TP-Link T2500-28TC User Manual

24-Port 10/100Mbps + 4-Port Gigabit JetStream L2 Managed Switch

T2500-28TC (TL-SL5428E)
24-Port 10/100Mbps + 4-Port Gigabit
JetStream L2 Managed Switch
REV1.0.0
1910011796


Summary of Contents for TP-Link T2500-28TC

  • Page 1 T2500-28TC (TL-SL5428E) 24-Port 10/100Mbps + 4-Port Gigabit JetStream L2 Managed Switch REV1.0.0 1910011796...
  • Page 2: FCC Statement

    Specifications are subject to change without notice. is a registered trademark of TP-LINK TECHNOLOGIES CO., LTD. Other brands and product names are trademarks or registered trademarks of their respective holders. No part of the specifications may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from TP-LINK TECHNOLOGIES CO., LTD.
  • Page 3: Safety Information

    Safety Information When the product has a power button, the power button is one of the ways to shut off the product; when there is no power button, the only way to completely shut off power is to disconnect the product or the power adapter from the power source. Don’t disassemble the product, or make repairs yourself.
  • Page 4: Table Of Contents

    CONTENTS: Package Contents (p. 1); Chapter 1 About This Guide (p. 2); Intended Readers (p. 2); Conventions (p. 2); Overview of This Guide (p. 3); Chapter 2 Introduction (p. 7); Overview of the Switch (p. 7); Appearance Description (p. 7); 2.2.1 Front Panel ...
  • Page 5 5.1.1 Port Config (p. 39); 5.1.2 Port Mirror (p. 40); 5.1.3 Port Security (p. 41); 5.1.4 Port Isolation (p. 43); 5.1.5 Loopback Detection (p. 44); DDM (p. 45); 5.2.1 DDM Config (p. 45); 5.2.2 Temperature Threshold (p. 46); 5.2.3 Voltage Threshold (p. 47); 5.2.4 Bias Current Threshold ...
  • Page 6 Application Example for MAC VLAN (p. 78); Application Example for Protocol VLAN (p. 79); VLAN VPN (p. 81); 6.7.1 VPN Config (p. 82); 6.7.2 VLAN Mapping (p. 82); 6.7.3 Port Enable (p. 83); Private VLAN (p. 85); 6.8.1 PVLAN Config (p. 88); 6.8.2 Port Config ...
  • Page 7 DHCP Relay (p. 138); Chapter 10 Multicast (p. 142); 10.1 IGMP Snooping (p. 146); 10.1.1 Snooping Config (p. 147); 10.1.2 VLAN Config (p. 148); 10.1.3 Port Config (p. 149); 10.1.4 IP-Range (p. 151); 10.1.5 Multicast VLAN (p. 152); 10.1.6 Static Multicast IP (p. 155); 10.1.7 Packet Statistics ...
  • Page 8 12.1 Time-Range (p. 187); 12.1.1 Time-Range Summary (p. 187); 12.1.2 Time-Range Create (p. 188); 12.1.3 Holiday Config (p. 189); 12.2 ACL Config (p. 189); 12.2.1 ACL Summary (p. 189); 12.2.2 ACL Create (p. 190); 12.2.3 MAC ACL (p. 191); 12.2.4 Standard-IP ACL ...
  • Page 9 13.6.1 Global Config (p. 226); 13.6.2 Port Config (p. 228); 13.7 AAA (p. 229); 13.7.1 Global Config (p. 230); 13.7.2 Privilege Elevation (p. 231); 13.7.3 RADIUS Server Config (p. 231); 13.7.4 TACACS+ Server Config (p. 232); 13.7.5 Authentication Server Group Config (p. 233); 13.7.6 Authentication Method List Config ...
  • Page 10 15.4.2 Port Config (p. 268); 15.4.3 Local Info (p. 271); 15.4.4 Neighbor Info (p. 272); Chapter 16 Cluster (p. 274); 16.1 NDP (p. 275); 16.1.1 Neighbor Info (p. 275); 16.1.2 NDP Summary (p. 276); 16.1.3 NDP Config (p. 278); 16.2 NTDP (p. 279); 16.2.1 Device Table ...
  • Page 11: Package Contents

    One power cord; One console cable; Two mounting brackets and other fittings; Installation Guide; Resource CD for T2500-28TC switch, including: This User Guide • The CLI Reference Guide • SNMP Mibs • 802.1X Client Software •...
  • Page 12: Chapter 1 About This Guide

    Chapter 1 About This Guide This User Guide contains information for setup and management of T2500-28TC switch. Please read this guide carefully before operation. 1.1 Intended Readers This Guide is intended for network managers familiar with IT concepts and network terminologies.
  • Page 13: Overview Of This Guide

    T2500-28TC switch. Chapter 3 Login to the switch Introduces how to log on to T2500-28TC Web management page. Chapter 4 System This module is used to configure system properties of the switch. Here mainly introduces: System Info: Configure the description, system time and ...
  • Page 14 Chapter Introduction Chapter 6 VLAN This module is used to configure VLANs to control broadcast in LANs. Here mainly introduces: 802.1Q VLAN: Configure port-based VLAN. MAC VLAN: Configure MAC-based VLAN without changing the 802.1Q VLAN configuration. Protocol VLAN: Create VLANs in application layer to make ...
  • Page 15 Chapter Introduction Chapter 10 Multicast This module is used to configure multicast function of the switch. Here mainly introduces: IGMP Snooping: Configure global parameters of IGMP Snooping function, port properties, VLAN and multicast VLAN. MLD Snooping: Configure global parameters of MLD Snooping ...
  • Page 16 Chapter Introduction Chapter 14 SNMP This module is used to configure SNMP function to provide a management frame to monitor and maintain the network devices. Here mainly introduces: SNMP Config: Configure global settings of SNMP function. Notification: Configure notification function ...
  • Page 17: Chapter 2 Introduction

    Chapter 2 Introduction Thanks for choosing the T2500-28TC 24-Port 10/100Mbps + 4-Port Gigabit JetStream L2 Managed Switch! 2.1 Overview of the Switch Designed for workgroups and departments, T2500-28TC from TP-LINK provides wire-speed performance and full set of layer 2 management features. It provides a variety of service features and multiple powerful functions with high security.
  • Page 18: Rear Panel

    Data is being transmitted or received. No device is connected to the corresponding port. 2.2.2 Rear Panel The rear panel of T2500-28TC features a power socket and a Grounding Terminal (marked with ). Figure 2-2 Rear Panel Grounding Terminal: T2500-28TC already comes with Lightning Protection Mechanism. You can also ground the switch through the PE (Protecting Earth) cable of AC cord or with Ground Cable.
  • Page 19: Chapter 3 Login To The Switch

    Chapter 3 Login to the Switch 3.1 Login 1. To access the configuration utility, open a web-browser and type in the default address http://192.168.0.1 in the address field of the browser, then press the Enter key. Figure 3-1 Web-browser Tips: To log in to the switch, the IP address of your PC should be set in the same subnet addresses of the switch.
  • Page 20 Figure 3-3 Main Setup-Menu Note: Clicking Apply makes the new configuration effective only until the switch is rebooted. To keep the configuration effective after a reboot, click Save Config. Click Save Config before cutting off the power or rebooting the switch to avoid losing the new configuration.
  • Page 21: Chapter 4 System

    Chapter 4 System The System module is mainly for system configuration of the switch, including four submenus: System Info, User Management, System Tools and Access Security. 4.1 System Info The System Info, mainly for basic properties configuration, can be implemented on System Summary, Device Description, System Time, Daylight Saving Time, System IP and System IPv6 pages.
  • Page 22 Indicates the 1000Mbps port is at the speed of 1000Mbps. Indicates the 1000Mbps port is at the speed of 10Mbps or 100Mbps. Indicates the SFP port is not connected to a device. Indicates the SFP port is at the speed of 1000Mbps. Indicates the SFP port is at the speed of 100Mbps.
  • Page 23: Device Description

    Select Tx to display the bandwidth utilization of sending packets on this port. 4.1.2 Device Description On this page you can configure the description of the switch, including device name, device location and system contact. Choose the menu System→System Info→Device Description to load the following page. Figure 4-4 Device Description The following entries are displayed on this screen: Device Description...
  • Page 24: Daylight Saving Time

    Figure 4-5 System Time The following entries are displayed on this screen: Time Info Current System Date: Displays the current date and time of the switch. Current Time Source: Displays the current time source of the switch. Time Config ...
  • Page 25 Figure 4-6 Daylight Saving Time The following entries are displayed on this screen: DST Config DST Status: Enable or Disable DST. Predefined Mode: Select a predefined DST configuration: USA: Second Sunday in March, 02:00 – First Sunday in November, 02:00.
  • Page 26: System IP

    When the DST is enabled, the default daylight saving time is of Europe in predefined mode. 4.1.5 System IP Each device in the network possesses a unique IP Address. You can log on to the Web management page to operate the switch using this IP Address. The switch supports three modes to obtain an IP address: Static IP, DHCP and BOOTP.
  • Page 27: System IPv6

    The switch only possesses an IP address. The IP address configured will replace the original IP address. If the switch gets the IP address from DHCP server, you can see the configuration of the switch in the DHCP server; if DHCP option is selected but no DHCP server exists in the network, the switch will keep obtaining IP address from DHCP server until success.
  • Page 28 In addition, a host can generate a link-local address on basis of its own link-layer address and the default prefix (FE80::/64) to communicate with other hosts on the link. 6. Enhanced neighbor discovery mechanism: The IPv6 neighbor discovery protocol is a group of Internet control message protocol version 6 (ICMPv6) messages that manages the information exchange between neighbor nodes on the same link.
  • Page 29 Multicast address: An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address. There are no broadcast addresses in IPv6. Their function is superseded by multicast addresses.
  • Page 30 Figure 4-8 Global Unicast Address Format An interface ID is used to identify interfaces on a link. The interface ID must be unique to the link. It may also be unique over a broader scope. In many cases, an interface ID will be the same as or based on the link-layer address of an interface.
  • Page 31 Note: You can configure multiple IPv6 addresses per interface, but only one link-local address. IPv6 Neighbor Discovery The IPv6 neighbor discovery process uses ICMP messages and solicited-node multicast addresses to determine the link-layer address of a neighbor on the same network (local link), verify the reachability of a neighbor, and track neighboring devices.
  • Page 32 RA messages typically include the following information: One or more onlink IPv6 prefixes that nodes on the local link can use to automatically configure their IPv6 addresses; Lifetime information for each prefix included in the advertisement; Sets of flags that indicate the type of autoconfiguration (stateless or stateful) that can be ...
  • Page 33 Choose the menu System→System Info→System IPv6 to load the following page. Figure 4-10 System IPv6 The following entries are displayed on this screen: Global Config IPv6: Enable/Disable IPv6 function globally on the Switch. Link-local Address Config Config Mode: Select the link-local address configuration mode.
  • Page 34 Status: Displays the status of the link-local address. Normal: Indicates that the link-local address is normal. Try: Indicates that the link-local address may be newly configured. Repeat: Indicates that the link-local address is duplicate. It is illegal to access the switch using the IPv6 address (including link-local and global address).
  • Page 35: User Management

    Status: Displays the status of the global address. Normal: Indicates that the global address is normal. Try: Indicates that the global address may be newly configured. Repeat: Indicates that the corresponding address is duplicate. It is illegal to access the switch using this address. Tips: After adding a global IPv6 address to your switch manually here, you can configure your PC’s global IPv6 address in the same subnet with the switch and login to the switch via its global IPv6...
  • Page 36: System Tools

    Choose the menu System→User Management→User Config to load the following page. Figure 4-12 User Config The following entries are displayed on this screen: User Info User Name: Create a name for users’ login. Access Level: Select the access level to login. Admin: Admin can edit, modify and view all the settings of ...
  • Page 37: Config Restore

    4.3.1 Config Restore On this page you can upload a backup configuration file to restore your switch to this previous configuration. Choose the menu System→System Tools→Config Restore to load the following page. Figure 4-13 Config Restore The following entries are displayed on this screen: Config Restore ...
  • Page 38: Firmware Upgrade

