Specifications are subject to change without notice. is a registered trademark of TP-LINK TECHNOLOGIES CO., LTD. Other brands and product names are trademarks or registered trademarks of their respective holders. No part of the specifications may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from TP-LINK TECHNOLOGIES CO., LTD.
The product is certified in accordance with the rules of the UkrSEPRO system for compliance with the requirements of regulatory documents and the requirements stipulated by the current legislative acts of Ukraine. Industry Canada Statement CAN ICES-3 (A)/NMB-3(A) Safety Information When product has power button, the power button is one of the ways to shut off the ...
One power cord One console cable Two mounting brackets and other fittings Installation Guide Resource CD for T2500G-10TS switch, including: This User Guide • The CLI Reference Guide • SNMP Mibs • 802.1X Client Software •...
Chapter 1 About This Guide This User Guide contains information for setup and management of T2500G-10TS switch. Please read this guide carefully before operation. 1.1 Intended Readers This Guide is intended for network managers familiar with IT concepts and network terminologies.
The Installation Guide (IG) can be found where you find this guide or inside the package of the switch. Specifications can be found on the product page at http://www.tp-link.com. A Technical Support Forum is provided for you to discuss our products at ...
Chapter Introduction Chapter 6 VLAN This module is used to configure VLANs to control broadcast in LANs. It mainly introduces: 802.1Q VLAN: Configure port-based VLAN. MAC VLAN: Configure MAC-based VLAN without changing the 802.1Q VLAN configuration. Protocol VLAN: Create VLANs in application layer to make ...
Chapter Introduction Chapter 10 QoS This module is used to configure the QoS function to provide different quality of service for various network applications and requirements. It mainly introduces: DiffServ: Configure priorities, port priority, 802.1P priority and DSCP priority. Bandwidth Control: Configure rate limit feature to control the ...
Chapter Introduction Chapter 14 LLDP This module is used to configure the LLDP function to provide information for SNMP applications to simplify troubleshooting. It mainly introduces: Basic Config: Configure the LLDP parameters of the device. Device Info: View the LLDP information of the local device ...
Link aggregation (LACP) increases aggregated bandwidth, optimizing the transport of business critical data. SNMP, RMON, WEB/Telnet/SSH Log-in bring abundant management policies. T2500G-10TS switch integrates multiple functions with excellent performance, and is friendly to manage, which can fully meet the need of the users demanding higher networking performance.
10/100/1000Mbps RJ45 Ports: Designed to connect to the device with a bandwidth of 10Mbps, 100Mbps or 1000Mbps. Each 10/100/1000Mbps RJ45 port has a corresponding 10/100/1000M LED. SFP Ports: Designed to install the SFP module. T2500G-10TS features 2 individual SFP ports and supports 1000M SFP module connection only. 2.2.2 Rear Panel The rear panel of T2500G-10TS features a power socket and a Grounding Terminal (marked with ).
Chapter 3 Login to the Switch 3.1 Login 1. To access the configuration utility, open a web-browser and type in the default address http://192.168.0.1 in the address field of the browser, then press the Enter key. Figure 3-1 Web-browser Tips: To log in to the switch, the IP address of your PC should be set in the same subnet as the switch.
Figure 3-3 Main Setup-Menu Note: Clicking Apply makes the new configurations effective only until the switch is rebooted. If you want to keep the configurations effective even after the switch is rebooted, please click Save Config. You are advised to click Save Config before cutting off the power or rebooting the switch to avoid losing the new configurations.
Chapter 4 System The System module is mainly for system configuration of the switch, including four submenus: System Info, User Management, System Tools and Access Security. 4.1 System Info The System Info, mainly for basic properties configuration, can be implemented on System Summary, Device Description, System Time, Daylight Saving Time, System IP and System IPv6 pages.
Indicates the 1000Mbps port is at the speed of 10Mbps or 100Mbps. Indicates the SFP port is not connected to a device. Indicates the SFP port is at the speed of 1000Mbps. When the cursor moves on the port, the detailed information of the port will be displayed. Figure 4-2 Port Information Port Info ...
4.1.2 Device Description On this page you can configure the description of the switch, including device name, device location and system contact. Choose the menu System→System Info→Device Description to load the following page. Figure 4-4 Device Description The following entries are displayed on this screen: Device Description ...
The following entries are displayed on this screen: Time Info Current System Date: Displays the current date and time of the switch. Current Time Source: Displays the current time source of the switch. Time Config Manual: When this option is selected, you can set the date and time manually.
Figure 4-6 Daylight Saving Time The following entries are displayed on this screen: DST Config DST Status: Enable or Disable DST. Predefined Mode: Select a predefined DST configuration: USA: Second Sunday in March, 02:00 – First Sunday in November, 02:00.
Note: When the DST is disabled, the predefined mode, recurring mode and date mode cannot be configured. When the DST is enabled, the default daylight saving time is of Europe in predefined mode. 4.1.5 System IP Each device in the network possesses a unique IP Address. You can log on to the Web management page to operate the switch using this IP Address.
Subnet Mask: Enter the subnet mask of the switch. Default Gateway: Enter the default gateway of the switch. Note: Changing the IP address to a different IP segment will interrupt the network communication, so please keep the new IP address in the same IP segment with the local network.
5. Automatic address configuration: To simplify the host configuration, IPv6 supports stateful and stateless address configuration. Stateful address configuration means that a host acquires an IPv6 address and related information from a server (for example, DHCP server). Stateless address configuration means that a host automatically configures an IPv6 ...
An IPv6 address prefix is represented in "IPv6 address/prefix length" format, where "IPv6 address" is an IPv6 address in any of the above-mentioned formats and "prefix length" is a decimal number indicating how many leftmost bits from the preceding IPv6 address are used as the address prefix.
IPv6 unicast address can be classified into several types, including global unicast address, link-local address, and site-local address. The two most common types are introduced below: Global unicast address A Global unicast address is an IPv6 unicast address that is globally unique and is routable on the global Internet.
can use link-local addresses to communicate; the nodes do not need globally unique addresses to communicate. The figure below shows the structure of a link-local address. Figure 4-9 Address Format Link-local IPv6 devices must not forward packets that have link-local source or destination addresses to other links.
solicitation message with an unspecified source address and a tentative link-local address in the body of the message. If another node is already using that address, the node returns a neighbor advertisement message that contains the tentative link-local address. If another node is simultaneously verifying the uniqueness of the same address, that node also returns a neighbor solicitation message.
A value of 137 in the type field of the ICMP packet header identifies an IPv6 neighbor redirect message. Devices send neighbor redirect messages to inform hosts of better first-hop nodes on the path to a destination. A device will send an IPv6 ICMP redirect message when the following conditions are satisfied: The receiving interface is the forwarding interface.
The following entries are displayed on this screen: Global Config IPv6: Enable/Disable IPv6 function globally on the Switch. Link-local Address Config Config Mode: Select the link-local address configuration mode. Manual: When this option is selected, you should assign a ...
Global address Table Select: Select the desired entry to delete or modify the corresponding global address. Global Address: Modify the global address. Prefix Length: Modify the prefix length of the global address. Type: Displays the configuration mode of the global address. Manual: Indicates that the corresponding address is ...
4.2.2 User Config On this page you can configure the access level of the user to log on to the Web management page. The switch provides four access levels: Admin, Operator, Power User and User. “Admin” means that you can edit, modify and view all the settings of different functions. “Operator” means that you can edit, modify and view most of the settings of different functions.
User Table Select: Select the desired entry to delete the corresponding user information. It is multi-optional. The current user information can’t be deleted. User ID, Name and Access Level: Displays the current user ID, user name and access level. Operation: Click the Edit button of the desired entry, and you can edit the corresponding user information.
4.3.2 Config Restore On this page you can upload a backup configuration file to restore your switch to this previous configuration. Choose the menu System→System Tools→Config Restore to load the following page. Figure 4-14 Config Restore The following entries are displayed on this screen: Config Restore ...
4.3.4 Firmware Upgrade The switch system can be upgraded via the Web management page. To upgrade the system is to get more functions and better performance. Go to http://www.tp-link.com to download the updated firmware. Choose the menu System→System Tools→Firmware Upgrade to load the following page.
Choose the menu System→System Tools→System Reboot to load the following page. Figure 4-17 System Reboot Note: To avoid damage, please don't turn off the device while rebooting. 4.3.6 System Reset On this page you can reset the switch to the default. All the settings will be cleared after the switch is reset.
Choose the menu System→Access Security→Access Control to load the following page. Figure 4-19 Access Control The following entries are displayed on this screen: Access Control Config Control Mode: Select the control mode for users to log on to the Web management page.
Choose the menu System→Access Security→HTTP Config to load the following page. Figure 4-20 HTTP Config The following entries are displayed on this screen Global Config HTTP: Select Enable/Disable the HTTP function on the switch. Session Config Session Timeout: If you do nothing with the Web management page within the timeout time, the system will log out automatically.
Maintain the integrity of the data to prevent the data from being altered in transmission. Adopting asymmetric encryption technology, SSL uses a key pair to encrypt/decrypt information. A key pair refers to a public key (contained in the certificate) and its corresponding private key.
Choose the menu System→Access Security→HTTPS Config to load the following page. Figure 4-21 HTTPS Config The following entries are displayed on this screen Global Config HTTPS: Select Enable/Disable the HTTPS function on the switch. SSL Version 3: Enable or Disable Secure Sockets Layer Version 3.0. By default, it’s enabled.
CipherSuite Config RSA_WITH_RC4_128_MD5: Key exchange with RC4 128-bit encryption and MD5 for message digest. By default, it’s enabled. RSA_WITH_RC4_128_SHA: Key exchange with RC4 128-bit encryption and SHA for message digest. By default, it’s enabled. RSA_WITH_DES_CBC_SHA: Key exchange with DES-CBC for message encryption and SHA for message digest.
4.4.4 SSH Config As stipulated by the IETF (Internet Engineering Task Force), SSH (Secure Shell) is a security protocol established on the application and transport layers. An SSH-encrypted connection is similar to a telnet connection, but the old telnet remote management method is not safe, because the password and data are transmitted in plain text and can be easily intercepted.
The following entries are displayed on this screen Global Config SSH: Select Enable/Disable SSH function. Protocol V1: Select Enable/Disable SSH V1 to be the supported protocol. Protocol V2: Select Enable/Disable SSH V2 to be the supported protocol. Idle Timeout: Specify the idle timeout time.
Key Download Key Type: Select the type of SSH Key to download. The switch supports two types: SSH-2 RSA/DSA and SSH-1 RSA. Key File: Please ensure the key length of the downloaded file is in the range of 512 to 3072 bits. Download: Click the Download button to download the desired key file to the switch.
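A pre-upload check for the key-length limit given under Key File, as an added example that is not from the TP-LINK guide: it reads an SSH-2 public key file and reports the key size against the 512 to 3072 bit range. The RFC 4716 and OpenSSH one-line file layouts, the 2048-bit policy floor and the constructed sample keys are assumptions of this example.

```python
import base64
import struct

SWITCH_MIN_BITS = 512     # range stated for the Key File field on this page
SWITCH_MAX_BITS = 3072
POLICY_MIN_BITS = 2048    # assumption: local policy floor, not from the guide


def read_string(buf, off):
    """Read one length-prefixed SSH 'string' field; return (bytes, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("field runs past end of key blob")
    return buf[off:off + length], off + length


def extract_blob(text):
    """Return the binary key blob from RFC 4716 or OpenSSH one-line text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty key file")
    if lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY"):
        body, continued = [], False
        for ln in lines[1:]:
            if ln.startswith("---- END"):
                break
            if continued or ":" in ln:        # header line or its continuation
                continued = ln.endswith("\\")
                continue
            body.append(ln)
        b64 = "".join(body)
    else:
        parts = lines[0].split()
        if len(parts) < 2:
            raise ValueError("expected '<type> <base64> [comment]'")
        b64 = parts[1]
    return base64.b64decode(b64, validate=True)


def key_bits(blob):
    """Return (algorithm, size in bits) for an ssh-rsa or ssh-dss key blob."""
    algo_raw, off = read_string(blob, 0)
    algo = algo_raw.decode("ascii", "replace")
    if algo == "ssh-rsa":                     # fields: e, then modulus n
        _e, off = read_string(blob, off)
        n, _ = read_string(blob, off)
        return algo, int.from_bytes(n, "big").bit_length()
    if algo == "ssh-dss":                     # fields: p, q, g, y; size is |p|
        p, _ = read_string(blob, off)
        return algo, int.from_bytes(p, "big").bit_length()
    raise ValueError(f"unsupported key type {algo!r}")


def audit_public_key(text):
    """Check a public key file against the switch range and the policy floor."""
    algo, bits = key_bits(extract_blob(text))
    accepted = SWITCH_MIN_BITS <= bits <= SWITCH_MAX_BITS
    findings = []
    if not accepted:
        findings.append("outside the 512-3072 bit range the switch accepts")
    if bits < POLICY_MIN_BITS:
        findings.append(f"below the {POLICY_MIN_BITS}-bit policy floor")
    return {"algo": algo, "bits": bits,
            "accepted_by_switch": accepted, "findings": findings}


def mpint(value):
    """Encode a positive integer as an SSH mpint (leading 0 byte if needed)."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def constructed_rsa_key(bits, rfc4716=False):
    """Build a CONSTRUCTED sample key file: right bit length, not a real key."""
    n = (1 << (bits - 1)) | 1
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint(n)
    b64 = base64.b64encode(blob).decode()
    if rfc4716:
        wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
        return ("---- BEGIN SSH2 PUBLIC KEY ----\n"
                'Comment: "constructed-sample"\n'
                f"{wrapped}\n---- END SSH2 PUBLIC KEY ----\n")
    return f"ssh-rsa {b64} constructed-sample"


if __name__ == "__main__":
    for size in (1024, 2048, 4096):
        print(audit_public_key(constructed_rsa_key(size, rfc4716=True)))
```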
2. Click the Open button in the above figure to log on to the switch. Enter the login user name and password, and then you can continue to configure the switch. Application Example 2 for SSH: Network Requirements 1. Log on to the switch via key authentication using SSH and the SSH function is enabled on the switch.
During the key generation, randomly moving the mouse quickly can accelerate the key generation. 2. After the key is successfully generated, please save the public key and private key to the computer. 3. On the Web management page of the switch, download the public key file saved in the computer to the switch.
4. After the public key and private key are downloaded, please log on to the interface of PuTTY and enter the IP address for login. 5. Click Browse to download the private key file to SSH client software and click Open.
After successful authentication, please enter the login user name. If you log on to the switch without entering a password, it indicates that the key has been successfully downloaded. 4.4.5 Telnet Config On this page you can Enable/Disable Telnet function globally on the switch. Choose the menu System→Access Security→Telnet Config to load the following page.
Chapter 5 Switching Switching module is used to configure the basic functions of the switch, including four submenus: Port, DDM, LAG, Traffic Monitor and MAC Address. 5.1 Port The Port function, allowing you to configure the basic features for the port, is implemented on the Port Config, Port Mirror, Port Security, Port Isolation and Loopback Detection pages.
Status: Allows you to Enable/Disable the port. When Enable is selected, the port can forward the packets normally. Speed and Duplex: Select the Speed and Duplex mode for the port. The device connected to the switch should be in the same Speed and Duplex mode with the switch.
Mirroring: Displays the mirroring port number. Mode: Displays the mirror mode. The value will be "Ingress" or "Egress". Mirrored Port: Displays the mirrored ports. Operation: You can configure the mirror group by clicking Edit. Click Edit to display the following figure. Figure 5-3 Port Mirror Config The following entries are displayed on this screen: Mirror Group...
Ingress: Select Enable/Disable the Ingress feature. When the Ingress is enabled, the incoming packets received by the mirrored port will be copied to the mirroring port. Egress: Select Enable/Disable the Egress feature. When the Egress is enabled, the outgoing packets sent by the mirrored port will be copied to the mirroring port.
Choose the menu Switching→Port→Port Security to load the following page. Figure 5-4 Port Security The following entries are displayed on this screen: Port Security Select: Select the desired port for Port Security configuration. It is multi-optional. Port: Displays the port number. Max Learned MAC: Specify the maximum number of MAC addresses that can be learned on the port.
Note: The Port Security function is disabled for the LAG port member. Only after the port is removed from the LAG will the Port Security function be available for the port. The Port Security function is disabled when the 802.1X function is enabled. 5.1.4 Port Isolation Port Isolation provides a method of restricting traffic flow to improve the network security by forbidding the port to forward packets to the ports that are not on its forward portlist.
5.1.5 Loopback Detection With loopback detection feature enabled, the switch can detect loops using loopback detection packets. When a loop is detected, the switch will display an alert or further block the corresponding port according to the port configuration. Choose the menu Switching→Port→LoopbackDetection to load the following page. Figure 5-6 Loopback Detection Config The following entries are displayed on this screen: Global Config...
Port Config Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered. Select: Select the desired port for Loopback Detection configuration. It is multi-optional. Port: Displays the port number. Status: Enable or disable Loopback Detection function for the port. Operation Mode: Select the mode how the switch processes the detected loops.
It’s not suggested to add the ports with ARP Inspection and DoS Defend enabled to the LAG. If the LAG is needed, you are suggested to configure the LAG function here before configuring the other functions for the member ports. Tips: Calculate the bandwidth for a LAG: If a LAG consists of the four ports in the speed of 1000Mbps Full Duplex, the whole bandwidth of the LAG is up to 8000Mbps (2000Mbps * 4)
LAG Table Select: Select the desired LAG. It is multi-optional. Group Number: Displays the LAG number here. Description: Displays the description of LAG. Member: Displays the LAG member. Operation: Allows you to view or modify the information for each LAG. Edit: Click to modify the settings of the LAG.
The following entries are displayed on this screen: LAG Config Group Number: Select a Group Number for the LAG. Description: Give a description to the LAG for identification. LAG Table Member Port: Select the port as the LAG member. Clearing all the ports of the LAG will delete this LAG.
Choose the menu Switching→LAG→LACP Config to load the following page. Figure 5-10 LACP Config The following entries are displayed on this screen: Global Config System Priority: Specify the system priority for the switch. The system priority and MAC address constitute the system identification (ID). A lower system priority value indicates a higher system priority.
Status: Enable/Disable the LACP feature for your selected port. LAG: Displays the LAG number which the port belongs to. 5.3 Traffic Monitor The Traffic Monitor function, monitoring the traffic of each port, is implemented on the Traffic Summary and Traffic Statistics pages. 5.3.1 Traffic Summary Traffic Summary screen displays the traffic information of each port, which helps you monitor the traffic and analyze network anomalies.
Packets Tx: Displays the number of packets transmitted on the port. Octets Rx: Displays the number of octets received on the port. The error octets are counted in. Octets Tx: Displays the number of octets transmitted on the port. Statistics: Click the Statistics button to view the detailed traffic statistics of the port.
Broadcast: Displays the number of good broadcast packets received or transmitted on the port. The error frames are not counted in. Multicast: Displays the number of good multicast packets received or transmitted on the port. The error frames are not counted in. Unicast: Displays the number of good unicast packets received or transmitted on the port.
The types and the features of the MAC Address Table are listed as the following: Being kept after reboot Relationship between the bound Configuration Aging Type MAC address and the port (if the configuration is saved) Static Manually The bound MAC address cannot Address configuring be learned by the other ports in the...
The following entries are displayed on this screen: Search Option MAC Address: Enter the MAC address of your desired entry. VLAN ID: Enter the VLAN ID of your desired entry. Port: Select the corresponding port number of your desired entry. Type: Select the type of your desired entry.
Choose the menu Switching→MAC Address→Static Address to load the following page. Figure 5-14 Static Address The following entries are displayed on this screen: Create Static Address MAC Address: Enter the static MAC Address to be bound. VLAN ID: Enter the corresponding VLAN ID of the MAC address. Port: Select a port from the pull-down list to be bound.
Port: Displays the corresponding Port number of the MAC address. Here you can modify the port number to which the MAC address is bound. The new port should be in the same VLAN. Type: Displays the Type of the MAC address. Aging Status: Displays the Aging Status of the MAC address.
Figure 5-15 Dynamic Address The following entries are displayed on this screen: Aging Config Auto Aging: Allows you to Enable/Disable the Auto Aging feature. Aging Time: Enter the Aging Time for the dynamic address. Search Option Search Option: Select a Search Option from the pull-down list and click the Search button to find your desired entry in the Dynamic Address Table.
Tips: Setting aging time properly helps implement effective MAC address aging. An aging time that is too long or too short decreases the performance of the switch. If the aging time is too long, excessive invalid MAC address entries maintained by the switch may fill up the MAC address table.
Filtering Address Table Select: Select the entry to delete the corresponding filtering address. It is multi-optional. MAC Address: Displays the filtering MAC Address. VLAN ID: Displays the corresponding VLAN ID. Port: Here the symbol “__” indicates no specified port. Type: Displays the Type of the MAC address.
Figure 5-1 A Typical L2PT Topology 5.5.1 L2PT Config Choose the menu Switching→L2PT→L2PT Config to load the following page. Figure 5-2 L2PT Config Configuration Procedure: 1) Enable the Layer 2 Protocol Tunneling globally under Global Config. 2) Configure the tunneling and protocol type on the specified port under Port Config. 3) Click Apply to save your configurations.
Select: Specify the port(s) to configure its L2PT feature. It is multi-optional. Type: Choose the port type according to its connecting device in the network. • None: Disable the L2PT on this port. • UNI: Specify the port’s type as UNI if it is connecting to the user’s local network.
Chapter 6 VLAN The traditional Ethernet is a data network communication technology based on CSMA/CD (Carrier Sense Multiple Access/Collision Detect) via a shared communication medium. In a traditional Ethernet, an excessive number of hosts in a LAN will result in serious collision, flooding broadcasts, poor performance or even breakdown of the Internet. Though connecting the LANs through switches can avoid the serious collision, the flooding broadcasts cannot be prevented, which will occupy plenty of bandwidth resources, causing potential serious security problems.
segment. This switch supports three ways, namely, 802.1Q VLAN, MAC VLAN and Protocol VLAN, to classify VLANs. VLAN tags in the packets are necessary for the switch to identify packets of different VLANs. The switch can analyze the received untagged packets on the port and match the packets with the MAC VLAN, Protocol VLAN and 802.1Q VLAN in turn.
1. ACCESS: The ACCESS port can be added in a single VLAN, and the egress rule of the port is UNTAG. The PVID is same as the current VLAN ID. If the ACCESS port is added to another VLAN, it will be removed from the current VLAN automatically. 2.
Receiving Packets Port Type Forwarding Packets Untagged Packets Tagged Packets If the VID of packet is the same as the PVID of the port, the packet will be received. The packet will be forwarded Access after removing its VLAN tag. If the VID of packet is not the same as the PVID of When untagged...
Select: Select the desired entry to delete the corresponding VLAN. It is multi-optional. VLAN ID: Displays the ID number of VLAN. Name: Displays the user-defined name of VLAN. Members: Displays the port members in the VLAN. Operation: Allows you to view or modify the information for each entry. Edit: Click to modify the settings of VLAN.
VLAN Members Port Select: Click the Select button to quick-select the corresponding entry based on the port number you entered. Select: Select the desired port to be a member of VLAN or leave it blank. It's multi-optional. Port: Displays the port number. Link Type: Displays the Link Type of the port.
Select: Select the desired port for configuration. It is multi-optional. Port: Displays the port number. Link Type: Select the Link Type from the pull-down list for the port. • ACCESS: The ACCESS port can be added in a single VLAN, and the egress rule of the port is UNTAG.
Configuration Procedure: Step Operation Description Set the link type for port. Required. On the VLAN→802.1Q VLAN→Port Config page, set the link type for the port based on its connected device. Create VLAN. Required. On the VLAN→802.1Q VLAN→VLAN Config page, click the Create button to create a VLAN. Enter the VLAN ID and the description for the VLAN.
Choose the menu VLAN→MAC VLAN to load the following page. Figure 6-7 Create and View MAC VLAN The following entries are displayed on this screen: VLAN Table MAC Address: Enter the MAC address. Description: Give a description to the MAC address for identification. VLAN ID: Enter the ID number of the MAC VLAN.
Create MAC VLAN. Required. On the VLAN→MAC VLAN page, create the MAC VLAN. For the device in a MAC VLAN, it’s required to set its connected port of switch to be a member of this VLAN so as to ensure the normal communication.
Choose the menu VLAN→Protocol VLAN→Protocol Group Table to load the following page. Figure 6-8 Create Protocol VLAN The following entries are displayed on this screen: Protocol Group Table Select: Select the desired entry. It is multi-optional. Protocol Name: Displays the protocol of the protocol group. VLAN ID: Displays the corresponding VLAN ID of the protocol group.
Protocol Template Table Select your desired port for Protocol VLAN Group. 6.3.3 Protocol Template The Protocol Template should be created before configuring the Protocol VLAN. By default, the switch has defined the IP Template, ARP Template, RARP Template, etc. You can add more Protocol Template on this page.
Note: The Protocol Template bound to VLAN cannot be deleted. Configuration Procedure: Step Operation Description Set the link type for port. Required. On the VLAN→802.1Q VLAN→Port Config page, set the link type for the port based on its connected device. Create VLAN.
Network Diagram Configuration Procedure Configure switch A Step Operation Description Configure Link Type of the ports: Required. On VLAN→802.1Q VLAN→Port Config page, configure the link type of Port 2, Port 3 and Port 4 as ACCESS, TRUNK and ACCESS respectively. Create VLAN10...
Notebook A and Notebook B, special for meeting room, are of two different departments; The two departments are in VLAN10 and VLAN20 respectively. The two notebooks can just access the server of their own departments, that is, Server A and Server B, in the two meeting rooms;...
Step Operation Description Port Enable: Required. On the VLAN→MAC VLAN→Port Enable page, select and enable Port 11 and Port 12 for MAC VLAN feature. Configure switch B Step Operation Description Configure Link Type of the ports: Required. On VLAN→802.1Q VLAN→Port Config page, configure the link type of Port 21 and Port 22 as GENERAL and TRUNK...
IP host, in VLAN10, is served by IP server while AppleTalk host is served by AppleTalk server; Switch B is connected to IP server and AppleTalk server. Network Diagram Configuration Procedure Configure switch A Step Operation Description Configure Required.
Step Operation Description Create VLAN20: Required. On VLAN→802.1Q VLAN→VLAN Config page, create a VLAN with its VLAN ID as 20, owning Port 3 and Port 5, and configure the egress rule of Port 3 as Untag. Create Protocol Template: Required. On VLAN→Protocol VLAN→Protocol Template page, configure the protocol template practically.
forwards or receives a packet, you must not configure the following protocol type values listed in the following table as the TPID value. Protocol type Value 0x0806 0x0800 MPLS 0x8847/0x8848 0x8137 IS-IS 0x8000 LACP 0x8809 802.1X 0x888E Table 6-3 Values of Ethernet frame protocol type in common use This VLAN VPN function is implemented on the VPN Config, VLAN Mapping and Port Enable pages.
Note: If VPN mode is enabled, please create VLAN Mapping entries on the VLAN Mapping function page. 6.7.2 VLAN Mapping VLAN Mapping function allows the VLAN TAG of the packets to be replaced with the new VLAN TAG according to the VLAN Mapping entries. And these packets can be forwarded in the new VLAN.
C VLAN: Displays the ID number of the Customer VLAN. C VLAN refers to the VLAN to which the packet received by switch belongs. SP VLAN: Displays the ID number of the Service Provider VLAN. SP PRI Displays the Service Provider Priority. Description: Displays a description to the VLAN Mapping entry.
• Join Timer: To transmit the Join messages reliably to other entities, a GARP entity sends each Join message two times. The Join timer is used to define the interval between the two sending operations of each Join message. • Leave Timer: When a GARP entity expects to deregister a piece of attribute information, it ...
Choose the menu VLAN→GVRP→GVRP Config to load the following page. Figure 6-13 GVRP Config Note: If the GVRP feature is enabled for a member port of LAG, please ensure all the member ports of this LAG are set to be in the same status and registration mode. The following entries are displayed on this screen: Global Config ...
LeaveAll Timer: Once the LeaveAll Timer is set, the port with GVRP enabled can send a LeaveAll message after the timer times out, so that other GARP ports can re-register all the attribute information. After that, the LeaveAll timer will start to begin a new cycle. The LeaveAll Timer ranges from 1000 to 30000 centiseconds.
Chapter 7 Spanning Tree STP (Spanning Tree Protocol), subject to the IEEE 802.1D standard, is used to eliminate loops in a ring network at the Data Link layer of a local network. Devices running STP discover loops in the network and block ports by exchanging information; in that way, a ring network can be pruned into a loop-free tree topology, preventing packets from being duplicated and forwarded endlessly in the network.
Bridge: Switch A is the root bridge in the whole network; switch B is the designated bridge of switch C. Port: Port 3 is the root port of switch B and port 5 is the root port of switch C; port 1 is the ...
STP Generation In the beginning In the beginning, each switch regards itself as the root, and generates a configuration BPDU for each port on it as a root, with the root path cost being 0, the ID of the designated bridge being that of the switch, and the designated port being itself.
Tips: In an STP with stable topology, only the root port and designated port can forward data, and the other ports are blocked. The blocked ports can only receive BPDUs. RSTP (Rapid Spanning Tree Protocol), evolved from the 802.1D STP standard, enables Ethernet ports to transition between states rapidly.
Figure 7-2 Basic MSTP diagram MSTP MSTP divides a network into several MST regions. The CST is generated between these MST regions, and multiple spanning trees can be generated in each MST region. Each spanning tree is called an instance. Like STP, MSTP uses BPDUs to generate spanning trees. The only difference is that the BPDU for MSTP carries the MSTP configuration information on the switches.
The following diagram shows the different port roles. Figure 7-3 Port roles The Spanning Tree module is mainly for spanning tree configuration of the switch, including four submenus: STP Config, Port Config, MSTP Instance and STP Security. 7.1 STP Config The STP Config function, for global configuration of spanning trees on the switch, can be implemented on STP Config and STP Summary pages.
The following entries are displayed on this screen: Global Config STP: Enable/Disable STP function globally on the switch. Version: Select the desired STP version on the switch. STP: Spanning Tree Protocol. RSTP: Rapid Spanning Tree Protocol. MSTP: Multiple Spanning Tree Protocol. Parameters Config ...
increases the network load of the switches and wastes network resources. The default value is recommended. A max age parameter that is too small may cause the switches to regenerate spanning trees frequently and network congestion to be mistaken for link problems. A max age parameter that is too large leaves the switches unable to detect link problems in time, which delays the regeneration of spanning trees and makes the network less adaptive.
Choose the menu Spanning Tree→Port Config to load the following page. Figure 7-6 Port Config The following entries are displayed on this screen: Port Config Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered. Select: Select the desired port for STP configuration.
Port Role: Displays the role of the port played in the STP Instance. Root Port: Indicates the port that has the lowest path cost from this bridge to the Root Bridge and forwards packets to the root. Designated Port: Indicates the port that forwards packets to a ...
7.3.1 Region Config On this page you can configure the name and revision of the MST region Choose the menu Spanning Tree→MSTP Instance→Region Config to load the following page. Figure 7-7 Region Config The following entries are displayed on this screen: Region Config ...
Choose the menu Spanning Tree→MSTP Instance→Instance Config to load the following page. Figure 7-8 Instance Config The following entries are displayed on this screen: Instance Table Instance ID Select: Click the Select button to quick-select the corresponding Instance ID based on the ID number you entered. Select: Select the desired Instance ID for configuration.
VLAN-Instance Mapping VLAN ID: Enter the desired VLAN ID. After modification here, the new VLAN ID will be added to the corresponding instance ID and the previous VLAN ID won’t be replaced. Instance ID: Enter the corresponding instance ID. Note: In a network with both GVRP and MSTP enabled, GVRP packets are forwarded along the CIST.
Select: Select the desired port to specify its priority and path cost. It is multi-optional. Port: Displays the port number of the switch. Priority: Enter the priority of the port in the instance. It is an important criterion on determining if the port connected to this port will be chosen as the root port.
7.4.1 Port Protect On this page you can configure loop protect feature, root protect feature, TC protect feature, BPDU protect feature and BPDU filter feature for ports. You are suggested to enable corresponding protection feature for the qualified ports. Loop Protect ...
network topology jitter. Normally these ports do not receive BPDUs, but if a user maliciously attacks the switch by sending BPDUs, network topology jitter occurs. To prevent this attack, MSTP provides the BPDU protect function. With this function enabled on the switch, the switch shuts down the edge ports that receive BPDUs and reports these cases to the administrator.
Root Protect: Root Protect is to prevent wrong network topology change caused by the role change of the current legal root bridge. TC Protect: TC Protect is to prevent the decrease of the performance and stability of the switch brought by continuously removing MAC address entries upon receiving TC-BPDUs in the STP network.
On Spanning Tree→STP Config→Port Config page, enable MSTP function for the port. Configure the region name and the revision of MST region: On Spanning Tree→MSTP Instance→Region Config page, configure the region as TP-LINK and keep the default revision setting. Configure VLAN-to-Instance Spanning Tree→MSTP...
Suggestion for Configuration Enable TC Protect function for all the ports of switches. Enable Root Protect function for all the ports of root bridges. Enable Loop Protect function for the non-edge ports. Enable BPDU Protect function or BPDU Filter function for the edge ports which are connected to the PC and server.
Chapter 8 DHCP DHCP (Dynamic Host Configuration Protocol) is a client-server protocol which is widely used in LAN environments to dynamically assign host IP addresses from a centralized server. As workstations and personal computers proliferate on the Internet, the administrative complexity of maintaining a network is increased by an order of magnitude.
the DHCP server with a fixed period of time (e.g., 2 hours), allowing the DHCP server to reclaim (and then reallocate) IP addresses that are not renewed. The Process of DHCP DHCP uses UDP as its transport protocol. DHCP messages from a client to a server are sent to the 'DHCP server' port (67), and DHCP messages from a server to a client are sent to the 'DHCP client' port (68).
when its lease time expires. If the client wants to use the IP address continually, it should unicast a DHCP-REQUEST message to the server to extend its lease. After obtaining parameters via DHCP, a host should be able to exchange packets with any other host in the networks.
ciaddr: Client IP address, filled in by client in DHCPREQUEST when verifying previously allocated configuration parameters. yiaddr: 'your' (client) IP address, configuration parameters allocated to the client by DHCP server. 10) siaddr: IP address of next server to use in bootstrap, returned in DHCPOFFER, DHCPACK and DHCPNAK by server.
DHCP relay agent solves the problem. With the help of a relay agent, a DHCP client can request an IP address from the DHCP server in another VLAN. Details of DHCP Relay on T2500G-10TS A typical application of T2500G-10TS working at DHCP Relay function is shown below. It can be altered to meet the network requirement.
Figure 8-5 DHCP Relay Application To allow all clients in different VLANs request IP address from one server successfully, the DHCP Relay function can transmit the DHCP packets between clients and server in different VLANs. When receiving DHCP-DISCOVER and DHCP-REQUEST packets, the switch will fill the ...
DHCP Relay Configuration Configure the Option 82 parameters to record the information of the clients. You are suggested to configure the option82 on the nearest Relay of the client. Specify the DHCP Server which assigns IP addresses actually. Option 82 ...
Choose the menu DHCP→DHCP Relay→DHCP Relay to load the following page. Figure 8-8 Global Config The following entries are displayed on this screen: Global Config DHCP Relay: Enable or disable the DHCP Relay function. Option 82 configuration Configure the Option 82 which cannot be assigned by the switch. Option 82 Support: Enable or disable the Option 82 feature.
Remote ID: Enter the sub-option Remote ID for the customized Option 82 field. Add DHCP Server Address IP Address: Enter the IP address of the DHCP Server. Name: Enter the name of the DHCP Server for identification. DHCP Server List ...
Chapter 9 Multicast Multicast Overview In the network, packets are sent in three modes: unicast, broadcast and multicast. In unicast, the source server sends separate copy information to each receiver. When a large number of users require this information, the server must send many pieces of information with the same content to the users.
3. Each user can join and leave the multicast group at any time; 4. Real time is highly demanded and certain packets drop is allowed. IPv4 Multicast Address 1. IPv4 Multicast IP Address: As specified by IANA (Internet Assigned Numbers Authority), Class D IP addresses are used as destination addresses of multicast packets.
0xFF at the start of the address identifies the address as being a multicast address. Flags have 4 bits. The high-order flag is reserved, and must be initialized to 0. T=0 indicates a permanently-assigned multicast address assigned by the Internet Assigned Numbers Authority (IANA).
The solicited-node multicast address is a multicast group that corresponds to an IPv6 unicast or anycast address. It is usually used for obtaining the Layer 2 link-layer addresses of neighboring nodes within the local-link or applied in IPv6 Duplicate Address Detection. A node is required to join the associated Solicited-Node multicast addresses for all unicast and anycast addresses that have been configured for the node's interfaces.
IGMP Snooping In the network, the hosts apply to the near router for joining (leaving) a multicast group by sending IGMP (Internet Group Management Protocol) messages. When the up-stream device forwards down the multicast data, the switch is responsible for sending them to the hosts. IGMP Snooping is a multicast control mechanism, which can be used on the switch for dynamic registration of the multicast group.
When receiving IGMP general query message, the switch will forward them to all other ports in the VLAN owning the receiving port. The receiving port will be processed: if the receiving port is not a router port yet, it will be added to the router port list with its router port time specified; if the receiving port is already a router port, its router port time will be directly reset.
The IGMP Snooping function can be implemented on the following pages: Snooping Config, VLAN Config, Port Config, IP-Range, Multicast VLAN, Static Multicast IP and Packet Statistics. 9.1.1 Snooping Config To configure the IGMP Snooping on the switch, please firstly configure IGMP global configuration and related parameters on this page.
9.1.2 VLAN Config Multicast groups established by IGMP Snooping are based on VLANs. On this page you can configure different IGMP parameters for different VLANs. Choose the menu Multicast→IGMP Snooping→VLAN Config to load the following page. Figure 9-6 VLAN Config The following entries are displayed on this screen: VLAN Config ...
Select: Select the desired VLAN ID for configuration. It is multi-optional. VLAN ID: Displays the VLAN ID. Router Port Time: Displays the router port time of the VLAN. Member Port Time: Displays the member port time of the VLAN. Leave Time: Displays the leave time of the VLAN.
Choose the menu Multicast →IGMP Snooping →Port Config to load the following page. Figure 9-7 Port Config The following entries are displayed on this screen: Port Config Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered. Select: Select desired...
Note: Fast Leave on the port is effective only when the host supports IGMPv2 or IGMPv3. When both Fast Leave feature and Unknown Multicast Discard feature are enabled, the leaving of a user connected to a port owning multi-user will result in the other users intermitting the multicast business.
Start Multicast IP: Displays start multicast IP of the IP-range. End Multicast IP: Displays end multicast IP of the IP-range. 9.1.5 Multicast VLAN In old multicast transmission mode, when users in different VLANs apply to join the same multicast group, the multicast router will duplicate this multicast information and deliver one copy to each VLAN owning a receiver.
Leave Time: Specify the interval between the switch receiving a leave message from a host, and the switch removing the host from the multicast groups. Router Ports: Enter the static router port which is mainly used in the network with stable topology. Note: The router port should be in the multicast VLAN, otherwise the member ports cannot receive multicast streams.
Router: Its WAN port is connected to the multicast source; its LAN port is connected to the switch. The multicast packets are transmitted in VLAN3. Switch: Port 3 is connected to the router and the packets are transmitted in VLAN3; port 4 is connected to user A and the packets are transmitted in VLAN4;...
Step Operation Description Enable Multicast VLAN: Enable Multicast VLAN, configure the VLAN ID of a multicast VLAN as 3 and keep the other parameters as default on Multicast→IGMP Snooping→Multicast VLAN page. Check Multicast VLAN: 3-5 and Multicast VLAN 3 will be displayed in the IGMP Snooping Status...
Search Option Search Option: Select the rules for displaying multicast IP table to find the desired entries quickly. All: Displays all static multicast IP entries. Multicast IP: Enter the multicast IP address the desired entry must carry. VLAN ID: Enter the VLAN ID the desired entry must carry.
Choose the menu Multicast→IGMP Snooping→IGMP Snooping Querier to load the following page. Figure 9-11 Packet Statistics The following entries are displayed on this screen: IGMP Snooping Querier Config VLAN ID: Enter the ID of the VLAN that enables IGMP Snooping Querier. Query Interval: Enter the time interval of sending a general query frame by IGMP Snooping Querier.
Last Member Query Times: Enter the times of sending specific query frames by IGMP Snooping Querier. At receiving a leave frame, a specific query frame will be sent by IGMP Snooping Querier. If a report frame is received before the number of specific query frames sent reaches "Last Member Query Times", the switch will still treat the port as group member and stop sending specific query frames to the port, otherwise the port will be removed from forward-ports of the IP...
Choose the menu Multicast→IGMP Snooping→Packet Statistics to load the following page. Figure 9-12 Packet Statistics The following entries are displayed on this screen: Auto Refresh Auto Refresh: Enable/Disable auto refresh feature. Refresh Period: Enter the time from 3 to 300 in seconds to specify the auto refresh period.
Leave Packet: Displays the number of leave packets the port received. Error Packet: Displays the number of error packets the port received. 9.1.9 IGMP Authentication IGMP Authentication (Internet Group membership Authentication Protocol) is a multicast authentication protocol used to authenticate users who want to join the limited multicast source.
IGMP Authentication: Select Enable/Disable IGMP Authentication for the desired port. LAG: Displays the LAG number which the port belongs to. Note: The IGMP Authentication feature will take effect only when AAA function is enabled and the RADIUS server is configured. For how to enable AAA function and configure RADIUS server, please refer to 12.5 AAA.
Member Port Aging Time: Within this time, if the switch does not receive MLD reports from the member port, it will delete this port from the MLD multicast group. The default value is 260 seconds. General Query Interval: The interval between the multicast router sends out general queries. Last Listener Query Interval: The interval between the switch sends out MASQs.
9.2.1 Global Config To configure the MLD Snooping on the switch, please firstly configure MLD global configuration and related parameters on this page. Choose the menu Multicast→MLD Snooping→Global Config to load the following page. Figure 9-14 Global Config The following entries are displayed on this screen: Global Config ...
Last Listener Query Interval: Enter the Last Listener Query interval time. When the multicast group has no more member ports, it will send the Specific Query Message with this interval time to check whether there is another listener. Last Listener Query Enter the Last Listener Query numbers.
Member Port Aging Time: Enter the member port aging time for this VLAN. It will override the global configured aging time. Immediate Leave: Enable or disable immediate leave function for this VLAN. If this function is enabled, the multicast group member port will be deleted immediately when a Done Message is received, without sending a Specific Query for listener checking.
Choose the menu Multicast→MLD Snooping→Filter Config to load the following page. Figure 9-16 Filter Config The following entries are displayed on this screen: Filter Config Filter ID: Enter the Filter ID which identifies the filter. Start Multicast Enter the start of the IP range. End Multicast IP: Enter the end of the IP range.
Choose the menu Multicast→MLD Snooping→Port Config to load the following page. Figure 9-17 Port Config The following entries are displayed on this screen: Port Config Select: Select the port you want to configure. Port: Displays the port number. Filter: Choose to enable or disable filter function in this port.
Choose the menu Multicast→MLD Snooping→Static Multicast to load the following page. Figure 9-18 Static Multicast The following entries are displayed on this screen: Static Multicast Config VLAN ID: Enter the VLAN ID. Multicast IP: Enter the multicast IP address. Member Ports: Enter the member ports of the static multicast group.
Choose the menu Multicast→MLD Snooping→Querier Config to load the following page. Figure 9-19 Querier Config The following entries are displayed on this screen: Querier Config VLAN ID: Enter the VLAN ID which you want to start Querier. Maximum Response Time: Enter the value of Maximum Response Time field of the Query message.
Choose the menu Multicast→MLD Snooping→Packet Statistics to load the following page. Figure 9-20 Packet Statistics The following entries are displayed on this screen: Auto Fresh Auto Fresh: Enable/Disable auto fresh feature. Fresh Period: Enter the time from 3 to 300 seconds to specify the auto fresh period.
9.3 Multicast Table In a network, receivers can join different multicast groups appropriate to their needs. The switch forwards multicast streams based on IPv4/IPv6 multicast address table. The Multicast Table function is implemented on the IPv4 Multicast Table and IPv6 Multicast Table pages.
Forward Port: Displays the forward port of the multicast group. Type: Displays the type of the multicast IP. 9.3.2 IPv6 Multicast Table This page displays the IPv6 multicast groups already on the switch. Choose the menu Multicast→Multicast Table→IPv6 Multicast Table to load the following page.
Chapter 10 QoS QoS (Quality of Service) functions to provide different quality of service for various network applications and requirements and optimize the bandwidth resource distribution so as to provide a network service experience of a better quality. This switch classifies the ingress packets, maps the packets to different priority queues and then forwards the packets according to specified scheduling algorithms to implement QoS function.
2. 802.1P Priority Figure 10-2 802.1Q frame As shown in the figure above, each 802.1Q Tag has a Pri field, comprising 3 bits. The 3-bit priority field is 802.1p priority in the range of 0 to 7. 802.1P priority determines the priority of the packets based on the Pri value.
Figure 10-4 SP-Mode WRR-Mode: Weight Round Robin Mode. In this mode, packets in all the queues are sent in order based on the weight value for each queue and every queue can be assured of a certain service time. The weight value indicates the occupied proportion of the resource. WRR queue overcomes the disadvantage of SP queue that the packets in the queues with lower priority cannot get service for a long time.
The QoS module is mainly for traffic control and priority configuration, including three submenus: DiffServ, Bandwidth Control and Voice VLAN. 10.1 DiffServ This switch classifies the ingress packets, maps the packets to different priority queues and then forwards the packets according to specified scheduling algorithms to implement QoS function.
Note: To complete QoS function configuration, you have to go to the Schedule Mode page to select a schedule mode after the configuration is finished on this page. Configuration Procedure: Step Operation Description Select the port priority Required. On QoS→DiffServ→Port Priority page, configure the port priority.
Figure 10-7 DSCP Priority The following entries are displayed on this screen: DSCP Priority Config DSCP Priority: Enable/Disable DSCP Priority. Priority Level DSCP: Indicates the priority determined by the DSCP region of IP datagram. It ranges from 0 to 63. Priority Level: Indicates the 802.1P priority the packets with tag are mapped to.
Step Operation Description Configure the mapping relation between the CoS and the TC: Required. On QoS→DiffServ→802.1P Priority page, configure the mapping relation between the CoS and the TC. Select a schedule mode: Required. On QoS→DiffServ→Schedule Mode page, select a schedule mode. 10.1.3 802.1P/CoS Mapping On this page you can configure the mapping relation between the 802.1P priority tag-id/CoS-id and the TC-id.
Configuration Procedure: Step Operation Description Configure the mapping relation between the 802.1P priority Tag/CoS and the TC: Required. On QoS→DiffServ→802.1P/CoS mapping page, configure the mapping relation between the 802.1P priority Tag/CoS and the TC. Select a schedule mode: Required. On QoS→DiffServ→Schedule Mode page, select a schedule mode.
SP+WRR-Mode: Strict-Priority + Weight Round Robin Mode. In this mode, this switch provides two scheduling groups, SP group and WRR group. Queues in SP group and WRR group are scheduled strictly based on strict-priority mode while the queues inside WRR group follow the WRR mode. In SP+WRR mode, TC3 is in the SP group;...
Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered. Select: Select the desired port for Rate configuration. It is multi-optional. Port: Displays the port number of the switch. Ingress Rate (bps): Configure the bandwidth for receiving packets on the port.
Choose the menu QoS→Bandwidth Control→Storm Control to load the following page. Figure 10-11 Storm Control The following entries are displayed on this screen: Storm Control Config Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered. Select: Select the desired port for Storm Control configuration.
Note: If you enable storm control feature for the ingress rate limit-enabled port, ingress rate limit feature will be disabled for this port. 10.3 Voice VLAN Voice VLANs are configured specially for voice data stream. By configuring Voice VLANs and adding the ports with voice devices attached to voice VLANs, you can perform QoS-related configuration for voice data, ensuring the transmission priority of voice data stream and voice quality.
Manual Mode: You need to manually add the port of IP phone to voice VLAN, and then the switch will assign ACL rules and configure the priority of the packets through learning the source MAC address of packets and matching OUI address. In practice, the port voice VLAN mode is configured according to the type of packets sent out from voice device and the link type of the port.
Security Mode / Packet Type / Processing Mode. UNTAG packet, Packet with voice VLAN TAG: When the source MAC address of the packet is the OUI address that can be identified, the packet can be transmitted in the voice VLAN. Otherwise, the packet will be discarded.
Aging Time: Specifies the living time of the member port in auto mode after the OUI address is aging out. Priority: Select the priority of the port when sending voice data. 10.3.2 Port Config Before the voice VLAN function is enabled, the parameters of the ports in the voice VLAN should be configured on this page.
Port Mode: Select the mode for the port to join the voice VLAN. Auto: In this mode, the switch automatically adds a port to the voice VLAN or removes a port from the voice VLAN by checking whether the port receives voice data or not. Manual: In this mode, you can manually add a port to the ...
Description: Give a description to the OUI for identification. OUI Table Select: Select the desired entry to view the detailed information. OUI: Displays the OUI address of the voice device. Mask: Displays the OUI address mask of the voice device. Description: Displays the description of the OUI.
Chapter 11 ACL ACL (Access Control List) is used to filter packets by configuring match rules and process policies of packets in order to control the access of the illegal users to the network. Besides, ACL functions to control traffic flows and save network resources. It provides a flexible and secured access control policy and facilitates you to control the network security.
Operation: Click the Edit button to modify the time-range. Click the Detail button to display the complete information of this time-range. 11.1.2 Time-Range Create On this page you can create time-ranges. Choose the menu ACL→Time-Range→Time-Range Create to load the following page. Figure 11-2 Time-Range Create Note: To successfully configure time-ranges, please firstly specify time-slices and then time-ranges.
End Time: Set the end time of the time-slice. Time-Slice Table Index: Displays the index of the time-slice. Start Time: Displays the start time of the time-slice. End Time: Displays the end time of the time-slice. Delete: Click the Delete button to delete the corresponding time-slice. 11.1.3 Holiday Config Holiday mode is applied as a different secured access control policy from the week mode.
11.2 ACL Config An ACL may contain a number of rules, and each rule specifies a different packet range. Packets are matched in match order. Once a rule is matched, the switch processes the matched packets by taking the operation specified in the rule without considering the other rules, which can enhance the performance of the switch.
Figure 11-5 ACL Create The following entries are displayed on this screen: Create ACL ACL ID: Enter ACL ID of the ACL you want to create. Rule Order: User Config order is set to be match order in this ACL. 11.2.3 MAC ACL MAC ACLs analyze and process packets based on a series of match conditions, which can be the source MAC addresses, destination MAC addresses, VLAN ID, and EtherType carried in the...
Rule ID: Enter the rule ID. Operation: Select the operation for the switch to process packets which match the rules. Permit: Forward packets. Deny: Discard Packets. S-MAC: Enter the source MAC address contained in the rule. D-MAC: Enter the destination MAC address contained in the rule. MASK: Enter MAC address mask.
Operation: Select the operation for the switch to process packets which match the rules. Permit: Forward packets. Deny: Discard Packets. Fragment: Select if the rule will take effect on the fragment. When the fragment is selected, this rule will process all the fragments and the last piece of fragment will be always forwarded.
Rule ID: Enter the rule ID. Operation: Select the operation for the switch to process packets which match the rules. Permit: Forward packets. Deny: Discard Packets. S-IP: Enter the source IP address contained in the rule. D-IP: Enter the destination IP address contained in the rule. Mask: Enter IP address mask.
Figure 11-9 Policy Summary The following entries are displayed on this screen: Search Options Select Policy: Select name of the desired policy for view. If you want to delete the desired policy, please click the Delete button. Action Table ...
11.3.3 Action Create On this page you can add ACLs and create corresponding actions for the policy. Choose the menu ACL→Policy Config→Action Create to load the following page. Figure 11-11 Action Create The following entries are displayed on this screen: Create Action ...
QoS Remark: Select QoS Remark to forward the data packets based on the QoS settings. DSCP: Specify the DSCP region for the data packets those match the corresponding ACL. Local Priority: Specify the local priority for the data packets ...
11.4.2 Port Binding On this page you can bind a policy to a port. Choose the menu ACL→Policy Binding→Port Binding to load the following page. Figure 11-13 Bind the policy to the port The following entries are displayed on this screen: Port-Bind Config ...
The following entries are displayed on this screen: VLAN-Bind Config Policy Name: Select the name of the policy you want to bind. VLAN ID: Enter the ID of the VLAN you want to bind. VLAN-Bind Table Index: Displays the index of the binding policy. Policy Name: Displays the name of the binding policy.
Network Diagram Configuration Procedure Step Operation Description Configure Time-range: On ACL→Time-Range page, create a time-range named work_time. Select Week mode and configure the week time from Monday to Friday. Add a time-slice 08:00–18:00. Configure for requirement: On ACL→ACL Config→ACL Create page, create ACL 11. On ACL→ACL Config→MAC ACL page, select ACL 11, create Rule 1, configure the operation as Permit, configure the S-MAC as...
Step Operation Description Configure for requirement 2 and 4: On ACL→ACL Config→ACL Create page, create ACL 100. On ACL→ACL Config→Standard-IP ACL page, select ACL 100, create Rule 2, configure operation as Permit, configure S-IP as 10.10.70.0 and mask as 255.255.255.0, configure D-IP as 10.10.88.5 and mask as 255.255.255.255, configure the time-range as work_time.
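The match-order behaviour described in 11.2 ACL Config, applied to Rule 2 of ACL 100 and the work_time time-range configured above, as an added Python example that is not from the manual or the switch firmware. Rule 3, the sample packets and dates, the exclusive slice end, the skipping of a rule whose time-range is inactive, and the `default` action when no rule matches are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class TimeRange:
    name: str
    weekdays: frozenset          # 0 = Monday ... 6 = Sunday
    start: time
    end: time

    def active(self, when: datetime) -> bool:
        # Assumption: the slice end is exclusive (18:00:00 is outside it).
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


@dataclass(frozen=True)
class Rule:
    rule_id: int
    operation: str               # "permit" or "deny"
    s_ip: str
    s_mask: str
    d_ip: str
    d_mask: str
    time_range: Optional[TimeRange] = None

    def matches(self, src: str, dst: str, when: datetime) -> bool:
        # Assumption: a rule whose time-range is not active is skipped.
        if self.time_range is not None and not self.time_range.active(when):
            return False
        return (masked_eq(src, self.s_ip, self.s_mask)
                and masked_eq(dst, self.d_ip, self.d_mask))


def masked_eq(addr: str, base: str, mask: str) -> bool:
    """Compare only the bits set in the mask, as in 10.10.70.0 / 255.255.255.0."""
    m = int(IPv4Address(mask))
    return (int(IPv4Address(addr)) & m) == (int(IPv4Address(base)) & m)


def evaluate(rules, src, dst, when, default="permit"):
    """First matching rule decides; later rules are never consulted."""
    for rule in rules:
        if rule.matches(src, dst, when):
            return rule.operation, rule.rule_id
    return default, None         # assumption: configurable fall-through action


# Values from the configuration procedure above.
WORK_TIME = TimeRange("work_time", frozenset(range(5)), time(8, 0), time(18, 0))
RULE_2 = Rule(2, "permit", "10.10.70.0", "255.255.255.0",
              "10.10.88.5", "255.255.255.255", WORK_TIME)
# Constructed rule (not from the manual): block everyone else from the server.
RULE_3 = Rule(3, "deny", "0.0.0.0", "0.0.0.0", "10.10.88.5", "255.255.255.255")

ACL_100 = [RULE_2, RULE_3]
ACL_100_REVERSED = [RULE_3, RULE_2]   # same rules, wrong order

# Constructed sample times: 2024-03-06 is a Wednesday, 2024-03-09 a Saturday.
WED_WORK = datetime(2024, 3, 6, 10, 0)
WED_EVENING = datetime(2024, 3, 6, 19, 30)
SAT_MORNING = datetime(2024, 3, 9, 10, 0)

if __name__ == "__main__":
    for label, acl in (("ACL 100", ACL_100), ("reversed", ACL_100_REVERSED)):
        for when in (WED_WORK, WED_EVENING, SAT_MORNING):
            verdict = evaluate(acl, "10.10.70.25", "10.10.88.5", when)
            print(f"{label:9} {when:%a %H:%M} -> {verdict}")
```

With the rules reversed, the broad deny shadows the permit at every hour, which is the ordering mistake to look for when reviewing an ACL of this kind.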
Chapter 12 Network Security Network Security module is to provide the multiple protection measures for the network security, including six submenus: IP-MAC Binding, ARP Inspection, DoS Defend, 802.1X and PPPoE. Please configure the functions appropriate to your need. 12.1 IP-MAC Binding The IP-MAC Binding function allows you to bind the IP address, MAC address, VLAN ID and the connected Port number of the Host together.
Figure 12-1 Binding Table The following entries are displayed on this screen: Search Option Source: Select a Source from the pull-down list and click the Search button to view your desired entry in the Binding Table. All: All the bound entries will be displayed. •...
Collision: Displays the Collision status of the entry. • Warning: Indicates that the collision may be caused by the MSTP function. • Critical: Indicates that the entry has a collision with the other entries. Note: Among the entries with Critical collision level, the one with the highest Source priority will take effect.
Manual Binding Table Select: Select the desired entry to be deleted. It is multi-optional. Host Name: Displays the Host Name here. IP Address: Displays the IP Address of the Host. MAC Address: Displays the MAC Address of the Host. VLAN ID: Displays the VLAN ID here.
Since the ARP request packet is broadcasted, all hosts in the LAN can receive it. However, only the Host B recognizes and responds to the request. Host B sends back an ARP reply packet to Host A, with its MAC address carried in the packet. Upon receiving the ARP reply packet, Host A adds the IP address and the corresponding MAC address of Host B to its ARP Table for the further packets forwarding.
Protect Type: Displays the Protect Type of the entry. Collision: Displays the Collision status of the entry. • Warning: Indicates that the collision may be caused by the MSTP function. • Critical: Indicates that the entry has a collision with the
Figure 12-6 Interaction between a DHCP client and a DHCP server DHCP-DISCOVER Stage: The Client broadcasts the DHCP-DISCOVER packet to find the DHCP Server. DHCP-OFFER Stage: Upon receiving the DHCP-DISCOVER packet, the DHCP Server selects an IP address from the IP pool according to the assigning priority of the IP addresses and replies to the Client with DHCP-OFFER packet carrying the IP address and other information.
is no universal standard about the content of Option 82, different manufacturers define the sub-options of Option 82 to their need. For this switch, the sub-options are defined as the following: The Circuit ID is defined to be the number of the port which receives the DHCP Request packets and its VLAN number.
Choose the menu Network Security→IP-MAC Binding→DHCP Snooping to load the following page. Figure 12-8 DHCP Snooping Note: If you want to enable the DHCP Snooping feature for the member port of LAG, please ensure the parameters of all the member ports are the same.
The following entries are displayed on this screen: DHCP Snooping Config DHCP Snooping: Enable/Disable the DHCP Snooping function globally. Global Flow Control: Select the value to specify the maximum amount of DHCP messages that can be forwarded by the switch per second. The excessive messages will be discarded.
MAC Verify: Enable/Disable the MAC Verify feature. There are two fields of the DHCP packet containing the MAC address of the Host. The MAC Verify feature is to compare the two fields and discard the packet if the two fields are different. Flow Control: Enable/Disable the Flow Control feature for the DHCP packets.
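A sketch of the MAC Verify comparison described above, added here as an example and not taken from the switch firmware. It assumes the two fields are the Ethernet source address and the BOOTP chaddr field (the guide does not name them); the function names and the sample frames are constructed for illustration.

```python
import struct
from typing import Tuple

BOOTP_CHADDR_OFFSET = 28  # op, htype, hlen, hops, xid, secs, flags, four addresses
BOOTP_MIN_LEN = 44        # up to the end of the 16-byte chaddr field


def mac_text(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def build_client_frame(eth_src: bytes, chaddr: bytes, ip_options: bytes = b"") -> bytes:
    """Construct a DHCP-DISCOVER frame as sample input (nothing is sent)."""
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x12345678, 0, 0x8000)
    bootp += bytes(16)                            # ciaddr, yiaddr, siaddr, giaddr
    bootp += chaddr.ljust(16, b"\x00")            # client hardware address
    bootp += bytes(192)                           # sname and file
    bootp += b"\x63\x82\x53\x63\x35\x01\x01\xff"  # magic cookie, option 53 = DISCOVER, end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ihl = 5 + len(ip_options) // 4                # ip_options must be a multiple of 4 bytes
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(udp), 0, 0,
                     64, 17, 0, bytes(4), b"\xff" * 4) + ip_options
    return b"\xff" * 6 + eth_src + b"\x08\x00" + ip + udp


def mac_verify(frame: bytes) -> Tuple[str, str]:
    """Return ("forward" | "drop" | "not-dhcp", reason) for one Ethernet frame."""
    ip_off = 14
    if len(frame) < ip_off + 20 or frame[12:14] != b"\x08\x00":
        return "not-dhcp", "not an IPv4 frame"
    ihl = (frame[ip_off] & 0x0F) * 4              # header length varies with IP options
    if ihl < 20 or frame[ip_off + 9] != 17:
        return "not-dhcp", "not UDP"
    udp_off = ip_off + ihl
    if len(frame) < udp_off + 8:
        return "not-dhcp", "no UDP header"
    sport, dport = struct.unpack("!HH", frame[udp_off:udp_off + 4])
    if (sport, dport) != (68, 67):                # only client-to-server messages are checked
        return "not-dhcp", "not a DHCP client message"
    bootp_off = udp_off + 8
    if len(frame) < bootp_off + BOOTP_MIN_LEN:
        return "drop", "DHCP message truncated before chaddr"
    htype, hlen = frame[bootp_off + 1], frame[bootp_off + 2]
    if (htype, hlen) != (1, 6):
        return "drop", "hardware type is not 6-byte Ethernet"
    start = bootp_off + BOOTP_CHADDR_OFFSET
    chaddr, eth_src = frame[start:start + 6], frame[6:12]
    if chaddr != eth_src:
        return "drop", f"chaddr {mac_text(chaddr)} differs from source {mac_text(eth_src)}"
    return "forward", "chaddr matches Ethernet source"


HOST_MAC = bytes.fromhex("000000111111")    # Host A's MAC from this guide
OTHER_MAC = bytes.fromhex("020000000001")   # constructed value

if __name__ == "__main__":
    print(mac_verify(build_client_frame(HOST_MAC, HOST_MAC)))
    print(mac_verify(build_client_frame(HOST_MAC, OTHER_MAC)))
```

The check walks the IP header length instead of assuming 20 bytes, so a message carrying IP options is still compared at the right offset.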
As shown in the figure above, the attacker sends the fake ARP packets with a forged Gateway address to the normal Host, and then the Host will automatically update the ARP table after receiving the ARP packets. When the Host tries to communicate with Gateway, the Host will encapsulate this false destination MAC address for packets, which results in a breakdown of the normal communication.
Figure 12-11 ARP Attack – Cheating Terminal Hosts As shown in the figure above, the attacker sends the fake ARP packets of Host A to Host B, and then Host B will automatically update its ARP table after receiving the ARP packets. When Host B tries to communicate with Host A, it will encapsulate this false destination MAC address for packets, which results in a breakdown of the normal communication.
Figure 12-12 Man-In-The-Middle Attack Suppose there are three Hosts in LAN connected with one another through a switch. Host A: IP address is 192.168.0.101; MAC address is 00-00-00-11-11-11. Host B: IP address is 192.168.0.102; MAC address is 00-00-00-22-22-22. Attacker: IP address is 192.168.0.103; MAC address is 00-00-00-33-33-33. First, the attacker sends the false ARP response packets.
The IP-MAC Binding function allows the switch to bind the IP address, MAC address, VLAN ID and the connected Port number of the Host together when the Host connects to the switch. Based on the predefined IP-MAC Binding entries, the ARP Inspection function checks ARP packets and filters the illegal ones so as to protect the network from ARP attacks.
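The binding check described above, as an added example that is not code from the switch or from TP-LINK: it parses an ARP frame and compares the sender IP, sender MAC, VLAN and ingress port against a binding table. The IP and MAC values are those of the man-in-the-middle scenario in this guide; VLAN 1, ports 1 to 3, the function names and the sample frames are assumptions constructed for illustration.

```python
import socket
import struct
from typing import NamedTuple, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


class Binding(NamedTuple):
    ip: str
    mac: str
    vlan: int
    port: int


# IP/MAC pairs come from the scenario in this guide; VLAN and port are assumed.
BINDINGS = {
    b.ip: b
    for b in (
        Binding("192.168.0.101", "00-00-00-11-11-11", 1, 1),  # Host A
        Binding("192.168.0.102", "00-00-00-22-22-22", 1, 2),  # Host B
        Binding("192.168.0.103", "00-00-00-33-33-33", 1, 3),  # third host (the attacker)
    )
}


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", ""))


def bytes_to_mac(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Construct an Ethernet + ARP frame as sample input (nothing is sent)."""
    eth_dst = "FF-FF-FF-FF-FF-FF" if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_to_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str]]:
    """Return (opcode, sender MAC, sender IP), or None if the frame is malformed."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (ARP_REQUEST, ARP_REPLY):
        return None
    return op, bytes_to_mac(frame[22:28]), socket.inet_ntoa(frame[28:32])


def inspect(frame, vlan, port, bindings=BINDINGS, trusted_ports=frozenset()):
    """Return ("forward" | "drop", reason) for an ARP frame received on vlan/port."""
    if port in trusted_ports:
        return "forward", "trusted port, not inspected"
    parsed = parse_arp(frame)
    if parsed is None:
        return "drop", "not a well-formed IPv4-over-Ethernet ARP packet"
    _, sender_mac, sender_ip = parsed
    entry = bindings.get(sender_ip)
    if entry is None:
        return "drop", f"no binding entry for {sender_ip}"
    if (sender_mac.upper(), vlan, port) != (entry.mac.upper(), entry.vlan, entry.port):
        return "drop", (f"{sender_ip} is bound to {entry.mac} on VLAN {entry.vlan} "
                        f"port {entry.port}, seen from {sender_mac} on VLAN {vlan} port {port}")
    return "forward", "matches binding entry"


HOST_A, HOST_B, ATTACKER = (BINDINGS[f"192.168.0.{n}"] for n in (101, 102, 103))
# Constructed samples: a normal request from Host A, and a reply that claims
# Host B's IP address while carrying the third host's MAC address.
LEGIT_REQUEST = build_arp(ARP_REQUEST, HOST_A.mac, HOST_A.ip, "00-00-00-00-00-00", HOST_B.ip)
SPOOFED_REPLY = build_arp(ARP_REPLY, ATTACKER.mac, HOST_B.ip, HOST_A.mac, HOST_A.ip)

if __name__ == "__main__":
    print(inspect(LEGIT_REQUEST, vlan=1, port=1))
    print(inspect(SPOOFED_REPLY, vlan=1, port=3))
```

Marking a host-facing port as trusted skips the check entirely, so in this sketch the spoofed reply is forwarded if port 3 is placed in `trusted_ports`.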
Configuration Procedure: Step Operation Description
Operation: Bind the IP address, MAC address, VLAN ID and the connected Port number of the Host together. Description: Required. On the IP-MAC Binding page, bind the IP address, MAC address, VLAN ID and the connected Port number of the Host together via Manual Binding, ...
The following entries are displayed on this screen: ARP Defend Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered. Select: Select your desired port for configuration. It is multi-optional. Port: Displays the port number.
The following entries are displayed on this screen: Auto Refresh Auto Refresh: Enable/Disable the Auto Refresh feature. Refresh Interval: Specify the refresh interval to display the ARP Statistics. Illegal ARP Packet Port: Displays the port number. Trusted Port: Indicates the port is an ARP Trusted Port or not.
DoS Attack Type Description
Smurf Attack: By pretending to be a Host, the attacker broadcasts request packets for ICMP response in the LAN. When receiving the request packet, all the Hosts in the LAN will respond and send the reply packets to the actual Host, which will cause this Host to be attacked.
Figure 12-16 DoS Defend The following entries are displayed on this screen: Defend Config DoS Defend: Allows you to Enable/Disable DoS Defend function. Defend Table Select: Select the entry to enable the corresponding Defend Type. Defend Type: Displays the Defend Type name. 12.4 802.1X The 802.1X protocol was developed by IEEE802 LAN/WAN committee to deal with the security issues of wireless LANs.
Authenticator System: The authenticator system is usually an 802.1X-supported network device, such as this TP-LINK switch. It provides the physical or logical port for the supplicant system to access the LAN and authenticates the supplicant system. Authentication Server System: The authentication server system is an entity that provides authentication service to the authenticator system.
802.1X client program to initiate an 802.1X authentication through the sending of an EAPOL-Start packet to the switch. This TP-LINK switch can authenticate supplicant systems in EAP relay mode or EAP terminating mode. The following illustration of these two modes takes the 802.1X authentication procedure initiated by the supplicant system as an example.
Upon receiving the user name from the switch, the RADIUS server retrieves the user name, finds the corresponding password by matching the user name in its database, encrypts the password using a randomly-generated key, and sends the key to the switch through a RADIUS Access-Challenge packet.
server for further authentication. Whereas the randomly-generated key in EAP-MD5 relay mode is generated by the authentication server, and the switch is responsible for encapsulating the authentication packet and forwarding it to the RADIUS server. 802.1X Timer In 802.1X authentication, the following timers are used to ensure that the supplicant system, the switch, and the RADIUS server interact in an orderly way: Supplicant system timer (Supplicant Timeout): This timer is triggered by the switch after the switch sends a request packet to a supplicant system.
Choose the menu Network Security→802.1X→Global Config to load the following page. Figure 12-20 Global Config The following entries are displayed on this screen: Global Config 802.1X: Enable/Disable the 802.1X function. Auth Method: Select the Authentication Method from the pull-down list.
Accounting: Enable/Disable the 802.1X accounting feature. Authentication Config Quiet: Enable/Disable the Quiet timer. Quiet Period: Specify a value for Quiet Period. Once the supplicant fails the 802.1X authentication, the switch will not respond to the authentication request from the same supplicant during the Quiet Period.
Operation: Install 802.1X client software. Description: Required. For the client computers, you are required to install the TP-LINK 802.1X Client provided on the CD. Please refer to the software guide in the same directory with the software for more information.
Operation: Configure 802.1X...
2. The 802.1X function cannot be enabled for LAG member ports. That is, the port with 802.1X function enabled cannot be added to the LAG. 3. The 802.1X function should not be enabled for the port connected to the authentication server.
will ask the first server in the server group list for authentication. If no response is received, the second server will be queried, and so on. The switch has two built-in authentication server groups, one for RADIUS and the other for TACACS+.
12.5.3 RADIUS Server Config This page is used to configure the authentication servers running the RADIUS security protocols. Choose the menu Network Security→AAA→RADIUS Config to load the following page. Figure 12-3 RADIUS Server Config Configuration Procedure: Configure the RADIUS server’s IP and other relevant parameters under the Server Config. View, edit and delete the configured RADIUS servers in the Server list.
12.5.4 TACACS+ Server Config This page is used to configure the authentication servers running the TACACS+ security protocols. Choose the menu Network Security→AAA→TACACS+ Config to load the following page. Figure 12-4 TACACS+ Server Config Configuration Procedure: Configure the TACACS+ server’s IP and other relevant parameters under the Server Config. View, edit and delete the configured TACACS+ servers in the Server list.
Choose the menu Network Security→AAA→Server Group to load the following page. Figure 12-5 Create New Server Group Figure 12-6 Add Server to Server Group Configuration Procedure: 1) Configure the Server Group name and Server Type to create a server group. (Figure 12-5) 2) Click edit in the Server Group List to configure the corresponding server group.
Note: The two built-in server groups radius and tacacs cannot be deleted or edited. Up to 16 servers can be added to one server group. 12.5.6 Authentication Method List Config Before you configure AAA authentication on a certain application, you should define an authentication method list first.
Configuration Procedure: 1) Enter the method list name. 2) Specify the authentication type as Login or Enable. 3) Configure the authentication method with priorities. The options are local, none, radius, tacacs or user-defined server groups. View and delete the configured method priority list in the Authentication Login Method List and Authentication Enable Method List.
Choose the menu Network Security→AAA→Global Config to load the following page. Figure 12-8 Application Authentication Settings Configuration Procedure: 1) Select the application module. 2) Configure the authentication method list from the Login List drop-down menu. This option defines the authentication method for users accessing the switch. 3) Configure the authentication method list from the Enable List drop-down menu.
Choose the menu Network Security→AAA→Dot1x List to load the following page. Configuration Procedure: 1) Configure the 802.1X function both globally and on the supplicant-connected port. Please refer to 13.6 802.1X for more details. 2) Go to Network Security→AAA→Global Config to enable AAA function. 3) Configure the 802.1X Authentication RADIUS server group in the Authentication Dot1x Method List Table.
Feature Default Settings
Authentication enable method list: The list is empty, which means users can promote to administrator privilege without password.
Access application authentication: The application console/telnet/ssh/http use the default Login List and default Enable list.
802.1X authentication server and accounting server: 802.1X authentication uses the radius server group. 802.1X accounting uses the radius server group.
Upon receiving the PADO packets with the Circuit-ID tag, the switch will remove the tag and send the packets to the client. The switch will forward the PADO packets without the Circuit-ID tag directly. The client sends PADR (PPPoE Active Discovery Request) packets according to the process.
Port Config Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered. Select: Select the desired port for configuration. It is multi-optional. Port: Displays the port number. Circuit-ID: Select Enable/Disable the PPPoE Circuit-ID Insertion feature for the port.
Chapter 13 SNMP SNMP Overview SNMP (Simple Network Management Protocol) has gained the most extensive application on the UDP/IP networks. SNMP provides a management frame to monitor and maintain the network devices. It is used for automatically managing the various network devices no matter the physical differences of the devices.
SNMP Versions This switch supports SNMP v3, and is compatible with SNMP v1 and SNMP v2c. The SNMP versions adopted by SNMP Management Station and SNMP Agent should be the same. Otherwise, SNMP Management Station and SNMP Agent cannot communicate with each other normally.
SNMP Management Station by configuring its view type (included/excluded). The OID of managed object can be found on the SNMP client program running on the SNMP Management Station. 2. Create SNMP Group After creating the SNMP View, it’s required to create an SNMP Group. The Group Name, Security Model and Security Level compose the identifier of the SNMP Group.
The following entries are displayed on this screen: Global Config SNMP: Enable/Disable the SNMP function. Local Engine Local Engine ID: Specify the switch’s Engine ID for the remote clients. The Engine ID is a unique alphanumeric string used to identify the SNMP engine on the switch.
View Config View Name: Give a name to the View for identification. Each View can include several entries with the same name. MIB Object ID: Enter the Object Identifier (OID) for the entry of View. View Type: Select the type for the view entry. Include: The view entry can be managed by the SNMP •...
These three items of the Users in one group should be the same. Security Model: Select the Security Model for the SNMP Group.
• v1: SNMPv1 is defined for the group. In this model, the Community Name is used for authentication. SNMP v1 can be configured on the SNMP Community page directly.
the Modify button to apply. Note: Every Group should contain a Read View. The default Read View is viewDefault. 13.1.4 SNMP User The User in an SNMP Group can manage the switch via the management station software. The User and its Group have the same security level and access right. You can configure the SNMP User on this page.
Auth Mode: Select the Authentication Mode for the SNMP v3 User.
• None: No authentication method is used.
• MD5: The port authentication is performed via HMAC-MD5 algorithm.
• SHA: The port authentication is performed via SHA (Secure Hash Algorithm). This authentication mode has a higher security than MD5 mode.
Figure 13-7 SNMP Community The following entries are displayed on this screen: Community Config Community Name: Enter the Community Name here. Access: Defines the access rights of the community.
• read-only: Management right of the Community is restricted to read-only, and changes cannot be made to the corresponding View.
Step Operation Description Enable SNMP function globally. Required. On the SNMP→SNMP Config→Global Config page, enable SNMP function globally. Create SNMP View. Required. On the SNMP→SNMP Config→SNMP View page, create SNMP View of the management agent. The default View Name is viewDefault and the default OID is 1.
13.2 Notification With the Notification function enabled, the switch can proactively report to the management station about the important events that occur on the Views (e.g., the managed device is rebooted), which allows the management station to monitor and process the events in time. The notification information includes the following two types: Trap: Trap is the information that the managed device proactively sends to the Network management station without request.
Security Level: Select the Security Level for the SNMP v3 User.
• noAuthNoPriv: No authentication and no privacy security level are used.
• authNoPriv: Only the authentication security level is used.
• authPriv: Both the authentication and the privacy security levels are used.
Type: Select the type for the notifications.
13.3 RMON RMON (Remote Monitoring), based on the SNMP (Simple Network Management Protocol) architecture, monitors the network. RMON is currently a commonly used network management standard defined by the Internet Engineering Task Force (IETF), which is mainly used to monitor the data traffic across a network segment or even the entire network so as to enable the network administrator to take protection measures in time to avoid any network malfunction.
13.3.1 History Control On this page, you can configure the History Group for RMON. Choose the menu SNMP→RMON→History Control to load the following page. Figure 13-9 History Control The following entries are displayed on this screen: History Control Table Select: Select the desired entry for configuration.
13.3.2 Event Config On this page, you can configure the RMON events. Choose the menu SNMP→RMON→Event Config to load the following page. Figure 13-10 Event Config The following entries are displayed on this screen: Event Table Select: Select the desired entry for configuration. Index: Displays the index number of the entry.
13.3.3 Alarm Config On this page, you can configure Statistic Group and Alarm Group for RMON. Choose the menu SNMP→RMON→Alarm Config to load the following page. Figure 13-11 Alarm Config The following entries are displayed on this screen: Alarm Table ...
Alarm Type: Specify the type of the alarm.
• All: The alarm event will be triggered when the sampled value either exceeds the Rising Threshold or is under the Falling Threshold.
• Rising: When the sampled value exceeds the Rising Threshold, an alarm event is triggered.
• Falling: When the sampled value is under the Falling ...
Chapter 14 LLDP LLDP (Link Layer Discovery Protocol) is a Layer 2 protocol that is used for network devices to advertise their own device information periodically to neighbors on the same IEEE 802 local area network. The advertised information, including details such as device identification, capabilities and configuration settings, is represented in TLV (Type/Length/Value) format according to the IEEE 802.1AB standard, and these TLVs are encapsulated in LLDPDU (Link Layer Discovery Protocol Data Unit).
Tx&Rx: the port can both transmit and receive LLDPDUs. Rx_Only: the port can receive LLDPDUs only. Tx_Only: the port can transmit LLDPDUs only. Disable: the port cannot transmit or receive LLDPDUs. LLDPDU transmission mechanism If the ports are working in TxRx or Tx mode, they will advertise local information by ...
The following table shows the details about the currently defined TLVs.
TLV Type TLV Name Description Usage in LLDPDU
End of LLDPDU: Mark the end of the TLV sequence in LLDPDUs. Any information following an End Of LLDPDU TLV shall be ignored. Usage in LLDPDU: Mandatory.
Chassis ID: Identifies Chassis...
Note: For detailed introduction of TLV, please refer to IEEE 802.1AB standard. In TP-LINK switch, the following LLDP optional TLVs are supported. Description Port Description TLV The Port Description TLV allows network management to advertise the IEEE 802 LAN station's port description.
Description Power Via MDI TLV The Power Via MDI TLV allows network management to advertise and discover the MDI power support capabilities of the sending IEEE 802.3 LAN station. The LLDP module is mainly for LLDP function configuration of the switch, including three submenus: Basic Config, Device Info and Device Statistics.
Transmit Delay: Enter a value from 1 to 8192 in seconds to specify the time for the local device to transmit LLDPDU to its neighbors after changes occur so as to prevent LLDPDU being sent frequently. The default value is 2 seconds. Reinit Delay: This parameter indicates the amount of delay from when LLDP status becomes "disable"...
Admin Status: Select the port’s LLDP operating mode: Tx&Rx: Send and receive LLDP frames. Rx_Only: Only receive LLDP frames. Tx_Only: Only send LLDP frames. Disable: Neither send nor receive LLDP frames. Notification Mode: Enable/Disable the ports' SNMP notification. If enabled, the local device will notify the trap event to SNMP server.
The following entries are displayed on this screen: Auto Refresh Auto Refresh: Enable/Disable the auto refresh function. Refresh Rate: Specify the auto refresh rate. Local Info Enter the desired port number and click Select to display the information of the corresponding port.
Neighbor Port: Displays the port number of the neighbor linking to local port. Information: Click Information to display the detailed information of the neighbor device. 14.3 Device Statistics You can view the LLDP statistics of local device through this feature. Choose the menu LLDP→Device Statistics→Statistic Info to load the following page.
Total Inserts: Displays the number of neighbors inserted till last update time. Total Deletes: Displays the number of neighbors deleted by local device. Total Drops: Displays the number of neighbors dropped by local device. Total Ageouts: Displays the number of overtime neighbors in local device. Neighbor Statistics ...
Network Policy TLV The Network Policy TLV allows both Network Connectivity Devices and Endpoints to advertise VLAN configuration and associated Layer 2 and Layer 3 attributes that apply for a set of specific applications on that port. Location Identification TLV The Location Identification TLV provides for advertisement location identifier information Communication...
The following entries are displayed on this screen LLDP-MED Parameters Config Fast Start Count: When LLDP-MED fast start mechanism is activated, multiple LLDP-MED frames will be transmitted (the number of frames equals this parameter). The default value is 4. Device Class: LLDP-MED devices are comprised of two primary device types: Network Connectivity Devices and Endpoint Devices.
Detail: Click the Detail button to display the included TLVs and select the desired TLVs. Figure 14-8 Configure TLVs of LLDP-MED Port Included TLVs Select TLVs to be included in outgoing LLDPDU. Location Identification Parameters Configure the Location Identification TLV's content in outgoing LLDPDU of the port. Emergency Number: Emergency number is Emergency Call Service ELIN identifier, ...
network element believed to be closest to the client (1: Switch) or the location of the client (2: LLDP-MED Endpoint). Option (2) should be used, but may not be known. Options (0) and (1) should not be used unless it is known that the DHCP client is in close physical proximity to the server or network element.
Device Type: Specify the auto refresh rate. Application Type: Application Type indicates the primary function of the applications defined for the network policy. Unknown Policy Flag: Displays whether the local device will explicitly advertise the policy required by the device but currently unknown. VLAN tagged: Indicates the VLAN type the specified application type is using, 'tagged' or 'untagged'.
Application Type: Displays the application type of the neighbor. Application Type indicates the primary function of the applications defined for the network policy. Local Data Format: Displays the location identification of the neighbor. Power Type: Displays the power type of the neighbor device, either Power Sourcing Entity (PSE) or Powered Device (PD).
Chapter 15 Maintenance Maintenance module, assembling the commonly used system tools to manage the switch, provides the convenient method to locate and solve the network problem. System Monitor: Monitor the utilization status of the memory and the CPU of switch. Log: View the configuration parameters of the switch and find out the errors via the Logs.
Figure 15-1 CPU Monitor Click the Monitor button to enable the switch to monitor and display its CPU utilization rate every four seconds. 15.1.2 Memory Monitor Choose the menu Maintenance→System Monitor→Memory Monitor to load the following page.
Figure 15-2 Memory Monitor Click the Monitor button to enable the switch to monitor and display its Memory utilization rate every four seconds. 15.2 Log The Log system of switch can record, classify and manage the system information effectively, providing powerful support for network administrator to monitor network operation and diagnose malfunction.
Severity Level Description
informational: Informational messages
debugging: Debug-level messages
Table 15-1 Log Level
The Log function is implemented on the Log Table, Local Log, Remote Log and Backup Log pages. 15.2.1 Log Table The switch supports log output in two directions, namely, log buffer and log file. The information in log buffer will be lost after the switch is rebooted or powered off whereas the information in log file will be kept effective even if the switch is rebooted or powered off.
Module: Displays the module which the log information belongs to. You can select a module from the drop-down list to display the corresponding log information. Severity: Displays the severity level of the log information. You can select a severity level to display the log information whose severity level value is the same or smaller.
Status: Enable/Disable the channel. 15.2.3 Remote Log Remote log feature enables the switch to send system logs to the Log Server. Log Server is to centralize the system logs from various devices for the administrator to monitor and manage the whole network. Choose the menu Maintenance→Log→Remote Log to load the following page.
Figure 15-6 Backup Log The following entry is displayed on this screen: Backup Log Backup Log: Click the Backup Log button to save the log as a file to your computer. Note: It will take a few minutes to backup the log file. Please wait without any operation. 15.3 Device Diagnostics This switch provides Cable Test functions for device diagnostics.
Error: If the connection status is close, open or impedance, here displays the error length of the cable. Note: The interval between two cable tests for one port must be more than 3 seconds. The result is more reasonable when the cable pair is in the open status. The test result is just for your reference.
The following entries are displayed on this screen: Ping Config Destination IP: Enter the IP address of the destination node for Ping test. Both IPv4 and IPv6 are supported. Ping Times: Enter the amount of times to send test data during Ping testing. The default value is recommended.
15.5 DLDP DLDP Overview DLDP (Device Link Detection Protocol) is a Layer 2 protocol that enables devices connected through fiber or twisted-pair Ethernet cables to monitor the physical configuration of the cables and detect whether a unidirectional link exists. When a unidirectional link appears, the local device can receive packets from the peer device through the link layer, but the peer device cannot receive packets from the local device.
DLDP Process Figure 15-10 The process is illustrated below: (1) When DLDP is enabled on the link in down state, the DLDP link state will transit to Inactive. (2) When the DLDP-enabled link is up, the DLDP link state will transit to Active. The device will ...
Choose the menu Maintenance→DLDP→DLDP to load the following page. Figure 15-11 DLDP Config The following entries are displayed on this screen: Global Config DLDP State: Enable/Disable the DLDP function globally. Adver Interval: Configure the interval to send advertisement packets, ranging from 1 to 30 seconds.
Web Refresh State: Enable/Disable the web automatic refresh function. Web Refresh Interval: Configure the interval to refresh the web page, ranging from 1 to 100 seconds, and the default value is 5 seconds. Port Config Port Select: Click the Select button to quick-select the corresponding port based on the port number you entered.
Data bits: 8 Parity: none Stop bits: 1 Flow control: none 3) The DOS prompt “T2500G-10TS>” will appear after pressing the Enter button as shown in Figure 16-2. It indicates that you can use the CLI now.
Figure 16-2 Open Hyper Terminal 3. Download Firmware via bootUtil menu To download firmware to the switch via FTP function, you need to enter into the bootUtil menu of the switch and take the following steps. 1) Connect the console port of the PC to the console port of the switch and open hyper terminal.
The detailed command is shown as the following figure. Enter the command and press Enter. [TP-LINK]: ftp host 10.10.70.146 user 123 pwd 123 file t2500_28tc _up.bin 5) Enter the upgrade command and press Enter to upgrade the firmware. After a while, the prompt “You can only use the port 1 to upgrade”...
Appendix A: Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the devices system files, and the name of the boot file.
Generic Multicast Registration Protocol (GMRP) GMRP allows network devices to register end stations with multicast groups. GMRP requires that any participating network devices or end stations comply with the IEEE 802.1p standard. Group Attribute Registration Protocol (GARP) See Generic Attribute Registration Protocol. IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
Multicast Switching A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast group. Layer 2 Data Link layer in the ISO 7-Layer Data Communications Protocol. This is related directly to the hardware interface for network devices and passes on traffic based on MAC addresses.
Rapid Spanning Tree Protocol (RSTP) RSTP reduces the convergence time for network topology changes to about 10% of that required by the older IEEE 802.1D STP standard. Secure Shell (SSH) A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch.