TP-Link T2600G-28TS User Manual


JetStream Gigabit L2 Managed Switch

T2600G-28TS (TL-SG3424)
T2600G-52TS (TL-SG3452)
JetStream Gigabit L2 Managed Switch
REV1.0.1
1910011412


Summary of Contents for TP-Link T2600G-28TS

  • Page 1 T2600G-28TS (TL-SG3424) T2600G-52TS (TL-SG3452) JetStream Gigabit L2 Managed Switch REV1.0.1 1910011412...
  • Page 2: Fcc Statement

    Specifications are subject to change without notice. is a registered trademark of TP-LINK TECHNOLOGIES CO., LTD. Other brands and product names are trademarks or registered trademarks of their respective holders. No part of the specifications may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from TP-LINK TECHNOLOGIES CO., LTD.
  • Page 3: Safety Information

    Explanation of the symbols on the product label Symbol Explanation AC voltage RECYCLING This product bears the selective sorting symbol for Waste electrical and electronic equipment (WEEE). This means that this product must be handled pursuant to European directive 2012/19/EU in order to be recycled or dismantled to minimize its impact on the environment.
  • Page 4: Declaration Of Conformity

    DECLARATION OF CONFORMITY Company: TP-LINK TECHNOLOGIES CO., LTD. We declare under our own responsibility for the following equipment: Product Description: JetStream 24-Port Gigabit L2 Managed Switch with 4 SFP Slots/JetStream 48-Port Gigabit L2 Managed Switch with 4 SFP Slots Model No.: T2600G-28TS/T2600G-52TS...
  • Page 5: Table Of Contents

    CONTENTS Package Contents ..........................1 Chapter 1 About this Guide ......................2 Intended Readers ......................2 Conventions ........................2 Overview of This Guide ....................2 Chapter 2 Introduction ........................7 Overview of the Switch ....................7 Appearance Description ....................7 2.2.1 Front Panel ......................
  • Page 6 4.4.5 Telnet Config ..................... 36 SDM Template ......................36 4.5.1 SDM Template Config ..................36 Chapter 5 Switching ........................38 Port ..........................38 5.1.1 Port Config ......................38 5.1.2 Port Mirror......................39 5.1.3 Port Security ...................... 41 5.1.4 Port Isolation ..................... 43 5.1.5 Loopback Detection ..................
  • Page 7 6.5.2 Protocol Group ....................77 6.5.3 Protocol Template ....................77 Application Example for Protocol VLAN ..............79 VLAN VPN ........................81 6.7.1 VPN Config ......................82 6.7.2 Port Enable ......................83 6.7.3 VLAN Mapping ....................83 GVRP ........................... 86 Private VLAN ........................ 89 6.9.1 PVLAN Config ....................
  • Page 8 Chapter 9 Multicast ........................136 IGMP Snooping ......................140 9.1.1 Snooping Config ....................142 9.1.2 Port Config ...................... 144 9.1.3 VLAN Config ....................145 9.1.4 Multicast VLAN ....................146 9.1.5 Querier Config ....................150 9.1.6 Profile Config ....................151 9.1.7 Profile Binding ....................
  • Page 9 10.4.4 Binding Table ....................200 10.4.5 Packet Statistics ....................201 10.4.6 Application Example for DHCP Server and Relay .......... 202 10.5 DHCP Relay ....................... 204 10.5.1 Global Config ....................206 10.5.2 DHCP Server ....................207 10.6 ARP ..........................208 10.6.1 ARP Table ......................
  • Page 10 12.3.2 Policy Create ....................237 12.3.3 Action Create ....................237 12.4 ACL Binding........................ 238 12.4.1 Binding Table ....................239 12.4.2 Port Binding ..................... 240 12.4.3 VLAN Binding ....................241 12.5 Policy Binding ......................241 12.5.1 Binding Table ....................242 12.5.2 Port Binding .....................
  • Page 11 13.11 AAA ..........................285 13.11.1 Global Config ................... 286 13.11.2 Privilege Elevation ................... 286 13.11.3 RADIUS Server Config ................286 13.11.4 TACACS+ Server Config ................. 287 13.11.5 Authentication Server Group Config ............288 13.11.6 Authentication Method List Config ............290 13.11.7 Application Authentication List Config .............
  • Page 12 16.1 System Monitor ......................327 16.1.1 CPU Monitor ....................327 16.1.2 Memory Monitor ....................328 16.2 sFlow .......................... 329 16.2.1 SFlow Collector ....................330 16.2.2 SFlow Sampler ....................331 16.2.3 Default Settings ....................332 16.3 Log ..........................332 16.3.1 Log Table ......................332 16.3.2 Local Log ......................
  • Page 13: Package Contents

    One JetStream Gigabit L2 Managed Switch; one power cord; two mounting brackets and other fittings; Installation Guide; Resource CD for T2600G-28TS/T2600G-52TS, including: this User Guide, CLI Reference Guide, SNMP MIBs, 802.1X Client Software and its User Guide...
  • Page 14: Chapter 1 About This Guide

    JetStream Gigabit L2 Managed Switch without any explanation. Tips: The T2600G-28TS and T2600G-52TS share this User Guide. They differ only in the number of LED indicators and ports. For simplicity, this Guide uses the T2600G-28TS as the example throughout. However, significant differences are presented with figures or notes to attract your attention.
  • Page 15 Chapter Introduction Chapter 4 System This module is used to configure system properties of the switch. It mainly introduces: System Info: Configure the description, system time and network parameters of the switch. User Management: Configure the user name and password...
  • Page 16 Chapter Introduction Chapter 8 Ethernet OAM This module is used to configure the Ethernet OAM function of the switch. It mainly introduces: Basic Config: Enable the Ethernet OAM function, configure its OAM mode, and check the connection status. Link Monitoring: Configure the parameters about OAM link...
  • Page 17 Chapter Introduction Chapter 12 ACL This module is used to configure match rules and process policies of packets to filter packets in order to control the access of the illegal users to the network. It mainly introduces: Time-Range: Configure the effective time for ACL rules...
  • Page 18 Network Diagnostics: Test if the destination is reachable and the number of router hops from the switch to the destination. Appendix A Password Recovery: Introduces the procedure to reset passwords on TP-LINK switches. Appendix B Specifications: Lists the hardware specifications of the switch.
  • Page 19: Chapter 2 Introduction

    Chapter 2 Introduction Thanks for choosing the T2600G-28TS/ T2600G-52TS JetStream Gigabit L2 Managed Switch! 2.1 Overview of the Switch Designed for workgroups and departments, T2600G-28TS/ T2600G-52TS from TP-LINK provides wire-speed performance and full set of L2 and L2+ management features. It provides a variety of service features and multiple powerful functions with high security.
  • Page 20 10/100/1000Mbps RJ45 port has a corresponding 1000Mbps LED and Link/Act LED. SFP Port: Designed to install the SFP module. T2600G-28TS features 4 individual SFP ports and supports 1000M SFP module connection only. The front panel of T2600G-52TS is shown as Figure 2-2.
  • Page 21: Rear Panel

    T2600G-28TS T2600G-52TS 2.2.2 Rear Panel The rear panel of T2600G-28TS/ T2600G-52TS features a Kensington security slot, a Grounding Terminal (marked with ) and a power socket. Figure 2-3 Rear Panel Kensington Security Slot: Secure the lock (not provided) into the security slot to prevent the...
  • Page 22 Grounding Terminal: The switch already comes with a lightning protection mechanism. You can also ground the switch through the PE (Protecting Earth) cable of AC cord or with Ground Cable. AC Power Socket: Connect the female connector of the power cord here, and the male connector to the AC power outlet.
  • Page 23: Chapter 3 Login To The Switch

    Chapter 3 Login to the Switch 3.1 Login 1) To access the configuration utility, open a web-browser and type in the default address http://192.168.0.1 in the address field of the browser, then press the Enter key. Figure 3-1 Web-browser Tips: To log in to the switch, the IP address of your PC should be set in the same subnet as the switch.
  • Page 24: Configuration

    3.2 Configuration After a successful login, the main page will appear as Figure 3-3, and you can configure the function by clicking the setup menu on the left side of the screen. Figure 3-3 Main Setup-Menu Note: Clicking Apply can only make the new configurations effective before the switch is rebooted. If you want to keep the configurations effective even after the switch is rebooted, please click Save Config.
  • Page 25: Chapter 4 System

    Chapter 4 System The System module is mainly for system configuration of the switch, including four submenus: System Info, User Management, System Tools, Access Security and SDM Template. 4.1 System Info The System Info, mainly for basic properties configuration, can be implemented on System Summary, Device Description, System Time, Daylight Saving Time and Serial Port Setting pages.
  • Page 26 When the cursor moves on the port, the detailed information of the port will be displayed. Figure 4-2 Port Information Port Info Port: Displays the port number of the switch. Type: Displays the type of the port. Rate: Displays the maximum transmission rate of the port. Status: Displays the connection status of the port.
  • Page 27: Device Description

    4.1.2 Device Description On this page you can configure the description of the switch, including device name, device location and system contact. Choose the menu System→System Info→Device Description to load the following page. Figure 4-4 Device Description The following entries are displayed on this screen: Device Description...
  • Page 28: Daylight Saving Time

    The following entries are displayed on this screen: Time Info Current System Time: Displays the current date and time of the switch. Current Time Source: Displays the current time source of the switch. Time Config Manual: When this option is selected, you can set the date and time manually.
  • Page 29: Serial Port Setting

    The following entries are displayed on this screen: DST Config DST Status: Enable or disable the DST. Predefined Mode: Select a predefined DST configuration. USA: Second Sunday in March, 02:00 ~ First Sunday in November, 02:00. Australia: First Sunday in October, 02:00 ~ First Sunday in...
  • Page 30: User Management

    The following entries are displayed on this screen: Serial Port Settings Baud Rate: Configure the baud rate of the console connection. It is 38400 bps by default. Data Bits: Displays the default data bits. Parity Bits: Displays the parity bits. Stop Bits: Displays the stop bits.
  • Page 31 Choose the menu System→User Management→User Config to load the following page. Figure 4-9 User Config The following entries are displayed on this screen: User Info User Name: Create a name for users’ login. Access Level: Select the access level to login. Admin: Admin can edit, modify and view all the settings of...
  • Page 32: System Tools

    4.3 System Tools The System Tools function, allowing you to manage the configuration file of the switch, can be implemented on Boot Config, Config Restore, Config Backup, Firmware Upgrade, System Reboot, Reboot Schedule and System Reset pages. 4.3.1 Boot Config On this page you can configure the boot file of the switch.
  • Page 33: Config Restore

    Current Startup Image: Displays the current startup image. Next Startup Image: Select the next startup image. Backup Image: Select the backup boot image. 4.3.2 Config Restore On this page you can upload a backup configuration file to restore your switch to this previous configuration.
  • Page 34: Firmware Upgrade

    4.3.4 Firmware Upgrade The switch system can be upgraded via the Web management page. To upgrade the system is to get more functions and better performance. Go to http://www.tp-link.com to download the updated firmware. Choose the menu System→System Tools→Firmware Upgrade to load the following page.
  • Page 35: System Reboot

    is not checked, the uploaded firmware file will take the place of the Backup Image. To start with the uploaded firmware, you should exchange the Next Startup Image and Backup Image in Boot Config and reboot the switch. Note: Upgrading the firmware will only upgrade the backup image. You are advised to back up the configuration before upgrading.
  • Page 36: System Reset

    The following entries are displayed on this screen: Reboot Schedule Setting Time Interval: Specify a period of time. The switch will reboot after this period. It ranges from 1 to 43200 minutes. This reboot schedule recurs if users check the Save Before Reboot. Time: Specify the time for the switch to reboot, in the format of HH:MM.
  • Page 37 Choose the menu System→Access Security→Access Control to load the following page. Figure 4-17 Access Control The following entries are displayed on this screen: Access Control Config Control Mode: Select the control mode for users to log on to the Web management page.
  • Page 38: Http Config

    4.4.2 HTTP Config With the help of HTTP (Hyper Text Transfer Protocol), you can manage the switch through a standard browser. The standards development of HTTP was coordinated by the Internet Engineering Task Force and the World Wide Web Consortium. On this page you can configure the HTTP function.
  • Page 39 SSL mainly provides the following services: Authenticate the users and the servers based on the certificates to ensure the data are transmitted to the correct users and servers; Encrypt the data transmission to prevent the data being intercepted; Maintain the integrity of the data to prevent the data being altered in the transmission. Adopting asymmetrical encryption technology, SSL uses key pair to encrypt/decrypt information.
  • Page 40 Choose the menu System→Access Security→HTTPS Config to load the following page. Figure 4-19 HTTPS Config The following entries are displayed on this screen: Global Config HTTPS: Select Enable/Disable the HTTPS function on the switch. SSL Version 3: Enable or Disable Secure Sockets Layer Version 3.0. By default, it’s enabled.
  • Page 41: Ssh Config

    CipherSuite Config RSA_WITH_RC4_128_MD5: Key exchange with RC4 128-bit encryption and MD5 for message digest. By default, it’s enabled. RSA_WITH_RC4_128_SHA: Key exchange with RC4 128-bit encryption and SHA for message digest. By default, it’s enabled. RSA_WITH_DES_CBC_SHA: Key exchange with DES-CBC for message encryption and SHA for message digest.
  • Page 42 information security and powerful authentication when you log on to the switch remotely through an insecure network environment. It can encrypt all the transmission data and prevent the information in a remote management being leaked. Comprising server and client, SSH has two versions, V1 and V2 which are not compatible with each other.
  • Page 43 Idle Timeout: Specify the idle timeout time. The system will automatically release the connection when the time is up. The default time is 120 seconds. Max Connect: Specify the maximum number of the connections to the SSH server. No new connection will be established when the number of the connections reaches the maximum number you set.
  • Page 44 Application Example 1 for SSH: Network Requirements 1. Log on to the switch via password authentication using SSH and the SSH function is enabled on the switch. 2. PuTTY client software is recommended. Configuration Procedure 1. Open the software to log on to the interface of PuTTY. Enter the IP address of the switch into Host Name field;...
  • Page 45 Application Example 2 for SSH: Network Requirements 1. Log on to the switch via key authentication using SSH and the SSH function is enabled on the switch. 2. PuTTY client software is recommended. Configuration Procedure 1. Select the key type and key length, and generate SSH key. Note: The key length is in the range of 512 to 3072 bits.
  • Page 46 2. After the key is successfully generated, please save the public key and private key to the computer. 3. On the Web management page of the switch, download the public key file saved in the computer to the switch. Note: The key type should accord with the type of the key file.
  • Page 47 4. After the public key and private key are downloaded, please log on to the interface of PuTTY and enter the IP address for login. 5. Click Browse to download the private key file to SSH client software and click Open.
  • Page 48: Telnet Config