    4.3.3 Firmware Upgrade The switch system can be upgraded via the Web management page. To upgrade the system is to get more functions and better performance. Go to http://www.tp-link.com to download the updated firmware. Choose the menu System→System Tools→Firmware Upgrade to load the following page.
  • Page 39: System Reset

    Note: To avoid damage, please don't turn off the device while rebooting. 4.3.5 System Reset On this page you can reset the switch to the default. All the settings will be cleared after the switch is reset. Choose the menu System→System Tools→System Reset to load the following page. Figure 4-17 System Reset Note: After the system is reset, the switch will be reset to the default and all the settings will be cleared.
  • Page 40 Choose the menu System→Access Security→Access Control to load the following page. Figure 4-18 Access Control The following entries are displayed on this screen: Access Control Config Control Mode: Select the control mode for users to log on to the Web management page.
  • Page 41: SSL Config

    Port: The field can be available for configuration only when Port-based mode is selected. Only the users connected to these ports you set here are allowed for login. Session Config Session Timeout: If you do nothing with the Web management page within the timeout time, the system will log out automatically.
  • Page 42: SSH Config

    On this page you can configure the SSL function. Choose the menu System→Access Security→SSL Config to load the following page. Figure 4-19 SSL Config The following entries are displayed on this screen: Global Config SSL: Enable/Disable the SSL function on the switch. Certificate Download ...
  • Page 43 an insecure network environment. It can encrypt all the transmission data and prevent the information in a remote management being leaked. Comprising server and client, SSH has two versions, V1 and V2 which are not compatible with each other. In the communication, SSH server and client can auto-negotiate the SSH version and the encryption algorithm.
  • Page 44 Key File: Select the desired key file to download. Download: Click the Download button to download the desired key file to the switch. Note: Please ensure the key length of the downloaded file is in the range of 256 to 3072 bits. After the Key File is downloaded, the user’s original key of the same type will be replaced.
  • Page 45 Application Example 2 for SSH: Network Requirements 1. Log on to the switch via key authentication using SSH and the SSH function is enabled on the switch. 2. PuTTY client software is recommended. Configuration Procedure 1. Select the key type and key length, and generate SSH key. Note: The key length is in the range of 512 to 3072 bits.
  • Page 46 2. After the key is successfully generated, please save the public key and private key to the computer. 3. On the Web management page of the switch, download the public key file saved in the computer to the switch. Note: The key type should accord with the type of the key file.
  • Page 47 5. Click Browse to download the private key file to SSH client software and click Open. After successful authentication, please enter the login user name. If you log on to the switch without entering password, it indicates that the key has been successfully loaded.
  • Page 48 Note: Following the steps above, you have already entered the User EXEC Mode of the switch. However, to configure the switch, you need a password to enter the Privileged EXEC Mode first. For a switch with factory settings, the Privileged EXEC Mode password can only be configured through the console connection.
  • Page 49: Chapter 5 Switching

    Chapter 5 Switching Switching module is used to configure the basic functions of the switch, including four submenus: Port, DDM, LAG, Traffic Monitor and MAC Address. 5.1 Port The Port function, allowing you to configure the basic features for the port, is implemented on the Port Config, Port Mirror, Port Security, Port Isolation and Loopback Detection pages.
  • Page 50: Port Mirror

    Status: Allows you to Enable/Disable the port. When Enable is selected, the port can forward the packets normally. Speed and Duplex: Select the Speed and Duplex mode for the port. The device connected to the switch should be in the same Speed and Duplex mode with the switch.
  • Page 51: Port Security

    The following entries are displayed on this screen. Mirroring Port Mirroring Port: Select a port from the pull-down list as the mirroring port. When disable is selected, the Port Mirror feature will be disabled. Mirrored Port Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered.
  • Page 52 Choose the menu Switching→Port→Port Security to load the following page. Figure 5-3 Port Security The following entries are displayed on this screen: Port Security Select: Select the desired port for Port Security configuration. It is multi-optional. Port: Displays the port number. Max Learned MAC: Specify the maximum number of MAC addresses that can be learned on the port.
  • Page 53: Port Isolation

    Note: The Port Security function is disabled for LAG member ports. Only after a port is removed from the LAG is the Port Security function available for that port. The Port Security function is disabled when the 802.1X function is enabled. 5.1.4 Port Isolation Port Isolation provides a method of restricting traffic flow to improve the network security by forbidding the port to forward packets to the ports that are not on its forward portlist.
  • Page 54: Loopback Detection

    5.1.5 Loopback Detection With loopback detection feature enabled, the switch can detect loops using loopback detection packets. When a loop is detected, the switch will display an alert or further block the corresponding port according to the port configuration. Choose the menu Switching→Port→LoopbackDetection to load the following page. Figure 5-5 Loopback Detection Config The following entries are displayed on this screen: Global Config...
  • Page 55: DDM

    Select: Select the desired port for Loopback Detection configuration. It is multi-optional. Port: Displays the port number. Status: Enable or disable Loopback Detection function for the port. Operation Mode: Select the mode how the switch processes the detected loops. Alert: When a loop is detected, display an alert. ...
  • Page 56: Temperature Threshold

    Choose the menu Switching→DDM→DDM Config to load the following page. Figure 5-6 DDM Config The following entries are displayed on this screen: Port Config Select: Select the desired port for configuration. It is multi-optional. Port: Displays the port number. DDM Status: Select Enable/Disable the DDM status of the port.
  • Page 57: Voltage Threshold

    The following entries are displayed on this screen: Port Config Select: Select the desired port for configuration. It is multi-optional. Port: Displays the port number. High Alarm: This is the highest threshold for the alarm. When the operating parameter rises above this value, action associated with the alarm will be taken.
  • Page 58: Bias Current Threshold

    High Warning: This is the highest threshold for the warning. When the operating parameter rises above this value, action associated with the warning will be taken. Low Warning: This is the lowest threshold for the warning. When the operating parameter falls below this value, action associated with the warning will be taken.
  • Page 59: Rx Power Threshold

    Figure 5-10 Tx Power Threshold The following entries are displayed on this screen: Port Config Select: Select the desired port for configuration. It is multi-optional. Port: Displays the port number. High Alarm: This is the highest threshold for the alarm. When the operating parameter rises above this value, action associated with the alarm will be taken.
  • Page 60: DDM Status

    Port: Displays the port number. High Alarm: This is the highest threshold for the alarm. When the operating parameter rises above this value, action associated with the alarm will be taken. Low Alarm: This is the lowest threshold for the alarm. When the operating parameter falls below this value, action associated with the alarm will be taken.
  • Page 61: LAG

    5.3 LAG LAG (Link Aggregation Group) is to combine a number of ports together to make a single high-bandwidth data path, so as to implement the traffic load sharing among the member ports in the group and to enhance the connection reliability. For the member ports in an aggregation group, their basic configuration must be the same.
  • Page 62 Choose the menu Switching→LAG→LAG Table to load the following page. Figure 5-13 LAG Table The following entries are displayed on this screen: Global Config Hash Algorithm: Select the applied scope of aggregate hash arithmetic, which results in choosing a port to transfer the packets. •...
  • Page 63: Static LAG

    Click the Detail button for the detailed information of your selected LAG. Figure 5-14 Detail Information 5.3.2 Static LAG On this page, you can manually configure the LAG. The LACP feature is disabled for the member ports of the manually added Static LAG. Choose the menu Switching→LAG→Static LAG to load the following page.
  • Page 64: LACP Config

    LAG Table Member Port: Select the port as the LAG member. Clearing all the ports of the LAG will delete this LAG. Tips: The LAG can be deleted by clearing all its member ports. A port can only be added to a LAG. If a port is the member of a LAG or is dynamically aggregated as the LACP member, the port number will be displayed in gray and cannot be selected.
  • Page 65 Choose the menu Switching→LAG→LACP Config to load the following page. Figure 5-16 LACP Config The following entries are displayed on this screen: Global Config System Priority: Specify the system priority for the switch. The system priority and MAC address constitute the system identification (ID). A lower system priority value indicates a higher system priority.
  • Page 66: Traffic Monitor

    Status: Enable/Disable the LACP feature for your selected port. LAG: Displays the LAG number which the port belongs to. 5.4 Traffic Monitor The Traffic Monitor function, monitoring the traffic of each port, is implemented on the Traffic Summary and Traffic Statistics pages. 5.4.1 Traffic Summary Traffic Summary screen displays the traffic information of each port, which facilitates you to monitor the traffic and analyze the network abnormity.
  • Page 67: Traffic Statistics

    Packets Tx: Displays the number of packets transmitted on the port. Octets Rx: Displays the number of octets received on the port. The error octets are counted in. Octets Tx: Displays the number of octets transmitted on the port. Statistics: Click the Statistics button to view the detailed traffic statistics of the port.
  • Page 68: MAC Address

    Sent: Displays the details of the packets transmitted on the port. Broadcast: Displays the number of good broadcast packets received or transmitted on the port. The error frames are not counted in. Multicast: Displays the number of good multicast packets received or transmitted on the port.
  • Page 69: Address Table

    The types and the features of the MAC Address Table are listed as the following: Being kept after reboot Relationship between the bound Configuration Aging Type MAC address and the port (if the configuration is saved) Static Manually The bound MAC address cannot be Address configuring learned by the other ports in the...
  • Page 70: Static Address

    Type: Select the type of your desired entry. All: This option allows the address table to display all the address entries. Static: This option allows the address table to display the static address entries only. Dynamic: This option allows the address table to display the ...
  • Page 71: Dynamic Address

    The following entries are displayed on this screen: Create Static Address MAC Address: Enter the static MAC Address to be bound. VLAN ID: Enter the corresponding VLAN ID of the MAC address. Port: Select a port from the pull-down list to be bound. Search Option ...
  • Page 72 On this page, you can configure the dynamic MAC address entry. Choose the menu Switching→MAC Address→Dynamic Address to load the following page. Figure 5-21 Dynamic Address The following entries are displayed on this screen: Aging Config Auto Aging: Allows you to Enable/Disable the Auto Aging feature. Aging Time: Enter the Aging Time for the dynamic address.
  • Page 73: Filtering Address

    Bind: Click the Bind button to bind the MAC address of your selected entry to the corresponding port statically. Tips: Setting aging time properly helps implement effective MAC address aging. An aging time that is too long or too short decreases the performance of the switch. If the aging time is too long, excessive invalid MAC address entries maintained by the switch may fill up the MAC address table.
  • Page 74 Filtering Address Table Select: Select the entry to delete the corresponding filtering address. It is multi-optional. MAC Address: Displays the filtering MAC Address. VLAN ID: Displays the corresponding VLAN ID. Port: Here the symbol “__” indicates no specified port. Type: Displays the Type of the MAC address.
  • Page 75: Chapter 6 VLAN

    Chapter 6 VLAN The traditional Ethernet is a data network communication technology basing on CSMA/CD (Carrier Sense Multiple Access/Collision Detect) via shared communication medium. Through the traditional Ethernet, the overfull hosts in LAN will result in serious collision, flooding broadcasts, poor performance or even breakdown of the Internet.
  • Page 76: 802.1Q VLAN

    6.1 802.1Q VLAN VLAN tags in the packets are necessary for the switch to identify packets of different VLANs. The switch works at the data link layer in OSI model and it can identify the data link layer encapsulation of the packet only, so you can add the VLAN tag field into the data link layer encapsulation for identification.
  • Page 77: VLAN Config

    PVID PVID (Port VLAN ID) is the default VID of the port. When the switch receives an un-VLAN-tagged packet, it will add a VLAN tag to the packet according to the PVID of its received port and forward the packets. When creating VLANs, the PVID of each port, indicating the default VLAN to which the port belongs, is an important parameter with the following two purposes: 1.
  • Page 78 To ensure the normal communication of the factory switch, the default VLAN of all ports is set to VLAN1. The following entries are displayed on this screen: VLAN Table VLAN ID Select: Click the Select button to quick-select the corresponding entry based on the VLAN ID number you entered.
  • Page 79: Port Config

