TP-Link T1600G-18TS Configuration Manual

Configuration Guide

T1600G Series Switches
T1600G-18TS
T1600G-28TS (TL-SG2424) / T1600G-52TS (TL-SG2452)
T1600G-28PS (TL-SG2424P) / T1600G-52PS (TL-SG2452P)
1910012255 REV2.1.1
Sept 2017

Summary of Contents for TP-Link T1600G-18TS

  • Page 1: Configuration Guide

    Configuration Guide T1600G Series Switches T1600G-18TS T1600G-28TS (TL-SG2424) / T1600G-52TS (TL-SG2452) T1600G-28PS (TL-SG2424P) / T1600G-52PS (TL-SG2452P) 1910012255 REV2.1.1 Sept 2017...
  • Page 2: Table Of Contents

    CONTENTS: About This Guide; Intended Readers (1); Conventions (1); More Information (2); Accessing the Switch; Overview (4); Web Interface Access (5); Login (5); Save Config Function (6); Disable the Web Server (7); Configure the Switch's IP Address and Default Gateway (8); Command Line Interface Access ...
  • Page 3

    Setting the System Time (31); Setting the Daylight Saving Time (34); User Management Configurations (37); Using the GUI (37); Creating Admin Accounts (37); Creating Accounts of Other Types (38); Using the CLI (40); Creating Admin Accounts (40); Creating Accounts of Other Types (41); System Tools Configurations ...
  • Page 4

    Enabling the Telnet Function (69); SDM Template Configuration (70); Using the GUI (70); Using the CLI (71); Appendix: Default Parameters (73); Managing Physical Interfaces; Physical Interface (77); Overview (77); Supported Features (77); Basic Parameters Configurations (78); Using the GUI (78); Using the CLI (79); Port Mirror Configuration ...
  • Page 5

    Network Requirements (102); Configuration Scheme (102); Using the GUI (102); Using the CLI (103); Appendix: Default Parameters (105); Configuring LAG; LAG (108); Overview (108); Supported Features (108); LAG Configuration (109); Using the GUI (110); Configuring Load-balancing Algorithm (110); Configuring Static LAG or LACP (111); Using the CLI (113); Configuring Load-balancing Algorithm (113); Configuring Static LAG or LACP (114) ...
  • Page 6

    Using the GUI (133); Adding Static MAC Address Entries (133); Modifying the Aging Time of Dynamic Address Entries (135); Adding MAC Filtering Address Entries (136); Viewing Address Table Entries (136); Using the CLI (137); Adding Static MAC Address Entries (137); Modifying the Aging Time of Dynamic Address Entries (138); Adding MAC Filtering Address Entries (139); Security Configurations (141); Using the GUI (141) ...
  • Page 7

    Using the GUI (160); Using the CLI (162); Appendix: Default Parameters (164); Configuring MAC VLAN; Overview (166); MAC VLAN Configuration (167); Using the GUI (167); Configuring 802.1Q VLAN (167); Binding the MAC Address to the VLAN (168); Enabling MAC VLAN for the Port (168); Using the CLI (169); Configuring 802.1Q VLAN (169); Binding the MAC Address to the VLAN (169) ...
  • Page 8

    Using the CLI (194); Appendix: Default Parameters (198); Configuring Spanning Tree; Spanning Tree (200); Overview (200); Basic Concepts (200); STP/RSTP Concepts (200); MSTP Concepts (204); STP Security (205); STP/RSTP Configurations (208); Using the GUI (208); Configuring STP/RSTP Parameters on Ports (208); Configuring STP/RSTP Globally (210); Verifying the STP/RSTP Configurations (212); Using the CLI (213) ...
  • Page 9

    Configuration Example for MSTP (244); Network Requirements (244); Configuration Scheme (244); Using the GUI (245); Using the CLI (256); Appendix: Default Parameters (263); Configuring Layer 2 Multicast; Layer 2 Multicast (266); Overview (266); Supported Layer 2 Multicast Protocols (267); IGMP Snooping Configurations (268); Using the GUI (268); Configuring IGMP Snooping Globally (268); Enabling IGMP Snooping Globally (268) ...
  • Page 10

    Creating Profile (277); Searching Profile (277); Editing IP Range of the Profile (278); Binding Profile and Member Ports (278); Binding Profile and Member Ports (279); Configuring Max Groups a Port Can Join (279); Viewing IGMP Statistics on Each Port (280); Configuring Auto Refresh (280); Viewing IGMP Statistics (281); Enabling IGMP Accounting and Authentication (281); Configuring IGMP Accounting Globally (282) ...
  • Page 11

    Configuring Query Interval, Max Response Time and General Query Source IP (300); Configuring Multicast Filtering (301); Creating Profile (301); Binding Profile to the Port (302); Enabling IGMP Accounting and Authentication (304); Enabling IGMP Authentication on the Port (304); Enabling IGMP Accounting Globally (305); Configuring MLD Snooping (306); Using the GUI (306); Configuring MLD Snooping Globally (306) ...
  • Page 12

    Configuring Max Groups a Port Can Join (318); Viewing MLD Statistics on Each Port (319); Configuring Auto Refresh (319); Viewing MLD Statistics (319); Configuring Static Member Port (320); Configuring Static Member Port (320); Viewing MLD Static Multicast Groups (320); Using the CLI (321); Enabling MLD Snooping Globally (321); Enabling MLD Snooping on the Port (321); Configuring MLD Snooping Parameters Globally (322) ...
  • Page 13

    Using the CLI (342); Viewing IPv4 Multicast Snooping Configurations (342); Viewing IPv6 Multicast Snooping Configurations (343); Configuration Examples (345); Example for Configuring Basic IGMP Snooping (345); Network Requirements (345); Configuration Scheme (345); Using the GUI (346); Using the CLI (349); Example for Configuring Multicast VLAN (351); Network Requirements (351); Configuration Scheme (351) ...
  • Page 14

    Viewing Detail Information of the Interface (383); Using the CLI (383); Creating a Layer 3 Interface (383); Configuring IPv4 Parameters of the Interface (385); Configuring IPv6 Parameters of the Interface (386); Appendix: Default Parameters (389); Configuring Static Routing; Overview (391); IPv4 Static Routing Configuration (392); Using the GUI (392); Using the CLI (393) ...
  • Page 15

    Using the GUI (412); Enabling DHCP Relay and Configuring Option 82 (412); Specifying DHCP Server for the Interface or VLAN (413); Using the CLI (415); Enabling DHCP Relay (415); (Optional) Configuring Option 82 (415); Specifying DHCP Server for Interface or VLAN (417); Configuration Examples (421); Example for DHCP Interface Relay (421); Network Requirements (421) ...
  • Page 16

    Configuring Rate Limit (448); Configuring Storm Control (449); Using the CLI (451); Configuring Rate Limit on Port (451); Configuring Storm Control (452); Configuration Example (455); Network Requirements (455); Configuration Scheme (455); Using the GUI (456); Using the CLI (457); Appendix: Default Parameters (459); Configuring Voice VLAN; Overview (462); Voice VLAN Configuration (464) ...
  • Page 17

    Configuring the PoE Parameters Manually (493); Configuring the PoE Parameters Using the Profile (495); Time-Range Function Configurations (497); Using the GUI (497); Creating a Time-Range (497); Configuring the Holiday Parameters (499); Viewing the Time-Range Table (499); Using the CLI (500); Configuring a Time-Range (500); Configuring the Holiday Parameters (502); Viewing the Time-Range Table (503) ...
  • Page 18

    Using the CLI (536); Appendix: Default Parameters (538); Configuring Network Security; Network Security (540); Overview (540); Supported Features (540); IP-MAC Binding Configurations (545); Using the GUI (545); Binding Entries Manually (545); Binding Entries Dynamically (546); Viewing the Binding Entries (548); Using the CLI (549); Binding Entries Manually (549); Viewing Binding Entries (551); DHCP Snooping Configuration (552) ...
  • Page 19

    Using the GUI (571); Configuring the RADIUS Server (571); Configuring 802.1X Globally (575); Configuring 802.1X on Ports (577); Using the CLI (578); Configuring the RADIUS Server (578); Configuring 802.1X Globally (580); Configuring 802.1X on Ports (582); AAA Configuration (585); Using the GUI (586); Globally Enabling AAA (586); Adding Servers (586); Configuring Server Groups (588) ...
  • Page 20

    Using the GUI (617); Using the CLI (620); Appendix: Default Parameters (623); Configuring LLDP; LLDP (628); Overview (628); Supported Features (628); LLDP Configurations (629); Using the GUI (629); Global Config (629); Port Config (631); Using the CLI (632); Global Config (632); Port Config (634); LLDP-MED Configurations (637); Using the GUI (637) ...
  • Page 21

    Example for Configuring LLDP-MED (659); Network Requirements (659); Configuration Scheme (659); Network Topology (659); Using the GUI (660); Using the CLI (664); Appendix: Default Parameters (671); Configuring Maintenance; Maintenance (673); Overview (673); Supported Features (673); Monitoring the System (674); Using the GUI (674); Monitoring the CPU (674); Monitoring the Memory (675); Using the CLI (676) ...
  • Page 22

    Configuring the Tracert Test (689); Example for Configuring Remote Log (690); Network Requirements (690); Configuration Scheme (690); Using the GUI (690); Using the CLI (691); Appendix: Default Parameters (692); Configuring SNMP & RMON; SNMP Overview (694); SNMP Configurations (695); Using the GUI (696); Enabling SNMP (696); Creating an SNMP View (696); Creating an SNMP Group (697) ...
  • Page 23

    Configuring History (725); Configuring Event (726); Configuring Alarm (728); Configuration Example (730); Network Requirements (730); Configuration Scheme (730); Network Topology (731); Using the GUI (731); Using the CLI (736); Appendix: Default Parameters (742) ...
  • Page 24: About This Guide

    Conventions
    Some models featured in this guide may be unavailable in your country or region. For local sales information, visit http://www.tp-link.com. When using this guide, please note that features of the switch may vary slightly depending on the model and software version you have. All screenshots, images, parameters and descriptions documented in this guide are used for demonstration only.
  • Page 25: More Information

    • The Installation Guide (IG) can be found where you find this guide or inside the package of the switch.
    • Specifications can be found on the product page at http://www.tp-link.com.
    • A Technical Support Forum is provided for you to discuss our products at http://forum.tp-link.com.
  • Page 26: Accessing The Switch

    Part 1 Accessing the Switch CHAPTERS 1. Overview 2. Web Interface Access 3. Command Line Interface Access...
  • Page 27: Overview

    Overview
    You can access and manage the switch using the GUI (Graphical User Interface, also called the web interface in this text) or the CLI (Command Line Interface). The web interface and the command line interface offer equivalent functions, but web configuration is easier and more visual than CLI configuration.
  • Page 28: Web Interface Access

    Web Interface Access
    You can access the switch's web interface through web-based authentication. The switch uses two built-in web servers, an HTTP server and an HTTPS server, for user authentication. The following example shows how to log in via the HTTP server.
    Login
    To manage your switch through a web browser on the host PC:
    1) Make sure that the route between the host PC and the switch is available.
  • Page 29: Save Config Function

    Figure 2-3 Web interface
    2.2 Save Config Function
    The switch's configuration files fall into two types: the running configuration file and the start-up configuration file. After you perform configurations on the sub-interfaces and click Apply, the modifications will be saved in the running configuration file.
  • Page 30: Disable The Web Server

    Figure 2-4 Save Config
    Disable the Web Server
    You can shut down the HTTP server or HTTPS server to block any access to the web interface.
    Go to System > Access Security > HTTP Config, disable the HTTP server and click Apply.
    Figure 2-5 Shut down HTTP server
  • Page 31: Configure The Switch's Ip Address And Default Gateway

    Go to System > Access Security > HTTPS Config, disable the HTTPS server and click Apply.
    Figure 2-6 Disable the HTTPS Server
    2.4 Configure the Switch's IP Address and Default Gateway
    If you want to access the switch via a specified port (hereafter referred to as the access port), you can configure the port as a routed port and specify its IP address, or configure the IP address of the VLAN to which the access port belongs.
  • Page 32

    Figure 2-8 Specify the IP address
    3) Enter the new IP address in the web browser to access the switch.
    4) Click Save Config to save the settings.
    • Configure the Default Gateway
    The following example shows how to configure the switch's gateway. By default, the switch has no default gateway.
  • Page 33

    Distance: Specify the distance as 1.
    2) Click Save Config to save the settings.
    3) Check the routing table to verify the default gateway you configured. The entry marked with a red box displays the valid default gateway.
    Figure 2-10 View the default gateway
  • Page 34: Command Line Interface Access

    Command Line Interface Access
    Users can access the switch's command line interface through the console (only for switches with a console port), Telnet or SSH, and manage the switch with CLI commands. A console connection requires the host PC to be connected directly to the switch's console port, while Telnet and SSH connections support both local and remote access.
  • Page 35

    Figure 3-1 CLI Main Window
    4) Enter enable to enter the User EXEC Mode to further configure the switch.
    Figure 3-2 User EXEC Mode
    Note: In Windows XP, go to Start > All Programs > Accessories > Communications > Hyper Terminal to open the Hyper Terminal and configure the above settings to log in to the switch.
  • Page 36: Telnet Login

    Telnet Login
    The switch supports Login Local Mode for authentication by default.
    Login Local Mode: Username and password are required, which are both admin by default.
    The following steps show how to manage the switch via the Login Local Mode:
    1) Make sure the switch and the PC are in the same LAN (Local Area Network).
  • Page 37: Ssh Login

    Figure 3-6 Enter Privileged EXEC Mode
    Now you can manage your switch with CLI commands through Telnet connection.
    3.3 SSH Login
    SSH login supports the following two modes: Password Authentication Mode and Key Authentication Mode. You can choose one according to your needs:
    • Password Authentication Mode: Username and password are required, which are both admin by default.
  • Page 38

    Figure 3-8 Configurations in PuTTY
    2) Enter the login username and password to log in to the switch, and you can continue to configure the switch.
    Figure 3-9 Log In to the Switch
    Key Authentication Mode
    1) Open the PuTTY Key Generator.
  • Page 39

    Figure 3-10 Generate a Public/Private Key Pair
    Note:
    • The key length should be between 512 and 3072 bits.
    • You can accelerate the key generation process by moving the mouse quickly and randomly in ...
  • Page 40

    3) On Hyper Terminal, download the public key file from the TFTP server to the switch as shown in the following figure:
    Figure 3-12 Download the Public Key to the Switch
    Note:
    • The key type should accord with the type of the key file. In the above CLI, v1 corresponds to ...
  • Page 41: Disable Telnet Login

    Figure 3-14 Download the Private Key to PuTTY
    6) After negotiation is completed, enter the username to log in. If you can log in without entering the password, the key authentication completed successfully.
    Figure 3-15 Log In to the Switch
    3.4 Disable Telnet login
    You can shut down the Telnet function to block any Telnet access to the CLI interface.
  • Page 42: Disable Ssh Login

    • Using the CLI:
    Switch#configure
    Switch(config)#telnet disable
    Disable SSH login
    You can shut down the SSH server to block any SSH access to the CLI interface.
    • Using the GUI: Go to System > Access Security > SSH Config, disable the SSH server and click Apply.
    Figure 3-17 Shut down SSH server
    • Using the CLI:
    Switch#configure...
  • Page 43: Change The Switch's Ip Address And Default Gateway

    3.7 Change the Switch's IP Address and Default Gateway
    If you want to access the switch via a specified port (hereafter referred to as the access port), you can configure the port as a routed port and specify its IP address, or configure the IP address of the VLAN to which the access port belongs.
  • Page 44: Managing System

    Part 2 Managing System CHAPTERS 1. System 2. System Info Configurations 3. User Management Configurations 4. System Tools Configurations 5. Access Security Configurations 6. SDM Template Configuration 7. Appendix: Default Parameters...
  • Page 45: System

    System
    1.1 Overview
    The System module is mainly used to configure and view the system information of the switch. It provides controls over the type of the access users and the access security.
    1.2 Supported Features
    System Info
    The System Info is mainly used for the basic properties configuration.
  • Page 46

    The SSH Config function is based on the SSH protocol, a security protocol established on the application and transport layers. SSH functions similarly to a Telnet connection, but it can also provide information security and powerful authentication.
    SDM Template
    The switch SDM (Switch Database Management) templates prioritize system resources to optimize support for certain features.
  • Page 47: System Info Configurations

    System Info Configurations
    With system information configurations, you can:
    • View the system summary
    • Specify the device description
    • Set the system time
    • Set the daylight saving time
    2.1 Using the GUI
    2.1.1 Viewing the System Summary
    Choose the menu System >...
  • Page 48

    Indicates the SFP port is at the speed of 1000Mbps.
    Move the cursor to the port to view the detailed information of the port.
    Figure 2-2 Port Information
    Port Information: Indication
    Port: Displays the port number of the switch.
    Type: Displays the type of the port.
  • Page 49: Specifying The Device Description

    2.1.2 Specifying the Device Description
    Choose the menu System > System Info > Device Description to load the following page.
    Figure 2-4 Specifying the Device Description
    1) In the Device Description section, specify the following information.
    Device Name: Enter the name of the switch.
  • Page 50

    Current System Time: Displays the current date and time of the switch.
    Current Time Source: Displays the current time source of the switch.
    In the Time Config section, follow these steps to configure the system time:
    1) Choose one method to set the system time and specify the information.
  • Page 51: Setting The Daylight Saving Time

    2.1.4 Setting the Daylight Saving Time
    Choose the menu System > System Info > Daylight Saving Time to load the following page.
    Figure 2-6 Setting the Daylight Saving Time
    Follow these steps to configure Daylight Saving Time:
    1) In the DST Config section, select Enable to enable the Daylight Saving Time function.
  • Page 52: Using The Cli

    Recurring Mode: If you select Recurring Mode, specify a cycle time range for the Daylight Saving Time of the switch. This configuration will be used every year.
    Offset: Specify the time to set the clock forward by.
    Start Time: Specify the start time of Daylight Saving Time.
  • Page 53: Specifying The Device Description

    Switch#show system-info
    System Description - JetStream 48-Port Gigabit L2 Managed Switch with 4 SFP Slots
    System Name - T1600G-52TS
    System Location - SHENZHEN
    Contact Information - www.tp-link.com
    Hardware Version - T1600G-52TS 2.0
    Software Version - 2.0.0 Build 20160923 Rel.39814(s)
    System Time...
  • Page 54: Setting The System Time

    Step 7: copy running-config startup-config
    Save the settings in the configuration file.
    The following example shows how to set the device name as Switch_A, set the location as BEIJING and set the contact information as http://www.tp-link.com.
    Switch#configure
    Switch(config)#hostname Switch_A
    Switch(config)#location BEIJING
    Switch(config)#contact-info http://www.tp-link.com...
  • Page 55

    Step 2: Use the following command to set the system time manually:
    system-time manual time
    Configure the system time manually.
    time: Specify the date and time manually in the format of MM/DD/YYYY-HH:MM:SS. The valid time value of the year ranges from 2000 to 2037.
  • Page 56

    The details of each time zone are as follows:
    UTC-12:00 —— TimeZone for International Date Line West.
    UTC-11:00 —— TimeZone for Coordinated Universal Time-11.
    UTC-10:00 —— TimeZone for Hawaii.
    UTC-09:00 —— TimeZone for Alaska.
    UTC-08:00 ——...
  • Page 57: Setting The Daylight Saving Time

    Step 3: Use the following command to verify the system time information.
    show system-time
    Verify the system time information.
    Use the following command to verify the NTP mode configuration information.
    show system-time ntp
    Verify the system time information of NTP mode.
    Step 4: Return to privileged EXEC mode.
  • Page 58

    Step 2: Use the following command to select a predefined Daylight Saving Time configuration:
    system-time dst predefined [ USA | Australia | Europe | New-Zealand ]
    Specify the Daylight Saving Time using a predefined schedule.
    USA | Australia | Europe | New-Zealand: Select one mode of Daylight Saving Time.
  • Page 59

    smonth: Enter the start month of Daylight Saving Time. There are 12 values showing as follows: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec.
    sday: Enter the start day of Daylight Saving Time, which ranges from 1 to 31.
    : Enter the start time of Daylight Saving Time, in the format of HH:MM.
  • Page 60: User Management Configurations

    User Management Configurations
    With user management configurations, you can:
    • Create Admin accounts
    • Create accounts of other types
    Using the GUI
    3.1.1 Creating Admin Accounts
    Choose the menu System > User Management > User Config to load the following page.
    Figure 3-1 Create Admin Accounts
    Follow these steps to create an Admin account:
    1) In the User Info section, select Admin from the drop-down list and specify the user...
  • Page 61: Creating Accounts Of Other Types

    Access Level: Select the access level as Admin.
    Admin: Admin can edit, modify and view all the settings of different functions.
    Operator: Operator can edit, modify and view most of the settings of different functions.
    Power User: Power User can edit, modify and view some of the settings of different functions.
  • Page 62

    User Name: Create a user name for users' login. It contains 16 characters at most, composed of digits, English letters and underscores only.
    Access Level: Select the access level as Operator, Power User or User.
    Admin: Admin can edit, modify and view all the settings of different functions.
  • Page 63: Using The Cli

    3.2 Using the CLI
    3.2.1 Creating Admin Accounts
    Follow these steps to create an Admin account:
    Step 1: configure
    Enter global configuration mode.
    Step 2: Use the following command to create an account unencrypted or symmetric encrypted.
    user name name { privilege admin } password { [ 0 ] password | 7 encrypted-password }
    Create an account whose access level is Admin.
  • Page 64: Creating Accounts Of Other Types

    Step 3: show user account-list
    Verify the information of the current users.
    Step 4: Return to privileged EXEC mode.
    Step 5: copy running-config startup-config
    Save the settings in the configuration file.
    3.2.2 Creating Accounts of Other Types
    You can create accounts with the access level of Operator, Power User and User here.
  • Page 65 Managing System User Management Configurations Step 2 Use the following command to create an account unencrypted or symmetric encrypted. user name name { privilege operator | power_user | user } password { [ 0 ] password | 7 encrypted-password } Create an account whose access level is Operator, Power User or User.
  • Page 66 Managing System User Management Configurations Step 4 Use the following command to create an enable password unencrypted or symmetric encrypted. enable admin password { [ 0 ] password | 7 encrypted-password } Create an Enable Password. It can change the users’ access level to Admin. By default, it is empty.
  • Page 67 Managing System User Management Configurations The following example shows how to create a user with the access level of Operator, set the user name as user1 and set the password as 123. Enable the AAA function and set the enable password as abc123. Switch#configure Switch(config)#user name user1 privilege operator password 123 Switch(config)#aaa enable...
  • Page 68: System Tools Configurations

    Managing System System Tools Configurations System Tools Configurations With system tools configurations, you can: • Configure the boot file • Restore the configuration of the switch • Back up the configuration file • Upgrade the firmware • Reboot the switch • Configure the reboot schedule • Reset the switch Using the GUI...
  • Page 69: Restoring The Configuration Of The Switch

    Managing System System Tools Configurations Select Select one or more units to be configured. Unit Displays the number of the unit. Current Startup Displays the current startup image. Image Next Startup Select the next startup image. When the switch is powered on, it will try to start up Image with the next startup image.
  • Page 70: Backing Up The Configuration File

    Managing System System Tools Configurations 4.1.3 Backing up the Configuration File Choose the menu System > System Tools > Config Backup to load the following page. Figure 4-3 Backing up the Configuration File In the Config Backup section, select one unit and click Export to export the configuration file.
  • Page 71: Rebooting The Switch

    Select this option to save the configuration before the reboot. 4.1.6 Configuring the Reboot Schedule Note: T1600G-18TS does not support this feature. Choose the menu System > System Tools > Reboot Schedule to load the following page. Figure 4-6 Configuring the Reboot Schedule...
  • Page 72: Resetting The Switch

    Managing System System Tools Configurations Time Interval Specify a period of time. The switch will reboot after this period. The valid values are from 1 to 43200 minutes. This reboot schedule recurs if users check the Save Before Reboot. Time (HH:MM)/ Specify the date and time for the switch to reboot.
  • Page 73: Restoring The Configuration Of The Switch

    Managing System System Tools Configurations Step 2 boot application filename { image1 | image2 } { startup | backup } Specify the configuration of the boot file. By default, the image1.bin is the startup image and the image2.bin is the backup image. image1 | image2: Select the image file to be configured.
  • Page 74: Backing Up The Configuration File

    Managing System System Tools Configurations Note: • It will take a long time to restore the configuration. Please wait without any operation. • After the configuration is restored successfully, the device will reboot to make the configuration change effective. The following example shows how to restore the configuration file named file1 from the TFTP server with IP address 192.168.0.100.
  • Page 75: Rebooting The Switch

    Managing System System Tools Configurations Step 2 firmware upgrade ip-address ip-addr filename name Upgrade the switch’s backup image via TFTP server. To boot up with the new firmware, you need to choose to reboot the switch with the backup image. ip-addr: Specify the IP address of the TFTP server.
  • Page 76 Managing System System Tools Configurations Step 2 Use the following command to set the interval to reboot: reboot-schedule in interval [ save_before_reboot ] (Optional) Specify the reboot schedule. interval: Specify a period of time. The switch will reboot after this period. The valid values are from 1 to 43200 minutes.
  • Page 77: Resetting The Switch

    Managing System System Tools Configurations 4.2.7 Resetting the Switch Follow these steps to reset the switch: Step 1 enable Enter privileged mode. Step 2 reset Reset the switch. Note: After the system is reset, configurations of the switch will be reset to the default...
  • Page 78: Access Security Configurations

    Managing System Access Security Configurations Access Security Configurations With access security configurations, you can: • Configure the Access Control feature • Configure the HTTP feature • Configure the HTTPS feature • Configure the SSH feature • Enable the telnet function Using the GUI 5.1.1 Configuring the Access Control Feature Choose the menu System >...
  • Page 79 Managing System Access Security Configurations Access Select the interface to control the methods for users’ accessing. The selected Interface access interfaces will only affect the users you set before. SNMP: A function to manage the network devices via NMS. Telnet: A connection type for users to remote login. SSH: A connection type based on SSH protocol.
  • Page 80: Configuring The Http Function

    Specify the maximum number of users whose access level is Admin. Guest Number Specify the maximum number of users whose access level is Operator, Power User or User. Note: For T1600G-18TS, the number of Operator, Power User and User can be set respectively. 4) Click Apply...
  • Page 81: Configuring The Https Function

    Managing System Access Security Configurations 5.1.3 Configuring the HTTPS Function Choose the menu System > Access Security > HTTPS Config to load the following page. Table 5-1 Configuring the HTTPS Function 1) In the Global Config section, select Enable to enable HTTPS function and select the protocol the switch supports.
  • Page 82 Specify the maximum number of users whose access level is Operator, Power User or User. Note: For T1600G-18TS, the number of Operator, Power User and User can be set respectively. 5) In the Certificate Download and Key Download section, download the certificate and key.
  • Page 83: Configuring The Ssh Feature

    Managing System Access Security Configurations Key File Select the desired Key to download to the switch. The key must be BASE64 encoded. The SSL certificate and key downloaded must match each other, otherwise the HTTPS connection will not work. 5.1.4 Configuring the SSH Feature Choose the menu System >...
  • Page 84: Enabling The Telnet Function

    Managing System Access Security Configurations Max Connect Specify the maximum number of the connections to the SSH server. New connection will not be established when the number of the connections reaches the maximum number you set. 2) In the Encryption Algorithm section, select the encryption algorithm you want the switch to support and click Apply.
  • Page 85 Managing System Access Security Configurations Step 2 Use the following command to control the users’ access by limiting the IP address: user access-control ip-based { ip-addr ip-mask } [ snmp ] [ telnet ] [ ssh ] [ http ] [ https ] [ ping ] [ all ] Only the users within the IP-range you set here are allowed to access the switch.
  • Page 86: Configuring The Http Function

    Specify the maximum number of users that are allowed to connect to the HTTP server. The total number of users should be no more than 16. For T1600G-18TS, the number of Operator, Power User and User can be set respectively. admin-num: Enter the maximum number of users whose access level is Admin. The valid values are from 1 to 16.
  • Page 87: Configuring The Https Function

    Managing System Access Security Configurations Switch(config)#ip http server Switch(config)#ip http session timeout 9 Switch(config)#ip http max-user 6 5 Switch(config)#show ip http configuration HTTP Status: Enabled HTTP Session Timeout: HTTP User Limitation: Enabled HTTP Max Admin Users: HTTP Max Guest Users: Switch(config)#end Switch#copy running-config startup-config 5.2.3 Configuring the HTTPS Function...
  • Page 88 Specify the maximum number of users that are allowed to connect to the HTTPS server. The total number of users should be no more than 16. For T1600G-18TS, the number of Operator, Power User and User can be set respectively. admin-num: Enter the maximum number of users whose access level is Admin. The valid values are from 1 to 16.
  • Page 89: Configuring The Ssh Feature

    Managing System Access Security Configurations Switch(config)#ip http secure-ciphersuite 3des-ede-cbc-sha Switch(config)#ip http secure-session timeout 15 Switch(config)#ip http secure-max-users 1 2 Switch(config)#ip http secure-server download certificate ca.crt ip-address 192.168.0.100 Start to download SSL certificate..Download SSL certificate OK. Switch(config)#ip http secure-server download key ca.key ip-address 192.168.0.100 Start to download SSL key..
  • Page 90 Managing System Access Security Configurations Step 4 ip ssh timeout value Specify the idle timeout time. The system will automatically release the connection when the time is up. value: Enter the value of the timeout time, which ranges from 1 to 120 seconds. The default value is 120 seconds.
  • Page 91 Managing System Access Security Configurations Switch(config)#ip ssh version v2 Switch(config)#ip ssh timeout 100 Switch(config)#ip ssh max-client 4 Switch(config)#ip ssh algorithm AES128-CBC Switch(config)#ip ssh algorithm Cast128-CBC Switch(config)#ip ssh algorithm HMAC-MD5 Switch(config)#ip ssh download v2 publickey ip-address 192.168.0.100 Start to download SSH key file..Download SSH key file OK.
  • Page 92: Enabling The Telnet Function

    Managing System Access Security Configurations Switch(config)#end Switch#copy running-config startup-config 5.2.5 Enabling the Telnet Function Follow these steps to enable the Telnet function: Step 1 configure Enter global configuration mode. Step 2 telnet enable Enable the telnet function. By default, it is enabled. Step 3 Return to privileged EXEC mode.
  • Page 93: Sdm Template Configuration

    Managing System SDM Template Configuration SDM Template Configuration SDM Template function is used to configure system resources in the switch to optimize support for specific features. The switch provides three templates, and the hardware resources allocation is different. Users can choose one according to how the switch is used in the network.
  • Page 94: Using The Cli

    Managing System SDM Template Configuration The Template Table displays the resources allocation of each template. SDM Template Displays the name of the templates. IP ACL Rules Displays the number of IP ACL Rules including Lay3 ACL Rules and Lay4 ACL Rules. MAC ACL Rules Displays the number of Lay2 ACL Rules.
  • Page 95 Managing System SDM Template Configuration Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set the SDM template as enterpriseV4. Switch#config Switch(config)#show sdm prefer enterpriseV4 “enterpriseV4” template: number of IP ACL Rules : 120 number of MAC ACL Rules : 84...
  • Page 96: Appendix: Default Parameters

    Default Settings of Device Description Configuration Parameter Default Setting Device Name The model name of the switch. Device Location SHENZHEN System Contact www.tp-link.com Table 7-2 Default Settings of System Time Configuration Parameter Default Setting Time Source Manual System Time 2006-01-01...
  • Page 97 Managing System Appendix: Default Parameters Default settings of Access Security are listed in the following tables. Table 7-6 Default Settings of Access Control Configuration Parameter Default Setting Control Mode Disabled Table 7-7 Default Settings of HTTP Configuration Parameter Default Setting HTTP Enabled Session Timeout...
  • Page 98 Managing System Appendix: Default Parameters Parameter Default Setting HMAC-SHA1 Enabled HMAC-MD5 Enabled Key Type: SSH-2 RSA/DSA Table 7-10 Default Settings of Telnet Configuration Parameter Default Setting Control Mode Enabled Default settings of SDM Template are listed in the following table. Table 7-11 Default Settings of SDM Template Configuration Parameter...
  • Page 99: Managing Physical Interfaces

    Part 3 Managing Physical Interfaces CHAPTERS 1. Physical Interface 2. Basic Parameters Configurations 3. Port Mirror Configuration 4. Port Security Configuration 5. Port Isolation Configurations 6. Loopback Detection Configuration 7. Configuration Examples...
  • Page 100: Physical Interface

    Managing Physical Interfaces Physical Interface Physical Interface Overview Interfaces of a device are used to exchange data and interact with other network devices. Interfaces are classified into physical interfaces and logical interfaces. • Physical interfaces are the ports on the front panel or rear panel of the switch. • Logical interfaces are manually configured and do not physically exist, such as loopback interfaces and routing interfaces.
  • Page 101: Basic Parameters Configurations

    Select and configure your desired ports or LAGs. Then click Apply. Jumbo For T1600G-18TS, you can set the MTU (Maximum Transmission Unit) size for frames globally as needed. The valid values are from 1518 to 9216 bytes, and the default is 1518 bytes.
  • Page 102: Using The Cli

    Enter global configuration mode. Step 2 jumbo-size size (For T1600G-18TS) Change the MTU (Maximum Transmission Unit) size globally to support jumbo frames. size : Specify the size of MTU (Maximum Transmission Unit) ranging from 1518 to 9216 bytes. The default value is 1518.
  • Page 103 By default, this feature is disabled. jumbo (Except T1600G-18TS) Enable Jumbo on the port. For the port with Jumbo enabled, the MTU size is up to 9216 bytes, thus allowing the port to send jumbo frames. By default, it is disabled and the MTU size for frames received and sent on the port is 1518 bytes.
  • Page 104 Managing Physical Interfaces Basic Parameters Configurations Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#no shutdown Switch(config-if)#description router connection Switch(config-if)#speed auto Switch(config-if)#duplex auto Switch(config-if)#flow-control Switch(config-if)#jumbo Switch(config-if)#show interface configuration gigabitEthernet 1/0/1 Port State Speed Duplex FlowCtrl Jumbo Description -------- ----- -------- ------ -------- -------- ----------- Gi1/0/1 Enable Auto...
  • Page 105: Port Mirror Configuration

    Managing Physical Interfaces Port Mirror Configuration Port Mirror Configuration 3.1 Using the GUI Choose the menu Switching > Port > Port Mirror to load the following page. Figure 3-1 Mirror Session List The above page displays a mirror session, and no more session can be created. Click Edit to configure this mirror session on the following page.
  • Page 106 Managing Physical Interfaces Port Mirror Configuration Figure 3-2 Configuring Port Mirror Follow these steps to configure Port Mirror: 1) In the Destination Port section, specify a monitoring port for the mirror session, and click Apply. 2) In the Source Port section, select one or multiple monitored ports for configuration. Then set the parameters and click Apply.
  • Page 107: Using The Cli

    Managing Physical Interfaces Port Mirror Configuration Note: • The member port of an LAG cannot be set as a monitoring port or monitored port. • A port cannot be set as the monitoring port and monitored port at the same time. •...
  • Page 108 Managing Physical Interfaces Port Mirror Configuration Destination Port: Gi1/0/10 Source Ports(Ingress): Gi1/0/1-3 Source Ports(Egress): Gi1/0/1-3 Switch(config-if)#end Switch#copy running-config startup-config...
  • Page 109: Port Security Configuration

    Managing Physical Interfaces Port Security Configuration Port Security Configuration 4.1 Using the GUI Choose the menu Switching > Port > Port Security to load the following page. Figure 4-1 Port Security Follow these steps to configure Port Security: 1) Select one or multiple ports for security configuration. 2) Specify the maximum number of the MAC addresses that can be learned on the port, and then select the learn mode of the MAC addresses.
  • Page 110: Using The Cli

    Managing Physical Interfaces Port Security Configuration Learn Mode Select the learn mode of the MAC addresses on the port. Three modes are provided: Dynamic: The switch will delete the MAC addresses that are not used or updated within the aging time. It is the default setting. Static: The learned MAC addresses are out of the influence of the aging time and can only be deleted manually.
  • Page 111 Managing Physical Interfaces Port Security Configuration Step 3 mac address-table max-mac-count { [max-number num ] [mode { dynamic | static | permanent } ] [ status { forward | drop | disable } ] } Enable the port security feature of the port and configure the related parameters. num : The maximum number of MAC addresses that can be learned on the port.
  • Page 112 Managing Physical Interfaces Port Security Configuration Switch(config-if)#end Switch#copy running-config startup-config...
  • Page 113: Port Isolation Configurations

    Managing Physical Interfaces Port Isolation Configurations Port Isolation Configurations 5.1 Using the GUI Choose the menu Switching > Port > Port Isolation to load the following page. Figure 5-1 Port Isolation List The above page displays the port isolation list. Click Edit to configure Port Isolation on the following page.
  • Page 114: Using The Cli

    Managing Physical Interfaces Port Isolation Configurations Figure 5-2 Port Isolation Follow these steps to configure Port Isolation: 1) In the Port section, select one or multiple ports to be isolated. 2) In the Forward Portlist section, select the forward ports or LAGs which the isolated ports can only communicate with.
  • Page 115 Managing Physical Interfaces Port Isolation Configurations Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to add ports 1/0/1-3 and LAG 4 to the forward list of port 1/0/5: Switch#configure Switch(config)#interface gigabitEthernet 1/0/5 Switch(config-if)#port isolation gi-forward-list 1/0/1-3 po-forward-list 4 Switch(config-if)#show port isolation interface gigabitEthernet 1/0/5 Port...
  • Page 116: Loopback Detection Configuration

    Managing Physical Interfaces Loopback Detection Configuration Loopback Detection Configuration Using the GUI To avoid broadcast storms, we recommend that you enable storm control before loopback detection is enabled. For detailed introductions about storm control, refer to Configuring QoS. Choose the menu Switching > Port > Loopback Detection to load the following page. Figure 6-1 Loopback Detection Follow these steps to configure loopback detection: 1) In the Global Config section, enable loopback detection and configure the global...
  • Page 117: Using The Cli

    Managing Physical Interfaces Loopback Detection Configuration Automatic Set the recovery time globally, after which the blocked port/VLAN in Auto Recovery Time Recovery mode can automatically recover to normal status. The valid values are from 60 to 1000000 seconds and the default value is 90 seconds.
  • Page 118 Managing Physical Interfaces Loopback Detection Configuration Step 3 loopback-detection interval interval-time Set the interval of sending loopback detection packets which is used to detect the loops in the network. interval-time: The interval of sending loopback detection packets. The valid values are from 1 to 1000 seconds.
  • Page 119 Managing Physical Interfaces Loopback Detection Configuration Switch(config)#loopback-detection Switch(config)#show loopback-detection global Loopback detection global status : enable Loopback detection interval : 30 s Loopback detection recovery time : 90 s Switch(config-if)#end Switch#copy running-config startup-config The following example shows how to enable loopback detection of port 1/0/3 and set the process mode as alert and recovery mode as auto: Switch#configure Switch(config)#interface gigabitEthernet 1/0/3...
  • Page 120: Configuration Examples

    Managing Physical Interfaces Configuration Examples Configuration Examples Example for Port Mirror 7.1.1 Network Requirements As shown below, several hosts and a network analyzer are directly connected to the switch. For network security and troubleshooting, the network manager needs to use the network analyzer to monitor the data packets from the end hosts.
  • Page 121 Managing Physical Interfaces Configuration Examples Figure 7-2 Mirror Session List 2) Click Edit on the above page to load the following page. In the Destination Port section, select port 1/0/1 as the monitoring port and click Apply. Figure 7-3 Destination Port Configuration 3) In the Source Port section, select ports 1/0/2-5 as the monitored ports, and enable Ingress and Egress to allow the received and sent packets to be copied to the monitoring port.
  • Page 122: Using The Cli

    Managing Physical Interfaces Configuration Examples 7.1.4 Using the CLI Switch#configure Switch(config)#monitor session 1 destination interface gigabitEthernet 1/0/1 Switch(config)#monitor session 1 source interface gigabitEthernet 1/0/2-5 both Switch(config)#end Switch#copy running-config startup-config Verify the Configuration Switch#show monitor session 1 Monitor Session: Destination Port: Gi1/0/1 Source Ports(Ingress): Gi1/0/2-5 Source Ports(Egress): Gi1/0/2-5...
  • Page 123: Configuration Scheme

    Managing Physical Interfaces Configuration Examples 7.2.2 Configuration Scheme You can configure port isolation to implement the requirement. Set 1/0/4 as the only forwarding port for port 1/0/1, thus forbidding Host A to forward packets to the other hosts. Demonstrated with T1600G-52TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.
  • Page 124: Using The Cli

    Managing Physical Interfaces Configuration Examples Figure 7-7 Port Isolation Configuration 3) Click Save Config to save the settings. 7.2.4 Using the CLI Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#port isolation gi-forward-list 1/0/4 Switch(config-if)#end Switch#copy running-config startup-config Verify the Configuration Switch#show port isolation interface Port Forward-List ----...
  • Page 125: Example For Loopback Detection

    Managing Physical Interfaces Configuration Examples 7.3 Example for Loopback Detection 7.3.1 Network Requirements As shown below, Switch A is a convergence-layer switch connecting several access-layer switches. Loops can be easily caused in case of misoperation on the access-layer switches. If there is a loop on an access-layer switch, broadcast storms will occur on Switch A or even in the entire network, creating excessive traffic and degrading the network performance.
  • Page 126: Using The Cli

    Managing Physical Interfaces Configuration Examples Figure 7-9 Global Configuration 3) In the Port Config section, enable ports 1/0/1-3, select the operation mode as Port based so that the port will be blocked when a loop is detected, and keep the recovery mode as Auto so that the port will recover to normal status after the automatic recovery time.
  • Page 127 Managing Physical Interfaces Configuration Examples Switch(config-if)#loopback-detection Switch(config-if)#loopback-detection config process-mode port-based recovery-mode auto Switch(config-if)#end Switch#copy running-config startup-config Verify the Configuration Verify the global configuration: Switch#show loopback-detection global Loopback detection global status : enable Loopback detection interval: 30 s Loopback detection recovery time : 90 s Verify the loopback detection configuration on ports: Switch#show loopback-detection interface Port...
  • Page 128: Appendix: Default Parameters

    Managing Physical Interfaces Appendix: Default Parameters Appendix: Default Parameters Default settings of Switching are listed in the following tables. Table 8-1 Configurations for Ports Parameter Default Setting Port Config Type Copper Status Enable Speed Auto Duplex Auto Flow Control Disable Jumbo Disable Port Mirror...
  • Page 129 Managing Physical Interfaces Appendix: Default Parameters Parameter Default Setting Port Status Disable Operation mode Alert Recovery mode Auto...
  • Page 130: Configuring Lag

    Part 4 Configuring LAG CHAPTERS 1. LAG 2. LAG Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 131: Lag

    Configuring LAG 1.1 Overview With LAG (Link Aggregation Group) function, you can aggregate multiple physical ports into a logical interface to increase link bandwidth and configure the backup ports to enhance the connection reliability. 1.2 Supported Features You can configure LAG in two ways: static LAG and LACP (Link Aggregation Control Protocol).
  • Page 132: Lag Configuration

    Configuring LAG LAG Configuration LAG Configuration To complete LAG configuration, follow these steps: 1) Configure the global load-balancing algorithm. 2) Configure Static LAG or LACP. Configuration Guidelines • Ensure that both ends of the aggregation link work in the same LAG mode. For example, if the local end works in LACP mode, the peer end should be set as LACP mode.
  • Page 133: Using The Gui

    Configuring LAG LAG Configuration 2.1 Using the GUI 2.1.1 Configuring Load-balancing Algorithm Choose the menu Switching > LAG > LAG Table to load the following page. Figure 2-1 Global Config In the Global Config section, select the load-balancing algorithm. Click Apply. Hash Algorithm Select the Hash Algorithm, based on which the switch can choose the port to send the received packets.
  • Page 134: Configuring Static Lag Or Lacp

    Configuring LAG LAG Configuration Figure 2-2 Hash Algorithm Configuration Switch A Switch B Hosts Server 2.1.2 Configuring Static LAG or LACP For one port, you can choose only one LAG mode: Static LAG or LACP. And make sure both ends of a link use the same LAG mode. • Configuring Static LAG Choose the menu Switching >...
  • Page 135 Configuring LAG LAG Configuration • Configuring LACP Choose the menu Switching > LAG > LACP to load the following page. Figure 2-4 LACP Config Follow these steps to configure LACP: 1) Specify the system priority for the switch and click Apply. System Priority Specify the system priority for the switch.
  • Page 136: Using The Cli

    Configuring LAG LAG Configuration Port Priority Specify the Port Priority. A smaller value means a higher port priority. (0-65535) The port with higher priority in an LAG will be selected as the active port to forward data. If two ports have the same priority value, the port with a smaller port number has the higher priority.
  • Page 137: Configuring Static Lag Or Lacp

    Configuring LAG LAG Configuration Step 3 show etherchannel load-balance Verify the configuration of load-balancing algorithm. Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set the global load-balancing mode as src-dst-mac: Switch#configure Switch(config)#port-channel load-balance src-dst-mac Switch(config)#show etherchannel load-balance...
  • Page 138 Configuring LAG LAG Configuration Step 4 show etherchannel num summary Verify the configuration of the static LAG. num: The group number of the LAG. Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to add ports 1/0/5-8 to LAG 2 and set the mode as static LAG: Switch#configure...
  • Page 139 Configuring LAG LAG Configuration Step 2 lacp system-priority pri Specify the system priority for the switch. To keep active ports consistent at both ends, you can set the priority of one device to be higher than that of the other device. The device with higher priority will determine its active ports, and the other device can select its active ports according to the selection result of the device with higher priority.
  • Page 140 Configuring LAG LAG Configuration The following example shows how to specify the system priority of the switch as 2: Switch#configure Switch(config)#lacp system-priority 2 Switch(config)#show lacp sys-id 2, 000a.eb13.2397 Switch(config)#end Switch#copy running-config startup-config The following example shows how to add ports 1/0/1-4 to LAG 6, set the mode as LACP, and select the LACPDU sending mode as active: Switch#configure Switch(config)#interface range gigabitEthernet 1/0/1-4...
  • Page 141: Configuration Example

    Configuring LAG Configuration Example Configuration Example 3.1 Network Requirements As shown below, users and servers are connected to Switch A and Switch B, and heavy traffic is transmitted between the two switches. To achieve high speed and reliability of data transmission, users need to improve the bandwidth and redundancy of the link between the two switches.
  • Page 142: Using The Gui

    Configuring LAG Configuration Example Using the GUI The configurations of Switch A and Switch B are similar. The following introductions take Switch A as an example. 1) Choose the menu Switching > LAG > LAG Table to load the following page. Select the hash algorithm as ‘SRC MAC+DST MAC’.
  • Page 143: Using The Cli

    Configuring LAG Configuration Example Figure 3-4 LACP Configuration 4) Click Save Config to save the settings. 3.4 Using the CLI The configurations of Switch A and Switch B are similar. The following introductions take Switch A as an example. 1) Configure the load-balancing algorithm as “src-dst-mac”. Switch#configure Switch(config)#port-channel load-balance src-dst-mac 2) Specify the system priority of Switch A as 0.
  • Page 144 Configuring LAG Configuration Example 4) Add port 1/0/9 to LAG 1 and set the mode as LACP. Then specify the port priority as 1 to set it as a backup port. When any of the active ports is down, this port will be preferentially selected to work as an active port.
  • Page 145 Configuring LAG Configuration Example Gi1/0/5 SA Down 0x45 Gi1/0/6 SA Down 0x45 Gi1/0/7 SA Down 0x45 Gi1/0/8 SA Down 0x45 Gi1/0/9 SA Down 0x45 Gi1/0/10 SA Down 0x45...
  • Page 146: Appendix: Default Parameters

    Configuring LAG Appendix: Default Parameters Appendix: Default Parameters Default settings of Switching are listed in the following tables. Table 4-1 Default Settings of LAG Parameter Default Setting LAG Table Hash Algorithm SRC MAC+DST MAC LACP Config System Priority 32768 Admin Key Port Priority 32768 Mode...
  • Page 147: Monitoring Traffic

    Part 5 Monitoring Traffic CHAPTERS 1. Traffic Monitor 2. Appendix: Default Parameters...
  • Page 148: Traffic Monitor

    Monitoring Traffic Traffic Monitor Traffic Monitor With Traffic Monitor function, you can monitor the traffic on the switch, including: • Traffic Summary • Traffic Statistics in Detail Using the GUI 1.1.1 Viewing the Traffic Summary Choose the menu Switching > Traffic Monitor > Traffic Summary to load the following page.
  • Page 149: Viewing The Traffic Statistics In Detail

    Monitoring Traffic Traffic Monitor Packets Rx: Displays the number of packets received on the port. Error packets are not counted in. Packets Tx: Displays the number of packets transmitted on the port. Error packets are not counted in. Octets Rx: Displays the number of octets received on the port.
  • Page 150 Monitoring Traffic Traffic Monitor Refresh Rate: Specify the refresh interval in seconds. 2) In Port Select, select a port or LAG, and click Select. 3) In the Statistics section, view the detailed information of the selected port or LAG. Received: Displays the detailed information of received packets.
  • Page 151: Using The Cli

    Monitoring Traffic Traffic Monitor 1.2 Using the CLI In privileged EXEC mode or any other configuration mode, you can use the following command to view the traffic information of each port or LAG:
    show interface counters [ fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id ]
    port: The port number.
  • Page 152: Appendix: Default Parameters

    Monitoring Traffic Appendix: Default Parameters Appendix: Default Parameters
    Table 2-1 Traffic Statistics Monitoring
    Parameter                           Default Setting
    Traffic Summary: Auto Refresh       Disable
    Traffic Summary: Refresh Rate       10 seconds
    Traffic Statistics: Auto Refresh    Disable
    Traffic Statistics: Refresh Rate    10 seconds
  • Page 153: Managing Mac Address Table

    Part 6 Managing MAC Address Table CHAPTERS 1. MAC Address Table 2. Address Configurations 3. Security Configurations 4. Example for Security Configurations 5. Appendix: Default Parameters...
  • Page 154: Mac Address Table

    Managing MAC Address Table MAC Address Table MAC Address Table Overview The MAC address table contains address information that the switch uses to forward traffic between ports. As shown below, the table lists map entries of MAC addresses, VLAN IDs and ports. These entries can be manually input or automatically learned by the switch. Based on the MAC-address-to-port mapping in the table, the switch forwards the packet only to the associated port.
  • Page 155 Managing MAC Address Table MAC Address Table Security Configurations
    - Configuring MAC Notification Traps
    You can configure traps and SNMP (Simple Network Management Protocol) to monitor and receive notifications of the usage of the MAC address table and the MAC address change activity.
  • Page 156: Address Configurations

    Managing MAC Address Table Address Configurations Address Configurations With MAC address table, you can:
    - Add static MAC address entries
    - Change the address aging time
    - Add filtering address entries
    - View address table entries
    Using the GUI 2.1.1 Adding Static MAC Address Entries You can add static MAC address entries by manually specifying the desired MAC address or binding dynamic MAC address entries.
  • Page 157 Managing MAC Address Table Address Configurations VLAN ID Specify an existing VLAN in which packets with the specific MAC address are received. Port Specify a port to which packets with the specific MAC address are forwarded. The port must belong to the specified VLAN. After you have added the static MAC address, if the corresponding port number of the MAC address is not correct, or the connected port (or the device) has been changed, the switch cannot forward the packets correctly.
  • Page 158: Modifying The Aging Time Of Dynamic Address Entries

    Managing MAC Address Table Address Configurations 2.1.2 Modifying the Aging Time of Dynamic Address Entries Choose the menu Switching > MAC Address > Dynamic Address to load the following page. Figure 2-3 Modifying the Aging Time of Dynamic Address Entries Follow these steps to modify the aging time of dynamic address entries: 1) In the Aging Config section, enable Auto Aging, and enter your desired length of time.
  • Page 159: Adding Mac Filtering Address Entries

    Managing MAC Address Table Address Configurations 2.1.3 Adding MAC Filtering Address Entries Choose the menu Switching > MAC Address > Filtering Address to load the following page. Figure 2-4 Adding MAC Filtering Address Entries Follow these steps to add MAC filtering address entries: 1) In the Create Filtering Address section, enter the MAC Address and VLAN ID.
  • Page 160: Using The Cli

    Managing MAC Address Table Address Configurations Choose the menu Switching > MAC Address > Address Table to load the following page. Figure 2-5 Viewing Address Table Entries Using the CLI 2.2.1 Adding Static MAC Address Entries Follow these steps to add static MAC address entries: Step 1 configure Enter global configuration mode.
  • Page 161: Modifying The Aging Time Of Dynamic Address Entries

    Managing MAC Address Table Address Configurations Step 3 Return to privileged EXEC mode. Step 4 copy running-config startup-config Save the settings in the configuration file. Note: In the same VLAN, once an address is configured as a static address, it cannot be set as a filter- •...
  • Page 162: Adding Mac Filtering Address Entries

    Managing MAC Address Table Address Configurations Step 2 mac address-table aging-time aging-time Set your desired length of address aging time for dynamic address entries.
    aging-time: Set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated.
  • Page 163 Managing MAC Address Table Address Configurations Step 4 copy running-config startup-config Save the settings in the configuration file.
    Note:
    - In the same VLAN, once an address is configured as a filtering address, it cannot be set as a static address, and vice versa.
    - Multicast or broadcast addresses cannot be set as filtering addresses.
  • Page 164: Security Configurations

    Managing MAC Address Table Security Configurations Security Configurations Note: T1600G-18TS does not support security configurations. With security configurations of the MAC address table, you can:
    - Configure MAC notification traps
    - Limit the number of MAC addresses in VLANs
    Using the GUI 3.1.1 Configuring MAC Notification Traps...
  • Page 165 Managing MAC Address Table Security Configurations Follow these steps to configure MAC notification traps: 1) In the MAC Notification Global Config section, enable this feature, configure the relevant options, and click Apply.
    Global Status: Enable MAC notification feature globally.
    Table Full Notification: Enable Table Full Notification, and when address table is full, a notification will be generated and sent to the management host.
  • Page 166: Limiting The Number Of Mac Addresses In Vlans

    Managing MAC Address Table Security Configurations 3.1.2 Limiting the Number of MAC Addresses in VLANs Choose the menu Switching > MAC Address > MAC VLAN Security to load the following page. Figure 3-2 Limiting the Number of MAC Addresses in VLANs Follow these steps to limit the number of MAC addresses in VLANs: 1) Enter the VLAN ID to limit the number of MAC addresses that can be learned in the specified VLAN.
  • Page 167: Using The Cli

    Managing MAC Address Table Security Configurations 3.2 Using the CLI 3.2.1 Configuring MAC Notification Traps Follow these steps to configure MAC notification traps: Step 1 configure Enter global configuration mode. Step 2 mac address-table notification global-status {enable | disable} Enable MAC Notification globally. enable | disable: Enable or disable MAC Notification globally.
  • Page 168: Limiting The Number Of Mac Addresses In Vlans

    Managing MAC Address Table Security Configurations Now you have configured MAC notification traps. To receive notifications, you need to further enable SNMP and set a management host. For detailed SNMP configurations, please refer to Configuring SNMP & RMON. The following example shows how to enable new-MAC-learned trap on port 1, and set the interval time as 10 seconds.
  • Page 169 Managing MAC Address Table Security Configurations Step 2 mac address-table security vid vid max-learn num {drop | forward | disable} Configure the maximum number of MAC addresses in the specified VLAN and select a mode for the switch to adopt when the maximum number is exceeded. vid : Specify an existing VLAN in which you want to limit the number of MAC addresses.
  • Page 170: Example For Security Configurations

    Managing MAC Address Table Example for Security Configurations Example for Security Configurations Network Requirements Several departments are connected to the company network as shown in Figure 4-1. Now the Marketing Department that is in VLAN 10 has network requirements as follows:
    - Free the network system from illegal accesses and MAC address attacks by limiting the number of access users in this department to 100.
  • Page 171: Using The Gui

    Managing MAC Address Table Example for Security Configurations 4.3 Using the GUI 1) Choose the menu Switching > MAC Address > MAC VLAN Security to load the following page. Set the maximum number of MAC address in VLAN 10 as 100, choose drop mode and click Create.
  • Page 172: Using The Cli

    Managing MAC Address Table Example for Security Configurations
    3) Click Save Config to save the settings.
    4) Enable SNMP and set a management host. For detailed SNMP configurations, please refer to Configuring SNMP & RMON.
    Using the CLI
    1) Set the maximum number of MAC address in VLAN 10 as 100, and choose drop mode.
    Switch#configure
    Switch(config)#mac address-table security vid 10 max-learn 100 drop
    2) Configure the new-MAC-learned trap on port 2 and set notification interval as 10...
  • Page 173: Appendix: Default Parameters

    Managing MAC Address Table Appendix: Default Parameters Appendix: Default Parameters Default settings of the MAC Address Table are listed in the following tables. Table 5-1 Entries in the MAC Address Table Parameter Default Setting Static Address Entries None Dynamic Address Entries Auto-learning Filtering Address Entries None...
  • Page 174: Configuring 802.1Q Vlan

    Part 7 Configuring 802.1Q VLAN CHAPTERS 1. Overview 2. 802.1Q VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 175: Overview

    Configuring 802.1Q VLAN Overview Overview VLAN (Virtual Local Area Network) is a network technique that solves broadcasting issues in local area networks. It is usually applied in the following occasions:
    - To restrict broadcast domain: VLAN technique divides a big local area network into several VLANs, and all VLAN traffic remains within its VLAN.
  • Page 176: Q Vlan Configuration

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration 802.1Q VLAN Configuration To complete 802.1Q VLAN configuration, follow these steps: 1) Configure PVID (Port VLAN ID) of the port; 2) Configure the VLAN, including creating a VLAN and adding the configured port to the VLAN.
  • Page 177: Configuring The Vlan

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration PVID The default VLAN ID of the port with the values between 1 and 4094. It is used mainly in the following two ways: When the port receives a tagged packet, the switch inserts a VLAN tag to •...
  • Page 178: Using The Cli

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration Tagged port The selected ports will forward tagged packets in the target VLAN. 3) Click Apply. Using the CLI 2.2.1 Creating a VLAN Follow these steps to create a VLAN: Step 1 configure Enter global configuration mode. Step 2 vlan vlan-list When you enter a new VLAN ID, the switch creates a new VLAN and enters VLAN...
  • Page 179: Configuring The Pvid Of The Port

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration VLAN Name Status Ports ------- -------- --------- --------- active Switch(config-vlan)#end Switch#copy running-config startup-config 2.2.2 Configuring the PVID of the Port Follow these steps to configure the port: Step 1 configure Enter global configuration mode. Step 2 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list }...
  • Page 180: Adding The Port To The Specified Vlan

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration Vlan Name Egress-rule ---- ----------- --------------- System-VLAN Untagged Switch(config-if)#end Switch#copy running-config startup-config 2.2.3 Adding the Port to the Specified VLAN Follow these steps to add the port to the specified VLAN: Step 1 configure Enter global configuration mode.
  • Page 181 Configuring 802.1Q VLAN 802.1Q VLAN Configuration Link Type: General Member in VLAN: Vlan Name Egress-rule ------- ------------------ --------------- System-VLAN Untagged Tagged Switch(config-if)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 182: Configuration Example

    Configuring 802.1Q VLAN Configuration Example Configuration Example Network Requirements
    - Offices of both Department A and Department B in the company are located in different places, and computers in different offices are connected to different switches.
    - It is required that computers can communicate with each other in the same department but not with computers in the other department.
  • Page 183: Network Topology

    Configuring 802.1Q VLAN Configuration Example 3.3 Network Topology The figure below shows the network topology. Host A1 and Host A2 are used in Department A, while Host B1 and Host B2 are used in Department B. Switch 1 and Switch 2 are located in two different places.
  • Page 184 Configuring 802.1Q VLAN Configuration Example Figure 3-2 Create VLAN 10 for Department A 2) Click Create again to load the following page. Create VLAN 20 with the description of Department-B. Add port 1/0/2 as an untagged port and port 1/0/4 as a tagged port to VLAN 20.
  • Page 185: Using The Cli

    Configuring 802.1Q VLAN Configuration Example 3.5 Using the CLI The configurations of Switch 1 and Switch 2 are similar. The following introductions take Switch 1 as an example. 1) Create VLAN 10 for Department A, and configure the description as Department-A. Similarly, create VLAN 20 for Department B, and configure the description as Department-B.
  • Page 186 Configuring 802.1Q VLAN Configuration Example Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8, Gi1/0/49, Gi1/0/50, Gi1/0/51, Gi1/0/52 Department-A active Gi1/0/2, Gi1/0/4 Department-B active Gi1/0/3, Gi1/0/4 Configuration Guide...
  • Page 187: Appendix: Default Parameters

    Configuring 802.1Q VLAN Appendix: Default Parameters Appendix: Default Parameters Default settings of 802.1Q VLAN are listed in the following table. Table 4-1 Default Settings of 802.1Q VLAN Parameter Default Setting VLAN ID PVID Egress rule Untagged Configuration Guide...
  • Page 188: Configuring Mac Vlan

    Part 8 Configuring MAC VLAN CHAPTERS 1. Overview 2. MAC VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 189: Overview

    Configuring MAC VLAN Overview Overview VLAN is generally divided by ports. This way of division is simple but isn’t suitable for those networks that require frequent topology changes. With the popularity of mobile office, a terminal device may access the switch via different ports. For example, a terminal device that accessed the switch via port 1 last time may change to port 2 this time.
  • Page 190: Mac Vlan Configuration

    Configuring MAC VLAN MAC VLAN Configuration MAC VLAN Configuration To complete MAC VLAN configuration, follow these steps: 1) Configure 802.1Q VLAN. 2) Bind the MAC address to the VLAN. 3) Enable MAC VLAN for the port. Configuration Guidelines When a port in a MAC VLAN receives an untagged data packet, the switch will first check whether the source MAC address of the data packet has been bound to the MAC VLAN.
  • Page 191: Binding The Mac Address To The Vlan

    Configuring MAC VLAN MAC VLAN Configuration 2.1.2 Binding the MAC Address to the VLAN Choose the menu VLAN > MAC VLAN > MAC VLAN to load the following page. Figure 2-1 MAC VLAN Configuration Follow these steps to bind the MAC address to the VLAN: 1) Enter the MAC address of the device, give it a description, and enter the VLAN ID to bind it to the VLAN.
  • Page 192: Using The Cli

    Configuring MAC VLAN MAC VLAN Configuration Choose the menu VLAN > MAC VLAN > Port Enable to load the following page. Figure 2-2 Enable MAC VLAN for the Port Follow these steps to enable MAC VLAN for the port: Select your desired ports to enable MAC VLAN, and click Apply. Note: The member port of an LAG (Link Aggregation Group) follows the configuration of the LAG but not its own.
  • Page 193: Enabling Mac Vlan For The Port

    Configuring MAC VLAN MAC VLAN Configuration Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to bind the MAC address 00:19:56:8A:4C:71 to VLAN 10, with the address description as Dept.A. Switch#configure Switch(config)#mac-vlan mac-address 00:19:56:8a:4c:71 vlan 10 description Dept.A Switch(config)#show mac-vlan vlan 10...
  • Page 194 Configuring MAC VLAN MAC VLAN Configuration The following example shows how to enable MAC VLAN for port 1/0/1.
    Switch#configure
    Switch(config)#interface gigabitEthernet 1/0/1
    Switch(config-if)#mac-vlan
    Switch(config-if)#show mac-vlan interface
    Port      STATUS
    -------   -----------
    Gi1/0/1   Enable
    Gi1/0/2   Disable
    ..
    Switch(config-if)#end
    Switch#copy running-config startup-config
  • Page 195: Configuration Example

    Configuring MAC VLAN Configuration Example Configuration Example 3.1 Network Requirements Two departments share all the meeting rooms in the company, but use different servers and laptops. Department A uses Server A and Laptop A, while Department B uses Server B and Laptop B.
  • Page 196: Using The Gui

    Configuring MAC VLAN Configuration Example Untagged; for the ports connecting to other switch, set the link type as General, and set the egress rule as Tagged. 2) On Switch 1 and Switch 2, bind the MAC addresses of the laptops to their corresponding VLANs, and enable MAC VLAN for the ports.
  • Page 197 Configuring MAC VLAN Configuration Example Figure 3-3 VLAN 20 Configuration 3) Choose the menu VLAN > MAC VLAN > MAC VLAN to load the following page. Enter MAC Address, Description, VLAN ID and click Create to bind the MAC address of Laptop A to VLAN 10 and bind the MAC address of Laptop B to VLAN 20.
  • Page 198 Configuring MAC VLAN Configuration Example Figure 3-5 Enable MAC VLAN for the Port
    5) Click Save Config to save the settings.
    - Configurations for Switch 3
    1) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page.
  • Page 199: Using The Cli

    Configuring MAC VLAN Configuration Example Figure 3-7 VLAN 20 Configuration
    3) Click Save Config to save the settings.
    3.4 Using the CLI
    - Configurations for Switch 1 and Switch 2
    The configurations of Switch 1 and Switch 2 are the same. The following introductions take Switch 1 as an example.
  • Page 200 Configuring MAC VLAN Configuration Example
    3) Set port 1/0/1 as untagged port, and add it to both VLAN 10 and VLAN 20. Then enable MAC VLAN for port 1/0/1.
    Switch_1(config)#interface gigabitEthernet 1/0/1
    Switch_1(config-if)#switchport general allowed vlan 10,20 untagged
    Switch_1(config-if)#mac-vlan
    Switch_1(config-if)#exit
    4) Bind the MAC address of Laptop A to VLAN 10 and bind the MAC address of Laptop B to VLAN 20.
  • Page 201 Configuring MAC VLAN Configuration Example Switch_3(config-if)#switchport general allowed vlan 10 untagged Switch_3(config-if)#exit Switch_3(config)#interface gigabitEthernet 1/0/5 Switch_3(config-if)#switchport general allowed vlan 20 untagged Switch_3(config-if)#end Switch_3#copy running-config startup-config Verify the Configurations  Switch 1 Switch_1#show mac-vlan all MAC Address Description VLAN ---------------------- ----------------- ---------- 00:19:56:8A:4C:71 00:19:56:82:3B:70...
  • Page 202: Appendix: Default Parameters

    Configuring MAC VLAN Appendix: Default Parameters Appendix: Default Parameters Default settings of MAC VLAN are listed in the following table.
    Table 4-1 Default Settings of MAC VLAN
    Parameter      Default Setting
    MAC Address    None
    Description    None
    VLAN ID        None
    Port Enable    Disable
  • Page 203: Configuring Protocol Vlan

    Part 9 Configuring Protocol VLAN CHAPTERS 1. Overview 2. Protocol VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 204: Overview

    Configuring Protocol VLAN Overview Overview Protocol VLAN is a technology that divides VLANs based on the network layer protocol. With the protocol VLAN rule configured on the basis of the existing 802.1Q VLAN, the switch can analyze special fields of received packets, encapsulate the packets in specific formats, and forward the packets of different protocols to the corresponding VLANs.
  • Page 205: Protocol Vlan Configuration

    3) Configure Protocol VLAN.
    Configuration Guidelines
    - You can use the IP, ARP, RARP, and other protocol templates provided by TP-Link switches, or create new protocol templates.
    - In a protocol VLAN, when a port receives an untagged data packet, the switch will first search for the protocol VLAN matching the protocol type value of the packet.
  • Page 206: Creating Protocol Template

    Enter the name of the new protocol template. Frame Type Select the frame type of the new protocol template. For T1600G-18TS, the supported frame type is Ethernet II, and cannot be configured. Ether Type When the frame type is Ethernet II or SNAP, enter the Ethernet protocol type value for the protocol template.
  • Page 207: Configuring Protocol Vlan

    Configuring Protocol VLAN Protocol VLAN Configuration 2.1.3 Configuring Protocol VLAN Choose the menu VLAN > Protocol VLAN > Protocol Group to load the following page. Figure 2-2 Configure the Protocol Group Follow these steps to configure the protocol group: 1) In the Protocol Group Config section, select the protocol name and enter the VLAN ID to bind the protocol type to the VLAN.
  • Page 208: Creating A Protocol Template

    Follow these steps to create a protocol template: Step 1 configure Enter global configuration mode. Step 2 For T1600G-18TS: protocol-vlan template name protocol-name frame ether-type type Create a protocol template.
    protocol-name: Specify the protocol name with 1 to 8 characters.
    type: Specify the Ethernet protocol type with 4 hexadecimal numbers.
  • Page 209: Configuring Protocol Vlan

    Configuring Protocol VLAN Protocol VLAN Configuration EthernetII ether-type 0806 RARP EthernetII ether-type 8035 SNAP ether-type 8137 SNAP ether-type 809B IPv6 EthernetII ether-type 86DD Switch(config)#end Switch#copy running-config startup-config 2.2.3 Configuring Protocol VLAN Follow these steps to configure protocol VLAN: Step 1 configure Enter global configuration mode.
  • Page 210 Configuring Protocol VLAN Protocol VLAN Configuration The following example shows how to bind the IPv6 protocol template to VLAN 10: Switch#configure Switch(config)#show protocol-vlan template Index Protocol Name Protocol Type -------- ------------------ -------------------------------- EthernetII ether-type 0800 EthernetII ether-type 0806 RARP EthernetII ether-type 8035 SNAP ether-type 8137 SNAP...
  • Page 211: Configuration Example

    Configuring Protocol VLAN Configuration Example Configuration Example 3.1 Network Requirements A company uses both IPv4 and IPv6 hosts, and these hosts access the IPv4 network and IPv6 network respectively via different routers. It is required that IPv4 packets are forwarded to the IPv4 network, IPv6 packets are forwarded to the IPv6 network, and other packets are dropped.
  • Page 212: Using The Gui

    Configuring Protocol VLAN Configuration Example 1) Create VLAN 10 and VLAN 20, set the port type, and add each port to the corresponding VLAN. 2) Use the IPv4 protocol template provided by the switch, and create the IPv6 protocol template. 3) Bind the protocol templates to the corresponding VLANs to form protocol groups, and add port 1/0/1 to the groups.
  • Page 213 Configuring Protocol VLAN Configuration Example 2) Click Create to load the following page. Create VLAN 20, and add ports 1/0/2-3 as untagged ports to VLAN 20. Click Apply. Figure 3-3 Create VLAN 20 3) Click Save Config to save the settings. Configuration Guide...
  • Page 214 Configuring Protocol VLAN Configuration Example
    - Configurations for Switch 2
    1) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page. Create VLAN 10, and add port 1/0/1 as tagged port and port 1/0/2 as untagged port to VLAN 10.
  • Page 215 Configuring Protocol VLAN Configuration Example 2) Click Create to load the following page. Create VLAN 20, and add port 1/0/1 as tagged port and port 1/0/3 as untagged port to VLAN 20. Click Apply. Figure 3-5 Create VLAN 20 3) Choose the menu VLAN > Protocol VLAN > Protocol Template to load the following page.
  • Page 216 Configuring Protocol VLAN Configuration Example Figure 3-6 Create the IPv6 Protocol Template 4) Choose the menu VLAN > Protocol VLAN > Protocol Group to load the following page. Select the IP protocol name (that is the IPv4 protocol template), enter VLAN ID 10, select port 1, and click Apply.
  • Page 217: Using The Cli

    Configuring Protocol VLAN Configuration Example Figure 3-8 Configure the IPv6 Protocol Group 5) Choose the menu VLAN > Protocol VLAN > Protocol Group Table to load the following page. Here you can view the protocol VLAN configuration. Figure 3-9 Protocol VLAN configuration 6) Click Save Config to save the settings.
  • Page 218 Configuring Protocol VLAN Configuration Example
    2) Set port 1/0/3 as untagged port, and add it to both VLAN 10 and VLAN 20.
    Switch_1(config)#interface gigabitEthernet 1/0/3
    Switch_1(config-if)#switchport general allowed vlan 10,20 untagged
    Switch_1(config-if)#exit
    3) Set port 1/0/1 and port 1/0/2 as untagged ports, and add them to VLAN 10 and VLAN 20 respectively.
  • Page 219 Configuring Protocol VLAN Configuration Example Switch_2(config-if)#exit Switch_2(config)#interface gigabitEthernet 1/0/3 Switch_2(config-if)#switchport general allowed vlan 20 untagged Switch_2(config-if)#exit 4) Create the IPv6 protocol template. Switch_2(config)#protocol-vlan template name IPv6 frame ether_2 ether-type 86dd Switch_2(config)#show protocol-vlan template Index Protocol Name Protocol Type ---- ----------------- ------------------------------------ EthernetII ether-type 0800 EthernetII ether-type 0806...
  • Page 220 Configuring Protocol VLAN Configuration Example Verify the Configurations  Switch 1 Verify 802.1Q VLAN configuration: Switch_1#show vlan VLAN Name Status Ports -------- ------------- --------- ------------------------------------------------ System-VLAN active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4 ..Gi1/0/25, Gi1/0/26, Gi1/0/27, Gi1/0/28 IPv4 active Gi1/0/1, Gi1/0/3 IPv6 active Gi1/0/2, Gi1/0/3...
  • Page 221: Appendix: Default Parameters

    Configuring Protocol VLAN Appendix: Default Parameters Appendix: Default Parameters Default settings of Protocol VLAN are listed in the following table. Table 4-1 Default Settings of Protocol VLAN Parameter Default Setting Ethernet II ether-type 0800 Ethernet II ether-type 0806 Protocol Template Table RARP Ethernet II ether-type 8035 SNAP ether-type 8137...
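The untagged-packet lookup described in this part, written out as an added Python example (not code from the TP-Link guide): it reads the frame type and ether-type from a raw frame, matches them against the template table shown above, and returns the VLAN of the bound protocol group. The sample frames, the labels for the two SNAP templates and the IPv6-to-VLAN-20 binding are assumptions; what the switch does with a packet that matches no group is not modelled.

```python
import struct

# Protocol templates from the template table on this page, keyed by
# (frame type, ether-type). The names of the two SNAP rows are not legible
# in the page text, so constructed labels are used for them.
TEMPLATES = {
    ("EthernetII", 0x0800): "IP",
    ("EthernetII", 0x0806): "ARP",
    ("EthernetII", 0x8035): "RARP",
    ("SNAP", 0x8137): "SNAP-8137",   # constructed label
    ("SNAP", 0x809B): "SNAP-809B",   # constructed label
    ("EthernetII", 0x86DD): "IPv6",
}

# Protocol groups of the configuration example: template name -> VLAN ID.
# IP -> 10 is stated on the page; IPv6 -> 20 is an assumption.
PROTOCOL_GROUPS = {"IP": 10, "IPv6": 20}

TPID_8021Q = 0x8100
SNAP_LLC = b"\xaa\xaa\x03"  # DSAP, SSAP and control bytes of an LLC/SNAP header


def parse_frame(frame: bytes):
    """Return (frame_type, value) for a raw Ethernet frame.

    frame_type is "Tagged" (value = VLAN ID from the 802.1Q tag),
    "EthernetII" or "SNAP" (value = ether-type), or "Other" (value = None).
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (type_len,) = struct.unpack_from("!H", frame, 12)
    if type_len == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, 14)
        return "Tagged", tci & 0x0FFF
    if type_len >= 0x0600:
        return "EthernetII", type_len
    # Below 0x0600 the field is an 802.3 length; a SNAP header may follow.
    if frame[14:17] == SNAP_LLC and len(frame) >= 22:
        (ether_type,) = struct.unpack_from("!H", frame, 20)
        return "SNAP", ether_type
    return "Other", None


def classify(frame: bytes, groups=PROTOCOL_GROUPS):
    """Return (vlan_id, reason); vlan_id is None when no protocol group matches."""
    frame_type, value = parse_frame(frame)
    if frame_type == "Tagged":
        # The protocol VLAN search applies to untagged packets only.
        return value, "tagged: protocol VLAN not consulted"
    template = TEMPLATES.get((frame_type, value))
    if template in groups:
        return groups[template], f"matched template {template}"
    return None, "no protocol group matched"


def build_frame(type_len: int, payload: bytes = b"", tag_vid=None) -> bytes:
    """Build a constructed test frame (not captured traffic)."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("0019568a4c71")
    tag = struct.pack("!HH", TPID_8021Q, tag_vid) if tag_vid is not None else b""
    return dst + src + tag + struct.pack("!H", type_len) + payload


def build_snap_frame(ether_type: int) -> bytes:
    """Constructed 802.3 frame carrying an LLC/SNAP header with a zero OUI."""
    body = SNAP_LLC + b"\x00\x00\x00" + struct.pack("!H", ether_type) + b"data"
    return build_frame(len(body), body)


if __name__ == "__main__":
    samples = {
        "IPv4": build_frame(0x0800),
        "IPv6": build_frame(0x86DD),
        "ARP": build_frame(0x0806),
        "SNAP 8137": build_snap_frame(0x8137),
        "tagged IPv4, VID 30": build_frame(0x0800, tag_vid=30),
    }
    for name, frame in samples.items():
        print(f"{name:22} -> {classify(frame)}")
```

In this model an ARP frame (ether-type 0806) matches neither group, because the IP template covers only ether-type 0800.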
  • Page 222: Configuring Spanning Tree

    Part 10 Configuring Spanning Tree CHAPTERS 1. Spanning Tree 2. STP/RSTP Configurations 3. MSTP Configurations 4. STP Security Configurations 5. Configuration Example for MSTP 6. Appendix: Default Parameters...
  • Page 223: Spanning Tree

    Configuring Spanning Tree Spanning Tree Spanning Tree 1.1 Overview STP (Spanning Tree Protocol) is a layer 2 Protocol that prevents loops in the network. As is shown in Figure 1-1, STP helps to:
    - Block specified ports of the switches to build a loop-free topology.
    - Detect topology changes and automatically generate a loop-free topology.
  • Page 224: Root Bridge

    Configuring Spanning Tree Spanning Tree
    [Figure 1-2 STP/RSTP Topology. Labels: root bridge, designated port, root port, backup port, alternate port]
    Root Bridge The root bridge is the root of a spanning tree. There is only one root bridge in each spanning tree, and the root bridge has the lowest bridge ID.
  • Page 225 Configuring Spanning Tree Spanning Tree In RSTP/MSTP, the alternate port is the backup for the root port. It is blocked when the root port works normally. Once the root port fails, the alternate port will become the new root port. In STP, the alternate port is always blocked.
  • Page 226 Spanning Tree Learning and Forwarding status correspond exactly to the Learning and Forwarding status specified in STP. In TP-Link switches, the port status includes: Blocking, Learning, Forwarding and Disconnected.  Blocking In this status, the port receives and sends BPDUs. The other packets are dropped.
  • Page 227: Mstp Concepts

    Configuring Spanning Tree Spanning Tree BPDU The packets used to generate the spanning tree. The BPDUs (Bridge Protocol Data Units) contain a lot of information, like bridge ID, root path cost, port priority and so on. Switches share this information to help determine the tree topology. 1.2.2 MSTP Concepts MSTP, compatible with STP and RSTP, has the same basic elements used in STP and RSTP.
  • Page 228: Stp Security

    Configuring Spanning Tree Spanning Tree
    [Figure 1-4 MST Region. Labels: Instance 1 (root bridge: A), Instance 2 (root bridge: B), IST (root bridge: C), blocked port. Legend: VLAN 3 - Instance 1; VLAN 4-5 - Instance 2; other VLANs - IST]
    VLAN-Instance Mapping VLAN-Instance Mapping describes the mapping relationship between VLANs and instances.
  • Page 229 Configuring Spanning Tree Spanning Tree If the switch cannot receive BPDUs because of link congestions or link failures, the root port will become a designated port and the alternate port will transit to forwarding status, so loops will occur. With Loop Protect function enabled, the port will temporarily transit to blocking state when the port does not receive BPDUs.
  • Page 230 Configuring Spanning Tree Spanning Tree A switch removes MAC address entries upon receiving TC-BPDUs (the packets used to announce changes in the network topology). If a user maliciously sends a large number of TC-BPDUs to a switch in a short period, the switch will be busy with removing MAC address entries, which may decrease the performance and stability of the network.
  • Page 231: Stp/Rstp Configurations

    Configuring Spanning Tree STP/RSTP Configurations STP/RSTP Configurations To complete the STP/RSTP configuration, follow these steps: 1) Configure STP/RSTP parameters on ports. 2) Configure STP/RSTP globally. 3) Verify the STP/RSTP configurations.
    Configuration Guidelines
    - Before configuring the spanning tree, it's necessary to make clear the role that each switch plays in a spanning tree.
  • Page 232 Configuring Spanning Tree STP/RSTP Configurations Status Enable or disable spanning tree function on the desired port. Priority Enter the value of the port priority from 0 to 240, which is divisible by 16, and the default value is 128. The port with the lower value has the higher priority. In the same condition, the port with the highest priority will be elected as the root port.
  • Page 233: Configuring Stp/Rstp Globally

    Configuring Spanning Tree STP/RSTP Configurations Port Role Displays the role that the port plays in the spanning tree. Root Port: Indicates the port is a root port. Designated Port: Indicates the port is a designated port. Alternate Port: Indicates the port is a backup of a root port. Backup Port: Indicates the port is a backup of a designated port.
  • Page 234 Configuring Spanning Tree STP/RSTP Configurations Follow these steps to configure STP/RSTP globally: 1) In the Parameters Config section, configure the global parameters of STP/RSTP and click Apply. CIST Priority Specify the CIST priority of the switch. The valid values are from 0 to 61440, which are divisible by 4096. By default, it is 32768.
  • Page 235: Verifying The Stp/Rstp Configurations

    Configuring Spanning Tree STP/RSTP Configurations Mode Select the desired spanning tree mode as STP/RSTP on the switch. By default, it’s STP. STP: Specify the spanning tree mode as STP. RSTP: Specify the spanning tree mode as RSTP. MSTP: Specify the spanning tree mode as MSTP. 2.1.3 Verifying the STP/RSTP Configurations Verify the STP/RSTP information of your switch after all the configurations are finished.
  • Page 236: Using The Cli

    Configuring Spanning Tree STP/RSTP Configurations Spanning-Tree Mode Displays the spanning tree mode. Local Bridge Displays the bridge ID of the local bridge. The local bridge is the current switch. Root Bridge Displays the bridge ID of the root bridge. External Path Cost Displays the root path cost from the switch to the root bridge.
  • Page 237 Configuring Spanning Tree STP/RSTP Configurations Step 4 spanning-tree common-config [ port-priority pri ] [ ext-cost ext-cost ] [ portfast { enable | disable }] [ point-to-point { auto | open | close }] Configure STP/RSTP parameters on the desired port. Specify the value of port priority.
  • Page 238: Configuring Global Stp/Rstp Parameters

    Configuring Spanning Tree STP/RSTP Configurations Interface State Prio Ext-Cost Int-Cost Edge Mode Role Status ---------- ------- ---- ------ -------- ---- --------- ----- ----- ------- Gi1/0/3 Enable Auto Auto No(auto) LnkDwn Switch(config-if)#end Switch#copy running-config startup-config 2.2.2 Configuring Global STP/RSTP Parameters Follow these steps to configure global STP/RSTP parameters of the switch: Step 1 configure Enter global configuration mode.
  • Page 239: Enabling Stp/Rstp Globally

    Configuring Spanning Tree STP/RSTP Configurations Note: To prevent frequent network flapping, make sure that Hello Time, Forward Delay, and Max Age conform to the following formulas: • 2*(Hello Time + 1) <= Max Age • 2*(Forward Delay - 1) >= Max Age...
  • Page 240 Configuring Spanning Tree STP/RSTP Configurations Step 6 copy running-config startup-config Save the settings in the configuration file. This example shows how to enable spanning tree function, configure the spanning tree mode as RSTP and verify the configurations: Switch#configure Switch(config)#spanning-tree mode rstp Switch(config)#spanning-tree Switch(config)#show spanning-tree active Spanning tree is enabled...
  • Page 241: Mstp Configurations

    Configuring Spanning Tree MSTP Configurations MSTP Configurations To complete the MSTP configuration, follow these steps: 1) Configure parameters on ports in CIST. 2) Configure the MSTP region. 3) Configure the MSTP globally. 4) Verify the MSTP configurations. Configuration Guidelines • Before configuring the spanning tree, it's necessary to make clear the role that each switch plays in a spanning tree.
  • Page 242 Configuring Spanning Tree MSTP Configurations Status Enable or disable spanning tree function on the desired port. Priority Enter the value of port priority from 0 to 240 divisible by 16, and the default value is 128. The port with the lower value has the higher priority. In the same condition, the port with the highest priority will be elected as the root port in CIST.
  • Page 243: Configuring The Mstp Region

    Configuring Spanning Tree MSTP Configurations Port Role Displays the role that the port plays in CIST. Root Port: Indicates the port is the root port in CIST. Designated Port: Indicates the port is the designated port in CIST. Master Port: Indicates the port provides the lowest root path cost from the region to the root bridge in CIST.
  • Page 244 Configuring Spanning Tree MSTP Configurations Follow these steps to create an MST region: 1) In the Region Config section, set the name and revision level to specify an MSTP region. Region Name Configure the name for an MST region using up to 32 characters. By default, it is the MAC address of the switch.
  • Page 245 Configuring Spanning Tree MSTP Configurations Instance ID Displays the instance ID. Status Displays the status of the instance. Priority Enter a value from 0 to 61440 to specify the priority of the switch, which is divisible by 4096, and the default value is 32768. The switch with the lower value has the higher priority, and the switch with the highest priority will be elected as the root bridge in the desired instance.
  • Page 246 Configuring Spanning Tree MSTP Configurations • Configuring Parameters on Ports in the Instance Choose the menu Spanning Tree > MSTP Instance > Instance Port Config to load the following page. Figure 3-4 Configuring Port Parameters in the Instance Follow these steps to configure port parameters in the instance: 1) In the Instance ID Select section, select the desired instance ID for its port configuration.
  • Page 247 Configuring Spanning Tree MSTP Configurations Priority Enter the value of port priority from 0 to 240, which is divisible by 16, and the default value is 128. The port with the lower value has the higher priority. In the same condition, the port with the highest priority will be elected as the root port in the desired instance.
  • Page 248: Configuring Mstp Globally

    Configuring Spanning Tree MSTP Configurations 3.1.3 Configuring MSTP Globally Choose the menu Spanning Tree > STP Config > STP Config to load the following page. Figure 3-5 Configure MSTP Function Globally Follow these steps to configure MSTP globally: 1) In the Parameters Config section, configure the global parameters of MSTP and click Apply.
  • Page 249 Configuring Spanning Tree MSTP Configurations Note: To prevent frequent network flapping, make sure that Hello Time, Forward Delay, and Max Age conform to the following formulas: • 2*(Hello Time + 1) <= Max Age • 2*(Forward Delay - 1) >= Max Age...
  • Page 250: Verifying The Mstp Configurations

    Configuring Spanning Tree MSTP Configurations 3.1.4 Verifying the MSTP Configurations Choose the menu Spanning Tree > STP Config > STP Summary to load the following page. Figure 3-6 Verifying the MSTP Configurations The STP Summary section shows the summary information of CIST: Spanning Tree Displays the status of the spanning tree function.
  • Page 251: Using The Cli

    Configuring Spanning Tree MSTP Configurations Internal Path Cost Displays the internal path cost. It is the root path cost from the current switch to the root bridge in IST. Designated Bridge Displays the bridge ID of the designated bridge in CIST. Root Port Displays the root port in CIST.
  • Page 252 Configuring Spanning Tree MSTP Configurations Step 4 spanning-tree common-config [ port-priority pri ] [ ext-cost ext-cost ] [ int-cost int-cost ] [ portfast { enable | disable }] [ point-to-point { auto | open | close }] Configure the parameters on ports in CIST. Specify the value of port priority.
  • Page 253: Configuring The Mstp Region

    Configuring Spanning Tree MSTP Configurations Switch(config)#interface gigabitEthernet 1/0/3 Switch(config-if)#spanning-tree Switch(config-if)#spanning-tree common-config port-priority 32 Switch(config-if)#show spanning-tree interface gigabitEthernet 1/0/3 MST-Instance 0 (CIST) Interface State Prio Ext-Cost Int-Cost Edge Mode Role Status ----------- -------- ---- -------- -------- ---- --------- ----- ------- -------- Gi1/0/3 Enable Auto...
  • Page 254 Configuring Spanning Tree MSTP Configurations Step 4 name name Configure the region name of the region. name: Specify the region name, used to identify an MST region. The valid values are from 1 to 32 characters. Step 5 revision revision Configure the revision level of the region.
  • Page 255 Configuring Spanning Tree MSTP Configurations MST-Instance Vlans-Mapped ---------------- ------------------------------------------------------------ 1,7-4094 2-6, ---------------------------------------------------------------------------- Switch(config-mst)#end Switch#copy running-config startup-config • Configuring the Parameters on Ports in Instance Follow these steps to configure the priority and path cost of ports in the specified instance: Step 1 configure Enter global configuration mode.
  • Page 256: Configuring Global Mstp Parameters

    Configuring Spanning Tree MSTP Configurations Step 6 copy running-config startup-config Save the settings in the configuration file. This example shows how to configure the priority as 144, the path cost as 200 of port 1/0/3 in instance 5: Switch#configure Switch(config)#interface gigabitEthernet 1/0/3 Switch(config-if)#spanning-tree mst instance 5 port-priority 144 cost 200 Switch(config-if)#show spanning-tree interface gigabitEthernet 1/0/3 MST-Instance 0 (CIST)
  • Page 257 Configuring Spanning Tree MSTP Configurations Step 3 spanning-tree timer {[ forward-time forward-time ] [ hello-time hello-time ] [ max-age max-age ]} (Optional) Configure the Forward Delay, Hello Time and Max Age. forward-time: Specify the value of Forward Delay. The valid values are from 4 to 30 in seconds, and the default value is 15.
  • Page 258: Enabling Spanning Tree Globally

    Configuring Spanning Tree MSTP Configurations Switch(config-if)#spanning-tree hold-count 8 Switch(config-if)#spanning-tree max-hops 25 Switch(config-if)#show spanning-tree bridge State Mode Priority Hello-Time Fwd-Time Max-Age Hold-Count Max-Hops ------- ------- -------- -------- -------- -------- --------- -------- Enable Mstp 36864 Switch(config-if)#end Switch#copy running-config startup-config 3.2.4 Enabling Spanning Tree Globally Follow these steps to configure the spanning tree mode as MSTP and enable spanning tree function globally: Step 1...
  • Page 259 Configuring Spanning Tree MSTP Configurations Spanning-tree’s mode: MSTP (802.1s Multiple Spanning Tree Protocol) Latest topology change time: 2006-01-04 10:47:42 MST-Instance 0 (CIST) Root Bridge Priority : 32768 Address : 00-0a-eb-13-23-97 External Cost : 200000 Root Port : Gi/0/20 Designated Bridge Priority : 32768 Address...
  • Page 260 Configuring Spanning Tree MSTP Configurations Priority : 32768 Address : 00-0a-eb-13-12-ba Interface Prio Cost Role Status ---------- ---- -------- ------- -------- Gi/0/16 128 200000 Altn Gi/0/20 128 200000 Mstr Switch(config)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 261: Stp Security Configurations

    Configuring Spanning Tree STP Security Configurations STP Security Configurations With STP security, you can: • Configure the Loop Protect function. • Configure the Root Protect function. • Configure the TC Protect function. • Configure the BPDU Protect function. • Configure the BPDU Filter function. 4.1 Using the GUI 4.1.1 Configuring the STP Security Choose the menu Spanning Tree >...
  • Page 262: Configuring The Threshold And Cycle Of Tc Protect

    BPDUs, but it sends out its own BPDUs, preventing the switch from being attacked by BPDUs. 4.1.2 Configuring the Threshold and Cycle of TC Protect T1600G-18TS does not support configuring the threshold and cycle of TC protect. Configuration Guide...
  • Page 263: Using The Cli

    Configuring Spanning Tree STP Security Configurations When you enable TC Protect function on ports, set the TC threshold and TC Protect Cycle here. If the number of the received TC-BPDUs exceeds the maximum number you set in the TC threshold field, the switch will not remove MAC address entries in the TC protect cycle. Choose the menu Spanning Tree >...
  • Page 264 Configuring Spanning Tree STP Security Configurations Step 4 spanning-tree guard root (Optional) Enable the Root Protect function on the port. It is recommended to enable this function on the designated ports of the root bridge. The Root Protect function is used to ensure that the desired root bridge will not lose its position. With the Root Protect function enabled, the port will temporarily transition to the blocking state when it receives higher-priority BPDUs.
  • Page 265: Configuring The Tc Protect

    Enter global configuration mode. Step 2 spanning-tree tc-defend threshold threshold period period (Except T1600G-18TS) Configure the threshold and cycle of TC protect globally. threshold: Specify the TC threshold. The valid values range from 1 to 100 packets. By default, it is 20. TC threshold is the maximum number of the TC-BPDUs received by the switch in a TC protect cycle.
  • Page 266 Configuring Spanning Tree STP Security Configurations Switch(config)#spanning-tree tc-defend threshold 25 period 8 Switch(config)#interface gigabitEthernet 1/0/3 Switch(config-if)#spanning-tree guard tc Switch(config-if)#show spanning-tree interface-security gigabitEthernet 1/0/3 Interface BPDU-Filter BPDU-Guard Loop-Protect Root-Protect TC-Protect ---------- ----------- ---------- ------------ ------------ --------- Gi1/0/3 Enable Enable Enable Enable Enable Switch(config-if)#end Switch#copy running-config startup-config...
  • Page 267: Configuration Example For Mstp

    Configuring Spanning Tree Configuration Example for MSTP Configuration Example for MSTP MSTP, backwards-compatible with STP and RSTP, can map VLANs to instances to enable load-balancing, thus providing a more flexible method in network management. Here we take the MSTP configuration as an example. 5.1 Network Requirements As shown in figure 5-1, the network consists of three switches.
  • Page 268: Using The Gui

    Configuring Spanning Tree Configuration Example for MSTP Figure 5-2 VLAN-Instance Mapping [figure: Switch A, Switch B and Switch C; Instance 1: VLAN 101-VLAN 103; Instance 2: VLAN 104-VLAN 106; blocked ports marked] The overview of configuration is as follows: 1) Enable the Spanning Tree function on the ports in each switch.
  • Page 269 Configuring Spanning Tree Configuration Example for MSTP Figure 5-3 Enable Spanning Tree Function on Ports 2) Choose the menu Spanning Tree > MSTP Instance > Region Config to load the following page. Set the region name as 1 and the revision level as 100. Figure 5-4 Configuring the MST Region 3) Choose the menu Spanning Tree >...
  • Page 270 Configuring Spanning Tree Configuration Example for MSTP Figure 5-5 Configuring the VLAN-Instance Mapping 4) Choose the menu Spanning Tree > MSTP Instance > Instance Port Config to load the following page. Set the path cost of port 1/0/1 in instance 1 as 400000. Configuration Guide...
  • Page 271 Configuring Spanning Tree Configuration Example for MSTP Figure 5-6 Configure the Path Cost of Port 1/0/1 In Instance 1 5) Choose the menu Spanning Tree > STP Config > STP Config to load the following page. Enable MSTP function globally. Here we leave the values of the other global parameters as default settings.
  • Page 272 Configuring Spanning Tree Configuration Example for MSTP Figure 5-7 Configure the Global MSTP Parameters of the Switch 6) Click Save Config to save the settings. • Configurations for Switch B 1) Choose the menu Spanning Tree > STP Config > Port Config to load the following page.
  • Page 273 Configuring Spanning Tree Configuration Example for MSTP Figure 5-9 Configuring the Region 3) Choose the menu Spanning Tree > MSTP Instance > Instance Config to load the following page. Map VLAN101-VLAN103 to instance 1; map VLAN104-VLAN106 to instance 2. Figure 5-10 Configuring the VLAN-Instance Mapping 4) Choose the menu Spanning Tree >...
  • Page 274 Configuring Spanning Tree Configuration Example for MSTP Figure 5-11 Configuring the Priority of Switch B in Instance 1 5) Choose the menu Spanning Tree > MSTP Instance > Instance Port Config to load the following page. Set the path cost of port 1/0/2 in instance 2 as 400000. Configuration Guide...
  • Page 275 Configuring Spanning Tree Configuration Example for MSTP Figure 5-12 Configure the Path Cost of Port 1/0/2 in Instance 2 6) Choose the menu Spanning Tree > STP Config > STP Config to load the following page. Enable MSTP function globally. Here we leave the values of the other global parameters as default settings.
  • Page 276 Configuring Spanning Tree Configuration Example for MSTP Figure 5-13 Configuring the MSTP Globally 7) Click Save Config to save the settings. • Configurations for Switch C 1) Choose the menu Spanning Tree > STP Config > Port Config to load the following page.
  • Page 277 Configuring Spanning Tree Configuration Example for MSTP Figure 5-15 Configuring the Region 3) Choose the menu Spanning Tree > MSTP Instance > Instance Config to load the following page. Map VLAN101-VLAN103 to instance 1; map VLAN104-VLAN106 to instance 2. Figure 5-16 Configuring the VLAN-Instance Mapping 4) Choose the menu Spanning Tree >...
  • Page 278 Configuring Spanning Tree Configuration Example for MSTP Figure 5-17 Configuring the Priority of Switch C in Instance 2 5) Choose the menu Spanning Tree > STP Instance > STP Config to load the following page. Enable MSTP function globally. Here we leave the values of the other global parameters as default settings.
  • Page 279: Using The Cli

    Configuring Spanning Tree Configuration Example for MSTP 5.4 Using the CLI • Configurations for Switch A 1) Enable the spanning tree function on port 1/0/1 and port 1/0/2, and specify the path cost of port 1/0/1 in instance 1 as 400000. Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#spanning-tree...
  • Page 280 Configuring Spanning Tree Configuration Example for MSTP Switch(config-if)#spanning-tree Switch(config-if)#spanning-tree mst instance 2 cost 400000 Switch(config-if)#exit Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#spanning-tree Switch(config-if)#exit 2) Configure the region name as 1, the revision number as 100; map VLAN101-VLAN103 to instance 1; map VLAN104-VLAN106 to instance 2; configure the priority of Switch B in instance 1 as 0 to set it as the root bridge in instance 1: Switch(config)#spanning-tree mst configuration Switch(config-mst)#name 1...
  • Page 281 Configuring Spanning Tree Configuration Example for MSTP Switch(config-mst)#name 1 Switch(config-mst)#revision 100 Switch(config-mst)#instance 1 vlan 101-103 Switch(config-mst)#instance 2 vlan 104-106 Switch(config-mst)#exit Switch(config)#spanning-tree mst instance 2 priority 0 3) Configure the spanning tree mode as MSTP, then enable spanning tree function globally. Switch(config)#spanning-tree mode mstp Switch(config)#spanning-tree Switch(config)#end...
  • Page 282 Configuring Spanning Tree Configuration Example for MSTP Interface Prio Cost Role Status --------- ---- -------- ------ ----- ---- Gi1/0/1 400000 Root Gi1/0/2 200000 Altn Verify the configurations of Switch A in instance 2: Switch(config)#show spanning-tree mst instance 2 MST-Instance 2 Root Bridge Priority Address...
  • Page 283 Configuring Spanning Tree Configuration Example for MSTP Local bridge is the root bridge Designated Bridge Priority Address : 00-0a-eb-13-12-ba Local Bridge Priority Address : 00-0a-eb-13-12-ba Interface Prio Cost Role Status ---------- ---- -------- ------- -------- Gi1/0/1 200000 Desg Gi1/0/2 200000 Desg Verify the configurations of Switch B in instance 2: Switch(config)#show spanning-tree mst instance 2 MST-Instance 2...
  • Page 284 Configuring Spanning Tree Configuration Example for MSTP • Switch C Verify the configurations of Switch C in instance 1: Switch(config)#show spanning-tree mst instance 1 MST-Instance 1 Root Bridge Priority Address : 00-0a-eb-13-12-ba Internal Cost : 200000 Root Port Designated Bridge Priority Address : 00-0a-eb-13-12-ba...
  • Page 285 Configuring Spanning Tree Configuration Example for MSTP Local Bridge Priority Address : 3c-46-d8-9d-88-f7 Interface Prio Cost Role Status ----------- ------ --------- ------- ---------- Gi1/0/1 200000 Desg Gi1/0/2 200000 Desg Configuration Guide...
  • Page 286: Appendix: Default Parameters

    Configuring Spanning Tree Appendix: Default Parameters Appendix: Default Parameters Default settings of the Spanning Tree feature are listed in the following table. Table 6-1 Default Settings of the Global Parameters Parameter Default Setting Spanning-tree Disable Mode CIST Priority 32768 Hello Time 2 seconds Max Age 20 seconds...
  • Page 287 Configuring Spanning Tree Appendix: Default Parameters Parameter Default Setting Port Priority Path Cost Auto Configuration Guide...
  • Page 288: Configuring Layer 2 Multicast

    Part 11 Configuring Layer 2 Multicast CHAPTERS 1. Layer 2 Multicast 2. IGMP Snooping Configurations 3. Configuring MLD Snooping 4. Viewing Multicast Snooping Configurations 5. Configuration Examples 6. Appendix: Default Parameters...
  • Page 289: Layer 2 Multicast

    Configuring Layer 2 Multicast Layer 2 Multicast Layer 2 Multicast 1.1 Overview In a point-to-multipoint network, packets can be sent in three ways: unicast, broadcast and multicast. With unicast, many copies of the same information will be sent to all the receivers, occupying a large bandwidth.
  • Page 290: Supported Layer 2 Multicast Protocols

    Configuring Layer 2 Multicast Layer 2 Multicast Demonstrated as below: Figure 1-1 IGMP Snooping [figure: multicast packets transmission without IGMP Snooping and with IGMP Snooping; each panel shows a source, a multicast router, a Layer 2 switch and hosts]...
  • Page 291: Igmp Snooping Configurations

    Configuring Layer 2 Multicast IGMP Snooping Configurations IGMP Snooping Configurations 2.1 Using the GUI 2.1.1 Configuring IGMP Snooping Globally Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page. Figure 2-1 IGMP Snooping Global Config Enabling IGMP Snooping Globally Before configuring functions related to IGMP Snooping, enable IGMP Snooping globally first.
  • Page 292: (Optional) Configuring Report Message Suppression

    Configuring Layer 2 Multicast IGMP Snooping Configurations For switches that support MLD Snooping, IGMP Snooping and MLD Snooping share the setting of Unknown Multicast, so you have to enable MLD Snooping globally on the Multicast > MLD Snooping > Snooping Config page at the same time. Follow these steps to configure unknown multicast.
  • Page 293: Configuring Igmp Snooping Last Listener Query

    Configuring Layer 2 Multicast IGMP Snooping Configurations Configuring IGMP Snooping Last Listener Query Configure the Last Listener Query Interval and Last Listener Query Count when the switch receives an IGMP leave message. If the specified count of Multicast-Address-Specific Queries (MASQs) is sent and no report message is received, the switch will delete the multicast address from the multicast forwarding table.
  • Page 294: Configuring The Port's Basic Igmp Snooping Features

    Configuring Layer 2 Multicast IGMP Snooping Configurations 2.1.2 Configuring the Port’s Basic IGMP Snooping Features Choose the menu Multicast > IGMP Snooping > Port Config to load the following page. Figure 2-2 Enable IGMP Snooping on Port Enabling IGMP Snooping on the Port Follow these steps to enable or disable IGMP Snooping on the port.
  • Page 295: Configuring Igmp Snooping In The Vlan

    Configuring Layer 2 Multicast IGMP Snooping Configurations Fast Leave With Fast Leave enabled on a port, the switch will remove this port from the forwarding list of the corresponding multicast group once the port receives a leave message. You should only use this function when there is a single receiver present on the port.
  • Page 296: (Optional) Configuring The Static Router Ports In The Vlan

    Configuring Layer 2 Multicast IGMP Snooping Configurations Router Port Time Specify the aging time of the router ports in the VLAN. If the router port does not receive any IGMP general query message within the router port time, the switch will no longer consider this port as a router port and delete it from the router port list.
  • Page 297: Creating Multicast Vlan And Configuring Basic Settings

    Configuring Layer 2 Multicast IGMP Snooping Configurations Choose the menu Multicast > IGMP Snooping > Multicast VLAN to load the following page. Figure 2-4 Multicast VLAN Config Creating Multicast VLAN and Configuring Basic Settings In the Multicast VLAN section, follow these steps to enable Multicast VLAN and to finish the basic settings: 1) Set up the VLAN that the router ports and the member ports are in.
  • Page 298: (Optional) Creating Replace Source Ip

    Configuring Layer 2 Multicast IGMP Snooping Configurations Member Port Time Specify the aging time of the member ports in the multicast VLAN. If the member port does not receive any IGMP membership report message from the multicast group within the member port time, the switch will no longer consider this port as a member port and delete it from the multicast forwarding table.
  • Page 299: (Optional) Configuring The Querier

    Configuring Layer 2 Multicast IGMP Snooping Configurations Note: When configuration is finished, all multicast data through the ports in the VLAN will be processed in this multicast VLAN. 2.1.5 (Optional) Configuring the Querier IGMP Snooping Querier sends general query packets regularly to maintain the multicast forwarding table.
  • Page 300: Configuring Igmp Profile

    Configuring Layer 2 Multicast IGMP Snooping Configurations 2.1.6 Configuring IGMP Profile With IGMP Profile, the switch can define a blacklist or whitelist of multicast addresses so as to filter multicast sources. Choose the menu Multicast > IGMP Snooping > Profile Config to load the following page.
  • Page 301: Editing Ip Range Of The Profile

    Configuring Layer 2 Multicast IGMP Snooping Configurations Editing IP Range of the Profile Follow these steps to edit profile mode and its IP range: 1) Click Edit in the IGMP Profile Info table. Edit its IP range and click Add to save the settings.
  • Page 302: Binding Profile And Member Ports

    Configuring Layer 2 Multicast IGMP Snooping Configurations Figure 2-8 Profile Binding Binding Profile and Member Ports Follow these steps to bind the profile to the port. 1) Select the port to be bound, and enter the Profile ID in the Profile ID column. Select Select the port to be bound.
  • Page 303: Viewing Igmp Statistics On Each Port

    Configuring Layer 2 Multicast IGMP Snooping Configurations Max Group Enter the number of multicast groups the port can join. The valid values are from 0 to 1000. Overflow Action Select the action towards the new multicast group when the number of multicast groups the port joined exceeds max group.
  • Page 304: Viewing Igmp Statistics

    The IGMP Statistics table displays all kinds of IGMP statistics of all the ports. 2.1.9 Enabling IGMP Accounting and Authentication T1600G-18TS does not support this feature. Choose the menu Multicast > IGMP Snooping > IGMP Authentication to load the following page.
  • Page 305: Configuring Igmp Accounting Globally

    Configuring Layer 2 Multicast IGMP Snooping Configurations Configuring IGMP Accounting Globally To use this function, you should also enable Authentication, Authorization and Accounting (AAA) globally and configure RADIUS server on the switch. Follow these steps to enable IGMP Accounting globally. 1) Enable IGMP Accounting globally.
  • Page 306: Configuring Static Member Port

    Configuring Layer 2 Multicast IGMP Snooping Configurations Figure 2-11 Static Member Port Configuring Static Member Port Follow these steps to configure static member port. 1) Enter the Multicast IP and VLAN ID. Specify the Static Member Port. Multicast IP Specify the multicast group that the static member is in. VLAN ID Specify the VLAN that the static member is in.
  • Page 307: Enabling Igmp Snooping Globally

    Configuring Layer 2 Multicast IGMP Snooping Configurations 2.2 Using the CLI 2.2.1 Enabling IGMP Snooping Globally Step 1 configure Enter global configuration mode. Step 2 ip igmp snooping Enable IGMP Snooping Globally. Step 3 Return to privileged EXEC mode. Step 4 show ip igmp snooping Show the basic IGMP snooping configuration.
  • Page 308: Configuring Igmp Snooping Parameters Globally

    Configuring Layer 2 Multicast IGMP Snooping Configurations Switch(config)#interface gigabitEthernet 1/0/3 Switch(config-if)#ip igmp snooping Switch(config-if)#show ip igmp snooping IGMP Snooping :Enable Unknown Multicast :Pass Last Query Times Last Query Interval Global Member Age Time :260 Global Router Age Time :300 Global Report Suppression :Disable Global Authentication Accounting:Disable Enable Port:Gi1/0/3...
  • Page 309: Configuring Unknown Multicast

    Configuring Layer 2 Multicast IGMP Snooping Configurations The following example shows how to enable Report Message Suppression: Switch#configure Switch(config)#ip igmp snooping Switch(config)#ip igmp snooping report-suppression Switch(config)#show ip igmp snooping IGMP Snooping :Enable Unknown Multicast :Pass Last Query Times Last Query Interval Global Member Age Time :260 Global Router Age Time...
  • Page 310: Configuring Igmp Snooping Parameters On The Port

    Configuring Layer 2 Multicast IGMP Snooping Configurations For switches that support MLD Snooping, IGMP Snooping and MLD Snooping share the setting of Unknown Multicast, so you have to enable MLD Snooping globally at the same time. The following example shows how to configure the switch to discard unknown multicast data: Switch#configure Switch(config)#ip igmp snooping...
  • Page 311: Configuring Fast Leave

    Configuring Layer 2 Multicast IGMP Snooping Configurations Step 3 Return to privileged EXEC mode. Step 4 show ip igmp snooping Show the basic IGMP snooping configuration. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure the global router port time and member port time as 200 seconds: Switch#configure Switch(config)#ip igmp snooping...
  • Page 312: Configuring Max Group And Overflow Action On The Port

    Configuring Layer 2 Multicast IGMP Snooping Configurations Step 3 ip igmp snooping immediate-leave Enable Fast Leave on the specified port. With Fast Leave enabled on a port, the switch will delete the port-multicast group entry from the multicast forwarding table once the port receives a leave message.
  • Page 313: Configuring Igmp Snooping Last Listener Query

    Configuring Layer 2 Multicast IGMP Snooping Configurations Step 4 ip igmp snooping max-groups action {drop | replace} Specify the action towards the new multicast group when the number of multicast groups the port joined exceeds max group. drop: Drop all subsequent membership report messages, and the port joins no more new multicast groups.
  • Page 314 Configuring Layer 2 Multicast IGMP Snooping Configurations Step 2 ip igmp snooping last-listener query-inteval interval interval: determines the interval between MASQs sent by the switch. The valid values are from 1 to 5 seconds. Step 3 ip igmp snooping last-listener query-count num determines the number of MASQs sent by the switch.
  • Page 315: Configuring Igmp Snooping Parameters In The Vlan

    Configuring Layer 2 Multicast IGMP Snooping Configurations 2.2.6 Configuring IGMP Snooping Parameters in the VLAN Configuring Router Port Time and Member Port Time Step 1 configure Enter global configuration mode. Step 2 ip igmp snooping vlan-config vlan-id-list [rtime router-time | mtime member-time ] router-time is the aging time of the router ports in the specified VLAN, ranging from 60 to 600 seconds.
  • Page 316: Configuring Static Router Port

    Configuring Layer 2 Multicast IGMP Snooping Configurations Member Time:400 Static Router Port:None Dynamic Router Port:None Forbidden Router Port:None Switch(config)#end Switch#copy running-config startup-config Configuring Static Router Port Step 1 configure Enter global configuration mode. Step 2 ip igmp snooping vlan-config vlan-id-list [rport interface {gigabitEthernet port-list | port-channel port-channel-id }] are the static router ports in the specified VLAN.
  • Page 317: Configuring Forbidden Router Port

    Configuring Layer 2 Multicast IGMP Snooping Configurations Switch#copy running-config startup-config Configuring Forbidden Router Port Step 1 configure Enter global configuration mode. Step 2 ip igmp snooping vlan-config vlan-id-list router-ports-forbidden interface {gigabitEthernet port-list | port-channel port-channel-id } port-list and port-channel-id are the ports that cannot become router ports in the specified VLAN.
  • Page 318: Configuring Static Multicast (Multicast Ip And Forward Port)

    Configuring Layer 2 Multicast IGMP Snooping Configurations Configuring Static Multicast (Multicast IP and Forward Port) Step 1 configure Enter global configuration mode. Step 2 ip igmp snooping vlan-config vlan-id-list static ip interface {gigabitEthernet port-list | port-channel port-channel-id } vlan-id-list specifies the VLAN to be configured. ip specifies the static multicast IP address.
  • Page 319: Configuring Static Router Port

    Configuring Layer 2 Multicast IGMP Snooping Configurations Step 2 ip igmp snooping multi-vlan-config [ vlan-id ] [rtime router-time | mtime member-time ] vlan-id specifies the VLAN to be created or to be configured. router-time is the aging time of the router ports in the multicast VLAN, ranging from 60 to 600 seconds.
  • Page 320: Configuring Forbidden Router Port

    Configuring Layer 2 Multicast IGMP Snooping Configurations Step 2 ip igmp snooping multi-vlan-config [ vlan-id ] [rport interface {gigabitEthernet port-list | port-channel port-channel-id }] vlan-id specifies the VLAN to be created or to be configured. port-list port-channel-id are the static router ports in the multicast VLAN. Step 3...
  • Page 321: Configuring Replace Source Ip

    Configuring Layer 2 Multicast IGMP Snooping Configurations Step 2 ip igmp snooping multi-vlan-config [ vlan-id ] router-ports-forbidden interface {gigabitEthernet port-list | port-channel port-channel-id } vlan-id specifies the multicast VLAN to be configured. port-list port-channel-id are the ports that cannot become router ports in the multicast VLAN.
  • Page 322: Configuring The Querier

    Configuring Layer 2 Multicast IGMP Snooping Configurations Step 2 ip igmp snooping multi-vlan-config [ vlan-id ] replace-sourceip ip vlan-id specifies the multicast VLAN to be configured. ip specifies the new source IP. The switch will replace the source IP in the IGMP multicast data sent by the multicast VLAN with the IP address you enter.
  • Page 323: Configuring Query Interval, Max Response Time And General Query Source Ip

    Configuring Layer 2 Multicast IGMP Snooping Configurations Step 2 ip igmp snooping querier vlan vlan-id vlan-id specifies the VLAN to enable IGMP Querier. Step 3 show ip igmp snooping querier [vlan vlan-id ] Show the IGMP querier configuration. Step 4 Return to privileged EXEC mode.
  • Page 324: Configuring Multicast Filtering

    Configuring Layer 2 Multicast IGMP Snooping Configurations Step 3 show ip igmp snooping querier [vlan vlan-id ] Show the detailed IGMP querier configuration. Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable IGMP Snooping and IGMP Querier in VLAN 4, set the query interval as 100 seconds, the max response time as 20 seconds, and the general query source IP as 192.168.0.1:...
  • Page 325: Binding Profile To The Port

    Configuring Layer 2 Multicast IGMP Snooping Configurations Step 3 permit deny Configure the profile's filtering mode. permit is similar to a whitelist, indicating that the switch only allows specific member ports to join specific multicast groups. deny is similar to a blacklist, indicating that the switch disallows specific member ports from joining specific multicast groups.
  • Page 326 Configuring Layer 2 Multicast IGMP Snooping Configurations Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 3 ip igmp filter profile-id Bind profile-id to the specified port.
  • Page 327: Enabling Igmp Accounting And Authentication

    Configuring Layer 2 Multicast IGMP Snooping Configurations 2.2.10 Enabling IGMP Accounting and Authentication T1600G-18TS does not support this feature. Enabling IGMP Authentication on the Port Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range...
  • Page 328: Enabling Igmp Accounting Globally

    Configuring Layer 2 Multicast IGMP Snooping Configurations Enabling IGMP Accounting Globally Step 1 configure Enter global configuration mode. Step 2 ip igmp snooping accounting Enable IGMP Accounting globally. Step 3 show ip igmp snooping Show the global IGMP snooping configuration. Step 4 Return to privileged EXEC mode.
  • Page 329: Configuring Mld Snooping Globally

    Configuring Layer 2 Multicast Configuring MLD Snooping Configuring MLD Snooping 3.1 Using the GUI 3.1.1 Configuring MLD Snooping Globally Choose the menu Multicast > MLD Snooping > Snooping Config Figure 3-1 MLD Snooping Global Config Enabling MLD Snooping Globally Before configuring functions related to MLD Snooping, enable MLD Snooping globally first. 1) Select Enable to enable MLD Snooping globally.
  • Page 330: Optional) Configuring Report Message Suppression

    Configuring Layer 2 Multicast Configuring MLD Snooping IGMP Snooping and MLD Snooping share the setting of Unknown Multicast, so you have to enable IGMP Snooping globally on the Multicast > IGMP Snooping > Snooping Config page at the same time. Follow these steps to configure unknown multicast.
  • Page 331: Configuring Mld Snooping Last Listener Query

    Configuring Layer 2 Multicast Configuring MLD Snooping Configuring MLD Snooping Last Listener Query Configure the Last Listener Query Interval and Last Listener Query Count when the switch receives an MLD leave message. If the specified count of Multicast-Address-Specific Queries (MASQs) is sent and no report message is received, the switch will delete the multicast address from the multicast forwarding table.
  • Page 332: Configuring The Port's Basic Mld Snooping Features

    Configuring Layer 2 Multicast Configuring MLD Snooping 3.1.2 Configuring the Port’s Basic MLD Snooping Features Choose the menu Multicast > MLD Snooping > Port Config to load the following page. Figure 3-2 Enable MLD Snooping on Port Enabling MLD Snooping on the Port Follow these steps to enable or disable MLD Snooping on the port.
  • Page 333: Configuring Mld Snooping In The Vlan

    Configuring Layer 2 Multicast Configuring MLD Snooping Fast Leave With Fast Leave enabled on a port, the switch will remove this port from the forwarding list of the corresponding multicast group once the port receives a leave message. You should only use this function when there is a single receiver present on the port.
  • Page 334: Optional) Configuring The Static Router Ports In The Vlan

    Configuring Layer 2 Multicast Configuring MLD Snooping Router Port Time: Specify the aging time of the router ports in the VLAN. If the router port does not receive any MLD general query message within the router port time, the switch will no longer consider this port as a router port and delete it from the router port list.
  • Page 335: Creating Multicast Vlan And Configuring Basic Settings

    Configuring Layer 2 Multicast Configuring MLD Snooping Choose the menu Multicast > MLD Snooping > Multicast VLAN to load the following page. Figure 3-4 Multicast VLAN Config Creating Multicast VLAN and Configuring Basic Settings In the Multicast VLAN section, follow these steps to enable Multicast VLAN and to finish the basic settings: 1) Set up the VLAN that the router ports and the member ports are in.
  • Page 336: Optional) Creating Replace Source Ip

    Configuring Layer 2 Multicast Configuring MLD Snooping Member Port Time: Specify the aging time of the member ports in the multicast VLAN. If the member port does not receive any MLD membership report message from the multicast group within the member port time, the switch will no longer consider this port as a member port and delete it from the multicast forwarding table.
  • Page 337: Optional) Configuring The Querier

    Configuring Layer 2 Multicast Configuring MLD Snooping Note: When configuration is finished, all multicast data through the ports in the VLAN will be processed in this multicast VLAN. 3.1.5 (Optional) Configuring the Querier MLD Snooping Querier sends general query packets regularly to maintain the multicast forwarding table.
  • Page 338: Configuring Mld Profile

    Configuring Layer 2 Multicast Configuring MLD Snooping 3.1.6 Configuring MLD Profile With MLD Profile, the switch can define a blacklist or whitelist of multicast addresses so as to filter multicast sources. Choose the menu Multicast > MLD Snooping > Profile Config to load the following page.
  • Page 339: Editing Ip Range Of The Profile

    Configuring Layer 2 Multicast Configuring MLD Snooping Editing IP Range of the Profile Follow these steps to edit profile mode and its IP range: 1) Click Edit in the MLD Profile Info table. Edit its IP range and click Add to save the settings.
  • Page 340: Binding Profile And Member Ports

    Configuring Layer 2 Multicast Configuring MLD Snooping 3.1.7 Binding Profile and Member Ports With this function, you can configure each port’s filtering profile and the number of multicast groups a port can join. Choose the menu Multicast > MLD Snooping > Profile Binding to load the following page.
  • Page 341: Configuring Max Groups A Port Can Join

    Configuring Layer 2 Multicast Configuring MLD Snooping Configuring Max Groups a Port Can Join Follow these steps to configure the maximum groups a port can join and overflow action. 1) Select a port to configure its Max Group and Overflow Action. Select Select the port to be configured.
  • Page 342: Viewing Mld Statistics On Each Port

    Configuring Layer 2 Multicast Configuring MLD Snooping 3.1.8 Viewing MLD Statistics on Each Port Choose the menu Multicast > MLD Snooping > Packet Statistic to load the following page. Figure 3-9 View MLD Statistics on the Port Configuring Auto Refresh Follow these steps to configure auto refresh. 1) Enable or disable Auto Refresh.
  • Page 343: Configuring Static Member Port

    Configuring Layer 2 Multicast Configuring MLD Snooping 3.1.9 Configuring Static Member Port This function allows you to specify a port as a static member port in the multicast group. Choose the menu Multicast > Multicast Table > Static IPv4 Multicast Table to load the following page.
  • Page 344: Using The Cli

    Configuring Layer 2 Multicast Configuring MLD Snooping Using the CLI 3.2.1 Enabling MLD Snooping Globally Step 1 configure Enter global configuration mode. Step 2 ipv6 mld snooping Enable MLD Snooping Globally. Step 3 show ipv6 mld snooping Show the basic MLD snooping configuration. Step 4 Return to privileged EXEC mode.
  • Page 345: Configuring Mld Snooping Parameters Globally

    Configuring Layer 2 Multicast Configuring MLD Snooping Switch(config-if)#ipv6 mld snooping Switch(config-if)#show ipv6 mld snooping MLD Snooping :Enable Unknown Multicast :Pass Last Query Times Last Query Interval Global Member Age Time :260 Global Router Age Time :300 Global Report Suppression :Disable Enable Port:Gi1/0/3 Enable VLAN: Switch(config-if)#end...
  • Page 346: Configuring Unknown Multicast

    Configuring Layer 2 Multicast Configuring MLD Snooping Switch(config)#ipv6 mld snooping report-suppression Switch(config)#show ipv6 mld snooping MLD Snooping :Enable Unknown Multicast :Pass Last Query Times Last Query Interval Global Member Age Time :260 Global Router Age Time :300 Global Report Suppression :Enable Enable Port: Enable VLAN:...
  • Page 347: Configuring Mld Snooping Parameters On The Port

    Configuring Layer 2 Multicast Configuring MLD Snooping Switch(config)#ip igmp snooping Switch(config)#ipv6 mld snooping drop-unknown Switch(config)#show ipv6 mld snooping MLD Snooping :Enable Unknown Multicast :Discard Last Query Times Last Query Interval Global Member Age Time :260 Global Router Age Time :300 Global Report Suppression :Disable Enable Port:...
  • Page 348: Configuring Fast Leave

    Configuring Layer 2 Multicast Configuring MLD Snooping Switch(config)#ipv6 mld snooping Switch(config)#ipv6 mld snooping rtime 200 Switch(config)#ipv6 mld snooping mtime 200 Switch(config)#show ipv6 mld snooping MLD Snooping :Enable Unknown Multicast :Pass Last Query Times Last Query Interval Global Member Age Time :200 Global Router Age Time :200...
  • Page 349: Configuring Max Group And Overflow Action On The Port

    Configuring Layer 2 Multicast Configuring MLD Snooping The following example shows how to enable Fast Leave on port 1/0/3: Switch#configure Switch(config)#ipv6 mld snooping Switch(config)#interface gigabitEthernet 1/0/3 Switch(config-if)#ipv6 mld snooping Switch(config-if)#ipv6 mld snooping immediate-leave Switch(config-if)#show ipv6 mld snooping interface gigabitEthernet 1/0/3 basic-config Port MLD-Snooping Fast-Leave...
  • Page 350: Configuring Mld Snooping Last Listener Query

    Configuring Layer 2 Multicast Configuring MLD Snooping Step 7 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure the Max Group as 500 and the Overflow Action as Drop on port 1/0/3: Switch#configure Switch(config)#ipv6 mld snooping Switch(config)#interface gigabitEthernet 1/0/3...
  • Page 351: Configuring Mld Snooping Parameters In The Vlan

    Configuring Layer 2 Multicast Configuring MLD Snooping The following example shows how to configure the last listener query count as 5 and the last listener query interval as 5 seconds: Switch#configure Switch(config)#ipv6 mld snooping Switch(config)#ipv6 mld snooping last-listener query-count 5 Switch(config)#ipv6 mld snooping last-listener query-interval 5 Switch(config)#show ipv6 mld snooping MLD Snooping...
  • Page 352: Configuring Static Router Port

    Configuring Layer 2 Multicast Configuring MLD Snooping Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable MLD Snooping in VLAN 2 and VLAN 3, configure the router port time as 500 seconds and the member port time as 400 seconds: Switch#configure Switch(config)#ipv6 mld snooping Switch(config)#ipv6 mld snooping vlan-config 2-3 rtime 500...
  • Page 353: Configuring Forbidden Router Port

    Configuring Layer 2 Multicast Configuring MLD Snooping Step 3 show ipv6 mld snooping vlan vlan-id Show the basic MLD snooping configuration in the specified VLAN. Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable MLD Snooping in VLAN 2 and configure port 1/0/2 as the static router port: Switch#configure...
  • Page 354: Configuring Static Multicast (Multicast Ip And Forward Port)

    Configuring Layer 2 Multicast Configuring MLD Snooping Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable MLD Snooping in VLAN 2 and forbid port 1/0/4-6 from becoming router ports (port 1/0/4-6 will drop all multicast data from Layer 3 devices): Switch#config Switch(config)#ipv6 mld snooping...
  • Page 355: Configuring Mld Snooping Parameters In The Multicast Vlan

    Configuring Layer 2 Multicast Configuring MLD Snooping Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure ff01::1234:02 as the static multicast IP and specify port 1/0/9-10 as the forward ports: Switch#configure Switch(config)#ipv6 mld snooping Switch(config)#ipv6 mld snooping vlan-config 2 static ff01::1234:02 interface...
  • Page 356: Configuring Static Router Port

    Configuring Layer 2 Multicast Configuring MLD Snooping The following example shows how to configure VLAN 5 as the multicast VLAN, set the router port time as 500 seconds and the member port time as 400 seconds: Switch#configure Switch(config)#ipv6 mld snooping Switch(config)#ipv6 mld snooping multi-vlan-config 5 rtime 500 Switch(config)#ipv6 mld snooping multi-vlan-config 5 mtime 400 Switch(config)#show ipv6 mld snooping multi-vlan...
  • Page 357: Configuring Forbidden Router Port

    Configuring Layer 2 Multicast Configuring MLD Snooping The following example shows how to configure VLAN 5 as the multicast VLAN, and set port 1/0/5 as the static router port: Switch#configure Switch(config)#ipv6 mld snooping Switch(config)#ipv6 mld snooping multi-vlan-config 5 rport interface gigabitEthernet 1/0/5 Switch(config)#show ipv6 mld snooping multi-vlan Multicast Vlan:Enable...
  • Page 358: Configuring Replace Source Ip

    Configuring Layer 2 Multicast Configuring MLD Snooping The following example shows how to configure VLAN 5 as the multicast VLAN, and set port 1/0/6 as the forbidden router port: Switch#configure Switch(config)#ipv6 mld snooping Switch(config)#ipv6 mld snooping multi-vlan-config 5 router-ports-forbidden interface gigabitEthernet 1/0/6 Switch(config)#show ipv6 mld snooping multi-vlan Multicast Vlan:Enable...
  • Page 359: Configuring The Querier

    Configuring Layer 2 Multicast Configuring MLD Snooping The following example shows how to configure VLAN 5 as the multicast VLAN and replace the source IP in the MLD packets sent by the switch with FE80::02FF:FFFF:FE00:0001: Switch#configure Switch(config)#ipv6 mld snooping Switch(config)#ipv6 mld snooping multi-vlan-config 5 replace-sourceip fe80::02ff:ffff:fe00:0001 Switch(config)#show ipv6 mld snooping multi-vlan Multicast Vlan:Enable...
  • Page 360: Configuring Query Interval, Max Response Time And General Query Source Ip

    Configuring Layer 2 Multicast Configuring MLD Snooping The following example shows how to enable MLD Snooping and MLD Querier in VLAN 4: Switch#configure Switch(config)#ipv6 mld snooping Switch(config)#ipv6 mld snooping querier vlan 4 Switch(config)#show ipv6 mld snooping querier VLAN 4: -------------- Maximum Response Time: Query Interval: General Query Source IP:...
  • Page 361: Configuring Multicast Filtering

    Configuring Layer 2 Multicast Configuring MLD Snooping Switch(config)#ipv6 mld snooping Switch(config)#ipv6 mld snooping querier vlan 4 query-interval 100 Switch(config)#ipv6 mld snooping querier vlan 4 max-response-time 20 Switch(config)#ipv6 mld snooping querier vlan 4 general-query source-ip fe80::2ff:ffff:fe00:1 Switch(config)#show ipv6 mld snooping querier VLAN 4: -------------- Maximum Response Time:...
  • Page 362: Binding Profile To The Port

    Configuring Layer 2 Multicast Configuring MLD Snooping Step 6 show ipv6 mld profile [ id ] Show the detailed MLD profile configuration. Step 7 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure Profile 1 so that the switch filters multicast data sent to ff01::1234:5-ff01::1234:8: Switch#configure Switch(config)#ipv6 mld snooping...
  • Page 363 Configuring Layer 2 Multicast Configuring MLD Snooping The following example shows how to bind Profile 1 to port 1/0/2 so that port 1/0/2 filters multicast data sent to ff01::1234:5-ff01::1234:8: Switch#configure Switch(config)#ipv6 mld snooping Switch(config)#ipv6 mld profile 1 Switch(config-mld-profile)#deny Switch(config-mld-profile)#range ff01::1234:5 ff01::1234:8 Switch(config-mld-profile)#exit Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#ipv6 mld snooping...
  • Page 364: Viewing Multicast Snooping Configurations

    Configuring Layer 2 Multicast Viewing Multicast Snooping Configurations Viewing Multicast Snooping Configurations Using the GUI 4.1.1 Viewing IPv4 Multicast Snooping Configurations Choose the menu Multicast > Multicast Table > IPv4 Multicast Table to view all valid Multicast IP-VLAN-Port entries. Figure 4-1 IPv4 Multicast Table Search Option Search Option...
  • Page 365: Viewing Ipv6 Multicast Snooping Configurations

    Configuring Layer 2 Multicast Viewing Multicast Snooping Configurations 4.1.1 Viewing IPv6 Multicast Snooping Configurations Choose the menu Multicast > Multicast Table > IPv6 Multicast Table to view all valid Multicast IP-VLAN-Port entries. Figure 4-2 IPv6 Multicast Table 4.2 Using the CLI 4.2.1 Viewing IPv4 Multicast Snooping Configurations show ip igmp snooping Displays global settings of IGMP Snooping.
  • Page 366: Viewing Ipv6 Multicast Snooping Configurations

    Configuring Layer 2 Multicast Viewing Multicast Snooping Configurations show ip igmp snooping groups [ vlan vlan-id ] [count | dynamic | dynamic count | static | static count ] Displays information of specific multicast group in all VLANs or in the specific VLAN. count: displays the number of multicast groups.
  • Page 367 Configuring Layer 2 Multicast Viewing Multicast Snooping Configurations show ipv6 mld snooping groups [vlan vlan-id ] [count | dynamic | dynamic count | static | static count ] Displays information of specific multicast group in all VLANs or in the specific VLAN. count displays the number of multicast groups.
  • Page 368: Configuration Examples

    Configuring Layer 2 Multicast Configuration Examples Configuration Examples Example for Configuring Basic IGMP Snooping 5.1.1 Network Requirements Host B, Host C and Host D are in the same VLAN of the switch. All of them want to receive multicast data sent to multicast group 225.1.1.1. As shown in the following topology, Host B, Host C and Host D are connected to port 1/0/1, port 1/0/2 and port 1/0/3 respectively.
  • Page 369: Using The Gui

    Configuring Layer 2 Multicast Configuration Examples Enable IGMP Snooping in the VLAN. Demonstrated with T1600G-52TS, this section provides configuration procedures in two ways: using the GUI and using the CLI. 5.1.3 Using the GUI 1) Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page.
  • Page 370 Configuring Layer 2 Multicast Configuration Examples Figure 5-3 Enable IGMP Snooping on the Ports 3) Choose the menu VLAN > 802.1Q VLAN > VLAN Config to load the following page. Create VLAN 10 and add Untagged port 1/0/1-3 and Tagged port 1/0/4 to VLAN 10. Figure 5-4 Configure Link Type Configuration Guide...
  • Page 371 Configuring Layer 2 Multicast Configuration Examples 4) Choose the menu VLAN > 802.1Q VLAN > Port Config to load the following page. Configure the PVID of port 1/0/1-4 as 10. Figure 5-5 Create VLAN and Add Member Ports 5) Choose the menu Multicast > IGMP Snooping > VLAN Config to load the following page.
  • Page 372: Using The Cli

    Configuring Layer 2 Multicast Configuration Examples Figure 5-6 Enable IGMP Snooping in the VLAN 6) Click Save Config to save the settings. 5.1.4 Using the CLI 1) Enable IGMP Snooping globally. Switch#configure Switch(config)#ip igmp snooping 2) Enable IGMP Snooping on port 1/0/1-4. Switch(config)#interface range gigabitEthernet 1/0/1-4 Switch(config-if-range)#ip igmp snooping Switch(config-if-range)#exit...
  • Page 373 Configuring Layer 2 Multicast Configuration Examples Switch(config-if-range)#exit Switch(config)#interface gigabitEthernet 1/0/4 Switch(config-if)#switchport general allowed vlan 10 tagged Switch(config-if)#exit 5) Set the PVID of port 1/0/1-4 as 10. Switch(config)#interface range gigabitEthernet 1/0/1-4 Switch(config-if-range)#switchport pvid 10 Switch(config-if-range)#exit 6) Enable IGMP Snooping in VLAN 10. Switch(config)#ip igmp snooping vlan-config 10 7) Save the settings.
  • Page 374: Example For Configuring Multicast Vlan

    Configuring Layer 2 Multicast Configuration Examples Global Report Suppression :Disable Global Authentication Accounting:Disable Enable Port:Gi1/0/1-4 Enable VLAN:10 Example for Configuring Multicast VLAN 5.2.1 Network Requirements Host B, Host C and Host D are in three different VLANs of the switch. All of them want to receive multicast data sent to multicast group 225.1.1.1.
  • Page 375: Using The Gui

    Configuring Layer 2 Multicast Configuration Examples Figure 5-7 Network Topology for Multicast VLAN (figure labels: Source, Querier, VLAN 40, Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4, Host B, Host C and Host D as receivers). Demonstrated with T1600G-52TS, this section provides configuration procedures in two ways: using the GUI and using the CLI. 5.2.4 Using the GUI 1) Choose the menu Multicast >...
  • Page 376 Configuring Layer 2 Multicast Configuration Examples Figure 5-8 Configure IGMP Snooping Globally 2) Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page. Enable IGMP Snooping on port 1/0/1-4. Figure 5-9 Configure IGMP Snooping Globally Configuration Guide...
  • Page 377 Configuring Layer 2 Multicast Configuration Examples 3) Choose the menu VLAN > 802.1Q VLAN > VLAN Config to load the following page. Create VLAN 40 and add Untagged port 1/0/1-4 to VLAN 40. Figure 5-10 Configure Link Type 4) Choose the menu VLAN > 802.1Q VLAN > Port Config to load the following page. Configure the PVID of port 1/0/1 as 10, port 1/0/2 as 20, port 1/0/3 as 30 and port 1/0/4 as 40.
  • Page 378: Using The Cli

    Configuring Layer 2 Multicast Configuration Examples Figure 5-11 Create VLAN and Add Member Ports 5) Choose the menu Multicast > IGMP Snooping > Multicast VLAN to load the following page. Enable Multicast VLAN and configure VLAN 40 as the multicast VLAN. Keep Router Port Time and Member Port Time as 0.
  • Page 379 Configuring Layer 2 Multicast Configuration Examples Switch(config)#interface range gigabitEthernet 1/0/1-4 Switch(config-if-range)#ip igmp snooping Switch(config-if-range)#exit 3) Create VLAN 10. Switch(config)#vlan 10 Switch(config-vlan)#name vlan10 Switch(config-vlan)#exit 4) Add port 1/0/1-3 to VLAN 10 and set the link type as untagged. Add port 1/0/4 to VLAN 10 and set the link type as tagged.
  • Page 380: Example For Configuring Unknown Multicast And Fast Leave

    Configuring Layer 2 Multicast Configuration Examples vlan10 active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4 Show status of IGMP Snooping globally, on the ports and in the multicast VLAN: Switch(config)#show ip igmp snooping IGMP Snooping :Enable Unknown Multicast :Pass Last Query Times Last Query Interval Global Member Age Time :260 Global Router Age Time...
  • Page 381: Configuration Scheme

    Configuring Layer 2 Multicast Configuration Examples Figure 5-13 Network Topology for Unknown Multicast and Fast Leave (figure labels: Source, Querier, Gi1/0/4, Gi1/0/2, VLAN 10, Host B as receiver). 5.3.2 Configuration Scheme After the channel is changed, the client (Host B) still receives irrelevant multicast data, the data from the previous channel and possibly other unknown multicast data, which increases the network load and results in network congestion.
  • Page 382 Configuring Layer 2 Multicast Configuration Examples Figure 5-14 Configure IGMP Snooping Globally Note: IGMP Snooping and MLD Snooping share the setting of Unknown Multicast, so you have to enable MLD Snooping globally on the Multicast > MLD Snooping > Snooping Config page at the same time.
  • Page 383 Configuring Layer 2 Multicast Configuration Examples Figure 5-15 Configure IGMP Snooping Globally 3) Choose the menu Multicast > IGMP Snooping > VLAN Config to load the following page. Enable IGMP Snooping in VLAN 10. Figure 5-16 Enable IGMP Snooping in the VLAN Configuration Guide...
  • Page 384: Using The Cli

    Configuring Layer 2 Multicast Configuration Examples 4) Click Save Config to save the settings. 5.3.4 Using the CLI 1) Enable IGMP Snooping Globally. Switch#configure Switch(config)#ip igmp snooping 2) Configure Unknown Multicast as Discard globally. Switch(config)#ip igmp snooping drop-unknown 3) Enable IGMP Snooping on port 1/0/2 and enable Fast Leave. On port 1/0/4, enable IGMP Snooping.
  • Page 385: Example For Configuring Multicast Filtering

    Configuring Layer 2 Multicast Configuration Examples Global Report Suppression :Disable Global Authentication Accounting:Disable Enable Port:Gi1/0/2,1/0/4 Enable VLAN:10 Show settings of IGMP Snooping on port 1/0/2: Switch(config)#show ip igmp snooping interface gigabitEthernet 1/0/2 basic-config Port IGMP-Snooping Fast-Leave ---- ------------- ---------- Gi1/0/2 enable enable 5.4 Example for Configuring Multicast Filtering 5.4.1 Network Requirements...
  • Page 386: Using The Gui

    Configuring Layer 2 Multicast Configuration Examples Figure 5-17 Network Topology for Multicast Filtering (figure labels: Source, Querier, Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4, VLAN 10, Host B, Host C and Host D as receivers). Demonstrated with T1600G-52TS, this section provides configuration procedures in two ways: using the GUI and using the CLI. 5.4.4 Using the GUI 1) Choose the menu Multicast >...
  • Page 387 Configuring Layer 2 Multicast Configuration Examples Figure 5-18 Configure IGMP Snooping Globally 2) Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page. Figure 5-19 Enable IGMP Snooping on the Port Configuration Guide...
  • Page 388 Configuring Layer 2 Multicast Configuration Examples 3) Choose the menu VLAN > 802.1Q VLAN > VLAN Config to load the following page. Create VLAN 10 and add Untagged port 1/0/1-3 and Tagged port 1/0/4 to VLAN 10. Figure 5-20 Configure Link Type 4) Choose the menu VLAN >...
  • Page 389 Configuring Layer 2 Multicast Configuration Examples Figure 5-21 Create VLAN and Add Member Ports 5) Choose the menu Multicast > IGMP Snooping > VLAN Config to load the following page. Enable IGMP Snooping in VLAN 10. Keep 0 as the Router Port Time and Member Port Time, which means the global settings will be used.
  • Page 390 Configuring Layer 2 Multicast Configuration Examples Figure 5-22 Enable IGMP Snooping in the VLAN 6) Specify the multicast data that Host C and Host D can receive. a. Choose the menu Multicast > IGMP Snooping > Profile Config to load the following page.
  • Page 391 Configuring Layer 2 Multicast Configuration Examples Figure 5-24 Edit Add IP-range in Profile 1 c. Choose the menu Multicast > IGMP Snooping > Profile Binding to load the following page. Select port 1/0/2 and port 1/0/3, enter 1 in the Profile ID field and click Apply to bind Profile 1 to these ports.
  • Page 392 Configuring Layer 2 Multicast Configuration Examples Figure 5-26 Profile 2 b. Choose the menu Multicast > IGMP Snooping > Profile Config to load the following page. In the IGMP Profile Info table, click Edit in the Profile 2 entry, enter 225.0.0.2 in both Start IP and End IP fields, and click Add.
  • Page 393: Using The Cli

    Configuring Layer 2 Multicast Configuration Examples Figure 5-28 Bind Profile 2 to Port 1/0/1 8) Click Save Config to save the settings. 5.4.5 Using the CLI 1) Enable IGMP Snooping Globally. Switch#configure Switch(config)#ip igmp snooping 2) Enable IGMP Snooping on port 1/0/1-4. Switch(config)#interface range gigabitEthernet 1/0/1-4 Switch(config-if-range)#ip igmp snooping Switch(config-if-range)#exit...
  • Page 394 Configuring Layer 2 Multicast Configuration Examples Switch(config-if-range)#switchport general allowed vlan 10 untagged Switch(config-if-range)#exit Switch(config)#interface gigabitEthernet 1/0/4 Switch(config-if)#switchport general allowed vlan 10 tagged Switch(config-if)#exit 5) Set the PVID of port 1/0/1-4 as 10. Switch(config)#interface range gigabitEthernet 1/0/1-4 Switch(config-if-range)#switchport pvid 10 Switch(config-if-range)#exit 6) Enable IGMP Snooping in VLAN 10.
  • Page 395 Configuring Layer 2 Multicast Configuration Examples 11) Save the settings. Switch(config)#end Switch#copy running-config startup-config Verify the Configurations Show global settings of IGMP Snooping: Switch(config)#show ip igmp snooping IGMP Snooping :Enable Unknown Multicast :Pass Last Query Times Last Query Interval Global Member Age Time :260 Global Router Age Time :300...
  • Page 396: Appendix: Default Parameters

    Configuring Layer 2 Multicast Appendix: Default Parameters Appendix: Default Parameters Default Parameters for IGMP Snooping Table 6-1 Default Parameters of IGMP Snooping Function Parameter Default Setting IGMP Snooping Disabled Unknown Multicast Forward Report Message Suppression Disabled Global Settings of IGMP Snooping Router Port Time 300 seconds...
  • Page 397: Default Parameters For Mld Snooping

    Configuring Layer 2 Multicast Appendix: Default Parameters Function Parameter Default Setting Global Settings of IGMP Accounting and Authentication: IGMP Accounting Disabled, IGMP Authentication Disabled 6.2 Default Parameters for MLD Snooping Table 6-2 Default Parameters of MLD Snooping Function...
  • Page 398 Configuring Layer 2 Multicast Appendix: Default Parameters Function Parameter Default Setting Enable or Not Disabled Query Interval 60 seconds Max Response Time 10 seconds IGMP Snooping Querier General Query Source IP FE80::02FF:FFFF:FE00:0001 Configuration Guide...
  • Page 399: Configuring Logical Interfaces

    Part 12 Configuring Logical Interfaces CHAPTERS 1. Overview 2. Logical Interfaces Configurations 3. Appendix: Default Parameters...
  • Page 400: Overview

    Configuring Logical Interfaces Overview Overview Interfaces of a device are used to exchange data and interact with interfaces of other network devices. Interfaces are classified into physical interfaces and logical interfaces. • Physical interfaces are the ports on the front panel or rear panel of the switch. • Logical interfaces are manually configured and do not physically exist, such as loopback interfaces and routing interfaces.
  • Page 401: Logical Interfaces Configurations

    Configuring Logical Interfaces Logical Interfaces Configurations Logical Interfaces Configurations To complete IPv4 interface configuration, follow these steps: 1) Create a Layer 3 interface 2) Configure IPv4 parameters of the created interface 3) View detailed information of the created interface To complete IPv6 interface configuration, follow these steps: 1) Create a Layer 3 interface 2) Configure IPv6 parameters of the created interface 3) View detailed information of the created interface...
  • Page 402: Configuring Ipv4 Parameters Of The Interface

    Configuring Logical Interfaces Logical Interfaces Configurations IP Address Mode Specify the IP address assignment mode of the interface. None: No IP address will be assigned. Static: Assign an IP address manually. DHCP: Assign an IP address through DHCP. BOOTP: Assign an IP address through BOOTP. IP Address Specify the IP address of the interface if you choose “Static”...
  • Page 403: Configuring Ipv6 Parameters Of The Interface

    Configuring Logical Interfaces Logical Interfaces Configurations IP Address Mode Specify the IP address assignment mode of the interface. None: No IP address will be assigned. Static: Assign an IP address manually. DHCP: Assign an IP address through DHCP. BOOTP: Assign an IP address through BOOTP. IP Address Specify the IP address of the interface if you choose “Static”...
  • Page 404 Configuring Logical Interfaces Logical Interfaces Configurations Figure 2-3 Configuring the IPv6 Parameters 1) Enable IPv6 function on the interface of switch in the General Config section. Then click Apply. Interface ID Displays the interface ID. IPv6 Enable or disable IPv6 function on the interface of switch. 2) Configure the IPv6 link-local address of the interface manually or automatically in the Link-local Address Config section.
  • Page 405 Configuring Logical Interfaces Logical Interfaces Configurations Link-local Address Enter a link-local address if you choose “Manual” as the link-local address configuration mode. Status Displays the status of the link-local address. Normal: Indicates that the link-local address is normal. Try: Indicates that the link-local address may be newly configured. Repeat: Indicates that the link-local address is duplicate.
  • Page 406: Viewing Detail Information Of The Interface

    Configuring Logical Interfaces Logical Interfaces Configurations Valid Lifetime Displays the valid lifetime of the global address. Status Displays the status of the global address. Normal: Indicates that the global address is normal. Try: Indicates that the global address may be newly configured. Repeat: Indicates that the global address is duplicate.
  • Page 407 Configuring Logical Interfaces Logical Interfaces Configurations Step 2 Create a VLAN interface: interface vlan vlan-id vlan-id : Specify an IEEE 802.1Q VLAN ID that already exists, ranging from 1 to 4094. Create a loopback interface: interface loopback { id } Specify the ID of the loopback interface, ranging from 1 to 64.
  • Page 408: Configuring Ipv4 Parameters Of The Interface

    Configuring Logical Interfaces Logical Interfaces Configurations 2.2.2 Configuring IPv4 Parameters of the Interface Follow these steps to configure the IPv4 parameters of the interface. Step 1 configure Enter global configuration mode. Step 2 interface { interface-type } { interface-number } Enter layer 3 interface configuration mode.
  • Page 409: Configuring Ipv6 Parameters Of The Interface

    Configuring Logical Interfaces Logical Interfaces Configurations Interface IP-Address Method Status Protocol Shutdown --------- ---------- ------ ------ -------- -------- Gi1/0/1 192.168.0.100/24 Static Switch(config-if)#end Switch#copy running-config startup-config 2.2.3 Configuring IPv6 Parameters of the Interface Follow these steps to configure the IPv6 parameters of the interface. Step 1 configure Enter global configuration mode.
  • Page 410 Configuring Logical Interfaces Logical Interfaces Configurations Step 5 Configure the IPv6 global address for the specified interface: Automatically configure the interface’s global IPv6 address via RA message: ipv6 address ra Configure the interface’s global IPv6 address according to the address prefix and other configuration parameters from its received RA (Router Advertisement) message.
  • Page 411 Configuring Logical Interfaces Logical Interfaces Configurations ICMP error messages limited to one every 1000 milliseconds ICMP redirects are enable MTU is 1500 bytes ND DAD is enable, number of DAD attempts: 1 ND retrans timer is 1000 milliseconds ND reachable time is 30000 milliseconds Switch(config-if)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 412: Appendix: Default Parameters

    Configuring Logical Interfaces Appendix: Default Parameters Appendix: Default Parameters Default settings of interface are listed in the following tables. Table 3-1 Configuring the IPv4 Parameters of the Interface Parameter Default Setting Interface ID VLAN IP Address Mode None Admin Status Enable Recovery mode Auto...
  • Page 413: Configuring Static Routing

    Part 13 Configuring Static Routing CHAPTERS 1. Overview 2. IPv4 Static Routing Configuration 3. IPv6 Static Routing Configuration 4. Viewing Routing Table 5. Example for Static Routing 6. Appendix: Default Parameter...
  • Page 414: Overview

    Configuring Static Routing Overview Overview Static routing is a form of routing that is configured manually by adding non-aging entries into a routing table. The manually-configured routing information guides the router in forwarding data packets to the specific destination. On a simple network with a small number of devices, you only need to configure static routes to ensure that the devices from different subnets can communicate with each other.
  • Page 415: Ipv4 Static Routing Configuration

    Configuring Static Routing IPv4 Static Routing Configuration IPv4 Static Routing Configuration 2.1 Using the GUI Choose the menu Routing> Static Routing > IPv4 Static Routing Config to load the following page. Figure 2-1 Configuring the IPv4 Static Routing 1) In the IPv4 Static Routing Config section, configure the corresponding parameters to add an IPv4 static route.
  • Page 416: Using The Cli

    Configuring Static Routing IPv4 Static Routing Configuration Using the CLI Follow these steps to create an IPv4 static route. Step 1 configure Enter global configuration mode. Step 2 ip route { dest-address } { mask } { next-hop-address } [ distance ] Add an IPv4 static route.
  • Page 417: Ipv6 Static Routing Configuration

    Configuring Static Routing IPv6 Static Routing Configuration IPv6 Static Routing Configuration Note: For T1600G-18TS, to configure static IPv6 routing, please select the SDM Template as enterpriseV6 in SDM Template Configuration in Managing System. 3.1 Using the GUI Choose the menu Routing > Static Routing > IPv6 Static Routing Config to load the following page.
  • Page 418: Using The Cli

    Configuring Static Routing IPv6 Static Routing Configuration 3) In the IPv6 Static Route Table section, you can view and modify the IPv6 static routing entries. Using the CLI Follow these steps to enable IPv6 routing function and create an IPv6 static route. Step 1 configure Enter global configuration mode.
  • Page 419 Configuring Static Routing IPv6 Static Routing Configuration Switch(config)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 420: Viewing Routing Table

    Configuring Static Routing Viewing Routing Table Viewing Routing Table You can view routing tables to learn about the network topology. The switch supports IPv4 routing table and IPv6 routing table. Using the GUI 4.1.1 Viewing IPv4 Routing Table Choose the menu Routing> Routing Table > IPv4 Routing Table to load the following page.
  • Page 421: Viewing Ipv6 Routing Table

    Configuring Static Routing Viewing Routing Table 4.1.2 Viewing IPv6 Routing Table Choose the menu Routing> Routing Table > IPv6 Routing Table to load the following page. Figure 4-2 Viewing IPv6 Routing Table View the IPv6 routes in the IPv6 Routing Information Summary section. Protocol Displays the type of the route entry.
  • Page 422: Viewing Ipv6 Routing Table

    Configuring Static Routing Viewing Routing Table 4.2.2 Viewing IPv6 Routing Table On privileged EXEC mode or any other configuration mode, you can use the following command to view IPv6 routing table: show ipv6 route [ static | connected ] View the IPv6 route entries of the specified type. If not specified, all types of route entries will be displayed.
  • Page 423: Example For Static Routing

    Configuring Static Routing Example for Static Routing Example for Static Routing 5.1 Network Requirements As shown below, Host A and Host B are on different network segments. To meet business needs, Host A and Host B need to establish a connection without using dynamic routing protocols to ensure stable connectivity.
  • Page 424: Using The Cli

    Configuring Static Routing Example for Static Routing Figure 5-2 Create a Routed Port Gi1/0/1 for Switch A Figure 5-3 Create a Routed Port Gi1/0/2 for Switch A 2) Choose the menu Routing> Static Routing > IPv4 Static Routing Config to load the following page.
  • Page 425 Configuring Static Routing Example for Static Routing with the mode as static, the IP address as 10.1.10.1, the mask as 255.255.255.0 and the admin status as Enable. Switch_A#configure Switch_A(config)#interface gigabitEthernet 1/0/1 Switch_A(config-if)#no switchport Switch_A(config-if)#ip address 10.1.1.1 255.255.255.0 Switch_A(config-if)#exit Switch_A(config)#interface gigabitEthernet 1/0/2 Switch_A(config-if)#no switchport Switch_A(config-if)#ip address 10.1.10.1 255.255.255.0 2) Add a static route entry with the destination as 10.1.2.0, the subnet mask as...
  • Page 426 Configuring Static Routing Example for Static Routing * - candidate default 10.1.2.0/24 is directly connected, Vlan30 10.1.10.0/24 is directly connected, Vlan20 10.1.1.0/24 [1/0] via 10.1.10.1, Vlan20 • Connectivity Between Switch A and Switch B Run the ping command on switch A to verify the connectivity: Switch_A#ping 10.1.2.1 Pinging 10.1.2.1 with 64 bytes of data : Reply from 10.1.2.1 : bytes=64 time<16ms TTL=64...
  • Page 427: Appendix: Default Parameter

    Configuring Static Routing Appendix: Default Parameter Appendix: Default Parameter Default setting of static routing is listed in the following table. Table 6-1 Configuring Static Routing Parameter Default Setting IPv6 Routing Disable Configuration Guide...
  • Page 428: Configuring Dhcp

    Part 14 Configuring DHCP CHAPTERS 1. DHCP 2. DHCP Client Configuration 3. DHCP Relay Configuration 4. Configuration Examples 5. Appendix: Default Parameters...
  • Page 429: Dhcp

    Configuring DHCP DHCP DHCP 1.1 Overview DHCP (Dynamic Host Configuration Protocol) is widely used in local area networks (LANs) to dynamically assign IP addresses and other network configuration parameters to network devices, which improves the utilization of IP addresses. 1.2 Supported Features The supported DHCP features of the switch include DHCP Relay and DHCP Client.
  • Page 430 Configuring DHCP DHCP The switch supports two kinds of DHCP Relay: DHCP Interface Relay and DHCP VLAN Relay. • DHCP Interface Relay DHCP Interface Relay is used to process and forward DHCP packets between different subnets. Before DHCP Interface Relay configurations, you should configure IP addresses for the layer 3 interfaces connected to the clients.
  • Page 431 Configuring DHCP DHCP In DHCP VLAN Relay, you can simply specify a layer 3 interface as the default agent interface for all VLANs. The switch will fill this default agent interface’s IP address in the relay agent IP address field of the DHCP packets from all VLANs. As the following figure shows, no IP addresses are assigned to VLAN 10 and VLAN 20, but a default relay agent interface is configured with the IP address 192.168.2.1/24.
  • Page 432: Dhcp Client Configuration

    Configuring DHCP DHCP Client Configuration DHCP Client Configuration Using the GUI Choose the menu Routing > Interface > Interface Config to load the following page. Figure 2-1 DHCP Client Configuration Follow these steps to configure DHCP client: 1) In the Creating Interface section, select Interface VLAN or Routed Port as the interface type and enter the interface ID.
  • Page 433: Using The Cli

    Configuring DHCP DHCP Client Configuration 2.2 Using the CLI Follow these steps to configure DHCP client. Step 1 configure Enter global configuration mode. Step 2 Enter interface configuration mode. interface vlan vid Enter VLAN interface configuration mode. vid: Specify the VLAN ID. interface gigabitEthernet port no switchport...
  • Page 434 Configuring DHCP DHCP Client Configuration Switch(config)#interface gigabitEthernet 1/0/5 Switch(config-if)#no switchport Switch(config-if)#ip address-alloc dhcp Switch(config-if)#show ip interface brief Interface IP-Address Method Status Protocol Shutdown --------- ---------- ------ ------ -------- -------- Gi1/0/5 192.168.0.100/24 DHCP Switch(config-if)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 435: Dhcp Relay Configuration

    Configuring DHCP DHCP Relay Configuration DHCP Relay Configuration To complete DHCP Relay configuration, follow these steps: 1) Enable DHCP Relay. Configure Option 82 if needed. 2) Specify DHCP server for the Interface or VLAN. 3.1 Using the GUI 3.1.1 Enabling DHCP Relay and Configuring Option 82 Choose the menu Routing >...
  • Page 436: Specifying Dhcp Server For The Interface Or Vlan

    DHCP Interface Relay and DHCP VLAN Relay. • DHCP Interface Relay For T1600G-18TS, choose the menu Routing > DHCP Relay > DHCP Interface Relay to load the following page. For other T1600G series products, choose the menu Routing > DHCP Relay > DHCP Server to load the following page.
  • Page 437 2) Click Create to specify the DHCP server for the interface. • DHCP VLAN Relay Only T1600G-18TS supports this feature. Choose the menu Routing > DHCP Relay > DHCP VLAN Relay to load the following page. Figure 3-3 Specify DHCP Server for VLAN...
  • Page 438: Using The Cli

    Configuring DHCP DHCP Relay Configuration 2) In the Add DHCP Server Address section, specify the VLAN in which the clients need IP addresses and the server address. Click Add. VLAN ID Specify the VLAN, in which the clients can get IP addresses from the DHCP server.
  • Page 439 Configuring DHCP DHCP Relay Configuration Step 1 configure Enter global configuration mode. Step 2 ip dhcp relay information Enable the Option 82 feature. Step 3 ip dhcp relay information policy { keep | replace | drop } Configure how to process Option 82 information. keep: The switch will keep the Option 82 information in the packet.
  • Page 440: Specifying Dhcp Server For Interface Or Vlan

    Configuring DHCP DHCP Relay Configuration Switch(config)#show ip dhcp relay ..DHCP relay option 82 is enabled. Existed option 82 field operation: keep..Switch(config)#end Switch#copy running-config startup-config 3.2.3 Specifying DHCP Server for Interface or VLAN You can specify a DHCP server for a layer-3 interface or for a VLAN. The following introduces how to configure DHCP Interface Relay and DHCP VLAN Relay respectively.
  • Page 441 DHCP relay helper address is configured on the following interfaces: Interface Helper address ---------- -------------- VLAN 66 192.168.1.7 Switch(config-if)#end Switch#copy running-config startup-config • DHCP VLAN Relay Only T1600G-18TS supports this feature. Follow these steps to configure DHCP VLAN Relay: Step 1 configure Enter global configuration mode. Configuration Guide...
  • Page 442 Configuring DHCP DHCP Relay Configuration Step 2 Enter Layer 3 interface configuration mode: interface vlan vid Enter VLAN interface configuration mode. vid: Specify the ID of the VLAN that will be configured as the default relay agent interface. The valid values are from 1 to 4094. interface loopback lid Enter loopback configuration mode.
  • Page 443 Configuring DHCP DHCP Relay Configuration The following example shows how to set the routed port 1/0/2 as the default relay agent interface and configure the DHCP server address as 192.168.1.8 on VLAN 10: Switch#configure Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)# ip dhcp relay default-interface Switch(config-if)#exit Switch(config)#ip dhcp relay vlan 10 helper-address 192.168.1.8 Switch(config)#show ip dhcp relay...
  • Page 444: Configuration Examples

    Configuring DHCP Configuration Examples Configuration Examples Example for DHCP Interface Relay 4.1.1 Network Requirements A company wants to assign IP addresses to all computers in two departments, and there is only one DHCP server available. It is required that computers in the same department should be on the same subnet, while computers in different departments should be on different subnets.
  • Page 445: Using The Gui

    VLAN. When these configurations are finished, the DHCP server can assign IP addresses to computers in the two departments, with each department on one subnet. Demonstrated with T1600G-18TS, this chapter provides configuration procedures in two ways: using the GUI and using the CLI.
  • Page 446: Using The Cli

    Configuring DHCP Configuration Examples Figure 4-2 Specify DHCP Server for Interface VLAN 10 Figure 4-3 Specify DHCP Server for Interface VLAN 20 3) Click Save Config to save the settings. 4.1.4 Using the CLI Follow these steps to configure DHCP Interface Relay: 1) Enable DHCP Relay.
  • Page 447 Configuring DHCP Configuration Examples DHCP relay is enabled DHCP relay helper address is configured on the following interfaces: Interface Helper address VLAN10 192.168.0.59 VLAN20 192.168.0.59 Configuration Guide...
  • Page 448: Appendix: Default Parameters

    Configuring DHCP Appendix: Default Parameters Appendix: Default Parameters Default settings of DHCP Relay are listed in the following table. Table 5-1 Default Settings of DHCP Relay Parameter Default Setting DHCP Relay DHCP Relay Disable Option 82 Support Disable Existed Option 82 field Keep Customization Disable...
  • Page 449: Configuring Arp

    Part 15 Configuring ARP CHAPTERS 1. Overview 2. ARP Configurations...
  • Page 450: Overview

    Configuring ARP Overview Overview ARP (Address Resolution Protocol) is used to map IP addresses to MAC addresses. Taking an IP address as input, ARP learns the associated MAC address, and stores the IP-MAC address association in an ARP entry for rapid retrieval. Configuration Guide...
  • Page 451: Arp Configurations

    Configuring ARP ARP Configurations ARP Configurations With ARP configurations, you can: • View dynamic and static ARP entries. • Add or delete static ARP entries. 2.1 Using the GUI 2.1.1 Viewing the ARP Entries The ARP table consists of two kinds of ARP entries: dynamic and static. • Dynamic Entry: Automatically learned and will be deleted after aging time.
  • Page 452: Adding Static Arp Entries Manually

    Configuring ARP ARP Configurations 2.1.2 Adding Static ARP Entries Manually You can add desired static ARP entries by manually specifying the IP addresses and MAC addresses. Choose the menu Routing > ARP > Static ARP to load the following page. Figure 2-2 Adding Static ARP Entries Follow these steps to add static ARP Entries: In the ARP Config section, enter the IP address and MAC address and click Create.
  • Page 453 Configuring ARP ARP Configurations Step 3 show arp [ ip ] [ mac ] show ip arp [ ip ] [ mac ] Verify the ARP entries. ip: Specify the IP address of your desired ARP entry. mac: Specify the MAC address of your desired ARP entry. Step 4 Return to privileged EXEC mode.
  • Page 454 Configuring ARP ARP Configurations Step 3 arp timeout timeout Configure the ARP aging time of the VLAN interface or routed port. timeout: Specify the value of aging time, which ranges from 1 to 3000 in seconds. The default value is 600 seconds.
  • Page 455 Configuring ARP ARP Configurations show ip arp { gigabitEthernet port | port-channel lagid | vlan id } Verify the active ARP entries associated with a Layer 3 interface. port: Specify the number of the routed port. lagid: Specify the ID of the LAG. id: Specify the VLAN interface ID.
  • Page 456: Configuring Qos

    Part 16 Configuring QoS CHAPTERS 1. QoS 2. DiffServ Configuration 3. Bandwidth Control Configuration 4. Configuration Example 5. Appendix: Default Parameters...
  • Page 457: Overview

    Configuring QoS 1.1 Overview With network scale expanding and applications developing, Internet traffic is dramatically increased, thus resulting in network congestion, packet drops and long transmission delay. Typically, networks treat all traffic equally on FIFO (First In First Out) delivery basis, but nowadays many special applications like VoD, video conferences, etc.
  • Page 458: Diffserv Configuration

    Configuring QoS DiffServ Configuration DiffServ Configuration To complete differentiated services configuration, follow these steps: 1) Configure the priority mode to classify packets with different priorities. 2) Configure the schedule mode to control the forwarding sequence of packets. Configuration Guidelines • Deploy the priority mode appropriate to your network requirements. Three modes are supported on the switch, 802.1P Priority, DSCP Priority and Port Priority.
  • Page 459: Using The Gui

    1) Enable 802.1P Priority and click Apply. 802.1P Priority Enable the 802.1P Priority globally. For T1600G-18TS, the 802.1P priority feature is disabled by default. You can manually enable it. For other T1600G series switches, the 802.1P priority feature is enabled by default and cannot be disabled.
  • Page 460 CoS-id-TC mapping relations. Go to QoS > DiffServ > 802.1P Priority and check the CoS-id-TC mapping relations before configuring DSCP priority. For T1600G-18TS, the packets are directly mapped to TC queues in DSCP priority mode. Choose the menu QoS > DiffServ > DSCP Priority to load the following page.
  • Page 461: Configuring Port Priority

    In port priority mode, the packets are firstly mapped to CoS, then to TC queues according to the CoS-id-TC mapping relations. Go to QoS > DiffServ > 802.1P Priority and check the CoS-id-TC mapping relations before configuring port priority. For T1600G-18TS, the packets are directly mapped to TC queues in port priority mode. Configuration Guide...
  • Page 462: Configuring Schedule Mode

    Configuring QoS DiffServ Configuration Choose the menu QoS > DiffServ > Port Priority to load the following page. Figure 2-3 Port Priority Follow these steps to configure the port priority: 1) Select the desired port or LAG to set its priority. Priority Specify the CoS that the port will be mapped to.
  • Page 463 Configuring QoS DiffServ Configuration Figure 2-4 Schedule Mode Follow these steps to configure the schedule mode: 1) Select a schedule mode. SP-Mode Strict-Priority Mode. In this mode, the queue with higher priority will occupy the whole bandwidth. Packets in the queue with lower priority are sent only when the queue with higher priority is empty.
  • Page 464: Using Cli

    The instructions of the three priority modes are described respectively in this section. • Configuring 802.1P Priority Note: The 802.1P priority feature is disabled on T1600G-18TS by default. You can manually enable it. On other T1600G series switches, this feature is enabled by default and cannot be disabled. Step 1...
  • Page 465 Configuring QoS DiffServ Configuration Step 4 show qos status Verify that 802.1P priority is enabled. show qos cos-map Verify the mapping relations between the Tag-id / CoS-id and TC queues. Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file.
  • Page 466 Configuring QoS DiffServ Configuration Step 4 For T1600G-18TS: qos queue dscp-map { dscp-list } { tc-id } Configure the mapping relations between the DSCP values in the IP header and the TC queues. dscp-list: Enter one or more DSCP values which range from 0 to 63. Enter the multiple values in the format of “1-3,5,7”.
  • Page 467 Enter interface configuration mode. Step 3 show qos cos-map Check the CoS-id-TC mapping relations. Step 4 For T1600G-18TS: qos tc-id Configure the TC queue of the port. tc-id: Specify the TC-ID. The valid values are from 0 to 7. For other switches: qos cos-id Configure the CoS value of the port.
  • Page 468 Configuring QoS DiffServ Configuration Step 5 show qos interface [fastEthernet port-list | gigabitEthernet port-list ] [port-channel lagid-list ] Verify the CoS value of the port. If no port is specified, it displays the CoS values of all ports. port-list: The list of Ethernet ports. lagid-list: The list of LAGs....
  • Page 469: Configuring Schedule Mode

    Configuring QoS DiffServ Configuration 2.2.2 Configuring Schedule Mode Follow these steps to configure the schedule mode to control the forwarding sequence of different TC queues when congestion occurs. Step 1 configure Enter global configuration mode. Step 2 qos queue mode {sp | wrr | spwrr | equ} Configure the schedule mode of TC queues.
  • Page 470 Configuring QoS DiffServ Configuration Step 6 copy running-config startup-config Save the settings in the configuration file. Note: With the ACL Redirect feature, the switch maps all the packets that meet the configured ACL rules to the new TC queue, regardless of the mapping relations configured in this section. The following example shows how to configure the schedule mode as WRR, with the weight values of TC0 to TC7 as 4, 7, 10, 13, 16, 19, 22, 25: Switch#configure...
  • Page 471: Bandwidth Control Configuration

    Configuring QoS Bandwidth Control Configuration Bandwidth Control Configuration To implement bandwidth control, you can: • Limit the ingress/egress traffic rate on each port by configuring the Rate Limit function; • Limit the broadcast, multicast and UL frame forwarding rate on each port to avoid network broadcast storm by configuring the Storm Control function.
  • Page 472: Configuring Storm Control

    Configuring QoS Bandwidth Control Configuration Egress Rate (1-1000000Kbps) Configure the bandwidth for sending packets on the port. The valid values are from 1 to 1000000 Kbps. Displays the aggregation group which the port is in. 2) Click Apply. 3.1.2 Configuring Storm Control Choose the menu QoS >...
  • Page 473 Configuring QoS Bandwidth Control Configuration Broadcast Rate Mode / Broadcast To enable the broadcast rate control, select a broadcast rate mode and specify the upper rate limit for receiving broadcast packets in the Broadcast field. The packet traffic exceeding the rate will be discarded. The switch supports the following three rate modes: kbps: Specify the upper rate limit in kilo-bits per second, which ranges from 1 to 1000000 kbps.
  • Page 474: Using The Cli

    Configuring QoS Bandwidth Control Configuration Note: • T1600G-18TS does not support the PPS related features. • For ports in the same LAG, rate limit / storm control should be set to the same value to ensure a successful port aggregation.
  • Page 475: Configuring Storm Control

    Configuring QoS Bandwidth Control Configuration Switch(config-if)#bandwidth ingress 5120 egress 1024 Switch(config-if)#show bandwidth interface gigabitEthernet 1/0/5 Port IngressRate(Kbps) EgressRate(Kbps) --------- ---------------------- ---------------------- ------------ Gi1/0/5 5120 1024 Switch(config-if)#end Switch#copy running-config startup-config 3.2.2 Configuring Storm Control Configure the upper rate limit on the port for forwarding broadcast packets, multicast packets and unknown unicast frames.
  • Page 476 Configuring QoS Bandwidth Control Configuration Step 3 Use the following commands to specify the upper rate limit of the broadcast packets, multicast packets and unknown unicast frames in pps: storm-control pps Configure the storm control mode as pps (packets per second) on the port. In PPS mode, the upper rate limit of the broadcast packets, multicast packets and unknown unicast frames can only be specified in packets per second.
  • Page 477 Configuring QoS Bandwidth Control Configuration Note: T1600G-18TS does not support the PPS related features. The following example shows how to configure the upper rate limit of broadcast packets as 148800 pps on port 1/0/5: Switch#configure Switch(config)#interface gigabitEthernet 1/0/5 Switch(config-if)#storm-control pps...
  • Page 478: Configuration Example

    Configuring QoS Configuration Example Configuration Example Network Requirements Two hosts, Admin and Host A, can access the local network server through the switch. Configure the switch to ensure the traffic from the Admin can be treated preferentially when congestion occurs. Only when the traffic from the Admin is completely forwarded will the traffic from Host A be forwarded.
  • Page 479: Using The Gui

    Configuring QoS Configuration Example 4.3 Using the GUI 1) Choose QoS > DiffServ > 802.1P Priority to load the following page, and check the corresponding CoS-id of TC0 and TC1. Figure 4-2 CoS-TC Mapping relations 2) Choose QoS > DiffServ > Port Priority to load the following page, and set the priority for port 1/0/1 to CoS 0 (mapping to TC1) and priority for port 1/0/2 to CoS 1 (mapping to TC0).
  • Page 480: Using The Cli

    Configuring QoS Configuration Example 3) Choose QoS > DiffServ > Schedule Mode to load the following page, and select SP-Mode as the schedule mode. Click Apply. Figure 4-4 Configure Schedule Mode 4) Click Save Config to save the settings. Using the CLI 1) Check the corresponding CoS-id of TC0 and TC1.
  • Page 481: Verify The Configuration

    Configuring QoS Configuration Example Switch(config-if)#exit 3) Select SP-Mode as the schedule mode and save the settings. Switch(config)#qos queue mode sp Switch(config)#exit Switch#copy running-config startup-config Verify the configuration Verify the port-CoS mapping: Switch(config)#show qos interface Port CoS Value --------- ------------ ------------ Gi1/0/1 Gi1/0/2 Verify the schedule mode.
  • Page 482: Appendix: Default Parameters

    Enabled. Packets from all ports are mapped to the same TC queue. 802.1P Priority For T1600G-18TS, it is disabled. You can manually enable it. See Table 5-2 for Tag-id/CoS-id-TC mapping relations. For other switches, it is enabled. See Table 5-2 for Tag-id/CoS-id-TC mapping relations.
  • Page 483: Bandwidth Control

    Configuring QoS Appendix: Default Parameters DSCP CoS-id 56~63 CoS 7 Table 5-4 DSCP-TC Mapping DSCP TC Queues (8) 8~15 16~23 24~31 32~39 40~47 48~55 56~63 • Bandwidth Control Table 5-5 Bandwidth Control Parameter Default Setting Rate Limit Disabled Storm Control Disabled Configuration Guide...
  • Page 484: Configuring Voice Vlan

    Part 17 Configuring Voice VLAN CHAPTERS 1. Overview 2. Voice VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 485: Overview

    Configuring Voice VLAN Overview Overview The voice VLAN feature is used to prioritize the transmission of voice traffic. Voice traffic is typically more time-sensitive than data traffic, and voice quality can deteriorate significantly because of packet loss and delay. To ensure high voice quality, you can configure the voice VLAN and set the priority for voice traffic.
  • Page 486 Configuring Voice VLAN Overview OUI Address (Organizationally Unique Identifier Address): The OUI address is used by the switch to determine whether a packet is a voice packet. An OUI address is the first 24 bits of a MAC address, and is assigned as a unique identifier by the IEEE (Institute of Electrical and Electronics Engineers) to a device vendor.
  • Page 487: Voice Vlan Configuration

    Configuring Voice VLAN Voice VLAN Configuration Voice VLAN Configuration To complete the Voice VLAN configuration, follow these steps: 1) Create a VLAN. 2) Configure OUI addresses. 3) Configure Voice VLAN globally. 4) Configure Voice VLAN mode on ports. Configuration Guidelines: Before configuring voice VLAN, you need to create a VLAN for voice traffic.
  • Page 488: Using The Gui

    Configuring Voice VLAN Voice VLAN Configuration Using the GUI 2.1.1 Configuring OUI Addresses If the OUI address of your voice device is not in the OUI table, you need to add the OUI address to the table. Choose the menu QoS > Voice VLAN > OUI Config to load the following page. Figure 2-1 Configuring OUI Addresses Follow these steps to add OUI addresses: 1) Enter an OUI address and the corresponding mask, and give a description about the...
  • Page 489: Configuring Voice Vlan Globally

    Configuring Voice VLAN Voice VLAN Configuration 2.1.2 Configuring Voice VLAN Globally Choose the menu QoS > Voice VLAN > Global Config to load the following page. Figure 2-2 Configuring Voice VLAN Globally Follow these steps to configure the voice VLAN globally: 1) Enable the voice VLAN feature, and enter a VLAN ID.
  • Page 490: Configuring Voice Vlan Mode On Ports

    Configuring Voice VLAN Voice VLAN Configuration 2.1.3 Configuring Voice VLAN Mode on Ports Choose the menu QoS > Voice VLAN > Port Config to load the following page. Figure 2-3 Configuring Voice VLAN Mode on Ports Follow these steps to configure voice VLAN mode on ports: 1) Select your desired ports and choose the port mode.
  • Page 491: Using The Cli

    Configuring Voice VLAN Voice VLAN Configuration Security Mode For packets that will be forwarded in the voice VLAN, you can configure the security mode to block malicious traffic that carries a faked voice VLAN tag. For packets to other VLANs, how the switch processes the packets is determined by whether the selected ports permit the VLAN or not, independent of the voice VLAN security mode.
  • Page 492 Configuring Voice VLAN Voice VLAN Configuration Step 5 voice vlan aging time Set the aging time for ports in automatic voice VLAN mode. time: Specify the length of time that a port remains in the voice VLAN after the port receives a voice packet.
  • Page 493 Configuring Voice VLAN Voice VLAN Configuration Step 13 Return to privileged EXEC mode. Step 14 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set port 1/0/1 in manual voice VLAN mode. Configure the switch to forward voice traffic with an IEEE 802.1p priority of 5 and to transmit only voice traffic whose source MAC address matches an OUI address in the voice VLAN: Switch#configure...
  • Page 494: Configuration Example

    Configuring Voice VLAN Configuration Example Configuration Example Network Requirements The company plans to install IP phones in the office area and the meeting room, and has requirements as follows: In the office area: IP phones share switch ports used by computers, because no more ports are available for IP phones.
  • Page 495: Using The Gui

    Configuring Voice VLAN Configuration Example In the meeting room, computers and IP phones are connected to different ports of Switch B. Ports connected to IP phones use the voice VLAN for voice traffic, and ports connected to computers use the default VLAN for data traffic. Voice traffic from Switch A and Switch B is forwarded to the voice gateway and the Internet through Switch C.
  • Page 496 Configuring Voice VLAN Configuration Example Figure 3-3 Configuring Voice VLAN Globally 3) Choose the menu QoS > Voice VLAN > Port Config to load the following page. Select port 1/0/1, choose auto mode and enable security mode. Select port 1/0/2 and choose manual mode.
  • Page 497 Configuring Voice VLAN Configuration Example Figure 3-5 Configuring Voice VLAN Mode on Port 1/0/2 4) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and edit VLAN 10 to load the following page. Add port 1/0/2 to the voice VLAN. Configuration Guide...
  • Page 498 Configuring Voice VLAN Configuration Example Figure 3-6 Adding Port 1/0/2 to the Voice VLAN 5) Choose the menu LLDP > Basic Config > Global Config to load the following page. Enable LLDP globally. Figure 3-7 Enabling LLDP Globally 6) Choose the menu LLDP > LLDP-MED > Global Config to load the following page. Set fast start count as 4.
  • Page 499 Configuring Voice VLAN Configuration Example 7) Choose the menu LLDP > LLDP-MED > Port Config to load the following page. Enable LLDP-MED on port 1/0/1. Figure 3-9 Configuring LLDP-MED on Ports Click Detail of port 1/0/1 to load the following page. Configure the TLV information which will be carried in LLDP-MED frames and sent out by port 1/0/1.
  • Page 500 Configuring Voice VLAN Configuration Example Figure 3-10 Configuring TLVs For details about LLDP-MED, please refer to Configuring LLDP. 8) Click Save Config to save the settings. Configurations for Switch B: 1) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page.
  • Page 501 Configuring Voice VLAN Configuration Example Figure 3-12 Configuring Voice VLAN Globally 3) Choose the menu QoS > Voice VLAN > Port Config to load the following page. Select ports 1/0/1-3, choose manual mode and enable security mode. Click Apply. Figure 3-13 Configuring Voice VLAN Mode on Ports 4) Choose the menu VLAN >...
  • Page 502 Configuring Voice VLAN Configuration Example Figure 3-14 Adding Ports to the Voice VLAN 5) Click Save Config to save the settings. Configurations for Switch C: 1) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page.
  • Page 503: Using The Cli

    Configuring Voice VLAN Configuration Example Figure 3-15 Creating a VLAN and Adding Ports to the VLAN 2) Click Save Config to save the settings. 3.5 Using the CLI Configurations for Switch A: 1) Create VLAN 10. Switch_A#configure Switch_A(config)#vlan 10 Switch_A(config-vlan)#name VoiceVLAN Switch_A(config-vlan)#exit 2) Configure the aging time as 1440 minutes for ports in automatic voice VLAN mode, and set the 802.1p priority of voice packets as 6.
  • Page 504 Configuring Voice VLAN Configuration Example Switch_A(config-if)#switchport voice vlan mode auto Switch_A(config-if)#switchport voice vlan security Switch_A(config-if)#exit 4) Configure port 1/0/2 to manual voice VLAN mode, and add it to the voice VLAN as a tagged port. Switch_A(config)#interface gigabitEthernet 1/0/2 Switch_A(config-if)#switchport voice vlan mode manual Switch_A(config-if)#switchport general allowed vlan 10 tagged Switch_A(config-if)#exit 5) Enable LLDP globally and set the fast start count of LLDP-MED frame as 4.
  • Page 505 Configuring Voice VLAN Configuration Example 3) Configure ports 1/0/1-3 to manual voice VLAN mode and enable security mode. Switch_B(config)#interface range gigabitEthernet 1/0/1-3 Switch_B(config-if-range)#switchport voice vlan mode manual Switch_B(config-if-range)#switchport voice vlan security Switch_B(config-if-range)#exit 4) Add ports 1/0/1-3 to the voice VLAN. Switch_B(config)#interface range gigabitEthernet 1/0/1-3 Switch_B(config-if-range)#switchport general allowed vlan 10 untagged Switch_B(config-if-range)#exit...
  • Page 506 Configuring Voice VLAN Configuration Example Voice Priority: 6 Verify the voice VLAN configuration on the ports: Switch_A#show voice vlan switchport Port Auto-mode Security State ------ ------------ ---------- --------- ------ Gi1/0/1 Auto Enabled Inactive Gi1/0/2 Manual Disabled Active Gi1/0/3 Auto Disabled Inactive ..
  • Page 507 Configuring Voice VLAN Configuration Example VLAN Name Status Ports ----- ------------- --------- ------------------------------ VoiceVlan active Gi1/0/1, Gi1/0/2, Gi1/0/ Configuration Guide...
  • Page 508 Configuring Voice VLAN Configuration Guide...
  • Page 509: Appendix: Default Parameters

    Configuring Voice VLAN Appendix: Default Parameters Appendix: Default Parameters Default settings of voice VLAN are listed in the following tables. Table 4-1 Default Settings of Global Configuration Parameter Default Setting Voice VLAN Disable VLAN ID None Aging Time 1440 minutes Priority Table 4-2 Default Settings of Port Configuration...
  • Page 510: Configuring Poe

    Part 18 Configuring PoE CHAPTERS 1. PoE 2. PoE Power Management Configurations 3. Time-Range Function Configurations 4. Example for PoE Configurations 5. Appendix: Default Parameters...
  • Page 511: Overview

    Powered device (PD) is a device receiving power from the PSE, for example, IP phones and access points. According to whether PDs comply with IEEE standard, they can be classified into standard PDs and non-standard PDs. Only standard PDs can be powered via TP-Link PoE switches.
  • Page 512: Poe Power Management Configurations

    Configuring PoE PoE Power Management Configurations PoE Power Management Configurations With PoE Power Management, you can: Configure the PoE parameters manually; Configure the PoE parameters using the profile. With manual configuration, you set the PoE parameters one by one.
  • Page 513 Configuring PoE PoE Power Management Configurations System Power Consumption: Displays the real-time system power consumption of the PoE switch. System Power Remain: Displays the real-time system remaining power of the PoE switch. 2) In the Port Config section, select the port you want to configure and specify the parameters.
  • Page 514: Configuring The Poe Parameters Using The Profile

    Configuring PoE PoE Power Management Configurations 2.1.2 Configuring the PoE Parameters Using the Profile Creating a PoE Profile: Choose the menu PoE > PoE Config > PoE Profile to load the following page. Figure 2-2 Create a PoE Profile Follow these steps to create a PoE profile: 1) In the Create PoE Profile section, specify the desired configurations of the profile.
  • Page 515 Configuring PoE PoE Power Management Configurations Binding the Profile to the Corresponding Ports: Figure 2-3 Bind the Profile to the Corresponding Ports Follow these steps to bind the profile to the corresponding ports: 1) In the Global Config section, specify the System Power Limit and click Apply. System Power Specify the maximum power the PoE switch can supply.
  • Page 516: Using The Cli

    Configuring PoE PoE Power Management Configurations Voltage(v) Displays the port’s real-time voltage. PD Class Displays the class the linked PD belongs to. Power Status Displays the port’s real-time power status. Using the CLI 2.2.1 Configuring the PoE Parameters Manually Follow these steps to configure the basic PoE parameters: Step 1 configure Enter global configuration mode.
  • Page 517 Configuring PoE PoE Power Management Configurations Step 7 show power inline Verify the global PoE information of the system. Step 8 show power inline configuration interface [ fastEthernet { port | port-list } | gigabitEthernet { port | port-list }] Verify the PoE configuration of the corresponding port.
  • Page 518: Configuring The Poe Parameters Using The Profile

    Configuring PoE PoE Power Management Configurations Switch(config-if)#show power inline information interface gigabitEthernet 1/0/5 Interface Power(w) Current(mA) Voltage(v) PD-Class Power-Status ---------- -------- ----------- ---------- ----------- ---------------- Gi1/0/5 1.3 53.5 Class 2 Switch(config)#end Switch#copy running-config startup-config 2.2.2 Configuring the PoE Parameters Using the Profile Follow these steps to configure the PoE profile: Step 1 configure...
  • Page 519 Configuring PoE PoE Power Management Configurations Step 5 show power profile Verify the defined PoE profile. Step 6 Return to privileged EXEC mode. Step 7 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create a profile named profile1 and bind the profile to port 1/0/6.
  • Page 520: Time-Range Function Configurations

    Configuring PoE Time-Range Function Configurations Time-Range Function Configurations With Time-Range configurations, you can: Create a time-range; Configure the holiday parameters; View the time-range table. The time range here relies on the switch system clock; therefore, you need a reliable clock source.
  • Page 521 Configuring PoE Time-Range Function Configurations Holiday Select to Include or Exclude the holiday in a time-range. If Exclude is selected, the time-range will not take effect on holiday and the PoE Status is disabled. Otherwise, the time-range will not be affected by holiday. 2) In the Add Absolute or Periodic section, specify the parameters and click Add.
  • Page 522: Configuring The Holiday Parameters

    Configuring PoE Time-Range Function Configurations 3.1.2 Configuring the Holiday Parameters Choose the menu PoE > Time-Range > Holiday Config to load the following page. Figure 3-4 Configuring the Holiday Parameters Follow these steps to configure the holiday parameters: 1) In the Create Holiday section, enter a name of the holiday and specify the time. Holiday Name Specify a name for the holiday time.
  • Page 523: Using The Cli

    Configuring PoE Time-Range Function Configurations 3.2 Using the CLI 3.2.1 Configuring a Time-Range Follow these steps to create a time-range: Step 1 configure Enter global configuration mode. Step 2 power time-range name Create a time-range for the switch and enter Power Time-range Configuration Mode. name: Specify a name for the PoE time-range.
  • Page 524 Configuring PoE Time-Range Function Configurations Step 6 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list } Enter Interface Configuration mode. port: Specify the Ethernet port number, for example 1/0/1. port-list: Specify the list of Ethernet ports, for example 1/0/1-3, 1/0/5. Step 7 power inline time-range name...
  • Page 525: Configuring The Holiday Parameters

    Configuring PoE Time-Range Function Configurations Switch(config)#interface gigabitEthernet 1/0/7 Switch(config-if)#power inline time-range time-range1 Switch(config-if)#end Switch#copy running-config startup-config 3.2.2 Configuring the Holiday Parameters Follow these steps to configure the holiday parameters: Step 1 configure Enter global configuration mode. Step 2 power holiday name start-date start-date end-date end-date Create a time range for the holiday.
  • Page 526: Viewing The Time-Range Table

    Configuring PoE Time-Range Function Configurations 3.2.3 Viewing the Time-Range Table In privileged EXEC mode or any other configuration mode, you can use the following command to view the time-range table: show power time-range [ name ] Verify the defined PoE time-range. name: Specify the name of the time-range desired.
  • Page 527: Example For Poe Configurations

    Configuring PoE Example for PoE Configurations Example for PoE Configurations 4.1 Network Requirements The network topology of a company is shown below. Camera1 and Camera2 work for the security of the company and cannot be powered off at any time. AP1 and AP2 provide Internet service and only work in the daytime.
  • Page 528 Configuring PoE Example for PoE Configurations Figure 4-2 Create a Time-Range 2) Choose the menu PoE > Time-Range > Holiday Config to load the following page. Specify a name for the holiday and set the starting date and ending date. Figure 4-3 ...
  • Page 529: Using The Cli

    Configuring PoE Example for PoE Configurations Figure 4-4 Configure the Port 4.4 Using the CLI The configuration of port 1/0/4 is similar to that of port 1/0/3. Here we take port 1/0/3 as an example. 1) Create a time-range. Switch_A#config Switch_A(config)#power time-range "office time" Switch_A(config-time-range)#holiday exclude Switch_A(config-time-range)#periodic start 08:30 end 23:00 day-of-the-week 1-5 Switch_A(config-time-range)#exit...
  • Page 530 Configuring PoE Example for PoE Configurations Switch_A#copy running-config startup-config Verify the Configuration Verify the configuration of the holiday: Switch_A(config)#show power holiday Index Holiday Name Start-End ----- ------------ --------- Christmas 12.22-12.31 Verify the configuration of the time-range: Switch_A(config)#show power time-range Time-range entry: office time (Active) holiday: exclude number of absolute time: 0 (01/01/2000-00:00 to 12/31/2099-24:00 by default)
  • Page 531: Appendix: Default Parameters

    Configuring PoE Appendix: Default Parameters Appendix: Default Parameters Table 5-1 Default Settings of PoE Configuration Parameter Default Setting System Power Limit 384.0W PoE Status Enable PoE Priority Power Limit (0.1w-30.0w) Class 4 Time Range No Limit PoE Profile None Table 5-2 Default Settings of PoE Profile Parameter Default Setting...
  • Page 532: Configuring Acl

    Part 19 Configuring ACL CHAPTERS 1. ACL 2. ACL Configurations 3. Configuration Example for ACL 4. Appendix: Default Parameters...
  • Page 533: Overview

    Configuring ACL 1.1 Overview The rapid growth of network size and traffic brings challenges to network security and bandwidth allocation. Packet filtering can help prevent unauthorized access behaviors, limit network traffic and improve bandwidth use. ACL (Access Control List) filters traffic as it passes through a switch, and permits or denies packets crossing specified interfaces or VLANs.
  • Page 534: Acl Configurations

    Configuring ACL ACL Configurations ACL Configurations To configure ACL Binding, follow these steps: 1) Create an ACL and configure the rules. 2) Bind the ACL to a port or VLAN. To configure Policy Binding, follow these steps: 1) Create an ACL and configure the rules. 2) Create a Policy and configure the policy action.
  • Page 535: Configuring Acl Rules

    Configuring ACL ACL Configurations Choose the menu ACL > ACL Config > ACL Create to load the following page. Figure 2-1 Creating an ACL Follow these steps to create an ACL: 1) Enter a number to identify the ACL. ACL ID Enter a number to identify the ACL.
  • Page 536 Configuring ACL ACL Configurations ACL ID Select an MAC ACL from the drop-down list. Rule ID Specify the rule ID, which ranges from 0 to 999. It should not be the same as any existing MAC ACL Rule IDs. Operation Select an operation to be performed when a packet matches the rule.
  • Page 537 Configuring ACL ACL Configurations Operation Select an operation to be performed when a packet matches the rule. Permit: To forward the matched packets. Deny: To discard the matched packets. 2) Configure the rule’s packet-matching criteria. S-IP/Mask Specify the source IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched.
  • Page 538 Configuring ACL ACL Configurations 2) Configure the rule’s packet-matching criteria S-IP/Mask Specify the source IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched. D-IP/Mask Specify the destination IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched.
  • Page 539 S-Port / D-Port Enter the TCP/UDP source and destination port. For T1600G-18TS, S-Port / D-Port cannot be configured. 3) Click Apply. Verifying the Rule Table: The rules in an ACL are listed in ascending order of configuration time, regardless of their rule IDs.
  • Page 540: Configuring Policy

    Configuring ACL ACL Configurations Choose the menu ACL > ACL Config > ACL Summary to load the following page. Figure 2-6 ACL Information 2.1.3 Configuring Policy To configure the policy, follow these steps: 1) Create a policy. 2) Apply an ACL to the Policy. Creating a Policy: Choose the menu ACL >...
  • Page 541: Configuring The Acl Binding And Policy Binding

    Configuring ACL ACL Configurations Select your preferred policy and ACL, and click Apply Select Policy Select a Policy from the drop-down list. Select ACL Select an ACL to be applied to the Policy. 2.1.4 Configuring the ACL Binding and Policy Binding You can select ACL binding or Policy binding according to your needs.
  • Page 542 Configuring ACL ACL Configurations Binding the ACL to a VLAN: Choose the menu ACL > ACL Binding > VLAN Binding to load the following page. Figure 2-10 Binding the ACL to a VLAN Follow these steps to bind the ACL to a VLAN: Select the ACL and enter the VLAN ID, and click Apply. ACL ID Select an ACL from the drop-down list.
  • Page 543 Configuring ACL ACL Configurations Follow these steps to bind the Policy to a Port: Select the Policy and the port to be bound, and click Apply. Policy Name Select a Policy from the drop-down list. Binding the Policy to a VLAN: Choose the menu ACL >...
  • Page 544 Configuring ACL ACL Configurations Choose the menu ACL > ACL Binding > Binding Table to load the following page. Figure 2-13 Verifying the ACL Binding Verifying the Policy Binding: You can view both port binding and VLAN binding entries in the table. You can also delete existing entries if needed.
  • Page 545: Using The Cli

    Configuring ACL ACL Configurations 2.2 Using the CLI 2.2.1 Configuring ACL Follow the steps to create different types of ACL and configure the ACL rules. You can define the rules based on source or destination IP addresses, source or destination MAC addresses, protocol type and so on. Configuring the MAC ACL: Step 1 configure...
  • Page 546 Configuring ACL ACL Configurations The following example shows how to create MAC ACL 50 and configure Rule 1 to permit packets with source MAC address 00:34:a2:d4:34:b5: Switch#configure Switch(config)#mac access-list 50 Switch(config-mac-acl)#rule 1 permit smac 00:34:a2:d4:34:b5 smask ff:ff:ff:ff:ff:ff Switch(config-mac-acl)#show access-list 50 mac access list 50 Rule 1 permit smac 00:34:a2:d4:34:b5 smask ff:ff:ff:ff:ff:ff Switch(config-mac-acl)#end...
  • Page 547 Configuring ACL ACL Configurations Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create Standard-IP ACL 600, and configure Rule 1 to permit packets with source IP address 192.168.1.100: Switch#configure Switch(config)#access-list create 600 Switch(config)#rule 1 permit sip 192.168.1.100 smask 255.255.255.255...
  • Page 548 Configuring ACL ACL Configurations Step 3 access-list extended acl-id rule rule-id {deny | permit} [ [sip source-ip] smask source-ip-mask ] [ [dip destination-ip ] dmask destination-ip-mask ] [s-port s-port ] [d-port d-port ] [protocol protocol ] Add a rule to the ACL. The ID number of the ACL you have created.
  • Page 549 Configuring ACL ACL Configurations Configuring the IPv6 ACL: Step 1 configure Enter global configuration mode. Step 2 access-list combined access-list-num Create an IPv6 ACL. access-list-num: Enter an ACL ID. The ID ranges from 3500 to 4999. Step 3 access-list ipv6 acl-id rule rule-id {permit | deny} [dscp dscp-value ] [flow-label flow-label-value ] [sip source-ip-address sip-mask source-ip-mask ] [dip destination-ip-address dip-mask destination-ip-mask ] [s-port source-port-number ] [d-port destination-port-number ] Add a rule to the ACL.
  • Page 550: Configuring Policy

    Configuring ACL ACL Configurations Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create IPv6 ACL 3600 and configure Rule 1 to deny packets with source IPv6 address CDCD:910A:2222:5498:8475:1111:3900:2020: Switch#configure Switch(config)#access-list create 3600 Switch(config)#access-list ipv6 3600 rule 1 deny sip CDCD:910A:2222:5498:8475:1111:3900:2020 sip-mask ffff:ffff:ffff:ffff Switch(config)#show access-list 3600...
  • Page 551: Acl Binding And Policy Binding

    Configuring ACL ACL Configurations The following example shows how to create Policy RD, and apply ACL 600 to Policy RD: Switch#configure Switch(config)#access-list policy name RD Switch(config)#access-list policy action RD 600 Switch(config-action)#exit Switch(config)#show access-list policy RD Policy name : RD access-list 600 Switch(config)#end Switch#copy running-config startup-config 2.2.3 ACL Binding and Policy Binding...
  • Page 552 Configuring ACL ACL Configurations Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to bind ACL 1 to port 3 and ACL 2 to VLAN 4: Switch#configure Switch(config)#interface gigabitEthernet 1/0/3 Switch(config-if)#access-list bind acl 1...
  • Page 553 Configuring ACL ACL Configurations Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list } access-list bind policy-name (Optional) Enter the interface configuration mode and bind the policy to the port. port | port-list: The port (ports) to which the policy will bind. policy-name: The name of the policy.
  • Page 554: Configuration Example For Acl

    Configuring ACL Configuration Example for ACL Configuration Example for ACL Network Requirements A company’s server group can provide different types of services. It is required that: The Marketing department can only access the server group; The Marketing department can only visit HTTP and HTTPS websites on the Internet. Network Topology As shown below, computers in the Marketing department are connected to the switch via port 1/0/1, and the server group is connected to the switch via port 1/0/2.
  • Page 555: Using The Gui

    Configuring ACL Configuration Example for ACL 2) Configure permit rules to match packets with source IP address 10.10.70.0/24, and destination ports TCP 80, TCP 443 and TCP/UDP 53. These rules allow the Marketing department to visit HTTP and HTTPS websites on the Internet. 3) Configure a deny rule to match packets with source IP address 10.10.70.0.
  • Page 556 Configuring ACL Configuration Example for ACL Figure 3-3 Configuring Rule 1 3) Choose the menu ACL > ACL Config > Extend ACL to load the following page. Configure rule 2 and rule 3 to permit packets with source IP 10.10.70.0 and destination port TCP 80 (HTTP service port) and UDP 443 (HTTPS service port).
  • Page 557 Configuring ACL Configuration Example for ACL 4) Choose the menu ACL > Policy Config > Policy Create to load the following page. Configure Rule 4 and Rule 5 to permit packets with source IP 10.10.70.0 and with destination port TCP 53 or UDP 53 (DNS service port). Figure 3-6 Configuring Rule 4 Figure 3-7 Configuring Rule 5 5) Choose the menu ACL >...
  • Page 558 Configuring ACL Configuration Example for ACL Figure 3-8 Configuring Rule 6 6) Choose the menu ACL > Policy Config > Policy Create to load the following page. Then create Policy Market. Figure 3-9 Creating the Policy 7) Choose the menu ACL > Policy Config > Action Create to load the following page. Then apply ACL 1600 to Policy Market.
  • Page 559: Using The Cli

    Configuring ACL Configuration Example for ACL Figure 3-11 Binding the Policy to Port 1/0/1 9) Click Save Config to save the settings. 3.5 Using the CLI 1) Create Extended-IP ACL 1600. Switch#configure Switch(config)#access-list create 1600 2) Configure rule 1 to permit packets with source IP 10.10.70.0 and destination IP 10.10.80.0.
  • Page 560 Configuring ACL Configuration Example for ACL Switch(config)#access-list extended 1600 rule 6 deny sip 10.10.70.0 smask 255.255.255.0 6) Create Policy Market, and then apply ACL 1600 to it. Switch(config)#access-list policy name Market Switch(config)#access-list policy action Market 1600 Switch(config-action)#exit 7) Bind Policy Market to port 1/0/1. Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#access-list bind Market Switch(config-if)#end...
  • Page 561: Appendix: Default Parameters

    Configuring ACL Appendix: Default Parameters Appendix: Default Parameters For MAC ACL: Parameter Default Setting Operation Permit For Standard-IP ACL: Parameter Default Setting Operation Permit For Extend-IP ACL: Parameter Default Setting Operation Permit IP Protocol For IPv6 ACL: Parameter Default Setting Operation Permit Configuration Guide...
  • Page 562: Configuring Network Security

    Part 20 Configuring Network Security CHAPTERS 1. Network Security 2. IP-MAC Binding Configurations 3. DHCP Snooping Configuration 4. ARP Inspection Configurations 5. ... 6. 802.1X Configuration 7. AAA Configuration 8. Configuration Examples 9. Appendix: Default Parameters
  • Page 563: Network Security

    Configuring Network Security Network Security Network Security 1.1 Overview Network Security provides multiple protection measures for the network. Users can configure the security functions according to their needs. 1.2 Supported Features The switch supports multiple network security features, for example, IP-MAC Binding, DHCP Snooping, ARP Inspection and so on.
  • Page 564: Arp Inspection

    Configuring Network Security Network Security Figure 1-1 Network Topology of Basic DHCP Security (figure labels: Legal DHCP Server, Trusted Port, Untrusted Port, Switch, Clients, Illegal DHCP Server). Additionally, with DHCP Snooping, the switch can monitor how each client host obtains its IP address and record the host's IP address, MAC address, VLAN ID and connected port number for automatic binding.
  • Page 565 Configuring Network Security Network Security Prevent ARP Flooding Attack: With the ARP Defend feature, the switch stops receiving ARP packets on a port for 300 seconds when the rate of legal ARP packets on that port exceeds the defined value, which protects against ARP flooding attacks.
  • Page 566 Client: A client, usually a computer, is connected to the authenticator via a physical port. We recommend that you install TP-Link 802.1X authentication client software on the client hosts, enabling them to request 802.1X authentication to access the LAN.
  • Page 567 Configuring Network Security Network Security Figure 1-3 Network Topology of AAA (figure labels: RADIUS Server, Users, Switches)
  • Page 568: Ip-Mac Binding Configurations

    Configuring Network Security IP-MAC Binding Configurations IP-MAC Binding Configurations You can complete IP-MAC binding in two ways: Manual Binding; Dynamical Binding (including ARP Scanning and DHCP Snooping). Additionally, you can search the specified entries in the Binding Table. Using the GUI 2.1.1 Binding Entries Manually You can manually bind the IP address, MAC address, VLAN ID and the Port number...
  • Page 569: Binding Entries Dynamically

    Configuring Network Security IP-MAC Binding Configurations Host Name Enter the host name for identification. IP Address Enter the IP address. MAC Address Enter the MAC address. VLAN ID Enter the VLAN ID. 2) Select protect type for the entry. Protect Type Select the protect type for the entry: None: This entry will not be applied to any feature.
  • Page 570 Configuring Network Security IP-MAC Binding Configurations Choose the menu Network Security > IP-MAC Binding > ARP Scanning to load the following page. Figure 2-2 ARP Scanning Follow these steps to configure IP-MAC Binding via ARP scanning: 1) In the Scanning Option section, specify an IP address range and a VLAN ID. Then click Scan to scan the entries in the specified IP address range and VLAN.
  • Page 571: Viewing The Binding Entries

    Configuring Network Security IP-MAC Binding Configurations Collision Displays the collision status of the entry. Warning: The collision entries have the same IP address and MAC address, and all the collision entries are valid. This kind of collision may be caused by the MSTP function.
  • Page 572: Using The Cli

    Configuring Network Security IP-MAC Binding Configurations Enter an IP address and click Search to search the specific entry. In the Binding Table section, you can view the searched entries. Additionally, you can configure the host name and protect type for one or more entries, and click Apply. Host Name Enter a host name for identification.
  • Page 573 Step 2
        ip source binding hostname ip-addr mac-addr vlan vlan-id interface gigabitEthernet port { none | arp-detection } [ forced-source {arp-scanning | dhcp-snooping} ]
    Manually bind the host name, IP address, MAC address, VLAN ID and port number of the host, and configure the protect type for the host.
  • Page 574: Viewing Binding Entries

    2.2.2 Viewing Binding Entries
    In privileged EXEC mode or any other configuration mode, you can use the following command to view binding entries:
        show ip source binding
    View the information of binding entries, including the host name, IP address, MAC address, VLAN ID, port number, protect type and collision status.
  • Page 575: Dhcp Snooping Configuration

    DHCP Snooping Configuration
    To complete DHCP Snooping configuration, follow these steps:
    1) Enable DHCP Snooping on VLAN.
    2) Configure DHCP Snooping on the specified port.
    3) (Optional) Configure Option 82 on the specified port.
    Tips: The switch can dynamically bind the entries via DHCP Snooping after step 1 and step 2 are completed.
  • Page 576: Configuring Dhcp Snooping On Ports

    VLAN ID: Specify the VLAN ID in the format shown on the page.
    VLAN Configuration Display: Displays the VLANs that have been enabled with DHCP Snooping.
    3) Click Apply.
    3.1.2 Configuring DHCP Snooping on Ports
    Choose the menu Network Security >...
  • Page 577: Optional) Configuring Option 82

    MAC Verify: Enable or disable the MAC Verify feature. There are two fields in the DHCP packet that contain the MAC address of the host. The MAC Verify feature compares the two fields of a DHCP packet and discards the packet if the two fields are different. This prevents the IP address resource on the DHCP server from being exhausted by forged MAC addresses.
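The MAC Verify comparison described above, as an added example (not code from the TP-Link manual or firmware): it parses an untagged Ethernet/IPv4/UDP DHCP frame and compares the two MAC addresses a client request carries. Taking the "two fields" to be the Ethernet source address and the BOOTP `chaddr` field is an assumption, since the manual does not name them; the function names and the sample frames are constructed.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that precedes the DHCP options
BOOTREQUEST = 1                     # BOOTP op code for client-to-server messages


class NotDhcp(ValueError):
    """The frame is not a well-formed, untagged DHCP-over-IPv4 frame."""


def parse_dhcp_frame(frame: bytes):
    """Return (op, ethernet_source_mac, chaddr) from a raw Ethernet frame."""
    if len(frame) < 14:
        raise NotDhcp("short Ethernet header")
    eth_src = frame[6:12]
    if frame[12:14] != b"\x08\x00":
        raise NotDhcp("not IPv4 (802.1Q-tagged frames are out of scope here)")
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise NotDhcp("bad IPv4 header")
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or len(ip) < ihl + 8 or ip[9] != 17:
        raise NotDhcp("not UDP")
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if sport not in (67, 68) or dport not in (67, 68):
        raise NotDhcp("not the DHCP ports")
    bootp = ip[ihl + 8:]
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        raise NotDhcp("truncated BOOTP header or missing magic cookie")
    op, htype, hlen = bootp[0], bootp[1], bootp[2]
    if htype != 1 or hlen != 6:
        raise NotDhcp("hardware address is not a 6-byte Ethernet MAC")
    return op, eth_src, bootp[28:34]    # chaddr starts at offset 28


def mac_verify(frame: bytes) -> str:
    """Return 'discard' when a client request carries two different MACs."""
    op, eth_src, chaddr = parse_dhcp_frame(frame)
    if op != BOOTREQUEST:
        # Assumption: only client requests are compared, because a server
        # reply carries the server's MAC as source and the client's in chaddr.
        return "forward"
    return "forward" if eth_src == chaddr else "discard"


def build_discover(eth_src: bytes, chaddr: bytes) -> bytes:
    """Construct a minimal DHCPDISCOVER frame (sample data, checksums left 0)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        BOOTREQUEST, 1, 6, 0, 0x1234ABCD, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4),
                        chaddr, b"", b"")
    bootp += DHCP_MAGIC + b"\x35\x01\x01\xff"   # option 53 = DISCOVER, then end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + eth_src + b"\x08\x00" + ip


if __name__ == "__main__":
    host = bytes.fromhex("02005e000001")        # constructed client MAC
    forged = bytes.fromhex("02005e00beef")      # constructed forged chaddr
    print("matching MACs:", mac_verify(build_discover(host, host)))
    print("forged chaddr:", mac_verify(build_discover(host, forged)))
```

A host that requests many leases by varying only `chaddr` keeps one Ethernet source address, which is why the mismatch is a usable signal for address-pool exhaustion.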
  • Page 578: Using The Cli

    Operation Strategy: Select the operation for the Option 82 field of the DHCP request packets.
    Keep: Indicates keeping the Option 82 field of the packets.
    Replace: Indicates replacing the Option 82 field of the packets with one defined by the switch.
  • Page 579: Configuring Dhcp Snooping On Ports

    Step 5 Return to privileged EXEC mode.
    Step 6 copy running-config startup-config
    Save the settings in the configuration file.
    The following example shows how to enable DHCP Snooping globally and on VLAN 5:
        Switch#configure
        Switch(config)#ip dhcp snooping
        Switch(config)#ip dhcp snooping vlan 5
        Switch(config)#show ip dhcp snooping...
  • Page 580 Configuring Network Security DHCP Snooping Configuration Step 5 ip dhcp snooping limit rate value Enable the limit rate feature and specify the maximum number of DHCP messages that can be forwarded on the port per second. The excessive DHCP packets will be discarded. Specify the limit rate value.
  • Page 581: Optional) Configuring Option 82

    Configuring Network Security DHCP Snooping Configuration 3.2.3 (Optional) Configuring Option 82 Option 82 records the location of the DHCP client. The switch can add the Option 82 to the DHCP request packet and then transmit the packet to the DHCP server. Administrators can check the location of the DHCP client via option 82.
  • Page 582 Step 8 Return to privileged EXEC mode.
    Step 9 copy running-config startup-config
    Save the settings in the configuration file.
    The following example shows how to enable Option 82 on port 1/0/7 and configure the strategy as replace, the circuit-id as VLAN20 and the remote-id as Host1:
        Switch#configure
        Switch(config)#interface gigabitEthernet 1/0/7...
  • Page 583: Arp Inspection Configurations

    ARP Inspection Configurations
    With ARP Inspection configurations, you can:
    • Configure ARP Detection
    • Configure ARP Defend
    • View ARP Statistics
    4.1 Using the GUI
    4.1.1 Configuring ARP Detection
    The ARP Detection feature allows the switch to detect the ARP packets based on the binding entries in the IP-MAC Binding Table and filter out the illegal ARP packets.
  • Page 584: Configuring Arp Defend

    Configuring Network Security ARP Inspection Configurations 4.1.2 Configuring ARP Defend With ARP Defend enabled, the switch can terminate receiving the ARP packets for 300 seconds when the transmission speed of the legal ARP packet on the port exceeds the defined value so as to avoid ARP Attack flood. Choose the menu Network Security >...
  • Page 585: Viewing Arp Statistics

    Configuring Network Security ARP Inspection Configurations Displays the LAG that the port is in. Operation Click the Recover button to restore the port to the normal status. The ARP Defend for this port will be re-enabled. 2) Click Apply. 4.1.3 Viewing ARP Statistics You can view the number of the illegal ARP packets received on each port, which facilitates you to locate the network malfunction and take the related protection measures.
  • Page 586: Using The Cli

    In the Illegal ARP Packet section, you can view the number of illegal ARP packets on each port.
    Trusted Port: Indicates whether the port is an ARP trusted port or not.
    Illegal ARP Packet: Displays the number of the received illegal ARP packets.
    Using the CLI
    4.2.1 Configuring ARP Detection...
  • Page 587: Configuring Arp Defend

        Switch(config)#ip arp inspection
        Switch(config)#interface gigabitEthernet 1/0/1
        Switch(config-if)#ip arp inspection trust
        Switch(config-if)#show ip arp inspection
        ARP detection global status: Enabled
        Port Trusted
        Gi1/0/1
        Gi1/0/2
        ..
        Switch(config-if)#end
        Switch#copy running-config startup-config
    4.2.2 Configuring ARP Defend
    With ARP Defend enabled, the switch can stop receiving ARP packets for 300 seconds when the transmission speed of the legal ARP packets on the port exceeds the defined value, so as to avoid an ARP flooding attack.
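A model of the two checks described above, ARP Detection against the IP-MAC Binding Table and ARP Defend's 300-second cut-off, as an added example that is not TP-Link code. The class and function names are hypothetical, counting the rate in one-second windows and treating malformed ARP as illegal are assumptions, and all addresses are constructed.

```python
import ipaddress
import struct
from collections import defaultdict

BLOCK_SECONDS = 300   # the manual: ARP reception stops for 300 seconds


def parse_arp_sender(payload: bytes):
    """Return (sender_mac, sender_ip) from a 28-byte Ethernet/IPv4 ARP payload."""
    if len(payload) < 28:
        raise ValueError("short ARP payload")
    htype, ptype, hlen, plen, _oper, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    mac = ":".join(f"{b:02x}" for b in sha)
    return mac, str(ipaddress.IPv4Address(spa))


def build_arp(sender_mac: str, sender_ip: str, target_ip: str = "192.168.0.1"):
    """Construct an ARP request payload (sample data for the demo and tests)."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, sha,
                       ipaddress.IPv4Address(sender_ip).packed, bytes(6),
                       ipaddress.IPv4Address(target_ip).packed)


class ArpInspector:
    def __init__(self, bindings, trusted_ports=(), defend_limits=None):
        # bindings: (ip, mac, vlan, port) tuples, the fields of a binding entry
        self.bindings = set(bindings)
        self.trusted = set(trusted_ports)
        self.defend_limits = dict(defend_limits or {})  # port -> packets/second
        self.illegal = defaultdict(int)   # per-port illegal ARP counter
        self.window = {}                  # port -> (second, legal packets seen)
        self.blocked_until = {}           # port -> time ARP reception resumes

    def receive(self, now: float, port: str, vlan: int, payload: bytes) -> str:
        """Return 'forward', 'illegal' or 'discard' for one received ARP packet."""
        if self.blocked_until.get(port, 0) > now:
            return "discard"              # port is in Discard status
        try:
            mac, ip = parse_arp_sender(payload)
        except ValueError:
            self.illegal[port] += 1       # assumption: malformed counts as illegal
            return "illegal"
        # ARP Detection: untrusted ports must match a binding entry exactly.
        if port not in self.trusted and (ip, mac, vlan, port) not in self.bindings:
            self.illegal[port] += 1
            return "illegal"
        # ARP Defend: rate-limit the legal packets on ports that have a limit.
        limit = self.defend_limits.get(port)
        if limit is not None:
            second = int(now)
            start, count = self.window.get(port, (second, 0))
            count = count + 1 if start == second else 1
            self.window[port] = (second, count)
            if count > limit:
                self.blocked_until[port] = now + BLOCK_SECONDS
                return "discard"
        return "forward"

    def recover(self, port: str) -> None:
        """Return a port from Discard to Normal status before the timer ends."""
        self.blocked_until.pop(port, None)
        self.window.pop(port, None)


if __name__ == "__main__":
    entry = ("192.168.0.33", "02:00:5e:00:00:03", 1, "Gi1/0/3")   # constructed
    sw = ArpInspector([entry], trusted_ports={"Gi1/0/4"},
                      defend_limits={"Gi1/0/3": 15})
    legal = build_arp("02:00:5e:00:00:03", "192.168.0.33")
    spoof = build_arp("02:00:5e:00:be:ef", "192.168.0.33")
    print(sw.receive(0.0, "Gi1/0/3", 1, legal))    # matches the binding
    print(sw.receive(0.1, "Gi1/0/3", 1, spoof))    # right IP, wrong MAC
    print(sw.receive(0.2, "Gi1/0/2", 1, legal))    # right pair, wrong port
    print(dict(sw.illegal))
```

The per-port `illegal` counter plays the role of the Illegal ARP Packet statistic: a port whose counter climbs is where to look for a misconfigured or spoofing host.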
  • Page 588 Configuring Network Security ARP Inspection Configurations Step 6 ip arp inspection recover (Optional) For ports which the speed of receiving ARP packets has exceeded the limit, use this command to restore the port from Discard status to Normal status. Step 7 Return to privileged EXEC mode.
  • Page 589: Viewing Arp Statistics

        Port OverSpeed Rate Current Status
        Gi1/0/1 Disabled Normal
        Switch(config-if)#end
        Switch#copy running-config startup-config
    4.2.3 Viewing ARP Statistics
    In privileged EXEC mode or any other configuration mode, you can use the following command to view ARP statistics:
        show ip arp inspection statistics
    View the ARP statistics on each port, including whether the port is a trusted port and the number of received ARP packets on the port.
  • Page 590: Dos Defend Configuration

    Configuring Network Security DoS Defend Configuration DoS Defend Configuration Using the GUI Choose the menu Network Security > DoS Defend > DoS Defend to load the following page. Figure 5-1 Dos Defend Follow these steps to configure DoS Defend: 1) In the Configure section, enable DoS Protection. 2) In the Defend Table section, select one or more defend types according to your needs.
  • Page 591: Using The Cli

    SYN sPort less 1024: The attacker sends the illegal packet with its TCP SYN field set to 1 and source port smaller than 1024.
    Blat Attack: The attacker sends the illegal packet with the same source port and destination port on Layer 4 and with its URG field set to 1.
  • Page 592 Step 3
        ip dos-prevent type { land | scan-synfin | xma-scan | null-scan | port-less-1024 | blat | ping-flood | syn-flood | win-nuke | smurf | ping-of-death }
    Configure one or more defend types according to your needs. The types of DoS attack are introduced as follows.
  • Page 593 Step 5 Return to privileged EXEC mode.
    Step 6 copy running-config startup-config
    Save the settings in the configuration file.
    The following example shows how to enable the DoS Defend type named land:
        Switch#configure
        Switch(config)#ip dos-prevent
        Switch(config)#ip dos-prevent type land
        Switch(config)#show ip dos-prevent
        Type...
  • Page 594: X Configuration

    Configuring Network Security 802.1X Configuration 802.1X Configuration To complete the 802.1X configuration, follow these steps: 1) Configure the RADIUS server. 2) Configure 802.1X globally. 3) Configure 802.1X on ports. Configuration Guidelines 802.1X authentication and Port Security cannot be enabled at the same time. Before enabling 802.1X authentication, make sure that Port Security is disabled.
  • Page 595 Adding the RADIUS Server
    Choose the menu Network Security > AAA > RADIUS Config to load the following page.
    Figure 6-2 RADIUS Config
    Follow these steps to create a protocol template:
    1) In the Server Config section, configure the parameters of RADIUS server.
    2) Click Apply.
  • Page 596 Configuring Network Security 802.1X Configuration Choose the menu Network Security > AAA > Server Group to load the following page. Figure 6-3 Adding a Server Group Follow these steps to create a protocol template: 1) In the Add New Server Group section, specify the name and server type for the new server group, and click Add.
  • Page 597 Figure 6-5 Add Server to Group
    Configuring the Dot1x List
    Choose the menu Network Security > AAA > Dot1x List to load the following page.
    Figure 6-6 Configuring the Dot1x List
    Follow these steps to configure RADIUS server groups for 802.1X authentication and accounting:
    1) In the Authentication Dot1x Method List section, select an existing RADIUS server group for authentication from the Pri1 drop-down list and click Apply.
  • Page 598: Configuring 802.1X Globally

    Handshake: Enable or disable the Handshake feature. The Handshake feature is used to detect the connection status between the TP-Link 802.1X Client and the switch. Please disable the Handshake feature if you are using other client software instead of the TP-Link 802.1X Client.
  • Page 599 Configuring Network Security 802.1X Configuration Guest VLAN Select whether to enable Guest VLAN. By default, it is disabled. If the Guest VLAN is enabled, a port can access resources in the guest VLAN even though the port is not yet authenticated; if guest VLAN is disabled and the port is not authenticated, the port cannot visit any resource in the LAN.
  • Page 600: Configuring 802.1X On Ports

    Configuring Network Security 802.1X Configuration 6.1.3 Configuring 802.1X on Ports Choose the menu Network Security > 802.1X > Port Config to load the following page. Figure 6-8 Port Config Configure 802.1X authentication on the desired port and click Apply . Status Enable 802.1X authentication on the port.
  • Page 601: Using The Cli

    Note: If a port is in an LAG, its 802.1X authentication function cannot be enabled. Also, a port with 802.1X authentication enabled cannot be added to any LAG.
    6.2 Using the CLI
    6.2.1 Configuring the RADIUS Server
    Follow these steps to configure RADIUS:
    Step 1 configure...
  • Page 602 Configuring Network Security 802.1X Configuration Step 5 server ip-address Add the existing servers to the server group. ip-address : Specify IP address of the server to be added to the group. Step 6 exit Return to global configuration mode. Step 7 aaa authentication dot1x default { method } Select the radius group for 802.1X authentication.
  • Page 603: Configuring 802.1X Globally

        Switch#configure
        Switch(config)#aaa enable
        Switch(config)#radius-server host 192.168.0.100 key 123456 auth-port 1812 acct-port 1813
        Switch(config)#aaa group radius radius1
        Switch(aaa-group)#server 192.168.0.100
        Switch(aaa-group)#exit
        Switch(config)#aaa authentication dot1x default radius1
        Switch(config)#aaa accounting dot1x default radius1
        Switch(config)#show radius-server
        Server Ip Auth Port Acct Port Timeout Retransmit Shared key...
  • Page 604 Configuring Network Security 802.1X Configuration Step 2 dot1x system-auth-control Enable 802.1X authentication globally. Step 3 dot1x auth-method { pap | eap } Configure the 802.1X authentication method. pap: Specify the authentication method as PAP. If this option is selected, the 802.1X authentication system uses EAP (Extensible Authentication Protocol) packets to exchange information between the switch and the client.
  • Page 605: Configuring 802.1X On Ports

    Step 9 Return to privileged EXEC mode.
    Step 10 copy running-config startup-config
    Save the settings in the configuration file.
    The following example shows how to enable 802.1X authentication, configure PAP as the authentication method and keep other parameters as default:
        Switch#configure
        Switch(config)#dot1x system-auth-control
        Switch(config)#dot1x auth-method pap...
  • Page 606 Configuring Network Security 802.1X Configuration Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list } Enter interface configuration mode. Enter the ID of the port to be configured. port: Step 3 dot1x Enable 802.1X authentication for the port. Step 4 dot1x port-method { mac-based | port-based } Configure the control type for the port.
  • Page 607
        Switch(config)#interface gigabitEthernet 1/0/2
        Switch(config-if)#dot1x
        Switch(config-if)#dot1x port-method port-based
        Switch(config-if)#dot1x port-control auto
        Switch(config-if)#show dot1x interface gigabitEthernet 1/0/2
        Port State GuestVLAN PortControl PortMethod Authorized
        ---- ----- --------- -------- -------- --------------
        Gi1/0/2 enabled disabled auto port-based unauthorized N/A
        Switch(config-if)#end
        Switch#copy running-config startup-config
  • Page 608: Aaa Configuration

    Configuring Network Security AAA Configuration AAA Configuration In the AAA feature, the authentication can be processed locally on the switch or centrally on the RADIUS/TACACS+ server(s). To ensure the stability of the authentication system, you can configure multiple servers and authentication methods at the same time. This chapter introduces how to configure this kind of comprehensive authentication in AAA.
  • Page 609: Using The Gui

    AAA Application List
    The switch supports the following access applications: Telnet, SSH and HTTP. You can select the configured authentication method lists for each application.
    7.1 Using the GUI
    7.1.1 Globally Enabling AAA
    Choose the menu Network Security > AAA > Global Config to load the following page.
    Figure 7-1 Global Configuration
    Follow these steps to globally enable AAA:
    1) In the Global Config section, enable AAA.
  • Page 610 Configuring Network Security AAA Configuration Follow these steps to add a RADIUS server: 1) In the Server Config section, configure the following parameters. Server IP Enter the IP address of the server running the RADIUS secure protocol. Shared Key Enter the shared key between the RADIUS server and the switch. The RADIUS server and the switch use the key string to encrypt passwords and exchange responses.
  • Page 611: Configuring Server Groups

    Configuring Network Security AAA Configuration Shared Key Enter the shared key between the TACACS+ server and the switch. The TACACS+ server and the switch use the key string to encrypt passwords and exchange responses. Server Port Specify the TCP port used on the TACACS+ server for AAA. The default setting is 2) Click Add to add the TACACS+ server on the switch.
  • Page 612: Configuring The Method List

    Configuring Network Security AAA Configuration Figure 7-5 Edit the Group 3) Select the server to be added to the group from the Server IP drop-down list . Then click Add to add this server to the server group. Figure 7-6 Add Server to Group 7.1.4 Configuring the Method List A method list describes the authentication methods and their sequence to authenticate the users.
  • Page 613 Configuring Network Security AAA Configuration Choose the menu Network Security > AAA > Method List to load the following page. Figure 7-7 Add New Method There are two default methods respectively for the Login authentication and the Enable authentication. You can edit the default methods or follow these steps to add a new method: 1) In the Add Method List section, configure the parameters for the method to be added.
  • Page 614: Configuring The Aaa Application List

    Configuring Network Security AAA Configuration 7.1.5 Configuring the AAA Application List Choose the menu Network Security > AAA > Global Config to load the following page. Figure 7-8 Configure Application List Follow these steps to configure the AAA application list. 1) In the AAA Application List section, select an access application and configure the Login list and Enable list.
  • Page 615: Using The Cli

    Tips: The logged-in guests can enter the Enable password on this page to get administrative privileges.
    On the Server
    The accounts created by the RADIUS/TACACS+ server can only view the configurations and some network information without the Enable password. Some configuration principles on the server are as follows:
    • For Login authentication configuration, more than one login account can be created on the server.
  • Page 616: Adding Servers

        Switch#configure
        Switch(config)#aaa enable
        Switch(config)#show aaa global
        AAA global status: Enable
        ..
        Switch(config)#end
        Switch#copy running-config startup-config
    7.2.2 Adding Servers
    You can add one or more RADIUS/TACACS+ servers on the switch for authentication. If multiple servers are added, the server with the highest priority authenticates the users trying to access the switch, and the others act as backup servers in case the first one breaks down.
  • Page 617 Configuring Network Security AAA Configuration Step 3 show radius-server Verify the configuration of RADIUS server. Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to add a RADIUS server on the switch. Set the IP address of the server as 192.168.0.10, the authentication port as 1812, the shared key as 123456, the timeout as 8 seconds and the retransmit number as 3.
  • Page 618 Step 2
        tacacs-server host ip-address [ port port-id ] [ timeout time ] [ key { [ 0 ] string | 7 encrypted-string } ]
    Add the TACACS+ server and configure the related parameters as needed.
    host ip-address: Enter the IP address of the server running the TACACS+ protocol.
  • Page 619: Configuring Server Groups

    Configuring Network Security AAA Configuration 7.2.3 Configuring Server Groups The switch has two built-in server groups, one for RADIUS and the other for TACACS+. The servers running the same protocol are automatically added to the default server group. You can add new server groups as needed. The two default server groups cannot be deleted or edited.
  • Page 620: Configuring The Method List

    Configuring Network Security AAA Configuration Switch(aaa-group)#end Switch#copy running-config startup-config 7.2.4 Configuring the Method List A method list describes the authentication methods and their sequence to authenticate the users. The switch supports Login Method List for users of all types to gain access to the switch, and Enable Method List for guests to get administrative privileges.
  • Page 621: Configuring The Aaa Application List

        Methodlist pri1 pri2 pri3 pri4
        default local
        Login1 radius local
        Switch(config)#end
        Switch#copy running-config startup-config
    The following example shows how to create an Enable method list named Enable1, and configure the method 1 as the default radius server group and the method 2 as local.
        Switch#configure
        Switch(config)#aaa authentication enable Enable1 radius local
        Switch(config)#show aaa authentication enable...
  • Page 622 Configuring Network Security AAA Configuration Step 4 enable authentication { method-list } Apply the Enable method list for the application Telnet. Specify the name of the Enable method list. method-list Step 5 show aaa global Verify the configuration of application list. Step 6 Return to privileged EXEC mode.
  • Page 623 Configuring Network Security AAA Configuration Step 3 login authentication { method-list } Apply the Login method list for the application SSH. Specify the name of the Login method list. method-list Step 4 enable authentication { method-list } Apply the Enable method list for the application SSH. Specify the name of the Enable method list.
  • Page 624: Configuring Login Account And Enable Password

    Step 1 configure
    Enter global configuration mode.
    Step 2 ip http login authentication { method-list }
    Apply the Login method list for the application HTTP.
    method-list: Specify the name of the Login method list.
    Step 3 ip http enable authentication { method-list }
    Apply the Enable method list for the application HTTP.
  • Page 625 On the Switch
    The local username and password for login can be configured in the User Management feature. For details, refer to Managing System.
    To configure the local Enable password for getting administrative privileges, follow these steps:
    Step 1 configure...
  • Page 626 On the TACACS+ server, configure the value of "enable 15" as the Enable password in the configuration file. All the users trying to get administrative privileges share this Enable password.
    Tips: The logged-in guests can get administrative privileges by using the command enable-admin and providing the Enable password.
  • Page 627: Configuration Examples

    Configuring Network Security Configuration Examples Configuration Examples 8.1 Example for DHCP Snooping and ARP Detection 8.1.1 Network Requirements As shown below, User 1 and User 2 get IP addresses from the legal DHCP server, and User 3 has a static IP address. All of them are in the default VLAN 1. Now, untrusted DHCP packets need to be filtered to ensure that the DHCP clients (User 1 and User 2) can get the IP addresses from the legal DHCP server.
  • Page 628: Using The Gui

    Configuring Network Security Configuration Examples 2) Configure IP-MAC Binding on Switch A. The binding entries for User 1 and User 2 will be automatically learned via DHCP Snooping, and you need to manually bind the entry for User 3. 3) Enable ARP Detection on Switch A to prevent ARP cheating attacks. 4) Configure ARP Defend on Switch A to limit the speed of receiving the legal ARP packets on each port, thus to prevent ARP flooding attacks.
  • Page 629 Configuring Network Security Configuration Examples Figure 8-3 Port Config 3) Choose the menu Network Security > IP-MAC Binding > Manual Binding to load the following page. Enter the host name, IP address, MAC address and VLAN ID of User 3, select ARP Detection as the protect type, and select port 1/0/3 on the panel. Click Bind. Figure 8-4 Manual Binding 4) Choose the menu Network Security >...
  • Page 630 Configuring Network Security Configuration Examples Figure 8-5 Binding Table 5) Choose the menu Network Security > ARP Inspection > ARP Detect to load the following page. Enable ARP Detection and set ports 1/0/4 as trusted port. Click Apply. Figure 8-6 ARP Detect 6) Choose the menu Network Security >...
  • Page 631: Using The Cli

    Figure 8-7 ARP Defend
    7) Click Save Config to save the settings.
    8.1.4 Using the CLI
    1) Enable DHCP Snooping globally and on VLAN 1.
        Switch_A#configure
        Switch_A(config)#ip dhcp snooping
        Switch_A(config)#ip dhcp snooping vlan 1
    2) Configure port 1/0/4 as a trusted port.
        Switch_A(config)#interface gigabitEthernet 1/0/4
        Switch_A(config-if)#ip dhcp snooping trust
        Switch_A(config-if)#exit...
  • Page 632
        Switch_A(config-if)#exit
    5) Configure ARP Defend on ports 1/0/1-3.
        Switch_A(config)#interface range gigabitEthernet 1/0/1-3
        Switch_A(config-if-range)#ip arp inspection
        Switch_A(config-if-range)#ip arp inspection limit-rate 15
        Switch_A(config-if-range)#end
        Switch_A#copy running-config startup-config
    Verify the Configuration
    Verify the configuration of DHCP Snooping:
        Switch_A#show ip dhcp snooping
        Global Status: Enable
        VLAN ID: 1
        Switch_A#show ip dhcp snooping interface...
  • Page 633: Example For 802.1X

    Verify the configuration of ARP Detection:
        Switch_A#show ip arp inspection
        ARP detection global status: Enabled
        Port Trusted
        Gi1/0/1
        Gi1/0/2
        Gi1/0/3
        Gi1/0/4
        ..
    Verify the configuration of ARP Defend:
        Switch_A#show ip arp inspection interface
        Port OverSpeed Rate Current Status
        Gi1/0/1 Enabled Normal...
  • Page 634: Network Topology

    • Keep 802.1X authentication disabled on ports connected to the authentication server and the Internet, which ensures unrestricted connections between the switch and the authentication server or the Internet.
    8.2.3 Network Topology
    As shown in the following figure, Switch A acts as the authenticator. Port 1/0/1 is connected to the client, port 1/0/2 is connected to the RADIUS server, and port 1/0/3 is connected to the Internet.
  • Page 635 Configuring Network Security Configuration Examples Figure 8-10 RADIUS Config 3) Choose the menu Network Security > AAA > Server Group to load the following page. In the Add New Server Group section, specify the group name as radius1 and the server type as RADIUS. Click Add to create the server group. Figure 8-11 Create Server Group 4) On the same page, select the newly created server group and click edit to load the following page.
  • Page 636 Configuring Network Security Configuration Examples 6) Choose the menu Network Security > 802.1X Authentication > Global Config to load the following page. Enable 802.1X authentication and configure the Authentication Method as EAP. Enable the Quiet feature and then keep the default authentication settings.
  • Page 637: Using The Cli

    Figure 8-15 Port Config
    8) Click Save Config to save the settings.
    8.2.5 Using the CLI
    1) Enable AAA function globally and configure the RADIUS parameters.
        Switch_A(config)#aaa enable
        Switch_A(config)#radius-server host 192.168.0.10 auth-port 1812 key 123456
        Switch_A(config)#aaa group radius radius1
        Switch_A(aaa-group)#server 192.168.0.10
        Switch_A(aaa-group)#exit
        Switch_A(config)#aaa authentication dot1x default radius1...
  • Page 638 3) Disable 802.1X authentication on port 1/0/2 and port 1/0/3. Enable 802.1X authentication on port 1/0/1, set the control mode as auto, and set the control type as MAC based.
        Switch_A(config)#interface gigabitEthernet 1/0/2
        Switch_A(config-if)#no dot1x
        Switch_A(config-if)#exit
        Switch_A(config)#interface gigabitEthernet 1/0/3
        Switch_A(config-if)#no dot1x...
  • Page 639: Example For Aaa

    Verify the configurations of 802.1X authentication on the port:
        Switch_A#show dot1x interface
        Port State GuestVLAN PortControl PortMethod Authorized
        ---- ----- --------- ----------- ---------- ----------
        Gi1/0/1 enabled disabled auto mac-based authorized
        Gi1/0/2 disabled disabled auto mac-based authorized
        Gi1/0/3 disabled disabled...
  • Page 640: Configuration Scheme

    breaks down and doesn't respond to the authentication request, RADIUS Server 2 will work, so as to ensure the stability of the authentication system.
    [Figure 8-16: Network Topology, showing the Administrator, the Switch, RADIUS Server 1 (192.168.0.10/24, Auth Port: 1812) and RADIUS Server 2 (192.168.0.20/24, Auth Port: 1812)...]
  • Page 641 Configuring Network Security Configuration Examples 2) Choose the menu Network Security > AAA > RADIUS Server to load the following page. Configure the Server IP as 192.168.0.10, the Shared Key as 123456, the Auth Port as 1812, and keep the other parameters as default. Click Add to add RADIUS Server 1 on the switch.
  • Page 642 Configuring Network Security Configuration Examples Figure 8-20 Create Server Group 5) On the same page, select the newly created server group and click edit to load the following page. Select 192.168.0.10 from the drop-down list, and click Add to add RADIUS Server 1 to the group. Then select 192.168.0.20 from the drop-down list, and click Add to add RADIUS Server 2 to the group.
  • Page 643: Using The Cli

    Configuring Network Security Configuration Examples 7) On the same page, specify the Method List Name as Method-Enable, select the List Type as Authentication Enable, and select the Pri1 as RADIUS1. Click Add to set the method list for the Enable password authentication. Figure 8-23 Configure Enable Method List 8) Choose the menu Network Security >...
  • Page 644
        Switch(aaa-group)#server 192.168.0.20
        Switch(aaa-group)#exit
    4) Create two method lists: Method-Login and Method-Enable, and configure the server group RADIUS1 as the authentication method for the two method lists.
        Switch(config)#aaa authentication login Method-Login RADIUS1
        Switch(config)#aaa authentication enable Method-Enable RADIUS1
    5) Configure Method-Login and Method-Enable as the authentication method for the Telnet application.
  • Page 645
        Authentication Login Methodlist:
        Methodlist pri1 pri2 pri3 pri4
        default local
        Method-Login RADIUS1
        Authentication Enable Methodlist:
        Methodlist pri1 pri2 pri3 pri4
        default none
        Method-Enable RADIUS1
        ..
    Verify the status of the AAA feature and the configuration of the AAA application list:
        Switch#show aaa global
        AAA global status: Enable
        Module...
  • Page 646: Appendix: Default Parameters

    Configuring Network Security Appendix: Default Parameters Appendix: Default Parameters Default settings of Network Security are listed in the following tables. Table 9-1 IP-MAC Binding Parameter Default Setting For Manual Binding: None Protect Type For ARP Scanning: None For DHCP Snooping: All Table 9-2 DHCP Snooping Parameter...
  • Page 647 Configuring Network Security Appendix: Default Parameters Table 9-3 ARP Inspection Parameter Default Setting ARP Detect ARP Detect Disable Trusted Port None ARP Defend Defend Disable Speed 15 pps ARP Statistics Auto Refresh Disable Refresh Interval 5 seconds Table 9-4 DoS Defend Parameter Default Setting DoS Defend...
  • Page 648 Configuring Network Security Appendix: Default Parameters Parameter Default Setting Supplicant Timeout 3 seconds Port Config 802.1X Status Disable Guest VLAN Disable Control Mode Auto Control Type MAC Based Dot1X List Authentication Dot1x List Name: default Method List Pri1: radius Accounting Dot1x Method List Name: default List Pri1:radius...
  • Page 649 Configuring Network Security Appendix: Default Parameters Parameter Default Setting Port Server Group: There are two default server groups: radius and tacacs. Method List List name: default Authentication Login Method List Pri1: local List name: default...
  • Page 650: Configuring Lldp

    Part 21 Configuring LLDP CHAPTERS 1. LLDP 2. LLDP Configurations 3. LLDP-MED Configurations 4. Viewing LLDP Settings 5. Viewing LLDP-MED Settings 6. Configuration Example 7. Appendix: Default Parameters...
  • Page 651: Lldp

    Configuring LLDP LLDP LLDP 1.1 Overview LLDP (Link Layer Discovery Protocol) is a neighbor discovery protocol that network devices use to advertise information about themselves to other devices on the network. The protocol is defined by the IEEE 802.1ab standard and runs over Layer 2 (the data-link layer), which allows for interoperability between network devices of different vendors.
  • Page 652: Lldp Configurations

    Configuring LLDP LLDP Configurations LLDP Configurations With LLDP configurations, you can: 1) Enable the LLDP feature on the switch. 2) (Optional) Configure the LLDP feature globally. 3) (Optional) Configure the LLDP feature for the interface. Using the GUI 2.1.1 Global Config Choose the LLDP >...
  • Page 653 Configuring LLDP LLDP Configurations Follow these steps to enable LLDP and configure the LLDP feature globally. 1) In the Global Config section, enable LLDP. You can also enable the switch to forward LLDP messages when LLDP function is disabled. Click Apply. LLDP Enable or disable LLDP function globally.
  • Page 654: Port Config

    Configuring LLDP LLDP Configurations 2.1.2 Port Config Choose the menu LLDP > Basic Config > Policy Config to load the following page. Figure 2-2 Port Config Follow these steps to configure the LLDP feature for the interface. 1) Select the desired port and set its Admin Status and Notification Mode. Admin Status Set Admin Status for the port to deal with LLDP packets.
  • Page 655: Using The Cli

    Included TLVs Configure the TLVs included in the outgoing LLDP packets. TP-Link supports the following TLVs: PD: Used to advertise the port description defined by the IEEE 802 LAN station. SC: Used to advertise the supported functions and whether or not these functions are enabled.
  • Page 656 Configuring LLDP LLDP Configurations Step 3 lldp forward_message (Optional) Enable the switch to forward LLDP messages when LLDP function is disabled. Step 4 lldp hold-multiplier (Optional) Specify the amount of time the neighbor device should hold the received information before discarding it. The default is 4. TTL (Time to Live) = Hold Multiplier * Transmit Interval.
  • Page 657: Port Config

    Configuring LLDP LLDP Configurations LLDP Forward Message: Disabled Tx Interval: 30 seconds TTL Multiplier: 4 Tx Delay: 2 seconds Initialization Delay: 2 seconds Trap Notification Interval: 5 seconds Fast-packet Count: 3 LLDP-MED Fast Start Repeat Count: 4 Switch(config)#end Switch#copy running-config startup-config 2.2.2 Port Config Select the desired port and set its Admin Status, Notification Mode and the TLVs included in the LLDP packets.
  • Page 658 Configuring LLDP LLDP Configurations Step 8 show lldp interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } Display LLDP configuration of the corresponding port. Step 9 Return to Privileged EXEC Mode. Step 10 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure the port 1/0/1.
  • Page 659 Configuring LLDP LLDP Configurations Link-Aggregation MAC-Physic Max-Frame-Size Power Switch(config-if)#end Switch#copy running-config startup-config...
  • Page 660: Lldp-Med Configurations

    Configuring LLDP LLDP-MED Configurations LLDP-MED Configurations With LLDP-MED configurations, you can: 1) Configure the LLDP-MED feature globally. 2) Enable and configure the LLDP-MED feature on the interface. Configuration Guidelines LLDP-MED is used together with Voice VLAN to implement VoIP access. Besides the configuration of the LLDP-MED feature, you also need to configure the Voice VLAN feature.
  • Page 661: Port Config

    Configuring LLDP LLDP-MED Configurations 3.1.2 Port Config Choose the menu LLDP > LLDP-MED > Policy Config to load the following page. Figure 3-2 LLDP-MED Port Config Follow these steps to enable LLDP-MED: 1) Select the desired port and enable LLDP-MED. Click Apply. 2) Click Detail to enter the following page.
  • Page 662 Configuring LLDP LLDP-MED Configurations Figure 3-3 LLDP-MED Port Config-Detail Network Policy Used to advertise VLAN configuration and the associated Layer 2 and Layer 3 attributes of the port to the Endpoint devices. Location Used to assign the location identifier information to the Endpoint devices. Identification If this option is selected, you can configure the emergency number or the detailed address of the Endpoint device in the Location Identification Parameters section.
  • Page 663: Using The Cli

    Configuring LLDP LLDP-MED Configurations Civic Address Configure the address of the audio device in the IETF defined address format. What: Specify the role type of the local device, DHCP Server, Switch or LLDP-MED Endpoint. Country Code: Enter the country code defined by ISO 3166, for example, CN, US. Language, Province/State etc.: Enter the regular details.
  • Page 664: Port Config

    Configuring LLDP LLDP-MED Configurations TTL Multiplier: Tx Delay: 2 seconds Initialization Delay: 2 seconds Trap Notification Interval: 5 seconds Fast-packet Count: LLDP-MED Fast Start Repeat Count: Switch(config)#end Switch#copy running-config startup-config 3.2.2 Port Config Select the desired port, enable LLDP-MED and select the TLVs (Type/Length/Value) included in the outgoing LLDP packets according to your needs.
  • Page 665 Configuring LLDP LLDP-MED Configurations Step 6 Return to Privileged EXEC Mode. Step 7 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable LLDP-MED on port 1/0/1 and configure the LLDP-MED TLVs included in the outgoing LLDP packets. Switch(config)#lldp Switch(config)#lldp med-fast-count 4 Switch(config)#interface gigabitEthernet 1/0/1...
  • Page 666 Configuring LLDP LLDP-MED Configurations LLDP-MED Status: Enabled TLV Status --- ------ Network Policy Location Identification Extended Power Via MDI Inventory Management Switch(config)#end Switch#copy running-config startup-config...
  • Page 667: Viewing Lldp Settings

    Configuring LLDP Viewing LLDP Settings Viewing LLDP Settings This chapter introduces how to view the LLDP settings on the local device. 4.1 Using GUI 4.1.1 Viewing LLDP Device Info Viewing the Local Info Choose the menu LLDP > Device Info > Local Info to load the following page. Figure 4-1 Local Info...
  • Page 668 Configuring LLDP Viewing LLDP Settings Follow these steps to view the local information: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs. Click Apply. 2) In the Local Info section, select the desired port and view its associated local device information.
  • Page 669 Configuring LLDP Viewing LLDP Settings Viewing the Neighbor Info Choose the menu LLDP > Device Info > Neighbor Info to load the following page. Figure 4-2 Neighbor Info Follow these steps to view the neighbor information: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs.
  • Page 670: Viewing Lldp Statistics

    Configuring LLDP Viewing LLDP Settings 4.1.2 Viewing LLDP Statistics Choose the menu LLDP > Device Statistics > Statistics Info to load the following page. Figure 4-3 Static Info Follow these steps to view LLDP statistics: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs.
  • Page 671: Using Cli

    Configuring LLDP Viewing LLDP Settings Transmit Total Displays the total number of the LLDP packets sent via the port. Receive Total Displays the total number of the LLDP packets received via the port. Discards Displays the total number of the LLDP packets discarded by the port. Errors Displays the total number of the error LLDP packets received via the port.
  • Page 672: Viewing Lldp-Med Settings

    Configuring LLDP Viewing LLDP-MED Settings Viewing LLDP-MED Settings Using GUI Viewing the Local Info Figure 5-1 LLDP-MED Local Info Follow these steps to view LLDP-MED local information: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs.
  • Page 673 Configuring LLDP Viewing LLDP-MED Settings Application Displays the supported applications of the local device. Type Unknown Policy Displays the unknown location settings included in the network policy TLV. Flag VLAN tagged Displays the VLAN Tag type of the applications, tagged or untagged. Media Policy Displays the 802.1Q VLAN ID of the port.
  • Page 674: Using Cli

    Configuring LLDP Viewing LLDP-MED Settings Application Displays the application type of the neighbor device. Type Location Data Displays the location type of the neighbor device. Format Power Type Displays the power type of the neighbor device. Information View more LLDP-MED details of the neighbor device. Using CLI Viewing the Local Info show lldp local-information interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port }...
  • Page 675: Configuration Example

    Configuring LLDP Configuration Example Configuration Example 6.1 Example for Configuring LLDP 6.1.1 Network Requirements The network administrator needs to view the information of the devices in the company network to know about the link situation and network topology so that he can troubleshoot the potential network faults in advance.
  • Page 676: Using Cli

    Configuring LLDP Configuration Example Figure 6-2 LLDP Global Config 2) Choose the menu LLDP > Basic Config > Port Config to load the following page. Set the Admin Status of port Gi1/0/1 to Tx&Rx, enable Notification Mode and configure all the TLVs included in the outgoing LLDP packets. Figure 6-3 LLDP Port Config 6.1.5 Using CLI 1) Enable LLDP globally and configure the corresponding parameters.
  • Page 677 Configuring LLDP Configuration Example Switch_A(config)#lldp timer tx-interval 30 tx-delay 2 reinit-delay 3 notify-interval 5 fast-count 3 2) Set the Admin Status of port Gi1/0/1 to Tx&Rx, enable Notification Mode and configure all the TLVs included in the outgoing LLDP packets. Switch_A#configure Switch_A(config)#interface gigabitEthernet 1/0/1 Switch_A(config-if)#lldp receive...
  • Page 678 Configuring LLDP Configuration Example Status ------ Port-Description System-Capability System-Description System-Name Management-Address Port-VLAN-ID Protocol-VLAN-ID VLAN-Name Link-Aggregation MAC-Physic Max-Frame-Size Power LLDP-MED Status: Disabled Status ------ Network Policy Location Identification Extended Power Via MDI Inventory Management View the Local Info Switch_A#show lldp local-information interface gigabitEthernet 1/0/1 LLDP local Information: gigabitEthernet 1/0/1: Chassis type:...
  • Page 679 Configuring LLDP Configuration Example TTL: System name: T1600G-28TS System description: JetStream 24-Port Gigabit L2 Managed Switch with 4 SFP Slots System capabilities supported: Bridge Router System capabilities enabled: Bridge Router Management address type: ipv4 Management address: 192.168.0.226 Management address interface type: IfIndex Management address interface ID: Management address OID: Port VLAN ID(PVID):...
  • Page 680 Hardware Revision: T1600G-28TS 2.0 Firmware Revision: Reserved Software Revision: 2.0.0 Build 20160905 Rel.74744(s) Serial Number: Reserved Manufacturer Name: TP-Link Model Name: T1600G-28TS 2.0 Asset ID: unknown View the Neighbor Info Switch_A#show lldp neighbor-information interface gigabitEthernet 1/0/1 LLDP Neighbor Information: gigabitEthernet 1/0/1:...
  • Page 681 Configuring LLDP Configuration Example System name: T1600G-52PS System description: JetStream 48-Port Gigabit Smart PoE Switch with 4 SFP Slots System capabilities supported: Bridge Router System capabilities enabled: Bridge Router Management address type: ipv4 Management address: 192.168.0.1 Management address interface type: IfIndex Management address interface ID: Management address OID:...
  • Page 682: Example For Configuring Lldp-Med

    Configuring LLDP Configuration Example Example for Configuring LLDP-MED 6.2.1 Network Requirements The marketing department needs to establish the voice conversation with the field office. They want to install IP phones in their office and meet the following requirements: Save the switch ports for more IP phones due to the limited number of the ports on the switch in the office;...
  • Page 683: Using The Gui

    Configuring LLDP Configuration Example 6.2.4 Using the GUI 1) Choose the menu VLAN > 802.1Q VLAN > VLAN Config to load the following page. Create VLAN 10, and name it as Voice VLAN. Figure 6-5 Creating a VLAN 2) Enable and configure the Voice VLAN. Choose the menu QoS >...
  • Page 684 Configuring LLDP Configuration Example Figure 6-7 Configuring Voice VLAN Mode on Port 1/0/1 Figure 6-8 Configuring Voice VLAN Mode on Port 1/0/2...
  • Page 685 Configuring LLDP Configuration Example Choose the menu VLAN > 802.1Q VLAN > VLAN Config to load the following page. Add port 1/0/2 to the Voice VLAN. Figure 6-9 Adding Port 1/0/2 to the Voice VLAN 3) Choose the LLDP > Basic Config > Global Config to load the following page and enable LLDP globally.
  • Page 686 Configuring LLDP Configuration Example Figure 6-12 LLDP-MED Port Config Click Detail in the Port 1/0/1 entry to configure TLVs included in the outgoing LLDP-MED packets. Figure 6-13 LLDP-MED Port Config-Detail In the Location Identification Parameters section, configure the detailed address of the IP phone.
  • Page 687: Using The Cli

    Configuring LLDP Configuration Example Figure 6-14 Configure the detailed address of the IP phone 6.2.5 Using the CLI 1) Create VLAN 10 and name it as Voice VLAN. Switch_A(config)#vlan 10 Switch_A(config-vlan)#name Voice_VLAN Switch_A(config)#voice vlan 10 2) Configure the Voice VLAN mode on port Gi1/0/1 as Auto. Switch_A(config)#interface gigabitEthernet 1/0/1 Switch_A(config-if)#switchport voice vlan mode auto Switch_A(config-if)#exit...
  • Page 688 Configuring LLDP Configuration Example Switch_A(config)#interface gigabitEthernet 1/0/2 Switch_A(config-if)#switchport voice vlan mode manual Switch_A(config-if)#switchport general allowed vlan 10 tagged Switch_A(config-if)#exit 4) Enable LLDP globally. Switch_A(config)#lldp 5) Configure the fast start count of LLDP-MED. The default is 4. Switch_A(config)# lldp med-fast-count 4 6) Enable the LLDP-MED on port Gi1/0/1.
  • Page 689 Configuring LLDP Configuration Example gigabitEthernet 1/0/1: Admin Status: TxRx SNMP Trap: Enabled Status ------ Port-Description System-Capability System-Description System-Name Management-Address Port-VLAN-ID Protocol-VLAN-ID VLAN-Name Link-Aggregation MAC-Physic Max-Frame-Size Power LLDP-MED Status: Enabled Status ------ Network Policy Location Identification Extended Power Via MDI Inventory Management View the local information: Switch_A#show lldp local-information interface gigabitEthernet 1/0/1 LLDP local Information:...
  • Page 690 Configuring LLDP Configuration Example Port ID type: Interface name Port ID: GigabitEthernet1/0/1 Port description: GigabitEthernet1/0/1 Interface TTL: System name: Switch System description: JetStream 24-Port Gigabit L2 Managed Switch with 4 SFP Slots System capabilities supported: Bridge Router System capabilities enabled: Bridge Router Management address type: ipv4...
  • Page 691 - Street: Keyuan Road - Name: South Building No.5 - Postal/Zip Code: 518057 Hardware Revision: T1600G-28TS 2.0 Firmware Revision: Reserved Software Revision: 1.0.1 Build 20151216 Rel.65850(s) Serial Number: Reserved Manufacturer Name: TP-Link Model Name: T1600G-28TS 2.0 Asset ID: unknown...
  • Page 692 Configuring LLDP Configuration Example View the neighbor information: Switch_A#show lldp neighbor-information interface gigabitEthernet 1/0/1 LLDP Neighbor Information: gigabitEthernet 1/0/1: Neighbor index 1: Chassis type: Network address Chassis ID: 192.168.1.117 Port ID type: Locally assigned Port ID: 64A0E714DC54:P1 Port description: SW PORT TTL: System name: SEP64A0E714DC54...
  • Page 693 Configuring LLDP Configuration Example PSE power supported: PSE power enabled: PSE pairs control ability: Maximum frame size: LLDP-MED Capabilities: Capabilities Network Policy Extended Power via MDI - PD Inventory Device Type: Endpoint Class III Application type: Voice Unknown policy: Tagged: VLAN ID: 4095 Layer 2 Priority:...
  • Page 694: Appendix: Default Parameters

    Configuring LLDP Appendix: Default Parameters Appendix: Default Parameters Default settings of LLDP are listed in the following tables. Default LLDP Settings Table 7-1 Default LLDP Settings Parameter Default Setting LLDP Disable LLDP Forward Message Disable Transmit Interval 30 seconds Hold Multiplier Transmit Delay 2 seconds Reinit Delay...
  • Page 695: Configuring Maintenance

    Part 22 Configuring Maintenance CHAPTERS 1. Maintenance 2. Monitoring the System 3. System Log Configurations 4. Diagnosing the Device 5. Diagnosing the Network 6. Example for Configuring Remote Log 7. Appendix: Default Parameters...
  • Page 696: Maintenance

    Configuring Maintenance Maintenance Maintenance Overview The maintenance module assembles various system tools for network troubleshooting. Supported Features The maintenance module includes system monitor, log, device diagnose, and network diagnose. System Monitor You can monitor the memory and the CPU utilizations of the switch. You can check system messages for debugging and network management.
  • Page 697: Monitoring The System

    Configuring Maintenance Monitoring the System Monitoring the System The system monitor configurations include: Monitoring the CPU; Monitoring the memory. Configuration Guidelines The CPU and memory utilizations should always be under 80%, and excessive use may result in switch malfunctions. For example, the switch fails to respond to management requests.
  • Page 698: Monitoring The Memory

    Configuring Maintenance Monitoring the System Click Monitor to enable the switch to monitor and display its CPU utilization rate every four seconds. 2.1.2 Monitoring the Memory Choose the menu Maintenance > System Monitor > Memory Monitor to load the following page.
  • Page 699: Using The Cli

    Configuring Maintenance Monitoring the System 2.2 Using the CLI 2.2.1 Monitoring the CPU In privileged EXEC mode or any other configuration mode, you can use the following command to view the CPU utilization: show cpu-utilization View the memory utilization of the switch in the last 5 seconds, 1 minute and 5 minutes. The following example shows how to monitor the CPU: Switch#show cpu-utilization Unit |...
  • Page 700: System Log Configurations

    Configuring Maintenance System Log Configurations System Log Configurations System log configurations include: Configuring the local log; Configuring the remote log; Backing up log files; Viewing the log table. Configuration Guidelines Logs are classified into the following eight levels. Messages of levels 0 to 4 mean the functionality of the switch is affected.
  • Page 701: Using The Gui

    Configuring Maintenance System Log Configurations 3.1 Using the GUI 3.1.1 Configuring the Local Log Choose the menu Maintenance > Log > Local Log to load the following page. Figure 3-1 Configuring the Local Log Follow these steps to configure the local log: 1) Select your desired channel and configure the corresponding severity and status.
  • Page 702: Configuring The Remote Log

    Configuring Maintenance System Log Configurations 3.1.2 Configuring the Remote Log Remote Log enables the switch to send system logs to a host. To display the logs, the host should run a log server that complies with the syslog standard. Choose the menu Maintenance > Log > Remote Log to load the following page. Figure 3-2 Configuring the Remote Log Follow these steps to configure remote log: 1) Select an entry to enable the status, and then set the host IP address and severity.
  • Page 703: Viewing The Log Table

    Configuring Maintenance System Log Configurations 3.1.4 Viewing the Log Table Choose the menu Maintenance > Log > Log Table to load the following page. Figure 3-4 Viewing the Log Table Select a module and a severity to view the corresponding log information. Time To get the exact time when the log event occurs, you need to configure the system time on the System >...
  • Page 704 Configuring Maintenance System Log Configurations Step 2 logging buffer The switch stores the system log messages to the RAM. And the information will be lost when the switch is restarted. You can view the logs with show logging buffer command. Step 3 logging buffer level level Specify the severity level of the log information that should be saved to the buffer.
  • Page 705: Configuring The Remote Log

    Configuring Maintenance System Log Configurations Switch(config)#logging file flash level 2 Switch(config)#show logging local-config Channel Level Status Sync-Periodic ------- ----- ------ ------------- Buffer enable Immediately Flash enable 10 hour(s) Monitor enable Immediately Switch(config)#end Switch#copy running-config startup-config 3.2.2 Configuring the Remote Log Remote Log enables the switch to send system logs to a host.
  • Page 706 Configuring Maintenance System Log Configurations The following example shows how to set the remote log on the switch. Enable log host 2, set its IP address as 192.168.0.148, and allow logs of levels 0 to 5 to be sent to the host: Switch#configure Switch(config)# logging host index 2 192.168.0.148 5 Switch(config)# show logging loghost...
  • Page 707: Diagnosing The Device

    Configuring Maintenance Diagnosing the Device Diagnosing the Device 4.1 Using the GUI Choose the menu Maintenance > Device Diagnose > Cable Test to load the following page. Figure 4-1 Diagnosing the Device 1) In the Port section, select your desired port for the test. 2) In the Result section, click Apply and check the test results.
  • Page 708: Using The Cli

    Configuring Maintenance Diagnosing the Device Error If the connection status is short, close or crosstalk, this field displays the length from the port to the trouble spot. The value is meaningful only when the cable is longer than 30 m. Using the CLI In privileged EXEC mode or any other configuration mode, you can use the following command to check the connection status of the cable that is connected to the switch.
  • Page 709: Diagnosing The Network

    Configuring Maintenance Diagnosing the Network Diagnosing the Network The configuration includes: Configuring the Ping Test; Configuring the Tracert Test. 5.1 Using the GUI 5.1.1 Configuring the Ping Test Choose the menu Maintenance > Network Diagnose > Ping to load the following page. Figure 5-1 Configuring the Ping Test Follow these steps to test the connectivity between the switch and another device in the network:...
  • Page 710: Configuring The Tracert Test

    Configuring Maintenance Diagnosing the Network Destination IP Enter the IP address of the destination node for Ping test. Both IPv4 and IPv6 are supported. Ping Times Enter the number of times to send test data for Ping test. We recommend that you keep the default 4 times.
  • Page 711: Using The Cli

    Configuring Maintenance Diagnosing the Network 5.2 Using the CLI 5.2.1 Configuring the Ping Test In privileged EXEC mode or any other configuration mode, you can use the following command to test the connectivity between the switch and one node of the network. ping [ ip | ipv6 ] { ip_addr } [ -n count ] [ -l count ] [ -i count ] Test the connectivity between the switch and destination device.
  • Page 712: Configuring The Tracert Test

    Configuring Maintenance Diagnosing the Network 5.2.2 Configuring the Tracert Test In privileged EXEC mode or any other configuration mode, you can use the following command to test the connectivity between the switch and routers along the path from the source to the destination: tracert [ ip | ipv6 ] ip_addr [ maxHops ] Test the connectivity of the gateways along the path from the source to the destination.
  • Page 713: Example For Configuring Remote Log

    Configuring Maintenance Example for Configuring Remote Log Example for Configuring Remote Log 6.1 Network Requirements The company network manager needs to monitor the network of department A for troubleshooting. Figure 6-1 Network Topology Switch Department A IP: 1.1.0.2/16 IP: 1.1.0.1/16 6.2 Configuration Scheme The network manager can configure the remote log to receive system logs from monitored devices.
  • Page 714: Using The Cli

    Configuring Maintenance Example for Configuring Remote Log Using the CLI Configure the remote log host. Switch#configure Switch(config)# logging host index 1 1.1.0.1 5 Switch(config)#end Switch#copy running-config startup-config Verify the Configurations Switch# show logging loghost Index Host-IP Severity Status ----- ------- -------- ------ 1.1.0.1...
  • Page 715: Appendix: Default Parameters

    Configuring Maintenance Appendix: Default Parameters Appendix: Default Parameters Default settings of maintenance are listed in the following tables. Table 7-1 Default Settings of Local Log Parameter Default Setting Status of Log Buffer Enabled Severity of Log Buffer Level_6 Sync-Periodic of Log Immediately Buffer Status of Log File...
  • Page 716 Part 23 Configuring SNMP & RMON CHAPTERS 1. SNMP Overview 2. SNMP Configurations 3. Notification Configurations 4. RMON Overview 5. RMON Configurations 6. Configuration Example 7. Appendix: Default Parameters...
  • Page 717: Snmp Overview

    Configuring SNMP & RMON SNMP Overview SNMP Overview SNMP (Simple Network Management Protocol) is a standard network management protocol, widely used on TCP/IP networks. It facilitates device management using NMS (Network Management System) software. With SNMP, network managers can view or modify network device information, and troubleshoot according to notifications sent by those devices in a timely manner.
  • Page 718: Snmp Configurations

    Configuring SNMP & RMON SNMP Configurations SNMP Configurations To complete the SNMP configuration, choose an SNMP version according to network requirements and supportability of the NMS software, and then follow these steps: Choose SNMPv3 1) Enable SNMP. 2) Create an SNMP view for managed objects. 3) Create an SNMP group, and specify the access rights.
  • Page 719: Using The Gui

    Configuring SNMP & RMON SNMP Configurations 2.1 Using the GUI 2.1.1 Enabling SNMP Choose the SNMP > SNMP Config > Global Config to load the following page. Figure 2-1 Global Config Follow these steps to configure SNMP globally: 1) In the Global Config section, enable SNMP. Click Apply. 2) In the Local Engine section, configure the local engine ID.
  • Page 720: Creating An Snmp Group

    Configuring SNMP & RMON SNMP Configurations Figure 2-2 SNMP View Set the view name and one MIB variable that is related to the view. Choose the view type and click Create to add the view entry. View Name Set the view name with 1 to 16 characters. A complete view consists of all MIB objects that have the same view name.
  • Page 721 Configuring SNMP & RMON SNMP Configurations Choose the menu SNMP > SNMP Config > SNMP Group to load the following page. Figure 2-3 SNMP Group Follow these steps to create an SNMP Group: 1) Set the group name and security model. If you choose SNMPv3 as the security model, you need to further configure security level.
  • Page 722: Creating Snmp Users

    Configuring SNMP & RMON SNMP Configurations Read View Choose a view to allow parameters to be viewed but not modified by the NMS. The view is necessary for any group. By default, the view is viewDefault. To modify parameters of a view, you need to add it to Write View. Write View Choose a view to allow parameters to be modified but not viewed by the NMS.
  • Page 723: Creating Snmp Communities

    Configuring SNMP & RMON SNMP Configurations Security Model Choose the SNMP version of the security model. The default is SNMPv1. The setting should be identical with that of the specified group. v1: The group’s security model is SNMPv1. v2c: In this mode, Community Name is used for authentication. You can configure Community Name on the SNMP Community.
  • Page 724: Using The Cli

    Configuring SNMP & RMON SNMP Configurations Choose the menu SNMP > SNMP Config > SNMP Community to load the following page. Figure 2-5 SNMP Community Set the community name, access rights and the related view. Click Create. Community Name Set the community name with 1 to 16 characters. For SNMPv1 and SNMPv2c, the community name match is used for authentication.
  • Page 725 Configuring SNMP & RMON SNMP Configurations Step 3 snmp-server engineID {[ local local-engineID ] [remote remote-engineID ]} (Optional) Configure the local engine ID and the remote engine ID. Enter the local engine ID with 10 to 64 hexadecimal digits. The ID must contain local-engineID: an even number of characters.
  • Page 726: Creating An Snmp View

    Configuring SNMP & RMON SNMP Configurations 0 Get-next PDUs 0 Set-request PDUs 0 SNMP packets output 0 Too big errors(Maximum packet size 1500) 0 No such name errors 0 Bad value errors 0 General errors 0 Response PDUs 0 Trap PDUs Switch(config)#show snmp-server engineID Local engine ID : 80002e5703000aeb132397 Remote engine ID: 123456789a...
  • Page 727: Creating An Snmp Group

    Configuring SNMP & RMON SNMP Configurations Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set a view to allow the NMS to manage all functions. Name the view as View: Switch#configure Switch(config)#snmp-server view View 1 include Switch(config)#show snmp-server view...
  • Page 728 Configuring SNMP & RMON SNMP Configurations Step 2 snmp-server group name [ smode {v1 | v2c | v3}] [ slev {noAuthNoPriv | authNoPriv | authPriv}] [ read read-view ] [ write write-view ] [ notify notify-view ] Set an SNMP group. Enter the group name with 1 to 16 characters.
  • Page 729: Creating Snmp Users

    Configuring SNMP & RMON SNMP Configurations 2.2.4 Creating SNMP Users Configure users of the SNMP group. Users belong to the group, and use the same security level and access rights as the group. Step 1 configure Enter global configuration mode. Step 2 snmp-server user name { local | remote } group-name [ smode { v1 | v2c | v3 }] [ slev { noAuthNoPriv | authNoPriv | authPriv }] [ cmode { none | MD5 | SHA }] [ cpwd confirm-pwd ] [...
  • Page 730: Creating Snmp Communities

    Configuring SNMP & RMON SNMP Configurations security level, SHA as the authentication algorithm, 1234 as the authentication password, DES as the privacy algorithm and 1234 as the privacy password: Switch#configure Switch(config)#snmp-server user admin remote nms-monitor smode v3 slev authPriv cmode SHA cpwd 1234 emode DES epwd 1234 Switch(config)#show snmp-server user No.
  • Page 731 Configuring SNMP & RMON SNMP Configurations Switch(config)#snmp-server community nms-monitor read-write View Switch(config)#show snmp-server community Index Name Type MIB-View ----- ---------------- ------------ -------- nms-monitor read-write View Switch(config)#end Switch#copy running-config startup-config...
  • Page 732: Notification Configurations

    Configuring SNMP & RMON Notification Configurations Notification Configurations With Notification enabled, the switch can send notifications to the NMS about important events relating to the device’s operation. This facilitates the monitoring and management of the NMS. Configuration Guidelines: To guarantee the communication between the switch and the NMS, ensure the switch and the NMS are able to reach one another.
  • Page 733 Configuring SNMP & RMON Notification Configurations IP Mode Choose an IP mode for the host, which should be coordinated with the IP Address. 2) Specify the user name or community name used by the NMS, and configure the security model and security level based on the settings of the user or community. User Name Specify the user name or community name used by the NMS.
  • Page 734: Using The Cli

    Configuring SNMP & RMON Notification Configurations Using the CLI 3.2.1 Configuring the Host Configure parameters of the NMS host and packet handling mechanism. Step 1 configure Enter global configuration mode. Step 2 snmp-server host ip udp-port user-name [smode { v1 | v2c | v3 }] [slev {noAuthNoPriv | authNoPriv | authPriv }] [type { trap | inform}] [retries retries ] [timeout timeout ] Configure parameters of the NMS host and packet handling mechanism.
  • Page 735: Enabling Snmp Notification

    Configuring SNMP & RMON Notification Configurations Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set the NMS host IP address as 172.168.1.222, UDP port as port 162, name used by the NMS as admin, security model as SNMPv3, security level as authPriv, notification type as Inform, retry times as 3, and the timeout interval as 100 seconds: Switch#configure...
  • Page 736 Configuring SNMP & RMON Notification Configurations Step 3 Return to privileged EXEC mode. Step 4 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure the switch to send linkup traps: Switch#configure Switch(config)#snmp-server traps snmp linkup Switch(config)#end Switch#copy running-config startup-config (Optional) Enabling the SNMP Extended trap...
  • Page 737 Configuring SNMP & RMON Notification Configurations Step 2 snmp-server traps { bandwidth-control | cpu | flash | lldp remtableschange | lldp topologychange | loopback-detection | storm-control | spanning-tree | memory } Configure parameters of extended traps supported on the switch. bandwidth-control: The trap is used to monitor whether the bandwidth has reached the limit that you have set.
  • Page 738 Configuring SNMP & RMON Notification Configurations (Optional) Enabling the DDM Trap Step 1 configure Enter global configuration mode. Step 2 snmp-server traps DDM [ create | delete ] Enable SNMP extended DDM-related traps. create: Enable DDM-created trap. It is sent when new DDM is created successfully. By default, it is disabled.
  • Page 739 Configuring SNMP & RMON Notification Configurations Step 3 Return to privileged EXEC mode. Step 4 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure the switch to enable all the SNMP DDM traps: Switch#configure Switch(config)#snmp-server traps DDM...
  • Page 740 Configuring SNMP & RMON Notification Configurations Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Configure notification traps on the specified ports. port/port-list: The number or the list of the Ethernet ports on which you want to configure notification traps.
  • Page 741: Rmon Overview

    Configuring SNMP & RMON RMON Overview RMON Overview RMON (Remote Network Monitoring) together with the SNMP system allows the network manager to monitor remote network devices efficiently. RMON reduces traffic flow between the NMS and managed devices, which is convenient for management in large networks.
  • Page 742: Rmon Configurations

    Configuring SNMP & RMON RMON Configurations RMON Configurations With RMON configurations, you can: configure the statistics group; configure the history group; configure the event group; configure the alarm group. Configuration Guidelines: To ensure that the NMS receives notifications normally, please complete configurations of SNMP and SNMP Notification before RMON configurations.
  • Page 743: Configuring History

    Configuring SNMP & RMON RMON Configurations Specify the entry ID, the port to be monitored, and the owner name of the entry. Set the entry as valid or underCreation, and click Create. Enter the ID of the entry. Port Click Choose to specify an Ethernet port to be monitored in the entry, or enter the port number in the format of 1/0/1.
  • Page 744: Configuring Event

    Configuring SNMP & RMON RMON Configurations Interval Set the sample interval from 10 to 3600 seconds; the default is 1800 seconds. Every history entry has its own timer. For the monitored port, the switch collects packet information and generates a record in every interval. Max Buckets Set the maximum number of records for the history entry.
  • Page 745: Configuring Alarm

    Configuring SNMP & RMON RMON Configurations Description Give a description to the event. Type Specify the action type of the event; then the switch will take the specified action to deal with the event. By default, the type is None. None: No action.
  • Page 746 Configuring SNMP & RMON RMON Configurations Variable Set the alarm variable to be monitored. The switch will monitor the specified variable in sample intervals and act in the set way when the alarm is triggered. The default variable is RecBytes. RecBytes: Total received bytes.
  • Page 747: Using The Cli

    Configuring SNMP & RMON RMON Configurations Alarm Type Specify the alarm type for the entry. By default, the alarm type is all. Rising: The alarm is triggered only when the sampled value exceeds the rising threshold. Falling: The alarm is triggered only when the sampled value is below the falling threshold.
  • Page 748: Configuring History

    Configuring SNMP & RMON RMON Configurations Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create two statistics entries on the switch to monitor port 1/0/1 and 1/0/2 respectively. The owner of the entry is monitor and the entry is valid: Switch#configure Switch(config)#rmon statistics 1 interface gigabitEthernet 1/0/1 owner monitor status valid...
  • Page 749: Configuring Event

    Configuring SNMP & RMON RMON Configurations Step 3 show rmon history [ index ] Displays the specified history entry and related configurations. index: Enter the index of history entries that you want to view. The range is 1 to 12, and the format is 1-3 or 5.
  • Page 750 Configuring SNMP & RMON RMON Configurations Step 2 rmon event index [ user user-name ] [ description description ] [ type { none | log | notify | log-notify }] [ owner owner-name ] Configure RMON event entries. index: Enter the index of the event entry from 1 to 12 in the format of 1-3 or 5. Enter the SNMP user name or community name of the entry.
  • Page 751: Configuring Alarm

    Configuring SNMP & RMON RMON Configurations 5.2.4 Configuring Alarm Step 1 configure Enter global configuration mode. Step 2 rmon alarm index { stats-index sindex } [ alarm-variable { revbyte | revpkt | bpkt | mpkt | crc- align | undersize | oversize | jabber | collision | 64 | 65-127 | 128-255 | 256-511 | 512-1023 | 1024-10240}] [ s-type {absolute | delta}] [ rising-threshold r-hold ] [ rising-event-index r-event ] [ falling-threshold f-hold ] [ falling-event-index f-event ] [ a-type {rise | fall | all} ] [ owner owner-name ] [ interval interval ]...
  • Page 752 Configuring SNMP & RMON RMON Configurations Step 3 show rmon alarm [ index ] Displays the specified alarm entry and related configurations. index: Enter the index of alarm entries that you want to view. The range is 1 to 12, and the format is 1-3 or 5.
  • Page 753: Configuration Example

    Configuration Example Configuration Example 6.1 Network Requirements A company that deploys NMS to monitor the operation status of TP-Link switches has requirements as follows: 1) Monitor traffic flow of specified ports, and send notifications to the NMS when the actual rate of transmitting and receiving packets exceeds the preset threshold.
  • Page 754: Network Topology

    Configuring SNMP & RMON Configuration Example Network Topology As shown in the following figure, the NMS host with IP address 172.168.1.222 is connected to the core switch, Switch B. On Switch A, ports 1/0/1 and 1/0/2 are monitored by the NMS; port 1/0/3 is connected to Switch B.
  • Page 755 Configuring SNMP & RMON Configuration Example Figure 6-2 Enabling SNMP 2) Choose SNMP > SNMP Config > SNMP View to load the following page. Name the SNMP view as View, set MIB Object ID as 1 (which means all functions), and set the view type as Include.
  • Page 756 Configuring SNMP & RMON Configuration Example Figure 6-4 SNMP Group Configuration 4) Choose SNMP > SNMP Config > SNMP User to load the following page. Create a user named admin for the NMS, set the user type as Remote User and specify the group name.
  • Page 757 Configuring SNMP & RMON Configuration Example Figure 6-6 Notification Configuration 6) Click Save Config to save the settings. Enabling Bandwidth-control Trap The feature can be configured only with the CLI. You can enter the following commands under the CLI configuration mode: Switch>enable Enter Privileged EXEC Mode.
  • Page 758 Configuring SNMP & RMON Configuration Example Figure 6-8 Configuring Entry 2 2) Choose the menu SNMP > RMON > History to load the following page. Configure entries 1 and 2. Bind entries 1 and 2 to ports 1/0/1 and 1/0/2 respectively, and set the Interval as 100 seconds, Max Buckets as 50, the owner of the entries as monitor, and the status as Enable.
  • Page 759: Using The Cli

    Configuring SNMP & RMON Configuration Example Figure 6-10 Event Configuration 4) Choose SNMP > RMON > Alarm to load the following page. Configure entries 1 and 2. For entry 1, set the alarm variable as BPackets, related statistics entry ID as 1 (bound to port 1/0/1), the sample type as Absolute, the rising threshold as 3000, associated rising event entry ID as 1 (which is the notify type), the falling threshold as 2000, the associated falling event entry ID as 2 (which is the log type), the alarm type as all, the...
  • Page 760 Configuring SNMP & RMON Configuration Example Configuring SNMP 1) Enable SNMP and specify the remote engine ID. Switch#configure Switch(config)#snmp-server Switch(config)#snmp-server engineID remote 123456789a 2) Create a view with the name View; set the MIB Object ID as 1 (which represents all functions), and the view type as Include.
  • Page 761 Configuring SNMP & RMON Configuration Example Switch(config)#rmon history 2 interface gigabitEthernet 1/0/2 interval 100 owner monitor buckets 50 3) Create two event entries named admin, which is the SNMP user name. Set entry 1 as the Notify type and its description as “rising notify”. Set entry 2 as the Log type and its description as “falling log”.
  • Page 762 Configuring SNMP & RMON Configuration Example 0 Too big errors(Maximum packet size 1500) 0 No such name errors 0 Bad value errors 0 General errors 0 Response PDUs 0 Trap PDUs Verify SNMP engine ID: Switch(config)#show snmp-server engineID Local engine ID : 80002e5703000aeb132397 Remote engine ID: 123456789a Verify SNMP view configurations: Switch(config)#show snmp-server view...
  • Page 763 Configuring SNMP & RMON Configuration Example No. U-Name U-Type G-Name S-Mode S-Lev A-Mode P-Mode --- ----------- ------ ------ ------ ----- ------ ------ admin remote nms-monitor authPriv Verify SNMP host configurations: Switch(config)#show snmp-server host No. Des-IP Name SecMode SecLev Type Retry Timeout --- ---------------- ----- -------- --------- ---------- ------- -----...
  • Page 764 Configuring SNMP & RMON Configuration Example Verify RMON alarm configurations: Switch(config)#show rmon alarm Index-State: 1-Enabled Statistics index: 1 Alarm variable: BPkt Sample Type: Absolute RHold-REvent: 3000-1 FHold-FEvent: 2000-2 Alarm startup: Interval: Owner: monitor Index-State: 2-Enabled Statistics index: 2 Alarm variable: BPkt Sample Type: Absolute...
  • Page 765: Appendix: Default Parameters

    Configuring SNMP & RMON Appendix: Default Parameters Appendix: Default Parameters Default settings of SNMP are listed in the following table. Table 7-1 Default Global Config Settings Parameter Default Setting SNMP Disable Local Engine ID Automatically Remote Engine ID None Table 7-2 Default SNMP View Settings Parameter Default Setting...
  • Page 766 Configuring SNMP & RMON Appendix: Default Parameters Table 7-5 Default User Settings Parameter Default Setting User Name None User Type Local User Group Name None Security Model Security Level noAuthNoPriv Auth Mode None Auth Password None Privacy Mode None Privacy Password None Table 7-6 Default Community Settings...
  • Page 767 Configuring SNMP & RMON Appendix: Default Parameters Table 7-8 Default Statistics Config Settings Parameter Default Setting None Port None Owner None IP Mode valid Table 7-9 Default Settings for History Entries Parameter Default Setting Port 1/0/1 Interval 1800 seconds Max Buckets Owner monitor Status...
  • Page 768 Configuring SNMP & RMON Appendix: Default Parameters Parameter Default Setting Status Disable Configuration Guide...
  • Page 769: Fcc Statement

    Specifications are subject to change without notice. is a registered trademark of TP-Link Technologies Co., Ltd. Other brands and product names are trademarks or registered trademarks of their respective holders. No part of the specifications may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from TP-Link Technologies Co., Ltd.
  • Page 770: Bsmi Notice

    If you need service, please contact us. Avoid water and wet locations. CE DOC TP-Link hereby declares that the device is in compliance with the essential requirements and other relevant provisions of directives 2014/30/EU, 2014/35/EU, 2009/125/EC and 2011/65/EU.
  • Page 771 Explanation of the symbols on the product label Symbol Explanation AC voltage Indoor use only RECYCLING This product bears the selective sorting symbol for Waste electrical and electronic equipment (WEEE). This means that this product must be handled pursuant to European directive 2012/19/EU in order to be recycled or dismantled to minimize its impact on the environment.