    After successful authentication, please enter the login user name. If you log on to the switch without entering password, it indicates that the key has been successfully downloaded. 4.4.5 Telnet Config On this page you can Enable/Disable Telnet function globally on the switch. Choose the menu System→Access Security→Telnet Config to load the following page.
  • Page 49 Choose the menu System→SDM Template→SDM Template Config to load the following page. Figure 4-22 SDM Template Config Select Options Current Template Displays the SDM template currently in use. Next Template ID: Displays the SDM template that will become active after a reboot. Select Next Template: Configure the SDM template that will become active after the next...
  • Page 50: Chapter 5 Switching

    Chapter 5 Switching Switching module is used to configure the basic functions of the switch, including four submenus: Port, LAG, Traffic Monitor, MAC Address and L2PT. 5.1 Port The Port function, allowing you to configure the basic features for the port, is implemented on the Port Config, Port Mirror, Port Security, Port Isolation and Loopback Detection pages.
  • Page 51: Port Mirror

    Description: Give a description to the port for identification. Status: Allows you to Enable/Disable the port. When Enable is selected, the port/LAG can forward the packets normally. Speed: Select the Speed mode for the port. The device connected to the switch should be in the same Speed and Duplex mode with the switch.
  • Page 52 Mode: Displays the mirror mode. The value will be "Ingress Only", "Egress Only" or “Both”. Source: Displays the mirrored ports. Operation: You can configure the mirror session by clicking Edit, or clear the mirror session configuration by clicking the Clear. Click Edit to display the following figure.
  • Page 53: Port Security

    enabled, the incoming packets received by the mirrored port will be copied to the mirroring port. Egress: Select Enable/Disable the Egress feature. When the Egress is enabled, the outgoing packets sent by the mirrored port will be copied to the mirroring port. LAG: Displays the LAG number which the port belongs to.
  • Page 54 Choose the menu Switching→Port→Port Security to load the following page. Figure 5-4 Port Security The following entries are displayed on this screen: Port Security Select: Select the desired port for Port Security configuration. It is multi-optional. Port: Displays the port number. Max Learned MAC: Specify the maximum number of MAC addresses that can be learned on the port.
  • Page 55: Port Isolation

    Status: Select Enable/Disable the Port Security feature for the port. Note: The Port Security function is disabled for the LAG port member. Only after the port is removed from the LAG will the Port Security function be available for the port. 5.1.4 Port Isolation Port Isolation provides a method of restricting traffic flow to improve the network security by forbidding the port to forward packets to the ports that are not on its forward portlist.
  • Page 56: Loopback Detection

    Click Edit to display the following figure. Figure 5-6 Port Isolation Config 5.1.5 Loopback Detection With loopback detection feature enabled, the switch can detect loops using loopback detection packets. When a loop is detected, the switch will display an alert or further block the corresponding port according to the port configuration.
  • Page 57 Choose the menu Switching→Port→Loopback Detection to load the following page. Figure 5-7 Loopback Detection Config The following entries are displayed on this screen: Global Config LoopbackDetection Status: Here you can enable or disable Loopback Detection function globally. Detection Interval: Set a loopback detection interval between 1 and 1000 seconds.
  • Page 58: Lag

    Status: Enable or disable Loopback Detection function for the port. Operation Mode: Select the mode how the switch processes the detected loops. • Alert: When a loop is detected, display an alert. • Port based: When a loop is detected, display an alert and...
  • Page 59: Lag Table

    The LAG function is implemented on the LAG Table, Static LAG and LACP Config configuration pages. 5.2.1 LAG Table On this page, you can view the information of the current LAG of the switch. Choose the menu Switching→LAG→LAG Table to load the following page. Figure 5-8 LAG Table The following entries are displayed on this screen: Global Config...
  • Page 60: Static Lag

    Operation: Allows you to view or modify the information for each LAG. • Edit: Click to modify the settings of the LAG. • Detail: Click to get the information of the LAG. Click the Detail button for the detailed information of your selected LAG. Figure 5-9 Detailed Information 5.2.2 Static LAG On this page, you can manually configure the LAG.
  • Page 61: Lacp Config

    The following entries are displayed on this screen: LAG Config Group Number: Select a Group Number for the LAG. Description: Displays the description of the LAG. Member Port Member Port: Select the port as the LAG member. Clearing all the ports of the LAG will delete this LAG.
  • Page 62 On this page, you can configure the LACP feature of the switch. Choose the menu Switching→LAG→LACP Config to load the following page. Figure 5-11 LACP Config The following entries are displayed on this screen: Global Config System Priority: Specify the system priority for the switch. The system priority and MAC address constitute the system identification (ID).
  • Page 63: Traffic Monitor

    Port Priority: Specify a Port Priority for the port. This value determines the priority of the port to be selected as the dynamic aggregation group member. The port with smaller Port Priority will be considered as the preferred one. If the two port priorities are equal, the port with smaller port number is preferred.
  • Page 64: Traffic Statistics

    Traffic Summary UNIT:1/LAGS: Click 1 to show the information of the physical ports. Click LAGS to show the information of the link aggregation groups. Select: Select the desired port for clearing. It is multi-optional. Port: Displays the port number. Packets Rx: Displays the number of packets received on the port.
  • Page 65: Mac Address

    automatically. Refresh Rate: Enter a value in seconds to specify the refresh interval. Port Select UNIT:1/LAGS: Click 1 to show the information of the physical ports. Click LAGS to show the information of the link aggregation groups. Port: Enter a port number and click the Select button or select the port to view the traffic statistics of the corresponding port.
  • Page 66 information, which is the base for the switch to forward packets quickly. The entries in the Address Table can be updated by auto-learning or configured manually. Most entries are generated and updated by auto-learning. In the stable networks, the static MAC address entries can facilitate the switch to reduce broadcast packets and enhance the efficiency of packets forwarding remarkably.
  • Page 67: Address Table

    5.4.1 Address Table On this page, you can view all the information of the Address Table. Choose the menu Switching→MAC Address→Address Table to load the following page. Figure 5-14 Address Table The following entries are displayed on this screen: Search Option...
  • Page 68: Static Address

    Port: Displays the corresponding Port number of the MAC address. Type: Displays the type of the MAC address. Aging Status: Displays the aging status of the MAC address. 5.4.2 Static Address The static address table maintains the static address entries which can be added or removed manually, independent of the aging time.
  • Page 69: Dynamic Address

    VLAN ID: Enter the VLAN ID number of your desired entry. Port: Enter the Port number of your desired entry. Static Address Table Select: Select the entry to delete or modify the corresponding port number. It is multi-optional. MAC Address: Displays the static MAC Address.
  • Page 70 Choose the menu Switching→MAC Address→Dynamic Address to load the following page. Figure 5-16 Dynamic Address The following entries are displayed on this screen: Aging Config Auto Aging: Allows you to Enable/Disable the Auto Aging feature. Aging Time: Enter the Aging Time for the dynamic address. Search Option...
  • Page 71: Filtering Address

    Tips: Setting aging time properly helps implement effective MAC address aging. The aging time that is too long or too short results in a decrease of the switch performance. If the aging time is too long, excessive invalid MAC address entries maintained by the switch may fill up the MAC address table. This prevents the MAC address table from updating with network changes in time.
  • Page 72: Mac Notification

    VLAN ID: Displays the corresponding VLAN ID. Port: Here the symbol “--” indicates no specified port. Type: Displays the type of the MAC address. Aging Status: Displays the aging status of the MAC address. Note: The MAC address in the Filtering Address Table cannot be added to the Static Address Table or bound to a port dynamically.
  • Page 73: Mac Vlan Security

    MAC Notification Port Config Select: Select the specified port(s) for configuration. It is multi-optional. Port: Displays the port number. Learned Mode Change: Enable/Disable the Learned Mode Change notification on the port. The port’s learned mode includes: Dynamic, Static and Permanent. Exceed Max Enable/Disable the Exceed Max Learned notification on the port.
  • Page 74: L2Pt

    VLAN Security Table Select: Select the desired entry to delete the corresponding VLAN security entry. It's multi-optional. VLAN ID: Displays the VLAN ID of the VLAN security entry. Max Learned MAC: Displays the max learned MAC number of VLAN security entry. Learned Number: Displays the learned MAC number of VLAN security entry.
  • Page 75: L2Pt Config

    5.5.1 L2PT Config Choose the menu Switching→L2PT→L2PT Config to load the following page. Figure 5-2 L2PT Config Configuration Procedure: 1) Enable the Layer 2 Protocol Tunneling globally under Global Config. 2) Configure the tunneling and protocol type on the specified port under Port Config. 3) Click Apply to save your configurations.
  • Page 76 their destination MAC address as 01000CCCCCCC, which includes CDP, VTP, PAgP and UDLD. • 01000CCCCCCD: Enable protocol tunneling for the PVST+ packets. • ALL: All the above Layer 2 protocols are supported for tunneling. Threshold Configure the threshold for packets-per-second accepted for encapsulation.
  • Page 77: Chapter 6 Vlan

    Chapter 6 VLAN The traditional Ethernet is a data network communication technology based on CSMA/CD (Carrier Sense Multiple Access/Collision Detect) via shared communication medium. Through the traditional Ethernet, the overfull hosts in LAN will result in serious collision, flooding broadcasts, poor performance or even breakdown of the Internet.
  • Page 78: Q Vlan

    6.1 802.1Q VLAN VLAN tags in the packets are necessary for the switch to identify packets of different VLANs. The switch works at the data link layer in OSI model and it can identify the data link layer encapsulation of the packet only, so you can add the VLAN tag field into the data link layer encapsulation for identification.
  • Page 79: Vlan Config

    PVID: PVID (Port VLAN ID) is the default VID of the port. When the switch receives an un-VLAN-tagged packet, it will add a VLAN tag to the packet according to the PVID of its received port and forward the packets. When creating VLANs, the PVID of each port, indicating the default VLAN to which the port belongs, is an important parameter with the following two purposes: When the switch receives an un-VLAN-tagged packet, it will add a VLAN tag to the packet...
  • Page 80: Port Config

    The following entries are displayed on this screen: VLAN Table Select: Select the desired entry to delete the corresponding VLAN. It is multi-optional. VLAN ID: Displays the VLAN ID. Name: Displays the name of the specific VLAN. Members: Displays the port members in the VLAN. Operation: Allows you to view or modify the information for each entry.
  • Page 81 Choose the menu VLAN→802.1Q VLAN→Port Config to load the following page. Figure 6-5 Port Config The following entries are displayed on this screen: VLAN Port Config UNIT:1/LAGS: Click 1 to configure the physical ports. Click LAGS to configure the link aggregation groups.
  • Page 82: Application Example For 802.1Q Vlan

    VLAN: Click the Detail button to view the information of the VLAN to which the port belongs. Click the Detail button to view the information of the corresponding VLAN. Figure 6-6 View the Current VLAN of Port The following entries are displayed on this screen: VLAN of Port...
  • Page 83: Mac Vlan

    Network Diagram Configuration Procedure Configure switch A Step Operation Description Configure Link Type of the ports: Required. On VLAN→802.1Q VLAN→Port Config page, configure the link type of Port 2, Port 3 and Port 4 as ACCESS, TRUNK and ACCESS respectively. Create VLAN10...
  • Page 84: Mac Vlan

    • When receiving an untagged packet, the switch matches the packet with the current MAC VLAN. If the packet is matched, the switch will add a corresponding MAC VLAN tag to it. If no MAC VLAN is matched, the switch will add a tag to the packet according to the PVID of the received port.
  • Page 85: Port Enable

    Operation: Click the Edit button to modify the settings of the entry. And click the Modify button to apply your settings. 6.3.2 Port Enable On this page, you can enable the port for the MAC VLAN feature. Only when the port is enabled can the configured MAC VLAN take effect.
  • Page 86 The two departments are in VLAN10 and VLAN20 respectively. The two notebooks can just access the server of their own departments, that is, Server A and Server B, in the two meeting rooms; The MAC address of Notebook A is 00-19-56-8A-4C-71, Notebook B’s MAC address is...
  • Page 87: Protocol Vlan

    Configure switch B Step Operation Description Configure the Link Type of the ports: Required. On VLAN→802.1Q VLAN→Port Config page, configure the link type of Port 21 and Port 22 as GENERAL and TRUNK respectively. Create VLAN10: Required. On VLAN→802.1Q VLAN→VLAN Config page, create a VLAN with its VLAN ID as 10, owning Port 21 and Port 22, and configure the egress rule of Port 21 as Untag.
  • Page 88: Protocol Group Table

    Protocol Type Type value 0x8137 IS-IS 0x8000 LACP 0x8809 802.1X 0x888E Table 6-1 Protocol types in common use The packet in Protocol VLAN is processed in the following way: When receiving an untagged packet, the switch matches the packet with the current Protocol VLAN.
  • Page 89: Protocol Group

    6.5.2 Protocol Group On this page, you can configure the Protocol Group. Choose the menu VLAN→Protocol VLAN→Protocol Group to load the following page. Figure 6-10 Enable Protocol VLAN for Port Protocol Group Config Protocol Name: Select the defined protocol template. VLAN ID: Enter the ID number of the Protocol VLAN.
  • Page 90 Choose the menu VLAN→Protocol VLAN→Protocol Template to load the following page. Figure 6-11 Create and View Protocol Template The following entries are displayed on this screen: Create Protocol Template Protocol Name: Give a name for the Protocol Template. Frame Type: Select a Frame Type for the Protocol Template.
  • Page 91: Application Example For Protocol Vlan