    The following entries are displayed on this screen: VLAN Config VLAN ID: Enter the ID number of VLAN. Description: Give a description to the VLAN for identification. Check: Click the Check button to check whether the VLAN ID you entered is valid or not.
  • Page 80 Choose the menu VLAN→802.1Q VLAN→Port Config to load the following page. Figure 6-5 802.1Q VLAN – Port Config The following entries are displayed on this screen: VLAN Port Config Port Select: Click the Select button to quick-select the corresponding entry based on the port number you entered.
  • Page 81: MAC VLAN

    Click the Detail button to view the information of the corresponding VLAN. Figure 6-6 View the Current VLAN of Port The following entries are displayed on this screen: VLAN of Port VLAN ID Select: Click the Select button to quick-select the corresponding entry based on the VLAN ID number you entered.
  • Page 82: MAC VLAN

    received port. Thus, the packet is assigned automatically to the corresponding VLAN for transmission. When receiving tagged packet, the switch will process it basing on the 802.1Q VLAN. If the received port is the member of the VLAN to which the tagged packet belongs, the packet will be forwarded normally.
  • Page 83: Port Enable

    6.2.2 Port Enable On this page, you can enable the port for the MAC VLAN feature. Only when the port is enabled can the configured MAC VLAN take effect. Choose the menu VLAN→MAC VLAN→Port Enable to load the following page. Figure 6-8 Enable MAC VLAN for Port Select your desired port for VLAN Mapping function.
  • Page 84: Protocol VLAN

    Protocol Type Type value 0x8137 IS-IS 0x8000 LACP 0x8809 802.1X 0x888E Table 6-2 Protocol types in common use The packet in Protocol VLAN is processed in the following way: When receiving an untagged packet, the switch matches the packet with the current Protocol VLAN.
  • Page 85: Protocol Template

    Protocol VLAN Table Select: Select the desired entry. It is multi-optional. Protocol: Displays the protocol template of the VLAN. Ether Type: Displays the Ethernet protocol type field in the protocol template. VLAN ID: Displays the corresponding VLAN ID of the protocol. Operation: Click the Edit button to modify the settings of the entry.
  • Page 86: Port Enable

    6.3.3 Port Enable On this page, you can enable the port for the Protocol VLAN feature. Only when the port is enabled can the configured Protocol VLAN take effect. Choose the menu VLAN→Protocol VLAN→Port Enable to load the following page. Figure 6-11 Enable Protocol VLAN for Port Select your desired port for VLAN Mapping function.
  • Page 87 Switch B is connecting to PC B and Server A; PC A and Server A is in the same VLAN; PC B and Server B is in the same VLAN; PCs in the two VLANs cannot communicate with each other. ...
  • Page 88: Application Example For MAC VLAN

    6.5 Application Example for MAC VLAN Network Requirements Switch A and switch B are connected to meeting room A and meeting room B respectively, and the two rooms are for all departments; Notebook A and Notebook B, special for meeting room, are of two different departments; ...
  • Page 89: Application Example For Protocol VLAN

    Step Operation Description Configure MAC VLAN 10: On VLAN→MAC VLAN→MAC VLAN page, create MAC VLAN10 with the MAC address as 00-19-56-8A-4C-71. Configure MAC VLAN 20: On VLAN→MAC VLAN→MAC VLAN page, create MAC VLAN10 with the MAC address as 00-19-56-82-3B-70. Port Enable Required.
  • Page 90 IP host, in VLAN10, is served by IP server while AppleTalk host is served by AppleTalk server; Switch B is connected to IP server and AppleTalk server. Network Diagram Configuration Procedure Configure switch A Step Operation Description Configure Required.
  • Page 91: Vlan Vpn

    Step Operation Description Create Protocol Template: Required. On VLAN→Protocol VLAN→Protocol Template page, configure the protocol template practically. E.g. the Ether Type of IP network packets is 0800 and that of AppleTalk network packets is 809B. Port Enable: Required. On the VLAN→Protocol VLAN→Port Enable page, select and enable Port 3, Port 4 and Port 5 for Protocol VLAN feature.
  • Page 92: Vpn Config

    Protocol type and value: LACP 0x8809; 802.1X 0x888E. Table 6-3 Values of Ethernet frame protocol type in common use This VLAN VPN function is implemented on the VPN Config, VLAN Mapping and Port Enable pages. 6.7.1 VPN Config This page allows you to enable the VPN function, adjust the global TPID for VLAN-VPN packets and enable the VPN up-link port.
  • Page 93: Port Enable

    Choose the menu VLAN→VLAN VPN→VLAN Mapping to load the following page. Figure 6-13 Create VLAN Mapping Entry The following entries are displayed on this screen: VLAN Mapping Config: C VLAN: Enter the ID number of the Customer VLAN. C VLAN refers to the VLAN to which the packet received by switch belongs.
  • Page 94 Figure 6-14 Enable VLAN Mapping for Port Select your desired port for VLAN Mapping function. All the ports are disabled for VLAN Mapping function by default. Configuration Procedure of VLAN VPN Function: Step Operation Description Enable VPN mode. Required. On the VLAN→VLAN VPN→VPN Config page, enable the VPN mode.
  • Page 95: Private Vlan

    6.8 Private VLAN Private VLANs, designed to save VLAN resources of uplink devices and decrease broadcast, are sets of VLAN pairs that share a common primary identifier. To guarantee user information security and to make traffic management and accounting easier, service providers in campus networks usually require that each individual user is layer-2 separated.
  • Page 96 Packets from different Secondary VLANs can be forwarded to the uplink device via promiscuous port and carry no corresponding Secondary VLAN information. Packets from Primary VLANs can be sent to end users via host port and carry no Primary ...
  • Page 97 Port PVID Allowed VLANs Port5 VLAN5 Port2 VLAN2 Port3 VLAN3 Table 6-4 Port settings before configuration synchronization Port PVID Allowed VLANs Port5 VLAN2, 3, 5 Port2 VLAN2, 5 Port3 VLAN2, 5 Table 6-5 Port settings after configuration synchronization MAC address duplication: After port configuration synchronization, packets from Secondary ...
  • Page 98: Pvlan Config

    Packet forwarding in Private VLAN: The Private VLAN packet forwarding process (here we take traffic transmission for PC2) based on the figure above is illustrated as follows: PC2 sends out its first upstream packet with the source MAC as mac_2 and the destination MAC as mac_a.
  • Page 99: Port Config

    Choose the menu VLAN→Private VLAN→PVLAN Config to load the following page. Figure 6-16 Create Private VLAN The following entries are displayed on this screen: Create Private VLAN: Primary VLAN: Enter the ID number of the Primary VLAN. Secondary VLAN: Enter the ID number of the Secondary VLAN.
  • Page 100 Choose the menu VLAN→Private VLAN→Port Config to load the following page. Figure 6-17 Create and View Protocol Template The following entries are displayed on this screen: Port Config: Port: Select the desired port for configuration. Port Type: Select the Port Type from the pull-down list for the port. Primary VLAN: Specify the Primary VLAN the port belongs to.
  • Page 101: Gvrp

    Step Operation Description Delete VLAN. Optional. On the VLAN→Private VLAN→PVLAN Config page, select the desired entry to delete the corresponding VLAN by clicking the Delete button. 6.9 GVRP GVRP (GARP VLAN Registration Protocol) is an implementation of GARP (generic attribute registration protocol).
  • Page 102 LeaveAll Timer: Once a GARP entity starts up, it starts the LeaveAll timer, and sends out a LeaveAll message after the timer times out, so that other GARP entities can re-register all the attribute information on this entity. After that, the entity restarts the LeaveAll timer to begin a new cycle.
  • Page 103 Choose the menu VLAN→GVRP→GVRP Config to load the following page. Figure 6-18 GVRP Config Note: If the GVRP feature is enabled for a member port of LAG, please ensure all the member ports of this LAG are set to be in the same status and registration mode. The following entries are displayed on this screen: Global Config ...
  • Page 104: Application Example For Private Vlan

    LeaveAll Timer: Once the LeaveAll Timer is set, the port with GVRP enabled can send a LeaveAll message after the timer times out, so that other GARP ports can re-register all the attribute information. After that, the LeaveAll timer will start to begin a new cycle. The LeaveAll Timer ranges from 1000 to 30000 centiseconds.
  • Page 105 Network Diagram Configuration Procedure Configure switch A Step Operation Description Create VLAN6: Required. On VLAN→802.1Q VLAN→VLAN Config page, create a VLAN with its VLAN ID as 6, owning Port 1. Configure switch B Step Operation Description Create Private Required.
  • Page 106 Configure switch C Step Operation Description Create Private VLANs: Required. On the VLAN→Private VLAN→PVLAN Config page, enter the Primary VLAN 6 and Secondary VLAN 2-3, and then click the Create button. Promiscuous: Required. On the VLAN→Private VLAN→Port Config page, configure the port type of Port8 as Promiscuous, enter Primary VLAN 6 and Secondary VLAN 2-3, and click the Add button.
  • Page 107: Chapter 7 Spanning Tree

    Chapter 7 Spanning Tree STP (Spanning Tree Protocol), defined by the IEEE 802.1D standard, breaks loops in a ring network at the Data Link layer of a local network. Devices running STP discover loops in the network by exchanging information and block ports; in that way, a ring network is pruned into a loop-free tree topology, preventing packets from being duplicated and forwarded endlessly in the network.
  • Page 108 Figure 7-1 Basic STP diagram STP Timers: Hello Time: Hello Time ranges from 1 to 10 seconds. It specifies the interval to send BPDU packets. It is used to test the links. Max. Age: Max. Age ranges from 6 to 40 seconds. It specifies the maximum time the switch can wait without receiving a BPDU before attempting to reconfigure.
  • Page 109 Step Operation If the priority of the BPDU received on the port is lower than that of the BPDU of the port itself, the switch discards the BPDU and does not change the BPDU of the port. If the priority of the BPDU is higher than that of the BPDU of the port itself, the switch replaces the BPDU of the port with the received one and compares it with those of other ports on the switch to obtain the one with the highest priority.
  • Page 110 can transit to forwarding state after getting response from the downstream switch through handshake. RSTP Elements: Edge Port: Indicates the port connected directly to terminals. P2P Link: Indicates the link between two switches directly connected. MSTP (Multiple Spanning Tree Protocol), compatible with both STP and RSTP and subject to IEEE 802.1s standard, not only enables spanning trees to converge rapidly, but also enables packets of different VLANs to be forwarded along their respective paths so as to provide redundant links with a better load-balancing mechanism.
  • Page 111: Stp Config

    Port States: In an MSTP, ports can be in the following four states: Forwarding: In this status the port can receive/forward data, receive/send BPDU packets as well as learn MAC address. Learning: In this status the port can receive/send BPDU packets and learn MAC address. ...
  • Page 112 Choose the menu Spanning Tree→STP Config→STP Config to load the following page. Figure 7-4 STP Config The following entries are displayed on this screen: Global Config: STP: Enable/Disable STP function globally on the switch. Version: Select the desired STP version on the switch. ...
  • Page 113: Stp Summary

    Note: The forward delay parameter and the network diameter are correlated. A forward delay that is too small may result in temporary loops. A forward delay that is too large may leave the network unable to resume the normal state in time. The default value is recommended. An adequate hello time parameter can enable the switch to discover the link failures that occur in the network without occupying too much network resources.
  • Page 114: Port Config

    7.2 Port Config On this page you can configure the parameters of the ports for CIST. Choose the menu Spanning Tree→Port Config to load the following page. Figure 7-6 Port Config The following entries are displayed on this screen: Port Config ...
  • Page 115: Mstp Instance

    Port Role: Displays the role of the port played in the STP Instance. Root Port: Indicates the port that has the lowest path cost from this bridge to the Root Bridge and forwards packets to the root. Designated Port: Indicates the port that forwards packets to a ...
  • Page 116: Instance Config

    Figure 7-7 Region Config The following entries are displayed on this screen: Region Config: Region Name: Create a name for MST region identification using up to 32 characters. Revision: Enter the revision from 0 to 65535 for MST region identification. 7.3.2 Instance Config Instance Configuration, a property of MST region, is used to describe the VLAN to Instance mapping configuration.
  • Page 117: Instance Port Config

