TP-Link Jetstream T1500G-8T User Manual

User Guide
Jetstream Smart Switches
T1500G-8T (TL-SG2008)/T1500-28PCT (TL-SL2428P)
TL-SG2210MP/TL-SG2210P
1910012765 REV3.3.0
March 2020

Summary of Contents for TP-Link Jetstream T1500G-8T

  • Page 1 User Guide Jetstream Smart Switches T1500G-8T (TL-SG2008)/T1500-28PCT (TL-SL2428P) TL-SG2210MP/TL-SG2210P 1910012765 REV3.3.0 March 2020
  • Page 2: Table Of Contents

    CONTENTS: About This Guide; Intended Readers; Conventions; More Information; Accessing the Switch; Determine the Management Method; Web Interface Access; Login; Save Config Function; Disable the Web Server; Change the Switch's IP Address and Default Gateway; Command Line Interface Access
  • Page 3 Using the CLI; Viewing the System Summary; Configuring the Device Description; Configuring the System Time; Configuring the Daylight Saving Time; Configuring LED (Only for Certain Devices); Configuring the System IP; Configuring System IPv6 Parameters; User Management Configurations
  • Page 4 Configuring the PoE Parameters Using the Profile; SDM Template Configuration; Using the GUI; Using the CLI; Time Range Configuration; Using the GUI; Adding Time Range Entries; Configuring Holiday; Using the CLI; Adding Time Range Entries; Configuring Holiday; Example for PoE Configurations
  • Page 5 Example for Loopback Detection; Network Requirements; Configuration Scheme; Using the GUI; Using the CLI; Appendix: Default Parameters; Configuring LAG; LAG; Overview; Supported Features; LAG Configuration; Using the GUI; Configuring Load-balancing Algorithm; Configuring Static LAG or LACP; Using the CLI; Configuring Load-balancing Algorithm
  • Page 6 Modifying the Aging Time of Dynamic Address Entries; Adding MAC Filtering Address Entries; Appendix: Default Parameters; Configuring 802.1Q VLAN; Overview; 802.1Q VLAN Configuration; Using the GUI; Configuring the VLAN; Configuring the Port Parameters for 802.1Q VLAN; Using the CLI; Creating a VLAN; Adding the Port to the Specified VLAN
  • Page 7 Using the CLI; Appendix: Default Parameters; Configuring Protocol VLAN; Overview; Protocol VLAN Configuration; Using the GUI; Configuring 802.1Q VLAN; Creating Protocol Template; Configuring Protocol VLAN; Using the CLI; Configuring 802.1Q VLAN; Creating a Protocol Template; Configuring Protocol VLAN; Configuration Example
  • Page 8 IGMP Snooping Configuration; Using the GUI; Configuring IGMP Snooping Globally; Configuring IGMP Snooping for VLANs; Configuring IGMP Snooping for Ports; Configuring Hosts to Statically Join a Group; Using the CLI; Configuring IGMP Snooping Globally; Configuring IGMP Snooping for VLANs; Configuring IGMP Snooping for Ports; Configuring Hosts to Statically Join a Group
  • Page 9 Creating the Multicast Profile; Binding the Profile to Ports; Viewing Multicast Snooping Information; Using the GUI; Viewing IPv4 Multicast Table; Viewing IPv4 Multicast Statistics on Each Port; Viewing IPv6 Multicast Table; Viewing IPv6 Multicast Statistics on Each Port; Using the CLI; Viewing IPv4 Multicast Snooping Information; Viewing IPv6 Multicast Snooping Configurations
  • Page 10 Default Parameters for Multicast Filtering; Configuring Spanning Tree; Spanning Tree; Overview; Basic Concepts; STP/RSTP Concepts; MSTP Concepts; STP Security; STP/RSTP Configurations; Using the GUI; Configuring STP/RSTP Parameters on Ports; Configuring STP/RSTP Globally; Verifying the STP/RSTP Configurations; Using the CLI; Configuring STP/RSTP Parameters on Ports
  • Page 11 Using the CLI; Appendix: Default Parameters; Configuring LLDP; LLDP; Overview; Supported Features; LLDP Configurations; Using the GUI; Configuring LLDP Globally; Configuring LLDP For the Port; Using the CLI; Global Config; Port Config; LLDP-MED Configurations; Using the GUI
  • Page 12 Configuring DHCP Service; DHCP; Overview; Supported Features; DHCP Relay Configuration; Using the GUI; Enabling DHCP Relay and Configuring Option 82; Configuring DHCP VLAN Relay; Using the CLI; Enabling DHCP Relay; (Optional) Configuring Option 82; Configuring DHCP VLAN Relay; DHCP L2 Relay Configuration; Using the GUI
  • Page 13 Configuring QoS; QoS; Overview; Supported Features; Class of Service Configuration; Using the GUI; Configuring Port Priority; Configuring 802.1p Priority; Configuring DSCP Priority; Specifying the Scheduler Settings; Using CLI; Configuring Port Priority; Configuring 802.1p Priority; Configuring DSCP Priority; Specifying the Scheduler Settings
  • Page 14 Example for Voice VLAN; Network Requirements; Configuration Scheme; Using the GUI; Using the CLI; Example for Auto VoIP; Network Requirements; Configuration Scheme; Using the GUI; Using the CLI; Appendix: Default Parameters; Configuring Access Security; Access Security; Overview
  • Page 15 Configuring the Method List; Configuring the AAA Application List; Configuring Login Account and Enable Password; Using the CLI; Adding Servers; Configuring Server Groups; Configuring the Method List; Configuring the AAA Application List; Configuring Login Account and Enable Password; Configuration Example; Network Requirements
  • Page 16 Configuring Port Security; Overview; Port Security Configuration; Using the GUI; Using the CLI; Appendix: Default Parameters; Configuring ACL; Overview; ACL Configuration; Using the GUI; Configuring Time Range; Creating an ACL; Configuring ACL Rules; Configuring MAC ACL Rule; Configuring IP ACL Rule
  • Page 17 Using the GUI; Binding Entries Manually; Binding Entries via ARP Scanning; Binding Entries via DHCP Snooping; Viewing the Binding Entries; Using the CLI; Binding Entries Manually; Binding Entries via DHCP Snooping; Viewing Binding Entries; ARP Detection Configuration; Using the GUI; Adding IP-MAC Binding Entries
  • Page 18 Appendix: Default Parameters; Configuring IPv6 IMPB; IPv6 IMPB; Overview; Supported Features; IPv6-MAC Binding Configuration; Using the GUI; Binding Entries Manually; Binding Entries via ND Snooping; Binding Entries via DHCPv6 Snooping; Viewing the Binding Entries; Using the CLI; Binding Entries Manually; Binding Entries via ND Snooping
  • Page 19 Network Requirements; Configuration Scheme; Using the GUI; Using the CLI; Example for IPv6 Source Guard; Network Requirements; Configuration Scheme; Using the GUI; Using the CLI; Appendix: Default Parameters; Configuring DHCP Filter; DHCP Filter; Overview; Supported Features
  • Page 20 Configuration Scheme; Using the GUI; Using the CLI; Appendix: Default Parameters; Configuring DoS Defend; Overview; DoS Defend Configuration; Using the GUI; Using the CLI; Appendix: Default Parameters; Monitoring the System; Overview; Monitoring the CPU; Using the GUI; Using the CLI
  • Page 21 Configuring DLDP; Overview; DLDP Configuration; Using the GUI; Using the CLI; Appendix: Default Parameters; Configuring SNMP & RMON; SNMP; Overview; Basic Concepts; SNMP Configurations; Using the GUI; Enabling SNMP; Creating an SNMP View; Creating SNMP Communities (For SNMP v1/v2c); Creating an SNMP Group (For SNMP v3)
  • Page 22 Configuring Alarm Group; Using the CLI; Configuring Statistics; Configuring History; Configuring Event; Configuring Alarm; Configuration Example; Network Requirements; Configuration Scheme; Using the GUI; Using the CLI; Appendix: Default Parameters; Diagnosing the Device &...
  • Page 23 Configuration Example; Network Requirements; Configuration Scheme; Using the GUI; Using the CLI; Appendix: Default Parameters
  • Page 24: About This Guide

    Some models featured in this guide may be unavailable in your country or region. For local sales information, visit https://www.tp-link.com. PoE budget calculations are based on laboratory testing. Actual PoE power budget is not guaranteed and will vary as a result of client limitations and environmental factors.
  • Page 25: More Information

    ■ The Installation Guide (IG) can be found where you find this guide or inside the package of the switch. ■ Specifications can be found on the product page at https://www.tp-link.com. ■ To ask questions, find answers, and communicate with TP-Link users or engineers, please visit https://community.tp-link.com to join TP-Link Community.
  • Page 26: Accessing The Switch

    Part 1 Accessing the Switch CHAPTERS 1. Determine the Management Method 2. Web Interface Access 3. Command Line Interface Access
  • Page 27: Determine The Management Method

    Omada Software Controller, Hardware Controller or Cloud-Based Controller, refer to the Omada SDN Controller User Guide. The guide can be found on the download center of our official website: https://www.tp-link.com/download-center.html. ■ Standalone Mode If you have a relatively small-sized network and only one or just a small number of devices need to be managed, Standalone Mode is recommended.
  • Page 28: Web Interface Access

    Accessing the Switch Web Interface Access Web Interface Access You can access the switch’s web interface through web-based authentication. The switch uses two built-in web servers, an HTTP server and an HTTPS server, for user authentication. The following example shows how to log in via the HTTP server. Login To manage your switch through a web browser in the host PC: 1) Make sure that the route between the host PC and the switch is available.
  • Page 29: Save Config Function

    5) The typical web interface is displayed below. You can view the switch’s running status and configure the switch on this interface. Figure 2-3 Web interface Save Config Function The switch’s configuration files fall into two types: the running configuration file and the start-up configuration file.
  • Page 30: Disable The Web Server

    Disable the Web Server You can shut down the HTTP server and HTTPS server to block any access to the web interface. Go to SECURITY > Access Security > HTTP Config, disable the HTTP server and click Apply. Figure 2-5 Shut down HTTP server Go to SECURITY >...
  • Page 31 Figure 2-7 Change the switch's IP address and default gateway 2) Enter the new IP address in the web browser to access the switch. 3) Click to save the settings.
  • Page 32: Command Line Interface Access

    Accessing the Switch Command Line Interface Access Command Line Interface Access Users can access the switch's command line interface through the console (only for switches with a console port), Telnet or SSH connection, and manage the switch with the command lines. A console connection requires the host PC to connect to the switch’s console port directly, while Telnet and SSH connections support both local and remote access.
  • Page 33 Figure 3-1 CLI Main Window Note: The first time you log in, change the password to better protect your network and devices. 4) Enter enable to enter the User EXEC Mode to further configure the switch. Figure 3-2 User EXEC Mode Note: In Windows XP, go to Start >...
  • Page 34: Telnet Login

    Telnet Login The switch supports Login Local Mode for authentication by default. Login Local Mode: Username and password are required, which are both admin by default. The following steps show how to manage the switch via the Login Local Mode: 1) Make sure the switch and the PC are in the same LAN (Local Area Network).
  • Page 35: Ssh Login

    4) Type in the enable command and you will enter Privileged EXEC Mode. By default no password is needed. Later you can set a password for users who want to access the Privileged EXEC Mode. Figure 3-6 Enter Privileged EXEC Mode Now you can manage your switch with CLI commands through the Telnet connection.
  • Page 36 Password Authentication Mode 1) Open PuTTY and go to the Session page. Enter the IP address of the switch in the Host Name field and keep the default value 22 in the Port field; select SSH as the Connection type.
  • Page 37 Figure 3-10 Generate a Public/Private Key Pair Note: • The key length should be between 512 and 3072 bits. • You can accelerate the key generation process by moving the mouse quickly and randomly in the Key section.
  • Page 38 3) On Hyper Terminal, download the public key file from the TFTP server to the switch as shown in the following figure: Figure 3-12 Download the Public Key to the Switch Note: • The key type should match the type of the key file. In the above CLI, v1 corresponds to SSH-1 (RSA), and v2 corresponds to SSH-2 RSA and SSH-2 DSA.
  • Page 39: Disable Telnet Login

    5) Go to Connection > SSH > Auth. Click Browse to download the private key file to PuTTY. Click Open to start the connection and negotiation. Figure 3-14 Download the Private Key to PuTTY 6) After negotiation is completed, enter the username to log in.
  • Page 40: Disable Ssh Login

    Figure 3-16 Disable Telnet login ■ Using the CLI:
    Switch#configure
    Switch(config)#telnet disable
    Disable SSH Login You can shut down the SSH server to block any SSH access to the CLI interface. ■ Using the GUI: Go to SECURITY >...
  • Page 41: Change The Switch's Ip Address And Default Gateway

    If you need to keep the configurations after the switch reboots, please use the command copy running-config startup-config to save the configurations in the start-up configuration file.
    Switch(config)#end
    Switch#copy running-config startup-config
    Change the Switch's IP Address and Default Gateway If you want to access the switch, you can configure the system IP address of the switch.
  • Page 42: Managing System

    Part 2 Managing System CHAPTERS 1. System 2. System Info Configurations 3. User Management Configurations 4. System Tools Configurations 5. EEE Configuration 6. PoE Configurations (Only for Certain Devices) 7. SDM Template Configuration 8. Time Range Configuration 9. Example for PoE Configurations 10.
  • Page 43: System

    Managing System System System Overview In the System module, you can view the system information and configure the system parameters and features of the switch. Supported Features System Info You can view the switch’s port status and system information, and configure the device description, system time, daylight saving time, and system IP/IPv6.
  • Page 44 Powered device (PD) is a device receiving power from the PSE, for example, IP phones and access points. According to whether PDs comply with IEEE standard, they can be classified into standard PDs and non-standard PDs. Only standard PDs can be powered via TP-Link PoE switches.
  • Page 45: System Info Configurations

    Managing System System Info Configurations System Info Configurations With system information configurations, you can: ■ View the System Summary ■ Configure the Device Description ■ Configure the System Time ■ Configure the Daylight Saving Time ■ Configuring LED (Only for Certain Devices) ■...
  • Page 46 Indicates that the corresponding 1000Mbps port is at the speed of 10Mbps or 100Mbps. Indicates that the corresponding SFP port is not connected to a device. Indicates the SFP port is at the speed of 1000Mbps. Indicates the SFP port is at the speed of 100Mbps.
  • Page 47 Figure 2-3 Bandwidth Utilization Displays the bandwidth utilization of receiving packets on this port. Displays the bandwidth utilization of sending packets on this port.
  • Page 48 Viewing the System Information In the System Info section, you can view the system information of the switch. Figure 2-4 System Information System Displays the system description of the switch. Description Device Name Displays the name of the switch. You can edit it on the Device Description page. Device Location Displays the location of the switch.
  • Page 49: Configuring The Device Description

    MAC Address Displays the MAC address of the switch. System Time Displays the system time of the switch. Running Time Displays the running time of the switch. Serial Number Displays the serial number of the switch. Jumbo Frame Displays whether Jumbo Frame is enabled.
  • Page 50: Configuring The System Time

    Device Name Specify a name for the switch. Device Location Enter the location of the switch. System Contact Enter the contact information. 2) Click Apply. 2.1.3 Configuring the System Time Choose the menu SYSTEM > System Info > System Time to load the following page. Figure 2-6 Configuring the System Time In the Time Info section, you can view the current time information of the switch.
  • Page 51: Configuring The Daylight Saving Time

    Get Time from Get the system time from an NTP server. Make sure the NTP server is accessible NTP Server on your network. If the NTP server is on the internet, connect the switch to the internet first.
  • Page 52: Configuring Led (Only For Certain Devices)

    Recurring Mode If you select Recurring Mode, specify a cycle time range for the Daylight Saving Time of the switch. This configuration will be used every year. Offset: Specify the time to set the clock forward by. Start Time: Specify the start time of Daylight Saving Time.
  • Page 53: Configuring The System Ip

    2.1.6 Configuring the System IP Choose the menu SYSTEM > System Info > System IP to load the following page. Figure 2-9 Configuring the System IP Parameters Follow these steps to configure the System IP: 1) Configure the corresponding parameters for the system IP Management Specify the management VLAN of the switch.
  • Page 54: Configuring The System Ipv6

    2.1.7 Configuring the System IPv6 Choose the menu SYSTEM > System Info > System IPv6 to load the following page. Figure 2-10 Configuring the System IPv6 Parameters 1) In the System IPv6 Config section, enable the IPv6 feature for the interface and configure the corresponding parameters.
  • Page 55 Status Displays the status of the link-local address. An IPv6 address cannot be used before it passes DAD (Duplicate Address Detection), which is used to detect address conflicts. In the DAD process, the IPv6 address may be in one of three statuses: Normal: Indicates that the link-local address passes the DAD and can be used normally.
  • Page 56: Using The Cli

    Prefix Length Configure the prefix length of the global address. 3) View the global address entry in the Global Address Config section. Global Address View or modify the global address. Prefix Length View or modify the prefix length of the global address. Type Displays the configuration mode of the global address.
  • Page 57: Configuring The Device Description

    System Location - SHENZHEN
    Contact Information - www.tp-link.com
    Hardware Version T1500-28PCT
    Software Version - 3.0.0 Build 20171129 Rel.38400(s)
    Bootloader Version - TP-LINK BOOTUTIL(v1.0.0)
    Mac Address - 00-0A-EB-13-23-A0
    Serial Number
    System Time - 2017-12-12 11:23:32
    Running Time - 1 day - 2 hour - 33 min - 42 sec
    2.2.2 Configuring the Device Description...
  • Page 58 Step 7 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set the device name as Switch_A, set the location as BEIJING and set the contact information as https://www.tp-link.com.
    Switch#configure
    Switch(config)#hostname Switch_A
    Switch(config)#location BEIJING
    Switch(config)#contact-info https://www.tp-link.com...
  • Page 59: Configuring The System Time

    2.2.3 Configuring the System Time Follow these steps to configure the system time: Note: The mode of Synchronize with PC’s Clock does not support CLI command. Step 1 configure Enter global configuration mode. Step 2 Use the following command to set the system time manually: system-time manual time Configure the system time manually.
  • Page 60 UTC+04:00 —— TimeZone for Moscow, St.Petersburg, Volgograd, Tbilisi, Port Louis. UTC+04:30 —— TimeZone for Kabul. UTC+05:00 —— TimeZone for Islamabad, Karachi, Tashkent. UTC+05:30 —— TimeZone for Chennai, Kolkata, Mumbai, New Delhi. UTC+05:45 —— TimeZone for Kathmandu. UTC+06:00 ——...
  • Page 61: Configuring The Daylight Saving Time

    Backup NTP server: 139.78.100.163
    Last successful NTP server: 133.100.9.2
    Update Rate: 11 hour(s)
    Switch(config)#end
    Switch#copy running-config startup-config
    2.2.4 Configuring the Daylight Saving Time Follow these steps to configure the Daylight Saving Time: Step 1 configure Enter global configuration mode.
  • Page 62 Use the following command to set the Daylight Saving Time in date mode: system-time dst date { smonth } { sday } { stime } { syear } { emonth } { eday } { etime } { eyear } [ offset ] Specify the Daylight Saving Time in Date mode.
  • Page 63: Configuring Led (Only For Certain Devices)

    2.2.5 Configuring LED (Only for Certain Devices) Note: Only TL-SG2210P supports LED On/Off. Follow these steps to configure the LED status: Step 1 configure Enter global configuration mode. Step 2 service led {on | off} Configure the LED status.
  • Page 64: Configuring System Ipv6 Parameters

    Step 5 show interface vlan { vlan-id } vlan-id: The management VLAN ID. Verify the summary information of the management interface. Step 6 Return to privileged EXEC mode. Step 7 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure the switch’s IP address as 192.168.0.10/24 and configure the default gateway as 192.168.0.100.
  • Page 65 Step 4 ipv6 enable Enable the IPv6 feature on the management interface. Step 5 Configure the IPv6 link-local address for the management interface: Manually configure the ipv6 link-local address for the management interface: ipv6 address ipv6-addr link-local ipv6-addr : Specify the link-local address of the interface.
  • Page 66
    Switch(config)#interface vlan 1
    Switch(config-if)#ipv6 enable
    Switch(config-if)#ipv6 address autoconfig
    Switch(config-if)#ipv6 address dhcp
    Switch(config-if)#show ipv6 interface
    Vlan2 is up, line protocol is up
    IPv6 is enable, Link-Local Address: fe80::20a:ebff:fe13:237b[NOR]
    Global Address RA: Disable
    Global Address DHCPv6: Enable
    Global unicast address(es): ff02::1:ff13:237b Joined group address(es): ff02::1
    ICMP error messages limited to one every 1000 milliseconds...
  • Page 67: User Management Configurations

    Managing System User Management Configurations User Management Configurations With User Management, you can create and manage the user accounts for login to the switch. Using the GUI There are four types of user accounts with different access levels: Admin, Operator, Power User and User.
  • Page 68: Configuring Enable Password

    Managing System User Management Configurations Figure 3-2 Adding Account Follow these steps to create a new user account. 1) Configure the following parameters: Username Specify a username for the account. It contains 16 characters at most, composed of digits, English letters and symbols. No spaces, question marks and double quotation marks are allowed.
  • Page 69: Using The Cli

    Managing System User Management Configurations Follow these steps to configure Enable Password: 1) Select Set Password and specify the enable password in the Password field. It should be a string with 31 characters at most, which can contain only English letters (case sensitive), digits and 17 kinds of special characters.
  • Page 70 Managing System User Management Configurations Step 2 Use the following command to create an account unencrypted or symmetric encrypted. user name name { privilege admin | operator | power_user | user } password { [ 0 ] password | 7 encrypted-password } name : Enter a user name for users’...
  • Page 71: Configuring Enable Password

    Managing System User Management Configurations Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. 3.2.2 Configuring Enable Password Follow these steps to create an account of other type: Step 1 configure Enter global configuration mode.
  • Page 72 Managing System User Management Configurations Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. Tips: The logged-in users can enter the enable-admin command and the Enable Password to get the administrative privileges. The following example shows how to create a user with the access level of Operator, set the username as user1 and password as 123, and set the enable password as abc123.
  • Page 73: System Tools Configurations

    Managing System System Tools Configurations System Tools Configurations With System Tools, you can: ■ Configure the boot file ■ Restore the configuration of the switch ■ Back up the configuration file ■ Upgrade the firmware ■ Reboot the switch ■ Reset the switch Using the GUI 4.1.1 Configuring the Boot File Choose the menu SYSTEM >...
  • Page 74 Managing System System Tools Configurations Follow these steps to configure the boot file: 1) In the Boot Table section, select one or more units and configure the relevant parameters. Unit Displays the number of the unit. Current Startup Displays the current startup image. Image Next Startup Select the next startup image.
  • Page 75: Restoring The Configuration Of The Switch

    Managing System System Tools Configurations 4.1.2 Restoring the Configuration of the Switch Choose the menu SYSTEM > System Tools > Restore Config to load the following page. Figure 4-2 Restoring the Configuration of the Switch Follow these steps to restore the current configuration of the switch: 1) In the Restore Config section, select the unit to be restored.
  • Page 76: Upgrading The Firmware

    Managing System System Tools Configurations 4.1.4 Upgrading the Firmware Choose the menu SYSTEM > System Tools > Firmware Upgrade to load the following page. Figure 4-4 Upgrading the Firmware You can view the current firmware information on this page: Firmware Version Displays the current firmware version of the system.
  • Page 77: Rebooting The Switch

    Managing System System Tools Configurations 4.1.5 Rebooting the switch There are two methods to reboot the switch: manually reboot the switch and configure reboot schedule to automatically reboot the switch. Manually Rebooting the Switch Choose the menu SYSTEM > System Tools > System Reboot > System Reboot to load the following page.
  • Page 78: Resetting The Switch

    Managing System System Tools Configurations Special Time Specify the date and time for the switch to reboot. Month/Day/Year: Specify the date for the switch to reboot. Time (HH:MM): Specify the time for the switch to reboot, in the format of HH:MM. 2) Choose whether to save the current configuration before the reboot.
  • Page 79 Managing System System Tools Configurations Step 3 boot config filename { config1 | config2 } { startup | backup } Specify the configuration of the boot file. By default, config1.cfg is the startup configuration file and config2.cfg is the backup configuration file. config1 | config2: Select the configuration file to be configured.
  • Page 80: Restoring The Configuration Of The Switch

    Managing System System Tools Configurations 4.2.2 Restoring the Configuration of the Switch Follow these steps to restore the configuration of the switch: Step 1 enable Enter privileged mode. copy tftp startup-config ip-address ip-addr filename name Step 2 Download the configuration file to the switch from TFTP server. ip-addr : Specify the IP address of the TFTP server.
  • Page 81: Upgrading The Firmware

    Managing System System Tools Configurations Backup user config file OK. 4.2.4 Upgrading the Firmware Follow these steps to upgrade the firmware: Step 1 enable Enter privileged mode. Step 2 firmware upgrade tftp ip-address ip-addr filename name Upgrade the switch’s backup image via TFTP server. To boot up with the new firmware, you need to choose to reboot the switch with the backup image.
  • Page 82 Managing System System Tools Configurations Step 2 Use the following command to set the interval of reboot: reboot-schedule in interval [ save_before_reboot ] (Optional) Specify the reboot schedule. interval : Specify a period of time. The switch will reboot after this period. The valid values are from 1 to 43200 minutes.
  • Page 83: Resetting The Switch

    Managing System System Tools Configurations 4.2.6 Resetting the Switch Follow these steps to reset the switch: Step 1 enable Enter privileged mode. Step 2 reset [ except-ip ] Reset the switch, and all configurations of the switch will be reset to the factory defaults. except-ip: To maintain the IP address when resetting the switch, add this part to the command Follow these steps to disable the reset function of console port or reset button: Step 1...
  • Page 84: Eee Configuration

    Managing System EEE Configuration EEE Configuration Choose the menu SYSTEM > EEE to load the following page. Figure 5-1 Configuring EEE Follow these steps to configure EEE: 1) In the EEE Config section, select one or more ports to be configured. 2) Enable or disable EEE on the selected port(s).
  • Page 85 Managing System EEE Configuration Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable the EEE feature on port 1/0/1. Switch#config Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#eee Switch(config-if)#show interface eee Port...
  • Page 86: Poe Configurations (Only For Certain Devices)

    Managing System PoE Configurations (Only for Certain Devices) PoE Configurations (Only for Certain Devices) Note: Only T1500-28PCT, TL-SG2210MP and TL-SG2210P support the PoE feature. With the PoE feature, you can: ■ Configure the PoE parameters manually ■ Configure the PoE parameters using the profile You can configure the PoE parameters one by one via configuring the PoE parameters manually.
  • Page 87: Using The Gui

    Managing System PoE Configurations (Only for Certain Devices) Using the GUI 6.1.1 Configuring the PoE Parameters Manually Choose the menu SYSTEM > PoE > PoE Config to load the following page. Figure 6-1 Configuring PoE Parameters Manually Follow these steps to configure the basic PoE parameters: 1) In the PoE Config section, you can view the current PoE parameters.
  • Page 88 Managing System PoE Configurations (Only for Certain Devices) Figure 6-2 Configuring System Power Limit Unit Displays the unit number. System Power Specify the maximum power the PoE switch can supply. Limit 2) In the Port Config section, select the port you want to configure and specify the parameters.
  • Page 89 Managing System PoE Configurations (Only for Certain Devices) Power (W) Displays the port’s real-time power supply. Current (mA) Displays the port’s real-time current. Voltage (V) Displays the port’s real-time voltage. PD Class Displays the class the linked PD belongs to. Power Status Displays the port’s real-time power status.
  • Page 90: Configuring The Poe Parameters Using The Profile

    Managing System PoE Configurations (Only for Certain Devices) 6.1.2 Configuring the PoE Parameters Using the Profile ■ Creating a PoE Profile Choose the menu SYSTEM > PoE > PoE Profile and click to load the following page. Figure 6-3 Creating a PoE Profile Follow these steps to create a PoE profile: 1) In the Create PoE Profile section, specify the desired configurations of the profile.
  • Page 91 Managing System PoE Configurations (Only for Certain Devices) ■ Binding the Profile to the Corresponding Ports Choose the menu SYSTEM > PoE > PoE Config to load the following page. Figure 6-4 Binding the Profile to the Corresponding Ports Follow these steps to bind the profile to the corresponding ports: 1) In the PoE Config section, you can view the current PoE parameters.
  • Page 92 Managing System PoE Configurations (Only for Certain Devices) Figure 6-5 Configuring System Power Limit Unit Displays the unit number. System Power Specify the maximum power the PoE switch can supply. Limit 2) In the Port Config section, select one or more ports and configure the following two parameters: Time Range and PoE Profile.
  • Page 93: Using The Cli

    Managing System PoE Configurations (Only for Certain Devices) Using the CLI 6.2.1 Configuring the PoE Parameters Manually Follow these steps to configure the basic PoE parameters: Step 1 configure Enter global configuration mode. Step 2 power inline consumption power-limit Specify the maximum power the PoE switch can supply globally. power-limit : Specify the maximum power the PoE switch can supply.
  • Page 94 Managing System PoE Configurations (Only for Certain Devices) Step 8 show power inline Verify the global PoE information of the system. Step 9 show power inline configuration interface [ fastEthernet { port | port-list } | gigabitEthernet { port | port-list } | ten-gigabitEthernet { port | port-list }] Verify the PoE configuration of the corresponding port.
  • Page 95: Configuring The Poe Parameters Using The Profile

    Managing System PoE Configurations (Only for Certain Devices) Switch(config-if)#show power inline information interface gigabitEthernet 1/0/5 Interface Power(w) Current(mA) Voltage(v) PD-Class Power-Status ---------- -------- ----------- ---------- ----------- ---------------- Gi1/0/5 1.3 53.5 Class 2 Switch(config-if)#end Switch#copy running-config startup-config 6.2.2 Configuring the PoE Parameters Using the Profile Follow these steps to configure the PoE profile: Step 1 configure...
  • Page 96 Managing System PoE Configurations (Only for Certain Devices) Step 4 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Enter Interface Configuration mode. port : Specify the Ethernet port number, for example 1/0/1. port-list: Specify the list of Ethernet ports, for example 1/0/1-3, 1/0/5.
  • Page 97 Managing System PoE Configurations (Only for Certain Devices) Index Name Status Priority Power-Limit(w) ----- ------------ ---------- --------- -------------- profile1 Enable Middle Class2 Switch(config)#interface gigabitEthernet 1/0/6 Switch(config-if)#power inline profile profile1 Switch(config-if)#show power inline configuration interface gigabitEthernet 1/0/6 Interface PoE-Status PoE-Prio Power-Limit(w) Time-Range PoE-Profile ---------- ---------- ----------...
  • Page 98: Sdm Template Configuration

    Managing System SDM Template Configuration SDM Template Configuration Using the GUI Choose the menu SYSTEM > SDM Template to load the following page. Figure 7-1 Configuring SDM Template In SDM Template Config section, select one template and click Apply. The setting will be effective after the switch is rebooted.
  • Page 99: Using The Cli

    Managing System SDM Template Configuration MAC ACL Rules Displays the number of Layer 2 ACL Rules. Combined ACL Displays the number of combined ACL rules. Rules IPv6 ACL Rules Displays the number of IPv6 ACL rules. IPv4 Source Displays the number of IPv4 source guard entries. Guard Entries IPv6 Source Displays the number of IPv6 source guard entries.
  • Page 100 Managing System SDM Template Configuration “enterpriseV4” template: number of IP ACL Rules : 120 number of MAC ACL Rules : 84 number of Combined ACL Rules : 50 number of IPV6 ACL Rules number of IPV4 Source Guard Entries : 253 number of IPV6 Source Guard Entries : 0 Switch(config)#sdm prefer enterpriseV4 Switch to “enterpriseV4”...
  • Page 101: Time Range Configuration

    Managing System Time Range Configuration Time Range Configuration To complete Time Range configuration, follow these steps: 1) Add time range entries. 2) Configure Holiday time range. Using the GUI 8.1.1 Adding Time Range Entries Choose the menu SYSTEM > Time Range > Time Range Config and click to load the following page.
  • Page 102 Managing System Time Range Configuration 2) In the Period Time Config section, click and the following window will pop up. Figure 8-2 Adding Period Time Configure the following parameters and click Create: Date Specify the start date and end date of this time range. Time Specify the start time and end time of a day.
  • Page 103: Configuring Holiday

    Managing System Time Range Configuration 3) Similarly, you can add more entries of period time according to your needs. The final period time is the sum of all the periods in the table. Click Create. Figure 8-3 View Configuration Result 8.1.2 Configuring Holiday Choose the menu SYSTEM >...
  • Page 104: Using The Cli

    Managing System Time Range Configuration Using the CLI 8.2.1 Adding Time Range Entries Follow these steps to add time range entries: Step 1 configure Enter global configuration mode. Step 2 time-range name Create a time-range entry. name : Specify a name for the entry. Step 3 holiday { exclude | include } Include or exclude the holiday in the time range.
  • Page 105: Configuring Holiday

    Managing System Time Range Configuration The following example shows how to create a time range entry and set the name as time1, holiday mode as exclude, absolute time as 10/01/2017 to 10/31/2017 and periodic time as 8:00 to 20:00 on every Monday and Tuesday: Switch#config Switch(config)#time-range time1 Switch(config-time-range)#holiday exclude...
  • Page 106 Managing System Time Range Configuration Step 8 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create a holiday entry and set the entry name as holiday1 and set start date and end date as 07/01 and 09/01: Switch#config Switch(config)#holiday holiday1 start-date 07/01 end-date 09/01 Switch(config)#show holiday...
  • Page 107: Example For Poe Configurations

    Managing System Example for PoE Configurations Example for PoE Configurations Network Requirements The network topology of a company is shown as below. Camera1 and Camera2 work for the security of the company and cannot be powered off at any time. AP1 and AP2 provide the internet service and only work during office time.
  • Page 108 Managing System Example for PoE Configurations Figure 9-2 Creating Time Range 2) Click and the following window will pop up. Set Date, Time and Day of Week as the following figure shows. Click Create. Figure 9-3 Creating a Periodic Time...
  • Page 109 Managing System Example for PoE Configurations 3) Specify a name for the time range. Click Create. Figure 9-4 Configuring Time Range 4) Choose the menu SYSTEM > PoE > PoE Config to load the following page. Select port 1/0/3 and set the Time Range as OfficeTime. Click Apply. Figure 9-5 ...
  • Page 110: Using The Cli

    Managing System Example for PoE Configurations Using the CLI The configuration of port 1/0/4 is similar to that of port 1/0/3. Here we take port 1/0/3 as an example. 1) Create a time-range. Switch_A#config Switch_A(config)#time-range office-time Switch_A(config-time-range)#holiday exclude Switch_A(config-time-range)#absolute from 01/01/2017 to 01/01/2018 Switch_A(config-time-range)#periodic start 08:30 end 18:00 day-of-the-week 1-5 Switch_A(config-time-range)#exit 2) Enable the PoE function on the port 1/0/3.
  • Page 111: Appendix: Default Parameters

    Parameter Default Setting Device Name The model name of the switch. Device Location SHENZHEN System Contact www.tp-link.com Table 10-2 Default Settings of System Time Configuration Parameter Default Setting Time Source Manual Table 10-3 Default Settings of Daylight Saving Time Configuration...
  • Page 112 Managing System Appendix: Default Parameters Parameter Default Setting Backup Config config2.cfg Default setting of EEE is listed in the following table. Table 10-6 Default Settings of EEE Configuration Parameter Default Setting Status Disabled (For T1500-28PCT / TL-SG2210MP / TL-SG2210P) Default settings of PoE are listed in the following table.
  • Page 113 Managing System Appendix: Default Parameters Default settings of Time Range are listed in the following table. Table 10-9 Default Settings of Time Range Configuration Parameter Default Setting Holiday Include...
  • Page 114: Managing Physical Interfaces

    Part 3 Managing Physical Interfaces CHAPTERS 1. Physical Interface 2. Basic Parameters Configurations 3. Port Isolation Configurations 4. Loopback Detection Configuration 5. Configuration Examples 6. Appendix: Default Parameters...
  • Page 115: Physical Interface

    Managing Physical Interfaces Physical Interface Physical Interface Overview Interfaces are used to exchange data and interact with interfaces of other network devices. Interfaces are classified into physical interfaces and layer 3 interfaces. ■ Physical interfaces are the ports on the switch panel. They forward packets based on MAC address table.
  • Page 116: Basic Parameters Configurations

    Managing Physical Interfaces Basic Parameters Configurations Basic Parameters Configurations Using the GUI Choose the menu L2 FEATURES > Switching > Port > Port Config to load the following page. Figure 2-1 Configuring Basic Parameters Follow these steps to configure basic parameters for the ports: 1) Configure the MTU size of jumbo frames for all ports, then click Apply.
  • Page 117: Using The Cli

    Managing Physical Interfaces Basic Parameters Configurations Description (Optional) Enter a description for the port. Status With this option enabled, the port forwards packets normally. Otherwise, the port cannot work. By default, it is enabled. Speed Select the appropriate speed mode for the port. When Auto is selected, the port automatically negotiates speed mode with the neighbor device.
  • Page 118 Managing Physical Interfaces Basic Parameters Configurations Step 4 Configure basic parameters for the port: description string Give a port description for identification. string : Content of a port description, ranging from 1 to 16 characters. shutdown no shutdown Use shutdown to disable the port, and use no shutdown to enable the port. When the status is enabled, the port can forward packets normally, otherwise it will discard the received packets.
  • Page 119 Managing Physical Interfaces Basic Parameters Configurations Switch(config-if)#description router connection Switch(config-if)#speed auto Switch(config-if)#duplex auto Switch(config-if)#flow-control Switch(config-if)#show interface configuration gigabitEthernet 1/0/1 Port State Speed Duplex FlowCtrl Description -------- ----- -------- ------ -------- ----------- Gi1/0/1 Enable Auto Auto Enable router connection Switch(config-if)#show jumbo-size Global jumbo size : 9216 Switch(config-if)#end Switch#copy running-config startup-config...
  • Page 120: Port Isolation Configurations

    Managing Physical Interfaces Port Isolation Configurations Port Isolation Configurations Using the GUI Port Isolation is used to limit the data transmitted by a port. The isolated port can only send packets to the ports specified in its Forwarding Port List. Choose the menu L2 FEATURES >...
  • Page 121: Using The Cli

    Managing Physical Interfaces Port Isolation Configurations Figure 3-2 Port Isolation Follow these steps to configure Port Isolation: 1) In the Port section, select one or multiple ports to be isolated. 2) In the Forwarding Port List section, select the forwarding ports or LAGs which the isolated ports can only communicate with.
  • Page 122 Managing Physical Interfaces Port Isolation Configurations Step 3 port isolation { [fa-forward-list fa-forward-list ] [gi-forward-list gi-forward-list ] [te-forward-list te-forward-list ] [ po-forward-list po-forward-list ] } Add ports or LAGs to the forwarding port list of the isolated port. It is multi-optional. fa-forward-list / gi-forward-list / te-forward-list : Specify the forwarding Ethernet ports.
  • Page 123: Loopback Detection Configuration

    Managing Physical Interfaces Loopback Detection Configuration Loopback Detection Configuration Using the GUI To avoid broadcast storm, we recommend that you enable storm control before loopback detection is enabled. For detailed introductions about storm control, refer to Configuring Choose the menu L2 FEATURES > Switching > Port > Loopback Detection to load the following page.
  • Page 124 Managing Physical Interfaces Loopback Detection Configuration Loopback Enable loopback detection globally. Detection Status Detection Set the interval of sending loopback detection packets in seconds. Interval The valid value ranges from 1 to 1000 and the default value is 30. Auto-recovery Set the recovery time globally.
  • Page 125: Using The Cli

    Managing Physical Interfaces Loopback Detection Configuration Using the CLI Follow these steps to configure loopback detection: Step 1 configure Enter global configuration mode. Step 2 loopback-detection Enable the loopback detection feature globally. By default, it is disabled. Step 3 loopback-detection interval interval-time Set the interval of sending loopback detection packets which is used to detect the loops in the network.
  • Page 126 Managing Physical Interfaces Loopback Detection Configuration Step 10 show loopback-detection interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel } Verify the Loopback Detection configuration of the specified port. Step 11 Return to privileged EXEC mode. Step 12 copy running-config startup-config Save the settings in the configuration file.
  • Page 127: Configuration Examples

    Managing Physical Interfaces Configuration Examples Configuration Examples Example for Port Isolation 5.1.1 Network Requirements As shown below, three hosts and a server are connected to the switch and all belong to VLAN 10. Without changing the VLAN configuration, Host A is not allowed to communicate with the other hosts except the server, even if the MAC address or IP address of Host A is changed.
  • Page 128 Managing Physical Interfaces Configuration Examples Figure 5-2 Port Isolation List 2) Click Edit on the above page to load the following page. Select port 1/0/1 as the port to be isolated, and select port 1/0/4 as the forwarding port. Click Apply. Figure 5-3 Port Isolation Configuration 3) Select port 1/0/4 as the port to be isolated, and select port 1/0/1 as the forwarding port.
  • Page 129: Using The Cli

    Managing Physical Interfaces Configuration Examples Figure 5-4 Port Isolation Configuration 4) Click to save the settings. 5.1.4 Using the CLI Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#port isolation gi-forward-list 1/0/4 Switch(config-if)#exit Switch(config)#interface gigabitEthernet 1/0/4 Switch(config-if)#port isolation gi-forward-list 1/0/1 Switch(config-if)#end Switch#copy running-config startup-config Verify the Configuration Switch#show port isolation interface...
  • Page 130: Example For Loopback Detection

    Managing Physical Interfaces Configuration Examples Port Forward-List ---- ------------ Gi1/0/1 Gi1/0/4 Gi1/0/2 Gi1/0/1-28,Po1-14 Gi1/0/3 Gi1/0/1-28,Po1-14 Gi1/0/4 Gi1/0/1 Example for Loopback Detection 5.2.1 Network Requirements As shown below, Switch A is a convergence-layer switch connecting to several access-layer switches. Loops can be easily caused in case of misoperation on the access-layer switches.
  • Page 131: Using The Gui

    Managing Physical Interfaces Configuration Examples 5.2.3 Using the GUI 1) Choose the menu L2 FEATURES > Switching > Port > Loopback Detection to load the configuration page. 2) In the Loopback Detection section, enable loopback detection and web refresh globally. Keep the other parameters as default values and click Apply. Figure 5-6 Global Configuration 3) In the Port Config section, enable ports 1/0/1-3, select the operation mode as Port-Based so that the port will be blocked when a loop is detected, and keep the recovery...
  • Page 132: Using The Cli

    Managing Physical Interfaces Configuration Examples 5.2.4 Using the CLI 1) Enable loopback detection globally and configure the detection interval and recovery time. Switch#configure Switch(config)#loopback-detection Switch(config)#loopback-detection interval 30 Switch(config)#loopback-detection recovery-time 3 2) Enable loopback detection on ports 1/0/1-3 and set the process mode and recovery mode.
  • Page 133: Appendix: Default Parameters

    Managing Physical Interfaces Appendix: Default Parameters Appendix: Default Parameters Default settings of Switching are listed in the following tables. Table 6-1 Configurations for Ports Parameter Default Setting Port Config Jumbo 1518 bytes Copper (For RJ45 Ports) Type Fiber (For SFP Ports) Status Enabled Auto (For RJ45 Ports)
  • Page 134: Configuring Lag

    Part 4 Configuring LAG CHAPTERS 1. LAG 2. LAG Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 135: Lag

    Configuring LAG Overview With LAG (Link Aggregation Group) function, you can aggregate multiple physical ports into a logical interface, increasing link bandwidth and providing backup ports to enhance the connection reliability. Supported Features You can configure LAG in two ways: static LAG and LACP (Link Aggregation Control Protocol).
  • Page 136: Lag Configuration

    Configuring LAG LAG Configuration LAG Configuration To complete LAG configuration, follow these steps: 1) Configure the global load-balancing algorithm. 2) Configure Static LAG or LACP. Configuration Guidelines ■ Ensure that both ends of the aggregation link work in the same LAG mode. For example, if the local end works in LACP mode, the peer end should also be set as LACP mode.
  • Page 137: Using The Gui

    Configuring LAG LAG Configuration Using the GUI 2.1.1 Configuring Load-balancing Algorithm Choose the menu L2 FEATURES > Switching > LAG > LAG Table to load the following page. Figure 2-1 Global Config In the Global Config section, select the load-balancing algorithm (Hash Algorithm), then click Apply.
  • Page 138: Configuring Static Lag Or Lacp

    Configuring LAG LAG Configuration as “SRC MAC” to allow Switch A to determine the forwarding port based on the source MAC addresses of the received packets. Figure 2-2 Hash Algorithm Configuration Switch A Switch B Hosts Server 2.1.2 Configuring Static LAG or LACP For one port, you can choose only one LAG mode: Static LAG or LACP.
  • Page 139 Configuring LAG LAG Configuration Note: Clearing all member ports will delete the LAG. ■ Configuring LACP Choose the menu L2 FEATURES > Switching > LAG > LACP to load the following page. Figure 2-4 LACP Config Follow these steps to configure LACP: 1) Specify the system priority for the switch and click Apply.
  • Page 140: Using The Cli

    Configuring LAG LAG Configuration Group ID Specify the group ID of the LAG. Note that the group ID of other static LAGs cannot be set as this value. The valid value of the Group ID is determined by the maximum number of LAGs supported by your switch.
  • Page 141: Configuring Static Lag Or Lacp

    Configuring LAG LAG Configuration Step 2 port-channel load-balance { src-mac | dst-mac | src-dst-mac | src-ip | dst-ip | src-dst-ip } Select the Hash Algorithm. The switch will choose the ports to transfer the packets based on the Hash Algorithm. In this way, different data flows are forwarded on different physical links to implement load balancing.
  • Page 142 Configuring LAG LAG Configuration ■ Configuring Static LAG Follow these steps to configure static LAG: Step 1 configure Enter global configuration mode. Step 2 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Enter interface configuration mode.
  • Page 143 Configuring LAG LAG Configuration ■ Configuring LACP Follow these steps to configure LACP: Step 1 configure Enter global configuration mode. Step 2 lacp system-priority pri Specify the system priority for the switch. To keep active ports consistent at both ends, you can set the priority of one device to be higher than that of the other device.
  • Page 144 Configuring LAG LAG Configuration Step 9 copy running-config startup-config Save the settings in the configuration file. The following example shows how to specify the system priority of the switch as 2: Switch#configure Switch(config)#lacp system-priority 2 Switch(config)#show lacp sys-id 2, 000a.eb13.2397 Switch(config)#end Switch#copy running-config startup-config The following example shows how to add ports 1/0/1-4 to LAG 6, set the mode as LACP,...
  • Page 145: Configuration Example

    Configuring LAG Configuration Example Configuration Example Network Requirements As shown below, hosts and servers are connected to Switch A and Switch B, and heavy traffic is transmitted between the two switches. To achieve high speed and reliability of data transmission, users need to improve the bandwidth and redundancy of the link between the two switches.
  • Page 146: Using The Gui

    Configuring LAG Configuration Example Using the GUI The configurations of Switch A and Switch B are similar. The following introductions take Switch A as an example. 1) Choose the menu L2 FEATURES > Switching > LAG > LAG Table to load the following page.
  • Page 147: Using The Cli

    Configuring LAG Configuration Example Using the CLI The configurations of Switch A and Switch B are similar. The following introductions take Switch A as an example. 1) Configure the load-balancing algorithm as “src-dst-mac”. Switch#configure Switch(config)#port-channel load-balance src-dst-mac 2) Specify the system priority of Switch A as 0. Remember to ensure that the system priority value of Switch B is bigger than 0.
  • Page 148 Configuring LAG Configuration Example 0, 000a.eb13.2397 Verify the LACP configuration: Switch#show lacp internal Flags: S - Device is requesting Slow LACPDUs F - Device is requesting Fast LACPDUs A - Device is in active mode P - Device is in passive mode Channel group 1 Port Flags State LACP Port Priority Admin Key Oper Key Port Number Port State...
  • Page 149: Appendix: Default Parameters

    Configuring LAG Appendix: Default Parameters Appendix: Default Parameters Default settings of Switching are listed in the following tables. Table 4-1 Default Settings of LAG Parameter Default Setting LAG Table Hash Algorithm SRC MAC+DST MAC LACP Config System Priority 32768 Admin Key Port Priority 32768 Mode...
  • Page 150: Managing Mac Address Table

    Part 5 Managing MAC Address Table CHAPTERS 1. MAC Address Table 2. MAC Address Configurations 3. Appendix: Default Parameters
  • Page 151: Mac Address Table

    Managing MAC Address Table MAC Address Table MAC Address Table Overview The MAC address table contains address information that the switch uses to forward packets. As shown below, the table lists map entries of MAC addresses, VLAN IDs and ports. These entries can be manually added or automatically learned by the switch. Based on the MAC-address-to-port mapping in the table, the switch can forward packets only to the associated port.
  • Page 152: Mac Address Configurations

    Managing MAC Address Table MAC Address Configurations MAC Address Configurations With MAC address table, you can: ■ Add static MAC address entries ■ Change the MAC address aging time ■ Add filtering address entries ■ View address table entries Using the GUI 2.1.1 Adding Static MAC Address Entries You can add static MAC address entries by manually specifying the desired MAC address or binding dynamic MAC address entries.
  • Page 153 Managing MAC Address Table MAC Address Configurations MAC Address Enter the static MAC address to be added to the static MAC address entry. VLAN ID Specify an existing VLAN in which packets with the specific MAC address are received. Port Specify a port to which packets with the specific MAC address are forwarded.
  • Page 154: Modifying The Aging Time Of Dynamic Address Entries

    Managing MAC Address Table MAC Address Configurations Note: • In the same VLAN, once an address is configured as a static address, it cannot be set as a filtering address, and vice versa. • Multicast or broadcast addresses cannot be set as static addresses. •...
  • Page 155: Adding Mac Filtering Address Entries

    Managing MAC Address Table MAC Address Configurations 2.1.3 Adding MAC Filtering Address Entries Choose the menu L2 FEATURES > Switching > MAC Address > Filtering Address and click to load the following page. Figure 2-4 Adding MAC Filtering Address Entries Follow these steps to add MAC filtering address entries: 1) Enter the MAC Address and VLAN ID.
  • Page 156: Using The Cli

    Managing MAC Address Table MAC Address Configurations Choose the menu L2 FEATURES > Switching > MAC Address > Address Table and click to load the following page. Figure 2-5 Viewing Address Table Entries Using the CLI 2.2.1 Adding Static MAC Address Entries Follow these steps to add static MAC address entries: Step 1 configure...
  • Page 157: Modifying The Aging Time Of Dynamic Address Entries

    Managing MAC Address Table MAC Address Configurations Step 3 Return to privileged EXEC mode. Step 4 copy running-config startup-config Save the settings in the configuration file. Note: • In the same VLAN, once an address is configured as a static address, it cannot be set as a filtering address, and vice versa.
  • Page 158: Adding Mac Filtering Address Entries

    Managing MAC Address Table MAC Address Configurations Step 2 mac address-table aging-time aging-time Set your desired length of address aging time for dynamic address entries. aging-time: Set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated.
  • Page 159 Managing MAC Address Table MAC Address Configurations Note: • In the same VLAN, once an address is configured as a filtering address, it cannot be set as a static address, and vice versa. • Multicast or broadcast addresses cannot be set as filtering addresses. The following example shows how to add the MAC filtering address 00:1e:4b:04:01:5d to VLAN 10.
  • Page 160: Appendix: Default Parameters

    Managing MAC Address Table Appendix: Default Parameters Appendix: Default Parameters Default settings of the MAC Address Table are listed in the following tables. Table 3-1 Entries in the MAC Address Table Parameter Default Setting Static Address Entries None Dynamic Address Entries Auto-learning Filtering Address Entries None...
  • Page 161: Configuring 802.1Q Vlan

    Part 6 Configuring 802.1Q VLAN CHAPTERS 1. Overview 2. 802.1Q VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters
  • Page 162: Overview

    Configuring 802.1Q VLAN Overview Overview VLAN (Virtual Local Area Network) is a network technique that solves broadcasting issues in local area networks. It is usually applied in the following occasions: ■ To restrict broadcast domain: VLAN technique divides a big local area network into several VLANs, and all VLAN traffic remains within its VLAN.
  • Page 163: 802.1Q Vlan Configuration

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration 802.1Q VLAN Configuration To complete 802.1Q VLAN configuration, follow these steps: 1) Configure the VLAN, including creating a VLAN and adding the desired ports to the VLAN. 2) Configure port parameters for 802.1Q VLAN.
  • Page 164: Using The Gui

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration Using the GUI 2.1.1 Configuring the VLAN Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Figure 2-1 Configuring VLAN Follow these steps to configure VLAN: 1) Enter a VLAN ID and a description for identification to create a VLAN.
  • Page 165: Configuring The Port Parameters For 802.1Q Vlan

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration Untagged port The selected ports will forward untagged packets in the target VLAN. Tagged port The selected ports will forward tagged packets in the target VLAN. 3) Click Apply. 2.1.2 Configuring the Port Parameters for 802.1Q VLAN Choose the menu L2 FEATURES >...
  • Page 166: Using The Cli

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration Displays the LAG (Link Aggregation Group) which the port belongs to. Details Click the Details button to view the VLANs to which the port belongs. Using the CLI 2.2.1 Creating a VLAN Follow these steps to create a VLAN: Step 1 configure Enter global configuration mode.
  • Page 167: Adding The Port To The Specified Vlan

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration VLAN Name Status Ports ------- -------- --------- --------- active Switch(config-vlan)#end Switch#copy running-config startup-config 2.2.2 Adding the Port to the Specified VLAN Follow these steps to add the port to the specified VLAN: Step 1 configure Enter global configuration mode.
  • Page 168: Configuring The Port

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration Acceptable frame type: All Ingress Checking: Enable Member in LAG: N/A Link Type: General Member in VLAN: Vlan Name Egress-rule ---- ----------- ----------- System-VLAN Untagged Tagged Switch(config-if)#end Switch#copy running-config startup-config 2.2.3 Configuring the Port Follow these steps to configure the port: Step 1 configure...
  • Page 169 Configuring 802.1Q VLAN 802.1Q VLAN Configuration The following example shows how to configure the PVID of port 1/0/5 as 2, enable the ingress checking and set the acceptable frame type as all: Switch#configure Switch(config)#interface gigabitEthernet 1/0/5 Switch(config-if)#switchport pvid 2 Switch(config-if)#switchport check ingress Switch(config-if)#switchport acceptable frame all Switch(config-if)#show interface switchport gigabitEthernet 1/0/5 Port Gi1/0/5:...
  • Page 170: Configuration Example

    Configuring 802.1Q VLAN Configuration Example Configuration Example Network Requirements ■ Offices of Department A and Department B in the company are located in different places, and some computers in different offices connect to the same switch. ■ It is required that computers can communicate with each other in the same department but not with computers in the other department.
  • Page 171: Network Topology

    Configuring 802.1Q VLAN Configuration Example Network Topology The figure below shows the network topology. Host A1 and Host A2 are in Department A, while Host B1 and Host B2 are in Department B. Switch 1 and Switch 2 are located in two different places.
  • Page 172 Configuring 802.1Q VLAN Configuration Example Figure 3-2 Creating VLAN 10 for Department A 2) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 20 with the description of Department_B.
  • Page 173 Configuring 802.1Q VLAN Configuration Example Figure 3-3 Creating VLAN 20 for Department B 3) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > Port Config to load the following page. Set the PVID of port 1/0/2 as 10 and click Apply. Set the PVID of port 1/0/3 as 20 and click Apply.
  • Page 174: Using The Cli

    Configuring 802.1Q VLAN Configuration Example Figure 3-4 Specifying the PVID for the ports 4) Click to save the settings. Using the CLI The configurations of Switch 1 and Switch 2 are similar. The following introductions take Switch 1 as an example. 1) Create VLAN 10 for Department A, and configure the description as Department-A.
  • Page 175 Configuring 802.1Q VLAN Configuration Example Switch_1(config)#interface fastEthernet 1/0/3 Switch_1(config-if)#switchport general allowed vlan 20 untagged Switch_1(config-if)#exit Switch_1(config)#interface fastEthernet 1/0/4 Switch_1(config-if)#switchport general allowed vlan 10 tagged Switch_1(config-if)#switchport general allowed vlan 20 tagged Switch_1(config-if)#exit 3) Set the PVID of port 1/0/2 as 10, and set the PVID of port 1/0/3 as 20. Switch_1(config)#interface fastEthernet 1/0/2 Switch_1(config-if)#switchport pvid 10 Switch_1(config-if)#exit...
  • Page 176 Configuring 802.1Q VLAN Configuration Example Verify the VLAN configuration: Switch_1(config)#show interface switchport Port Type PVID Acceptable frame type Ingress Checking ------- ---- ---- --------------------- ---------------- Fa1/0/1 General Enable Fa1/0/2 General Enable Fa1/0/3 General Enable Fa1/0/4 General Enable Fa1/0/5 General Enable ..
  • Page 177: Appendix: Default Parameters

    Configuring 802.1Q VLAN Appendix: Default Parameters Appendix: Default Parameters Default settings of 802.1Q VLAN are listed in the following table. Table 4-1 Default Settings of 802.1Q VLAN Parameter Default Setting VLAN ID PVID Ingress Checking Enabled Acceptable Frame Types Admit All
  • Page 178: Configuring Mac Vlan

    Part 7 Configuring MAC VLAN CHAPTERS 1. Overview 2. MAC VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters
  • Page 179: Overview

    Configuring MAC VLAN Overview Overview VLAN is generally divided by ports. It is a common way of division but isn’t suitable for those networks that require frequent topology changes. With the popularity of mobile office, at different times a terminal device may access the network via different ports. For example, a terminal device that accessed the switch via port 1 last time may change to port 2 this time.
  • Page 180: Mac Vlan Configuration

    Configuring MAC VLAN MAC VLAN Configuration MAC VLAN Configuration To complete MAC VLAN configuration, follow these steps: 1) Configure 802.1Q VLAN. 2) Bind the MAC address to the VLAN. 3) Enable MAC VLAN for the port. Configuration Guidelines When a port in a MAC VLAN receives an untagged data packet, the switch will first check whether the source MAC address of the data packet has been bound to the MAC VLAN.
  • Page 181: Enabling Mac Vlan For The Port

    Configuring MAC VLAN MAC VLAN Configuration 1) Enter the MAC address of the device, give it a description, and enter the VLAN ID to bind it to the VLAN. MAC Address Enter the MAC address of the device in the format of 00-00-00-00-00-01. Description Give a MAC address description for identification with up to 8 characters.
  • Page 182: Using The Cli

    Configuring MAC VLAN MAC VLAN Configuration Using the CLI 2.2.1 Configuring 802.1Q VLAN Before configuring MAC VLAN, create an 802.1Q VLAN and set the port type according to network requirements. For details, refer to Configuring 802.1Q VLAN. 2.2.2 Binding the MAC Address to the VLAN Follow these steps to bind the MAC address to the VLAN: Step 1 configure...
  • Page 183: Enabling Mac Vlan For The Port

    Configuring MAC VLAN MAC VLAN Configuration Switch#copy running-config startup-config 2.2.3 Enabling MAC VLAN for the Port Follow these steps to enable MAC VLAN for the port: Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list }...
  • Page 184: Configuration Example

    Configuring MAC VLAN Configuration Example Configuration Example Network Requirements Two departments share all the meeting rooms in the company, but use different servers and laptops. Department A uses Server A and Laptop A, while Department B uses Server B and Laptop B. Server A is in VLAN 10 while Server B is in VLAN 20. It is required that Laptop A can only access Server A and Laptop B can only access Server B, no matter which meeting room the laptops are being used in.
  • Page 185: Using The Gui

    Configuring MAC VLAN Configuration Example egress rule as Untagged; for the ports connecting to other switch, set the egress rule as Tagged. 2) On Switch 1 and Switch 2, bind the MAC addresses of the laptops to their corresponding VLANs, and enable MAC VLAN for the ports. Demonstrated with T1500-28PCT, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.
  • Page 186 Configuring MAC VLAN Configuration Example Figure 3-2 Creating VLAN 10 2) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 20, and add untagged port 1/0/1 and tagged port 1/0/2 to VLAN 20. Click Create.
  • Page 187 Configuring MAC VLAN Configuration Example Figure 3-3 Creating VLAN 20 3) Choose the menu L2 FEATURES > VLAN > MAC VLAN and click to load the following page. Specify the corresponding parameters and click Create to bind the MAC address of Laptop A to VLAN 10 and bind the MAC address of Laptop B to VLAN Figure 3-4 Creating MAC VLAN 4) Choose the menu L2 FEATURES >...
  • Page 188 Configuring MAC VLAN Configuration Example Figure 3-5 Enabling MAC VLAN for the Port 5) Click to save the settings. ■ Configurations for Switch 3 1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 10, and add untagged port 1/0/4 and tagged ports 1/0/2-3 to VLAN 10.
  • Page 189 Configuring MAC VLAN Configuration Example Figure 3-6 Creating VLAN 10 2) Click Create to load the following page. Create VLAN 20, and add untagged port 1/0/5 and tagged ports 1/0/2-3 to VLAN 20. Click Create.
  • Page 190: Using The Cli

    Configuring MAC VLAN Configuration Example Figure 3-7 Creating VLAN 20 3) Click to save the settings. Using the CLI ■ Configurations for Switch 1 and Switch 2 The configurations of Switch 1 and Switch 2 are the same. The following introductions take Switch 1 as an example.
  • Page 191 Configuring MAC VLAN Configuration Example Switch_1(config)#vlan 20 Switch_1(config-vlan)#name deptB Switch_1(config-vlan)#exit 2) Add tagged port 1/0/2 and untagged port 1/0/1 to both VLAN 10 and VLAN 20. Then enable MAC VLAN on port 1/0/1. Switch_1(config)#interface fastEthernet 1/0/2 Switch_1(config-if)#switchport general allowed vlan 10,20 tagged Switch_1(config-if)#exit Switch_1(config)#interface fastEthernet 1/0/1 Switch_1(config-if)#switchport general allowed vlan 10,20 untagged...
  • Page 192 Configuring MAC VLAN Configuration Example Switch_3(config)#interface fastEthernet 1/0/3 Switch_3(config-if)#switchport general allowed vlan 10,20 tagged Switch_3(config-if)#exit 3) Add untagged port 1/0/4 to VLAN 10 and untagged port 1/0/5 to VLAN 20. Switch_3(config)#interface fastEthernet 1/0/4 Switch_3(config-if)#switchport general allowed vlan 10 untagged Switch_3(config-if)#exit Switch_3(config)#interface fastEthernet 1/0/5 Switch_3(config-if)#switchport general allowed vlan 20 untagged Switch_3(config-if)#end...
  • Page 193 Configuring MAC VLAN Configuration Example VLAN Name Status Ports -------- --------------- ------------- ------------------------------------- System-VLAN active Fa1/0/1, Fa1/0/2, Fa1/0/3, Fa1/0/4, Fa1/0/5, Fa1/0/6, Fa1/0/7, Fa1/0/8 DeptA active Fa1/0/2, Fa1/0/3, Fa1/0/4 DeptB active Fa1/0/2, Fa1/0/3, Fa1/0/5
  • Page 194: Appendix: Default Parameters

    Configuring MAC VLAN Appendix: Default Parameters Appendix: Default Parameters Default settings of MAC VLAN are listed in the following table. Table 4-1 Default Settings of MAC VLAN Parameter Default Setting MAC Address None Description None VLAN ID None Port Enable Disabled
  • Page 195: Configuring Protocol Vlan

    Part 8 Configuring Protocol VLAN CHAPTERS 1. Overview 2. Protocol VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters
  • Page 196: Overview

    Configuring Protocol VLAN Overview Overview Protocol VLAN is a technology that divides VLANs based on the network layer protocol. With the protocol VLAN rule configured on the basis of the existing 802.1Q VLAN, the switch can analyze specific fields of received packets, encapsulate the packets in specific formats, and forward the packets with different protocols to the corresponding VLANs.
  • Page 197: Protocol Vlan Configuration

    3) Configure Protocol VLAN. Configuration Guidelines ■ You can use the IP, ARP, RARP, and other protocol templates provided by TP-Link switches, or create new protocol templates. ■ In a protocol VLAN, when a port receives an untagged data packet, the switch will first search for the protocol VLAN matching the protocol type value of the packet.
  • Page 198: Creating Protocol Template

    Configuring Protocol VLAN Protocol VLAN Configuration 2.1.2 Creating Protocol Template Choose the menu L2 FEATURES > VLAN > Protocol VLAN > Protocol Template to load the following page. Figure 2-1 Check the Protocol Template Follow these steps to create a protocol template: 1) Check whether your desired template already exists in the Protocol Template Config section.
  • Page 199: Configuring Protocol Vlan

    Configuring Protocol VLAN Protocol VLAN Configuration DSAP Enter the DSAP value for the protocol template. It is available when LLC is selected. It is the DSAP field in the frame and is used to identify the data type of the frame. SSAP Enter the SSAP value for the protocol template.
  • Page 200: Using The Cli

    Configuring Protocol VLAN Protocol VLAN Configuration 802.1p Priority Specify the 802.1p priority for the packets that belong to the protocol VLAN. The switch will determine the forwarding sequence according to this value. Packets with a larger 802.1p priority value have higher priority. 2) Select the desired ports.
  • Page 201: Configuring Protocol Vlan

    Configuring Protocol VLAN Protocol VLAN Configuration The following example shows how to create an IPv6 protocol template: Switch#configure Switch(config)#protocol-vlan template name IPv6 frame ether_2 ether-type 86dd Switch(config)#show protocol-vlan template Index Protocol Name Protocol Type ------- ----------------- -------------------------------- EthernetII ether-type 0800 EthernetII ether-type 0806 RARP EthernetII ether-type 8035...
  • Page 202 Configuring Protocol VLAN Protocol VLAN Configuration Step 5 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 6 protocol-vlan group entry-id Add the specified port to the protocol group.
  • Page 203 Configuring Protocol VLAN Protocol VLAN Configuration Index Protocol-Name VID Priority Member ------ ------------------ ------ -------- ------------ IPv6 Gi1/0/2 Switch(config-if)#end Switch#copy running-config startup-config
  • Page 204: Configuration Example

    Configuring Protocol VLAN Configuration Example Configuration Example Network Requirements A company uses both IPv4 and IPv6 hosts, and these hosts access the IPv4 network and IPv6 network respectively via different routers. It is required that IPv4 packets are forwarded to the IPv4 network, IPv6 packets are forwarded to the IPv6 network, and other packets are dropped.
  • Page 205 Configuring Protocol VLAN Configuration Example 1) Create VLAN 10 and VLAN 20 and add each port to the corresponding VLAN. 2) Use the IPv4 protocol template provided by the switch, and create the IPv6 protocol template. 3) Bind the protocol templates to the corresponding VLANs to form protocol groups, and add port 1/0/1 to the groups.
  • Page 206: Using The Gui

    Configuring Protocol VLAN Configuration Example Using the GUI ■ Configurations for Switch 1 1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 10, and add untagged port 1/0/1 and untagged port 1/0/3 to VLAN 10.
  • Page 207 Configuring Protocol VLAN Configuration Example 2) Click to load the following page. Create VLAN 20, and add untagged ports 1/0/2-3 to VLAN 20. Click Create. Figure 3-3 Create VLAN 20 3) Click to save the settings.
  • Page 208 Configuring Protocol VLAN Configuration Example ■ Configurations for Switch 2 1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 10, and add tagged port 1/0/1 and untagged port 1/0/2 to VLAN 10.
  • Page 209 Configuring Protocol VLAN Configuration Example 2) Click to load the following page. Create VLAN 20, and add tagged port 1/0/1 and untagged port 1/0/3 to VLAN 20. Click Create. Figure 3-5 Create VLAN 20
  • Page 210 Configuring Protocol VLAN Configuration Example 3) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > Port Config to load the following page. Set the PVID of port 1/0/2 and port 1/0/3 as 10 and 20 respectively. Click Apply. Figure 3-6 Port Configuration 4) Choose the menu L2 FEATURES >...
  • Page 211: Using The Cli

    Configuring Protocol VLAN Configuration Example Figure 3-8 Configure the IPv4 Protocol Group Figure 3-9 Configure the IPv6 Protocol Group 6) Click to save the settings. Using the CLI ■ Configurations for Switch 1 1) Create VLAN 10 and VLAN 20.
  • Page 212 Configuring Protocol VLAN Configuration Example Switch_1#configure Switch_1(config)#vlan 10 Switch_1(config-vlan)#name IPv4 Switch_1(config-vlan)#exit Switch_1(config)#vlan 20 Switch_1(config-vlan)#name IPv6 Switch_1(config-vlan)#exit 2) Add untagged port 1/0/1 to VLAN 10. Add untagged port 1/0/2 to VLAN 20. Add untagged port 1/0/3 to both VLAN10 and VLAN 20. Switch_1(config)#interface fastEthernet 1/0/1 Switch_1(config-if)#switchport general allowed vlan 10 untagged Switch_1(config-if)#exit...
  • Page 213 Configuring Protocol VLAN Configuration Example Switch_2(config)#interface fastEthernet 1/0/1 Switch_2(config-if)#switchport general allowed vlan 10,20 tagged Switch_2(config-if)#exit Switch_2(config)#interface fastEthernet 1/0/2 Switch_2(config-if)#switchport pvid 10 Switch_2(config-if)#switchport general allowed vlan 10 untagged Switch_2(config-if)#exit Switch_2(config)#interface fastEthernet 1/0/3 Switch_2(config-if)#switchport mode general Switch_2(config-if)#switchport pvid 20 Switch_2(config-if)#switchport general allowed vlan 20 untagged Switch_2(config-if)#exit 3) Create the IPv6 protocol template.
  • Page 214 Configuring Protocol VLAN Configuration Example IPv6 Switch_2(config)#interface fastEthernet 1/0/1 Switch_2(config-if)#protocol-vlan group 1 Switch_2(config-if)#protocol-vlan group 2 Switch_2(config-if)#exit Switch_2(config)#end Switch_2#copy running-config startup-config Verify the Configurations ■ Switch 1 Verify 802.1Q VLAN configuration: Switch_1#show vlan VLAN Name Status Ports -------- ------------- --------- -------------------------------------------- System-VLAN active Fa1/0/1, Fa1/0/2, Fa1/0/3, Fa1/0/4...
  • Page 215 Configuring Protocol VLAN Configuration Example Verify protocol group configuration: Switch_2#show protocol-vlan vlan Index Protocol-Name Priority Member -------- --------------------- ------ ------ ----------- Fa1/0/1 IPv6 Fa1/0/1
  • Page 216: Appendix: Default Parameters

    Configuring Protocol VLAN Appendix: Default Parameters Appendix: Default Parameters Default settings of Protocol VLAN are listed in the following table. Table 4-1 Default Settings of Protocol VLAN Parameter Default Setting Ethernet II ether-type 0800 Ethernet II ether-type 0806 Protocol Template Table RARP Ethernet II ether-type 8035 SNAP ether-type 8137...
  • Page 217: Configuring Gvrp

    Part 9 Configuring GVRP CHAPTERS 1. Overview 2. GVRP Configuration 3. Configuration Example 4. Appendix: Default Parameters
  • Page 218: Overview

    Configuring GVRP Overview Overview GVRP (GARP VLAN Registration Protocol) is a GARP (Generic Attribute Registration Protocol) application that allows registration and deregistration of VLAN attribute values and dynamic VLAN creation. Without GVRP operating, configuring the same VLAN on a network would require manual configuration on each device.
  • Page 219: Gvrp Configuration

    Configuring GVRP GVRP Configuration GVRP Configuration To complete GVRP configuration, follow these steps: 1) Create a VLAN. 2) Enable GVRP globally. 3) Enable GVRP on each port and configure the corresponding parameters. Configuration Guidelines To dynamically create a VLAN on all ports in a network link, you must configure the same static VLAN on both ends of the link.
  • Page 220: Using The Gui

    Configuring GVRP GVRP Configuration Using the GUI Choose the menu L2 FEATURES > VLAN > GVRP > GVRP Config to load the following page. Figure 2-1 GVRP Config Follow these steps to configure GVRP: 1) In the GVRP section, enable GVRP globally, then click Apply. 2) In the Port Config section, select one or more ports, set the status as Enable and configure the related parameters according to your needs.
  • Page 221: Using The Cli

    Configuring GVRP GVRP Configuration LeaveAll Timer When a GARP participant is enabled, the LeaveAll timer will be started. When (centisecond) the LeaveAll timer expires, the GARP participant will send LeaveAll messages to request other GARP participants to re-register all its attributes. After that, the participant restarts the LeaveAll timer.
  • Page 222 Configuring GVRP GVRP Configuration Step 3 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 4 gvrp Enable GVRP on the port.
  • Page 223 Configuring GVRP GVRP Configuration Step 9 Return to privileged EXEC mode. Step 10 copy running-config startup-config Save the settings in the configuration file. Note: • The member port of an LAG follows the configuration of the LAG and not its own. The configurations of the port can take effect only after it leaves the LAG.
  • Page 224: Configuration Example

    Configuring GVRP Configuration Example Configuration Example Network Requirements Department A and Department B of a company are connected using switches. Offices of one department are distributed on different floors. As shown in Figure 3-1, the network topology is complicated. Configuration of the same VLAN on different switches is required so that computers in the same department can communicate with each other.
  • Page 225: Using The Gui

    Configuring GVRP Configuration Example Demonstrated with T1600G-28TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. Using the GUI GVRP configurations for Switch 3 are the same as for Switch 1, and those for Switch 4 are the same as for Switch 2.
  • Page 226 Configuring GVRP Configuration Example 2) Choose the menu L2 FEATURES > VLAN > GVRP to load the following page. Enable GVRP globally, then click Apply. Select port 1/0/1, set Status as Enable, and set Registration Mode as Fixed. Keep the values of the timers as default. Click Apply. Figure 3-3 GVRP Configuration 3) Click to save the settings.
  • Page 227 Configuring GVRP Configuration Example Figure 3-4 Create VLAN 20 2) Choose the menu L2 FEATURES > VLAN > GVRP to load the following page. Enable GVRP globally, then click Apply. Select port 1/0/1, set Status as Enable, and set Registration Mode as Fixed. Keep the values of the timers as default. Click Apply.
  • Page 228 Configuring GVRP Configuration Example Figure 3-5 GVRP Configuration 3) Click to save the settings. ■ Configurations for Switch 5 1) Choose the menu L2 FEATURES > VLAN > GVRP to load the following page. Enable GVRP globally, then click Apply. Select ports 1/0/1-3, set Status as Enable, and keep the Registration Mode and the values of the timers as default.
  • Page 229: Using The Cli

    Configuring GVRP Configuration Example Figure 3-6 GVRP Configuration 2) Click to save the settings. Using the CLI GVRP configuration for Switch 3 is the same as for Switch 1, and that for Switch 4 is the same as for Switch 2. Other switches share similar configurations. The following configuration procedures take Switch 1, Switch 2 and Switch 5 as examples.
  • Page 230 Configuring GVRP Configuration Example Switch_1(config)#interface gigabitEthernet 1/0/1 Switch_1(config-if)#switchport general allowed vlan 10 tagged Switch_1(config-if)#gvrp Switch_1(config-if)#gvrp registration fixed Switch_1(config-if)#end Switch_1#copy running-config startup-config ■ Configurations for Switch 2 1) Enable GVRP globally. Switch_2#configure Switch_2(config)#gvrp 2) Create VLAN 20. Switch_2(config)#vlan 20 Switch_2(config-vlan)#name Department_B Switch_2(config-vlan)#exit 3) Add tagged port 1/0/1 to VLAN 20.
  • Page 231 Configuring GVRP Configuration Example Switch_5#copy running-config startup-config Verify the Configuration ■ Switch 1 Verify the global GVRP configuration: Switch_1#show gvrp global GVRP Global Status ------------------ Enabled Verify GVRP configuration for port 1/0/1: Switch_1#show gvrp interface Port Status Reg-Mode LeaveAll JoinIn Leave LAG ---- ------...
  • Page 232 Configuring GVRP Configuration Example Gi1/0/2 Disabled Normal 1000 ■ Switch 5 Verify global GVRP configuration: GVRP Global Status ------------------ Enabled Verify GVRP configuration for ports 1/0/1-3: Switch_5#show gvrp interface Port Status Reg-Mode LeaveAll JoinIn Leave LAG ---- ------ -------- ------- ------ ----- Gi1/0/1 Enabled...
  • Page 233: Appendix: Default Parameters

    Configuring GVRP Appendix: Default Parameters Appendix: Default Parameters Default settings of GVRP are listed in the following tables. Table 4-1 Default Settings of GVRP Parameter Default Setting Global Config GVRP Disabled Port Config Status Disabled Registration Mode Normal LeaveAll Timer 1000 centiseconds Join Timer 20 centiseconds...
  • Page 234: Configuring Layer 2 Multicast

    Part 10 Configuring Layer 2 Multicast CHAPTERS 1. Layer 2 Multicast 2. IGMP Snooping Configuration 3. MLD Snooping Configuration 4. MVR Configuration 5. Multicast Filtering Configuration 6. Viewing Multicast Snooping Information 7. Configuration Examples 8. Appendix: Default Parameters
  • Page 235: Layer 2 Multicast

    Configuring Layer 2 Multicast Layer 2 Multicast Layer 2 Multicast Overview In a point-to-multipoint network, packets can be sent in three ways: unicast, broadcast and multicast. With unicast, many copies of the same information will be sent to all the receivers, occupying a large bandwidth.
  • Page 236 Configuring Layer 2 Multicast Layer 2 Multicast Demonstrated as below: Figure 1-1 IGMP Snooping Multicast packets transmission Multicast packets transmission without IGMP Snooping with IGMP Snooping IGMP Querier IGMP Querier Source Source Router Port Snooping Switch Non-Snooping Switch Member Port Member Port Host A Host B Host C...
  • Page 237: Supported Features

    Configuring Layer 2 Multicast Layer 2 Multicast Supported Features Layer 2 Multicast protocol for IPv4: IGMP Snooping On the Layer 2 device, IGMP Snooping transmits data on demand on data link layer by analyzing IGMP packets between the IGMP querier and the users, to build and maintain Layer 2 multicast forwarding table.
  • Page 238: Igmp Snooping Configuration

    Configuring Layer 2 Multicast IGMP Snooping Configuration IGMP Snooping Configuration To complete IGMP Snooping configuration, follow these steps: 1) Enable IGMP Snooping globally and configure the global parameters. 2) Configure IGMP Snooping for VLANs. 3) Configure IGMP Snooping for ports. 4) (Optional) Configure hosts to statically join a group.
  • Page 239: Configuring Igmp Snooping For Vlans

    Configuring Layer 2 Multicast IGMP Snooping Configuration IGMP Version Specify the IGMP version. v1: The switch works as an IGMPv1 Snooping switch. It can only process IGMPv1 messages from the host. Messages of other versions are ignored. v2: The switch works as an IGMPv2 Snooping switch. It can process both IGMPv1 and IGMPv2 messages from the host.
  • Page 240 Configuring Layer 2 Multicast IGMP Snooping Configuration Figure 2-2 Configure IGMP Snooping for VLAN Follow these steps to configure IGMP Snooping for a specific VLAN: 1) Enable IGMP Snooping for the VLAN, and configure the corresponding parameters. VLAN ID Displays the VLAN ID. IGMP Snooping Enable or disable IGMP Snooping for the VLAN.
  • Page 241 Configuring Layer 2 Multicast IGMP Snooping Configuration Report Enable or disable Report Suppression for the VLAN. Suppression When enabled, the switch will only forward the first IGMP report message for each multicast group to the IGMP querier and suppress subsequent IGMP report messages for the same multicast group during one query interval.
  • Page 242 Configuring Layer 2 Multicast IGMP Snooping Configuration Query Interval With IGMP Snooping Querier enabled, specify the interval between general query messages sent by the switch. Maximum With IGMP Snooping Querier enabled, specify the host’s maximum response time Response Time to general query messages. Last Member With IGMP Snooping Querier enabled, when the switch receives an IGMP leave Query Interval...
  • Page 243: Configuring Igmp Snooping For Ports

    Configuring Layer 2 Multicast IGMP Snooping Configuration 2.1.3 Configuring IGMP Snooping for Ports Choose the menu L2 FEATURES > Multicast > IGMP Snooping > Port Config to load the following page. Figure 2-3 Configure IGMP Snooping for Ports Follow these steps to configure IGMP Snooping for ports: 1) Enable IGMP Snooping for the port and enable Fast Leave if there is only one receiver connected to the port.
  • Page 244: Using The Cli

    Configuring Layer 2 Multicast IGMP Snooping Configuration Choose the menu L2 FEATURES > Multicast > IGMP Snooping > Static Group Config and click to load the following page. Figure 2-4 Configure Hosts to Statically Join a Group Follow these steps to configure hosts to statically join a group: 1) Specify the multicast IP address, VLAN ID.
  • Page 245 Configuring Layer 2 Multicast IGMP Snooping Configuration Step 3 ip igmp snooping version {v1 | v2 | v3} Configure the IGMP version. v1: The switch works as an IGMPv1 Snooping switch. It can only process IGMPv1 report messages from the host. Report messages of other versions are ignored. v2: The switch works as an IGMPv2 Snooping switch.
  • Page 246: Configuring Igmp Snooping For Vlans

    Configuring Layer 2 Multicast IGMP Snooping Configuration Switch(config)#ip igmp snooping header-validation Switch(config)#show ip igmp snooping IGMP Snooping :Enable IGMP Version Unknown Multicast :Discard Header Validation :Enable Switch(config)#end Switch#copy running-config startup-config 2.2.2 Configuring IGMP Snooping for VLANs Before configuring IGMP Snooping for VLANs, set up the VLANs that the router ports and the member ports are in.
  • Page 247 Configuring Layer 2 Multicast IGMP Snooping Configuration Step 3 ip igmp snooping vlan-config vlan-id-list rtime router-time Specify the router port aging time for the VLANs. vlan-id-list: Specify the ID or the ID list of the VLAN(s). router-time: Specify the aging time of the router ports in the specified VLANs. Valid values are from 60 to 600 seconds.
  • Page 248 Configuring Layer 2 Multicast IGMP Snooping Configuration Step 6 ip igmp snooping vlan-config vlan-id-list immediate-leave (Optional) Enable the Fast Leave for the VLANs. By default, it is disabled. IGMPv1 does not support fast leave. Without Fast Leave, after a receiver sends an IGMP leave message to leave a multicast group, the switch will forward the leave message to the Layer 3 device (the querier).
  • Page 249 Configuring Layer 2 Multicast IGMP Snooping Configuration Step 9 ip igmp snooping vlan-config vlan-id-list querier (Optional) Enable the IGMP Snooping Querier for the VLAN. By default, it is disabled. When enabled, the switch acts as an IGMP Snooping Querier for the hosts in this VLAN. A querier periodically sends a general query on the network to solicit membership information, and sends group-specific queries when it receives leave messages from hosts.
  • Page 250 Configuring Layer 2 Multicast IGMP Snooping Configuration Switch(config)#ip igmp snooping vlan-config 1 mtime 300 Switch(config)#ip igmp snooping vlan-config 1 rtime 320 Switch(config)#ip igmp snooping vlan-config 1 immediate-leave Switch(config)#ip igmp snooping vlan-config 1 report-suppression Switch(config)#show ip igmp snooping vlan 1 Vlan Id: 1 Vlan IGMP Snooping Status: Enable Fast Leave: Enable Report Suppression: Enable...
  • Page 251: Configuring Igmp Snooping For Ports

    Configuring Layer 2 Multicast IGMP Snooping Configuration Query Interval: Last Member Query Interval: 2 Last Member Query Count: General Query Source IP: 192.168.0.5 Switch(config)#end Switch#copy running-config startup-config 2.2.3 Configuring IGMP Snooping for Ports Follow these steps to configure IGMP Snooping for ports: Step 1 configure Enter global configuration mode.
  • Page 252: Configuring Hosts To Statically Join A Group

    Configuring Layer 2 Multicast IGMP Snooping Configuration Switch(config)#interface range fastEthernet 1/0/1-3 Switch(config-if-range)#ip igmp snooping Switch(config-if-range)#ip igmp snooping immediate-leave Switch(config-if-range)#show ip igmp snooping interface gigabitEthernet 1/0/1-3 Port IGMP-Snooping Fast-Leave ----------- ------------------- -------------- Gi1/0/1 enable enable Gi1/0/2 enable enable Gi1/0/3 enable enable Switch(config-if-range)#end Switch#copy running-config startup-config 2.2.4 Configuring Hosts to Statically Join a Group...
  • Page 253 Configuring Layer 2 Multicast IGMP Snooping Configuration Switch(config)#ip igmp snooping vlan-config 2 static 239.1.2.3 interface gigabitEthernet 1/0/1-3 Switch(config)#show ip igmp snooping groups static Multicast-ip VLAN-id Addr-type Switch-port ------------ ------- --------- ----------- 239.1.2.3 static Gi1/0/1-3 Switch(config)#end Switch#copy running-config startup-config
  • Page 254: Mld Snooping Configuration

    Configuring Layer 2 Multicast MLD Snooping Configuration MLD Snooping Configuration To complete MLD Snooping configuration, follow these steps: 1) Enable MLD Snooping globally and configure the global parameters. 2) Configure MLD Snooping for VLANs. 3) Configure MLD Snooping for ports. 4) (Optional) Configure hosts to statically join a group.
  • Page 255: Configuring Mld Snooping For Vlans

    Configuring Layer 2 Multicast MLD Snooping Configuration 2) Click Apply. 3.1.2 Configuring MLD Snooping for VLANs Before configuring MLD Snooping for VLANs, set up the VLANs that the router ports and the member ports are in. For details, please refer to Configuring 802.1Q VLAN.
  • Page 256 Configuring Layer 2 Multicast MLD Snooping Configuration Fast Leave Enable or disable Fast Leave for the VLAN. Without Fast Leave, after a receiver sends an MLD done message (equivalent to an IGMP leave message) to leave a multicast group, the switch will forward the done message to the Layer 3 device (the querier).
  • Page 257 Configuring Layer 2 Multicast MLD Snooping Configuration Leave Time Specify the leave time for the VLAN. When the switch receives a leave message from a port to leave a multicast group, it will wait for a leave time before removing the port from the multicast group. During the period, if the switch receives any report messages from the port, the port will not be removed from the multicast group.
  • Page 258: Configuring Mld Snooping For Ports

    Configuring Layer 2 Multicast MLD Snooping Configuration Forbidden Select the ports to forbid them from being router ports in the VLAN. Router Ports 2) Click Save. 3.1.3 Configuring MLD Snooping for Ports Choose the menu L2 FEATURES > Multicast > MLD Snooping > Port Config to load the following page.
  • Page 259: Configuring Hosts To Statically Join A Group

    Configuring Layer 2 Multicast MLD Snooping Configuration 3.1.4 Configuring Hosts to Statically Join a Group Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also configure hosts to statically join a group. Choose the menu L2 FEATURES > Multicast > MLD Snooping > Static Group Config and click to load the following page.
  • Page 260: Configuring Mld Snooping For Vlans

    Configuring Layer 2 Multicast MLD Snooping Configuration Step 3 ipv6 mld snooping drop-unknown (Optional) Configure the switch to discard multicast streams that are sent to unknown multicast groups. By default, the action is Forward. Unknown multicast groups are multicast groups that do not match any of the groups announced in earlier IGMP membership reports, and thus cannot be found in the multicast forwarding table of the switch.
  • Page 261 Configuring Layer 2 Multicast MLD Snooping Configuration Follow these steps to configure MLD Snooping for VLANs: Step 1 configure Enter global configuration mode. Step 2 ipv6 mld snooping vlan-config vlan-id-list mtime member-time Enable MLD Snooping for the specified VLANs, and specify the member port aging time for the VLANs.
  • Page 262 Configuring Layer 2 Multicast MLD Snooping Configuration Step 5 ipv6 mld snooping vlan-config vlan-id-list report-suppression (Optional) Enable Report Suppression for the VLANs. By default, it is disabled. When enabled, the switch will only forward the first MLD report message for each multicast group to the MLD querier and suppress subsequent MLD report messages for the same multicast group during one query interval.
  • Page 263 Configuring Layer 2 Multicast MLD Snooping Configuration Step 9 ipv6 mld snooping vlan-config vlan-id-list querier (Optional) Enable MLD Snooping Querier for the VLAN. By default, it is disabled. When enabled, the switch acts as an MLD Snooping Querier for the hosts in this VLAN. A querier periodically sends a general query on the network to solicit membership information, and sends group-specific queries when it receives done messages from hosts.
  • Page 264 Configuring Layer 2 Multicast MLD Snooping Configuration Switch(config)#ipv6 mld snooping vlan-config 1 rtime 320 Switch(config)#ipv6 mld snooping vlan-config 1 immediate-leave Switch(config)#ipv6 mld snooping vlan-config 1 report-suppression Switch(config)#show ipv6 mld snooping vlan 1 Vlan Id: 1 Vlan MLD Snooping Status: Enable Fast Leave: Enable Report Suppression: Enable Router Time: Enable...
  • Page 265: Configuring Mld Snooping For Ports

    Configuring Layer 2 Multicast MLD Snooping Configuration Last Member Query Interval: Last Member Query Count: General Query Source IP: fe80::1 Switch(config)#end Switch#copy running-config startup-config 3.2.3 Configuring MLD Snooping for Ports Follow these steps to configure MLD Snooping for ports: Step 1 configure Enter global configuration mode.
  • Page 266: Configuring Hosts To Statically Join A Group

    Configuring Layer 2 Multicast MLD Snooping Configuration Switch(config-if-range)#ipv6 mld snooping immediate-leave Switch(config-if-range)#show ipv6 mld snooping interface gigabitEthernet 1/0/1-3 Port MLD-Snooping Fast-Leave ----------- ------------------- -------------- Gi1/0/1 enable enable Gi1/0/2 enable enable Gi1/0/3 enable enable Switch(config-if-range)#end Switch#copy running-config startup-config 3.2.4 Configuring Hosts to Statically Join a Group Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also configure hosts to statically join a group.
  • Page 267 Configuring Layer 2 Multicast MLD Snooping Configuration Multicast-ip VLAN-id Addr-type Switch-port -------------- ------- --------- ----------- ff80::1234:01 static Gi1/0/1-3 Switch(config)#end Switch#copy running-config startup-config
  • Page 268: Mvr Configuration

    Configuring Layer 2 Multicast MVR Configuration MVR Configuration To complete MVR configuration, follow these steps: 1) Configure 802.1Q VLANs. 2) Configure MVR globally. 3) Add multicast groups to MVR. 4) Configure MVR for the ports. 5) (Optional) Statically add ports to MVR groups. Configuration Guidelines ■...
  • Page 269: Configuring Mvr Globally

    Configuring Layer 2 Multicast MVR Configuration 4.1.2 Configuring MVR Globally Choose the menu L2 FEATURES > Multicast > MVR > MVR Config to load the following page. Figure 4-1 Configure MVR Globally Follow these steps to configure MVR globally: 1) Enable MVR globally and configure the global parameters. Enable or disable MVR globally.
  • Page 270: Adding Multicast Groups To Mvr

    Configuring Layer 2 Multicast MVR Configuration 4.1.3 Adding Multicast Groups to MVR You need to manually add multicast groups to the MVR. Choose the menu L2 FEATURES > Multicast > MVR > MVR Group Config and click to load the following page. Figure 4-2 Add Multicast Groups to MVR Follow these steps to add multicast groups to MVR: 1) Specify the IP address of the multicast groups.
  • Page 271: Configuring Mvr For The Port

    Configuring Layer 2 Multicast MVR Configuration Status Displays the status of the MVR group. In compatible mode, all the MVR groups are added manually, so the status is always active. In dynamic mode, there are two statuses: Inactive: The MVR group is added successfully, but the source port has not received any query messages from this multicast group.
  • Page 272: Optional) Adding Ports To Mvr Groups Statically

    Configuring Layer 2 Multicast MVR Configuration Type Configure the port type. None: The port is a non-MVR port. If you attempt to configure a non-MVR port with MVR characteristics, the operation will be unsuccessful. Source: Configure the uplink ports that receive and send multicast data on the multicast VLAN as source ports.
  • Page 273: Using The Cli

    Configuring Layer 2 Multicast MVR Configuration Using the CLI 4.2.1 Configuring 802.1Q VLANs Before configuring MVR, create an 802.1Q VLAN as the multicast VLAN. Add all the source ports to the multicast VLAN as tagged ports. Configure 802.1Q VLANs for the receiver ports according to network requirements.
  • Page 274 Configuring Layer 2 Multicast MVR Configuration Step 6 mvr group ip-addr count Add multicast groups to the MVR. ip-addr: Specify the start IP address of the contiguous series of multicast groups. count: Specify the number of the multicast groups to be added to the MVR. Valid values are from 1 to 511.
  • Page 275: Configuring Mvr For The Ports

    Configuring Layer 2 Multicast MVR Configuration Switch(config)#show mvr members MVR Group IP status Members ---------------- --------- ---------------- 239.1.2.3 active 239.1.2.4 active 239.1.2.5 active Switch(config)#end Switch#copy running-config startup-config 4.2.3 Configuring MVR for the Ports Follow these steps to configure MVR for the ports: Step 1 configure Enter global configuration mode.
  • Page 276 Configuring Layer 2 Multicast MVR Configuration Step 6 mvr vlan vlan-id group ip-addr (Optional) Statically add the port to an MVR group. Then the port can receive multicast traffic sent to the IP multicast address via the multicast VLAN. This command applies to only receiver ports. The switch adds or removes the receiver ports to the corresponding multicast groups by snooping the report and leave messages from the hosts.
  • Page 277 Configuring Layer 2 Multicast MVR Configuration Port Mode Type Status Immediate Leave ----------- ---------- ------------ --------------------- --------------------- Gi1/0/1 Enable Receiver INACTIVE/InVLAN Enable Gi1/0/2 Enable Receiver INACTIVE/InVLAN Enable Gi1/0/3 Enable Receiver INACTIVE/InVLAN Enable Gi1/0/7 Enable Source INACTIVE/InVLAN Disable Switch(config-if-range)#show mvr members MVR Group IP status Members...
  • Page 278: Multicast Filtering Configuration

    Configuring Layer 2 Multicast Multicast Filtering Configuration Multicast Filtering Configuration To complete multicast filtering configuration, follow these steps: 1) Create the IGMP profile or MLD profile. 2) Configure multicast groups a port can join and the overflow action. Using the GUI 5.1.1 Creating the Multicast Profile You can create multicast profiles for both IPv4 and IPv6 network.
  • Page 279 Configuring Layer 2 Multicast Multicast Filtering Configuration Figure 5-1 Create IPv4 Profile Follow these steps to create a profile. 1) In the General Config section, specify the Profile ID and Mode. Profile ID Enter a profile ID between 1 and 999. Mode Select Permit or Deny as the filtering mode.
  • Page 280: Configure Multicast Filtering For Ports

    Configuring Layer 2 Multicast Multicast Filtering Configuration Figure 5-2 Configure Multicast Groups to Be Filtered 3) In the Bind Ports section, select your desired ports to be bound with the profile. 4) Click Save. 5.1.2 Configure Multicast Filtering for Ports You can modify the mapping relation between ports and profiles in batches, and configure the number of multicast groups a port can join and the overflow action.
  • Page 281: Using The Cli

    Configuring Layer 2 Multicast Multicast Filtering Configuration Follow these steps to bind the profile to ports and configure the corresponding parameters for the ports: 1) Select one or more ports to configure. 2) Specify the profile to be bound, and configure the maximum groups the port can join and the overflow action.
  • Page 282 Configuring Layer 2 Multicast Multicast Filtering Configuration Step 3 Permit Configure the profile’s filtering mode as permit. Then the profile acts as a whitelist and only allows specific member ports to join specified multicast groups. deny Configure the profile’s filtering mode as deny. Then the profile acts as a blacklist and prevents specific member ports from joining specific multicast groups.
  • Page 283 Configuring Layer 2 Multicast Multicast Filtering Configuration Step 2 ipv6 mld profile id Create a new profile and enter profile configuration mode. Step 3 Permit Configure the profile’s filtering mode as permit. It is similar to a whitelist, indicating that the switch only allows specific member ports to join specific multicast groups.
  • Page 284: Binding The Profile To Ports

    Configuring Layer 2 Multicast Multicast Filtering Configuration 5.2.2 Binding the Profile to Ports You can bind the created IGMP profile or MLD profile to ports, and configure the number of multicast groups a port can join and the overflow action. Binding the IGMP Profile to Ports Step 1 configure...
  • Page 285 Configuring Layer 2 Multicast Multicast Filtering Configuration The following example shows how to bind the existing Profile 1 to port 1/0/2, and specify the maximum number of multicast groups that port 1/0/2 can join as 50 and the Overflow Action as Drop: Switch#configure Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#ip igmp snooping...
  • Page 286 Configuring Layer 2 Multicast Multicast Filtering Configuration Step 4 ipv6 mld snooping max-groups maxgroup Configure the maximum number of multicast groups the port can join. maxgroup : Specify the maximum number of multicast groups the port can join. Valid values range from 1 to 511.
  • Page 287 Configuring Layer 2 Multicast Multicast Filtering Configuration Gi1/0/2 Switch(config-if)#show ipv6 mld snooping interface gigabitEthernet 1/0/2 max-groups Port Max-Groups Overflow-Action ------------- --------------- --------------------- Gi1/0/2 Drops Switch(config)#end Switch#copy running-config startup-config
  • Page 288: Viewing Multicast Snooping Information

    Configuring Layer 2 Multicast Viewing Multicast Snooping Information Viewing Multicast Snooping Information You can view the following multicast snooping information: ■ View IPv4 multicast table. ■ View IPv4 multicast statistics on each port. ■ View IPv6 multicast table. ■ View IPv6 multicast statistics on each port. Using the GUI 6.1.1 Viewing IPv4 Multicast Table Choose the menu L2 FEATURES >...
  • Page 289: Viewing Ipv4 Multicast Statistics On Each Port

    Configuring Layer 2 Multicast Viewing Multicast Snooping Information Forward Ports All ports in the multicast group, including router ports and member ports. 6.1.2 Viewing IPv4 Multicast Statistics on Each Port Choose the menu L2 FEATURES > Multicast > Multicast Info > IPv4 Multicast Statistics to load the following page: Figure 6-2 IPv4 Multicast Statistics Follow these steps to view IPv4 multicast statistics on each port:...
  • Page 290: Viewing Ipv6 Multicast Table

    Configuring Layer 2 Multicast Viewing Multicast Snooping Information Report Packets Displays the number of IGMPv2 report packets received by the port. (v2) Report Packets Displays the number of IGMPv3 report packets received by the port. (v3) Leave Packets Displays the number of leave packets received by the port. Error Packets Displays the number of error packets received by the port.
  • Page 291: Viewing Ipv6 Multicast Statistics On Each Port

    Configuring Layer 2 Multicast Viewing Multicast Snooping Information 6.1.4 Viewing IPv6 Multicast Statistics on Each Port Choose the menu L2 FEATURES > Multicast > Multicast Info > IPv6 Multicast Statistics to load the following page: Figure 6-4 IPv6 Multicast Statistics Follow these steps to view IPv6 multicast statistics on each port: 1) To get the real-time IPv6 multicast statistics, enable Auto Refresh, or click Refresh.
  • Page 292: Using The Cli

    Configuring Layer 2 Multicast Viewing Multicast Snooping Information Error Packets Displays the number of error packets received by the port. Using the CLI 6.2.1 Viewing IPv4 Multicast Snooping Information show ip igmp snooping groups [ vlan vlan-id ] [count | dynamic | dynamic count | static | static count ] Displays information of specific multicast group in all VLANs or in the specific VLAN.
  • Page 293: Configuration Examples

    Configuring Layer 2 Multicast Configuration Examples Configuration Examples Example for Configuring Basic IGMP Snooping 7.1.1 Network Requirements Host B, Host C and Host D are in the same VLAN of the switch. All of them want to receive multicast streams sent to multicast group 225.1.1.1. As shown in the following topology, Host B, Host C and Host D are connected to port 1/0/1, port 1/0/2 and port 1/0/3 respectively.
  • Page 294: Using The Gui

    Configuring Layer 2 Multicast Configuration Examples ■ Enable IGMP Snooping on the ports. Demonstrated with T1500-28PCT, this section provides configuration procedures in two ways: using the GUI and using the CLI. 7.1.3 Using the GUI 1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page.
  • Page 295 Configuring Layer 2 Multicast Configuration Examples Figure 7-3 Configure PVID for the Ports 3) Choose the menu L2 FEATURES > Multicast > IGMP Snooping > Global Config to load the following page. In the Global Config section, enable IGMP Snooping globally. Configure the IGMP version as v3 so that the switch can process IGMP messages of all versions.
  • Page 296: Using The Cli

    Configuring Layer 2 Multicast Configuration Examples Figure 7-5 Enable IGMP Snooping for VLAN 10 5) Choose the menu L2 FEATURES > Multicast > IGMP Snooping > Port Config to load the following page. Enable IGMP Snooping for ports 1/0/1-4. Figure 7-6 Enable IGMP Snooping for the Ports 6) Click to save the settings.
  • Page 297 Configuring Layer 2 Multicast Configuration Examples 2) Add port 1/0/1-3 to VLAN 10 and set the link type as untagged. Add port 1/0/4 to VLAN 10 and set the link type as tagged. Switch(config)#interface range fastEthernet 1/0/1-3 Switch(config-if-range)#switchport general allowed vlan 10 untagged Switch(config-if-range)#exit Switch(config)#interface fastEthernet 1/0/4 Switch(config-if)#switchport general allowed vlan 10 tagged...
  • Page 298: Example For Configuring Mvr

    Configuring Layer 2 Multicast Configuration Examples Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8, vlan10 active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4 Show status of IGMP Snooping globally, on the ports and in the VLAN: Switch(config)#show ip igmp snooping IGMP Snooping :Enable IGMP Version Header Validation :Disable Global Authentication Accounting :Disable...
  • Page 299: Configuration Scheme

    Configuring Layer 2 Multicast Configuration Examples Figure 7-7 Network Topology for Multicast VLAN Source Querier VLAN 40 Gi1/0/4 Gi1/0/1 Gi1/0/3 Gi1/0/2 Host D Host B Host C Receiver Receiver Receiver 7.2.3 Configuration Scheme As the hosts are in different VLANs, in IGMP Snooping, the Querier needs to duplicate multicast streams for hosts in each VLAN.
  • Page 300 Configuring Layer 2 Multicast Configuration Examples Figure 7-8 VLAN Configurations for Port 1/0/1-3 Figure 7-9 PVID for Port 1/0/1-3 2) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 40 and add port 1/0/4 to the VLAN as Tagged port.
  • Page 301 Configuring Layer 2 Multicast Configuration Examples Figure 7-10 Create Multicast VLAN 3) Choose the menu L2 FEATURES > Multicast > MVR > MVR Config to load the following page. Enable MVR globally, and configure the MVR mode as Dynamic, multicast VLAN ID as 40.
  • Page 302: Using The Cli

    Configuring Layer 2 Multicast Configuration Examples Figure 7-12 Add Multicast Group to MVR 5) Choose the menu L2 FEATURES > Multicast > MVR > Port Config to load the following page. Enable MVR for port 1/0/1-4. Configure port 1/0/1-3 as Receiver ports and port 1/0/4 as Source port.
  • Page 303 Configuring Layer 2 Multicast Configuration Examples Switch(config-if)#switchport pvid 10 Switch(config-if)#exit Switch(config)#interface fastEthernet 1/0/2 Switch(config-if)#switchport general allowed vlan 20 untagged Switch(config-if)#switchport pvid 20 Switch(config-if)#exit Switch(config)#interface fastEthernet 1/0/3 Switch(config-if)#switchport general allowed vlan 30 untagged Switch(config-if)#switchport pvid 30 Switch(config-if)#exit Switch(config)#interface fastEthernet 1/0/4 Switch(config-if)#switchport general allowed vlan 40 tagged Switch(config-if)#switchport pvid 40 Switch(config-if)#exit 3) Check whether port 1/0/1-3 only belong to VLAN 10, VLAN 20 and VLAN 30...
  • Page 304 Configuring Layer 2 Multicast Configuration Examples Switch(config)#mvr Switch(config)#mvr mode dynamic Switch(config)#mvr vlan 40 Switch(config)#mvr group 225.1.1.1 1 5) Enable MVR for port 1/0/1-4. Configure port 1/0/1-3 as Receiver ports and port 1/0/4 as Source port. Switch(config)#interface range fastEthernet 1/0/1-3 Switch(config-if-range)#mvr Switch(config-if-range)#mvr type receiver Switch(config-if-range)#exit Switch(config)#interface fastEthernet 1/0/4...
  • Page 305: Example For Configuring Unknown Multicast And Fast Leave

    Configuring Layer 2 Multicast Configuration Examples MVR Multicast Vlan MVR Max Multicast Groups :511 MVR Current Multicast Groups MVR Global Query Response Time :5 (tenths of sec) MVR Mode Type :Dynamic Show the membership of MVR groups: Switch(config)#show mvr members MVR Group IP Status Members...
  • Page 306: Configuration Scheme

    Configuring Layer 2 Multicast Configuration Examples Figure 7-14 Network Topology for Unknown Multicast and Fast Leave Source Querier Gi1/0/4 VLAN 10 Gi1/0/2 VLAN 10 Host B Receiver 7.3.2 Configuration Scheme After the channel is changed, the client (Host B) still receives irrelevant multicast data, the data from the previous channel and possibly other unknown multicast data, which increases the network load and results in network congestion.
  • Page 307 Configuring Layer 2 Multicast Configuration Examples Figure 7-15 Configure IGMP Snooping Globally Note: IGMP Snooping and MLD Snooping share the setting of Unknown Multicast, so you have to enable MLD Snooping globally on the L2 FEATURES > Multicast > MLD Snooping > Global Config page at the same time.
  • Page 308: Using The Cli

    Configuring Layer 2 Multicast Configuration Examples Figure 7-17 Configure IGMP Snooping on Ports 5) Click to save the settings. 7.3.4 Using the CLI 1) Enable IGMP Snooping and MLD Snooping globally. Switch#configure Switch(config)#ip igmp snooping Switch(config)#ipv6 mld snooping 2) Configure Unknown Multicast Groups as Discard globally. Switch(config)#ip igmp snooping drop-unknown 3) Enable IGMP Snooping on port 1/0/2 and enable Fast Leave.
  • Page 309: Example For Configuring Multicast Filtering

    Configuring Layer 2 Multicast Configuration Examples 5) Save the settings. Switch(config)#end Switch#copy running-config startup-config Verify the Configurations Show global settings of IGMP Snooping: Switch(config)#show ip igmp snooping IGMP Snooping :Enable IGMP Version Unknown Multicast :Discard Enable Port: Gi1/0/1-28 Enable VLAN:10 Show settings of IGMP Snooping on port 1/0/2: Switch(config)#show ip igmp snooping interface fastEthernet 1/0/2 basic-config Port...
  • Page 310: Network Topology

    Configuring Layer 2 Multicast Configuration Examples 7.4.3 Network Topology As shown in the following network topology, Host B is connected to port 1/0/1, Host C is connected to port 1/0/2 and Host D is connected to port 1/0/3. They are all in VLAN 10. Figure 7-18 Network Topology for Multicast Filtering Source Querier...
  • Page 311 Configuring Layer 2 Multicast Configuration Examples Figure 7-19 Enable IGMP Snooping Globally 3) In the IGMP VLAN Config section, click in VLAN 10 to load the following page. Enable IGMP Snooping for VLAN 10. Figure 7-20 Enable IGMP Snooping for VLAN 10
  • Page 312 Configuring Layer 2 Multicast Configuration Examples 4) Choose the menu L2 FEATURES > Multicast > IGMP Snooping > Port Config to load the following page. Figure 7-21 Enable IGMP Snooping on the Port 5) Choose the menu L2 FEATURES > Multicast > Multicast Filtering > IPv4 Profile and click to load the following page.
  • Page 313 Configuring Layer 2 Multicast Configuration Examples Figure 7-22 Configure Filtering Profile for Host C and Host D 6) Click again to load the following page. Create Profile 2, specify the mode as Deny, bind the profile to port 1/0/1, and specify the filtering multicast IP address as 225.0.0.2.
  • Page 314: Using The Cli

    Configuring Layer 2 Multicast Configuration Examples Figure 7-23 Configure Filtering Profile for Host B 7) Click to save the settings. 7.4.5 Using the CLI 1) Create VLAN 10. Switch#configure Switch(config)#vlan 10 Switch(config-vlan)#name vlan10 Switch(config-vlan)#exit 2) Add port 1/0/1-3 to VLAN 10 and set the link type as untagged. Add port 1/0/4 to VLAN 10 and set the link type as tagged.
  • Page 315 Configuring Layer 2 Multicast Configuration Examples Switch(config)#interface fastEthernet 1/0/4 Switch(config-if)#switchport general allowed vlan 10 tagged Switch(config-if)#exit 3) Set the PVID of port 1/0/1-4 as 10. Switch(config)#interface range fastEthernet 1/0/1-4 Switch(config-if-range)#switchport pvid 10 Switch(config-if-range)#exit 4) Enable IGMP Snooping Globally. Switch(config)#ip igmp snooping 5) Enable IGMP Snooping in VLAN 10.
  • Page 316 Configuring Layer 2 Multicast Configuration Examples Switch(config)#interface fastEthernet 1/0/1 Switch(config-if)#ip igmp filter 2 Switch(config-if)#exit 11) Save the settings. Switch(config)#end Switch#copy running-config startup-config Verify the Configurations Show global settings of IGMP Snooping: Switch(config)#show ip igmp snooping IGMP Snooping :Enable IGMP Version Enable Port:Gi1/0/1-4 Enable VLAN:10 Show all profile bindings:...
  • Page 317: Appendix: Default Parameters

    Configuring Layer 2 Multicast Appendix: Default Parameters Appendix: Default Parameters Default Parameters for IGMP Snooping Table 8-1 Default Parameters of IGMP Snooping Function Parameter Default Setting IGMP Snooping Disabled IGMP Version Global Settings of IGMP Snooping Unknown Multicast Groups Forward Header Validation Disabled IGMP Snooping...
  • Page 318: Default Parameters For Mld Snooping

    Configuring Layer 2 Multicast Appendix: Default Parameters Default Parameters for MLD Snooping Table 8-2 Default Parameters of MLD Snooping Function Parameter Default Setting MLD Snooping Disabled Global Settings of IGMP Snooping Unknown Multicast Groups Forward MLD Snooping Disabled Fast Leave Disabled Report Suppression Disabled...
  • Page 319: Default Parameters For Mvr

    Configuring Layer 2 Multicast Appendix: Default Parameters Default Parameters for MVR Table 8-3 Default Parameters of MVR Function Parameter Default Setting Disabled MVR Mode Compatible Global Settings of MVR Multicast VLAN ID Query Response Time 5 tenths of a second Maximum Multicast Groups MVR Group Settings MVR Group Entries...
  • Page 320: Configuring Spanning Tree

    Part 11 Configuring Spanning Tree CHAPTERS 1. Spanning Tree 2. STP/RSTP Configurations 3. MSTP Configurations 4. STP Security Configurations 5. Configuration Example for MSTP 6. Appendix: Default Parameters
  • Page 321: Spanning Tree

    Configuring Spanning Tree Spanning Tree Spanning Tree Overview STP (Spanning Tree Protocol) is a layer 2 Protocol that prevents loops in the network. As is shown in Figure 1-1, STP helps to: ■ Block specific ports of the switches to build a loop-free topology. ■...
  • Page 322 Configuring Spanning Tree Spanning Tree Figure 1-2 STP/RSTP Topology Root bridge Designated port Designated port Root port Root port Designated port Designated port Root port Root port Designated port Backup port Alternate port Root Bridge The root bridge is the root of a spanning tree. The switch with the lowest bridge ID will be the root bridge, and there is only one root bridge in a spanning tree.
  • Page 323 Configuring Spanning Tree Spanning Tree In RSTP/MSTP, the alternate port is the backup for the root port. It is blocked when the root port works normally. Once the root port fails, the alternate port will become the new root port. In STP, the alternate port is always blocked.
  • Page 324 Spanning Tree Learning and Forwarding status correspond exactly to the Learning and Forwarding status specified in STP. In TP-Link switches, the port status includes: Blocking, Learning, Forwarding and Disconnected. ■ Blocking In this status, the port receives and sends BPDUs. The other packets are dropped.
  • Page 325: Mstp Concepts

    Configuring Spanning Tree Spanning Tree downstream switch. The value of the accumulated root path cost increases as the BPDU spreads further. BPDU BPDU is a kind of packet that is used to generate and maintain the spanning tree. The BPDUs (Bridge Protocol Data Unit) contain a lot of information, like bridge ID, root path cost, port priority and so on.
  • Page 326: Stp Security

    Configuring Spanning Tree Spanning Tree MST Instance The MST instance is a spanning tree running in the MST region. Multiple MST instances can be established in one MST region and they are independent of each other. As is shown in Figure 1-4, there are three instances in a region, and each instance has its own root bridge.
  • Page 327 Configuring Spanning Tree Spanning Tree » Loop Protect Loop Protect function is used to prevent loops caused by link congestions or link failures. It is recommended to enable this function on root ports and alternate ports. If the switch cannot receive BPDUs because of link congestions or link failures, the root port will become a designated port and the alternate port will transit to forwarding status, so loops will occur.
  • Page 328 Configuring Spanning Tree Spanning Tree TC Protect function is used to prevent the switch from frequently removing MAC address entries. It is recommended to enable this function on the ports of non-root switches. A switch removes MAC address entries upon receiving TC-BPDUs (the packets used to announce changes in the network topology).
  • Page 329: Stp/Rstp Configurations

    Configuring Spanning Tree STP/RSTP Configurations STP/RSTP Configurations To complete the STP/RSTP configuration, follow these steps: 1) Configure STP/RSTP parameters on ports. 2) Configure STP/RSTP globally. 3) Verify the STP/RSTP configurations. Configuration Guidelines ■ Before configuring the spanning tree, it’s necessary to make clear the role that each switch plays in a spanning tree.
  • Page 330 Configuring Spanning Tree STP/RSTP Configurations Follow these steps to configure STP/RSTP parameters on ports: 1) In the Port Config section, configure STP/RSTP parameters on ports. UNIT Select the desired unit or LAGs. Status Enable or disable spanning tree function on the desired port. Priority Specify the Priority for the desired port.
  • Page 331: Configuring Stp/Rstp Globally

    Configuring Spanning Tree STP/RSTP Configurations MCheck Select whether to perform MCheck operations on the port. If a port on an RSTP-enabled/MSTP-enabled device is connected to an STP-enabled device, the port will switch to STP compatible mode and send packets in STP format.
  • Page 332 Configuring Spanning Tree STP/RSTP Configurations Figure 2-2 Configuring STP/RSTP Globally Follow these steps to configure STP/RSTP globally: 1) In the Parameters Config section, configure the global parameters of STP/RSTP and click Apply. CIST Priority Specify the CIST priority for the switch. CIST priority is a parameter used to determine the root bridge for spanning tree.
  • Page 333: Verifying The Stp/Rstp Configurations

    Configuring Spanning Tree STP/RSTP Configurations Max Hops Specify the maximum BPDU counts that can be forwarded in a MST region. The default value is 20. A switch receives BPDU, then decrements the hop count by one and generates BPDUs with the new value. When the hop reaches zero, the switch will discard the BPDU.
  • Page 334 Configuring Spanning Tree STP/RSTP Configurations Figure 2-3 Verifying the STP/RSTP Configurations The STP Summary section shows the summary information of spanning tree : Spanning Tree Displays the status of the spanning tree function. Spanning Tree Mode Displays the spanning tree mode. Local Bridge Displays the bridge ID of the local bridge.
  • Page 335: Using The Cli

    Configuring Spanning Tree STP/RSTP Configurations Designated Bridge Displays the bridge ID of the designated bridge. The designated bridge is the switch that has designated ports. Root Port Displays the root port of the current switch. Latest TC Time Displays the latest time when the topology is changed. TC Count Displays how many times the topology has changed.
  • Page 336 Configuring Spanning Tree STP/RSTP Configurations Step 4 spanning-tree common-config [ port-priority pri ] [ ext-cost ext-cost ] [ portfast { enable | disable }] [ point-to-point { auto | open | close }] Configure STP/RSTP parameters on the desired port . pri: Specify the Priority for the desired port.
  • Page 337: Configuring Global Stp/Rstp Parameters

    Configuring Spanning Tree STP/RSTP Configurations The following example shows how to enable spanning tree function on port 1/0/3 and configure the port priority as 32 : Switch#configure Switch(config)#interface gigabitEthernet 1/0/3 Switch(config-if)#spanning-tree Switch(config-if)#spanning-tree common-config port-priority 32 Switch(config-if)#show spanning-tree interface gigabitEthernet 1/0/3 Interface State Prio...
  • Page 338 Configuring Spanning Tree STP/RSTP Configurations Step 3 spanning-tree timer {[ forward-time forward-time ] [hello-time hello-time ] [ max-age max- age ]} (Optional) Configure the Forward Delay, Hello Time and Max Age. forward-time: Specify the value of Forward Delay. It is the interval between the port state transition from listening to learning.
  • Page 339: Enabling Stp/Rstp Globally

    Configuring Spanning Tree STP/RSTP Configurations Switch#configure Switch(config)#spanning-tree priority 36864 Switch(config)#spanning-tree timer forward-time 12 Switch(config)#show spanning-tree bridge State Mode Priority Hello-Time Fwd-Time Max-Age Hold-Count Max-Hops ------- ----- -------- ------ -------- -------- --------- -------- Enable Rstp 36864 Switch(config)#end Switch#copy running-config startup-config 2.2.3 Enabling STP/RSTP Globally Follow these steps to configure the spanning tree mode as STP/RSTP, and enable spanning tree function globally: Step 1...
  • Page 340 Configuring Spanning Tree STP/RSTP Configurations Switch(config)#show spanning-tree active Spanning tree is enabled Spanning-tree’s mode: RSTP (802.1w Rapid Spanning Tree Protocol) Latest topology change time: 2006-01-02 10:04:02 Root Bridge Priority : 32768 Address : 00-0a-eb-13-12-ba Local bridge is the root bridge Designated Bridge Priority : 32768...
  • Page 341: Mstp Configurations

    Configuring Spanning Tree MSTP Configurations MSTP Configurations To complete the MSTP configuration, follow these steps: 1) Configure parameters on ports in CIST. 2) Configure the MSTP region. 3) Configure the MSTP globally. 4) Verify the MSTP configurations. Configuration Guidelines ■ Before configuring the spanning tree, it’s necessary to make clear the role that each switch plays in a spanning tree.
  • Page 342 Configuring Spanning Tree MSTP Configurations Follow these steps to configure parameters on ports in CIST: 1) In the Port Config section, configure the parameters on ports. UNIT Select the desired unit or LAGs. Status Enable or disable spanning tree function on the desired port. Priority Specify the Priority for the desired port.
  • Page 343 Configuring Spanning Tree MSTP Configurations P2P Link Select the status of the P2P (Point-to-Point) link to which the ports are connected. During the regeneration of the spanning tree, if the port of P2P link is elected as the root port or the designated port, it can transit its state to forwarding directly.
  • Page 344: Configuring The Mstp Region

    Configuring Spanning Tree MSTP Configurations Port Status Displays the port status. Forwarding: The port receives and sends BPDUs, and forwards user data. Learning: The port receives and sends BPDUs. It also receives user traffic, but doesn’t forward the traffic. Blocking: The port only receives and sends BPDUs. Disconnected: The port has the spanning tree function enabled but is not connected to any device.
  • Page 345 Configuring Spanning Tree MSTP Configurations ■ Configuring the VLAN-Instance Mapping and Switch Priority Choose the menu L2 FEATURES > Spanning Tree > MSTP Instance > Instance Config to load the following page. Figure 3-3 Configuring the VLAN-Instance Mapping Follow these steps to map VLANs to the corresponding instance, and configure the priority of the switch in the desired instance: 1) In the Instance Config section, click Add and enter the instance ID, Priority and corresponding VLAN ID.
  • Page 346 Configuring Spanning Tree MSTP Configurations ■ Configuring Parameters on Ports in the Instance Choose the menu L2 FEATURES > Spanning Tree > MSTP Instance > Instance Port Config to load the following page. Figure 3-5 Configuring Port Parameters in the Instance Follow these steps to configure port parameters in the instance: 1) In the Instance Port Config section, select the desired instance ID.
  • Page 347 Configuring Spanning Tree MSTP Configurations Port Role Displays the role that the port plays in the desired instance. Root Port: Indicates that the port is the root port in the desired instance. It has the lowest path cost from the root bridge to this switch and is used to communicate with the root bridge.
  • Page 348: Configuring Mstp Globally

    Configuring Spanning Tree MSTP Configurations 3.1.3 Configuring MSTP Globally Choose the menu L2 FEATURES > Spanning Tree > STP Config > STP Config to load the following page. Figure 3-6 Configure MSTP Function Globally Follow these steps to configure MSTP globally: 1) In the Parameters Config section, Configure the global parameters of MSTP and click Apply.
  • Page 349 Configuring Spanning Tree MSTP Configurations Forward Delay Specify the interval between the port state transition from listening to learning. The default value is 15. It is used to prevent the network from causing temporary loops during the regeneration of spanning tree. The interval between the port state transition from learning to forwarding is also the Forward Delay.
  • Page 350: Verifying The Mstp Configurations

    Configuring Spanning Tree MSTP Configurations 3.1.4 Verifying the MSTP Configurations Choose the menu Spanning Tree > STP Config > STP Summary to load the following page. Figure 3-7 Verifying the MSTP Configurations The STP Summary section shows the summary information of CIST: Spanning Tree Displays the status of the spanning tree function.
  • Page 351: Using The Cli

    Configuring Spanning Tree MSTP Configurations Regional Root Bridge Displays the bridge ID of the root bridge in IST. Internal Path Cost Displays the internal path cost. It is the root path cost from the current switch to the root bridge in IST. Designated Bridge Displays the bridge ID of the designated bridge in CIST.
  • Page 352 Configuring Spanning Tree MSTP Configurations Step 3 spanning-tree Enable spanning tree function for the desired port. Step 4 spanning-tree common-config [ port-priority pri ] [ ext-cost ext-cost ] [ int-cost int-cost ][ portfast { enable | disable }] [ point-to-point { auto | open | close }] Configure the parameters on ports in CIST.
  • Page 353 Configuring Spanning Tree MSTP Configurations Step 6 show spanning-tree interface [ fastEthernet port | gigabitEthernet port | ten- gigabitEthernet port | port-channel lagid ] [ edge | ext-cost | int-cost | mode | p2p | priority | role | state | status ] (Optional) View the information of all ports or a specified port.
  • Page 354: Configuring The Mstp Region

    Configuring Spanning Tree MSTP Configurations 3.2.2 Configuring the MSTP Region ■ Configuring the MST Region Follow these steps to configure the MST region and the priority of the switch in the instance: Step 1 configure Enter global configuration mode. Step 2 spanning-tree mst instance instance-id priority pri Configure the priority of the switch in the instance.
  • Page 355 Configuring Spanning Tree MSTP Configurations Step 8 Return to privileged EXEC mode. Step 9 copy running-config startup-config Save the settings in the configuration file. This example shows how to create an MST region, of which the region name is R1, the revision level is 100 and VLAN 2-VLAN 6 are mapped to instance 5: Switch#configure Switch(config)#spanning-tree mst configuration...
  • Page 356 Configuring Spanning Tree MSTP Configurations Step 3 spanning-tree mst instance instance-id {[ port-priority pri ] | [ cost cost ]} Configure the priority and path cost of ports in the specified instance. instance-id: Specify the instance ID, the valid values ranges from 1 to 8. pri: Specify the Priority for the port in the corresponding instance.
  • Page 357: Configuring Global Mstp Parameters

    Configuring Spanning Tree MSTP Configurations Interface Prio Cost Role Status ----------- ------ ------ -------- --------- ------- Gi1/0/3 144 200 LnkDwn N/A Switch(config-if)#end Switch#copy running-config startup-config 3.2.3 Configuring Global MSTP Parameters Follow these steps to configure the global MSTP parameters of the switch: Step 1 configure Enter global configuration mode.
  • Page 358 Configuring Spanning Tree MSTP Configurations Step 5 spanning-tree max-hops value (Optional) Specify the maximum BPDU hop counts that can be forwarded in a MST region. A switch receives BPDU, then decrements the hop count by one and generates BPDUs with the new value.
  • Page 359: Enabling Spanning Tree Globally

    Configuring Spanning Tree MSTP Configurations 3.2.4 Enabling Spanning Tree Globally Follow these steps to configure the spanning tree mode as MSTP and enable spanning tree function globally: Step 1 configure Enter global configuration mode. Step 2 spanning-tree mode mstp Configure the spanning tree mode as MSTP. mstp: Specify the spanning tree mode as MSTP.
  • Page 360 Configuring Spanning Tree MSTP Configurations Priority : 32768 Address : 00-0a-eb-13-23-97 Regional Root Bridge Priority : 36864 Address : 00-0a-eb-13-12-ba Local bridge is the regional root bridge Local Bridge Priority : 36864 Address : 00-0a-eb-13-12-ba Interface State Prio Ext-Cost Int-Cost Edge Mode Role Status...
  • Page 361: Stp Security Configurations

    Configuring Spanning Tree STP Security Configurations STP Security Configurations Using the GUI Choose the menu L2 FEATURES > Spanning Tree > STP Security to load the following page. Figure 4-1 Configuring the Port Protect Configure the Port Protect features for the selected ports, and click Apply. UNIT Select the desired unit or LAGs for configuration.
  • Page 362: Using The Cli

    Configuring Spanning Tree STP Security Configurations Root Protect Enable or disable Root Protect. It is recommended to enable this function on the designated ports of the root bridge. Switches with faulty configurations may produce higher-priority BPDUs than the root bridge’s, and this situation will cause recalculation of the spanning tree.
  • Page 363 Configuring Spanning Tree STP Security Configurations Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 3 spanning-tree guard loop (Optional) Enable Loop Protect.
  • Page 364 Configuring Spanning Tree STP Security Configurations Step 8 spanning-tree bpduflood (Optional) Enable BPDU Forward. This function only takes effect when the spanning tree function is disabled globally. By default, it is enabled. With BPDU forward enabled, the port can still forward spanning tree BPDUs when the spanning tree function is disabled.
  • Page 365: Configuration Example For Mstp

    Configuring Spanning Tree Configuration Example for MSTP Configuration Example for MSTP MSTP, backwards-compatible with STP and RSTP, can map VLANs to instances to implement load-balancing, thus providing a more flexible method in network management. Here we take the MSTP configuration as an example. Network Requirements As shown in figure 5-1, the network consists of three switches.
  • Page 366: Using The Gui

    Configuring Spanning Tree Configuration Example for MSTP Figure 5-2 VLAN-Instance Mapping Switch A Gi1/0/1 Gi1/0/1 Gi1/0/1 Switch B Switch C Instance 1: VLAN 101 -VLAN 103 Instance 2: VLAN 104 -VLAN 106 Blocked Port The overview of configuration is as follows: 1) Enable MSTP function globally in all the switches.
  • Page 367 Configuring Spanning Tree Configuration Example for MSTP Figure 5-3 Configure the Global MSTP Parameters of the Switch 2) Choose the menu L2 FEATURES > Spanning Tree > STP Config > Port Config to load the following page. Enable spanning tree function on port 1/0/1 and port 1/0/2. Here we leave the values of the other parameters as default settings.
  • Page 368 Configuring Spanning Tree Configuration Example for MSTP Figure 5-5 Configuring the MST Region 4) Choose the menu L2 FEATURES > Spanning Tree > MSTP Instance > Instance Config. Click Add, map VLAN101-VLAN103 to instance 1 and set the priority as 32768; map VLAN104-VLAN106 to instance 2 and set the priority as 32768.
  • Page 369 Configuring Spanning Tree Configuration Example for MSTP Figure 5-7 Configure the Path Cost of Port 1/0/1 In Instance 1 6) Click to save the settings. ■ Configurations for Switch B 1) Choose the menu L2 FEATURES > Spanning Tree > STP Config > STP Config to load the following page.
  • Page 370 Configuring Spanning Tree Configuration Example for MSTP Figure 5-9 Enable Spanning Tree Function on Ports 3) Choose the menu L2 FEATURES > Spanning Tree > MSTP Instance > Region Config to load the following page. Set the region name as 1 and the revision level as 100. Click Apply.
  • Page 371 Configuring Spanning Tree Configuration Example for MSTP 5) Choose the menu L2 FEATURES > Spanning Tree > MSTP Instance > Instance Port Config to load the following page. Set the path cost of port 1/0/2 in instance 2 as 300000 so that port 1/0/1 of switch A can be selected as the designated port. Figure 5-12 Configure the Path Cost of Port 1/0/2 in Instance 2 6) Click to save the settings.
  • Page 372 Configuring Spanning Tree Configuration Example for MSTP 2) Choose the menu L2 FEATURES > Spanning Tree > STP Config > Port Config to load the following page. Enable the spanning tree function on port 1/0/1 and port 1/0/2. Here we leave the values of the other parameters as default settings. Click Apply. Figure 5-14 Enable Spanning Tree Function on Ports 3) Choose the menu Spanning Tree >...
  • Page 373: Using The Cli

    Configuring Spanning Tree Configuration Example for MSTP Using the CLI ■ Configurations for Switch A 1) Configure the spanning tree mode as MSTP, then enable spanning tree function globally. Switch#configure Switch(config)#spanning-tree mode mstp Switch(config)#spanning-tree 2) Enable the spanning tree function on port 1/0/1 and port 1/0/2, and specify the path cost of port 1/0/1 in instance 1 as 300000.
  • Page 374 Configuring Spanning Tree Configuration Example for MSTP 2) Enable the spanning tree function on port 1/0/1 and port 1/0/2, and specify the path cost of port 1/0/2 in instance 2 as 300000. Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#spanning-tree Switch(config-if)#spanning-tree mst instance 2 cost 300000 Switch(config-if)#exit Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#spanning-tree...
  • Page 375 Configuring Spanning Tree Configuration Example for MSTP 3) Configure the region name as 1, the revision number as 100; map VLAN101-VLAN103 to instance 1; map VLAN104-VLAN106 to instance 2; configure the priority of Switch C in instance 2 as 0 to set it as the root bridge in instance 2: Switch(config)#spanning-tree mst configuration Switch(config-mst)#name 1 Switch(config-mst)#revision 100...
  • Page 376 Configuring Spanning Tree Configuration Example for MSTP Interface Prio Cost Role Status --------- ---- -------- ------ ----- ---- Gi1/0/1 300000 Root Gi1/0/2 200000 Altn Verify the configurations of Switch A in instance 2: Switch(config)#show spanning-tree mst instance 2 MST-Instance 2 Root Bridge Priority Address...
  • Page 377 Configuring Spanning Tree Configuration Example for MSTP Local bridge is the root bridge Designated Bridge Priority Address : 00-0a-eb-13-12-ba Local Bridge Priority Address : 00-0a-eb-13-12-ba Interface Prio Cost Role Status ---------- ---- -------- ------- -------- Gi1/0/1 200000 Desg Gi1/0/2 200000 Desg Verify the configurations of Switch B in instance 2: Switch(config)#show spanning-tree mst instance 2 MST-Instance 2...
  • Page 378 Configuring Spanning Tree Configuration Example for MSTP ■ Switch C Verify the configurations of Switch C in instance 1: Switch(config)#show spanning-tree mst instance 1 MST-Instance 1 Root Bridge Priority Address : 00-0a-eb-13-12-ba Internal Cost : 200000 Root Port Designated Bridge Priority Address : 00-0a-eb-13-12-ba...
  • Page 379 Configuring Spanning Tree Configuration Example for MSTP Local Bridge Priority Address : 3c-46-d8-9d-88-f7 Interface Prio Cost Role Status ----------- ------ --------- ------- ---------- Gi1/0/1 200000 Desg Gi1/0/2 200000 Desg
  • Page 380: Appendix: Default Parameters

    Configuring Spanning Tree Appendix: Default Parameters Appendix: Default Parameters Default settings of the Spanning Tree feature are listed in the following table. Table 6-1 Default Settings of the Global Parameters Parameter Default Setting Spanning-tree Disabled Mode CIST Priority 32768 Hello Time 2 seconds Max Age 20 seconds...
  • Page 381 Configuring Spanning Tree Appendix: Default Parameters Parameter Default Setting Priority 32768 Port Priority Path Cost Auto Table 6-4 Default Settings of the STP Security Parameter Default Setting Loop Protect Disabled Root Protect Disabled TC Guard Disabled BPDU Protect Disabled BPDU Filter Disabled BPDU Forward Enabled...
  • Page 382: Configuring Lldp

    Part 12 Configuring LLDP CHAPTERS 1. LLDP 2. LLDP Configurations 3. LLDP-MED Configurations 4. Viewing LLDP Settings 5. Viewing LLDP-MED Settings 6. Configuration Example 7. Appendix: Default Parameters
  • Page 383: Lldp

    Configuring LLDP LLDP LLDP Overview LLDP (Link Layer Discovery Protocol) is a neighbor discovery protocol that is used for network devices to advertise information about themselves to other devices on the network. This protocol is a standard IEEE 802.1ab defined protocol and runs over the Layer 2 (the data-link layer) , which allows for interoperability between network devices of different vendors.
  • Page 384: Lldp Configurations

    Configuring LLDP LLDP Configurations LLDP Configurations To configure LLDP function, follow the steps: 1) Configure the LLDP feature globally. 2) Configure the LLDP feature for the port. Using the GUI 2.1.1 Configuring LLDP Globally Choose the L2 FEATURES > LLDP > LLDP Config > Global Config to load the following page.
  • Page 385 Configuring LLDP LLDP Configurations Follow these steps to configure the LLDP feature globally. 1) In the Global Config section, enable LLDP. You can also enable the switch to forward LLDP messages when LLDP function is disabled. Click Apply. LLDP Enable LLDP function globally. LLDP (Optional) Enable the switch to forward LLDP messages when LLDP function is Forwarding...
  • Page 386: Configuring Lldp For The Port

    Configuring LLDP LLDP Configurations 2.1.2 Configuring LLDP For the Port Choose the menu L2 FEATURES > LLDP > LLDP Config > Port Config to load the following page. Figure 2-2 Port Config Follow these steps to configure the LLDP feature for the interface. 1) Select one or more ports to configure.
  • Page 387: Using The Cli

    Configuring LLDP LLDP Configurations Included TLVs Configure the TLVs included in the outgoing LLDP packets. The switch supports the following TLVs: PD: Used to advertise the port description defined by the IEEE 802 LAN station. SC: Used to advertise the supported functions and whether or not these functions are enabled.
  • Page 388 Configuring LLDP LLDP Configurations Step 3 lldp forward_message (Optional) Enable the switch to forward LLDP messages when LLDP function is disabled. Step 4 lldp hold-multiplier multiplier (Optional) Specify the amount of time the neighbor device should hold the received information before discarding it. This parameter is a multiplier on the Transmit Interval that determines the actual TTL (Time To Live) value used in an LLDP packet.
  • Page 389: Port Config

    Configuring LLDP LLDP Configurations Switch(config)#lldp timer tx-delay 2 Switch(config)#lldp timer reinit-delay 3 Switch(config)#lldp timer notify-interval 5 Switch(config)#lldp timer fast-count 3 Switch(config)#show lldp LLDP Status: Enabled LLDP Forward Message: Disabled Tx Interval: 30 seconds TTL Multiplier: 4 Tx Delay: 2 seconds Initialization Delay: 2 seconds Trap Notification Interval: 5 seconds Fast-packet Count: 3...
  • Page 390 Configuring LLDP LLDP Configurations Step 6 lldp tlv-select (Optional) Configure the TLVs included in the outgoing LLDP packets. By default, the outgoing LLDP packets include all TLVs. Step 7 show lldp interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } Display LLDP configuration of the corresponding port.
  • Page 391 Configuring LLDP LLDP Configurations Port-VLAN-ID Protocol-VLAN-ID VLAN-Name Link-Aggregation MAC-Physic Max-Frame-Size Power Switch(config-if)#end Switch#copy running-config startup-config
  • Page 392: Lldp-Med Configurations

    Configuring LLDP LLDP-MED Configurations LLDP-MED Configurations To configure LLDP-MED function, follow the steps: 1) Enable LLDP feature globally and configure the LLDP parameters for the ports. 2) Configuring LLDP-MED fast repeat count globally. 3) Enable and configure the LLDP-MED feature on the port. Configuration Guidelines LLDP-MED is used together with Auto VoIP to implement VoIP access.
  • Page 393: Configuring Lldp-Med For Ports

    Configuring LLDP LLDP-MED Configurations Device Class Display the current device class. LLDP-MED defines two device classes, Network Connectivity Device and Endpoint Device. The switch is a Network Connectivity device. 3.1.2 Configuring LLDP-MED for Ports Choose the menu L2 FEATURES > LLDP > LLDP-MED Config > Port Config to load the following page.
  • Page 394 Configuring LLDP LLDP-MED Configurations Figure 3-3 LLDP-MED Port Config-Detail Network Policy Used to advertise VLAN configuration and the associated Layer 2 and Layer 3 attributes of the port to the endpoint devices. Location Used to assign the location identifier information to the Endpoint devices. Identification If this option is selected, you can configure the emergency number and the detailed address of the endpoint device in the Location Identification Parameters...
  • Page 395: Using The Cli

    Configuring LLDP LLDP-MED Configurations Civic Address Configure the address of the audio device in the IETF defined address format. What: Specify the role type of the local device, DHCP Server, Switch or LLDP-MED Endpoint. Country Code: Enter the country code defined by ISO 3166 , for example, CN, US. Language, Province/State etc.: Enter the regular details.
  • Page 396: Port Config

    Configuring LLDP LLDP-MED Configurations TTL Multiplier: Tx Delay: 2 seconds Initialization Delay: 2 seconds Trap Notification Interval: 5 seconds Fast-packet Count: LLDP-MED Fast Start Repeat Count: Switch(config)#end Switch#copy running-config startup-config 3.2.2 Port Config Select the desired port, enable LLDP-MED and select the TLVs (Type/Length/Value) included in the outgoing LLDP packets according to your needs.
  • Page 397 Configuring LLDP LLDP-MED Configurations Step 6 Return to Privileged EXEC Mode. Step 7 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable LLDP-MED on port 1/0/1 and configure the LLDP-MED TLVs included in the outgoing LLDP packets.
    Switch(config)#lldp
    Switch(config)#lldp med-fast-count 4
    Switch(config)#interface gigabitEthernet 1/0/1...
  • Page 398 Configuring LLDP LLDP-MED Configurations LLDP-MED Status: Enabled TLV Status --- ------ Network Policy Location Identification Extended Power Via MDI Inventory Management Switch(config)#end Switch#copy running-config startup-config
  • Page 399: Viewing Lldp Settings

    Configuring LLDP Viewing LLDP Settings Viewing LLDP Settings This chapter introduces how to view the LLDP settings on the local device. Using GUI 4.1.1 Viewing LLDP Device Info ■ Viewing the Local Info Choose the menu L2 FEATURES > LLDP > LLDP Config > Local Info to load the following page.
  • Page 400 Configuring LLDP Viewing LLDP Settings Follow these steps to view the local information: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs. Click Apply. 2) In the Local Info section, select the desired port and view its associated local device information.
  • Page 401 Configuring LLDP Viewing LLDP Settings Port And Protocol Displays whether the local device supports port and protocol VLAN feature. Supported Port And Protocol Displays the status of the port and protocol VLAN feature. VLAN Enabled VLAN Name of Displays the VLAN name of VLAN 1 for the local device. VLAN 1 Protocol Identify Displays the particular protocol that the local device wants to advise.
  • Page 402 Configuring LLDP Viewing LLDP Settings ■ Viewing the Neighbor Info Choose the menu L2 FEATURES > LLDP > LLDP Config > Neighbor Info to load the following page. Figure 4-2 Neighbor Info Follow these steps to view the neighbor information: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs.
  • Page 403: Viewing Lldp Statistics

    Configuring LLDP Viewing LLDP Settings 4.1.2 Viewing LLDP Statistics Choose the menu L2 FEATURES > LLDP > LLDP Config > Statistics Info to load the following page. Figure 4-3 Static Info Follow these steps to view LLDP statistics: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs.
  • Page 404: Using Cli

    Configuring LLDP Viewing LLDP Settings Total Age-outs Displays the latest number of neighbors that have aged out on the local device. 3) In the Neighbors Statistics section, view the statistics of the corresponding port. Transmit Total Displays the total number of the LLDP packets sent via the port. Receive Total Displays the total number of the LLDP packets received via the port.
  • Page 405: Viewing Lldp-Med Settings

    Configuring LLDP Viewing LLDP-MED Settings Viewing LLDP-MED Settings Using GUI Choose the menu L2 FEATURES > LLDP > LLDP-MED Config > Local Info to load the following page. ■ Viewing the Local Info Figure 5-1 LLDP-MED Local Info
  • Page 406 Configuring LLDP Viewing LLDP-MED Settings Follow these steps to view LLDP-MED local information: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs. Click Apply. 2) In the LLDP-MED Local Info section, select the desired port and view the LLDP-MED settings.
  • Page 407 Configuring LLDP Viewing LLDP-MED Settings Serial Number Displays the serial number of the local device. Manufacturer Displays the manufacturer name of the local device. Name Model Name Displays the model name of the local device. Asset ID Displays the asset ID of the local device. ■...
  • Page 408: Using Cli

    Configuring LLDP Viewing LLDP-MED Settings Using CLI ■ Viewing the Local Info show lldp local-information interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port View the LLDP details of a specific port or all the ports on the local device. ■...
  • Page 409: Configuration Example

    Configuring LLDP Configuration Example Configuration Example Network Requirements The network administrator needs to view the information of the devices in the company network to learn the link status and network topology, so that potential network faults can be troubleshot in advance. Network Topology Take the following situation as an example: Port Fa1/0/1 on Switch A is directly connected to port Fa1/0/2 on Switch B.
  • Page 410: Using Cli

    Configuring LLDP Configuration Example Figure 6-2 LLDP Global Config 2) Choose the menu L2 FEATURES > LLDP > LLDP Config > Port Config to load the following page. Set the Admin Status of port Fa1/0/1 as Tx&Rx, enable Notification Mode and configure all the TLVs included in the outgoing LLDP packets. Figure 6-3 LLDP Port Config Using CLI 1) Enable LLDP globally and configure the corresponding parameters.
  • Page 411 Configuring LLDP Configuration Example
    Switch_A(config)#lldp
    Switch_A(config)#lldp hold-multiplier 4
    Switch_A(config)#lldp timer tx-interval 30
    Switch_A(config)#lldp timer tx-delay 2
    Switch_A(config)#lldp timer reinit-delay 3
    Switch_A(config)#lldp timer notify-interval 5
    Switch_A(config)#lldp timer fast-count 3
    2) Set the Admin Status of port Fa1/0/1 to Tx&Rx, enable Notification Mode and configure all the TLVs included in the outgoing LLDP packets.
  • Page 412 Configuring LLDP Configuration Example Switch_A#show lldp interface fastEthernet 1/0/1 LLDP interface config: fastEthernet 1/0/1: Admin Status: TxRx SNMP Trap: Enabled Status ------ Port-Description System-Capability System-Description System-Name Management-Address Port-VLAN-ID Protocol-VLAN-ID VLAN-Name Link-Aggregation MAC-Physic Max-Frame-Size Power LLDP-MED Status: Disabled Status ------ Network Policy Location Identification Extended Power Via MDI Inventory Management...
  • Page 413 Configuring LLDP Configuration Example Chassis type: MAC address Chassis ID: 00:0A:EB:13:A2:11 Port ID type: Interface name Port ID: FastEthernet1/0/1 Port description: FastEthernet1/0/1 Interface TTL: System name: T1500-28PCT System description: JetStream 24-Port 10/100Mbps + 4 -Port Gigabit Smart PoE+ Switch System capabilities supported: Bridge System capabilities enabled: Bridge...
  • Page 414 Power Source: Primary Power Priority: Power Value: 30.0w Hardware Revision: T1500-28PCT 3.0 Firmware Revision: Reserved Software Revision: 3.0.0 Build 20180309 Rel.34341(s) Serial Number: Reserved Manufacturer Name: TP-Link Model Name: T1500-28PCT 3.0 Asset ID: unknown
  • Page 415 Configuring LLDP Configuration Example View the Neighbor Info Switch_A#show lldp neighbor-information interface fastEthernet 1/0/1 LLDP Neighbor Information: fastEthernet 1/0/1: Neighbor index 1: Chassis type: MAC address Chassis ID: 00:0A:EB:13:18:2D Port ID type: Interface name Port ID: GigabitEthernet1/0/2 Port description: GigabitEthernet1/0/2 Interface TTL: System name: T1500-28PCT...
  • Page 416 Configuring LLDP Configuration Example Link aggregation supported: Link aggregation enabled: Aggregation port ID: Power port class: PSE power supported: PSE power enabled: PSE pairs control ability: Maximum frame size: 1518
  • Page 417: Appendix: Default Parameters

    Configuring LLDP Appendix: Default Parameters Appendix: Default Parameters Default settings of LLDP are listed in the following tables. Default LLDP Settings Table 7-1 Default LLDP Settings Parameter Default Setting LLDP Disabled LLDP Forward Message Disabled Transmit Interval 30 seconds Hold Multiplier Transmit Delay 2 seconds Reinitialization Delay...
  • Page 418: Configuring Dhcp Service

    Part 13 Configuring DHCP Service CHAPTERS 1. DHCP 2. DHCP Relay Configuration 3. DHCP L2 Relay Configuration 4. Configuration Examples 5. Appendix: Default Parameters
  • Page 419: Dhcp

    Configuring DHCP Service DHCP DHCP Overview DHCP (Dynamic Host Configuration Protocol) is widely used to automatically assign IP addresses and other network configuration parameters to network devices, enhancing the utilization of IP addresses. Supported Features The supported DHCP features of the switch include DHCP Relay and DHCP L2 Relay. DHCP Relay DHCP Relay is used to process and forward DHCP packets between different subnets or VLANs.
  • Page 420 Configuring DHCP Service DHCP TP-Link switches preset a default circuit ID and remote ID in TLV (Type, Length, and Value) format. You can also configure the format to include Value only and customize the Value. Table 1-1 and Table 1-2 show the packet formats of the Agent Circuit ID and Agent Remote ID, respectively.
  • Page 421 Configuring DHCP Service DHCP *Value Indicates the value of the sub-option. The switch has preset a default circuit ID and remote ID. You can also customize them with Circuit ID Customization and Remote ID Customization enabled. ■ Default circuit ID: A 4-byte value which consists of 2-byte VLAN ID and 2-byte Port ID.
  • Page 422 Configuring DHCP Service DHCP Figure 1-1 Application Scenario of DHCP VLAN Relay DHCP Server DHCP Relay DHCP Clients DHCP Clients Default Agent Interface: VLAN 10 VLAN 20 192.168.2.1/24 192.168.2.0/24 192.168.2.0/24 Note: Only the management VLAN interface can be specified as the default relay agent interface. DHCP L2 Relay Unlike DHCP relay, DHCP L2 Relay is used in the situation that the DHCP server and clients are in the same VLAN.
  • Page 423: Dhcp Relay Configuration

    Configuring DHCP Service DHCP Relay Configuration DHCP Relay Configuration To complete DHCP Relay configuration, follow these steps: 1) Enable DHCP Relay. Configure Option 82 if needed. 2) Specify DHCP server for the Interface or VLAN. Using the GUI 2.1.1 Enabling DHCP Relay and Configuring Option 82 Choose the menu L3 FEATURES >...
  • Page 424 Configuring DHCP Service DHCP Relay Configuration DHCP Relay Enable DHCP Relay globally. DHCP Relay Specify the DHCP relay hops. Hops DHCP Relay Hops defines the maximum number of hops (DHCP Relay agent) that the DHCP packets can be relayed. If a packet’s hop count is more than the value you set here, the packet will be dropped.
  • Page 425: Configuring Dhcp Vlan Relay

    Configuring DHCP Service DHCP Relay Configuration Remote ID Enable or disable Remote ID Customization. Enable it if you want to manually Customization configure the remote ID. Otherwise, the switch uses its own MAC address as the remote ID. Remote ID Enter the customized remote ID with up to 64 characters.
  • Page 426: Using The Cli

    Configuring DHCP Service DHCP Relay Configuration Figure 2-3 Specify a DHCP server for the VLAN Specify the VLAN the clients belong to and the server address. Click Create. VLAN ID Specify the VLAN in which the clients can get IP addresses from the DHCP server. Server Address Enter the IP address of the DHCP server.
  • Page 427: (Optional) Configuring Option 82

    Configuring DHCP Service DHCP Relay Configuration Step 6 Return to Privileged EXEC Mode. Step 7 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable DHCP Relay, configure the relay hops as 5 and configure the relay time as 10 seconds : Switch#configure Switch(config)#service dhcp relay...
  • Page 428 Configuring DHCP Service DHCP Relay Configuration Step 4 ip dhcp relay information strategy { keep | replace | drop } Specify the operation for the switch to take when receiving DHCP packets that include the Option 82 field. keep: The switch keeps the Option 82 field of the packets. replace: The switch replaces the Option 82 field of the packets with a new one.
  • Page 429: Configuring Dhcp Vlan Relay

    Configuring DHCP Service DHCP Relay Configuration
    Switch(config)#interface gigabitEthernet 1/0/7
    Switch(config-if)#ip dhcp relay information option
    Switch(config-if)#ip dhcp relay information strategy replace
    Switch(config-if)#ip dhcp relay information format normal
    Switch(config-if)#ip dhcp relay information circuit-id VLAN20
    Switch(config-if)#ip dhcp relay information remote-id Host1
    Switch(config-if)#show ip dhcp relay information interface gigabitEthernet 1/0/7
    Interface Option 82 Status Operation Strategy Format Circuit ID Remote ID
    ---------...
  • Page 430 Configuring DHCP Service DHCP Relay Configuration Step 8 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set the VLAN interface 1 (the default management VLAN interface) as the default relay agent interface and configure the DHCP server address as 192.168.1.8 on VLAN 10: Switch#configure Switch(config)#interface vlan 1...
  • Page 431: Dhcp L2 Relay Configuration

    Configuring DHCP Service DHCP L2 Relay Configuration DHCP L2 Relay Configuration To complete DHCP L2 Relay configuration, follow these steps: 1) Enable DHCP L2 Relay. 2) Configure Option 82 for ports. Using the GUI 3.1.1 Enabling DHCP L2 Relay Choose the menu L3 FEATURES > DHCP Service > DHCP L2 Relay > Global Config to load the following page.
  • Page 432: Configuring Option 82 For Ports

    Configuring DHCP Service DHCP L2 Relay Configuration 3.1.2 Configuring Option 82 for Ports Choose the menu L3 FEATURES > DHCP Service > DHCP L2 Relay > Port Config to load the following page. Figure 3-2 Configure Option 82 for Ports Follow these steps to enable DHCP Relay and configure Option 82: 1) Select one or more ports to configure Option 82.
  • Page 433: Using The Cli

    Configuring DHCP Service DHCP L2 Relay Configuration Circuit ID Enable or disable Circuit ID Customization. Enable it if you want to manually Customization configure the circuit ID. Otherwise, the switch uses the default one when inserting Option 82 to DHCP packets. The default circuit ID is a 4-byte value which consists of 2-byte VLAN ID and 2-byte Port ID.
  • Page 434: Configuring Option 82 For Ports

    Configuring DHCP Service DHCP L2 Relay Configuration The following example shows how to enable DHCP L2 Relay globally and for VLAN 2:
    Switch#configure
    Switch(config)#ip dhcp l2relay
    Switch(config)#ip dhcp l2relay vlan 2
    Switch(config)#show ip dhcp l2relay
    Global Status: Enable
    VLAN ID: 2
    Switch(config)#end
    Switch#copy running-config startup-config
    3.2.2 Configuring Option 82 for Ports...
  • Page 435 Configuring DHCP Service DHCP L2 Relay Configuration Step 6 ip dhcp l2relay information circuit-id string (Optional) A default circuit ID is preset on the switch, and you can also run this command to customize the circuit ID. The circuit ID configurations of the switch and the DHCP server should be compatible with each other.
  • Page 436 Configuring DHCP Service DHCP L2 Relay Configuration Switch(config-if)#end Switch#copy running-config startup-config
  • Page 437: Configuration Examples

    Configuring DHCP Service Configuration Examples Configuration Examples Example for DHCP VLAN Relay 4.1.1 Network Requirements The administrator needs to deploy the office network for the Marketing department and the R&D department. The detailed requirements are listed below: ■ The Marketing department and the R&D department belong to VLAN 10 and VLAN 20, respectively.
  • Page 438: Using The Gui

    Configuring DHCP Service Configuration Examples 3) Configure DHCP VLAN Relay on the DHCP relay agent. Enable DHCP Relay globally, choose the VLAN interface 1 (the default management VLAN interface) as the default relay agent interface, and specify the DHCP server address for VLAN 10 and VLAN 20. In this example, the DHCP server is demonstrated with T2600G-28TS and the DHCP relay agent is demonstrated with T1500-28PCT.
  • Page 439 Configuring DHCP Service Configuration Examples ■ Configuring the VLANs on the Relay Agent 1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 10 for the Marketing department and add port 1/0/1 as untagged port to the VLAN.
  • Page 440 Configuring DHCP Service Configuration Examples 2) On the same page, click again to create VLAN 20 for the R&D department and add port 1/0/2 as untagged port to the VLAN. Figure 4-5 Creating VLAN 20 ■ Configuring DHCP VLAN Relay on the Relay Agent 1) Choose the menu L3 FEATURES >...
  • Page 441: Using The Cli

    Configuring DHCP Service Configuration Examples VLAN interface 1 (the default management VLAN interface) as the default relay-agent interface. Click Apply. Figure 4-7 Specify the Default Relay Agent Interface 3) Choose the menu L3 FEATURES > DHCP Service > DHCP Relay > DHCP VLAN Relay and click to load the following page.
  • Page 442 Configuring DHCP Service Configuration Examples
    Switch(dhcp-config)#lease 120
    Switch(dhcp-config)#default-gateway 192.168.0.1
    Switch(dhcp-config)#dns-server 192.168.0.2
    Switch(dhcp-config)#end
    Switch#copy running-config startup-config
    ■ Configuring the VLAN on the Relay Agent
    Switch#configure
    Switch(config)# vlan 10
    Switch(config-vlan)#name Marketing
    Switch(config-vlan)#exit
    Switch(config)#interface gigabitEthernet 1/0/1
    Switch(config-if)#switchport general allowed vlan 10 untagged
    Switch(config-if)#exit
    Switch(config)# vlan 20
    Switch(config-vlan)#name RD
    Switch(config-vlan)#exit...
  • Page 443: Example For Option 82 In Dhcp Relay

    Configuring DHCP Service Configuration Examples Verify the Configurations of the DHCP Relay Agent Switch#show ip dhcp relay Switch#show ip dhcp relay DHCP relay state: enabled DHCP relay default relay agent interface: Interface: VLAN 1 IP address: 192.168.0.1 DHCP vlan relay helper address is configured on the following vlan: vlan Helper address --------------------- -------------------------...
  • Page 444: Configuration Scheme

    Configuring DHCP Service Configuration Examples Figure 4-10 Network Topology for Option 82 in DHCP Relay DHCP Server 192.168.0.59/24 VLAN 1 192.168.0.1/24 Gi1/0/1 Gi1/0/2 VLAN 2 VLAN 2 Switch A DHCP Relay 00:00:FF:FF:27:12 Group 1 Group 2 192.168.0.50-192.168.0.100 192.168.0.150-192.168.0.200 4.2.2 Configuration Scheme To meet the requirements, you can configure Option  82 in DHCP Relay on Switch A. With DHCP Relay enabled, the switch can forward DHCP requests and replies between clients and the server.
  • Page 445: Configuring The Dhcp Relay Switch

    Configuring DHCP Service Configuration Examples 4.2.3 Configuring the DHCP Relay Switch Using the GUI Follow these steps to configure DHCP relay and enable Option  82 in DHCP Relay on Switch A: 1) Choose the menu L3 FEATURES > DHCP Service > DHCP Relay > DHCP Relay Config to load the following page.
  • Page 446 Configuring DHCP Service Configuration Examples management VLAN (by default, it is VLAN 1) as the default relay agent interface. Then click Apply. Figure 4-13 Configure the Management VLAN as the Default Relay Agent Interface 4) In the DHCP VLAN Relay Config section, click to load the configuration page.
  • Page 447 Configuring DHCP Service Configuration Examples
    Switch(config-if)#exit
    3) Configure the management VLAN (by default, it is VLAN 1) as the default relay agent interface.
    Switch(config)#interface vlan 1
    Switch(config-if)#ip dhcp relay default-interface
    Switch(config-if)#exit
    4) Specify the DHCP server for the interface VLAN 2.
    Switch(config)#ip dhcp relay vlan 2 helper-address 192.168.0.59
    Switch(config)#end
    Switch#copy running-config startup-config...
  • Page 448: Configuring The Dhcp Server

    Configuring DHCP Service Configuration Examples
    Switch#show ip dhcp relay information interface
    Interface Option 82 Status Operation Strategy Format Circuit ID
    --------- ---------------- ------------------ ------- ---------
    Gi1/0/1 Enable Replace Normal Default:VLAN-PORT ...
    Gi1/0/2 Enable Replace Normal Default:VLAN-PORT ...
    4.2.4 Configuring the DHCP Server
    Note: •...
  • Page 449: Example For Dhcp L2 Relay

    Configuring DHCP Service Configuration Examples
    # Similarly, the offset of the agent remote ID is 2 and the length is 6.
    class "VLAN2Port1" {
        match if substring (option agent.circuit-id, 2, 4) = 00:02:00:01
            and substring (option agent.remote-id, 2, 6) = 00:00:ff:ff:27:12;
    }
    class "VLAN2Port2"...
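The class match above uses offset 2 because, in Normal (TLV) format, each sub-option value begins with a 2-byte inner header ahead of the default circuit ID (2-byte VLAN ID, 2-byte port ID) or the default remote ID (the switch MAC). The following Python code is an added example, not part of the TP-Link manual: it decodes an Option 82 payload the same way and returns no class for malformed, unknown or foreign-relay values. Assumptions: the sample bytes are constructed, the inner header is taken to be one type byte (0x00 used as a placeholder) plus one length byte, and the VLAN2Port2 key is derived from the class name only.

```python
import struct

CIRCUIT_ID, REMOTE_ID = 1, 2   # RFC 3046 sub-option codes inside Option 82
INNER_HEADER = 2               # bytes skipped by "substring (..., 2, n)" in the dhcpd classes

# Policy mirroring the dhcpd classes. The relay MAC and the VLAN2Port1 values are the
# page's; the (2, 2) entry is an assumption derived from the class name VLAN2Port2.
RELAY_MAC = "00:00:ff:ff:27:12"
CLASSES = {(2, 1): "VLAN2Port1", (2, 2): "VLAN2Port2"}

# Constructed sample payload (inner type byte 0x00 is an assumed placeholder):
#   01 06 | 00 04 | 00 02 00 01          circuit ID: VLAN 2, port 1
#   02 08 | 00 06 | 00 00 ff ff 27 12    remote ID: relay MAC
SAMPLE = bytes.fromhex("0106000400020001" "02080006" "0000ffff2712")


def split_suboptions(payload):
    """Split an Option 82 payload into {sub-option code: raw value}, strictly."""
    subopts, i = {}, 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(
                f"sub-option {code}: {length} bytes declared, {len(value)} present")
        if code in subopts:
            raise ValueError(f"duplicate sub-option {code}")
        subopts[code] = value
        i += 2 + length
    return subopts


def inner_value(raw, expected_len):
    """Drop the 2-byte inner header of the Normal (TLV) format and check the length."""
    if len(raw) != INNER_HEADER + expected_len or raw[1] != expected_len:
        raise ValueError("unexpected inner TLV length")
    return raw[INNER_HEADER:]


def decode_default(payload):
    """Return (vlan_id, port_id, relay_mac) for the default circuit ID and remote ID."""
    subopts = split_suboptions(payload)
    if CIRCUIT_ID not in subopts or REMOTE_ID not in subopts:
        raise ValueError("circuit ID or remote ID missing")
    vlan_id, port_id = struct.unpack("!HH", inner_value(subopts[CIRCUIT_ID], 4))
    mac = inner_value(subopts[REMOTE_ID], 6)
    return vlan_id, port_id, ":".join(f"{b:02x}" for b in mac)


def classify(payload):
    """Return the dhcpd class name for a request, or None (fail closed)."""
    try:
        vlan_id, port_id, mac = decode_default(payload)
    except ValueError:
        return None            # malformed Option 82 never selects a pool
    if mac != RELAY_MAC:
        return None            # remote ID is not the expected relay
    return CLASSES.get((vlan_id, port_id))


if __name__ == "__main__":
    print(decode_default(SAMPLE), classify(SAMPLE))
```

Because the server selects an address pool from these bytes alone, the `replace` strategy configured on the relay's client-facing ports in this example is what keeps a client-supplied Option 82 from reaching the match.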
  • Page 450: Configuration Scheme

    Configuring DHCP Service Configuration Examples Figure 4-15 Network Topology for DHCP L2 Relay DHCP Server 192.168.10.1/24 Gi1/0/1 Gi1/0/2 Switch A DHCP Relay 00:00:FF:FF:27:12 Group 1 Group 2 192.168.10.100-192.168.10.150 192.168.10.151-192.168.10.200 4.3.2 Configuration Scheme To meet the requirements, you can configure DHCP L2 Relay on Switch A to inform the DHCP server of the group information of each PC, so that the DHCP server can assign IP addresses of different address pools to the PCs in different groups.
  • Page 451: Configuring The Dhcp Relay Switch

    Configuring DHCP Service Configuration Examples 4.3.3 Configuring the DHCP Relay Switch Using the GUI 1) Choose the menu L3 FEATURES > DHCP Service > DHCP L2 Relay > Global Config to load the following page. In the Global Config section, enable DHCP L2 Relay globally and click Apply.
  • Page 452 Configuring DHCP Service Configuration Examples 3) On the same page, select port 1/0/2, enable Option 82 Support and select Option 82 Policy as Replace. You can configure other parameters according to your needs. In this example, keep Format as Normal and Remote ID Customization as Disabled. Enable Circuit ID Customization and specify the Circuit ID as Group2.
  • Page 453: Configuring The Dhcp Server

    Configuring DHCP Service Configuration Examples Normal and Remote ID Customization as Disabled. Enable Circuit ID Customization and specify the Circuit ID as Group2.
    Switch(config)#interface gigabitEthernet 1/0/2
    Switch(config-if)#ip dhcp l2relay information
    Switch(config-if)#ip dhcp l2relay information strategy replace
    Switch(config-if)#ip dhcp l2relay information circuit-id Group2
    Switch(config-if)#end
    Switch#copy running-config startup-config
    Verify the Configurations...
  • Page 454 Configuring DHCP Service Configuration Examples On the DHCP server, you need to create two DHCP classes to identify the Option 82 payloads of DHCP request packets from Group 1 and Group 2, respectively. In this example, the DHCP relay agent uses the customized circuit ID and default remote ID in TLV format.
  • Page 455 Configuring DHCP Service Configuration Examples
    option domain-name "example.com";
    default-lease-time 600;
    max-lease-time 7200;
    authoritative;
    pool {
        range 192.168.10.100 192.168.10.150;
        allow members of "Group1";
    }
    pool {
        range 192.168.10.151 192.168.10.200;
        allow members of "Group2";
    }
  • Page 456: Appendix: Default Parameters

    Configuring DHCP Service Appendix: Default Parameters Appendix: Default Parameters Default settings of DHCP Relay are listed in the following table. Table 5-1 Default Settings of DHCP Relay Parameter Default Setting DHCP Relay DHCP Relay Disabled DHCP Relay Hops DHCP Relay Time Threshold Option 82 Configuration Option 82 Support Disabled...
  • Page 457 Configuring DHCP Service Appendix: Default Parameters Parameter Default Setting VLAN Status Disabled Port Config Option 82 Support Disabled Option 82 Policy Keep Format Normal Circuit ID Customization Disabled Circuit ID None Remote ID Customization Disabled Remote ID None
  • Page 458: Configuring Qos

    Part 14 Configuring QoS CHAPTERS 1. QoS 2. Class of Service Configuration 3. Bandwidth Control Configuration 4. Voice VLAN Configuration 5. Auto VoIP Configuration 6. Configuration Examples 7. Appendix: Default Parameters
  • Page 459: Qos

    Configuring QoS Overview With network scale expanding and applications developing, internet traffic is dramatically increased, thus resulting in network congestion, packet drops and long transmission delay. Typically, networks treat all traffic equally on FIFO (First In First Out) delivery basis, but nowadays many special applications like VoD, video conferences, VoIP, etc, require more bandwidth or shorter transmission delay to guarantee the performance.
  • Page 460 Configuring QoS can deteriorate a lot because of packet loss and delay. To ensure the high voice quality, you can configure Voice VLAN or Auto VoIP. These two features can be enabled on the ports that transmit voice traffic only or transmit both voice traffic and data traffic.
  • Page 461: Class Of Service Configuration

    Configuring QoS Class of Service Configuration Class of Service Configuration With class of service configurations, you can: ■ Configure port priority ■ Configure 802.1p priority ■ Configure DSCP priority ■ Specify the scheduler settings Configuration Guidelines ■ Select the priority mode that the ports trust according to your network requirements. A port can use only one priority to classify the ingress packets.
  • Page 462: Using The Gui

    Configuring QoS Class of Service Configuration Using the GUI 2.1.1 Configuring Port Priority ■ Configuring the Trust Mode and Port to 802.1p Mapping Choose the menu QoS > Class of Service > Port Priority to load the following page. Figure 2-1 Configuring the Trust Mode and Port to 802.1p Mapping Follow these steps to configure the parameters of the port priority: 1) Select the desired ports, specify the 802.1p priority and set the trust mode as Untrusted.
  • Page 463 Configuring QoS Class of Service Configuration ■ Configuring the 802.1p to Queue Mapping Choose the menu QoS > Class of Service > 802.1p Priority to load the following page. Figure 2-2 Configuring the 802.1p to Queue Mapping In the 802.1p to Queue Mapping section, configure the mappings and click Apply. 802.1p Priority Displays the number of 802.1p priority.
  • Page 464: Configuring 802.1P Priority

    Configuring QoS Class of Service Configuration 2.1.2 Configuring 802.1p Priority ■ Configuring the Trust Mode Choose the menu QoS > Class of Service > Port Priority to load the following page. Figure 2-3 Configuring the Trust Mode Follow these steps to configure the trust mode: 1) Select the desired ports and set the trust mode as Trust 802.1p.
  • Page 465 Configuring QoS Class of Service Configuration ■ Configuring the 802.1p to Queue Mapping and 802.1p Remap Choose the menu QoS > Class of Service > 802.1p Priority to load the following page. Figure 2-4 Configuring the 802.1p to Queue Mapping and 802.1p Remap Follow these steps to configure the parameters of the 802.1p priority: 1) In the 802.1p to Queue Mapping section, configure the mappings and click Apply.
  • Page 466: Configuring Dscp Priority

    Configuring QoS Class of Service Configuration Remap Select the number of 802.1p priority to which the original 802.1p priority will be remapped. 802.1p Remap is used to modify the 802.1p priority of the ingress packets. When the switch detects the packets with desired 802.1p priority, it will modify the value of 802.1p priority according to the map.
  • Page 467 Configuring QoS Class of Service Configuration ■ Configuring the 802.1p to Queue Mapping Choose the menu QoS > Class of Service > 802.1p Priority to load the following page. Figure 2-6 Configuring the 802.1p to Queue Mapping In the 802.1p to Queue Mapping section, configure the mappings and click Apply. 802.1p Priority Displays the number of 802.1p priority.
  • Page 468 Configuring QoS Class of Service Configuration ■ Configuring the DSCP to 802.1p Mapping and the DSCP Remap Choose the menu QoS > Class of Service >DSCP Priority to load the following page. Figure 2-7 Configuring the DSCP to 802.1p Mapping and the DSCP Remap Follow these steps to configure the DSCP Priority: 1) In the DSCP Priority Config section, configure the DSCP to 802.1p mapping and the DSCP remap.
  • Page 469: Specifying The Scheduler Settings

    Configuring QoS Class of Service Configuration 2.1.4 Specifying the Scheduler Settings Specify the scheduler settings to control the forwarding sequence of different TC queues when congestion occurs. Choose the menu QoS > Class of Service > Scheduler Settings to load the following page.
  • Page 470: Using Cli

    Configuring QoS Class of Service Configuration Scheduler Type Select the type of scheduling used for corresponding queue. When the network congestion occurs, the egress queue will determine the forwarding sequence of the packets according to the type. Strict: In this mode, the egress queue will use SP (Strict Priority) to process the traffic in different queues.
  • Page 471 Configuring QoS Class of Service Configuration Step 4 qos port-priority { dot1p-priority } Specify the port to 802.1p priority mapping for the desired port. The ingress packets from one port are first mapped to 802.1p priority based on the port to 802.1p mapping, then to TC queues based on the 802.1p to queue mapping.
  • Page 472: Configuring 802.1P Priority

    Configuring QoS Class of Service Configuration The following example shows how to configure the trust mode of port 1/0/1 as untrust, map the port 1/0/1 to 802.1p priority 1 and map 802.1p priority 1 to TC3:
    Switch#configure
    Switch(config)#interface gigabitEthernet 1/0/1
    Switch(config-if)#qos trust mode untrust
    Switch(config-if)#qos port-priority 1
    Switch(config-if)#exit...
  • Page 473 Configuring QoS Class of Service Configuration Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 3 qos trust mode { untrust | dot1p | dscp } Select the trust mode for the port.
  • Page 474 Configuring QoS Class of Service Configuration Step 5 show qos dot1p-remap Verify the 802.1p to 802.1p mappings. Step 6 Return to privileged EXEC mode. Step 7 copy running-config startup-config Save the settings in the configuration file. Note: In Trust 802.1p mode, the untagged packets will be added an 802.1p priority based on the port to 802.1p mapping and will be forwarded according to the 802.1p to queue mapping.
  • Page 475: Configuring Dscp Priority

    Configuring QoS Class of Service Configuration Dot1p Value ----- ----- ----- ----- ----- ----- ----- ----- ----- Dot1p Remap Switch(config)#end Switch#copy running-config startup-config 2.2.3 Configuring DSCP Priority ■ Configuring the Trust Mode Follow these steps to configure the trust mode: Step 1 configure Enter global configuration mode...
  • Page 476 Configuring QoS Class of Service Configuration Step 2 qos cos-map { dot1p-priority } { tc-queue } Specify the 802.1p to queue mapping. The packets with the desired 802.1p priority will be put in the corresponding queues. By default, the 802.1p priority 0 to 7 is respectively mapped to TC-1, TC-0, TC-2, TC-3, TC-4, TC-5, TC-6, TC-7.
  • Page 477 Configuring QoS Class of Service Configuration Step 5 show qos dscp-remap Verify the DSCP to DSCP mappings. Step 6 Return to privileged EXEC mode. Step 7 copy running-config startup-config Save the settings in the configuration file. Note: In Trust DSCP mode, non-IP packets are assigned an 802.1p priority based on the port to 802.1p mapping and are forwarded according to the 802.1p to queue mapping.
  • Page 478 Configuring QoS Class of Service Configuration DSCP to 802.1P ---- ---- ---- ---- ---- ---- ---- ---- DSCP: 10 11 12 13 14 15 DSCP to 802.1P ---- ---- ---- ---- ---- ---- ---- ---- DSCP: 17 18 19 20 21 22 23 DSCP to 802.1P ---- ---- ---- ---- ---- ---- ---- ---- DSCP:...
  • Page 479: Specifying The Scheduler Settings

    Configuring QoS Class of Service Configuration DSCP remap value 8 10 11 12 13 14 15 ---- ---- ---- ---- ---- ---- ---- ---- DSCP: 16 17 18 19 20 21 22 23 DSCP remap value 16 17 18 19 20 21 22 23 ---- ---- ---- ---- ---- ---- ---- ---- DSCP: 24 25 26 27 28 29 30 31...
  • Page 480 Configuring QoS Class of Service Configuration Step 3 qos queue tc-queue mode {sp | wrr} [weight weight ] Specify the type of scheduling used for the corresponding queue. When network congestion occurs, the egress queue will determine the forwarding sequence of the packets according to the type.
  • Page 481 Configuring QoS Class of Service Configuration Strict Switch(config-if)#end Switch#copy running-config startup-config
  • Page 482: Bandwidth Control Configuration

    Configuring QoS Bandwidth Control Configuration Bandwidth Control Configuration With bandwidth control configurations, you can: ■ Configure rate limit ■ Configure storm control Using the GUI 3.1.1 Configuring Rate Limit Choose the menu QoS > Bandwidth Control > Rate Limit to load the following page. Figure 3-1 Configuring Rate Limit Follow these steps to configure the Rate Limit function: 1) Select the desired port and configure the upper rate limit to receive and send packets.
  • Page 483: Configuring Storm Control

    Configuring QoS Bandwidth Control Configuration 3.1.2 Configuring Storm Control Choose the menu QoS > Bandwidth Control > Storm Control to load the following page. Figure 3-2 Configuring Storm Control Follow these steps to configure the Storm Control function: 1) Select the desired port and configure the upper rate limit for forwarding broadcast packets, multicast packets and UL-frames (Unknown unicast frames).
  • Page 484: Using The Cli

    Configuring QoS Bandwidth Control Configuration UL-Frame Specify the upper rate limit for receiving unknown unicast frames. The valid Threshold (0- values differ among different rate modes. The value 0 means the unknown unicast 1,000,000) threshold is disabled. The traffic exceeding the limit will be processed according to the Action configurations.
  • Page 485: Configuring Storm Control

    Configuring QoS Bandwidth Control Configuration Step 4 show bandwidth interface [fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id ] Verify the ingress/egress rate limit for forwarding packets on the port or LAG. If no port or LAG is specified, it displays the upper ingress/egress rate limit for all ports or LAGs.
  • Page 486 Configuring QoS Bandwidth Control Configuration Step 3 storm-control rate-mode {kbps | ratio} Specify the Rate Mode for the broadcast threshold, multicast threshold and UL-Frame threshold on the desired port. kbps: The switch will limit the maximum speed of the specific kinds of traffic in kilo-bits per second.
  • Page 487 Configuring QoS Bandwidth Control Configuration Step 9 show storm-control interface [fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id ] Verify the storm control configurations of the port or LAG. If no port or LAG is specified, it displays the storm control configuration for all ports or LAGs.
  • Page 488: Voice Vlan Configuration

    Configuring QoS Voice VLAN Configuration Voice VLAN Configuration To complete the voice VLAN configurations, follow these steps: 1) Create an 802.1Q VLAN 2) Configure OUI addresses 3) Configure Voice VLAN globally 4) Add ports to Voice VLAN Configuration Guidelines ■ Before configuring voice VLAN, you need to create an 802.1Q VLAN for voice traffic. For details about 802.1Q VLAN Configuration, please refer to Configuring 802.1Q VLAN.
  • Page 489: Configuring Voice Vlan Globally

    Configuring QoS Voice VLAN Configuration Figure 4-1 Configuring OUI Addresses Follow these steps to configure the OUI addresses: 1) Click to load the following page. Figure 4-2 Creating an OUI Entry 2) Specify the OUI and the Description. Enter the OUI address of your voice devices. The OUI address is used by the switch to determine whether a packet is a voice packet.
  • Page 490: Adding Ports To Voice Vlan

    Configuring QoS Voice VLAN Configuration Figure 4-3 Configuring Voice VLAN Globally Follow these steps to configure voice VLAN globally: 1) Enable the voice VLAN feature and specify the parameters. VLAN ID Specify the 802.1Q VLAN ID to set the 802.1Q VLAN as the voice VLAN. Priority Select the priority that will be assigned to voice packets.
  • Page 491: Using The Cli

    Configuring QoS Voice VLAN Configuration Optional Status Displays the state of the Voice VLAN on the corresponding port. Active: Indicates that the Voice VLAN function is enabled on the port. Inactive: Indicates that the Voice VLAN function is disabled on the port. 2) Click Apply.
  • Page 492 Configuring QoS Voice VLAN Configuration Step 8 Return to privileged EXEC mode. Step 9 copy running-config startup-config Save the settings in the configuration file. The following example shows how to show the OUI table, set VLAN 8 as voice VLAN, set the priority as 6 and enable voice VLAN feature on port 1/0/3: Switch#configure Switch(config)#show voice vlan oui-table...
  • Page 493 Configuring QoS Voice VLAN Configuration Gi1/0/3 enabled Gi1/0/4 disabled Down Gi1/0/5 disabled Down Switch(config-if)#end Switch#copy running-config startup-config
  • Page 494: Auto Voip Configuration

    Configuring QoS Auto VoIP Configuration Auto VoIP Configuration Configuration Guidelines ■ Before configuring Auto VoIP, you need to enable LLDP-MED on ports and configure the relevant parameters. For details about LLDP-MED configuration, please refer to Configuring LLDP. ■ Auto VoIP provides flexible solutions for optimizing the voice traffic. It can work with other features such as VLAN and Class of Service to process the voice packets with specific fields.
  • Page 495: Using The Cli

    Configuring QoS Auto VoIP Configuration Interface Mode Select the interface mode for the port. Disable: Disable the Auto VoIP function on the corresponding port. None: Allow the voice devices to use their own configuration to send voice traffic. VLAN ID: The voice devices will send voice packets with the desired VLAN tag. If this mode is selected, it is necessary to specify the VLAN ID in the Value field.
  • Page 496 Configuring QoS Auto VoIP Configuration Step 3 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 4 Select the interface mode for the port.
  • Page 497 Configuring QoS Auto VoIP Configuration Step 7 show auto-voip Verify the global state of Auto VoIP. Step 8 show auto-voip interface Verify the Auto VoIP configuration information of ports. Step 8 Return to privileged EXEC mode. Step 9 copy running-config startup-config Save the settings in the configuration file.
  • Page 498 Configuring QoS Auto VoIP Configuration Interface.Gi1/0/3 Auto-VoIP Interface Mode. Enabled Auto-VoIP Priority. Auto-VoIP COS Override. True Auto-VoIP DSCP Value. Auto-VoIP Port Status. Enabled Switch(config-if)#end Switch#copy running-config startup-config
  • Page 499: Configuration Examples

    Configuring QoS Configuration Examples Configuration Examples Example for Class of Service 6.1.1 Network Requirements As shown below, both RD department and Marketing department can access the internet. When congestion occurs, the traffic from two departments can both be forwarded and the traffic from the Marketing department should take precedence.
  • Page 500: Using The Gui

    Configuring QoS Configuration Examples Demonstrated with T1500-28PCT, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. 6.1.3 Using the GUI 1) Choose the menu QoS > Class of Service > Port Priority to load the following page. Set the trust mode of port 1/0/1 and 1/0/2 as untrusted.
  • Page 501 Configuring QoS Configuration Examples Figure 6-3 Configuring the 802.1p to Queue Mappings 3) Choose the menu QoS > Class of Service > Scheduler Settings to load the following page. Select the port 1/0/3 and set the scheduler type of TC-0 and TC-1 as Weighted. Specify the queue weight of TC-0 as 1 and specify the queue weight of TC-1 as 5.
  • Page 502: Using The Cli

    Configuring QoS Configuration Examples Figure 6-4 Configuring the Egress Queue 4) Click to save the settings. 6.1.4 Using the CLI 1) Set the trust mode of port 1/0/1 as untrusted and specify the 802.1p priority as 1. Switch_A#configure Switch_A(config)#interface fastEthernet 1/0/1 Switch_A(config-if)#qos trust mode untrust Switch_A(config-if)#qos port-priority 1 Switch_A(config-if)#exit...
  • Page 503 Configuring QoS Configuration Examples 4) Set the scheduler type of TC-0 and TC-1 as Weighted for egress port 1/0/3. Specify the queue weight of TC-0 as 1 and specify the queue weight of TC-1 as 5. Switch_A(config)#interface fastEthernet 1/0/3 Switch_A(config-if)#qos queue 0 mode wrr weight 1 Switch_A(config-if)#qos queue 1 mode wrr weight 5 Switch_A(config-if)#end Switch_A#copy running-config startup-config...
  • Page 504: Example For Voice Vlan

    Configuring QoS Configuration Examples Verify the 802.1p to queue mappings: Switch_A#show qos cos-map ---------------+-----+-----+-----+-----+-----+-----+----+---- Dot1p Value |0 ---------------+-----+-----+-----+-----+-----+-----+----+---- |TC1 |TC0 |TC2 |TC4 |TC4 |TC5 |TC6 |TC7 ---------------+-----+-----+-----+-----+-----+-----+----+---- Verify the scheduler mode of the egress port: Switch_A#show qos queue interface fastEthernet 1/0/3 Fa1/0/3----LAG: N/A Queue Schedule Mode Weight -----...
  • Page 505: Configuration Scheme

    Configuring QoS Configuration Examples Figure 6-5 Voice VLAN Application Topology Switch B Fa1/0/4 Switch A Fa1/0/1 Fa1/0/3 Fa1/0/2 VLAN 2 VLAN 3 IP Phone 1 IP Phone 2 PC 3 6.2.2 Configuration Scheme To implement this requirement, you can configure Voice VLAN to ensure that the voice traffic can be transmitted in the same VLAN and the data traffic is transmitted in another VLAN.
  • Page 506 Configuring QoS Configuration Examples Figure 6-6 Configuring VLAN 2 2) Click to load the following page. Create VLAN 3 and add untagged port 1/0/3 and port 1/0/4 to VLAN 3. Click Create.
  • Page 507 Configuring QoS Configuration Examples Figure 6-7 Configuring VLAN 3 3) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > Port Config to load the following page. Disable the Ingress Checking feature on port 1/0/1 and port 1/0/2 and specify the PVID as 2. Click Apply.
  • Page 508 Configuring QoS Configuration Examples Figure 6-8 Specifying the Parameters of the Ports 4) Choose the menu QoS > Voice VLAN > OUI Config to load the following page. Check the OUI table. Figure 6-9 Checking the OUI Table 5) Choose the menu QoS > Voice VLAN > Global Config to load the following page. Enable Voice VLAN globally.
  • Page 509: Using The Cli

    Configuring QoS Configuration Examples Figure 6-10 Configuring Voice VLAN Globally 6) Choose the menu QoS > Voice VLAN > Port Config to load the following page. Enable Voice VLAN on port 1/0/1 and port 1/0/2. Click Apply. Figure 6-11 Enabling Voice VLAN on Ports 7) Click to save the settings.
  • Page 510 Configuring QoS Configuration Examples Switch_A(config-if)#switchport general allowed vlan 2 untagged Switch_A(config-if)#exit Switch_A(config)#interface fastEthernet 1/0/4 Switch_A(config-if)#switchport general allowed vlan 2 untagged Switch_A(config-if)#exit 2) Create VLAN 3 and add untagged port 1/0/3 and port 1/0/4 to VLAN 3. Switch_A(config)#vlan 3 Switch_A(config-vlan)#name VLAN3 Switch_A(config-vlan)#exit Switch_A(config)#interface fastEthernet 1/0/3 Switch_A(config-if)#switchport general allowed vlan 3 untagged...
  • Page 511 Configuring QoS Configuration Examples 00:60:B9 Default NITSUKO 00:D0:1E Default PINTEL 00:E0:75 Default VERILINK 00:E0:BB Default 3COM 00:04:0D Default AVAYA1 00:1B:4F Default AVAYA2 00:04:13 Default SNOM 5) Enable Voice VLAN globally. Specify the VLAN ID as 2 and set the priority as 7. Switch_A(config)#voice vlan 2 Switch_A(config)#voice vlan priority 7 6) Enable Voice VLAN on port 1/0/1 and port 1/0/2.
  • Page 512: Example For Auto Voip

    Configuring QoS Configuration Examples VoiceVLAN active Fa1/0/1, Fa1/0/2, Fa1/0/4 VLAN3 active Fa1/0/3, Fa1/0/4 Verify the Voice VLAN configuration: Switch_A(config)#show voice vlan interface Voice VLAN ID Priority Interface Voice VLAN Mode Operational Status LAG --------- --------------- ------------------ Fa1/0/1 enabled Fa1/0/2 enabled Fa1/0/3 disabled Down...
  • Page 513: Configuration Scheme

    Configuring QoS Configuration Examples Figure 6-12 Auto VoIP Application Topology Switch B Fa1/0/2 Fa1/0/1 Switch A PC 10 IP Phone 10 6.3.2 Configuration Scheme To optimize voice traffic, configure Auto VoIP and LLDP-MED to instruct IP Phones to send traffic with desired DSCP priority. Voice traffic is put in the desired queue and data traffic is put in other queues according to the Class of Service configurations.
  • Page 514 Configuring QoS Configuration Examples Figure 6-13 Configuring Auto VoIP 2) Choose the menu QoS > Class of Service > Port Priority to load the following page. Set the trust mode of port 1/0/1 as trust DSCP. Click Apply. Figure 6-14 Configuring Port Priority 3) Choose the menu QoS >...
  • Page 515 Configuring QoS Configuration Examples Figure 6-15 Specifying the 802.1p priority for DSCP priority 63 4) Specify the 802.1p priority as 5 for other DSCP priorities. Click Apply. Figure 6-16 Specifying the 802.1p priority for Other DSCP priorities 5) Choose the menu QoS > Class of Service > Scheduler Settings to load the following page.
  • Page 516 Configuring QoS Configuration Examples Figure 6-17 Configuring the TC-5 for the Port 6) Select port 1/0/2. Set the scheduler mode as weighted and specify the queue weight as 10 for TC-7. Click Apply. Figure 6-18 Configuring the TC-7 for the Port
  • Page 517 Configuring QoS Configuration Examples 7) Choose the menu L2 FEATURES > LLDP > LLDP-MED Config > Port Config and click Detail of port 1/0/1 to load the following page. Check the boxes of all the TLVs. Click Save. Figure 6-19 Configuring the TLVs 8) Choose the menu L2 FEATURES >...
  • Page 518: Using The Cli

    Configuring QoS Configuration Examples 9) Click to save the settings. 6.3.4 Using the CLI 1) Enable Auto VoIP globally and specify the DSCP value of port 1/0/1 as 63. Switch_A#configure Switch_A(config)#auto-voip Switch_A(config)#interface fastEthernet 1/0/1 Switch_A(config-if)#auto-voip dscp 63 Switch_A(config-if)#exit 2) Set the trust mode of port 1/0/1 as trust DSCP. Specify the 802.1p priority as 7 for DSCP priority 63 and specify 802.1p priority as 5 for other DSCP priorities.
  • Page 519 Configuring QoS Configuration Examples Verify the configurations Verify the configuration of Auto VoIP: Switch_A(config)#show auto-voip Administrative Mode: Enabled Verify the Auto VoIP configuration of ports: Switch_A(config)#show auto-voip interface Interface.Fa1/0/1 Auto-VoIP Interface Mode. Disabled Auto-VoIP COS Override. False Auto-VoIP DSCP Value. Auto-VoIP Port Status.
  • Page 520 Configuring QoS Configuration Examples Switch_A(config)#show qos cos-map ---------------+-----+-----+-----+-----+-----+-----+----+---- Dot1p Value |0 ---------------+-----+-----+-----+-----+-----+-----+----+---- |TC1 |TC0 |TC2 |TC3 |TC4 |TC5 |TC6 |TC7 ---------------+-----+-----+-----+-----+-----+-----+----+---- Switch_A(config)#show qos dscp-map DSCP: DSCP to 802.1P ---- ---- ---- ---- ---- ---- ---- ---- DSCP: 10 11 12 13 14 15 DSCP to 802.1P ---- ---- ---- ---- ---- ---- ---- ---- DSCP:...
  • Page 521 Configuring QoS Configuration Examples ---- ---- ---- ---- ---- ---- ---- --- Verify the configuration of LLDP-MED: Switch_A(config)#show lldp interface LLDP interface config: fastEthernet 1/0/1: Admin Status: TxRx SNMP Trap: Disabled Status ------ Port-Description System-Capability System-Description System-Name Management-Address Port-VLAN-ID Protocol-VLAN-ID VLAN-Name Link-Aggregation MAC-Physic...
  • Page 522 Configuring QoS Configuration Examples Inventory Management
  • Page 523: Appendix: Default Parameters

    Configuring QoS Appendix: Default Parameters Appendix: Default Parameters Default settings of Class of Service are listed in the following tables. Table 7-1 Default Settings of Port Priority Configuration Parameter Default Setting 802.1P Priority Trust Mode Untrusted Table 7-2 Default Settings of 802.1p to Queue Mapping 802.1p Priority Queues (8) Table 7-3...
  • Page 524 Configuring QoS Appendix: Default Parameters DSCP 802.1p Priority 16 to 23 24 to 31 32 to 39 40 to 47 48 to 55 56 to 63 Table 7-5 Default Settings of DSCP Remap Configuration Original New DSCP Original New DSCP Original New DSCP DSCP...
  • Page 525 Configuring QoS Appendix: Default Parameters Table 7-6 Default Settings of Scheduler Settings Configuration Parameter Default Setting Scheduler Type Weighted Queue Weight Management Taildrop Type Default settings of Class of Service are listed in the following tables. Table 7-7 Default Settings of Bandwidth Control Parameter Default Setting Ingress Rate (0-...
  • Page 526 Configuring QoS Appendix: Default Parameters Table 7-10 Default Settings of Port Configuration Parameter Default Setting Voice VLAN Disabled Table 7-11 Default Settings of OUI Table Status Description 00:01:E3 Default SIEMENS 00:03:6B Default CISCO1 00:12:43 Default CISCO2 00:0F:E2 Default 00:60:B9 Default NITSUKO 00:D0:1E Default...
  • Page 527: Configuring Access Security

    Part 15 Configuring Access Security CHAPTERS 1. Access Security 2. Access Security Configurations 3. Appendix: Default Parameters
  • Page 528: Access Security

    Configuring Access Security Access Security Access Security Overview Access Security provides different security measures for accessing the switch remotely so as to enhance the configuration management security. Supported Features Access Control This function is used to control the users’ access to the switch based on IP address, MAC address or port.
  • Page 529: Access Security Configurations

    Configuring Access Security Access Security Configurations Access Security Configurations With access security configurations, you can: ■ Configure the Access Control feature ■ Configure the HTTP feature ■ Configure the HTTPS feature ■ Configure the SSH feature ■ Configure the Telnet function Using the GUI 2.1.1 Configuring the Access Control Feature Choose the menu SECURITY >...
  • Page 530 Configuring Access Security Access Security Configurations 2) In the Entry Config section, click to add an Access Control entry. ■ When the IP-based mode is selected, the following window will pop up. Figure 2-2 Configuring Access Control Based on IP Range Access Select the interfaces where to apply the Access Control rule.
  • Page 531 Configuring Access Security Access Security Configurations Access Select the interfaces where to apply the Access Control rule. If an interface is Interface unselected, all users can access the switch via it. SNMP: A function to manage the network devices via NMS. Telnet: A connection type for users to remote login.
  • Page 532: Configuring The Http Function

    Configuring Access Security Access Security Configurations Port Select one or more ports. Only the users who are connected to these ports can access the switch via the specified interfaces. 3) Click Create. Then you can view the created entries in the table. 2.1.2 Configuring the HTTP Function Choose the menu SECURITY >...
  • Page 533 Configuring Access Security Access Security Configurations Number Control Enable or disable Number Control. With this option enabled, you can control the number of the users logging on to the web management page at the same time. The total number of users should be no more than 16. Number of Specify the maximum number of users whose access level is Admin.
  • Page 534: Configuring The Https Function

    Configuring Access Security Access Security Configurations 2.1.3 Configuring the HTTPS Function Choose the menu SECURITY > Access Security > HTTPS Config to load the following page. Figure 2-6 Configuring the HTTPS Function 1) In the Global Config section, enable HTTPS function, select the protocol version that the switch supports, and specify the port number for HTTPS.
  • Page 535 Configuring Access Security Access Security Configurations HTTPS Enable or disable the HTTPS function. HTTPS function is based on the SSL or TLS protocol. It provides a secure connection between the client and the switch. Protocol Select the protocol version for HTTPS. Make sure the protocol in use is Version compatible with that on your HTTPS client.
  • Page 536 Configuring Access Security Access Security Configurations 4) In the Number of Access Users section, enable Number Control function, specify the following parameters and click Apply. Number Control Enable or disable Number Control. With this option enabled, you can control the number of the users logging on to the web management page at the same time.
  • Page 537: Configuring The Ssh Feature

    Configuring Access Security Access Security Configurations 2.1.4 Configuring the SSH Feature Choose the menu SECURITY > Access Security > SSH Config to load the following page. Figure 2-7 Configuring the SSH Feature 1) In the Global Config section, select Enable to enable the SSH function and specify the following parameters.
  • Page 538: Configuring The Telnet Function

    Configuring Access Security Access Security Configurations Protocol V1 Select Enable to enable SSH version 1. Protocol V2 Select Enable to enable SSH version 2. Idle Timeout Specify the idle timeout time. The system will automatically release the connection when the time is up. Maximum Specify the maximum number of the connections to the SSH server.
  • Page 539: Using The Cli

    Configuring Access Security Access Security Configurations Using the CLI 2.2.1 Configuring the Access Control Feature Follow these steps to configure the access control: Step 1 configure Enter global configuration mode. Step 2 ■ Use the following command to control the users’ access by limiting the IP address: user access-control ip-based enable Configure the control mode as IP-based.
  • Page 540: Configuring The Http Function

    Configuring Access Security Access Security Configurations Step 3 show user configuration Verify the configuration of access control. Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set the type of access control as IP-based. Set the IP address as 192.168.0.100, set the subnet mask as 255.255.255.0, and select snmp, telnet, http and https to apply the Access Control rule.
  • Page 541 Configuring Access Security Access Security Configurations Step 4 ip http max-users admin-num operator-num poweruser-num user-num Specify the maximum number of users that are allowed to connect to the HTTP server. The total number of users should be no more than 16. admin-num : Enter the maximum number of users whose access level is Admin.
  • Page 542: Configuring The Https Function

    Configuring Access Security Access Security Configurations Switch#copy running-config startup-config 2.2.3 Configuring the HTTPS Function Follow these steps to configure the HTTPS function: Step 1 configure Enter global configuration mode. Step 2 ip http secure-server Enable the HTTPS function. By default, it is enabled. Step 3 ip http secure-protocol { ssl3 | tls1 | tls11 | tls12 | all } Select the protocol version for HTTPS.
  • Page 543 Configuring Access Security Access Security Configurations Step 5 ip http secure-session timeout minutes Specify the Session Timeout time. The system will log out automatically if users do nothing within the Session Timeout time. minutes : Specify the timeout time, which ranges from 5 to 30 minutes. The default value is 10. Step 6 ip http secure-max-users admin-num operator-num poweruser-num user-num Specify the maximum number of users that are allowed to connect to the HTTPS server.
  • Page 544 Configuring Access Security Access Security Configurations number as 2. Download the certificate named ca.crt and the key named ca.key from the TFTP server with the IP address 192.168.0.100. Switch#configure Switch(config)#ip http secure-server Switch(config)#ip http secure-protocol all Switch(config)#ip http secure-ciphersuite 3des-ede-cbc-sha Switch(config)#ip http secure-session timeout 15 Switch(config)#ip http secure-max-users 2 2 2 2 Switch(config)#ip http secure-server download certificate ca.crt ip-address...
  • Page 545: Configuring The Ssh Feature

    Configuring Access Security Access Security Configurations 2.2.4 Configuring the SSH Feature Follow these steps to configure the SSH function: Step 1 configure Enter global configuration mode. Step 2 ip ssh server Enable the SSH function. By default, it is disabled. Step 3 ip ssh version { v1 | v2 } Configure to make the switch support the corresponding protocol.
  • Page 546 Configuring Access Security Access Security Configurations Step 9 Return to privileged EXEC mode. Step 10 copy running-config startup-config Save the settings in the configuration file. Note: It will take a long time to download the key file. Please wait without any operation. The following example shows how to configure the SSH function.
  • Page 547: Configuring The Telnet Function

    Configuring Access Security Access Security Configurations AES192-CBC: Disabled AES256-CBC: Disabled Blowfish-CBC: Disabled Cast128-CBC: Enabled 3DES-CBC: Disabled Data Integrity Algorithm: HMAC-SHA1: Disabled HMAC-MD5: Enabled Key Type: SSH-2 RSA/DSA Key File: ---- BEGIN SSH2 PUBLIC KEY ---- Comment: “dsa-key-20160711” Switch(config)#end Switch#copy running-config startup-config 2.2.5 Configuring the Telnet Function Follow these steps to enable the Telnet function: Step 1...
  • Page 548: Appendix: Default Parameters

    Configuring Access Security Appendix: Default Parameters Appendix: Default Parameters Default settings of Access Security are listed in the following tables. Table 3-1 Default Settings of Access Control Configuration Parameter Default Setting Access Control Disabled Table 3-2 Default Settings of HTTP Configuration Parameter Default Setting HTTP...
  • Page 549 Configuring Access Security Appendix: Default Parameters Parameter Default Setting Idle Timeout 120 seconds Maximum Connections Port AES128-CBC Enabled AES192-CBC Enabled AES256-CBC Enabled Blowfish-CBC Enabled Cast128-CBC Enabled 3DES-CBC Enabled HMAC-SHA1 Enabled HMAC-MD5 Enabled Key Type: SSH-2 RSA/DSA Table 3-5 Default Settings of Telnet Configuration Parameter Default Setting Telnet...
  • Page 550: Configuring Aaa

    Part 16 Configuring AAA CHAPTERS 1. Overview 2. AAA Configuration 3. Configuration Example 4. Appendix: Default Parameters
  • Page 551: Overview

    Overview Overview AAA stands for authentication, authorization and accounting. On TP-Link switches, this feature is mainly used to authenticate the users trying to log in to the switch or get administrative privileges. The administrator can create guest accounts and an Enable password for other users.
  • Page 552: Aaa Configuration

    Configuring AAA AAA Configuration AAA Configuration In the AAA feature, the authentication can be processed locally on the switch or centrally on the RADIUS/TACACS+ server(s). To ensure the stability of the authentication system, you can configure multiple servers and authentication methods at the same time. This chapter introduces how to configure this kind of comprehensive authentication in AAA.
  • Page 553: Using The Gui

    Configuring AAA AAA Configuration ■ AAA Application List The switch supports the following access applications: Telnet, SSH and HTTP. You can select the configured authentication method lists for each application. Using the GUI 2.1.1 Adding Servers You can add one or more RADIUS/TACACS+ servers on the switch for authentication. If multiple servers are added, the server that is first added to the group has the highest priority and authenticates the users trying to access the switch.
  • Page 554 Configuring AAA AAA Configuration Accounting Port Specify the UDP destination port on the RADIUS server for accounting requests. The default setting is 1813. Usually, it is used in the 802.1x feature. Retransmit Specify the number of times a request is resent to the server if the server does not respond.
  • Page 555: Configuring Server Groups

    Configuring AAA AAA Configuration 2.1.2 Configuring Server Groups The switch has two built-in server groups, one for RADIUS servers and the other for TACACS+ servers. The servers running the same protocol are automatically added to the default server group. You can add new server groups as needed. Choose the menu SECURITY >...
  • Page 556 Configuring AAA AAA Configuration Choose the menu SECURITY > AAA > Method List to load the following page. Figure 2-5 Method List There are two default methods respectively for the Login authentication and the Enable authentication. You can edit the default methods or follow these steps to add a new method: 1) Click in the Authentication Login Method List section or Authentication Enable Method List section to add corresponding type of method list.
  • Page 557: Configuring The Aaa Application List

    Configuring AAA AAA Configuration Pri1- Pri4 Specify the authentication methods in order. The method with priority 1 authenticates a user first, the method with priority 2 is tried if the previous method does not respond, and so on. local: Use the local database in the switch for authentication. none: No authentication is used.
  • Page 558: Using The Cli

    Configuring AAA AAA Configuration ■ On the Switch The local username and password for login can be configured in the User Management feature. For details, refer to Managing System. To configure the local Enable password for getting administrative privileges, choose the menu SECURITY >...
  • Page 559 Configuring AAA AAA Configuration trying to access the switch, and the others act as backup servers in case the first one breaks down. ■ Adding RADIUS Server Follow these steps to add RADIUS server on the switch: Step 1 configure Enter global configuration mode.
  • Page 560 Configuring AAA AAA Configuration Switch(config)#radius-server host 192.168.0.10 auth-port 1812 timeout 8 retransmit 3 key 123456 Switch(config)#show radius-server Server Ip Auth Port Acct Port Timeout Retransmit NAS Identifier Shared key 192.168.0.10 1812 1813 000AEB132397 123456 Switch(config)#end Switch#copy running-config startup-config ■ Adding TACACS+ Server Follow these steps to add TACACS+ server on the switch: Step 1 configure...
  • Page 561: Configuring Server Groups

    Configuring AAA AAA Configuration Switch#configure Switch(config)#tacacs-server host 192.168.0.20 auth-port 49 timeout 8 key 123456 Switch(config)#show tacacs-server Server Ip Port Timeout Shared key 192.168.0.20 123456 Switch(config)#end Switch#copy running-config startup-config 2.2.2 Configuring Server Groups The switch has two built-in server groups, one for RADIUS and the other for TACACS+. The servers running the same protocol are automatically added to the default server group.
  • Page 562: Configuring The Method List

    Configuring AAA AAA Configuration Switch(config)#aaa group radius RADIUS1 Switch(aaa-group)#server 192.168.0.10 Switch(aaa-group)#server 192.168.0.20 Switch(aaa-group)#show aaa group RADIUS1 192.168.0.10 192.168.0.20 Switch(aaa-group)#end Switch#copy running-config startup-config 2.2.3 Configuring the Method List A method list describes the authentication methods and their sequence to authenticate the users. The switch supports Login Method List for users of all types to gain access to the switch, and Enable Method List for guests to get administrative privileges.
  • Page 563: Configuring The Aaa Application List

    Configuring AAA AAA Configuration Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create a Login method list named Login1, and configure the method 1 as the default radius server group and the method 2 as local. Switch#configure Switch(config)#aaa authentication login Login1 radius local Switch(config)#show aaa authentication login...
  • Page 564 Configuring AAA AAA Configuration ■ Telnet Follow these steps to apply the Login and Enable method lists for the application Telnet: Step 1 configure Enter global configuration mode. Step 2 line telnet Enter line configuration mode. Step 3 login authentication { method-list } Apply the Login method list for the application Telnet.
  • Page 565 Configuring AAA AAA Configuration ■ SSH Follow these steps to apply the Login and Enable method lists for the application SSH: Step 1 configure Enter global configuration mode. Step 2 line ssh Enter line configuration mode. Step 3 login authentication { method-list } Apply the Login method list for the application SSH.
  • Page 566: Configuring Login Account And Enable Password

    Configuring AAA AAA Configuration ■ HTTP Follow these steps to apply the Login and Enable method lists for the application HTTP: Step 1 configure Enter global configuration mode. Step 2 ip http login authentication { method-list } Apply the Login method list for the application HTTP. method-list Specify the name of the Login method list.
  • Page 567 Configuring AAA AAA Configuration ■ On the Switch The local username and password for login can be configured in the User Management feature. For details, refer to Managing System. To configure the local Enable password for getting administrative privileges, follow these steps: Step 1 configure...
  • Page 568 Configuring AAA AAA Configuration ■ For Login authentication configuration, more than one login account can be created on the server. Besides, both the user name and password can be customized. ■ For Enable password configuration: On RADIUS server, the user name should be set as $enable$, and the Enable password is customizable.
  • Page 569: Configuration Example

    Configuring AAA Configuration Example Configuration Example Network Requirements As shown below, the switch needs to be managed remotely via Telnet. In addition, the senior administrator of the company wants to create an account for the less senior administrators, who can only view the configurations and some network information without the Enable password provided.
  • Page 570: Using The Gui

    Configuring AAA Configuration Example Demonstrated with T1500-28PCT, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. Using the GUI 1) Choose the menu SECURITY > AAA > RADIUS Config and click to load the following page.
  • Page 571 Configuring AAA Configuration Example 3) Choose the menu SECURITY > AAA > Server Group to load the following page. Click . Specify the group name as RADIUS1 and the server type as RADIUS. Select 192.168.0.10 and 192.168.0.20 from the drop-down list. Click Create to create the server group.
  • Page 572: Using The Cli

    Configuring AAA Configuration Example Figure 3-6 Configure Enable Method List 6) Choose the menu SECURITY > AAA > Global Config to load the following page. In the AAA Application List section, select telnet and configure the Login List as Method-Login and Enable List as Method-Enable. Then click Apply. Figure 3-7 Configure AAA Application List 7) Click to save the settings.
  • Page 573 Configuring AAA Configuration Example 3) Create two method lists: Method-Login and Method-Enable, and configure the server group RADIUS1 as the authentication method for the two method lists. Switch(config)#aaa authentication login Method-Login RADIUS1 Switch(config)#aaa authentication enable Method-Enable RADIUS1 4) Configure Method-Login and Method-Enable as the authentication method for the Telnet application.
  • Page 574 Configuring AAA Configuration Example default none Method-Enable RADIUS1 Verify the status of the AAA feature and the configuration of the AAA application list: Switch#show aaa global Module Login List Enable List Telnet Method-Login Method-Enable default default Http default default
  • Page 575: Appendix: Default Parameters

    Configuring AAA Appendix: Default Parameters Appendix: Default Parameters Default settings of AAA are listed in the following tables. Table 4-1 Parameter Default Setting Global Config AAA Feature Enabled RADIUS Config Server IP None Shared Key None Auth Port 1812 Acct Port 1813 Retransmit Timeout...
  • Page 576 Configuring AAA Appendix: Default Parameters Parameter Default Setting AAA Application List Login List: default telnet Enable List: default Login List: default Enable List: default Login List: default http Enable List: default
  • Page 577: Configuring 802.1X

    Part 17 Configuring 802.1x CHAPTERS 1. Overview 2. 802.1x Configuration 3. Configuration Example 4. Appendix: Default Parameters
  • Page 578: Overview

    ■ Client A client, usually a computer, is connected to the authenticator via a physical port. We recommend that you install TP-Link 802.1x authentication client software on the client hosts, enabling them to request 802.1x authentication to access the LAN.
  • Page 579: Configuration

    Configuring 802.1x 802.1x Configuration 802.1x Configuration To complete the 802.1x configuration, follow these steps: 1) Configure the RADIUS server. 2) Configure 802.1x globally. 3) Configure 802.1x on ports. In addition, you can view the authenticator state. Configuration Guidelines 802.1x authentication and Port Security cannot be enabled at the same time. Before enabling 802.1x authentication, make sure that Port Security is disabled.
  • Page 580 Configuring 802.1x 802.1x Configuration 1) Configure the parameters of the RADIUS server. Server IP Enter the IP address of the server running the RADIUS secure protocol. Shared Key Enter the shared key between the RADIUS server and the switch. The RADIUS server and the switch use the key string to encrypt passwords and exchange responses.
  • Page 581 Configuring 802.1x 802.1x Configuration Figure 2-3 Editing Server Group If you click , the following window will pop up. Specify a name for the server group, select the server type as RADIUS and select the IP address of the RADIUS server. Click Save. Figure 2-4 Adding Server Group ■...
  • Page 582: Configuring 802.1X Globally

    Handshake Enable or disable the Handshake feature. The Handshake feature is used to detect the connection status between the TP-Link 802.1x Client and the switch. Please disable the Handshake feature if you are using other client software instead of TP-Link 802.1x Client.
  • Page 583: Configuring 802.1X On Ports

    Configuring 802.1x 802.1x Configuration VLAN Assignment: Enable or disable the 802.1x VLAN assignment feature. 802.1x VLAN assignment is a technology allowing the RADIUS server to send the VLAN assignment to the port when the port is authenticated. If the assigned VLAN does not exist on the switch, the switch will create the related VLAN automatically, add the authenticated port to the VLAN and change the PVID based on the assigned VLAN.
  • Page 584 Configuring 802.1x 802.1x Configuration Select whether to enable the MAB (MAC-Based Authentication Bypass) feature for the port. With MAB feature enabled, the switch automatically sends the authentication server a RADIUS access request frame with the client’s MAC address as the username and password.
  • Page 585: View The Authenticator State

    Configuring 802.1x 802.1x Configuration Note: If a port is in an LAG, its 802.1x authentication function cannot be enabled. Also, a port with 802.1x authentication enabled cannot be added to any LAG. 2.1.4 View the Authenticator State Choose the menu SECURITY > 802.1x > Authenticator State to load the following page. Figure 2-8 View Authenticator State On this page, you can view the authentication status of each port: Port...
  • Page 586: Using The Cli

    Configuring 802.1x 802.1x Configuration Using the CLI 2.2.1 Configuring the RADIUS Server Follow these steps to configure RADIUS: Step 1 configure Enter global configuration mode. Step 2 radius-server host ip-address [ auth-port port-id ] [ acct-port port-id ] [ timeout time ] [ retransmit number ] [ nas-id nas-id ] key { [ 0 ] string | 7 encrypted-string } Add the RADIUS server and configure the related parameters as needed.
  • Page 587 Configuring 802.1x 802.1x Configuration Step 6 aaa authentication dot1x default { method } Select the RADIUS group for 802.1x authentication. method: Specify the RADIUS group for 802.1x authentication. aaa accounting dot1x default { method } Select the RADIUS group for 802.1x accounting. method: Specify the RADIUS group for 802.1x accounting.
  • Page 588: Configuring 802.1X Globally

    Configuring 802.1x 802.1x Configuration Switch#configure Switch(config)#radius-server host 192.168.0.100 auth-port 1812 acct-port 1813 key 123456 Switch(config)#aaa group radius radius1 Switch(aaa-group)#server 192.168.0.100 Switch(aaa-group)#exit Switch(config)#aaa authentication dot1x default radius1 Switch(config)#aaa accounting dot1x default radius1 Switch(config)#show radius-server Server Ip Auth Port Acct Port Timeout Retransmit NAS Identifier Shared key 192.168.0.100 1812...
  • Page 589 (Optional) Enable the Handshake feature. The Handshake feature is used to detect the connection status between the TP-Link 802.1x Client and the switch. Please disable the Handshake feature if you are using other client software instead of TP-Link 802.1x Client. Step 6 dot1x vlan-assignment (Optional) Enable or disable the 802.1x VLAN assignment feature.
  • Page 590: Configuring 802.1X On Ports

    Configuring 802.1x 802.1x Configuration Switch#configure Switch(config)#dot1x system-auth-control Switch(config)#dot1x auth-protocol pap Switch(config)#show dot1x global 802.1X State: Enabled Authentication Protocol: Handshake State: Enabled 802.1X Accounting State: Disabled 802.1X VLAN Assignment State: Disabled Switch(config)#end Switch#copy running-config startup-config 2.2.3 Configuring 802.1x on Ports Follow these steps to configure the port: Step 1 configure Enter global configuration mode.
  • Page 591 Configuring 802.1x 802.1x Configuration Step 5 dot1x guest-vlan vid (Optional) Configure guest VLAN on the port. vid: Specify the ID of the VLAN to be configured as the guest VLAN. The valid values are from 0 to 4094. 0 means that Guest VLAN is disabled on the port. The configured VLAN must be an existing 802.1Q VLAN.
  • Page 592: Viewing Authenticator State

    Configuring 802.1x 802.1x Configuration Step 12 Return to privileged EXEC mode. Step 13 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable 802.1x authentication on port 1/0/2, configure the control type as port-based, and keep other parameters as default: Switch#configure Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#dot1x...
  • Page 593 Configuring 802.1x 802.1x Configuration Step 3 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Enter interface configuration mode. port: Enter the ID of the port to be configured. Step 4 dot1x auth-init [ mac mac-address ] Initialize the specific client.
  • Page 594: Configuration Example

    Configuring 802.1x Configuration Example Configuration Example Network Requirements The network administrator wants to control access from the end users (clients) in the company. It is required that all clients need to be authenticated separately and only the authenticated clients can access the internet. Configuration Scheme ■...
  • Page 595: Using The Gui

    Configuring 802.1x Configuration Example Figure 3-1 Network Topology Switch A Authenticator Fa1/0/3 Fa1/0/2 Fa1/0/1 RADIUS Server 192.168.0.10/24 Auth Port:1812 Client Client Client Demonstrated with T1500-28PCT acting as the authenticator, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. Using the GUI 1) Choose the menu SECURITY >...
  • Page 596 Configuring 802.1x Configuration Example 2) Choose the menu SECURITY > AAA > Server Group and click to load the following page. Specify the group name as RADIUS1, select the server type as RADIUS and server IP as 192.168.0.10. Click Create. Figure 3-3 Creating Server Group 3) Choose the menu SECURITY >...
  • Page 597: Using The Cli

    Configuring 802.1x Configuration Example Figure 3-6 Configuring Port 6) Click to save the settings. Using the CLI 1) Configure the RADIUS parameters. Switch_A(config)#radius-server host 192.168.0.10 auth-port 1812 key 123456 Switch_A(config)#aaa group radius RADIUS1 Switch_A(aaa-group)#server 192.168.0.10 Switch_A(aaa-group)#exit Switch_A(config)#aaa authentication dot1x default RADIUS1 2) Globally enable 802.1x authentication and set the authentication protocol.
  • Page 598 Configuring 802.1x Configuration Example Switch_A(config)#interface fastEthernet 1/0/3 Switch_A(config-if)#no dot1x Switch_A(config-if)#exit Switch_A(config)#interface fastEthernet 1/0/1 Switch_A(config-if)#dot1x Switch_A(config-if)#dot1x port-method mac-based Switch_A(config-if)#dot1x port-control auto Switch_A(config-if)#exit Verify the Configurations Verify the global configurations of 802.1x authentication: Switch_A#show dot1x global 802.1X State: Enabled Authentication Protocol: Handshake State: Enabled 802.1X Accounting State: Disabled...
  • Page 599 Configuring 802.1x Configuration Example unauthorized Verify the configurations of RADIUS: Switch_A#show aaa global Module Login List Enable List Telnet default default default default Http default default Switch_A#show aaa authentication dot1x Methodlist pri1 pri2 pri3 pri4 default RADIUS1 Switch_A#show aaa group RADIUS1 192.168.0.10
  • Page 600: Appendix: Default Parameters

    Configuring 802.1x Appendix: Default Parameters Appendix: Default Parameters Default settings of 802.1x are listed in the following table. Table 4-1 Default Settings of 802.1x Parameter Default Setting Global Config 802.1x Authentication Disabled Authentication Method Handshake Enabled Accounting Disabled VLAN Assignment Disabled Port Config 802.1x Status...
  • Page 601: Configuring Port Security

    Part 18 Configuring Port Security CHAPTERS 1. Overview 2. Port Security Configuration 3. Appendix: Default Parameters
  • Page 602: Overview

    Configuring Port Security Overview Overview You can use the Port Security feature to limit the number of MAC addresses that can be learned on each port, thus preventing the MAC address table from being exhausted by the attack packets. In addition, the switch can send a notification if the number of learned MAC addresses on the port exceeds the limit.
  • Page 603: Port Security Configuration

    Configuring Port Security Port Security Configuration Port Security Configuration Using the GUI Choose the menu SECURITY > Port Security to load the following page. Figure 2-1 Port Security Follow these steps to configure Port Security: 1) Select one or more ports and configure the following parameters. Port Displays the port number.
  • Page 604: Using The Cli

    Configuring Port Security Port Security Configuration Learn Address Mode: Select the learn mode of the MAC addresses on the port. Three modes are provided: Delete on Timeout: The switch will delete the MAC addresses that are not used or updated within the aging time. It is the default setting. Delete on Reboot: The learned MAC addresses are out of the influence of the aging time and can only be deleted manually.
  • Page 605 Configuring Port Security Port Security Configuration Step 3 mac address-table max-mac-count { [max-number num ] [exceed-max-learned enable | disable] [mode { dynamic | static | permanent } ] [ status { forward | drop | disable } ]} Enable the port security feature of the port and configure the related parameters. num : The maximum number of MAC addresses that can be learned on the port.
  • Page 606 Configuring Port Security Port Security Configuration Switch(config-if)#mac address-table max-mac-count max-number 30 exceed-max-learned enable mode permanent status drop Switch(config-if)#show mac address-table max-mac-count interface gigabitEthernet 1/0/1 Port Max-learn Current-learn Exceed Max Limit Mode Status ---- --------- ----------- ---------- ------ -------- Gi1/0/1 disable permanent drop Switch(config-if)#end...
  • Page 607: Appendix: Default Parameters

    Configuring Port Security Appendix: Default Parameters Appendix: Default Parameters Default settings of Port Security are listed in the following table. Table 3-1 Default Parameters of Port Security Parameter Default Setting Max Learned Number of Current Learned Number Exceed Max Learned Trap Disabled Learn Address Mode Delete on Timeout...
  • Page 608: Configuring Acl

    Part 19 Configuring ACL CHAPTERS 1. Overview 2. ACL Configuration 3. Configuration Example for ACL 4. Appendix: Default Parameters
  • Page 609: Overview

    Configuring ACL Overview Overview ACL (Access Control List) filters traffic as it passes through a switch, and permits or denies packets crossing specified interfaces or VLANs. It accurately identifies and processes the packets based on the ACL rules. In this way, ACL helps to limit network traffic, manage network access behaviors, forward packets to specified ports and more.
  • Page 610: Acl Configuration

    Configuring ACL ACL Configuration ACL Configuration Using the GUI 2.1.1 Configuring Time Range Some ACL-based services or features may need to be limited to take effect only during a specified time period. In this case, you can configure a time range for the ACL. For details about Time Range configuration, please refer to Managing System.
  • Page 611: Configuring Acl Rules

    Configuring ACL ACL Configuration Note: The supported ACL type and ID range varies on different switch models. Please refer to the on-screen information. 2.1.3 Configuring ACL Rules The created ACL will be displayed on the SECURITY > ACL > ACL Config page. Figure 2-2 Editing ACL Click Edit ACL in the Operation column.
  • Page 612 Configuring ACL ACL Configuration Figure 2-4 Configuring the MAC ACL Rule Follow these steps to configure the MAC ACL rule: 1) In the MAC ACL Rule section, configure the following parameters: Rule ID Enter an ID number to identify the rule. It should not be the same as any current rule ID in the same ACL.
  • Page 613 Configuring ACL ACL Configuration EtherType Specify the EtherType to be matched using 4 hexadecimal numbers. User Priority Specify the User Priority to be matched. Time Range Select a time range during which the rule will take effect. The default value is No Limit, which means the rule is always in effect. The Time Range referenced here can be created on the SYSTEM >...
  • Page 614 Configuring ACL ACL Configuration 4) In the Policy section, enable or disable the Rate Limit feature for the matched packets. With this option enabled, configure the related parameters. Figure 2-7 Configuring Rate Limit Rate Specify the transmission rate for the matched packets. Burst Size Specify the maximum number of bytes allowed in one second.
  • Page 615: Configuring Ip Acl Rule

    Configuring ACL ACL Configuration Configuring IP ACL Rule Click Edit ACL for an IP ACL entry to load the following page. Figure 2-9 Configuring the IP ACL Rule In ACL Rules Table section, click and the following page will appear.
  • Page 616 Configuring ACL ACL Configuration Figure 2-10 Configuring the IP ACL Rule Follow these steps to configure the IP ACL rule: 1) In the IP ACL Rule section, configure the following parameters: Rule ID Enter an ID number to identify the rule. It should not be the same as any current rule ID in the same ACL.
  • Page 617 Configuring ACL ACL Configuration D-IP/Mask Enter the destination IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched. IP Protocol Select a protocol type from the drop-down list. The default is No Limit, which indicates that packets of all protocols will be matched.
  • Page 618 Configuring ACL ACL Configuration Figure 2-11 Configuring Mirroring 3) In the Policy section, enable or disable the Redirect feature for the matched packets. With this option enabled, choose a destination port to which the packets will be redirected. Figure 2-12 Configuring Redirect Note: In the Mirroring feature, the matched packets will be copied to the destination port and the original forwarding will not be affected.
  • Page 619: Configuring Combined Acl Rule

    Configuring ACL ACL Configuration Out of Band Select the action for the packets whose rate is beyond the specified rate. None: The packets will be forwarded normally. Drop: The packets will be discarded. 5) In the Policy section, enable or disable the QoS Remark feature for the matched packets.
  • Page 620 Configuring ACL ACL Configuration Figure 2-16 Configuring the Combined ACL Rule Follow these steps to configure the Combined ACL rule: 1) In the Combined ACL Rule section, configure the following parameters: Rule ID Enter an ID number to identify the rule. It should not be the same as any current rule ID in the same ACL.
  • Page 621 Configuring ACL ACL Configuration Operation Select an action to be taken when a packet matches the rule. Permit: To forward the matched packets. Deny: To discard the matched packets. S-MAC/Mask Enter the source MAC address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched.
  • Page 622 Configuring ACL ACL Configuration User Priority Specify the User Priority to be matched. Time Range Select a time range during which the rule will take effect. The default value is No Limit, which means the rule is always in effect. The Time Range referenced here can be created on the SYSTEM >...
  • Page 623 Configuring ACL ACL Configuration Figure 2-19 Configuring Rate Limit Rate Specify the transmission rate for the matched packets. Burst Size Specify the maximum number of bytes allowed in one second. Out of Band Select the action for the packets whose rate is beyond the specified rate. None: The packets will be forwarded normally.
  • Page 624: Configuring The Ipv6 Acl Rule

    Configuring ACL ACL Configuration Configuring the IPv6 ACL Rule Click Edit ACL for an IPv6 ACL entry to load the following page. Figure 2-21 Configuring the IPv6 ACL Rule In ACL Rules Table section, click and the following page will appear. Figure 2-22 Configuring the IPv6 ACL Rule
  • Page 625 Configuring ACL ACL Configuration Follow these steps to configure the IPv6 ACL rule: 1) In the IPv6 ACL Rule section, configure the following parameters: Rule ID Enter an ID number to identify the rule. It should not be the same as any current rule ID in the same ACL. If you select Auto Assign, the rule ID will be assigned automatically and the interval between rule IDs is 5.
  • Page 626 Configuring ACL ACL Configuration 2) In the Policy section, enable or disable the Mirroring feature for the matched packets. With this option enabled, choose a destination port to which the packets will be mirrored. Figure 2-23 Configuring Mirroring 3) In the Policy section, enable or disable the Redirect feature for the matched packets. With this option enabled, choose a destination port to which the packets will be redirected.
  • Page 627 Configuring ACL ACL Configuration Burst Size Specify the number of bytes allowed in one second. Out of Band Select the action for the packets whose rate is beyond the specified rate. None: The packets will be forwarded normally. Drop: The packets will be discarded. 5) In the Policy section, enable or disable the QoS Remark feature for the matched packets.
  • Page 628: Configuring Acl Binding

    Configuring ACL ACL Configuration Here you can view and edit the ACL rules. You can also click Resequence to resequence the rules by providing a Start Rule ID and Step value. 2.1.4 Configuring ACL Binding You can bind the ACL to a port or a VLAN. The received packets on the port or in the VLAN will then be matched and processed according to the ACL rules.
  • Page 629: Using The Cli

    Configuring ACL ACL Configuration ■ Binding the ACL to a VLAN Choose the menu SECURITY > ACL > ACL Binding > VLAN Binding to load the following page. Figure 2-29 Binding the ACL to a VLAN Follow these steps to bind the ACL to a VLAN: 1) Choose ID or Name to be used for matching the ACL.
  • Page 630 Configuring ACL ACL Configuration Step 2 access-list create acl-id [name acl-name ] Create a MAC ACL. acl-id: Enter an ACL ID. The ID ranges from 0 to 499. acl-name: Enter a name to identify the ACL. Step 3 access-list mac acl-id-or-name rule { auto | rule-id } { deny | permit } logging {enable | disable} [ smac source-mac smask source-mac-mask ] [dmac destination-mac dmask destination-mac-mask ] [type ether-type] [pri dot1p-priority ] [vid vlan-id ] [tseg time-range-name ] Add a MAC ACL Rule.
  • Page 631 Configuring ACL ACL Configuration Step 7 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create MAC ACL 50 and configure Rule 5 to permit packets with source MAC address 00:34:A2:D4:34:B5: Switch#configure Switch(config)#access-list create 50 Switch(config-mac-acl)#access-list mac 50 rule 5 permit logging disable smac 00:34:A2:D4:34:B5 smask FF:FF:FF:FF:FF:FF Switch(config-mac-acl)#exit...
  • Page 632 Configuring ACL ACL Configuration Step 3 access-list ip acl-id-or-name rule {auto | rule-id } {deny | permit} logging {enable | disable} [sip sip-address sip-mask sip-address-mask ] [ dip dip-address dip-mask dip-address-mask ] [dscp dscp-value ] [tos tos-value ] [pre pre-value ] [protocol protocol [s-port s-port-number s-port-mask s-port-mask ] [d-port d-port-number d-port-mask d-port-mask ] [tcpflag tcpflag ]] [tseg time-range-name ] Add rules to the ACL.
  • Page 633 Configuring ACL ACL Configuration Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create IP ACL 600, and configure Rule 1 to permit packets with source IP address 192.168.1.100: Switch#configure Switch(config)#access-list create 600 Switch(config)#access-list ip 600 rule 1 permit logging disable sip 192.168.1.100 sip-mask 255.255.255.255 Switch(config)#show access-list 600...
  • Page 634 Configuring ACL ACL Configuration Step 3 access-list combined acl-id-or-name rule {auto | rule-id } {deny | permit} logging {enable | disable} [smac source-mac-address smask source-mac-mask ] [dmac dest-mac-address dmask dest-mac-mask ] [vid vlan-id ] [type ether-type ] [pri priority ] [sip sip-address sip-mask sip-address-mask ] [dip dip-address dip-mask dip-address-mask ] [dscp dscp-value ] [tos tos-value ] [pre pre-value ] [protocol protocol [s-port s-port-number s-port-mask s-port-mask ] [d-port d-port-number d-port-mask d-port-mask ] [tcpflag tcpflag ]] [tseg time-range-name ]...
  • Page 635 Configuring ACL ACL Configuration protocol: Specify a protocol number between 0 and 255. s-port-number: With TCP or UDP configured as the protocol, specify the source port number. s-port-mask: With TCP or UDP configured as the protocol, specify the source port mask with 4 hexadecimal numbers.
  • Page 636 Configuring ACL ACL Configuration Step 2 access-list create acl-id [name acl-name ] Create an IPv6 ACL. acl-id: Enter an ACL ID. The ID ranges from 1500 to 1999. acl-name: Enter a name to identify the ACL. Step 3 access-list ipv6 acl-id-or-name rule {auto | rule-id } {deny | permit} logging {enable | disable} [class class-value ] [flow-label flow-label-value ] [sip source-ip-address sip-mask source-ip-mask ] [dip destination-ip-address dip-mask destination-ip-mask ] [s-port source-port-number ] [d-port destination-port-number ] [tseg time-range-name ]...
  • Page 637 Configuring ACL ACL Configuration The following example shows how to create IPv6 ACL 1600 and configure Rule 1 to deny packets with source IPv6 address CDCD:910A:2222:5498:8475:1111:3900:2020: Switch#configure Switch(config)#access-list create 1600 Switch(config)#access-list ipv6 1600 rule 1 deny logging disable sip CDCD:910A:2222:5498:8475:1111:3900:2020 sip-mask ffff:ffff:ffff:ffff Switch(config)#show access-list 1600 IPv6 access list 1600 name: ACL_1600 rule 1 deny logging disable sip cdcd:910a:2222:5498:8475:1111:3900:2020 sip-mask ffff:ff...
  • Page 638: Configuring Policy

    Configuring ACL ACL Configuration rule 11 permit logging disable vid 18 rule 21 permit logging disable dmac aa:cc:ee:ff:dd:33 dmask ff:ff:ff:ff:ff:ff Switch(config)#end Switch#copy running-config startup-config 2.2.3 Configuring Policy Policy allows you to further process the matched packets through operations such as mirroring, rate-limiting, redirecting, or changing priority.
  • Page 639 Configuring ACL ACL Configuration Step 3 redirect interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } (Optional) Define the policy to redirect the matched packets to the desired port. port : The destination port to which the packets will be redirected. The default is All. s-mirror interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } (Optional) Define the policy to mirror the matched packets to the desired port.
  • Page 640: Configuring Acl Binding

    Configuring ACL ACL Configuration MAC access list 10 name: ACL_10 rule 5 permit logging disable action redirect Gi1/0/4 Switch(config)#end Switch#copy running-config startup-config 2.2.4 Configuring ACL Binding You can bind the ACL to a port or a VLAN. The received packets on the port or in the VLAN will then be matched and processed according to the ACL rules.
  • Page 641: Viewing Acl Counting

    Configuring ACL ACL Configuration ACL ID ACL NAME Interface/VID Direction Type ----- ---------- ------------- ------- ---- ACL_1 Gi1/0/3 Ingress Port ACL_1 Ingress VLAN Switch(config)#end Switch#copy running-config startup-config 2.2.5 Viewing ACL Counting You can use the following command to view the number of matched packets of each ACL in the privileged EXEC mode and any other configuration mode: show access-list acl-id-or-name counter View the number of matched packets of the specific ACL.
  • Page 642: Configuration Example For Acl

    Configuring ACL Configuration Example for ACL Configuration Example for ACL Network Requirements As shown below, a company’s internal server group can provide different types of services. Computers in the Marketing department are connected to the switch via port 1/0/1, and the internal server group is connected to the switch via port 1/0/2.
  • Page 643: Using The Gui

    Configuring ACL Configuration Example for ACL ■ Configure four permit rules to match the packets with source IP address 10.10.70.0/24, and destination ports TCP 80, TCP 443 and TCP/UDP 53. These allow the Marketing department to visit http and https websites on the internet. The switch matches the packets with the rules in order, starting with Rule 1.
  • Page 644 Configuring ACL Configuration Example for ACL Figure 3-4 Editing IP ACL 4) Configure rule 1 to permit packets with the source IP address 10.10.70.0/24 and destination IP address 10.10.80.0/24. Figure 3-5 Configuring Rule 1 5) In the same way, configure rule 2 and rule 3 to permit packets with source IP 10.10.70.0 and destination port TCP 80 (http service port) and TCP 443 (https service port).
  • Page 645 Configuring ACL Configuration Example for ACL Figure 3-6 Configuring Rule 2
  • Page 646 Configuring ACL Configuration Example for ACL Figure 3-7 Configuring Rule 3
  • Page 647 Configuring ACL Configuration Example for ACL 6) In the same way, configure rule 4 and rule 5 to permit packets with source IP 10.10.70.0 and with destination port TCP 53 or UDP 53 (DNS service port). Figure 3-8 Configuring Rule 4
  • Page 648 Configuring ACL Configuration Example for ACL Figure 3-9 Configuring Rule 5 7) In the same way, configure rule 6 to deny packets with source IP 10.10.70.0. Figure 3-10 Configuring Rule 6
  • Page 649: Using The Cli

    Configuring ACL Configuration Example for ACL 8) Choose the menu SECURITY > ACL > ACL Binding and click to load the following page. Bind Policy Market to port 1/0/1 to make it take effect. Figure 3-11 Binding the Policy to Port 1/0/1 9) Click to save the settings.
  • Page 650 Configuring ACL Configuration Example for ACL Switch(config)#access-list ip 500 rule 5 permit logging disable sip 10.10.70.0 sip-mask 255.255.255.0 protocol 17 d-port 53 d-port-mask ffff 5) Configure rule 6 to deny packets with source IP 10.10.70.0/24. Switch(config)#access-list ip 500 rule 6 deny logging disable sip 10.10.70.0 sip-mask 255.255.255.0 6) Bind ACL500 to port 1.
  • Page 651: Appendix: Default Parameters

    Configuring ACL Appendix: Default Parameters Appendix: Default Parameters The default settings of ACL are listed in the following tables: Table 4-1 MAC ACL Parameter Default Setting Operation Permit User Priority No Limit Time-Range No Limit Table 4-2 IP ACL Parameter Default Setting Operation Permit...
  • Page 652 Configuring ACL Appendix: Default Parameters Table 4-5 Policy Parameter Default Setting Mirroring Disabled Redirect Disabled Rate Limit Disabled QoS Remark Disabled
  • Page 653: Configuring Ipv4 Impb

    Part 20 Configuring IPv4 IMPB CHAPTERS 1. IPv4 IMPB 2. IP-MAC Binding Configuration 3. ARP Detection Configuration 4. IPv4 Source Guard Configuration 5. Configuration Examples 6. Appendix: Default Parameters
  • Page 654: Ipv4 Impb

    Configuring IPv4 IMPB IPv4 IMPB IPv4 IMPB Overview IPv4 IMPB (IP-MAC-Port Binding) is used to bind the IP address, MAC address, VLAN ID and the connected port number of the specified host. Based on the binding table, the switch can prevent ARP cheating attacks with the ARP Detection feature and filter the packets that don’t match the binding entries with the IP Source Guard feature.
  • Page 655: Ip-Mac Binding Configuration

    Configuring IPv4 IMPB IP-MAC Binding Configuration IP-MAC Binding Configuration You can add IP-MAC Binding entries in three ways: ■ Manual Binding ■ Via ARP Scanning ■ Via DHCP Snooping Additionally, you can view, search and edit the entries in the Binding Table. Using the GUI 2.1.1 Binding Entries Manually You can manually bind the IP address, MAC address, VLAN ID and the Port number...
  • Page 656: Binding Entries Via Arp Scanning

    Configuring IPv4 IMPB IP-MAC Binding Configuration 1) Enter the following information to specify a host. Host Name Enter the host name for identification. IP Address Enter the IP address. MAC Address Enter the MAC address. VLAN ID Enter the VLAN ID. 2) Select protect type for the entry.
  • Page 657 Configuring IPv4 IMPB IP-MAC Binding Configuration Choose the menu SECURITY > IPv4 IMPB > IP-MAC Binding > ARP Scanning to load the following page. Figure 2-2 ARP Scanning Follow these steps to configure IP-MAC Binding via ARP scanning: 1) In the Scanning Option section, specify an IP address range and a VLAN ID. Then click Scan to scan the entries in the specified IP address range and VLAN.
  • Page 658: Binding Entries Via Dhcp Snooping

    Configuring IPv4 IMPB IP-MAC Binding Configuration Protect Type Select the protect type for the entry. The entry will be applied to the specific feature. The following options are provided: None: This entry will not be applied to any feature. ARP Detection: This entry will be applied to the ARP Detection feature.
  • Page 659 Configuring IPv4 IMPB IP-MAC Binding Configuration Choose the menu SECURITY > IPv4 IMPB > IP-MAC Binding > DHCP Snooping to load the following page. Figure 2-3 DHCP Snooping Follow these steps to configure IP-MAC Binding via DHCP Snooping: 1) In the Global Config section, globally enable DHCP Snooping. Click Apply. 2) In the VLAN Config section, enable DHCP Snooping on a VLAN or range of VLANs.
  • Page 660: Viewing The Binding Entries

    Configuring IPv4 IMPB IP-MAC Binding Configuration Maximum Entries Configure the maximum number of binding entries a port can learn via DHCP snooping Displays the LAG that the port is in. 4) The learned entries will be displayed in the Binding Table. You can go to SECURITY > IPv4 IMPB >...
  • Page 661: Using The Cli

    Configuring IPv4 IMPB IP-MAC Binding Configuration VLAN ID Displays the VLAN ID. Port Displays the port number. Protect Type Select the protect type for the entry. The entry will be applied to the specific feature. The following options are provided: None: This entry will not be applied to any feature.
  • Page 662 Configuring IPv4 IMPB IP-MAC Binding Configuration Step 2 ip source binding hostname ip-addr mac-addr vlan vlan-id interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id } { none | arp-detection | ip-verify-source | both } Manually bind the host name, IP address, MAC address, VLAN ID and port number of the host, and configure the protect type for the host.
  • Page 663: Binding Entries Via Dhcp Snooping

    Configuring IPv4 IMPB IP-MAC Binding Configuration 2.2.2 Binding Entries via DHCP Snooping Follow these steps to bind entries via DHCP Snooping: Step 1 configure Enter global configuration mode. Step 2 ip dhcp snooping Globally enable DHCP Snooping. Step 3 ip dhcp snooping vlan vlan-range Enable DHCP Snooping on the specified VLAN.
  • Page 664: Viewing Binding Entries

    Configuring IPv4 IMPB IP-MAC Binding Configuration VLAN ID: 5 Switch(config-if)#show ip dhcp snooping interface gigabitEthernet 1/0/1 Interface max-entries LAG --------- ----------- Gi1/0/1 Switch(config-if)#end Switch#copy running-config startup-config 2.2.3 Viewing Binding Entries On privileged EXEC mode or any other configuration mode, you can use the following command to view binding entries: show ip source binding View the information of binding entries, including the host name, IP address, MAC address, VLAN ID, port...
  • Page 665: Arp Detection Configuration

    Configuring IPv4 IMPB ARP Detection Configuration ARP Detection Configuration To complete ARP Detection configuration, follow these steps: 1) Add IP-MAC Binding entries. 2) Enable ARP Detection. 3) Configure ARP Detection on ports. 4) View ARP statistics. Using the GUI 3.1.1 Adding IP-MAC Binding Entries In ARP Detection, the switch detects the ARP packets based on the binding entries in the IP-MAC Binding Table.
  • Page 666: Configuring Arp Detection On Ports

    Configuring IPv4 IMPB ARP Detection Configuration ARP Detect Enable or disable ARP Detection globally. Validate Source Enable or disable the switch to check whether the source MAC address and the sender MAC address are the same when receiving an ARP packet. If not, the ARP packet will be discarded.
  • Page 667: Viewing Arp Statistics

    Configuring IPv4 IMPB ARP Detection Configuration Follow these steps to configure ARP Detection on ports: 1) Select one or more ports and configure the parameters. Trust Status Enable or disable this port to be a trusted port. On a trusted port, the ARP packets are forwarded directly without being checked.
  • Page 668: Using The Cli

    Configuring IPv4 IMPB ARP Detection Configuration In the Auto Refresh section, you can enable the auto refresh feature and specify the refresh interval, and thus the web page will be automatically refreshed. In the Illegal ARP Packet section, you can view the number of illegal ARP packets in each VLAN.
  • Page 669: Configuring Arp Detection On Ports

    Configuring IPv4 IMPB ARP Detection Configuration Step 5 ip arp inspection vlan vlan-list logging (Optional) Enable the Log feature to make the switch generate a log when an ARP packet is discarded. vlan-list : Enter the VLAN ID. The format is 1,5-9. Step 6 show ip arp inspection Verify the ARP Detection configuration.
  • Page 670 Configuring IPv4 IMPB ARP Detection Configuration Step 1 configure Enter global configuration mode. Step 2 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Enter interface configuration mode. Step 3 ip arp inspection trust Configure the port as a trusted port, on which the ARP Detection function will not take...
  • Page 671: Viewing Arp Statistics

    Configuring IPv4 IMPB ARP Detection Configuration Switch(config-if)#ip arp inspection burst-interval 2 Switch(config-if)#show ip arp inspection interface gigabitEthernet 1/0/2 Interface Trust state limit Rate(pps) Current speed(pps) Burst Interval Status LAG --------- ----------- --------------- ------------------ -------------- -------- --- Gi1/0/2 Enable Switch(config-if)#end Switch#copy running-config startup-config The following example shows how to restore the port 1/0/1 that is in Down status to Normal status: Switch#configure...
  • Page 672: Ipv4 Source Guard Configuration

    Configuring IPv4 IMPB IPv4 Source Guard Configuration IPv4 Source Guard Configuration To complete IPv4 Source Guard configuration, follow these steps: 1) Add IP-MAC Binding entries. 2) Configure IPv4 Source Guard. Using the GUI 4.1.1 Adding IP-MAC Binding Entries In IPv4 Source Guard, the switch filters the packets that do not match the rules of IPv4- MAC Binding Table.
  • Page 673: Using The Cli

    Configuring IPv4 IMPB IPv4 Source Guard Configuration Follow these steps to configure IPv4 Source Guard: 1) In the Global Config section, choose whether to enable the Log feature. Click Apply. IPv4 Source Guard Log: Enable or disable the IPv4 Source Guard Log feature. With this feature enabled, the switch generates a log when illegal packets are received.
  • Page 674 Configuring IPv4 IMPB IPv4 Source Guard Configuration Step 3 ip verify source { sip+mac | sip } Enable IP Source Guard for IPv4 packets. sip+mac : Only the packet with its source IP address, source MAC address and port number matching the IP-MAC binding rules can be processed, otherwise the packet will be discarded.
  • Page 675: Configuration Examples

    Configuring IPv4 IMPB Configuration Examples Configuration Examples Example for ARP Detection 5.1.1 Network Requirements As shown below, User 1 and User 2 are legal users in the LAN and connected to port 1/0/1 and port 1/0/2. Both of them are in the default VLAN 1. The router has been configured with security feature to prevent attacks from the WAN.
  • Page 676: Using The Gui

    Configuring IPv4 IMPB Configuration Examples 3) Configure ARP Detection on ports. Since port 1/0/3 is connected to the gateway router, set port 1/0/3 as trusted port. To prevent ARP flooding attacks, limit the speed of receiving the legal ARP packets on all ports. Demonstrated with T1500-28PCT, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.
  • Page 677 Configuring IPv4 IMPB Configuration Examples Figure 5-3 Binding Entry for User 2 3) Choose the menu SECURITY > IPv4 IMPB > ARP Detection > Global Config to load the following page. Enable ARP Detect, Validate Source MAC, Validate Destination MAC and Validate IP, and click Apply.
  • Page 678: Using The Cli

    Configuring IPv4 IMPB Configuration Examples Figure 5-5 Port Config 5) Click to save the settings. 5.1.4 Using the CLI 1) Manually bind the entries for User 1 and User 2. Switch_A#configure Switch_A(config)#ip source binding User1 192.168.0.31 74:d3:45:32:b6:8d vlan 1 interface fastEthernet 1/0/1 arp-detection Switch_A(config)#ip source binding User2 192.168.0.32 88:a9:d4:54:fd:c3 vlan 1 interface fastEthernet 1/0/2 arp-detection 2) Enable ARP Detection globally and on VLAN 1.
  • Page 679 Configuring IPv4 IMPB Configuration Examples Verify the Configuration Verify the IP-MAC Binding entries: Switch_A#show ip source binding Host IP-Addr MAC-Addr VID Port SOURCE ---- ------- -------- ---- ------ User1 192.168.0.31 74:d3:45:32:b6:8d Fa1/0/1 ARP-D Manual User2 192.168.0.33 88:a9:d4:54:fd:c3 Fa1/0/2 ARP-D Manual Notice: 1.Here, ‘ARP-D’...
  • Page 680: Example For Ip Source Guard

    Configuring IPv4 IMPB Configuration Examples Interface Trust state limit Rate(pps) Current speed(pps) Burst Interval Status LAG --------- ----------- --------------- ------------------ -------------- ------- --- Fa1/0/1 Disable Fa1/0/2 Disable Fa1/0/3 Enable Example for IP Source Guard 5.2.1 Network Requirements As shown below, the legal host connects to the switch via port 1/0/1 and belongs to the default VLAN 1.
  • Page 681: Using The Gui

    Configuring IPv4 IMPB Configuration Examples 5.2.3 Using the GUI 1) Choose the menu SECURITY > IPv4 IMPB > IP-MAC Binding > Manual Binding and click to load the following page. Enter the host name, IP address, MAC address and VLAN ID of the legal host, select the protect type as , and select port 1/0/1 on the panel.
  • Page 682: Using The Cli

    Configuring IPv4 IMPB Configuration Examples Figure 5-8 IPv4 Source Guard 3) Click to save the settings. 5.2.4 Using the CLI 1) Manually bind the IP address, MAC address, VLAN ID and connected port number of the legal host, and apply this entry to the IP Source Guard feature. Switch#configure Switch(config)#ip source binding legal-host 192.168.0.100 74:d3:45:32:b5:6d vlan 1 interface fastEthernet 1/0/1 ip-verify-source...
  • Page 683 Configuring IPv4 IMPB Configuration Examples Host IP-Addr MAC-Addr VID Port SOURCE ---- ------- -------- ---- ------ User1 192.168.0.100 74:d3:45:32:b5:6d Fa1/0/1 IP-V-S Manual Notice: 1.Here, ‘ARP-D’ for ‘ARP-Detection’,and’IP-V-S’ for ‘IP-Verify-Source’. Verify the configuration of IP Source Guard: Switch#show ip verify source IP Source Guard log: Enabled Port Security-Type...
  • Page 684: Appendix: Default Parameters

    Configuring IPv4 IMPB Appendix: Default Parameters Appendix: Default Parameters Default settings of DHCP Snooping are listed in the following table: Table 6-1 DHCP Snooping Parameter Default Setting Global Config DHCP Snooping Disabled VLAN Config Status Disabled Port Config Maximum Entry Default settings of ARP Detection are listed in the following table: Table 6-2 ARP Detection...
  • Page 685 Configuring IPv4 IMPB Appendix: Default Parameters Parameter Default Setting Burst Interval 1 second ARP Statistics Auto Refresh Disabled Refresh Interval 5 seconds Default settings of IPv4 Source Guard are listed in the following table: Table 6-3 ARP Detection Parameter Default Setting Global Config IPv4 Source Guard Log: Disabled...
  • Page 686: Configuring Ipv6 Impb

    Part 21 Configuring IPv6 IMPB CHAPTERS 1. IPv6 IMPB 2. IPv6-MAC Binding Configuration 3. ND Detection Configuration 4. IPv6 Source Guard Configuration 5. Configuration Examples 6. Appendix: Default Parameters
  • Page 687: Ipv6 Impb

    Configuring IPv6 IMPB IPv6 IMPB IPv6 IMPB Overview IPv6 IMPB (IP-MAC-Port Binding) is used to bind the IPv6 address, MAC address, VLAN ID and the connected port number of the specified host. Based on the binding table, the switch can prevent ND attacks with the ND Detection feature and filter the packets that don’t match the binding entries with the IPv6 Source Guard feature.
  • Page 688 Configuring IPv6 IMPB IPv6 IMPB Figure 1-1 Network Topology of ND Detection User A Trusted Untrusted Port Port Untrusted Port Switch Gateway Attacker IPv6 Source Guard IPv6 Source Guard is used to filter the IPv6 packets based on the IPv6-MAC Binding table. Only the packets that match the binding rules are forwarded.
  • Page 689: Ipv6-Mac Binding Configuration

    Configuring IPv6 IMPB IPv6-MAC Binding Configuration IPv6-MAC Binding Configuration You can add IPv6-MAC Binding entries in three ways: ■ Manual Binding ■ Via ND Snooping ■ Via DHCPv6 Snooping Additionally, you can view, search and edit the entries in the Binding Table. Using the GUI 2.1.1 Binding Entries Manually You can manually bind the IPv6 address, MAC address, VLAN ID and the Port number...
  • Page 690: Binding Entries Via Nd Snooping

    Configuring IPv6 IMPB IPv6-MAC Binding Configuration 1) Enter the following information to specify a host. Host Name Enter the host name for identification. IPv6 Address Enter the IPv6 address. MAC Address Enter the MAC address. VLAN ID Enter the VLAN ID. 2) Select protect type for the entry.
  • Page 691 Configuring IPv6 IMPB IPv6-MAC Binding Configuration Choose the menu SECURITY > IPv6 IMPB > IPv6-MAC Binding > ND Snooping to load the following page. Figure 2-2 ND Snooping Follow these steps to configure IPv6-MAC Binding via ND Snooping: 1) In the ND Snooping section, enable ND Snooping and click Apply. 2) In the VLAN Config section, select one or more VLANs and enable ND Snooping.
  • Page 692: Binding Entries Via Dhcpv6 Snooping

    Configuring IPv6 IMPB IPv6-MAC Binding Configuration Maximum Entries Configure the maximum number of binding entries a port can learn via ND snooping. Displays the LAG that the port is in. 4) The learned entries will be displayed in the Binding Table. You can go to SECURITY > IPv6 IMPB >...
  • Page 693: Viewing The Binding Entries

    Configuring IPv6 IMPB IPv6-MAC Binding Configuration Follow these steps to configure IPv6-MAC Binding via DHCPv6 Snooping: 1) In the Global Config section, globally enable DHCPv6 Snooping. Click Apply. 2) In the VLAN Config section, enable DHCPv6 Snooping on a VLAN or range of VLANs. Click Apply.
  • Page 694: Using The Cli

    Configuring IPv6 IMPB IPv6-MAC Binding Configuration Source Select the source of the entry and click Search. All: Displays the entries from all sources. Manual Binding: Displays the manually bound entries. ND Snooping: Displays the binding entries learned from ND Snooping. DHCPv6 Snooping: Displays the binding entries learned from DHCP Snooping.
  • Page 695 Configuring IPv6 IMPB IPv6-MAC Binding Configuration Step 1 configure Enter global configuration mode. Step 2 ipv6 source binding hostname ipv6-addr mac-addr vlan vlan-id interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id } { none | nd-detection | ipv6-verify-source | both } Manually bind the host name, IP address, MAC address, VLAN ID and port number of the host, and configure the protect type for the host.
  • Page 696: Binding Entries Via Nd Snooping

    Configuring IPv6 IMPB IPv6-MAC Binding Configuration 2.2.2 Binding Entries via ND Snooping Follow these steps to bind entries via ND Snooping: Step 1 configure Enter global configuration mode. Step 2 ipv6 nd snooping Globally enable ND Snooping. Step 3 ipv6 nd snooping vlan vlan-range Enable ND Snooping on the specified VLAN.
  • Page 697: Binding Entries Via Dhcpv6 Snooping

    Configuring IPv6 IMPB IPv6-MAC Binding Configuration Switch(config)#end Switch#copy running-config startup-config The following example shows how to configure the maximum number of entries that can be learned on port 1/0/1: Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#ipv6 nd snooping max-entries 1000 Switch(config-if)#show ipv6 nd snooping interface gigabitEthernet 1/0/1 Interface max-entries --------- -----------...
  • Page 698: Viewing Binding Entries

    Configuring IPv6 IMPB IPv6-MAC Binding Configuration Step 7 Return to privileged EXEC mode. Step 8 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable DHCPv6 Snooping globally and on VLAN 5, and set the maximum number of binding entries port 1/0/1 can learn via DHCPv6 snooping as 100: Switch#configure Switch(config)#ipv6 dhcp snooping...
  • Page 699: Nd Detection Configuration

    Configuring IPv6 IMPB ND Detection Configuration ND Detection Configuration To complete ND Detection configuration, follow these steps: 1) Add IPv6-MAC Binding entries. 2) Enable ND Detection. 3) Configure ND Detection on ports. 4) View ND statistics. Using the GUI 3.1.1 Adding IPv6-MAC Binding Entries The ND Detection feature allows the switch to detect the ND packets based on the binding entries in the IPv6-MAC Binding Table and filter out the illegal ND packets.
  • Page 700: Configuring Nd Detection On Ports

    Configuring IPv6 IMPB ND Detection Configuration VLAN ID Displays the VLAN ID. Status Enable or disable ND Detection on the VLAN. Log Status Enable or disable Log feature on the VLAN. With this feature enabled, the switch generates a log when an illegal ND packet is discarded. 3.1.3 Configuring ND Detection on Ports Choose the menu SECURITY >...
  • Page 701: Using The Cli

    Configuring IPv6 IMPB ND Detection Configuration Choose the menu SECURITY > IPv6 IMPB > ND Detection > ND Statistics to load the following page. Figure 3-3 View ND Statistics In the Auto Refresh section, you can enable the auto refresh feature and specify the refresh interval, and thus the web page will be automatically refreshed.
  • Page 702: Configuring Nd Detection On Ports

    Configuring IPv6 IMPB ND Detection Configuration Step 3 ipv6 nd detection vlan vlan-range Enable ND Detection on the specified VLAN. vlan-range: Enter the vlan range in the format of 1-3, 5. ipv6 nd detection vlan vlan-range logging Step 4 (Optional) Enable the Log feature to make the switch generate a log when an ND packet is discarded.
  • Page 703: Viewing Nd Statistics

    Configuring IPv6 IMPB ND Detection Configuration Step 2 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Enter interface configuration mode. Step 3 ipv6 nd detection trust Configure the port as a trusted port, on which the ND packets will not be checked.
  • Page 704: Ipv6 Source Guard Configuration

    Configuring IPv6 IMPB IPv6 Source Guard Configuration IPv6 Source Guard Configuration To complete IPv6 Source Guard configuration, follow these steps: 1) Add IP-MAC Binding entries. 2) Configure IPv6 Source Guard. Using the GUI 4.1.1 Adding IPv6-MAC Binding Entries The ND Detection feature allows the switch to detect the ND packets based on the binding entries in the IPv6-MAC Binding Table and filter out the illegal ND packets.
  • Page 705: Using The Cli

    Configuring IPv6 IMPB IPv6 Source Guard Configuration Port Displays the port number. Security Type Select Security Type on the port for IPv6 packets. The following options are provided: Disable: The IP Source Guard feature is disabled on the port. SIPv6+MAC: Only the packet with its source IPv6 address, source MAC address and port number matching the IPv6-MAC binding rules can be processed, otherwise the packet will be discarded.
  • Page 706 Configuring IPv6 IMPB IPv6 Source Guard Configuration Step 4 show ipv6 verify source [ interface { fastEthernet port | gigabitEthernet port | ten- gigabitEthernet port | port-channel port-channel-id } ] Verify the IP Source Guard configuration for IPv6 packets. Step 5 Return to privileged EXEC mode.
  • Page 707: Configuration Examples

    Configuring IPv6 IMPB Configuration Examples Configuration Examples Example for ND Detection 5.1.1 Network Requirements As shown below, User 1 and User 2 are legal IPv6 users in the LAN and connected to port 1/0/1 and port 1/0/2. Both of them are in the default VLAN 1. The router has been configured with security feature to prevent attacks from the WAN.
  • Page 708: Using The Gui

    Configuring IPv6 IMPB Configuration Examples 3) Configure ND Detection on ports. Since port 1/0/3 is connected to the gateway router, set port 1/0/3 as trusted port. Demonstrated with T1500-28PCT, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. 5.1.3 Using the GUI 1) Choose the menu SECURITY >...
  • Page 709 Configuring IPv6 IMPB Configuration Examples Figure 5-3 Binding Entry for User 2 3) Choose the menu SECURITY > IPv6 IMPB > ND Detection > Global Config to load the following page. Enable ND Detection and click Apply. Select VLAN 1, change Status as Enabled and click Apply.
  • Page 710: Using The Cli

    Configuring IPv6 IMPB Configuration Examples Figure 5-5 Port Config 5) Click to save the settings. 5.1.4 Using the CLI 1) Manually bind the entries for User 1 and User 2. Switch_A#configure Switch_A(config)#ipv6 source binding User1 2001::5 74:d3:45:32:b6:8d vlan 1 interface fastEthernet 1/0/1 nd-detection Switch_A(config)#ipv6 source binding User2 2001::6 88:a9:d4:54:fd:c3 vlan 1 interface fastEthernet 1/0/2 nd-detection 2) Enable ND Detection globally and on VLAN 1.
  • Page 711: Example For Ipv6 Source Guard

    Configuring IPv6 IMPB Configuration Examples Host IP-Addr MAC-Addr VID Port SOURCE ---- ------- -------- ---- ------ User1 2001::5 74:d3:45:32:b6:8d Fa1/0/1 ND-D Manual User2 2001::6 88:a9:d4:54:fd:c3 Fa1/0/2 ND-D Manual Notice: 1.Here, ‘ND-D’ for ‘ND-Detection’,and’IP-V-S’ for ‘IP-Verify-Source’. Verify the global configuration of ND Detection: Switch_A#show ipv6 nd detection Global Status: Enable Verify the ND Detection configuration on VLAN:...
  • Page 712: Configuration Scheme

    Configuring IPv6 IMPB Configuration Examples 1/0/1, and other unknown hosts will be blocked when trying to access the network via ports 1/0/1-3. Figure 5-6 Network Topology Legal Host 2001::5 74-D3-45-32-B6-8D Fa1/0/1 Fa1/0/2 Fa1/0/3 Unknown Host Switch Unknown Host 5.2.2 Configuration Scheme To implement this requirement, you can use IPv6-MAC Binding and IPv6 Source Guard to filter out the packets received from the unknown hosts.
  • Page 713 Configuring IPv6 IMPB Configuration Examples Figure 5-7 Manual Binding 2) Choose the menu SECURITY > IPv6 IMPB > IPv6 Source Guard to load the following page. Select ports 1/0/1-3, configure the Security Type as SIPv6+MAC, and click Apply. Figure 5-8 IPv6 Source Guard 3) Click to save the settings.
  • Page 714: Using The Cli

    Configuring IPv6 IMPB Configuration Examples 5.2.4 Using the CLI 1) Manually bind the IPv6 address, MAC address, VLAN ID and connected port number of the legal host, and apply this entry to the IPv6 Source Guard feature. Switch#configure Switch(config)#ipv6 source binding legal-host 2001::5 74:d3:45:32:b6:8d vlan 1 interface fastEthernet 1/0/1 ipv6-verify-source 2) Enable IPv6 Source Guard on ports 1/0/1-3.
  • Page 715: Appendix: Default Parameters

    Configuring IPv6 IMPB Appendix: Default Parameters Appendix: Default Parameters Default settings of DHCP Snooping are listed in the following table: Table 6-1 DHCPv6 Snooping Parameter Default Setting Global Config DHCPv6 Snooping Disabled VLAN Config Status Disabled Port Config Maximum Entry Default settings of ND Detection are listed in the following table: Table 6-2 ND Detection...
  • Page 716 Configuring IPv6 IMPB Appendix: Default Parameters Default settings of IPv6 Source Guard are listed in the following table: Table 6-3 ND Detection Parameter Default Setting Port Config Security Type Disabled
  • Page 717: Configuring Dhcp Filter

    Part 22 Configuring DHCP Filter CHAPTERS 1. DHCP Filter 2. DHCPv4 Filter Configuration 3. DHCPv6 Filter Configuration 4. Configuration Examples 5. Appendix: Default Parameters
  • Page 718: Dhcp Filter

    Configuring DHCP Filter DHCP Filter DHCP Filter Overview During the working process of DHCP, generally there is no authentication mechanism between the DHCP server and the clients. If there are several DHCP servers on the network, security problems and network interference will happen. DHCP Filter resolves this problem.
  • Page 719 Configuring DHCP Filter DHCP Filter DHCPv4 Filter DHCPv4 Filter is used for DHCPv4 servers and IPv4 clients. DHCPv6 Filter DHCPv6 Filter is used for DHCPv6 servers and IPv6 clients.
  • Page 720: Dhcpv4 Filter Configuration

    Configuring DHCP Filter DHCPv4 Filter Configuration DHCPv4 Filter Configuration To complete DHCPv4 Filter configuration, follow these steps: 1) Configure the basic DHCPv4 Filter parameters. 2) Configure legal DHCPv4 servers. Using the GUI 2.1.1 Configuring the Basic DHCPv4 Filter Parameters Choose the menu SECURITY > DHCP Filter > DHCPv4 Filter > Basic Config to load the following page.
  • Page 721: Configuring Legal Dhcpv4 Servers

    Configuring DHCP Filter DHCPv4 Filter Configuration Port Displays the port number. Status Enable or disable DHCPv4 Filter feature on the port. MAC Verify Enable or disable the MAC Verify feature. There are two fields in the DHCPv4 packet that contain the MAC address of the host. The MAC Verify feature compares the two fields of a DHCPv4 packet and discards the packet if the two fields are different.
  • Page 722: Using The Cli

    Configuring DHCP Filter DHCPv4 Filter Configuration Follow these steps to add a legal DHCPv4 server: 1) Configure the following parameters: Server IP Address Specify the IP address of the legal DHCPv4 server. Client MAC Address (Optional) Specify the MAC address of the DHCP Client. You can also keep this field empty, which represents all DHCP clients.
  • Page 723 Configuring DHCP Filter DHCPv4 Filter Configuration Step 7 ip dhcp filter decline rate value Enable the decline protect feature and specify the maximum number of Decline packets that can be forwarded per second on the port. The excessive Decline packets will be discarded. value: Specify the limit rate value of Decline packets.
  • Page 724: Configuring Legal Dhcpv4 Servers

    Configuring DHCP Filter DHCPv4 Filter Configuration Interface state MAC-Verify Limit-Rate Dec-rate --------- ------- ---------- ---------- -------- Gi1/0/1 Enable Enable Switch(config-if)#end Switch#copy running-config startup-config 2.2.2 Configuring Legal DHCPv4 Servers Follow these steps to configure legal DHCPv4 servers: Step 1 configure Enter global configuration mode. Step 2 ip dhcp filter server permit-entry server-ip ipAddr client-mac macAddr interface { fastEthernet port-list | gigabitEthernet port-list | ten-gigabitEthernet port-list | port-...
  • Page 725 Configuring DHCP Filter DHCPv4 Filter Configuration Switch(config)#end Switch#copy running-config startup-config User Guide Downloaded from ManualsNet.com search engine...
  • Page 726: Dhcpv6 Filter Configuration

    Configuring DHCP Filter DHCPv6 Filter Configuration DHCPv6 Filter Configuration To complete DHCPv6 Filter configuration, follow these steps: 1) Configure the basic DHCPv6 Filter parameters. 2) Configure legal DHCPv6 servers. Using the GUI 3.1.1 Configuring the Basic DHCPv6 Filter Parameters Choose the menu SECURITY > DHCP Filter > DHCPv6 Filter > Basic Config to load the following page.
  • Page 727: Configuring Legal Dhcpv6 Servers

    Configuring DHCP Filter DHCPv6 Filter Configuration Status Enable or disable DHCPv6 Filter feature on the port. Rate Limit Select to enable the rate limit feature and specify the maximum number of DHCPv6 packets that can be forwarded on the port per second. The excessive DHCPv6 packets will be discarded.
  • Page 728: Using The Cli

    Configuring DHCP Filter DHCPv6 Filter Configuration Using the CLI 3.2.1 Configuring the Basic DHCPv6 Filter Parameters Follow these steps to complete the basic settings of DHCPv6 Filter: Step 1 configure Enter global configuration mode. Step 2 ipv6 dhcp filter Enable DHCPv6 Filter globally. Step 3 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list |...
  • Page 729: Configuring Legal Dhcpv6 Servers

    Configuring DHCP Filter DHCPv6 Filter Configuration Note: The member port of an LAG (Link Aggregation Group) follows the configuration of the LAG and not its own. The configurations of the port can take effect only after it leaves the LAG. The following example shows how to enable DHCPv6 Filter globally and how to enable DHCPv6 Filter, set the limit rate as 10 pps and set the decline rate as 20 pps on port 1/0/1: Switch#configure...
  • Page 730 Configuring DHCP Filter DHCPv6 Filter Configuration Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create an entry for the legal DHCPv6 server whose IPv6 address is 2001::54 and connected port number is 1/0/1: Switch#configure Switch(config)#ipv6 dhcp filter server permit-entry server-ip 2001::54 interface...
  • Page 731: Configuration Examples

    Configuring DHCP Filter Configuration Examples Configuration Examples Example for DHCPv4 Filter 4.1.1 Network Requirements As shown below, all the DHCPv4 clients get IP addresses from the legal DHCPv4 server, and any other DHCPv4 server in the LAN is regarded as illegal. Now it is required that only the legal DHCPv4 server is allowed to assign IP addresses to the clients.
  • Page 732: Using The Gui

    Configuring DHCP Filter Configuration Examples 4.1.3 Using the GUI 1) Choose the menu SECURITY > DHCP Filter > DHCPv4 Filter > Basic Config to load the following page. Enable DHCPv4 Filter globally and click Apply. Select all ports, change Status as Enable, and click Apply. Figure 4-2 Basic Config 2) Choose the menu SECURITY >...
  • Page 733: Using The Cli

    Configuring DHCP Filter Configuration Examples Figure 4-3 Create Entry for Legal DHCPv4 Server 3) Click to save the settings. 4.1.4 Using the CLI 1) Enable DHCPv4 Filter globally and on all ports:
    Switch_A#configure
    Switch_A(config)#ip dhcp filter
    Switch_A(config)#interface range fastEthernet 1/0/1-24
    Switch_A(config-if-range)#ip dhcp filter
    Switch_A(config)#interface range gigabitEthernet 1/0/25-28
    Switch_A(config-if-range)#ip dhcp filter
    Switch_A(config-if-range)#exit...
  • Page 734: Example For Dhcpv6 Filter

    Configuring DHCP Filter Configuration Examples
    Global Status: Enable
    Verify the DHCPv4 Filter configuration on ports:
    Switch_A#show ip dhcp filter interface
    Interface  state    MAC-Verify  Limit-Rate  Dec-rate
    ---------  -------  ----------  ----------  --------
    Fa1/0/1    Enable   Disable     Disable     Disable
    Fa1/0/2    Enable   Disable     Disable     Disable
    Fa1/0/3    Enable   Disable     Disable...
  • Page 735: Configuration Scheme

    Configuring DHCP Filter Configuration Examples Figure 4-1 Network Topology (Switch A with the legal DHCPv6 server 2001::54 on port Fa1/0/1, an illegal DHCPv6 server, and three DHCPv6 clients) 4.2.2 Configuration Scheme To meet the requirements, you can configure DHCPv6 Filter to filter the DHCPv6 packets from the illegal DHCPv6 server.
  • Page 736 Configuring DHCP Filter Configuration Examples Figure 4-2 Basic Config 2) Choose the menu SECURITY > DHCP Filter > DHCPv6 Filter > Legal DHCPv6 Servers and click to load the following page. Specify the IP address and connected port number of the legal DHCPv6 server. Click Create. Figure 4-3 Create Entry for Legal DHCPv6 Server 3) Click to save the settings.
  • Page 737: Using The Cli

    Configuring DHCP Filter Configuration Examples 4.2.4 Using the CLI 1) Enable DHCPv6 Filter globally and on all ports:
    Switch_A#configure
    Switch_A(config)#ipv6 dhcp filter
    Switch_A(config)#interface range fastEthernet 1/0/1-24
    Switch_A(config-if-range)#ipv6 dhcp filter
    Switch_A(config)#interface range gigabitEthernet 1/0/25-28
    Switch_A(config-if-range)#ipv6 dhcp filter
    Switch_A(config-if-range)#exit
    2) Create an entry for the legal DHCPv6 server:
    Switch_A(config)#ipv6 dhcp filter server permit-entry server-ip 2001::54 interface fastEthernet 1/0/1
    Switch_A(config)#end...
  • Page 738 Configuring DHCP Filter Configuration Examples
    Switch_A#show ipv6 dhcp filter server permit-entry
    Server IP         Interface
    ----------------  ----------
    2001::54          Fa1/0/1
  • Page 739: Appendix: Default Parameters

    Configuring DHCP Filter Appendix: Default Parameters Appendix: Default Parameters Default settings of DHCPv4 Filter are listed in the following table: Table 5-1 DHCPv4 Filter Parameter Default Setting Global Config DHCPv4 Filter Disabled Port Config Status Disabled MAC Verify Disabled Rate Limit Disabled Decline Protect Disabled...
  • Page 740: Configuring Dos Defend

    Part 23 Configuring DoS Defend CHAPTERS 1. Overview 2. DoS Defend Configuration 3. Appendix: Default Parameters
  • Page 741: Overview

    Configuring DoS Defend Overview Overview The DoS (Denial of Service) defend feature provides protection against DoS attacks. DoS attacks occupy the network bandwidth maliciously by sending numerous service requests to the hosts. It results in an abnormal service or breakdown of the network. With DoS Defend feature, the switch can analyze the specific fields of the IP packets, distinguish the malicious DoS attack packets and discard them directly.
  • Page 742: Dos Defend Configuration

    Configuring DoS Defend DoS Defend Configuration DoS Defend Configuration Using the GUI Choose the menu SECURITY > DoS Defend to load the following page. Figure 2-1 DoS Defend Follow these steps to configure DoS Defend: 1) In the DoS Defend section, enable DoS Protection and click Apply. 2) In the DoS Defend Config section, select one or more defend types according to your needs and click Apply.
  • Page 743: Using The Cli

    Configuring DoS Defend DoS Defend Configuration NULL Scan The attacker sends the illegal packet with its TCP index and all the control fields set to 0. During the TCP connection and data transmission, the packets with all control fields set to 0 are considered illegal. SYN sPort less 1024 The attacker sends the illegal packet with its TCP SYN field set to 1 and source...
  • Page 744 Configuring DoS Defend DoS Defend Configuration Step 3 ip dos-prevent type { land | scan-synfin | xma-scan | null-scan | port-less-1024 | blat | ping-flood | syn-flood | win-nuke | ping-of-death | smurf } Configure one or more defend types according to your needs. The types of DoS attack are introduced as follows.
  • Page 745 Configuring DoS Defend DoS Defend Configuration Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable the DoS Defend type named land:
    Switch#configure
    Switch(config)#ip dos-prevent
    Switch(config)#ip dos-prevent type land
    Switch(config)#show ip dos-prevent
    DoS Prevention State:...
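An added Python example (not the switch's implementation) of the stateless header checks behind five of the defend types listed above, run on constructed packets. NULL Scan and SYN sPort less 1024 follow the manual's wording, reading "TCP index" as the sequence number and matching only initial SYNs; the land, scan-synfin and xma-scan rules use their conventional definitions and are assumptions, as are the function names.

```python
import struct
from ipaddress import IPv4Address

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG
IPPROTO_TCP = 6


def matched_defend_types(packet: bytes) -> list:
    """Return the defend-type keywords that one IPv4 packet matches."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return []
    ihl = (packet[0] & 0x0F) * 4
    (frag,) = struct.unpack("!H", packet[6:8])
    if ihl < 20 or packet[9] != IPPROTO_TCP or frag & 0x1FFF:
        return []                      # not TCP, or no TCP header in this fragment
    if len(packet) < ihl + 20:
        return []                      # truncated TCP header
    src, dst = packet[12:16], packet[16:20]
    sport, dport, seq = struct.unpack("!HHI", packet[ihl:ihl + 8])
    flags = packet[ihl + 13] & 0x3F
    hits = []
    if src == dst:                                     # assumption: conventional LAND rule
        hits.append("land")
    if flags & SYN and flags & FIN:                    # assumption: SYN and FIN together
        hits.append("scan-synfin")
    if (flags & XMAS) == XMAS:                         # assumption: FIN, PSH and URG set
        hits.append("xma-scan")
    if flags == 0 and seq == 0:                        # manual: index and control fields 0
        hits.append("null-scan")
    if flags & SYN and not flags & ACK and sport < 1024:   # manual: SYN set, low source port
        hits.append("port-less-1024")
    return hits


def tcp_packet(src, dst, sport, dport, flags, seq=0x1000) -> bytes:
    """Constructed IPv4/TCP packet; checksums are 0 because nothing reads them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


if __name__ == "__main__":
    samples = [  # constructed; addresses are from the documentation ranges
        ("ordinary SYN", tcp_packet("192.0.2.10", "192.0.2.20", 50000, 443, SYN)),
        ("SYN/ACK from 443", tcp_packet("192.0.2.20", "192.0.2.10", 443, 50000, SYN | ACK)),
        ("no flags, seq 0", tcp_packet("192.0.2.10", "192.0.2.20", 50000, 80, 0, seq=0)),
        ("SYN+FIN", tcp_packet("192.0.2.10", "192.0.2.20", 50000, 80, SYN | FIN)),
        ("same src and dst", tcp_packet("192.0.2.20", "192.0.2.20", 50000, 80, SYN)),
        # Clients that bind reserved source ports (NFS or rsh style) look like this.
        ("SYN from port 1023", tcp_packet("192.0.2.10", "192.0.2.20", 1023, 2049, SYN)),
    ]
    for label, pkt in samples:
        print(f"{label:20} {matched_defend_types(pkt)}")
```

The last sample is legitimate traffic that still matches port-less-1024, which is worth checking against real flows before that type is enabled.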
  • Page 746: Appendix: Default Parameters

    Configuring DoS Defend Appendix: Default Parameters Appendix: Default Parameters Default settings of Network Security are listed in the following tables. Table 3-1 DoS Defend Parameter Default Setting DoS Defend Disabled
  • Page 747: Monitoring The System

    Part 24 Monitoring the System CHAPTERS 1. Overview 2. Monitoring the CPU 3. Monitoring the Memory
  • Page 748: Overview

    Monitoring the System Overview Overview With System Monitor function, you can: ■ Monitor the CPU utilization of the switch. ■ Monitor the memory utilization of the switch. The CPU utilization should be always under 80%, and excessive use may result in switch malfunctions.
  • Page 749: Monitoring The Cpu

    Monitoring the System Monitoring the CPU Monitoring the CPU Using the GUI Choose the menu MAINTENANCE > System Monitor > CPU Monitor to load the following page. Figure 2-1 Monitoring the CPU Click Monitor to enable the switch to monitor and display its CPU utilization rate every five seconds.
  • Page 750 Monitoring the System Monitoring the CPU The following example shows how to monitor the CPU:
    Switch#show cpu-utilization
    Unit | CPU Utilization Five-Seconds One-Minute Five-Minutes
    ------+-------------------------------------------------
  • Page 751: Monitoring The Memory

    Monitoring the System Monitoring the Memory Monitoring the Memory Using the GUI Choose the menu MAINTENANCE > System Monitor > Memory Monitor to load the following page. Figure 3-1 Monitoring the Memory Click Monitor to enable the switch to monitor and display its memory utilization rate every five seconds.
  • Page 752 Monitoring the System Monitoring the Memory
    Unit | Current Memory Utilization
    ------+----------------------------
          | 74%
  • Page 753: Monitoring Traffic

    Part 25 Monitoring Traffic CHAPTERS 1. Traffic Monitor 2. Appendix: Default Parameters
  • Page 754: Traffic Monitor

    Monitoring Traffic Traffic Monitor Traffic Monitor With Traffic Monitor function, you can monitor each port’s traffic information, including the traffic summary and traffic statistics in detail. Using the GUI Choose the menu MAINTENANCE > Traffic Monitor to load the following page. Figure 1-1 Traffic Summary Follow these steps to view the traffic summary of each port: 1) To get the real-time traffic summary, enable Auto Refresh, or click Refresh.
  • Page 755 Monitoring Traffic Traffic Monitor Packets Tx: Displays the number of packets transmitted on the port. Error packets are not counted. Octets Rx: Displays the number of octets received on the port. Error octets are counted. Octets Tx: Displays the number of octets transmitted on the port. Error octets are counted. To view a port’s traffic statistics in detail, click Statistics on the right side of the entry.
  • Page 756 Monitoring Traffic Traffic Monitor Received: Displays the detailed information of received packets. Broadcast: Displays the number of valid broadcast packets received on the port. Error frames are not counted. Multicast: Displays the number of valid multicast packets received on the port. Error frames are not counted.
  • Page 757 Monitoring Traffic Traffic Monitor Sent: Displays the detailed information of sent packets. Broadcast: Displays the number of valid broadcast packets transmitted on the port. Error frames are not counted. Multicast: Displays the number of valid multicast packets transmitted on the port. Error frames are not counted.
  • Page 758: Using The Cli

    Monitoring Traffic Traffic Monitor Using the CLI In privileged EXEC mode or any other configuration mode, you can use the following command to view the traffic information of each port or LAG: show interface counters [ fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id ] port-channel-id: The group number of the LAG.
  • Page 759: Appendix: Default Parameters

    Monitoring Traffic Appendix: Default Parameters Appendix: Default Parameters Table 2-1 Traffic Statistics Monitoring Parameter Default Setting Traffic Summary Auto Refresh Disabled Refresh Rate 10 seconds
  • Page 760: Mirroring Traffic

    Part 26 Mirroring Traffic CHAPTERS 1. Mirroring 2. Configuration Examples 3. Appendix: Default Parameters
  • Page 761: Mirroring

    Mirroring Traffic Mirroring Mirroring You can analyze network traffic and troubleshoot network problems using Mirroring. Mirroring allows the switch to send a copy of the traffic that passes through specified sources (ports, LAGs or the CPU) to a destination port. It does not affect the switching of network traffic on source ports, LAGs or the CPU.
  • Page 762 Mirroring Traffic Mirroring Figure 1-2 Configure the Mirroring Session Follow these steps to configure the mirroring session: 1) In the Destination Port Config section, specify a destination port for the mirroring session, and click Apply. 2) In the Source Interfaces Config section, specify the source interfaces and click Apply. Traffic passing through the source interfaces will be mirrored to the destination port.
  • Page 763: Using The Cli

    Mirroring Traffic Mirroring Note: • The member ports of an LAG cannot be set as a destination port or source port. • A port cannot be set as the destination port and source port at the same time. Using the CLI Follow these steps to configure Mirroring.
  • Page 764 Mirroring Traffic Mirroring
    Switch(config)#monitor session 1 source interface gigabitEthernet 1/0/1-3 both
    Switch(config)#monitor session 1 source cpu 1 both
    Switch(config)#show monitor session
    Monitor Session:
    Destination Port: Gi1/0/10
    Source Ports(Ingress): Gi1/0/1-3
    Source Ports(Egress): Gi1/0/1-3
    Source CPU(Ingress): cpu1
    Source CPU(Egress): cpu1
    Switch(config-if)#end
    Switch#copy running-config startup-config
  • Page 765: Configuration Examples

    Mirroring Traffic Configuration Examples Configuration Examples Network Requirements As shown below, several hosts and a network analyzer are directly connected to the switch. For network security and troubleshooting, the network manager needs to use the network analyzer to monitor the data packets from the end hosts. Figure 2-1 Network Topology Fa1/0/2-5 Fa1/0/1...
  • Page 766: Using The Cli

    Mirroring Traffic Configuration Examples 2) Click Edit on the above page to load the following page. In the Destination Port Config section, select port 1/0/1 as the destination port and click Apply. Figure 2-3 Destination Port Configuration 3) In the Source Interfaces Config section, select ports 1/0/2-5 as the source ports, and enable Ingress and Egress to allow the received and sent packets to be copied to the destination port.
  • Page 767 Mirroring Traffic Configuration Examples Verify the Configuration
    Switch#show monitor session 1
    Monitor Session:
    Destination Port: Fa1/0/1
    Source Ports(Ingress): Fa1/0/2-5
    Source Ports(Egress): Fa1/0/2-5
  • Page 768: Appendix: Default Parameters

    Mirroring Traffic Appendix: Default Parameters Appendix: Default Parameters Default settings of Switching are listed in the following tables. Table 3-1 Configurations for Ports Parameter Default Setting Ingress Disabled Egress Disabled
  • Page 769: Configuring Dldp

    Part 27 Configuring DLDP CHAPTERS 1. Overview 2. DLDP Configuration 3. Appendix: Default Parameters
  • Page 770: Overview

    Configuring DLDP Overview Overview DLDP (Device Link Detection Protocol) is a Layer 2 protocol that enables devices connected through fiber or twisted-pair Ethernet cables to detect whether a unidirectional link exists. A unidirectional link occurs whenever traffic sent by a local device is received by its peer device but traffic from the peer device is not received by the local device.
  • Page 771: Dldp Configuration

    Configuring DLDP DLDP Configuration DLDP Configuration Configuration Guidelines ■ A DLDP-capable port cannot detect a unidirectional link if it is connected to a DLDP-incapable port of another switch. ■ To detect unidirectional links, make sure DLDP is enabled on both sides of the links. Using the GUI Choose the menu MAINTENANCE >...
  • Page 772 Configuring DLDP DLDP Configuration DLDP State Enable or disable DLDP globally. Advertisement Interval Configure the interval to send advertisement packets. Valid values are from 1 to 30 seconds, and the default value is 5 seconds. Shut Mode Choose how to shut down the port when a unidirectional link is detected: Auto: When a unidirectional link is detected on a port, DLDP will generate logs and traps then shut down the port, and DLDP on this port will change to Disabled.
  • Page 773: Using The Cli

    Configuring DLDP DLDP Configuration Using the CLI Follow these steps to configure DLDP: Step 1 configure Enter global configuration mode. Step 2 dldp Globally enable DLDP. Step 3 dldp interval interval-time Configure the interval of sending advertisement packets on ports that are in the advertisement state.
  • Page 774 Configuring DLDP DLDP Configuration
    Switch(config)#dldp
    Switch(config)#dldp interval 10
    Switch(config)#dldp shut-mode auto
    Switch(config)#show dldp
    DLDP Global State: Enable
    DLDP Message Interval: 10
    DLDP Shut Mode: Auto
    Switch(config)#end
    Switch#copy running-config startup-config
    The following example shows how to enable DLDP on port 1/0/1.
    Switch#configure
    Switch(config)#interface gigabitEthernet 1/0/1
    Switch(config-if)#dldp...
  • Page 775: Appendix: Default Parameters

    Configuring DLDP Appendix: Default Parameters Appendix: Default Parameters Default settings of DLDP are listed in the following table. Table 3-1 Default Settings of DLDP Parameter Default Setting Global Config DLDP State Disabled Advertisement Interval 5 seconds Shut Mode Auto Auto Refresh Disabled Refresh Interval 3 seconds...
  • Page 776: Configuring Snmp & Rmon

    Part 28 Configuring SNMP & RMON CHAPTERS 1. SNMP 2. SNMP Configurations 3. Notification Configurations 4. RMON 5. RMON Configurations 6. Configuration Example 7. Appendix: Default Parameters
  • Page 777: Snmp

    SNMP SNMP Overview SNMP (Simple Network Management Protocol) is a standard network management protocol, widely used on TCP/IP networks. It facilitates device management using NMS (Network Management System) applications. With SNMP, network managers can view or modify the information of network devices, and timely troubleshoot according to notifications sent by those devices.
  • Page 778 (1) mib-2 (1) tplink (11863) 1.3.6.1.4.1.11863 TP-Link switches provide private MIBs that can be identified by the OID 1.3.6.1.4.1.11863. The MIB file can be found on the provided CD or in the download center of our official website: https://www.tp-link.com/download-center.html Also, TP-Link switches support the following public MIBs: ■...
  • Page 779 SNMP ■ RFC2620-RADIUS-Acc-Client.mib ■ RFC2674-pBridge.mib ■ RFC2674-qBridge.mib ■ RFC2863-pBridge.mib ■ RFC2925-Disman-Ping.mib ■ RFC2925-Disman-Traceroute.mib For detailed information about the supported public MIBs, see Supported Public MIBs for TP-Link Switches. SNMP Entity An SNMP entity is a device running the SNMP protocol. Both the SNMP manager and SNMP agent are SNMP entities.
  • Page 780 SNMP Table 1-1 Features Supported by Different SNMP Versions
    Feature: Access Control
    SNMPv1: Based on SNMP Community and MIB View
    SNMPv2c: Based on SNMP Community and MIB View
    SNMPv3: Based on SNMP User, Group, and MIB View
    Supported authentication and privacy modes are as follows: Authentication Based on Community...
  • Page 781: Snmp Configurations

    SNMP Configurations SNMP Configurations To complete the SNMP configuration, choose an SNMP version according to network requirements and supportability of the NMS application, and then follow these steps: ■ Choose SNMPv1 or SNMPv2c 1) Enable SNMP. 2) Create an SNMP view for managed objects. 3) Create a community, specify the accessible view and the corresponding access rights.
  • Page 782: Creating An Snmp View

    A valid engine ID must contain an even number of characters. By default, the switch generates the engine ID using TP-Link’s enterprise number (80002e5703) and its own MAC address. The local engine ID is a unique alphanumeric string used to identify the SNMP engine.
  • Page 783: Creating Snmp Communities (For Snmp V1/V2C)

    SNMP Configurations Figure 2-3 Creating an SNMP View View Name Set the view name with 1 to 16 characters. A complete view consists of all MIB objects that have the same view name. View Type Set the view to include or exclude the related MIB object. Include: The NMS can view or manage the function indicated by the object.
  • Page 784: Creating An Snmp Group (For Snmp V3)

    SNMP Configurations Access Mode Specify the access right to the related view. Read Only: The NMS can view but not modify parameters of the specified view. Read & Write: The NMS can view and modify parameters of the specified view. MIB View Choose an SNMP view that allows the community to access.
  • Page 785: Creating Snmp Users (For Snmp V3)

    SNMP Configurations Read View Choose a view to allow parameters to be viewed but not modified by the NMS. The view is necessary for any group. Write View Choose a view to allow parameters to be modified by the NMS. The view in Write View should also be added to Read View.
  • Page 786: Using The Cli

    SNMP Configurations Security Level Set the security level. The security level from lowest to highest is: NoAuthNoPriv, AuthNoPriv, AuthPriv. The security level of the user should not be lower than the group it belongs to. NoAuthNoPriv: No authentication algorithm but a user name match is applied to check packets, and no privacy algorithm is applied to encrypt them.
  • Page 787 Enter the engine ID of the local SNMP agent (the switch) with 10 to 64 hexadecimal digits. A valid engine ID must contain an even number of characters. By default, the switch generates the engine ID using TP-Link’s enterprise number (80002e5703) and its own MAC address.
  • Page 788: Creating An Snmp View

    SNMP Configurations 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 0 Number of requested variables 0 Number of altered variables 0 Get-request PDUs 0 Get-next PDUs 0 Set-request PDUs 0 SNMP packets output 0 Too big errors (Maximum packet size 1500) 0 No such name errors 0 Bad value errors 0 General errors...
  • Page 789: Creating Snmp Communities (For Snmp V1/V2C)

    SNMP Configurations Step 2 snmp-server view name mib-oid {include | exclude} Configure the view. name: Enter a view name with 1 to 16 characters. You can create multiple entries with each associated to a MIB object. A complete view consists of all MIB objects that have the same view name.
  • Page 790: Creating An Snmp Group (For Snmpv3)

    SNMP Configurations Step 1 configure Enter Global Configuration Mode. Step 2 snmp-server community name { read-only | read-write } [ mib-view ] Configure the community. name: Enter a group name with 1 to 16 characters. read-only | read-write: Choose an access permission for the community. Read-only indicates that the NMS can view but cannot modify parameters of the view, while read-write indicates that the NMS can both view and modify.
  • Page 791 SNMP Configurations Step 2 snmp-server group name [ smode v3 ] [ slev {noAuthNoPriv | authNoPriv | authPriv}] [ read read-view ] [ write write-view ] [ notify notify-view ] Create an SNMP group. name: Enter the group name with 1 to 16 characters. The identifier of a group consists of a group name, security model and security level.
  • Page 792: Creating Snmp Users (For Snmpv3)

    SNMP Configurations 2.2.5 Creating SNMP Users (For SNMPv3) Create SNMP users and add them to the SNMP group. Users in the same group have the same access rights which are controlled by the read, write and notify views of the group. Step 1 configure Enter Global Configuration Mode.
  • Page 793 SNMP Configurations Step 3 show snmp-server user Displays the information of SNMP users. Step 4 Return to Privileged EXEC Mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create a remote SNMP user named admin and add it Table 2-1 to group nms1.
  • Page 794: Notification Configurations

    Notification Configurations Notification Configurations With Notification enabled, the switch can send notifications to the NMS about important events relating to the device’s operation. This facilitates the monitoring and management of the NMS. To configure SNMP notification, follow these steps: 1) Configure the information of NMS hosts. 2) Enable SNMP traps.
  • Page 795 Notification Configurations IP Mode Choose an IP mode for the NMS host. IP Address If you set IP Mode as IPv4, specify an IPv4 address for the NMS host. If you set IP Mode as IPv6, specify an IPv6 address for the NMS host. UDP Port Specify a UDP port on the NMS host to receive notifications.
  • Page 796: Enabling Snmp Traps

    Notification Configurations 3.1.2 Enabling SNMP Traps Choose the menu MAINTENANCE > SNMP > Notification > Trap Config to load the following page. Figure 3-2 Enabling SNMP Traps Follow these steps to enable some or all of the supported traps: 1) Select the traps to be enabled according to your needs. With a trap enabled, the switch will send the corresponding trap message to the NMS when the trap is triggered.
  • Page 797 Notification Configurations CPU Utilization Triggered when the CPU utilization exceeds 80%. Memory Utilization Triggered when the memory utilization exceeds 80%. Flash Operation Triggered when flash is modified during operations such as backup, reset, firmware upgrade, and configuration import. VLAN Create/Delete Triggered when certain VLANs are created or deleted successfully.
  • Page 798: Using The Cli

    Notification Configurations Only for products that support PoE. The trap includes the following sub-traps: Over-max-pwr-budget: Triggered when the total power required by the connected PDs exceeds the maximum power the PoE switch can supply. Port-pwr-change: Triggered when a port starts to supply power or stops supplying power.
  • Page 799 Notification Configurations Step 2 snmp-server host ip udp-port user-name [smode { v1 | v2c | v3 }] [slev {noAuthNoPriv | authNoPriv | authPriv }] [type { trap | inform}] [retries retries ] [timeout timeout ] Configure parameters of the NMS host and packet handling mechanism. Specify the IP address of the NMS host in IPv4 or IPv6.
  • Page 800: Enabling Snmp Traps

    Notification Configurations The following example shows how to configure an NMS host with the parameters shown in Table 3-1 Table 3-1 Parameters for the NMS Hosts Parameter Value IP Address 172.16.1.222 UDP Port User Name admin Security Model Security Level authPriv Notification Type Inform...
  • Page 801 Notification Configurations Step 2 snmp-server traps snmp [ linkup | linkdown | warmstart | coldstart | auth-failure ] Enable the corresponding SNMP standard traps. The command without any parameter enables all SNMP standard traps. By default, all SNMP standard traps are enabled. linkup | linkdown: Enable Linkup Trap and Linkdown Trap globally.
  • Page 802 Notification Configurations Step 2 snmp-server traps { rate-limit | cpu | flash | lldp remtableschange | lldp topologychange | loopback-detection | storm-control | spanning-tree | memory } Enable the corresponding SNMP extended traps. By default, all SNMP extended traps are disabled.
  • Page 803 Notification Configurations ■ Enabling the VLAN Traps Globally Step 1 configure Enter Global Configuration Mode. Step 2 snmp-server traps vlan [ create | delete ] Enable the corresponding VLAN traps. The command without parameter enables all SNMP VLAN traps. By default, all VLAN traps are disabled. create: Triggered when certain VLANs are created successfully.
  • Page 804 Notification Configurations The following example shows how to configure the switch to enable DHCP filter trap: Switch#configure Switch(config)#snmp-server traps security dhcp-filter Switch(config)#end Switch#copy running-config startup-config ■ Enabling the ACL Trap Globally Step 1 configure Enter Global Configuration Mode. Step 2 snmp-server traps security acl Enable the ACL trap.
  • Page 805 Notification Configurations Step 3 Return to Privileged EXEC Mode. Step 4 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure the switch to enable IP-Change trap: Switch#configure Switch(config)#snmp-server traps ip change Switch(config)#end Switch#copy running-config startup-config ■...
  • Page 806 Notification Configurations Step 4 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure the switch to enable all PoE traps: Switch#configure Switch(config)#snmp-server traps power Switch(config)#end Switch#copy running-config startup-config ■ Enabling the Link-status Trap for Ports Step 1 configure Enter Global Configuration Mode.
  • Page 807: Rmon

    RMON RMON RMON (Remote Network Monitoring) together with the SNMP system allows the network manager to monitor remote network devices efficiently. RMON reduces traffic flow between the NMS and managed devices, which is convenient to manage large networks. RMON includes two parts: the NMS and the Agents running on every network device. The NMS is usually a host that runs the management software to manage Agents of network devices.
  • Page 808: Rmon Configurations

    RMON Configurations RMON Configurations With RMON configurations, you can: ■ Configure the Statistics group. ■ Configure the History group. ■ Configure the Event group. ■ Configure the Alarm group. Configuration Guidelines To ensure that the NMS receives notifications normally, complete configurations of SNMP and SNMP Notification before configuring RMON.
  • Page 809: Configuring History Group

    RMON Configurations Status Set the entry as Valid or Under Creation. By default, it is Valid. The switch starts to collect Ethernet statistics for a Statistics entry once the entry status is configured as valid. Valid: The entry is created and valid. Under Creation: The entry is created but invalid.
  • Page 810: Configuring Event Group

    RMON Configurations 3) Enter the owner name, and set the status of the entry. Click Apply. Owner Enter the owner name of the entry with 1 to 16 characters. By default, it is monitor. Status Enable or disable the entry. By default, it is disabled. Enable: The entry is enabled.
  • Page 811: Configuring Alarm Group

    RMON Configurations Action Mode Specify the action for the switch to take when the event is triggered. None: No action. Log: The switch records the event in the log, and the NMS should initiate requests to get notifications. Notify: The switch sends notifications to the NMS. Log &...
  • Page 812 RMON Configurations Follow these steps to configure the Alarm group: 1) Select an alarm entry, choose a variable to be monitored, and associate the entry with a statistics entry. Index Displays the index of Alarm entries. The switch supports up to 12 Alarm entries.
  • Page 813: Using The Cli

    RMON Configurations Falling Threshold Set the falling threshold of the variable. Valid values are from 1 to 2147483647. When the sampling value or the difference value is below the threshold, the system will trigger the corresponding Falling Event. Note: The falling threshold should be less than the rising threshold. Falling Event Specify the index of the Event entry that will be triggered when the sampling value or the difference value is below the preset threshold.
  • Page 814 RMON Configurations Step 2 rmon statistics index interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } [ owner owner-name ] [ status { underCreation | valid }] Configure RMON Statistic entries. index: Specify the index of the Statistics entry, which ranges from 1 to 65535. To configure multiple indexes, enter a list of indexes separated by commas, or use a hyphen to indicate a range of indexes.
  • Page 815: Configuring History

    RMON Configurations Switch#copy running-config startup-config 5.2.2 Configuring History Step 1 configure Enter Global Configuration Mode. Step 2 rmon history index interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } [ interval seconds ] [ owner owner-name ] [ buckets number ] Configure RMON History entries.
  • Page 816: Configuring Event

    RMON Configurations Index Port Interval Buckets Owner State ----- --------- ----------- ----------- --------- ----- Gi1/0/1 monitor Enable Switch(config)#end Switch#copy running-config startup-config 5.2.3 Configuring Event Step 1 configure Enter Global Configuration Mode. Step 2 rmon event index [ user user-name ] [ description description ] [ type { none | log | notify | log-notify }] [ owner owner-name ] Configure RMON Event entries.
  • Page 817: Configuring Alarm

    RMON Configurations The following example shows how to create an Event entry on the switch. Set the user name as admin, the event type as Notify (set the switch to initiate notifications to the NMS), and the owner as monitor: Switch#configure Switch(config)#rmon event 1 user admin description rising-notify type notify owner monitor...
  • Page 818 RMON Configurations absolute | delta: Choose the sampling method of the specified variable. The default is absolute. In the absolute mode, the switch compares the sampling value against the preset threshold; in the delta mode, the switch obtains the difference between the sampling values of the current interval and the previous interval, and then compares the difference against the preset threshold.
  • Page 819 RMON Configurations Switch(config)#rmon alarm 1 stats-index 1 alarm-variable bpkt s-type absolute rising-threshold 3000 rising-event-index 1 falling-threshold 2000 falling-event-index 2 a-type all interval 10 owner monitor Switch(config)#show rmon alarm Index-State: 1-Enabled Statistics index: 1 Alarm variable: BPkt Sample Type: Absolute RHold-REvent: 3000-1 FHold-FEvent:...
  • Page 820: Configuration Example

    Configuration Example Configuration Example Network Requirements The following figure shows the network topology of a company. The company has requirements as follows: 1) Monitor storm traffic of ports 1/0/1 and 1/0/2 on Switch A, and send notifications to the NMS when the actual rate of broadcast, multicast or unknown-unicast packets exceeds the preset threshold.
  • Page 821: Configuration Scheme

    Configuration Example Configuration Scheme 1) On Switch A, set thresholds for broadcast, multicast and unknown-unicast packets on ports 1/0/1 and 1/0/2. Enable SNMP and configure the corresponding parameters. Enable Trap notifications on the ports. Switch A can then send notifications to the NMS when the rate of storm traffic exceeds the preset threshold.
  • Page 822 Configuration Example Figure 6-3 Creating an SNMP View 3) Choose MAINTENANCE > SNMP > SNMP v3 > SNMP Group and click to load the following page. Create a group named nms-monitor, enable authentication and privacy, and add View to Read View and Notify View. Click Create. Figure 6-4 Configuring an SNMP Group 4) Choose MAINTENANCE >...
  • Page 823 Configuration Example Figure 6-5 Creating an SNMP User 5) Choose MAINTENANCE > SNMP > Notification > Notification Config and click to load the following page. Choose the IP Mode as IPv4, and specify the IP address of the NMS host and the port of the host for transmitting notifications. Specify the User as admin and choose the type as Inform.
  • Page 824 Configuration Example Figure 6-7 Enabling Storm Control Trap 7) Click to save the settings. ■ Configuring RMON 1) Choose MAINTENANCE > SNMP > RMON > Statistics and click to load the following page. Create Statistics entries 1 and 2, and bind them to ports 1/0/1 and 1/0/2, respectively.
  • Page 825 Configuration Example Figure 6-10 Configuring the History Entries 3) Choose the menu MAINTENANCE > SNMP > RMON > Event to load the following page. Configure entries 1 and 2. For entry 1, set the SNMP user name as admin, type as Notify, description as “rising_notify”, owner as monitor, and status as enable.
  • Page 826: Using The Cli

    Configuration Example Figure 6-12 Configuring the Alarm Entries 5) Click to save settings. Using the CLI ■ Configuring Storm Control on ports Configure the Storm Control on the required ports of Switch A. For detailed configuration, refer to Configuring QoS. ■ Configuring SNMP 1) Enable SNMP and specify the remote engine ID.
  • Page 827 Configuration Example Choose the type as Inform, and set the retry times as 3, and the timeout period as 100 seconds. Switch_A(config)#snmp-server host 192.168.1.222 162 admin smode v3 slev authPriv type inform retries 3 timeout 100 ■ Enable storm-control Trap Switch_A(config)#snmp-server traps storm-control ■...
  • Page 828 Configuration Example Switch_A(config)#rmon alarm 2 stats-index 2 alarm-variable revpkt s-type absolute rising-threshold 3000 rising-event-index 1 falling-threshold 2000 falling-event-index 2 a-type all interval 10 owner monitor Verify the Configurations Verify global SNMP configurations: Switch_A(config)#show snmp-server SNMP agent is enabled. 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied...
  • Page 829 Configuration Example Verify SNMP view configurations: Switch_A(config)#show snmp-server view No. View Name Type MOID --- -------------- ------- ------------------- viewDefault include 1 viewDefault exclude 1.3.6.1.6.3.15 viewDefault exclude 1.3.6.1.6.3.16 viewDefault exclude 1.3.6.1.6.3.18 View include 1 Verify SNMP group configurations: Switch_A(config)#show snmp-server group No.
  • Page 830 Configuration Example Index Port Owner State ----- ---------- --------- ------- Gi1/0/1 monitor valid Gi1/0/2 monitor valid Verify RMON history configurations: Switch_A(config)#show rmon history Index Port Interval Buckets Owner State ----- --------- -------- --------- ---------- --------- Gi1/0/1 monitor Enable Gi1/0/2 monitor Enable Verify RMON event configurations: Switch_A(config)#show rmon event...
  • Page 831 Configuration Example Index-State: 2-Enabled Statistics index: 2 Alarm variable: RevPkt Sample Type: Absolute RHold-REvent: 3000-1 FHold-FEvent: 2000-2 Alarm startup: Interval: Owner: monitor...
  • Page 832: Appendix: Default Parameters

    Appendix: Default Parameters Default settings of SNMP are listed in the following tables. Table 7-1 Default Global Config Settings Parameter Default Setting SNMP Disabled Local Engine ID Automatically Remote Engine ID None Table 7-2 Default SNMP View Table Settings View Name View Type MIB Object ID...
  • Page 833 Appendix: Default Parameters Parameter Default Setting SNMP User User Entry No entries User Name None User Type Local User Group Name None Security Model Security Level noAuthNoPriv Authentication Mode MD5 (when Security Level is configured as AuthNoPriv or AuthPriv) Authentication Password None Privacy Mode...
  • Page 834 Appendix: Default Parameters Default settings of RMON are listed in the following tables. Table 7-6 Default Statistics Config Settings Parameter Default Setting Statistics Entry No entries None Port None Owner None IP Mode Valid Table 7-7 Default Settings for History Entries Parameter Default Setting Port...
  • Page 835 Appendix: Default Parameters Parameter Default Setting Interval 1800 seconds Owner monitor Status Disabled...
  • Page 836: Diagnosing The Device & Network

    Part 29 Diagnosing the Device & Network CHAPTERS 1. Diagnosing the Device 2. Diagnosing the Network 3. Appendix: Default Parameters
  • Page 837: Diagnosing The Device

    Diagnosing the Device & Network Diagnosing the Device Diagnosing the Device The device diagnostics feature provides cable testing, which allows you to troubleshoot based on the connection status, cable length and fault location. Using the GUI Choose the menu MAINTENANCE > Device Diagnostics to load the following page. Figure 1-1 Diagnosing the Cable Follow these steps to diagnose the cable: 1) Select your desired port for the test and click Apply.
  • Page 838: Using The Cli

    Diagnosing the Device & Network Diagnosing the Device Status Displays the cable status. Test results include normal, closed, open and crosstalk. Normal: The cable is connected normally. Closed: A short circuit is being caused by abnormal contact of wires in the cable. Open: No device is connected to the other end or the connection is broken.
  • Page 839: Diagnosing The Network

    Diagnosing the Device & Network Diagnosing the Network Diagnosing the Network The network diagnostics feature provides Ping testing and Tracert testing. You can test connectivity to remote hosts, or to the gateways from the switch to the destination. With Network Diagnostics, you can: ■...
  • Page 840: Troubleshooting With Tracert Testing

    Diagnosing the Device & Network Diagnosing the Network Follow these steps to test the connectivity between the switch and another device in the network: 1) In the Ping Config section, enter the IP address of the destination device for Ping test, set Ping times, data size and interval according to your needs, and then click Ping to start the test.
  • Page 841: Using The Cli

    Diagnosing the Device & Network Diagnosing the Network 2) In the Tracert Result section, check the test results. Using the CLI 2.2.1 Configuring the Ping Test In privileged EXEC mode, you can use the following command to test the connectivity between the switch and one node of the network.
  • Page 842: Configuring The Tracert Test

    Diagnosing the Device & Network Diagnosing the Network 2.2.2 Configuring the Tracert Test In privileged EXEC mode, you can use the following command to test the connectivity between the switch and routers along the path from the source to the destination: tracert [ ip | ipv6 ] ip_addr [ maxHops ] Test the connectivity of the gateways along the path from the source to the destination.
  • Page 843: Appendix: Default Parameters

    Diagnosing the Device & Network Appendix: Default Parameters Appendix: Default Parameters Default settings of Network Diagnostics are listed in the following tables. Table 3-1 Default Settings of Ping Config Parameter Default Setting Destination IP 192.168.0.1 Ping Times Data Size 64 bytes Interval 1000 milliseconds Table 3-2...
  • Page 844: Configuring System Logs

    Part 30 Configuring System Logs CHAPTERS 1. Overview 2. System Logs Configurations 3. Configuration Example 4. Appendix: Default Parameters
  • Page 845: Overview

    Configuring System Logs Overview The switch generates messages in response to events, faults, or errors that occur, as well as changes in configuration or other occurrences. You can check system messages for debugging and network management. System logs can be saved in various destinations, such as the log buffer, log file or remote log servers, depending on your configuration.
  • Page 846: System Logs Configurations

    Configuring System Logs System Logs Configurations System logs configurations include: ■ Configuring the local logs. ■ Configuring the remote logs. ■ Backing up the logs. ■ Viewing the log table. Configuration Guidelines Logs are classified into the following eight levels. Messages of levels 0 to 4 mean the functionality of the switch is affected.
  • Page 847: Using The Gui

    Configuring System Logs System Logs Configurations Using the GUI 2.1.1 Configuring the Local Logs Choose the menu MAINTENANCE > Logs > Local Logs to load the following page. Figure 2-1 Configuring the Local Logs Follow these steps to configure the local logs: 1) Select your desired channel and configure the corresponding severity and status.
  • Page 848: Backing Up The Logs

    Configuring System Logs System Logs Configurations message is generated. To display the logs, the servers should run a log server software that complies with the syslog standard. Choose the menu MAINTENANCE > Logs > Remote Logs to load the following page. Figure 2-2 Configuring the Remote Logs Follow these steps to configure the information of remote log servers: 1) Select an entry to enable the server, and then set the server IP address and severity.
  • Page 849: Viewing The Log Table

    Configuring System Logs System Logs Configurations 2.1.4 Viewing the Log Table Choose the menu MAINTENANCE > Logs > Log Table to load the following page. Figure 2-4 View the Log Table Select a module and a severity to view the corresponding log information. Time Displays the time the log event occurred.
  • Page 850: Using The Cli

    Configuring System Logs System Logs Configurations Using the CLI 2.2.1 Configuring the Local Logs Follow these steps to configure the local logs: Step 1 configure Enter global configuration mode. Step 2 logging buffer Configure the switch to save system messages in log buffer. Log buffer indicates the RAM for saving system logs.
  • Page 851: Configuring The Remote Logs

    Configuring System Logs System Logs Configurations The following example shows how to configure the local logs on the switch. Save logs of levels 0 to 5 to the log buffer, and synchronize logs of levels 0 to 2 to the flash every 10 hours: Switch#configure Switch(config)#logging buffer...
  • Page 852 Configuring System Logs System Logs Configurations Step 2 logging host index idx host-ip level Configure a remote host to receive the switch’s system logs. The host is called Log Server. You can remotely monitor the settings and operation status of the switch through the log server.
  • Page 853 Configuring System Logs Configuration Example Network Requirements The company network manager needs to monitor the network of department A for troubleshooting. Figure 3-1 Network Topology Switch Department A IP: 1.1.0.2/16 IP: 1.1.0.1/16 Configuration Scheme The network manager can configure the PC as a log server to receive the switch’s system logs.
  • Page 854 Configuring System Logs Configuration Example Using the CLI Configure the remote log host. Switch#configure Switch(config)# logging host index 1 1.1.0.1 5 Switch(config)#end Switch#copy running-config startup-config Verify the Configurations Switch# show logging loghost Index Host-IP Severity Status ----- ------- -------- ------ 1.1.0.1 enable 0.0.0.0...
  • Page 855 Configuring System Logs Appendix: Default Parameters Appendix: Default Parameters Default settings of maintenance are listed in the following tables. Table 4-1 Default Settings of Local Logs Parameter Default Setting Status of Log Buffer Enabled Severity of Log Buffer Level_6 Sync-Periodic of Log Buffer Immediately Status of Log File Disabled...
  • Page 856 T535131-2-DT (For TL-SG2210P) Power Adapter T120100-2B1 (For T1500G-8T) Responsible party: TP-Link USA Corporation, d/b/a TP-Link North America, Inc. Address: 145 South State College Blvd. Suite 400, Brea, CA 92821 Website: https://www.tp-link.com/us/ Tel: +1 626 333 0234 Fax: +1 909 527 6803 E-mail: sales.usa@tp-link.com...
  • Page 857 Any changes or modifications not expressly approved by the party responsible for compliance could void the user’s authority to operate the equipment. We, TP-Link USA Corporation, have determined that the equipment shown as above has been shown to comply with the applicable technical standards, FCC part 15. No unauthorized change is made in the equipment, and the equipment is properly maintained and operated.
  • Page 858 EU declaration of conformity TP-Link hereby declares that the device is in compliance with the essential requirements and other relevant provisions of directives 2014/30/EU, 2014/35/EU, 2009/125/EC, 2011/65/EU and (EU)2015/863. The original EU declaration of conformity may be found at https://www.tp-link.com/en/ce...
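  • Page 859 Declaration of the Presence Condition of the Restricted Substances Marking Restricted substances and their chemical symbols Unit name Lead Cadmium Mercury Hexavalent chromium Polybrominated biphenyls Polybrominated diphenyl ethers CrVI PBDE ○ ○ ○ ○ ○ ○ Enclosure ○ ○ ○ ○ ○ ○ Power supply board — ○ ○ ○ ○ ○ Power supply — ○ ○ ○ ○ ○ Note 1: "Exceeding 0.1 wt %" and "exceeding 0.01 wt %" indicate that the percentage content of the restricted substance exceeds the reference percentage value. Note 2: "○" indicates that the percentage content of the restricted substance does not exceed the reference percentage value. Note 3: "—" indicates that the restricted substance is an exempted item.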
  • Page 860 Explanation of the symbols on the product label Symbol Explanation AC voltage DC voltage Indoor use only. Polarity of output terminals Energy efficiency marking (Level VI) RECYCLING This product bears the selective sorting symbol for Waste electrical and electronic equipment (WEEE). This means that this product must be handled pursuant to European directive 2012/19/EU in order to be recycled or dismantled to minimize its impact on the environment.
  • Page 861 Specifications are subject to change without notice. is a registered trademark of TP-Link Technologies Co., Ltd. Other brands and product names are trademarks or registered trademarks of their respective holders. No part of the specifications may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from TP-Link Technologies Co., Ltd.
