ZyXEL Communications GS2210 series Handbook


Switch Series
Firmware Version 4.50
Edition 04/2018
Handbook
Default Login Details: LAN Port IP Address https://192.168.1.1, User Name admin, Password 1234
www.zyxel.com
Copyright © 2018 ZyXEL Communications Corporation


Summary of Contents for ZyXEL Communications GS2210 series

  • Page 2 Classifications of Zyxel switches: L2 switches: GS2210/XGS2210/GS1920/XGS1930 series; L2+ switches: XGS3700/GS3700 series; L3 switches: XGS4600 series.
  • Page 3: Table Of Contents

    Contents: Basic principles for network management, 9; 1.1 How to use the Wizard function, 9; 1.1.1 Basic, 11; 1.1.2 Protection, 13; 1.1.3 VLAN, 15; 1.1.4 QoS, 16; 1.2 How to customize your default configuration, 17; 1.2.1 Configuration on Switch ...
  • Page 4 1.9.1 Change the default administrator password, 45; 1.9.2 Test the Result, 46; 1.10 How to configure a whitelist for remote management to prevent unauthorized access, 47; 1.10.1 Configure the whitelist of the remote management, 48; 1.10.2 Test the Result ...
  • Page 5 3.1.4 Test the Result, 96; 3.1.5 What Could Go Wrong, 97; 3.2 How to configure RSTP in a ring topology, 98; 3.2.1 Configure Switch, 99; 3.2.2 Test the Result, 102; 3.2.3 What Could Go Wrong, 104; 3.3 How to configure VRRP to provide hosts with a redundant gateway ...
  • Page 6 4.3.1 Configure Switch, 135; 4.3.2 Test the Result, 136; Network Security, 137; 5.1 How to configure the port security to limit the number of connected devices, 137; 5.1.1 Configure Switch-1, 138; 5.1.2 Test the Result, 139; 5.1.3 What Could Go Wrong ...
  • Page 7 5.6.4 What Could Go Wrong?, 173; 5.7 How to configure the switch to prevent ARP spoofing, 175; 5.7.1 Configuration in the Switch, 176; 5.7.2 Test the Result, 178; 5.7.3 What Could Go Wrong?, 179; 5.8 How to Configure the Switch to Protect Against Rogue DHCP Servers ...
  • Page 8 6.3.5 What Could Go Wrong, 212; Implementing PoE, 213; 7.1 How the PoE LED works, 213; 7.1.1 Meanings of PoE LED, 214; 7.1.2 Examples, 215.
  • Page 9: Basic Principles For Network Management

    Basic principles for network management 1.1 How to use the Wizard function The Wizard is a new function which provides an easier and faster way for users to set up switches. The wizard includes four often-used basic settings, which are: Basic ...
  • Page 10 Note: 1. Applying configurations made in the Wizard menu will cause all other configurations not supported in the Wizard to return to default settings. 2. Original VLAN configurations set on the Web GUI will NOT be merged into the Wizard. The following example was tested using XGS1930-28HP (Firmware Version: V4.50).
  • Page 11: Basic

    1.1.1 Basic 1 In IP, users can configure the switch management IP address, Subnet Mask, Gateway and DNS server. 2 In Password, users can change the administrator password as well as configure SNMP settings. We can configure passwords for the Get, Set and Trap communities.
  • Page 12 3 In Link Aggregation, users can configure link aggregation settings with a maximum of 5 trunks. 4 In Summary, users can confirm the final settings on this page.
  • Page 13: Protection

    1.1.2 Protection 1 By using Loop Guard, users can prevent loops from happening. 2 In Broadcast Storm Control, users can limit broadcast traffic by pkt/s.
  • Page 14 3 In Summary, we can confirm the settings of Loop Guard and Broadcast Storm Control.
  • Page 15: Vlan

    1.1.3 VLAN 1 We can use the Wizard to set up VLANs in a faster and easier way. Users can configure 5 VLANs.
  • Page 16: Qos

    1.1.4 QoS Users can configure QoS as High, Medium and Low to divide packets into different priorities. The meanings of High, Medium and Low are: High: Priority = 5; Medium: Priority = 3; Low: Priority = 1.
  • Page 17: How To Customize Your Default Configuration

    1.2 How to customize your default configuration This example shows administrators how to define your own configuration as the default configuration. Sometimes, when users configure settings on the switch, they might accidentally change settings that could cause service downtime. However, it might be difficult to recover in a short time because too many changes have been made.
  • Page 18 Condition in which the network works fine Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using XGS1930-28HP (Firmware Version: V4.50).
  • Page 19: Configuration On Switch

    1.2.1 Configuration on Switch 1 After making sure the running configuration works fine, enter the web GUI and go to Menu Management > Maintenance > Save Configuration > Custom Default. The running configuration will be saved to Custom Default.
  • Page 20: Test The Result

    1.2.2 Test the Result If a customer accidentally deletes the IP interface in VLAN 200 (192.168.200.1), Switch-B will not be able to ping Switch. Users can use two methods to restore Switch to Custom Default and prevent service downtime. 1 Hardware button Press and hold down the RESTORE button on the panel for 3 ~ 6 seconds until the Power LED blinks green.
  • Page 21 2 Web GUI Go to Menu Management > Maintenance > Reboot System > Custom Default.
  • Page 22: How To Change The Switch Management Ip Address To Avoid Accessing The Wrong Device

    1.3 How to change the switch management IP address to avoid accessing the wrong device This example shows administrators how to use the Web GUI to manage the IP addresses of the switches and prevent administrators from unintentionally accessing the wrong devices. As shown below, there are two switches in the environment.
  • Page 23 3 Open a browser (IE, Chrome, Safari, Firefox, etc.). Go to http://192.168.1.1 (the default management IP address). Key in “username: admin; password: 1234” and log in.
  • Page 24: Test The Result

    4 Enter the webpage and go to Menu > Basic Setting > IP Setup > IP Configuration. Set the IP address you prefer, for example 192.168.1.2. Then click Add. 5 Log back in using the new IP address 192.168.1.2. After logging in again, remember to click the Save icon to save the new configuration.
  • Page 25: How To Configure The Switch With A Device Name To Avoid Accessing The Wrong Device

    1.4 How to configure the switch with a device name to avoid accessing the wrong device This example shows administrators how to use the Web GUI to manage the device name and avoid accessing the wrong devices. As shown below, the PC connects to Switch-1 in the environment.
  • Page 26: Configuration In Switch-1

    1.4.1 Configuration in Switch-1 1 Enter the web GUI and go to Menu > Basic Setting > General Setup. Change the System Name (Switch-1 in this example) and click Apply. 2 Click “Save” to save the configuration.
  • Page 27: Test The Result

    1.4.2 Test the Result Enter the web GUI and you will see the switch information page. Check whether the System Name is the name you configured (Switch-1 in this example).
  • Page 28: How To Configure The Switch To Update The Time From An Ntp Server

    1.5 How to configure the switch to update the time from an NTP server This example shows administrators how to use an NTP server to update the system time of the switch. As shown below, the PC connects to Switch and Switch connects to the USG in the environment.
  • Page 29: Configuration In Switch

    1.5.1 Configuration in Switch 1 Enter the web GUI and go to Menu > Basic Setting > IP Setup > IP Configuration. Set the default Gateway as the USG IP: 192.168.1.1. Then click “Apply”. 2 Go to Menu > Basic Setting > General Setup. Select “Use Time Server when Bootup”...
  • Page 30: Test The Result

    1.5.2 Test the Result 1 Go to Menu > Basic Setting > General Setup. Both the Current Time and Current Date should be the current time in your location. If the current time is not updated to the correct time, click “Refresh”.
  • Page 32: What Could Go Wrong