    Select: Select the desired Instance ID for configuration. It is multi-optional. Instance: Displays Instance ID of the switch. Status: Displays status of the instance. Priority: Enter the priority of the switch in the instance. It is an important criterion on determining if the switch will be chosen as the root bridge in the specific instance.
  • Page 118 Figure 7-9 Instance Port Config The following entries are displayed on this screen: Port Config: Instance ID: Select the desired instance ID for its port configuration. Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered. Select: Select the desired port to specify its priority and path cost.
  • Page 119: Stp Security

    Global configuration Procedure for Spanning Tree function: Step Operation Description Make clear roles the switches play in spanning tree instances: root bridge or designated bridge: Preparation. Globally configure MSTP parameters: Required. Enable Spanning Tree function on the switch and configure MSTP parameters on Spanning Tree→STP Config→STP Config page.
  • Page 120 its position and network topology jitter to occur. In this case, flows that should travel along high-speed links may lead to low-speed links, and network congestion may occur. To avoid this, MSTP provides root protect function. Ports with this function enabled can only be set as designated ports in all spanning tree instances.
  • Page 121: Tc Protect

    Figure 7-10 Port Protect The following entries are displayed on this screen: Port Protect: Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered. Select: Select the desired port for port protect configuration. It is multi-optional.
  • Page 122: Application Example For Stp Function

    Figure 7-11 TC Protect The following entries are displayed on this screen: TC Protect: TC Threshold: Enter a number from 1 to 100. It is the maximum number of the TC-BPDUs received by the switch in a TC Protect Cycle. The default value is 20.
  • Page 123 On Spanning Tree→STP Config→Port Config page, enable MSTP function for the port. Configure the region name and the revision of MST region: On Spanning Tree→MSTP Instance→Region Config page, configure the region as TP-LINK and keep the default revision setting. Configure VLAN-to-Instance Spanning Tree→MSTP...
  • Page 124 On Spanning Tree→STP Config→Port Config page, enable MSTP function for the port. Configure the region name and the revision of MST region: On Spanning Tree→MSTP Instance→Region Config page, configure the region as TP-LINK and keep the default revision setting. Spanning Tree→MSTP Instance→Instance...
  • Page 125 The configuration procedure for switch E and F is the same as that for switch D. The topology diagram of the two instances after the topology is stable: For Instance 1 (VLAN 101, 103 and 105), the red paths in the following figure are connected ...
  • Page 126: Chapter 8 Ethernet Oam

    Chapter 8 Ethernet OAM OAM Overview: Ethernet OAM (Operation, Administration, and Maintenance) is a Layer 2 protocol for monitoring and troubleshooting Ethernet networks. It can report the network status to network administrators through the OAMPDUs exchanged between two OAM entities, facilitating network management. Ethernet OAM is a slow protocol with very limited bandwidth requirement.
  • Page 127 Information OAMPDU: Information OAMPDU is used for discovery. It transmits the state information of an OAM entity (including local, remote, and organization-specific information) to another OAM entity, and maintains OAM connection. Event Notification OAMPDU: Event Notification OAMPDU is used for link monitoring. It is ...
  • Page 128 Item Active OAM mode Passive OAM mode Transmitting Loopback Control Available Unavailable OAMPDUs Available Responding to Loopback Control Available (if both sides operate OAMPDUs in active OAM mode) Transmitting organization-specific Available Available OAMPDUs Table 8-1 Differences between active OAM mode and passive OAM mode After an OAM connection is established, the OAM entities on both sides exchange Information OAMPDUs periodically to keep the OAM connection valid.
  • Page 129: Basic Config

    Information OAMPDUs are sent between the OAM entities periodically, an OAM entity can inform one of its OAM peers of link faults through Information OAMPDUs. So the network administrator can get informed of the link faults and take action in time. Remote Loopback Remote loopback helps to ensure the quality of links during installation or when troubleshooting.
  • Page 130 Figure 8-4 Basic Config The following entries are displayed on this screen: Basic Config: Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered. Select: Select the desired port for configuration. It is multi-optional. Mode: Select the OAM mode for the desired port.
  • Page 131: Discovery Info

    8.1.2 Discovery Info Choose the menu Ethernet OAM→ Basic Config→ Discovery Info to load the following page. Figure 8-5 Discovery Info The following entries are displayed on this screen: Local Client: The local client part shows the information of the local OAM entity. OAM: Displays whether the OAM function is enabled or disabled on the selected port.
  • Page 132 Link Monitoring: Displays whether the local client supports link monitoring function. Variable Request: Displays whether the local client supports variable request. If supports, the local client can send some variable requests to the remote client to learn about the link status from the response of the remote client.
  • Page 133: Link Monitoring

    Variable Request: Displays whether the remote client supports variable request. PDU Revision: Displays the TLV revision of the OAMPDU. Vendor Information: Displays the vendor information of the remote client. 8.2 Link Monitoring On this page, you can configure the parameters about OAM link events, including the threshold and the detection period.
  • Page 134: Rfi

    Threshold: Specify the threshold for the selected link event. For Symbol Period Error, it is the number of error symbols in the period that is required to be exceeded. For Frame Error, it is the number of error frames in the period ...
  • Page 135: Remote Loopback

    Select: Select the desired port for configuration. It is multi-optional. Dying Gasp Notify: Choose whether to notify the dying gasp or not. Critical Event Notify: Choose whether to notify the critical event or not. 8.4 Remote Loopback On this page, you can initiate remote loopback if the OAM connection is established and the local client works in active mode.
  • Page 136: Statistics

    Remote Loopback: To start or stop the remote loopback. 8.5 Statistics You can view the statistics about the detailed Ethernet OAM traffic information and event log information of a specific port here. 8.5.1 Statistics On this page, you can view the detailed Ethernet OAM traffic information of a specific port. The device will recount the numbers every time you click the clear button or the device is rebooted.
  • Page 137: Event Log

    Variable Request OAMPDUs: Displays the number of variable request OAMPDUs that have been transmitted or received on the port. Variable Response OAMPDUs: Displays the number of variable response OAMPDUs that have been transmitted or received on the port. Loopback Control OAMPDUs: Displays the number of loopback control OAMPDUs that have been transmitted or received on the port.
  • Page 138: Dldp

    Error Frame Event: Displays the number of error frame link events that have occurred on the local link or remote link. Error Frame Period Event: Displays the number of error frame period link events that have occurred on the local link or remote link. Error Frame Seconds Event: Displays the number of error frame seconds link events that have...
  • Page 139 State Description Advertisement This state indicates that no unidirectional link is detected, which includes two kinds of situations: 1. This device establishes bidirectional links with all its neighbors. 2. DLDP remains in Active state for more than 5 seconds. Probe A device enters this state from the Active state if it receives a packet from an unknown neighbor.
  • Page 140 The typical bidirectional link detection process is 2 → 4 → 5, and the typical unidirectional link detection process is 2 → 4 → On the DLDP page, you can enable the DLDP state globally and configure the interval of the advertisement packets and the port shutdown mode.
  • Page 141: Application Example For Dldp

    Shut Mode: Once detecting a unidirectional link, the port can be shut down in one of the following two modes: • Auto: In this mode, DLDP generates logs and traps and shuts down corresponding port detecting unidirectional links, and the DLDP link state transits to Disable.
  • Page 142 2. The unidirectional link should be disconnected once being detected, and the ports shut down by DLDP can be restored after the fiber pairs are correctly connected. Network Diagram Figure 8-13 DLDP Application Example Configuration Procedure Step Operation Description Enable DLDP globally.
  • Page 143 After these four ports are correctly connected, select ports 1/0/27 and 1/0/28 in the Port Config table and click the Reset button to restore their state from Disable.
  • Page 144: Chapter 9 Dhcp

    Chapter 9 DHCP DHCP (Dynamic Host Configuration Protocol) is a client-server protocol which is widely used in LAN environments to dynamically assign host IP addresses from a centralized server. As workstations and personal computers proliferate on the Internet, the administrative complexity of maintaining a network is increased by an order of magnitude.
  • Page 145 The Process of DHCP: DHCP uses UDP as its transport protocol. DHCP messages from a client to a server are sent to the 'DHCP server' port (67), and DHCP messages from a server to a client are sent to the 'DHCP client' port (68).
  • Page 146 for the fields given in the figure will be used throughout this document to refer to the fields in DHCP messages. Figure 9-3 The Format of DHCP Message op: Message type, ‘1’ = BOOT-REQUEST, ‘2’ = BOOT-REPLY. htype: Hardware address type, '1' for ethernet. hlen: Hardware address length, '6' for ethernet.
  • Page 147 14) file: Boot file name, null terminated string, "generic" name or null in DHCPDISCOVER, fully qualified directory-path name in DHCPOFFER. 15) options: Optional parameters field. See the options documents (RFC 2132) for a list of defined options. We will introduce some familiar options in the next section. DHCP Option ...
  • Page 148: Dhcp Relay

    IP address from the DHCP server in another VLAN. Details of DHCP Relay on T2500-28TC: A typical application of T2500-28TC working at DHCP Relay function is shown below. It can be altered to meet the network requirement. Figure 9-5 DHCP Relay Application To allow all clients in different VLANs to request IP address from one server successfully, the DHCP Relay function can transmit the DHCP packets between clients and server in different VLANs.
  • Page 149 When receiving DHCP-OFFER and DHCP-ACK packets from the server, the switch will delete the option 82 information and forward the packets to the port which receives the request. The process is shown as follows. Figure 9-6 DHCP Relay Process DHCP Relay Configuration ...
  • Page 150 Note: The option 82 parameters configured on the switch should be based on and meet the requirement of the network. The DHCP Relay, allowing the clients to get the IP address from the server in another VLAN, is implemented on the DHCP Relay page. Choose the menu DHCP→DHCP Relay→DHCP Relay to load the following page.
  • Page 151 Existed Option 82 Field: Select the operation for the existed Option 82 field of the DHCP request packets from the Host. Keep: Indicates to keep the Option 82 field of the packets. Replace: Indicates to replace the Option 82 field of the ...
  • Page 152: Chapter 10 Multicast

    Chapter 10 Multicast Multicast Overview: In the network, packets are sent in three modes: unicast, broadcast and multicast. In unicast, the source server sends a separate copy of the information to each receiver. When a large number of users require this information, the server must send many pieces of information with the same content to the users.
  • Page 153 IPv4 Multicast Address: 1. IPv4 Multicast IP Address: As specified by IANA (Internet Assigned Numbers Authority), Class D IP addresses are used as destination addresses of multicast packets. The multicast IP addresses range from 224.0.0.0–239.255.255.255. The following table displays the range and description of several special multicast IP addresses.
  • Page 154 Flags have 4 bits. The high-order flag is reserved, and must be initialized to 0. T=0 indicates a permanently-assigned multicast address assigned by the Internet Assigned Numbers Authority (IANA). T=1 indicates a non-permanently-assigned multicast address. Scope is a 4-bit value used to limit the scope of the multicast group. The values are as follows: Value Indication reserved...
  • Page 155 The IPv6 solicited-node multicast address has the prefix FF02:0:0:0:0:1:FF00:0000/104 concatenated with the 24 low-order bits of a corresponding IPv6 unicast or anycast address. 2. IPv6 Multicast MAC Address The high-order 16 bits of an IPv6 multicast MAC address are 0x3333, while the low-order 32 bits of an IPv6 multicast MAC address are the low-order 32 bits of the IPv6 multicast IP address.
  • Page 156: Igmp Snooping

    selectively forwarded to a list of ports that want to receive the data, instead of being flooded to all ports in a VLAN. The list is constructed and maintained by snooping IPv6 multicast control packets. MLD snooping performs a similar function in IPv6 as IGMP snooping in IPv4. The Multicast module is mainly for multicast management configuration of the switch, including three submenus: IGMP Snooping, MLD Snooping and Multicast Table.
  • Page 157: Snooping Config

    times out. The host, running IGMPv2 or IGMPv3, sends IGMP leave message when leaving a multicast group to inform the multicast router of its leaving. When receiving IGMP leave message, the switch will forward IGMP group-specific-query message to check if other members in the multicast group of the port need this multicast and reset the member port time to the leave time.
  • Page 158: Vlan Config

