TP-Link T2500G-10MPS User Manual

User Guide
T2500G-10MPS
1910012405 REV1.0.1
April 2018


Summary of Contents for TP-Link T2500G-10MPS

  • Page 1 User Guide T2500G-10MPS 1910012405 REV1.0.1 April 2018...
  • Page 2: Table Of Contents

    CONTENTS: About This Guide; Intended Readers; Conventions; More Information; Accessing the Switch; Overview; Web Interface Access; Login; Save Config Function; Disable the Web Server; Configure the Switch's IP Address and Default Gateway; Command Line Interface Access...
  • Page 3 Specifying the Device Description; Setting the System Time; Setting the Daylight Saving Time; Specifying the Serial Port Parameter; User Management Configurations; Using the GUI; Creating Admin Accounts; Creating Accounts of Other Types; Using the CLI; Creating Admin Accounts; Creating Accounts of Other Types...
  • Page 4 Configuring the Access Control; Configuring the HTTP Function; Configuring the HTTPS Function; Configuring the SSH Feature; Enabling the Telnet Function; Appendix: Default Parameters; Managing Physical Interfaces; Physical Interface; Overview; Supported Features; Basic Parameters Configurations...
  • Page 5 Example for Loopback Detection; Network Requirements; Configuration Scheme; Using the GUI; Using the CLI; Appendix: Default Parameters; Configuring LAG; LAG; Overview; Supported Features; LAG Configuration; Using the GUI; Configuring Load-balancing Algorithm; Configuring Static LAG or LACP; Using the CLI; Configuring Load-balancing Algorithm...
  • Page 6 Address Configurations; Using the GUI; Adding Static MAC Address Entries; Modifying the Aging Time of Dynamic Address Entries; Adding MAC Filtering Address Entries; Viewing Address Table Entries; Using the CLI; Adding Static MAC Address Entries; Modifying the Aging Time of Dynamic Address Entries; Adding MAC Filtering Address Entries; Security Configurations...
  • Page 7 Configuring DDM Shutdown; Configuring Temperature Threshold; Configuring Voltage Threshold; Configuring Bias Current Threshold; Configuring Tx Power Threshold; Configuring Rx Power Threshold; Viewing DDM Configuration; Viewing DDM Status; Appendix: Default Parameters; Configuring L2PT; Overview; L2PT Configuration; Using the GUI...
  • Page 8 Using the CLI; Appendix: Default Parameters; Configuring MAC VLAN; Overview; MAC VLAN Configuration; Using the GUI; Configuring 802.1Q VLAN; Binding the MAC Address to the VLAN; Enabling MAC VLAN for the Port; Using the CLI; Configuring 802.1Q VLAN; Binding the MAC Address to the VLAN...
  • Page 9 Appendix: Default Parameters; Configuring VLAN-VPN; VLAN-VPN; Overview; Supported Features; Basic VLAN-VPN Configuration; Using the GUI; Configuring 802.1Q VLAN; Enabling VLAN-VPN Globally and Configuring Up-link Ports; Using the CLI; Configuring 802.1Q VLAN; Enabling VLAN-VPN Globally and Configuring Up-link Ports; Flexible VLAN-VPN Configuration; Using the GUI...
  • Page 10 Overview; Basic Concepts; STP/RSTP Concepts; MSTP Concepts; STP Security; STP/RSTP Configurations; Using the GUI; Configuring STP/RSTP Parameters on Ports; Configuring STP/RSTP Globally; Verifying the STP/RSTP Configurations; Using the CLI; Configuring STP/RSTP Parameters on Ports; Configuring Global STP/RSTP Parameters; Enabling STP/RSTP Globally...
  • Page 11 Configuring Layer 2 Multicast; Layer 2 Multicast; Overview; Supported Layer 2 Multicast Protocols; IGMP Snooping Configurations; Using the GUI; Configuring IGMP Snooping Globally; Enabling IGMP Snooping Globally; (Optional) Configuring Unknown Multicast; (Optional) Configuring Report Message Suppression; Configuring Router Port Time and Member Port Time; Configuring IGMP Snooping Last Listener Query; Verifying IGMP Snooping Status...
  • Page 12 Configuring Auto Refresh; Viewing IGMP Statistics; Enabling IGMP Accounting and Authentication; Configuring IGMP Accounting Globally; Configuring IGMP Authentication on the Port; Configuring Static Member Port; Configuring Static Member Port; Viewing IGMP Static Multicast Groups; Using the CLI; Enabling IGMP Snooping Globally; Enabling IGMP Snooping on the Port...
  • Page 13 Configuring MLD Snooping; Using the GUI; Configuring MLD Snooping Globally; Enabling MLD Snooping Globally; (Optional) Configuring Unknown Multicast; (Optional) Configuring Report Message Suppression; Configuring Router Port Time and Member Port Time; Configuring MLD Snooping Last Listener Query; Verifying MLD Snooping Status; Configuring the Port’s Basic MLD Snooping Features; Enabling MLD Snooping on the Port...
  • Page 14 Using the CLI; Enabling MLD Snooping Globally; Enabling MLD Snooping on the Port; Configuring MLD Snooping Parameters Globally; Configuring Report Message Suppression; Configuring Unknown Multicast; Configuring MLD Snooping Parameters on the Port; Configuring Router Port Time and Member Port Time; Configuring Fast Leave; Configuring Max Group and Overflow Action on the Port; Configuring MLD Snooping Last Listener Query...
  • Page 15 Using the GUI; Using the CLI; Example for Configuring Multicast VLAN; Network Requirements; Configuration Scheme; Network Topology; Using the GUI; Using the CLI; Example for Configuring Unknown Multicast and Fast Leave; Network Requirement; Configuration Scheme; Using the GUI...
  • Page 16 Configuring QoS; QoS; Overview; Supported Features; DiffServ Configuration; Using the GUI; Configuring Priority Mode; Configuring Schedule Mode; Using CLI; Configuring Priority Mode; Configuring Schedule Mode; Bandwidth Control Configuration; Using the GUI; Configuring Rate Limit; Configuring Storm Control; Using the CLI...
  • Page 17 Configuring Voice VLAN Mode on Ports; Using the CLI; Configuration Example; Network Requirements; Configuration Scheme; Network Topology; Using the GUI; Using the CLI; Appendix: Default Parameters; Configuring PoE; PoE; Overview; Supported Features; PoE Power Management Configurations; Using the GUI...
  • Page 18 Configuring ACL; Overview; Introduction; Supported Features; ACL Configuration; Using the GUI; Configuring Time-Range; (Optional) Configuring Holiday; Creating an ACL; Configuring ACL Rules; Configuring Policy; Configuring the ACL Binding and Policy Binding; Using the CLI; Configuring Time Range; Configuring ACL...
  • Page 19 DHCP Snooping Configuration; Using the GUI; Enabling DHCP Snooping on VLAN; Configuring DHCP Snooping on Ports; (Optional) Configuring Option 82; Using the CLI; Enabling DHCP Snooping on VLAN; Configuring DHCP Snooping on Ports; (Optional) Configuring Option 82; ARP Inspection Configurations; Using the GUI...
  • Page 20 Configuring the Method List; Configuring the AAA Application List; Configuring Login Account and Enable Password; Using the CLI; Globally Enabling AAA; Adding Servers; Configuring Server Groups; Configuring the Method List; Configuring the AAA Application List; Configuring Login Account and Enable Password; Configuration Examples; Example for DHCP Snooping and ARP Detection...
  • Page 21 Using the CLI; Global Config; Port Config; LLDP-MED Configurations; Using the GUI; Global Config; Port Config; Using the CLI; Global Config; Port Config; Viewing LLDP Settings; Using GUI; Viewing LLDP Device Info; Viewing LLDP Statistics; Using CLI; Viewing LLDP-MED Settings...
  • Page 22 Monitoring the System; Using the GUI; Monitoring the CPU; Monitoring the Memory; Using the CLI; Monitoring the CPU; Monitoring the Memory; System Log Configurations; Using the GUI; Configuring the Local Log; Configuring the Remote Log; Backing up the Log File; Viewing the Log Table...
  • Page 23 Configuring SNMP & RMON; SNMP Overview; SNMP Configurations; Using the GUI; Enabling SNMP; Creating an SNMP View; Creating an SNMP Group; Creating SNMP Users; Creating SNMP Communities; Using the CLI; Enabling SNMP; Creating an SNMP View; Creating an SNMP Group; Creating SNMP Users...
  • Page 24 Using the CLI; Appendix: Default Parameters...
  • Page 25: About This Guide

    About This Guide: This Configuration Guide provides information for managing T2500G-10MPS. Please read this guide carefully before operation. Intended Readers: This Guide is intended for network managers familiar with IT concepts and network terminologies. Conventions: When using this guide, please note that features of the switch may vary slightly depending on the model and software version you have.
  • Page 26: More Information

    • The Installation Guide (IG) can be found where you find this guide or inside the package of the switch.
    • Specifications can be found on the product page at http://www.tp-link.com.
    • A Technical Support Forum is provided for you to discuss our products at http://forum.tp-link.com.
  • Page 27: Accessing The Switch

    Part 1: Accessing the Switch. Chapters: 1. Overview 2. Web Interface Access 3. Command Line Interface Access...
  • Page 28: Overview

    Overview: You can access and manage the switch using the GUI (Graphical User Interface, also called web interface in this text) or using the CLI (Command Line Interface). The web interface and the command line interface provide equivalent functions, but web configuration is easier and more visual than CLI configuration.
  • Page 29: Web Interface Access

    Web Interface Access: You can access the switch’s web interface through web-based authentication. The switch uses two built-in web servers, an HTTP server and an HTTPS server, for user authentication. The following example shows how to log in via the HTTP server.
    Login: To manage your switch through a web browser on the host PC:
    1) Make sure that the route between the host PC and the switch is available.
  • Page 30: Save Config Function

    Figure 2-3 Web interface
    2.2 Save Config Function: The switch’s configuration files fall into two types: the running configuration file and the start-up configuration file. After you perform configurations on the sub-interfaces and click Apply, the modifications will be saved in the running configuration file.
  • Page 31: Disable The Web Server

    Figure 2-4 Save Config
    Disable the Web Server: You can shut down the HTTP server or HTTPS server to block any access to the web interface. Go to System > Access Security > HTTP Config, disable the HTTP server and click Apply.
    Figure 2-5 Shut down HTTP server
  • Page 32: Configure The Switch's Ip Address And Default Gateway

    Go to System > Access Security > HTTPS Config, disable the HTTPS server and click Apply.
    Figure 2-6 Disable the HTTPS Server
    2.4 Configure the Switch's IP Address and Default Gateway: The default IP address of the switch is 192.168.0.1, and the default gateway is 0.0.0.0. You can change the IP address and default gateway of the switch according to your needs.
  • Page 33: Command Line Interface Access

    Command Line Interface Access: Users can access the switch's command line interface through a console connection (only for switches with a console port), Telnet or SSH, and manage the switch with command lines. A console connection requires the host PC to be connected directly to the switch’s console port, while Telnet and SSH connections support both local and remote access.
  • Page 34 Figure 3-1 CLI Main Window
    4) Enter enable to enter the User EXEC Mode to further configure the switch.
    Figure 3-2 User EXEC Mode
    Note: In Windows XP, go to Start > All Programs > Accessories > Communications > Hyper Terminal to open the Hyper Terminal and configure the above settings to log in to the switch.
  • Page 35: Telnet Login

    Telnet Login: The switch supports Login Local Mode for authentication by default.
    Login Local Mode: Username and password are required, which are both admin by default.
    The following steps show how to manage the switch via the Login Local Mode:
    1) Make sure the switch and the PC are in the same LAN (Local Area Network).
  • Page 36: Ssh Login

    Figure 3-6 Enter Privileged EXEC Mode
    Now you can manage your switch with CLI commands through Telnet connection.
    3.3 SSH Login: SSH login supports the following two modes: Password Authentication Mode and Key Authentication Mode. You can choose one according to your needs:
    • Password Authentication Mode: Username and password are required, which are both admin by default.
  • Page 37 Figure 3-8 Configurations in PuTTY
    2) Enter the login username and password to log in to the switch, and you can continue to configure the switch.
    Figure 3-9 Log In to the Switch
    Key Authentication Mode
    1) Open the PuTTY Key Generator.
  • Page 38 Figure 3-10 Generate a Public/Private Key Pair
    Note:
    • The key length should be between 512 and 3072 bits.
    • You can accelerate the key generation process by moving the mouse quickly and randomly in...
  • Page 39 3) On Hyper Terminal, download the public key file from the TFTP server to the switch as shown in the following figure:
    Figure 3-12 Download the Public Key to the Switch
    Note:
    • The key type should accord with the type of the key file. In the above CLI, v1 corresponds to...
  • Page 40: Disable Telnet Login

    Figure 3-14 Download the Private Key to PuTTY
    6) After negotiation is completed, enter the username to log in. If you can log in without entering the password, the key authentication has completed successfully.
    Figure 3-15 Log In to the Switch
    3.4 Disable Telnet login: You can shut down the Telnet function to block any Telnet access to the CLI interface.
  • Page 41: Disable Ssh Login

    • Using the CLI:
      Switch#configure
      Switch(config)#telnet disable
    Disable SSH login: You can shut down the SSH server to block any SSH access to the CLI interface.
    • Using the GUI: Go to System > Access Security > SSH Config, disable the SSH server and click Apply.
      Figure 3-17 Shut down SSH server
    • Using the CLI:
      Switch#configure...
  • Page 42: Change The Switch's Ip Address And Default Gateway

    3.7 Change the Switch's IP Address and Default Gateway: If you want to access the switch via a specified port (hereafter referred to as the access port), you can configure the port as a routed port and specify its IP address, or configure the IP address of the VLAN which the access port belongs to.
  • Page 43: Managing System

    Part 2: Managing System. Chapters: 1. System 2. System Info Configurations 3. User Management Configurations 4. System Tools Configurations 5. Access Security Configurations 6. Appendix: Default Parameters...
  • Page 44: System

    System
    1.1 Overview: The System module is mainly used to configure and view the system information of the switch. It provides controls over the types of access users and over access security.
    1.2 Supported Features
    System Info: The System Info is mainly used for the basic properties configuration.
  • Page 45 The HTTPS Config function is based on the SSL or TLS protocol working in the transport layer. It supports secure access via a web browser. The SSH Config function is based on the SSH protocol, a security protocol established on the application and transport layers.
  • Page 46: System Info Configurations

    System Info Configurations: With system information configurations, you can:
    • View the system summary
    • Specify the device description
    • Set the system time
    • Set the daylight saving time
    • Specify the Serial Port Parameter
    2.1 Using the GUI
    2.1.1 Viewing the System Summary: Choose the menu System >...
  • Page 47 Port Status Indication
    Indicates that the corresponding 1000Mbps port is not connected to a device.
    Indicates that the corresponding 1000Mbps port is at the speed of 1000Mbps.
    Indicates that the corresponding 1000Mbps port is at the speed of 10Mbps or 100Mbps.
  • Page 48: Specifying The Device Description

    Figure 2-3 Bandwidth Utilization
    Select Rx to view the bandwidth utilization of receiving packets on this port. Select Tx to view the bandwidth utilization of sending packets on this port.
    2.1.2 Specifying the Device Description: Choose the menu System > System Info > Device Description to load the following page.
    Figure 2-4 Specifying the Device Description
    1) In the Device Description section, specify the following information.
  • Page 49: Setting The System Time

    2.1.3 Setting the System Time: Choose the menu System > System Info > System Time to load the following page.
    Figure 2-5 Setting the System Time
    In the Time Info section, view the current time information of the switch.
    Current System: Displays the current date and time of the switch.
  • Page 50: Setting The Daylight Saving Time

    Get Time from NTP Server: Set the system time by getting time from NTP server. Make sure the NTP server is accessible on your network. If the NTP server is on the Internet, connect the switch to the Internet first.
  • Page 51: Specifying The Serial Port Parameter

    Predefined Mode: If you select Predefined Mode, choose a predefined DST schedule for the switch.
    • USA: Select the Daylight Saving Time of the USA. It is from 2:00 a.m. on the Second Sunday in March to 2:00 a.m. on the First Sunday in November.
    • Australia: Select the Daylight Saving Time of Australia.
  • Page 52: Using The Cli

    LinkDown N/A Disable Copper
    Gi1/0/3 LinkUp 1000M Full Disable Disable Copper
    Switch#show system-info
    System Description - JetStream 8-Port Gigabit L2 Managed PoE+ Switch with 2 SFP Slots
    System Name - T2500G-10MPS
    System Location - SHENZHEN
    Contact Information - www.tp-link.com
  • Page 53: Specifying The Device Description

    Return to privileged EXEC mode.
    Step 7: copy running-config startup-config
    Save the settings in the configuration file.
    The following example shows how to set the device name as Switch_A, set the location as BEIJING and set the contact information as http://www.tp-link.com.
    Switch#configure ...
  • Page 54: Setting The System Time

    System Description - JetStream 8-Port Gigabit L2 Managed PoE+ Switch with 2 SFP Slots
    System Name - Switch_A
    System Location - BEIJING
    Contact Information - http://www.tp-link.com
    Switch(config)#end
    Switch#copy running-config startup-config
    2.2.3 Setting the System Time: Follow these steps and choose one method to set the system time:...
  • Page 55 The detailed information of each time zone is displayed as follows:
    UTC-12:00 —— TimeZone for International Date Line West.
    UTC-11:00 —— TimeZone for Coordinated Universal Time-11.
    UTC-10:00 —— TimeZone for Hawaii.
    UTC-09:00 —— TimeZone for Alaska.
    UTC-08:00 ——...
  • Page 56: Setting The Daylight Saving Time

    Step 3: Use the following command to verify the system time information.
    show system-time
    Verify the system time information.
    Use the following command to verify the NTP mode configuration information.
    show system-time ntp
    Verify the system time information of NTP mode.
    Step 4: Return to privileged EXEC mode.
  • Page 57 Step 2: Use the following command to select a predefined Daylight Saving Time configuration:
    system-time dst predefined [ USA | Australia | Europe | New-Zealand ]
    Specify the Daylight Saving Time using a predefined schedule.
    USA | Australia | Europe | New-Zealand: Select one mode of Daylight Saving Time.
  • Page 58: Specifying The Serial Port Parameter

    smonth: Enter the start month of Daylight Saving Time. There are 12 values showing as follows: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec.
    sday: Enter the start day of Daylight Saving Time, which ranges from 1 to 31.
    : Enter the start time of Daylight Saving Time, in the format of HH:MM.
  • Page 59 Step 2: serial_port baud_rate { 9600 | 19200 | 38400 | 57600 | 115200 }
    Specify the baud rate of the console connection.
    9600 | 19200 | 38400 | 57600 | 115200: Specify the communication baud rate on the console port.
  • Page 60: User Management Configurations

    User Management Configurations: With user management configurations, you can:
    • Create Admin accounts
    • Create accounts of other types
    3.1 Using the GUI
    3.1.1 Creating Admin Accounts: Choose the menu System > User Management > User Config to load the following page.
    Figure 3-1 Create Admin Accounts
    Follow these steps to create an Admin account:
    1) In the User Info section, select Admin from the drop-down list and specify the user...
  • Page 61: Creating Accounts Of Other Types

    Access Level: Select the access level as Admin.
    • Admin: Admin can edit, modify and view all the settings of different functions.
    • Operator: Operator can edit, modify and view most of the settings of different functions.
    • Power User: Power User can edit, modify and view some of the settings of different functions.
  • Page 62 User Name: Create a user name for users' login. It contains 16 characters at most, composed of digits, English letters and underscores only.
    Access Level: Select the access level as Operator, Power User or User.
    • Admin: Admin can edit, modify and view all the settings of different functions.
  • Page 63: Using The Cli

    Using the CLI
    3.2.1 Creating Admin Accounts: Follow these steps to create an Admin account:
    Step 1: configure
    Enter global configuration mode.
    Step 2: Use the following command to create an account unencrypted or symmetric encrypted.
    user name name { privilege admin } password { [ 0 ] password | 7 encrypted-password }
    Create an account whose access level is Admin.
  • Page 64: Creating Accounts Of Other Types

    Step 3: show user account-list
    Verify the information of the current users.
    Step 4: Return to privileged EXEC mode.
    Step 5: copy running-config startup-config
    Save the settings in the configuration file.
    3.2.2 Creating Accounts of Other Types: You can create accounts with the access level of Operator, Power user and User here.
  • Page 65 Managing System User Management Configurations Step 2 Use the following command to create an account unencrypted or symmetric encrypted. user name name { privilege operator | power_user | user } password { [ 0 ] password | 7 encrypted-password } Create an account whose access level is Operator, Power User or User.
  • Page 66 Managing System User Management Configurations Step 4 Use the following command to create an enable password unencrypted or symmetric encrypted. enable admin password { [ 0 ] password | 7 encrypted-password } Create an Enable Password. It can change the users’ access level to Admin. By default, it is empty.
  • Page 67 Managing System User Management Configurations The following example shows how to create a user with the access level of Operator, set the user name as user1 and set the password as 123. Enable AAA function and set the enable password as abc123. Switch#configure Switch(config)#user name user1 privilege operator password 123 Switch(config)#aaa enable...
  • Page 68: System Tools Configurations

    Managing System System Tools Configurations System Tools Configurations With system tools configurations, you can: • Configure the boot file • Restore the configuration of the switch • Back up the configuration file • Upgrade the firmware • Configure the Auto Install Function • Reboot the switch • Configure the reboot schedule • Reset the switch...
  • Page 69: Restoring The Configuration Of The Switch

    Managing System System Tools Configurations Select Select one or more units to be configured. Unit Displays the number of the unit. Current Startup Image Displays the current startup image. Next Startup Image Select the next startup image. When the switch is powered on, it will try to start up with the next startup image.
  • Page 70: Backing Up The Configuration File

    Managing System System Tools Configurations 4.1.3 Backing up the Configuration File Choose the menu System > System Tools > Config Backup to load the following page. Figure 4-3 Backing up the Configuration File In the Config Backup section, select one unit and click Export to export the configuration file.
  • Page 71: Configuring Auto Install Function

    Managing System System Tools Configurations After upgrading, the device will reboot automatically with the backup image: Select this option to reboot automatically with the backup image after upgrading. 4.1.5 Configuring Auto Install Function Note: You should configure the DHCP server and the TFTP server first before configuring the Auto Install function.
  • Page 72: Rebooting The Switch

    Managing System System Tools Configurations Note: • The switch will obtain a new IP address from the DHCP server during the process of Auto Install. If you want to access the switch, you should check the new IP address on the DHCP server.
  • Page 73: Resetting The Switch

    Managing System System Tools Configurations Time Interval Specify a period of time. The switch will reboot after this period. The valid values are from 1 to 43200 minutes. This reboot schedule recurs if users check the Save Before Reboot. Time (HH:MM)/ Specify the date and time for the switch to reboot.
  • Page 74: Restoring The Configuration Of The Switch

    Managing System System Tools Configurations Step 2 boot application filename { image1 | image2 } { startup | backup } Specify the configuration of the boot file. By default, the image1.bin is the startup image and the image2.bin is the backup image. image1 | image2: Select the image file to be configured.
  • Page 75: Backing Up The Configuration File

    Managing System System Tools Configurations Note: • It will take a long time to restore the configuration. Please wait without any operation. • After the configuration is restored successfully, the device will reboot to make the configuration change effective. The following example shows how to restore the configuration file named file1 from the TFTP server with IP address 192.168.0.100.
  • Page 76: Configuring Auto Install Function

    Managing System System Tools Configurations Step 2 firmware upgrade ip-address ip-addr filename name Upgrade the switch’s backup image via TFTP server. To boot up with the new firmware, you need to choose to reboot the switch with the backup image. : Specify the IP address of the TFTP server.
  • Page 77: Rebooting The Switch

    Managing System System Tools Configurations Step 6 boot autoinstall start Start the Auto Install process and the switch will download the configuration file and the backup image automatically. Step 7 Return to privileged EXEC mode. Step 8 copy running-config startup-config Save the settings in the configuration file.
  • Page 78: Configuring The Reboot Schedule

    Managing System System Tools Configurations Step 2 reboot Reboot the switch. 4.2.7 Configuring the Reboot Schedule Follow these steps and choose one type to configure the reboot schedule: Step 1 configure Enter global configuration mode. Step 2 Use the following command to set the interval to reboot: reboot-schedule in interval [ save_before_reboot ] (Optional) Specify the reboot schedule.
  • Page 79: Resetting The Switch

    Managing System System Tools Configurations Save before reboot: Yes Switch(config)#end Switch#copy running-config startup-config 4.2.8 Resetting the Switch Follow these steps to reset the switch: Step 1 enable Enter privileged mode. Step 2 reset Reset the switch. Note: After the system is reset, configurations of the switch will be reset to the default. Configuration Guide...
  • Page 80: Access Security Configurations

    Managing System Access Security Configurations Access Security Configurations With access security configurations, you can: • Configure the Access Control feature • Configure the HTTP feature • Configure the HTTPS feature • Configure the SSH feature • Enable the telnet function 5.1 Using the GUI 5.1.1 Configuring the Access Control Feature Choose the menu System >...
  • Page 81 Managing System Access Security Configurations Access Interface Select the interface to control the methods for users’ accessing. The selected access interfaces will only affect the users you set before. SNMP: A function to manage the network devices via NMS. Telnet: A connection type for users to remote login. SSH: A connection type based on SSH protocol.
  • Page 82: Configuring The Http Function

    Managing System Access Security Configurations 5.1.2 Configuring the HTTP Function Choose the menu System > Access Security > HTTP Config to load the following page. Figure 5-2 Configuring the HTTP Function 1) In the Global Control section, Select Enable and click Apply to enable the HTTP function.
  • Page 83: Configuring The Https Function

    Managing System Access Security Configurations 5.1.3 Configuring the HTTPS Function Choose the menu System > Access Security > HTTPS Config to load the following page. Table 5-1 Configuring the HTTPS Function 1) In the Global Config section, select Enable to enable HTTPS function and select the protocol the switch supports.
  • Page 84 Managing System Access Security Configurations HTTPS Select Enable to enable the HTTPS function. HTTPS function is based on the SSL or TLS protocol. It provides a secure connection between the client and the switch. SSL Version 3 Select Enable to make the switch support SSL Version 3 protocol. SSL is a transport protocol.
  • Page 85: Configuring The Ssh Feature

    Managing System Access Security Configurations Certificate File Select the desired certificate to download to the switch. The certificate must be BASE64 encoded. The SSL certificate and key downloaded must match each other, otherwise the HTTPS connection will not work. Key File Select the desired Key to download to the switch.
  • Page 86: Enabling The Telnet Function

    Managing System Access Security Configurations Protocol V2 Select Enable to enable SSH version 2. Idle Timeout Specify the idle timeout time. The system will automatically release the connection when the time is up. Max Connect Specify the maximum number of the connections to the SSH server. New connection will not be established when the number of the connections reaches the maximum number you set.
  • Page 87 Managing System Access Security Configurations Step 1 configure Enter global configuration mode. Step 2 Use the following command to control the users’ access by limiting the IP address: user access-control ip-based { ip-addr ip-mask } [ snmp ] [ telnet ] [ ssh ] [ http ] [ https ] [ ping ] [ all ] Only the users within the IP-range you set here are allowed to access the switch.
  • Page 88: Configuring The Http Function

    Managing System Access Security Configurations Switch(config)#user access-control ip-based 192.168.0.100 255.255.255.0 snmp telnet http https Switch(config)#show user configuration User authentication mode: IP based Index IP Address Access Interface ----- ----------------- ------------------------------- 192.168.0.0/24 SNMP Telnet HTTP HTTPS Switch(config)#end Switch#copy running-config startup-config 5.2.2 Configuring the HTTP Function Follow these steps to configure the HTTP function: Step 1 configure...
  • Page 89: Configuring The Https Function

    Managing System Access Security Configurations Step 7 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set the session timeout as 9, set the maximum admin number as 2, operator number as 2, power user number as 5, and user number as 4. Switch#configure Switch(config)#ip http server Switch(config)#ip http session timeout 9...
  • Page 90 Managing System Access Security Configurations Step 4 ip http secure-ciphersuite { [ 3des-ede-cbc-sha ] [ rc4-128-md5 ] [ rc4-128-sha ] [ des-cbc-sha ] } Enable the corresponding ciphersuite. By default, these types are all enabled. [ 3des-ede-cbc-sha ]: Key exchange with 3DES and DES-EDE3-CBC for message encryption and SHA for message digest.
  • Page 91 Managing System Access Security Configurations Step 10 Return to privileged EXEC mode. Step 11 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure the HTTPS function. Enable SSL3 and TLS1 protocol. Enable the ciphersuite of 3des-ede-cbc-sha. Set the session timeout time as 15; set the maximum admin number as 2, operator number as 2, power user number as 5, and user number as 4.
  • Page 92: Configuring The Ssh Feature

    Managing System Access Security Configurations Switch(config)#end Switch#copy running-config startup-config 5.2.4 Configuring the SSH Feature Follow these steps to configure the SSH function: Step 1 configure Enter global configuration mode. Step 2 ip ssh server Enable the SSH function. By default, it is disabled. Step 3 ip ssh version { v1 | v2 } Configure to make the switch support the corresponding protocol.
  • Page 93 Managing System Access Security Configurations Step 8 show ip ssh Verify the global configuration of SSH. Step 9 Return to privileged EXEC mode. Step 10 copy running-config startup-config Save the settings in the configuration file. Note: It will take a long time to download the key file. Please wait without any operation. The following example shows how to configure the SSH function.
  • Page 94: Enabling The Telnet Function

    Managing System Access Security Configurations AES192-CBC: Disabled AES256-CBC: Disabled Blowfish-CBC: Disabled Cast128-CBC: Enabled 3DES-CBC: Disabled Data Integrity Algorithm: HMAC-SHA1: Disabled HMAC-MD5: Enabled Key Type: SSH-2 RSA/DSA Key File: ---- BEGIN SSH2 PUBLIC KEY ---- Comment: “dsa-key-20160711” Switch(config)#end Switch#copy running-config startup-config 5.2.5 Enabling the Telnet Function Follow these steps to enable the Telnet function: Step 1...
  • Page 95: Appendix: Default Parameters

    Default Setting Device Name The model name of the switch. Device Location SHENZHEN System Contact www.tp-link.com Table 6-2 Default Settings of Daylight Saving Time Configuration Parameter Default Setting DST status Disabled Default settings of User Management are listed in the following table.
  • Page 96 Managing System Appendix: Default Parameters Default settings of Access Security are listed in the following tables. Table 6-5 Default Settings of Access Control Configuration Parameter Default Setting Control Mode Disabled Table 6-6 Default Settings of HTTP Configuration Parameter Default Setting HTTP Enabled Session Timeout...
  • Page 97 Managing System Appendix: Default Parameters Parameter Default Setting HMAC-SHA1 Enabled HMAC-MD5 Enabled Key Type: SSH-2 RSA/DSA Table 6-9 Default Settings of Telnet Configuration Parameter Default Setting Control Mode Enabled
  • Page 98: Managing Physical Interfaces

    Part 3 Managing Physical Interfaces CHAPTERS 1. Physical Interface 2. Basic Parameters Configurations 3. Port Mirror Configuration 4. Port Security Configuration 5. Port Isolation Configurations 6. Loopback Detection Configuration 7. Configuration Examples...
  • Page 99: Physical Interface

    Managing Physical Interfaces Physical Interface Physical Interface Overview Interfaces of a device are used to exchange data and interact with other network devices. Interfaces are classified into physical interfaces and logical interfaces. • Physical interfaces are the ports on the front panel or rear panel of the switch. • Logical interfaces are manually configured and do not physically exist, such as loopback interfaces and routing interfaces.
  • Page 100: Basic Parameters Configurations

    Managing Physical Interfaces Basic Parameters Configurations Basic Parameters Configurations 2.1 Using the GUI Choose the menu Switching > Port > Port Config to load the following page. Figure 2-1 Configuring Basic Parameters Follow these steps to set basic parameters for ports: 1) Set the jumbo frame value and click Apply.
  • Page 101: Using The Cli

    Managing Physical Interfaces Basic Parameters Configurations Speed Select the appropriate speed mode for the port. When Auto is selected, the port autonegotiates speed mode with the connected device. The default setting is Auto. This value is recommended if both ends of the line support auto-negotiation.
  • Page 102 Managing Physical Interfaces Basic Parameters Configurations Step 3 Configure basic parameters for the port: description string Give a port description for identification. string : Content of a port description, ranging from 1 to 16 characters. shutdown no shutdown Use shutdown to disable the port, and use no shutdown to enable the port. When the status is enabled, the port can forward packets normally, otherwise it will discard the received packets.
  • Page 103 Managing Physical Interfaces Basic Parameters Configurations Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#no shutdown Switch(config-if)#description router connection Switch(config-if)#speed auto Switch(config-if)#duplex auto Switch(config-if)#flow-control Switch(config-if)#jumbo Switch(config-if)#show interface configuration gigabitEthernet 1/0/1 Port State Speed Duplex FlowCtrl Jumbo Description -------- ----- -------- ------ -------- -------- ----------- Gi1/0/1 Enable Auto Auto...
  • Page 104: Port Mirror Configuration

    Managing Physical Interfaces Port Mirror Configuration Port Mirror Configuration 3.1 Using the GUI Choose the menu Switching > Port > Port Mirror to load the following page. Figure 3-1 Mirror Session List The above page displays a mirror session, and no more session can be created. Click Edit to configure this mirror session on the following page.
  • Page 105 Managing Physical Interfaces Port Mirror Configuration Figure 3-2 Configuring Port Mirror Follow these steps to configure Port Mirror: 1) In the Destination Port section, specify a monitoring port for the mirror session, and click Apply. 2) In the Source Port section, select one or multiple monitored ports for configuration. Then set the parameters and click Apply.
  • Page 106: Using The Cli

    Managing Physical Interfaces Port Mirror Configuration Egress With this option enabled, the packets sent by the monitored port will be copied to the monitoring port. By default, it is disabled. Note: The member port of an LAG cannot be set as a monitoring port or monitored port. •...
  • Page 107 Managing Physical Interfaces Port Mirror Configuration Switch(config)#show monitor session Monitor Session: Destination Port: Gi1/0/10 Source Ports(Ingress): Gi1/0/1-3 Source Ports(Egress): Gi1/0/1-3 Switch(config-if)#end Switch#copy running-config startup-config
  • Page 108: Port Security Configuration

    Managing Physical Interfaces Port Security Configuration Port Security Configuration 4.1 Using the GUI Choose the menu Switching > Port > Port Security to load the following page. Figure 4-1 Port Security Follow these steps to configure Port Security: 1) Select one or multiple ports for security configuration. 2) Specify the maximum number of the MAC addresses that can be learned on the port, and then select the learn mode of the MAC addresses.
  • Page 109: Using The Cli

    Managing Physical Interfaces Port Security Configuration Learn Mode Select the learn mode of the MAC addresses on the port. Three modes are provided: Dynamic: The switch will delete the MAC addresses that are not used or updated within the aging time. It is the default setting. Static: The learned MAC addresses are out of the influence of the aging time and can only be deleted manually.
  • Page 110 Managing Physical Interfaces Port Security Configuration Step 3 mac address-table max-mac-count { [max-number num ] [mode { dynamic | static | permanent } ] [ status { forward | drop | disable } ] } Enable the port security feature of the port and configure the related parameters. num : The maximum number of MAC addresses that can be learned on the port.
  • Page 111 Managing Physical Interfaces Port Security Configuration Switch(config-if)#end Switch#copy running-config startup-config
  • Page 112: Port Isolation Configurations

    Managing Physical Interfaces Port Isolation Configurations Port Isolation Configurations 5.1 Using the GUI Choose the menu Switching > Port > Port Isolation to load the following page. Figure 5-1 Port Isolation List The above page displays the port isolation list. Click Edit to configure Port Isolation on the following page.
  • Page 113: Using The Cli

    Managing Physical Interfaces Port Isolation Configurations Figure 5-2 Port Isolation Follow these steps to configure Port Isolation: 1) In the Port section, select one or multiple ports to be isolated. 2) In the Forward Portlist section, select the forward ports or LAGs which the isolated ports can only communicate with.
  • Page 114 Managing Physical Interfaces Port Isolation Configurations Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to add ports 1/0/1-3 and LAG 4 to the forward list of port 1/0/5: Switch#configure Switch(config)#interface gigabitEthernet 1/0/5...
  • Page 115: Loopback Detection Configuration

    Managing Physical Interfaces Loopback Detection Configuration Loopback Detection Configuration Using the GUI To avoid broadcast storm, we recommend that you enable storm control before loopback detection is enabled. For detailed introductions about storm control, refer to Configuring QoS . Choose the menu Switching > Port > Loopback Detection to load the following page. Figure 6-1 Loopback Detection Follow these steps to configure loopback detection: 1) In the Global Config section, enable loopback detection and configure the global...
  • Page 116: Using The Cli

    Managing Physical Interfaces Loopback Detection Configuration Automatic Recovery Time Set the recovery time globally, after which the blocked port in Auto Recovery mode can automatically recover to normal status. It should be an integral multiple of the detection interval. The valid values are from 1 to 100, and the default value is 3.
  • Page 117 Managing Physical Interfaces Loopback Detection Configuration Step 3 loopback-detection interval interval-time Set the interval of sending loopback detection packets which is used to detect the loops in the network. interval-time: The interval of sending loopback detection packets. The valid values are from 1 to 1000 seconds.
  • Page 118 Managing Physical Interfaces Loopback Detection Configuration Switch(config)#show loopback-detection global Loopback detection global status : enable Loopback detection interval : 30 s Loopback detection recovery time : 3 intervals Switch(config-if)#end Switch#copy running-config startup-config The following example shows how to enable loopback detection of port 1/0/3 and set the process mode as alert and recovery mode as auto: Switch#configure Switch(config)#interface gigabitEthernet 1/0/3...
  • Page 119: Configuration Examples

    Managing Physical Interfaces Configuration Examples Configuration Examples Example for Port Mirror 7.1.1 Network Requirements As shown below, several hosts and a network analyzer are directly connected to the switch. For network security and troubleshooting, the network manager needs to use the network analyzer to monitor the data packets from the end hosts.
  • Page 120 Managing Physical Interfaces Configuration Examples Figure 7-2 Mirror Session List 2) Click Edit on the above page to load the following page. In the Destination Port section, select port 1/0/1 as the monitoring port and click Apply. Figure 7-3 Destination Port Configuration 3) In the Source Port section, select ports 1/0/2-5 as the monitored ports, and enable Ingress and Egress to allow the received and sent packets to be copied to the monitoring port.
  • Page 121: Using The Cli

    Managing Physical Interfaces Configuration Examples 7.1.4 Using the CLI Switch#configure Switch(config)#monitor session 1 destination interface gigabitEthernet 1/0/1 Switch(config)#monitor session 1 source interface gigabitEthernet 1/0/2-5 both Switch(config)#end Switch#copy running-config startup-config Verify the Configuration Switch#show monitor session 1 Monitor Session: Destination Port: Gi1/0/1 Source Ports(Ingress): Gi1/0/2-5 Source Ports(Egress): Gi1/0/2-5...
  • Page 122: Configuration Scheme

    Managing Physical Interfaces Configuration Examples 7.2.2 Configuration Scheme You can configure port isolation to implement the requirement. Set 1/0/4 as the only forwarding port for port 1/0/1, thus forbidding Host A to forward packets to the other hosts. The following sections provide configuration procedure in two ways: using the GUI and using the CLI.
  • Page 123: Using The Cli

    Managing Physical Interfaces Configuration Examples Figure 7-7 Port Isolation Configuration 3) Click Save Config to save the settings. 7.2.4 Using the CLI Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#port isolation gi-forward-list 1/0/4 Switch(config-if)#end Switch#copy running-config startup-config Verify the Configuration Switch#show port isolation interface Port Forward-List ----...
  • Page 124: Example For Loopback Detection

    Managing Physical Interfaces Configuration Examples 7.3 Example for Loopback Detection 7.3.1 Network Requirements As shown below, Switch A is a convergence-layer switch connecting several access-layer switches. Loops can be easily caused in case of misoperation on the access-layer switches. If there is a loop on an access-layer switch, broadcast storms will occur on Switch A or even in the entire network, creating excessive traffic and degrading the network performance.
  • Page 125: Using The Cli

    Managing Physical Interfaces Configuration Examples Figure 7-9 Global Configuration 3) In the Port Config section, enable ports 1/0/1-3, select the operation mode as Port based so that the port will be blocked when a loop is detected, and keep the recovery mode as Auto so that the port will recover to normal status after the automatic recovery time.
  • Page 126 Managing Physical Interfaces Configuration Examples Switch(config-if)#loopback-detection Switch(config-if)#loopback-detection config process-mode port-based recovery-mode auto Switch(config-if)#exit Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#loopback-detection Switch(config-if)#loopback-detection config process-mode port-based recovery-mode auto Switch(config-if)#exit Switch(config)#interface gigabitEthernet 1/0/3 Switch(config-if)#loopback-detection Switch(config-if)#loopback-detection config process-mode port-based recovery-mode auto Switch(config-if)#end Switch#copy running-config startup-config Verify the Configuration Verify the global configuration: Switch#show loopback-detection global Loopback detection global status : disable...
  • Page 127: Appendix: Default Parameters

    Managing Physical Interfaces Appendix: Default Parameters Appendix: Default Parameters Default settings of Switching are listed in the following tables. Table 8-1 Configurations for Ports Parameter Default Setting Port Config Type Copper Status Enable Speed Auto Duplex Auto Flow Control Disable Jumbo 1518 Bytes Port Mirror...
  • Page 128 Managing Physical Interfaces Appendix: Default Parameters Parameter Default Setting Port Status Disable Operation mode Alert Recovery mode Auto
  • Page 129: Configuring Lag

    Part 4 Configuring LAG CHAPTERS 1. LAG 2. LAG Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 130: Lag

    Configuring LAG 1.1 Overview With LAG (Link Aggregation Group) function, you can aggregate multiple physical ports into a logical interface to increase link bandwidth and configure the backup ports to enhance the connection reliability. 1.2 Supported Features You can configure LAG in two ways: static LAG and LACP (Link Aggregation Control Protocol).
  • Page 131: Lag Configuration

    Configuring LAG LAG Configuration LAG Configuration To complete LAG configuration, follow these steps: 1) Configure the global load-balancing algorithm. 2) Configure Static LAG or LACP. Configuration Guidelines • Ensure that both ends of the aggregation link work in the same LAG mode. For example, if the local end works in LACP mode, the peer end should be set as LACP mode.
  • Page 132: Using The Gui

    Configuring LAG LAG Configuration 2.1 Using the GUI 2.1.1 Configuring Load-balancing Algorithm Choose the menu Switching > LAG > LAG Table to load the following page. Figure 2-1 Global Config In the Global Config section, select the load-balancing algorithm. Click Apply. Hash Algorithm Select the Hash Algorithm, based on which the switch can choose the port to send the received packets.
  • Page 133: Configuring Static Lag Or Lacp

    Configuring LAG LAG Configuration Figure 2-2 Hash Algorithm Configuration Switch A Switch B Hosts Server 2.1.2 Configuring Static LAG or LACP For one port, you can choose only one LAG mode: Static LAG or LACP. And make sure both ends of a link use the same LAG mode. • Configuring Static LAG Choose the menu Switching >...
  • Page 134 Configuring LAG LAG Configuration • Configuring LACP Choose the menu Switching > LAG > LACP to load the following page. Figure 2-4 LACP Config Follow these steps to configure LACP: 1) Specify the system priority for the switch and click Apply. System Priority Specify the system priority for the switch.
  • Page 135: Using The Cli

    Configuring LAG LAG Configuration Mode Select the LACP mode for the port. In LACP, the switch uses LACPDU (Link Aggregation Control Protocol Data Unit) to negotiate the parameters with the peer end. In this way, the two ends select active ports and form the aggregation link. The LACP mode determines whether the port will take the initiative to send the LACPDU.
  • Page 136: Configuring Static Lag Or Lacp

    Configuring LAG LAG Configuration Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set the global load-balancing mode as src-dst-mac: Switch#configure Switch(config)#port-channel load-balance src-dst-mac Switch(config)#show etherchannel load-balance EtherChannel Load-Balancing Configuration: src-dst-mac EtherChannel Load-Balancing Addresses Used Per-Protocol: Non-IP: Source XOR Destination MAC address IPv4: Source XOR Destination MAC address...
  • Page 137 Configuring LAG LAG Configuration Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to add ports 1/0/5-8 to LAG 2 and set the mode as static LAG: Switch#configure Switch(config)#interface range gigabitEthernet 1/0/5-8...
  • Page 138 Configuring LAG LAG Configuration Step 3 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list } Enter interface configuration mode. Step 4 channel-group num mode { active | passive } Add the port to an LAG and set the mode as LACP. : The group number of the LAG.
  • Page 139 Configuring LAG LAG Configuration Switch#copy running-config startup-config The following example shows how to add ports 1/0/1-4 to LAG 6, set the mode as LACP, and select the LACPDU sending mode as active: Switch#configure Switch(config)#interface range gigabitEthernet 1/0/1-4 Switch(config-if-range)#channel-group 6 mode active Switch(config-if-range)#show lacp internal Flags: S - Device is requesting Slow LACPDUs F - Device is requesting Fast LACPDUs...
  • Page 140: Configuration Example

    1/0/9-10 to set them as the backup ports. When any of the active ports is down, the backup ports will be enabled to transmit data. Demonstrated with T2500G-10MPS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.
  • Page 141: Using The Gui

    Configuring LAG Configuration Example Using the GUI The configurations of Switch A and Switch B are similar. The following introductions take Switch A as an example. 1) Choose the menu Switching > LAG > LAG Table to load the following page. Select the hash algorithm as ‘SRC MAC+DST MAC’.
  • Page 142: Using The Cli

    Configuring LAG Configuration Example 3.4 Using the CLI The configurations of Switch A and Switch B are similar. The following introductions take Switch A as an example. 1) Configure the load-balancing algorithm as “src-dst-mac”. Switch#configure Switch(config)#port-channel load-balance src-dst-mac 2) Specify the system priority of Switch A as 0. Remember to ensure that the system priority value of Switch B is bigger than 0.
  • Page 143 Configuring LAG Configuration Example 0, 000a.eb13.2397 Verify the LACP configuration: Switch#show lacp internal Flags: S - Device is requesting Slow LACPDUs F - Device is requesting Fast LACPDUs A - Device is in active mode P - Device is in passive mode Channel group 1 Port Flags State LACP Port Priority Admin Key Oper Key Port Number Port State...
  • Page 144: Appendix: Default Parameters

    Configuring LAG Appendix: Default Parameters Appendix: Default Parameters Default settings of Switching are listed in the following tables. Table 4-1 Default Settings of LAG Parameter Default Setting LAG Table Hash Algorithm SRC MAC+DST MAC LACP Config System Priority 32768 Admin Key Port Priority 32768 Mode...
  • Page 145: Monitoring Traffic

    Part 5 Monitoring Traffic CHAPTERS 1. Traffic Monitor 2. Appendix: Default Parameters...
  • Page 146: Traffic Monitor

    Monitoring Traffic Traffic Monitor Traffic Monitor With Traffic Monitor function, you can monitor the traffic on the switch, including: • Traffic Summary • Traffic Statistics in Detail 1.1 Using the GUI 1.1.1 Viewing the Traffic Summary Choose the menu Switching > Traffic Monitor > Traffic Summary to load the following page.
  • Page 147: Viewing The Traffic Statistics In Detail

    Monitoring Traffic Traffic Monitor Packets Tx: Displays the number of packets transmitted on the port. Error packets are not counted in. Octets Rx: Displays the number of octets received on the port. Error octets are counted in. Octets Tx: Displays the number of octets transmitted on the port. Error octets are counted Statistics: Click this button to view the detailed traffic statistics of the port.
  • Page 148 Monitoring Traffic Traffic Monitor 3) In the Statistics section, view the detailed information of the selected port or LAG. Received: Displays the detailed information of received packets. Broadcast: Displays the number of valid broadcast packets received on the port. Error frames are not counted in. Multicast: Displays the number of valid multicast packets received on the port.
  • Page 149: Using The Cli

    Monitoring Traffic Traffic Monitor Using the CLI In privileged EXEC mode or any other configuration mode, you can use the following command to view the traffic information of each port or LAG: show interface counters [ fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id ] : The port number.
  • Page 150: Appendix: Default Parameters

    Monitoring Traffic Appendix: Default Parameters Appendix: Default Parameters Table 2-1 Traffic Statistics Monitoring. Parameter: Default Setting. Traffic Summary: Auto Refresh: Disable; Refresh Rate: 10 seconds. Traffic Statistics: Auto Refresh: Disable; Refresh Rate: 10 seconds.
  • Page 151: Managing Mac Address Table

    Part 6 Managing MAC Address Table CHAPTERS 1. MAC Address Table 2. Address Configurations 3. Security Configurations 4. Example for Security Configurations 5. Appendix: Default Parameters...
  • Page 152: Mac Address Table

    Managing MAC Address Table MAC Address Table MAC Address Table 1.1 Overview The MAC address table contains address information that the switch uses to forward traffic between ports. As shown below, the table lists map entries of MAC addresses, VLAN IDs and ports.
  • Page 153 Managing MAC Address Table MAC Address Table Security Configurations • Configuring MAC Notification Traps You can configure traps and SNMP (Simple Network Management Protocol) to monitor and receive notifications of the usage of the MAC address table and the MAC address change activity.
  • Page 154: Address Configurations

    Managing MAC Address Table Address Configurations Address Configurations With the MAC address table, you can: • Add static MAC address entries • Change the address aging time • Add filtering address entries • View address table entries 2.1 Using the GUI 2.1.1 Adding Static MAC Address Entries You can add static MAC address entries by manually specifying the desired MAC address or binding dynamic MAC address entries.
  • Page 155 Managing MAC Address Table Address Configurations Follow these steps to add a static MAC address entry: 1) Enter the MAC address, VLAN ID and select a port to bind them together. VLAN ID Specify an existing VLAN in which packets with the specific MAC address are received.
  • Page 156: Modifying The Aging Time Of Dynamic Address Entries

    Managing MAC Address Table Address Configurations 2.1.2 Modifying the Aging Time of Dynamic Address Entries Choose the menu Switching > MAC Address > Dynamic Address to load the following page. Figure 2-3 Modifying the Aging Time of Dynamic Address Entries Follow these steps to modify the aging time of dynamic address entries: 1) In the Aging Config section, enable Auto Aging, and enter your desired length of time.
  • Page 157: Adding Mac Filtering Address Entries

    Managing MAC Address Table Address Configurations 2.1.3 Adding MAC Filtering Address Entries Choose the menu Switching > MAC Address > Filtering Address to load the following page. Figure 2-4 Adding MAC Filtering Address Entries Follow these steps to add MAC filtering address entries: 1) In the Create Filtering Address section, enter the MAC Address and VLAN ID.
  • Page 158: Using The Cli

    Managing MAC Address Table Address Configurations Choose the menu Switching > MAC Address > Address Table to load the following page. Figure 2-5 Viewing Address Table Entries 2.2 Using the CLI 2.2.1 Adding Static MAC Address Entries Follow these steps to add static MAC address entries: Step 1 configure Enter global configuration mode.
  • Page 159: Modifying The Aging Time Of Dynamic Address Entries

    Managing MAC Address Table Address Configurations Step 3 Return to privileged EXEC mode. Step 4 copy running-config startup-config Save the settings in the configuration file. Note: In the same VLAN, once an address is configured as a static address, it cannot be set as a filter- •...
  • Page 160: Adding Mac Filtering Address Entries

    Managing MAC Address Table Address Configurations Step 2 mac address-table aging-time aging-time Set your desired length of address aging time for dynamic address entries. Set the length of time that a dynamic entry remains in the MAC address table after aging-time: the entry is used or updated.
  • Page 161 Managing MAC Address Table Address Configurations Step 4 copy running-config startup-config Save the settings in the configuration file. Note: In the same VLAN, once an address is configured as a filtering address, it cannot be set as a static address, and vice versa. Multicast or broadcast addresses cannot be set as filtering addresses.
  • Page 162: Security Configurations

    Managing MAC Address Table Security Configurations Security Configurations With security configurations of the MAC address table, you can: • Configure MAC notification traps • Limit the number of MAC addresses in VLANs 3.1 Using the GUI 3.1.1 Configuring MAC Notification Traps Choose the menu Switching >...
  • Page 163: Limiting The Number Of Mac Addresses In Vlans

    Managing MAC Address Table Security Configurations Table Full Notification: Enable Table Full Notification, and when the address table is full, a notification will be generated and sent to the management host. Notification Interval: Specify a time value in seconds between 1 to 1000 to bundle the notifications and reduce traffic.
  • Page 164: Using The Cli

    Managing MAC Address Table Security Configurations VLAN ID Specify an existing VLAN in which you want to limit the number of MAC addresses. 2) Enter your desired value in Max Learned MAC to set a threshold. Max Learned Set the maximum number of MAC addresses in the specific VLAN. It ranges from 0 to 16383.
  • Page 165 Managing MAC Address Table Security Configurations Step 4 mac address-table notification interval time Set your desired interval time between each set of New MAC Learned notifications that are generated. time: Specify a time value in seconds between 1 to 1000 to bundle the notifications and reduce traffic.
  • Page 166: Limiting The Number Of Mac Addresses In Vlans

    Managing MAC Address Table Security Configurations Mac Notification Global Config Notification Global Status : enable Table Full Notification Status: disable Notification Interval : 10 Port LrnMode Change Exceed Max Limit New Mac Learned ---- -------------- ---------------- ---------------- Gi1/0/1 disable disable enable Switch(config-if)#end Switch#copy running-config startup-config...
  • Page 167 Managing MAC Address Table Security Configurations VlanId Max-learn Current-learn Status ------ --------- ------------- ------ Drop Switch(config)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 168: Example For Security Configurations

    Managing MAC Address Table Example for Security Configurations Example for Security Configurations 4.1 Network Requirements Several departments are connected to the company network as shown in Figure 4-1. Now the Marketing Department that is in VLAN 10 has network requirements as follows: • Free the network system from illegal accesses and MAC address attacks by limiting the number of access users in this department to 100.
  • Page 169: Using The Gui

    Managing MAC Address Table Example for Security Configurations Using the GUI 1) Choose the menu Switching > MAC Address > MAC VLAN Security to load the following page. Set the maximum number of MAC addresses in VLAN 10 as 100, choose drop mode and click Create.
  • Page 170: Using The Cli

    Managing MAC Address Table Example for Security Configurations 4.4 Using the CLI 1) Set the maximum number of MAC addresses in VLAN 10 as 100, and choose drop mode. Switch#configure Switch(config)#mac address-table security vid 10 max-learn 100 drop 2) Configure the new-MAC-learned trap on port 2 and set the notification interval as 10 seconds.
  • Page 171: Appendix: Default Parameters

    Managing MAC Address Table Appendix: Default Parameters Appendix: Default Parameters Default settings of the MAC Address Table are listed in the following tables. Table 5-1 Entries in the MAC Address Table Parameter Default Setting Static Address Entries None Dynamic Address Entries Auto-learning Filtering Address Entries None...
  • Page 172: Configuring Ddm

    Part 7 Configuring DDM CHAPTERS 1. Overview 2. DDM Configuration 3. Appendix: Default Parameters...
  • Page 173: Overview

    Configuring DDM Overview Overview The DDM (Digital Diagnostic Monitoring) function allows the user to monitor the status of the SFP modules inserted into the SFP ports on the switch. The user can choose to shut down the monitored SFP port automatically when the specified parameter exceeds the alarm threshold or warning threshold.
  • Page 174: Ddm Configuration

    Configuring DDM DDM Configuration DDM Configuration To complete DDM configuration, follow these steps: 1) Enable DDM on the SFP port. 2) Configure the shutdown condition. 3) Configure the specified threshold for warning or alarm. 2.1 Using the GUI 2.1.1 Configuring DDM Globally Choose the menu Switching >...
  • Page 175: Configuring The Temperature Threshold

    Configuring DDM DDM Configuration 2.1.2 Configuring the Temperature Threshold Choose the menu Switching > DDM > Temperature Threshold to load the following page. Figure 2-2 Configure Temperature Threshold Follow these steps to configure DDM's temperature threshold: 1) In the Port Config table, configure temperature threshold of the SFP ports. High Alarm Specify the high threshold for the alarm.
  • Page 176: Configuring The Bias Current Threshold

    Configuring DDM DDM Configuration Follow these steps to configure DDM's voltage threshold: 1) In the Port Config table, configure voltage threshold on the SFP ports. High Alarm Specify the high threshold for the alarm. When the operating parameter rises above this value, action associated with the alarm will be taken. The valid values are from 0 to 6.5535.
  • Page 177: Configuring The Tx Power Threshold

    Configuring DDM DDM Configuration Low Warning Specify the low threshold for the warning. When the operating parameter falls below this value, action associated with the warning will be taken. The valid values are from 0 to 131. Displays the LAG number which the port belongs to. 2) Click Apply.
  • Page 178: Configuring The Rx Power Threshold

    Configuring DDM DDM Configuration 2.1.6 Configuring the Rx Power Threshold Choose the menu Switching > DDM > Rx Power Threshold to load the following page. Figure 2-6 Configure Rx Power Threshold Follow these steps to configure DDM's Rx power threshold: 1) In the Port Config table, configure Rx power threshold on the SFP ports. High Alarm Specify the high threshold for the alarm.
  • Page 179: Using The Cli

    Configuring DDM DDM Configuration In the Port Config table, view the current operating parameters for the SFP modules inserted into the SFP ports. Temperature The current temperature of the SFP module inserted into this port. Voltage The current voltage of the SFP module inserted into this port. Bias Current The current bias current of the SFP module inserted into this port.
  • Page 180 Configuring DDM DDM Configuration Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable DDM on SFP port 1/0/9: Switch#configure Switch(config)#interface gigabitEthernet 1/0/9 Switch(config-if)#ddm state enable Switch(config-if)#show ddm configuration state DDM Status Shutdown Gi1/0/9 Enable...
  • Page 181 Configuring DDM DDM Configuration The following example shows how to set SFP port 1/0/9 to shut down when the warning threshold is exceeded. Switch#configure Switch(config)#interface gigabitEthernet 1/0/9 Switch(config-if)#ddm shutdown warning Switch(config-if)#show ddm configuration state DDM Status Shutdown Gi1/0/9 Enable Warning Gi1/0/10 Enable None...
  • Page 182 Configuring DDM DDM Configuration Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set SFP port 1/0/9’s high alarm temperature threshold as 110 Celsius. Switch#configure Switch(config)#interface gigabitEthernet 1/0/9 Switch(config-if)#ddm temperature_threshold high_alarm 110 Switch(config-if)#show ddm configuration temperature Temperature Threshold(Celsius) : High Alarm...
  • Page 183 Configuring DDM DDM Configuration Step 4 show ddm configuration voltage Display the DDM voltage threshold of the SFP ports. Step 5 Return to Privileged EXEC Mode. Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set SFP port 1/0/9’s high alarm threshold voltage as 5 Switch#configure Switch(config)#interface gigabitEthernet 1/0/9 Switch(config-if)#ddm vlotage_threshold high_alarm 5...
  • Page 184 Configuring DDM DDM Configuration Step 3 ddm bias_current_threshold { high_alarm | high_warning | low_alarm | low-warning } value high_alarm: Specify the high threshold for the alarm. When the operating parameter rises above this value, action associated with the alarm will be taken. high_warning: Specify the high threshold for the warning.
  • Page 185 Configuring DDM DDM Configuration 2.2.6 Configuring Tx Power Threshold Follow these steps to configure the threshold of the DDM Tx power on the specified SFP port. Step 1 configure Enter global configuration mode. Step 2 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Enter interface configuration mode.
  • Page 186 Configuring DDM DDM Configuration Switch(config-if)#end Switch#copy running-config startup-config 2.2.7 Configuring Rx Power Threshold Follow these steps to configure the threshold of the DDM Rx power on the specified SFP port. Step 1 configure Enter global configuration mode. Step 2 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Enter interface configuration mode.
  • Page 187 Configuring DDM DDM Configuration Rx Power Threshold(mW) : High Alarm Low Alarm High Warning Low Warning Gi1/0/9 6.000000 Gi1/0/10 Switch(config-if)#end Switch#copy running-config startup-config 2.2.8 Viewing DDM Configuration Follow these steps to view the DDM configuration. Step 1 configure Enter global configuration mode. Step 2 show ddm configuration { state | temperature | voltage | bias_current | tx_power | rx_power} state:...
  • Page 188 Configuring DDM DDM Configuration 2.2.9 Viewing DDM Status Follow these steps to view the DDM status, which is the digital diagnostic monitoring status of SFP modules inserted into the switch’s SFP ports. Step 1 configure Enter global configuration mode. Step 2 show ddm status Displays all the monitoring status of SFP modules.
  • Page 189 Configuring DDM Appendix: Default Parameters Appendix: Default Parameters Default settings of DDM are listed in the following table. Table 3-1 Default Settings of DDM Parameter Default Setting DDM Status Enable. All the SFP ports are being monitored. None. The port will not be shut down even if the Threshold Action alarm or warning threshold is exceeded.
  • Page 190 Part 8 Configuring L2PT CHAPTERS 1. Overview 2. L2PT Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 191 Configuring L2PT Overview Overview L2PT (Layer 2 Protocol Tunneling) is a feature for service providers to transparently transmit layer 2 protocol data units (PDUs) between customer networks at different locations through a public ISP network. Some terminology that is used in this section is defined as follows: • Edge Switch: The switch that is connected to the customer network and placed on the boundary of the ISP network.
  • Page 192 Configuring L2PT Overview 1) Upon receiving a layer 2 PDU from CE1 via the UNI port, PE1 replaces the destination MAC address of the PDU with a special multicast MAC address (01:00:0c:cd:cd:d0) and then sends the PDU to the ISP network via the NNI port. 2) The ISP network identifies the PDU and directly forwards it to the other end.
  • Page 193 Configuring L2PT L2PT Configuration L2PT Configuration Using the GUI Choose the menu Switching > L2PT > L2PT Config to load the following page. Figure 2-1 Configuring L2PT Follow these steps to configure L2PT: 1) In the Global Config section, enable L2PT globally and click Apply. 2) In the Port Config section, configure the port that is connected to the customer network as a UNI port and specify your desired protocols on the port.
  • Page 194 Configuring L2PT L2PT Configuration Protocol Specify the layer 2 protocol types of the packets that can be transparently transmitted on the selected port: STP: Enable protocol tunneling for the STP packets. GVRP: Enable protocol tunneling for the GVRP packets. 01000CCCCCCC: Enable protocol tunneling for the packets with their destination MAC address as 01000CCCCCCC, which includes CDP, VTP, PAgP and UDLD.
  • Page 195 Configuring L2PT L2PT Configuration Step 3 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-id-list } Enter interface configuration mode. Step 4 l2protocol-tunnel type uni { 01000ccccccc | 01000ccccccd | gvrp | stp | all } [ threshold threshold ] Configure the port as a UNI port, specify the layer 2 protocol types of the packets that can be transparently transmitted on the port, and set the threshold for packets-per-second...
  • Page 196 Configuring L2PT L2PT Configuration This example shows how to enable L2PT globally: Switch#configure Switch(config)#l2protocol-tunnel Switch(config)#show l2protocol-tunnel global l2protocol-tunnel State: Enable Switch(config)#end Switch#copy running-config startup-config This example shows how to configure port 1/0/1 as a UNI port for the layer 2 protocol GVRP and set the threshold as 1000: Switch#configure Switch(config)#interface gigabitEthernet 1/0/1...
  • Page 197: Configuration Scheme

    STP. In addition, configure the threshold as 1000 to limit the number of packets to be processed on the port in one second. Demonstrated with T2500G-10MPS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.
  • Page 198: Using The Cli

    Configuring L2PT Configuration Example 1) Choose the menu Switching > L2PT > L2PT Config to load the following page. Enable the L2PT feature globally and click Apply. 2) Specify port 1/0/1 as an NNI port and click Apply. Specify port 1/0/2 as a UNI port for the STP and set the threshold as 1000.
  • Page 199 Configuring L2PT Configuration Example Verify the Configuration Verify the global configuration: Switch_A#show l2protocol-tunnel global l2protocol-tunnel State: Enable Verify the configuration on port 1/0/1: Switch_A#show l2protocol-tunnel interface gigabitEthernet 1/0/1 Interface Type Protocol Threshold --------- ---- -------- --------- ---- Gi1/0/1 --,--,--,-- --,--,--,-- Verify the configuration on port 1/0/2: Switch_A#show l2protocol-tunnel interface gigabitEthernet 1/0/2 Interface...
  • Page 200: Appendix: Default Parameters

    Configuring L2PT Appendix: Default Parameters Appendix: Default Parameters Default settings of L2PT are listed in the following table. Table 4-1 Default Settings of L2PT. Parameter: Default Setting. Global Config: Layer 2 Protocol Tunneling: Disable. Port Config: Type: NONE; Protocol: NONE; Threshold: Disable.
  • Page 201 Part 9 Configuring 802.1Q VLAN CHAPTERS 1. Overview 2. 802.1Q VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 202 Configuring 802.1Q VLAN Overview Overview VLAN (Virtual Local Area Network) is a network technique that solves broadcasting issues in local area networks. It is usually applied in the following occasions: • To restrict broadcast domain: VLAN technique divides a big local area network into several VLANs, and all VLAN traffic remains within its VLAN.
  • Page 203 Configuring 802.1Q VLAN 802.1Q VLAN Configuration 802.1Q VLAN Configuration To complete 802.1Q VLAN configuration, follow these steps: 1) Configure PVID (Port VLAN ID) of the port; 2) Configure the VLAN, including creating a VLAN and adding the configured port to the VLAN.
  • Page 204 Configuring 802.1Q VLAN 802.1Q VLAN Configuration Link Type Select the link type of the port. It is Access by default. ACCESS: The port can only be added to one VLAN and is usually connected to a terminal device that does not support VLAN, a host for example. When receiving frames: The port accepts untagged frames and adds a VLAN tag with the PVID to •...
  • Page 205 Configuring 802.1Q VLAN 802.1Q VLAN Configuration VLAN Check details of the VLAN which the port is in. 2.1.2 Configuring the VLAN Choose the menu VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page. Figure 2-2 Configuring VLAN Follow these steps to configure VLAN: 1) Enter a VLAN ID and a description for identification to create a VLAN.
  • Page 206 Configuring 802.1Q VLAN 802.1Q VLAN Configuration 2.2 Using the CLI 2.2.1 Creating a VLAN Follow these steps to create a VLAN: Step 1 configure Enter global configuration mode. Step 2 vlan vlan-list When you enter a new VLAN ID, the switch creates a new VLAN and enters VLAN configuration mode;...
  • Page 207 Configuring 802.1Q VLAN 802.1Q VLAN Configuration Switch#copy running-config startup-config 2.2.2 Configuring the Port Follow these steps to configure the port: Step 1 configure Enter global configuration mode. Step 2 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list } Enter interface configuration mode.
  • Page 208 Configuring 802.1Q VLAN 802.1Q VLAN Configuration Vlan Name Egress-rule ---- ----------- --------------- System-VLAN Tagged Switch(config-if)#end Switch#copy running-config startup-config 2.2.3 Adding the Port to the Specified VLAN Follow these steps to add the port to the specified VLAN: Step 1 configure Enter global configuration mode.
  • Page 209 Configuring 802.1Q VLAN 802.1Q VLAN Configuration PVID: 2 Member in LAG: N/A Link Type: General Member in VLAN: Vlan Name Egress-rule ------- ------------------ --------------- System-VLAN Untagged Tagged Switch(config-if)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 210 Configuring 802.1Q VLAN Configuration Example Configuration Example 3.1 Network Requirements • Offices of both Department A and Department B in the company are located in different places, and computers in different offices are connected to different switches. • It is required that computers can communicate with each other in the same department but not with computers in the other department.
  • Page 211 Configuring 802.1Q VLAN Configuration Example Network Topology The figure below shows the network topology. Host A1 and Host A2 are used in Department A, while Host B1 and Host B2 are used in Department B. Switch 1 and Switch 2 are located in two different places. Host A1 and Host B1 are connected to port 1/0/2 and port 1/0/3 on Switch 1 respectively, while Host A2 and Host B2 are connected to port 1/0/6 and port 1/0/7 on Switch 2 respectively.
  • Page 212 Configuring 802.1Q VLAN Configuration Example Figure 3-2 Create VLAN 10 for Department A 2) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page. Create VLAN 10 with the description of Department_A. Add port 1/0/2 as an untagged port and port 1/0/4 as a tagged port to VLAN 10.
  • Page 213: Using The Cli

    Configuring 802.1Q VLAN Configuration Example 3) Click Create again to load the following page. Create VLAN 20 with the description of Department_B. Add port 1/0/2 as an untagged port and port 1/0/4 as a tagged port to VLAN 20. Then click Apply. Figure 3-4 Create VLAN 20 for Department B 4) Click Save Config to save the settings.
  • Page 214 Configuring 802.1Q VLAN Configuration Example Switch_1(config-vlan)#exit 2) Set the link type of port 1/0/2 and port 1/0/3 as Access, and then add port 1/0/2 to VLAN 10 and add port 1/0/3 to VLAN 20. Switch_1(config)#interface gigabitEthernet 1/0/2 Switch_1(config-if)#switchport mode access Switch_1(config-if)#switchport access vlan 10 Switch_1(config-if)#exit Switch_1(config)#interface gigabitEthernet 1/0/3...
  • Page 215: Appendix: Default Parameters

    Configuring 802.1Q VLAN Appendix: Default Parameters Appendix: Default Parameters Default settings of 802.1Q VLAN are listed in the following table. Table 4-1 Default Settings of 802.1Q VLAN Parameter Default Setting VLAN ID PVID Link Type ACCESS Configuration Guide...
  • Page 216 Part 10 Configuring MAC VLAN CHAPTERS 1. Overview 2. MAC VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 217: Overview

    Configuring MAC VLAN Overview Overview VLAN is generally divided by ports. This way of division is simple but isn’t suitable for those networks that require frequent topology changes. With the popularity of mobile office, a terminal device may access the switch via different ports. For example, a terminal device that accessed the switch via port 1 last time may change to port 2 this time.
  • Page 218: Mac Vlan Configuration

    Configuring MAC VLAN MAC VLAN Configuration MAC VLAN Configuration To complete MAC VLAN configuration, follow these steps: 1) Configure 802.1Q VLAN. 2) Bind the MAC address to the VLAN. 3) Enable MAC VLAN for the port. Configuration Guidelines When a port in a MAC VLAN receives an untagged data packet, the switch will first check whether the source MAC address of the data packet has been bound to the MAC VLAN.
  • Page 219: Binding The Mac Address To The Vlan

    Configuring MAC VLAN MAC VLAN Configuration 2.1.2 Binding the MAC Address to the VLAN Choose the menu VLAN > MAC VLAN > MAC VLAN to load the following page. Figure 2-1 MAC VLAN Configuration Follow these steps to bind the MAC address to the VLAN: 1) Enter the MAC address of the device, give it a description, and enter the VLAN ID to bind it to the VLAN.
  • Page 220: Using The Cli

    Configuring MAC VLAN MAC VLAN Configuration Choose the menu VLAN > MAC VLAN > Port Enable to load the following page. Figure 2-2 Enable MAC VLAN for the Port Follow these steps to enable MAC VLAN for the port: Select your desired ports to enable MAC VLAN, and click Apply. Note: The member port of an LAG (Link Aggregation Group) follows the configuration of the LAG but not its own.
  • Page 221: Enabling Mac Vlan For The Port

    Configuring MAC VLAN MAC VLAN Configuration Step 3 show mac-vlan VLAN vid Verify the configuration of MAC VLAN. : Specify the MAC VLAN to be displayed. Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to bind the MAC address 00:19:56:8A:4C:71 to VLAN 10, with the address description as Dept.A.
  • Page 222 Configuring MAC VLAN MAC VLAN Configuration Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable MAC VLAN for port 1/0/1. Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#mac-vlan Switch(config-if)#show mac-vlan interface Port STATUS ------- ----------- Gi1/0/1 Enable...
  • Page 223: Configuration Example

    Configuring MAC VLAN Configuration Example Configuration Example Network Requirements Two departments share all the meeting rooms in the company, but use different servers and laptops. Department A uses Server A and Laptop A, while Department B uses Server B and Laptop B. Server A is in VLAN 10 while Server B is in VLAN 20. It is required that Laptop A can only access Server A and Laptop B can only access Server B, no matter which meeting room the laptops are being used in.
  • Page 224: Using The Gui

    2) On Switch 1 and Switch 2, bind the MAC addresses of the laptops to their corresponding VLANs, and enable MAC VLAN for the ports. Demonstrated with T2500G-10MPS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.
  • Page 225 Configuring MAC VLAN Configuration Example Figure 3-3 VLAN 10 Configuration 3) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page. Create VLAN 20, and add port 1/0/1 as an untagged port and port 1/0/2 as a tagged port to VLAN 20.
  • Page 226 Configuring MAC VLAN Configuration Example Figure 3-4 VLAN 20 Configuration 4) Choose the menu VLAN > MAC VLAN > MAC VLAN to load the following page. Enter MAC Address, Description, VLAN ID and click Create to bind the MAC address of Laptop A to VLAN 10 and bind the MAC address of Laptop B to VLAN 20.
  • Page 227 Configuring MAC VLAN Configuration Example Figure 3-6 Enable MAC VLAN for the Port 6) Click Save Config to save the settings. • Configurations for Switch 3 1) Choose the menu VLAN > 802.1Q VLAN > Port Config to load the following page. Set the link type of ports 1/0/2-5 as General, and click Apply.
  • Page 228 Configuring MAC VLAN Configuration Example Figure 3-8 VLAN 10 Configuration 3) Click Create to load the following page. Create VLAN 20, and add port 1/0/5 as an untagged port and ports 1/0/2-3 as tagged ports to VLAN 20. Click Apply.
  • Page 229: Using The Cli

    Configuring MAC VLAN Configuration Example Figure 3-9 VLAN 20 Configuration 4) Click Save Config to save the settings. Using the CLI • Configurations for Switch 1 and Switch 2 The configurations of Switch 1 and Switch 2 are the same. The following introductions take Switch 1 as an example.
  • Page 230 Configuring MAC VLAN Configuration Example Switch_1(config)#interface gigabitEthernet 1/0/2 Switch_1(config-if)#switchport mode general Switch_1(config-if)#switchport general allowed vlan 10,20 tagged Switch_1(config-if)#exit 3) For port 1/0/1, set the type as General, set the egress rule as Untagged, and add it to both VLAN 10 and VLAN 20. Then enable MAC VLAN for port 1/0/1. Switch_1(config)#interface gigabitEthernet 1/0/1 Switch_1(config-if)#switchport mode general Switch_1(config-if)#switchport general allowed vlan 10,20 untagged...
  • Page 231 Configuring MAC VLAN Configuration Example Switch_3(config-if)#exit Switch_3(config)#interface gigabitEthernet 1/0/3 Switch_3(config-if)#switchport general allowed vlan 10,20 tagged Switch_3(config-if)#exit 3) For port 1/0/4 and port 1/0/5, set the type as General, set the egress rule as Untagged, and respectively add them to VLAN 10 and VLAN 20. Switch_3(config)#interface gigabitEthernet 1/0/4 Switch_3(config-if)#switchport mode general Switch_3(config-if)#switchport general allowed vlan 10 untagged...
  • Page 232 Configuring MAC VLAN Configuration Example • Switch 3 Switch_3#show vlan VLAN Name Status Ports -------- --------------- ------------- ------------------------------------- System-VLAN active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4, Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8 Gi1/0/9, Gi1/0/10 DeptA active Gi1/0/2, Gi1/0/3, Gi1/0/4 DeptB active Gi1/0/2, Gi1/0/3, Gi1/0/5
  • Page 233: Appendix: Default Parameters

    Configuring MAC VLAN Appendix: Default Parameters Appendix: Default Parameters Default settings of MAC VLAN are listed in the following table. Table 4-1 Default Settings of MAC VLAN Parameter Default Setting MAC Address None Description None VLAN ID None Port Enable Disable Configuration Guide...
  • Page 234: Configuring Protocol Vlan

    Part 11 Configuring Protocol VLAN CHAPTERS 1. Overview 2. Protocol VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 235: Overview

    Configuring Protocol VLAN Overview Overview Protocol VLAN is a technology that divides VLANs based on the network layer protocol. With the protocol VLAN rule configured on the basis of the existing 802.1Q VLAN, the switch can analyze special fields of received packets, encapsulate the packets in specific formats, and forward the packets of different protocols to the corresponding VLANs.
  • Page 236: Protocol Vlan Configuration

    3) Configure Protocol VLAN. Configuration Guidelines • You can use the IP, ARP, RARP, and other protocol templates provided by TP-Link switches, or create new protocol templates. • In a protocol VLAN, when a port receives an untagged data packet, the switch will first search for the protocol VLAN matching the protocol type value of the packet.
  • Page 237: Creating Protocol Template

    Configuring Protocol VLAN Protocol VLAN Configuration 2.1.2 Creating Protocol Template Choose the menu VLAN > Protocol VLAN > Protocol Template to load the following page. Figure 2-1 Create a Protocol Template Follow these steps to create a protocol template: 1) Check whether your desired template already exists in the Protocol Template Table section.
  • Page 238: Configuring Protocol Vlan

    Configuring Protocol VLAN Protocol VLAN Configuration 2.1.3 Configuring Protocol VLAN Choose the menu VLAN > Protocol VLAN > Protocol Group to load the following page. Figure 2-2 Configure the Protocol Group Follow these steps to configure the protocol group: 1) In the Protocol Group Config section, select the protocol name and enter the VLAN ID to bind the protocol type to the VLAN.
  • Page 239: Creating A Protocol Template

    Configuring Protocol VLAN Protocol VLAN Configuration 2.2.2 Creating a Protocol Template Follow these steps to create a protocol template: Step 1 configure Enter global configuration mode. Step 2 protocol-vlan template name protocol-name ether-type type Create a protocol template. protocol-name: Specify the protocol name with 1 to 8 characters. type: Specify the Ethernet protocol type with 4 hexadecimal numbers.
  • Page 240: Configuring Protocol Vlan

    Configuring Protocol VLAN Protocol VLAN Configuration 2.2.3 Configuring Protocol VLAN Follow these steps to configure protocol VLAN: Step 1 configure Enter global configuration mode. Step 2 show protocol-vlan template Check the index of each protocol template. Step 3 protocol-vlan vlan vid template index Bind the protocol template to the VLAN.
  • Page 241 Configuring Protocol VLAN Protocol VLAN Configuration SNAP ether-type 809B IPv6 EthernetII ether-type 86DD Switch(config)#protocol-vlan vlan 10 template 6 Switch(config)#end Switch#copy running-config startup-config The following example shows how to add port 1/0/2 to the IPv6 protocol group: Switch#configure Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#show protocol-vlan vlan Index Protocol-Name...
  • Page 242: Configuration Example

    Configuring Protocol VLAN Configuration Example Configuration Example 3.1 Network Requirements A company uses both IPv4 and IPv6 hosts, and these hosts access the IPv4 network and IPv6 network respectively via different routers. It is required that IPv4 packets are forwarded to the IPv4 network, IPv6 packets are forwarded to the IPv6 network, and other packets are dropped.
  • Page 243: Using The Gui

    3) Bind the protocol templates to the corresponding VLANs to form protocol groups, and add port 1/0/1 to the groups. For Switch 1, configure 802.1Q VLAN according to the network topology. Demonstrated with T2500G-10MPS, this chapter provides configuration procedures in two ways: using the GUI and using the CLI. Using the GUI • Configurations for Switch 1...
  • Page 244 Configuring Protocol VLAN Configuration Example 2) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page. Create VLAN 10, and add port 1/0/1 and port 1/0/3 as untagged ports to VLAN 10. Click Apply. Figure 3-3 ...
  • Page 245 Configuring Protocol VLAN Configuration Example 3) Click Create to load the following page. Create VLAN 20, and add ports 1/0/2-3 as untagged ports to VLAN 20. Click Apply. Figure 3-4 Create VLAN 20 4) Click Save Config to save the settings. Configuration Guide...
  • Page 246 Configuring Protocol VLAN Configuration Example • Configurations for Switch 2 1) Choose the menu VLAN > 802.1Q VLAN > Port Config to load the following page. Set the link type of ports 1/0/1-3 as General, and respectively set the PVID of port 1/0/2 and port 1/0/3 as 10 and 20.
  • Page 247 Configuring Protocol VLAN Configuration Example 2) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page. Create VLAN 10, and add port 1/0/1 as tagged port and port 1/0/2 as untagged port to VLAN 10. Click Apply. Figure 3-6 ...
  • Page 248 Configuring Protocol VLAN Configuration Example 3) Click Create to load the following page. Create VLAN 20, and add port 1/0/1 as tagged port and port 1/0/3 as untagged port to VLAN 20. Click Apply. Figure 3-7 Create VLAN 20 4) Choose the menu VLAN > Protocol VLAN > Protocol Template to load the following page.
  • Page 249 Configuring Protocol VLAN Configuration Example Figure 3-8 Create the IPv6 Protocol Template 5) Choose the menu VLAN > Protocol VLAN > Protocol Group to load the following page. Select the IP protocol name (that is the IPv4 protocol template), enter VLAN ID 10, select port 1, and click Apply.
  • Page 250: Using The Cli

    Configuring Protocol VLAN Configuration Example Figure 3-10 Configure the IPv6 Protocol Group 6) Choose the menu VLAN > Protocol VLAN > Protocol Group Table to load the following page. Here you can view the protocol VLAN configuration. Figure 3-11 Protocol VLAN configuration 7) Click Save Config to save the settings.
  • Page 251 Configuring Protocol VLAN Configuration Example 2) For port 1/0/1 and port 1/0/2, set the type as General, set the egress rule as Untagged, and respectively add them to VLAN 10 and VLAN 20. Switch_1(config)#interface gigabitEthernet 1/0/1 Switch_1(config-if)#switchport mode general Switch_1(config-if)#switchport general allowed vlan 10 untagged Switch_1(config-if)#exit Switch_1(config)#interface gigabitEthernet 1/0/2 Switch_1(config-if)#switchport mode general...
  • Page 252 Configuring Protocol VLAN Configuration Example Switch_2(config-if)#exit 3) For port 1/0/2 and port 1/0/3, set the type as General, set the egress rule as Untagged, and add them to VLAN 10 and VLAN 20 respectively. Switch_2(config)#interface gigabitEthernet 1/0/2 Switch_2(config-if)#switchport mode general Switch_2(config-if)#switchport pvid 10 Switch_2(config-if)#switchport general allowed vlan 10 untagged Switch_2(config-if)#exit...
  • Page 253 Configuring Protocol VLAN Configuration Example Index Protocol-Name Member ---- --------------- ---------- ------------- IPv6 Switch_2(config)#interface gigabitEthernet 1/0/1 Switch_2(config-if)#protocol-vlan group 1 Switch_2(config-if)#protocol-vlan group 2 Switch_2(config-if)#exit Switch_2(config)#end Switch_2#copy running-config startup-config Verify the Configurations • Switch 1 Verify 802.1Q VLAN configuration: Switch_1#show vlan VLAN Name Status Ports...
  • Page 254 Configuring Protocol VLAN Configuration Example IPv4 active Gi1/0/1, Gi1/0/2 IPv6 active Gi1/0/1, Gi1/0/3 Verify protocol group configuration: Switch_2#show protocol-vlan vlan Index Protocol-Name Member -------- --------------------- ------ ------------- Gi1/0/1 IPv6 Gi1/0/1 Configuration Guide...
  • Page 255: Appendix: Default Parameters

    Configuring Protocol VLAN Appendix: Default Parameters Appendix: Default Parameters Default settings of Protocol VLAN are listed in the following table. Table 4-1 Default Settings of Protocol VLAN Parameter Default Setting Ethernet II ether-type 0800 Ethernet II ether-type 0806 Protocol Template Table RARP Ethernet II ether-type 8035 SNAP ether-type 8137...
  • Page 256: Configuring Vlan-Vpn

    Part 12 Configuring VLAN-VPN CHAPTERS 1. VLAN-VPN 2. Basic VLAN-VPN Configuration 3. Flexible VLAN-VPN Configuration 4. Configuration Example 5. Appendix: Default Parameters...
  • Page 257: Vlan-Vpn

    Configuring VLAN-VPN VLAN-VPN VLAN-VPN Overview VLAN-VPN (Virtual Private Network) is an easy-to-implement layer 2 VLAN technology, and it is usually deployed at the edge of the ISP (Internet Service Provider) network. With VLAN-VPN, when forwarding packets from the customer network to the ISP network, the switch tags the packets with outer VLAN tags.
  • Page 258: Supported Features

    Configuring VLAN-VPN VLAN-VPN 1.2 Supported Features The VLAN-VPN function includes: basic VLAN-VPN and flexible VLAN-VPN (VLAN mapping). Basic VLAN-VPN All packets from customer VLANs are encapsulated with the same VLAN tag of the ISP network, and sent to the ISP network. Additionally, you can set the TPID (Tag Protocol Identifier) of to-be-sent packets for compatibility with devices in the ISP network.
  • Page 259: Basic Vlan-Vpn Configuration

    Configuring VLAN-VPN Basic VLAN-VPN Configuration Basic VLAN-VPN Configuration To complete the basic VLAN-VPN configuration, follow these steps: 1) Configure 802.1Q VLAN. 2) Enable VLAN-VPN globally and configure up-link ports. Configuration Guidelines The TPID preset by the switch is 0x8100. If devices in the ISP network do not support the value, you should change it to ensure VLAN-VPN packets sent to the ISP network can be recognized and forwarded by devices of other manufacturers.
  • Page 260: Using The Cli

    Configuring VLAN-VPN Basic VLAN-VPN Configuration Follow these steps to configure the global VLAN-VPN parameters and up-link ports: 1) In the Global Config section, enable VPN mode, modify the TPID value for compatibility with devices in the ISP network, and click Apply. VPN Mode VLAN-VPN works only when the VPN mode is enabled.
  • Page 261 Configuring VLAN-VPN Basic VLAN-VPN Configuration Step 3 dot1q-tunnel tpid num Set the TPID value globally. Set the global TPID which is used to identify the protocol of the tag. The default value is 0x8100 in hexadecimal format. You can modify it if needed. Before a VPN up-link port forwards a packet, the port will replace its TPID value in the outer VLAN tag with the user-defined value.
  • Page 262 Configuring VLAN-VPN Basic VLAN-VPN Configuration The following example shows how to set port 1/0/2 as the VPN up-link port: Switch#configure Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#switchport dot1q-tunnel mode nni Switch(config-if)#show dot1q-tunnel interface Port Type Member -------------- -------------------------- Gi1/0/2 Switch(config-if)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 263: Flexible Vlan-Vpn Configuration

    Configuring VLAN-VPN Flexible VLAN-VPN Configuration Flexible VLAN-VPN Configuration To complete the flexible VLAN-VPN configuration, follow these steps: 1) Configure 802.1Q VLAN and basic VLAN-VPN. 2) Configure VLAN mapping. Configuration Guidelines • Before you start, configure 802.1Q VLAN and the basic VLAN-VPN. VLAN mapping entries work only after you have set VPN up-link ports and VPN ports in the basic VLAN-VPN configuration and enabled the VPN feature globally.
  • Page 264: Using The Cli

    Configuring VLAN-VPN Flexible VLAN-VPN Configuration ID in the SP VLAN field, and enter a name to identify the entry. Then click Create to add a mapping entry. Port Choose a VPN up-link port to enable VLAN mapping. You can also enter the port number in 1/0/1 format.
  • Page 265 Configuring VLAN-VPN Flexible VLAN-VPN Configuration Switch(config)#interface gigabitEthernet 1/0/3 Switch(config-if)#switchport dot1q-tunnel mapping 15 1040 mapping1 Switch(config-if)#show dot1q-tunnel mapping Port C-VLAN SP-VLAN Name ----------- ---------- ------------ ----------- Gi1/0/3 1040 mapping1 Switch(config-if)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 266: Configuration Example

    Configuring VLAN-VPN Configuration Example Configuration Example 4.1 Network Requirements Two divisions of the company are located in different areas and have to communicate across an ISP network. A normal communication is required. Figure 4-1 shows the network topology. Switches of the two divisions are connected to customer networks VLAN 100 and VLAN 200 respectively.
  • Page 267: Using The Gui

    Configuring VLAN-VPN Configuration Example Using the GUI The configurations of Switch 1 and Switch 2 are similar. The following introductions take Switch 1 as an example. 1) Choose the menu VLAN > 802.1Q VLAN > Port Config to load the following page. Set the link type of ports 1/0/1-2 as General, and modify PVID of the two ports as 1050.
  • Page 268 Configuring VLAN-VPN Configuration Example Figure 4-3 Creating VLAN 1050 3) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page. Create VLAN 100, and add port 1/0/2 tagged to the VLAN. Click Apply. Figure 4-4 Creating VLAN 100 Configuration Guide...
  • Page 269 Configuring VLAN-VPN Configuration Example 4) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page. Create VLAN 200, and add port 1/0/2 tagged to the VLAN. Click Apply. Figure 4-5 Creating VLAN 200 5) Choose the menu VLAN >...
  • Page 270: Using The Cli

    Configuring VLAN-VPN Configuration Example 4.4 Using the CLI The configurations of Switch 1 and Switch 2 are similar. The following introductions take Switch 1 as an example. 1) Create VLAN 1050, VLAN 100 and VLAN 200. Switch_1#configure Switch_1(config)#vlan 1050 Switch_1(config-vlan)#name SP_VLAN Switch_1(config-vlan)#exit Switch_1(config)#vlan 100 Switch_1(config-vlan)#name Client_VLAN100...
  • Page 271 Configuring VLAN-VPN Configuration Example Switch_1(config)#dot1q-tunnel tpid 9100 Switch_1(config)#end Switch_1#copy running-config startup-config Verify the Configurations Verify the configurations of global VLAN-VPN: Switch_1#show dot1q-tunnel VLAN-VPN Mode: Enabled Global TPID: 0X9100 Mapping Mode: Disabled Verify the configurations of VPN up-link port. Switch_1#show dot1q-tunnel interface Port Type Member --------------...
  • Page 272 Configuring VLAN-VPN Configuration Example Member in LAG: N/A Link Type: General Member in VLAN: Vlan Name Egress-rule ---- ----------- ----------- System-VLAN Untagged Client_VLAN100 Tagged Client_VLAN200 Tagged 1050 SP_VLAN Untagged Configuration Guide...
  • Page 273: Appendix: Default Parameters

    Configuring VLAN-VPN Appendix: Default Parameters Appendix: Default Parameters Default settings of VLAN-VPN are listed in the following table. Table 5-1 Default Settings of VLAN-VPN Parameter Default Setting Global VLAN-VPN Disable VLAN Mapping Enable Global TPID 0x8100 Configuration Guide...
  • Page 274: Configuring Gvrp

    Part 13 Configuring GVRP CHAPTERS 1. Overview 2. GVRP Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 275: Overview

    Configuring GVRP Overview Overview GVRP (GARP VLAN Registration Protocol) is a GARP (Generic Attribute Registration Protocol) application that allows registration and deregistration of VLAN attribute values and dynamic VLAN creation. Without GVRP operating, configuring the same VLAN on a network would require manual configuration on each device.
  • Page 276: Gvrp Configuration

    Configuring GVRP GVRP Configuration GVRP Configuration To complete GVRP configuration, follow these steps: 1) Create a VLAN, and set link type as Trunk for ports that need to enable GVRP. 2) Enable GVRP globally. 3) Enable GVRP on each trunk port and configure the corresponding parameters. Configuration Guidelines To dynamically create a VLAN on all ports in a network link, you must configure the same static VLAN on both ends of the link.
  • Page 277 Configuring GVRP GVRP Configuration Choose the menu VLAN > GVRP > GVRP Config to load the following page. Figure 2-1 GVRP Config Follow these steps to configure GVRP: 1) In the Global Config section, enable GVRP globally, then click Apply. 2) In the Port Config section, select one or more ports, set the status as Enable and configure the related parameters according to your needs.
  • Page 278: Using The Cli

    Configuring GVRP GVRP Configuration LeaveAll Timer When a GARP participant is enabled, the LeaveAll timer is started. When the (centisecond) LeaveAll timer expires, the GARP participant sends LeaveAll messages to request other GARP participants to re-register all its attributes. After that, the participant restarts the LeaveAll timer.
  • Page 279 Configuring GVRP GVRP Configuration Step 4 gvrp Enable GVRP on the port. Step 5 gvrp registration { normal | fixed | forbidden } Configure the GVRP registration mode for the port. normal: In this mode, the port can dynamically register and deregister VLANs, and transmit both dynamic and static VLAN registration information.
  • Page 280 Configuring GVRP GVRP Configuration Note: • The member port of an LAG follows the configuration of the LAG but not its own. The configurations of the port can take effect only after it leaves the LAG. • When setting the timer values, make sure the values are within the required range. The value...
  • Page 281: Configuration Example

    Configuring GVRP Configuration Example Configuration Example Network Requirements Department A and Department B of a company are connected using switches. Offices of one department are distributed on different floors. As shown in Figure 3-1, the network topology is complicated. Configuration of the same VLAN on different switches is required so that computers in the same department can communicate with each other.
  • Page 282: Using The Gui

    Configuring GVRP Configuration Example 3.3 Using the GUI GVRP configuration for Switch 3 is the same as Switch 1, and Switch 4 the same as Switch 2. Other switches share similar configurations. The following configuration procedures take Switch 1, Switch 2 and Switch 5 as examples. • Configurations for Switch 1 1) Choose the menu VLAN >...
  • Page 283 Configuring GVRP Configuration Example Figure 3-3 VLAN Configuration 3) Choose the menu VLAN > GVRP > GVRP Config to load the following page. Enable GVRP globally, then click Apply. Select port 1/0/1, set Status as Enable, and set Registration Mode as Fixed. Keep the values of the timers as default. Click Apply. Figure 3-4 GVRP Configuration Configuration Guide...
  • Page 284 Configuring GVRP Configuration Example 4) Click Save Config to save the settings. • Configurations for Switch 2 1) Choose the menu VLAN > 802.1Q VLAN > Port Config to load the following page. Set the link type of port 1/0/1 as Trunk. Figure 3-5 Set Link Type for the Port 2) Choose the menu VLAN >...
  • Page 285 Configuring GVRP Configuration Example Figure 3-6 VLAN Configuration 3) Choose the menu VLAN > GVRP > GVRP Config to load the following page. Enable GVRP globally, then click Apply. Select port 1/0/1, set Status as Enable, and set Registration Mode as Fixed. Keep the values of the timers as default. Click Apply. Figure 3-7 GVRP Configuration Configuration Guide...
  • Page 286 Configuring GVRP Configuration Example 4) Click Save Config to save the settings. • Configurations for Switch 5 1) Choose the menu VLAN > 802.1Q VLAN > Port Config to load the following page. Set the link type of ports 1/0/1-3 as Trunk. Figure 3-8 Set Link Type for the Port 2) Choose the menu VLAN >...
  • Page 287: Using The Cli

    Configuring GVRP Configuration Example Figure 3-9 GVRP Configuration 3) Click Save Config to save the settings. Using the CLI GVRP configuration for Switch 3 is the same as Switch 1, and Switch 4 the same as Switch 2. Other switches share similar configurations. The following configuration procedures take Switch 1, Switch 2 and Switch 5 as examples.
  • Page 288 Configuring GVRP Configuration Example Switch_1(config-if)#switchport mode trunk Switch_1(config-if)#switchport trunk allowed vlan 10 Switch_1(config-if)#gvrp Switch_1(config-if)#gvrp registration fixed Switch_1(config-if)#end Switch_1#copy running-config startup-config • Configurations for Switch 2 1) Enable GVRP globally. Switch_2#configure Switch_2(config)#gvrp 2) Create VLAN 20. Switch_2(config)#vlan 20 Switch_2(config-vlan)#name Department B Switch_2(config-vlan)#exit 3) For port 1/0/1, set the link type as Trunk, and add it to VLAN 20.
  • Page 289 Configuring GVRP Configuration Example Switch_5(config-if-range)#gvrp Switch_5(config-if-range)#end Switch_5#copy running-config startup-config Verify the Configuration • Switch 1 Verify the global GVRP configuration: Switch_1#show gvrp global GVRP Global Status ------------------ Enabled Verify GVRP configuration for port 1/0/1: Switch_1#show gvrp interface Port Status Reg-Mode LeaveAll JoinIn Leave LAG...
  • Page 290 Configuring GVRP Configuration Example Port Status Reg-Mode LeaveAll JoinIn Leave LAG ---- ------ -------- ------- ------ ----- Gi1/0/1 Enabled Fixed 1000 Gi1/0/2 Disabled Normal 1000 .. Switch 5 Verify global GVRP configuration: GVRP Global Status ------------------ Enabled Verify GVRP configuration for ports 1/0/1-3: Switch_5#show gvrp interface Port Status...
  • Page 291: Appendix: Default Parameters

    Configuring GVRP Appendix: Default Parameters Appendix: Default Parameters Default settings of GVRP are listed in the following tables. Table 4-1 Default Settings of GVRP Parameter Default Setting Global Config GVRP Disable Port Config Status Disable Registration Mode Normal LeaveAll Timer 1000 centisecond Join Timer 20 centisecond...
  • Page 292: Configuring Spanning Tree

    Part 14 Configuring Spanning Tree CHAPTERS 1. Spanning Tree 2. STP/RSTP Configurations 3. MSTP Configurations 4. STP Security Configurations 5. Configuration Example for MSTP 6. Appendix: Default Parameters...
  • Page 293: Spanning Tree

    Configuring Spanning Tree Spanning Tree Spanning Tree Overview STP (Spanning Tree Protocol) is a layer 2 protocol that prevents loops in the network. As is shown in Figure 1-1, STP helps to: • Block specified ports of the switches to build a loop-free topology. • Detect topology changes and automatically generate a loop-free topology.
  • Page 294 Configuring Spanning Tree Spanning Tree Figure 1-2 STP/RSTP Topology Root bridge Designated port Designated port Root port Root port Designated port Designated port Root port Root port Designated port Backup port Alternate port Root Bridge The root bridge is the root of a spanning tree. There is only one root bridge in each spanning tree, and the root bridge has the lowest bridge ID.
  • Page 295 Configuring Spanning Tree Spanning Tree In RSTP/MSTP, the alternate port is the backup for the root port. It is blocked when the root port works normally. Once the root port fails, the alternate port will become the new root port. In STP, the alternate port is always blocked.
  • Page 296 Spanning Tree Learning and Forwarding status correspond exactly to the Learning and Forwarding status specified in STP. In TP-Link switches, the port status includes: Blocking, Learning, Forwarding and Disconnected. • Blocking In this status, the port receives and sends BPDUs. The other packets are dropped.
  • Page 297: Mstp Concepts

    Configuring Spanning Tree Spanning Tree BPDU The packets used to generate the spanning tree. The BPDUs (Bridge Protocol Data Unit) contain a lot of information, like bridge ID, root path cost, port priority and so on. Switches share this information to help determine the tree topology. 1.2.2 MSTP Concepts MSTP, compatible with STP and RSTP, has the same basic elements used in STP and RSTP.
  • Page 298: Stp Security

    Configuring Spanning Tree Spanning Tree Figure 1-4 MST Region Instance 1 (root bridge: A) VLAN 3 Instance 1 Instance 2 (root bridge: B) VLAN 4-5 Instance 2 Other VLANs IST (root bridge: C) Blocked port VLAN-Instance Mapping VLAN-Instance Mapping describes the mapping relationship between VLANs and instances.
  • Page 299 Configuring Spanning Tree Spanning Tree If the switch cannot receive BPDUs because of link congestions or link failures, the root port will become a designated port and the alternate port will transit to forwarding status, so loops will occur. With Loop Protect function enabled, the port will temporarily transit to blocking state when the port does not receive BPDUs.
  • Page 300 Configuring Spanning Tree Spanning Tree A switch removes MAC address entries upon receiving TC-BPDUs (the packets used to announce changes in the network topology). If a user maliciously sends a large number of TC-BPDUs to a switch in a short period, the switch will be busy with removing MAC address entries, which may decrease the performance and stability of the network.
  • Page 301: Stp/Rstp Configurations

    Configuring Spanning Tree STP/RSTP Configurations STP/RSTP Configurations To complete the STP/RSTP configuration, follow these steps: 1) Configure STP/RSTP parameters on ports. 2) Configure STP/RSTP globally. 3) Verify the STP/RSTP configurations. Configuration Guidelines • Before configuring the spanning tree, it's necessary to make clear the role that each switch plays in a spanning tree.
  • Page 302 Configuring Spanning Tree STP/RSTP Configurations Priority Enter the value of the port priority from 0 to 240, which is divisible by 16, and the default value is 128. The port with the lower value has the higher priority. In the same condition, the port with the highest priority will be elected as the root port.
  • Page 303: Configuring Stp/Rstp Globally

    Configuring Spanning Tree STP/RSTP Configurations Port Role Displays the role that the port plays in the spanning tree. Root Port: Indicates the port is a root port. Designated Port: Indicates the port is a designated port. Alternate Port: Indicates the port is a backup of a root port. Backup Port: Indicates the port is a backup of a designated port.
  • Page 304 Configuring Spanning Tree STP/RSTP Configurations Follow these steps to configure STP/RSTP globally: 1) In the Parameters Config section, configure the global parameters of STP/RSTP and click Apply. CIST Priority Specify the CIST priority of the switch. The valid values are from 0 to 61440, which are divisible by 4096. By default, it is 32768.
  • Page 305: Verifying The Stp/Rstp Configurations

    Configuring Spanning Tree STP/RSTP Configurations Mode Select the desired spanning tree mode as STP/RSTP on the switch. By default, it’s STP. STP: Specify the spanning tree mode as STP. RSTP: Specify the spanning tree mode as RSTP. MSTP: Specify the spanning tree mode as MSTP. 2.1.3 Verifying the STP/RSTP Configurations Verify the STP/RSTP information of your switch after all the configurations are finished.
  • Page 306: Using The Cli

    Configuring Spanning Tree STP/RSTP Configurations Spanning-Tree Mode Displays the spanning tree mode. Local Bridge Displays the bridge ID of the local bridge. The local bridge is the current switch. Root Bridge Displays the bridge ID of the root bridge. External Path Cost Displays the root path cost from the switch to the root bridge.
  • Page 307 Configuring Spanning Tree STP/RSTP Configurations Step 4 spanning-tree common-config [ port-priority pri ] [ ext-cost ext-cost ] [ portfast { enable | disable }] [ point-to-point { auto | open | close }] Configure STP/RSTP parameters on the desired port. Specify the value of port priority.
  • Page 308: Configuring Global Stp/Rstp Parameters

    Configuring Spanning Tree STP/RSTP Configurations Interface State Prio Ext-Cost Int-Cost Edge Mode Role Status ---------- ------- ---- ------ -------- ---- --------- ----- ----- ------- Gi1/0/3 Enable Auto Auto No(auto) LnkDwn Switch(config-if)#end Switch#copy running-config startup-config 2.2.2 Configuring Global STP/RSTP Parameters Follow these steps to configure global STP/RSTP parameters of the switch: Step 1 configure Enter global configuration mode.
  • Page 309: Enabling Stp/Rstp Globally

    Configuring Spanning Tree STP/RSTP Configurations Note: To prevent frequent network flapping, make sure that Hello Time, Forward Delay, and Max Age conform to the following formulas: • 2*(Hello Time + 1) <= Max Age • 2*(Forward Delay - 1) >= Max Age...
  • Page 310 Configuring Spanning Tree STP/RSTP Configurations Step 6 copy running-config startup-config Save the settings in the configuration file. This example shows how to enable spanning tree function, configure the spanning tree mode as RSTP and verify the configurations: Switch#configure Switch(config)#spanning-tree mode rstp Switch(config)#spanning-tree Switch(config)#show spanning-tree active Spanning tree is enabled...
  • Page 311: Mstp Configurations

    Configuring Spanning Tree MSTP Configurations MSTP Configurations To complete the MSTP configuration, follow these steps: 1) Configure parameters on ports in CIST. 2) Configure the MSTP region. 3) Configure the MSTP globally. 4) Verify the MSTP configurations. Configuration Guidelines • Before configuring the spanning tree, it's necessary to make clear the role that each switch plays in a spanning tree.
  • Page 312 Configuring Spanning Tree MSTP Configurations Priority Enter the value of port priority from 0 to 240 divisible by 16, and the default value is 128. The port with the lower value has the higher priority. In the same condition, the port with the highest priority will be elected as the root port in CIST. Ext-Path Cost Enter the value of the external path cost.
  • Page 313: Configuring The Mstp Region

    Configuring Spanning Tree MSTP Configurations Port Role Displays the role that the port plays in CIST. Root Port: Indicates the port is the root port in CIST. Designated Port: Indicates the port is the designated port in CIST. Master Port: Indicates the port provides the lowest root path cost from the region to the root bridge in CIST.
  • Page 314 Configuring Spanning Tree MSTP Configurations Follow these steps to create an MST region: 1) In the Region Config section, set the name and revision level to specify an MSTP region. Region Name Configure the name for an MST region using up to 32 characters. By default, it is the MAC address of the switch.
  • Page 315 Configuring Spanning Tree MSTP Configurations Instance ID Displays the instance ID. Status Displays the status of the instance. Priority Enter a value from 0 to 61440 to specify the priority of the switch, which is divisible by 4096, and the default value is 32768. The switch with the lower value has the higher priority, and the switch with the highest priority will be elected as the root bridge in the desired instance.
  • Page 316 Configuring Spanning Tree MSTP Configurations Instance ID Select the desired instance. 2) In the Instance Port Config section, configure port parameters in the desired instance. UNIT Select the desired unit or LAGs for configuration. Priority Enter the value of port priority from 0 to 240, which is divisible by 16, and the default value is 128.
  • Page 317: Configuring Mstp Globally

    Configuring Spanning Tree MSTP Configurations 3.1.3 Configuring MSTP Globally Choose the menu Spanning Tree > STP Config > STP Config to load the following page. Figure 3-5 Configure MSTP Function Globally Follow these steps to configure MSTP globally: 1) In the Parameters Config section, configure the global parameters of MSTP and click Apply.
  • Page 318 Configuring Spanning Tree MSTP Configurations Note: To prevent frequent network flapping, make sure that Hello Time, Forward Delay, and Max Age conform to the following formulas: • 2*(Hello Time + 1) <= Max Age • 2*(Forward Delay - 1) >= Max Age...
  • Page 319: Verifying The Mstp Configurations

    Configuring Spanning Tree MSTP Configurations 3.1.4 Verifying the MSTP Configurations Choose the menu Spanning Tree > STP Config > STP Summary to load the following page. Figure 3-6 Verifying the MSTP Configurations The STP Summary section shows the summary information of CIST: Spanning Tree Displays the status of the spanning tree function.
  • Page 320: Using The Cli

    Configuring Spanning Tree MSTP Configurations Internal Path Cost Displays the internal path cost. It is the root path cost from the current switch to the root bridge in IST. Designated Bridge Displays the bridge ID of the designated bridge in CIST. Root Port Displays the root port in CIST.
  • Page 321 Configuring Spanning Tree MSTP Configurations Step 4 spanning-tree common-config [ port-priority pri ] [ ext-cost ext-cost ] [ int-cost int-cost ][ portfast { enable | disable }] [ point-to-point { auto | open | close }] Configure the parameters on ports in CIST. Specify the value of port priority.
  • Page 322: Configuring The Mstp Region

    Configuring Spanning Tree MSTP Configurations Switch(config)#interface gigabitEthernet 1/0/3 Switch(config-if)#spanning-tree Switch(config-if)#spanning-tree common-config port-priority 32 Switch(config-if)#show spanning-tree interface gigabitEthernet 1/0/3 MST-Instance 0 (CIST) Interface State Prio Ext-Cost Int-Cost Edge Mode Role Status ----------- -------- ---- -------- -------- ---- --------- ----- ------- -------- Gi1/0/3 Enable Auto...
  • Page 323 Configuring Spanning Tree MSTP Configurations Step 4 name name Configure the region name of the region. name: Specify the region name, used to identify an MST region. The valid values are from 1 to 32 characters. Step 5 revision revision Configure the revision level of the region.
  • Page 324 Configuring Spanning Tree MSTP Configurations MST-Instance Vlans-Mapped ---------------- ------------------------------------------------------------ 1,7-4094 2-6, ---------------------------------------------------------------------------- Switch(config-mst)#end Switch#copy running-config startup-config • Configuring the Parameters on Ports in Instance Follow these steps to configure the priority and path cost of ports in the specified instance: Step 1 configure Enter global configuration mode.
  • Page 325: Configuring Global Mstp Parameters

    Configuring Spanning Tree MSTP Configurations Step 6 copy running-config startup-config Save the settings in the configuration file. This example shows how to configure the priority as 144, the path cost as 200 of port 1/0/3 in instance 5: Switch#configure Switch(config)#interface gigabitEthernet 1/0/3 Switch(config-if)#spanning-tree mst instance 5 port-priority 144 cost 200 Switch(config-if)#show spanning-tree interface gigabitEthernet 1/0/3 MST-Instance 0 (CIST)
  • Page 326 Configuring Spanning Tree MSTP Configurations Step 3 spanning-tree timer {[ forward-time forward-time ] [ hello-time hello-time ] [ max-age max-age ]} (Optional) Configure the Forward Delay, Hello Time and Max Age. forward-time: Specify the value of Forward Delay. The valid values are from 4 to 30 in seconds, and the default value is 15.
  • Page 327: Enabling Spanning Tree Globally

    Configuring Spanning Tree MSTP Configurations Switch(config-if)#spanning-tree hold-count 8 Switch(config-if)#spanning-tree max-hops 25 Switch(config-if)#show spanning-tree bridge State Mode Priority Hello-Time Fwd-Time Max-Age Hold-Count Max-Hops ------- ------- -------- -------- -------- -------- --------- -------- Enable Mstp 36864 Switch(config-if)#end Switch#copy running-config startup-config 3.2.4 Enabling Spanning Tree Globally Follow these steps to configure the spanning tree mode as MSTP and enable spanning tree function globally: Step 1...
  • Page 328 Configuring Spanning Tree MSTP Configurations Spanning-tree’s mode: MSTP (802.1s Multiple Spanning Tree Protocol) Latest topology change time: 2006-01-04 10:47:42 MST-Instance 0 (CIST) Root Bridge Priority : 32768 Address : 00-0a-eb-13-23-97 External Cost : 200000 Root Port : Gi/0/20 Designated Bridge Priority : 32768 Address...
  • Page 329 Configuring Spanning Tree MSTP Configurations Priority : 32768 Address : 00-0a-eb-13-12-ba Interface Prio Cost Role Status ---------- ---- -------- ------- -------- Gi/0/6 128 200000 Altn Gi/0/8 128 200000 Mstr Switch(config)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 330: Stp Security Configurations

    Configuring Spanning Tree STP Security Configurations STP Security Configurations With STP security, you can: • Configure the Loop Protect function. • Configure the Root Protect function. • Configure the TC Protect function. • Configure the BPDU Protect function. • Configure the BPDU Filter function. 4.1 Using the GUI 4.1.1 Configuring the STP Security Choose the menu Spanning Tree >...
  • Page 331: Using The Cli

    Configuring Spanning Tree STP Security Configurations Loop Protect Enable or disable the Loop Protect function. It is recommended to enable this function on root ports and alternate ports. Loop Protect function is used to prevent loops caused by link congestions or link failures.
  • Page 332 Configuring Spanning Tree STP Security Configurations Step 2 interface {gigabitEthernet port | range gigabitEthernet port-list | port-channel port-channel | range port-channel port-channel-list } Enter interface configuration mode. Step 3 spanning-tree guard loop (Optional) Enable the Loop Protect feature on the port. It is recommended to enable this function on root ports and alternate ports.
  • Page 333 Configuring Spanning Tree STP Security Configurations Step 10 copy running-config startup-config Save the settings in the configuration file. This example shows how to enable Loop Protect, Root Protect, BPDU Filter and BPDU Protect functions on port 1/0/3: Switch#configure Switch(config)#interface gigabitEthernet 1/0/3 Switch(config-if)#spanning-tree guard loop Switch(config-if)#spanning-tree guard root Switch(config-if)#spanning-tree bpdufilter...
  • Page 334: Configuration Example For Mstp

    Configuring Spanning Tree Configuration Example for MSTP Configuration Example for MSTP MSTP, backwards-compatible with STP and RSTP, can map VLANs to instances to enable load-balancing, thus providing a more flexible method in network management. Here we take the MSTP configuration as an example. 5.1 Network Requirements As shown in figure 5-1, the network consists of three switches.
  • Page 335: Using The Gui

    Configuring Spanning Tree Configuration Example for MSTP Figure 5-2 VLAN-Instance Mapping [Figure: Switch A, Switch B and Switch C; Instance 1: VLAN 101 - VLAN 103; Instance 2: VLAN 104 - VLAN 106; blocked port marked] The overview of configuration is as follows: 1) Enable the Spanning Tree function on the ports in each switch.
  • Page 336 Configuring Spanning Tree Configuration Example for MSTP Figure 5-3 Enable Spanning Tree Function on Ports 2) Choose the menu Spanning Tree > MSTP Instance > Region Config to load the following page. Set the region name as 1 and the revision level as 100. Figure 5-4 Configuring the MST Region 3) Choose the menu Spanning Tree >...
  • Page 337 Configuring Spanning Tree Configuration Example for MSTP Figure 5-6 Configure the Path Cost of Port 1/0/1 In Instance 1 5) Choose the menu Spanning Tree > STP Config > STP Config to load the following page. Enable MSTP function globally, here we leave the values of the other global parameters as default settings.
  • Page 338 Configuring Spanning Tree Configuration Example for MSTP • Configurations for Switch B 1) Choose the menu Spanning Tree > STP Config > Port Config to load the following page. Enable the spanning tree function on port 1/0/1 and port 1/0/2. Here we leave the values of the other parameters as default settings.
  • Page 339 Configuring Spanning Tree Configuration Example for MSTP Figure 5-10 Configuring the VLAN-Instance Mapping 4) Choose the menu Spanning Tree > MSTP Instance > Instance Config to load the following page. Configure the priority of Switch B as 0 to set it as the root bridge in instance 1.
  • Page 340 Configuring Spanning Tree Configuration Example for MSTP Figure 5-12 Configure the Path Cost of Port 1/0/2 in Instance 2 6) Choose the menu Spanning Tree > STP Config > STP Config to load the following page. Enable MSTP function globally. Here we leave the values of the other global parameters as default settings.
  • Page 341 Configuring Spanning Tree Configuration Example for MSTP • Configurations for Switch C 1) Choose the menu Spanning Tree > STP Config > Port Config to load the following page. Enable the spanning tree function on port 1/0/1 and port 1/0/2. Here we leave the values of the other parameters as default settings.
  • Page 342 Configuring Spanning Tree Configuration Example for MSTP Figure 5-16 Configuring the VLAN-Instance Mapping 4) Choose the menu Spanning Tree > MSTP Instance > Instance Config to load the following page. Configure the priority of Switch C as 0 to set it as the root bridge in instance 2.
  • Page 343: Using The Cli

    Configuring Spanning Tree Configuration Example for MSTP Figure 5-18 Configuring the MSTP Globally 6) Click Save Config to save the settings. Using the CLI • Configurations for Switch A 1) Enable the spanning tree function on port 1/0/1 and port 1/0/2, and specify the path cost of port 1/0/1 in instance 1 as 400000.
  • Page 344 Configuring Spanning Tree Configuration Example for MSTP Switch(config-mst)#instance 1 vlan 101-103 Switch(config-mst)#instance 2 vlan 104-106 Switch(config-mst)#exit 3) Configure the spanning tree mode as MSTP, then enable spanning tree function globally. Switch(config)#spanning-tree mode mstp Switch(config)#spanning-tree Switch(config)#end Switch#copy running-config startup-config • Configurations for Switch B 1) Enable the spanning tree function on port 1/0/1 and port 1/0/2, and specify the path cost of port 1/0/2 in instance 2 as 400000.
  • Page 345 Configuring Spanning Tree Configuration Example for MSTP Switch(config)#spanning-tree mode mstp Switch(config)#spanning-tree Switch(config)#end Switch#copy running-config startup-config • Configurations for Switch C 1) Enable the spanning tree function on port 1/0/1 and port 1/0/2. Switch#configure Switch(config)#interface range gigabitEthernet 1/0/1-2 Switch(config-if-range)#spanning-tree Switch(config-if-range)#exit 2) Configure the region name as 1, the revision number as 100; map VLAN101-VLAN103 to instance 1;...
  • Page 346 Configuring Spanning Tree Configuration Example for MSTP Root Bridge Priority Address : 00-0a-eb-13-12-ba Internal Cost : 400000 Root Port Designated Bridge Priority Address : 00-0a-eb-13-12-ba Local Bridge Priority : 32768 Address : 00-0a-eb-13-23-97 Interface Prio Cost Role Status --------- ---- -------- ------ -----...
  • Page 347 Configuring Spanning Tree Configuration Example for MSTP Priority : 32768 Address : 00-0a-eb-13-23-97 Interface Prio Cost Role Status --------- ---- -------- ------- ------- ---- Gi1/0/1 200000 Desg Gi1/0/2 200000 Root • Switch B Verify the configurations of Switch B in instance 1: Switch(config)#show spanning-tree mst instance 1 MST-Instance 1 Root Bridge...
  • Page 348 Configuring Spanning Tree Configuration Example for MSTP Address : 3c-46-d8-9d-88-f7 Internal Cost : 400000 Root Port Designated Bridge Priority Address : 3c-46-d8-9d-88-f7 Local Bridge Priority : 32768 Address : 00-0a-eb-13-12-ba Interface Prio Cost Role Status --------- ---- -------- ------- ------- Gi1/0/1 200000 Altn Gi1/0/2...
  • Page 349 Configuring Spanning Tree Configuration Example for MSTP Interface Prio Cost Role Status ---------- ------ -------- --------- ---------- Gi1/0/1 200000 Desg Gi1/0/2 200000 Root Verify the configurations of Switch C in instance 2: Switch(config)#show spanning-tree mst instance 2 MST-Instance 2 Root Bridge Priority Address : 3c-46-d8-9d-88-f7...
  • Page 350: Appendix: Default Parameters

    Configuring Spanning Tree Appendix: Default Parameters Appendix: Default Parameters Default settings of the Spanning Tree feature are listed in the following table. Table 6-1 Default Settings of the Global Parameters Parameter Default Setting Spanning-tree Disable Mode CIST Priority 32768 Hello Time 2 seconds Max Age 20 seconds...
  • Page 351 Configuring Spanning Tree Appendix: Default Parameters Parameter Default Setting Port Priority Path Cost Auto Configuration Guide...
  • Page 352: Configuring Layer 2 Multicast

    Part 15 Configuring Layer 2 Multicast CHAPTERS 1. Layer 2 Multicast 2. IGMP Snooping Configurations 3. Configuring MLD Snooping 4. Viewing Multicast Snooping Configurations 5. Configuration Examples 6. Appendix: Default Parameters...
  • Page 353: Layer 2 Multicast

    Configuring Layer 2 Multicast Layer 2 Multicast Layer 2 Multicast 1.1 Overview In a point-to-multipoint network, packets can be sent in three ways: unicast, broadcast and multicast. With unicast, many copies of the same information will be sent to all the receivers, occupying a large bandwidth.
  • Page 354: Supported Layer 2 Multicast Protocols

    Configuring Layer 2 Multicast Layer 2 Multicast Demonstrated as below: Figure 1-1 IGMP Snooping [Figure: multicast packets transmission without IGMP Snooping and with IGMP Snooping; each panel shows a source, a multicast router, a Layer 2 switch and hosts]...
  • Page 355: Igmp Snooping Configurations

    Configuring Layer 2 Multicast IGMP Snooping Configurations IGMP Snooping Configurations 2.1 Using the GUI 2.1.1 Configuring IGMP Snooping Globally Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page. Figure 2-1 IGMP Snooping Global Config Enabling IGMP Snooping Globally Before configuring functions related to IGMP Snooping, enable IGMP Snooping globally first.
  • Page 356: (Optional) Configuring Report Message Suppression

    Configuring Layer 2 Multicast IGMP Snooping Configurations For switches that support MLD Snooping, IGMP Snooping and MLD Snooping share the setting of Unknown Multicast, so you have to enable MLD Snooping globally on the Multicast > MLD Snooping > Snooping Config page at the same time. Follow these steps to configure unknown multicast.
  • Page 357: Configuring Igmp Snooping Last Listener Query

    Configuring Layer 2 Multicast IGMP Snooping Configurations Configuring IGMP Snooping Last Listener Query Configure the Last Listener Query Interval and Last Listener Query Count when the switch receives an IGMP leave message. If the specified count of Multicast-Address-Specific Queries (MASQs) are sent and no report message is received, the switch will delete the multicast address from the multicast forwarding table.
  • Page 358: Configuring The Port's Basic Igmp Snooping Features

    Configuring Layer 2 Multicast IGMP Snooping Configurations 2.1.2 Configuring the Port’s Basic IGMP Snooping Features Choose the menu Multicast > IGMP Snooping > Port Config to load the following page. Figure 2-2 Enable IGMP Snooping on Port Enabling IGMP Snooping on the Port Follow these steps to enable or disable IGMP Snooping on the port.
  • Page 359: Configuring Igmp Snooping In The Vlan

    Configuring Layer 2 Multicast IGMP Snooping Configurations 2.1.3 Configuring IGMP Snooping in the VLAN Choose the menu Multicast > IGMP Snooping > VLAN Config to load the following page. Figure 2-3 IGMP Snooping in VLAN Configuring IGMP Snooping Globally in the VLAN In the VLAN Config section, follow these steps to configure relevant parameters for the designated VLAN.
  • Page 360: (Optional) Configuring The Static Router Ports In The Vlan

    Configuring Layer 2 Multicast IGMP Snooping Configurations 3) Click Create. (Optional) Configuring the Static Router Ports in the VLAN Follow these steps to configure static router ports in the designated VLAN: 1) Configure the router ports in the designated VLAN. VLAN ID Specify the VLAN to be configured.
  • Page 361: Creating Multicast Vlan And Configuring Basic Settings

    Configuring Layer 2 Multicast IGMP Snooping Configurations Figure 2-4 Multicast VLAN Config Creating Multicast VLAN and Configuring Basic Settings In the Multicast VLAN section, follow these steps to enable Multicast VLAN and to finish the basic settings: 1) Set up the VLAN that the router ports and the member ports are in. For details, please refer to Configuring 802.1Q VLAN.
  • Page 362: (Optional) Creating Replace Source Ip

    Configuring Layer 2 Multicast IGMP Snooping Configurations Member Port Time Specify the aging time of the member ports in the multicast VLAN. If the member port does not receive any IGMP membership report message from the multicast group within the member port time, the switch will no longer consider this port as a member port and delete it from the multicast forwarding table.
  • Page 363: Optional) Configuring The Querier

    Configuring Layer 2 Multicast IGMP Snooping Configurations Note: When configuration is finished, all multicast data through the ports in the VLAN will be processed in this multicast VLAN. 2.1.5 (Optional) Configuring the Querier IGMP Snooping Querier sends general query packets regularly to maintain the multicast forwarding table.
  • Page 364: Configuring Igmp Profile

    Configuring Layer 2 Multicast IGMP Snooping Configurations 2.1.6 Configuring IGMP Profile With IGMP Profile, the switch can define a blacklist or whitelist of multicast addresses so as to filter multicast sources. Choose the menu Multicast > IGMP Snooping > Profile Config to load the following page.
  • Page 365: Editing Ip Range Of The Profile

    Configuring Layer 2 Multicast IGMP Snooping Configurations Editing IP Range of the Profile Follow these steps to edit profile mode and its IP range: 1) Click Edit in the IGMP Profile Info table. Edit its IP range and click Add to save the settings.
  • Page 366: Binding Profile And Member Ports

    Configuring Layer 2 Multicast IGMP Snooping Configurations Figure 2-8 Profile Binding Binding Profile and Member Ports Follow these steps to bind the profile to the port. 1) Select the port to be bound, and enter the Profile ID in the Profile ID column. Select Select the port to be bound.
  • Page 367: Viewing Igmp Statistics On Each Port

    Configuring Layer 2 Multicast IGMP Snooping Configurations Overflow Action Select the action towards the new multicast group when the number of multicast groups the port joined exceeds max group. Drop: Drop all subsequent membership report messages, and the port will not join any new multicast groups.
  • Page 368 Configuring Layer 2 Multicast IGMP Snooping Configurations 2) Click Apply. Viewing IGMP Statistics The IGMP Statistics table displays all kinds of IGMP statistics of all the ports. 2.1.9 Enabling IGMP Accounting and Authentication Choose the menu Multicast > IGMP Snooping > IGMP Authentication to load the following page.
  • Page 369 Configuring Layer 2 Multicast IGMP Snooping Configurations Configuring IGMP Authentication on the Port To use this function, you should also enable AAA globally and configure RADIUS server on the switch. Follow these steps to enable IGMP Authentication on the port. 1) Specify the ports and enable IGMP Authentication.
  • Page 370 Configuring Layer 2 Multicast IGMP Snooping Configurations Multicast IP Specify the multicast group that the static member is in. VLAN ID Specify the VLAN that the static member is in. Forward Port Specify one or more ports to be the static member port in the multicast group. Without aging, the static member port receives all multicast data sent to this multicast group.
  • Page 371 Configuring Layer 2 Multicast IGMP Snooping Configurations Step 3 ip igmp snooping Enable IGMP Snooping on the specified port. Step 4 Return to privileged EXEC mode. Step 5 show ip igmp snooping Show the basic IGMP snooping configuration. Step 6 copy running-config startup-config Save the settings in the configuration file.
  • Page 372 Configuring Layer 2 Multicast IGMP Snooping Configurations 2.2.3 Configuring IGMP Snooping Parameters Globally Configuring Report Message Suppression Step 1 configure Enter global configuration mode. Step 2 ip igmp snooping report-suppression Enable Report Message Suppression globally. If this function is enabled, the switch will only forward the first IGMP report message to Layer 3 devices and suppress subsequent IGMP report messages from the same multicast group during one query interval, which reduces the number of IGMP packets.
  • Page 373 Configuring Layer 2 Multicast IGMP Snooping Configurations Switch#copy running-config startup-config Configuring Unknown Multicast Step 1 configure Enter global configuration mode. Step 2 ip igmp snooping drop-unknown Configure how the switch processes the multicast data from unknown multicast groups as Discard. Unknown multicast groups are multicast groups whose destination multicast address is not in the multicast forwarding table of the switch.
  • Page 374 Configuring Layer 2 Multicast IGMP Snooping Configurations Enable Port: Enable VLAN: Switch(config-if)#end Switch#copy running-config startup-config 2.2.4 Configuring IGMP Snooping Parameters on the Port Configuring Router Port Time and Member Port Time Step 1 configure Enter global configuration mode. Step 2 ip igmp snooping rtime rtime ip igmp snooping mtime mtime is the aging time of router ports, ranging from 60 to 600 seconds.
  • Page 375 Configuring Layer 2 Multicast IGMP Snooping Configurations Global Report Suppression :Disable Global Authentication Accounting:Disable Enable Port: Enable VLAN: Switch(config-if)#end Switch#copy running-config startup-config Configuring Fast Leave Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 3...
  • Page 376 Configuring Layer 2 Multicast IGMP Snooping Configurations Port IGMP-Snooping Fast-Leave ---- ----------- ---------- Gi1/0/3 enable enable Switch(config-if)#end Switch#copy running-config startup-config Configuring Max Group and Overflow Action on the Port Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 3...
  • Page 377 Configuring Layer 2 Multicast IGMP Snooping Configurations Switch(config-if)#ip igmp snooping max-groups 500 Switch(config-if)#ip igmp snooping max-groups action drop Switch(config-if)#show ip igmp snooping interface gigabitEthernet 1/0/3 max-groups Port Max-Groups Overflow-Action ---- ------------- ------------------- Gi1/0/3 Drop Switch(config-if)#end Switch#copy running-config startup-config 2.2.5 Configuring IGMP Snooping Last Listener Query Step 1 configure Enter global configuration mode.
  • Page 378 Configuring Layer 2 Multicast IGMP Snooping Configurations Last Query Times Last Query Interval Global Member Age Time :260 Global Router Age Time :300 Global Report Suppression :Disable Global Authentication Accounting:Disable Enable Port: Enable VLAN: Switch(config)#end Switch#copy running-config startup-config 2.2.6 Configuring IGMP Snooping Parameters in the VLAN Configuring Router Port Time and Member Port Time Step 1 configure...
  • Page 379 Configuring Layer 2 Multicast IGMP Snooping Configurations Switch(config)#show ip igmp snooping vlan 2 Vlan Id: 2 Router Time:500 Member Time:400 Static Router Port:None Dynamic Router Port:None Forbidden Router Port:None Switch(config)#show ip igmp snooping vlan 3 Vlan Id: 3 Router Time:500 Member Time:400 Static Router Port:None Dynamic Router Port:None...
  • Page 380 Configuring Layer 2 Multicast IGMP Snooping Configurations Switch(config)#ip igmp snooping Switch(config)#ip igmp snooping vlan-config 2 rport interface gigabitEthernet 1/0/2 Switch(config)#show ip igmp snooping vlan 2 Vlan Id: 2 Router Time:0 Member Time:0 Static Router Port:Gi1/0/2 Dynamic Router Port:None Forbidden Router Port:None Switch(config)#end Switch#copy running-config startup-config Configuring Forbidden Router Port...
  • Page 381 Configuring Layer 2 Multicast IGMP Snooping Configurations Vlan Id: 2 Router Time:0 Member Time:0 Static Router Port:None Dynamic Router Port:None Forbidden Router Port:Gi1/0/4-6 Switch(config)#end Switch#copy running-config startup-config Configuring Static Multicast (Multicast IP and Forward Port) Step 1 configure Enter global configuration mode. Step 2 ip igmp snooping vlan-config vlan-id-list static ip interface {gigabitEthernet port-list | port- channel port-channel-id }...
  • Page 382 Configuring Layer 2 Multicast IGMP Snooping Configurations 226.0.0.2 static Gi1/0/9-10 Switch(config)#end Switch#copy running-config startup-config 2.2.7 Configuring IGMP Snooping Parameters in the Multicast VLAN Configuring Router Port Time and Member Port Time Step 1 configure Enter global configuration mode. Step 2 ip igmp snooping multi-vlan-config [ vlan-id ] [rtime router-time | mtime member-time ] vlan-id specifies the VLAN to be created or to be configured...
  • Page 383 Configuring Layer 2 Multicast IGMP Snooping Configurations Static Router Port:None Dynamic Router Port:None Forbidden Router Port:None Switch(config)#end Switch#copy running-config startup-config Configuring Static Router Port Step 1 configure Enter global configuration mode. Step 2 ip igmp snooping multi-vlan-config [ vlan-id ] [rport interface {gigabitEthernet port-list | port- channel port-channel-id }] vlan-id specifies the VLAN to be created or to be configured...
  • Page 384 Configuring Layer 2 Multicast IGMP Snooping Configurations Forbidden Router Port:None Switch(config)#end Switch#copy running-config startup-config Configuring Forbidden Router Port Step 1 configure Enter global configuration mode. Step 2 ip igmp snooping multi-vlan-config [ vlan-id ] router-ports-forbidden interface {gigabitEthernet port-list | port-channel port-channel-id } vlan-id specifies the multicast VLAN to be configured...
  • Page 385 Configuring Layer 2 Multicast IGMP Snooping Configurations Switch(config)#end Switch#copy running-config startup-config Configuring Replace Source IP Step 1 configure Enter global configuration mode. Step 2 ip igmp snooping multi-vlan-config [ vlan-id ] replace-sourceip ip vlan-id specifies the multicast VLAN to be configured. ip specifies the new source IP.
  • Page 386 Configuring Layer 2 Multicast IGMP Snooping Configurations 2.2.8 Configuring the Querier Enabling IGMP Querier Step 1 configure Enter global configuration mode. Step 2 ip igmp snooping querier vlan vlan-id vlan-id specifies the VLAN to enable IGMP Querier. Step 3 show ip igmp snooping querier [vlan vlan-id ] Show the IGMP querier configuration.
  • Page 387 Configuring Layer 2 Multicast IGMP Snooping Configurations Step 2 ip igmp snooping querier vlan vlan-id {query-interval interval | max-response-time response-time | general-query source-ip ip-addr } vlan-id specifies the VLAN where the querier is. interval is the interval between general query messages sent by the querier. response-time is the host’s maximum response time to general query messages in a range of 1...
  • Page 388 Configuring Layer 2 Multicast IGMP Snooping Configurations 2.2.9 Configuring Multicast Filtering Creating Profile Step 1 configure Enter global configuration mode. Step 2 ip igmp profile id Create a new profile and enter profile configuration mode. Step 3 permit deny Configure the profile's filtering mode. permit is similar to a whitelist, indicating that the switch only allows specific member ports to join specific multicast groups.
  • Page 389 Configuring Layer 2 Multicast IGMP Snooping Configurations range 226.0.0.5 226.0.0.10 Switch(config)#end Switch#copy running-config startup-config Binding Profile to the Port Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 3...
  • Page 390 Configuring Layer 2 Multicast IGMP Snooping Configurations range 226.0.0.5 226.0.0.10 Binding Port(s) Gi1/0/2 Switch(config)#end Switch#copy running-config startup-config 2.2.10 Enabling IGMP Accounting and Authentication Enabling IGMP Authentication on the Port Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 3...
  • Page 391 Configuring Layer 2 Multicast IGMP Snooping Configurations Switch(config)#end Switch#copy running-config startup-config Note: IGMP Authentication takes effect only after AAA is enabled and RADIUS server is configured. Enabling IGMP Accounting Globally Step 1 configure Enter global configuration mode. Step 2 ip igmp snooping accounting Enable IGMP Accounting globally.
  • Page 392 Configuring Layer 2 Multicast Configuring MLD Snooping Configuring MLD Snooping Using the GUI 3.1.1 Configuring MLD Snooping Globally Choose the menu Multicast > MLD Snooping > Snooping Config Figure 3-1 MLD Snooping Global Config Enabling MLD Snooping Globally Before configuring functions related to MLD Snooping, enable MLD Snooping globally first. 1) Select Enable to enable MLD Snooping globally.
  • Page 393 Configuring Layer 2 Multicast Configuring MLD Snooping Follow these steps to configure unknown multicast. 1) Configure Unknown Multicast as Forward or Discard. Unknown Multicast Configure how the switch processes the multicast data sent to unknown multicast groups as Forward or Discard. Unknown multicast groups are multicast groups whose destination multicast address is not in the multicast forwarding table of the switch.
  • Page 394 Configuring Layer 2 Multicast Configuring MLD Snooping Follow these steps to configure Last Listener Query Interval and Last Listener Query Count in the Global Config section: 1) Specify the interval between MASQs. Last Listener Query Interval When the switch receives an MLD leave message, the switch obtains the address of the multicast group that the host wants to leave from the message.
  • Page 395 Configuring Layer 2 Multicast Configuring MLD Snooping Enabling MLD Snooping on the Port Follow these steps to enable or disable MLD Snooping on the port. 1) Select the port to be configured and select Enable under the MLD Snooping column. 2) Click Apply.
  • Page 396 Configuring Layer 2 Multicast Configuring MLD Snooping Configuring MLD Snooping Globally in the VLAN In the VLAN Config section, follow these steps to configure relevant parameters for the designated VLAN. 1) Set up the VLAN that the router ports and the member ports are in. For details, please refer to Configuring 802.1Q VLAN.
  • Page 397 Configuring Layer 2 Multicast Configuring MLD Snooping 3.1.4 Configuring the Multicast VLAN In old multicast transmission mode, when users in different VLANs apply for data from the same multicast group, the Layer 3 device will duplicate this multicast data and deliver copies to the Layer 2 devices.
  • Page 398 Configuring Layer 2 Multicast Configuring MLD Snooping 2) Enable Multicast VLAN, configure the specific VLAN to be the multicast VLAN, and configure the Router Port Time and Member Port Time. Multicast VLAN Select Enable to enable multicast VLAN function. VLAN ID Specify the 802.1Q VLAN to be the multicast VLAN.
  • Page 399 Configuring Layer 2 Multicast Configuring MLD Snooping (Optional) Configuring the Forbidden Router Ports Follow these steps to forbid the selected ports to be the router ports in the multicast VLAN. 1) Configure the router ports in the designate VLAN. VLAN ID Specify the VLAN to be configured.
  • Page 400 Configuring Layer 2 Multicast Configuring MLD Snooping General Query Specify the source IP address of the general query messages sent by the querier. Source IP It cannot be a multicast address or a broadcast address. 2) Click Add. 3) You can edit the settings in the MLD Snooping Querier Table. Viewing Settings of MLD Querier The MLD Snooping Querier Table displays all the related settings of the MLD querier.
  • Page 401 Configuring Layer 2 Multicast Configuring MLD Snooping Searching Profile Enter the search condition in the Search Option field to search the profile in the MLD Profile Info table. Editing IP Range of the Profile Follow these steps to edit profile mode and its IP range: 1) Click Edit in the MLD Profile Info table.
  • Page 402 Configuring Layer 2 Multicast Configuring MLD Snooping 3.1.7 Binding Profile and Member Ports With this function, you can configure each port’s filtering profile and the number of multicast groups a port can join. Choose the menu Multicast > MLD Snooping > Profile Binding to load the following page.
  • Page 403 Configuring Layer 2 Multicast Configuring MLD Snooping Max Group Enter the number of multicast groups the port can join. The valid values are from 0 to 1000. Overflow Action Select the action towards the new multicast group when the number of multicast groups the port joined exceeds max group.
  • Page 404 Configuring Layer 2 Multicast Configuring MLD Snooping Refresh Period After Auto Refresh is enabled, enter the interval between each refresh. The valid values are from 3 to 300 seconds. 2) Click Apply. Viewing MLD Statistics The MLD Statistics table displays all kinds of MLD statistics of all the ports. 3.1.9 Configuring Static Member Port This function allows you to specify a port as a static member port in the multicast group.
  • Page 405 Configuring Layer 2 Multicast Configuring MLD Snooping Forward Port Specify one or more ports to be the static member port in the multicast group. Without aging, the static member port receives all multicast data sent to this multicast group. 2) Click Create. Viewing MLD Static Multicast Groups You can search MLD static multicast entries by using Multicast IP, VLAN ID or Forward Port as the Search Option.
  • Page 406 Configuring Layer 2 Multicast Configuring MLD Snooping Step 4 show ipv6 mld snooping Show the basic MLD snooping configuration. Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable MLD Snooping globally and enable MLD Snooping Switch#configure Switch(config)#ipv6 mld snooping Switch(config)#interface gigabitEthernet 1/0/3...
  • Page 407 Configuring Layer 2 Multicast Configuring MLD Snooping Step 2 ipv6 mld snooping report-suppression Enable Report Message Suppression globally. If this function is enabled, the switch will only forward the first MLD report message to Layer 3 devices and suppress subsequent MLD report messages from the same multicast group during one query interval, which reduces the number of MLD packets.
  • Page 408 Configuring Layer 2 Multicast Configuring MLD Snooping Step 2 ipv6 mld snooping drop-unknown Configure the switch to discard multicast data from unknown multicast groups. Unknown multicast groups are multicast groups whose destination multicast address is not in the multicast forwarding table of the switch. Step 3 show ipv6 mld snooping Show the basic MLD snooping configuration.
  • Page 409 Configuring Layer 2 Multicast Configuring MLD Snooping 3.2.4 Configuring MLD Snooping Parameters on the Port Configuring Router Port Time and Member Port Time Step 1 configure Enter global configuration mode. Step 2 ipv6 mld snooping rtime rtime ipv6 mld snooping mtime mtime is the aging time of router ports, ranging from 60 to 600 seconds.
  • Page 410 Configuring Layer 2 Multicast Configuring MLD Snooping Switch#copy running-config startup-config Configuring Fast Leave Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | port-channel port-channel-id | range port-channe port-channel-list } Enter interface configuration mode Step 3 ipv6 mld snooping immediate-leave...
  • Page 411 Configuring Layer 2 Multicast Configuring MLD Snooping Configuring Max Group and Overflow Action on the Port Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | port-channel port-channel-id | range port-channe port-channel-list } Enter interface configuration mode Step 3 ipv6 mld snooping max-groups maxgroup...
  • Page 412 Configuring Layer 2 Multicast Configuring MLD Snooping Switch(config-if)#end Switch#copy running-config startup-config 3.2.5 Configuring MLD Snooping Last Listener Query Step 1 configure Enter global configuration mode. Step 2 ipv6 mld snooping last-listener query-inteval interval determines the interval between MASQs sent by the switch. The valid values are from interval 1 to 5 seconds.
  • Page 413 Configuring Layer 2 Multicast Configuring MLD Snooping Enable VLAN: Switch(config)#end Switch#copy running-config startup-config 3.2.6 Configuring MLD Snooping Parameters in the VLAN Configuring Router Port Time and Member Port Time Step 1 configure Enter global configuration mode. Step 2 ipv6 mld snooping vlan-config vlan-id-list [rtime router-time | mtime member-time ] is the aging time of the router ports in the specified VLAN, ranging from 60 to 600 router-time seconds.
  • Page 414 Configuring Layer 2 Multicast Configuring MLD Snooping Switch(config)#show ipv6 mld snooping vlan 3 Vlan Id: 3 Router Time:500 Member Time:400 Static Router Port:None Dynamic Router Port:None Forbidden Router Port:None Switch(config)#end Switch#copy running-config startup-config Configuring Static Router Port Step 1 configure Enter global configuration mode.
  • Page 415 Configuring Layer 2 Multicast Configuring MLD Snooping Dynamic Router Port:None Forbidden Router Port:None Switch(config)#end Switch#copy running-config startup-config Configuring Forbidden Router Port Step 1 configure Enter global configuration mode. Step 2 ipv6 mld snooping vlan-config vlan-id-list router-ports-forbidden interface {gigabitEthernet port-list | port-channel port-channel-id } are the ports that cannot become router ports in the specified port-list port-channel-id...
  • Page 416 Configuring Layer 2 Multicast Configuring MLD Snooping Switch#copy running-config startup-config Configuring Static Multicast (Multicast IP and Forward Port) Step 1 configure Enter global configuration mode. Step 2 ipv6 mld snooping vlan-config vlan-id-list static ip interface {gigabitEthernet port-list | port- channel port-channel-id } specifies the VLAN to be configured.
  • Page 417 Configuring Layer 2 Multicast Configuring MLD Snooping 3.2.7 Configuring MLD Snooping Parameters in the Multicast VLAN Configuring Router Port Time and Member Port Time Step 1 configure Enter global configuration mode. Step 2 ipv6 mld snooping multi-vlan-config [ vlan-id ] [rtime router-time | mtime member-time ] specifies the VLAN to be created or to be configured.
  • Page 418 Configuring Layer 2 Multicast Configuring MLD Snooping Switch#copy running-config startup-config Configuring Static Router Port Step 1 configure Enter global configuration mode. Step 2 ipv6 mld snooping multi-vlan-config [ vlan-id ] [rport interface {gigabitEthernet port-list | port-channel port-channel-id }] specifies the VLAN to be created or to be configured. vlan-id are the static router ports in the multicast VLAN.
  • Page 419 Configuring Layer 2 Multicast Configuring MLD Snooping Configuring Forbidden Router Port Step 1 configure Enter global configuration mode. Step 2 ipv6 mld snooping multi-vlan-config [ vlan-id ] router-ports-forbidden interface {gigabitEthernet port-list | port-channel port-channel-id } specifies the multicast VLAN to be configured. vlan-id are the ports that cannot become router ports in the multicast port-list...
  • Page 420 Configuring Layer 2 Multicast Configuring MLD Snooping Configuring Replace Source IP Step 1 configure Enter global configuration mode. Step 2 ipv6 mld snooping multi-vlan-config [ vlan-id ] replace-sourceip ip specifies the multicast VLAN to be configured. vlan-id specifies the new source IP. The switch will replace the source IP in the MLD multicast data sent by the multicast VLAN with the IP address you enter.
  • Page 421 Configuring Layer 2 Multicast Configuring MLD Snooping 3.2.8 Configuring the Querier Enabling MLD Querier Step 1 configure Enter global configuration mode. Step 2 ipv6 mld snooping querier vlan vlan-id specifies the VLAN to enable MLD Querier. vlan-id Step 3 show ipv6 mld snooping querier [vlan vlan-id ] Show the MLD querier configuration.
  • Page 422 Configuring Layer 2 Multicast Configuring MLD Snooping Step 2 ipv6 mld snooping querier vlan vlan-id {query-interval interval | max-response-time response-time | general-query source-ip ip-addr } specifies the VLAN where the querier is. vlan-id is the interval between general query messages sent by the querier. interval is the host’s maximum response time to general query messages in a range of 1 response-time...
  • Page 423 Configuring Layer 2 Multicast Configuring MLD Snooping 3.2.9 Configuring Multicast Filtering Creating Profile Step 1 configure Enter global configuration mode. Step 2 ipv6 mld profile id Create a new profile and enter profile configuration mode. Step 3 deny permit Configure the profile’s filtering mode. permit is similar to a whitelist, indicating that the switch only allow specific member ports to join specific multicast groups.
  • Page 424 Configuring Layer 2 Multicast Configuring MLD Snooping range ff01::1234:5 ff01::1234:8 Switch(config)#end Switch#copy running-config startup-config Binding Profile to the Port Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | port-channel port-channel-id | range port-channe port-channel-list } Enter interface configuration mode Step 3...
  • Page 425 Configuring Layer 2 Multicast Configuring MLD Snooping range ff01::1234:5 ff01::1234:8 Binding Port(s) Gi1/0/2 Switch(config)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 426 Configuring Layer 2 Multicast Viewing Multicast Snooping Configurations Viewing Multicast Snooping Configurations Using the GUI 4.1.1 Viewing IPv4 Multicast Snooping Configurations Choose the menu Multicast > Multicast Table > IPv4 Multicast Table to view all valid Multicast IP-VLAN-Port entries. Figure 4-1 IPv4 Multicast Table Search Option Search Option...
  • Page 427 Configuring Layer 2 Multicast Viewing Multicast Snooping Configurations 4.1.1 Viewing IPv6 Multicast Snooping Configurations Choose the menu Multicast > Multicast Table > IPv6 Multicast Table to view all valid Multicast IP-VLAN-Port entries. Figure 4-2 IPv6 Multicast Table 4.2 Using the CLI 4.2.1 Viewing IPv4 Multicast Snooping Configurations show ip igmp snooping Displays global settings of IGMP Snooping.
  • Page 428 Configuring Layer 2 Multicast Viewing Multicast Snooping Configurations show ip igmp snooping groups [ vlan vlan-id ] [count | dynamic | dynamic count | static | static count ] Displays information of specific multicast group in all VLANs or in the specific VLAN. count: displays the number of multicast groups.
  • Page 429 Configuring Layer 2 Multicast Viewing Multicast Snooping Configurations show ipv6 mld snooping groups [vlan vlan-id ] [count | dynamic | dynamic count | static | static count ] Displays information of specific multicast group in all VLANs or in the specific VLAN. count displays the number of multicast groups.
  • Page 430 Configuring Layer 2 Multicast Configuration Examples Configuration Examples Example for Configuring Basic IGMP Snooping 5.1.1 Network Requirements Host B, Host C and Host D are in the same VLAN of the switch. All of them want to receive multicast data sent to multicast group 225.1.1.1. As shown in the following topology, Host B, Host C and Host D are connected to port 1/0/1, port 1/0/2 and port 1/0/3 respectively.
  • Page 431 Configuring Layer 2 Multicast Configuration Examples Demonstrated with T2500G-10MPS, this section provides configuration procedures in two ways: using the GUI and using the CLI. 5.1.3 Using the GUI 1) Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page.
  • Page 432 Configuring Layer 2 Multicast Configuration Examples Figure 5-3 Enable IGMP Snooping on the Ports 3) Choose the menu VLAN > 802.1Q VLAN > Port Config to load the following page. For port 1/0/1-4, configure the link type as General and the PVID as 10. Figure 5-4 Configure Link Type and PVID 4) Choose the menu VLAN >...
  • Page 433 Configuring Layer 2 Multicast Configuration Examples Figure 5-5 Create VLAN and Add Member Ports 5) Choose the menu Multicast > IGMP Snooping > VLAN Config to load the following page. Enable IGMP Snooping in VLAN 10. Keep 0 as the Router Port Time and Member Port Time, which means the global settings will be used.
  • Page 434 Configuring Layer 2 Multicast Configuration Examples 3) Create VLAN 10. Switch(config)#vlan 10 Switch(config-vlan)#name vlan10 Switch(config-vlan)#exit 4) For port 1/0/1-3, set the link type as General, and the PVID as 10. Then add the ports to VLAN 10 as untagged ports. Switch(config)#interface range gigabitEthernet 1/0/1-3 Switch(config-if-range)#switchport mode general Switch(config-if-range)#switchport pvid 10...
  • Page 435 Configuring Layer 2 Multicast Configuration Examples vlan10 active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4 Show status of IGMP Snooping globally, on the ports and in the VLAN: Switch(config)#show ip igmp snooping IGMP Snooping :Enable Unknown Multicast :Pass Last Query Times Last Query Interval Global Member Age Time :260 Global Router Age Time...
  • Page 436 Demonstrated with T2500G-10MPS, this section provides configuration procedures in two ways: using the GUI and using the CLI. 5.2.4 Using the GUI 1) Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page.
  • Page 437 Configuring Layer 2 Multicast Configuration Examples Figure 5-8 Configure IGMP Snooping Globally 2) Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page. Enable IGMP Snooping on port 1/0/1-4. Figure 5-9 Configure IGMP Snooping Globally 3) Choose the menu VLAN > 802.1Q VLAN > Port Config to load the following page. Configure the link type of port 1/0/1-4 as General.
  • Page 438 Configuring Layer 2 Multicast Configuration Examples Figure 5-10 Configure Link Type and PVID 4) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page. Create VLAN 40 and add port 1/0/1-4 to VLAN 40 as untagged ports. Create VLAN 10, 20, and 30.
  • Page 439 Configuring Layer 2 Multicast Configuration Examples Figure 5-12 VLAN Configurations 5) Choose the menu Multicast > IGMP Snooping > Multicast VLAN to load the following page. Enable Multicast VLAN and configure VLAN 40 as the multicast VLAN. Keep Router Port Time and Member Port Time as 0. Figure 5-13 Create Multicast VLAN 6) Click Save Config to save the settings.
  • Page 440 Configuring Layer 2 Multicast Configuration Examples Switch(config-vlan)#name vlan30 Switch(config)#vlan 40 Switch(config-vlan)#name m-vlan Switch(config-vlan)#exit 4) For port 1/0/1, set the link type as General, and the PVID as 10. Add the port to VLAN 10 and VLAN 40 as untagged port. Switch(config)#interface range gigabitEthernet 1/0/1 Switch(config-if)#switchport mode general Switch(config-if)#switchport pvid 10...
  • Page 441 Configuring Layer 2 Multicast Configuration Examples 8) Enable Multicast VLAN and configure VLAN 40 as the multicast VLAN. Switch(config)#ip igmp snooping multi-vlan-config 40 9) Save the settings. Switch(config)#end Switch#copy running-config startup-config Verify the Configurations Switch(config)#show vlan brief VLAN Name Status Ports ------ -----------------...
  • Page 442 Configuring Layer 2 Multicast Configuration Examples Example for Configuring Unknown Multicast and Fast Leave 5.3.1 Network Requirement A user experiences lag when he is changing channel on his IPTV. He wants solutions to this problem. As shown in the following network topology, port 1/0/4 on the switch is connected to the upper layer network, and port 1/0/2 is connected to Host B.
  • Page 443 Configuring Layer 2 Multicast Configuration Examples Demonstrated with T2500G-10MPS, this section provides configuration procedures in two ways: using the GUI and using the CLI. 5.3.3 Using the GUI 1) Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page.
  • Page 444 Configuring Layer 2 Multicast Configuration Examples Figure 5-16 Configure IGMP Snooping Globally 3) Choose the menu Multicast > IGMP Snooping > VLAN Config to load the following page. Enable IGMP Snooping in VLAN 10. Figure 5-17 Enable IGMP Snooping in the VLAN 4) Click Save Config to save the settings.
  • Page 445 Configuring Layer 2 Multicast Configuration Examples Switch(config)#interface gigabitEthernet 1/0/4 Switch(config-if)#ip igmp snooping Switch(config-if)#exit 4) Enable IGMP Snooping in VLAN 10. Switch(config)#ip igmp snooping vlan-config 10 5) Save the settings. Switch(config)#end Switch#copy running-config startup-config Verify the Configurations Show global settings of IGMP Snooping: Switch(config)#show ip igmp snooping IGMP Snooping :Enable...
  • Page 446 Configuring Layer 2 Multicast Configuration Examples Example for Configuring Multicast Filtering 5.4.1 Network Requirements Host B, Host C and Host D are in the same subnet. Host C and Host D only receive multicast data sent from 225.0.0.1, while Host B receives all multicast data except the one sent from 225.0.0.2.
  • Page 447 Configuring Layer 2 Multicast Configuration Examples Demonstrated with T2500G-10MPS, this section provides configuration procedures in two ways: using the GUI and using the CLI. 5.4.4 Using the GUI 1) Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page.
  • Page 448 Configuring Layer 2 Multicast Configuration Examples Figure 5-20 Enable IGMP Snooping on the Port 3) Choose the menu VLAN > 802.1Q VLAN > Port Config to load the following page. For port 1/0/1-4, configure the link type as General and the PVID as 10. Figure 5-21 Configure Link Type and PVID 4) Choose the menu VLAN >...
  • Page 449 Configuring Layer 2 Multicast Configuration Examples Figure 5-22 Create VLAN and Add Member Ports 5) Choose the menu Multicast > IGMP Snooping > VLAN Config to load the following page. Enable IGMP Snooping in VLAN 10. Keep 0 as the Router Port Time and Member Port Time, which means the global settings will be used.
  • Page 450 Configuring Layer 2 Multicast Configuration Examples Figure 5-25 Edit Add IP-range in Profile 1 c. Choose the menu Multicast > IGMP Snooping > Profile Binding to load the following page. Select port 1/0/2 and port 1/0/3, enter 1 in the Profile ID field and click Apply to bind Profile 1 to these ports.
  • Page 451 Configuring Layer 2 Multicast Configuration Examples Figure 5-27 Profile 2 b. Choose the menu Multicast > IGMP Snooping > Profile Config to load the following page. In the IGMP Profile Info table, click Edit in the Profile 2 entry, enter 225.0.0.2 in both Start IP and End IP fields, and click Add.
  • Page 452 Configuring Layer 2 Multicast Configuration Examples Figure 5-29 Bind Profile 2 to Port 1/0/1 8) Click Save Config to save the settings. 5.4.5 Using the CLI 1) Enable IGMP Snooping Globally. Switch#configure Switch(config)#ip igmp snooping 2) Enable IGMP Snooping on port 1/0/1-4. Switch(config)#interface range gigabitEthernet 1/0/1-4 Switch(config-if-range)#ip igmp snooping Switch(config-if-range)#exit...
  • Page 453 Configuring Layer 2 Multicast Configuration Examples Switch(config-if-range)#exit 5) For port 1/0/4, set the link type as General, and the PVID as 10. Then add the ports to VLAN 10 as tagged ports. Switch(config)#interface gigabitEthernet 1/0/4 Switch(config-if)#switchport mode general Switch(config-if)#switchport pvid 10 Switch(config-if)#switchport general allowed vlan 10 tagged Switch(config-if)#exit 6) Enable IGMP Snooping in VLAN 10.
  • Page 454 Configuring Layer 2 Multicast Configuration Examples Switch#copy running-config startup-config Verify the Configurations Show global settings of IGMP Snooping: Switch(config)#show ip igmp snooping IGMP Snooping :Enable Unknown Multicast :Pass Last Query Times Last Query Interval Global Member Age Time :260 Global Router Age Time :300 Global Report Suppression :Disable Global Authentication Accounting: Disable...
  • Page 455 Configuring Layer 2 Multicast Appendix: Default Parameters Appendix: Default Parameters 6.1 Default Parameters for IGMP Snooping Table 6-1 Default Parameters of IGMP Snooping Function Parameter Default Setting IGMP Snooping Disabled Unknown Multicast Forward Report Message Suppression Disabled Global Settings of IGMP Snooping Router Port Time 300 seconds...
  • Page 456 Configuring Layer 2 Multicast Appendix: Default Parameters Function Parameter Default Setting Global Settings of IGMP Accounting and Authentication IGMP Accounting Disabled IGMP Authentication Disabled Default Parameters for MLD Snooping Table 6-2 Default Parameters of MLD Snooping Function...
  • Page 457 Configuring Layer 2 Multicast Appendix: Default Parameters Function Parameter Default Setting Enable or Not Disabled Query Interval 60 seconds Max Response Time 10 seconds IGMP Snooping Querier General Query Source IP FE80::02FF:FFFF:FE00:0001 Configuration Guide...
  • Page 458 Part 16 Configuring DHCP VLAN Relay CHAPTERS 1. DHCP VLAN Relay 2. DHCP VLAN Relay Configuration 3. Appendix: Default Parameters...
  • Page 459 IP addresses from the DHCP server. For T2500G-10MPS, you can set the management VLAN as the default agent interface and specify the VLANs that can use the default agent interface to get IP addresses from the DHCP server.
  • Page 460 Configuring DHCP VLAN Relay DHCP VLAN Relay Configuration DHCP VLAN Relay Configuration To complete DHCP VLAN Relay configuration, follow these steps: 1) Enable DHCP Relay and configure Option 82. 2) Specify DHCP server for the VLAN. 2.1 Using the GUI 2.1.1 Enabling DHCP Relay and Configuring Option 82 Choose the menu DHCP >...
  • Page 461 Configuring DHCP VLAN Relay DHCP VLAN Relay Configuration Existed Option Select the operation for the Option 82 field of the DHCP request packets. 82 field Keep: Indicates keeping the Option 82 field of the packets. Replace: Indicates replacing the Option 82 field of the packets with the switch defined one.
  • Page 462 Configuring DHCP VLAN Relay DHCP VLAN Relay Configuration Interface ID Specify the interface ID as the management VLAN. IP Address Displays the IP address of the management VLAN. 2) In the Add DHCP Server Address section, specify the VLAN in which the clients needs IP addresses and the server address.
  • Page 463 Configuring DHCP VLAN Relay DHCP VLAN Relay Configuration 2.2.2 (Optional) Configuring Option 82 Follow these steps to configure Option 82: Step 1 configure Enter global configuration mode. Step 2 ip dhcp relay information Enable the Option 82 feature. Step 3 ip dhcp relay information policy { keep | replace | drop } Configure how to process Option 82 information.
  • Page 464 Configuring DHCP VLAN Relay DHCP VLAN Relay Configuration Switch(config)#show ip dhcp relay ..DHCP relay option 82 is enabled. Existed option 82 field operation: keep..Switch(config)#end Switch#copy running-config startup-config 2.2.3 Specifying DHCP Server for VLAN You can specify DHCP server for a VLAN. The following respectively introduces how to configure DHCP VLAN Relay.
  • Page 465 Configuring DHCP VLAN Relay DHCP VLAN Relay Configuration The following example shows how to set interface VLAN 1 (the management VLAN) as the default relay agent interface and configure the DHCP server address as 192.168.1.8 on VLAN 10: Switch#configure Switch(config)#interface vlan 1 Switch(config-if)# ip dhcp relay default-interface Switch(config-if)#exit Switch(config)#ip dhcp relay vlan 10 helper-address 192.168.1.8...
  • Page 466 Configuring DHCP VLAN Relay Appendix: Default Parameters Appendix: Default Parameters Default settings of DHCP Relay are listed in the following table. Table 3-1 Default Settings of DHCP Relay Parameter Default Setting DHCP Relay DHCP Relay Disable Option 82 Support Disable Existed Option 82 field Keep Customization...
  • Page 467 Part 17 Configuring QoS CHAPTERS 1. QoS 2. DiffServ Configuration 3. Bandwidth Control Configuration 4. Configuration Examples 5. Appendix: Default Parameters...
  • Page 468 Configuring QoS 1.1 Overview With network scale expanding and applications developing, Internet traffic is dramatically increased, thus resulting in network congestion, packet drops and long transmission delay. Typically, networks treat all traffic equally on FIFO (First In First Out) delivery basis, but nowadays many special applications like VoD, video conferences, etc.
  • Page 469 Configuring QoS DiffServ Configuration DiffServ Configuration To complete differentiated services configuration, follow these steps: 1) Configure the priority mode to classify packets with different priorities. 2) Configure the schedule mode to control the forwarding sequence of packets. Configuration Guidelines: Deploy the priority mode appropriate to your network requirements. Three modes are supported on the switch: 802.1P Priority, DSCP Priority and Port Priority.
  • Page 470 Configuring QoS DiffServ Configuration 2.1 Using the GUI 2.1.1 Configuring Priority Mode The three priority modes are described in turn in this section. Configuring 802.1P Priority Choose the menu QoS > DiffServ > 802.1P Priority to load the following page. Figure 2-1 802.1P/CoS Mapping Follow these steps to configure the 802.1P Priority: 1) Configure the Tag-id/CoS-id-TC mapping relations.
  • Page 471 Configuring QoS DiffServ Configuration Configuring DSCP Priority Choose the menu QoS > DiffServ > DSCP Priority to load the following page. Figure 2-2 DSCP Mapping Follow these steps to configure the DSCP priority: 1) Enable DSCP Priority and click Apply. DSCP Priority is disabled by default. 2) Configure the DSCP-TC mapping relations.
  • Page 472 Configuring QoS DiffServ Configuration Configuring Port Priority Choose the menu QoS > DiffServ > Port Priority to load the following page. Figure 2-3 Port Priority Follow these steps to configure the port priority: 1) Select the desired port or LAG to set its priority. Priority Specify the TC queue that the port will be mapped to.
  • Page 473 Configuring QoS DiffServ Configuration Figure 2-4 Schedule Mode Follow these steps to configure the schedule mode: 1) Select a schedule mode. SP-Mode Strict-Priority Mode. In this mode, the queue with higher priority will occupy the whole bandwidth. Packets in the queue with lower priority are sent only when the queue with higher priority is empty.
  • Page 474 Configuring QoS DiffServ Configuration Queue Weight Configure the weight value of the each TC queue. In WRR mode, the 8 queues will take up the bandwidth according to their ratio. The default values of TC0, TC1, TC2, TC3, TC4, TC5,TC6 and TC7 are 1, 2, 4, 8, 16, 32, 64 and 127 respectively.
  • Page 475 Configuring QoS DiffServ Configuration Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to map CoS2 to TC0, and keep other CoS-id-TC as default: Switch#configure Switch(config)#qos queue cos-map 2 0 Switch(config)#show qos status 802.1p priority is enabled.
  • Page 476 Configuring QoS DiffServ Configuration Step 4 show qos status Verify that DSCP priority is enabled. show qos dscp-map Verify the DSCP-TC mapping relations. Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to map DSCP values 10-14 to TC1, and keep other mapping relations as default: Switch#configure...
  • Page 477 Configuring QoS DiffServ Configuration Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list } Enter interface configuration mode. Step 3 qos tc-id Configure the TC queue of the port. tc-id: Configure the TC queue. The valid values are from 0 to 7. Step 4 show qos interface [fastEthernet port-list | gigabitEthernet port-list ] [port-channel lagid-list ] Verify the TC queue of the port.
  • Page 478 Configuring QoS DiffServ Configuration 2.2.2 Configuring Schedule Mode Follow these steps to configure the schedule mode to control the forwarding sequence of different TC queues when congestion occurs. Step 1 configure Enter global configuration mode. Step 2 qos queue mode {sp | wrr | spwrr | equ} Configure the schedule mode of TC queues.
  • Page 479 Configuring QoS DiffServ Configuration Step 6 copy running-config startup-config Save the settings in the configuration file. Note: With ACL Redirect feature, the switch maps all the packets that meet the configured ACL rules to the new TC queue, regardless of the mapping relations configured in this section. The following example shows how to configure the schedule mode as WRR, with the weight values of TC0 to TC7 as 4, 7, 10, 13,16,19,22,25: Switch#configure...
  • Page 480 Configuring QoS Bandwidth Control Configuration Bandwidth Control Configuration To implement bandwidth control, you can: Limit the ingress/egress traffic rate on each port by configuring the Rate Limit function; Limit the broadcast, multicast and UL frame forwarding rate on each port to avoid network broadcast storm by configuring the Storm Control function.
  • Page 481 Configuring QoS Bandwidth Control Configuration 2) Click Apply. 3.1.2 Configuring Storm Control Choose the menu QoS > Bandwidth Control > Storm Control to load the following page. Figure 3-2 Storm Control Follow these steps to configure the Storm Control function: 1) Select the port(s) and configure the upper rate limit for forwarding broadcast packets, multicast packets and UL frames.
  • Page 482 Configuring QoS Bandwidth Control Configuration Multicast Rate To enable the multicast rate control, select a multicast rate mode and specify the Mode / Multicast upper rate limit for receiving broadcast packets in the Multicast field. The packet traffic exceeding the rate will be discarded. The switch supports the following three rate modes: kbps: Specify the upper rate limit in kilo-bits per second, which ranges from 1 to 1000000 kbps.
  • Page 483 Configuring QoS Bandwidth Control Configuration Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list } Enter interface configuration mode. Step 3 bandwidth {[ingress ingress-rate ] [egress egress-rate ]} Configure the upper rate limit for the port to receive and send packets. Configure the upper rate limit for receiving packets on the port.
  • Page 484 Configuring QoS Bandwidth Control Configuration Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list } Enter interface configuration mode. Step 3 storm-control {broadcast | multicast | unicast} {kbps | ratio} rate broadcast | multicast | unicast: Enable broadcast packets rate limit, multicast packets rate limit or unknown unicast frames rate limit on the port.
  • Page 485 Configuring QoS Configuration Examples Configuration Examples Example for Configuring SP Mode 4.1.1 Network Requirements Two hosts, Admin and Host A, can access the local network server through the switch. Configure the switch to ensure the traffic from the Admin can be treated preferentially when congestion occurs.
  • Page 486 Configuring QoS Configuration Examples 1) Choose QoS > DiffServ > Port Priority to load the following page, and set the priority for port 1/0/1 to TC1 and priority for port 1/0/2 to TC0. Figure 4-2 Configure Port Priority 2) Choose QoS > DiffServ > Schedule Mode to load the following page, and select SP-Mode as the schedule mode.
  • Page 487 Configuring QoS Configuration Examples Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#qos 1 Switch(config-if)#exit Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#qos 0 Switch(config-if)#exit 2) Select SP-Mode as the schedule mode and save the settings. Switch(config)#qos queue mode sp Switch(config)#exit Switch#copy running-config startup-config Verify the configuration Verify the port-TC mapping: Switch(config)#show qos interface Port TC Value...
  • Page 488 Configuring QoS Configuration Examples The network topology is shown as the following figure. Switch A is an access layer switch, and Switch B is a layer 3 switch with ACL Redirect feature. RD department is connected to port 1/0/1 of Switch A. Marketing Department is connected to port 1/0/2 of Switch A, the server is connected to port 1/0/2 of Switch B and port 1/0/3 of Switch A is connected to port 1/0/1 of Switch B.
  • Page 489 Configuring QoS Configuration Examples Configurations for Switch A 1) Choose VLAN > 802.1Q VLAN > Port Config, change the type of port 1/0/1-3 to General. Figure 4-5 Configure the Port 2) Choose VLAN > 802.1Q VLAN > VLAN Config, and click Create to load the following page.
  • Page 490 Configuring QoS Configuration Examples Figure 4-6 Configure VLAN 10 3) Click Create again to load the following page. Create VLAN 20 with the description of Marketing. Add port 1/0/2 as an untagged port and port 1/0/3 as a tagged port to VLAN 20.
  • Page 491 Configuring QoS Configuration Examples Figure 4-7 Configure VLAN 20 4) Click Save Config to save the settings. Configurations for Switch B 1) Choose VLAN > 802.1Q VLAN > Port Config to load the following page. For port 1/0/1, set the Link Type as TRUNK, and for port 1/0/2, set the Link Type as ACCESS. Click Apply.
  • Page 492 Configuring QoS Configuration Examples Figure 4-8 Configure the Port 2) Choose VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page. Create VLAN 10 and VLAN 20, and add port 1/0/1 to the two VLANs; create VLAN 30, and add port 1/0/2 to VLAN 30.
  • Page 493 Configuring QoS Configuration Examples Figure 4-10 Configure VLAN 20 Figure 4-11 Configure VLAN30 Configuration Guide...
  • Page 494 Configuring QoS Configuration Examples 3) Create MAC ACL 10 with its Rule ID as 1 and Operation as Permit. Choose ACL> ACL Config > ACL Create to load the following page. Create ACL 10, and click Apply. Figure 4-12 Create MAC ACL 10 Choose ACL>...
  • Page 495 Configuring QoS Configuration Examples Figure 4-15 Action Create 5) Create Policy Marketing and bind it to ACL 10, select QoS Remark and set Local Priority to TC0. Choose ACL > Policy Config > Policy Create to load the following page. Create a policy with the Policy Name Marketing and click Apply.
  • Page 496 Configuring QoS Configuration Examples Figure 4-17 Action Create 6) Choose ACL > Policy Binding > VLAN Binding. Bind Policy RD and Policy Marketing to VLAN10 and VLAN 20 respectively. Figure 4-18 Bind Policy RD to VLAN 10 Figure 4-19 Bind Policy Marketing to VLAN 20
  • Page 497 Configuring QoS Configuration Examples 7) Choose QoS > DiffServ > Schedule Mode. Select WRR-Mode as the schedule mode, and click Apply. No configuration is required here because queues based on ACL rules have higher priority. Figure 4-20 Configure Schedule Mode 8) Click Save Config to save the settings. 4.2.4 Using the CLI Note: Before configuration, ensure network segments are reachable to each other.
  • Page 498 Configuring QoS Configuration Examples Switch_A(config-vlan)#exit Switch_A(config)#interface gigabitEthernet 1/0/2 Switch_A(config-if)#switchport general allowed vlan 20 untagged Switch_A(config-vlan)#exit Switch_A(config)#interface gigabitEthernet 1/0/3 Switch_A(config-if)#switchport general allowed vlan 10,20 tagged Switch_A(config-if)#end Switch_A#copy running-config startup-config Configurations for Switch B (Demonstrated with T3700G-28TQ) 1) Create VLAN 10 and VLAN 20. Configure the Link Type of port 1/0/1 as Trunk, and add it to the two VLANs.
  • Page 499 Configuring QoS Configuration Examples 3) Create MAC ACL 10 with its Rule ID as 1 and Operation as Permit. Switch_B(config)#mac access-list 10 Switch_B(config-mac-acl)#rule 1 permit Switch_B(config-mac-acl)#exit 4) Create Policy RD and bind it to ACL 10, enable QoS Remark and set Local Priority to TC1.
  • Page 500 Configuring QoS Configuration Examples Verify the configuration  Switch A: Verify the VLAN members. Switch_B#show vlan VLAN Name Status Ports ------ ---------------- ------- ------------------------------------- System-VLAN active Gi1/0/3, Gi1/0/4, Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8, Gi1/0/9, Gi1/0/10, Gi1/0/49, Gi1/0/50, Gi1/0/51, Gi1/0/52 active Gi1/0/1, Gi1/0/3 Marketing active Gi1/0/2, Gi1/0/3...
  • Page 501 Configuring QoS Configuration Examples Verify the schedule mode. Switch_B#show qos queue mode ----------------------+---------- Scheduler Mode | WRR ----------------------+----------
  • Page 502 Configuring QoS Appendix: Default Parameters Appendix: Default Parameters  DiffServ Table 5-1 DiffServ Parameter Default Setting Port Priority Enabled. Packets from all ports are mapped to the same TC queue. Enabled. See Table 5-3 for Tag-id/CoS-id-TC mapping relations. 802.1P Priority Disabled.
  • Page 503 Configuring QoS Appendix: Default Parameters Bandwidth Control Table 5-4 Bandwidth Control (Parameter: Default Setting): Rate Limit: Disabled; Storm Control: Disabled
  • Page 504 Part 18 Configuring Voice VLAN CHAPTERS 1. Overview 2. Voice VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 505 Configuring Voice VLAN Overview Overview The voice VLAN feature is used to prioritize the transmission of voice traffic. Voice traffic is typically more time-sensitive than data traffic, and the voice quality can deteriorate a lot because of packet loss and delay. To ensure the high voice quality, you can configure the voice VLAN and set priority for voice traffic.
  • Page 506 Configuring Voice VLAN Overview OUI Address (Organizationally Unique Identifier Address): The OUI address is used by the switch to determine whether a packet is a voice packet. An OUI address is the first 24 bits of a MAC address, and is assigned as a unique identifier by IEEE (Institute of Electrical and Electronics Engineers) to a device vendor.
  • Page 507 Configuring Voice VLAN Voice VLAN Configuration Voice VLAN Configuration To complete the Voice VLAN configuration, follow these steps: 1) Create a VLAN. 2) Configure OUI addresses. 3) Configure Voice VLAN globally. 4) Configure Voice VLAN mode on ports. Configuration Guidelines: Before configuring voice VLAN, you need to create a VLAN for voice traffic.
  • Page 508 Configuring Voice VLAN Voice VLAN Configuration 2.1 Using the GUI 2.1.1 Configuring OUI Addresses If the OUI address of your voice device is not in the OUI table, you need to add the OUI address to the table. Choose the menu QoS > Voice VLAN > OUI Config to load the following page. Figure 2-1 Configuring OUI Addresses Follow these steps to add OUI addresses: 1) Enter an OUI address and the corresponding mask, and give a description about the...
  • Page 509 Configuring Voice VLAN Voice VLAN Configuration 2.1.2 Configuring Voice VLAN Globally Choose the menu QoS > Voice VLAN > Global Config to load the following page. Figure 2-2 Configuring Voice VLAN Globally Follow these steps to configure the voice VLAN globally: 1) Enable the voice VLAN feature, and enter a VLAN ID.
  • Page 510 Configuring Voice VLAN Voice VLAN Configuration 2.1.3 Configuring Voice VLAN Mode on Ports Choose the menu QoS > Voice VLAN > Port Config to load the following page. Figure 2-3 Configuring Voice VLAN Mode on Ports Follow these steps to configure voice VLAN mode on ports: 1) Select your desired ports and choose the port mode.
  • Page 511 Configuring Voice VLAN Voice VLAN Configuration Security Mode: For packets that will be forwarded in the voice VLAN, you can configure the security mode to block malicious traffic carrying a faked voice VLAN tag. For packets to other VLANs, how the switch processes the packets is determined by whether the selected ports permit the VLAN or not, independent of voice VLAN security mode.
  • Page 512 Configuring Voice VLAN Voice VLAN Configuration Step 5 voice vlan aging time Set the aging time for ports in automatic voice VLAN mode. time: Specify the length of time that a port remains in the voice VLAN after the port receives a voice packet.
  • Page 513 Configuring Voice VLAN Voice VLAN Configuration Step 13 Return to privileged EXEC mode. Step 14 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set port 1/0/1 in manual voice VLAN mode. Configure the switch to forward voice traffic with an IEEE 802.1p priority of 5 and to transmit only voice traffic whose source MAC address matches an OUI address in the voice VLAN: Switch#configure...
  • Page 514 Configuring Voice VLAN Configuration Example Configuration Example 3.1 Network Requirements The company plans to install IP phones in the office area and the meeting room, and has requirements as follows: In the office area, IP phones share switch ports used by computers, because no more ports are available for IP phones.
  • Page 515 [Figure: network topology with Switch A, IP Phone 10, PC 10, IP Phone 20, IP Phone 30 and PC 20 across the Office Area and the Meeting Room] Demonstrated with T2500G-10MPS, this chapter provides configuration procedures in two ways: using the GUI and using the CLI.
  • Page 516 Configuring Voice VLAN Configuration Example 3.4 Using the GUI  Configurations for Switch A 1) Choose the menu VLAN > 802.1Q VLAN > Port Config to load the following page. Set the link type of port1/0/1-2 as General, and click Apply. Figure 3-2 Configuring the Link Type of port 1/0/1-2 2) Choose the menu VLAN >...
  • Page 517 Configuring Voice VLAN Configuration Example Figure 3-3 Creating a VLAN 3) Choose the menu QoS > Voice VLAN > Global Config to load the following page. Enable voice VLAN, enter 10 in the VLAN ID field and set aging time as 1440 minutes and priority as 6.
  • Page 518 Configuring Voice VLAN Configuration Example Figure 3-5 Configuring Voice VLAN Mode on Port 1/0/1 Figure 3-6 Configuring Voice VLAN Mode on Port 1/0/2 5) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and edit VLAN 10 to load the following page. Add port 1/0/2 to the voice VLAN.
  • Page 519 Configuring Voice VLAN Configuration Example Figure 3-7 Adding Port 1/0/2 to the Voice VLAN 6) Choose the menu LLDP > Basic Config > Global Config to load the following page. Enable LLDP globally. Figure 3-8 Enabling LLDP Globally 7) Choose the menu LLDP > LLDP-MED > Global Config to load the following page. Set fast start count as 4.
  • Page 520 Configuring Voice VLAN Configuration Example 8) Choose the menu LLDP > LLDP-MED > Port Config to load the following page. Enable LLDP-MED on port 1/0/1. Figure 3-10 Configuring LLDP-MED on Ports Click Detail of port 1/0/1 to load the following page. Configure the TLV information which will be carried in LLDP-MED frames and sent out by port 1/0/1.
  • Page 521 Configuring Voice VLAN Configuration Example Figure 3-11 Configuring TLVs For details about LLDP-MED, please refer to Configuring LLDP. 9) Click Save Config to save the settings. Configurations for Switch B 1) Choose the menu VLAN > 802.1Q VLAN > Port Config to load the following page. Configure the link type of ports 1/0/1-3 as General.
  • Page 522 Configuring Voice VLAN Configuration Example Figure 3-12 Configuring the Link Type of port 1/0/1-3 2) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page. Create VLAN 10. Figure 3-13 Creating a VLAN 3) Choose the menu QoS > Voice VLAN > Global Config to load the following page. Enable voice VLAN, enter 10 in the VLAN ID field and set priority as 6.
  • Page 523 Configuring Voice VLAN Configuration Example Figure 3-14 Configuring Voice VLAN Globally 4) Choose the menu QoS > Voice VLAN > Port Config to load the following page. Select ports 1/0/1-3, choose manual mode and enable security mode. Click Apply. Figure 3-15 Configuring Voice VLAN Mode on Ports 5) Choose the menu VLAN >...
  • Page 524 Configuring Voice VLAN Configuration Example Figure 3-16 Adding Ports to the Voice VLAN 6) Click Save Config to save the settings. Configurations for Switch C 1) Choose the menu VLAN > 802.1Q VLAN > Port Config to load the following page. Configure the link type of ports 1/0/1-3 as General.
  • Page 525 Configuring Voice VLAN Configuration Example Figure 3-17 Configuring the Link Type of port 1/0/1-3 2) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page. Create VLAN 10 and add ports 1/0/1-3 as tagged ports to the VLAN. Click Apply.
  • Page 526 Configuring Voice VLAN Configuration Example 3.5 Using the CLI Configurations for Switch A 1) Configure the link type of ports 1/0/1-2 as General. Switch_A#configure Switch_A(config)#interface range gigabitEthernet 1/0/1-2 Switch_A(config-if-range)#switchport mode general Switch_A(config-if-range)#exit 2) Create VLAN 10. Switch_A(config)#vlan 10 Switch_A(config-vlan)#name VoiceVLAN Switch_A(config-vlan)#exit 3) Configure the aging time as 1440 minutes for ports in automatic voice VLAN mode, and set the 802.1p priority of voice packets as 6.
  • Page 527 Configuring Voice VLAN Configuration Example Switch_A(config)#interface gigabitEthernet 1/0/1 Switch_A(config-if)#lldp med-status 8) Select all MED TLVs to be carried in LLDP frames and sent out by port 1/0/1. Switch_A(config-if)#lldp med-tlv-select all 9) Configure the location identification parameters for the IP phone on port 1/0/1. For details about LLDP-MED, please refer to Configuring LLDP.
  • Page 528 Configuring Voice VLAN Configuration Example Switch_B(config)#interface gigabitEthernet 1/0/3 Switch_B(config-if)#switchport mode general Switch_B(config-if)#switchport general allowed vlan 10 tagged Switch_B(config-if)#end Switch_B#copy running-config startup-config Configurations for Switch C 1) Create VLAN 10. Switch_C#configure Switch_C(config)#vlan 10 Switch_C(config-vlan)#name VoiceVLAN Switch_C(config-vlan)#exit 2) For ports 1/0/1-3, set the link type as General and the egress rule as Tagged, and add them to the Voice VLAN.
  • Page 529 Configuring Voice VLAN Configuration Example ------ ------------ ---------- ---------- ------ Gi1/0/1 Auto Enabled Inactive Gi1/0/2 Manual Disabled Active Gi1/0/3 Auto Disabled Inactive .. Switch B Verify the global configuration of voice VLAN: Switch_B#show voice vlan Voice VLAN status: Enabled VLAN ID: 10 Aging Time: 1440 Voice Priority: 6...
  • Page 530 Configuring Voice VLAN Appendix: Default Parameters Appendix: Default Parameters Default settings of voice VLAN are listed in the following tables. Table 4-1 Default Settings of Global Configuration Parameter Default Setting Voice VLAN Disable VLAN ID None Aging Time 1440 minutes Priority Table 4-2 Default Settings of Port Configuration...
  • Page 531 Part 19 Configuring PoE CHAPTERS 1. PoE 2. PoE Power Management Configurations 3. Time-Range Function Configurations 4. Example for PoE Configurations 5. Appendix: Default Parameters...
  • Page 532 Powered device (PD) is a device receiving power from the PSE, for example, IP phones and access points. According to whether PDs comply with IEEE standard, they can be classified into standard PDs and non-standard PDs. Only standard PDs can be powered via TP-Link PoE switches.
  • Page 533 Configuring PoE PoE Power Management Configurations PoE Power Management Configurations With PoE Power Management, you can: configure the PoE parameters manually; configure the PoE parameters using the profile. You can configure the PoE parameters one by one via configuring the PoE parameters manually.
  • Page 534 Configuring PoE PoE Power Management Configurations 2) In the Port Config section, select the port you want to configure and specify the parameters. Click Apply. PoE Status: Enable or disable the PoE function for the corresponding port. The port can supply power to the PD when its status is enabled.
  • Page 535 Configuring PoE PoE Power Management Configurations 2.1.2 Configuring the PoE Parameters Using the Profile Creating a PoE Profile Choose the menu PoE > PoE Config > PoE Profile to load the following page. Figure 2-2 Create a PoE Profile Follow these steps to create a PoE profile: 1) In the Create PoE Profile section, specify the desired configurations of the profile.
  • Page 536 Configuring PoE PoE Power Management Configurations Binding the Profile to the Corresponding Ports Choose the menu PoE > PoE Config > PoE Config to load the following page. Figure 2-3 Bind the Profile to the Corresponding Ports Follow these steps to bind the profile to the corresponding ports: 1) In the Global Config section, specify the System Power Limit and click Apply.
  • Page 537 Configuring PoE PoE Power Management Configurations Power Status Displays the port’s real-time power status. Using the CLI 2.2.1 Configuring the PoE Parameters Manually Follow these steps to configure the basic PoE parameters: Step 1 configure Enter global configuration mode. Step 2 power inline consumption power-limit Specify the maximum power the PoE switch can supply globally.
  • Page 538 Configuring PoE PoE Power Management Configurations Step 8 show power inline configuration interface [ fastEthernet { port | port-list } | gigabitEthernet { port | port-list }] Verify the PoE configuration of the corresponding port. port: Specify the Ethernet port number, for example 1/0/1. port-list: Specify the list of Ethernet ports, in the format of 1/0/1-3, 1/0/5.
  • Page 539 Configuring PoE PoE Power Management Configurations Switch(config-if)#show power inline information interface gigabitEthernet 1/0/5 Interface Power(w) Current(mA) Voltage(v) PD-Class Power-Status ---------- -------- ----------- ---------- ----------- ---------------- Gi1/0/5 1.3 53.5 Class 2 Switch(config-if)#end Switch#copy running-config startup-config 2.2.2 Configuring the PoE Parameters Using the Profile Follow these steps to configure the PoE profile: Step 1 configure...
  • Page 540 Configuring PoE PoE Power Management Configurations Step 5 show power profile Verify the defined PoE profile. Step 6 Return to privileged EXEC mode. Step 7 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create a profile named profile1 and bind the profile to port 1/0/6.
  • Page 541 Configuring PoE Time-Range Function Configurations Time-Range Function Configurations With Time-Range configurations, you can: create a time-range; configure the holiday parameters; view the time-range table. The time range here relies on the switch system clock; therefore, you need a reliable clock source.
  • Page 542 Configuring PoE Time-Range Function Configurations Holiday Select to Include or Exclude the holiday in a time-range. If Exclude is selected, the time-range will not take effect on holiday and the PoE Status is disabled. Otherwise, the time-range will not be affected by holiday. 2) In the Add Absolute or Periodic section, specify the parameters and click Add.
  • Page 543 Configuring PoE Time-Range Function Configurations 3.1.2 Configuring the Holiday Parameters Choose the menu PoE > Time-Range > Holiday Config to load the following page. Figure 3-4 Configuring the Holiday Parameters Follow these steps to configure the holiday parameters: 1) In the Create Holiday section, enter a name of the holiday and specify the time. Holiday Name Specify a name for the holiday time.
  • Page 544 Configuring PoE Time-Range Function Configurations 3.2 Using the CLI 3.2.1 Configuring a Time-Range Follow these steps to create a time-range: Step 1 configure Enter global configuration mode. Step 2 power time-range name Create a time-range for the switch and enter Power Time-range Configuration Mode. : Specify a name for the PoE time-range.
  • Page 545 Configuring PoE Time-Range Function Configurations Step 6 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list } Enter Interface Configuration mode. port: Specify the Ethernet port number, for example 1/0/1. port-list: Specify the list of Ethernet ports, for example 1/0/1-3, 1/0/5. Step 7 power inline time-range name...
  • Page 546 Configuring PoE Time-Range Function Configurations Switch(config)#interface gigabitEthernet 1/0/7 Switch(config-if)#power inline time-range time-range1 Switch(config-if)#end Switch#copy running-config startup-config 3.2.2 Configuring the Holiday Parameters Follow these steps to configure the holiday parameters: Step 1 configure Enter global configuration mode. Step 2 power holiday name start-date start-date end-date end-date Create a time range for the holiday.
  • Page 547 Configuring PoE Time-Range Function Configurations 3.2.3 Viewing the Time-Range Table In privileged EXEC mode or any other configuration mode, you can use the following command to view the time-range table: show power time-range [ name ] Verify the defined PoE time-range. name: Specify the name of the desired time-range.
  • Page 548 Configuring PoE Example for PoE Configurations Example for PoE Configurations 4.1 Network Requirements The network topology of a company is shown below. Camera1 and Camera2 work for the security of the company and cannot be powered off at any time. AP1 and AP2 provide Internet service and only work in the daytime.
  • Page 549 Configuring PoE Example for PoE Configurations Figure 4-2 Create a Time-Range 2) Choose the menu PoE > Time-Range > Holiday Config to load the following page. Specify a name for the holiday and set the starting date and ending date. Figure 4-3 ...
  • Page 550 Configuring PoE Example for PoE Configurations Figure 4-4 Configure the Port 4.4 Using the CLI The configuration of port 1/0/4 is similar to that of port 1/0/3, so port 1/0/3 is used as the example here. 1) Create a time-range. Switch_A#config Switch_A(config)#power time-range "office time"...
  • Page 551 Configuring PoE Example for PoE Configurations Index Holiday Name Start-End ----- ------------ --------- Christmas 12.22-12.31 Verify the configuration of the time-range: Switch_A#show power time-range Time-range entry: office time (Active) holiday: exclude number of absolute time: 0 (01/01/2000-00:00 to 12/31/2099-24:00 by default) number of periodic time: 1 1 - 08:30 to 23:00 on 1,2,3,4,5 Verify the configuration of the PoE basic parameters:...
  • Page 552 Configuring PoE Appendix: Default Parameters Appendix: Default Parameters Table 5-1 Default Settings of PoE Configuration Parameter Default Setting System Power Limit 116.0W PoE Status Enable PoE Priority Power Limit (0.1w-30.0w) Class 4 Time Range No Limit PoE Profile None Table 5-2 Default Settings of PoE Profile Parameter Default Setting...
  • Page 553 Part 20 Configuring ACL CHAPTERS 1. Overview 2. ACL Configuration 3. Configuration Example for ACL 4. Appendix: Default Parameters...
  • Page 554 Configuring ACL Overview Overview 1.1 Introduction The rapid growth of network size and traffic brings challenges to network security and bandwidth allocation. Packet filtering can help prevent unauthorized access behaviors, limit network traffic and improve bandwidth use. ACL (Access Control List) filters traffic as it passes through a switch, and permits or denies packets crossing specified interfaces or VLANs.
  • Page 555 Configuring ACL ACL Configuration ACL Configuration To configure ACL Binding, follow these steps: 1) Configure a time-range during which the ACL is in effect. 2) Create a Policy and configure the policy action for packets that match the ACL rule. 3) Bind the ACL to a port or VLAN to make it effective.
  • Page 556 Configuring ACL ACL Configuration 2.1 Using the GUI 2.1.1 Configuring Time-Range Some ACL-based services or features may need to be limited to take effect only during a specified time period. In this case, you can configure time-range for the ACL. Choose the menu ACL >...
  • Page 557 Configuring ACL ACL Configuration 2.1.2 (Optional) Configuring Holiday In Holiday mode, you need to configure specific dates for the holidays. Choose the menu ACL > Time-Range > Holiday Create to load the following page. Figure 2-2 Configuring the Holiday Follow these steps to configure the holiday: 1) In the Create Holiday section, configure the start and end date, and assign a name to the holiday.
  • Page 558 Configuring ACL ACL Configuration Choose the menu ACL > ACL Config > ACL Create to load the following page. Figure 2-3 Creating an ACL Follow these steps to create an ACL: 1) In the ACL Create section, assign a name to the ACL. ACL ID: Enter a number to identify the ACL. 2) Click Apply to make the settings effective.
  • Page 559 Configuring ACL ACL Configuration Follow these steps to create the MAC ACL: 1) Select an MAC ACL ID from the drop-down list, enter a Rule ID, then specify the operation for the matched packets. ACL ID Select an MAC ACL from the drop-down list. Rule ID Enter an ID number to identify the rule.
  • Page 560 Configuring ACL ACL Configuration 1) Select a Standard-IP ACL ID from the drop-down list, enter a Rule ID, then specify the operation for the matched packets. ACL ID: Select a Standard-IP ACL from the drop-down list. Rule ID: Enter an ID number to identify the rule. It should not be the same as any existing Standard-IP ACL Rule IDs.
  • Page 561 Configuring ACL ACL Configuration 1) Select an Extend-IP ACL ID from the drop-down list, enter a Rule ID, then specify the operation for the matched packets. ACL ID: Select an Extend-IP ACL from the drop-down list. Rule ID: Enter an ID number to identify the rule. It should not be the same as any existing Extend-IP ACL Rule IDs.
  • Page 562 Configuring ACL ACL Configuration View the Rule Table The rules in an ACL are listed in ascending order of configuration time, regardless of their rule IDs. By default, a rule configured earlier is listed before a rule configured later. The switch matches a received packet with the rules in order. When a packet matches a rule, the device stops the match process and performs the action defined in the rule.
  • Page 563 Configuring ACL ACL Configuration Configuring the Action of the Policy Apply an ACL to the policy and specify the action to be taken for the matched packets. Choose the menu ACL > Policy Config > Action Create to load the following page. Figure 2-9 Configuring the Action of the Policy Follow these steps to configure the action of the policy: 1) Select your preferred policy and ACL.
  • Page 564 Configuring ACL ACL Configuration QoS Remark: Configure QoS action for the matched packets. 802.1P Priority: Specify the 802.1p priority for the matched packets. DSCP: Specify the DSCP region for the matched packets. Local Priority: Specify the local priority for the matched packets. 3) Click Apply to make the settings effective.
  • Page 565 Configuring ACL ACL Configuration Binding the ACL to a VLAN Choose the menu ACL > ACL Binding > VLAN Binding to load the following page. Figure 2-11 Binding the ACL to a VLAN Follow these steps to bind the ACL to a VLAN: Select the ACL and enter the VLAN ID, and click Apply.
  • Page 566 Configuring ACL ACL Configuration Configuring the Policy Binding You can bind the policy to a port or a VLAN. The received packets will then be matched and processed according to this policy. Binding the Policy to a Port Figure 2-12 Binding the policy to a Port Follow these steps to bind the policy to a Port: Select the policy and the port to be bound, and click Apply.
  • Page 567 Configuring ACL ACL Configuration Follow these steps to bind the policy to a VLAN: Select the ACL and enter the VLAN ID, and click Apply. ACL ID Select an ACL from the drop-down list. Note: Packet Content ACLs cannot be bound to any VLANs. VLAN ID Enter the VLAN ID.
  • Page 568 Configuring ACL ACL Configuration Choose the menu ACL > Policy Binding > Binding Table to load the following page. Figure 2-15 Verifying the Policy Binding 2.2 Using the CLI 2.2.1 Configuring Time Range Some services or features that use ACL need to be limited to a specified time period. In this case, you can configure time-range for the ACL.
  • Page 569 Configuring ACL ACL Configuration Step 3 absolute start start-date end end-date (Optional) Configure time-range in Absolute mode. In this mode, the rule takes effect only during a specified period of time. Specify the start date in MM/DD/YYYY format. The default is 01/01/2000. start-date: Specify the start date in MM/DD/YYYY format.
  • Page 570 Configuring ACL ACL Configuration The following example shows how to configure time-range in Week mode. The ACL only takes effect from 08:30 to 18:00, Monday to Friday: Switch#configure Switch(config)#time-range work_time Switch(config-time-range)#periodic week-date 1-5 time-slice1 08:30-18:00 Switch(config-time-range)#exit Switch(config)#show time-range Time-range entry: work_time(inactive) periodic time-slice 08:30-18:00 periodic week-day 1,2,3,4,5...
  • Page 571 Configuring ACL ACL Configuration Step 3 rule rule-id {deny | permit} [ [smac source-mac ] smask source-mac-mask ] [ [dmac destination-mac ] dmask destination-mac-mask ] [ vid vlan-id ] [ type ethernet-type ] [ pri user-pri ] [ tseg time-segment ] Add a MAC ACL Rule.
  • Page 572 Configuring ACL ACL Configuration mac access list 50 rule 5 permit smac 00:34:a2:d4:34:b5 smask ff:ff:ff:ff:ff:ff Switch(config)#end Switch#copy running-config startup-config Standard-IP ACL Step 1 configure Enter global configuration mode. Step 2 access-list create access-list-num Create a Standard-IP ACL. access-list-num: Enter an ACL ID. The ID ranges from 500 to 1499...
  • Page 573 Configuring ACL ACL Configuration Switch(config)#access-list create 600 Switch(config)#access-list standard 600 rule 1 permit sip 192.168.1.100 smask 255.255.255.255 Switch(config)#show access-list 600 Standard IP access list 600 rule 1 permit sip 192.168.1.100 smask 255.255.255.255 Switch(config)#end Switch#copy running-config startup-config Extend-IP ACL Step 1 configure Enter global configuration mode.
  • Page 574 Configuring ACL ACL Configuration Step 3 access-list extended acl-id rule rule-id {deny | permit} [ [sip source-ip] smask source-ip-mask ] [ [dip destination-ip ] dmask destination-ip-mask ] [tseg time-segment ] [frag {disable | enable}] [dscp dscp ] [s-port s-port ] [d-port d-port ] [tcpflag tcpflag ] [protocol protocol ] [tos tos ] [pre pre ] Add a rule for the ACL.
  • Page 575 Configuring ACL ACL Configuration Extended IP access list 1700 rule 7 deny sip 192.168.2.100 smask 255.255.255.255 protocol 6 d-port 23 Switch(config)#end Switch#copy running-config startup-config 2.2.3 Configuring Policy Policy allows you to further process the matched packets through operations such as mirroring, rate-limiting, redirecting, or changing priority.
  • Page 576 Configuring ACL ACL Configuration Step 4 redirect interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } (Optional) Define the policy to redirect the matched packets to the desired port. port: The destination port to which the packets will be redirected. The default is All. s-mirror interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } (Optional) Define the policy to mirror the matched packets to the desired port.
  • Page 577 Configuring ACL ACL Configuration Switch(config)#end Switch#copy running-config startup-config 2.2.4 ACL Binding and Policy Binding You can select ACL binding or Policy binding according to your needs. An ACL Rule and policy takes effect only after they are bound to a port or VLAN.  Policy Binding You can bind the policy to a port or a VLAN, then the received packets will be matched and operated based on the policy.
  • Page 578 Configuring ACL ACL Configuration Switch(config)#interface vlan 2 Switch(config-if)#access-list bind 2 Switch(config-if)#exit Switch(config)#show access-list bind Index Policy Name Interface/VID Direction Type ----- ----------- ------------- -------- ---- Gi1/0/2 Ingress Port Ingress Vlan Index ACL ID Interface/VID Direction Type ----- ----------- ------------- -------- ---- Switch(config)#end Switch#copy running-config startup-config...
  • Page 579 Configuring ACL ACL Configuration Step 4 copy running-config startup-config Save the settings in the configuration file. The following example shows how to bind ACL 1 to port 3 and ACL 2 to VLAN 4: Switch#configure Switch(config)#interface gigabitEthernet 1/0/3 Switch(config-if)#access-list bind acl 1 Switch(config-if)#exit Switch(config)#interface vlan 4 Switch(config-if)#access-list bind acl 2...
  • Page 580 Configuring ACL Configuration Example for ACL Configuration Example for ACL 3.1 Network Requirements A company’s internal server group can provide different types of services. It is required that: • the Marketing department can only access internal server group in the intranet. • the Marketing department can only visit http and https websites on the internet.
  • Page 581 Apply the Extend-IP ACL to a Policy and bind the Policy to port 1/0/1 so that the ACL rules will apply to the Marketing department only. Demonstrated with T2500G-10MPS, the following sections explain the configuration procedure in two ways: using the GUI and using the CLI.
  • Page 582 Configuring ACL Configuration Example for ACL Figure 3-3 Configuring Rule 1 3) Choose the menu ACL > ACL Config > Extend-IP ACL to load the following page. Select the Extend-IP ACL 1600, configure rule 2 and rule 3 to permit packets with source IP 10.10.70.0 and destination port TCP 80 (http service port) and UDP 443 (https service port).
  • Page 583 Configuring ACL Configuration Example for ACL Figure 3-5 Configuring Rule 3 4) Choose the menu ACL > ACL Config > Extend-IP ACL to load the following page. Select the Extend-IP ACL 1600, configure Rule 4 and Rule 5 to permit packets with source IP 10.10.70.0 and with destination port TCP 53 or UDP 53 (DNS service port).
  • Page 584 Configuring ACL Configuration Example for ACL Figure 3-7 Configuring Rule 5 5) Choose the menu ACL > ACL Config > Extend-IP ACL to load the following page. Select the Extend-IP ACL 1600, configure Rule 6 to deny packets with source IP 10.10.70.0.
  • Page 585 Configuring ACL Configuration Example for ACL Figure 3-9 Creating the Policy 7) Choose the menu ACL > Policy Config > Action Create to load the following page. Then apply ACL 1600 to Policy Market. Figure 3-10 Applying the ACL to the Policy 8) Choose the menu ACL >...
  • Page 586 Configuring ACL Configuration Example for ACL Figure 3-11 Binding the Policy to Port 1/0/1 9) Click Save Config to save the settings. 3.5 Using the CLI 1) Create Extended-IP ACL 1600. Switch#configure Switch(config)#access-list create 1600 2) Configure rule 1 to permit packets with source IP 10.10.70.0 and destination IP 10.10.80.0.
  • Page 587 Configuring ACL Configuration Example for ACL 5) Configure Rule 6 to deny packets with source IP 10.10.70.0. Switch(config)#access-list extended 1600 rule 6 deny sip 10.10.70.0 smask 255.255.255.0 6) Create Policy Market, and then apply ACL 1600 to it. Switch(config)#access-list policy name Market Switch(config)#access-list policy action Market 1600 Switch(config-action)#exit 7) Bind Policy Market to Port 1.
  • Page 588 Configuring ACL Appendix: Default Parameters Appendix: Default Parameters For MAC ACL: Parameter Default Setting Operation Permit User Priority No Limit Time-Range No Limit For Standard-IP ACL: Parameter Default Setting Operation Permit Time-Range No Limit For Extend-IP ACL: Parameter Default Setting Operation Permit IP Protocol...
  • Page 589 Part 21 Configuring Network Security CHAPTERS 1 . Network Security 2 . IP-MAC Binding Configurations 3 . DHCP Snooping Configuration 4 . ARP Inspection Configurations 5 . DoS Defend Configuration 6 . 802.1X Configuration 7 . PPPoE ID-Insertion Configuration 8 . AAA Configuration 9 .
  • Page 590 Configuring Network Security Network Security Network Security 1.1 Overview Network Security provides multiple protection measures for the network. Users can configure the security functions according to their needs. 1.2 Supported Features The switch supports multiple network security features, for example, IP-MAC Binding, DHCP Snooping, ARP Inspection and so on.
  • Page 591 Configuring Network Security Network Security Figure 1-1 Network Topology of Basic DHCP Security Legal DHCP Server Trusted Port Untrusted Port Untrusted Port Switch Clients Illegal DHCP Server Additionally, with DHCP Snooping, the switch can monitor the IP address obtaining process of each client host and record the IP address, MAC address, VLAN ID and the connected port number of the host for automatic binding.
  • Page 592 Configuring Network Security Network Security • Prevent ARP Flooding Attack With the ARP Defend feature the switch can terminate receiving the ARP packets for 300 seconds when the transmission speed of the legal ARP packet on the port exceeds the defined value so as to avoid ARP flooding attack.
  • Page 593 • Client A client, usually a computer, is connected to the authenticator via a physical port. We recommend that you install TP-Link 802.1X authentication client software on the client hosts, enabling them to request 802.1X authentication to access the LAN.
  • Page 594 RADIUS Server PPPoE Server AAA stands for authentication, authorization and accounting. On TP-Link switches, this feature is mainly used to authenticate the users trying to log in to the switch or get administrative privileges. The administrator can create guest accounts and an Enable password for other users.
  • Page 595 Configuring Network Security IP-MAC Binding Configurations IP-MAC Binding Configurations You can complete IP-MAC binding in two ways: • Manual Binding • Dynamical Binding (including ARP Scanning and DHCP Snooping) Additionally, you can search the specified entries in the Binding Table. Using the GUI 2.1.1 Binding Entries Manually You can manually bind the IP address, MAC address, VLAN ID and the Port number...
  • Page 596 Configuring Network Security IP-MAC Binding Configurations Host Name Enter the host name for identification. IP Address Enter the IP address. MAC Address Enter the MAC address. VLAN ID Enter the VLAN ID. 2) Select protect type for the entry. Protect Type Select the protect type for the entry: None: This entry will not be applied to any feature.
  • Page 597 Configuring Network Security IP-MAC Binding Configurations Start IP Address/ Specify an IP range by entering a start and end IP address. End IP Address VLAN ID Specify a VLAN ID. 2) In the Scanning Result section, select one or more entries and configure the relevant parameters.
  • Page 598 Configuring Network Security IP-MAC Binding Configurations Choose the menu Network Security > IP-MAC Binding > Binding Table to load the following page. Figure 2-3 Binding Table In the Search section, specify the search criteria to search your desired entries. Source Select the source of the entry and click Search. All: Displays the entries from all sources.
  • Page 599 Configuring Network Security IP-MAC Binding Configurations Collision Displays the collision status of the entry. Warning: The collision entries have the same IP address and MAC address, and all the collision entries are valid. This kind of collision may be caused by the MSTP function. Critical: The collision entries have the same IP address but different MAC addresses.
  • Page 600 Configuring Network Security IP-MAC Binding Configurations Step 3 show ip source binding Verify the binding entry. Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to bind an entry with the hostname host1, IP address 192.168.0.55, MAC address AA-BB-CC-DD-EE-FF, VLAN ID 10, port number 1/0/5, and enable this entry for the ARP detection feature.
  • Page 601 Configuring Network Security DHCP Snooping Configuration DHCP Snooping Configuration To complete DHCP Snooping configuration, follow these steps: 1) Enable DHCP Snooping on VLAN. 2) Configure DHCP Snooping on the specified port. 3) (Optional) Configure Option 82 on the specified port. Tips: The switch can dynamically bind the entries via DHCP Snooping after step 1 and step 2 are completed.
  • Page 602 Configuring Network Security DHCP Snooping Configuration VLAN ID Specify the VLAN ID in the format shown on the page. VLAN Displays the VLANs that have been enabled with DHCP Snooping. Configuration Display 3) Click Apply. 3.1.2 Configuring DHCP Snooping on Ports Choose the menu Network Security >...
  • Page 603 Configuring Network Security DHCP Snooping Configuration Decline Protect Select to enable the decline protect feature and specify the maximum number of DHCP Decline packets that can be forwarded on the port per second. The excessive DHCP Decline packets will be discarded. Displays the LAG that the port is in.
  • Page 604 Configuring Network Security DHCP Snooping Configuration Circuit ID Select Enable to manually define the circuit ID field, which is a sub-option of Customization Option 82. The circuit ID configurations of the switch and the DHCP server should be compatible with each other. Circuit ID Enter the customized circuit ID, which contains up to 64 characters.
  • Page 605 Configuring Network Security DHCP Snooping Configuration Switch(config)#ip dhcp snooping vlan 5 Switch(config)#show ip dhcp snooping Global Status: Enable VLAN ID: 5 Switch(config-if)#end Switch#copy running-config startup-config 3.2.2 Configuring DHCP Snooping on Ports Follow these steps to configure DHCP Snooping on the specified ports. Step 1 configure Enter global configuration mode.
  • Page 606 Configuring Network Security DHCP Snooping Configuration Step 7 show ip dhcp snooping interface [ gigabitEthernet port | port-channel port-channel-id ] Verify the DHCP Snooping configuration of the port. Step 8 Return to privileged EXEC mode. Step 9 copy running-config startup-config Save the settings in the configuration file.
  • Page 607 Configuring Network Security DHCP Snooping Configuration Step 2 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | interface port-channel port-channel-id | interface range port-channel port-channel-id-list } Enter interface configuration mode. Step 3 ip dhcp snooping information option Enable the Option 82 feature on the port.
  • Page 608 Configuring Network Security DHCP Snooping Configuration Switch(config-if)#ip dhcp snooping information strategy replace Switch(config-if)#ip dhcp snooping information circut-id VLAN20 Switch(config-if)#ip dhcp snooping information remote-id Host1 Switch(config-if)#show ip dhcp snooping information interface gigabitEthernet 1/0/7 Interface Option 82 Status Operation Strategy Circuit ID Remote ID --------- ----------------...
  • Page 609 Configuring Network Security ARP Inspection Configurations ARP Inspection Configurations With ARP Inspection configurations, you can: • Configure ARP Detection • Configure ARP Defend • View ARP Statistics Using the GUI 4.1.1 Configuring ARP Detection The ARP Detection feature allows the switch to detect the ARP packets based on the binding entries in the IP-MAC Binding Table and filter out the illegal ARP packets.
  • Page 610 Configuring Network Security ARP Inspection Configurations 4.1.2 Configuring ARP Defend With ARP Defend enabled, the switch can terminate receiving the ARP packets for 300 seconds when the transmission speed of the legal ARP packet on the port exceeds the defined value so as to avoid ARP Attack flood. Choose the menu Network Security >...
  • Page 611 Configuring Network Security ARP Inspection Configurations 4.1.3 Viewing ARP Statistics You can view the number of the illegal ARP packets received on each port, which helps you locate the network malfunction and take the related protection measures. Choose the menu Network Security > ARP Inspection > ARP Statistics to load the following page.
  • Page 612 Configuring Network Security ARP Inspection Configurations 4.2 Using the CLI 4.2.1 Configuring ARP Detection The ARP Detection feature allows the switch to detect the ARP packets based on the binding entries in the IP-MAC Binding Table and filter the illegal ARP packets. Before configuring ARP Detection, complete IP-MAC Binding configuration.
  • Page 613 Configuring Network Security ARP Inspection Configurations ARP detection global status: Enabled Port Trusted Gi1/0/1 Gi1/0/2 ..Switch(config-if)#end Switch#copy running-config startup-config 4.2.2 Configuring ARP Defend With ARP Defend enabled, the switch can terminate receiving the ARP packets for 300 seconds when the transmission speed of the legal ARP packet on the port exceeds the defined value so as to avoid ARP Attack flood.
  • Page 614 Configuring Network Security ARP Inspection Configurations The following example shows how to enable ARP Defend and configure the ARP inspection limit-rate as 20 pps on port 1/0/2: Switch#configure Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#ip arp inspection Switch(config-if)#ip arp inspection limit-rate 20 Switch(config-if)#show ip arp inspection interface gigabitEthernet 1/0/2 Port OverSpeed Rate Current Status...
  • Page 615 Configuring Network Security ARP Inspection Configurations 4.2.3 Viewing ARP Statistics On privileged EXEC mode or any other configuration mode, you can use the following command to view ARP statistics: show ip arp inspection statistics View the ARP statistics on each port, including whether the port is trusted port and the number of received ARP packets on the port.
  • Page 616 Configuring Network Security DoS Defend Configuration DoS Defend Configuration 5.1 Using the GUI Choose the menu Network Security > DoS Defend > DoS Defend to load the following page. Figure 5-1 Dos Defend Follow these steps to configure DoS Defend: 1) In the Configure section, enable DoS Protection. 2) In the Defend Table section, select one or more defend types according to your needs.
  • Page 617 Configuring Network Security DoS Defend Configuration NULL Scan The attacker sends the illegal packet with its TCP index and all the control fields set to 0. During the TCP connection and data transmission, the packets with all control fields set to 0 are considered illegal. SYN sPort less The attacker sends the illegal packet with its TCP SYN field set to 1 and source 1024...
  • Page 618 Configuring Network Security DoS Defend Configuration Step 3 ip dos-prevent type { land | scan-synfin | xma-scan | null-scan | port-less-1024 | blat | ping-flood | syn-flood | win-nuke | smurf | ping-of-death } Configure one or more defend types according to your needs. The types of DoS attack are introduced as follows.
  • Page 619 Configuring Network Security DoS Defend Configuration Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable the DoS Defend type named land: Switch#configure Switch(config)#ip dos-prevent Switch(config)#ip dos-prevent type land Switch(config)#show ip dos-prevent Type...
  • Page 620 Configuring Network Security 802.1X Configuration 802.1X Configuration To complete the 802.1X configuration, follow these steps: 1) Configure the RADIUS server. 2) Configure 802.1X globally. 3) Configure 802.1X on ports. Configuration Guidelines 802.1X authentication and Port Security cannot be enabled at the same time. Before enabling 802.1X authentication, make sure that Port Security is disabled.
  • Page 621 Configuring Network Security 802.1X Configuration • Adding the RADIUS Server Choose the menu Network Security > AAA > RADIUS Config to load the following page. Figure 6-2 RADIUS Config Follow these steps to create a protocol template: 1) In the Server Config section, configure the parameters of RADIUS server. 2) Click Apply.
  • Page 622 Configuring Network Security 802.1X Configuration Choose the menu Network Security > AAA > Server Group to load the following page. Figure 6-3 Adding a Server Group Follow these steps to create a protocol template: 1) In the Add New Server Group section, specify the name and server type for the new server group, and click Add.
  • Page 623 Configuring Network Security 802.1X Configuration Figure 6-5 Add Server to Group • Configuring the Dot1x List Choose the menu Network Security > AAA > Dot1x List to load the following page. Figure 6-6 Configuring the Dot1x List Follow these steps to configure RADIUS server groups for 802.1X authentication and accounting: 1) In the Authentication Dot1x Method List section, select an existing RADIUS server group for authentication from the Pri1 drop-down list and click Apply.
  • Page 624 Handshake Enable or disable the Handshake feature. The Handshake feature is used to detect the connection status between the TP-Link 802.1X Client and the switch. Please disable the Handshake feature if you are using other client software instead of the TP-Link 802.1X Client.
  • Page 625 Configuring Network Security 802.1X Configuration Guest VLAN Select whether to enable Guest VLAN. By default, it is disabled. If the Guest VLAN is enabled, a port can access resources in the guest VLAN even though the port is not yet authenticated; if guest VLAN is disabled and the port is not authenticated, the port cannot visit any resource in the LAN.
  • Page 626 Configuring Network Security 802.1X Configuration Status Enable 802.1X authentication on the port. Guest VLAN Select whether to enable Guest VLAN on the port. Control Mode Select the Control Mode for the port. By default, it is Auto. Auto: If this option is selected, the port can access the network only when it is authenticated.
  • Page 627 Configuring Network Security 802.1X Configuration Step 3 radius-server host ip-address [ auth-port port-id ] [ acct-port port-id ] [ timeout time ] [ retransmit number ] [ key { [ 0 ] string | 7 encrypted-string } ] Add the RADIUS server and configure the related parameters as needed. host ip-address : Enter the IP address of the server running the RADIUS protocol.
  • Page 628 Configuring Network Security 802.1X Configuration Step 8 show aaa global (Optional) Verify the global configuration of AAA. Step 9 show radius-server (Optional) Verify the configuration of RADIUS server. Step 10 show aaa group [ group-name ] (Optional) Verify the configuration of server group. Step 11 show aaa authentication dot1x (Optional) Verify the authentication method list.
  • Page 629 Configuring Network Security 802.1X Configuration 192.168.0.100 Switch(config)#show aaa authentication dot1x Methodlist pri1 pri2 pri3 pri4 default radius1 Switch(config)#show aaa accounting dot1x Methodlist pri1 pri2 pri3 pri4 default radius1 Switch(config)#show aaa global AAA global status: Enable Switch(config)#end Switch#copy running-config startup-config 6.2.2 Configuring 802.1X Globally Follow these steps to configure 802.1X globally: Step 1 configure...
  • Page 630 Configuring Network Security 802.1X Configuration Step 5 dot1x quiet-period [time] (Optional) Enable the quiet feature for 802.1X authentication and configure the quiet period. time: Set a value between 1 and 999 seconds for the quiet period. It is 10 seconds by default.
  • Page 631 Configuring Network Security 802.1X Configuration Quiet-period State: Disable Quiet-period Timer: 10 sec. Max Retry-times For RADIUS Packet: 3 Supplicant Timeout: 3 sec. Switch(config)#end Switch#copy running-config startup-config 6.2.3 Configuring 802.1X on Ports Follow these steps to configure the port: Step 1 configure Enter global configuration mode.
  • Page 632 Configuring Network Security 802.1X Configuration Step 7 show dot1x interface [fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port ] (Optional) Verify the configurations of 802.1X authentication on the port. port: Enter the ID of the port to be configured. If no specific port is entered, the switch will show configurations of all ports.
  • Page 633 Configuring Network Security PPPoE ID-Insertion Configuration PPPoE ID-Insertion Configuration Using the GUI Choose the menu Network Security > PPPoE > PPPoE ID Insertion to load the following page. Figure 7-1 PPPoE ID Insertion Follow these steps to configure PPPoE ID-Insertion: 1) In the Global Config section, enable PPPoE ID Insertion and click Apply. 2) In the Port Config section, select one or more ports, and configure the relevant parameters.
  • Page 634 Configuring Network Security PPPoE ID-Insertion Configuration UDF Value If UDF or UDF ONLY is selected, specify a string with at most 40 characters to encode the Circuit-id option. Remote-ID Enable or disable the Remote-ID Insertion feature. With this option enabled, the switch will insert a Remote ID to the received PPPoE Discovery packet on this port.
  • Page 635 Configuring Network Security PPPoE ID-Insertion Configuration Step 8 show pppoe id-insertion interface { fastEthernet port | gigabitEthernet port } Verify the configuration of PPPoE ID-Insertion for the specific port. Step 9 Return to privileged EXEC mode. Step 10 copy running-config startup-config Save the settings in the configuration file.
  • Page 636 Configuring Network Security AAA Configuration AAA Configuration In the AAA feature, the authentication can be processed locally on the switch or centrally on the RADIUS/TACACS+ server(s). To ensure the stability of the authentication system, you can configure multiple servers and authentication methods at the same time. This chapter introduces how to configure this kind of comprehensive authentication in AAA.
  • Page 637 Configuring Network Security AAA Configuration • AAA Application List The switch supports the following access applications: Console, Telnet, SSH and HTTP. You can select the configured authentication method lists for each application. Using the GUI 8.1.1 Globally Enabling AAA Choose the menu Network Security > AAA > Global Config to load the following page. Figure 8-1 Global Configuration Follow these steps to globally enable AAA: 1) In the Global Config section, enable AAA.
  • Page 638 Configuring Network Security AAA Configuration Follow these steps to add a RADIUS server: 1) In the Server Config section, configure the following parameters. Server IP Enter the IP address of the server running the RADIUS secure protocol. Shared Key Enter the shared key between the RADIUS server and the switch. The RADIUS server and the switch use the key string to encrypt passwords and exchange responses.
  • Page 639 Configuring Network Security AAA Configuration Shared Key Enter the shared key between the TACACS+ server and the switch. The TACACS+ server and the switch use the key string to encrypt passwords and exchange responses. Server Port Specify the TCP port used on the TACACS+ server for AAA. The default setting is 2) Click Add to add the TACACS+ server on the switch.
  • Page 640 Configuring Network Security AAA Configuration Figure 8-5 Edit the Group 3) Select the server to be added to the group from the Server IP drop-down list . Then click Add to add this server to the server group. Figure 8-6 Add Server to Group 8.1.4 Configuring the Method List A method list describes the authentication methods and their sequence to authenticate the users.
  • Page 641 Configuring Network Security AAA Configuration Choose the menu Network Security > AAA > Method List to load the following page. Figure 8-7 Add New Method There are two default methods respectively for the Login authentication and the Enable authentication. You can edit the default methods or follow these steps to add a new method: 1) In the Add Method List section, configure the parameters for the method to be added.
  • Page 642 Configuring Network Security AAA Configuration 8.1.5 Configuring the AAA Application List Choose the menu Network Security > AAA > Global Config to load the following page. Figure 8-8 Configure Application List Follow these steps to configure the AAA application list. 1) In the AAA Application List section, select an access application and configure the Login list and Enable list.
  • Page 643 Configuring Network Security AAA Configuration Tips: The logged-in guests can enter the Enable password on this page to get administrative privileges. • On the Server The accounts created by the RADIUS/TACACS+ server can only view the configurations and some network information without the Enable password. Some configuration principles on the server are as follows: • For Login authentication configuration, more than one login account can be created on the server.
  • Page 644 Configuring Network Security AAA Configuration Switch#configure Switch(config)#aaa enable Switch(config)#show aaa global AAA global status: Enable ..Switch(config)#end Switch#copy running-config startup-config 8.2.2 Adding Servers You can add one or more RADIUS/TACACS+ servers on the switch for authentication. If multiple servers are added, the server with the highest priority authenticates the users trying to access the switch, and the others act as backup servers in case the first one breaks down.
  • Page 645 Configuring Network Security AAA Configuration Step 3 show radius-server Verify the configuration of RADIUS server. Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to add a RADIUS server on the switch. Set the IP address of the server as 192.168.0.10, the authentication port as 1812, the shared key as 123456, the timeout as 8 seconds and the retransmit number as 3.
  • Page 646 Configuring Network Security AAA Configuration Step 2 tacacs-server host ip-address [ port port-id ] [ timeout time ] [ key { [ 0 ] string | 7 encrypted-string } ] Add the RADIUS server and configure the related parameters as needed. host ip-address Enter the IP address of the server running the TACACS+ protocol.
  • Page 647 Configuring Network Security AAA Configuration 8.2.3 Configuring Server Groups The switch has two built-in server groups, one for RADIUS and the other for TACACS+. The servers running the same protocol are automatically added to the default server group. You can add new server groups as needed. The two default server groups cannot be deleted or edited.
  • Page 648 Configuring Network Security AAA Configuration Switch(aaa-group)#end Switch#copy running-config startup-config 8.2.4 Configuring the Method List A method list describes the authentication methods and their sequence to authenticate the users. The switch supports Login Method List for users of all types to gain access to the switch, and Enable Method List for guests to get administrative privileges.
  • Page 649 Configuring Network Security AAA Configuration Methodlist pri1 pri2 pri3 pri4 default local Login1 radius local Switch(config)#end Switch#copy running-config startup-config The following example shows how to create an Enable method list named Enable1, and configure the method 1 as the default radius server group and the method 2 as local. Switch#configure Switch(config)#aaa authentication enable Enable1 radius local Switch(config)#show aaa authentication enable...
  • Page 650 Configuring Network Security AAA Configuration Step 3 login authentication { method-list } Apply the Login method list for the application Console. method-list: Specify the name of the Login method list. Step 4 enable authentication { method-list } Apply the Enable method list for the application Console. Specify the name of the Enable method list.
  • Page 651 Configuring Network Security AAA Configuration • Telnet Follow these steps to apply the Login and Enable method lists for the application Telnet: Step 1 configure Enter global configuration mode. Step 2 line telnet Enter line configuration mode. Step 3 login authentication { method-list } Apply the Login method list for the application Telnet.
  • Page 652 Configuring Network Security AAA Configuration Http default default Switch(config-line)#end Switch#copy running-config startup-config • SSH Follow these steps to apply the Login and Enable method lists for the application SSH: Step 1 configure Enter global configuration mode. Step 2 line ssh Enter line configuration mode.
  • Page 653 Configuring Network Security AAA Configuration Console default default Telnet default default Login1 Enable1 Http default default Switch(config-line)#end Switch#copy running-config startup-config • HTTP Follow these steps to apply the Login and Enable method lists for the application HTTP: Step 1 configure Enter global configuration mode.
  • Page 654 Configuring Network Security AAA Configuration Console default default Telnet default default default default Http Login1 Enable1 Switch(config)#end Switch#copy running-config startup-config 8.2.6 Configuring Login Account and Enable Password The login account and Enable password can be configured locally on the switch or centrally on the RADIUS/TACACS+ server(s).
  • Page 655 Configuring Network Security AAA Configuration Step 4 copy running-config startup-config Save the settings in the configuration file. • On the Server The accounts created by the RADIUS/TACACS+ server can only view the configurations and some network information without the Enable password. Some configuration principles on the server are as follows: • For Login authentication configuration, more than one login account can be created on the server.
  • Page 656 Configuring Network Security Configuration Examples Configuration Examples 9.1 Example for DHCP Snooping and ARP Detection 9.1.1 Network Requirements As shown below, User 1 and User 2 get IP addresses from the legal DHCP server, and User 3 has a static IP address. All of them are in the default VLAN 1. Now, untrusted DHCP packets need to be filtered to ensure that the DHCP clients (User 1 and User 2) can get the IP addresses from the legal DHCP server.
  • Page 657 4) Configure ARP Defend on Switch A to limit the speed of receiving the legal ARP packets on each port, thus to prevent ARP flooding attacks. Demonstrated with T2500G-10MPS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.
  • Page 658 Configuring Network Security Configuration Examples Figure 9-3 Port Config 3) Choose the menu Network Security > IP-MAC Binding > Manual Binding to load the following page. Enter the host name, IP address, MAC address and VLAN ID of User 3, select ARP Detection as the protect type, and select port 1/0/3 on the panel. Click Bind. Figure 9-4 Manual Binding 4) Choose the menu Network Security >...
  • Page 659 Configuring Network Security Configuration Examples Figure 9-5 Binding Table 5) Choose the menu Network Security > ARP Inspection > ARP Detect to load the following page. Enable ARP Detection and set port 1/0/4 as a trusted port. Click Apply. Figure 9-6 ARP Detect 6) Choose the menu Network Security >...
  • Page 660 Configuring Network Security Configuration Examples 7) Click Save Config to save the settings. 9.1.4 Using the CLI 1) Enable DHCP Snooping globally and on VLAN 1. Switch_A#configure Switch_A(config)#ip dhcp snooping Switch_A(config)#ip dhcp snooping vlan 1 2) Configure port 1/0/4 as a trusted port. Switch_A(config)#interface gigabitEthernet 1/0/4 Switch_A(config-if)#ip dhcp snooping trust Switch_A(config-if)#exit...
  • Page 661 Configuring Network Security Configuration Examples VLAN ID: 1 Switch_A#show ip dhcp snooping interface Interface Trusted MAC-Verify Limit-Rate Dec-rate --------- ------- ---------- ---------- -------- ---- Gi1/0/1 Disable Enable Gi1/0/2 Disable Enable Gi1/0/3 Disable Enable Gi1/0/4 Enable Enable ..Verify the IP-MAC Binding entries: Switch_A#show ip source binding No.
  • Page 662 Configuring Network Security Configuration Examples Switch_A#show ip arp inspection interface Port OverSpeed Rate Current Status Gi1/0/1 Enabled Normal Gi1/0/2 Enabled Normal Gi1/0/3 Enabled Normal Gi1/0/4 Disabled ..9.2 Example for 802.1X 9.2.1 Network Requirements The network administrator wants to control access from the end users (clients) in the company.
  • Page 663 Client Client Client Demonstrated with T2500G-10MPS acting as the authenticator, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. 9.2.4 Using the GUI 1) Choose the menu Network Security > AAA > Global Config to load the following page.
  • Page 664 Configuring Network Security Configuration Examples Figure 9-10 RADIUS Config 3) Choose the menu Network Security > AAA > Server Group to load the following page. In the Add New Server Group section, specify the group name as radius1 and the server type as RADIUS. Click Add to create the server group. Figure 9-11 Create Server Group 4) On the same page, select the newly created server group and click edit to load the following page.
  • Page 665 Configuring Network Security Configuration Examples 6) Choose the menu Network Security > 802.1X Authentication > Global Config to load the following page. Enable 802.1X authentication and configure the Authentication Method as EAP. Enable the Quiet feature and then keep the default authentication settings.
  • Page 666 Configuring Network Security Configuration Examples 9.2.5 Using the CLI 1) Enable AAA function globally and configure the RADIUS parameters. Switch_A(config)#aaa enable Switch_A(config)#radius-server host 192.168.0.10 auth-port 1812 key 123456 Switch_A(config)#aaa group radius radius1 Switch_A(aaa-group)#server 192.168.0.10 Switch_A(aaa-group)#exit Switch_A(config)#aaa authentication dot1x default radius1 Switch_A(config)#end Switch_A#copy running-config startup-config 2) Globally enable 802.1X authentication and set the authentication method;...
  • Page 667 Configuring Network Security Configuration Examples Verify the Configurations Verify the global configurations of 802.1X authentication: Switch_A#show dot1x global 802.1X State: Enabled Authentication Method: Handshake State: Enabled Guest VLAN State: Disabled Guest VLAN ID: 802.1X Accounting State: Disabled Quiet-period State: Enabled Quiet-period Timer: 10 sec.
  • Page 668 Configuring Network Security Configuration Examples Http default default Switch_A#show aaa authentication dot1x Methodlist pri1 pri2 pri3 pri4 default radius1 Switch_A#show aaa group radius1 192.168.0.10 9.3 Example for AAA 9.3.1 Network Requirements As shown below, the switch needs to be managed remotely via Telnet. In addition, the senior administrator of the company wants to create an account for the less senior administrators, who can only view the configurations and some network information without the Enable password provided.
  • Page 669 RADIUS Server 1 is the first server for authentication. 3) Configure the method list. 4) Configure the AAA application list. Demonstrated with T2500G-10MPS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. 9.3.3 Using the GUI 1) Choose the menu Network Security >...
  • Page 670 Configuring Network Security Configuration Examples Figure 9-19 Add RADIUS Server 2 4) Choose the menu Network Security > AAA > Server Group to load the following page. In the Add New Server Group section, specify the group name as RADIUS1 and the server type as RADIUS.
  • Page 671 Configuring Network Security Configuration Examples Figure 9-21 Add Servers to Server Group 6) Choose the menu Network Security > AAA > Method List to load the following page. Specify the Method List Name as Method-Login, select the List Type as Authentication Login, and select the Pri1 as RADIUS1.
  • Page 672 Configuring Network Security Configuration Examples Figure 9-24 Configure AAA Application List 9) Click Save Config to save the settings. 9.3.4 Using the CLI 1) Enable AAA globally. Switch#configure Switch(config)#aaa enable 2) Add RADIUS Server 1 and RADIUS Server 2 on the switch. Switch(config)#radius-server host 192.168.0.10 auth-port 1812 key 123456 Switch(config)#radius-server host 192.168.0.20 auth-port 1812 key 123456 3) Create a new server group named RADIUS1 and add the two RADIUS servers to the...
  • Page 673 Configuring Network Security Configuration Examples Switch#copy running-config startup-config Verify the Configuration Verify the configuration of the RADIUS servers: Switch#show radius-server Server Ip Auth Port Acct Port Timeout Retransmit Shared key 192.168.0.10 1812 1813 123456 192.168.0.20 1812 1813 123456 Verify the configuration of server group RADIUS1: Switch#show aaa group RADIUS1 192.168.0.10 192.168.0.20...
  • Page 674 Configuring Network Security Configuration Examples Module Login List Enable List Console default default Telnet Method-Login Method-Enable default default Http default default Configuration Guide...
  • Page 675 Configuring Network Security Appendix: Default Parameters Appendix: Default Parameters Default settings of Network Security are listed in the following tables. Table 10-1 IP-MAC Binding Parameter Default Setting For Manual Binding: None Protect Type For ARP Scanning: None For DHCP Snooping: All Table 10-2 DHCP Snooping Parameter...
  • Page 676 Configuring Network Security Appendix: Default Parameters Table 10-3 ARP Inspection Parameter Default Setting ARP Detect ARP Detect Disable Trusted Port None ARP Defend Defend Disable Speed 15 pps ARP Statistics Auto Refresh Disable Refresh Interval 5 seconds Table 10-4 DoS Defend Parameter Default Setting DoS Defend...
  • Page 677 Configuring Network Security Appendix: Default Parameters Parameter Default Setting Supplicant Timeout 3 seconds Port Config 802.1X Status Disable Guest VLAN Disable Control Mode Auto Control Type MAC Based Dot1X List Authentication Dot1x List Name: default Method List Pri1: radius Accounting Dot1x Method List Name: default List Pri1:radius...
  • Page 678 Configuring Network Security Appendix: Default Parameters Parameter Default Setting RADIUS Config Server IP None Shared Key None Auth Port 1812 Acct Port 1813 Retransmit Timeout 5 seconds TACACS+ Config Server IP None Timeout 5 seconds Shared Key None Port Server Group: There are two default server groups: radius and tacacs.
  • Page 679 Configuring Network Security Appendix: Default Parameters Parameter Default Setting Login List: default http Enable List: default Configuration Guide...
  • Page 680 Part 22 Configuring LLDP CHAPTERS 1. LLDP 2. LLDP Configurations 3. LLDP-MED Configurations 4. Viewing LLDP Settings 5. Viewing LLDP-MED Settings 6. Configuration Example 7. Appendix: Default Parameters...
  • Page 681 Configuring LLDP LLDP LLDP Overview LLDP (Link Layer Discovery Protocol) is a neighbor discovery protocol that is used for network devices to advertise information about themselves to other devices on the network. This protocol is a standard IEEE 802.1ab defined protocol and runs over the Layer 2 (the data-link layer), which allows for interoperability between network devices of different vendors.
  • Page 682 Configuring LLDP LLDP Configurations LLDP Configurations With LLDP configurations, you can: 1) Enable the LLDP feature on the switch. 2) (Optional) Configure the LLDP feature globally. 3) (Optional) Configure the LLDP feature for the interface. 2.1 Using the GUI 2.1.1 Global Config Choose the LLDP >...
  • Page 683 Configuring LLDP LLDP Configurations Follow these steps to enable LLDP and configure the LLDP feature globally. 1) In the Global Config section, enable LLDP. Click Apply. 2) In the Parameters Config section, configure the LLDP parameters. Click Apply. Transmit Enter the interval between successive LLDP packets that are periodically sent Interval from the local device to its neighbors.
  • Page 684 Configuring LLDP LLDP Configurations 2.1.2 Port Config Choose the menu LLDP > Basic Config > Policy Config to load the following page. Figure 2-2 Port Config Follow these steps to configure the LLDP feature for the interface. 1) Select the desired port and set its Admin Status and Notification Mode. Admin Status Set Admin Status for the port to deal with LLDP packets.
  • Page 685 Included TLVs Configure the TLVs included in the outgoing LLDP packets. TP-Link supports the following TLVs: PD: Used to advertise the port description defined by the IEEE 802 LAN station. SC: Used to advertise the supported functions and whether or not these functions are enabled.
  • Page 686 Configuring LLDP LLDP Configurations Step 3 lldp hold-multiplier (Optional) Specify the amount of time the neighbor device should hold the received information before discarding it. The default is 4. TTL (Time to Live) = Hold Multiplier * Transmit Interval. Step 4 lldp timer { tx-interval tx-interval | tx-delay tx-delay | reinit-delay reinit-delay | notify- interval notify-interval | fast-count fast-count } (Optional) Configure the timers for LLDP packet forwarding.
  • Page 687 Configuring LLDP LLDP Configurations TTL Multiplier: 4 Tx Delay: 2 seconds Initialization Delay: 2 seconds Trap Notification Interval: 5 seconds Fast-packet Count: 3 LLDP-MED Fast Start Repeat Count: 4 Switch(config)#end Switch#copy running-config startup-config 2.2.2 Port Config Select the desired port and set its Admin Status, Notification Mode and the TLVs included in the LLDP packets.
  • Page 688 Configuring LLDP LLDP Configurations The following example shows how to configure the port 1/0/1. The port can receive and transmit LLDP packets, its notification mode is enabled and the outgoing LLDP packets include all TLVs. Switch#configure Switch(config)#lldp Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#lldp receive Switch(config-if)#lldp transmit Switch(config-if)#lldp snmp-trap...
  • Page 689 Configuring LLDP LLDP-MED Configurations LLDP-MED Configurations With LLDP-MED configurations, you can: 1) Configure the LLDP-MED feature globally. 2) Enable and configure the LLDP-MED feature on the interface. Configuration Guidelines LLDP-MED is used together with Voice VLAN to implement VoIP access. Besides the configuration of LLDP-MED feature, you also need to configure the Voice VLAN feature.
  • Page 690 Configuring LLDP LLDP-MED Configurations 3.1.2 Port Config Choose the menu LLDP > LLDP-MED > Policy Config to load the following page. Figure 3-2 LLDP-MED Port Config Follow these steps to enable LLDP-MED: 1) Select the desired port and enable LLDP-MED. Click Apply. 2) Click Detail to enter the following page.
  • Page 691 Configuring LLDP LLDP-MED Configurations Figure 3-3 LLDP-MED Port Config-Detail Network Policy Used to advertise VLAN configuration and the associated Layer 2 and Layer 3 attributes of the port to the Endpoint devices. Location Used to assign the location identifier information to the Endpoint devices. Identification If this option is selected, you can configure the emergency number or the detailed address of the Endpoint device in the Location Identification Parameters section.
  • Page 692 Configuring LLDP LLDP-MED Configurations Civic Address Configure the address of the audio device in the IETF defined address format. What: Specify the role type of the local device, DHCP Server, Switch or LLDP-MED Endpoint. Country Code: Enter the country code defined by ISO 3166, for example, CN, US. Language, Province/State etc.: Enter the regular details.
  • Page 693 Configuring LLDP LLDP-MED Configurations TTL Multiplier: Tx Delay: 2 seconds Initialization Delay: 2 seconds Trap Notification Interval: 5 seconds Fast-packet Count: LLDP-MED Fast Start Repeat Count: Switch(config)#end Switch#copy running-config startup-config 3.2.2 Port Config Select the desired port, enable LLDP-MED and select the TLVs (Type/Length/Value) included in the outgoing LLDP packets according to your needs.
  • Page 694 Configuring LLDP LLDP-MED Configurations Step 6 Return to Privileged EXEC Mode. Step 7 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable LLDP-MED on port 1/0/1, configure the LLDP-MED TLVs included in the outgoing LLDP packets. Switch(config)#lldp Switch(config)#lldp med-fast-count 4 Switch(config)#interface gigabitEthernet 1/0/1...
  • Page 695 Configuring LLDP LLDP-MED Configurations LLDP-MED Status: Enabled TLV Status --- ------ Network Policy Location Identification Extended Power Via MDI Inventory Management Switch(config)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 696 Configuring LLDP Viewing LLDP Settings Viewing LLDP Settings This chapter introduces how to view the LLDP settings on the local device. 4.1 Using GUI 4.1.1 Viewing LLDP Device Info Viewing the Local Info Choose the menu LLDP > Device Info > Local Info to load the following page. Figure 4-1 Local Info Follow these steps to view the local information: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate...
  • Page 697 Configuring LLDP Viewing LLDP Settings Port ID Subtype Displays the Port ID type. Port ID Displays the value of the Port ID. Specify the amount of time the neighbor device should hold the received information before discarding it. Port Description Displays the description of the local port.
  • Page 698 Configuring LLDP Viewing LLDP Settings 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs. Click Apply. 2) In the Local Info section, select the desired port and view its associated neighbor device information.
  • Page 699 Configuring LLDP Viewing LLDP Settings 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs. Click Apply. 2) In the Global Statistics section, view the global statistics of the local device. Last Update Displays the time when the statistics updated.
  • Page 700 Configuring LLDP Viewing LLDP Settings Viewing LLDP Statistics show lldp traffic interface { fastEthernet port | gigabitEthernet port | tengigabitEthernet port } View the statistics of the corresponding port on the local device. Configuration Guide...
  • Page 701 Configuring LLDP Viewing LLDP-MED Settings Viewing LLDP-MED Settings Using GUI Viewing the Local Info Figure 5-1 LLDP-MED Local Info Follow these steps to view LLDP-MED local information: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs.
  • Page 702 Configuring LLDP Viewing LLDP-MED Settings Application Displays the supported applications of the local device. Type Unknown Policy Displays the unknown location settings included in the network policy TLV. Flag VLAN tagged Displays the VLAN Tag type of the applications, tagged or untagged. Media Policy Displays the 802.1Q VLAN ID of the port.
  • Page 703 Configuring LLDP Viewing LLDP-MED Settings Application Displays the application type of the neighbor device. Type Location Data Displays the location type of the neighbor device. Format Power Type Displays the power type of the neighbor device. Information View more LLDP-MED details of the neighbor device. Using CLI Viewing the Local Info show lldp local-information interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port }...
  • Page 704 Configuring LLDP Configuration Example Configuration Example 6.1 Example for Configuring LLDP 6.1.1 Network Requirements The network administrator needs to view the information of the devices in the company network to know about the link situation and network topology so that he can troubleshoot the potential network faults in advance.
  • Page 705 Configuring LLDP Configuration Example Figure 6-2 LLDP Global Config 2) Choose the menu LLDP > Basic Config > Port Config to load the following page. Set the Admin Status of port Gi1/0/1 to Tx&Rx, enable Notification Mode and configure all the TLVs included in the outgoing LLDP packets. Figure 6-3 LLDP Port Config 6.1.5 Using CLI 1) Enable LLDP globally and configure the corresponding parameters.
  • Page 706 Configuring LLDP Configuration Example Switch_A(config)#lldp hold-multiplier 4 Switch_A(config)#lldp timer tx-interval 30 tx-delay 2 reinit-delay 3 notify-interval 5 fast-count 3 2) Set the Admin Status of port Gi1/0/1 to Tx&Rx, enable Notification Mode and configure all the TLVs included in the outgoing LLDP packets. Switch_A#configure Switch_A(config)#interface gigabitEthernet 1/0/1 Switch_A(config-if)#lldp receive...
  • Page 707 Configuring LLDP Configuration Example Status ------ Port-Description System-Capability System-Description System-Name Management-Address Port-VLAN-ID Protocol-VLAN-ID VLAN-Name Link-Aggregation MAC-Physic Max-Frame-Size Power LLDP-MED Status: Disabled Status ------ Network Policy Location Identification Extended Power Via MDI Inventory Management View the Local Info Switch_A#show lldp local-information interface gigabitEthernet 1/0/1 LLDP local Information: gigabitEthernet 1/0/1: Chassis type:...
  • Page 708 Configuring LLDP Configuration Example TTL: System name: T2500G-10MPS System capabilities supported: Bridge Router System capabilities enabled: Bridge Router Management address type: ipv4 Management address: 192.168.0.1 Management address interface type: IfIndex Management address interface ID: Management address OID: Port VLAN ID(PVID):...
  • Page 709 Tagged: VLAN ID: Layer 2 Priority: DSCP: Location Data Format: Civic Address LCI - What: Switch - Country Code: Hardware Revision: T2500G-10MPS 2.0 Firmware Revision: Reserved Software Revision: 2.0.0 Build 20160905 Rel.74744(s) Serial Number: Reserved Manufacturer Name: TP-Link Model Name: T2500G-10MPS 2.0...
  • Page 710 Configuring LLDP Configuration Example System capabilities enabled: Bridge Router Management address type: ipv4 Management address: 192.168.0.1 Management address interface type: IfIndex Management address interface ID: Management address OID: Port VLAN ID(PVID): Port and protocol VLAN ID(PPVID): Port and protocol VLAN supported: Port and protocol VLAN enabled: VLAN name of VLAN 1: System-VLAN...
  • Page 711 Configuring LLDP Configuration Example The voice traffic is transmitted in a separate VLAN to guarantee the voice quality. The IP phones can finish the Voice VLAN configuration automatically to minimize the configuration effort. 6.2.2 Configuration Scheme To save the limited ports on the switch, connect the IP phone and the PC in a series, then the IP phone and PC can share the same port on the switch.
  • Page 712 Configuring LLDP Configuration Example Choose the menu QoS > Voice VLAN > Global Config, enable Voice VLAN and set the VLAN ID to 10. Figure 6-6 Configuring Voice VLAN Globally Choose the menu QoS > Voice VLAN > Port Config, set the Voice VLAN mode on Gi1/0/1 and Gi1/0/2 as Auto and Manual respectively.
  • Page 713 Configuring LLDP Configuration Example Figure 6-8 Configuring Voice VLAN Mode on Port 1/0/2 Choose the menu VLAN > 802.1Q VLAN > VLAN Config to load the following page. Add port 1/0/2 to the Voice VLAN. Figure 6-9 Adding Port 1/0/2 to the Voice VLAN 3) Choose the LLDP >...
  • Page 714 Configuring LLDP Configuration Example Figure 6-10 LLDP Global Config 4) Choose the LLDP > LLDP-MED > Global Config to load the following page and configure the fast start count. The default is 4. Figure 6-11 LLDP-MED Global Config 5) Choose the menu LLDP > LLDP-MED > Policy Config to load the following page. Select port 1/0/1 and enable LLDP-MED.
  • Page 715 Configuring LLDP Configuration Example Figure 6-14 Configure the detailed address of the IP phone 6.2.5 Using the CLI 1) Create VLAN 10 and name it as Voice VLAN. Switch_A(config)#vlan 10 Switch_A(config-vlan)#name Voice_VLAN Switch_A(config)#voice vlan 10 2) Configure the Voice VLAN mode on port Gi1/0/1 as Auto. Switch_A(config)#interface gigabitEthernet 1/0/1 Switch_A(config-if)#switchport voice vlan mode auto Switch_A(config-if)#exit...
  • Page 716 Configuring LLDP Configuration Example Switch_A(config)#interface gigabitEthernet 1/0/2 Switch_A(config-if)#switchport voice vlan mode manual Switch_A(config-if)#switchport general allowed vlan 10 tagged Switch_A(config-if)#exit 4) Enable LLDP globally. Switch_A(config)#lldp 5) Configure the fast start count of LLDP-MED. The default is 4. Switch_A(config)# lldp med-fast-count 4 6) Enable the LLDP-MED on port Gi1/0/1.
  • Page 717 Configuring LLDP Configuration Example Admin Status: TxRx SNMP Trap: Enabled Status ------ Port-Description System-Capability System-Description System-Name Management-Address Port-VLAN-ID Protocol-VLAN-ID VLAN-Name Link-Aggregation MAC-Physic Max-Frame-Size Power LLDP-MED Status: Enabled Status ------ Network Policy Location Identification Extended Power Via MDI Inventory Management View the local information: Switch_A#show lldp local-information interface gigabitEthernet 1/0/1 LLDP local Information: gigabitEthernet 1/0/1:...
  • Page 718 Configuring LLDP Configuration Example Port ID: GigabitEthernet1/0/1 Port description: GigabitEthernet1/0/1 Interface TTL: System name: Switch System description: JetStream 24-Port Gigabit L2 Managed Switch with 4 SFP Slots System capabilities supported: Bridge Router System capabilities enabled: Bridge Router Management address type: ipv4 Management address: 192.168.0.226...
  • Page 719 - County/Parish/District: China - City/Township: Shenzhen - Street: Keyuan Road - Name: South Building No.5 - Postal/Zip Code: 518057 Hardware Revision: T2500G-10MPS 2.0 Firmware Revision: Reserved Software Revision: 1.0.1 Build 20151216 Rel.65850(s) Serial Number: Reserved Manufacturer Name: TP-Link Model Name: T2500G-10MPS 2.0...
  • Page 720 Configuring LLDP Configuration Example LLDP Neighbor Information: gigabitEthernet 1/0/1: Neighbor index 1: Chassis type: Network address Chassis ID: 192.168.1.117 Port ID type: Locally assigned Port ID: 64A0E714DC54:P1 Port description: SW PORT TTL: System name: SEP64A0E714DC54 System description: Cisco IP Phone 7931G,V4, term default System capabilities supported: Bridge Telephone...
  • Page 721 Configuring LLDP Configuration Example PSE pairs control ability: Maximum frame size: LLDP-MED Capabilities: Capabilities Network Policy Extended Power via MDI - PD Inventory Device Type: Endpoint Class III Application type: Voice Unknown policy: Tagged: VLAN ID: 4095 Layer 2 Priority: DSCP: Application type: Voice Signaling...
  • Page 722 Configuring LLDP Appendix: Default Parameters Appendix: Default Parameters Default settings of LLDP are listed in the following tables. Default LLDP Settings Table 7-1 Default LLDP Settings Parameter Default Setting LLDP Disable Transmit Interval 30 seconds Hold Multiplier Transmit Delay 2 seconds Reinit Delay 2 seconds Notification Interval...
  • Page 723 Part 23 Configuring Maintenance CHAPTERS 1. Maintenance 2. Monitoring the System 3. System Log Configurations 4. Diagnosing the Device 5. Diagnosing the Network 6. DLDP Configuration 7. Configuration Example for Remote Log 8. Appendix: Default Parameters...
  • Page 724 Configuring Maintenance Maintenance Maintenance 1.1 Overview The maintenance module assembles various system tools for network troubleshooting. 1.2 Supported Features The maintenance module includes system monitor, log, device diagnose, network diagnose and DLDP. System Monitor You can monitor the memory and the CPU utilizations of the switch. You can check system messages for debugging and network management.
  • Page 725 Configuring Maintenance Monitoring the System Monitoring the System The system monitor configurations include: Monitoring the CPU; Monitoring the memory. Configuration Guidelines The CPU and memory utilizations should be always under 80%, and excessive use may result in switch malfunctions. For example, the switch fails to respond to management requests.
  • Page 726 Configuring Maintenance Monitoring the System Click Monitor to enable the switch to monitor and display its CPU utilization rate every four seconds. 2.1.2 Monitoring the Memory Choose the menu Maintenance > System Monitor > Memory Monitor to load the following page.
  • Page 727 Configuring Maintenance Monitoring the System Using the CLI 2.2.1 Monitoring the CPU On privileged EXEC mode or any other configuration mode, you can use the following command to view the CPU utilization: show cpu-utilization View the memory utilization of the switch in the last 5 seconds, 1 minute and 5 minutes. The following example shows how to monitor the CPU: Switch#show cpu-utilization Unit |...
  • Page 728 Configuring Maintenance System Log Configurations System Log Configurations System log configurations include: Configuring the local log; Configuring the remote log; Backing up log files; Viewing the log table. Configuration Guidelines Logs are classified into the following eight levels. Messages of levels 0 to 4 mean the functionality of the switch is affected.
  • Page 729 Configuring Maintenance System Log Configurations Using the GUI 3.1.1 Configuring the Local Log Choose the menu Maintenance > Log > Local Log to load the following page. Figure 3-1 Configuring the Local Log Follow these steps to configure the local log: 1) Select your desired channel and configure the corresponding severity and status. Channel Local log includes 2 channels: log buffer and log file.
  • Page 730 Configuring Maintenance System Log Configurations 3.1.2 Configuring the Remote Log Remote Log enables the switch to send system logs to a host. To display the logs, the host should run a log server that complies with the syslog standard. Choose the menu Maintenance > Log > Remote Log to load the following page. Figure 3-2 Configuring the Remote Log Follow these steps to configure remote log: 1) Select an entry to enable the status, and then set the host IP address and severity.
  • Page 731 Configuring Maintenance System Log Configurations 3.1.4 Viewing the Log Table Choose the menu Maintenance > Log > Log Table to load the following page. Figure 3-4 Viewing the Log Table Select a module and a severity to view the corresponding log information. Time To get the exact time when the log event occurs, you need to configure the system time on the System >...
  • Page 732 Configuring Maintenance System Log Configurations Step 2 logging buffer The switch stores the system log messages to the RAM. And the information will be lost when the switch is restarted. You can view the logs with show logging buffer command. Step 3 logging buffer level level Specify the severity level of the log information that should be saved to the buffer.
  • Page 733 Configuring Maintenance System Log Configurations Switch(config)#logging file flash level 2 Switch(config)#show logging local-config Channel Level Status Sync-Periodic ------- ----- ------ ------------- Buffer enable Immediately Flash enable 10 hour(s) Monitor enable Immediately Switch(config)#end Switch#copy running-config startup-config 3.2.2 Configuring the Remote Log Remote Log enables the switch to send system logs to a host.
  • Page 734 Configuring Maintenance System Log Configurations The following example shows how to set the remote log on the switch. Enable log host 2, set its IP address as 192.168.0.148, and allow logs of levels 0 to 5 to be sent to the host: Switch#configure Switch(config)# logging host index 2 192.168.0.148 5 Switch(config)# show logging loghost...
  • Page 735 Configuring Maintenance Diagnosing the Device Diagnosing the Device Using the GUI Choose the menu Maintenance > Device Diagnose > Cable Test to load the following page. Figure 4-1 Diagnosing the Device 1) In the Port section, select your desired port for the test. 2) In the Result section, click Apply and check the test results.
  • Page 736 Configuring Maintenance Diagnosing the Device Status Displays the cable status. Test results include normal, close, open and crosstalk. Normal : The cable is normally connected. Close: A short circuit caused by an abnormal contact of wires in the cable. Open: No device is connected to the other end or the connectivity is broken. Crosstalk: Impedance mismatch caused by the poor quality of the cable.
  • Page 737 Configuring Maintenance Diagnosing the Network Diagnosing the Network The configuration includes: Configuring the Ping Test; Configuring the Tracert Test. Using the GUI 5.1.1 Configuring the Ping Test Choose the menu Maintenance > Network Diagnose > Ping to load the following page. Figure 5-1 Configuring the Ping Test Follow these steps to test the connectivity between the switch and another device in the network:...
  • Page 738 Configuring Maintenance Diagnosing the Network Destination IP Enter the IP address of the destination node for Ping test. Both IPv4 and IPv6 are supported. Ping Times Enter the amount of times to send test data for Ping test. We recommend that you keep the default 4 times.
  • Page 739 Configuring Maintenance Diagnosing the Network Using the CLI 5.2.1 Configuring the Ping Test On privileged EXEC mode or any other configuration mode, you can use the following command to test the connectivity between the switch and one node of the network. ping [ ip | ipv6 ] { ip_addr } [ -n count ] [ -l count ] [ -i count ] Test the connectivity between the switch and destination device.
  • Page 740 Configuring Maintenance Diagnosing the Network 5.2.2 Configuring the Tracert Test On privileged EXEC mode or any other configuration mode, you can use the following command to test the connectivity between the switch and routers along the path from the source to the destination: tracert [ ip | ipv6 ] ip_addr [ maxHops ] Test the connectivity of the gateways along the path from the source to the destination.
  • Page 741 Configuring Maintenance DLDP Configuration DLDP Configuration Using the GUI Choose the menu Maintenance > DLDP > DLDP Config to load the following page. Figure 6-1 DLDP Config Follow these steps to configure DLDP: 1) In the Global Config section, enable DLDP and configure the relevant parameters. Click Apply.
  • Page 742 Configuring Maintenance DLDP Configuration Shut Mode Choose how to shut down the port when a unidirectional link is detected: Auto: When a unidirectional link is detected on a port, DLDP will generate logs and traps and shut down the port, and the DLDP link state will transit to Disable. Manual: When a unidirectional link is detected on a port, DLDP will generate logs and traps, and then the users can manually shut down the unidirectional link ports.
  • Page 743 Configuring Maintenance DLDP Configuration Using the CLI Follow these steps to configure DLDP: Step 1 configure Enter global configuration mode. Step 2 dldp Globally enable DLDP. Step 3 dldp interval interval-time Configure the interval of sending advertisement packets on ports that are in the advertisement state.
  • Page 744 Configuring Maintenance DLDP Configuration Switch(config)#dldp Switch(config)#dldp interval 10 Switch(config)#dldp shut-mode auto Switch(config)#show dldp DLDP Global State: Enable DLDP Message Interval: 10 DLDP Shut Mode: Auto Switch(config)#end Switch#copy running-config startup-config The following example shows how to enable DLDP on port 1/0/1. Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#dldp...
  • Page 745 Make sure the switch and the PC are reachable to each other; configure a log server that complies with the syslog standard on the PC and set the PC as the log host. Demonstrated with T2500G-10MPS, this chapter provides configuration procedures in two ways: using the GUI and using the CLI.
  • Page 746 Configuring Maintenance Configuration Example for Remote Log 7.4 Using the CLI Configure the remote log host. Switch#configure Switch(config)# logging host index 1 1.1.0.1 5 Switch(config)#end Switch#copy running-config startup-config Verify the Configurations Switch# show logging loghost Index Host-IP Severity Status ----- ------- -------- ------...
  • Page 747 Configuring Maintenance Appendix: Default Parameters Appendix: Default Parameters Default settings of maintenance are listed in the following tables. Table 8-1 Default Settings of Local Log Parameter Default Setting Status of Log Buffer Enabled Severity of Log Buffer Level_6 Sync-Periodic of Log Immediately Buffer Status of Log File...
  • Page 748 Configuring Maintenance Appendix: Default Parameters Parameter Default Setting DLDP State Disable Adver Interval 5 seconds Shut Mode Auto Web Refresh State Disable Web Refresh Interval 5 seconds Port Config DLDP State Disable Configuration Guide...
  • Page 749 Part 24 Configuring SNMP & RMON CHAPTERS 1. SNMP Overview 2. SNMP Configurations 3. Notification Configurations 4. RMON Overview 5. RMON Configurations 6. Configuration Example 7. Appendix: Default Parameters...
  • Page 750 Configuring SNMP & RMON SNMP Overview SNMP Overview SNMP (Simple Network Management Protocol) is a standard network management protocol, widely used on TCP/IP networks. It facilitates device management using NMS (Network Management System) software. With SNMP, network managers can view or modify network device information, and troubleshoot according to notifications sent by those devices in a timely manner.
  • Page 751 Configuring SNMP & RMON SNMP Configurations SNMP Configurations To complete the SNMP configuration, choose an SNMP version according to network requirements and supportability of the NMS software, and then follow these steps: ▪ Choose SNMPv3 1) Enable SNMP. 2) Create an SNMP view for managed objects. 3) Create an SNMP group, and specify the access rights.
  • Page 752 Configuring SNMP & RMON SNMP Configurations 2.1 Using the GUI 2.1.1 Enabling SNMP Choose the menu SNMP > SNMP Config > Global Config to load the following page. Figure 2-1 Global Config Follow these steps to configure SNMP globally: 1) In the Global Config section, enable SNMP. Click Apply. 2) In the Local Engine section, configure the local engine ID.
  • Page 753 Configuring SNMP & RMON SNMP Configurations Choose the menu SNMP > SNMP Config > SNMP View to load the following page. Figure 2-2 SNMP View Set the view name and one MIB variable that is related to the view. Choose the view type and click Create to add the view entry.
  • Page 754 Configuring SNMP & RMON SNMP Configurations Choose the menu SNMP > SNMP Config > SNMP Group to load the following page. Figure 2-3 SNMP Group Follow these steps to create an SNMP Group: 1) Set the group name and security model. If you choose SNMPv3 as the security model, you need to further configure security level.
  • Page 755 Configuring SNMP & RMON SNMP Configurations Read View Choose a view to allow parameters to be viewed but not modified by the NMS. The view is necessary for any group. By default, the view is viewDefault. To modify parameters of a view, you need to add it to Write View. Write View Choose a view to allow parameters to be modified but not viewed by the NMS.
  • Page 756 Configuring SNMP & RMON SNMP Configurations Security Model Choose the SNMP version of the security model. The default is SNMPv1. The setting should be identical with that of the specified group. v1: The group’s security model is SNMPv1. v2c: In this mode, Community Name is used for authentication. You can configure Community Name on the SNMP Community.
  • Page 757 Configuring SNMP & RMON SNMP Configurations Choose the menu SNMP > SNMP Config > SNMP Community to load the following page. Figure 2-5 SNMP Community Set the community name, access rights and the related view. Click Create. Community Name Set the community name with 1 to 16 characters. For SNMPv1 and SNMPv2c, the community name match is used for authentication.
  • Page 758 Configuring SNMP & RMON SNMP Configurations Step 3 snmp-server engineID {[ local local-engineID ] [remote remote-engineID ]} (Optional) Configure the local engine ID and the remote engine ID. local-engineID: Enter the local engine ID with 10 to 64 hexadecimal digits. The ID must contain an even number of characters.
  • Page 759 Configuring SNMP & RMON SNMP Configurations 0 Get-next PDUs 0 Set-request PDUs 0 SNMP packets output 0 Too big errors(Maximum packet size 1500) 0 No such name errors 0 Bad value errors 0 General errors 0 Response PDUs 0 Trap PDUs Switch(config)#show snmp-server engineID Local engine ID: 80002e5703000aeb132397 Remote engine ID: 123456789a...
  • Page 760 Configuring SNMP & RMON SNMP Configurations Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set a view to allow the NMS to manage all functions. Name the view as View: Switch#configure Switch(config)#snmp-server view View 1 include Switch(config)#show snmp-server view...
  • Page 761 Configuring SNMP & RMON SNMP Configurations Step 2 snmp-server group name [ smode {v1 | v2c | v3}] [ slev {noAuthNoPriv | authNoPriv | authPriv}] [ read read-view ] [ write write-view ] [ notify notify-view ] Set an SNMP group. Enter the group name with 1 to 16 characters.
  • Page 762 Configuring SNMP & RMON SNMP Configurations 2.2.4 Creating SNMP Users Configure users of the SNMP group. Users belong to the group, and use the same security level and access rights as the group. Step 1 configure Enter global configuration mode. Step 2 snmp-server user name { local | remote } group-name [ smode { v1 | v2c | v3 }] [ slev { noAuthNoPriv | authNoPriv | authPriv }] [ cmode { none | MD5 | SHA }] [ cpwd confirm-pwd ] [...
  • Page 763 Configuring SNMP & RMON SNMP Configurations security level, SHA as the authentication algorithm, 1234 as the authentication password, DES as the privacy algorithm and 1234 as the privacy password: Switch#configure Switch(config)#snmp-server user admin remote nms-monitor smode v3 slev authPriv cmode SHA cpwd 1234 emode DES epwd 1234 Switch(config)#show snmp-server user No.
  • Page 764 Configuring SNMP & RMON SNMP Configurations Switch(config)#snmp-server community nms-monitor read-write View Switch(config)#show snmp-server community Index Name Type MIB-View ----- ---------------- ------------ -------- nms-monitor read-write View Switch(config)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 765 Configuring SNMP & RMON Notification Configurations Notification Configurations With Notification enabled, the switch can send notifications to the NMS about important events relating to the device’s operation. This facilitates the monitoring and management of the NMS. Configuration Guidelines ▪ To guarantee the communication between the switch and the NMS, ensure the switch and the NMS are able to reach one another.
  • Page 766 Configuring SNMP & RMON Notification Configurations IP Mode Choose an IP mode for the host, which should be coordinated with the IP Address. 2) Specify the user name or community name used by the NMS, and configure the security model and security level based on the settings of the user or community. User Name Specify the user name or community name used by the NMS.
  • Page 767 Configuring SNMP & RMON Notification Configurations Using the CLI 3.2.1 Configuring the Host Configure parameters of the NMS host and packet handling mechanism. Step 1 configure Enter global configuration mode. Step 2 snmp-server host ip udp-port user-name [smode { v1 | v2c | v3 }] [slev {noAuthNoPriv | authNoPriv | authPriv }] [type { trap | inform}] [retries retries ] [timeout timeout ] Configure parameters of the NMS host and packet handling mechanism.
  • Page 768 Configuring SNMP & RMON Notification Configurations Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set the NMS host IP address as 172.168.1.222, UDP port as port 162, name used by the NMS as admin, security model as SNMPv3, security level as authPriv, notification type as Inform, retry times as 3, and the timeout interval as 100 seconds: Switch#configure...
  • Page 769 Configuring SNMP & RMON Notification Configurations Step 3 Return to privileged EXEC mode. Step 4 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure the switch to send linkup traps: Switch#configure Switch(config)#snmp-server traps snmp linkup Switch(config)#end Switch#copy running-config startup-config ▪ Enabling the SNMP PoE Trap...
  • Page 770 Configuring SNMP & RMON Notification Configurations Step 4 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure the switch to send PoE over max power budget traps: Switch#configure Switch(config)#snmp-server traps power over-max-pwr-budget Switch(config)#end Switch#copy running-config startup-config ▪ (Optional) Enabling the SNMP Extend Trap...
  • Page 771 Configuring SNMP & RMON Notification Configurations Step 3 Return to privileged EXEC mode. Step 4 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure the switch to enable bandwidth-control traps: Switch#configure Switch(config)#snmp-server traps bandwidth-control Switch(config)#end Switch#copy running-config startup-config ▪ (Optional) Enabling the DDM Trap...
  • Page 772 Configuring SNMP & RMON Notification Configurations Switch(config)#end Switch#copy running-config startup-config ▪ (Optional) Enabling the Link-status Trap Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Configure notification traps on the specified ports.
  • Page 773 Configuring SNMP & RMON RMON Overview RMON Overview RMON (Remote Network Monitoring) together with the SNMP system allows the network manager to monitor remote network devices efficiently. RMON reduces traffic flow between the NMS and managed devices, which is convenient for management in large networks.
  • Page 774 Configuring SNMP & RMON RMON Configurations RMON Configurations With RMON configurations, you can: ▪ Configure the statistics group. ▪ Configure the history group. ▪ Configure the event group. ▪ Configure the alarm group. Configuration Guidelines To ensure that the NMS receives notifications normally, please complete configurations of SNMP and SNMP Notification before RMON configurations.
  • Page 775 Configuring SNMP & RMON RMON Configurations Specify the entry ID, the port to be monitored, and the owner name of the entry. Set the entry as valid or underCreation, and click Create. Enter the ID of the entry. Port Click Choose to specify an Ethernet port to be monitored in the entry, or enter the port number in the format of 1/0/1.
  • Page 776 Configuring SNMP & RMON RMON Configurations Interval Set the sample interval from 10 to 3600 seconds; the default is 1800 seconds. Every history entry has its own timer. For the monitored port, the switch collects packet information and generates a record in every interval. Max Buckets Set the maximum number of records for the history entry.
  • Page 777 Configuring SNMP & RMON RMON Configurations Description Give a description to the event. Type Specify the action type of the event; then the switch will take the specified action to deal with the event. By default, the type is None. None: No action.
  • Page 778 Configuring SNMP & RMON RMON Configurations Variable Set the alarm variable to be monitored. The switch will monitor the specified variable in sample intervals and act in the set way when the alarm is triggered. The default variable is RecBytes. RecBytes: Total received bytes.
  • Page 779 Configuring SNMP & RMON RMON Configurations Alarm Type Specify the alarm type for the entry. By default, the alarm type is all. Rising: The alarm is triggered only when the sampled value exceeds the rising threshold. Falling: The alarm is triggered only when the sampled value is below the falling threshold.
  • Page 780 Configuring SNMP & RMON RMON Configurations Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create two statistics entries on the switch to monitor port 1/0/1 and 1/0/2 respectively. The owner of the entry is monitor and the entry is valid: Switch#configure Switch(config)#rmon statistics 1 interface gigabitEthernet 1/0/1 owner monitor status valid...
  • Page 781 Configuring SNMP & RMON RMON Configurations Step 3 show rmon history [ index ] Displays the specified history entry and related configurations. index: Enter the index of history entries that you want to view. The range is 1 to 12, and the format is 1-3 or 5.
  • Page 782 Configuring SNMP & RMON RMON Configurations Step 2 rmon event index [ user user-name ] [ description description ] [ type { none | log | notify | log-notify }] [ owner owner-name ] Configure RMON event entries. index: Enter the index of the event entry from 1 to 12 in the format of 1-3 or 5. Enter the SNMP user name or community name of the entry.
  • Page 783 Configuring SNMP & RMON RMON Configurations 5.2.4 Configuring Alarm Step 1 configure Enter global configuration mode. Step 2 rmon alarm index { stats-index sindex } [ alarm-variable { revbyte | revpkt | bpkt | mpkt | crc-align | undersize | oversize | jabber | collision | 64 | 65-127 | 128-255 | 256-511 | 512-1023 | 1024-10240}] [ s-type {absolute | delta}] [ rising-threshold r-hold ] [ rising-event-index r-event ] [ falling-threshold f-hold ] [ falling-event-index f-event ] [ a-type {rise | fall | all} ] [ owner owner-name ] [ interval interval ]...
  • Page 784 Configuring SNMP & RMON RMON Configurations Step 3 show rmon alarm [ index ] Displays the specified alarm entry and related configurations. index: Enter the index of alarm entries that you want to view. The range is 1 to 12, and the format is 1-3 or 5.
  • Page 785 Configuration Example Configuration Example Network Requirements A company that deploys NMS to monitor the operation status of TP-Link switches has requirements as follows: 1) Monitor traffic flow of specified ports, and send notifications to the NMS when the actual rate of transmitting and receiving packets exceeds the preset threshold.
  • Page 786 Switch A Gi1/0/2 Switch B IP: 172.168.1.222 Demonstrated with T2500G-10MPS, this chapter provides configuration procedures in two ways: using the GUI and using the CLI. 6.4 Using the GUI ▪ Configuring Rate Limit on ports Configure the rate limit on required ports. For detailed configuration, please refer to Configuring QoS.
  • Page 787 Configuring SNMP & RMON Configuration Example Figure 6-2 ▪ Enabling SNMP 2) Choose SNMP > SNMP Config > SNMP View to load the following page. Name the SNMP view as View, set MIB Object ID as 1 (which means all functions), and set the view type as Include.
  • Page 788 Configuring SNMP & RMON Configuration Example Figure 6-4 SNMP Group Configuration 4) Choose SNMP > SNMP Config > SNMP User to load the following page. Create a user named admin for the NMS, set the user type as Remote User and specify the group name.
  • Page 789 Configuring SNMP & RMON Configuration Example Switch(config)#snmp-server traps bandwidth-control Enable Bandwidth-control trap. ▪ Configuring RMON 1) Choose SNMP > RMON > Statistics to load the following page. Create two entries and bind them to ports 1/0/1 and 1/0/2 respectively. Set the owner of the entries as monitor and the status as valid.
  • Page 790 Configuring SNMP & RMON Configuration Example Figure 6-9 History Configuration 3) Choose the menu SNMP > RMON > Event to load the following page. Configure entries 1 and 2. For entry 1, set the SNMP user name as admin, type as Notify, description as “rising notify”, owner as monitor, and status as Enable.
  • Page 791 Configuring SNMP & RMON Configuration Example statistics entry ID as 2 (bound to port 1/0/2). Other configurations are the same as those of entry 1. Figure 6-11 ▪ Alarm Configuration 5) Click Save Config to save settings. Using the CLI ▪ Configuring Rate Limit on ports Configure the rate limit on required ports.
  • Page 792 Configuring SNMP & RMON Configuration Example 5) To configure Notification, specify the IP address of the NMS host and UDP port. Set the User, Security Model and Security Level according to configurations of the SNMP User. Choose the type as Inform, and set the retry times as 3, and the timeout period as 100 seconds.
  • Page 793 Configuring SNMP & RMON Configuration Example Switch(config)#rmon alarm 2 stats-index 2 alarm-variable bpkt s-type absolute rising-threshold 3000 rising-event-index 1 falling-threshold 2000 falling-event-index 2 a-type all interval 10 owner monitor Verify the Configurations Verify global SNMP configurations: Switch(config)#show snmp-server SNMP agent is enabled. 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name...
  • Page 794 Configuring SNMP & RMON Configuration Example Verify SNMP view configurations: Switch(config)#show snmp-server view No. View Name Type MOID --- -------------- ------- ------------------- viewDefault include 1 viewDefault exclude 1.3.6.1.6.3.15 viewDefault exclude 1.3.6.1.6.3.16 viewDefault exclude 1.3.6.1.6.3.18 View include 1 Verify SNMP group configurations: Switch(config)#show snmp-server group No.
  • Page 795 Configuring SNMP & RMON Configuration Example Index Port Owner State ----- ---------- --------- ------- Gi1/0/1 monitor valid Gi1/0/2 monitor valid Verify RMON history configurations: Switch(config)#show rmon history Index Port Interval Buckets Owner State ----- --------- -------- --------- ---------- --------- Gi1/0/1 monitor Enable Gi1/0/2...
  • Page 796 Configuring SNMP & RMON Configuration Example Statistics index: 2 Alarm variable: BPkt Sample Type: Absolute RHold-REvent: 3000-1 FHold-FEvent: 2000-2 Alarm startup: Interval: Owner: monitor Configuration Guide...
  • Page 797 Configuring SNMP & RMON Appendix: Default Parameters Appendix: Default Parameters Default settings of SNMP are listed in the following table. Table 7-1 Default Global Config Settings Parameter Default Setting SNMP Disable Local Engine ID Automatically Remote Engine ID None Table 7-2 Default SNMP View Settings Parameter Default Setting...
  • Page 798 Configuring SNMP & RMON Appendix: Default Parameters Table 7-5 Default User Settings Parameter Default Setting User Name None User Type Local User Group Name None Security Model Security Level noAuthNoPriv Auth Mode None Auth Password None Privacy Mode None Privacy Password None Table 7-6 Default Community Settings...
  • Page 799 Configuring SNMP & RMON Appendix: Default Parameters Table 7-8 Default Statistics Config Settings Parameter Default Setting None Port None Owner None IP Mode valid Table 7-9 Default Settings for History Entries Parameter Default Setting Port 1/0/1 Interval 1800 seconds Max Buckets Owner monitor Status...
  • Page 800 Configuring SNMP & RMON Appendix: Default Parameters Parameter Default Setting Status Disable Configuration Guide...
  • Page 801 Specifications are subject to change without notice. is a registered trademark of TP-Link Technologies Co., Ltd. Other brands and product names are trademarks or registered trademarks of their respective holders. No part of the specifications may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from TP-Link Technologies Co., Ltd.
  • Page 802 EU declaration of conformity TP-Link hereby declares that the device is in compliance with the essential requirements and other relevant provisions of directives 2014/30/EU, 2014/35/EU, 2009/125/EC and 2011/65/EU.
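  • Page 803 Article 14: The use of low-power radio-frequency devices must not affect aviation safety or interfere with legal communications; if interference is found, use must stop immediately and may resume only after the device has been improved so that no interference occurs. The legal communications referred to in the preceding paragraph are radio communications operated in accordance with telecommunications regulations. Low-power radio-frequency devices must tolerate interference from legal communications or from industrial, scientific and medical radio-wave radiating equipment. BSMI Notice Safety Information and Precautions ▪ Use the original power supply, or use this product only with the power type indicated on the product. ▪ Unplug the power cord before cleaning this product. Do not clean it with liquids, spray cleaners or a wet cloth. ▪ Protect the product from moisture; do not spill water or other liquids on it. ▪ The slots and openings are for ventilation, to ensure reliable operation and prevent overheating; do not block or cover the openings. ▪ Do not place this product near heat sources. Do not place it in an enclosed location unless there is proper ventilation. ▪ Do not open the casing yourself or attempt to repair this product; have this work done by authorized professionals. This is Class A information technology equipment; when used in a residential environment it may cause radio-frequency disturbance, in which case the user may be required to take appropriate countermeasures. Declaration of the Presence Condition of the Restricted Substances Marking. Restricted substances and their chemical symbols: product component name; lead; cadmium; mercury; hexavalent chromium (CrVI); polybrominated biphenyls; polybrominated diphenyl ethers (PBDE). ○ ○ ○ ○...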
  • Page 804 Safety Information ▪ Keep the device away from water, fire, humidity or hot environments. ▪ Do not attempt to disassemble, repair, or modify the device. ▪ Do not use damaged charger or USB cable to charge the device. ▪ Do not use any other chargers than those recommended. Please read and follow the above safety information when operating the device.
