-server traps { bandwidth-control | cpu | flash | lldp | loopback-detection | storm- control | spanning-tree | memory | power } Configure parameters of extended traps supported on the switch. bandwidth-control: The trap is used to monitor whether the bandwidth has reached the limit that you have set. The trap is disabled by default. The trap can b..

(Optional) Enabling the Link-status Trap - Page 525

Configuration Guide 504 Configuring SNMP & RMON Notification Configurations Switch#copy running-config startup-config
• (Optional) Enabling the Link-status Trap Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Configure notification traps on the specified ports. port/port-list: The number or the list of the Ethernet ports on which you want to configure notification traps. Step 3 snmp-server traps l..

5.2.2 Configuring History - Page 533

Configuration Guide 512 Configuring SNMP & RMON RMON Configurations Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create two statistics entries on the switch to monitor port 1/0/1 and 1/0/2 respectively. The owner of the entry is monitor and the entry is valid: Switch#configure Switch(config)#rmon statistics 1 interface fastEthernet 1/0/1 owner monitor status valid Switch(config)#rmon statistics 2 interface fastEthernet 1/0/2 owner monitor status valid Switch(config)#show rmon statistics Index Port Owner State -..

5.2.3 Configuring Event - Page 534

Configuring SNMP & RMON RMON Configurations Configuration Guide 513 Step 3 show rmon history [ index ] Displays the specified history entry and related configurations. index: Enter the index of history entries that you want to view. The range is 1 to 12, and the format is 1-3 or 5. Step 4 end Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create a history entry on the switch to monitor port 1/0/1. Set the sample interval as 100 seconds, max buckets as 50, and the owner as monitor: ..

: - Page 535

Configuration Guide 514 Configuring SNMP & RMON RMON Configurations Step 2 rmon event index [ user user-name ] [ description description ] [ type { none | log | notify | log-notify }] [ owner owner-name ] Configuring RMON event entries. index: Enter the index of the event entry from 1 to 12 in the format of 1-3 or 5. user-name: Enter the SNMP user name or community name of the entry. The name should be what you have set in SNMP previously. The default name is public. description: Give a description to the entry with 1 to 16 characters. By default, the description is empty. none | log | n..

5.2.4 Configuring Alarm - Page 536

Configuring SNMP & RMON RMON Configurations Configuration Guide 515 5.2.4 Configuring Alarm Step 1 configure Enter global configuration mode. Step 2 rmon alarm index { stats-index sindex } [ alarm-variable { revbyte | revpkt | bpkt | mpkt | crc- align | undersize | oversize | jabber | collision | 64 | 65-127 | 128-255 | 256-511 | 512-1023 | 1024-10240}] [ s-type {absolute | delta}] [ rising-threshold r-hold ] [ rising-event-index r-event ] [ falling-threshold f-hold ] [ falling-event-index f-event ] [ a-type {rise | fall | all} ] [ owner owner-name ] [ interval interval ] Configuring RM..

show rmon alarm - Page 537

Configuration Guide 516 Configuring SNMP & RMON RMON Configurations Step 3 show rmon alarm [ index ] Displays the specified alarm entry and related configurations. index: Enter the index of alarm entries that you want to view. The range is 1 to 12, and the format is 1-3 or 5. Step 4 end Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set an alarm entry to monitor BPackets on the switch. Set the related Statistics entry ID as 1, the sample type as Absolute, the rising threshold as 30..

Configuration Example - Page 538

Configuring SNMP & RMON Configuration Example Configuration Guide 517 6 Configuration Example 6.1 Network Requirements A company that deploys NMS to monitor the operation status of TP-Link switches has requirements as follows: 1) Monitor traffic flow of specified ports, and send notifications to the NMS when the actual rate of transmitting and receiving packets exceeds the preset threshold. 2) Monitor the sending status of specified ports, and regularly collect and save data for follow-up checks. Specifically, during the sample interval, the switch should notify the NMS when the number ..

SNMP > SNMP Config > Global Confi - Page 539

Configuration Guide 518 Configuring SNMP & RMON Configuration Example 6.3 Network Topology As shown in the following figure, the NMS host with IP address 172.168.1.222 is connected to the core switch, Switch B. On Switch A, ports 1/0/1 and 1/0/2 are monitored by the NMS; port 1/0/3 is connected to Switch B. And port 1/0/3 and the NMS are able to reach one another. Figure 6-1 Network Topology Fa1/0/1 NMS Switch B Switch A IP: 172.168.1.222 Fa1/0/2 Fa1/0/3 Demonstrated with T1500-28PCT, this chapter provides configuration procedures in two ways: using the GUI and using the CLI. 6.4 Using ..

Enabling SNMP - Page 540

Configuring SNMP & RMON Configuration Example Configuration Guide 519 Figure 6-2 Enabling SNMP 2) Choose SNMP > SNMP Config > SNMP View to load the following page. Name the SNMP view as View, set MIB Object ID as 1 (which means all functions), and set the view type as Include. Click Create . Figure 6-3 SNMP View Configuration 3) Choose SNMP > SNMP Config > SNMP Group to load the following page. Create a group with the name of nms-monitor, choose SNMPv3 and enable authentication and privacy, and add View to Read View and Notify View. Click Create .

..

SNMP Group Configuration - Page 541

Configuration Guide 520 Configuring SNMP & RMON Configuration Example Figure 6-4 SNMP Group Configuration 4) Choose SNMP > SNMP Config > SNMP User to load the following page. Create a user named admin for the NMS, set the user type as Remote User and specify the group name. Set the Security Model and Security Level in accordance with those of the group nms-monitor. Choose SHA authentication algorithm and DES privacy algorithm, and set corresponding passwords. Click Create . Figure 6-5 User Config 5) Choose SNMP > Notification > Notification Config to load the following page...

Enabling Bandwidth-control Trap - Page 542

Configuring SNMP & RMON Configuration Example Configuration Guide 521 Figure 6-6 Notification Configuration 6) Click Save Config to save the settings.
• Enabling Bandwidth-control Trap The feature can be configured only with the CLI. You can enter the following commands under the CLI configuration mode: Switch>enable Enter Privileged EXEC Mode. Switch#config Enter global configuration mode. Switch(config)#snmp-server traps bandwidth-control Enable Bandwidth-control trap.
• Configuring RMON 1) Choose SNMP > RMON > Statistics to load the following page. Create two entries and ..

