Specifications are subject to change without notice. is a registered trademark of TP-LINK TECHNOLOGIES CO., LTD. Other brands and product names are trademarks or registered trademarks of their respective holders. No part of the specifications may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from TP-LINK TECHNOLOGIES CO., LTD.
Industry Canada Statement: CAN ICES-3 (A)/NMB-3(A). Safety Information: When the product has a power button, the power button is one of the ways to shut off the product; when there is no power button, the only way to completely shut off power is to disconnect the product or the power adapter from the power source.
DECLARATION OF CONFORMITY Company: TP-LINK TECHNOLOGIES CO., LTD. We declare under our own responsibility for the following equipment: Product Description: JetStream 24-Port Gigabit Stackable Smart Switch with 4 10GE SFP+ Slots Model No.: T1700G-28TQ Trademark: TP-LINK The above products satisfy all the technical regulations applicable to the product...
One JetStream Gigabit Stackable Smart Switch
One power cord
Two mounting brackets and other fittings
Installation Guide
Resource CD for T1700G-28TQ, including:
• This User Guide
• CLI Reference Guide
• SNMP Mibs
• 802.1X Client Software and its User Guide
• ...
Gigabit Stackable Smart Switch with 4 10GE SFP+ Slots without any explanation. Tips: The T1700G-28TQ switches share this User Guide. For simplicity, we will take for example throughout this Guide. However, significant differences will be presented with figures or notes to attract your attention.
Chapter 4 System: This module is used to configure the system properties of the switch. It mainly introduces:
• System Info: Configure the description, system time and network parameters of the switch.
• User Management: Configure the user name and password...
Chapter 9 Multicast: This module is used to configure the multicast functions of the switch. It mainly introduces:
• IGMP Snooping: Configure global parameters of the IGMP Snooping function, port properties, VLAN and multicast VLAN.
• MLD Snooping: Configure global parameters of MLD...
Chapter 13 Network Security: This module is used to configure the protection measures for network security. It mainly introduces:
• IP-MAC Binding: Bind the IP address, MAC address, VLAN ID and the connected port number of a host together.
• DHCP Snooping: Monitor the process of the host and record...
SFP+ Slots integrates multiple functions with excellent performance and is easy to manage, which fully meets the needs of users demanding higher networking performance. The T1700G-28TQ also supports stacking of up to 6 units, providing flexible scalability and protective redundancy for your networks.
SFP+ Ports: Ports 25-28, designed to accept a 1Gbps SFP transceiver, a 10Gbps SFP+ transceiver or an SFP+ cable. 2.2.2 Rear Panel The rear panel of the T1700G-28TQ features a power socket, a Kensington security slot and a Grounding Terminal (marked with ). Figure 2-2 Rear Panel ...
Power Socket: Connect the female connector of the power cord here, and the male connector to the AC power outlet. Please make sure the voltage of the power supply meets the requirement of the input voltage. Return to CONTENTS...
Chapter 3 Login to the Switch 3.1 Login 1) To access the configuration utility, open a web browser, type the default address http://192.168.0.1 in the address field of the browser, then press the Enter key. Figure 3-1 Web-browser Tips: To log in to the switch, the IP address of your PC should be set in the same subnet as the switch.
3.2 Configuration After a successful login, the main page will appear as in Figure 3-3, and you can configure the functions by clicking the setup menu on the left side of the screen. Figure 3-3 Main Setup-Menu Note: Clicking Apply only makes the new configuration effective until the switch is rebooted. If you want to keep the configuration effective even after the switch is rebooted, please click Save Config.
Chapter 4 System The System module is mainly for system configuration of the switch, including four submenus: System Info, User Management, System Tools and Access Security. 4.1 System Info The System Info, mainly for basic properties configuration, can be implemented on System Summary, Device Description, System Time, Daylight Saving Time and System IPv6 pages.
Port Status The port status diagram shows the working status of the ports on the specified unit switch. Indicates the 1000Mbps port is not connected to a device. Indicates the 1000Mbps port is at the speed of 1000Mbps. Indicates the 1000Mbps port is at the speed of 10Mbps or 100Mbps. Indicates the SFP+ port is not connected to a device.
Click a port to display the bandwidth utilization on this port. The bandwidth utilization is the actual rate divided by the theoretical maximum rate. The following figure displays the bandwidth utilization sampled every four seconds. Monitoring the bandwidth utilization on each port helps you monitor the network traffic and analyze network abnormalities.
4.1.2 Device Description On this page you can configure the description of the switch, including device name, device location and system contact. Choose the menu System→System Info→Device Description to load the following page. Figure 4-4 Device Description The following entries are displayed on this screen: Device Description ...
The following entries are displayed on this screen: Time Info Current System Time: Displays the current date and time of the switch. Current Time Source: Displays the current time source of the switch. Time Config Manual: When this option is selected, you can set the date and time manually.
The following entries are displayed on this screen: DST Config DST Status: Enable or disable the DST. Predefined Mode: Select a predefined DST configuration. USA: Second Sunday in March, 02:00 ~ First Sunday in November, 02:00. Australia: First Sunday in October, 02:00 ~ First Sunday in ...
3. Flexible extension headers: IPv6 cancels the Options field in IPv4 packets but introduces multiple extension headers. In this way, IPv6 enhances the flexibility greatly to provide scalability for IP while improving the handling efficiency. The Options field in IPv4 packets contains 40 bytes at most, while the size of IPv6 extension headers is restricted by that of IPv6 packets.
Note: Two colons (::) can be used only once in an IPv6 address, usually to represent the longest run of consecutive hexadecimal fields of zeros. If a double colon is used more than once, the device is unable to determine how many zero fields each double colon represents when expanding the address back to its 128-bit form.
Table 4-1 Mappings between address types and format prefixes
Type: Multicast address; Format Prefix (binary): 11111111; IPv6 Prefix ID: FF00::/8
Type: Anycast address; Anycast addresses are taken from the unicast address space and are not syntactically distinguishable from unicast addresses.
3. IPv6 Unicast Address: An IPv6 unicast address is an identifier for a single interface.
The figure below shows the structure of a global unicast address. Figure 4-7 Global Unicast Address Format Link-local address A link-local address is an IPv6 unicast address that can be automatically configured on any interface using the link-local prefix FE80::/10 (1111 1110 10) and the interface identifier in the modified EUI-64 format.
packet header, on the local link. After the source node receives the neighbor advertisement, the source node and destination node can communicate. Neighbor advertisement messages are also sent when there is a change in the link-layer address of a node on a local link. Address Resolution The address resolution procedure is as follows: Node A multicasts an NS message.
2. IPv6 Router Advertisement Message Router advertisement (RA) messages, which have a value of 134 in the Type field of the ICMP packet header, are periodically sent out of each configured interface of an IPv6 router. RA messages typically include the following information: One or more on-link IPv6 prefixes that nodes on the local link can use to automatically ...
You can configure the system’s administrative IPv6 address on this page. Choose the menu System →System Info →System IPv6 to load the following page. Figure 4-9 System IPv6 The following entries are displayed on this screen: Global Config IPv6: Enable/Disable IPv6 function globally on the switch.
Link-local Address: Enter a link-local address. Status: Displays the status of the link-local address. Normal: Indicates that the link-local address is normal. Try: Indicates that the link-local address may be newly configured. Repeat: Indicates that the link-local address is duplicate. It is ...
Status: Displays the status of the global address. Normal: Indicates that the global address is normal. Try: Indicates that the global address may be newly configured. Repeat: Indicates that the corresponding address is duplicate. It is illegal to access the switch using this address. Tips: After adding a global IPv6 address to your switch manually here, you can configure your PC’s global IPv6 address in the same subnet with the switch and login to the switch via its global IPv6...
Choose the menu System→User Management→User Config to load the following page. Figure 4-11 User Config The following entries are displayed on this screen: User Info User Name: Create a name for the user's login. Access Level: Select the access level for the login. Guest: A guest can only view the settings, without the right to edit ...
4.3.1 Boot Config On this page you can configure the boot file of the switch. When the switch is powered on, it will start up with the startup image. If it fails, it will try to start up with the backup image. If this fails too, you will enter into the bootutil menu of the switch.
4.3.2 Config Restore On this page you can upload a backup configuration file to restore your switch to this previous configuration. Choose the menu System→System Tools→Config Restore to load the following page. Figure 4-13 Config Restore The following entries are displayed on this screen: Config Restore ...
4.3.4 Firmware Upgrade The switch system can be upgraded via the Web management page. Upgrading the system provides more functions and better performance. Go to http://www.tp-link.com to download the updated firmware. Choose the menu System→System Tools→Firmware Upgrade to load the following page.
Choose the menu System→System Tools→System Reboot to load the following page. Figure 4-16 System Reboot Note: To avoid damage, please don't turn off the device while rebooting. 4.3.6 System Reset On this page you can reset the switch to the default. All the settings will be cleared after the switch is reset.
Choose the menu System→Access Security→Access Control to load the following page. Figure 4-18 Access Control The following entries are displayed on this screen: Access Control Config Control Mode: Select the control mode for users to log on to the Web management page.
4.4.2 HTTP Config With the help of HTTP (Hyper Text Transfer Protocol), you can manage the switch through a standard browser. The standards development of HTTP was coordinated by the Internet Engineering Task Force and the World Wide Web Consortium. On this page you can configure the HTTP function.
SSL mainly provides the following services: authenticate the users and the servers based on certificates, to ensure the data are transmitted to the correct users and servers; encrypt the data transmission, to prevent the data from being intercepted; maintain the integrity of the data, to prevent the data from being altered in transmission. Adopting asymmetric encryption technology, SSL uses a key pair to encrypt/decrypt information.
Choose the menu System→Access Security→HTTPS Config to load the following page. Figure 4-20 HTTPS Config The following entries are displayed on this screen: Global Config HTTPS: Enable/Disable the HTTPS function on the switch. SSL Version 3: Enable or Disable Secure Sockets Layer Version 3.0. By default, it's enabled.
CipherSuite Config RSA_WITH_RC4_128_MD5: Key exchange with RC4 128-bit encryption and MD5 for message digest. By default, it’s enabled. RSA_WITH_RC4_128_SHA: Key exchange with RC4 128-bit encryption and SHA for message digest. By default, it’s enabled. RSA_WITH_DES_CBC_SHA: Key exchange with DES-CBC for message encryption and SHA for message digest.
information security and strong authentication when you log on to the switch remotely through an insecure network environment. It can encrypt all the transmitted data and prevent the information exchanged during remote management from being leaked. Comprising a server and a client, SSH has two versions, V1 and V2, which are not compatible with each other.
Idle Timeout: Specify the idle timeout time. The system will automatically release the connection when the time is up. The default time is 120 seconds. Max Connect: Specify the maximum number of the connections to the SSH server. No new connection will be established when the number of the connections reaches the maximum number you set.
2. Click the Open button in the above figure to log on to the switch. Enter the login user name and password, and then you can continue to configure the switch. Application Example 2 for SSH: Network Requirements 1. Log on to the switch via key authentication using SSH and the SSH function is enabled on the switch.
Configuration Procedure 1. Select the key type and key length, and generate SSH key. Note: The key length is in the range of 512 to 3072 bits. During the key generation, randomly moving the mouse quickly can accelerate the key generation.
2. After the key is successfully generated, please save the public key and private key to the computer. 3. On the Web management page of the switch, download the public key file saved in the computer to the switch. Note: The key type should accord with the type of the key file.
4. After the public key and private key are downloaded, please log on to the interface of PuTTY and enter the IP address for login. 5. Click Browse to download the private key file to SSH client software and click Open.
After successful authentication, please enter the login user name. If you log on to the switch without entering password, it indicates that the key has been successfully downloaded. 4.4.5 Telnet Config On this page you can Enable/Disable Telnet function globally on the switch. Choose the menu System→Access Security→Telnet Config to load the following page.
Choose the menu System→SDM Template→SDM Template Config to load the following page. Figure 4-23 SDM Template Config Select Options Current Template: Displays the SDM template currently in use. Next Template ID: Displays the SDM template that will become active after a reboot. Select Next Template: Configure the SDM template that will become active after the next...
Chapter 5 Stack The stack technology is to connect multiple stackable devices through their stack ports, forming a stack which works as a unified system and presents as a single entity to the network. It enables multiple devices to collaborate and be managed as a whole, which improves the performance and simplifies the management of the devices efficiently.
A ring-connected stack can still operate normally when a link failure occurs by transforming into a daisy-chained stack, which further ensures the normal operation of load distribution and backup across devices and links, as Figure 5-2 shows. Figure 5-2 Load Distribution and Backup across Devices
Stack Introduction 1. Stack Elements 1) Stack Role Each device in the stack system is called a stack member. Each stack member processes service packets and plays a role in the stack system, either master or stack member. The differences between the master and a stack member are described below: Master: Indicates the device is responsible for managing the entire stack system.
To establish a stack, please physically connect the stack ports of the member devices with cables. The stack ports of T1700G-28TQ can be used for stack connection or as normal SFP+ port. When you want to establish a stack, the stack capability of the related SFP+ ports should be configured as "Enable".
The master is elected based on the following rules and in the order listed: The switch that is formerly the stack master. The switch with the highest stack member priority value. The switch with the longest running time. The switch with the lowest MAC address. After master election, the stack forms and enters into stack management and maintenance stage.
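The four election rules above, applied in order, as an added example (not the switch's firmware or TP-LINK code); the stack members, MAC addresses, priorities and uptimes are constructed sample values, and the function also reports which rule decided the election so a planned master can be checked against the outcome.

```python
# Added example (not from the TP-LINK guide): apply the master-election rules
# in the listed order to a constructed set of stack members and report which
# rule separated the winner from the remaining candidates.

from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class StackMember:
    unit_id: int
    mac: str            # e.g. "00-00-5E-00-53-01" (constructed sample values)
    priority: int       # stack member priority; a higher value is preferred
    uptime_s: int       # running time in seconds; longer is preferred
    was_master: bool = False   # master of the stack before this election


def mac_to_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


# Each rule maps a member to a sort key where the smallest value is best.
RULES: List[Tuple[str, Callable[[StackMember], int]]] = [
    ("formerly the stack master", lambda m: 0 if m.was_master else 1),
    ("highest stack member priority", lambda m: -m.priority),
    ("longest running time", lambda m: -m.uptime_s),
    ("lowest MAC address", lambda m: mac_to_int(m.mac)),
]


def elect_master(members: List[StackMember]) -> Tuple[StackMember, str]:
    """Return the elected master and the name of the rule that decided it.

    Each rule narrows the candidate set to the members that are best under it;
    the next rule is only consulted when more than one candidate remains.
    """
    if not members:
        raise ValueError("stack has no members")
    candidates = list(members)
    for name, key in RULES:
        best = min(key(m) for m in candidates)
        candidates = [m for m in candidates if key(m) == best]
        if len(candidates) == 1:
            return candidates[0], name
    # Only reachable if two members share a MAC address, which is a fault.
    raise ValueError("election undecided: duplicate MAC addresses in the stack")


def sample_stack(previous_master_unit: int = 0) -> List[StackMember]:
    """Constructed four-unit stack; unit priorities and uptimes are made up."""
    return [
        StackMember(1, "00-00-5E-00-53-01", priority=1, uptime_s=5000),
        StackMember(2, "00-00-5E-00-53-02", priority=15, uptime_s=100),
        StackMember(3, "00-00-5E-00-53-03", priority=15, uptime_s=200),
        StackMember(4, "00-00-5E-00-53-04", priority=1, uptime_s=9000,
                    was_master=(previous_master_unit == 4)),
    ]


if __name__ == "__main__":
    for prev in (0, 4):
        master, rule = elect_master(sample_stack(prev))
        print(f"previous master unit {prev}: unit {master.unit_id} wins by '{rule}'")
```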
Slot Number: Indicates the number of the slot the interface card is in. For T1700G-28TQ, the front panel ports belong to slot 0. Physical Port Number: The physical port number on the switch which can be obtained through the front panel of the switch.
the interfaces associated with a switch that is not currently a member of the stack. The configuration you create on the stack is defined as the provisioned configuration. The switch that is associated with the provisioned configuration is called the provisioned member. Provisioned Configuration: The unit number, switch type and interface information defined for switches not in the stack.
5.1 Stack Management Before configuring the stack, we highly recommend preparing a configuration plan with a clear definition of the role and function of each member device. Some configuration requires a device reboot to take effect, so we recommend configuring the stack first, then powering the devices off and connecting them physically, and finally powering them on so that the devices join the stack automatically.
MAC Address: Displays the MAC address of the member switch. Priority: Displays the member priority of the member switch. The higher the value is, the more likely the member will be elected as the master. Version: Displays the current firmware version of the member switch. Device Type: Displays the device type of the switch.
Choose the menu Stack Management→Stack Config to load the following page. Figure 5-8 Stack Config The following entries are displayed on this screen: Provision Info Unit ID: Configure the unit number of the provisioned stack member. Device Type: Specify the device type of the provisioned stack member. Stack Member Config ...
Status: Displays the state of the stack port. 5.2 Application Example for Stack Network Requirements Establish a stack of ring topology with four T1700G-28TQ switches. Network Diagram Configuration Procedure Configure switch A, B, C and D before physically connecting them: ...
Chapter 6 Switching Switching module is used to configure the basic functions of the switch, including four submenus: Port, LAG, Traffic Monitor and MAC Address. 6.1 Port The Port function, allowing you to configure the basic features for the port, is implemented on the Port Config, Port Mirror, Port Security, Port Isolation and Loopback Detection pages.
Status: Allows you to Enable/Disable the port. When Enable is selected, the port/LAG can forward packets normally. Speed: Select the Speed mode for the port. The device connected to the switch should be in the same Speed and Duplex mode as the switch.
Mode: Displays the mirror mode. The value will be "Ingress Only", "Egress Only" or "Both". Source: Displays the mirrored ports. Operation: You can configure the mirror session by clicking Edit, or clear the mirror session configuration by clicking Clear. Click Edit to display the following figure.
Ingress: Select Enable/Disable the Ingress feature. When the Ingress is enabled, the incoming packets received by the mirrored port will be copied to the mirroring port. Egress: Select Enable/Disable the Egress feature. When the Egress is enabled, the outgoing packets sent by the mirrored port will be copied to the mirroring port.
Choose the menu Switching→Port→Port Security to load the following page. Figure 6-4 Port Security The following entries are displayed on this screen: Port Security UNIT: Click unit number to configure the physical ports of this unit member. Select: Select the desired port for Port Security configuration. It is multi-optional.
aging time and can only be deleted manually. The learned entries will be saved even after the switch is rebooted. Status: Select Enable/Disable the Port Security feature for the port. Note: The Port Security function is disabled for LAG member ports. Only after the port is removed from the LAG will the Port Security function be available for the port.
Click Edit to configure the forward portlist. Figure 6-6 Port Isolation Config 6.1.5 Loopback Detection With loopback detection feature enabled, the switch can detect loops using loopback detection packets. When a loop is detected, the switch will display an alert or further block the corresponding port according to the port configuration.
Choose the menu Switching→Port→Loopback Detection to load the following page. Figure 6-7 Loopback Detection Config The following entries are displayed on this screen: Global Config Loopback Detection Status: Here you can enable or disable the Loopback Detection function globally. Detection Interval: Set a loopback detection interval between 1 and 1000 seconds.
Select: Select the desired port for Loopback Detection configuration. It is multi-optional. Port: Displays the port number. Status: Enable or disable the Loopback Detection function for the port. Operation Mode: Select how the switch processes detected loops. Alert: When a loop is detected, display an alert. ...
The traffic load of the LAG is balanced among the ports according to the Aggregate Arithmetic. If the connections of one or several ports are broken, the traffic of these ports is transmitted on the remaining working ports, which guarantees connection reliability. The LAG function is implemented on the LAG Table, Static LAG and LACP Config configuration pages.
Group Number: Displays the LAG number here. Description: Displays the description of LAG. Member: Displays the LAG member. Operation: Allows you to view or modify the information for each LAG. Edit: Click to modify the settings of the LAG. Detail: Click to get the information of the LAG.
Choose the menu Switching→LAG→Static LAG to load the following page. Figure 6-10 Manually Config The following entries are displayed on this screen: LAG Config Group Number: Select a Group Number for the LAG. Description: Displays the description of the LAG. Member Port ...
system priority, the device owning the smaller system MAC has the higher priority. The device with the higher priority will choose the ports to be aggregated based on the port priority, port number and operation key. Only the ports with the same operation key can be selected into the same aggregation group.
Click LAGS to configure the link aggregation groups. Select: Select the desired port for LACP configuration. It is multi-optional. Port: Displays the port number. Admin Key: Specify an Admin Key for the port. The member ports in a dynamic aggregation group must have the same Admin Key. Port Priority: Specify a Port Priority for the port.
Auto Refresh Auto Refresh: Allows you to Enable/Disable refreshing the Traffic Summary automatically. Refresh Rate: Enter a value in seconds to specify the refresh interval. Traffic Summary UNIT/LAGS: Click unit number to display the information of the physical ports associated with this unit member.
Choose the menu Switching→Traffic Monitor→Traffic Statistics to load the following page. Figure 6-13 Traffic Statistics The following entries are displayed on this screen: Auto Refresh Auto Refresh: Allows you to Enable/Disable refreshing the Traffic Summary automatically. Refresh Rate: Enter a value in seconds to specify the refresh interval. Port Select ...
Jumbo: Displays the number of good jumbo packets received or transmitted on the port. The error frames are not counted in. Alignment Errors: Displays the number of the received packets that have a bad Frame Check Sequence (FCS) with a non-integral octet (Alignment Error).
Table 6-1 Types and features of Address Table This function includes four submenus: Address Table, Static Address, Dynamic Address and Filtering Address. 6.4.1 Address Table On this page, you can view all the information of the Address Table. Choose the menu Switching→MAC Address→Address Table to load the following page. Figure 6-14 Address Table The following entries are displayed on this screen: Search Option...
MAC Address: Displays the MAC address learned by the switch. VLAN ID: Displays the corresponding VLAN ID of the MAC address. Port: Displays the corresponding Port number of the MAC address. Type: Displays the type of the MAC address. Aging Status: Displays the aging status of the MAC address.
MAC: Enter the MAC address of your desired entry. VLAN ID: Enter the VLAN ID number of your desired entry. Port: Enter the Port number of your desired entry. Static Address Table Unit: Click unit number to display the static address table of this unit member.
Choose the menu Switching→MAC Address→Dynamic Address to load the following page. Figure 6-16 Dynamic Address The following entries are displayed on this screen: Aging Config Auto Aging: Allows you to Enable/Disable the Auto Aging feature. Aging Time: Enter the Aging Time for the dynamic address. Search Option ...
Tips: Setting aging time properly helps implement effective MAC address aging. The aging time that is too long or too short results in a decrease of the switch performance. If the aging time is too long, excessive invalid MAC address entries maintained by the switch may fill up the MAC address table. This prevents the MAC address table from updating with network changes in time.
VLAN ID: Displays the corresponding VLAN ID. Port: Here the symbol “--” indicates no specified port. Type: Displays the type of the MAC address. Aging Status: Displays the aging status of the MAC address. Note: The MAC address in the Filtering Address Table cannot be added to the Static Address Table or bound to a port dynamically.
Chapter 7 VLAN Traditional Ethernet is a data network communication technology based on CSMA/CD (Carrier Sense Multiple Access/Collision Detect) over a shared communication medium. On traditional Ethernet, too many hosts in a LAN result in serious collisions, flooding broadcasts, poor performance or even a breakdown of the Internet.
7.1 802.1Q VLAN VLAN tags in the packets are necessary for the switch to identify packets of different VLANs. The switch works at the data link layer in OSI model and it can identify the data link layer encapsulation of the packet only, so you can add the VLAN tag field into the data link layer encapsulation for identification.
PVID PVID (Port VLAN ID) is the default VID of the port. When the switch receives an untagged packet, it adds a VLAN tag to the packet according to the PVID of the receiving port and forwards the packet. When creating VLANs, the PVID of each port, indicating the default VLAN to which the port belongs, is an important parameter with the following two purposes: When the switch receives an untagged packet, it will add a VLAN tag to the packet...
The following entries are displayed on this screen: VLAN Table Select: Select the desired entry to delete the corresponding VLAN. It is multi-optional. VLAN ID: Displays the VLAN ID. Name: Displays the name of the specific VLAN. Members: Displays the port members in the VLAN. Operation: Allows you to view or modify the information for each entry.
Choose the menu VLAN→802.1Q VLAN→Port Config to load the following page. Figure 7-5 Port Config The following entries are displayed on this screen: VLAN Port Config UNIT/LAGS: Click unit number to configure the physical ports of this unit member. Click LAGS to configure the link aggregation groups. Select the desired port for configuration.
The following entries are displayed on this screen: VLAN of Port VLAN ID: Displays the ID number of the VLAN. Name: Displays the user-defined description of the VLAN. Operation: Allows you to remove the port from the current VLAN. Configuration Procedure: Step Operation Description Configure the PVID.
Network Diagram Configuration Procedure Configure Switch A
Step / Operation / Description
Create VLAN10: Required. On the VLAN→802.1Q VLAN→VLAN Config page, create a VLAN with its VLAN ID as 10, owning Port 2 and Port 3. Configure the link type of Port 2 and Port 3 as Untagged and Tagged respectively.
Create VLAN20: Required.
When receiving a tagged packet, the switch processes it based on the 802.1Q VLAN. If the receiving port is a member of the VLAN to which the tagged packet belongs, the packet is forwarded normally. Otherwise, the packet is discarded. If the MAC address of a host is classified into an 802.1Q VLAN, please set the switch port it is connected to as a member of this 802.1Q VLAN, so that the packets are forwarded normally.
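The ingress rules described here and under PVID above (untagged packets take the receiving port's PVID; tagged packets are forwarded only when the receiving port is a member of that VLAN), together with the Untagged/Tagged egress rule from the 802.1Q example, as an added simulation that is not TP-LINK code; port numbers and VLAN membership are constructed from the VLAN10 example, and MAC learning is omitted so frames flood within their VLAN.

```python
# Added example (not from the TP-LINK guide): a minimal 802.1Q ingress/egress
# model. Untagged frames are tagged with the receiving port's PVID; tagged
# frames are dropped unless the receiving port is a member of the tagged VLAN;
# on egress each member port transmits the frame tagged or untagged according
# to its egress rule. MAC learning is left out, so frames flood in the VLAN.

from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vid: Optional[int] = None       # None means the frame arrived untagged


@dataclass
class Port:
    pvid: int                       # default VLAN for untagged ingress
    member_of: Set[int]             # 802.1Q VLANs this port belongs to
    untagged: Set[int] = field(default_factory=set)   # egress rule Untagged


class Vlan8021QSwitch:
    def __init__(self, ports: Dict[int, Port]):
        self.ports = ports

    def ingress(self, port_no: int, frame: Frame) -> Optional[int]:
        """Classify a frame on ingress: the VLAN it joins, or None if discarded."""
        port = self.ports[port_no]
        if frame.vid is None:
            return port.pvid                      # untagged -> PVID
        return frame.vid if frame.vid in port.member_of else None

    def egress(self, in_port: int, vid: int) -> Dict[int, Optional[int]]:
        """Ports that transmit the frame, mapped to the tag sent (None = untagged)."""
        out: Dict[int, Optional[int]] = {}
        for p, port in self.ports.items():
            if p == in_port or vid not in port.member_of:
                continue
            out[p] = None if vid in port.untagged else vid
        return out

    def forward(self, in_port: int, frame: Frame) -> Dict[int, Optional[int]]:
        vid = self.ingress(in_port, frame)
        return {} if vid is None else self.egress(in_port, vid)


def example_switch() -> Vlan8021QSwitch:
    """Constructed layout following the guide's VLAN10 example: Port 2 Untagged,
    Port 3 Tagged in VLAN 10; Port 4 added here as an untagged VLAN 20 port."""
    return Vlan8021QSwitch({
        2: Port(pvid=10, member_of={10}, untagged={10}),
        3: Port(pvid=1, member_of={1, 10, 20}),           # trunk: tagged egress
        4: Port(pvid=20, member_of={20}, untagged={20}),
    })


if __name__ == "__main__":
    sw = example_switch()
    host = Frame("00-00-5E-00-53-AA", "ff-ff-ff-ff-ff-ff")           # untagged
    print(sw.forward(2, host))                          # {3: 10}
    print(sw.forward(3, Frame(host.src_mac, host.dst_mac, vid=10)))  # {2: None}
    print(sw.forward(3, Frame(host.src_mac, host.dst_mac, vid=30)))  # {} dropped
```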
Choose the menu VLAN→MAC VLAN→Port Enable to load the following page. Figure 7-8 Enable Port for MAC VLAN Select your desired port for MAC VLAN function. All the ports are disabled for MAC VLAN function by default. Configuration Procedure: Step Operation Description Create VLAN.
Network Diagram Configuration Procedure Configure switch A
Step / Operation / Description
Create VLAN10: Required. On the VLAN→802.1Q VLAN→VLAN Config page, create a VLAN with its VLAN ID as 10, owning Port 11 and Port 12, and configure the egress rule of Port 11 as Untag.
Create VLAN20: Required.
Step / Operation / Description
Configure MAC VLAN 10: On the VLAN→MAC VLAN→MAC VLAN page, create MAC VLAN10 with the MAC address 00-19-56-8A-4C-71.
Configure MAC VLAN 20: On the VLAN→MAC VLAN→MAC VLAN page, create MAC VLAN20 with the MAC address 00-19-56-82-3B-70.
Port Enable: Required.
When receiving a tagged packet, the switch processes it based on the 802.1Q VLAN. If the receiving port is a member of the VLAN to which the tagged packet belongs, the packet is forwarded normally. Otherwise, the packet is discarded. If a Protocol VLAN is created, please set its enabled port as a member of the corresponding 802.1Q VLAN, so that the packets are forwarded normally.
Choose the menu VLAN→Protocol VLAN→Protocol Group to load the following page. Figure 7-10 Enable Protocol VLAN for Port Protocol Group Config Protocol Name: Select the defined protocol template. VLAN ID: Enter the ID number of the Protocol VLAN. This VLAN should be one of the 802.1Q VLANs the ingress port belongs to.
Choose the menu VLAN→Protocol VLAN→Protocol Template to load the following page. Figure 7-11 Create and View Protocol Template The following entries are displayed on this screen: Create Protocol Template Protocol Name: Give a name for the Protocol Template. Frame Type: Select a Frame Type for the Protocol Template.
Step / Operation / Description
Create Protocol Template: Required. On the VLAN→Protocol VLAN→Protocol Template page, create the Protocol Template before configuring the Protocol VLAN.
Create Protocol VLAN: Required. On the VLAN→Protocol VLAN→Protocol Group page, select the protocol name and enter the VLAN ID to create a Protocol VLAN. Meanwhile, enable the Protocol VLAN for the ports.
Configuration Procedure Configure switch A Step Operation Description Create VLAN10 Required. On VLAN→802.1Q VLAN→VLAN Config page, create a VLAN with its VLAN ID as 10, owning Port 12 and Port 13, and configure the egress rule of Port 12 as Untagged and Port 13 as Tagged.
Chapter 8 Spanning Tree STP (Spanning Tree Protocol), defined in the IEEE 802.1D standard, prunes a ring network at the Data Link layer of a local network. Devices running STP discover loops in the network and block ports by exchanging information; in this way, a ring network is pruned into a loop-free tree topology, preventing packets from being duplicated and forwarded endlessly in the network.
Figure 8-1 Basic STP diagram STP Timers Hello Time: Hello Time ranges from 1 to 10 seconds. It specifies the interval to send BPDU packets. It is used to test the links. Max. Age: Max. Age ranges from 6 to 40 seconds. It specifies the maximum time the switch can wait without receiving a BPDU before attempting to reconfigure.
Comparing BPDUs Each switch sends out configuration BPDUs and receives a configuration BPDU on one of its ports from another switch. The following table shows the comparing operations. Step Operation: If the priority of the BPDU received on the port is lower than that of the BPDU of the port itself, the switch discards the received BPDU and does not change the BPDU of the port.
The condition for the root port to transit its port state rapidly: The old root port of the switch stops forwarding data and the designated port of the upstream switch begins to forward data. The condition for the designated port to transit its port state rapidly: The designated port is ...
The following figure shows the network diagram in MSTP. Figure 8-2 Basic MSTP diagram MSTP MSTP divides a network into several MST regions. The CST is generated between these MST regions, and multiple spanning trees can be generated in each MST region. Each spanning tree is called an instance.
The following diagram shows the different port roles. Figure 8-3 Port roles The Spanning Tree module is mainly for spanning tree configuration of the switch, including four submenus: STP Config, Port Config, MSTP Instance and STP Security. 8.1 STP Config The STP Config function, for global configuration of spanning trees on the switch, can be implemented on STP Config and STP Summary pages.
The following entries are displayed on this screen: Global Config Spanning-Tree: Select Enable/Disable STP function globally on the switch. Mode: Select the desired STP mode on the switch. STP: Spanning Tree Protocol. RSTP: Rapid Spanning Tree Protocol. MSTP: Multiple Spanning Tree Protocol.
8.1.2 STP Summary On this page you can view the related parameters for Spanning Tree function. Choose the menu Spanning Tree→STP Config→STP Summary to load the following page. Figure 8-5 STP Summary...
8.2 Port Config On this page you can configure the parameters of the ports for CIST. Choose the menu Spanning Tree→Port Config to load the following page. Figure 8-6 Port Config The following entries are displayed on this screen: Port Config ...
Port Mode: Displays the spanning tree mode of the port. Port Role: Displays the role the port plays in the STP Instance. Root Port: Indicates the port that has the lowest path cost from this bridge to the Root Bridge and forwards packets to the root. Designated Port: Indicates the port that forwards packets to a ...
8.3.1 Region Config On this page you can configure the name and revision of the MST region. Choose the menu Spanning Tree→MSTP Instance→Region Config to load the following page. Figure 8-7 Region Config The following entries are displayed on this screen: Region Config ...
The following entries are displayed on this screen: VLAN-Instance Mapping Instance ID: Enter the corresponding instance ID. VLAN ID: Enter the desired VLAN ID. After modification here, the new VLAN ID will be added to the corresponding instance ID and the previous VLAN ID won’t be replaced.
Choose the menu Spanning Tree→MSTP Instance→Instance Port Config to load the following page. Figure 8-9 Instance Port Config The following entries are displayed on this screen: Instance ID Select Instance ID: Select the desired instance ID for its port configuration. Instance Port Config ...
Port Role: Displays the role the port plays in the MSTP Instance. Port Status: Displays the working status of the port. LAG: Displays the LAG number which the port belongs to. Note: The port status of one port in different spanning tree instances can be different. Global configuration Procedure for Spanning Tree function: Step Operation Description...
packets from the upstream switch and spanning trees are regenerated, and thereby loops can be prevented. Root Protect A CIST and its secondary root bridges are usually located in the high-bandwidth core region. Wrong configuration or malicious attacks may result in configuration BPDU packets with higher priorities being received by the legal root bridge, which causes the current legal root bridge to lose its position and network topology jitter to occur.
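The BPDU comparison step from the table above and the Root Protect behaviour described here, worked through as an added example (this is not the switch's firmware or any TP-LINK code). The priority vector ordering (root ID, then root path cost, then sender bridge ID, then sender port) is the standard 802.1D rule; the "blocked" state returned for a protected port is a simplified model of Root Protect, and all bridge IDs and MACs are constructed sample values:

```python
from dataclasses import dataclass


# Bridge ID as carried in a configuration BPDU: the priority value is compared
# first, then the MAC, so the numerically lower value is the "better" bridge.
@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int
    mac: str


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId        # bridge the sender believes is the root
    root_path_cost: int      # sender's cost to reach that root
    sender_id: BridgeId      # bridge that transmitted this BPDU
    sender_port: int         # port it was transmitted from

    def key(self):
        # 802.1D priority vector: a smaller tuple is a better (superior) BPDU.
        return (self.root_id, self.root_path_cost, self.sender_id, self.sender_port)


def is_superior(received: Bpdu, current: Bpdu) -> bool:
    """True when the received BPDU is better than the one the port holds."""
    return received.key() < current.key()


def handle_bpdu(port_bpdu: Bpdu, received: Bpdu, root_protect: bool):
    """Return (BPDU the port holds afterwards, resulting port state)."""
    if not is_superior(received, port_bpdu):
        # Step from the guide's comparison table: an inferior BPDU is discarded
        # and the port's own BPDU is left unchanged.
        return port_bpdu, "forwarding"
    if root_protect and received.root_id < port_bpdu.root_id:
        # Root Protect (assumed, simplified): a BPDU that claims a better root
        # on a protected port is not accepted; the port is blocked instead, so
        # the legal root bridge keeps its position and the topology stays put.
        return port_bpdu, "blocked"
    return received, "forwarding"


# Constructed sample: the legal root (priority 4096) and an unexpected bridge
# that advertises priority 0 on one of the root's ports.
LEGAL_ROOT = BridgeId(4096, "00-00-00-00-00-01")
ROOT_PORT_BPDU = Bpdu(LEGAL_ROOT, 0, LEGAL_ROOT, 1)
ROGUE = BridgeId(0, "00-00-00-00-00-99")
ROGUE_BPDU = Bpdu(ROGUE, 0, ROGUE, 1)
# A normal downstream switch agreeing that LEGAL_ROOT is root, at cost 20000.
DOWNSTREAM_BPDU = Bpdu(LEGAL_ROOT, 20000, BridgeId(32768, "00-00-00-00-00-02"), 3)

if __name__ == "__main__":
    print(handle_bpdu(ROOT_PORT_BPDU, ROGUE_BPDU, root_protect=False))      # root position lost
    print(handle_bpdu(ROOT_PORT_BPDU, ROGUE_BPDU, root_protect=True))       # port blocked, root kept
    print(handle_bpdu(ROOT_PORT_BPDU, DOWNSTREAM_BPDU, root_protect=True))  # inferior BPDU discarded
```

Without Root Protect the higher-priority BPDU is simply accepted and the legal root loses its position, which is the failure mode the text describes; with it, the port holding the unexpected BPDU is blocked while the rest of the tree is unaffected.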
Choose the menu Spanning Tree→STP Security→Port Protect to load the following page. Figure 8-10 Port Protect The following entries are displayed on this screen: Port Protect UNIT/LAGS: Click unit number to configure the physical ports of this unit member. Click LAGS to configure the link aggregation groups.
8.4.2 TC Protect When TC Protect is enabled for the port on Port Protect page, the TC threshold and TC protect cycle need to be configured on this page. Choose the menu Spanning Tree→STP Security→TC Protect to load the following page. Figure 8-11 TC Protect The following entries are displayed on this screen: TC Protect...
MSTP function for the port. Configure the region name and the revision of MST region: On Spanning Tree→MSTP Instance→Region Config page, configure the region as TP-LINK and keep the default revision setting. Configure VLAN-to-Instance mapping table of the MST region: On Spanning Tree→MSTP Instance→Instance Config page, configure VLAN-to-Instance mapping table.
Configure the region name and the revision of MST region: On Spanning Tree→MSTP Instance→Region Config page, configure the region as TP-LINK and keep the default revision setting. Configure VLAN-to-Instance mapping table of the MST region: On Spanning Tree→MSTP Instance→Instance Config page, configure VLAN-to-Instance mapping table.
MSTP function for the port. Configure the region name and the revision of MST region: On Spanning Tree→MSTP Instance→Region Config page, configure the region as TP-LINK and keep the default revision setting. Configure VLAN-to-Instance mapping table of the MST region: On Spanning Tree→MSTP Instance→Instance Config page, configure VLAN-to-Instance mapping table.
Suggestion for Configuration Enable TC Protect function for all the ports of switches. Enable Root Protect function for all the ports of root bridges. Enable Loop Protect function for the non-edge ports. Enable BPDU Protect function or BPDU Filter function for the edge ports which are connected to the PC and server.
Chapter 9 Multicast Multicast Overview In the network, packets are sent in three modes: unicast, broadcast and multicast. In unicast, the source server sends a separate copy of the information to each receiver. When a large number of users require this information, the server must send many copies with the same content to the users.
IPv4 Multicast Address 1. IPv4 Multicast IP Address: As specified by IANA (Internet Assigned Numbers Authority), Class D IP addresses are used as destination addresses of multicast packets. The multicast IP addresses range from 224.0.0.0 to 239.255.255.255. The following table displays the range and description of several special multicast IP addresses.
IPv6 Multicast Address 1. IPv6 Multicast Address An IPv6 multicast address is an identifier for a group of interfaces, and has the following format: 0XFF at the start of the address identifies the address as being a multicast address. ...
Group ID: 112 bits, IPv6 multicast group identifier that uniquely identifies an IPv6 multicast group in the scope defined by the Scope field. Reserved Multicast Addresses (Address: Indication):
FF01::1: All interface-local IPv6 nodes
FF02::1: All link-local IPv6 nodes
FF01::2: All interface-local IPv6 routers
FF02::2: All link-local IPv6 routers...
The high-order 16 bits of the multicast MAC address are 0x3333, identifying an IPv6 multicast group. The low-order 32 bits of the IPv6 multicast IP address are mapped to the low-order 32 bits of the multicast MAC address. Multicast Address Table The switch forwards multicast packets based on the multicast address table. As the transmission of multicast packets cannot span VLANs, the first field of the multicast address table is the VLAN ID; received multicast packets are forwarded within the VLAN owning the receiving port.
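The IPv6-to-MAC mapping just described, worked through as an added example (not code from the guide or from TP-LINK). It also extracts the Scope field from the reserved addresses listed above and, going beyond the text, includes the corresponding IPv4 mapping (01-00-5e plus the low-order 23 bits of the group address), which is why several IPv4 groups share one MAC address; all sample addresses are constructed, and the dashed lowercase MAC notation follows the OUI table later in this guide:

```python
import ipaddress

# Scope nibble of an IPv6 multicast address (RFC 4291 values).
IPV6_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
               0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def _dashed(octets) -> str:
    return "-".join(f"{b:02x}" for b in octets)


def ipv6_multicast_mac(addr: str) -> str:
    """33-33 followed by the low-order 32 bits of the IPv6 group address."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr}: not an IPv6 multicast address (must start with FF)")
    low32 = int(a) & 0xFFFF_FFFF
    return _dashed([0x33, 0x33] + list(low32.to_bytes(4, "big")))


def ipv6_multicast_scope(addr: str) -> str:
    """Name of the 4-bit Scope field (bits 12..15 of the address)."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr}: not an IPv6 multicast address")
    scope = (int(a) >> 112) & 0xF
    return IPV6_SCOPES.get(scope, f"reserved/unassigned ({scope:#x})")


def ipv4_multicast_mac(addr: str) -> str:
    """01-00-5e followed by the low-order 23 bits of the IPv4 group address
    (added generalisation; the upper 5 bits of the group number are lost)."""
    a = ipaddress.IPv4Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr}: not a Class D address")
    low23 = int(a) & 0x7F_FFFF
    return _dashed([0x01, 0x00, 0x5E] + list(low23.to_bytes(3, "big")))


if __name__ == "__main__":
    for v6 in ("FF01::1", "FF02::1", "FF02::2", "ff02::1:ff00:0"):   # constructed samples
        print(v6, ipv6_multicast_scope(v6), ipv6_multicast_mac(v6))
    for v4 in ("224.0.0.1", "239.255.255.250", "224.1.1.1", "225.1.1.1"):
        print(v4, ipv4_multicast_mac(v4))
```

The last two IPv4 samples map to the same MAC address, which is why a switch that forwards purely on the destination MAC can deliver one group's traffic to members of another; the switch's VLAN-plus-IP multicast address table avoids that ambiguity.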
IGMP Messages The switch, running IGMP snooping, processes the IGMP messages of different types as follows. 1. IGMP Query Message IGMP query messages, sent by the router, fall into two types: IGMP general query messages and IGMP group-specific query messages. The router regularly sends IGMP general query messages to check whether the multicast groups contain any members.
2. Timers Router Port Time: If the switch does not receive an IGMP query message from the router port within this time, it no longer considers the port a router port. The default value is 300 seconds. Member Port Time: If the switch does not receive an IGMP report message from the member port within this time, it no longer considers the port a member port.
The following entries are displayed on this screen: Global Config IGMP Snooping: Select Enable/Disable IGMP snooping function globally on the switch. Unknown Multicast: Select the operation for the switch to process unknown multicast, Forward or Discard. Report Message Suppression: Enable or disable Report Message Suppression function globally. If this function is enabled, the first Report Message from the listener will be forwarded to the router ports while the subsequent...
9.1.2 Port Config On this page you can enable or disable the IGMP Snooping and Fast Leave feature for ports of the switch. Choose the menu Multicast→IGMP Snooping→Port Config to load the following page. Figure 9-6 Port Config The following entries are displayed on this screen: Port Config ...
Note: Fast Leave on the port is effective only when the host supports IGMPv2 or IGMPv3. When the Fast Leave feature is enabled, one user leaving a port that serves multiple users interrupts the multicast service of the other users on that port. 9.1.3 VLAN Config Multicast groups established by IGMP snooping are based on VLANs.
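The router port and member port timers from section 9.1 (Timers), the Fast Leave note just above, and the VLAN scoping of snooped groups, modelled together as an added example (not the switch's implementation). The router port time of 300 seconds is the guide's default; the member port time passed in the sample, the port numbers, and the group address are constructed values, and the group-specific query a real switch sends after a normal Leave is omitted:

```python
class IgmpSnoopingTable:
    """VLAN-scoped IGMP snooping state with router/member port aging and Fast Leave."""

    def __init__(self, router_port_time=300, member_port_time=260, fast_leave=frozenset()):
        # router_port_time: 300 s is the guide's default.
        # member_port_time: 260 s is an assumed value for this example.
        self.router_port_time = router_port_time
        self.member_port_time = member_port_time
        self.fast_leave = set(fast_leave)   # ports with Fast Leave enabled
        self.router_ports = {}              # (vlan, port) -> expiry time
        self.members = {}                   # (vlan, group) -> {port: expiry time}

    def on_query(self, vlan, port, now):
        # A query arriving on a port marks it as a router port and restarts its timer.
        self.router_ports[(vlan, port)] = now + self.router_port_time

    def on_report(self, vlan, group, port, now):
        # A report (join) adds the port to the group and restarts its member timer.
        self.members.setdefault((vlan, group), {})[port] = now + self.member_port_time

    def on_leave(self, vlan, group, port, now):
        if port in self.fast_leave:
            # Fast Leave: the port is removed at once. Any other host still
            # listening behind this port loses the stream (the guide's note).
            self.members.get((vlan, group), {}).pop(port, None)
        # Without Fast Leave the entry simply stays until it ages out, so the
        # other hosts on the port keep receiving the group.

    def age(self, now):
        """Drop router ports and member ports whose timers have expired."""
        self.router_ports = {k: t for k, t in self.router_ports.items() if t > now}
        for key in list(self.members):
            self.members[key] = {p: t for p, t in self.members[key].items() if t > now}
            if not self.members[key]:
                del self.members[key]

    def forward_ports(self, vlan, group, now):
        """Ports to which a frame for `group` received in `vlan` is forwarded."""
        self.age(now)
        ports = {p for (v, p) in self.router_ports if v == vlan}
        ports |= set(self.members.get((vlan, group), {}))
        return ports


if __name__ == "__main__":
    # Constructed scenario: router on port 1, two listeners in VLAN 10, port 6 with Fast Leave.
    table = IgmpSnoopingTable(member_port_time=260, fast_leave={6})
    table.on_query(10, 1, now=0)
    table.on_report(10, "239.1.1.1", 5, now=0)
    table.on_report(10, "239.1.1.1", 6, now=0)
    print(table.forward_ports(10, "239.1.1.1", now=10))   # router port plus both members
    table.on_leave(10, "239.1.1.1", 6, now=20)            # removed immediately
    table.on_leave(10, "239.1.1.1", 5, now=20)            # kept until it ages out
    print(table.forward_ports(10, "239.1.1.1", now=20))
    print(table.forward_ports(10, "239.1.1.1", now=300))  # everything has aged out
```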
VLAN Table Select: Select the desired VLAN ID for configuration. It is multi-optional. VLAN ID: Displays the VLAN ID. Router Port Time: Displays the router port time of the VLAN. Member Port Time: Displays the member port time of the VLAN. Static Router Ports: Displays the static router ports of the VLAN.
Choose the menu Multicast→IGMP Snooping→Multicast VLAN to load the following page. Figure 9-8 Multicast VLAN The following entries are displayed on this screen: Multicast VLAN Multicast VLAN: Select Enable/Disable Multicast VLAN feature. VLAN ID: Enter the VLAN ID of the multicast VLAN. Router Port Time: Specify the aging time of the router port.
Configure the link type of the router port in the multicast VLAN as Tagged; otherwise none of the member ports in the multicast VLAN can receive multicast streams. After a multicast VLAN is created, all IGMP packets are processed only within the multicast VLAN.
Network Diagram Configuration Procedure Create VLANs: Create three VLANs with the VLAN ID 3, 4 and 5 respectively, and specify the description of VLAN3 as Multicast VLAN on VLAN→802.1Q VLAN page. Configure ports: On VLAN→802.1Q VLAN function pages, for port 3, configure its link type as Tagged, and add it to VLAN3, VLAN4 and VLAN5.
help to create and maintain multicast forwarding table on the switch with the Query messages it generates. Choose the menu Multicast→IGMP Snooping→Querier Config to load the following page. Figure 9-9 Querier Config The following entries are displayed on this screen: IGMP Snooping Querier Config ...
9.1.6 Profile Config On this page you can configure an IGMP profile. Choose the menu Multicast→IGMP Snooping→Profile Config to load the following page. Figure 9-10 Profile Config The following entries are displayed on this screen: Profile Creation Profile ID: Specify the Profile ID you want to create, and it should be a number between 1 and 999.
Operation: Click the Edit button to configure the mode or IP-range of the Profile. After you have created a profile ID, click Edit to display the following figure. The following entries are displayed on this screen: Profile Mode Profile ID: Displays the Profile ID you have created.
Choose the menu Multicast→IGMP Snooping→Profile Binding to load the following page. Figure 9-11 Profile Binding The following entries are displayed on this screen: Profile and Max Group Binding UNIT/LAGS: Click unit number to configure the physical ports of this unit member.
Clear Binding: Click the Clear Binding button to clear all profiles bound to the port. Configuration Procedure: Create Profile: Required. Configure Profile mode on Multicast→IGMP Snooping→Profile Config page. Configure IP-Range: Required. Click Edit of the specified entry in the IGMP Profile Info table on Multicast→IGMP Snooping→Profile Config page to configure the mode or IP-range of the Profile.
The following entries are displayed on this screen: Auto Refresh Auto Refresh: Select Enable/Disable auto refresh feature. Refresh Period: Enter the time from 3 to 300 in seconds to specify the auto refresh period. IGMP Statistics Unit: Click unit number to display the information of the physical ports associated with this unit member.
Relevant Ports of the Switch Router Port: Indicates the switch port that links toward the MLD router. Member Port: Indicates the switch port that links toward the multicast members. Timers Router Port Aging Time: Within this time, if the switch does not receive MLD queries from the router port, it will delete this port from the router port list.
The MLD snooping function can be implemented on Snooping Config, Port Config, VLAN Config, Multicast VLAN, Querier Config, Profile Config, Profile Binding and Packet Statistics pages. 9.2.1 Snooping Config To configure MLD snooping on the switch, first configure the MLD global configuration and related parameters on this page.
Report Message Suppression: Enable or disable Report Message Suppression function globally. If this function is enabled, the first Report Message from the listener will be forwarded to the router ports while the subsequent Report Messages from the group will be suppressed to reduce the MLD traffic in the network.
9.2.2 Port Config On this page you can configure the MLD snooping function for each port. Choose the menu Multicast→MLD Snooping→Port Config to load the following page. Figure 9-14 Port Config The following entries are displayed on this screen: Port Config ...
9.2.3 VLAN Config On this page you can configure the MLD snooping function for each VLAN. You need to create the VLAN first if you want to enable the MLD snooping function in it. Choose the menu Multicast→MLD Snooping→VLAN Config to load the following page. Figure 9-15 VLAN Config The following entries are displayed on this screen: VLAN Config...
Note: 1. The MLD snooping function in a VLAN will take effect when global MLD snooping function is enabled in 9.2.1 Snooping Config and the VLAN is created in Chapter 7 VLAN. 2. When the router port time or member port time is set for a VLAN, this value overrides the value configured globally in 9.2.1 Snooping Config.
VLAN ID: Enter the VLAN ID of the multicast VLAN. Router Port Time: Specify the aging time of the router port. If the switch does not receive an MLD query message from the router port within this time, it no longer considers the port a router port. Member Port Time: Specify the aging time of the member port.
Choose the menu Multicast→MLD Snooping→Querier Config to load the following page. Figure 9-17 Querier Config The following entries are displayed on this screen: MLD Snooping Querier Config VLAN ID: Enter the VLAN ID in which you want to start the Querier. Query Interval: Enter the Query message interval time.
9.2.6 Profile Config On this page you can configure an MLD profile. Choose the menu Multicast→MLD Snooping→Profile Config to load the following page. Figure 9-18 Profile Config The following entries are displayed on this screen: Profile Creation Profile ID: Specify the Profile ID you want to create, and it should range from 1 to 999.
Operation: Click the Edit button to configure the mode or IP-range of the Profile. After you have created a profile ID, click Edit to display the following figure. The following entries are displayed on this screen: Profile Mode Profile ID: Displays the Profile ID you have created.
Choose the menu Multicast→MLD Snooping→Profile Binding to load the following page. Figure 9-19 Profile Config The following entries are displayed on this screen: Profile and Max Group Binding UNIT/LAGS: Click unit number to configure the physical ports of this unit member.
LAG: The LAG number which the port belongs to. Clear Binding: Click the Clear Binding button to clear all profiles bound to the port. Configuration Procedure: Create Profile: Required. Configure Profile mode on Multicast→MLD Snooping→Profile Config page. Configure IP-Range: Required.
The following entries are displayed on this screen: Auto Fresh Auto Fresh: Select Enable/Disable auto fresh feature. Fresh Period: Enter the time from 3 to 300 seconds to specify the auto fresh period. MLD Statistics UNIT: Click unit number to display the information of the physical ports associated with this unit member.
The following entries are displayed on this screen: Search Option Search Option: Select the rule for displaying multicast IP table. All: Displays all multicast IP entries. Multicast IP: Enter the multicast IP address the desired entry must carry. VLAN ID: Enter the VLAN ID the desired entry must ...
The following entries are displayed on this screen: Create Static Multicast Multicast IP: Enter the multicast IP address the desired entry must carry. VLAN ID: Enter the VLAN ID the desired entry must carry. Forward Port: Enter the forward ports. Search Option ...
Forward Port: Enter the port number the desired entry must carry. Multicast IP Table Multicast IP: Displays the multicast IP. VLAN ID: Displays the VLAN ID. Forward Ports: Displays the forward ports of the group. 9.3.4 Static IPv6 Multicast Table On this page you can configure the static IPv6 multicast table.
Search Option Search Option: Select the rule for displaying multicast IP table. All: Displays all static multicast IP entries. Multicast IP: Enter the multicast IP address the desired entry must carry. VLAN ID: Enter the VLAN ID the desired entry must ...
Chapter 10 Routing Routing is the method by which the host or gateway decides where to send the datagram. Routing is the task of finding a path from a sender to a desired destination. It may be able to send the datagram directly to the destination, if that destination is on one of the networks that are directly connected to the host or gateway.
Subnet Mask: Specify the subnet mask of the interface's IP address. Admin Status: Specify interface administrator status. Choose Disable to disable the interface's Layer 3 capabilities. Interface Name: Specify the name of the network interface. Interface List Select: Select the interfaces to modify or delete.
Modify Interface Interface ID: Displays the ID of the interface corresponding to the VLAN ID, loopback interface, routed port or port-channel. IP Address Mode: View and modify the IP address allocation mode. None: no IP address. Static: set manually. ...
Detail Information Interface ID: Displays the ID of the interface, including VLAN ID, loopback interface, routed port and port-channel ID. IP Address Mode: Displays the IP address allocation mode. None: no IP address. Static: set manually. DHCP: allocated through DHCP. ...
Interface name: Displays the description of the egress interface. 10.3 Static Routing Static routes are special routes configured manually by the administrator; they do not change automatically when the network topology changes. Hence, static routes are commonly used in relatively simple and stable networks. Proper configuration of static routes can greatly improve network performance.
10.4 ARP This page displays the ARP table information and you can configure static ARP here. 10.4.1 ARP Table Choose the menu Routing→ARP→ARP Table to load the following page. Figure 10-4 ARP Table The following entries are displayed on this screen: ARP Table ...
MAC Address: Displays the MAC address of the ARP entry.
Chapter 11 QoS QoS (Quality of Service) provides different qualities of service for various network applications and requirements and optimizes the distribution of bandwidth resources so as to deliver a better network service experience. This switch classifies the ingress packets, maps the packets to different priority queues and then forwards the packets according to the specified scheduling algorithm to implement the QoS function.
2. 802.1P Priority Figure 11-2 802.1Q frame As shown in the figure above, each 802.1Q Tag has a Pri field, comprising 3 bits. The 3-bit priority field is 802.1p priority in the range of 0 to 7. 802.1P priority determines the priority of the packets based on the Pri value.
Figure 11-4 SP-Mode WRR-Mode: Weighted Round Robin Mode. In this mode, packets in all the queues are sent in order based on the weight value of each queue, and every queue is assured a certain service time. The weight value indicates the proportion of the resource the queue occupies. The WRR queue overcomes the disadvantage of the SP queue, where packets in the queues with lower priority may get no service for a long time.
Equ-Mode: Equal-Mode. In this mode, all the queues occupy the bandwidth equally. The weight value ratio of all the queues is 1:1:1:1:1:1:1:1. Note: In SP + WRR mode, TC7 and the queue with its weight value set as 0 are in the SP group. The QoS module is mainly for traffic control and priority configuration, including three submenus: DiffServ, Bandwidth Control and Voice VLAN.
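The four schedule modes described above (SP, WRR, Equ and SP + WRR, with TC7 and any weight-0 queue placed in the SP group), simulated as an added example; this is a model written for this page, not the switch's queueing hardware. Queue contents and weights are constructed, a "round" in WRR lets each queue send up to its weight in packets before the round restarts, and the queue order within a round (TC7 down to TC0) is an assumption:

```python
from collections import deque


def build_queues(lengths):
    """Eight egress queues TC0..TC7 (TC7 = highest priority), each holding `lengths[q]` packets."""
    return [deque(f"TC{q}-{i}" for i in range(n)) for q, n in enumerate(lengths)]


def schedule(queues, mode, weights=None, slots=None):
    """Return the order in which packets leave the port under the given mode.

    mode: "sp", "wrr", "equ" or "sp+wrr".  weights: one value per queue
    (ignored for "sp" and "equ").  slots: optional cap on packets sent, used to
    show what happens while a higher-priority queue never drains.
    """
    weights = [1] * 8 if weights is None or mode == "equ" else list(weights)
    sp_group = set(range(8)) if mode == "sp" else set()
    if mode == "sp+wrr":
        # Guide's note: TC7 and every queue whose weight is 0 form the SP group.
        sp_group = {7} | {q for q, w in enumerate(weights) if w == 0}
    wrr_group = [q for q in range(7, -1, -1) if q not in sp_group]
    if any(queues[q] and weights[q] == 0 for q in wrr_group):
        raise ValueError("weight 0 is only meaningful in sp+wrr mode")

    sent = []
    budget = {q: weights[q] for q in wrr_group}   # packets each WRR queue may still send this round
    while any(queues) and (slots is None or len(sent) < slots):
        # SP group first: the highest non-empty queue takes the slot outright.
        sp_ready = [q for q in sorted(sp_group, reverse=True) if queues[q]]
        if sp_ready:
            sent.append(queues[sp_ready[0]].popleft())
            continue
        # Otherwise weighted round robin among the remaining queues.
        for q in wrr_group:
            if queues[q] and budget[q] > 0:
                sent.append(queues[q].popleft())
                budget[q] -= 1
                break
        else:
            # Every queue is empty or out of budget: start a new round.
            budget = {q: weights[q] for q in wrr_group}
    return sent


def per_queue_counts(sent):
    """How many packets each queue got out, e.g. {'TC7': 4, 'TC0': 4}."""
    counts = {}
    for pkt in sent:
        counts[pkt.split("-")[0]] = counts.get(pkt.split("-")[0], 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed load: 4 packets each in TC0 and TC7.
    print("sp     ", schedule(build_queues([4, 0, 0, 0, 0, 0, 0, 4]), "sp"))
    print("wrr 1:3", schedule(build_queues([4, 0, 0, 0, 0, 0, 0, 4]), "wrr", [1, 1, 1, 1, 1, 1, 1, 3]))
    print("equ    ", schedule(build_queues([4, 0, 0, 0, 0, 0, 0, 4]), "equ"))
    # SP starvation: with only 4 slots and TC7 never empty, TC0 sends nothing.
    print("starved", per_queue_counts(schedule(build_queues([4, 0, 0, 0, 0, 0, 0, 100]), "sp", slots=4)))
    # SP+WRR: TC0 has weight 0, so it joins TC7 in the SP group.
    print("sp+wrr ", schedule(build_queues([2, 2, 0, 2, 0, 0, 0, 2]), "sp+wrr", [0, 1, 1, 2, 1, 1, 1, 1]))
```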
The following entries are displayed on this screen: Port Priority Config UNIT/LAGS: Click unit number to configure the physical ports of this unit member. Click LAGS to configure the link aggregation groups. Select: Select the desired port to configure its priority. It is multi-optional. Port: Displays the physical port number of the switch.
The following entries are displayed on this screen: Schedule Mode Config Schedule Mode: Select a schedule mode. SP-Mode: Strict-Priority Mode. In this mode, the queue with higher priority will occupy the whole bandwidth. Packets in the queue with lower priority are sent only when the queue with higher priority is empty.
Choose the menu QoS→DiffServ→802.1P Priority to load the following page. Figure 11-8 802.1P Priority The following entries are displayed on this screen: Priority and CoS-mapping Config Select: Select the desired 802.1P tag-id/cos-id for 802.1P priority configuration. It is multi-optional. Tag-id/CoS-id: Indicates the precedence level defined by IEEE 802.1P and the CoS ID.
Choose the menu QoS→DiffServ→DSCP Priority to load the following page. Figure 11-9 DSCP Priority The following entries are displayed on this screen: DSCP Priority Config DSCP Priority: Select Enable or Disable DSCP Priority. Priority Level Select: Select the desired DSCP value for DSCP priority configuration. It is multi-optional.
11.2 Bandwidth Control The Bandwidth function, which allows you to control the traffic rate and broadcast flow on each port to keep the network in working order, can be implemented on the Rate Limit and Storm Control pages. 11.2.1 Rate Limit Rate limit controls the ingress/egress traffic rate on each port by configuring the available bandwidth of each port.
Egress Rate (1-1000000Kbps): Configure the bandwidth for sending packets on the port. You can select a rate from the dropdown list or manually set the Egress rate; the system will automatically select the integral multiple of 64Kbps closest to the rate you entered as the real Egress rate. LAG: Displays the LAG number which the port belongs to.
Port: Displays the port number of the switch. PPS: Enable or disable the PPS mode. Broadcast Rate Mode: Select the broadcast rate mode; pps mode is invalid if PPS is disabled. kbps: Specify the threshold in kbits per second. ...
Table 11-1 OUI addresses on the switch (OUI Address: Vendor):
00-01-e3-00-00-00: Siemens phone
00-03-6b-00-00-00: Cisco phone
00-04-0d-00-00-00: Avaya phone
00-60-b9-00-00-00: Philips/NEC phone
00-d0-1e-00-00-00: Pingtel phone
00-e0-75-00-00-00: Polycom phone
00-e0-bb-00-00-00: 3com phone
Port Voice VLAN Mode A voice VLAN can operate in two modes: automatic mode and manual mode. Automatic Mode: In this mode, the switch automatically adds a port which receives voice packets to the voice VLAN and determines the priority of the packets by learning the source MAC of the UNTAG packets sent from the IP phone when it is powered on.
Security Mode of Voice VLAN When voice VLAN is enabled for a port, you can configure its security mode to filter data streams. If security mode is enabled, the port forwards only voice packets and discards other packets whose source MAC addresses do not match the OUI addresses.
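The OUI matching that both automatic mode and security mode rely on, as an added example (not the switch's code). The OUI table is Table 11-1 from this guide; the ff-ff-ff-00-00-00 mask, the sample frames and the port numbers are constructed for the example:

```python
# Table 11-1 OUI addresses on the switch (OUI, vendor).
OUI_TABLE = [
    ("00-01-e3-00-00-00", "Siemens phone"),
    ("00-03-6b-00-00-00", "Cisco phone"),
    ("00-04-0d-00-00-00", "Avaya phone"),
    ("00-60-b9-00-00-00", "Philips/NEC phone"),
    ("00-d0-1e-00-00-00", "Pingtel phone"),
    ("00-e0-75-00-00-00", "Polycom phone"),
    ("00-e0-bb-00-00-00", "3com phone"),
]
# Assumed mask: compare only the first three bytes (the OUI) of the source MAC.
DEFAULT_MASK = "ff-ff-ff-00-00-00"


def mac_to_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


def match_oui(src_mac: str, table=OUI_TABLE, mask=DEFAULT_MASK):
    """Vendor description when the source MAC matches an OUI entry under `mask`, else None."""
    m = mac_to_int(mask)
    masked_src = mac_to_int(src_mac) & m
    for oui, description in table:
        if mac_to_int(oui) & m == masked_src:
            return description
    return None


def security_mode_forward(frame: dict, table=OUI_TABLE) -> bool:
    """Security mode on a voice VLAN port: forward only frames whose source MAC matches an OUI."""
    return match_oui(frame["src"], table) is not None


def auto_mode_voice_ports(frames, table=OUI_TABLE):
    """Automatic mode: ports that receive untagged frames from an OUI-listed source join the voice VLAN."""
    return {f["port"] for f in frames if not f.get("tagged") and match_oui(f["src"], table)}


if __name__ == "__main__":
    # Constructed frames: a Polycom phone on port 3, a PC on port 4, a tagged phone on port 5.
    FRAMES = [
        {"port": 3, "src": "00-e0-75-12-34-56", "tagged": False},
        {"port": 4, "src": "00-11-22-33-44-55", "tagged": False},
        {"port": 5, "src": "00-04-0d-aa-bb-cc", "tagged": True},
    ]
    for f in FRAMES:
        print(f["port"], f["src"], match_oui(f["src"]), "forward" if security_mode_forward(f) else "discard")
    print("auto-mode voice ports:", auto_mode_voice_ports(FRAMES))
```

Matching is on the source MAC's OUI only, so security mode separates voice from data traffic by classification rather than by authenticating the device; that is the intended purpose of the feature, and 802.1X (Chapter 13) is the mechanism for authenticating what is plugged into the port.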
VLAN ID: Enter the VLAN ID of the voice VLAN. Aging Time: Specifies the lifetime of the member port in auto mode after the OUI address ages out. Priority: Select the priority of the port when sending voice data. 11.3.2 Port Config Before the voice VLAN function is enabled, the parameters of the ports in the voice VLAN should be configured on this page.
Port: Displays the port number of the switch. Port Mode: Select the mode for the port to join the voice VLAN. Auto: In this mode, the switch automatically adds a port to the voice VLAN or removes a port from the voice VLAN by checking whether the port receives voice data or not.
OUI Table Select: Select the desired entry to view the detailed information. OUI: Displays the OUI address of the voice device. Mask: Displays the OUI address mask of the voice device. Description: Displays the description of the OUI. Configuration Procedure of Voice VLAN: Step Operation Description Create VLAN...
Chapter 12 ACL ACL (Access Control List) is used to filter packets by configuring match rules and processing policies for packets, in order to control access to the network by unauthorized users. Besides, ACLs control traffic flows and save network resources. They provide a flexible and secured access control policy and help you control network security.
12.1.2 Time-Range Create On this page you can create time-ranges. Choose the menu ACL→Time-Range→Time-Range Create to load the following page. Figure 12-2 Time-Range Create Note: To successfully configure time-ranges, first specify time-slices and then time-ranges. The following entries are displayed on this screen: Create Time-Range ...
End Time: Displays the end time of the time-slice. Delete: Click the Delete button to delete the corresponding time-slice. 12.1.3 Holiday Config Holiday mode is applied as a different secured access control policy from the week mode. On this page you can define holidays according to your work arrangement. Choose the menu ACL→Time-Range→Holiday Config to load the following page.
Choose the menu ACL→ACL Config→ACL Summary to load the following page. Figure 12-4 ACL Summary The following entries are displayed on this screen: Search Option Select ACL: Select the ACL you have created. ACL Type: Displays the type of the ACL you select. Rule Order: Displays the rule order of the ACL you select.
Figure 12-6 Create MAC Rule The following entries are displayed on this screen: Create MAC-Rule ACL ID: Select the desired MAC ACL for configuration. Rule ID: Enter the rule ID. Operation: Select the operation for the switch to process packets which match the rules.
Rule ID: Enter the rule ID. Operation: Select the operation for the switch to process packets which match the rules. Permit: Forward packets. Deny: Discard Packets. S-IP: Enter the source IP address contained in the rule. D-IP: Enter the destination IP address contained in the rule. Mask: Enter IP address mask.
IP Protocol: Select the IP protocol contained in the rule. S-Port: Configure the TCP/IP source port contained in the rule when TCP/UDP is selected from the pull-down list of IP Protocol. D-Port: Configure the TCP/IP destination port contained in the rule when TCP/UDP is selected from the pull-down list of IP Protocol. 12.3 Policy Config A Policy is used to control the data packets that match the corresponding ACL rules by configuring ACLs and actions together.
Figure 12-10 Create Policy The following entries are displayed on this screen: Create Policy Policy Name: Enter the name of the policy. 12.3.3 Action Create On this page you can add ACLs for the policy. Choose the menu ACL→Policy Config→Action Create to load the following page. Figure 12-11 Action Create The following entries are displayed on this screen: Create Action...
12.4.1 Binding Table On this page you can view the ACL bound to a port/VLAN. Choose the menu ACL→ACL Binding→Binding Table to load the following page. Figure 12-12 Binding Table The following entries are displayed on this screen: Search Option Show Mode: Select a show mode appropriate to your needs.
12.4.2 Port Binding On this page you can bind an ACL to a port. Choose the menu ACL→ACL Binding→Port Binding to load the following page. Figure 12-13 Bind the policy to the port The following entries are displayed on this screen: Port-Bind Config ...
12.4.3 VLAN Binding On this page you can bind an ACL to a VLAN. Choose the menu ACL→ACL Binding→VLAN Binding to load the following page. Figure 12-14 Bind the policy to the VLAN The following entries are displayed on this screen: VLAN-Bind Config ...
12.5.1 Binding Table On this page you can view the policy bound to a port/VLAN. Choose the menu ACL→Policy Binding→Binding Table to load the following page. Figure 12-15 Binding Table The following entries are displayed on this screen: Search Option Show Mode: Select a show mode appropriate to your needs.
12.5.2 Port Binding On this page you can bind a policy to a port. Choose the menu ACL→ACL Binding→Port Binding to load the following page. Figure 12-16 Bind the policy to the port The following entries are displayed on this screen: Port-Bind Config ...
12.5.3 VLAN Binding On this page you can bind a policy to a VLAN. Choose the menu ACL→Policy Binding→VLAN Binding to load the following page. Figure 12-17 Bind the policy to the VLAN The following entries are displayed on this screen: VLAN-Bind Config ...
3. The staff of the marketing department can access the Internet but cannot visit the forum. 4. The R&D department and marketing department cannot communicate with each other. Network Diagram Configuration Procedure Configure for requirement 1: On ACL→ACL Config→ACL Create page, create ACL 11. On ACL→ACL Config→MAC ACL page, select ACL 11, create Rule 1,...
Configure for requirement 2 and 4: On ACL→ACL Config→ACL Create page, create ACL 500. On ACL→ACL Config→Standard-IP ACL page, select ACL 500, create Rule 1, configure operation as Deny, configure S-IP as 10.10.70.0 and mask as 255.255.255.0, configure D-IP as 10.10.50.0 and mask as 255.255.255.0.
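How the Standard-IP rule from this step is evaluated against traffic, as an added example (a model written for this page, not the switch's ACL engine). ACL 500 Rule 1 is taken from the procedure above; the mask is treated as a subnet mask whose 1-bits must match, rules are evaluated in ascending rule ID order, and the "permit" default for packets that match no rule is an assumption. The reverse-direction rule and the sample packets are constructed to show that one rule only covers one direction of the R&D/marketing traffic:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class IpRule:
    rule_id: int
    operation: str              # "permit" (forward) or "deny" (discard)
    s_ip: str = "0.0.0.0"
    s_mask: str = "0.0.0.0"     # 0.0.0.0 = match any source
    d_ip: str = "0.0.0.0"
    d_mask: str = "0.0.0.0"
    protocol: Optional[str] = None   # "tcp"/"udp"/None (any)
    d_port: Optional[int] = None     # only meaningful with tcp/udp


def _addr_match(addr: str, rule_ip: str, mask: str) -> bool:
    """Assumed mask semantics: bits set in the mask must be equal (subnet-mask style)."""
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(addr)) & m) == (int(ipaddress.IPv4Address(rule_ip)) & m)


def evaluate(acl, packet: dict, default="permit"):
    """Return (operation, matching rule_id); the first matching rule decides."""
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if (_addr_match(packet["src"], rule.s_ip, rule.s_mask)
                and _addr_match(packet["dst"], rule.d_ip, rule.d_mask)
                and rule.protocol in (None, packet.get("proto"))
                and rule.d_port in (None, packet.get("dport"))):
            return rule.operation, rule.rule_id
    return default, None


# ACL 500, Rule 1 from the procedure: R&D subnet to marketing subnet is denied.
ACL_500 = [
    IpRule(1, "deny", "10.10.70.0", "255.255.255.0", "10.10.50.0", "255.255.255.0"),
]
# Constructed Rule 2: the reverse direction, which requirement 4 also needs.
ACL_500_BOTH_WAYS = ACL_500 + [
    IpRule(2, "deny", "10.10.50.0", "255.255.255.0", "10.10.70.0", "255.255.255.0"),
]

# Constructed sample packets.
RD_TO_MARKETING = {"src": "10.10.70.5", "dst": "10.10.50.9", "proto": "tcp", "dport": 445}
MARKETING_TO_RD = {"src": "10.10.50.9", "dst": "10.10.70.5", "proto": "tcp", "dport": 445}
RD_TO_INTERNET = {"src": "10.10.70.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 443}

if __name__ == "__main__":
    for name, pkt in (("R&D->marketing", RD_TO_MARKETING), ("marketing->R&D", MARKETING_TO_RD),
                      ("R&D->Internet", RD_TO_INTERNET)):
        print(f"{name:16} rule1 only: {evaluate(ACL_500, pkt)}  both ways: {evaluate(ACL_500_BOTH_WAYS, pkt)}")
```

Checking both directions is the practical point: a deny rule is matched on the packet's own source and destination, so isolating two departments from each other takes one rule per direction (or binding the ACL to both ports so each side's outbound traffic is filtered).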
Chapter 13 Network Security The Network Security module provides multiple protection measures for network security. This module includes five submenus: IP-MAC Binding, DHCP Snooping, ARP Inspection, DoS Defend and 802.1X. Please configure the functions appropriate to your needs. 13.1 IP-MAC Binding The IP-MAC Binding function allows you to bind the IP address, MAC address, VLAN ID and the connected Port number of the Host together.
The following entries are displayed on this screen: Search Source: Displays the Source of the entry. All: All the bound entries will be displayed. Manual: Only the manually added entries will be displayed. Scanning: Only the entries formed via ARP Scanning will ...
Figure 13-2 Manual Binding The following entries are displayed on this screen: Manual Binding Option Host Name: Enter the Host Name. IP Address: Enter the IP Address of the Host. MAC Address: Enter the MAC Address of the Host. VLAN ID: Enter the VLAN ID.
Collision: Displays the Collision status of the entry. Warning: Indicates that the collision may be caused by the MSTP function. Critical: Indicates that the entry has a collision with other entries. 13.1.3 ARP Scanning ARP (Address Resolution Protocol) is used to resolve IP addresses to the corresponding MAC addresses so that packets can be delivered to their destinations correctly.
Choose the menu Network Security→IP-MAC Binding→ARP Scanning to load the following page. Figure 13-4 ARP Scanning The following entries are displayed on this screen: Scanning Option Start IP Address: Specify the Start IP Address. End IP Address: Specify the End IP Address. VLAN ID: Enter the VLAN ID.
13.2 DHCP Snooping Networks are growing larger and more complicated. The number of PCs often exceeds the number of assigned IP addresses, wireless networks and laptops are widely used, and the locations of PCs change frequently. Therefore the IP address of a PC should be updatable with only a few configuration changes.
Most Clients obtain their IP addresses dynamically, as illustrated in the following figure. Figure 13-6 Interaction between a DHCP client and a DHCP server DHCP-DISCOVER Stage: The Client broadcasts the DHCP-DISCOVER packet to find the DHCP Server. DHCP-OFFER Stage: Upon receiving the DHCP-DISCOVER packet, the DHCP Server selects an IP address from the IP pool according to the assigning priority of the IP addresses and replies to the Client with a DHCP-OFFER packet carrying the IP address and other information.
Option 82 can contain 255 sub-options at most. If Option 82 is defined, at least one sub-option must be defined. This switch supports two sub-options: Circuit ID and Remote ID. Since there is no universal standard for the content of Option 82, different manufacturers define the sub-options of Option 82 according to their own needs.
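The following added example (not code from the T1700G-28TQ guide) builds and parses the Option 82 TLV with the two sub-options the switch supports, using the sub-option codes from RFC 3046 (1 = Circuit ID, 2 = Remote ID); the sample values are constructed.

```python
"""Build and parse DHCP Option 82 (Relay Agent Information, RFC 3046).

Added example, not taken from the switch's firmware or the guide. Sub-option
codes 1 (Circuit ID) and 2 (Remote ID) come from RFC 3046; sample values are
constructed for illustration.
"""
import struct

OPTION_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
SUBOPT_NAMES = {SUBOPT_CIRCUIT_ID: "circuit_id", SUBOPT_REMOTE_ID: "remote_id"}


def build_option82(circuit_id: bytes = b"", remote_id: bytes = b"") -> bytes:
    """Return the TLV bytes for Option 82 carrying the given sub-options.

    At least one sub-option must be present, matching the guide's rule that a
    defined Option 82 needs at least one sub-option.
    """
    body = b""
    for code, value in ((SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id)):
        if value:
            if len(value) > 255:
                raise ValueError(f"sub-option {code} value too long")
            body += struct.pack("BB", code, len(value)) + value
    if not body:
        raise ValueError("Option 82 requires at least one sub-option")
    if len(body) > 255:
        raise ValueError("Option 82 payload exceeds 255 bytes")
    return struct.pack("BB", OPTION_RELAY_AGENT, len(body)) + body


def parse_option82(data: bytes) -> dict:
    """Parse an Option 82 TLV and return {sub-option name: value}.

    Raises ValueError on a malformed option (truncated length fields, an
    unsupported sub-option, or no sub-options); a snooping switch should treat
    such an option as invalid rather than trust its contents.
    """
    if len(data) < 2 or data[0] != OPTION_RELAY_AGENT:
        raise ValueError("not an Option 82 TLV")
    length = data[1]
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated Option 82")
    result = {}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, sublen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + sublen]
        if len(value) != sublen:
            raise ValueError("truncated sub-option value")
        name = SUBOPT_NAMES.get(code)
        if name is None:
            raise ValueError(f"unsupported sub-option {code}")
        result[name] = value
        pos += 2 + sublen
    if not result:
        raise ValueError("Option 82 without sub-options")
    return result


def is_valid_option82(data: bytes) -> bool:
    """True if data parses as a well-formed Option 82 with supported sub-options."""
    try:
        parse_option82(data)
        return True
    except ValueError:
        return False
```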
13.2.1 Global Config Choose the menu Network Security→DHCP Snooping→Global Config to load the following page. Figure 13-8 DHCP Snooping The following entries are displayed on this screen: DHCP Snooping Configuration DHCP Snooping: Enable/Disable the DHCP Snooping function globally. VLAN ID: Enable/Disable the DHCP Snooping function in the specified VLAN.
Customization: Enable/Disable the switch to define the Option 82. Remote ID: Enter the sub-option Remote ID for the customized Option 82. 13.2.2 Port Config Choose the menu Network Security→DHCP Snooping→Port Config to load the following page. Figure 13-9 DHCP Snooping DHCP Snooping Port Configuration ...
Circuit ID: Enter the sub-option Circuit ID for the customized Option 82 field. LAG: Displays the LAG to which the port belongs. 13.3 ARP Inspection As described in the ARP implementation procedure in 13.1.3 ARP Scanning, the ARP protocol allows Hosts in the same network segment to communicate with one another or to reach external networks via the Gateway.
Cheating Gateway The attacker sends wrong IP address-to-MAC address mapping entries of Hosts to the Gateway, which prevents the Gateway from communicating normally with the legitimate terminal Hosts. The ARP Attack implemented by cheating the Gateway is illustrated in the following figure. Figure 13-11 ARP Attack –...
Figure 13-12 ARP Attack – Cheating Terminal Hosts As shown in the figure above, the attacker sends fake ARP packets of Host A to Host B, and Host B automatically updates its ARP table after receiving them. When Host B tries to communicate with Host A, it uses this false destination MAC address when encapsulating its packets, which results in a breakdown of normal communication.
Figure 13-13 Man-In-The-Middle Attack Suppose there are three Hosts in a LAN connected with one another through a switch. Host A: IP address is 192.168.0.101; MAC address is 00-00-00-11-11-11. Host B: IP address is 192.168.0.102; MAC address is 00-00-00-22-22-22. Attacker: IP address is 192.168.0.103; MAC address is 00-00-00-33-33-33. First, the attacker sends the false ARP response packets.
The IP-MAC Binding function allows the switch to bind the IP address, MAC address, VLAN ID and the connected Port number of a Host together when the Host connects to the switch. Based on the predefined IP-MAC Binding entries, ARP Inspection inspects ARP packets and filters out illegal ones so as to protect the network from ARP attacks.
Configuration Procedure: Step: Bind the IP address, MAC address, VLAN ID and the connected Port number of the Host together. Required. On the IP-MAC Binding page, bind the IP address, MAC address, VLAN ID and the connected Port number of the Host together via Manual Binding, ARP ...
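As an added illustration (not the switch's own code) of the check described above, the following simulates ARP Inspection against a binding table holding the four fields the guide lists, using the hosts from Figure 13-13 as constructed sample data; the VLAN ID and port numbers are assumed.

```python
"""Simulate the ARP Inspection decision of section 13.3.

Added example, not code from the T1700G-28TQ. A received ARP packet is legal
only if its sender IP/MAC, VLAN and ingress port all match one IP-MAC Binding
entry; everything else is counted as an illegal ARP packet for that port and
dropped. Host addresses come from Figure 13-13; VLAN and ports are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: int


@dataclass
class ArpPacket:
    """The fields of one received ARP frame that inspection looks at."""
    ingress_port: int
    vlan: int
    sender_ip: str
    sender_mac: str
    opcode: int  # 1 = request, 2 = reply


@dataclass
class ArpInspector:
    bindings: List[Binding]
    illegal_per_port: Dict[int, int] = field(default_factory=dict)

    def inspect(self, pkt: ArpPacket) -> bool:
        """Return True to forward the packet, False to drop it."""
        for b in self.bindings:
            if (b.ip == pkt.sender_ip and b.mac.lower() == pkt.sender_mac.lower()
                    and b.vlan == pkt.vlan and b.port == pkt.ingress_port):
                return True
        # No binding matches: record it for the ARP Statistics view and drop.
        self.illegal_per_port[pkt.ingress_port] = self.illegal_per_port.get(pkt.ingress_port, 0) + 1
        return False


# Constructed binding table (assumed VLAN 1, one host per port).
BINDINGS = [
    Binding("192.168.0.101", "00-00-00-11-11-11", 1, 1),  # Host A
    Binding("192.168.0.102", "00-00-00-22-22-22", 1, 2),  # Host B
    Binding("192.168.0.103", "00-00-00-33-33-33", 1, 3),  # third host in the figure
]


def run_demo() -> dict:
    """Feed three constructed packets through the inspector and return the verdicts."""
    insp = ArpInspector(BINDINGS)
    legit = ArpPacket(1, 1, "192.168.0.101", "00-00-00-11-11-11", 2)
    # Reply from port 3 claiming Host A's IP with port 3's MAC: no such binding.
    spoofed = ArpPacket(3, 1, "192.168.0.101", "00-00-00-33-33-33", 2)
    # Correct IP/MAC pair but arriving on port 2: bound port does not match.
    wrong_port = ArpPacket(2, 1, "192.168.0.101", "00-00-00-11-11-11", 1)
    results = {
        "legit": insp.inspect(legit),
        "spoofed": insp.inspect(spoofed),
        "wrong_port": insp.inspect(wrong_port),
    }
    results["illegal_per_port"] = dict(insp.illegal_per_port)
    return results
```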
The following entries are displayed on this screen: ARP Defend UNIT: Click unit number to configure the physical ports of this unit member. Select: Select your desired port for configuration. It is multi-optional. Port: Displays the port number. Defend: Select Enable/Disable the ARP Defend feature for the port.
Choose the menu Network Security→ARP Inspection→ARP Statistics to load the following page. Figure 13-16 ARP Statistics The following entries are displayed on this screen: Auto Refresh Auto Refresh: Enable/Disable the Auto Refresh feature. Refresh Interval: Specify the refresh interval to display the ARP Statistics. Illegal ARP Packet ...
With the DoS Defend function enabled, the switch analyzes specific fields of IP packets to identify malicious DoS attack packets. Upon detecting such packets, the switch discards the illegal packets directly and limits the transmission rate of legal packets if an excess of legal packets could cause a breakdown of the network.
13.4.1 DoS Defend On this page, you can enable the DoS Defend type appropriate to your need. Choose the menu Network Security→DoS Defend→DoS Defend to load the following page. Figure 13-17 DoS Defend The following entries are displayed on this screen: Defend Config ...
Authenticator System: The authenticator system is usually an 802.1X-supported network device, such as this TP-LINK switch. It provides the physical or logical port for the supplicant system to access the LAN and authenticates the supplicant system. Authentication Server System: The authentication server system is an entity that provides authentication service to the authenticator system.
EAP Relay Mode This mode is defined in 802.1X. In this mode, EAP packets are encapsulated in higher-level protocol packets (such as EAPOR) so that they can successfully reach the authentication server. This mode normally requires the RADIUS server to support the two EAP-related fields: the EAP-Message field and the Message-Authenticator field.
The switch changes the state of the corresponding port to the accepted state to allow the supplicant system to access the network. The switch then monitors the status of the supplicant by sending handshake packets periodically. By default, the switch forces the supplicant to log off if it gets no response from the supplicant twice.
Quiet-period timer (Quiet Period): This timer sets the quiet period. When a supplicant system fails to pass authentication, the switch waits for the specified period before it processes another authentication request re-initiated by the supplicant system. Guest VLAN The Guest VLAN function enables supplicants that do not pass authentication to access specific network resources.
Handshake: Enable/Disable the Handshake feature. The Handshake feature is used to detect the connection status of the TP-LINK 802.1X Client with the switch. Please disable Handshake feature if you are using other client software instead of TP-LINK 802.1X Client. Guest VLAN: Enable/Disable the Guest VLAN feature.
Choose the menu Network Security→802.1X→Port Config to load the following page. Figure 13-22 Port Config The following entries are displayed on this screen: Port Config UNIT: Click unit number to configure the physical ports of this unit member. Select: Select your desired port for configuration.
13.5.3 RADIUS Config A RADIUS (Remote Authentication Dial-In User Service) server provides the authentication service for the switch using stored client information such as user names and passwords, in order to control the authentication and accounting status of the clients. On this page, you can configure the parameters of the authentication server.
Install the 802.1X client software. Required. For the client computers, you are required to install the TP-LINK 802.1X Client provided on the CD. Please refer to the software guide in the same directory as the software for more information. Configure 802.1X...
Chapter 14 SNMP SNMP Overview SNMP (Simple Network Management Protocol) is the most widely used management protocol on UDP/IP networks. SNMP provides a management framework to monitor and maintain network devices. It is used to manage the various network devices automatically regardless of their physical differences.
SNMP v1: SNMP v1 adopts Community Name authentication. The community name is used to define the relation between SNMP Management Station and SNMP Agent. The SNMP packets failing to pass community name authentication are discarded. The community name can limit access to SNMP Agent from SNMP NMS, functioning as a password.
3. Create SNMP User The User configured in an SNMP Group can manage the switch via the client program on the management station. The specified User Name and the Auth/Privacy Password are used by the SNMP Management Station to access the SNMP Agent, functioning as passwords. The SNMP module is used to configure the SNMP function of the switch, including three submenus: SNMP Config, Notification and RMON.
Note: The amount of Engine ID characters must be even. 14.1.2 SNMP View The OID (Object Identifier) of the SNMP packets is used to describe the managed objects of the switch, and the MIB (Management Information Base) is the set of the OIDs. The SNMP View is created for the SNMP management station to manage MIB objects.
14.1.3 SNMP Group On this page, you can configure SNMP Group to control the network access by providing the users in various groups with different management rights via the Read View, Write View and Notify View. Choose the menu SNMP→SNMP Config→SNMP Group to load the following page. Figure 14-5 SNMP Group The following entries are displayed on this screen: Group Config...
Read View: Select the View to be the Read View. The management access is restricted to read-only, and changes cannot be made to the assigned SNMP View. Write View: Select the View to be the Write View. The management access is write-only and changes can be made to the assigned SNMP View.
Choose the menu SNMP→SNMP Config→SNMP User to load the following page. Figure 14-6 SNMP User The following entries are displayed on this screen: User Config User Name: Enter the User Name here. User Type: Select the type for the User. Local User: Indicates that the user is connected to a ...
User Table Select: Select the desired entry to delete the corresponding User. It is multi-optional. User Name: Displays the name of the User. User Type: Displays the User Type. Group Name: Displays the Group Name of the User. Security Model: Displays the Security Model of the User.
Access: Defines the access rights of the community. read-only: Management right of the Community is restricted to read-only, and changes cannot be made to the corresponding View. read-write: Management right of the Community is read-write and changes can be made to the corresponding View.
If SNMPv1 or SNMPv2c is employed, please take the following steps: Step 1: Enable the SNMP function globally. Required. On the SNMP→SNMP Config→Global Config page, enable the SNMP function globally. Step 2: Create an SNMP View. Required. On the SNMP→SNMP Config→SNMP View page, create the SNMP View of the management agent.
On this page, you can configure the notification function of SNMP. Choose the menu SNMP→Notification→Notification Config to load the following page. Figure 14-8 Notification Config The following entries are displayed on this screen: Host Config IP Address: Enter the IP Address of the management Host. User: Enter the User name of the management station.
User: Displays the User name of the management station. Security Model: Displays the Security Model of the management station. Security Level: Displays the Security Level for the SNMP v3 User. Type: Displays the type of the notifications. Retry: Displays the amount of times the switch resends an inform request.
The RMON Groups can be configured on the Statistics, History, Event and Alarm pages. 14.3.1 Statistics On this page you can configure and view the statistics entry. Choose the menu SNMP→RMON→Statistics to load the following page. Figure 14-9 Statistics The following entries are displayed on this screen: Statistics Config ...
14.3.2 History On this page, you can configure the History Group for RMON. Choose the menu SNMP→RMON→History to load the following page. Figure 14-10 History Control The following entries are displayed on this screen: History Control Table Select: Select the desired entry for configuration. Index: Displays the index number of the entry.
14.3.3 Event On this page, you can configure the RMON events. Choose the menu SNMP→RMON→Event to load the following page. Figure 14-11 Event Config The following entries are displayed on this screen: Event Table Select: Select the desired entry for configuration. Index: Displays the index number of the entry.
14.3.4 Alarm Config On this page, you can configure Statistic Group and Alarm Group for RMON. Choose the menu SNMP→RMON→Alarm to load the following page. Figure 14-12 Alarm Config The following entries are displayed on this screen: Alarm Config Select: Select the desired entry for configuration.
Alarm Type: Specify the type of the alarm. All: The alarm event is triggered either when the sampled value exceeds the Rising Threshold or when it falls under the Falling Threshold. Rising: When the sampled value exceeds the Rising Threshold, an alarm event is triggered. Falling: When the sampled value is under the Falling ...
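The following added example (not code from the switch) evaluates a constructed series of samples against the three Alarm Types above; it goes beyond the text in one respect, applying the RMON alarm group's re-arming rule from RFC 2819 (after a rising alarm, no second rising alarm until the value has gone under the Falling Threshold, and vice versa), which is assumed rather than stated by the guide.

```python
"""Evaluate RMON-style rising/falling alarms over sampled values.

Added example, not the switch's implementation. Alarm Type values match the
Alarm Config page (All, Rising, Falling). The re-arming (hysteresis) rule is
taken from the RMON alarm group (RFC 2819) and is assumed for this switch.
Comparisons follow the guide's wording: "exceeds" and "under" are strict.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class RmonAlarm:
    rising_threshold: int
    falling_threshold: int
    alarm_type: str = "All"  # "All", "Rising" or "Falling"
    rising_armed: bool = True
    falling_armed: bool = True
    events: List[Tuple[int, str]] = field(default_factory=list)

    def sample(self, index: int, value: int) -> str:
        """Evaluate one sampled value; return "rising", "falling" or "" (no event)."""
        fired = ""
        if value > self.rising_threshold and self.rising_armed:
            # Report only if the alarm type covers rising, but always disarm
            # rising and re-arm falling so the alarm cannot fire on every
            # sample that stays above the threshold.
            if self.alarm_type in ("All", "Rising"):
                fired = "rising"
            self.rising_armed, self.falling_armed = False, True
        elif value < self.falling_threshold and self.falling_armed:
            if self.alarm_type in ("All", "Falling"):
                fired = "falling"
            self.falling_armed, self.rising_armed = False, True
        if fired:
            self.events.append((index, fired))
        return fired


def evaluate(samples: List[int], rising: int, falling: int,
             alarm_type: str = "All") -> List[Tuple[int, str]]:
    """Run all samples through one alarm entry and return (index, event) pairs."""
    alarm = RmonAlarm(rising, falling, alarm_type)
    for i, v in enumerate(samples):
        alarm.sample(i, v)
    return alarm.events


# Constructed sample series (e.g. per-interval error counts on a monitored port).
SAMPLES = [30, 60, 80, 70, 30, 5, 10, 90, 65, 15]
```

With Rising Threshold 50 and Falling Threshold 20, `evaluate(SAMPLES, 50, 20)` reports four events instead of flagging every sample above 50 or below 20.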
Chapter 15 Maintenance The Maintenance module gathers the commonly used system tools for managing the switch and provides a convenient way to locate and solve network problems. System Monitor: Monitor the utilization status of the memory and the CPU of the switch. Log: View the configuration parameters of the switch and find errors via the Logs.
Click the Monitor button to enable the switch to monitor and display its CPU utilization rate every four seconds. 15.1.2 Memory Monitor Choose the menu Maintenance→System Monitor→Memory Monitor to load the following page. Figure 15-2 Memory Monitor Click the Monitor button to enable the switch to monitor and display its Memory utilization rate every four seconds.
Table 15-1 Log Level (Severity / Level / Description): warnings: Warning conditions; notifications: Normal but significant conditions; informational: Informational messages; debugging: Debug-level messages. The Log function is implemented on the Log Table, Local Log, Remote Log and Backup Log pages. 15.2.1 Log Table The switch supports log output to two destinations, namely the log buffer and the log file.
Severity: Displays the severity level of the log information. You can select a severity level to display the log information whose severity level value is the same or smaller. Content: Displays the content of the log information. Note: The logs are classified into eight levels based on severity. The higher the severity of the information, the lower the corresponding level value.
15.2.3 Remote Log The Remote Log feature enables the switch to send system logs to a Log Server. The Log Server centralizes the system logs from various devices so that the administrator can monitor and manage the whole network. Choose the menu Maintenance→Log→Remote Log to load the following page. Figure 15-5 Log Host The following entries are displayed on this screen: Log Host...
Choose the menu Maintenance→Log→Backup Log to load the following page. Figure 15-6 Backup Log The following entry is displayed on this screen: Backup Log Backup Log: Click the Backup Log button to save the log as a file to your computer. Note: When a critical error results in the breakdown of the system, you can export the log file to get some related important information about the error for device diagnosis after the switch is...
Choose the menu Maintenance→Device Diagnostics→Cable Test to load the following page. Figure 15-7 Cable Test The following entries are displayed on this screen: Cable Test UNIT: Click unit number to configure the physical ports of this unit member. Port: Select the port for cable testing.
15.4.1 Ping The Ping test function tests the connectivity between the switch and a node on the network, so you can check the reachability of a host and locate network malfunctions. Choose the menu Maintenance→Network Diagnostics→Ping to load the following page. Figure 15-8 Ping The following entries are displayed on this screen: Ping Config...
Choose the menu Maintenance→Network Diagnostics→Tracert to load the following page. Figure 15-9 Tracert The following entries are displayed on this screen: Tracert Config Destination IP: Enter the IP address of the destination device. Both IPv4 and IPv6 are supported. Max Hop: Specify the maximum number of the route hops the test data can pass through.
Appendix B: Glossary Bootstrap Protocol (BOOTP) BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file. Class of Service (CoS) CoS is supported by prioritizing packets based on the required level of service, and then placing them in the appropriate output queue.
Internet Group Management Protocol (IGMP) A protocol through which hosts can register with their local router for multicast services. If there is more than one multicast switch/router on a given subnetwork, one of the devices is made the “querier” and assumes responsibility for keeping track of group membership. IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast routers and IP Multicast host groups to identify IP Multicast group members.
Remote Authentication Dial-in User Service (RADIUS) RADIUS is a logon authentication protocol that uses software running on a central server to control access to RADIUS-compliant devices on the network. Remote Monitoring (RMON) RMON provides comprehensive network monitoring capabilities. It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types.