    1.5.3 What could go wrong? 1 The Switch may not be able to reach the NTP Server. Follow these steps to test whether the NTP Server is reachable. Go to Menu > Management > Diagnostic. Select IPv4 as in-band and type the IP address of the NTP Server (216.239.35.12) into the IP Address field.
  • Page 33: How To Configure The Switch To Backup Events On A Syslog Server

    1.6 How to configure the switch to back up events on a SYSLOG server The example shows administrators how to set up the switch to send system log events to a remote syslog server. Upload the syslog automatically to the server Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 34: Configure The Switch-1

    1.6.1 Configure the Switch-1 1 Enter the web GUI and go to Menu > Management > Syslog Setup > Syslog Server Setup. Activate the syslog server setup and set the server IP address. In this example, it is 192.168.1.200.
  • Page 35 3 Click Save to save the configuration.
  • Page 36: Test The Result

    1.6.2 Test the Result 1 Unplug PC-1 from the switch and plug it back in. 2 The Syslog Server should receive an event log from the switch. 3 We can also check the directory (“C:\app\Tftpd64” in this example) to find out whether a text file has been created on the Syslog Server.
  • Page 37: What Could Go Wrong

    1.6.3 What could go wrong? 1 If Switch-1 and the Syslog Server are in different subnets, remember to set the default gateway so that Switch-1 and the Syslog Server can communicate with each other. 2 Confirm that the service port numbers on Switch-1 and the Syslog Server are the same.
  • Page 38: How To Configure The Switch With A Port Name To Quickly Identify Directly Connected Devices

    1.7 How to configure the switch with a port name to quickly identify directly connected devices The example shows administrators how to configure the switch with a port name to quickly identify directly connected devices. By doing this, administrators can quickly identify which port connects to which device, location, or section of the network.
  • Page 39: Configure Switch-1

    1.7.1 Configure Switch-1 1 Enter the web GUI and go to Menu > Basic Setting > Port Setup. Type the name of each directly connected device in the Name field of the corresponding port. For example, you can type Switch-2 for port 2 and AP for port 3. Then click “Apply”. 2 Click Save to save the configuration.
  • Page 40: Test The Result

    1.7.2 Test the Result 1 Go to Menu > Maintenance > Port Status. You will see the names you typed in the Name column.
  • Page 41: How To Collect The Diagnostic Info

    1.8 How to collect the Diagnostic Info The example shows local administrators how to collect the Diagnostic Info via the web GUI. The Diagnostic Info is a set of logs that includes useful information such as System Information, CPU utilization history, system logs and debug reports for issue analysis.
  • Page 42: Collect The Diagnostic Info From Web Gui

    1.8.1 Collect the Diagnostic Info from web GUI 1 Enter the web GUI and go to Menu > Management > Maintenance > Tech-Support > Click Here. Click the Download button for All. You can also select the specific Diagnostic Info you need (e.g. Crash, ROM, ...).
  • Page 43: Test The Result

    1.8.2 Test the Result 1 Open the file and you can view the Diagnostic Info. (In this example, we use Notepad++ to open the .txt file.)
  • Page 44: How To Change The Default Administrator Password

    1.9 How to change the default administrator password The example shows administrators how to change the default administrator password used for management access. Failure to change the default administrator password is a security risk that allows unauthorized users to access your device’s management. Change the default administrator password Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 45: Change The Default Administrator Password

    1.9.1 Change the default administrator password 1 Enter the web GUI and go to Menu > Management > Access Control > Logins > Click Here. Enter the Old Password and New Password. Then click “Apply”. 2 After clicking “Apply”, the browser will show a message similar to the one below.
  • Page 46: Test The Result

    1.9.2 Test the Result 1 Close the web GUI and log in again with the OLD password. The “Authentication Required” window will pop up again. 2 Use the new password to log in. The Switch-1 web GUI should be accessible.
  • Page 47: How To Configure A Whitelist For Remote Management To Prevent Unauthorized Access

    1.10 How to configure a whitelist for remote management to prevent unauthorized access The example shows administrators how to configure a whitelist of host devices that prevents attempted access from unauthorized devices or subnets. The whitelist inspects the source IP addresses of hosts and the types of services accessing the switch (e.g. Telnet, FTP, HTTP, ...).
  • Page 48: Configure The Whitelist Of The Remote Management

    1.10.1 Configure the whitelist of the remote management 1 Enter the web GUI and go to Menu > Management > Access Control > Remote Management > Click Here using AdministratorPC. Enter the range of IP addresses and the corresponding types of services that are allowed to access the Switch.
  • Page 49: Test The Result

    1.10.2 Test the Result 1 In this setting, the range 192.168.10.100-192.168.10.120 is allowed to access the Switch by all protocol types EXCEPT HTTP. Therefore, if we use PC-1 (192.168.10.100) to access the Switch by HTTP, the Switch will refuse the connection. If we try to access the web GUI by HTTPS (enter https://192.168.10.1), PC-1 can connect to the Switch successfully.
  • Page 50: What Could Go Wrong

    1.10.3 What could go wrong? 1 The same IP address is configured in more than one entry, but with different settings. The logic rule of the whitelist is OR. For example, if we set the ranges of IP addresses shown below, 192.168.10.120 is accidentally set up twice. The result is that all types of services are ALLOWED for 192.168.10.120.
  • Page 51: How To Configure Dhcp Auto-Configuration

    1.11 How to configure DHCP auto-configuration The example shows how new switches are deployed across sites with unique configurations. An SI (System Integrator) would normally complete this setup by restoring switch configurations before handing over the switch to the customer. However, there is a possibility that the restored configuration was for a different site.
  • Page 52 Note: DHCP Auto-configuration is only supported by L2: GS2210 series firmware version: 4.50. The client/server environment must have a correctly set up DHCPv4 server and TFTP server for the auto-configuration feature to work properly.
  • Page 53: Dhcp Auto-Configuration Flow

    1.11.1 DHCP auto-configuration flow 1.11.2 Configure DHCP auto-configuration Install a TFTP server, for example the commonly used free “Tftpd” software. Set the Current Directory to the path where the configuration file is stored, select the correct Server interface IP, then click Settings.
  • Page 54 Enter the Global field and check the TFTP server box.
  • Page 55 Go to the TFTP server tab and specify the path of the configuration file, then click OK to save the configuration.
  • Page 56 For the DHCP server we’ve used the “haneWIN” software for the test, to show the difference between with and without a class-ID. First, create a new profile: Option > Manage Profiles. Click Add and specify a profile name “TEST”, then click OK.
  • Page 57 In the Basic Profile, select the TFTP server IP from the Interface IP Address and configure the DHCP IP Address Pool. Enter the Boot tab to instruct where the DHCP client can download its configuration file. Fill in the TFTP server IP in the Next Server IP Address. Fill in the filename “config_GS2210_1.log”...
  • Page 58 class-ID “ZyxelCorp”. Click OK to save the settings. Note: If the Vendor Class-ID is not enabled, the server will only send “config_GS2210_1.log”, which is used as a default switch configuration. The server will only send “config_GS2210.log” when it receives a DHCP packet with Class-ID “ZyxelCorp”.
  • Page 59 Enter the web GUI and go to: Management > Maintenance > Auto Configuration. Check the Active box and choose DHCP, then click Apply to save the settings. 10 Go to Basic Setting > IP Setup, choose DHCP Client and check Option-60.
  • Page 60: Test The Result

    Note: The DHCP server and switch Class-ID must have the same settings to work properly. 1.11.3 Test the Result Connect a console cable to the switch. Input the command show running-config via the CLI to check the initial configuration. Reboot the switch. It will automatically download the configuration from the TFTP server and update the switch’s
  • Page 61 configuration. Enter web GUI Management > System Log to verify the result. Enter the web GUI and go to Management > Maintenance > Auto Configuration to verify the auto-configuration status. With Class-ID:
  • Page 62 Without Class-ID: Enter web GUI Management > Maintenance > Backup Configuration to download and verify the config file. With Class-ID:
  • Page 63 Without Class-ID:
  • Page 64: What Could Go Wrong