SNMP > RMON > History - Page 543

Configuration Guide 522 Configuring SNMP & RMON Configuration Example Figure 6-8 Configuring Entry 2 2) Choose the menu SNMP > RMON > History to load the following page. Configure entries 1 and 2. Bind entries 1 and 2 to ports 1/0/1 and 1/0/2 respectively, and set the Interval as 100 seconds, Max Buckets as 50, the owner of the entries as monitor, and the status as Enable. Figure 6-9 History Configuration 3) Choose the menu SNMP > RMON > Event to load the following page. Configure entries 1 and 2. For entry 1, set the SNMP user name as admin, type as Notify, description as ..

Configuring Rate Limit on ports - Page 544

Configuring SNMP & RMON Configuration Example Configuration Guide 523 Figure 6-10 Event Configuration 4) Choose SNMP > RMON > Alarm to load the following page. Configure entries 1 and 2. For entry 1, set the alarm variable as BPackets, related statistics entry ID as 1 (bound to port 1/0/1), the sample type as Absolute, the rising threshold as 3000, associated rising event entry ID as 1 (which is the notify type), the falling threshold as 2000, the associated falling event entry ID as 2 (which is the log type), the alarm type as all, the interval as 10 seconds, the owner name as mo..

Configuring SNMP - Page 545

Configuration Guide 524 Configuring SNMP & RMON Configuration Example
• Configuring SNMP 1) Enable SNMP and specify the remote engine ID. Switch#configure Switch(config)#snmp-server Switch(config)#snmp-server engineID remote 123456789a 2) Create a view with the name View; set the MIB Object ID as 1 (which represents all functions), and the view type as Include. Switch(config)#snmp-server view View 1 include 3) Create a group of SNMPv3 with the name of nms-monitor. Enable Auth Mode and Privacy Mode, and set the view as read View and notify view. Switch(config)#snmp-server group nms-mon..

Verify the Configurations - Page 546

Configuring SNMP & RMON Configuration Example Configuration Guide 525 Switch(config)#rmon history 2 interface fastEthernet 1/0/2 interval 100 owner monitor buckets 50 3) Create two event entries named admin, which is the SNMP user name. Set entry 1 as the Notify type and its description as “rising notify”. Set entry 2 as the Log type and its description as “falling log”. Set the owner of them as monitor. Switch(config)#rmon event 1 user admin description rising-notify type notify owner monitor Switch(config)#rmon event 2 user admin description falling-log type log owner monitor ..

- Page 547

Configuration Guide 526 Configuring SNMP & RMON Configuration Example 0 Too big errors(Maximum packet size 1500) 0 No such name errors 0 Bad value errors 0 General errors 0 Response PDUs 0 Trap PDUs Verify SNMP engine ID: Switch(config)#show snmp-server engineID Local engine ID : 80002e5703000aeb132397 Remote engine ID: 123456789a Verify SNMP view configurations: Switch(config)#show snmp-server view No. View Name Type MOID --- -------------- ------- ------------------- 1 viewDefault include 1 2 viewDefault exclude 1.3.6.1.6.3.15 3 viewDefault exclude 1.3.6.1.6.3.16 4 viewDefault exclude..

- Page 548

Configuring SNMP & RMON Configuration Example Configuration Guide 527 No. U-Name U-Type G-Name S-Mode S-Lev A-Mode P-Mode --- ----------- ------ ------ ------ ----- ------ ------ 1 admin remote nms-monitor v3 authPriv SHA DES Verify SNMP host configurations: Switch(config)#show snmp-server host No. Des-IP UDP Name SecMode SecLev Type Retry Timeout --- ---------------- ----- -------- --------- ---------- ------- ----- -------- 1 172.168.1.222 162 admin v3 authPriv inform 3 100 Verify RMON statistics configurations: Switch(config)#show rmon statistics Index Port Owner State ----- --------..

- Page 549

Configuration Guide 528 Configuring SNMP & RMON Configuration Example

Verify RMON alarm configurations:

Switch(config)#show rmon alarm
Index-State: 1-Enabled
Statistics index: 1
Alarm variable: BPkt
Sample Type: Absolute
RHold-REvent: 3000-1
FHold-FEvent: 2000-2
Alarm startup: All
Interval: 10
Owner: monitor

Index-State: 2-Enabled
Statistics index: 2
Alarm variable: BPkt
Sample Type: Absolute
RHold-REvent: 3000-1
FHold-FEvent: 2000-2
Alarm startup: All
Interval: 10
Owner: monitor

..

Appendix: Default Parameters - Page 550

Configuring SNMP & RMON Appendix: Default Parameters Configuration Guide 529 7 Appendix: Default Parameters Default settings of SNMP are listed in the following table. Table 7-1 Default Global Config Settings Parameter Default Setting SNMP Disable Local Engine ID Automatically Remote Engine ID None Table 7-2 Default SNMP View Settings Parameter Default Setting View Name None MIB Object ID None View Type Include Table 7-3 Default SNMP View Table Settings View Name View Type MIB Object ID viewDefault Include 1 viewDefault Exclude 1.3.6.1.6.3.15 viewDefault Exclude 1.3.6.1.6.3.16 viewDefau..

- Page 551

Configuration Guide 530 Configuring SNMP & RMON Appendix: Default Parameters Table 7-5 Default User Settings Parameter Default Setting User Name None User Type Local User Group Name None Security Model v1 Security Level noAuthNoPriv Auth Mode None Auth Password None Privacy Mode None Privacy Password None Table 7-6 Default Community Settings Parameter Default Setting Community Name None Access read-only MIB View viewDefault Default settings of Notification are listed in the following table. Table 7-7 Default Host Config Settings Parameter Default Setting IP Address None UDP Port 162 Use..

- Page 552

Configuring SNMP & RMON Appendix: Default Parameters Configuration Guide 531 Table 7-8 Default Statistics Config Settings Parameter Default Setting ID None Port None Owner None IP Mode valid Table 7-9 Default Settings for History Entries Parameter Default Setting Port 1/0/1 Interval 1800 seconds Max Buckets 50 Owner monitor Status Disable Table 7-10 Default Settings for Event Entries Parameter Default Setting User public Description None Type None Owner monitor Status Disable Table 7-11 Default Settings for Alarm Entries Parameter Default Setting Variable RecBytes Statistics None Sample..