    The following entries are displayed on this screen: Global Config: IGMP Snooping: Enable/Disable IGMP Snooping function globally on the switch. Unknown Multicast: Select the operation for the switch to process unknown multicast, Forward or Discard. IGMP Snooping Status: Description: Displays IGMP Snooping status.
  • Page 159: Port Config

    Static Router Ports: Enter the static router port which is mainly used in the network with stable topology. VLAN Table: VLAN ID Select: Click the Select button to quick-select the corresponding VLAN ID based on the ID number you entered. Select: Select the desired VLAN ID for configuration.
  • Page 160 Figure 10-7 Port Config The following entries are displayed on this screen: Port Config: Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered. Select: Select the desired port for IGMP Snooping feature configuration. It is multi-optional.
  • Page 161: Ip-Range

    Note: Fast Leave on the port is effective only when the host supports IGMPv2 or IGMPv3. When both Fast Leave feature and Unknown Multicast Discard feature are enabled, the leaving of a user connected to a port shared by multiple users will interrupt the multicast service of the other users.
  • Page 162: Multicast Vlan

    10.1.5 Multicast VLAN In old multicast transmission mode, when users in different VLANs apply to join the same multicast group, the multicast router will duplicate this multicast information and deliver one copy to each VLAN owning a receiver. This mode wastes a lot of bandwidth. The problem above can be solved by configuring a multicast VLAN.
  • Page 163 Router Ports: Enter the static router port which is mainly used in the network with stable topology. Replace Source IP: Specify the source IP which will replace the source of IGMP Request in multicast vlan. Note: The router port should be in the multicast VLAN, otherwise the member ports cannot receive multicast streams.
  • Page 164 Switch: Port 3 is connected to the router and the packets are transmitted in VLAN3; port 4 is connected to user A and the packets are transmitted in VLAN4; port 5 is connected to user B and the packets are transmitted in VLAN5. User A: Connected to Port 4 of the switch.
  • Page 165: Static Multicast Ip

    10.1.6 Static Multicast IP Static Multicast IP table, isolated from dynamic multicast group and multicast filter, is not learned by IGMP Snooping. It can enhance the quality and security for information transmission in some fixed multicast groups. Choose the menu Multicast→IGMP Snooping→Static Multicast IP to load the following page. Figure 10-10 Static Multicast IP Table The following entries are displayed on this screen: Create Static Multicast...
  • Page 166: Packet Statistics

    10.1.7 Packet Statistics On this page you can view the multicast data traffic on each port of the switch, which helps you monitor the IGMP messages in the network. Choose the menu Multicast→IGMP Snooping→Packet Statistics to load the following page. Figure 10-11 Packet Statistics The following entries are displayed on this screen: Auto Refresh...
  • Page 167: Querier Config

    Error Packet: Displays the number of error packets the port received. 10.1.8 Querier Config In an IPv4 multicast network that runs IGMP, a Layer 3 multicast device works as an IGMP querier to send IGMP queries and manage the multicast table. But IGMP is not supported by the devices in Layer 2 network.
  • Page 168: Igmp Authentication

    Last Member Query Times: Enter the times of sending specific query frames by IGMP Snooping Querier. On receiving a leave frame, a specific query frame will be sent by IGMP Snooping Querier. If a report frame is received before sending specific frames number reaches "Last Member Query Times", the switch will still treat the port as group member and stop sending specific query frames to the port, otherwise the port will be removed from forward-ports of the IP...
  • Page 169: Mld Snooping

    Figure 10-13 IGMP Authentication The following entries are displayed on this screen: IGMP Authentication: Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered. Select: Select the desired port for IGMP Authentication feature configuration.
  • Page 170 The switch, running MLD Snooping, listens to the MLD messages transmitted between the host and the router, and tracks the MLD messages and the registered port. When receiving MLD report message, the switch adds the port to the multicast address table; when the switch listens to MLD Done message from the host, the router sends the Multicast-Address-Specific Query message of the port to check if other hosts need this multicast, if yes, the switch will receive MLD report message;...
  • Page 171: Global Config

    port will be processed: if the receiving port is a new member port, it will be added to the forward list of the multicast group with its member port aging time specified; if the receiving port is already a member port, its member port aging time will be directly reset. Member Leave The host will send MLD Done message when leaving a multicast group to inform the router of its leaving.
  • Page 172: Vlan Config

    Report Message Suppression: Enable or disable Report Message Suppression function globally. If this function is enabled, the first Report Message from the listener will forward to the router ports while the subsequent Report Message from the group will be suppressed to reduce the MLD traffic in the network.
  • Page 173 Figure 10-15 VLAN Config The following entries are displayed on this screen: VLAN Config: VLAN ID: Enter the VLAN ID you want to configure. Router Port Aging Time: Enter the router port aging time for this VLAN. It will override the global configured aging time.
  • Page 174: Filter Config

    2. When the router port aging time or member port aging time is set for a VLAN, this value overrides the value configured globally. 3. You should only use the Immediate-Leave feature when there is a single receiver present on every port in the VLAN.
  • Page 175: Static Multicast

    Figure 10-17 Port Config The following entries are displayed on this screen: Port Config: Select: Select the port you want to configure. Port: Displays the port number. Filter: Choose to enable or disable filter function in this port. Filter Mode: Choose the filter action mode.
  • Page 176: Querier Config

    Figure 10-18 Static Multicast The following entries are displayed on this screen: Static Multicast Config: VLAN ID: Enter the VLAN ID. Multicast IP: Enter the multicast IP address. Member Ports: Enter the member ports of the static multicast group. Static Multicast List ...
  • Page 177: Packet Statistics

    The following entries are displayed on this screen: Querier Config: VLAN ID: Enter the VLAN ID which you want to start Querier. Maximum Response Time: Enter the value of Maximum Response Time field of the Query message. Query Interval: Enter the Query message interval time.
  • Page 178: Multicast Table

    Figure 10-20 Packet Statistics The following entries are displayed on this screen: Auto Fresh: Auto Fresh: Enable/Disable auto fresh feature. Fresh Period: Enter the time from 3 to 300 seconds to specify the auto fresh period. MLD Packet Statistics ...
  • Page 179: Ipv4 Multicast Table

    10.3.1 IPv4 Multicast Table On this page you can view the information of the multicast groups already on the switch. Multicast IP addresses range from 224.0.0.0 to 239.255.255.255. The range for receivers to join is from 224.0.1.0 to 239.255.255.255. Choose the menu Multicast→Multicast Table→IPv4 Multicast Table to load the following page. Figure 10-21 IPv4 Multicast Table The following entries are displayed on this screen: Search Option...
  • Page 180 Choose the menu Multicast→Multicast Table→IPv6 Multicast Table to load the following page. Figure 10-22 IPv6 Multicast Table The following entries are displayed on this screen: Search Option Multicast IP: Enter the multicast IP address the desired entry must carry. VLAN ID: Enter the VLAN ID the desired entry must carry.
  • Page 181: Chapter 11 Qos

    Chapter 11 QoS QoS (Quality of Service) functions to provide different quality of service for various network applications and requirements and optimize the bandwidth resource distribution so as to provide a network service experience of a better quality. This switch classifies the ingress packets, maps the packets to different priority queues and then forwards the packets according to specified scheduling algorithms to implement QoS function.
  • Page 182 2. 802.1P Priority Figure 11-2 802.1Q frame As shown in the figure above, each 802.1Q Tag has a Pri field, comprising 3 bits. The 3-bit priority field is 802.1p priority in the range of 0 to 7. 802.1P priority determines the priority of the packets based on the Pri value.
  • Page 183 Figure 11-4 SP-Mode WRR-Mode: Weight Round Robin Mode. In this mode, packets in all the queues are sent in order based on the weight value for each queue and every queue can be assured of a certain service time. The weight value indicates the occupied proportion of the resource. WRR queue overcomes the disadvantage of SP queue that the packets in the queues with lower priority cannot get service for a long time.
  • Page 184: Diffserv

    11.1 DiffServ This switch classifies the ingress packets, maps the packets to different priority queues and then forwards the packets according to specified scheduling algorithms to implement QoS function. This switch implements three priority modes based on port, on 802.1P and on DSCP, and supports four queue scheduling algorithms.
  • Page 185: Dscp Priority

    Configuration Procedure (Step / Operation / Description): Select the port priority: Required. On QoS→DiffServ→Port Priority page, configure the port priority. Configure mapping relation between the CoS priority and TC: Required. On QoS→DiffServ→802.1P/CoS mapping page, configure the mapping relation between the CoS and TC. Select a schedule mode: Required.
  • Page 186: P/Cos Mapping

    Priority Level DSCP: Indicates the priority determined by the DSCP region of IP datagram. It ranges from 0 to 63. Priority Level: Indicates the priority level the packets with tag are mapped to. The priority levels are labeled as TC0, TC1, TC2 and TC3. Note: To complete QoS function configuration, you have to go to the Schedule Mode page to select a schedule mode after the configuration is finished on this page.
  • Page 187: Schedule Mode

    The following entries are displayed on this screen: 802.1P Priority Config 802.1P Priority: Enable/Disable 802.1P Priority. Priority and CoS-mapping Config Tag-id/Cos-id: Indicates the precedence level defined by IEEE802.1P and the CoS ID. Queue TC-id: Indicates the priority level of egress queue the packets with tag and CoS-id are mapped to.
  • Page 188: Bandwidth Control

    WRR-Mode: Weight Round Robin Mode. In this mode, packets in all the queues are sent in order based on the weight value for each queue. The weight value ratio of TC0, TC1, TC2 and TC3 is 1:2:4:8. SP+WRR-Mode: Strict-Priority + Weight Round Robin Mode. In this mode, this switch provides two scheduling groups, SP group and WRR group.
  • Page 189: Storm Control

    The following entries are displayed on this screen: Rate Limit Config Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered. Select: Select the desired port for Rate configuration. It is multi-optional. Port: Displays the port number of the switch.
  • Page 190 Figure 11-11 Storm Control The following entries are displayed on this screen: Storm Control Config Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered. Select: Select the desired port for Storm Control configuration. It is multi-optional.
  • Page 191: Voice Vlan

    11.3 Voice VLAN Voice VLANs are configured specially for voice data stream. By configuring Voice VLANs and adding the ports with voice devices attached to voice VLANs, you can perform QoS-related configuration for voice data, ensuring the transmission priority of voice data stream and voice quality.
  • Page 192 Port Voice VLAN Mode / Voice Stream Type / Link type of the port and processing mode. TAG voice stream: ACCESS: Not supported. TRUNK: Supported. The default VLAN of the port cannot be voice VLAN. GENERAL: Supported. The default VLAN of the port cannot be voice VLAN and the egress rule of the access port in the voice VLAN should be TAG.
  • Page 193: Global Config

    Note: Don’t transmit voice stream together with other business packets in the voice VLAN except for some special requirements. The Voice VLAN function can be implemented on Global Config, Port Config and OUI Config pages. 11.3.1 Global Config On this page, you can configure the global parameters of the voice VLAN, including VLAN ID, aging time, the transmission priority of the voice packets and so on.
  • Page 194 Figure 11-13 Port Config Note: To enable voice VLAN function for the LAG member port, please ensure its member state accords with its port mode. If a port is a member port of voice VLAN, changing its port mode to be “Auto” will make the port leave the voice VLAN and will not join the voice VLAN automatically until it receives voice streams.
  • Page 195: Oui Config

    Member State: Displays the state of the port in the current voice VLAN. LAG: Displays the LAG number which the port belongs to. 11.3.3 OUI Config The switch supports OUI creation and adds the MAC address of the special voice device to the OUI table of the switch.
  • Page 196 Configuration Procedure of Voice VLAN (Step / Operation / Description): Configure the link type of the port: Required. On VLAN→802.1Q VLAN→Port Config page, configure the link type of ports of the voice device. Create VLAN: Required. On VLAN→802.1Q VLAN→Port Config page, click the Create button to create a VLAN. Add OUI address: Optional.
  • Page 197: Chapter 12 Acl