    Step Operation Description Create VLAN. Required. On the VLAN→802.1Q VLAN→VLAN Config page, click the Create button to create a VLAN. Enter the VLAN ID and the description for the VLAN. Meanwhile, specify its member ports. Create Protocol Template. Required. On the VLAN→Protocol VLAN→Protocol Template page, create the Protocol Template before configuring Protocol VLAN.
  • Page 92 Network Diagram
    Configuration Procedure
    Configure switch A
    Step Operation Description
    Configure Link Type of the ports: Required. On VLAN→802.1Q VLAN→Port Config page, configure the link type of Port 11 and Port 13 as ACCESS, and configure the link type of Port 12 as GENERAL.
  • Page 93: Vlan Vpn

    Step Operation Description
    Create Protocol Template: Required. On VLAN→Protocol VLAN→Protocol Template page, configure the protocol template practically. E.g. the Ether Type of IP network packets is 0800 and that of AppleTalk network packets is 809B.
    Create Protocol VLAN 10: On VLAN→Protocol VLAN→Protocol Group page, create protocol VLAN 10 with Protocol as IP.
  • Page 94: Vpn Config

    Protocol type Value LACP 0x8809 802.1X 0x888E Table 6-2 Values of Ethernet frame protocol type in common use This VLAN VPN function is implemented on the VPN Config, VLAN Mapping and Port Enable pages. 6.7.1 VPN Config This page allows you to enable the VPN function, adjust the global TPID for VLAN-VPN packets and enable the VPN up-link port.
  • Page 95: Port Enable

    6.7.2 Port Enable On this page, you can enable the port for the VLAN Mapping function. The configured VLAN Mapping function takes effect only when the port is enabled. Figure 6-13 Enable Port for VLAN Mapping VPN Port Enable UNIT: Click 1 to configure the physical ports.
  • Page 96 Choose the menu VLAN→VLAN VPN→VLAN Mapping to load the following page. Figure 6-14 Create VLAN Mapping Entry The following entries are displayed on this screen: Global Config VLAN Mapping: Enable/Disable the VLAN mapping function. If VLAN mapping is disabled and VLAN VPN is enabled, the packet will be encapsulated with an outer tag according to the PVID of its arriving port.
  • Page 97 Figure 6-15 VLAN Mapping Entry Config Modify the SP VLAN and name of the selected entry and click Edit to apply. Note: When VPN mode is globally enabled, VPN function takes effect on all ports. If VPN mode is disabled, VLAN Mapping function can be enabled by selecting your desired port on this Port Enable page.
  • Page 98: Gvrp

    Step Operation Description
    Create VLAN Mapping entries: Required. On the VLAN→VLAN VPN→VLAN Mapping page, configure the VLAN Mapping entries based on the actual application.
    Enable VLAN Mapping function for port: Required. On the VLAN→VLAN VPN→Port Enable page, enable VLAN Mapping function for the ports.
    Create (Service Optional.
  • Page 99 • Join Timer: To transmit the Join messages reliably to other entities, a GARP entity sends each Join message two times. The Join timer is used to define the interval between the two sending operations of each Join message. • Leave Timer: When a GARP entity expects to deregister a piece of attribute information, it sends out a Leave message.
  • Page 100 Figure 6-16 GVRP Config Note: If the GVRP feature is enabled for a member port of LAG, please ensure all the member ports of this LAG are set to be in the same status and registration mode. The following entries are displayed on this screen: Global Config ...
  • Page 101: Private Vlan

    • Fixed: In this mode, a port cannot register/deregister a VLAN dynamically. It only propagates static VLAN information. • Forbidden: In this mode, a port cannot register/deregister VLANs. It only propagates VLAN 1 information. LeaveAll Timer: Once the LeaveAll Timer is set, the port with GVRP enabled can send a LeaveAll message after the timer times out, so that other GARP ports can re-register all the attribute information.
  • Page 102 devices need to identify Primary VLANs but not Secondary VLANs. Therefore, they can save VLAN resources without considering the VLAN configuration in the lower layer. Meanwhile, the service provider can assign each user an individual Secondary VLAN, so that users are separated at the Layer 2 level.
  • Page 103: Pvlan Config

    Private VLAN functions are implemented on the PVLAN Config and Port Config pages. 6.9.1 PVLAN Config On this page, you can create Private VLAN and view the information of the current defined Private VLANs. Choose the menu VLAN→Private VLAN→PVLAN Config to load the following page. Figure 6-17 Create Private VLAN The following entries are displayed on this screen: Create Private VLAN...
  • Page 104: Port Config

    Primary VLAN: Displays the Primary VLAN ID number of the Private VLAN. Secondary VLAN: Displays the Secondary VLAN ID number of the Private VLAN. Port: Displays the port list of the Private VLAN. 6.9.2 Port Config The Private VLAN provides two Port Types for the ports, Promiscuous and Host. Usually, the Promiscuous port is used to connect to uplink devices while the Host port is used to connect to the terminal hosts, such as PC and Server.
  • Page 105: Application Example For Private Vlan

    UNIT: Click 1 to configure the physical ports. Click LAGS to configure the link aggregation groups. Private VLAN Port Table Port ID: Displays the port number. Port Type: Displays the corresponding Port Type. Note: A Host Port can only join one Private VLAN. A Promiscuous Port can only join one Primary VLAN.
  • Page 106 Network Diagram
    Configuration Procedure
    Configure Switch C
    Step Operation Description
    Create VLAN6: Required. On VLAN→802.1Q VLAN→VLAN Config page, create a VLAN with its VLAN ID as 6, owning Port 1/0/1.
    Configure switch A
    Step Operation Description
    Required.
  • Page 107 Promiscuous port to Private VLANs: Required. On the VLAN→Private VLAN→Port Config page, configure the port type of Port 1/0/3 as Promiscuous, enter Primary VLAN 6 and Secondary VLAN 5, and click the Apply button.
    Add Host port to Private VLANs: Required. On the VLAN→Private VLAN→Port Config page, configure the port type of 1/0/12 as Host, enter Primary VLAN 6 and Secondary VLAN 5, and click the Apply button.
  • Page 108: Chapter 7 Spanning Tree

    Chapter 7 Spanning Tree STP (Spanning Tree Protocol), defined by the IEEE 802.1D standard, breaks loops in a ring network at the Data Link layer of a local network. Devices running STP discover loops in the network and block ports by exchanging information; in this way a ring network is pruned into a loop-free tree topology, which prevents packets from being duplicated and forwarded endlessly in the network.
  • Page 109 Figure 7-1 Basic STP diagram STP Timers Hello Time: Hello Time ranges from 1 to 10 seconds. It specifies the interval to send BPDU packets. It is used to test the links. Max. Age: Max. Age ranges from 6 to 40 seconds. It specifies the maximum time the switch can wait without receiving a BPDU before attempting to reconfigure.
  • Page 110 Comparing BPDUs Each switch sends out configuration BPDUs and receives a configuration BPDU on one of its ports from another switch. The following table shows the comparing operations. Step Operation If the priority of the BPDU received on the port is lower than that of the BPDU of the port itself, the switch discards the BPDU and does not change the BPDU of the port.
  • Page 111 • The condition for the root port to transition its port state rapidly: The old root port of the switch stops forwarding data and the designated port of the upstream switch begins to forward data. • The condition for the designated port to transition its port state rapidly: The designated port is ...
  • Page 112 The following figure shows the network diagram in MSTP. Figure 7-2 Basic MSTP diagram MSTP MSTP divides a network into several MST regions. The CST is generated between these MST regions, and multiple spanning trees can be generated in each MST region. Each spanning tree is called an instance.
  • Page 113: Stp Config

    The following diagram shows the different port roles. Figure 7-3 Port roles The Spanning Tree module is mainly for spanning tree configuration of the switch, including four submenus: STP Config, Port Config, MSTP Instance and STP Security. 7.1 STP Config The STP Config function, for global configuration of spanning trees on the switch, can be implemented on STP Config and STP Summary pages.
  • Page 114 The following entries are displayed on this screen: Global Config Spanning-Tree: Select Enable/Disable STP function globally on the switch. Mode: Select the desired STP mode on the switch. • STP: Spanning Tree Protocol. • RSTP: Rapid Spanning Tree Protocol. •...
  • Page 115: Stp Summary

    7.1.2 STP Summary On this page you can view the related parameters for Spanning Tree function. Choose the menu Spanning Tree→STP Config→STP Summary to load the following page. Figure 7-5 STP Summary...
  • Page 116: Port Config

    7.2 Port Config On this page you can configure the parameters of the ports for CIST. Choose the menu Spanning Tree→Port Config to load the following page. Figure 7-6 Port Config The following entries are displayed on this screen: Port Config ...
  • Page 117: Mstp Instance

    Port Mode: Display the spanning tree mode of the port. Port Role: Displays the role of the port played in the STP Instance. • Root Port: Indicates the port that has the lowest path cost from this bridge to the Root Bridge and forwards packets to the root. • Designated Port: Indicates the port that forwards packets to a ...
  • Page 118: Region Config

    7.3.1 Region Config On this page you can configure the name and revision of the MST region. Choose the menu Spanning Tree→MSTP Instance→Region Config to load the following page. Figure 7-7 Region Config The following entries are displayed on this screen: Region Config ...
  • Page 119: Instance Port Config

    The following entries are displayed on this screen: VLAN-Instance Mapping Instance ID: Enter the corresponding instance ID. VLAN ID: Enter the desired VLAN ID. After modification here, the new VLAN ID will be added to the corresponding instance ID and the previous VLAN ID won’t be replaced.
  • Page 120 Choose the menu Spanning Tree→MSTP Instance→Instance Port Config to load the following page. Figure 7-9 Instance Port Config The following entries are displayed on this screen: Instance ID Select Instance ID: Select the desired instance ID for its port configuration. Instance Port Config ...
  • Page 121: Stp Security

    Port Role: Displays the role of the port played in the MSTP Instance. Port Status: Displays the working status of the port. LAG: Displays the LAG number which the port belongs to. Note: The port status of one port in different spanning tree instances can be different. Global configuration Procedure for Spanning Tree function: Step Operation Description...
  • Page 122 packets from the upstream switch and spanning trees are regenerated, and thereby loops can be prevented. Root Protect A CIST and its secondary root bridges are usually located in the high-bandwidth core region. Misconfiguration or a malicious attack may cause the legitimate root bridge to receive configuration BPDU packets with higher priorities, so that the current legitimate root bridge loses its position and network topology jitter occurs.
  • Page 123 Choose the menu Spanning Tree→STP Security→Port Protect to load the following page. Figure 7-10 Port Protect The following entries are displayed on this screen: Port Protect UNIT:1/LAGS: Click 1 to configure the physical ports. Click LAGS to configure the link aggregation groups.
  • Page 124: Tc Protect

    7.4.2 TC Protect When TC Protect is enabled for the port on Port Protect page, the TC threshold and TC protect cycle need to be configured on this page. Choose the menu Spanning Tree→STP Security→TC Protect to load the following page. Figure 7-11 TC Protect The following entries are displayed on this screen: TC Protect...
  • Page 125 On Spanning Tree→STP Config→Port Config page, enable MSTP function for the port. Configure the region name and Spanning Tree→MSTP Instance→Region the revision of MST region Config page, configure the region as TP-LINK and keep the default revision setting. Configure VLAN-to-Instance Spanning Tree→MSTP Instance→Instance...
  • Page 126 Step Operation Description Configure the region name and Spanning Tree→MSTP Instance→Region the revision of MST region Config page, configure the region as TP-LINK and keep the default revision setting. Configure VLAN-to-Instance Spanning Tree→MSTP Instance→Instance mapping table of the MST region Config page, configure VLAN-to-Instance mapping table.
  • Page 127 On Spanning Tree→STP Config→Port Config page, enable MSTP function for the port. Configure the region name and Spanning Tree→MSTP Instance→Region Config page, configure the region as TP-LINK and the revision of MST region keep the default revision setting. On Spanning Tree→MSTP Instance→Instance Configure VLAN-to-Instance...
  • Page 128 Suggestion for Configuration • Enable TC Protect function for all the ports of switches. • Enable Root Protect function for all the ports of root bridges. • Enable Loop Protect function for the non-edge ports. • Enable BPDU Protect function or BPDU Filter function for the edge ports which are connected to the PC and server.
  • Page 129: Chapter 8 Ethernet Oam

    Chapter 8 Ethernet OAM OAM Overview Ethernet OAM (Operation, Administration, and Maintenance) is a Layer 2 protocol for monitoring and troubleshooting Ethernet networks. It can report the network status to network administrators through the OAMPDUs exchanged between two OAM entities, facilitating network management. Ethernet OAM is a slow protocol with very limited bandwidth requirement.
  • Page 130 Information OAMPDU: Information OAMPDU is used for discovery. It transmits the state information of an OAM entity (including local, remote, and organization-specific information) to another OAM entity, and maintains OAM connection. Event Notification OAMPDU: Event Notification OAMPDU is used for link monitoring. It is sent as an alarm when a failure occurs to the link connecting the local OAM entity and a remote OAM entity.
  • Page 131 Item | Active OAM mode | Passive OAM mode
    Transmitting Loopback Control OAMPDUs | Available | Unavailable
    Responding to Loopback Control OAMPDUs | Available (if both sides operate in active OAM mode) | Available
    Transmitting organization-specific OAMPDUs | Available | Available
    Table 8-1 Differences between active OAM mode and passive OAM mode
    After an OAM connection is established, the OAM entities on both sides exchange Information OAMPDUs periodically to keep the OAM connection valid.
  • Page 132: Basic Config

    Information OAMPDUs are sent between the OAM entities periodically, so an OAM entity can inform one of its OAM peers of link faults through Information OAMPDUs. The network administrator can then be informed of the link faults and take action in time. Remote Loopback Remote loopback helps to ensure the quality of links during installation or when troubleshooting.
  • Page 133: Basic Config