Parameter - Page 553

Configuration Guide 532 Configuring SNMP & RMON Appendix: Default Parameters Parameter Default Setting Status Disable

..

Configuring LLDP - Page 554

Part 16 Configuring LLDP CHAPTERS 1. LLDP 2. LLDP Configurations 3. LLDP-MED Configurations 4. Viewing LLDP Settings 5. Viewing LLDP-MED Settings 6. Configuration Example 7. Appendix: Default Parameters

..

LLDP - Page 555

Configuration Guide 534 Configuring LLDP LLDP 1 LLDP 1.1 Overview LLDP (Link Layer Discovery Protocol) is a neighbor discovery protocol that network devices use to advertise information about themselves to other devices on the network. The protocol is defined by the IEEE 802.1ab standard and runs over Layer 2 (the data-link layer), which allows for interoperability between network devices of different vendors. With the LLDP feature, network administrators can get the managed network devices’ information from the switch or the NMS (Network Management System), which can he..

LLDP Configurations - Page 556

Configuring LLDP LLDP Configurations Configuration Guide 535 2 LLDP Configurations With LLDP configurations, you can: 1) Enable the LLDP feature on the switch. 2) (Optional) Configure the LLDP feature globally. 3) (Optional) Configure the LLDP feature for the interface. 2.1 Using the GUI 2.1.1 Global Config Choose the LLDP > Basic Config > Global Config to load the following page. Figure 2-1 Global Config

..

- Page 557

Configuration Guide 536 Configuring LLDP LLDP Configurations Follow these steps to enable LLDP and configure the LLDP feature globally. 1) In the Global Config section, enable LLDP. Click Apply . 2) In the Parameters Config section, configure the LLDP parameters. Click Apply . Transmit Interval Enter the interval between successive LLDP packets that are periodically sent from the local device to its neighbors. The default is 30 seconds. Hold Multiplier Specify the amount of time the neighbor device should hold the received information before discarding it. The default is 4. TTL (Time to Liv..

2.1.2 Port Config - Page 558

Configuring LLDP LLDP Configurations Configuration Guide 537 2.1.2 Port Config Choose the menu LLDP > Basic Config > Policy Config to load the following page. Figure 2-2 Port Config Follow these steps to configure the LLDP feature for the interface. 1) Select the desired port and set its Admin Status and Notification Mode. Admin Status Set Admin Status for the port to deal with LLDP packets. Tx&Rx: The port will transmit LLDP packets and process the received LLDP packets. Rx_Only: The port will only process the received LLDP packets but not transmit LLDP packets. Tx_Only: The port ..

2.2.1 Global Config - Page 559

Configuration Guide 538 Configuring LLDP LLDP Configurations Included TLVs Configure the TLVs included in the outgoing LLDP packets. TP-Link supports the following TLVs: PD: Used to advertise the port description defined by the IEEE 802 LAN station. SC: Used to advertise the supported functions and whether or not these functions are enabled. SD: Used to advertise the system’s description including the full name and version identification of the system’s hardware type, software operating system, and networking software. SN: Used to advertise the system name. SA: Used to advertise the loc..

- Page 560

Configuring LLDP LLDP Configurations Configuration Guide 539 Step 3 lldp hold-multiplier (Optional) Specify the amount of time the neighbor device should hold the received information before discarding it. The default is 4. TTL (Time to Live) = Hold Multiplier * Transmit Interval. Step 4 lldp timer { tx-interval tx-interval | tx-delay tx-delay | reinit-delay reinit-delay | notify- interval notify-interval | fast-count fast-count } (Optional) Configure the timers for LLDP packet forwarding. tx-interval: Enter the interval between successive LLDP packets that are periodically sent from the lo..

Switch(config)#end - Page 561

Configuration Guide 540 Configuring LLDP LLDP Configurations TTL Multiplier: 4 Tx Delay: 2 seconds Initialization Delay: 2 seconds Trap Notification Interval: 5 seconds Fast-packet Count: 3 LLDP-MED Fast Start Repeat Count: 4 Switch(config)#end Switch#copy running-config startup-config 2.2.2 Port Config Select the desired port and set its Admin Status, Notification Mode and the TLVs included in the LLDP packets. Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | r..

- Page 562

Configuring LLDP LLDP Configurations Configuration Guide 541 The following example shows how to configure the port 1/0/1. The port can receive and transmit LLDP packets, its notification mode is enabled and the outgoing LLDP packets include all TLVs. Switch#configure Switch(config)#lldp Switch(config)#interface fastEthernet 1/0/1 Switch(config-if)#lldp receive Switch(config-if)#lldp transmit Switch(config-if)#lldp snmp-trap Switch(config-if)#lldp tlv-select all Switch(config-if)#show lldp interface fastEthernet 1/0/1 LLDP interface config: fastEthernet 1/0/1: Admin Status: TxRx SNMP Trap: E..

LLDP-MED Parameters Config - Page 563

Configuration Guide 542 Configuring LLDP LLDP-MED Configurations 3 LLDP-MED Configurations With LLDP-MED configurations, you can: 1) Configure the LLDP-MED feature globally. 2) Enable and configure the LLDP-MED feature on the interface. Configuration Guidelines LLDP-MED is used together with Voice VLAN to implement VoIP access. Besides the configuration of the LLDP-MED feature, you also need to configure the Voice VLAN feature. Refer to Configuring Voice VLAN for detailed instructions. 3.1 Using the GUI 3.1.1 Global Config Choose the LLDP > LLDP-MED > Global Config to load the following page..

LLDP-MED Port Config - Page 564

Configuring LLDP LLDP-MED Configurations Configuration Guide 543 3.1.2 Port Config Choose the menu LLDP > LLDP-MED > Policy Config to load the following page. Figure 3-2 LLDP-MED Port Config Follow these steps to enable LLDP-MED: 1) Select the desired port and enable LLDP-MED. Click Apply. 2) Click Detail to enter the following page. Configure the TLVs included in the outgoing LLDP packets. If Location Identification is selected, you need to configure the Emergency Number or select Civic Address to configure the details. Click Apply.

..