    Chapter 12 ACL ACL (Access Control List) is used to filter packets by configuring match rules and process policies of packets in order to control the access of the illegal users to the network. Besides, ACL functions to control traffic flows and save network resources. It provides a flexible and secured access control policy and facilitates you to control the network security.
  • Page 198: Time-Range Create

    12.1.2 Time-Range Create On this page you can create time-ranges. Choose the menu ACL→Time-Range→Time-Range Create to load the following page. Figure 12-2 Time-Range Create Note: To successfully configure time-ranges, please first specify time-slices and then time-ranges. The following entries are displayed on this screen: Create Time-Range ...
  • Page 199: Holiday Config

    12.1.3 Holiday Config Holiday mode is applied as a different secured access control policy from the week mode. On this page you can define holidays according to your work arrangement. Choose the menu ACL→Time-Range→Holiday Config to load the following page. Figure 12-3 Holiday Configuration The following entries are displayed on this screen: Create Holiday...
  • Page 200: Acl Create

    Choose the menu ACL→ACL Config→ACL Summary to load the following page. Figure 12-4 ACL Summary The following entries are displayed on this screen: Search Option Select ACL: Select the ACL you have created. ACL Type: Displays the type of the ACL you select. Rule Order: Displays the rule order of the ACL you select.
  • Page 201: Mac Acl

    12.2.3 MAC ACL MAC ACLs analyze and process packets based on a series of match conditions, which can be the source MAC addresses, destination MAC addresses, VLAN ID, and EtherType carried in the packets. Choose the menu ACL→ACL Config→MAC ACL to load the following page. Figure 12-6 Create MAC Rule The following entries are displayed on this screen: Create MAC-Rule...
  • Page 202: Extend-Ip Acl

    Choose the menu ACL→ACL Config→Standard-IP ACL to load the following page. Figure 12-7 Create Standard-IP Rule The following entries are displayed on this screen: Create Standard-IP Rule ACL ID: Select the desired Standard-IP ACL for configuration. Rule ID: Enter the rule ID. Operation: Select the operation for the switch to process packets which match the rules.
  • Page 203 Figure 12-8 Create Extend-IP Rule The following entries are displayed on this screen: Create Extend-IP Rule ACL ID: Select the desired Extend-IP ACL for configuration. Rule ID: Enter the rule ID. Operation: Select the operation for the switch to process packets which match the rules.
  • Page 204: Combined Acl

    S-Port: Configure TCP/IP source port contained in the rule when TCP/UDP is selected from the pull-down list of IP Protocol. D-Port: Configure TCP/IP destination port contained in the rule when TCP/UDP is selected from the pull-down list of IP Protocol. DSCP: Enter the DSCP information contained in the rule.
  • Page 205: Policy Config

    Operation: Select the operation for the switch to process packets which match the rules. Permit: Forward packets. Deny: Discard Packets. S-MAC: Enter the source MAC address contained in the rule. D-MAC: Enter the destination MAC address contained in the rule. Mask: Enter IP address mask.
  • Page 206: Policy Create

    The following entries are displayed on this screen: Search Options Select Policy: Select name of the desired policy for view. If you want to delete the desired policy, please click the Delete button. Action Table Select: Select the desired entry to delete the corresponding policy. Index: Enter the index of the policy.
  • Page 207 Figure 12-11 Action Create The following entries are displayed on this screen: Create Action Select Policy: Select the name of the policy. Select ACL: Select the ACL for configuration in the policy. S-Mirror: Select S-Mirror to mirror the data packets in the policy to the specific port.
  • Page 208: Policy Binding

    12.4 Policy Binding Policy Binding function can have the policy take its effect on a specific port/VLAN. The policy will take effect only when it is bound to a port/VLAN. In the same way, the port/VLAN will receive the data packets and process them based on the policy only when the policy is bound to the port/VLAN.
  • Page 209: Vlan Binding

    Figure 12-13 Bind the policy to the port The following entries are displayed on this screen: Port-Bind Config Policy Name: Select the name of the policy you want to bind. Port: Enter the number of the port you want to bind. Port-Bind Table ...
  • Page 210: Application Example For Acl

    VLAN ID: Displays the ID of the VLAN bound to the corresponding policy. Direction: Displays the binding direction. Configuration Procedure (Step / Operation / Description): Configure effective time-range: Required. On ACL→Time-Range configuration pages, configure the effective time-ranges for ACLs. Configure ACL rules: Required.
  • Page 211 Configuration Procedure (Step / Operation / Description): Configure Time-range: On ACL→Time-Range page, create a time-range named work_time. Select Week mode and configure the week time from Monday to Friday. Add a time-slice 08:00–18:00. Configure for requirement 1: On ACL→ACL Config→ACL Create page, create ACL 11. On ACL→ACL Config→MAC ACL page, select ACL 11, create Rule 1, configure...
  • Page 212: Chapter 13 Network Security

    Chapter 13 Network Security Network Security module is to provide the multiple protection measures for the network security, including six submenus: IP-MAC Binding, DHCP Snooping, ARP Inspection, IP Source Guard, DoS Defend, 802.1X and PPPoE Config. Please configure the functions appropriate to your need.
  • Page 213: Manual Binding

    The following entries are displayed on this screen: Search Option Source: Select a Source from the pull-down list and click the Search button to view your desired entry in the Binding Table. • All: All the bound entries will be displayed. •...
  • Page 214 Choose the menu Network Security→IP-MAC Binding→Manual Binding to load the following page. Figure 13-2 Manual Binding The following entries are displayed on this screen: Manual Binding Option Host Name: Enter the Host Name. IP Address: Enter the IP Address of the Host. MAC Address: Enter the MAC Address of the Host.
  • Page 215: Arp Scanning

    13.1.3 ARP Scanning ARP (Address Resolution Protocol) is used to analyze and map IP addresses to the corresponding MAC addresses so that packets can be delivered to their destinations correctly. IP address is the address of the Host on Network layer. MAC address, the address of the Host on Data link layer, is necessary for the packet to reach the very device.
  • Page 216: Dhcp Snooping

    Choose the menu Network Security→IP-MAC Binding→ARP Scanning to load the following page. Figure 13-4 ARP Scanning The following entries are displayed on this screen: Scanning Option Start IP Address: Specify the Start IP Address. End IP Address: Specify the End IP Address. VLAN ID: Enter the VLAN ID.
  • Page 217 network configuration protocol optimized and developed based on the BOOTP, functions to solve the above mentioned problems. DHCP Working Principle DHCP works via the “Client/Server” communication mode. The Client applies to the Server for configuration. The Server assigns the configuration information, such as the IP address, to the Client, so as to achieve dynamic use of network resources.
  • Page 218 DHCP-OFFER Stage: Upon receiving the DHCP-DISCOVER packet, the DHCP Server selects an IP address from the IP pool according to the assigning priority of the IP addresses and replies to the Client with DHCP-OFFER packet carrying the IP address and other information.
  • Page 219 Figure 13-7 DHCP Cheating Attack Implementation Procedure DHCP Snooping feature only allows the port connected to the DHCP Server as the trusted port to forward DHCP packets and thereby ensures that users get proper IP addresses. DHCP Snooping is to monitor the process of the Host obtaining the IP address from DHCP server, and record the IP address, MAC address, VLAN and the connected Port number of the Host for automatic binding.
  • Page 220: Dhcp Snooping

    13.2.1 DHCP Snooping Choose the menu Network Security→DHCP Snooping→DHCP Snooping to load the following page. Figure 13-8 DHCP Snooping Note: If you want to enable the DHCP Snooping feature for the member port of LAG, please ensure the parameters of all the member ports are the same. The following entries are displayed on this screen: DHCP Snooping Config ...
  • Page 221: Option 82

    Port Config Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered. Select: Select your desired port for configuration. It is multi-optional. Port: Displays the port number. Trusted Port: Enable/Disable the port to be a Trusted Port. Only the Trusted Port can receive the DHCP packets from DHCP servers.
  • Page 222: Arp Inspection

    Option 82 Support: Enable/Disable the Option 82 feature. Existed Option 82 field: Select the operation for the Option 82 field of the DHCP request packets from the Host. • Keep: Indicates to keep the Option 82 field of the packets. • Replace: Indicates to replace the Option 82 field of the...
  • Page 223 As shown in the above figure, the attacker sends the fake ARP packets with a forged Gateway address to the normal Host, and then the Host will automatically update the ARP table after receiving the ARP packets. When the Host tries to communicate with Gateway, the Host will encapsulate this false destination MAC address for packets, which results in a breakdown of the normal communication.
  • Page 224 Figure 13-12 ARP Attack – Cheating Terminal Hosts As shown in the above figure, the attacker sends the fake ARP packets of Host A to Host B, and then Host B will automatically update its ARP table after receiving the ARP packets. When Host B tries to communicate with Host A, it will encapsulate this false destination MAC address for packets, which results in a breakdown of the normal communication.
  • Page 225: Arp Detect

    Suppose there are three Hosts in LAN connected with one another through a switch. Host A: IP address is 192.168.0.101; MAC address is 00-00-00-11-11-11. Host B: IP address is 192.168.0.102; MAC address is 00-00-00-22-22-22. Attacker: IP address is 192.168.0.103; MAC address is 00-00-00-33-33-33. First, the attacker sends the false ARP response packets.
  • Page 226 Choose the menu Network Security→ARP Inspection→ARP Detect to load the following page. Figure 13-14 ARP Detect The following entries are displayed on this screen: ARP Detect ARP Detect: Enable/Disable the ARP Detect function, and click the Apply button to apply. Trusted Port ...
  • Page 227: Arp Defend

    13.3.2 ARP Defend With the ARP Defend enabled, the switch can terminate receiving the ARP packets for 300 seconds when the transmission speed of the legal ARP packet on the port exceeds the defined value so as to avoid ARP Attack flood. Choose the menu Network Security→ARP Inspection→ARP Defend to load the following page.
  • Page 228: Arp Statistics

    13.3.3 ARP Statistics ARP Statistics feature displays the number of the illegal ARP packets received on each port, which facilitates you to locate the network malfunction and take the related protection measures. Choose the menu Network Security→ARP Inspection→ARP Statistics to load the following page.
  • Page 229: Dos Defend

    Choose the menu Network Security→IP Source Guard to load the following page. Figure 13-17 IP Source Guard The following entries are displayed on this screen: IP Source Guard Config Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered.
  • Page 230 packets may incur a breakdown of the network. The switch can defend several types of DoS attack listed in the following table. DoS Attack Type Description Land Attack The attacker sends a specific fake SYN packet to the destination Host. Since both the source IP address and the destination IP address of the SYN packet are set to be the IP address of the Host, the Host will be trapped in an endless circle for building the initial connection.
  • Page 231: Dos Defend

    DoS Attack Type Description Ping Of Death ICMP ECHO Request Packet whose sum of "Fragment Offset" and "Total Length" fields in the IP header is greater than 65535 may cause Ping of Death attack. As the maximum packet length of an IPv4 packet including the IP header is 65,535 bytes, many computer systems could not properly handle this malformed or malicious ICMP ECHO Request Packet.
  • Page 232: Dos Detect