    8.1.1 Basic Config Choose the menu Ethernet OAM→Basic Config→Basic Config to load the following page. Figure 8-4 Basic Config The following entries are displayed on this screen: Basic Config Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered.
  • Page 134: Discovery Info

    8.1.2 Discovery Info Choose the menu Ethernet OAM→Basic Config→Discovery Info to load the following page. Figure 8-5 Discovery Info The following entries are displayed on this screen: Local Client The local client part shows the information of the local OAM entity. OAM: Displays whether the OAM function is enabled or disabled on the selected port.
  • Page 135 Link Monitoring: Displays whether the local client supports link monitoring function. Variable Request: Displays whether the local client supports variable request. If it does, the local client can send some variable requests to the remote client to learn about the link status from the response of the remote client.
  • Page 136: Link Monitoring

    Variable Request: Displays whether the remote client supports variable request. PDU Revision: Displays the TLV revision of the OAMPDU. Vendor Information: Displays the vendor information of the remote client. 8.2 Link Monitoring On this page, you can configure the parameters about OAM link events, including the threshold and the detection period.
  • Page 137: Rfi

    Threshold: Specify the threshold for the selected link event. • For Symbol Period Error, it is the number of error symbols in the period that is required to be exceeded. • For Frame Error, it is the number of error frames in the period ...
  • Page 138: Remote Loopback

    Select: Select the desired port for configuration. It is multi-optional. Dying Gasp Notify: Choose whether to notify the dying gasp or not. Critical Event Notify: Choose whether to notify the critical event or not. 8.4 Remote Loopback On this page, you can initiate remote loopback if the OAM connection is established and the local client works in active mode.
  • Page 139: Statistics

    Remote Loopback: To start or stop the remote loopback. 8.5 Statistics You can view the statistics about the detailed Ethernet OAM traffic information and event log information of a specific port here. 8.5.1 Statistics On this page, you can view the detailed Ethernet OAM traffic information of a specific port. The device will recount the numbers every time you click the clear button or the device is rebooted.
  • Page 140: Event Log

    Unique Event Notification OAMPDUs: Displays the number of unique event notification OAMPDUs that have been transmitted or received on the port. Duplicate Event Notification OAMPDUs: Displays the number of duplicate event notification OAMPDUs that have been transmitted or received on the port. Variable Request...
  • Page 141: Dldp

    The following entries are displayed on this screen: Event Log Statistics Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered. Local: Displays the number of link events that have occurred on the local link.
  • Page 142 spanning-tree topology loops. Once detecting a unidirectional link, DLDP can shut down the related port automatically or inform users. DLDP Operation Mechanism 1. DLDP Link States DLDP defines 6 link states for a device: Initial, Inactive, Active, Advertisement, Probe and Disable. State Description Initial...
  • Page 143 ○ 3 : If the device doesn’t receive any DLDP packets within 5 seconds, the DLDP link state will transit to Advertisement. ○ 4 : After receiving a packet from an unknown neighbor, the device’s link state will transit from Active to Probe, and then send out several probe packets to detect the link state.
  • Page 144 Figure 8-12 DLDP Config The following entries are displayed on this screen: Global Config DLDP State: Enable/Disable the DLDP function globally. Adver Interval: Configure the interval to send advertisement packets, ranging from 1 to 30 seconds. The default value is 5 seconds. Shut Mode: Once detecting a unidirectional link, the port can be shut down in one of the following two modes:...
  • Page 145: Application Example For Dldp

    Web Refresh State: Enable/Disable the web automatic refresh function. Web Refresh Interval: Configure the interval to refresh the web page, ranging from 1 to 100 seconds, and the default value is 5 seconds. Port Config Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered.
  • Page 146 Network Diagram
    Figure 8-13 DLDP Application Example
    Configuration Procedure
    Step Operation Description
    Enable DLDP globally: Required. On the Ethernet OAM→DLDP→DLDP page, configure DLDP State as enable under the Global Config tab in device A and B.
    Enable DLDP on the specified ports: Required. On the Ethernet OAM→DLDP→DLDP page,
  • Page 147 After these four ports are correctly connected, select ports 1/0/27 and 1/0/28 in the Port Config table and click the Reset button to restore their state from Disable.
  • Page 148: Chapter 9 Multicast

    Chapter 9 Multicast Multicast Overview In the network, packets are sent in three modes: unicast, broadcast and multicast. In unicast, the source server sends a separate copy of the information to each receiver. When a large number of users require this information, the server must send many pieces of information with the same content to the users.
  • Page 149 IPv4 Multicast Address 1. IPv4 Multicast IP Address: As specified by IANA (Internet Assigned Numbers Authority), Class D IP addresses are used as destination addresses of multicast packets. The multicast IP addresses range from 224.0.0.0~239.255.255.255. The following table displays the range and description of several special multicast IP addresses.
  • Page 150 IPv6 Multicast Address 1. IPv6 Multicast Address An IPv6 multicast address is an identifier for a group of interfaces, and has the following format: • 0xFF at the start of the address identifies the address as being a multicast address. ...
  • Page 151 • Group ID: 112 bits, IPv6 multicast group identifier that uniquely identifies an IPv6 multicast group in the scope defined by the Scope field. Reserved Multicast Addresses: Address Indication FF01::1 All interface-local IPv6 nodes FF02::1 All link-local IPv6 nodes FF01::2 All interface-local IPv6 routers FF02::2 All link-local IPv6 routers...
  • Page 152: Igmp Snooping

    The high-order 16 bits of the IP multicast address are 0x3333, identifying the IPv6 multicast group. The low-order 32 bits of the IPv6 multicast IP address are mapped to the multicast MAC address. Multicast Address Table The switch forwards multicast packets based on the multicast address table. As the transmission of multicast packets cannot span the VLAN, the first part of the multicast address table is VLAN ID, based on which the received multicast packets are forwarded in the VLAN owning the receiving port.
  • Page 153 IGMP Messages The switch, running IGMP Snooping, processes the IGMP messages of different types as follows. 1. IGMP Query Message IGMP query message, sent by the router, falls into two types, IGMP general query message and IGMP group-specific-query message. The router regularly sends IGMP general message to query if the multicast groups contain any member.
  • Page 154: Snooping Config

    2. Timers Router Port Time: Within the time, if the switch does not receive IGMP query message from the router port, it will consider this port is not a router port any more. The default value is 300 seconds. Member Port Time: Within the time, if the switch does not receive IGMP report message from the member port, it will consider this port is not a member port any more.
  • Page 155 The following entries are displayed on this screen: Global Config IGMP Snooping: Select Enable/Disable IGMP Snooping function globally on the switch. Unknown Multicast: Select the operation for the switch to process unknown multicast, Forward or Discard. Report Message Suppression: Enable or disable Report Message Suppression function globally. If this function is enabled, the first Report Message from the listener will be forwarded to the router ports while the subsequent...
  • Page 156: Port Config

    9.1.2 Port Config On this page you can enable or disable the IGMP Snooping and Fast Leave feature for ports of the switch. Choose the menu Multicast→IGMP Snooping→Port Config to load the following page. Figure 9-6 Port Config The following entries are displayed on this screen: Port Config ...
  • Page 157: Vlan Config

    Note: Fast Leave on the port is effective only when the host supports IGMPv2 or IGMPv3. When both Fast Leave feature and Unknown Multicast Discard feature are enabled, the leaving of a user connected to a port shared by multiple users will interrupt the multicast service of the other users.
  • Page 158: Multicast Vlan

    Router Ports: Specify the static router port which is mainly used in the network with stable topology. VLAN Table Select: Select the desired VLAN ID for configuration. It is multi-optional. VLAN ID: Displays the VLAN ID. Router Port Time: Displays the router port time of the VLAN.
  • Page 159 Choose the menu Multicast→IGMP Snooping→Multicast VLAN to load the following page. Figure 9-8 Multicast VLAN The following entries are displayed on this screen: Multicast VLAN Multicast VLAN: Select Enable/Disable Multicast VLAN feature. VLAN ID: Enter the VLAN ID of the multicast VLAN. Router Port Time: Specify the aging time of the router port.
  • Page 160 Replace Source IP: Specify the IP address with which the switch will replace the source of IGMP packets. Dynamic Router Ports: Displays the dynamic router ports of the multicast VLAN. Static Router Ports: Specify the static router port which is mainly used in the network with stable topology.
  • Page 161 Switch: Port 3 is connected to the router and the packets are transmitted in VLAN3; port 4 is connected to user A and the packets are transmitted in VLAN4; port 5 is connected to user B and the packets are transmitted in VLAN5. User A: Connected to Port 4 of the switch.
  • Page 162: Querier Config

    Check Multicast VLAN: Port 3-5 and Multicast VLAN 3 will be displayed in the IGMP Snooping Status table on the Multicast→IGMP Snooping→Snooping Config page. 9.1.5 Querier Config In an IP multicast network that runs IGMP, a Layer 3 multicast device works as an IGMP querier to send IGMP queries and manage the multicast table.
  • Page 163: Profile Config

    General Query Source IP: Displays the source IP of the general query frame sent by IGMP Snooping Querier. 9.1.6 Profile Config On this page you can configure an IGMP profile. Choose the menu Multicast→IGMP Snooping→Profile Config to load the following page. Figure 9-10 Profile Config The following entries are displayed on this screen: Profile Creation...
  • Page 164 Mode: Displays the attribute of the profile. • Permit: Only permit the IP address within the IP range and deny others. • Deny: Only deny the IP address within the IP range and permit others. Bind Ports: Displays the ports that the Profile is bound to. Operation: Click the Edit button to configure the mode or IP-range of the Profile.
  • Page 165: Profile Binding

    9.1.7 Profile Binding When the switch receives IGMP report message, it examines the profile ID bound to the access port to determine if the port can join the multicast group. If the multicast IP is not filtered, the switch will add the port to the forward port list of the multicast group. Otherwise, the switch will drop the IGMP report message.
  • Page 166: Packet Statistics

    Overflow Action: The policy to apply when the number of multicast groups a port has joined reaches the maximum. • Drop: Drop the successive report packet, and this port can not join any other multicast group. • Replace: When the number of the dynamic multicast groups ...
  • Page 167 Figure 9-12 Packet Statistics The following entries are displayed on this screen: Auto Refresh Auto Refresh: Select Enable/Disable auto refresh feature. Refresh Period: Enter the time from 3 to 300 in seconds to specify the auto refresh period. IGMP Statistics ...
  • Page 168: Igmp Authentication

    9.1.9 IGMP Authentication IGMP Authentication (Internet Group membership Authentication Protocol) is a multicast authentication protocol used to authenticate who wants to join the limited multicast source. On this page you can configure IGMP Authentication feature for port. Choose the menu Multicast→IGMP Snooping→IGMP Authentication to load the following page.
  • Page 169: Mld Snooping

    General Query Source IP: Enter the source IP of the general query frame sent by IGMP Snooping Querier. It should not be a multicast IP or a broadcast IP. IGMP Authentication: Select Enable/Disable IGMP Authentication for the desired port. LAG: Displays the LAG number which the port belongs to.
  • Page 170: Snooping Config

    General Query Interval: The interval at which the multicast router sends out general queries. Last Listener Query Interval: The interval at which the switch sends out MASQs. Last Listener Query Count: The number of MASQs that the switch sends before aging out a multicast address when there is no MLD report response.
  • Page 171 Choose the menu Multicast→MLD Snooping→Snooping Config to load the following page. Figure 9-14 Snooping Config The following entries are displayed on this screen: Global Config MLD Snooping: Enable or disable MLD Snooping function globally. Unknown Multicast: Choose to forward or drop unknown multicast data. Unknown IPv6 multicast packets refer to those packets without corresponding forwarding entries in the IPv6 multicast table: When unknown multicast filter is enabled, the switch will discard...
  • Page 172 Last Listener Query Interval: Enter the interval at which the switch sends out MASQs. Last Listener Query Count: Enter the number of MASQs that the switch sends before aging out a multicast address when there is no MLD report response. MLD Snooping Status ...
  • Page 173: Port Config

    9.2.2 Port Config On this page you can configure MLD Snooping function with each single port. Choose the menu Multicast→MLD Snooping→Port Config to load the following page. Figure 9-15 Port Config The following entries are displayed on this screen: Port Config ...
  • Page 174: Vlan Config

    9.2.3 VLAN Config On this page you can configure MLD Snooping function with each single VLAN. You need to create VLAN if you want to enable MLD Snooping function in this VLAN. Choose the menu Multicast→MLD Snooping→VLAN Config to load the following page. Figure 9-16 VLAN Config The following entries are displayed on this screen: VLAN Config...
  • Page 175: Multicast Vlan

    Router Port Time: Displays the router port time of this VLAN. Member Port Time: Displays the member port time of this VLAN. Static Router Ports: Displays the static router ports of this VLAN. Dynamic Router Ports: Displays the dynamic router ports of this VLAN.
  • Page 176 Figure 9-17 Multicast VLAN Config The following entries are displayed on this screen: Multicast VLAN Multicast VLAN: Select Enable/Disable Multicast VLAN feature. VLAN ID: Enter the VLAN ID of the multicast VLAN. Router Port Time: Specify the aging time of the router port. Within this time, if the switch doesn’t receive IGMP query message from the router port, it will consider this port is not a router port any more.
  • Page 177: Querier Config

    Forbidden Router Ports: Specify the forbidden router ports, which are mainly used to forbid ports from becoming router ports. Note: The router port should be in the multicast VLAN, otherwise the member ports cannot receive multicast streams. The Multicast VLAN won't take effect unless you first complete the configuration for the corresponding VLAN owning the port on the 802.1Q VLAN page.
  • Page 178: Profile Config