    1.11.4 What Could Go Wrong If you encounter an error message like the one in the screenshot below, check the following: Check the IP interface settings on the TFTP server, and make sure that the server IP is correct. The TFTP server IP configured in the DHCP server settings must be the same.
  • Page 65: Designing The Local Area Network

    Designing the Local Area Network 2.1 How to configure the switch to separate traffic between departments using VLAN The example shows administrators how to set up the switch to separate traffic between departments. Using Static VLAN, hosts in a VLAN will only be able to communicate with hosts in the same VLAN.
  • Page 66: Configure Switch-1

    2.1.1 Configure Switch-1 1 Use AdministratorPC to set VLAN 1 in Switch-1: Port 1, 2 as Normal port (this prevents VLAN 1 from broadcasting packets to ports 1 and 2). Enter the web GUI and go to Menu > Advanced Application > VLAN >...
  • Page 67 3 Use AdministratorPC to create VLAN 20 in Switch-1: Enter the web GUI and go to Menu > Advanced Application > VLAN > VLAN Configuration > Static VLAN Setup. Check the “ACTIVE” box. Type the Name and VLAN Group ID=20. Select ports 2, 5 as Fixed, uncheck Tx Tagging (Untagged) on port 2 and check Tx Tagging (Tagged) on port 5.
  • Page 68 4 Set the PVID on Switch-1: Go to Menu > Advanced Application > VLAN > VLAN Configuration > VLAN Port Setup. Set port 1 as PVID=10 (VLAN 10) and port 2 as PVID=20 (VLAN 20).
  • Page 69: Configure Switch-2

    2.1.2 Configure Switch-2 1 Use AdministratorPC to set VLAN 1 in Switch-2: Port 3, 4 as Normal port (this prevents VLAN 1 from broadcasting packets to ports 3 and 4). Enter the web GUI and go to Menu > Advanced Application >...
  • Page 70 3 Use AdministratorPC to create VLAN 20 in Switch-2. Enter the web GUI and go to Menu > Advanced Application > VLAN > VLAN Configuration > Static VLAN Setup. Check the “ACTIVE” box. Type the Name and VLAN Group ID=20. Select ports 4, 5 as Fixed, uncheck Tx Tagging (Untagged) on port 4 and check Tx Tagging (Tagged) on port 5.
  • Page 71: Test The Result

    2.1.3 Test the Result 1 PCs in the same VLAN can ping each other. PC-1 can ping PC-3 successfully, but PC-1 cannot ping PC-2. 2 PC-2 can ping PC-4 successfully, but PC-2 cannot ping PC-3.
  • Page 72: How To Configure The Switch To Route Traffic Across Vlans

    2.2 How to configure the switch to route traffic across VLANs The purpose of VLANs is to isolate one broadcast domain from another. If we would like hosts from different VLANs to communicate with each other, we have to set the switch to route traffic. The example shows how to configure the switch to route traffic from one VLAN to another.
  • Page 73: Configure Vlan 10

    2.2.1 Configure VLAN 10 1 Use AdministratorPC to create VLAN 10. Enter the web GUI and go to Menu > Advanced Application > VLAN > VLAN Configuration > Static VLAN Setup. Check the ACTIVE box. Type the Name and VLAN Group ID=10. Select port 1 as Fixed and uncheck Tx Tagging (Untagged).
  • Page 74 3 Create a Static IP Address for Switch in VLAN 10 (to be the gateway in VLAN 10): Go to Menu > Basic Setting > IP Setup > IP Configuration > IP Interface. Set the Static IP Address 192.168.10.1 for Switch in VLAN 10. Click “Add”.
  • Page 75: Configure Vlan 20

    2.2.2 Configure VLAN 20 1 Create VLAN 20. Follow the same steps. Go to Menu > Advanced Application > VLAN > VLAN Configuration > Static VLAN Setup. Check the ACTIVE box. Type the Name and VLAN Group ID=20. Select port 2 as Fixed and uncheck Tx Tagging (Untagged).
  • Page 76 3 Create a Static IP Address for Switch in VLAN 20 (to be the gateway in VLAN 20). Go to Menu > Basic Setting > IP Setup > IP Configuration > IP Interface. Set the Static IP Address 192.168.20.1 for Switch in VLAN 20. Click “Add”.
  • Page 77: Set The Gateway On Pc-1 And Pc-2

    2.2.3 Set the gateway on PC-1 and PC-2 1 Set the Gateway of PC-1 as 192.168.10.1 (the Static IP Address of Switch in VLAN 10).
  • Page 78 2 Set the Gateway of PC-2 as 192.168.20.1 (the Static IP Address of Switch in VLAN 20).
  • Page 79: Test The Result

    2.2.4 Test the Result 1 PC-1 can ping PC-2 successfully.
  • Page 80: What Could Go Wrong

    2.2.5 What could go wrong 1 If PC-1 cannot reach PC-2: a. Verify that PC-1 is not using the same subnet as PC-2. b. Verify that the default gateways of PC-1 and PC-2 match the Switch’s IP interface on their respective VLANs.
  • Page 81: How To Configure The Switch To Perform Dhcp Service In A Vlan

    2.3 How to configure the switch to perform DHCP service in a VLAN The example shows administrators how to configure the switch to provide dynamic IP addresses to hosts in each VLAN. Perform DHCP service in different VLANs Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 82: Configure Vlan 10

    2.3.1 Configure VLAN 10 1 Use AdministratorPC to create VLAN 10. Enter the web GUI and go to Menu > Advanced Application > VLAN > VLAN Configuration > Static VLAN Setup. Check the ACTIVE box. Type the Name and VLAN Group ID=10. Select port 1 as Fixed and uncheck Tx Tagging (Untagged).
  • Page 83 3 Create a Static IP Address for Switch in VLAN 10 (the IP Address to be the DHCP Server in VLAN 10): Go to Menu > Basic Setting > IP Setup > IP Configuration > IP Interface. Set the Static IP Address 192.168.10.1 for Switch in VLAN 10.
  • Page 84: Configure Vlan 20

    2.3.2 Configure VLAN 20 1 Create VLAN 20. Follow the same steps. Go to Menu > Advanced Application > VLAN > VLAN Configuration > Static VLAN Setup. Check the ACTIVE box. Type the Name and VLAN Group ID=20. Select port 2 as Fixed and uncheck Tx Tagging (Untagged).
  • Page 85 3 Create a Static IP Address for Switch in VLAN 20 (the IP Address to be the DHCP Server in VLAN 20): Go to Menu > Basic Setting > IP Setup > IP Configuration > IP Interface. Set the Static IP Address 192.168.20.1 for Switch in VLAN 20.
  • Page 86: Configure The Switch And Pc

    2.3.3 Configure the Switch and PC 1 Set up the DHCP Server in VLAN 10: Go to Menu > IP Application > DHCP > DHCPv4 > Click Here > VLAN. Set the VID (VLAN of PC-1) and DHCP Status as Server. The Client IP Pool Starting Address is the first IP Address the Switch will assign to DHCP clients.
  • Page 87 2 Set up the DHCP Server in VLAN 20: Go to Menu > IP Application > DHCP > DHCPv4 > Click Here > VLAN. Set the VID (VLAN of PC-2) and DHCP Status as Server. The Client IP Pool Starting Address is the first IP Address the Switch will assign to DHCP clients.
  • Page 88 3 Set PC-1 and PC-2 as DHCP clients by configuring IPv4 to “Obtain an IP Address automatically”.
  • Page 89: Test The Result