LLDP-MED Port Config-Detail - Page 565

Configuration Guide 544 Configuring LLDP LLDP-MED Configurations Figure 3-3 LLDP-MED Port Config-Detail Network Policy Used to advertise VLAN configuration and the associated Layer 2 and Layer 3 attributes of the port to the Endpoint devices. Location Identification Used to assign the location identifier information to the Endpoint devices. If this option is selected, you can configure the emergency number or the detailed address of the Endpoint device in the Location Identification Parameters section. Extended Power-Via-MDI Used to advertise the detailed PoE information including power sup..

3.2.1 Global Config - Page 566

Configuring LLDP LLDP-MED Configurations Configuration Guide 545 Civic Address Configure the address of the audio device in the IETF defined address format. What: Specify the role type of the local device, DHCP Server, Switch or LLDP-MED Endpoint. Country Code: Enter the country code defined by ISO 3166, for example, CN, US. Language, Province/State etc.: Enter the regular details. 3.2 Using the CLI 3.2.1 Global Config Step 1 configure Enter global configuration mode. Step 2 lldp Enable the LLDP feature on the switch. Step 3 lldp med-fast-count count (Optional) Specify the number of succes..

Switch(config)#end - Page 567

Configuration Guide 546 Configuring LLDP LLDP-MED Configurations TTL Multiplier: 4 Tx Delay: 2 seconds Initialization Delay: 2 seconds Trap Notification Interval: 5 seconds Fast-packet Count: 3 LLDP-MED Fast Start Repeat Count: 4 Switch(config)#end Switch#copy running-config startup-config 3.2.2 Port Config Select the desired port, enable LLDP-MED and select the TLVs (Type/Length/Value) included in the outgoing LLDP packets according to your needs. Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port

end - Page 568

Configuring LLDP LLDP-MED Configurations Configuration Guide 547 Step 6 end Return to Privileged EXEC Mode. Step 7 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable LLDP-MED on port 1/0/1 and configure the LLDP-MED TLVs included in the outgoing LLDP packets. Switch(config)#lldp Switch(config)#lldp med-fast-count 4 Switch(config)#interface fastEthernet 1/0/1 Switch(config-if)#lldp med-status Switch(config-if)#lldp med-tlv-select all Switch(config-if)#show lldp interface fastEthernet 1/0/1 LLDP interface config: fastEthern..

Switch(config)#end - Page 569

Configuration Guide 548 Configuring LLDP LLDP-MED Configurations LLDP-MED Status: Enabled TLV Status --- ------ Network Policy Yes Location Identification Yes Extended Power Via MDI Yes Inventory Management Yes Switch(config)#end Switch#copy running-config startup-config

..

4.1.1 Viewing LLDP Device Info - Page 570

Configuring LLDP Viewing LLDP Settings Configuration Guide 549 4 Viewing LLDP Settings This chapter introduces how to view the LLDP settings on the local device. 4.1 Using GUI 4.1.1 Viewing LLDP Device Info • Viewing the Local Info Choose the menu LLDP > Device Info > Local Info to load the following page. Figure 4-1 Local Info

..

Auto Refresh - Page 571

Configuration Guide 550 Configuring LLDP Viewing LLDP Settings Follow these steps to view the local information: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs. Click Apply . 2) In the Local Info section, select the desired port and view its associated local device information. Local Interface Displays the local port ID. Chassis ID Subtype Displays the Chassis ID type. Chassis ID Displays the value of the Chassis ID. Port ID Subtype Displays the Port ID type. Port ID Displays the value of the Port ID. TTL Specify the amount o..

Viewing the Neighbor Info - Page 572

Configuring LLDP Viewing LLDP Settings Configuration Guide 551 • Viewing the Neighbor Info Choose the menu LLDP > Device Info > Neighbor Info to load the following page. Figure 4-2 Neighbor Info Follow these steps to view the neighbor information: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs. Click Apply. 2) In the Local Info section, select the desired port and view its associated neighbor device information. System Name Displays the system name of the neighbor device. Chassis ID Displays the Chassis ID of the nei..

4.1.2 Viewing LLDP Statistics - Page 573

Configuration Guide 552 Configuring LLDP Viewing LLDP Settings 4.1.2 Viewing LLDP Statistics Choose the menu LLDP > Device Statistics > Statistics Info to load the following page. Figure 4-3 Static Info Follow these steps to view LLDP statistics: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs. Click Apply. 2) In the Global Statistics section, view the global statistics of the local device. Last Update Displays the time when the statistics were updated. Total Inserts Displays the latest number of neighbors the local device h..

Viewing the Local Info - Page 574

Configuring LLDP Viewing LLDP Settings Configuration Guide 553 Transmit Total Displays the total number of the LLDP packets sent via the port. Receive Total Displays the total number of the LLDP packets received via the port. Discards Displays the total number of the LLDP packets discarded by the port. Errors Displays the total number of the error LLDP packets received via the port. Ageouts Displays the number of the aged out neighbors that are connected to the port. TLV Discards Displays the total number of the TLVs discarded by the port when receiving LLDP packets. TLV Unknowns Displays t..

Viewing LLDP-MED Settings - Page 575

Configuration Guide 554 Configuring LLDP Viewing LLDP-MED Settings 5 Viewing LLDP-MED Settings 5.1 Using GUI • Viewing the Local Info Figure 5-1 LLDP-MED Local Info Follow these steps to view LLDP-MED local information: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs. Click Apply. 2) In the LLDP-MED Local Info section, select the desired port and view the LLDP-MED settings.

..

Note: - Page 576

Configuring LLDP Viewing LLDP-MED Settings Configuration Guide 555 Local Interface Displays the local port ID. Device Type Displays the local device type defined by LLDP-MED. Application Type Displays the supported applications of the local device. Unknown Policy Flag Displays the unknown location settings included in the network policy TLV. VLAN tagged Displays the VLAN Tag type of the applications, tagged or untagged. Media Policy VLAN ID Displays the 802.1Q VLAN ID of the port. Media Policy Layer 2 Priority Displays the Layer 2 priority used in the specific application. Media Po..