    Select: Select the Querier you want to change. VLAN ID: Displays the VLAN ID. Query Interval: Displays the Query message interval time. Max Response Time: Displays the value of Maximum Response Time of the Query message. General Query Displays the Query message source IP address. Source IP: Note: The MLD Snooping Querier doesn’t participate in the MLD Querier Election, but an MLD Snooping...
  • Page 179 All: Display all profile entries. Profile ID: Display profile entry of the ID. MLD Profile Info Select: Select the profile entries you want to configure. Profile ID: Displays the profile ID. Mode: Displays the attribute of the profile. Permit: Only permit the IP address within the IP ...
  • Page 180: Profile Binding

    IP-range Table Select: Select the desired entry for configuration. Index: Displays index of the IP-range which is not configurable. Start IP: Displays the start IP address of the IP-range. End IP: Displays the end IP address of the IP-range. 9.2.7 Profile Binding When the switch receives MLD report message, it examines the profile ID bound to the access port to determine if the port can join the multicast group.
  • Page 181: Packet Statistics

    Port: The port to be bound. Profile ID: The existing Profile ID bound to the selected port. Max Group: The maximum number of multicast groups a port can join, ranging from 0 to 1000. Overflow Action: The policy to be taken when the number of multicast groups a port has joined reaches the maximum.
  • Page 182 Choose the menu Multicast→MLD Snooping→Packet Statistics to load the following page. Figure 9-21 Packet Statistics The following entries are displayed on this screen: Auto Fresh Auto Fresh: Select Enable/Disable auto fresh feature. Fresh Period: Enter the time from 3 to 300 seconds to specify the auto fresh period.
  • Page 183: Multicast Table

    Error Packet: Displays the number of error packets the port received. 9.3 Multicast Table In a network, receivers can join different multicast groups appropriate to their needs. The switch forwards multicast streams based on IPv4/IPv6 multicast address table. The Multicast Table function is implemented on the IPv4 Multicast Table, Static IPv4 Multicast Table, IPv6 Multicast Table and Static IPv6 Multicast Table pages.
  • Page 184 Figure 9-23 Static IPv4 Multicast Table The following entries are displayed on this screen: Create Static Multicast Multicast IP: Enter the multicast IP address the desired entry must carry. VLAN ID: Enter the VLAN ID the desired entry must carry. Forward Port: Enter the forward ports.
  • Page 185: Ipv6 Multicast Table

    VLAN ID: Displays the VLAN ID of the multicast group. Forward Port: Displays the forward port of the multicast group. 9.3.3 IPv6 Multicast Table This page displays the IPv6 multicast groups which are already on the switch. Choose the menu Multicast→Multicast Table→IPv6 Multicast Table to load the following page. Figure 9-24 IPv6 Multicast Table The following entries are displayed on this screen: Search Option...
  • Page 186 Figure 9-25 IPv6 Multicast Table The following entries are displayed on this screen: Create Static Multicast Multicast IP: Enter the multicast IP address the desired entry must carry. VLAN ID: Enter the VLAN ID the desired entry must carry. Forward Port: Enter the forward ports.
  • Page 187 The max number of multicast entries is 1000. The IPv4 multicast table and IPv6 multicast table share the total entry number of 1000.
  • Page 188: Chapter 10 Routing

    Chapter 10 Routing Routing is the method by which the host or gateway decides where to send the datagram. Routing is the task of finding a path from a sender to a desired destination. It may be able to send the datagram directly to the destination, if that destination is on one of the networks that are directly connected to the host or gateway.
  • Page 189 5. Automatic address configuration: To simplify the host configuration, IPv6 supports stateful and stateless address configuration. Stateful address configuration means that a host acquires an IPv6 address and related information from a server (for example, DHCP server). Stateless address configuration means that a host automatically configures an IPv6 ...
  • Page 190 An IPv6 address prefix is represented in "IPv6 address/prefix length" format, where "IPv6 address" is an IPv6 address in any of the above-mentioned formats and "prefix length" is a decimal number indicating how many leftmost bits from the preceding IPv6 address are used as the address prefix.
  • Page 191 IPv6 unicast address is an identifier for a single interface. It consists of a subnet prefix and an interface ID. Subnet Prefix: This section is allocated by the IANA (The Internet Assigned Numbers Authority), the ISP (Internet Service Provider) or the organizations. Interface ID: An interface ID is used to identify interfaces on a link.
  • Page 192 Link-local address A link-local address is an IPv6 unicast address that can be automatically configured on any interface using the link-local prefix FE80::/10 (1111 1110 10) and the interface identifier in the modified EUI-64 format. Link-local addresses are used in the neighbor discovery protocol and the stateless autoconfiguration process.
  • Page 193 After receiving the NS message, node B judges whether the destination address of the packet corresponds to the solicited-node multicast address. If yes, node B can learn the link-layer address of node A, and unicasts an NA message containing its link-layer address. Node A acquires the link-layer address of node B from the NA message.
  • Page 194 Default router information (whether the device sending the advertisement should be used as a default router and, if so, the amount of time, in seconds, the device should be used as a default router). Additional information for hosts, such as the hop limit and maximum transmission unit (MTU) ...
  • Page 195 The following entries are displayed on this screen: Create Interface Interface ID: Enter the ID of the interface corresponding to VLAN interface, loopback interface, routed port or port channel. IP Address Mode: Specify IP Address allocation mode. None: without IP. ...
  • Page 196 For IPv4 interface Click Edit to display the following figure: Figure 10-4 IPv4 Interface Config Modify Interface Interface ID: Display the ID of the interface corresponding to the VLAN interface, loopback interface, routed port or port channel. IP Address Mode: View and modify the IP address allocation mode.
  • Page 197 Subnet Mask: Displays the subnet mask of the secondary IP address. For IPv6 interface Click Edit to display the following figure: Figure 10-5 System IPv6 The following entries are displayed on this screen: Global Config IPv6: Enable/Disable IPv6 function globally on the switch. Interface ID: Choose the interface type and input the interface ID.
  • Page 198 Status: Displays the status of the link-local address. Normal: Indicates that the link-local address is normal. Try: Indicates that the link-local address may be newly configured. Repeat: Indicates that the link-local address is duplicate. It is illegal to access the switch using the IPv6 address (including link-local and global address).
  • Page 199 Status: Displays the status of the global address. Normal: Indicates that the global address is normal. Try: Indicates that the global address may be newly configured. Repeat: Indicates that the corresponding address is duplicate. It is illegal to access the switch using this address. Tips: After adding a global IPv6 address to your switch manually here, you can configure your PC’s global IPv6 address in the same subnet with the switch and log in to the switch via its global IPv6...
  • Page 200: Routing Table

    Admin Status: Displays the Admin status. Choose Disable to disable the interface's Layer 3 capabilities. Interface Name: Displays the name of the interface. Interface Setting Detail Information Displays the detailed setting information of the interface. 10.2 Routing Table This page displays the routing information summary generated by different routing protocols. 10.2.1 IPv4 Routing Table Choose the menu Routing→Routing Table→IPv4 Routing Table to load the following page.
  • Page 201: Static Routing

    The following entries are displayed on this screen: IPv6 Routing Information Summary Protocol: Displays the protocol of the route. Destination/Mask: Displays the destination and subnet of the route. Next Hop: Displays the IPv6 address to which the packet should be sent next. Distance: Displays the management distance of the route.
  • Page 202: Ipv6 Static Routing Config

    Static Route Table Select: Specify the static route entries to modify. Destination Address: Displays the destination IP address of the packets. Subnet Mask: Displays the subnet mask of the destination IP address. Next Hop: Displays the IP address to which the packet should be sent next. Distance: Displays the distance metric of route.
  • Page 203: Dhcp Server

    Next Hop: Displays the IPv6 address to which the packet should be sent next. Distance: Displays the distance metric of route. The smaller the distance, the higher the priority. Metric: Displays the metric of the route. Interface Name: Displays the name of the VLAN interface. 10.4 DHCP Server DHCP module is used to configure the DHCP functions of the switch, including two submenus, DHCP Server and DHCP Relay.
  • Page 204 Figure 10-11 DHCP model To meet the different requirements of DHCP clients, DHCP server is always designed to supply hosts with the configuration parameters in three policies. Manual Assignment: For the specific DHCP clients (e.g., web server), the configuration parameters are manually specified by the administrator and are assigned to these clients via a DHCP server.
  • Page 205 identifier and the IP address offered by the server. Based on the server’s identifier, servers are informed whose offer the client has accepted. DHCP acknowledgement: The server selected in the DHCP-REQUEST message commits the binding for the client to persistent storage and responds with a DHCP-ACK message containing the configuration parameters for the requesting client.
  • Page 206 unicast IP datagrams before its protocol software has been configured should clear the first bit to 0. A server or relay agent sending or relaying a DHCP message directly to a DHCP client should examine the first bit in the 'flags' field. If this bit is set to 1, the DHCP message should be sent as an IP broadcast and if the bit is cleared to 0, the message should be sent as an IP unicast.
  • Page 207 option 51: Lease Time option. In DHCP-OFFER and DHCP-ACK message, the DHCP server uses this option to specify the lease time in which the clients can use the IP address legally. option 53: Message Type option. This option is used to convey the type of the DHCP message.
  • Page 208 Figure 10-15 DHCP Server Application To ensure that IP addresses are assigned smoothly and safely, and to keep the network running steadily, the DHCP Server function on the switch performs the following tasks. Create different IP pool for every VLAN. The device in different VLAN can get the IP address ...
  • Page 209: Dhcp Server

    Configure the Excluded IP address which cannot be assigned by the switch, e.g. web server’s IP, broadcast IP of subnet and gateway’s IP. Specify IP addresses for specific clients, and then the switch will always supply these IP addresses to them only. Configure the IP pool in which the IP address can be assigned to the clients.
  • Page 210: Pool Setting

    Option 138: Configure DHCP option 138. If this option is configured, the DHCP server will respond with packets containing this option if a client running the CAPWAP protocol requests this option. Ping Time Config Ping Packets: The number of packets to be sent. Ping Timeout: The time it takes to determine that the specific IP does not exist.
  • Page 211: Manual Binding

    Figure 10-17 Pool Setting The following entries are displayed on this screen: DHCP Server Pool Pool Name: Enter the name of the pool. Network Address: Specify the network number of the IP addresses in the pool. Subnet Mask: Specify the corresponding subnet mask of the IP address in the pool.
  • Page 212: Binding Table

    Choose the menu Routing→DHCP Server→Manual Binding to load the following page. Figure 10-18 Manual Binding The following entries are displayed on this screen: Manual Binding Pool Name: Select the IP Pool containing the IP address to be bound. IP Address: Specify the IP address to be bound.
  • Page 213: Packet Statistics

    Type: Displays the type of this binding entry. Lease Time Left(s): Displays the remaining lease time of the client. Click Delete to delete the selected entry. 10.4.5 Packet Statistics In this page, you can view the DHCP packets the switch received or sent. Choose the menu Routing→DHCP Server→Packet Statistics to load the following page.
  • Page 214: Application Example For Dhcp Server And Relay

    Configuration Procedure: Step Operation Description Set the link type for port. Required. On the VLAN→802.1Q VLAN→Port Config page, set the link type for the port based on its connected device. Create VLAN. Required. On the VLAN→802.1Q VLAN→VLAN Config page, click the Create button to create a VLAN. Enter the VLAN ID and the description for the VLAN.
  • Page 215 Network Diagram Use the central switch and enable its DHCP server function to allocate IP addresses to clients in the network. Enable the DHCP relay function on each access switch in VLAN 10, 20 and 30. For details about DHCP relay, please refer to 10.5 DHCP Relay.
  • Page 216: Dhcp Relay

    Step Operation Note Manually binding IP addresses: Optional. On page Routing→DHCP Server→Manual Binding, bind specified IP addresses to the specific clients. Configure Access Switch Step Operation Note Enable DHCP Relay: Required. On the Routing→DHCP Server→Global Config page, enable the DHCP Server function, and the DHCP Relay function will be enabled at the same time.
  • Page 217 To allow clients in different VLANs to request IP addresses from one server successfully, the DHCP Relay function can transmit the DHCP packet between clients and server in different VLANs, and all clients in different VLANs can share one DHCP Server. When receiving DHCP-DISCOVER and DHCP-REQUEST packets, the switch will fill the ...
  • Page 218: Global Config

    Figure 10-23 Option 82 Note: The option 82 parameters configured on the switch should be based on and meet the requirements of the network. The DHCP Relay, allowing the clients to get the IP address from the server in another subnet, is implemented on the DHCP Relay page.
  • Page 219: Dhcp Server

    Customization: Enable or disable the switch to define the Option 82 field. Circuit ID: Enter the sub-option Circuit ID for the customized Option 82 field. Remote ID: Enter the sub-option Remote ID for the customized Option 82 field. 10.5.2 DHCP Server This page enables you to configure DHCP Servers on the specified interface.
  • Page 220: Arp

    10.6 ARP Address Resolution Protocol (ARP) records the mapping relationship between IP addresses and MAC addresses in the ARP table. You can also define a static ARP cache entry on the page Static ARP. 10.6.1 ARP Table Choose the menu Routing→ARP→ARP Table to load the following page. Figure 10-26 ARP Table The following entries are displayed on this screen: ARP Table...
  • Page 222: Chapter 11 Qos

    Chapter 11 QoS QoS (Quality of Service) functions to provide different quality of service for various network applications and requirements and optimize the bandwidth resource distribution so as to provide a network service experience of a better quality. This switch classifies the ingress packets, maps the packets to different priority queues and then forwards the packets according to specified scheduling algorithms to implement QoS function.
  • Page 223 2. 802.1P Priority Figure 11-2 802.1Q frame As shown in the figure above, each 802.1Q Tag has a Pri field, comprising 3 bits. The 3-bit priority field is 802.1p priority in the range of 0 to 7. 802.1P priority determines the priority of the packets based on the Pri value.
  • Page 224 Figure 11-4 SP-Mode WRR-Mode: Weight Round Robin Mode. In this mode, packets in all the queues are sent in order based on the weight value for each queue and every queue can be assured of a certain service time. The weight value indicates the occupied proportion of the resource. WRR queue overcomes the disadvantage of SP queue that the packets in the queues with lower priority cannot get service for a long time.
  • Page 225: Diffserv