    2.3.4 Test the Result 1 PC-1 can get the IP Address assigned by Switch successfully. We can check this by using the command “ipconfig” in the command prompt. PC-1 will get an IP address in the range 192.168.10.11-192.168.10.20 and the gateway is 192.168.10.1. 2 PC-2 can get the IP Address assigned by Switch successfully.
  • Page 90: What Could Go Wrong

    2.3.5 What Could Go Wrong 1 If some devices are no longer receiving a dynamic IP address from the DHCP server, consider increasing the Size of Client Pool. 2 If you want to surf the Internet using a URL or domain name, remember to set up a DNS Server.
  • Page 91: Improving Network Reliability

    www.zyxel.com Improving Network Reliability 3.1 How to configure a stacked switch to ensure high server availability The example shows administrators how to configure a stacked switch to ensure high server availability. In this example, we stack Switch-1 and Switch-2 into one logical switch. By stacking the switch together, even if one switch goes offline, clients can still reach the server.
  • Page 92: Configure Switch-1 And Switch-2 For Stacking

    www.zyxel.com 3.1.1 Configure Switch-1 and Switch-2 for Stacking 1 Set up Switch-1: Enter the web GUI and go to Menu > Basic Setting > Stacking > Configuration. Key in the system priority (The higher the number is, the higher priority it is to become a master) and click “Apply”.
  • Page 93 www.zyxel.com 3 Connect Switch-1 and Switch-2 together on port 32 using a 10-Gigabit transceiver. Note: The last two ports are usually reserved for stacking channels when the switch is in stacking mode. These are ports 31 and 32 for the XGS4600-32 switch.
  • Page 94: Configure Link Aggregation On Stacked Switch

    www.zyxel.com 3.1.2 Configure Link Aggregation on Stacked switch 1 Connect to the stacked switch. Enter web GUI and go to Menu > Advanced Application > Link Aggregation > Link Aggregation Setting. Active T1 and T2. Select SLOT 1 and set the Group of port 1/1 and 1/2 as T1 and T2, respectively.
  • Page 95: Configure Link Aggregation On Switch-3

    www.zyxel.com 3.1.3 Configure Link Aggregation on Switch-3 1 Go to Menu > Advanced Application > Link Aggregation > Link Aggregation Setting. Check the Active box for T1 and select the port 1 and 2 as Group T1. Click “Apply”. 2 Go to Menu > Advanced Application > Link Aggregation > Link Aggregation Setting >LACP.
  • Page 96: Test The Result

    www.zyxel.com 3.1.4 Test the Result 1 Configure Link Aggegation between the Server’s two NIC and connect these ports to port 1/2 and 2/2 of the stacked switch. 2 Use PC to ping the Server (192.168.1.40). After few times of ping, try to shut down Switch-1 (Master down). The ping will display “timed out”...
  • Page 97: What Could Go Wrong

    www.zyxel.com 3.1.5 What Could Go Wrong 1 The stacking ports are usually the last 2 ports of the switch. If you connect the two switches using a non-stacking port, you will find that the two switches will not form a stacking system. 2 Remember to save the configuration before doing the test.
  • Page 98: How To Configure Rstp In A Ring Topology

    www.zyxel.com 3.2 How to configure RSTP in a ring topology The example shows administrators how to set up RSTP (Rapid Spanning Tree Protocol) in the ring topology to implement network redundancy. Configure RSTP in a ring topology Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks.
  • Page 99: Configure Switch

    www.zyxel.com 3.2.1 Configure Switch 1 Make sure that the link between Switch-2 and Switch-3 is not connected to prevent unintended loops before finishing the RSTP setup. 2 Set up Switch-1: Enter the web GUI. Go to Menu > Advanced Application > Spanning Tree Protocol > Configuration. Check if the Spanning Tree Configuration is Rapid Spanning Tree.
  • Page 100 www.zyxel.com 4 Set up Switch-2: Enter the web GUI. Go to Menu > Advanced Application > Spanning Tree Protocol > Configuration. Check if the Spanning Tree Configuration is Rapid Spanning Tree. If not, select it and click “Apply”. 5 Set up Switch-2: Enter the web GUI. Go to Menu > Advanced Application >...
  • Page 101 www.zyxel.com 8 Finally, connect the link between Switch-2 and Switch-3. 101/215...
  • Page 102: Test The Result

    www.zyxel.com 3.2.2 Test the Result 1 Verify the status of Switch-1: Go to Menu > Advanced Application > Spanning Tree Protocol. The Root Bridge ID and the Our Bridge ID should be the same. This means that Switch-1 is the Root Bridge. Both port 1 and 2 should be in FORWARDING state, while both their Port Roles are Designated Ports.
  • Page 103 www.zyxel.com 3 Verify the status of Switch-3: Go to Menu > Advanced Application > Spanning Tree Protocol. Check the port status of Switch-3. Port 1 should be the Root Port in FORWARDING state, while Port 2 is an Alternate Port in DISCARDING state. 103/215...
  • Page 104: What Could Go Wrong

    www.zyxel.com 3.2.3 What Could Go Wrong 1 If your Root Bridge is not the device you expected: a. Decrease the Spanning Tree priority of this device. b. Increase the Spanning Tree priority of the other devices. The switch with the LOWEST bridge priority will be the Root Bridge.
  • Page 105: How To Configure Vrrp To Provide Hosts With A Redundant Gateway

    www.zyxel.com 3.3 How to configure VRRP to provide hosts with a redundant gateway This example shows how to configure gateway redundancy. Virtual Router Redundancy Protocol (VRRP) is a feature that allows two gateways to use the same IP address. This allows hosts in the local network continues access to the Internet in the event of a failure on one of the gateways.
  • Page 106: Configuration In The Gateway-A

    3.3.1 Configuration in the Gateway-A 1 Access Gateway-A’s web GUI. 2 Go to Advance Application > VLAN > VLAN Configuration > Static VLAN Setup. Create/Edit VLAN 1 to make sure only Port 23 is a fixed port. Click Add. 3 Go to Advance Application >...
  • Page 107 4 Go to Advance Application > VLAN > VLAN Configuration > VLAN Port Setup. Configure port 24 with PVID 10. Click Apply. 5 Go to Basic Setting > IP Setup. Configure the IP address for VLAN 1. Click Add and do the same for VLAN 10. 6 Go to Basic Setting >...
  • Page 108 7 Go to IP Application > VRRP > Configuration. Enable VRRP for network “192.168.1.252/24”. Make sure that the priority is “200”. Click Add.
  • Page 109: Configuration In The Gateway-B

    3.3.2 Configuration in the Gateway-B 1 Access Gateway-B’s web GUI. 2 Go to Advance Application > VLAN > VLAN Configuration > Static VLAN Setup. Create/Edit VLAN 1 to make sure only Port 23 is a fixed port. Click Add. 3 Go to Advance Application >...
  • Page 110 4 Go to Advance Application > VLAN > VLAN Configuration > VLAN Port Setup. Configure port 24 with PVID 20. Click Apply. 5 Go to Basic Setting > IP Setup. Configure the IP address for VLAN 1. Click Add and do the same for VLAN 20. 6 Go to Basic Setting >...
  • Page 111 7 Go to IP Application > VRRP > Configuration. Enable VRRP for network “192.168.1.252/24”. Click Add.
  • Page 112: Test The Result

    3.3.3 Test the Result 1 Verify that Gateway-A is the Master VRRP Router. Go to IP Application > VRRP. VR Status should display Master. 2 Verify that Gateway-B is the Backup VRRP Router. Go to IP Application > VRRP. VR Status should display Backup. 3 Verify that Gateway-A and Gateway-B have a default route to their respective USG in Maintenance >...
  • Page 113 4 Configure the Host with a Static IP. The Host should be able to ping the virtual IP address 192.168.1.254. 5 Disconnect port 23 or port 24 of Gateway-A. Hosts should still be able to ping the virtual IP address 192.168.1.254.
  • Page 114: What Could Go Wrong

