Package Contents The following items should be found in your box: One switch One Power Cord One Console Cable One USB Cable One Power Supply Module Slot Cover Two mounting brackets and other fittings Installation Guide ...
Chapter 1 About This Guide This User Guide contains information for setup and management of T3700G-28TQ/ T3700G-52TQ switch. Please read this guide carefully before operation. 1.1 Intended Readers This Guide is intended for network managers familiar with IT concepts and network terminologies.
The Installation Guide (IG) can be found where you find this guide or inside the package of the switch. Specifications can be found on the product page at http://www.tp-link.com. A Technical Support Forum is provided for you to discuss our products at ...
Chapter Introduction Chapter 7 VLAN This module is used to configure VLANs to control broadcast in LANs. Here mainly introduces: 802.1Q VLAN: Configure port-based VLAN. MAC VLAN: Configure MAC-based VLAN without changing the 802.1Q VLAN configuration. Protocol VLAN: Create VLANs in application layer to make ...
Chapter Introduction Chapter 10 Routing The module is used to configure several IPv4 unicast routing protocols. Here mainly introduces: Interface: Configure and view different types of interfaces: VLAN, loopback and routed port. Routing table: Displays the routing information summary. ...
Chapter Introduction Chapter 13 ACL This module is used to configure match rules and process policies of packets to filter packets in order to control the access of the illegal users to the network. Here mainly introduces: Time-Range: Configure the effective time for ACL rules. ...
Chapter Introduction Chapter 17 Maintenance This module is used to assemble the commonly used system tools to manage the switch. Here mainly introduces: System Monitor: Monitor the memory and CPU of the switch. Log: View and configure the system log function. ...
T3700G-28TQ/T3700G-52TQ is an L3 managed switch that features advanced L3 routing, 10Gbps wire-speed, physical stacking and removable power supply module and fan module, designed to meet the needs of convergence layer. T3700G-28TQ/T3700G-52TQ is ideal for large businesses, campuses or SMB networks requiring an outstanding, reliable and affordable 10 Gigabit solution.
Console Off: No data being transmitted or received for more than 6 minutes. Green On: Running at 1000Mbps, but no activity. For T3700G-28TQ: Green Flashing: Running at 1000Mbps and is transmitting or receiving data. Link/Act (Port 1-24, MGMT) Yellow On: Running at 10/100Mbps, but no activity.
(TX432 of TP-Link for example). If TX432 is installed, you get another two 10Gbps SFP+ ports. Console Port (USB/RJ-45): Designed to connect with the USB port of a computer for monitoring and configuring the switch.
By default, the micro-USB connector takes precedence over the RJ-45 connector. Power Supply Module 1/2: One AC Power Supply Module PSM150-AC has been installed in the switch. The malfunctioned PSM150-AC can be replaced with a TP-Link power supply module of the same model. Its input voltage is 100-240V~ 50/60Hz.
Chapter 3 Login to the Switch 3.1 Login 1) To access the configuration utility, open a web-browser and type in the default address http://192.168.0.1 in the address field of the browser, then press the Enter key. Figure 3-1 Web-browser Tips: To log in to the switch, the IP address of your PC should be set in the same subnet as the switch.
Figure 3-3 Main Setup-Menu Note: Clicking Apply can only make the new configurations effective before the switch is rebooted. If you want to keep the configurations effective even after the switch is rebooted, please click Save Config. It is recommended to click Save Config before cutting off the power or rebooting the switch to avoid losing the new configurations.
Chapter 4 System The System module is mainly for system configuration of the switch, including five submenus: System Info, User Management, System Tools, Access Security and SDM Template. 4.1 System Info The System Info, mainly for basic properties configuration, can be implemented on System Summary, Device Description, System Time, Daylight Saving Time, System IPv6, Management Port IPv4 and Management Port IPv6 pages.
Choose the menu System → System Info → System Summary to load the following page. Figure 4-1 System Summary Port Status UNIT: Select the unit ID of the desired member in the stack. Indicates the 1000Mbps port is not connected to a device. Indicates the 1000Mbps port is at the speed of 1000Mbps.
When the cursor moves on the port, the detailed information of the port will be displayed. Figure 4-2 Port Information Port Info Port: Displays the port number of the switch. Type: Displays the type of the port. Rate: Displays the maximum transmission rate of the port. Status: Displays the connection status of the port.
Figure 4-4 Device Description The following entries are displayed on this screen: Device Description Device Name: Enter the name of the switch. Device Location: Enter the location of the switch. System Contact: Enter your contact information. 4.1.3 System Time System Time is the time displayed while the switch is running.
Current Time Source: Displays the current time source of the switch. Time Config Manual: When this option is selected, you can set the date and time manually. Get Time from NTP Server: When this option is selected, you can configure the time zone and the IP Address for the NTP Server.
The following entries are displayed on this screen: DST Config DST Status: Enable or disable DST. Predefined Mode: Select a predefined DST configuration: USA: Second Sunday in March, 02:00 ~ First Sunday in November, 02:00. Europe: Last Sunday in March, 01:00 ~ Last Sunday in ...
Choose the menu System → System Info → System IPv6 to load the following page. Figure 4-7 System IPv6 The following entries are displayed on this screen: Global Config IPv6: Enable or disable IPv6 function globally on the switch. Interface: Choose the interface ID to set IPv6 function.
Link-local Address Config Config Mode: Select the link-local address configuration mode. Manual: When this option is selected, you should assign a link-local address manually. Auto: When this option is selected, the switch will generate a link-local address automatically. Link-local Address: Enter a link-local address.
Global Address Table Select: Select the desired entry to delete or modify the corresponding global address. Global Address: Modify the global address. Prefix Length: Modify the prefix length of the global address. Type: Displays the configuration mode of the global address. Manual: Indicates that the corresponding address is ...
The following entries are displayed on this screen: IPv4 Protocol Configuration IPv4 Protocol: Specify IPv4 Address allocate mode of the management port. None: Setup manually. DHCP: Allocated through DHCP. DHCP Client-ID: The DHCP Client-ID (Option 61) is used by DHCP clients to specify their unique identifier.
Figure 4-9 Management Port IPv6 The following entries are displayed on this screen: IPv6 Configuration IPv6: Enable or disable IPv6 function globally on the management port. IPv6 Protocol: Specify IPv6 network information allocate mode of the management port. None: Setup manually. ...
IPv6 Address: When selecting the mode of EUI-64, please input the address prefix here, otherwise, please input an intact IPv6 address here. IPv6 Gateway Configuration IPv6 Gateway: Choose whether to set the IPv6 Gateway Address. IPv6 Gateway Address: Please input the IPv6 gateway address here. IPv6 Address List ...
Choose the menu System → User Management → User Config to load the following page. Figure 4-11 User Config The following entries are displayed on this screen: User Info User Name: Create a name for users’ login. Access Level: Select the access level to login.
4.3.1 Boot Config On this page you can configure the boot file and the configuration file of the switch. When the switch is powered on, it will start up with the startup image. If the startup fails, the switch will try to start up with the backup image.
Software Version: The software version of the image. 4.3.2 Config Restore On this page you can upload a backup configuration file to restore your switch to this previous configuration. Choose the menu System → System Tools → Config Restore to load the following page. Figure 4-13 Config Restore The following entries are displayed on this screen: Config Restore...
4.3.4 Firmware Upgrade The switch system can be upgraded via the Web management page. To upgrade the system is to get more functions and better performance. Go to http://www.tp-link.com to download the updated firmware. Choose the menu System → System Tools → Firmware Upgrade to load the following page.
Choose the menu System → System Tools → System Reboot to load the following page. Figure 4-16 System Reboot Note: To avoid damage, please don't turn off the device while rebooting. 4.3.6 System Reset On this page you can reset the specified unit in the stack to the default. All the settings will be cleared after the switch is reset.
Choose the menu System → Access Security → Access Control to load the following page. Figure 4-18 Access Control The following entries are displayed on this screen: Access Control Config Control Mode: Select the control mode for users to log on to the Web management page.
Choose the menu System → Access Security → HTTP Config to load the following page. Figure 4-19 HTTP Config The following entries are displayed on this screen Global Config HTTP: Enable or disable the HTTP function on the switch. Session Config ...
trusted certificate authority” or “Certificate Errors”. Please add this certificate to trusted certificates or continue to this website. The switch also supports HTTPS connection for IPv6. After configuring an IPv6 address (for example, 3001::1) for the switch, you can log on to the switch’s Web management page via https://[3001::1].
SSL Version 3: Enable or disable Secure Sockets Layer Version 3.0. By default, it’s enabled. TLS Version 1: Enable or disable Transport Layer Security Version 1.0. By default, it’s enabled. CipherSuite Config RSA_WITH_RC4_128_MD5: Key exchange with RC4 128-bit encryption and MD5 for message digest.
To establish a secured connection using https, please enter https:// into the URL field of the browser. It may take more time for https connection than that for http connection, because https connection involves authentication, encryption and decryption etc. 4.4.4 SSH Config As stipulated by IETF (Internet Engineering Task Force), SSH (Secure Shell) is a security protocol established on application and transport layers.
Choose the menu System → Access Security → SSH Config to load the following page. Figure 4-21 SSH Config The following entries are displayed on this screen Global Config SSH: Enable or disable SSH function. Protocol V1: Enable or disable SSH V1 to be the supported protocol. Protocol V2: Enable or disable SSH V2 to be the supported protocol.
Encryption Algorithm Configure SSH encryption algorithms. AES128-CBC: Select the checkbox to enable the AES128-CBC algorithm of SSH. AES192-CBC: Select the checkbox to enable the AES192-CBC algorithm of SSH. AES256-CBC: Select the checkbox to enable the AES256-CBC algorithm of SSH. Blowfish-CBC: Select the checkbox to enable the Blowfish-CBC algorithm of SSH.
Note: It will take a long time to download the key file. Please wait without any operation. After the Key File is downloaded, the user's original key of the same type will be replaced. Application Example for SSH: Network Requirements ...
2. Click the Open button in the above figure to log on to the switch. Enter the login user name and password, and then you can continue to configure the switch. 4.4.5 Telnet Config On this page you can enable or disable Telnet function globally on the switch. Choose the menu System →...
Choose the menu System → SDM Template → SDM Template Config to load the following page. Figure 4-23 SDM Template Config Select Options Current Template Displays the SDM template currently in use. Next Template ID: Displays the SDM template that will become active after a reboot.
Chapter 5 Stack The stack technology is to connect multiple stackable devices through their stack ports, forming a stack which works as a unified system and presents as a single entity to the network in Layer 2 and Layer 3 protocols. It enables multiple devices to collaborate and be managed as a whole, which improves the performance and simplifies the management of the devices efficiently.
Figure 5-1 Distributed LACP In a ring connected stack, it can still operate normally by transforming into a daisy chained stack when link failure occurs, which further ensures the normal operation of load distribution and backup across devices and links as Figure 5-2 shows. Figure 5-2 Load Distribution and Backup across Devices 3.
Application Diagram Figure 5-3 Application Diagram Stack Introduction 1. Stack Elements 1) Stack Role Each device in the stack system is called stack member. Each stack member processes services packets and plays a role which is either master or member in the stack system. The differences between master and member are described as below: Master: Indicates the device is responsible for managing the entire stack system.
When stack merge occurs, the previous masters compete to be the new master. The stack members of the defeated stack will join the winner stack as a member to form a new stack. Master will assign Unit Number to the newly joined members and compare their configuration files.
While in a ring connected stack, the system is able to operate normally with a new daisy chained topology. Note: Establish a stack of ring or daisy chain topology with eight T3700G-28TQ/T3700G-52TQ switches at most. 2) Topology Collection Each member in the stack collects the topology of the whole stack by exchanging stack discovery packets with its neighbors.
The switch is non-preemptible when it joins the stack in cold-start mode, and the process is illustrated as below: the switch has no stack role at its start, and it sends out discovery messages to collect the topology of the current stack system. After the topology collection, the switch obtains its role according to the rules above.
Physical Port Number: The physical port number on the switch which can be obtained through the front panel of the switch. For instance: Port number 2/0/3 indicates the physical port 3 on the switch whose unit number is 2. Configuration Files Application Rules: It includes global configuration and interface ...
The stack management can be implemented on Stack Info, Stack Config and Auto Copy Software pages. 5.1.1 Stack Info On this page you can view the basic parameters of the stack function. Choose the menu Stack → Stack Management → Stack Info to load the following page. Figure 5-7 Stack Info Configuration Procedure: View the basic parameters of the stack function.
SNMP Trap status: Displays the SNMP trap status of the Auto Copy Software function. Allow Downgrade: Displays the status of allowing downgrade of the new members in the Auto Copy Software function. Stack Member Info UNIT: Displays the unit number of the switch. Role: Displays the stack role of the switch in the stack.
Choose the menu Stack → Stack Management → Stack Config to load the following page. Figure 5-8 Stack Config Configuration Procedure: Set the role of a specified switch in the stack. Configure the provisioned member switch. Configure the Unit ID and Priority for the Stack Member. Configure the SFP+ port’s stacking feature.
Standby Status: Displays the standby status of the switch. New Unit ID: Configure a new unit number of the switch. Priority: Configure the priority used in master election. Large first. The priority change will not take effect until next election. Preconfigured Displays the switch type of the provisioned switch.
SNMP Trap status: Enable or disable SNMP trap of the Auto Copy Software function. Allow Downgrade: Enable or disable downgrade of the new members in the Auto Copy Software function. If you choose enable, the member’s software version is allowed to downgrade when copying software from the master.
Chapter 6 Switching Switching module is used to configure the basic functions of the switch, including four submenus: Port, LAG, Traffic Monitor and MAC Address. 6.1 Port The Port function, allowing you to configure the basic features for the port, is implemented on the Port Config, Port Mirror, Port Security, Protected Ports and Loopback Detection pages.
Description: Give a port description for identification. Status: With this option enabled, the port forwards packets normally. Otherwise, the port discards all the received packets. By default, it is enabled. Speed: Select the appropriate speed mode for the port. When Auto is selected, the port autonegotiates speed mode with the connected device.
Choose the menu Switching→Port→Port Mirror to load the following page. Figure 6-2 Mirror Session List The above page displays a mirror session, and no more session can be created. Click Edit to configure the mirror session on the following page.
Figure 6-3 Port Mirror Config Configuration Procedure: In the Destination Port section, specify a monitoring port for the mirror session, and click Apply. In the Source Port section, select one or multiple monitored ports for configuration. Then set the parameters and click Apply to make the settings effective. Entry Description: Session: Displays session number.
LAG: Displays the LAG number which the port belongs to. Note: The member port of a LAG cannot be set as a monitoring port or monitored port. A port cannot be set as the monitoring port and monitored port at the same time. 6.1.3 Port Security You can use this feature to limit the number of MAC addresses that can be learned on each port, thus preventing the MAC address table from being exhausted by the attack packets.
Entry Description: Max Learned MAC: Specify the maximum number of MAC addresses that can be learned on the port. When the learned MAC address number reaches the limit, the port will stop learning. Learned Num: Displays the number of MAC addresses that have been learned on the port.
Configuration Procedure: Select and configure your desired ports or LAGs. Then click Apply to make the settings effective. Entry Description: Group: Displays the ID of the group for configuration. Group Name: Give a group name for identification. Protected Ports: Select member ports in this group. Protected ports in the same group cannot forward traffic to each other, even if they are in the same VLAN.
Choose the menu Switching → Port → Loopback Detection to load the following page. Figure 6-6 Loopback Detection Config Configuration Procedure: In the Global Config section, enable loopback detection and configure the global parameters. Then click Apply to make the settings effective. In the Port Config section, select one or multiple ports for configuration.
Automatic Recovery Time: Set the recovery time globally, after which the blocked port in Auto Recovery mode can automatically recover to normal status. It should be integral times of detection interval. The value ranges from 1-100 and is 3 by default. Web Refresh With this option enabled, the switch refreshes the web timely.
For the functions like IGMP Snooping, 802.1Q VLAN, MAC VLAN, Protocol VLAN, VLAN-VPN, GVRP, Voice VLAN, STP, QoS, DHCP Snooping and Flow-Control, the member port of a LAG follows the configuration of the LAG but not its own. The configurations of the port can take effect only after it leaves the LAG.
Choose the menu Switching→LAG→LAG Table to load the following page. Figure 6-7 LAG Table Configuration Procedure: In the Global Config section, select the load-balancing algorithm. Click Apply to make the settings effective. In LAG Table, view the information of the current LAG. Entry Description: Hash Algorithm: Select the Hash Algorithm, based on which the switch...
Operation: Click Edit to modify the settings of the LAG. Click Detail to get the detailed information of the LAG. Click the Detail button for the detailed information of your selected LAG. Figure 6-8 Detail Information 6.2.2 Static LAG On this page, you can manually configure the LAG. The LACP feature is disabled for the member ports of the manually added Static LAG.
Member Port UNIT: Select the unit ID of the desired member in the stack. Member Port: Select the port as the LAG member. Clearing all the ports of the LAG will delete this LAG. Tips: Load-balancing algorithm is effective only for outgoing traffic. If the data stream is not well shared by each link, you can change the algorithm of the outgoing interface.
Configuration Procedure: In the LAG Config section, select a LAG for configuration. In the Member Port section, select the member ports for the LAG. It is multi-optional. Click Apply. Entry Description: System Priority: Specify the system priority for the switch. A smaller value means a higher priority.
6.2.4 Default Settings Feature Default Settings Global Config Hash Algorithm: SRC MAC + DST MAC LACP System Priority: 32768 Admin Key: 0 Port Priority: 0 Mode: Passive Status: Disable 6.3 Traffic Monitor The Traffic Monitor function, monitoring the traffic of each port, is implemented on the Traffic Summary and Traffic Statistics pages.
Entry Description: Auto Refresh Auto Refresh: With this option enabled, the switch refreshes the web timely. Refresh Rate: Specify the refresh interval in seconds. Traffic Summary Port: Displays the port number. Packets Rx: Displays the number of packets received on the port. Error packets are not counted in.
Choose the menu Switching→Traffic Monitor→Traffic Statistics to load the following page. Figure 6-12 Traffic Statistics Configuration Procedure: To get the real-time traffic summary, enable auto refresh in the Auto Refresh section, or click Refresh at the bottom of the page. In the Traffic Summary section, click 1 to show the information of the physical ports, and click LAGS to show the information of the LAGs.
Unicast: Displays the number of good unicast packets received or sent on the port. Error frames are not counted in. Jumbo Displays the number of jumbo frames received or sent on the port. Alignment Errors: Displays the number of the received packets that have a bad Frame Check Sequence (FCS) with a non-integral octet (Alignment Error) and have a bad FCS with an integral octet (CRC Error).
The types and the features of the MAC Address Table are listed as the following (table columns: Type; Configuration; Aging; Being kept after reboot (if the configuration is saved); Relationship between the bound MAC address and the port): Static: Manually; The bound MAC address cannot be learned by the...
Choose the menu Switching→MAC Address→Address Table to load the following page. Figure 6-13 Address Table The following entries are displayed on this screen: Search Option MAC Address: Enter the MAC address of your desired entry. VLAN ID: Enter the VLAN ID of your desired entry. Port: Select the corresponding port number or link-aggregation number of your desired entry.
Address Table UNIT: Select the unit ID of the desired member in the stack. MAC Address: Displays the MAC address learned by the switch. VLAN ID: Displays the corresponding VLAN ID of the MAC address. Port: Displays the corresponding port number or link-aggregation number of the MAC address.
VLAN ID: Enter the corresponding VLAN ID of the MAC address. UNIT: Select the unit ID of the desired member in the stack. Port: Select a port to be bound. Search Option Search Option: Select a Search Option from the pull-down list and click the Search button to find your desired entry in the Static Address Table.
6.4.3 Dynamic Address The dynamic address can be generated by the auto-learning mechanism of the switch. The Dynamic Address Table can update automatically by auto-learning or the MAC address aging out mechanism. To fully utilize the MAC address table, which has a limited capacity, the switch adopts an aging mechanism for updating the table.
Search Option Search Option: Select a Search Option from the pull-down list and click the Search button to find your desired entry in the Dynamic Address Table. All: This option allows the Dynamic Address Table to display all the dynamic address entries.
Choose the menu Switching→MAC Address→Filtering Address to load the following page. Figure 6-16 Filtering Address The following entries are displayed on this screen: Create Filtering Address MAC Address: Enter the MAC Address to be filtered. VLAN ID: Enter the corresponding VLAN ID of the MAC address. Search Option ...
Chapter 7 VLAN The traditional Ethernet is a data network communication technology based on CSMA/CD (Carrier Sense Multiple Access/Collision Detect) via shared communication medium. Through the traditional Ethernet, the overfull hosts in LAN will result in serious collision, flooding broadcasts, poor performance or even breakdown of the Internet. Though connecting the LANs through switches can avoid the serious collision, the flooding broadcasts cannot be prevented, which will occupy plenty of bandwidth resources, causing potential serious security problems.
A VLAN can span across multiple switches, or even routers. This enables hosts in a VLAN to be dispersed in a looser way. That is, hosts in a VLAN can belong to different physical network segment. This switch supports three ways, namely, 802.1Q VLAN, MAC VLAN and Protocol VLAN, to classify VLANs.
Link Types of ports When creating the 802.1Q VLAN, you should set the link type for the port according to its connected device. The link types of port including the following three types: ACCESS: The ACCESS port can be added in a single VLAN, and the egress rule of the port is UNTAG.
Table columns: Port Type; Receiving Packets (Untagged Packets, Tagged Packets); Forwarding Packets. Access, Tagged Packets: If the VID of packet is the same as the PVID of the port, the packet will be received. If the VID of packet is not the same as the PVID of the port, the packet will be dropped. Access, Forwarding Packets: The packet will be forwarded after removing its VLAN tag.
The following entries are displayed on this screen: VLAN Table Select: Select the desired entry to delete the corresponding VLAN. It is multi-optional. VLAN ID: Displays the ID number of VLAN. Name: Displays the user-defined name of VLAN. Members: Displays the port members in the VLAN.
Tagged port: Displays the tagged port which is TRUNK or GENERAL. 7.1.2 Port Config Before creating the 802.1Q VLAN, please acquaint yourself with all the devices connected to the switch in order to configure the ports properly. Choose the menu VLAN→802.1Q VLAN→Port Config to load the following page. Figure 7-5 802.1Q VLAN –...
Link Type: Select the Link Type from the pull-down list for the port. ACCESS: The ACCESS port can be added in a single VLAN, and the egress rule of the port is UNTAG. The PVID is same as the current VLAN ID. If the current VLAN is deleted, the PVID will be set to 1 by default.
Step Operation Description Modify/View VLAN. Optional. On the VLAN→802.1Q VLAN→VLAN Config page, click the Edit/Detail button to modify/view the information of the corresponding VLAN. Delete VLAN Optional. On the VLAN→802.1Q VLAN→VLAN Config page, select the desired entry to delete the corresponding VLAN by clicking the Delete button.
Step Operation Description Create VLAN10 Required. On VLAN→802.1Q VLAN→VLAN Config page, create a VLAN with its VLAN ID as 10, owning Port 2 and Port 3. Create VLAN20 Required. On VLAN→802.1Q VLAN→VLAN Config page, create a VLAN with its VLAN ID as 20, owning Port 3 and Port 4. Configure switch B ...
Choose the menu VLAN→MAC VLAN to load the following page. Figure 7-7 Create and View MAC VLAN Configuration Procedure: Specify a MAC address and a VLAN ID. Then click Create to make the settings effective. Entry Description: MAC Address: Enter the MAC address. VLAN ID: Enter the ID number of the MAC VLAN.
Network Diagram Configuration Procedure Configure switch A Step Operation Description Configure Link Type of the ports: Required. On VLAN→802.1Q VLAN→Port Config page, configure the link type of Port 11 and Port 12 as GENERAL and TRUNK respectively. Create VLAN10 Required.
Step Operation Description Create VLAN10 Required. On VLAN→802.1Q VLAN→VLAN Config page, create a VLAN with its VLAN ID as 10, owning Port 21 and Port 22, and configure the egress rule of Port 21 as Untag. Create VLAN20 Required. On VLAN→802.1Q VLAN→VLAN Config page, create a VLAN with its VLAN ID as 20, owning Port 21 and Port 22, and configure the egress rule of Port 21 as Untag.
Protocol Type Type value 802.1X 0x888E Table 7-2 Protocol types in common use The packet in Protocol VLAN is processed in the following way: When receiving an untagged packet, the switch matches the packet with the current Protocol VLAN. If the packet is matched, the switch will add a corresponding Protocol VLAN tag to it.
Choose the menu VLAN→Protocol VLAN→Protocol Group to load the following page. Figure 7-9 Configure Protocol Group Configuration Procedure: Specify a Template ID and a VLAN ID. Add your desired ports into this protocol group. Click Apply to make the settings effective. Entry Description: Template Id: Specify a template ID for this group.
Enter the Ethernet type field of your desired protocol. Click Create to make the settings effective. Entry Description: Template Id: Give a template ID for the protocol template. Protocol Name: Give a name for the protocol template. Ether Type: Enter the Ethernet protocol type field in the protocol template. Note: The Protocol Template bound to VLAN cannot be deleted.
Configuration Procedure Configure switch A Step Operation Description Configure Link Type of the ports: Required. On VLAN→802.1Q VLAN→Port Config page, configure the link type of Port 11 and Port 13 as ACCESS, and configure the link type of Port 12 as GENERAL. Create VLAN10 Required.
Service Provider. And these packets will be transmitted with double-tag across the public networks. The VLAN-VPN function provides you with the following benefits: Provides simple Layer 2 VPN solutions for small-sized LANs or intranets. Saves public network VLAN ID resource. You can have VLAN IDs of your own, which is independent of public network VLAN IDs.
Choose the menu VLAN→VLAN VPN→VPN Config to load the following page. Figure 7-11 VPN Global Config Configuration Procedure: In the Global Config section, configure the global TPID according to your need. In the VPN Up-Link Ports section, select your desired ports as the VPN up-link ports. Click Apply to make the settings effective.
The information exchange between GARP entities is completed by messages. GARP defines the messages into three types: Join, Leave and LeaveAll. Join Message: When a GARP entity expects other switches to register certain attribute information of its own, it sends out a Join message. And when receiving the Join message from the other entity or configuring some attributes statically, the device also sends out a Join message in order to be registered by the other GARP entities.
7.8.1 GVRP Config On this page, you can configure the GVRP feature. Choose the menu VLAN→GVRP→GVRP Config to load the following page. Figure 7-12 GVRP Config Configuration Procedure: Specify a MAC address and a VLAN ID. Then click Create to make the settings effective. Globally enable the GVRP feature.
Status: Enable/Disable the GVRP feature for the port. The port type should be set to TRUNK before enabling the GVRP feature. LeaveAll Timer: Once the LeaveAll Timer is set, the port with GVRP enabled can send a LeaveAll message after the timer times out, so that other GARP ports can re-register all the attribute information.
Private VLAN adopts Layer 2 VLAN structure. A Private VLAN consists of a Primary VLAN and a Secondary VLAN, providing a mechanism for achieving layer-2-separation between ports. For uplink devices, all the packets received from the downstream are without VLAN tags. Uplink devices need to identify Primary VLANs but not Secondary VLANs.
Private VLAN Implementation To hide Secondary VLANs from uplink devices and save VLAN resources, Private VLAN containing one Primary VLAN and one Secondary VLAN requires the following characteristics: Packets from different Secondary VLANs can be forwarded to the uplink device via ...
Primary VLAN ID: Enter the Primary VLAN ID number of the desired Private VLAN. Secondary VLAN ID: Enter the Secondary VLAN ID number of the desired Private VLAN. Private VLAN Table Select: Select the entry to delete. It is multi-optional. Primary VLAN: Displays the Primary VLAN ID number of the Private VLAN.
Primary VLAN: Specify the Primary VLAN the port belongs to. Secondary VLAN: Specify the Secondary VLAN the port belongs to. UNIT: Select the unit ID of the desired member in the stack. Private VLAN Port Table UNIT: Select the unit ID of the desired member in the stack. Port ID: Displays the port number.
Network Diagram Configuration Procedure Configure Switch C Step Operation Description Create VLAN6 Required. On VLAN→802.1Q VLAN→VLAN Config page, create a VLAN with its VLAN ID as 6, owning Port 1/0/1. Configure switch A Step Operation Description Create Private Required.
Configure switch B Step Operation Description Create Private VLANs: Required. On the VLAN→Private VLAN→PVLAN Config page, enter the Primary VLAN 6 and Secondary VLAN 5 and 8, select one type of secondary VLAN and then click the Create button. Required.
Chapter 8 Spanning Tree STP (Spanning Tree Protocol), defined by the IEEE 802.1D standard, removes loops at the Data Link layer of a local network. Devices running STP discover loops in the network by exchanging information and block ports accordingly, so that a looped network is pruned into a loop-free tree topology and packets are not duplicated and forwarded endlessly in the network.
Root Port: The port selected on non-root bridges to provide the lowest root path cost. There is only one root port in each non-root bridge. Designated Port: The port selected for each LAN segment to provide the lowest root path cost from that LAN segment to the root bridge.
port begins to forward data after twice forward delay, which ensures the new configuration BPDUs are spread in the whole network. BPDU Comparing Principle in STP mode Assuming two BPDUs: BPDU X and BPDU Y If the root bridge ID of X is smaller than that of Y, X is superior to Y. If the root bridge ID of X equals that of Y, but the root path cost of X is smaller than that of Y, X is superior to Y.
Selecting the designated bridge and designated port Here are the steps taken by switches in selecting the designated bridge and designated port for each LAN segment: Choose the switch with the lowest root path cost from the LAN segment to the root bridge as the designated bridge.
MSTP is compatible with both STP and RSTP. MSTP Elements MST Region (Multiple Spanning Tree Region): An MST region consists of multiple interconnected switches. These switches have the same region name, the same revision level and the same VLAN-Instance mapping table. MSTI (Multiple Spanning Tree Instance): The MST instance is a spanning tree running in the MST region.
In an MSTP, ports can be in the following four states: Forwarding: In this status the port can receive/forward data, receive/send BPDU packets as well as learn MAC address. Learning: In this status the port can receive/send BPDU packets and learn MAC address. ...
8.1 STP Config The STP Config function, for global configuration of spanning trees on the switch, can be implemented on STP Config and STP Summary pages. 8.1.1 STP Config Before configuring spanning trees, you should make clear the roles each switch plays in each spanning tree instance.
Parameters Config CIST Priority: Specify the CIST priority of the switch. The valid values are multiples of 4096 from 0 to 61440. By default, it is 32768. The switch with the lower value has the higher priority. CIST priority is usually a parameter configured in MSTP, which means the priority of a switch in CIST.
8.1.2 STP Summary On this page you can view the related parameters for Spanning Tree function. Choose the menu Spanning Tree→STP Config→STP Summary to load the following page. Figure 8-5 STP Summary 8.2 Port Config On this page you can configure the parameters of the ports for CIST.
Choose the menu Spanning Tree→Port Config→Port Config to load the following page. Figure 8-6 Port Config Configuration Procedure: Configure the parameters of the ports for CIST. Entry Description: Port Config UNIT: Select the desired unit or LAGs. Select: Select the desired port for STP configuration. It is multi-optional. Port: Displays the port number of the switch.
Int-Path Cost: Enter the value of the internal path cost. The default setting is Auto, which means the port calculates the path cost automatically according to the port’s link speed. Internal path cost is the path cost of the port in IST. The port with the lowest internal root path cost will be elected as the root port in IST.
Port Role: Displays the role of the port played in the STP Instance. Root Port: Indicates the port that has the lowest root path cost from this bridge to the Root Bridge and forwards packets to the root. Designated Port: Indicates the port that forwards packets to a ...
8.3.1 Region Config On this page you can configure the name and revision of the MST region. Choose the menu Spanning Tree→MSTP Instance→Region Config to load the following page. Figure 8-7 Region Config Configuration Procedure: Set the name and revision level to specify an MSTP region. Entry Description: Region Config ...
Configuration Procedure: Enter the instance ID and the corresponding VLAN ID, and click Add. Configure the priority of the switch in the desired instance, and click Apply. Entry Description: VLAN-Instance Mapping Instance ID: Enter the corresponding instance ID. VLAN ID: Enter the desired VLAN ID.
Choose the menu Spanning Tree→MSTP Instance→Instance Port Config to load the following page. Figure 8-9 Instance Port Config Configuration Procedure: Select the desired instance ID for its port configuration. Configure port parameters in the desired instance. Instance ID Select Instance ID: Select the desired instance ID for its port configuration.
Priority: Enter the value of port priority from 0 to 240, which is divisible by 16, and the default value is 128. The port with the lower value has the higher priority. In the same condition, the port with the highest priority will be elected as the root port in the desired instance.
Configure CIST parameters for ports: Required. Configure CIST parameters for ports on Spanning Tree→Port Config→Port Config page. Configure the MST region: Required. Create the MST region, VLAN-Instance mapping and the priority of the switch in the corresponding region on Spanning Tree→MSTP Instance→Region Config and Instance Config page.
A switch removes MAC address entries upon receiving TC-BPDUs (the packets used to announce changes in the network topology). If a user maliciously sends a large number of TC-BPDUs to a switch in a short period, the switch will be busy with removing MAC address entries, which may decrease the performance and stability of the network.
Choose the menu Spanning Tree→STP Security→Port Protect to load the following page. Figure 8-10 Port Protect Configuration Procedure: Configure the Port Protect features for the selected ports, and click Apply. Entry Description: Port Protect UNIT: Select the desired unit or LAGs. Select: Select the desired port for port protect configuration.
Root Protect: Enable or disable the Root Protect function. It is recommended to enable this function on the designated ports of the root bridge. Root Protect function is used to ensure that the desired root bridge will not lose its position. With root protect function enabled, the port will temporarily transit to blocking state when it receives higher-priority BPDUs.
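The BPDU comparing principle from the STP overview and the Root Protect behaviour described above can be modelled together. The following is an added example, not TP-Link code: the class and function names, the MAC addresses and the `recover_after` interval are assumptions (the guide only says the block is temporary), and the last two tie-breakers (sender bridge ID, sender port ID) follow IEEE 802.1D rather than the two rules quoted in this guide.

```python
from dataclasses import dataclass


def bridge_id(priority, mac):
    """Bridge ID as a comparable tuple: priority first, then MAC address."""
    if not 0 <= priority <= 61440 or priority % 4096:
        raise ValueError("priority must be a multiple of 4096 from 0 to 61440")
    return (priority, bytes.fromhex(mac.replace(":", "")))


@dataclass(frozen=True)
class Bpdu:
    root_id: tuple        # bridge ID the sender believes is the root
    root_path_cost: int   # sender's cost to reach that root
    sender_id: tuple      # bridge ID of the sender
    port_id: int          # port priority and number of the sending port

    def vector(self):
        # Compared field by field, left to right; the lower vector is superior.
        return (self.root_id, self.root_path_cost, self.sender_id, self.port_id)


def is_superior(x, y):
    """True when BPDU x is superior to BPDU y."""
    return x.vector() < y.vector()


class RootProtectPort:
    """Designated port with Root Protect enabled (simplified model)."""

    def __init__(self, advertised, recover_after=30.0):
        self.advertised = advertised        # the BPDU this port itself sends
        self.recover_after = recover_after  # assumed hold time, in seconds
        self.state = "forwarding"
        self.last_superior = None

    def receive(self, bpdu, now):
        # A superior BPDU would move the root behind this port: block instead.
        if is_superior(bpdu, self.advertised):
            self.state = "blocking"
            self.last_superior = now
        return self.state

    def tick(self, now):
        # Return to forwarding once superior BPDUs have stopped arriving.
        if self.state == "blocking" and now - self.last_superior >= self.recover_after:
            self.state = "forwarding"
        return self.state


def simulate():
    """Constructed scenario: the intended root sees a better root announced."""
    root = bridge_id(4096, "02:00:00:00:00:01")
    port = RootProtectPort(Bpdu(root, 0, root, 0x8001))
    downstream = Bpdu(root, 20000, bridge_id(32768, "02:00:00:00:00:10"), 0x8003)
    better = bridge_id(0, "02:00:00:00:00:99")
    unexpected = Bpdu(better, 0, better, 0x8001)
    return [
        port.receive(downstream, now=0.0),   # inferior BPDU: keep forwarding
        port.receive(unexpected, now=1.0),   # superior BPDU: block the port
        port.receive(downstream, now=2.0),   # block persists
        port.tick(now=10.0),                 # hold time not yet elapsed
        port.tick(now=31.0),                 # 30 s without a superior BPDU
    ]


if __name__ == "__main__":
    print(simulate())
```
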
MSTP function for the port. Configure the region name and the revision of the MST region: On Spanning Tree→MSTP Instance→Region Config page, configure the region as TP-Link and keep the default revision setting. Configure VLAN-Instance mapping: On Spanning Tree→MSTP Instance→Instance Config page, configure VLAN-Instance mapping table.
For Instance 2 (VLAN 102, 104 and 106), the blue paths in the following figure are connected links; the gray paths are the blocked links. Suggestion for Configuration Enable TC Protect function for all the ports of switches. ...
Chapter 9 Multicast Multicast Overview In the network, packets are sent in three modes: unicast, broadcast and multicast. In unicast, the source server sends separate copy information to each receiver. When a large number of users require this information, the server must send many pieces of information with the same content to the users.
3. Each user can join and leave the multicast group at any time; 4. Real time is highly demanded and certain packets drop is allowed. Multicast Address 1. Multicast IP Address: As specified by IANA (Internet Assigned Numbers Authority), Class D IP addresses are used as destination addresses of multicast packets.
entry cannot be found in the table, the switch will broadcast the packet in the VLAN owning the receiving port. If the corresponding entry can be found in the table, it indicates that the destination address should be a group port list, so the switch will duplicate this multicast data and deliver each port one copy.
is not a router port yet, it will be added to the router port list with its router port time specified; if the receiving port is already a router port, its router port time will be directly reset. When receiving IGMP group-specific-query message, the switch will send the group-specific query message to the members of the multicast group being queried.
9.1.1 Snooping Config To configure the IGMP Snooping on the switch, please firstly configure IGMP global configuration and related parameters on this page. If the multicast address of the received multicast data is not in the multicast address table, the switch will broadcast the data in the VLAN.
9.1.2 Port Config On this page you can configure the IGMP feature for ports of the switch. Choose the menu Multicast→IGMP Snooping→Port Config to load the following page. Figure 9-5 Port Config The following entries are displayed on this screen: Port Config ...
IGMP query message from the router port within the router port time. The switch will no longer consider this port as a router port and delete it from the router port table. The valid values are from 60 to 600 seconds. Max Response Time: Enter the host’s maximum response time to general query...
The following entries are displayed on this screen: VLAN Config VLAN ID: Enter the VLAN ID to enable IGMP Snooping for the desired VLAN. Fast Leave: Enable or disable Fast Leave feature in this VLAN. If Fast Leave is enabled, the switch will immediately remove this port from the multicast group upon receiving IGMP leave messages.
Dynamic Router Ports: Displays the dynamic router ports of the VLAN. Configuration procedure: Step Operation Description Enable IGMP Snooping function: Required. Enable IGMP Snooping globally on the switch on the Multicast→IGMP Snooping→Snooping Config page. Configure the multicast parameters for VLANs: Optional. Configure the multicast parameters for VLANs on Multicast→IGMP Snooping→VLAN Config page.
The following entries are displayed on this screen: IGMP Snooping Querier Config Querier Mode: Enter the Query mode for the IGMP snooping querier on the device. When enabled, the IGMP snooping querier sends out periodic IGMP queries that trigger IGMP report messages from the switches that want to receive IP multicast traffic.
9.1.5 Profile Config On this page you can configure an IGMP profile. Choose the menu Multicast→Multicast Filter→Profile Config to load the following page. Figure 9-8 Profile Create The following entries are displayed on this screen: Profile Creation Profile ID: Specify the Profile ID you want to create, and it should be a number between 1 and 999.
Operation: Click the Edit button to configure the mode or IP-range of the Profile. Figure 9-9 Profile Config Profile Mode Profile ID: Displays the Profile ID. Mode: Configure the filtering mode of the profile. Permit: Only permit the IP address within the IP range and ...
9.2 MLD Snooping MLD Snooping Multicast Listener Discovery (MLD) snooping is applied for efficient distribution of IPv6 multicast data to clients and routers in a Layer 2 network. With MLD snooping, IPv6 multicast data is selectively forwarded to a list of ports that want to receive the data, instead of being flooded to all ports in a VLAN.
MLD Snooping Process 1. General Query The MLD router regularly sends MLD general queries to query if the multicast groups contain any members. When receiving MLD general queries, the switch will forward them to all other ports in the VLAN. The receiving port will be processed: if the receiving port is not a router port yet, it will be added to the router port list with its router port aging time specified;...
Choose the menu Multicast→MLD Snooping→Snooping Config to load the following page. Figure 9-10 MLD Snooping Config The following entries are displayed on this screen: Global Config MLD Snooping: Enable or disable MLD Snooping function globally. Unknown Multicast: Choose to forward or drop unknown multicast data. Unknown IPv6 multicast packets refer to those packets without corresponding forwarding entries in the IPv6 multicast table: When unknown multicast filter is enabled, the switch will...
9.2.2 Port Config On this page you can configure MLD Snooping function with each single port. Choose the menu Multicast→MLD Snooping→Port Config to load the following page. Figure 9-11 Port Config The following entries are displayed on this screen: Port Config ...
port time. The switch will no longer consider this port as a router port and delete it from the router port table. The valid values are from 60 to 600 seconds. Max Response Time: Enter the host’s maximum response time to general query messages in a range of 1 to 25 seconds.
Member Port Time: Specify the aging time of the member port. Within this time, if the switch doesn’t receive MLD report message from the member port, it will consider this port is not a member port any more. Router Port Time: Specify the aging time of the router port.
Layer 2 network. MLD Snooping Querier can act as an MLD Router in Layer 2 network. It can help to create and maintain multicast forwarding table on the switch with the Query messages it generates. Choose the menu Multicast→MLD Snooping→Querier Config to load the following page. Figure 9-13 Packet Statistics The following entries are displayed on this screen: MLD Snooping Querier Config...
Querier VLAN Address: Displays the General Query Message source IP address. Operational State: Displays the Operational State. Last Querier Address: Displays the Last Querier Address. Operational Version: Displays the Operational Version. Operational Max Response Time: Displays the value of Operational Max Response Time. Last Querier Address Table ...
Mode: The attributes of the profile. Permit: Only permit the IP address within the IP range and deny others. Deny: Only deny the IP address within the IP range and permit others. Search Option Profile ID: Enter the profile ID the desired entry must carry. MLD Profile Info ...
Deny: Only deny the IP address within the IP range and permit others. Add IP-range Start IP: Enter the start IP address of the IP range. End IP: Enter the end IP address of the IP range. IP-range Table ...
The following entries are displayed on this screen: MVR Config MVR: Before configuring functions related to MVR, click Enable to enable MVR function globally. MVR Mode: Select the MVR mode. Compatible: The switch working in Compatible mode does not learn multicast groups, which means the MVR switch does not forward IGMP reports from the hosts to the IGMP router.
Choose the menu Multicast→MVR→Port Config to load the following page. Figure 9-17 MVR Port Config The following entries are displayed on this screen: Interface Config UNIT: Select the unit ID of the desired member in the stack. Select: Select the desired port to configure MVR settings on the specific interface.
Status: Displays the port’s status. INACTIVE/InVLAN: The port is part of a VLAN but inactive. INACTIVE/NotInVLAN: The port is not part of any VLAN and inactive. ACTIVE/InVLAN: The port is part of a VLAN and active. Immediate Leave: Enable or disable the immediate leave function on this port. When immediate leave is enabled, the receiver port will be removed from the multicast group when an IGMP leave message is received on this port, without sending an IGMP query...
The following entries are displayed on this screen: Create MVR Group MVR Group IP: Configure an IP multicast address on the switch or use the MVR Group Count parameter to create a contiguous series of MVR group addresses. Any multicast data sent to this address is sent to all source ports on the switch and all receiver ports that have required to receive data on that multicast address.
IGMP Leave: Displays the number of packets of IGMP Leave. IGMP Packet Failure: Displays the number of packets of IGMP Packet Failure. 9.4 Multicast Table You can view different types of multicast table in the following pages. 9.4.1 Summary On this page you can view the summary of the multicast table and multicast entries. Choose the menu Multicast→Multicast Table→Summary to load the following page.
Source: Enter the source the desired entry must carry. Type: Enter the type the desired entry must carry. Forward Port: Enter the forward port number the desired entry must carry. Multicast MAC Address Table VLAN ID: Displays the VLAN ID of the multicast MAC entries. MAC Address: Displays the MAC address of the multicast MAC entries.
The following entries are displayed on this screen: Create Static Multicast MAC Address: Enter the multicast MAC address to create multicast MAC entry. VLAN ID: Enter the VLAN ID to add multicast MAC entry for the desired VLAN. Forward Port: Select the forward port of multicast MAC entry.
9.4.3 IGMP Snooping In an MAC multicast environment, all receivers can join a multicast group. On this page you can view the information of the multicast groups for IGMP Snooping already on the switch. Choose the menu Multicast→Multicast Table→IGMP Snooping to load the following page. Figure 9-22 IGMP Multicast Table The following entries are displayed on this screen: Search Option...
Choose the menu Multicast→Multicast Table→Summary to load the following page. Figure 9-23 MLD Multicast Table The following entries are displayed on this screen: Search Option Search Option: Select the rules for displaying multicast MAC table to find the desired entries quickly. All: Displays all multicast MAC entries.
The following entries are displayed on this screen: Search Option Search Option: Select the rules for displaying source specific multicast table to find the desired entries quickly. • All: Displays all source specific multicast entries. • VLAN ID: Enter the VLAN ID the desired entry must carry. •...
The following entries are displayed on this screen: Search Option Search Option: Select the rules for displaying source specific multicast table to find the desired entries quickly. • All: Displays all source specific multicast entries. • VLAN ID: Enter the VLAN ID the desired entry must carry. •...
The following entries are displayed on this screen: IGMP Snooping Total Entries: Displays the Max MFDB Table Entries. Most SSM FDB Entries Ever Used: Displays the Most SSM FDB Entries Ever Used of source specific multicast. Current Entries: Displays the Current Entries of source specific multicast. MLD Snooping ...
Chapter 10 Routing Routing is the method by which the host or gateway decides where to send the datagram. Routing is the task of finding a path from a sender to a desired destination. It may be able to send the datagram directly to the destination, if that destination is on one of the networks that are directly connected to the host or gateway.
IP Address Mode: Specify the IP address assignment mode of the interface. None: Without IP address. Static: Set up manually. DHCP: Allocated through DHCP. IP Address: Specify the IP address of the interface. Subnet Mask: Specify the subnet mask of the interface's IP address. Admin Status: Enable or disable the interface’s Layer 3 capabilities.
Configuration Procedure: In the Modify Interface section, specify an interface ID and configure relevant parameters for the interface according to your actual needs. Then click Apply. In the Secondary IP Create section, configure the secondary IP for the specified interface which allows you to have two logical subnets using one physical subnet.
IP Address Mode: Displays the IP address allocation mode. None: Without IP address. Static: Setup manually. DHCP: Allocated through DHCP. IP Address: Displays the IP address and subnet mask of the interface. Secondary IP: Displays the secondary IP address and subnet mask of the interface.
10.3 Static Routing Static routes are special routes manually configured by the administrator; they do not change automatically when the network topology changes. Hence, static routes are commonly used in a relatively simple and stable network. Proper configuration of static routes can greatly improve network performance.
Destination Address: Displays the destination IP address of the packets. Subnet Mask: Displays the subnet mask of the destination IP address. Next Hop: Displays the IP address to which the packet should be sent next. Distance: Specify the administrative distance, which is a rating of the trustworthiness of routing information.
Steps Operation Note Add interface VLAN 20: Required. On page Routing→Interface→Interface Config, add interface VLAN 20 with the mode as static, the IP address as 192.168.1.1, the mask as 255.255.255.0 and the interface name as VLAN20. Add static route entry: Required. On page Routing→Static Routing→Static Routing Config, add a static route entry with the destination as 192.168.2.0, the subnet mask as 255.255.255.0 and the next hop...
local network resources to each client represents one such difficulty. In most environments, delegating such responsibility to the user is not plausible and, indeed, the solution is to define the resources in uniform terms, and to automate their assignment. The DHCP dealt with the issue of assigning an internet address to a client, as well as some other resources.
Figure 10-7 The Process of DHCP DHCP discover: the client broadcasts messages on the physical subnet to discover available DHCP servers in the LAN. Network administrators can configure a local router (e.g. a relay agent) to forward DHCP-DISCOVER messages to a DHCP server in a different subnet.
Figure 10-8 The Format of DHCP Message op: Message type, ‘1’ = BOOT-REQUEST, ‘2’ = BOOT-REPLY. htype: Hardware address type, '1' for ethernet. hlen: Hardware address length, '6' for ethernet. hops: Clients set this field to zero and broadcast the DHCP-REQUEST message, optionally used by relay-agents when booting via a relay-agent.
14) file: Boot file name, null terminated string, "generic" name or null in DHCPDISCOVER, fully qualified directory-path name in DHCPOFFER. 15) options: Optional parameters field. See the options documents (RFC 2132) for a list of defined options. We will introduce some familiar options in the next section. DHCP Option ...
option 54: Server Identifier option. DHCP servers include option 54 in the DHCP-OFFER message in order to allow the client to distinguish between lease offers. DHCP clients use the option in a DHCP-REQUEST message to indicate which lease offer is being accepted. option 55: Parameter Request List option.
Create a different IP pool for every VLAN. Devices in different VLANs can get IP addresses in different subnets. When receiving a DHCP-DISCOVER packet from the client, the switch determines which VLAN the ingress port belongs to, and chooses an IP address in the same subnet as the VLAN interface to assign to the client.
Choose the menu Routing→DHCP Server→DHCP Server to load the following page. Figure 10-11 DHCP Server Configuration Procedure: In the Global Config section, enable or disable DHCP Server and DHCP Conflict-logging. Then click Apply. In the Ping Time Config section, configure Ping Packets for ping tests. Click Apply. In the Excluded IP Address section, enter the Start IP Address and End IP Address to specify the range of reserved IP addresses.
Ping Time Config Ping Packets: The number of packets to be sent. Excluded IP Address Start IP Address: The first one of the IP addresses that should not be assigned. End IP Address: The last one of the IP addresses that should not be assigned. 10.4.2 Pool Setting This page shows you how to configure the IP pool in which the IP address can be assigned to the clients in the network.
Pool Type: Specify the pool type. IP Address: Specify the IP address to be bound. Subnet Mask: Specify the corresponding subnet mask of the IP address in the pool. Binding Mode: Select a binding mode: Client Id: Bind the IP address to the client ID. Client Id in ASCii: Bind the IP address to the client ID in ASCII format.
Netbios Node Type: Specify the Netbios type for the clients, which is the way of inquiring IP address resolution. The following options are provided: b-node Broadcast: The client sends query message via broadcast. p-node Peer-to-Peer: The client sends query message via unicast.
Figure 10-13 Manual Binding Configuration Procedure: Select a DHCP server pool from the drop-down list. Configure the extend option in the pool according to your actual needs. Click Create. Entry Description: Pool Name: Select the IP Pool containing the IP address to be bound. Option Code: Specify the extend option code.
Type: Displays the type of this binding entry. Lease Time Left(s): Displays the lease time of the client left. 10.4.5 Packet Statistics Choose the menu Routing→DHCP Server→Packet Statistics to load the following page. Figure 10-15 Statistics Configuration Procedure: View the DHCP packets the switch received or sent. Entry Description: Binds ...
DHCPREQUEST: Displays the Request packet received. DHCPDECLINE: Displays the Decline packet received. DHCPRELEASE: Displays the Release packet received. DHCPINFORM: Displays the Inform packet received. Packets Sent BOOTREPLY: Displays the Bootp Reply packet sent. DHCPOFFER: Displays the Offer packet sent. DHCPACK: Displays the Ack packet sent.
Network Diagram Use T3700G-52TQ as the central switch and enable its DHCP server function to allocate IP addresses to clients in the network. Enable the DHCP relay function on each access switch in VLAN 10, 20 and 30. For details about DHCP relay, please refer to 10.5 DHCP Relay.
Step Operation Note Configure the reserved addresses: Required. On page Routing→DHCP Server→DHCP Server, under the Excluded IP Address, configure reserved IP addresses for the fixed computers in each VLAN. Configure Access Switch Step Operation Note Enable DHCP Relay: Required. On the Routing→DHCP Server→Global Config page,
Figure 10-16 DHCP Relay Application To allow clients in different VLANs to request IP addresses from one server successfully, the DHCP Relay function can transmit the DHCP packet between clients and server in different VLANs, and all clients in different VLANs can share one DHCP Server. When receiving DHCP-DISCOVER and DHCP-REQUEST packets, the switch will fill the ...
Specify the DHCP Server which assigns IP addresses actually. Option 82 On this switch, Option 82 is used to record the location of the DHCP Client, the ethernet port and the VLAN, etc. Upon receiving the DHCP-REQUEST packet, the switch adds the Option 82 field to the packet and then transmits the packet to DHCP Server.
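The DHCP message format listed in section 10.4 and the Option 82 field described above can be checked with a small parser. This is an added example, not code from the guide or the switch firmware: it decodes the fixed header, options 53, 54 and 55, and the Option 82 sub-options (1 = Circuit ID, 2 = Remote ID, per RFC 3046), and rejects any option whose length overruns the packet. The sample packet, its addresses and its Circuit ID bytes are constructed and do not reflect the switch's actual Option 82 encoding.

```python
import ipaddress
import struct

MAGIC_COOKIE = bytes([0x63, 0x82, 0x53, 0x63])  # precedes the options field
FIXED_LEN = 236                                  # op through file
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_tlvs(data, pad=None, end=None):
    """Walk code/length/value triples; refuse lengths that overrun the buffer."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == pad:            # single-byte pad option (top level only)
            i += 1
            continue
        if code == end:            # end option terminates the list
            break
        if i + 2 > len(data):
            raise ValueError("option %d has no length byte" % code)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d overruns the packet" % code)
        out[code] = out.get(code, b"") + value   # repeated options concatenate
        i += 2 + length
    return out


def parse_dhcp(payload):
    """Decode the UDP payload of a DHCP message into a dict of selected fields."""
    if len(payload) < FIXED_LEN + len(MAGIC_COOKIE):
        raise ValueError("shorter than the fixed header")
    op, htype, hlen, hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    if hlen > 16:
        raise ValueError("hlen exceeds the 16-byte chaddr field")
    if payload[FIXED_LEN:FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts = parse_tlvs(payload[FIXED_LEN + 4:], pad=0, end=255)
    msg_type = opts.get(53)
    msg = {
        "op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid,
        "giaddr": str(ipaddress.IPv4Address(payload[24:28])),   # relay address
        "chaddr": payload[28:28 + hlen].hex(":"),               # client MAC
        "type": MSG_TYPES.get(msg_type[0], "UNKNOWN") if msg_type else None,
    }
    if len(opts.get(54, b"")) == 4:               # Server Identifier
        msg["server_id"] = str(ipaddress.IPv4Address(opts[54]))
    if 55 in opts:                                # Parameter Request List
        msg["param_request_list"] = list(opts[55])
    if 82 in opts:                                # Relay Agent Information
        sub = parse_tlvs(opts[82])
        msg["circuit_id"] = sub.get(1)
        msg["remote_id"] = sub.get(2)
    return msg


def build_sample_request():
    """Constructed sample: a relayed DHCP-REQUEST (all values invented)."""
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 1, 0x3903F326, 0, 0)
    fixed += bytes(12)                                        # ciaddr, yiaddr, siaddr
    fixed += ipaddress.IPv4Address("192.168.10.1").packed     # giaddr set by the relay
    fixed += bytes.fromhex("020000aabbcc").ljust(16, b"\x00")  # chaddr
    fixed += bytes(64) + bytes(128)                           # sname, file
    relay_info = bytes([1, 4, 0, 10, 1, 5]) + bytes([2, 6]) + b"sw-acc"
    options = (bytes([53, 1, 3])
               + bytes([54, 4]) + ipaddress.IPv4Address("192.168.0.59").packed
               + bytes([55, 3, 1, 3, 6])
               + bytes([82, len(relay_info)]) + relay_info
               + bytes([255]))
    return fixed + MAGIC_COOKIE + options


if __name__ == "__main__":
    print(parse_dhcp(build_sample_request()))
```
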
Choose the menu Routing→DHCP Relay→Global Config to load the following page. Figure 10-19 Global Config Configuration Procedure: In the Global Config section, enable DHCP Relay. (Optional) In the Option 82 Configuration section, configure Option 82. Click Apply. Entry Description: DHCP Relay: Enable or disable DHCP Relay.
Remote ID: Enter the customized remote ID, which contains up to 32 characters. The remote ID configurations of the switch and the DHCP server should be compatible with each other. 10.5.2 DHCP Server This page enables you to configure DHCP Servers on the specified interface. Choose the menu Routing→DHCP Relay→DHCP Server to load the following page.
Step Operation Description Configure DHCP Server. Required. On the Routing→DHCP Relay→DHCP Server page, specify the DHCP Server with IP address. 10.6 Proxy ARP Proxy ARP functions to realize the Layer 3 connectivity between the hosts within the same network segment but isolated at Layer 2. When an ARP request of a host is to be forwarded to another host in the same network segment but isolated at Layer 2, to realize the connectivity, the device connecting the two virtual networks should be able to respond to this request.
Choose the menu Routing→Proxy ARP→Proxy ARP to load the following page. Figure 10-23 Proxy ARP Configuration Procedure: Enable Proxy ARP for the VLAN interface or routed port. Entry Description: IP Address/Subnet Mask: Displays the IP Address and Subnet Mask of the VLAN interface or routed port.
10.6.3 Application Example for Proxy ARP Network Requirements PC A and PC B are in the same network segment but belong to VLAN2 and VLAN3 respectively. The IP address of PC A is 192.168.2.10/16 and the IP address of PC B is 192.168.3.11/16. PC A and PC B can interconnect with each other by using Proxy ARP function.
Figure 10-25 ARP Table Configuration Procedure: View all the dynamic and static ARP entries. Entry Description: Interface: Displays the network interface of an ARP entry. IP Address: Displays the IP address of an ARP entry. MAC Address: Displays the MAC address of an ARP entry. Type: Displays the type of an ARP entry.
Entry Description: ARP Config IP Address: Specify the IP address of an ARP entry. MAC Address: Specify the MAC address of an ARP entry. ARP Table Select: Specify the static ARP entries to modify. IP Address: Displays the IP address of an ARP entry. MAC Address: Displays the MAC address of an ARP entry.
RIP timers RIP employs three timers: update, timeout and garbage-collect. Update timer: defines the interval between routing updates. Timeout timer: defines the route aging time. If no update for a route is received within the aging time, the metric of the route is set to 16 in the routing table. Garbage-collect timer: defines the interval from when the metric of a route becomes ...
RIPv2 is a classless routing protocol. Compared with RIPv1, RIPv2 has the following advantages. Supporting route tags. Route tags are used in routing policies to flexibly control routes. Supporting masks, route summarization and Classless Inter-Domain Routing (CIDR). Supporting designated next hops to select the best next hops on broadcast networks. ...
Figure 10-28 RIPv2 Message Format The fields are explained as follows: Version: Version of RIP. For RIPv2 the value is 0x02. Route Tag: Route Tag. IP Address: Destination IP address. It can be a natural network address, subnet ...
10.8.1 Basic Config RIP (Routing Information Protocol) is a dynamic routing protocol based on the distance-vector algorithm. You can configure and activate the protocol below as needed. Choose the menu Routing→RIP→Basic Config to load the following page. Figure 10-30 RIP Basic Config The following entries are displayed on this screen: RIP Enable ...
Global Config RIP Version: Choose the global RIP version. Default: send with RIP version 1 and receive with both RIP version 1 and 2. RIPv1: send and receive RIP version 1 formatted packets via broadcast. RIPv2: send and receive RIP version 2 packets using ...
10.8.2 Interface Config On this page, you can configure advanced parameters for the RIP. Choose the menu Routing→RIP→Interface Config to load the following page. Figure 10-31 RIP Interface Config The following entries are displayed on this screen: Interface Config Select: Select the interface for which data is to be configured.
Key ID: Enter the RIP Authentication Key ID for the specified interface. If you choose not to use authentication or to use 'simple' you will not be prompted to enter the key ID. Key: Enter the RIP Authentication Key for the specified interface. If you do not choose to use authentication you will not be prompted to enter a key.
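The RIP version and authentication settings above determine what an observer on the segment sees in each update. The following added example (not part of the original guide) parses a captured RIP message and reports its version, authentication type, Key ID and routes. It assumes the standard RIP wire layout (4-byte header, 20-byte entries, authentication entry marked by address family 0xFFFF with type 2 for simple and type 3 for keyed MD5); all packets and names are constructed for illustration.

```python
"""Parse a captured RIP message and report how it is authenticated (added example)."""
import ipaddress
import struct

RIP_INFINITY = 16      # metric 16 marks a route as unreachable
AUTH_AFI = 0xFFFF      # address-family value that marks an authentication entry
AUTH_MD5_TRAILER, AUTH_SIMPLE, AUTH_MD5 = 1, 2, 3


def parse_rip(payload):
    """Return version, authentication details and route entries of one RIP message."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("RIP message must be a 4-byte header plus 20-byte entries")
    command, version, _ = struct.unpack("!BBH", payload[:4])
    msg = {"command": command, "version": version, "auth": "none",
           "key_id": None, "password": None, "routes": []}
    for off in range(4, len(payload), 20):
        afi, tag, body = struct.unpack("!HH16s", payload[off:off + 20])
        if afi == AUTH_AFI:
            if tag == AUTH_SIMPLE:
                # Simple authentication carries the key as padded plain text.
                msg["auth"] = "simple"
                msg["password"] = body.rstrip(b"\x00").decode("ascii", "replace")
            elif tag == AUTH_MD5:
                _pkt_len, key_id, _auth_len, seq = struct.unpack("!HBBI", body[:8])
                msg.update(auth="md5", key_id=key_id, sequence=seq)
            continue  # the MD5 trailer entry holds the digest; it is not verified here
        addr, mask, next_hop, metric = struct.unpack("!4s4s4sI", body)
        if version == 1:
            prefix = str(ipaddress.IPv4Address(addr))  # RIPv1 carries no mask
        else:
            prefix = str(ipaddress.ip_network(
                f"{ipaddress.IPv4Address(addr)}/{ipaddress.IPv4Address(mask)}",
                strict=False))
        msg["routes"].append({
            "prefix": prefix,
            "next_hop": str(ipaddress.IPv4Address(next_hop)),
            "tag": tag,
            "metric": metric,
            "unreachable": metric >= RIP_INFINITY,
        })
    return msg


def audit(msg):
    """List the authentication weaknesses visible in a parsed message."""
    findings = []
    if msg["version"] == 1:
        findings.append("RIPv1 message: the format has no authentication entry")
    elif msg["auth"] == "none":
        findings.append("RIPv2 message sent without authentication")
    elif msg["auth"] == "simple":
        findings.append("simple authentication: key is readable in the packet")
    return findings


# --- constructed sample packets (not captured from a real device) ---
def _entry(afi, tag, body):
    return struct.pack("!HH16s", afi, tag, body)


def _route(net, metric, tag=0):
    n = ipaddress.ip_network(net)
    return _entry(2, tag, n.network_address.packed + n.netmask.packed
                  + bytes(4) + struct.pack("!I", metric))


HEADER_V2 = struct.pack("!BBH", 2, 2, 0)   # command 2 = response, version 2
PKT_SIMPLE = (HEADER_V2 + _entry(AUTH_AFI, AUTH_SIMPLE, b"labkey")
              + _route("10.1.0.0/16", 2) + _route("10.2.0.0/16", 16))
PKT_MD5 = (HEADER_V2
           + _entry(AUTH_AFI, AUTH_MD5, struct.pack("!HBBI", 44, 7, 16, 1) + bytes(8))
           + _route("10.1.0.0/16", 2)
           + _entry(AUTH_AFI, AUTH_MD5_TRAILER, bytes(16)))   # placeholder digest
PKT_V1 = (struct.pack("!BBH", 2, 1, 0)
          + _entry(2, 0, ipaddress.IPv4Address("10.3.0.0").packed
                   + bytes(8) + struct.pack("!I", 1)))

if __name__ == "__main__":
    for name, pkt in (("simple", PKT_SIMPLE), ("md5", PKT_MD5), ("v1", PKT_V1)):
        parsed = parse_rip(pkt)
        print(name, parsed["auth"], parsed["key_id"], audit(parsed))
```

The parser only classifies the authentication in use; it does not verify a keyed-MD5 digest.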
10.9 OSPF OSPF (Open Shortest Path First) is a link-state routing protocol and an interior gateway protocol, developed and recommended by the IETF. The OSPF protocol standard in current use for IPv4 networks is OSPF Version 2, which is defined in RFC2328 and is introduced in general terms in this Guide.
Figure 10-32 Common Scenario for OSPF routing protocol The network topology is more prone to changes in an autonomous system of larger size. The network adjustment of any one router could destabilize the whole network and cause massive numbers of OSPF packets to be forwarded repeatedly, and all the routers need to recalculate the routes, which would waste lots of network resources.
address as the router ID which is thus always invariant outward. To ensure the uniqueness of the router ID, it is recommended to manually configure the router ID or the loopback interface. In the automatic election, the router first selects the highest loopback interface as the router ID.
BDR are determined in a network, unless they become invalid, any new routers joining or exiting would not cause re-election. As shown below, on a network of five routers, ten adjacency relations need to be established if one is established between every two routers, but only seven adjacencies are required if DR and BDR are introduced.
After DR and BDR are determined, a master and a slave will be elected between the DR/BDR and the other routers on the network, and then the link state database synchronization will start. On the network the routers and DR/BDR will mutually unicast the link state data to advertise LSA, until all the routers establish an identical link state database.
Figure 10-34 Steps to Establish a Complete Adjacency Relation
Flooding
As Figure 10-32 shows, two random routers will synchronize the link state database via LSA request, LSA update and LSA acknowledgement packets. But in the actual model of a router network, how do the routers flood a change of the local network to the entire network through LSA update packets? Figure 10-33 will introduce in detail the flooding of the LSA update packets on the broadcast network.
Figure 10-35 Flooding of the LSA DROthers multicast the LSA update of its directly-connected network to DR and BDR. After receiving the LSA update, DR floods it to all the adjacent routers. After receiving the LSA update from DR, the adjacent routers flood it to the other OSPF interfaces in their own areas.
As shown above, a large-scale network is divided into three areas: Area 0, Area 1 and Area 2. Area 1 and Area 2 exchange the routing information via the Backbone Area, which has to maintain its network connectivity at all times. The non-backbone Area 1 and Area 2 cannot communicate directly with each other, but they can exchange routing information through the backbone Area 0.
Router Name: ASBR
Features: Connect with the routers outside the OSPF AS by other routing protocol.
Responsibility: Maintain independent routing tables for different routing protocols, import the routing information learned by other routing protocol to OSPF domain through a certain standard, and then establish a uniform routing table.
Type-2 external route: It has low credibility, so OSPF considers the cost from the ASBR to the destination of the Type-2 external route to be much greater than the cost from the ASBR to an OSPF internal router. Therefore, the cost from the internal router to the destination of the Type-2 external route equals that from the ASBR to the destination of the Type-2 external route.
Type-7 LSA in the specified address range will also be summarized. Following a principle similar to ABR route summarization, ASBR summarizes routes of different types. Figure 10-39 ABR Route Summarization Figure 10-40 Discontinuous Network Segment Link State Database When the routers in the network completely synchronize the link state database through LSA exchanges, they can calculate the shortest path tree with themselves as the root node.
while the other types of LSA describe the route to a certain destination in other areas or external AS. When all the routers in the network completely synchronize their LSDB, each OSPF router will calculate a loop-free topology by SPF algorithm to describe the shortest path to every destination in the network as it knows.
Link State Acknowledgement Packet Table 10-3 OSPF Packet Type Router ID: ID of the router sending this packet. Area ID: ID of the area that the router interface sending this packet belongs to. Authentication Type: The authentication type applied by this packet. The segment marked with * in the rear is regarded as essential information of authentication, as shown in the table below.
Figure 10-42 HELLO Packet Netmask: Netmask of the router interface forwarding the Hello packet. Only when the netmask of the forwarding interface and that of the receiving interface coincide can these two routers be neighbors. Hello Interval: Interval at which the forwarding interface sends Hello packets. Only the routers with the same Hello interval can become neighbors.
I: The Initial bit. During the synchronization of link state database between two routers, it may require multiple DD packets to be forwarded, among which the first DD packet will set its initial bit to 1, while the others set it to 0. M: The More bit.
interface IP address of the DR; and that of Network Summarization LSA stands for the IP address of the network or subnet advertised; and so on. Advertising Router: Router ID of the router advertising this LSA. LSU Packet When one router receives an LSR, it would send an LSU packet to inform the other of the complete LSA information.
Type: The type of LSA. Table 10-5 enumerates several common features of LSA. Link State ID: It has different meanings for different types of LSA. For details please refer to the RFC documentation. Advertising Router: ID of the router advertising this LSA. Sequence Number: It indicates the uniqueness of a certain LSA, whose update would be flooded to the network by adding 1 to the sequence number.
Area Partition – The switch can divide an autonomous system into different areas according to the user-specified principle. The routers in the same area only need to synchronize LSA with the other routers in their area, which can save routing resources and lower routing performance requirements, thus reducing networking cost.
10.9.1 Process Choose the menu Routing→OSPF→Process to load the following page. Figure 10-47 OSPF Process Configuration Procedure: Specify a Process ID. Configure the router ID. Click Apply. Entry Description: OSPF Process Config Process ID: The 16 bit integer that uniquely identifies the OSPF process, ranging from 1 to 65535.
10.9.2 Basic Choose the menu Routing→OSPF→Basic to load the following page. Figure 10-48 OSPF Base Configuration Procedure: Select a process to configure. Configure the relevant parameters and functions. Click Apply. Entry Description: Select Current Process Current Process: Select the desired OSPF process for configuration. Default Route Advertise Config ...
Always: If Originate is Enable, but the Always option is DISABLE, OSPF will only originate a default route if the router already has a default route in its routing table. Set Always to ENABLE to force OSPF to originate a default route regardless of whether the router has a default route.
LSAs Received: The number of LSAs received from other routers in OSPF domain. Default Metric: Set a default for the metric of redistributed routes. The valid value ranges from 1 to 16777214. Maximum Paths: Set the number of paths that OSPF can report for a given destination.
Entry Description: Network Config Process ID: Select the desired OSPF process for configuration. IP Address: The IP address of the network. Wildcard Mask: The wildcard mask of the network. Normal subnet mask is also supported. Area ID: The 32 bit unsigned integer that uniquely identifies the area to which a router interface connects.
Retransmit Interval: The retransmit interval for the specified interface. This is the number of seconds between link-state advertisements for adjacencies belonging to this router interface. This value is also used when retransmitting database descriptions and link-state request packets. The valid value ranges from 1 to 65535 seconds and the default is 5 seconds.
State: Displays the current state of the selected router interface. One of the following: Down: This is the initial interface state. In this state, the lower-level protocols have indicated that the interface is unusable. In this state, interface parameters will be set to their initial values.
Backup Designated The identity of the Backup Designated Router for this Router: network, in the view of the advertising router. The Backup Designated Router is identified here by its router ID. Set to 0.0.0.0 if there is no Backup Designated Router. Number of Events: This is the number of times the specified OSPF interface has changed its state.
Retransmit Interval: The retransmit interval for the specified interface. This is the number of seconds between link-state advertisements for adjacencies belonging to this router interface. This value is also used when retransmitting database descriptions and link-state request packets. The valid value ranges from 1 to 65535 seconds and the default is 5 seconds.
10.9.5 Area Choose the menu Routing→OSPF→Area to load the following page. Figure 10-52 OSPF Area Configuration Procedure: Select a process, and configure the OSPF parameters of the area. You can also select an entry in the Area Table and change the configuration of the area. Click Apply.
Area Table Process: Select one OSPF Process to display its area list. Select: Select the desired item for configuration. It is multi-optional. Area ID: Displays the configured area. Area Type: Displays the type of the area and it can be modified. Summary: Displays the Summary parameter and it can be modified.
10.9.6 Area Aggregation You can configure address ranges for an area on this page. The address range is used to consolidate or summarize routes for an area at an area boundary. The result is that a single summary route is advertised to other areas by the ABR. Routing information is condensed at area boundaries; a single route is advertised for each address range.
Area Aggregation Table Process: Select one OSPF Process to display its address range list. Area ID: Displays the area to which the address range belongs. Select: Select the desired item for configuration. It is multi-optional. IP Address: Displays the IP address of the address range. Subnet Mask: Displays the subnet mask of the address range.
Transit Area ID: Displays the transit area ID of the virtual link. Neighbor Router ID: Displays the neighbor router ID of the virtual link. Retransmit Interval: The retransmit interval for the specified interface. This is the number of seconds between link-state advertisements for adjacencies belonging to this router interface.
State: Displays the current state of the selected router interface. One of: Down: This is the initial interface state. In this state, the lower-level protocols have indicated that the interface is unusable. In this state, interface parameters will be set to their initial values.
Metric Type: Set the OSPF metric type of redistributed routes. The default is External Type 2. Tag: Set the tag field in routes redistributed. The valid value ranges from 0 to 4294967295 and the default is 0. 10.9.9 Neighbor Table Choose the menu Routing→OSPF→Neighbor Table to load the following page.
State: The state of the neighbor: Down: This is the initial state of a neighbor conversation. It indicates that there has been no recent information received from the neighbor. On NBMA networks, Hello packets may still be sent to 'Down' neighbors, although at a reduced frequency.
Retransmission Queue length: An integer representing the current length of the retransmission queue of the specified neighbor router ID of the specified interface. Dead Time: The amount of time, in seconds, to wait before the router assumes the neighbor is unreachable.
10.9.10 Link State Database
Choose the menu Routing→OSPF→Link State Database to load the following page.
10.9.11 Application Example for OSPF
Network Requirements
The AS is divided into three areas and all switches in the AS run OSPF. Switch A and Switch B act as ABRs to forward routing information between areas. Each switch can learn routing information to all the network segments in the AS after the configuration.
Create OSPF process: Required. On page Routing→OSPF→Process, create OSPF process 1 and configure the Router ID as 2.2.2.2.
Create networks in the area: Required. On page Routing→OSPF→Network, configure network 1.10.1.0/24 in area 0 and configure network 1.30.1.0/24 in area 2.
Configure area Optional.
VRRP is developed to solve the problem mentioned above and designed for LAN with multicast or broadcast function, such as Ethernet. Virtual router acts as a backup group which consists of one master router and several backup routers. The virtual router (also a backup group) has its own IP address. This IP address can be the same as the interface address of any router in the backup group.
router is assigned as the default gateway for the hosts within the LAN. Communication with external network can be realized via the virtual router. Master router is selected from the physical routers in the virtual router group according to VRRP priority. The elected master router provides routing service to the hosts in LAN, and sends VRRP messages periodically to publicize its configuration information like priority and operating condition to other routers in backup group.
dead and initiate an election process by transitioning to the Master state and forwarding VRRP packets. To avoid frequent Master-Backup state transition among routers in the backup group and provide enough time for backup routers to collect necessary information, backup router would not preempt to be master as soon as it receives packets with lower priority value.
Load balancing means multiple routers undertake workloads simultaneously. Therefore, two or more backup groups are needed to realize load balancing. Each backup group consists of one master router and several backup routers. The master router can vary from one backup group to another. Figure 10-59 VRRP Load Balancing A router has a different priority in each backup group when it participates in multiple VRRP backup groups simultaneously.
forward packets sent to this IP address. This will allow any Virtual Router IP address on the LAN to be used as the default first hop router by end hosts. Choose the menu Routing → VRRP → Basic Config to load the following page. Figure 10-60 VRRP Basic Config Configuration Procedure: Enter the VRID to identify the VRRP group.
Virtual IP: Displays the primary Virtual IP associated with the VRRP group. Priority: Displays the priority associated with the VRRP group. Status: Displays the status associated with the VRRP group. Other: Displays more information about the VRRP group. All: Select all the VRRP items. Delete: Delete the selected items.
Running Priority: Displays the running priority associated with the VRRP group. It ranges from 1 to 255. Advertise Timer: Displays the advertise timer associated with the VRRP group. It ranges from 1 to 255. Preempt Delay Timer: Displays the preempt delay timer associated with the VRRP group.
VRID: Displays the VRID associated with the VRRP group. Interface: Displays the Interface ID associated with the VRRP group. Description: Give a description for the VRRP group. It can contain up to 8 characters. Only numbers, letters, and underlines are allowed.
Choose the menu Routing → VRRP → Virtual IP Config to load the following page. Figure 10-63 Virtual IP Config Configuration Procedure: Select the interface and VRID associated with your desired VRRP group and add one or more virtual IP addresses for the VRRP group. Then click Create. Entry Description: Add Virtual IP ...
10.10.4 Track Config
You can configure track information for virtual routers. When the uplink interface of the master router is down, service will be interrupted since VRRP cannot detect the status change of interfaces outside the VRRP group. You can configure interface tracking to track the uplink interface.
Interface: Displays the Interface ID associated with your desired VRRP group. Tracked Interface: Displays the Interface ID tracked by the VRRP group. Reduced Priority: Displays the reduced priority associated with the interface tracked by the VRRP group. Link State: Displays the status of the interface tracked by the VRRP group.
VRID: Displays the VRID associated with your desired VRRP group. Interface: Displays the Interface ID associated with your desired VRRP group. Checksum Errors: Displays the number of VRRP packets received with an invalid VRRP checksum value. Version Errors: Displays the number of VRRP packets received with an unknown or unsupported version number.
Configuration Procedure:
Steps Operation Note
Configure interface and its IP address. Required. On page Routing → Interface → Interface Config, create a routing interface (either interface VLAN or routed port) and specify its IP address and subnet mask.
Add port to the Required.
Network Diagram
Configuration Procedure
Configure Switch A
Steps Operation Note
Configure the interface and its IP address. On page Routing → Interface → Interface Config, create the interface VLAN2, and configure its IP address as 192.168.1.1 and Subnet Mask as 255.255.255.0.
Chapter 11 Multicast Routing Overview of Multicast Routing Protocols Note: The router and router icon mentioned in this chapter represent the router in general or the switch that runs the layer 3 multicast routing protocols. The multicast routing protocols run in layer 3 multicast devices and they create and maintain multicast routes to forward the multicast packets correctly and efficiently.
Multicast Router (or the Layer 3 Multicast Device): The router or switch that supports the layer 3 multicast functions, which contains the multicast routing function and the management function of the multicast group members. The multicast model divides into two types depending on whether there is an exact multicast source: ASM (Any-Source Multicast) and SSM (Source-Specific Multicast).
Protocol Mode: Select PIM DM or PIM SM from the radio button to set the administrative status in the router. The default is disable. Protocol State: The multicast routing protocol presently activated and operational state of the multicast forwarding module. Table Maximum Entry Count: The maximum number of entries in the IP Multicast routing ...
Protocol: The multicast routing protocol which created this entry. The possibilities are PIM DM and PIM SM. Flags: The value displayed in this field is valid if the multicast routing protocol running is PIM SM. The possible values are RPT or SPT. For other protocols an "------" is displayed. Detail: Displays the detailed information of the mroute entries.
Figure 11-3 IGMP Query-and-Response As shown in Figure 11-3, suppose Host B and Host C expect to receive the multicast traffic sent to multicast group G1, and Host A expects to receive the multicast traffic sent to multicast group G2. The basic process of the host joining the multicast group and the IGMP querier (Router B) maintaining the multicast group membership is as below: (1) Instead of waiting for the IGMP query message from the IGMP querier, the host will actively send an IGMP membership report message to the multicast group it wants to join.
IGMPv1 does not define a dedicated leave group message. When a host running IGMPv1 leaves a multicast group, it does not send a report message to this multicast group. If no member exists in the multicast group, the IGMP router will not receive any report message to this multicast group, and thus it will delete this multicast group’s corresponding multicast forwarding entries after a period of time.
IGMPv3 Work Process Compatible with and inheriting from IGMPv1 and IGMPv2, IGMPv3 further enhances the control capacity of the hosts and broadens the functions of the query and report messages. 1. Enhancement of the Hosts IGMPv3 adds the filtering mode (INCLUDE/EXCLUDE) for the multicast source based on the group-specific query.
(1) Query message carrying source address IGMPv3 supports source-specific query as well as the general query in IGMPv1 and the group-specific query in IGMPv2: The general query message carries neither group address nor source address; The group-specific query message carries the group address without the source address. ...
Figure 11-5 IGMP Global Config The following entries are displayed on this screen: Multicast Global Config Admin Mode: Select Enable/Disable IGMP function globally on the Switch. Header Validation: Select Enable/Disable the validation of the IGMP header field Router Alert options. The fields are validated for IGMPv2 and IGMPv3 only.
Version: There are three versions for IGMP protocol. IGMPv1: the interface is now an IGMPv1 Router. IGMPv2: the interface is now an IGMPv2 Router. IGMPv3: the interface is now an IGMPv3 Router. Robustness: Specify the robustness of the selected interface, ranging from 1 to 255.
Routed Port: Enter the routed port the desired entry must carry. Interface State Interface: The interface for which data is to be displayed or configured. Operational Status: The operational state of IGMP on the selected interface. Querier State: Indicates whether the selected interface is in querier or non-querier mode.
The following entries are displayed on this screen: Search Option Search Option: Select the rules for displaying multicast IP table to find the desired entries quickly. All: Displays all multicast IP entries. Multicast IP: Enter the multicast IP address the desired ...
Network Diagram Configuration Procedure Configure the interface IP addresses and the unicast routing protocol. Configure the IP address and subnet mask of each interface as the diagram above. The detailed configuration steps are omitted here. Configure the switches to access each other through OSPF protocol. Ensure the network-layer intercommunication among Switch A, Switch B and Switch C.
Enable IGMP on user-side interface. On page Multicast Routing→ IGMP→ Interface Config, enable IGMP (version 2) on interface VLAN 20.
Configure Switch C
Steps Operation Note
Enable IP multicast routing. On page Multicast Routing→ Global Config→ Global Config, enable the multicast routing function.
Enable IGMP on On page Multicast Routing→...
1. RPF Check The RPF check relies on unicast route or static multicast route. The unicast routing table aggregates the shortest paths to each destination network segment, and the static multicast routing table lists specified static RPF routing entries configured by the user manually. Instead of maintaining certain unicast routing independently, the multicast routing protocol relies on the current unicast routing information or static multicast routing in the network to establish multicast routing entries.
If the check result shows that the RPF interface is different from the input interface in the current (S, G) entry, the (S, G) entry is invalid; the router will correct the input interface to the packet’s actual arriving interface, and forward this packet to all the output interfaces.
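The lookup behind the RPF check can be modelled as follows. This is an added example, not code from the guide or the switch: it derives the RPF interface toward a multicast source from a static multicast route (Source, Source Mask, RPF Neighbor) or, failing that, from the unicast routing table, and accepts a packet only when it arrived on that interface. Preferring a matching static multicast route over the unicast route is an assumption, and the interface names and addresses are constructed.

```python
"""RPF check sketch using a unicast table and static multicast routes (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class UnicastRoute:
    prefix: ipaddress.IPv4Network
    out_interface: str


@dataclass(frozen=True)
class StaticMroute:
    source: ipaddress.IPv4Network          # Source + Source Mask
    rpf_neighbor: ipaddress.IPv4Address    # RPF Neighbor


def _longest_match(entries, addr, net_of):
    """Return the entry whose network contains addr with the longest prefix."""
    hits = [e for e in entries if addr in net_of(e)]
    return max(hits, key=lambda e: net_of(e).prefixlen, default=None)


class RpfChecker:
    def __init__(self, connected, unicast, mroutes=()):
        self.connected = connected      # interface name -> directly connected subnet
        self.unicast = list(unicast)
        self.mroutes = list(mroutes)

    def _interface_for_neighbor(self, neighbor):
        """Resolve an RPF neighbor address to the local interface facing it."""
        for ifname, net in self.connected.items():
            if neighbor in net:
                return ifname
        return None

    def rpf_interface(self, source):
        """Return (interface, origin) for the path back toward the source."""
        src = ipaddress.IPv4Address(source)
        # Assumption: a matching static multicast route wins over the unicast route.
        mroute = _longest_match(self.mroutes, src, lambda e: e.source)
        if mroute is not None:
            ifname = self._interface_for_neighbor(mroute.rpf_neighbor)
            if ifname is not None:
                return ifname, "static-mroute"
        route = _longest_match(self.unicast, src, lambda e: e.prefix)
        if route is not None:
            return route.out_interface, "unicast"
        return None, "no-route"

    def check(self, source, in_interface):
        """Return (passed, rpf_interface, origin) for a packet from source."""
        ifname, origin = self.rpf_interface(source)
        return (ifname is not None and ifname == in_interface), ifname, origin


# --- constructed topology: this router reaches the source via vlan10 by unicast ---
CONNECTED = {
    "vlan10": ipaddress.ip_network("192.0.2.0/30"),   # link to the first neighbor
    "vlan20": ipaddress.ip_network("192.0.2.4/30"),   # link to the second neighbor
}
UNICAST = [
    UnicastRoute(ipaddress.ip_network("192.0.2.0/30"), "vlan10"),
    UnicastRoute(ipaddress.ip_network("192.0.2.4/30"), "vlan20"),
    UnicastRoute(ipaddress.ip_network("198.51.100.0/24"), "vlan10"),
]
# A static multicast route that moves the RPF neighbor to the router on vlan20.
MROUTES = [StaticMroute(ipaddress.ip_network("198.51.100.0/24"),
                        ipaddress.ip_address("192.0.2.6"))]

if __name__ == "__main__":
    for label, checker in (("unicast only", RpfChecker(CONNECTED, UNICAST)),
                           ("with static mroute",
                            RpfChecker(CONNECTED, UNICAST, MROUTES))):
        for iface in ("vlan10", "vlan20"):
            print(label, iface, checker.check("198.51.100.10", iface))
```

A source address with no matching route fails the check on every interface, which is how the RPF check discards multicast packets that claim an unroutable source.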
Neighbor Discovering In a PIM domain, routers periodically send PIM Hello packets to all the PIM routers with the multicast address 224.0.0.13 to discover PIM neighbors and maintain the PIM neighboring relationships between the routers, and thus build and maintain the SPT. SPT Building ...
Grafting When a new receiver on a previously pruned branch of the tree joins a multicast group, PIM DM uses the Graft mechanism to actively resume this node’s function of forwarding multicast data, thus reducing the time it takes to resume the forwarding state. The process is illustrated as below: (1) The branch that needs to receive the multicast data again will send a graft message to its upstream node up the distribution tree towards the source hop-by-hop, applying to rejoin...
priority and cost of the unicast route to the multicast source. The router to forward the multicast packets of (S, G) is elected based on the following rules and in the order listed: (1) The router with the unicast route of the higher priority to the multicast source; (2) The router with the unicast route of the smaller cost to the multicast source;...
Choose the menu Multicast Routing→PIM DM→PIM DM neighbor to load the following page. Figure 11-12 PIM DM neighbor The following entries are displayed on this screen: Search Option The L3 interfaces can be configured as PIM DM mode by this page. Search Option: ALL: Displays all entries.
Step Operation Description Enable IGMP Required. Enable IGMP on the routing interfaces which connect to the receivers on Multicast Routing→IGMP→Interface Config page. 11.3.3 Application Example for PIM DM Network Requirements Receivers receive VOD data through multicast. The whole network runs PIM DM as multicast routing protocol.
Configuration Procedure Configure Switch A: Step Operation Description Configure interface. Configure IP addresses and subnet masks of VLAN interfaces 1, 2 and 3 on Routing→ Interface→Interface Config page. Configure routing Configure the routing entries via static route or dynamic routing protocol.
The router connected to the receiver sends the join message to the RP of a certain multicast group. The path along which the join message is sent to the RP hop-by-hop forms a branch of RPT. When the multicast source is sending multicast data to a multicast group, the router directly ...
The device working as DR should be enabled with the IGMP function; otherwise the receivers connected to it would be unable to join the multicast group via this DR. Figure 11-13 DR Elect As shown in Figure 11-15, the DR election process is illustrated below: (1) Routers in the shared network send Hello messages carrying DR-election priority to each other, and the router with the highest priority will be elected as the DR;...
avoid business disruption. Similarly, several C-RPs can be configured in one PIM SM domain, and each multicast group’s corresponding RP can be calculated through the BSR mechanism. The location of RP and BSR in the network is shown below: Figure 11-14 The Locations of C-RP, C-BSR and BSR RPT Building ...
When multicast data for multicast group G is sent to RP, it travels along the constructed RPT to DR and finally arrives at the receivers. When a receiver is no longer interested in the multicast group data, its directly connected DR will send a prune message up the RPT toward the group’s corresponding RP;...
Switching from RPT to SPT Once receiver-side DR receives the multicast data from RP to multicast group G, the switching process from RPT to SPT will be triggered: (1) The receiver-side DR sends (S, G) join message to the multicast source S hop-by-hop, and the join message finally arrives at the source-side DR.
Features of BSR administrative domain: Divide the BSR administrative domains by setting BSR border Each BSR administrative domain has its own border, C-RP and BSR devices. These devices are only valid in the domains they belong to, which means that the BSR mechanism and RP election are separated between the administrative domains.
11.4.2 PIM SM Neighbor PIM SM neighbor is automatically learned by sending and receiving Hello Packets when PIM SM is enabled. Choose the menu Multicast Routing→PIM SM→PIM SM Neighbor to load the following page. Figure 11-19 PIM SM neighbor The following entries are displayed on this screen: Search Option ...
Choose the menu Multicast Routing→PIM SM→BSR to load the following page. Figure 11-20 BSR The following entries are displayed on this screen: PIM SM Candidate BSR Config Configure the candidate BSR of current device. Interface: Select the interface on this switch from which the BSR address is derived to make it a candidate.
Next BSR message Displays the time of next BSR message sending if this is the time: elected BSR. Expire: Displays the expiry time of the elected BSR. PIM SM Candidate BSR Information Candidate Displays the Candidate BSR address. Address: Priority: Displays the priority of the Candidate BSR.
PIM SM Static RP Config By default, no static RP address is configured. You could configure the IP address of RPs on all multilayer switches. RP Address: Specify the IP address of the static RP. Group: Group Address of the RP to be created or deleted. Group Mask: Group Mask of the RP to be created or deleted.
Next advertisement Displays the remaining time to send the next RP time: advertisement packet. 11.4.5 RP Mapping Choose the menu Multicast Routing→PIM SM→RP Mapping to load the following page. Figure 11-22 RP Mapping The following entries are displayed on this screen: Search Option ...
The following entries are displayed on this screen: Search Option Search Option: ALL: Select All to display all entries. Group: Select Group and enter the group IP address of desired entry. RP Information Group: Displays the group address. Displays the RP address.
Choose the menu Multicast Routing→PIM SM→PIM SSM to load the following page. Figure 11-24 PIM SSM Config The following entries are displayed on this screen: PIM SSM Config Group: Enter the source-specific multicast group ip-address. Group Mask: Enter the source-specific multicast group ip-address mask. PIM SSM Config Table ...
PIM SM Statistics Interface: The interface on which PIM SM is enabled. Stat: Rx: Packet Received in Protocol. Tx: Packet Sent from Protocol. Hello: Hello Format Packets Statistics. Register: Register Format Packets Statistics. Reg-Stop: Register-Stop Format Packets Statistics. Join/Pru: Join/Prune Format Packets Statistics.
Network Diagram The IP addresses of VLAN interfaces in each switch are displayed below: Switch A: VLAN interface 1: 192.168.1.2/24 VLAN interface 2: 192.168.2.2/24 VLAN interface 3: 192.168.3.2/24 Switch B: VLAN interface 2: 192.168.2.100/24 VLAN interface 4: 192.168.4.100/24 Switch C: VLAN interface 3: 192.168.3.100/24 VLAN interface 5: 192.168.5.100/24 Configuration Procedure ...
Configure candidate BSR and candidate RP: Configure VLAN interface 1 as candidate BSR on Multicast Routing→PIM SM→BSR page. Configure VLAN interface 1 as candidate RP on Multicast Routing→PIM SM→RP page. Configure Switch B and C: Step Operation Description Configure interface. Configure IP addresses and subnet masks of VLAN interfaces 2, 3, 4 and 5 on Routing→...
Figure 11-26 Static Multicast Routing As shown in Figure 11-26, when no static multicast routing entry is configured, the RPF neighbor of Router C to the multicast source is Router A. The multicast packets sent from Source will be transferred along the path Router A→Router C, which is the same as the unicast path.
The following entries are displayed on this screen: Static Mroute Config Source: Enter the IP address that identifies the multicast source of the entry you are creating. Source Mask: Enter the subnet mask to be applied to the Source. RPF Neighbor: Enter the IP address of the neighbor router on the path to the mroute source.
Network Diagram Configuration Procedure Configure the interfaces and unicast routing protocol Configure the VLAN interfaces and their IP addresses of Switch A, Switch B and Switch C on the page Routing→Interface→Interface Config according to the topology. Configure the OSPF features on the switches in this PIM DM domain so that the switches can reach each other at the network layer.
Step Operation Note Enable IGMP: Required. On page Multicast Routing→IGMP→Interface Config, enable the IGMP function on VLAN interface 100. Configure static multicast routing: Required. On page Multicast Routing→Static Mroute→Static Mroute Config, configure a static multicast routing entry with the Source as 50.1.1.100, the Source Mask as 255.255.255.0 and the RPF Neighbor as 20.1.1.2.
Chapter 12 QoS QoS (Quality of Service) functions to provide different quality of service for various network applications and requirements and optimize the bandwidth resource distribution so as to provide a network service experience of a better quality. This switch classifies the ingress packets, maps the packets to different priority queues and then forwards the packets according to specified scheduling algorithms to implement QoS function.
2. 802.1P Priority Figure 12-2 802.1Q frame As shown in the figure above, each 802.1Q Tag has a Pri field, comprising 3 bits. The 3-bit priority field is 802.1p priority in the range of 0 to 7. 802.1P priority determines the priority of the packets based on the Pri value.
Figure 12-4 SP-Mode WRR-Mode: Weight Round Robin Mode. In this mode, packets in all the queues are sent in order based on the weight value for each queue and every queue can be assured of a certain service time. The weight value indicates the occupied proportion of the resource. WRR queue overcomes the disadvantage of SP queue that the packets in the queues with lower priority cannot get service for a long time.
12.1 Class of Service The Class of Service (CoS) queueing feature allows you to configure certain aspects of switch queueing. It provides the desired QoS behavior for different types of network traffic when the complexities of DiffServ are not required. This switch classifies the ingress packets, maps the packets to different priority queues and then forwards the packets according to specified scheduling algorithms.
Figure 12-7 Port Priority Config Configuration Procedure: Select the desired port or LAG to set its priority. Click Apply. Entry Description: UNIT:1/LAGS: Click 1 to configure the physical ports. Click LAGS to configure the link aggregation groups. Select: Select the desired port to configure its priority. It is multi-optional.
Configuration Procedure: Step Operation Description Enable the port Priority: Required. On QoS→Class of Service→Trust Mode page, select untrusted mode. Select the port priority: Required. On QoS→Class of Service→Port Priority page, configure the port priority. Configure the mapping relation between the CoS priority and TC...: Required. On QoS→Class of Service→802.1P/CoS to Queue Mapping page, configure the mapping...
Entry Description: CoS-id: CoS-id is a value for the switch to establish mapping relations between the priorities and TC queues. The valid values are from 0 to 7 and correspond to the 802.1P priority levels. Queue TC-id: Select a TC queue that you want the CoS-id to be mapped to. The switch supports 7 TC queues, from TC0 for the lowest priority to TC 6 for the highest priority.
Choose the menu QoS→Class of Service→DSCP to Queue Mapping to load the following page. Figure 12-9 DSCP Priority Configuration Procedure: Configure the DSCP-TC mapping relations. Click Apply. Entry Description: DSCP: Select the desired DSCP priority. DSCP priority represents the DSCP field in the IP packet header. It comprises 6 bits and the valid values are from 0 to 63.
Select a schedule mode Required. On QoS→Class of Service→Schedule Mode page, select a schedule mode. 12.1.5 Schedule Mode On this page you can select a schedule mode for the switch. When the network is congested, the problem that many packets compete for resources must be solved, usually in the way of queue scheduling.
SP+WRR-Mode: Strict-Priority + Weight Round Robin Mode. In this mode, this switch provides two scheduling groups, SP group and WRR group. Queues in SP group and WRR group are scheduled strictly based on strict-priority mode while the queues inside WRR group follow the WRR mode. In SP+WRR mode, TC6 is in the SP group;...
Choose the menu QoS→DiffServ→Global to load the following page. Figure 12-11 Global Config Configuration Procedure: Enable the DiffServ Admin Mode and click Apply. Entry Description: DiffServ Admin Mode: Enable or disable the administrative mode of DiffServ on the device. While disabled, the DiffServ configuration is retained and can be changed, but it is not active.
12.2.2 Class Summary On this page you can configure DiffServ classes and view summary information about the classes that exist on the device. Choose the menu QoS→DiffServ→Class Summary to load the following page. Figure 12-12 Class Summary Configuration Procedure: Specify the name, type and protocol of the DiffServ Class, then click Create. Entry Description: Name: Enter the class name.
12.2.3 Class Config Choose the menu QoS→DiffServ→Class Config to load the following page. Figure 12-13 Class Config Configuration Procedure: Select a class from the drop-down list. Define the criteria to associate with a DiffServ class, then click submit. Entry Description: Class: The name of the class.
Reference Class: Select this option to reference another class for criteria. The match criteria defined in the referenced class are used as match criteria in addition to the match criteria you define for the selected class. After selecting this option, the classes that can be referenced are displayed.
IP Protocol: Select this option to require a packet header's Layer 4 protocol to match the specified value. Flow Label: Select this option to require an IPv6 packet's flow label to match the configured value. 12.2.4 Policy Summary Choose the menu QoS→DiffServ→Policy Summary to load the following page. Figure 12-14 802.1P Priority Configuration Procedure: Create DiffServ policies and specify the traffic flow direction to which the policy is applied.
12.2.5 Policy Config Choose the menu QoS→DiffServ→Policy Config to load the following page. Figure 12-15 DSCP Priority Configuration Procedure: Add or remove a DiffServ policy-class association and configure the policy attributes. Entry Description: DiffServ Policy Config Policy: The name of the policy. To add a class to the policy, remove a class from the policy, or configure the policy attributes, you must first select its name from the menu.
Class: The DiffServ class or classes associated with the policy. The policy is applied to a packet when a class match within that policy-class is found. Add: Click this button to show the available class list menu. DiffServ Policy Attribute ...
Police Two Rate: Select this option to enable the two-rate traffic policing style for the policy-class. The two-rate form of the police attribute uses two data rates and two burst sizes. Only the smaller of the two data rates is intended to be guaranteed. Redirect Interface: Select this option to force a classified traffic stream to the specified egress port (physical port or LAG).
State: The status of the policy on the interface. A policy is Up if DiffServ is globally enabled and the interface is administratively enabled and has a link. Otherwise, the status is Down. Policy: The DiffServ policy associated with the interface. 12.3 Bandwidth Control The Bandwidth function, which allows you to control the traffic rate and broadcast flow on each port to keep the network in working order, can be implemented on Rate Limit and Storm Control pages.
Entry Description: UNIT:1/LAGS: Click 1 to configure the physical ports. Click LAGS to configure the link aggregation groups. Select: Select the desired port for Rate configuration. It is multi-optional. Port: Displays the port number of the switch. Egress Rate: Configure the bandwidth for sending packets on the port. LAG: Displays the LAG number which the port belongs to.
Entry Description: UNIT: Select the unit ID of the desired member in the stack. Select: Select the desired port for Storm Control configuration. It is multi-optional. Port: Displays the port number of the switch. Broadcast: Input the bandwidth for receiving broadcast packets on the port.
The Voice VLAN function can be implemented on Global Config, Port Config and OUI Config pages. 12.4.1 Global Config Choose the menu QoS→Voice VLAN→Global Config to load the following page. Figure 12-19 Global Configuration Configuration Procedure: Enable the voice VLAN feature, and enter a VLAN ID. Specify a priority for the voice VLAN, and click Apply.
12.4.2 Port Config Choose the menu QoS→Voice VLAN→Port Config to load the following page. Figure 12-20 Port Config Configuration Procedure: Select your desired ports/LAGs and enable the Voice VLAN mode for selected ports. Click Apply. Entry Description: Voice VLAN Mode: Enable or disable the administrative mode of OUI-based Voice VLAN on the interface.
Choose the menu QoS→Voice VLAN→OUI Config to load the following page. Figure 12-21 OUI Config Configuration Procedure: Enter an OUI address and give a description about the OUI address. Click Create to add an OUI address to the table. Entry Description: OUI: Enter the OUI address of your device.
Choose the menu QoS > Auto VoIP > Auto VoIP Config to load the following page. Figure 12-22 Auto VoIP Config Configuration Procedure: Enable the Admin mode of Auto VoIP. Select your desired ports and choose the interface mode and enter corresponding interface value;...
Interface Mode: Indicates how an IP phone connected to the port should send voice traffic. • VLAN ID – Forward voice traffic in the specified Auto VoIP VLAN. If you choose VLAN ID, you need to configure LLDP-MED to instruct voice devices to send tagged voice traffic, and create a priority policy in DiffServ for voice traffic.
Chapter 13 ACL The fast growth of network size and traffic brings challenges to network security and bandwidth allocation. Packet filtering can prevent unauthorized access behaviors and improve bandwidth use. ACL (Access Control List), which is based on rule matching, is primarily used for packet filtering. ACL accurately identifies and controls packets on the network to manage network access behaviors, prevent network attacks, and improve bandwidth use efficiency.
2) To edit the time range, click “Edit” in the Time-Range Table to load the following page. Then configure Absolute entry or Periodic entry according to your actual needs. Entry Description: Select: Select the desired entry to delete the corresponding time-range. Time-Range Name: Displays the name of the time-range.
Week: Select Week to configure week time-range. The ACL rule based on this time-range takes effect only when the system time is within the week time-range. Start Time: Configure values for the Start Time of Day. End Time: Configure values for the End Time of Day. Entry Type: The type of time range entry.
Figure 13-2 ACL Summary Configuration Procedure: Select an ACL ID from the drop-down list. You can view corresponding rules in the Rule Table. 13.2.2 ACL Create On this page you can create ACLs. Choose the menu ACL → ACL Config → ACL Create to load the following page. Figure 13-3 ACL Create Configuration Procedure: Enter an ID number in the ACL ID field, then click Apply.
Choose the menu ACL → ACL Config → MAC ACL to load the following page. Figure 13-4 Create MAC Rule Configuration Procedure: Select an ACL ID from the drop-down list, enter a Rule ID, then specify the operation of the rule.
Time-Range: Select the time-range for the rule to take effect. S-Condition: Select S-Condition to limit the transmission rate of the data packets. Rate: The transmission rate of the data packets. Valid values are (1 to 1000000) in Kbps. Qos Remark: Select QoS Remark to forward the data packets based on the QoS settings.
Operation: Select the operation for the switch to process packets which match the rules. Permit: Forward packets. Deny: Discard Packets. S-IP: Enter the source IP address contained in the rule. Mask: Enter IP address mask. If it is set to 1, it must strictly match the address.
Choose the menu ACL → ACL Config → Extend-IP ACL to load the following page. Figure 13-6 Create Extend-IP Rule Configuration Procedure 1) Select an ACL ID from the drop-down list, enter a Rule ID, then specify the operation of the rule.
Mask: Enter IP address mask. If it is set to 1, it must strictly match the address. Select ICMP: Configure the predefined ICMP type and code. ICMP Type: Configure the predefined ICMP type. ICMP Code: Configure the predefined ICMP code. IP Protocol: Select IP protocol contained in the rule.
13.3.1 Binding Table On this page you can view the policy bound to port/VLAN. Choose the menu ACL → ACL Binding → Binding Table to load the following page. Figure 13-7 Binding Table Configuration Procedure In the ACL VLAN-Bind Table, you can view VLAN binding entries. In the ACL Port-Bind Table, you can view port binding entries.
ACL Port-Bind Table UNIT: Select the unit ID of the desired member in the stack. Select: Select the desired entry to delete the corresponding binding ACL. Index: Displays the index of the binding ACL. ACL ID: Displays the ID or name of the binding ACL. Interface: Displays the port number bound to the ACL.
ACL ID: Displays the ID or name of the binding ACL. Port: Displays the number of the port bound to the corresponding ACL. Direction: Displays the binding direction. 13.3.3 VLAN Binding On this page you can bind an ACL to a VLAN. Choose the menu ACL →...
Step Operation Description Configure ACL rules: Required. On ACL → ACL Config configuration pages, configure ACL rules to match packets. Bind the ACL to the port/VLAN: Required. On ACL → ACL Binding configuration pages, bind the ACL to the port/VLAN to make the ACL effective on the corresponding port/VLAN.
Chapter 14 Network Security Network Security module is to provide the multiple protection measures for the network security, including five submenus: IP-MAC Binding, DHCP Snooping, ARP Inspection, IP Source Guard, DoS Defend and 802.1X. Please configure the functions appropriate to your need.
Entry Description: Source: Displays the Source of the entry. • All: All the bound entries will be displayed. • Manual: Only the manually added entries will be displayed. • Snooping: Only the entries formed via DHCP Snooping will be displayed. Click the Select button to quick-select the corresponding entry based on the IP address you entered.
Choose the menu Network Security→IP-MAC Binding→Manual Binding to load the following page. Figure 14-2 Manual Binding Configuration Procedure: Specify the IP address, MAC address, VLAN ID and port number, and click Bind. Entry Description: IP Address: Enter the IP Address of the Host. MAC Address: Enter the MAC Address of the Host.
address for several Clients, which is illustrated in the following figure. For details about the DHCP Server function, please refer to 10.4 DHCP Server. Figure 14-3 Network diagram for DHCP-snooping implementation For different DHCP Clients, DHCP Server provides three IP address assigning methods: Manually assign the IP address: Allows the administrator to bind the static IP address to the specific Client (e.g.: WWW Server) via the DHCP Server.
DHCP-DISCOVER Stage: The Client broadcasts the DHCP-DISCOVER packet to find the DHCP Server. DHCP-OFFER Stage: Upon receiving the DHCP-DISCOVER packet, the DHCP Server selects an IP address from the IP pool according to the assigning priority of the IP addresses and replies to the Client with DHCP-OFFER packet carrying the IP address and other information.
The attacker exhausts the IP addresses of the normal DHCP server and then pretends to be a legal DHCP server to assign IP addresses and other parameters to Clients. For example, the attacker uses the fake DHCP server to assign a modified DNS server address to users so as to lead them to a malicious financial or electronic trading website and cheat them out of their accounts and passwords.
14.2.1 Global Config Choose the menu Network Security→DHCP Snooping→Global Config to load the following page. Figure 14-6 DHCP Snooping Note: If you want to enable the DHCP Snooping feature for the member port of LAG, please ensure the parameters of all the member ports are the same. Configuration Procedure: Enable DHCP Snooping globally and for the specified VLAN.
VLAN Configuration Display: Displays the VLANs that have been enabled with DHCP Snooping. Option 82 Config Option 82 Support: Enable/Disable the Option 82 feature. Existed Option 82 field: Select the operation for the Option 82 field of the DHCP request packets from the Host.
Port: Displays the port number. Trusted Port: Select Enable/Disable the port to be a Trusted Port. Only the Trusted Port can receive the DHCP packets from DHCP servers. Rate Limit: Select the value to specify the maximum amount of DHCP messages that can be forwarded by the switch of this port per second.
encapsulate this false destination MAC address for packets, which results in a breakdown of the normal communication. Cheating Gateway The attacker sends the wrong IP address-to-MAC address mapping entries of Hosts to the Gateway, so that the Gateway cannot communicate with the legal terminal Hosts normally.
Figure 14-10 ARP Attack – Cheating Terminal Hosts As shown in the figure above, the attacker sends the fake ARP packets of Host A to Host B, and then Host B will automatically update its ARP table after receiving the ARP packets. When Host B tries to communicate with Host A, it will encapsulate this false destination MAC address for packets, which results in a breakdown of the normal communication.
First, the attacker sends the false ARP response packets. Upon receiving the ARP response packets, Host A and Host B update their own ARP tables. When Host A communicates with Host B, it will send the packets to the false destination MAC address, i.e.
Choose the menu Network Security→ARP Inspection→ARP Detect to load the following page. Figure 14-12 ARP Detect Configuration Procedure: 1) In the Global Configuration section, enable or disable the following features. 2) In the Enable VLAN section, enable ARP Detect for the VLAN. Entry Description: Validate Source MAC: Enable or disable the switch to check whether the source...
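The Trusted Port and Rate Limit settings of DHCP Snooping and the IP-MAC Binding Table can be modeled together with ARP Detect as below. This is an added illustration, not TP-Link firmware code: it assumes ARP Detect checks ARP packets against the binding entries, as dynamic ARP inspection generally does, and all class names, ports and addresses are constructed.

```python
"""Model of DHCP Snooping feeding ARP inspection (illustrative, not switch firmware)."""
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str
    source: str  # "Manual" or "Snooping", as in the Binding Table's Source column


class SnoopingSwitch:
    def __init__(self, trusted_ports, rate_limit_pps):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit_pps
        self.bindings = {}     # ip -> Binding
        self.pending = {}      # client MAC -> (vlan, port) where its request was seen
        self.dhcp_seen = {}    # (port, whole second) -> DHCP messages counted
        self.illegal_arp = {}  # port -> dropped ARP packets (per-port statistics)

    def bind_manual(self, ip, mac, vlan, port):
        self.bindings[ip] = Binding(ip, mac.lower(), vlan, port, "Manual")

    def dhcp(self, ts, port, vlan, msg_type, client_mac, your_ip=None):
        """Decide the fate of one DHCP message: 'forward' or 'drop: <reason>'."""
        client_mac = client_mac.lower()
        bucket = (port, int(ts))
        self.dhcp_seen[bucket] = self.dhcp_seen.get(bucket, 0) + 1
        if self.dhcp_seen[bucket] > self.rate_limit:
            return "drop: rate limit exceeded"
        if msg_type in SERVER_MESSAGES:
            if port not in self.trusted:
                return "drop: server message on untrusted port"
            if msg_type == "ACK" and your_ip and client_mac in self.pending:
                # Bind the lease to the access port where the client asked for it.
                c_vlan, c_port = self.pending.pop(client_mac)
                self.bindings[your_ip] = Binding(
                    your_ip, client_mac, c_vlan, c_port, "Snooping")
            return "forward"
        if msg_type in ("DISCOVER", "REQUEST"):
            self.pending[client_mac] = (vlan, port)
        return "forward"

    def arp(self, port, vlan, eth_src, sender_mac, sender_ip):
        """Validate one ARP packet against the binding table."""
        eth_src, sender_mac = eth_src.lower(), sender_mac.lower()
        binding = self.bindings.get(sender_ip)
        reason = None
        if eth_src != sender_mac:
            reason = "source MAC mismatch"  # Ethernet header vs. ARP body
        elif binding is None:
            reason = "no binding for sender IP"
        elif (binding.mac, binding.vlan, binding.port) != (sender_mac, vlan, port):
            reason = "binding mismatch"
        if reason:
            self.illegal_arp[port] = self.illegal_arp.get(port, 0) + 1
            return "drop: " + reason
        return "forward"


def run_demo():
    """Replay constructed traffic: one legal client, one misbehaving access port."""
    sw = SnoopingSwitch(trusted_ports={"1/0/24"}, rate_limit_pps=5)
    sw.bind_manual("192.168.1.1", "00:11:22:00:00:01", 1, "1/0/24")  # gateway
    host, rogue = "00:11:22:00:00:0a", "00:11:22:00:00:66"
    log = [
        sw.dhcp(0.1, "1/0/3", 1, "DISCOVER", host),
        sw.dhcp(0.2, "1/0/7", 1, "OFFER", host, "10.66.0.5"),      # untrusted port
        sw.dhcp(0.3, "1/0/24", 1, "OFFER", host, "192.168.1.50"),
        sw.dhcp(0.4, "1/0/3", 1, "REQUEST", host),
        sw.dhcp(0.5, "1/0/24", 1, "ACK", host, "192.168.1.50"),
        sw.arp("1/0/3", 1, host, host, "192.168.1.50"),    # matches snooped binding
        sw.arp("1/0/7", 1, rogue, rogue, "192.168.1.1"),   # claims the gateway's IP
        sw.arp("1/0/7", 1, rogue, host, "192.168.1.50"),   # forged sender MAC
    ]
    # Eight DHCP messages inside one second on a single access port.
    flood = [sw.dhcp(2.0 + i / 100, "1/0/7", 1, "DISCOVER", f"02:00:00:00:00:{i:02x}")
             for i in range(8)]
    return sw, log, flood


if __name__ == "__main__":
    switch, log, flood = run_demo()
    for line in log + flood:
        print(line)
    print("illegal ARP per port:", switch.illegal_arp)
```
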
14.3.2 ARP Defend With the ARP Defend enabled, the switch can terminate receiving the ARP packets for 300 seconds when the transmission speed of the legal ARP packet on the port exceeds the defined value so as to avoid ARP Attack flood. Choose the menu Network Security→ARP Inspection→ARP Defend to load the following page.
LAG: Displays the LAG to which the port belongs. Note: It’s not recommended to enable the ARP Defend feature for the LAG member port. 14.3.3 ARP Statistics ARP Statistics feature displays the number of the illegal ARP packets received on each port, which helps you locate the network malfunction and take the related protection measures.
Choose the menu Network Security→IP Source Guard to load the following page. Figure 14-15 IP Source Guard Configuration Procedure: Select one or more ports, configure security type, and click Apply. Entry Description: UNIT: Select the unit ID of the desired member in the stack. Select: Select your desired port for configuration.
14.5 DoS Defend A DoS (Denial of Service) attack maliciously occupies the network bandwidth: network attackers or malicious programs send a lot of service requests to the Host, which causes abnormal service or even a breakdown of the network. With DoS Defend function enabled, the switch can analyze the specific fields of the IP packets and distinguish the malicious DoS attack packets.
DoS Attack Type Description SYN/SYN-ACK Flooding: The attacker uses a fake IP address to send TCP request packets to the Server. Upon receiving the request packets, the Server responds with SYN-ACK packets. Since the IP address is fake, no response will be returned. The Server will keep on sending SYN-ACK packets.
Authenticator System: The authenticator system is usually an 802.1X-supported network device, such as this TP-Link switch. It provides the physical or logical port for the supplicant system to access the LAN and authenticates the supplicant system. Authentication Server System: The authentication server system is an entity that provides authentication service to the authenticator system.
802.1X client program to initiate an 802.1X authentication through the sending of an EAPOL-Start packet to the switch. This TP-Link switch can authenticate supplicant systems in EAP relay mode or EAP terminating mode. The following illustration of these two modes will take the 802.1X authentication procedure initiated by the supplicant system for example.
(3) The 802.1X client program responds by sending an EAP-Response/Identity packet to the switch with the user name included. The switch then encapsulates the packet in a RADIUS Access-Request packet and forwards it to the RADIUS server. (4) Upon receiving the user name from the switch, the RADIUS server retrieves the user name, finds the corresponding password by matching the user name in its database, encrypts the password using a randomly-generated key, and sends the key to the switch through a RADIUS Access-Challenge packet.
Figure 14-19 PAP Authentication Procedure In PAP mode, the switch encrypts the password and sends the user name, the randomly-generated key, and the supplicant system-encrypted password to the RADIUS server for further authentication. Whereas the randomly-generated key in EAP-MD5 relay mode is generated by the authentication server, and the switch is responsible for encapsulating the authentication packet and forwarding it to the RADIUS server.
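The challenge/response at the heart of the EAP-MD5 exchange described above, shown from both ends as an added example (not code from the switch or from the original guide). It follows the MD5-Challenge construction of RFC 3748 and RFC 1994, leaves out the EAPOL and RADIUS encapsulation that the switch performs, and uses a constructed user name and password.

```python
"""EAP-MD5 challenge/response, both sides (illustrative; names are hypothetical)."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4  # MD5-Challenge


def build_md5_packet(code, identifier, value, name=b""):
    """Code(1) Identifier(1) Length(2) Type(1) Value-Size(1) Value Name."""
    type_data = bytes([len(value)]) + value + name
    return struct.pack("!BBHB", code, identifier, 5 + len(type_data),
                       EAP_TYPE_MD5) + type_data


def parse_md5_packet(pkt):
    """Return (code, identifier, value, name); reject malformed packets."""
    if len(pkt) < 6:
        raise ValueError("packet too short")
    code, identifier, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or eap_type != EAP_TYPE_MD5:
        raise ValueError("bad length or not an MD5-Challenge packet")
    size = pkt[5]
    if 6 + size > length:
        raise ValueError("Value-Size runs past the end of the packet")
    return code, identifier, pkt[6:6 + size], pkt[6 + size:]


def md5_response(identifier, password, challenge):
    """MD5 over Identifier || password || challenge; the password never leaves the host."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def supplicant_answer(request_pkt, username, password):
    """Client side: answer the server's challenge."""
    code, identifier, challenge, _ = parse_md5_packet(request_pkt)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    value = md5_response(identifier, password, challenge)
    return build_md5_packet(EAP_RESPONSE, identifier, value, name=username.encode())


class AuthServer:
    """Authentication server side: issues a fresh challenge, verifies one answer."""

    def __init__(self, users):
        self.users = users      # username -> password bytes
        self.outstanding = {}   # username -> (identifier, challenge)

    def challenge(self, username, identifier):
        random_key = os.urandom(16)  # the "randomly-generated key" of the procedure
        self.outstanding[username] = (identifier, random_key)
        return build_md5_packet(EAP_REQUEST, identifier, random_key)

    def verify(self, username, response_pkt):
        # Each challenge is consumed on first use, so a captured answer cannot be replayed.
        identifier, random_key = self.outstanding.pop(username, (None, None))
        password = self.users.get(username)
        if random_key is None or password is None:
            return False
        try:
            code, rid, value, _ = parse_md5_packet(response_pkt)
        except ValueError:
            return False
        if code != EAP_RESPONSE or rid != identifier:
            return False
        expected = md5_response(identifier, password, random_key)
        return hmac.compare_digest(value, expected)  # constant-time comparison


if __name__ == "__main__":
    server = AuthServer({"alice": b"constructed-password"})
    request = server.challenge("alice", identifier=7)
    answer = supplicant_answer(request, "alice", b"constructed-password")
    print("accepted:", server.verify("alice", answer))
    print("replayed:", server.verify("alice", answer))
```
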
14.6.1 Global Config On this page, you can enable the 802.1X authentication function globally and control the authentication process by specifying the Authentication Method, Guest VLAN and various Timers. Choose the menu Network Security→802.1X→Global Config to load the following page. Figure 14-20 Global Config Configuration Procedure: Enable or disable 802.1X and the Accounting feature globally and click Apply.
Guest VLAN: Specify the VLAN ID needed to enable the Guest VLAN function, ranging from 0 to 4093. 0 indicates that the Guest VLAN function is disabled. The supplicants in the Guest VLAN can access the specified network sources. Port Control: Specify the Control Mode for the port.
Note: 1. The 802.1X function takes effect only when it is enabled globally on the switch and for the port. 2. The 802.1X function cannot be enabled for LAG member ports. That is, the port with 802.1X function enabled cannot be added to the LAG. 3.
Authentication Method List A method list describes the authentication methods and their sequence to authenticate a user. The switch supports Login List for users to gain access to the switch, and Enable List for normal users to gain administrative privileges. The administrator can set the authentication methods in a preferable order in the list.
Entry Description: Server IP: Enter the IP of the server running the RADIUS secure protocol. Shared Key: Enter the shared key between the RADIUS server and the switch. The RADIUS server and the switch use the key string to encrypt passwords and exchange responses.
Timeout: Specify the time interval that the switch waits for the server to reply before resending. Server Port: Specify the TCP port used on the TACACS+ server for AAA. 14.7.3 Authentication Method List Config Before you configure AAA authentication on a certain application, you should define an authentication method list first.
Specify the authentication type as Login or Enable. Configure the authentication method with priorities. View and delete the configured method priority list in the Authentication Login Method List and Authentication Enable Method List. Entry Description: Method List Name: Define a method list name. List Type: Specify the authentication type as Login or Enable.
Choose the menu Network Security→AAA→Global Config to load the following page. Figure 14-23 Application Authentication Settings Configuration Procedure: Select the application module. Configure the authentication method list from the Login List drop-down menu. This option defines the authentication method for users accessing the switch. Configure the authentication method list from the Enable List drop-down menu.
Configuration Procedure: Configure the 802.1X function globally and on the supplicant-connected port. Please refer to 802.1X for more details. Configure the 802.1X Authentication RADIUS server group in the Authentication Dot1x Method List Table. Configure the 802.1X Accounting RADIUS server group in the Accounting Dot1x Method List Table.
Chapter 15 SNMP SNMP Overview SNMP (Simple Network Management Protocol) has gained the most extensive application on the UDP/IP networks. SNMP provides a management frame to monitor and maintain the network devices. It is used for automatically managing the various network devices no matter the physical differences of the devices.
SNMP Versions This switch supports SNMP v3, and is compatible with SNMP v1 and SNMP v2c. The SNMP versions adopted by SNMP Management Station and SNMP Agent should be the same. Otherwise, SNMP Management Station and SNMP Agent cannot communicate with each other normally.
SNMP Management Station by configuring its view type (included/excluded). The OID of managed object can be found on the SNMP client program running on the SNMP Management Station. 2. Create SNMP Group After creating the SNMP View, it’s required to create an SNMP Group. The Group Name, Security Model and Security Level compose the identifier of the SNMP Group.
Remote Engine Remote Engine ID: Specify the Remote Engine ID for Switch. The Engine ID is a unique alphanumeric string used to identify the SNMP engine on the remote device which receives informs from Switch. Note: The total hexadecimal characters of Engine ID should be even. Changing the Local Engine ID could make local users and communities invalid; please re-create new local users or communities.
MIB Object ID: Enter the Object Identifier (OID) for the entry of view. View Type: Select the type for the view entry. • Include: The view entry can be managed by the SNMP management station. • Exclude: The view entry cannot be managed by the...
These three items of the Users in one group should be the same. Security Model: Select the Security Model for the SNMP Group. • v1: SNMPv1 is defined for the group. In this model, the Community Name is used for authentication. SNMP v1 can be configured on the SNMP Community page directly.
Operation: Click the Edit button to modify the Views in the entry and click the Modify button to apply. Note: Every Group should contain a Read View. The default Read View is Default. 15.1.4 SNMP User The User in an SNMP Group can manage the switch via the management station software. The User and its Group have the same security level and access right.
Security Level: Select the Security Level for the SNMP v3 User. Auth Mode: Select the Authentication Mode for the SNMP v3 User. • None: No authentication method is used. • MD5: The port authentication is performed via HMAC-MD5 algorithm. • SHA: The port authentication is performed via SHA...
Choose the menu SNMP → SNMP Config → SNMP Community to load the following page. Figure 15-7 SNMP Community Configuration Procedure: Set the community name, access rights and the related view. Click Create. Entry Description: Community Config Community Name: Enter the Community Name here.
Note: The default MIB View of SNMP Community is Default. Configuration Procedure: If SNMPv3 is employed, please take the following steps: Step Operation Description Create SNMP View. Required. On the SNMP→SNMP Config→SNMP View page, create SNMP View of the management agent.
15.2 Notification With the Notification function enabled, the switch can proactively report to the management station about the important events that occur on the Views (e.g., the managed device is rebooted), which allows the management station to monitor and process the events in time. The notification information includes the following two types: Trap: Trap is the information that the managed device proactively sends to the Network management station without request.
Entry Description: Host Config IP Address: If you set the IP Mode to IPv4, specify an IPv4 address for the host. If you set the IP Mode to IPv6, specify an IPv6 address for the host. UDP Port: Specify a UDP port on the host to send notifications. The default is port 162.
Type: Choose a notification type for the NMS that uses SNMPv2c or SNMPv3; the default type is Trap. • Trap: Set the switch to send Trap messages to the NMS. When the NMS receives a trap message, it will not send a response to the switch.
15.2.2 Traps Config On this page, you can configure the traps of SNMP. Choose the menu SNMP → Notification → Traps Config to load the following page. Figure 15-9 Traps Config Configuration Procedure: Configure traps you desire to send to the SNMP server. Click Apply.
Entry Description: SNMP Traps Multiple User: Generates a trap when the same user ID is logged into the switch more than once at the same time. CPU Thresholds: Generates a trap when the CPU utilization is over 80%. Spanning Tree: Generates a trap when the status of STP changes.
If Auth Failure: Generates a trap when authentication failures occur on non-virtual interfaces. Virt If Auth Failure: Generates a trap when authentication failures occur on virtual interfaces. Rx Bad Packet: Generates a trap when packet parse failures occur on non-virtual interfaces. Virt If Rx Bad Packet: Generates a trap when packet parse failures occur on virtual...
RMON Group This switch supports the following four RMON Groups defined on the RMON standard (RFC1757): History Group, Event Group, Statistic Group and Alarm Group. RMON Group Function History Group After a history group is configured, the switch collects and records network statistics information periodically, based on which the management station can monitor network effectively.
Interval: Specify the interval to take samplings from the port, ranging from 10 to 3600 seconds. The default is 1800 seconds. Max Buckets Displays the maximum number of buckets desired for the RMON history group of statistics, ranging from 1 to 65535. The default is 50 buckets.
Owner: Enter the name of the device or user that defined the entry. Operation: Click “Edit” to edit the event group entry. 15.3.3 Alarm On this page, you can configure Statistic Group and Alarm Group for RMON. Choose the menu SNMP → RMON → Alarm to load the following page. Figure 15-12 Alarm Config Configuration Procedure: Specify the index number of the alarm group, choose a variable to be monitored, and...
Alarm Type: Specify the type of the alarm. • Rising: When the sampled value exceeds the Rising Threshold, an alarm event is triggered. • Falling: When the sampled value is under the Falling Threshold, an alarm event is triggered. • All: The alarm event will be triggered either the sampled...
Chapter 16 LLDP LLDP (Link Layer Discovery Protocol) is a Layer 2 protocol that is used for network devices to advertise their own device information periodically to neighbors on the same IEEE 802 local area network. The advertised information, including details such as device identification, capabilities and configuration settings, is represented in TLV (Type/Length/Value) format according to the IEEE 802.1ab standard, and these TLVs are encapsulated in LLDPDU (Link Layer Discovery Protocol Data Unit).
Tx&Rx: the port can both transmit and receive LLDPDUs. Rx_Only: the port can receive LLDPDUs only. Tx_Only: the port can transmit LLDPDUs only. Disable: the port cannot transmit or receive LLDPDUs. LLDPDU transmission mechanism If the ports are working in TxRx or Tx mode, they will advertise local information by ...
TLV Name / Description / Usage in LLDPDU
End of LLDPDU: Mark the end of the TLV sequence in LLDPDUs. Any information following an End Of LLDPDU TLV shall be ignored. Usage: Mandatory.
Chassis ID: Identifies the Chassis address of the connected device. Usage: Mandatory.
Port ID: Identifies the specific port that transmitted the... Usage: Mandatory.
Note: For detailed introduction of TLV, please refer to IEEE 802.1ab standard. In TP-Link switch, the following LLDP optional TLVs are supported. Port Description TLV The Port Description TLV allows network management to advertise the IEEE 802 LAN station's port description.
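As an added illustration (not TP-Link code and not part of the original guide), the following Python example parses an LLDPDU the way a monitoring tool would: it splits the TLV sequence, stops at End of LLDPDU and ignores what follows, and rejects truncated or misordered frames. The numeric type and subtype codes and the Time To Live TLV are taken from IEEE 802.1AB; the function names and the sample bytes are constructed for this example.

```python
import struct

# Numeric TLV codes and the mandatory TTL TLV come from IEEE 802.1AB;
# this guide names the TLVs but does not list their codes.
END, CHASSIS_ID, PORT_ID, TTL, PORT_DESC = 0, 1, 2, 3, 4

class LLDPError(ValueError):
    """Raised for an LLDPDU that a receiver should discard."""

def parse_lldpdu(data: bytes):
    """Return (tlvs, ignored); ignored counts bytes after End of LLDPDU."""
    tlvs, off = [], 0
    while True:
        if off + 2 > len(data):
            raise LLDPError("no End of LLDPDU TLV before end of data")
        (header,) = struct.unpack_from("!H", data, off)
        tlv_type, length = header >> 9, header & 0x01FF  # 7-bit type, 9-bit length
        off += 2
        if off + length > len(data):
            raise LLDPError(f"TLV {tlv_type} claims {length} bytes past end of data")
        value, off = data[off:off + length], off + length
        if tlv_type == END:
            break  # anything after this TLV is ignored, never parsed
        tlvs.append((tlv_type, value))
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise LLDPError("mandatory TLVs missing or out of order")
    return tlvs, len(data) - off

def describe(tlv_type: int, value: bytes) -> str:
    """Render the TLVs this example knows; others are shown as hex."""
    if tlv_type == CHASSIS_ID and value[:1] == b"\x04" and len(value) == 7:
        return "Chassis ID (MAC address): " + value[1:].hex(":")
    if tlv_type == PORT_ID and value[:1] == b"\x05":
        return "Port ID (interface name): " + value[1:].decode("ascii", "replace")
    if tlv_type == TTL and len(value) == 2:
        return f"Time To Live: {struct.unpack('!H', value)[0]} s"
    if tlv_type == PORT_DESC:
        return "Port Description: " + value.decode("utf-8", "replace")
    return f"TLV {tlv_type}: {value.hex()}"

def tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

# Constructed sample LLDPDU; two stray bytes follow End of LLDPDU.
SAMPLE = (tlv(CHASSIS_ID, b"\x04" + bytes.fromhex("001122334455"))
          + tlv(PORT_ID, b"\x05" + b"1/0/1") + tlv(TTL, b"\x00\x78")
          + tlv(PORT_DESC, b"uplink") + tlv(END, b"") + b"\xde\xad")

if __name__ == "__main__":
    print(*[describe(t, v) for t, v in parse_lldpdu(SAMPLE)[0]], sep="\n")
```

LLDP frames are unauthenticated, so the length check before each slice and the refusal to read past End of LLDPDU are what keep a malformed neighbor advertisement from being misparsed.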
Choose the menu LLDP → Basic Config → Global Config to load the following page. Figure 16-1 Global Configuration Configuration Procedure: Configure the global parameters here. Then click Apply to make the settings effective. Entry Description: Transmit Interval: Indicates the interval at which LLDP frames are transmitted on behalf of this LLDP agent.
Choose the menu LLDP → Basic Config → Port Config to load the following page. Figure 16-2 Port Configuration Configuration Procedure: Select your desired port and configure the relevant parameters here. Then click Apply to make the settings effective. Entry Description: UNIT: Select the unit ID of the desired member in the stack.
16.2 Device Info You can view the LLDP information of the local device and its neighbors on the Local Info and Neighbor Info pages respectively. 16.2.1 Local Info On this page you can view all ports' configuration and system information. Choose the menu LLDP →...
Local Interface: Displays the local port number. Chassis ID Subtype: Indicates the basis for the chassis ID, and the default subtype is MAC address. Chassis ID: Indicates the specific identifier for the particular chassis in local device. Port ID Subtype: Indicates the basis for the port ID, and the default subtype is interface name.
Choose the menu LLDP → Device Info → Neighbor Info to load the following page. Figure 16-4 Neighbor Information Configuration Procedure: 1) Choose Enable or Disable Auto Refresh according to your needs. 2) Select the desired port to view the information of neighbor connected to the corresponding port.
Figure 16-5 Device Statistics Configuration Procedure: Choose Enable or Disable Auto Refresh according to your needs. View Global Statistics and Neighbors Statistics in the corresponding table. Entry Description: Auto Refresh: Enable/Disable the auto refresh function. Refresh Rate: Configure the auto refresh rate. Last Update: Display latest update time of the statistics.
16.4 LLDP-MED LLDP-MED is an extension of LLDP intended for managing endpoint devices such as Voice over IP phones and network switches. The LLDP-MED TLVs advertise information such as network policy and inventory management. Elements LLDP-MED Device: Refers to any device which implements this Standard. LLDP-MED Device Type: LLDP-MED devices are comprised of two primary device types: Network Connectivity Devices and Endpoint Devices.
16.4.1 Global Config On this page you can configure the LLDP-MED parameters of the device globally. Choose the menu LLDP → LLDP-MED → Global Config to load the following page. Figure 16-6 LLDP-MED Global Configuration Configuration Procedure: Configure the number of LLDP-MED frames which will be transmitted fast. View Device Class of the device.
16.4.2 Port Config On this page you can configure all ports' LLDP-MED parameters. Choose the menu LLDP → LLDP-MED → Port Config to load the following page. Figure 16-7 LLDP-MED Port Configuration Configuration Procedure: Select your desired port and enable LLDP-MED. Then click Apply to make the settings effective.
LLDP-MED Status: Configure the port's LLDP-MED status: • Enable: Enable the port's LLDP-MED status, and the port's Admin Status will be changed to Tx&Rx. • Disable: Disable the port's LLDP-MED status. Included TLVs: Select TLVs to be included in outgoing LLDPDU. Click the Detail button to display the included TLVs and select the desired TLVs.
Entry Description: Auto Refresh: Enable/Disable the auto refresh function. Refresh Rate: Specify the auto refresh rate. Local Interface: Enable/Disable the auto refresh function. Device Type: Specify the auto refresh rate. Application Type: Application Type indicates the primary function of the applications defined for the network policy.
16.4.4 Neighbor Info On this page you can get the LLDP-MED information of the neighbors. Choose the menu LLDP → LLDP-MED → Neighbor Info to load the following page. Figure 16-10 LLDP-MED Neighbor Information Configuration Procedure: 1) Choose Enable or Disable Auto Refresh according to your needs. 2) Select the desired port to view the information of neighbor connected to the corresponding port under the LLDP-MED Neighbor Info.
Chapter 17 Maintenance The Maintenance module gathers the commonly used system tools for managing the switch and provides a convenient way to locate and solve network problems. System Monitor: Monitor the utilization status of the memory and the CPU of switch. Log: View the configuration parameters of the switch and find out the errors via the Logs.
UNIT: Select the unit ID of the desired member in the stack. Click the Monitor button to enable the switch to monitor and display its CPU utilization rate every four seconds. 17.1.2 Memory Monitor Choose the menu Maintenance → System Monitor → Memory Monitor to load the following page.
Level / Description
errors: Error conditions
warnings: Warnings conditions
notifications: Normal but significant conditions
informational: Informational messages
debugging: Debug-level messages
Table 17-1 Log Level
The Log function is implemented on the Log Table, Local Log, Remote Log and Backup Log pages.
Time: Displays the time when the log event occurs. The log can get the correct time after you configure on the System → System Info → System Time Web management page. Module: Displays the module which the log information belongs to. You can select a module from the drop-down list to display the corresponding log information.
Entry Description: Channel: Local log includes 2 channels: log buffer and log file. Log buffer indicates the RAM for saving system log. The channel is enabled by default. The information in the log buffer is displayed on the Maintenance → Log → Log Table page. It will be lost when the switch is restarted.
Configuration Procedure: Select an entry to enable the status, and then set the host IP address and severity. Click Apply to make the settings effective. Entry Description: Admin Mode: Enable or disable the log host. While enabled, syslog packets will be sent to the hosts. While disabled, no syslog packets will be sent to the hosts.
Entry Description: Backup Log: Click the Backup Log button to save the log as a file to your computer. Note: When a critical error results in the breakdown of the system, you can export the log file to get some related important information about the error for device diagnosis after the switch is restarted.
Length: If the connection status is normal, here displays the length range of the cable. Error: If the connection status is short, close or crosstalk, here displays the length from the port to the trouble spot. The value makes sense only when the cable is longer than 30m.
Choose the menu Maintenance → Network Diagnose → Ping to load the following page. Figure 17-8 Ping Configuration Procedure: 1) In the Ping Config section, enter the IP address of the destination device for Ping test, set Ping times, data size and interval according to your needs, and then click Ping to start the test.
Choose the menu Maintenance → Network Diagnose → Tracert to load the following page. Figure 17-9 Tracert Configuration Procedure: 1) In the Tracert Config section, enter the IP address of the destination, set the max hop, and then click Tracert to start the test. 2) In the Tracert Result section, check the test results.
Appendix A: Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
Generic Multicast Registration Protocol (GMRP) GMRP allows network devices to register end stations with multicast groups. GMRP requires that any participating network devices or end stations comply with the IEEE 802.1p standard. Group Attribute Registration Protocol (GARP) See Generic Attribute Registration Protocol. IEEE 802.1d Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
Multicast Switching A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast group. Layer 2 Data Link layer in the ISO 7-Layer Data Communications Protocol. This is related directly to the hardware interface for network devices and passes on traffic based on MAC addresses.
Rapid Spanning Tree Protocol (RSTP) RSTP reduces the convergence time for network topology changes to about 10% of that required by the older IEEE 802.1D STP standard. Secure Shell (SSH) A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch.
Specifications are subject to change without notice. is a registered trademark of TP-Link Technologies Co., Ltd. Other brands and product names are trademarks or registered trademarks of their respective holders. No part of the specifications may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from TP-Link Technologies Co., Ltd.
We, TP-Link USA Corporation, have determined that the equipment shown as above has been shown to comply with the applicable technical standards, FCC part 15. No unauthorized change is made in the equipment and the equipment is properly maintained and operated.
Please read and follow the above safety information when operating the device. We cannot guarantee that no accidents or damage will occur due to improper use of the device. Please use this product with care and operate at your own risk. Safety Information and Precautions...
Explanation of the symbols on the product label Symbol Explanation AC voltage Indoor use only RECYCLING This product bears the selective sorting symbol for Waste electrical and electronic equipment (WEEE). This means that this product must be handled pursuant to European directive 2012/19/EU in order to be recycled or dismantled to minimize its impact on the environment.