    Equ-Mode: Equal-Mode. In this mode, all the queues occupy the bandwidth equally. The weight value ratio of all the queues is 1:1:1:1:1:1:1:1. Note: In SP + WRR mode, TC7 and the queue with its weight value set as 0 are in the SP group. The QoS module is mainly for traffic control and priority configuration, including three submenus: DiffServ, Bandwidth Control and Voice VLAN.
  • Page 226: Schedule Mode

    The following entries are displayed on this screen: Port Priority Config UNIT:1/LAGS: Click 1 to configure the physical ports. Click LAGS to configure the link aggregation groups. Select: Select the desired port to configure its priority. It is multi-optional. Port: Displays the physical port number of the switch.
  • Page 227: P Priority

    The following entries are displayed on this screen: Schedule Mode Config Schedule Mode: Select a schedule mode. SP-Mode: Strict-Priority Mode. In this mode, the queue with higher priority will occupy the whole bandwidth. Packets in the queue with lower priority are sent only when the queue with higher priority is empty.
  • Page 228: Dscp Priority

    Choose the menu QoS→DiffServ→802.1P Priority to load the following page. Figure 11-8 802.1P Priority The following entries are displayed on this screen: Priority and CoS-mapping Config Select: Select the desired 802.1P tag-id/cos-id for 802.1P priority configuration. It is multi-optional. Tag-id/CoS-id: Indicates the precedence level defined by IEEE 802.1P and the CoS ID.
  • Page 229 Choose the menu QoS→DiffServ→DSCP Priority to load the following page. Figure 11-9 DSCP Priority The following entries are displayed on this screen: DSCP Priority Config DSCP Priority: Select Enable or Disable DSCP Priority. Priority Level Select: Select the desired DSCP value for DSCP priority configuration. It is multi-optional.
  • Page 230: Bandwidth Control

    11.2 Bandwidth Control Bandwidth function, allowing you to control the traffic rate and broadcast flow on each port to ensure network in working order, can be implemented on Rate Limit and Storm Control pages. 11.2.1 Rate Limit Rate limit functions to control the ingress/egress traffic rate on each port via configuring the available bandwidth of each port.
  • Page 231: Storm Control

    Egress Rate(1-1000000Kbps): Configure the bandwidth for sending packets on the port. You can select a rate from the dropdown list or manually set the Egress rate; the system will automatically select the integral multiple of 64Kbps that is closest to the rate you entered as the real Egress rate. LAG: Displays the LAG number which the port belongs to.
  • Page 232: Voice Vlan

    Port: Displays the port number of the switch. PPS: Enable or disable the PPS mode. Broadcast Rate Mode: Select the broadcast rate mode; pps mode is invalid if the PPS is disabled. kbps: Specify the threshold in kbits per second. ...
  • Page 233 Number OUI Address Vendor 00-01-e3-00-00-00 Siemens phone; 00-03-6b-00-00-00 Cisco phone; 00-04-0d-00-00-00 Avaya phone; 00-60-b9-00-00-00 Philips/NEC phone; 00-d0-1e-00-00-00 Pingtel phone; 00-e0-75-00-00-00 Polycom phone; 00-e0-bb-00-00-00 3com phone. Table 11-1 OUI addresses on the switch Port Voice VLAN Mode A voice VLAN can operate in two modes: automatic mode and manual mode. Automatic Mode: In this mode, the switch automatically adds a port which receives voice packets to voice VLAN and determines the priority of the packets through learning the source MAC of the UNTAG packets sent from IP phone when it is powered on.
  • Page 234: Global Config

    Security Mode of Voice VLAN When voice VLAN is enabled for a port, you can configure its security mode to filter data stream. If security mode is enabled, the port just forwards voice packets, and discards other packets whose source MAC addresses do not match OUI addresses.
  • Page 235: Port Config

    VLAN ID: Enter the VLAN ID of the voice VLAN. Aging Time: Specifies the living time of the member port in auto mode after the OUI address is aging out. Priority: Select the priority of the port when sending voice data. 11.3.2 Port Config Before the voice VLAN function is enabled, the parameters of the ports in the voice VLAN should be configured on this page.
  • Page 236: Oui Config

    Port: Displays the port number of the switch. Port Mode: Select the mode for the port to join the voice VLAN. Auto: In this mode, the switch automatically adds a port to the voice VLAN or removes a port from the voice VLAN by checking whether the port receives voice data or not.
  • Page 237 OUI Table Select: Select the desired entry to view the detailed information. OUI: Displays the OUI address of the voice device. Mask: Displays the OUI address mask of the voice device. Description: Displays the description of the OUI. Configuration Procedure of Voice VLAN: Step Operation Description Create VLAN...
  • Page 238: Chapter 12 Acl

    Chapter 12 ACL ACL (Access Control List) is used to filter packets by configuring match rules and process policies of packets in order to control the access of the illegal users to the network. Besides, ACL functions to control traffic flows and save network resources. It provides a flexible and secured access control policy and facilitates you to control the network security.
  • Page 239: Time-Range Create

    12.1.2 Time-Range Create On this page you can create time-ranges. Choose the menu ACL→Time-Range→Time-Range Create to load the following page. Figure 12-2 Time-Range Create Note: To successfully configure time-ranges, please first specify time-slices and then time-ranges. The following entries are displayed on this screen: Create Time-Range...
  • Page 240: Holiday Config

    End Time: Displays the end time of the time-slice. Delete: Click the Delete button to delete the corresponding time-slice. 12.1.3 Holiday Config Holiday mode is applied as a different secured access control policy from the week mode. On this page you can define holidays according to your work arrangement. Choose the menu ACL→Time-Range→Holiday Config to load the following page.
  • Page 241: Acl Create

    Choose the menu ACL→ACL Config→ACL Summary to load the following page. Figure 12-4 ACL Summary The following entries are displayed on this screen: Search Option Select ACL: Select the ACL you have created. ACL Type: Displays the type of the ACL you select. Rule Order: Displays the rule order of the ACL you select.
  • Page 242 Choose the menu ACL→ACL Config→MAC ACL to load the following page. Figure 12-6 Create MAC Rule The following entries are displayed on this screen: Create MAC-Rule ACL ID: Select the desired MAC ACL for configuration. Rule ID: Enter the rule ID. Operation: Select the operation for the switch to process packets which match the rules.
  • Page 243: Standard-Ip Acl

    12.2.4 Standard-IP ACL Standard-IP ACLs analyze and process data packets based on a series of match conditions, which can be the source IP addresses and destination IP addresses carried in the packets. Choose the menu ACL→ACL Config→Standard-IP ACL to load the following page. Figure 12-7 Create Standard-IP Rule The following entries are displayed on this screen: Create Standard-IP ACL...
  • Page 244: Extend-Ip Acl

    12.2.5 Extend-IP ACL Extend-IP ACLs analyze and process data packets based on a series of match conditions, which can be the source IP addresses, destination IP addresses, IP protocol and other information of this sort carried in the packets. Choose the menu ACL→ACL Config→Extend-IP ACL to load the following page. Figure 12-8 Create Extend-IP Rule The following entries are displayed on this screen: Create Extend-IP ACL...
  • Page 245: Combined Acl

    TCP Flag: Configure TCP flag when TCP is selected from the pull-down list of IP Protocol. S-Port: Configure TCP/IP source port contained in the rule when TCP/UDP is selected from the pull-down list of IP Protocol. D-Port: Configure TCP/IP destination port contained in the rule when TCP/UDP is selected from the pull-down list of IP Protocol.
  • Page 246: Ipv6 Acl

    S-MAC: Enter the source MAC address contained in the rule. D-MAC: Enter the destination MAC address contained in the rule. Mask: Enter IP address mask. If it is set to 1, it must strictly match the address. VLAN ID: Enter the VLAN ID contained in the rule. EtherType: Enter EtherType contained in the rule.
  • Page 247 Choose the menu ACL→ACL Config→IPv6 ACL to load the following page. Figure 12-10 IPv6 ACL Config The following entries are displayed on this screen: Create Extend-IP ACL ACL ID: Select the desired IPv6 ACL for configuration. Rule ID: Enter the rule ID. Operation: Select the operation for the switch to process packets which match the rules.
  • Page 248: Policy Config

    D-IP: Enter the destination IPv6 address contained in the rule, you can input all the 128 bits, but only upper 64 bits are verified. Mask: Enter IP address mask. If it is set to 1, the upper 64 bits in the destination address of the packet must strictly match the D-IP you configured.
  • Page 249: Policy Create

    S-Mirror: Displays the source mirror port of the policy. S-Condition: Displays the source condition added to the policy. Redirect: Displays the redirect added to the policy. QoS Remark: Displays the QoS remark added to the policy. Operation: Edit the information of this action. 12.3.2 Policy Create On this page you can create the policy.
  • Page 250: Acl Binding

    Select Policy: Select the name of the policy. Select ACL: Select the ACL for configuration in the policy. S-Mirror: Select S-Mirror to mirror the data packets in the policy to the specific port. S-Condition: Select S-Condition to limit the transmission rate of the data packets in the policy.
  • Page 251: Binding Table

    12.4.1 Binding Table On this page you can view the ACL bound to port/VLAN. Choose the menu ACL→ACL Binding→Binding Table to load the following page. Figure 12-14 Binding Table The following entries are displayed on this screen: Search Option Show Mode: Select a show mode appropriate to your needs.
  • Page 252: Port Binding

    12.4.2 Port Binding On this page you can bind an ACL to a port. Choose the menu ACL→ACL Binding→Port Binding to load the following page. Figure 12-15 Bind the policy to the port The following entries are displayed on this screen: Port-Bind Config...
  • Page 253: Vlan Binding

    12.4.3 VLAN Binding On this page you can bind an ACL to a VLAN. Choose the menu ACL→ACL Binding→VLAN Binding to load the following page. Figure 12-16 Bind the policy to the VLAN The following entries are displayed on this screen: VLAN-Bind Config...
  • Page 254: Binding Table

    12.5.1 Binding Table On this page you can view the policy bound to port/VLAN. Choose the menu ACL→Policy Binding→Binding Table to load the following page. Figure 12-17 Binding Table The following entries are displayed on this screen: Search Option Show Mode: Select a show mode appropriate to your needs.
  • Page 255: Port Binding

    12.5.2 Port Binding On this page you can bind a policy to a port. Choose the menu ACL→ACL Binding→Port Binding to load the following page. Figure 12-18 Bind the policy to the port The following entries are displayed on this screen: Port-Bind Config...
  • Page 256: Vlan Binding

    12.5.3 VLAN Binding On this page you can bind a policy to a VLAN. Choose the menu ACL→Policy Binding→VLAN Binding to load the following page. Figure 12-19 Bind the policy to the VLAN The following entries are displayed on this screen: VLAN-Bind Config...
  • Page 257 3. The staff of the marketing department can access the Internet but cannot visit the forum. 4. The R&D department and marketing department cannot communicate with each other. Network Diagram Configuration Procedure Step Operation Description Configure requirement 1: On ACL→ACL Config→ACL Create page, create ACL 11. On ACL→ACL Config→MAC ACL page, select ACL 11, create Rule 1,...
  • Page 258 Step Operation Description Configure requirement 4: On ACL→ACL Config→ACL Create page, create ACL 500. On ACL→ACL Config→Standard-IP ACL page, select ACL 500, and create Rule 1, configure operation as Deny, configure S-IP as 10.10.70.0 and mask as 255.255.255.0, configure D-IP as 10.10.50.0 and mask as 255.255.255.0.
  • Page 259: Chapter 13 Network Security

    Chapter 13 Network Security The Network Security module provides multiple protection measures for network security, including five submenus: IP-MAC Binding, IPv6-MAC Binding, DHCP Snooping, DHCPv6 Snooping, ARP Inspection, ND Detection, IP Source Guard, DoS Defend, 802.1X, PPPoE and AAA.
  • Page 260: Manual Binding

    The following entries are displayed on this screen: Search Source: Displays the Source of the entry. • All: All the bound entries will be displayed. • Manual: Only the manually added entries will be displayed. • Scanning: Only the entries formed via ARP Scanning...
  • Page 261 Choose the menu Network Security→IP-MAC Binding→Manual Binding to load the following page. Figure 13-2 Manual Binding The following entries are displayed on this screen: Manual Binding Option Host Name: Enter the Host Name. IP Address: Enter the IP Address of the Host. MAC Address: Enter the MAC Address of the Host.
  • Page 262: Arp Scanning

    Collision: Displays the Collision status of the entry. • Warning: Indicates that the collision may be caused by the MSTP function. • Critical: Indicates that the entry has a collision with the other entries. 13.1.3 ARP Scanning ARP (Address Resolution Protocol) is used to analyze and map IP addresses to the corresponding MAC addresses so that packets can be delivered to their destinations correctly.
  • Page 263: Ipv6-Mac Binding

    Choose the menu Network Security→IP-MAC Binding→ARP Scanning to load the following page. Figure 13-4 ARP Scanning The following entries are displayed on this screen: Scanning Option Start IP Address: Specify the Start IP Address. End IP Address: Specify the End IP Address. VLAN ID: Enter the VLAN ID.
  • Page 264: Binding Table

    detection and IPv6 Source Guard functions can control the network access and only allow the Hosts matching the bound entries to access the network. The following three IPv6-MAC Binding methods are supported by the switch. Manually: You can manually bind the IPv6 address, MAC address, VLAN ID and the Port number together in the condition that you have got the related information of the Hosts in the LAN.
  • Page 265: Manual Binding

    • DHCP Snooping: Only the entries generated via DHCP Snooping will be displayed. IP Select: Click the Select button to quick-select the corresponding entry based on the IPv6 address you entered. Binding Table Select: Select the desired entry to modify the Host Name and Protect Type.
  • Page 266 Choose the menu Network Security→IPv6-MAC Binding→Manual Binding to load the following page. Figure 13-6 Manual Binding The following entries are displayed on this screen: Manual Binding Option Host Name: Enter the Host Name. IP Address: Enter the IPv6 Address of the Host. MAC Address: Enter the MAC Address of the Host.
  • Page 267: Nd Snooping