    3.3.4 What Could Go Wrong? 1 If the hosts are not able to access the Internet when Gateway-A has been disconnected from the network, the following problems may have occurred: a. Verify that the hosts and the Gateway-B IP interface are in the same subnet and VLAN.
  • Page 115: How To Configure Bandwidth Control To Limit Incoming Or Outgoing Traffic Rate

    3.4 How to configure bandwidth control to limit incoming or outgoing traffic rate This example shows administrators how to configure bandwidth control to manage traffic rates. We can limit either incoming traffic, outgoing traffic, or both. In this example, we use two computers: FTP Client (PC) and FTP Server (FTPServer).
  • Page 116: Configure Switch

    3.4.1 Configure Switch 1 Enter the web GUI. Go to Menu > Advanced Application > Bandwidth Control. Check the “Active” box. Key in the rate in Ingress Rate (PC Upload rate) = 10240 kbps and Egress Rate (PC Download rate) = 20480 kbps. Remember to check the port “Active”...
  • Page 117: Test The Result

    3.4.2 Test the Result 1 Use PC to upload a file to the FTP Server. Transfer rate should be more or less 1.2 MB/s (or 10240 Mb/s). 2 Use PC to download a file from the FTP Server. Transfer rate should be more or less 2.4 MB/s (or 20480 Mb/s).
  • Page 118: How To Configure Acl To Rate Limit Ip Traffic

    3.5 How to configure ACL to rate limit IP traffic In some networks, it is necessary to configure rate limits among VLANs. For example, VLAN 10 is for employees within the organization; VLAN 20 is for guests. By rate limiting VLAN 20, we can ensure better bandwidth or network performance for users in VLAN 10.
  • Page 119: Configure Vlan And Route Traffic

    3.5.1 Configure VLAN and Route Traffic 1 Configure the VLAN setting (VLAN 10 and VLAN 20) on Switch-1 and Switch-2 (Please refer to the topic: 2.1 How to configure the switch to separate traffic between departments). 2 Configure the route traffic on Switch-1 and Switch-2 (Please refer to the topic: 2.2 How to configure the switch to route traffic across VLANs).
  • Page 120: Configure The Classifier

    3.5.2 Configure the Classifier 1 Set up the Classifier on Switch-2: Go to Menu > Advanced Application > Classifier > Classifier Configuration. Set up 4 Classifiers: one Classifier for download and one for upload in each of VLAN 10 and VLAN 20, 4 Classifiers in total. Note: ACL causes traffic that matches the criteria of a Classifier to follow its corresponding Policy Rule.
  • Page 121 3 The Classifier for upload traffic in VLAN 10: Check the “Active” box and key in the Name. Set Layer 3 > Destination as 192.168.1.100/32 (this means the destination is FTPServer) and Source as 192.168.10.0/24 (this means the source is VLAN 10). Press “Add”.
  • Page 122: Configure The Acl (Policy Rule)

    3.5.3 Configure the ACL (Policy Rule) 1 Set up the Policy Rule on Switch-2: In section 3.5.2, we created 4 Classifiers. They appear in the Policy Rule window so that we can match them. Go to Menu > Advanced Application >...
  • Page 123 3 The Policy Rule of upload in VLAN 10: Check the “Active” box and key in the Name. Select the Classifier of upload in VLAN 10 (UP10). Set up the action to take if traffic matches this Classifier: Bandwidth Metering=20480 kbps. Enable Metering and set the Out-of-profile action as “Drop the packet”.
  • Page 124: Test The Result

    3.5.4 Test the Result 1 Go to Menu > Advanced Application > Classifier. Check “Count”. If the traffic matches the classifier, the Match Count for this classifier should be increasing every time the web page refreshes. 2 Use PC-1 to download a file from the FTP Server. Transfer rate should be more or less 5 MB/s (or 40960 Mb/s).
  • Page 125 5 Use PC-2 to upload a file to the FTP Server. Transfer rate should be more or less 1.2 MB/s (or 10240 Mb/s).
  • Page 126: What Could Go Wrong

    3.5.5 What Could Go Wrong 1 When setting up the Classifier, remember to consider both the source and destination of the traffic. In the example, if we only set the source as VLAN 10 (192.168.10.0/24) for file uploads to the Server, but didn’t set the destination (Server IP: 192.168.1.150), all traffic that the PC in VLAN 10 sends to any destination will be rate limited.
  • Page 127: Designing An Iptv Network

    Designing an IPTV Network 4.1 Introduction for IGMP Before we begin designing an IPTV Network, there are 3 important concepts of Zyxel’s IGMP (Internet Group Management Protocol) and IGMP Snooping that administrators should be aware of. 4.1.1 What are General Queries and Group Specific Queries? General Query: The querier will send query messages to the multicast clients to learn which multicast groups still have active members within the network.
  • Page 128: What Are The Differences Between Igmp Snooping

    4.1.3 What are the differences between IGMP Snooping fast/normal/immediate leave? Fast leave: In fast leave mode, the switch itself sends out an IGMP Group-Specific Query (GSQ) message right after receiving an IGMP leave message from a host on a port. This determines whether other hosts connected to the port should remain in the specific multicast group.
  • Page 129: How To Configure Igmp Routing For Multicast Clients In A Different Lan

    4.2 How to configure IGMP routing for multicast clients in a different LAN The example shows administrators how to configure IGMP routing on the Zyxel Layer 3 switch. This is necessary when the multicast clients are in a different LAN or VLAN from the streaming server. Configure IGMP routing for multicast clients in different VLAN Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 130: Configure Switch-1

    4.2.1 Configure Switch-1 1 Configure the VLAN 10 on Switch-1. (Please refer to the topic: 2.1 How to configure the switch to separate traffic between departments) 2 Configure the IGMP Snooping: Enter the web GUI and go to Menu > Advanced Application > Multicast > IPv4 Multicast > IGMP Snooping.
  • Page 131: Configure Switch-2

    4.2.2 Configure Switch-2 1 Configure the VLAN 10 and VLAN 20 on Switch-2. Please refer to the topic: 2.1 How to configure the switch to separate traffic between departments. 2 Configure the IP addresses for Switch on BOTH VLAN 10 and VLAN 20 as shown in the figure.
  • Page 132: Test The Result

    4.2.3 Test the Result 1 Play the stream on MediaServer using Multicast IP address 239.1.1.2. 2 Have PC send an IGMP join message for 239.1.1.2. 3 Go to Menu > Advanced Application > Multicast > IPv4 Multicast. PC connected to port 10 joins the Multicast Group-239.1.1.2.
  • Page 133: What Could Go Wrong

    4.2.4 What Could Go Wrong 1 The Switch-2 (IGMP Router) must contain both the VLAN of MediaServer (VLAN 20) and the VLAN of the PC (Client) (VLAN 10) so that the IGMP stream can route successfully. If the stream is not received by the Client, check the configuration of the VLANs.
  • Page 134: How To Configure Igmp Snooping For Multicast Clients In The Same Lan

    4.3 How to configure IGMP Snooping for multicast clients in the same LAN The example shows administrators how to configure IGMP Snooping for multicast clients and streaming servers in the same VLAN. When MediaServer multicasts the stream, IGMP snooping allows the switch to learn multicast groups without the user having to manually configure each switch.
  • Page 135: Configure Switch

    4.3.1 Configure Switch 1 Configure the VLAN 10 on Switch. (Please refer to the topic: 2.1 How to configure the switch to separate traffic between departments). 2 Configure the IGMP Snooping: Enter the web GUI and go to Menu > Advanced Application > Multicast > IPv4 Multicast > IGMP Snooping.
  • Page 136: Test The Result