Viewing the Neighbor Info - Page 577

Configuration Guide 556 Configuring LLDP Viewing LLDP-MED Settings • Viewing the Neighbor Info Figure 5-2 LLDP-MED Neighbor Info Follow these steps to view LLDP-MED neighbor information: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs. Click Apply. 2) In the LLDP-MED Neighbor Info section, select the desired port and view the LLDP-MED settings. Device Type Displays the LLDP-MED device type of the neighbor device. Application Type Displays the application type of the neighbor device. Location Data Format Displays the locat..

Viewing the Neighbor Info - Page 578

Configuring LLDP Viewing LLDP-MED Settings Configuration Guide 557 • Viewing the Neighbor Info show lldp neighbor-information interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } Display the information of the neighbor device which is connected to the port. • Viewing LLDP Statistics show lldp traffic interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } View the statistics of the corresponding port.

..

Configuration Example - Page 579

Configuration Guide 558 Configuring LLDP Configuration Example 6 Configuration Example 6.1 Example for Configuring LLDP 6.1.1 Network Requirements The network administrator needs to view the information of the devices in the company network to know about the link situation and network topology so that he can troubleshoot the potential network faults in advance. 6.1.2 Network Topology Take the following situation as an example: Port Fa1/0/1 on Switch A is directly connected to port Fa1/0/2 on Switch B. Switch B is directly connected to the PC. The administrator can view the device information using ..

LLDP Global Config - Page 580

Configuring LLDP Configuration Example Configuration Guide 559 Figure 6-2 LLDP Global Config 2) Choose the menu LLDP > Basic Config > Port Config to load the following page. Set the Admin Status of port Fa1/0/1 to Tx&Rx, enable Notification Mode and configure all the TLVs included in the outgoing LLDP packets. Figure 6-3 LLDP Port Config 6.1.5 Using CLI 1) Enable LLDP globally and configure the corresponding parameters.

..

View LLDP settings globally - Page 581

Configuration Guide 560 Configuring LLDP Configuration Example Switch_A#configure Switch_A(config)#lldp Switch_A(config)#lldp hold-multiplier 4 Switch_A(config)#lldp timer tx-interval 30 tx-delay 2 reinit-delay 3 notify-interval 5 fast-count 3 2) Set the Admin Status of port Fa1/0/1 to Tx&Rx, enable Notification Mode and configure all the TLVs included in the outgoing LLDP packets. Switch_A#configure Switch_A(config)#interface fastEthernet 1/0/1 Switch_A(config-if)#lldp receive Switch_A(config-if)#lldp transmit Switch_A(config-if)#lldp snmp-trap Switch_A(config-if)#lldp tlv-select all ..

View the Local Info - Page 582

Configuring LLDP Configuration Example Configuration Guide 561 Admin Status: TxRx SNMP Trap: Enabled TLV Status --- ------ Port-Description Yes System-Capability Yes System-Description Yes System-Name Yes Management-Address Yes Port-VLAN-ID Yes Protocol-VLAN-ID Yes VLAN-Name Yes Link-Aggregation Yes MAC-Physic Yes Max-Frame-Size Yes Power Yes LLDP-MED Status: Disabled TLV Status --- ------ Network Policy Yes Location Identification Yes Extended Power Via MDI Yes Inventory Management Yes View the Local Info Switch_A#show lldp local-information interface fastEthernet 1/0/1 LLDP local Informat..

- Page 583

Configuration Guide 562 Configuring LLDP Configuration Example Port ID: FastEthernet1/0/1 Port description: FastEthernet1/0/1 Interface TTL: 120 System name: T1500-28PCT System description: JetStream 24-Port 10/100Mbps + 4-Port Gigabit Smart PoE+ Switch System capabilities supported: Bridge Router System capabilities enabled: Bridge Router Management address type: ipv4 Management address: 192.168.0.1 Management address interface type: IfIndex Management address interface ID: 1 Management address OID: 0 Port VLAN ID(PVID): 1 Port and protocol VLAN ID(PPVID): 0 Port and protocol VLAN supporte..

View the Neighbor Info - Page 584

Configuring LLDP Configuration Example Configuration Guide 563 LLDP-MED Capabilities: Capabilities Network Policy Location Identification Extended Power via MDI - PSE Inventory Device Type: Network Connectivity Application type: Reserved Unknown policy: Yes Tagged: No VLAN ID: 0 Layer 2 Priority: 0 DSCP: 0 Location Data Format: Civic Address LCI - What: Switch - Country Code: CN Power Type: PSE Device Power Source: Primary Power Priority: Low Power Value: 30.0w Hardware Revision: T1500-28PCT 1.0 Firmware Revision: Reserved Software Revision: 1.0.0 Build 20170220 Rel.34965(s) Serial Number: ..

- Page 585

Configuration Guide 564 Configuring LLDP Configuration Example Neighbor index 1: Chassis type: MAC address Chassis ID: 00:0A:EB:13:18:2D Port ID type: Interface name Port ID: fastEthernet1/0/2 Port description: fastEthernet1/0/2 Interface TTL: 120 System name: T1500-28TC System description: JetStream 24-Port 10/100Mbps + 4-Port Gigabit Smart Switch System capabilities supported: Bridge Router System capabilities enabled: Bridge Router Management address type: ipv4 Management address: 192.168.0.1 Management address interface type: IfIndex Management address interface ID: 1 Management address..

6.2.1 Network Requirements - Page 586

Configuring LLDP Configuration Example Configuration Guide 565 PSE power supported: No PSE power enabled: No PSE pairs control ability: No 6.2 Example for Configuring LLDP-MED 6.2.1 Network Requirements The marketing department needs to establish the voice conversation with the field office. They want to install IP phones in their office and meet the following requirements: • Save the switch ports for more IP phones due to the limited number of the ports on the switch in the office; • The voice traffic is transmitted in a separate VLAN to guarantee the voice quality. • The IP phones can ..

LLDP-MED Network Topology - Page 587

Configuration Guide 566 Configuring LLDP Configuration Example Figure 6-4 LLDP-MED Network Topology PC IP: 172.168.1.222 IP Phone Switch A Voice Gateway Fa1/0/1 Fa1/0/2 To ensure the voice traffic can be preferentially treated, configure the corresponding settings on each device in the link. Demonstrated with T1500-28PCT, this section provides configuration procedures in two ways: using the GUI and using the CLI. 6.2.4 Using the GUI 1) Choose the menu VLAN > 802.1Q VLAN > VLAN Config to load the following page. Create VLAN 10, and name it as Voice VLAN. Figure 6-5 Creating a VLAN 2) E..

Configuring Voice VLAN Mode on Port 1/0/1 - Page 588

Configuring LLDP Configuration Example Configuration Guide 567 Figure 6-7 Configuring Voice VLAN Mode on Port 1/0/1 Figure 6-8 Configuring Voice VLAN Mode on Port 1/0/2

..

Adding Port 1/0/2 to the Voice VLAN - Page 589

Configuration Guide 568 Configuring LLDP Configuration Example Choose the menu VLAN > 802.1Q VLAN > VLAN Config to load the following page. Add port 1/0/2 to the Voice VLAN. Figure 6-9 Adding Port 1/0/2 to the Voice VLAN 3) Choose the menu LLDP > Basic Config > Global Config to load the following page and enable LLDP globally. Figure 6-10 LLDP Global Config 4) Choose the menu LLDP > LLDP-MED > Global Config to load the following page and configure the fast start count. The default is 4. Figure 6-11 LLDP-MED Global Config 5) Choose the menu LLDP > LLDP-MED > Policy Config to loa..

LLDP-MED Port Config - Page 590

Configuring LLDP Configuration Example Configuration Guide 569 Figure 6-12 LLDP-MED Port Config Click Detail in the Port 1/0/1 entry to configure TLVs included in the outgoing LLDP-MED packets. Figure 6-13 LLDP-MED Port Config-Detail In the Location Identification Parameters section, configure the detailed address of the IP phone. Click Apply.

..

Configure the detailed address of the IP phone - Page 591

Configuration Guide 570 Configuring LLDP Configuration Example Figure 6-14 Configure the detailed address of the IP phone 6.2.5 Using the CLI 1) Create VLAN 10 and name it as Voice VLAN. Switch_A(config)#vlan 10 Switch_A(config-vlan)#name Voice_VLAN Switch_A(config)#voice vlan 10 2) Configure the Voice VLAN mode on port Fa1/0/1 as Auto. Switch_A(config)#interface fastEthernet 1/0/1 Switch_A(config-if)#switchport voice vlan mode auto Switch_A(config-if)#exit 3) Configure the Voice VLAN mode on port Fa1/0/2 as Manual and add port Fa1/0/2 to Voice VLAN.

..

View global LLDP-MED settings: - Page 592

Configuring LLDP Configuration Example Configuration Guide 571 Switch_A(config)#interface fastEthernet 1/0/2 Switch_A(config-if)#switchport voice vlan mode manual Switch_A(config-if)#switchport general allowed vlan 10 tagged Switch_A(config-if)#exit 4) Enable LLDP globally. Switch_A(config)#lldp 5) Configure the fast start count of LLDP-MED. The default is 4. Switch_A(config)# lldp med-fast-count 4 6) Enable the LLDP-MED on port Fa1/0/1. Switch_A(config)#interface fastEthernet 1/0/1 Switch_A(config-if)#lldp med-status 7) Configure the LLDP-MED TLVs included in the outgoing LLDP packets. Swi..

View the local information: - Page 593

Configuration Guide 572 Configuring LLDP Configuration Example Admin Status: TxRx SNMP Trap: Enabled TLV Status --- ------ Port-Description Yes System-Capability Yes System-Description Yes System-Name Yes Management-Address Yes Port-VLAN-ID Yes Protocol-VLAN-ID Yes VLAN-Name Yes Link-Aggregation Yes MAC-Physic Yes Max-Frame-Size Yes Power Yes LLDP-MED Status: Enabled TLV Status --- ------ Network Policy Yes Location Identification Yes Extended Power Via MDI Yes Inventory Management Yes View the local information: Switch_A#show lldp local-information interface fastEthernet 1/0/1 LLDP local I..

- Page 594

Configuring LLDP Configuration Example Configuration Guide 573 Port ID: FastEthernet 1/0/1 Port description: FastEthernet 1/0/1 Interface TTL: 120 System name: Switch System description: JetStream 24-Port 10/100Mbps + 4-Port Gigabit Smart Switch System capabilities supported: Bridge Router System capabilities enabled: Bridge Router Management address type: ipv4 Management address: 192.168.0.1 Management address interface type: IfIndex Management address interface ID: 1 Management address OID: 0 Port VLAN ID(PVID): 1 Port and protocol VLAN ID(PPVID): 0 Port and protocol VLAN supported: Yes P..

View the neighbor information: - Page 595

Configuration Guide 574 Configuring LLDP Configuration Example LLDP-MED Capabilities: Capabilities Network Policy Location Identification Inventory Device Type: Network Connectivity Application type: Reserved Unknown policy: Yes Tagged: No VLAN ID: 0 Layer 2 Priority: 0 DSCP: 0 Location Data Format: Civic Address LCI - What: Switch - Country Code: CN - Language: chinese - Province/State: Guangdong - County/Parish/District: China - City/Township: Shenzhen - Street: Keyuan Road - Name: South Building No.5 - Postal/Zip Code: 518057 Hardware Revision: T1500-28PCT 1.0 Firmware Revision: Reserved..

- Page 596

Configuring LLDP Configuration Example Configuration Guide 575 LLDP Neighbor Information: fastEthernet 1/0/1: Neighbor index 1: Chassis type: Network address Chassis ID: 192.168.1.117 Port ID type: Locally assigned Port ID: 64A0E714DC54:P1 Port description: SW PORT TTL: 180 System name: SEP64A0E714DC54 System description: Cisco IP Phone 7931G,V4, term default System capabilities supported: Bridge Telephone System capabilities enabled: Bridge Telephone Management address type: ipv4 Management address: 192.168.1.117 Management address interface type: UnKnown Port VLAN ID(PVID): Port and proto..

- Page 597

Configuration Guide 576 Configuring LLDP Configuration Example PSE pairs control ability: Maximum frame size: LLDP-MED Capabilities: Capabilities Network Policy Extended Power via MDI - PD Inventory Device Type: Endpoint Class III Application type: Voice Unknown policy: No Tagged: No VLAN ID: 4095 Layer 2 Priority: 5 DSCP: 46 Application type: Voice Signaling Unknown policy: No Tagged: No VLAN ID: 4095 Layer 2 Priority: 4 DSCP: 32 Power Type: PD Device Power Source: Unknown Power Priority: Unknown Power Value: 7.0w Hardware Revision: 4 Firmware Revision: tnp31.3-2-0-11.bin Software Revision..