    Collision: Displays the Collision status of the entry. • Warning: Indicates that the collision may be caused by the MSTP function. • Critical: Indicates that the entry has a collision with the other entries. 13.2.3 ND Snooping ND snooping maintains an ND snooping table using the DAD NS messages in IPv6. ND snooping entries in this table are used to: •...
  • Page 268 out, the switch removes the entry when the timer expires. Choose the menu Network Security→IPv6-MAC Binding→ND Snooping to load the following page. Figure 13-7 ARP Scanning The following entries are displayed on this screen: ND Snooping ND Snooping: Enable/Disable the ND Snooping function globally. VLAN ID: Enable/Disable the ND Snooping function in the specified VLAN.
  • Page 269: Dhcp Snooping

    Select: Select your desired port for configuration. It is multi-optional. Port: Displays the number of port. Maximum Entry: Configure the max ND binding entries a port can learn via ND snooping. LAG: Displays the LAG which the port belongs to. 13.3 DHCP Snooping Nowadays, the network is getting larger and more complicated.
  • Page 270 Most Clients obtain their IP addresses dynamically, as illustrated in the following figure. Figure 13-9 Interaction between a DHCP client and a DHCP server DHCP-DISCOVER Stage: The Client broadcasts the DHCP-DISCOVER packet to find the DHCP Server. DHCP-OFFER Stage: Upon receiving the DHCP-DISCOVER packet, the DHCP Server selects an IP address from the IP pool according to the assigning priority of the IP addresses and replies to the Client with a DHCP-OFFER packet carrying the IP address and other information.
  • Page 271 Option 82 can contain 255 sub-options at most. If Option 82 is defined, at least a sub-option should be defined. This switch supports two sub-options: Circuit ID and Remote ID. Since there is no universal standard about the content of Option 82, different manufacturers define the sub-options of Option 82 to their need.
  • Page 272: Global Config

    13.3.1 Global Config Choose the menu Network Security→DHCP Snooping→Global Config to load the following page. Figure 13-11 DHCP Snooping The following entries are displayed on this screen: DHCP Snooping Configuration  DHCP Snooping: Enable/Disable the DHCP Snooping function globally. VLAN ID: Enable/Disable the DHCP Snooping function in the specified VLAN.
  • Page 273: Port Config

    13.3.2 Port Config Choose the menu Network Security→DHCP Snooping→Port Config to load the following page. Figure 13-12 DHCP Snooping DHCP Snooping Port Configuration  UNIT:1/LAGS: Click 1 to configure the physical ports. Click LAGS to configure the link aggregation groups. Select: Select your desired port for configuration.
  • Page 274: Option 82 Config

    LAG: Displays the LAG to which the port belongs. 13.3.3 Option 82 Config The switch can propagate the control information and the network parameters via the Option 82 field to provide more information for the Host. When the DHCP option 82 feature is enabled on the switch, a host is identified by the switch port through which it connects to the network (in addition to its MAC address).
  • Page 275: Dhcpv6 Snooping

    Circuit ID: Enter the sub-option Circuit ID for the customized Option 82 field. Remote ID Customization: Enable or disable the switch to define the Option 82 sub-option Remote ID field. With Disable selected, configure the switch system MAC address as the remote ID default value.
  • Page 276: Arp Inspection

    Trusted Port: Select the port to be a Trusted Port. Only the Trusted Port can forward the DHCPv6 packets from DHCPv6 servers. 13.5 ARP Inspection According to the ARP Implementation Procedure stated in 13.1.3 ARP Scanning, it can be found that ARP protocol can facilitate the Hosts in the same network segment to communicate with one another or access to external network via Gateway.
  • Page 277 Figure 13-16 ARP Attack – Cheating Gateway As the above figure shows, the attacker sends the fake ARP packets of Host A to the Gateway, and then the Gateway will automatically update its ARP table after receiving the ARP packets. When the Gateway tries to communicate with Host A in LAN, it will encapsulate this false destination MAC address for packets, which results in a breakdown of the normal communication.
  • Page 278 Man-In-The-Middle Attack: The attacker continuously sends the false ARP packets to the Hosts in LAN so as to make the Hosts maintain the wrong ARP table. When the Hosts in LAN communicate with one another, they will send the packets to the attacker according to the wrong ARP table. Thus, the attacker can get and process the packets before forwarding them.
  • Page 279: Arp Detect

    packets and updates its ARP table. As a result, the ARP table is fully occupied by the false entries and unable to learn the ARP entries of legal Hosts, so the legal Hosts cannot access the external network. The IP-MAC Binding function allows the switch to bind the IP address, MAC address, VLAN ID and the connected Port number of the Host together when the Host connects to the switch.
  • Page 280: Arp Defend

    Configuration Procedure: Step / Operation / Description. Operation: Bind the IP address, MAC address, VLAN ID and the connected Port number of the Host together. Description: Required. On the IP-MAC Binding page, bind the IP address, MAC address, VLAN ID and the connected Port number of the Host together via Manual Binding, ARP
  • Page 281: Arp Statistics

    Port: Displays the port number. Defend: Select Enable/Disable the ARP Defend feature for the port. Speed(10-100)pps: Enter a value to specify the maximum amount of the received ARP packets per second. Current Speed(pps): Displays the current speed of the received ARP packets. Status Displays the status of the ARP attack.
  • Page 282: Nd Detection

    Auto Refresh: Enable/Disable the Auto Refresh feature. Refresh Interval: Specify the refresh interval to display the ARP Statistics. Illegal ARP Packet  Port: Displays the port number. Trusted Port: Indicates the port is an ARP Trusted Port or not. Illegal ARP Packet: Displays the number of the received illegal ARP packets.
  • Page 283 gateway or the other hosts who have received these NS/NA/RS packets will update their ND entry with the wrong address information. As a result, all packets intended for the victim will be sent to the attacking host rather than the victim host. •...
  • Page 284: Ip Source Guard

    Choose the menu Network Security→ND Detection→ND Detection to load the following page. Figure 13-22 ND Detection ND Detection  ND Detection: Enable/Disable the ND Detection function. VLAN ID: Enter the VLAN ID in which you want to enable/disable the ND Detection function.
  • Page 285 Choose the menu Network Security→IP Source Guard to load the following page. Figure 13-23 IP Source Guard The following entries are displayed on this screen: IP Source Guard Config  Select: Select your desired port for configuration. It is multi-optional. Port: Displays the port number.
  • Page 286: Dos Defend

    13.8 DoS Defend In a DoS (Denial of Service) attack, network attackers or malicious programs occupy the network bandwidth by sending a large number of service requests to the Host, which causes abnormal service or even a breakdown of the network. With the DoS Defend function enabled, the switch can analyze the specific fields of the IP packets and distinguish the malicious DoS attack packets.
  • Page 287: Dos Defend

    13.8.1 DoS Defend On this page, you can enable the DoS Defend type appropriate to your need. Choose the menu Network Security→DoS Defend→DoS Defend to load the following page. Figure 13-24 DoS Defend The following entries are displayed on this screen: Defend Config ...
  • Page 288 Authenticator System: The authenticator system is usually an 802.1X-supported network device, such as this TP-LINK switch. It provides the physical or logical port for the supplicant system to access the LAN and authenticates the supplicant system. Authentication Server System: The authentication server system is an entity that provides authentication service to the authenticator system.
  • Page 289 EAP Relay Mode This mode is defined in 802.1X. In this mode, EAP-packets are encapsulated in higher level protocol (such as EAPOR) packets to allow them to successfully reach the authentication server. This mode normally requires the RADIUS server to support the two fields of EAP: the EAP-message field and the Message-authenticator field.
  • Page 290 (7) The switch changes the state of the corresponding port to accepted state to allow the supplicant system to access the network. The switch then monitors the status of the supplicant by sending hand-shake packets periodically. By default, the switch will force the supplicant to log off if it fails to get a response from the supplicant twice.
  • Page 291: Global Config

    On this page, you can enable the 802.1X authentication function globally and control the authentication process by specifying the Authentication Method, Guest VLAN and various Timers. Please disable the Handshake feature if you are using other client software instead of the TP-LINK 802.1X Client.
  • Page 292: Port Config

    Handshake: Enable/Disable the Handshake feature. The Handshake feature is used to detect the connection status between the TP-LINK 802.1X Client and the switch. Please disable the Handshake feature if you are using other client software instead of the TP-LINK 802.1X Client. Guest VLAN: Enable/Disable the Guest VLAN feature.
  • Page 293 Choose the menu Network Security→802.1X→Port Config to load the following page. Figure 13-29 Port Config The following entries are displayed on this screen: Port Config  Select: Select your desired port for configuration. It is multi-optional. Port: Displays the port number. Status: Select Enable/Disable the 802.1X authentication feature for the port.
  • Page 294: Pppoe

    Install 802.1X client software. install the TP-LINK 802.1X Client provided on the CD. Please refer to the software guide in the same directory with the software for more information. Configure the 802.1X globally. Required. By default, the global 802.1X function is disabled.
  • Page 295 PPPoE ID-Insertion Operation Process  The PPPoE ID insertion includes Circuit-ID tag and Remote-ID tag. The following process takes Circuit-ID insertion as an example: PPPoE Discovery Process Figure 13-1 The PPPoE discovery process is illustrated below: The client sends PADI (PPPoE Active Discovery Initiation) packets to the switch. The switch intercepts PADI packets and inserts a unique Circuit-ID tag to them.
  • Page 296 Choose the menu Network Security→PPPoE→PPPoE ID Insertion to load the following page. Figure 13-30 PPPoE Circuit-ID Config The following entries are displayed on this screen: Global Config  PPPoE ID Insertion: Enable/Disable the PPPoE Circuit-ID Insertion function globally. Port Config ...
  • Page 297: Aaa

    Remote-ID: Enable or Disable the PPPoE Remote-ID Insertion feature for the port. Remote-ID Value: A user specified string with the maximum length of 40 characters to encode the Remote-id option. 13.11 AAA Overview: AAA stands for authentication, authorization and accounting. This feature is used to authenticate users trying to log in to the switch or trying to access the administrative level privilege.
  • Page 298: Global Config

    13.11.1 Global Config This page is used to enable/disable the AAA function globally. Choose the menu Network Security→AAA→Global Config to load the following page. Figure 13-31 AAA Global Config Configuration Procedure: Click Enable to enable the AAA function globally. 13.11.2 Privilege Elevation This page is used to elevate the current logged-in user from guest to admin and gain administrator level privileges.
  • Page 299: Tacacs+ Server Config

    Choose the menu Network Security→AAA→RADIUS Config to load the following page. Figure 13-33 RADIUS Server Config Configuration Procedure: Configure the RADIUS server’s IP and other relevant parameters under the Server Config. View, edit and delete the configured RADIUS servers in the Server list. Entry Description ...
  • Page 300: Authentication Server Group Config

    Choose the menu Network Security→AAA→TACACS+ Config to load the following page. Figure 13-34 TACACS+ Server Config Configuration Procedure: Configure the TACACS+ server’s IP and other relevant parameters under the Server Config. View, edit and delete the configured TACACS+ servers in the Server list. Entry Description ...
  • Page 301 Choose the menu Network Security→AAA→Server Group to load the following page. Figure 13-35 Create New Server Group Figure 13-36 Add Server to Server Group Configuration Procedure  1) Configure the Server Group name and Server Type to create a server group. 2) Click edit in the Server Group List to configure the corresponding server group.
  • Page 302: Authentication Method List Config

    13.11.6 Authentication Method List Config Before you configure AAA authentication on a certain application, you should define an authentication method list first. An authentication method list describes the sequence and authentication method to be queried to authenticate a user. The switch uses the first method listed to authenticate users, if that method fails to respond, the switch selects the next authentication method in the method list.
  • Page 303: Application Authentication List Config

    Entry Description: Method List Name: Define a method list name. List Type: Specify the authentication type as Login or Enable. Login stands for the Authentication Login Method List, and Enable stands for the Authentication Enable Method list. Pri1, Pri2, Pri3, Specify authentication methods...
  • Page 304: Authentication Server Config

    Entry Description:  Module: Lists of the configurable applications on the switch. Login List: Configure an application for the login utilizing a previously configured method list. Enable List: Configure an application to promote the user level to admin-level users utilizing a previously configured method list. 13.11.8 802.1X Authentication Server Config This page is used to configure the RADIUS server group used in 802.1X Authentication, Accounting and IGMP Authentication.
  • Page 305 The application console/telnet/ssh/http use the default Login List and default Enable list by default. The 802.1X authentication uses the radius server group by default. The 802.1X accounting uses the radius server group by default.
  • Page 306: Chapter 14 Snmp

    Chapter 14 SNMP SNMP Overview  SNMP (Simple Network Management Protocol) has gained the most extensive application on the UDP/IP networks. SNMP provides a management frame to monitor and maintain the network devices. It is used for automatically managing the various network devices no matter the physical differences of the devices.
  • Page 307 SNMP v1: SNMP v1 adopts Community Name authentication. The community name is used to define the relation between SNMP Management Station and SNMP Agent. The SNMP packets failing to pass community name authentication are discarded. The community name can limit access to SNMP Agent from SNMP NMS, functioning as a password.
  • Page 308: Snmp Config

    3. Create SNMP User The User configured in a SNMP Group can manage the switch via the client program on management station. The specified User Name and the Auth/Privacy Password are used for SNMP Management Station to access the SNMP Agent, functioning as the password. SNMP module is used to configure the SNMP function of the switch, including three submenus: SNMP Config, Notification and RMON.
  • Page 309: Snmp View

    Note: The amount of Engine ID characters must be even. 14.1.2 SNMP View The OID (Object Identifier) of the SNMP packets is used to describe the managed objects of the switch, and the MIB (Management Information Base) is the set of the OIDs. The SNMP View is created for the SNMP management station to manage MIB objects.
  • Page 310: Snmp Group