    4.3.2 Test the Result 1 Play the stream on MediaServer using Multicast IP address 239.1.1.1. 2 Have PC send an IGMP join message for 239.1.1.1. 3 Go to Menu > Advanced Application > Multicast > IPv4 Multicast. The connected port joins Multicast Group-239.1.1.1.
  • Page 137: Network Security

    Network Security 5.1 How to configure the port security to limit the number of connected devices The example shows administrators how to configure port security to limit the number of connected devices. In a real environment, port security controls the number of users connecting to a server. Configure the port security to limit the number of connected devices Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 138: Configure Switch-1

    5.1.1 Configure Switch-1 1 Enter web GUI and go to Menu > Advanced Application > Port Security. Check port 3 and set the “Limited Number of Learned MAC Address” to 2. Note: The Zyxel switch sends Link Layer Discovery Protocol (LLDP) packets periodically by default.
  • Page 139: Test The Result

    5.1.2 Test the Result 1 PC-1 can ping Server successfully. 2 Connect PC-2 to port 2. 3 PC-2 cannot ping Server. 4 Access Switch-1 web GUI. Go to Menu > Management > MAC Table > Search. The MAC Address Table should show the MAC address of PC-1 (and Switch-2), but not the MAC address of PC-2.
  • Page 140: What Could Go Wrong

    5.1.3 What Could Go Wrong 1 The MAC address of Switch-2 will also be learned in the Switch-1 MAC address table. Therefore, remember to consider Switch-2’s MAC address when setting the Limited Number of Learned MAC Address.
  • Page 141: How To Configure Mac Filter To Block Unwanted Traffic

    5.2 How to configure MAC filter to block unwanted traffic The example shows administrators how to configure MAC filter to block unwanted traffic. In this example, Switch-1 will block traffic based on which device sends the packet or which device receives the packet. Configure MAC filter to block unwanted traffic Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 142: Configure Switch-1

    5.2.1 Configure Switch-1 1 Enter web GUI and go to Menu > Advanced Application > Filtering. Check the “Active” box and set the filter Name. Choose the Action as “Discard source”. Key in the MAC you want to block and the VID. Click “Add”. Note: Use Discard source to drop traffic sent by the device with the configured MAC entry.
  • Page 143: Test The Result

    5.2.2 Test the Result 1 PC-1 (with MAC address 00:1E:33:27:04:93) fails to ping Server. 2 PC-2 can ping Server successfully.
  • Page 144: What Could Go Wrong

    5.2.3 What Could Go Wrong 1 The MAC address set on Switch-1 should be identical to the MAC address of PC-1 so that the traffic can be blocked successfully.
  • Page 145: How To Configure The Switch To Prevent Ip Scanning

    5.3 How to configure the switch to prevent IP scanning In this example, we will use Anti-ARP Scan to prevent attackers from identifying all network devices in the local area network. ARP Scanning is a method by which attackers send multiple ARP request packets in a very short period of time to flood across the entire broadcast domain.
  • Page 146: Configuration In The Switch

    5.3.1 Configuration in the Switch 1 Access the Switch’s Web GUI. 2 Go to Advance Application > Anti-Arpscan > Configure. Check the Active box and configure the uplink port (port 24) as “Trusted” state. Click Apply. -Optional- 3 Go to Advance Application > Errdisable > Errdisable Recovery.
  • Page 147: Test The Result

    5.3.2 Test the Result 1 Download and install an IP Scanning software into Host-A and Host-C. 2 Connect Host-A and Host-B via the Wireless Access Point. 3 Host-A should initiate a scan for IP address 192.168.1.1 to 192.168.1.20. 4 Host-A should no longer be able to reach the USG.
  • Page 148 5 Access the Switch’s Web GUI. Go to Advance Application > Anti-Arpscan > Host Status. An entry for Host-A should appear with an “Err-Disable” state. Note: If Errdisable Recovery has been configured, the Host-A entry should recover after the Errdisable Recovery Interval. Host-A will be able to reach the USG afterwards.
  • Page 149 9 Host-C should no longer be able to reach the USG. 10 Access the Switch’s Web GUI. Go to Advance Application > Anti-Arpscan. Port 2 should now be in an Err-disabled state. Note: If Errdisable Recovery has been configured, Port 2 state should change to forwarding after the Errdisable Recovery Interval.
  • Page 150: What Could Go Wrong

    5.3.3 What Could Go Wrong? 1 If access to servers or the local gateway is no longer possible after enabling Anti-Arpscan, make sure that only ports directly connected to hosts or Wireless Access Points are “untrusted”. Ports to servers and the local gateway should be “trusted”.
  • Page 151: How To Configure The Switch And Radius Server To Provide Network Access Through 802.1X Port Authentication

    5.4 How to Configure the Switch and RADIUS Server to Provide Network Access through 802.1x Port Authentication This example will instruct the administrator on how to configure the switch to provide access to machines that provide valid user credentials. With 802.1x Port Authentication, the organization can ensure that only authorized personnel can access core network resources.
  • Page 152: Configuration In The Switch

    5.4.1 Configuration in the Switch 1 Access the Switch’s Web GUI. 2 Go to Advance Application > AAA > RADIUS Server Setup. Configure the RADIUS server’s IP address and set the shared secret. Click Apply. Note: The shared secret must match the secret of your RADIUS server’s client profile.
  • Page 154: Configuration In The Radius-Server

    5.4.2 Configuration in the RADIUS-Server 1 Edit the client profile in /etc/freeradius/clients.conf. Save the file and exit. Note: The client IP address and secret must match the management IP and shared secret of the Switch. 2 Add the following user profiles in /etc/freeradius/users. Save the file and exit.
  • Page 155: Test The Result

    5.4.3 Test the Result 1 Access User-A, User-B, and Guest device. 2 If using Windows OS, click the Start button and type services.msc into the search box. 3 In the Services window, locate the service named Wired AutoConfig. Make sure the service status is “Started”. 4 Right-click on your network adapter and select Properties.
  • Page 156 5 Click on the Authentication tab and check “Enable IEEE 802.1X authentication”. Make sure that the network authentication method is Microsoft: Protected EAP (PEAP). 6 Click on Additional Settings, select Specify authentication mode and specify User authentication.
  • Page 157 7 Connect User-A device to the Switch. User-A should show an “Additional information is needed to connect to this network.” pop-up message. 8 Enter the username (User-A) and password (zyxeluserA) which must be consistent with the RADIUS-Server’s user profile settings.
  • Page 158 11 Enter the username (Guest) and a random password. 12 Device using Guest credentials cannot communicate with USG and Private-Server.
  • Page 159: What May Go Wrong

    5.4.4 What May Go Wrong? 1 If the Switch does not allow access to users that submitted the correct credentials, the following problems may have occurred: a. Usernames and passwords are case-sensitive. Make sure that the user input the correct lower-case or upper-case characters.
  • Page 160: How To Configure The Switch To Send Unauthorized Users In A Guest Vlan

    5.5 How to configure the switch to send unauthorized users in a guest VLAN The example shows administrators how to use Guest VLAN for users that fail authentication or use invalid user credentials during 802.1x port authentication. In a real application, we may need to allow guests to access the USG so that they can access the Internet, while still keeping them isolated from Private-Server.
  • Page 161: Configure 802.1X Port Authentication On The Switch

    5.5.1 Configure 802.1x Port Authentication on the Switch 1 Configure 802.1x on all ports towards users. Do not enable Port Authentication on ports to the USG, RADIUS-Server, and Private-Server. To configure Port Authentication, please refer to the topic: 5.4 How to Configure the Switch and RADIUS Server to Provide Network Access through 802.1x Port Authentication.
  • Page 162: Configure The Radiusserver

    5.5.4 Configure the RadiusServer 1 Edit the client profile in /etc/freeradius/clients.conf. Save the file and exit. Note: The client IP address and secret must match the management IP and shared secret of the Switch. 2 Add the following user profiles in /etc/freeradius/users. Save the file and exit.
  • Page 163: Configure The Setting On User-A, User-B And Guest