Appendix: Default Parameters - Page 598

Configuring LLDP Appendix: Default Parameters Configuration Guide 577 7 Appendix: Default Parameters Default settings of LLDP are listed in the following tables. Default LLDP Settings Table 7-1 Default LLDP Settings Parameter Default Setting LLDP Disable Transmit Interval 30 seconds Hold Multiplier 4 Transmit Delay 2 seconds Reinit Delay 2 seconds Notification Interval 5 seconds Fast Start Times 3 Table 7-2 Default LLDP Settings on the Port Parameter Default Setting Admin Status Tx&Rx Notification Mode Disable Included TLVs All Default LLDP-MED Settings Table 7-3 Default LLDP-MED Settin..

Configuring Maintenance - Page 599

Part 17 Configuring Maintenance CHAPTERS 1. Maintenance 2. Monitoring the System 3. System Log Configurations 4. Diagnosing the Device 5. Diagnosing the Network 6. Configuration Example for Remote Log 7. Appendix: Default Parameters

..

Maintenance - Page 600

Configuring Maintenance Maintenance Configuration Guide 579 1 Maintenance 1.1 Overview The maintenance module assembles various system tools for network troubleshooting. 1.2 Supported Features The maintenance module includes system monitor, log, device diagnose, and network diagnose. System Monitor You can monitor the memory and the CPU utilizations of the switch. Log You can check system messages for debugging and network management. Device Diagnose You can test the cable connection status, cable length and error length for troubleshooting. Network Diagnose The network diagnose function in..

Maintenance > System Monitor > CPU Monitor - Page 601

Configuration Guide 580 Configuring Maintenance Monitoring the System 2 Monitoring the System The system monitor configurations include: • Monitoring the CPU; • Monitoring the memory. Configuration Guidelines The CPU and memory utilizations should always be under 80%, and excessive use may result in switch malfunctions. For example, the switch fails to respond to management requests. In similar situations, you can monitor the system to verify a CPU or memory utilization problem. 2.1 Using the GUI 2.1.1 Monitoring the CPU Choose the menu Maintenance > System Monitor > CPU Monitor t..

2.1.2 Monitoring the Memory - Page 602

Configuring Maintenance Monitoring the System Configuration Guide 581 Click Monitor to enable the switch to monitor and display its CPU utilization rate every four seconds. 2.1.2 Monitoring the Memory Choose the menu Maintenance > System Monitor > Memory Monitor to load the following page. Figure 2-2 Monitoring the Memory Click Monitor to enable the switch to monitor and display its memory utilization rate every four seconds.

..

Switch#show cpu-utilization - Page 603

Configuration Guide 582 Configuring Maintenance Monitoring the System 2.2 Using the CLI 2.2.1 Monitoring the CPU In privileged EXEC mode or any other configuration mode, you can use the following command to view the CPU utilization: show cpu-utilization View the memory utilization of the switch in the last 5 seconds, 1 minute and 5 minutes. The following example shows how to monitor the CPU: Switch#show cpu-utilization Unit | CPU Utilization No. | Five-Seconds One-Minute Five-Minutes ------+------------------------------------------------- 1 | 13% 13% 13% 2.2.2 Monitoring the Memory On privil..

System Log Configurations - Page 604

Configuring Maintenance System Log Configurations Configuration Guide 583 3 System Log Configurations System log configurations include: • Configuring the local log; • Configuring the remote log; • Backing up log files; • Viewing the log table. Configuration Guidelines Logs are classified into the following eight levels. Messages of levels 0 to 4 mean the functionality of the switch is affected. Please take actions according to the log message. Table 3-1 Levels of Logs Severity Level Description Example Emergencies 0 The system is unusable and you have to reboot the switch. Software..

Maintenance > Log > Local Log - Page 605

Configuration Guide 584 Configuring Maintenance System Log Configurations 3.1 Using the GUI 3.1.1 Configuring the Local Log Choose the menu Maintenance > Log > Local Log to load the following page. Figure 3-1 Configuring the Local Log Follow these steps to configure the local log: 1) Select your desired channel and configure the corresponding severity and status. Channel Local log includes 2 channels: log buffer and log file. Log buffer indicates the RAM for saving system log. The channel is enabled by default. The information in the log buffer is displayed on the Maintenance > Log&..

3.1.3 Backing up the Log File - Page 606

Configuring Maintenance System Log Configurations Configuration Guide 585 Choose the menu Maintenance > Log > Remote Log to load the following page. Figure 3-2 Configuring the Remote Log Follow these steps to configure remote log: 1) Select an entry to enable the status, and then set the host IP address and severity. Host IP Specify an IP address for the log host. UDP Port Displays the UDP port that receives and sends the log information. And the switch uses the standard port 514. Severity Specify the severity level of the log information sent to the selected log host. Only the log wit..

System > System Info > System Time - Page 607

Configuration Guide 586 Configuring Maintenance System Log Configurations 3.1.4 Viewing the Log Table Choose the menu Maintenance > Log > Log Table to load the following page. Figure 3-4 Viewing the Log Table Select a module and a severity to view the corresponding log information. Time To get the exact time when the log event occurs, you need to configure the system time on the System > System Info > System Time Web management page. Module Select a module from the drop-down list to display the corresponding log information. Severity Select a severity level to display the log inf..

show logging buffer - Page 608

Configuring Maintenance System Log Configurations Configuration Guide 587 Step 2 logging buffer The switch stores the system log messages to the RAM. And the information will be lost when the switch is restarted. You can view the logs with show logging buffer command. Step 3 logging buffer level level Specify the severity level of the log information that should be saved to the buffer. level : Enter the severity level ranging from 0 to 7. The smaller value has the higher priority. Only the log with the same or smaller severity level value can be saved. The default level is 6, indicating tha..

3.2.2 Configuring the Remote Log - Page 609

Configuration Guide 588 Configuring Maintenance System Log Configurations Switch(config)#logging file flash level 2 Switch(config)#show logging local-config Channel Level Status Sync-Periodic ------- ----- ------ ------------- Buffer 5 enable Immediately Flash 2 enable 10 hour(s) Monitor 5 enable Immediately Switch(config)#end Switch#copy running-config startup-config 3.2.2 Configuring the Remote Log Remote Log enables the switch to send system logs to a host. To display the logs, the host should run a log server that complies with the syslog standard. Follow these steps to set the remote l..