    Defend Type: Displays the Defend Type name. Attack Count: Displays the count of the corresponding attack. 13.5.2 DoS Detect DoS Detect functions to detect the details of the DoS attack packets, based on which you can quickly locate the attacker in the local network. Choose the menu Network Security→DoS Defend→DoS Detect to load the following page.
  • Page 233 Note that the client program must support the 802.1X authentication protocol. Authenticator System: The authenticator system is usually an 802.1X-supported network device, such as this TP-LINK switch. It provides the physical or logical port for the supplicant system to access the LAN and authenticates the supplicant system.
  • Page 234 802.1X client program to initiate an 802.1X authentication through the sending of an EAPOL-Start packet to the switch. This TP-LINK switch can authenticate supplicant systems in EAP relay mode or EAP terminating mode. The following illustration of these two modes will take the 802.1X authentication procedure initiated by the supplicant system for example.
  • Page 235 Upon receiving the key (encapsulated in an EAP-Request/MD5 Challenge packet) from the switch, the client program encrypts the password of the supplicant system with the key and sends the encrypted password (contained in an EAP-Response/MD5 Challenge packet) to the RADIUS server through the switch. (The encryption is irreversible.) The RADIUS server compares the received encrypted password (contained in a RADIUS Access-Request packet) with the locally-encrypted password.
  • Page 236: Global Config

    packet to the supplicant system if the supplicant system fails to respond in the specified timeout period. RADIUS server timer (Server Timeout): This timer is triggered by the switch after the switch sends an authentication request packet to RADIUS server. The switch will resend the authentication request packet if the RADIUS server fails to respond in the specified timeout period.
  • Page 237 Choose the menu Network Security→802.1X→Global Config to load the following page. Figure 13-23 Global Config The following entries are displayed on this screen: Global Config 802.1X: Enable/Disable the 802.1X function. Auth Method: Select the Authentication Method from the pull-down list. • EAP-MD5: IEEE 802.1X authentication system...
  • Page 238: Port Config

    supplicant during the Quiet Period. Retry Times: Specify the maximum transfer times of the repeated authentication request. Supplicant Timeout: Specify the maximum time for the switch to wait for the response from supplicant before resending a request to the supplicant. 13.6.2 Port Config On this page, you can configure the 802.1X features for the ports basing on the actual network.
  • Page 239: Aaa

    Install 802.1X client software. install the TP-LINK 802.1X Client provided on the CD. Please refer to the software guide in the same directory with the software for more information. Configure the 802.1X globally. Required. By default, the global 802.1X function is disabled.
  • Page 240: Global Config

    Username and password pairs are used for login and privilege authentication. The authentication can be processed locally in the switch or centrally in the RADIUS/TACACS+ server(s). The local authentication username and password pairs can be configured in 4.2 User Management. Applicable Access Application ...
  • Page 241: Privilege Elevation

    Click Enable to enable the AAA function globally. 13.7.2 Privilege Elevation This page is used to elevate the current logged-in user from guest to admin and gain administrator level privileges. The authentication password is possibly authenticated in RADIUS/TACACS+ servers, user-defined server groups or local on the switch. Choose the menu Network Security→AAA→Global Config to load the following page.
  • Page 242: Tacacs+ Server Config

    View, edit and delete the configured RADIUS servers in the Server list. Entry Description: Server IP: Enter the IP of the server running the RADIUS secure protocol. Shared Key: Enter the shared key between the RADIUS server and the switch. The RADIUS server and the switch use the key string to encrypt passwords and exchange responses.
  • Page 243: Authentication Server Group Config

    Port: Specify the TCP port used on the TACACS+ server for AAA. 13.7.5 Authentication Server Group Config On this page users can group authentication servers running the same secure protocol for authentication. The switch has two built-in authentication server groups, one for RADIUS and the other for TACACS+.
  • Page 244: Authentication Method List Config

    Note: The two built-in server groups radius and tacacs cannot be deleted or edited. Up to 16 servers can be added to one server group. 13.7.6 Authentication Method List Config Before you configure AAA authentication on a certain application, you should define an authentication method list first.
  • Page 245: Application Authentication List Config

    3) Configure the authentication method with priorities. The options are local, none, radius, tacacs or user-defined server groups. View and delete the configured method priority list in the Authentication Login Method List and Authentication Enable Method List. Entry Description: ...
  • Page 246: Authentication Server Config

    2) Configure the authentication method list from the Login List drop-down menu. This option defines the authentication method for users accessing the switch. 3) Configure the authentication method list from the Enable List drop-down menu. This option defines the authentication method for users requiring the administrator privilege. Entry Description: ...
  • Page 247: Pppoe Config

    Feature / Default Settings. RADIUS server: Auth port is 1812. Acct port is 1813. Retransmit is 2 times. Timeout is 5 seconds. TACACS+ server: Communication port is 1812. Timeout is 5 seconds. Server group: Two server groups are preset: radius and tacacs. All RADIUS servers are added in the server group radius.
  • Page 248 The PPPoE discovery process is illustrated below: The client sends PADI (PPPoE Active Discovery Initiation) packets to the switch. The switch intercepts PADI packets and inserts a unique Circuit-ID tag to them. The switch forwards the PADI packets with Circuit-ID tag to the BRAS. The BRAS responds with the PADO (PPPoE Active Discovery Offer) packets after receiving the PADI packets.
  • Page 249 The following entries are displayed on this screen: Global Config PPPoE Circuit-ID Insertion: Enable/Disable the PPPoE Circuit-ID Insertion function globally. Port Config Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered. Select: Select the desired port for configuration.
  • Page 250: Chapter 14 Snmp

    Chapter 14 SNMP SNMP Overview SNMP (Simple Network Management Protocol) has gained the most extensive application on the UDP/IP networks. SNMP provides a management frame to monitor and maintain the network devices. It is used for automatically managing the various network devices no matter the physical differences of the devices.
  • Page 251 failing to pass community name authentication are discarded. The community name can limit access to SNMP Agent from SNMP NMS, functioning as a password. SNMP v2c: SNMP v2c also adopts community name authentication. It is compatible with SNMP v1 while extending the functions of SNMP v1. SNMP v3: Based on SNMP v1 and SNMP v2c, SNMP v3 greatly enhances the security and manageability.
  • Page 252: Snmp Config

    SNMP module is used to configure the SNMP function of the switch, including three submenus: SNMP Config, Notification and RMON. 14.1 SNMP Config The SNMP Config can be implemented on the Global Config, SNMP View, SNMP Group, SNMP User and SNMP Community pages. 14.1.1 Global Config To enable SNMP function, please configure the SNMP function globally on this page.
  • Page 253: Snmp View

    14.1.2 SNMP View The OID (Object Identifier) of the SNMP packets is used to describe the managed objects of the switch, and the MIB (Management Information Base) is the set of the OIDs. The SNMP View is created for the SNMP management station to manage MIB objects. Choose the menu SNMP→SNMP Config→SNMP View to load the following page.
  • Page 254 Choose the menu SNMP→SNMP Config→SNMP Group to load the following page. Figure 14-5 SNMP Group The following entries are displayed on this screen: Group Config Group Name: Enter the SNMP Group name. The Group Name, Security Model and Security Level compose the identifier of the SNMP Group. These three items of the Users in one group should be the same.
  • Page 255: Snmp User

    Group Table Select: Select the desired entry to delete the corresponding group. It's multi-optional. Group Name: Displays the Group Name here. Security Model: Displays the Security Model of the group. Security Level: Displays the Security Level of the group. Read View: Displays the Read View name in the entry.
  • Page 256 User Type: Select the type for the User. • Local User: Indicates that the user is connected to a local SNMP engine. • Remote User: Indicates that the user is connected to a remote SNMP engine. Group Name: Select the Group Name of the User. The User is classified to the corresponding Group according to its Group Name, Security Model and Security Level.
  • Page 257: Snmp Community

    14.1.5 SNMP Community SNMP v1 and SNMP v2c adopt community name authentication. The community name can limit access to the SNMP agent from SNMP network management station, functioning as a password. If SNMP v1 or SNMP v2c is employed, you can directly configure the SNMP Community on this page without configuring SNMP Group and User.
  • Page 258 Configuration Procedure: If SNMPv3 is employed, please take the following steps (Step / Operation / Description): Enable SNMP function globally. Required. On the SNMP→SNMP Config→Global Config page, enable SNMP function globally. Create SNMP View. Required. On the SNMP→SNMP Config→SNMP View page, create SNMP View of the management agent.
  • Page 259: Notification

    14.2 Notification With the Notification function enabled, the switch can proactively report to the management station about the important events that occur on the Views (e.g., the managed device is rebooted), which allows the management station to monitor and process the events in time. The notification information includes the following two types: Trap:...
  • Page 260: Traps Config

    Security Level: Select the Security Level for the SNMP v3 User. • noAuthNoPriv: No authentication and no privacy security level are used. • authNoPriv: Only the authentication security level is used. • authPriv: Both the authentication and the privacy security levels are used.
  • Page 261 Figure 14-9 Traps Config The following entries are displayed on this screen: SNMP Traps SNMP Authentication: If selected, the switch will send an SNMP Authentication trap when a received SNMP request fails the authentication. Coldstart: If selected, the switch will send a Coldstart trap when it is rebooted with the SNMP function enabled.
  • Page 262 Flash Operation: If selected, the switch will send a Flash Operation trap when a flash operation occurs. The flash operations include firmware upgrading, system resetting, config restoring and config saving. VLAN Create/Delete: If selected, the switch will send a VLAN Create/Delete trap when a VLAN is being created or deleted.
  • Page 263: Rmon

    DDM Rx Power: If selected, the switch will send a DDM Rx Power trap when the value of DDM Rx power exceeds the threshold. Port Traps Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered. Select: Select your desired port for configuration.
  • Page 264: History Control

    14.3.1 History Control On this page, you can configure the History Group for RMON. Choose the menu SNMP→RMON→History Control to load the following page. Figure 14-10 History Control The following entries are displayed on this screen: History Control Table Select: Select the desired entry for configuration.
  • Page 265: Event Config

    14.3.2 Event Config On this page, you can configure the RMON events. Choose the menu SNMP→RMON→Event Config to load the following page. Figure 14-11 Event Config The following entries are displayed on this screen: Event Table Select: Select the desired entry for configuration. Index: Displays the index number of the entry.
  • Page 266: Alarm Config

    14.3.3 Alarm Config On this page, you can configure Statistic Group and Alarm Group for RMON. Choose the menu SNMP→RMON→Alarm Config to load the following page. Figure 14-12 Alarm Config The following entries are displayed on this screen: Alarm Table ...
  • Page 267 Alarm Type: Specify the type of the alarm. • All: The alarm event will be triggered when the sampled value either exceeds the Rising Threshold or is under the Falling Threshold. • Rising: When the sampled value exceeds the Rising Threshold, an alarm event is triggered. •...
  • Page 268: Chapter 15 Lldp

    Chapter 15 LLDP LLDP (Link Layer Discovery Protocol) is a Layer 2 protocol that is used by network devices to advertise their own device information periodically to neighbors on the same IEEE 802 local area network. The advertised information, including details such as device identification, capabilities and configuration settings, is represented in TLV (Type/Length/Value) format according to the IEEE 802.1AB standard, and these TLVs are encapsulated in LLDPDU (Link Layer Discovery Protocol Data Unit).
  • Page 269 Disable: the port cannot transmit or receive LLDPDUs. LLDPDU transmission mechanism: If the ports are working in TxRx or Tx mode, they will advertise local information by sending LLDPDUs periodically. If there is a change in the local device, the change notification will be advertised. To ...
  • Page 270 Maximum Frame TLV are defined by IEEE 802.3. Note: For detailed introduction of TLV, please refer to IEEE 802.1AB standard. In TP-LINK switch, the following LLDP optional TLVs are supported. Port Description TLV: The Port Description TLV allows network management to advertise the IEEE 802 LAN station's port description.
  • Page 271: Basic Config

    System Name TLV: The System Name TLV allows network management to advertise the system's assigned name, which should be the system's fully qualified domain name. Management Address: The Management Address TLV identifies an address associated with the local LLDP agent that may be used to reach higher entities to assist discovery by network management.
  • Page 272: Global Config

    15.1.1 Global Config On this page you can configure the LLDP parameters of the device globally. Choose the menu LLDP→Basic Config→Global Config to load the following page. Figure 15-1 Global Configuration The following entries are displayed on this screen: Global Config ...
  • Page 273: Port Config

    15.1.2 Port Config On this page you can configure all ports' LLDP parameters. Choose the menu LLDP→Basic Config→Port Config to load the following page. Figure 15-2 Port Configuration The following entries are displayed on this screen: LLDP Port Config Port Select: Select the desired port to configure.
  • Page 274: Neighbor Info

    Choose the menu LLDP→Device Info→Local Info to load the following page. Figure 15-3 Local Information The following entries are displayed on this screen: Auto Refresh Auto Refresh: Enable/Disable the auto refresh function. Refresh Rate: Specify the auto refresh rate. Local Info ...
  • Page 275 The following entries are displayed on this screen: Auto Refresh Auto Refresh: Enable/Disable the auto refresh function. Refresh Rate: Specify the auto refresh rate. Neighbor Info Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered. Local Port: Displays the local port number connecting to the neighbor device.
  • Page 276: Device Statistics

    15.3 Device Statistics You can view the LLDP statistics of local device through this feature. Choose the menu LLDP→Device Statistics→Statistic Info to load the following page. Figure 15-5 Device Statistics The following entries are displayed on this screen: Auto Refresh ...
  • Page 277: Lldp-Med

    Neighbor Statistics Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered. Port: Displays local device's port number. Transmit Total: Displays the number of LLDPDUs sent by this port. Receive Total: Displays the number of LLDPDUs received by this port.
  • Page 278: Global Config

    Location Identification TLV The Location Identification TLV provides for advertisement of location identifier information to Communication Endpoint Devices, based on configuration of the Network Connectivity Device it's connected to. You can set the Location Identification content in Location Identification Parameters. If Location Identification TLV is included and Location Identification Parameters isn't set, a default value is used in Location Identification TLV.
  • Page 279 Choose the menu LLDP→LLDP-MED→Port Config to load the following page. Figure 15-7 LLDP-MED Port Configuration The following entries are displayed on this screen: LLDP-MED Port Config Select: Select the desired port to configure. LLDP-MED Status: Configure the port's LLDP-MED status: • Enable: Enable the port's LLDP-MED status, and the port's ...
  • Page 280 Figure 15-8 Configure TLVs of LLDP-MED Port Included TLVs: Select TLVs to be included in outgoing LLDPDU. Location Identification Parameters: Configure the Location Identification TLV's content in outgoing LLDPDU of the port. Emergency Number: Emergency number is Emergency Call Service ELIN identifier, which is used during emergency call setup to a traditional CAMA or ISDN trunk-based PSAP.
  • Page 281: Local Info

    close physical proximity to the server or network element. • Country Code: The two-letter ISO 3166 country code in capital ASCII letters, e.g., CN or US. • Language, Province/State, etc.: a part of civic address. 15.4.3 Local Info On this page you can see all ports' LLDP-MED configuration. Choose the menu LLDP→LLDP-MED→Local Info to load the following page.
  • Page 282: Neighbor Info

    VLAN tagged: Indicates the VLAN type the specified application type is using, 'tagged' or 'untagged'. Media Policy VLAN Displays the application (e.g. Voice VLAN) VLAN identifier (VID) for the port. Media Policy Layer 2 Priority: Displays the Layer 2 priority to be used for the specified application type.
  • Page 283 Information: Click the Information button to display the detailed information of the corresponding neighbor.
  • Page 284: Chapter 16 Cluster

    Chapter 16 Cluster With the development of network technology, the network scale is getting larger and more network devices are required, which may result in a more complicated network management system. As a large number of devices need to be assigned different network addresses and every management device needs to be configured individually to meet the application requirements, manpower is needed.
  • Page 285: Ndp

    The commander switch discovers and determines candidate switches by collecting related information. After being added to the cluster, the candidate switch becomes a member switch. After being removed from the cluster, the member switch becomes a candidate switch. ...
  • Page 286: Ndp Summary

    The following entries are displayed on this screen: Neighbor Search Option: Select the information the desired entry should contain and then click the Search button to display the desired entry in the following Neighbor Information table. Neighbor Info Native Port: Displays the port number of the switch.
  • Page 287 The following entries are displayed on this screen: Global Config NDP: Displays the global NDP status (enabled or disabled) for the switch. Aging Time: Displays the period for the neighbor switch to keep the NDP packets from this switch. Hello Time: Displays the interval to send NDP packets.
  • Page 288: Ndp Config

    16.1.3 NDP Config On this page you can configure the NDP function for the switch. Choose the menu Cluster→NDP→NDP Config to load the following page. Figure 16-4 NDP Config The following entries are displayed on this screen: Global Config NDP: Enable/Disable NDP function globally.
  • Page 289: Ntdp

    Note: NDP function is effective only when NDP function is enabled globally and for the port. The aging time should be set over the hello time value, otherwise this setting will be invalid and will not take effect. 16.2 NTDP NTDP (Neighbor Topology Discovery Protocol) is used by the commander switch to collect NDP information.
  • Page 290 Role: Displays the role this device plays in the cluster. • Commander: Indicates the device that can configure and manage all the devices in a cluster. • Member: Indicates the device that is managed in a cluster. • Candidate: Indicates the device that does not belong to any ...
  • Page 291: Ntdp Summary

    16.2.2 NTDP Summary On this page you can view the NTDP configuration. Choose the menu Cluster→NTDP→NTDP Summary to load the following page. Figure 16-7 NTDP Summary The following entries are displayed on this screen: Global Config NTDP: Displays the NTDP status (enabled or disabled) of the switch globally.
  • Page 292: Ntdp Config

    16.2.3 NTDP Config On this page you can configure NTDP globally. Choose the menu Cluster→NTDP→NTDP Config to load the following page. Figure 16-8 NTDP Config The following entries are displayed on this screen: Global Config NTDP: Enable/Disable NTDP for the switch globally. NTDP Interval Time: Enter the interval to collect topology information.
  • Page 293: Cluster

    Port Config Select: Select the desired port for NTDP status configuration. Port: Displays the port number of the switch. NTDP: Displays NTDP status (enabled or disabled) of the current port. Enable: Click the Enable button to enable NTDP feature for the port you select.
  • Page 294 For a commander switch, the following page is displayed: Figure 16-10 Cluster Summary for Commander Switch The following entries are displayed on this screen: Global Config Cluster: Displays the cluster status (enabled or disabled) of the switch. Cluster Role: Displays the role the switch plays in the cluster.
  • Page 295 Hops: Displays the hop count from the member switch to the commander switch. For a member switch, the following page is displayed: Figure 16-11 Cluster Summary for Member Switch The following entries are displayed on this screen: Global Config ...
  • Page 296: Cluster Config

    16.3.2 Cluster Config On this page you can configure the status of the cluster the switch belongs to. Choose the menu Cluster→Cluster→Cluster Config to load the following page. For a candidate switch, the following page is displayed. Figure 16-13 Cluster Configuration for Candidate Switch The following entries are displayed on this screen: Current Role ...
  • Page 297 For a commander switch, the following page is displayed. Figure 16-14 Cluster Configuration for Commander Switch The following entries are displayed on this screen: Current Role Role: Displays the role the current switch plays in the cluster. Role Change ...
  • Page 298: Member Config

    Role Change Individual: Select this option to change the role of the switch to be individual switch. For an individual switch, the following page is displayed. Figure 16-16 Cluster Configuration for Individual Switch The following entries are displayed on this screen: Current Role ...
  • Page 299: Cluster Topology

    Member Info Select: Select the desired entry to manage/delete the corresponding member switch. Device Name: Displays the description of the member switch. Member MAC: Displays the MAC address of the member switch. IP Address: Displays the IP address of the member switch used in the cluster. Status: Displays the connection status of the member switch.
  • Page 300 The following entries are displayed on this screen: Graphic Show Collect Topology: Click the Collect Topology button to display the cluster topology. Manage: If the current device is the commander switch in the cluster and the selected device is a member switch in the cluster, you can click the Manage button to log on to Web management page of the corresponding switch.
  • Page 301 Step Operation Description Manually collect NTDP information: Optional. On Cluster→NTDP→Device Table page, click the Collect Topology button to manually collect NTDP information. On Cluster→Cluster→Cluster Topology page, click the Collect Topology button to manually collect NTDP information. View the detailed information of Optional.
  • Page 302: Chapter 17 Maintenance

    Chapter 17 Maintenance The Maintenance module gathers the commonly used system tools for managing the switch and provides a convenient way to locate and solve network problems. System Monitor: Monitor the utilization status of the memory and the CPU of switch. Log: View the configuration parameters of the switch and find out the errors via the Logs.
  • Page 303: Memory Monitor

    17.1.2 Memory Monitor Choose the menu Maintenance→System Monitor→Memory Monitor to load the following page. Figure 17-2 Memory Monitor Click the Monitor button to enable the switch to monitor and display its Memory utilization rate every four seconds. 17.2 Log The Log system of switch can record, classify and manage the system information effectively, providing powerful support for network administrator to monitor network operation and diagnose malfunction.
  • Page 304: Log Table

    The Log function is implemented on the Log Table, Local Log, Remote Log and Backup Log pages. 17.2.1 Log Table The switch can output logs to two destinations: the log buffer and the log file. The information in the log buffer is lost after the switch is rebooted or powered off, whereas the information in the log file is kept even if the switch is rebooted or powered off.
  • Page 305: Local Log

    17.2.2 Local Log Local Log is the log information saved in switch. By default, all system logs are saved in the log buffer, and logs with severities from level_0 to level_2 are also saved in the log file. On this page, you can set the output channel for logs.
  • Page 306: Backup Log

    Choose the menu Maintenance→Log→Remote Log to load the following page. Figure 17-5 Log Host The following entries are displayed on this screen: Log Host Index: Displays the index of the log host. The switch supports 4 log hosts. Host IP: Configure the IP for the log host.
  • Page 307: Device Diagnostics

    The following entry is displayed on this screen: Backup Log Backup Log: Click the Backup Log button to save the log as a file to your computer. Note: It will take a few minutes to back up the log file. Please wait without any operation. 17.3 Device Diagnostics This switch provides Cable Test functions for device diagnostics.
  • Page 308: Network Diagnostics

    If the port is 100Mbps and its connection status is normal, cable test can’t get the length of the cable. 17.4 Network Diagnostics This switch provides Ping test and Tracert test functions for network diagnostics. 17.4.1 Ping The Ping test function tests the connectivity between the switch and one node of the network, helping you check the reachability of the host so as to locate network malfunctions.
  • Page 309: Tracert

    17.4.2 Tracert The Tracert test function is used to test the connectivity of the gateways that the test data passes through on its journey from source to destination. When malfunctions occur on the network, you can locate the trouble spot with this tracert test. Choose the menu Maintenance→Network Diagnostics→Tracert to load the following page.
  • Page 310: Chapter 18 System Maintenance Via Ftp

    • Data bits: 8 • Parity: none • Stop bits: 1 • Flow control: none 3) The DOS prompt “T2500-28TC>” will appear after pressing the Enter button as shown in Figure 18-2. It indicates that you can use the CLI now.
  • Page 311 255.255.255.0 gateway xxx.xxx.xxx.xxx. For example: Configure the IP address as 10.10.70.22, mask as 255.255.255.0 and gateway as 10.10.70.1. The detailed command is shown as the figure below. Enter the command and press Enter. [TP-LINK]: ifconfig ip 10.10.70.22 mask 255.255.255.0 gateway 10.10.70.1...
  • Page 312 The detailed command is shown as the following figure. Enter the command and press Enter. [TP-LINK]: ftp host 10.10.70.146 user 123 pwd 123 file t2500_28tc _up.bin 5) Enter the upgrade command and press Enter to upgrade the firmware. After a while, the prompt “You can only use the port 1 to upgrade”...
  • Page 313: Appendix A: Glossary

    Appendix A: Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
  • Page 314 Generic Multicast Registration Protocol (GMRP) GMRP allows network devices to register end stations with multicast groups. GMRP requires that any participating network devices or end stations comply with the IEEE 802.1p standard. Group Attribute Registration Protocol (GARP) See Generic Attribute Registration Protocol. IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
  • Page 315 Layer 2 Data Link layer in the ISO 7-Layer Data Communications Protocol. This is related directly to the hardware interface for network devices and passes on traffic based on MAC addresses. Link Aggregation See Port Trunk. Link Aggregation Control Protocol (LACP) Allows ports to automatically negotiate a trunked link with LACP-configured ports on another device.
  • Page 316 Secure Shell (SSH) A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch. Simple Network Management Protocol (SNMP) The application protocol in the Internet suite of protocols which offers network management services.

This manual is also suitable for:

TL-SL5428E