    5.5.5 Configure the setting on User-A, User-B and Guest 1 In the Services window, locate the service named Wired AutoConfig. Make sure the service status is “Started”. 2 Right-click on your network adapter and select Properties. Click on the Authentication tab and check “Enable IEEE 802.1X authentication”.
  • Page 164 3 Click on Additional Settings, select Specify authentication mode and specify User authentication.
  • Page 165: Test The Result

    5.5.6 Test the Result 1 Disconnect and connect the PC with Switch. PC should show an “Additional information is needed to connect to this network.” pop-up message. 2 Enter the username (User-A) and password (zyxeluserA) which must be consistent with the RADIUS-Server’s user profile settings.
  • Page 166 7 Check the MAC table of the Switch. The devices of users with wrong credentials are assigned to VLAN 100. (Menu > Management > MAC Table > Search)
  • Page 167: What Could Go Wrong

    5.5.7 What Could Go Wrong 1 If the PC doesn’t pop up the authentication message after connecting the PC to the switch: a. Try to use the Switch to ping Radius-Server. The Switch should be able to ping Radius-Server. b.
  • Page 168 4 If devices sent to the Guest VLAN cannot reach the USG, make sure that the switch has created and configured the Guest VLAN in Advance Application > VLAN > VLAN Configuration > Static VLAN Setup.
  • Page 169: How To Configure The Switch And Radius Server To Provide Network Access Through Device Mac Address

    5.6 How to Configure the Switch and RADIUS Server to Provide Network Access through Device MAC Address This example will instruct the administrator on how to configure the switch to provide access to machines with specific MAC addresses. With MAC Authentication, the organization can ensure that only devices provided by the organization can access internal resources.
  • Page 170 2 Go to Advance Application > AAA > RADIUS Server Setup. Configure the RADIUS server’s IP address and set the shared secret. Click Apply. Note: The shared secret must match the secret of your RADIUS server’s client profile. 3 Go to Advance Application > Port Authentication > MAC Authentication.
  • Page 171: Configuration In The Radius-Server

    ports connected to either the USG, RADIUS-Server, or Private-Server. 5.6.2 Configuration in the RADIUS-Server 1 Edit the client profile in /etc/freeradius/clients.conf. Save the file and exit.
  • Page 172: Test The Result

    Note: The client IP address and secret must match the management IP and shared secret of the Switch. 2 Add the following user profiles in /etc/freeradius/users. Username format should be <Name Prefix><MAC Address of your device>. Save the file and exit. 3 Restart FreeRADIUS service.
  • Page 173: What Could Go Wrong

    2 PC-A and PC-B should be able to reach the USG and Private-Server. 3 PC-Guest should not be able to reach the USG and Private-Server. 5.6.4 What Could Go Wrong? 1 If the Switch does not allow access to authorized devices: a.
  • Page 174 upper-case characters of the device’s MAC Address separated by dashes (-) instead of colons (:). b. Machines like laptops or notebooks have more than one MAC address (LAN, Wireless, etc). Make sure that the correct MAC address is used in the RADIUS-Server’s user profile.
  • Page 175: How To Configure The Switch To Prevent Arp Spoofing

    5.7 How to configure the switch to prevent ARP spoofing This example will instruct the administrator on how to configure the switch to protect the network from attackers using the same IP Addresses as core network components (e.g. servers or gateways). ARP Spoofing is a type of attack that can cause either denial of service or an unwanted man-in-the-middle receiving sensitive information.
  • Page 176: Configuration In The Switch

    5.7.1 Configuration in the Switch 1 Access the Switch’s Web GUI. 2 Configure DHCP Snooping (Refer to section 5.6.1). Note: DHCP Snooping must be enabled before configuring ARP Inspection. 3 Go to Advance Application > IP Source Guard > IPv4 Source Guard Setup >...
  • Page 177 5 Go to Advance Application > IP Source Guard > IPv4 Source Guard Setup > ARP Inspection > Configure > VLAN. Input the Start VID and End VID. Make sure that the PVID of the access ports is included in this range. Click Apply. 6 After inputting the VID range, a list of VIDs should appear below.
  • Page 178: Test The Result

    5.7.2 Test the Result 1 Connect a device using dynamic IP address in one of the Switch’s access ports. This device should be able to communicate with the USG. 2 After the device has successfully received an IP address, access the Switch’s web GUI.
  • Page 179: What Could Go Wrong

    5.7.3 What Could Go Wrong? 1 If the devices in the Local Network cannot reach the USG, make sure that DHCP Snooping is configured on the Switch first. 2 If the devices in the Local Network still cannot reach the USG after configuring and enabling DHCP Snooping, wait for a few minutes before attempting to reach the USG again.
  • Page 180: How To Configure The Switch To Protect Against Rogue Dhcp Servers

    5.8 How to Configure the Switch to Protect Against Rogue DHCP Servers This example will instruct the administrator on how to configure the switch to protect the network from attackers sending false IP configurations to clients. DHCP Snooping blocks DHCP offers coming from an untrusted port.
  • Page 181: Configuration In The Switch

    5.8.1 Configuration in the Switch 1 Access the Switch’s Web GUI. 2 Go to Advance Application > VLAN > VLAN Configuration > Static VLAN Setup. For this example, all traffic entering access ports is sent to VLAN 1. VLAN 1 should be fixed and untagged for all access ports.
  • Page 182 4 Go to Advance Application > IP Source Guard > IPv4 Source Guard Setup > DHCP Snooping > Configure. Check the Active box under DHCP Snooping Configure. Click Apply. 5 Go to Advance Application > IP Source Guard > IPv4 Source Guard Setup >...
  • Page 183 6 Go to Advance Application > IP Source Guard > IPv4 Source Guard Setup > DHCP Snooping > Configure > VLAN. Input the Start VID and End VID. Make sure that the PVID of the access ports is included in this range. Click Apply. 7 After inputting the VID range, a list of VIDs should appear below.
  • Page 184: Test The Result

    5.8.2 Test the Result 1 Connect the Rogue-DHCP on one of the access ports. Create the following DHCP Pool on the LAN interface: Starting IP Address : 172.16.1.10 End IP Address : 172.16.1.20 2 Connect DHCP clients on the other access ports. The clients should only be receiving IP Addresses provided by the USG.
  • Page 185: What Could Go Wrong

    5.8.3 What Could Go Wrong? 1 If the DHCP clients in the publicly accessible ports are using IP Addresses provided by the Rogue-DHCP: a. Make sure that all ports connected to publicly accessible ports are an untrusted port in Advance Application > IP Source Guard >...
  • Page 186: How To Configure Ipsg Static Binding For Trusted Network Devices

    5.9 How to configure IPSG static binding for trusted network devices This example will instruct the administrator on how to configure the switch to allow an administrator device to use a static IP address on the access port even while ARP Inspection is enabled. This gives the administrator device more freedom to take advantage of IP-specific policies configured on the network, while non-administrative devices must still use IP addresses offered by the real DHCP server.
  • Page 187: Configuration In The Switch

    5.9.1 Configuration in the Switch 1 Access the Switch’s Web GUI. 2 Configure ARP Inspection (Refer to section 5.7.1). Note: DHCP Snooping and ARP Inspection must be enabled when applying Static Binding. 3 Go to Advance Application > IP Source Guard > IPv4 Source Guard Setup >...
  • Page 188: Test The Result

    5.9.2 Test the Result 1 Go to Advance Application > IP Source Guard. An entry with your device’s MAC Address and IP Address should appear with “Static” Type and “Infinity” Lease in the IP Source Guard Table. 2 Configure your Admin-PC with the Static IP address. In this example, we use “192.168.1.10”.
  • Page 189: How To Configure Acl To Block Unwanted Traffic