    14.1.3 SNMP Group On this page, you can configure SNMP Group to control the network access by providing the users in various groups with different management rights via the Read View, Write View and Notify View. Choose the menu SNMP→SNMP Config→SNMP Group to load the following page. Figure 14-5 SNMP Group The following entries are displayed on this screen: Group Config...
  • Page 311: Snmp User

    Read View: Select the View to be the Read View. The management access is restricted to read-only, and changes cannot be made to the assigned SNMP View. Write View: Select the View to be the Write View. The management access is writing only and changes can be made to the assigned SNMP View.
  • Page 312 Choose the menu SNMP→SNMP Config→SNMP User to load the following page. Figure 14-6 SNMP User The following entries are displayed on this screen: User Config  User Name: Enter the User Name here. User Type: Select the type for the User. •...
  • Page 313: Snmp Community

    User Table  Select: Select the desired entry to delete the corresponding User. It is multi-optional. User Name: Displays the name of the User. User Type: Displays the User Type. Group Name: Displays the Group Name of the User. Security Model: Displays the Security Model of the User.
  • Page 314: Configuration Procedure

    Access: Defines the access rights of the community. • read-only: Management right of the Community is restricted to read-only, and changes cannot be made to the corresponding View. • read-write: Management right of the Community is read-write and changes can be made to the corresponding View.
  • Page 315: Notification

    If SNMPv1 or SNMPv2c is employed, please take the following steps:  Step Operation Description Enable SNMP function globally. Required. SNMP→SNMP Config→Global Config page, enable SNMP function globally. Create SNMP View. Required. On the SNMP→SNMP Config→SNMP View page, create SNMP View management agent.
  • Page 316 On this page, you can configure the notification function of SNMP. Choose the menu SNMP→Notification→Notification Config to load the following page. Figure 14-8 Notification Config The following entries are displayed on this screen: Host Config  IP Address: Enter the IP Address of the management Host. User: Enter the User name of the management station.
  • Page 317: Rmon

    User: Displays the User name of the management station. Security Model: Displays the Security Model of the management station. Security Level: Displays the Security Level for the SNMP v3 User. Type: Displays the type of the notifications. Retry: Displays the amount of times the switch resends an inform request.
  • Page 318: Statistics

    The RMON Groups can be configured on the Statistics, History, Event and Alarm pages. 14.3.1 Statistics On this page you can configure and view the statistics entry. Choose the menu SNMP→RMON→Statistics to load the following page. Figure 14-9 Statistics The following entries are displayed on this screen: Statistics Config ...
  • Page 319: History

    14.3.2 History On this page, you can configure the History Group for RMON. Choose the menu SNMP→RMON→History to load the following page. Figure 14-10 History Control The following entries are displayed on this screen: History Control Table  Select: Select the desired entry for configuration. Index: Displays the index number of the entry.
  • Page 320: Event

    14.3.3 Event On this page, you can configure the RMON events. Choose the menu SNMP→RMON→Event to load the following page. Figure 14-11 Event Config The following entries are displayed on this screen: Event Table  Select: Select the desired entry for configuration. Index: Displays the index number of the entry.
  • Page 321: Alarm Config

    14.3.4 Alarm Config On this page, you can configure Statistic Group and Alarm Group for RMON. Choose the menu SNMP→RMON→Alarm to load the following page. Figure 14-12 Alarm Config The following entries are displayed on this screen: Alarm Config  Select: Select the desired entry for configuration.
  • Page 322 Alarm Type: Specify the type of the alarm. • All: The alarm event will be triggered when the sampled value either exceeds the Rising Threshold or is under the Falling Threshold. • Rising: When the sampled value exceeds the Rising Threshold, an alarm event is triggered. •...
  • Page 323: Chapter 15 Lldp

    Chapter 15 LLDP LLDP (Link Layer Discovery Protocol) is a Layer 2 protocol that is used for network devices to advertise their own device information periodically to neighbors on the same IEEE 802 local area network. The advertised information, including details such as device identification, capabilities and configuration settings, is represented in TLV (Type/Length/Value) format according to the IEEE 802.1ab standard, and these TLVs are encapsulated in LLDPDU (Link Layer Discovery Protocol Data Unit).
  • Page 324 Disable: the port cannot transmit or receive LLDPDUs.  LLDPDU transmission mechanism If the ports are working in TxRx or Tx mode, they will advertise local information by  sending LLDPDUs periodically. If there is a change in the local device, the change notification will be advertised. To ...
  • Page 325 Maximum Frame TLV are defined by IEEE 802.3. Note: For detailed introduction of TLV, please refer to IEEE 802.1AB standard. In TP-LINK switch, the following LLDP optional TLVs are supported. Port Description TLV The Port Description TLV allows network management to advertise the IEEE 802 LAN station's port description.
  • Page 326: Basic Config

    System Description TLV The System Description TLV allows network management to advertise the system's description, which should include the full name and version identification of the system's hardware type, software operating system, and networking software. System Name TLV The System Name TLV allows network management to advertise the system's assigned name, which should be the system's fully qualified domain name.
  • Page 327: Port Config

    Choose the menu LLDP→Basic Config→Global Config to load the following page. Figure 15-1 Global Configuration The following entries are displayed on this screen: Global Config  LLDP: Choose to enable/disable LLDP. Parameters Config  Transmit Interval: This parameter indicates the interval at which LLDP frames are transmitted on behalf of this LLDP agent.
  • Page 328: Device Info

    Choose the menu LLDP→Basic Config→Port Config to load the following page. Figure 15-2 Port Configuration The following entries are displayed on this screen: Port Config  Select: Select the desired entry for configuration. It is multi-optional. Port: Displays the port number to be configured. Admin Status: Configure the ports' LLDP state.
  • Page 329 Choose the menu LLDP→Device Info→Local Info to load the following page. Figure 15-3 Local Information The following entries are displayed on this screen: Auto Refresh  Auto Refresh: Enable/Disable the auto refresh function. Refresh Rate: Configure the auto refresh rate. Local Info ...
  • Page 330: Neighbor Info

    Port ID: Indicates the specific identifier for the port in local device. TTL: Indicates the number of seconds that the recipient LLDP agent is to regard the information associated with this chassis ID and port ID identifier to be valid. Displays local port's description.
  • Page 331: Device Statistics

    System Name: Displays the system name of the neighbor device. Chassis ID: Displays the Chassis ID of the neighbor device. System Description: Displays the system description of the neighbor. Neighbor Port: Displays the port number of the neighbor linking to local port. Click to display the detail information of the neighbor.
  • Page 332: Lldp-Med

    Total Inserts: Display the number of neighbors during latest update time. Total Deletes: Displays the number of neighbors deleted by local device. Total Drops: Displays the number of neighbors dropped by local device. Total Ageouts: Displays the number of overtime neighbors in local device. Neighbors Statistics ...
  • Page 333: Global Config

    Location Identification TLV The Location Identification TLV provides for advertisement of location identifier information to Communication Endpoint Devices, based on configuration of the Network Connectivity Device it's connected to. You can set the Location Identification content in Location Identification Parameters. If Location Identification TLV is included and Location Identification Parameters isn't set, a default value is used in Location Identification TLV.
  • Page 334 Choose the menu LLDP→LLDP-MED→Port Config to load the following page. Figure 15-7 LLDP-MED Port Configuration The following entries are displayed on this screen LLDP-MED Port Config  Select: Select the desired port to configure. LLDP-MED Status: Configure the port's LLDP-MED status: •...
  • Page 335 Figure 15-8 Configure TLVs of LLDP-MED Port Included TLVs: Select TLVs to be included in outgoing LLDPDU. Location Identification Parameters: Configure the Location Identification TLV's content in outgoing LLDPDU of the port. Emergency Number: Emergency number is Emergency Call Service ELIN identifier, which is used during emergency call setup to a traditional CAMA or ISDN trunk-based PSAP.
  • Page 336: Local Info

    capital ASCII letters, e.g., CN or US. Language, Province/State, etc.: a part of civic address. • 15.4.3 Local Info On this page you can see all ports' LLDP-MED configuration. Choose the menu LLDP→LLDP-MED→Local Info to load the following page. Figure 15-9 LLDP-MED Local Information The following entries are displayed on this screen Auto Refresh ...
  • Page 337: Neighbor Info

    Unknown Policy Flag: Displays whether the local device will explicitly advertise the policy required by the device but currently unknown. VLAN tagged: Indicates the VLAN type the specified application type is using, 'tagged' or 'untagged'. Media Policy VLAN Displays the application (e.g. Voice VLAN) VLAN identifier (VID) for the port.
  • Page 338 Application Type: Displays the application type of the neighbor. Application Type indicates the primary function of the applications defined for the network policy. Local Data Format: Displays the location identification of the neighbor. Power Type: Displays the power type of the neighbor device, either Power Sourcing Entity (PSE) or Powered Device (PD).
  • Page 339: Chapter 16 Maintenance

    Chapter 16 Maintenance Maintenance module, assembling the commonly used system tools to manage the switch, provides the convenient method to locate and solve the network problem. (1) System Monitor: Monitor the utilization status of the memory and the CPU of switch. (2)...
  • Page 340: Memory Monitor

    Figure 16-1 CPU Monitor Click the Monitor button to enable the switch to monitor and display its CPU utilization rate every four seconds. 16.1.2 Memory Monitor Choose the menu Maintenance→System Monitor→Memory Monitor to load the following page.
  • Page 341: Sflow

    Figure 16-2 Memory Monitor Click the Monitor button to enable the switch to monitor and display its Memory utilization rate every four seconds. 16.2 sFlow sFlow (Sampled Flow) is a technology for accurately monitoring network traffic at high speeds. The sFlow monitoring system consists of an sFlow agent (embedded in a switch or router or in a standalone probe) and a central sFlow collector.
  • Page 342: Sflow Collector

    16.2.1 SFlow Collector Figure 16-3 sFlow Collector Configuration Procedure: 1) Click Enable to enable the sFlow function globally and configure the sFlow agent’s IP under the Global Config. For example, you can set the switch’s management IP as the sFlow agent’s IP. 2) Select your desired collector and configure relevant parameters under the Collector Config.
  • Page 343: Sflow Sampler

    16.2.2 SFlow Sampler Figure 16-4 sFlow Sampler Configuration Procedure: Configure one or more ports to be a sampler and configure relevant parameters under the Sampler Config. One port can only be bound to one collector. Entry Description: Select Configure the desired port to be the sFlow sampler. Port: Displays the port of the switch here.
  • Page 344: Default Settings

    16.2.3 Default Settings Feature Default Settings Global sFlow function Disabled. sFlow Agent The Agent Address is not defined. Collector Port is 6343. sFlow Collector Max Datagram is 300 bytes. The other parameters are not defined. Collector ID is 0. It means no collector is ...
  • Page 345: Local Log

    Figure 16-1 Log Table The following entries are displayed on this screen: Log Info  Index: Displays the index of the log information. Time: Displays the time when the log event occurs. The log can get the correct time after you configure on the System ->System Info->System Time Web management page.
  • Page 346: Remote Log

    Figure 16-2 Local Log The following entries are displayed on this screen: Local Log Config: Select: Select the desired entry to configure the corresponding local log. Channel: • Log buffer: Indicates the RAM for saving system log. The information in the log buffer is displayed on the Log Table page.
  • Page 347: Backup Log

    Choose the menu Maintenance→Log→Remote Log to load the following page. Figure 16-3 Log Host The following entries are displayed on this screen: Log Host  Index: Displays the index of the log host. The switch supports 4 log hosts. Host IP: Configure the IP for the log host.
  • Page 348: Device Diagnostics

    Figure 16-4 Backup Log The following entry is displayed on this screen: Backup Log  Backup Log: Click the Backup Log button to save the log as a file to your computer. Note: When a critical error results in the breakdown of the system, you can export the log file to get some related important information about the error for device diagnosis after the switch is restarted.
  • Page 349: Network Diagnostics

    Pair: Displays the Pair number. Status: Displays the connection status of the cable connected to the port. The test results of the cable include normal, close, open or impedance. Length: If the connection status is normal, here displays the length range of the cable.
  • Page 350: Tracert

    and IPv6 are supported. Ping Times: Enter the amount of times to send test data during Ping testing. The default value is recommended. Data Size: Enter the size of the sending data during Ping testing. The default value is recommended. Interval: Specify the interval to send ICMP request packets.
  • Page 351: Appendix A. Password Recovery

    Appendix A. Password Recovery This chapter introduces the procedure to reset passwords on TP-LINK switches. Steps to reset the password: 1. For Security reasons, the Password Recovery feature requires the user to physically access the switch. Please attach a terminal or PC with terminal emulation program to the RJ-45/Micro-USB console port of the switch.
  • Page 352: Appendix B. Specifications

    100Base-TX: UTP/STP of Cat. 5 or above Transmission Medium 1000Base-T: 4-pair UTP (≤100m) of Cat. 5e, Cat.6 or above 1000Base-X: MMF or SMF SFP Module (Optional) T2600G-28TS: PWR, SYS, 1000Mbps, Link/Act T2600G-52TS: PWR,SYS, 10/100/1000Mbps (port 1-48), Link/Act (port 49-52) Transmission Method Store and Forward 10BASE-T:14881pps/port...
  • Page 353: Appendix C. Glossary

    Appendix C. Glossary Boot Protocol (BOOTP) BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the devices system files, and the name of the boot file. Class of Service (CoS) CoS is supported by prioritizing packets based on the required level of service, and then placing them in the appropriate output queue.
  • Page 354 Internet Group Management Protocol (IGMP) A protocol through which hosts can register with their local router for multicast services. If there is more than one multicast switch/router on a given subnetwork, one of the devices is made the “querier” and assumes responsibility for keeping track of group membership. IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast routers and IP Multicast host groups to identify IP Multicast group members.
  • Page 355 Remote Authentication Dial-in User Service (RADIUS) RADIUS is a logon authentication protocol that uses software running on a central server to control access to RADIUS-compliant devices on the network. Remote Monitoring (RMON) RMON provides comprehensive network monitoring capabilities. It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types.

This manual is also suitable for:

TL-SG3452, TL-SG3424, T2600G-52TS