- Page 610

Configuring Maintenance System Log Configurations Configuration Guide 589 The following example shows how to set the remote log on the switch. Enable log host 2, set its IP address as 192.168.0.148, and allow logs of levels 0 to 5 to be sent to the host: Switch#configure Switch(config)# logging host index 2 192.168.0.148 5 Switch(config)# show logging loghost Index Host-IP Severity Status ----- ------- -------- ------ 1 0.0.0.0 6 disable 2 192.168.0.148 5 enable 3 0.0.0.0 6 disable 4 0.0.0.0 6 disable Switch(config)#end Switch#copy running-config startup-config

..

Diagnosing the Device - Page 611

Configuration Guide 590 Configuring Maintenance Diagnosing the Device 4 Diagnosing the Device 4.1 Using the GUI Choose the menu Maintenance > Device Diagnose > Cable Test to load the following page. Figure 4-1 Diagnosing the Device 1) In the Port section, select your desired port for the test. 2) In the Result section, click Apply and check the test results. Port Select the port for cable testing. The interval between two cable tests for one port must be more than 3 seconds. Pair Displays the Pair number.

..

Switch#show cable-diagnostics interface fastEthernet - Page 612

Configuring Maintenance Diagnosing the Device Configuration Guide 591 Status Displays the cable status. Test results include normal, close, open and crosstalk. Normal : The cable is normally connected. Close: A short circuit caused by an abnormal contact of wires in the cable. Open: No device is connected to the other end or the connectivity is broken. Crosstalk: Impedance mismatch caused by the poor quality of the cable. Length If the connection status is normal, here displays the length range of the cable. The value makes sense only when the cable is longer than 30m. Error If the connecti..

Maintenance > Network Diagnose > Ping - Page 613

Configuration Guide 592 Configuring Maintenance Diagnosing the Network 5 Diagnosing the Network The configuration includes: • Configuring the Ping Test; • Configuring the Tracert Test. 5.1 Using the GUI 5.1.1 Configuring the Ping Test Choose the menu Maintenance > Network Diagnose > Ping to load the following page. Figure 5-1 Configuring the Ping Test Follow these steps to test the connectivity between the switch and another device in the network: 1) In the Ping Config section, enter the IP address of the destination device for Ping test, set Ping times, data size and interval acc..

5.1.2 Configuring the Tracert Test - Page 614

Configuring Maintenance Diagnosing the Network Configuration Guide 593 Destination IP Enter the IP address of the destination node for Ping test. Both IPv4 and IPv6 are supported. Ping Times Enter the amount of times to send test data for Ping test. We recommend that you keep the default 4 times. Data Size Enter the size of the sending data for Ping test. We recommend that you keep the default 64 bytes. Interval Specify the interval to send ICMP request packets. We recommend that you keep the default 1000 milliseconds. 2) In the Ping Result section, check the test results. 5.1.2 Configuring..

5.2.2 Configuring the Tracert Test - Page 615

Configuration Guide 594 Configuring Maintenance Diagnosing the Network ping [ ip | ipv6 ] { ip_addr } [ -n count ] [ -l count ] [ -i count ] Test the connectivity between the switch and destination device. ip: The type of the IP address for ping test should be IPv4. ipv6: The type of the IP address for ping test should be IPv6. ip_addr: The IP address of the destination node for ping test. If the parameter ip/ipv6 is not selected, both IPv4 and IPv6 addresses are supported, such as 192.168.0.100 or fe80::1234. -n count : Specify the amount of times to send test data for Ping testing. The va..

Switch#tracert - Page 616

Configuring Maintenance Diagnosing the Network Configuration Guide 595 tracert [ ip | ipv6 ] ip_addr [ maxHops ] Test the connectivity of the gateways along the path from the source to the destination. ip: The type of the IP address for tracert test should be IPv4. ipv6: The type of the IP address for tracert test should be IPv6. ip_addr: Enter the IP address of the destination device. If the parameter ip/ipv6 is not selected, both IPv4 and IPv6 addresses are supported, such as 192.168.0.100 or fe80::1234. maxHops : Specify the maximum number of the route hops the test data can pass through...

Configuration Example for Remote Log - Page 617

Configuration Guide 596 Configuring Maintenance Configuration Example for Remote Log 6 Configuration Example for Remote Log 6.1 Network Requirements The company network manager needs to monitor the network of department A for troubleshooting. Figure 6-1 Network Topology IP: 1.1.0.1/16 IP: 1.1.0.2/16 Switch Department A PC 6.2 Configuration Scheme The network manager can configure the remote log to receive system logs from monitored devices. Make sure the switch and the PC can reach each other; configure a log server that complies with the syslog standard on the PC and set the PC as the l..

Verify the Configurations - Page 618

Configuring Maintenance Configuration Example for Remote Log Configuration Guide 597 6.4 Using the CLI Configure the remote log host. Switch#configure Switch(config)# logging host index 1 1.1.0.1 5 Switch(config)#end Switch#copy running-config startup-config Verify the Configurations Switch# show logging loghost Index Host-IP Severity Status ----- ------- -------- ------ 1 1.1.0.1 5 enable 2 0.0.0.0 6 disable 3 0.0.0.0 6 disable 4 0.0.0.0 6 disable

..

Appendix: Default Parameters - Page 619

Configuration Guide 598 Configuring Maintenance Appendix: Default Parameters 7 Appendix: Default Parameters Default settings of maintenance are listed in the following tables. Table 7-1 Default Settings of Local Log Parameter Default Setting Status of Log Buffer Enabled Severity of Log Buffer Level_6 Sync-Periodic of Log Buffer Immediately Status of Log File Disabled Severity of Log File Level_3 Sync-Periodic of Log File 24 hours Table 7-2 Default Settings of Remote Log Parameter Default Setting Host IP 0.0.0.0 UDP Port 514 Severity Level_6 Status Disabled Table 7-3 Default Settings of Ping..

Configuration Guide
T1500-28TC (TL-SL2428)/T1500-28PCT(TL-SL2428P)
1910012115
REV2.0.0
March 2017