    5.10 How to configure ACL to block unwanted traffic The example shows administrators how to use ACL to block unwanted traffic. We can set different criteria to identify unwanted traffic. The example will use ACL to prevent only a single host in VLAN 10 from accessing the Server.
  • Page 190: Configure Vlan And Route Traffic

    5.10.1 Configure VLAN and Route Traffic 1 Configure the VLAN setting (VLAN 10 and VLAN 20) on Switch (Please refer to the topic: 2.1 How to configure the switch to separate traffic between departments). 2 Configure the VLAN IP interfaces on Switch (Please refer to the topic: 2.2 How to configure the switch to route traffic across VLANs).
  • Page 191: Configure The Classifier

    5.10.2 Configure the Classifier 1 Set up the Classifier: Go to Menu > Advanced Application > Classifier > Classifier Configuration. Set up Classifier: For VLAN Note: For more details about ACL, please refer to topic: 3.5 How to configure ACL to rate limit VLAN traffic.
  • Page 193: Configure The Policy Rule

    5.10.3 Configure the Policy Rule 1 Set up the Policy Rule: Go to Menu > Advanced Application > Policy Rule. The policy rule of VLAN 20: Check the “Active” box and key in the Policy Rule Name. Select the Classifier in VLAN 20 (VLAN20).
  • Page 194: Test The Result

    5.10.4 Test the Result 1 PC-1 can ping Server successfully. 2 Due to the ACL setting, the PC-2 (VLAN 20) cannot ping Server successfully.
  • Page 195: What Could Go Wrong

    5.10.5 What Could Go Wrong 1 When setting up the Classifier, remember to consider both source and destination. In the example, if we only created a policy rule for source VLAN 20, but didn’t create the policy rule for destination IP (Server IP: 192.168.1.150), the switch will block all the traffic from VLAN 20 no matter where the destination is.
  • Page 196: Implementing Voip

    Implementing VOIP 6.1 How to configure an IP Phone's VLAN using LLDP-MED The example shows administrators how to use LLDP-MED to configure an IP Phone’s VLAN ID. Any IP Phone connected to the switch will be assigned to a certain VLAN based on the switch’s port. In the following topic, we will also introduce other ways to send VOIP traffic into a specific (Voice) VLAN.
  • Page 197: Configure Vlan For Ip Phone

    6.1.1 Configure VLAN for IP Phone 1 Configure VLAN 100 on Switch (Please refer to the topic: 2.1 How to configure the switch to separate traffic between departments). VLAN 100 is created for the IP Phone.
  • Page 198: Configure Switch

    6.1.2 Configure Switch 1 Enter the web GUI and go to Menu > Advanced Application > LLDP > LLDP Configuration. Make sure that the LLDP configuration is active. 2 Enter web GUI and go to Menu > Advanced Application > LLDP >...
  • Page 200: Test The Result

    6.1.3 Test the Result 1 Go to Menu > Management > MAC Table > Search. Check the MAC table. The IP Phone’s MAC address should be in VLAN 100. 2 Enter the web GUI and go to Menu > Management > Diagnostic >...
  • Page 201: What Could Go Wrong

    6.1.4 What Could Go Wrong 1 If the MAC address of the IP Phone is not assigned to VLAN 100 successfully, please check if the IP Phone supports LLDP-MED. LLDP-MED must be enabled on the switch. 2 Since the IP Phone is assigned a VLAN ID via the Network Policy function of LLDP-MED, the voice traffic from the switch must be tagged back to the IP Phone.
  • Page 202: How To Configure The Switch To Separate Voip Traffic From Data Traffic

    6.2 How to configure the switch to separate VOIP traffic from data traffic The example shows administrators how to use Voice VLAN to separate untagged VOIP traffic from untagged data traffic. Unlike traditional VOIP applications, the Voice VLAN feature separates VOIP and data traffic as traffic reaches the switch.
  • Page 203: Configure VLAN 100 for IP Phone

    6.2.1 Configure VLAN 100 for IP Phone 1 Configure VLAN 100 on the Switch (please refer to topic 2.1 How to configure the switch to separate traffic between departments). VLAN 100 is created as the Voice VLAN for the IP Phone.
  • Page 204: Configure Voice VLAN

    6.2.2 Configure Voice VLAN 1 Enter the web GUI and go to Menu > Advanced Application > VLAN > VLAN Configuration > Voice VLAN Setup. Input the Voice VLAN. In this example, it is VLAN 100. Click "Apply". 2 Configure the OUI Setup: Enter the web GUI and go to Menu > Advanced Application >...
  • Page 205: Test The Result

    6.2.3 Test the Result 1 Go to Menu > Management > MAC Table > Search. Check the MAC address table. The IP Phone is assigned to VLAN 100. 2 Enter the web GUI and go to Menu > Management > Diagnostic > Ping test.
  • Page 206: What Could Go Wrong

    6.2.4 What Could Go Wrong 1 If the IP phone is not assigned to the voice VLAN, please verify the MAC address of the IP phone. The MAC address can usually be found on the label or sticker underneath the IP phone.
  • Page 207: How To Configure The Switch To Improve Voice Traffic Quality

    6.3 How to configure the switch to improve Voice traffic quality The example shows administrators how to use the Voice VLAN feature to improve voice traffic quality. As introduced in topic 6.2, Voice VLAN not only groups voice traffic into an assigned VLAN, but also assigns the voice traffic a certain priority.
  • Page 208: Configure VLAN for Voice Traffic

    6.3.1 Configure VLAN for voice traffic 1 Configure VLAN 100 on Switch-1 and Switch-2 (please refer to topic 2.1 How to configure the switch to separate traffic between departments). VLAN 100 is created as the Voice VLAN. Make sure that devices in VLAN 100 can communicate across Switch-1 and Switch-2.
  • Page 209: Configure Voice VLAN

    6.3.2 Configure Voice VLAN 1 Enter the web GUI and go to Menu > Advanced Application > VLAN > VLAN Configuration > Voice VLAN Setup. Key in the Voice VLAN. In this example, it is VLAN 100. Assign a priority to the traffic, for example, priority=6.
  • Page 210: Configure Mirroring (For "Test The Result")

    6.3.3 Configure Mirroring (For "Test the Result") 1 To verify that the result is acceptable, we have to use the mirroring function to check whether the priority of the packet is the one we assigned. Enter the web GUI and go to Menu > Advanced Application >...
  • Page 211: Test The Result

    6.3.4 Test the Result 1 Connect the PC to Switch-1. Open Wireshark to monitor the packets. Filter "arp || igmp". 2 Use Switch-2 to ping the IP Phone: Enter the web GUI and go to Menu > Management > Diagnostic > Ping test. Switch-2 can ping the IP Phone successfully.
  • Page 212: What Could Go Wrong

    6.3.5 What Could Go Wrong 1 If the priority is not the same as the setting in the voice VLAN, please verify the MAC address of the IP phone. The MAC address can usually be found on the label or sticker underneath the IP phone.
  • Page 213: Implementing PoE

    Implementing PoE 7.1 How does the PoE LED work In the traditional design, users have to check the PoE status using either the Web GUI or the CLI. In this new design, ZyXEL provides an additional way to check power consumption from the device panel, so users can directly identify the switch's power consumption.
  • Page 214: Meanings of PoE LED

    7.1.1 Meanings of PoE LED 1 We can observe the behavior of the PoE LEDs below. Each segment represents power consumption. LEDs – Power Consumption is 0%.
  • Page 215: Examples

    7.1.2 Examples 2 Segment 1 Steady Green: It means power consumption is > 0% and <= 20%. a. PoE LED: b. Web GUI: 3 Segment 5 Steady Red: It means power consumption is > 80%. a. PoE LED: b. Web GUI: