TP-Link T1600G-52TS User Manual

User Guide
Jetstream Smart Switches
T1600G-52TS (TL-SG2452) / T1600G-52PS (TL-SG2452P)
T1600G-18TS (TL-SG2216) / T1600G-28TS / TL-SG2428P
1910012764 REV4.3.0
March 2020

Summary of Contents for TP-Link T1600G-52TS

  • Page 1 User Guide Jetstream Smart Switches T1600G-52TS (TL-SG2452) / T1600G-52PS (TL-SG2452P) T1600G-18TS (TL-SG2216) / T1600G-28TS / TL-SG2428P 1910012764 REV4.3.0 March 2020...
  • Page 2: Table Of Contents

    CONTENTS: About This Guide; Intended Readers (1); Conventions (1); More Information (2); Accessing the Switch; Determine the Management Method (4); Web Interface Access (5); Login (5); Save the Configuration File (6); Disable the Web Server (7); Configure the Switch's IP Address and Default Gateway (8); Command Line Interface Access ...
  • Page 3 Configuring the System Time (31); Configuring the Daylight Saving Time (34); User Management Configurations (36); Using the GUI (36); Creating Accounts (36); Configuring Enable Password (37); Using the CLI (38); Creating Accounts (38); Configuring Enable Password (39); System Tools Configurations (42); Using the GUI (42); Configuring the Boot File (42); Restoring the Configuration of the Switch (44)...
  • Page 4 Adding Time Range Entries (70); Configuring Holiday (72); Using the CLI (73); Adding Time Range Entries (73); Configuring Holiday (74); Example for PoE Configurations (76); Network Requirements (76); Configuring Scheme (76); Using the GUI (76); Using the CLI (79); Appendix: Default Parameters ...
  • Page 5 Configuring LAG; LAG (105); Overview (105); Supported Features (105); LAG Configuration (106); Using the GUI (107); Configuring Load-balancing Algorithm (107); Configuring Static LAG or LACP (108); Using the CLI (110); Configuring Load-balancing Algorithm (110); Configuring Static LAG or LACP (111); Configuration Examples (115); Example for Static LAG (115); Network Requirements (115); Configuration Scheme (115)...
  • Page 6 Adding MAC Filtering Address Entries (132); Appendix: Default Parameters (134); Configuring 802.1Q VLAN; Overview (136); 802.1Q VLAN Configuration (137); Using the GUI (138); Configuring the VLAN (138); Configuring Port Parameters for 802.1Q VLAN (139); Using the CLI (140); Creating a VLAN (140); Adding the Port to the Specified VLAN (141); Configuring the Port (142); Configuration Example (144)...
  • Page 7 Appendix: Default Parameters (168); Configuring Protocol VLAN; Overview (170); Protocol VLAN Configuration (171); Using the GUI (171); Configuring 802.1Q VLAN (171); Creating Protocol Template (172); Configuring Protocol VLAN (173); Using the CLI (174); Configuring 802.1Q VLAN (174); Creating a Protocol Template (174); Configuring Protocol VLAN (175); Configuration Example (178); Network Requirements (178)...
  • Page 8 Using the GUI (212); Configuring IGMP Snooping Globally (212); Configuring IGMP Snooping for VLANs (213); Configuring IGMP Snooping for Ports (217); Configuring Hosts to Statically Join a Group (217); Using the CLI (218); Configuring IGMP Snooping Globally (218); Configuring IGMP Snooping for VLANs (220); Configuring IGMP Snooping for Ports (225); Configuring Hosts to Statically Join a Group (226); MLD Snooping Configuration (228)...
  • Page 9 Binding the Profile to Ports (258); Viewing Multicast Snooping Information (262); Using the GUI (262); Viewing IPv4 Multicast Table (262); Viewing IPv4 Multicast Statistics on Each Port (263); Viewing IPv6 Multicast Table (264); Viewing IPv6 Multicast Statistics on Each Port (265); Using the CLI (266); Viewing IPv4 Multicast Snooping Information (266); Viewing IPv6 Multicast Snooping Configurations (267)...
  • Page 10 Configuring Spanning Tree; Spanning Tree (296); Overview (296); Basic Concepts (296); STP/RSTP Concepts (296); MSTP Concepts (300); STP Security (301); STP/RSTP Configurations (304); Using the GUI (304); Configuring STP/RSTP Parameters on Ports (304); Configuring STP/RSTP Globally (306); Verifying the STP/RSTP Configurations (308); Using the CLI (310); Configuring STP/RSTP Parameters on Ports (310); Configuring Global STP/RSTP Parameters (312)...
  • Page 11 Configuring LLDP; LLDP (357); Overview (357); Supported Features (357); LLDP Configurations (358); Using the GUI (358); Configuring LLDP Globally (358); Configuring LLDP For the Port (360); Using the CLI (361); Global Config (361); Port Config (363); LLDP-MED Configurations (366); Using the GUI (366); Configuring LLDP Globally (366); Configuring LLDP-MED Globally (366); Configuring LLDP-MED for Ports (367)...
  • Page 12 Using the GUI (390); Using CLI (393); Appendix: Default Parameters (396); Configuring Layer 3 Interfaces; Overview (398); Layer 3 Interface Configurations (399); Using the GUI (399); Creating a Layer 3 Interface (399); Configuring IPv4 Parameters of the Interface (401); Configuring IPv6 Parameters of the Interface (402); Viewing Detail Information of the Interface (405); Using the CLI (406); Creating a Layer 3 Interface (406)...
  • Page 13 Viewing IPv6 Routing Table (424); Example for Static Routing (425); Network Requirements (425); Configuration Scheme (425); Using the GUI (425); Using the CLI (427); Configuring DHCP Service; DHCP (431); Overview (431); Supported Features (431); DHCP Server Configuration (436); Using the GUI (436); Enabling DHCP Server (436); Configuring DHCP Server Pool (438); Configuring Manual Binding (439)...
  • Page 14 Configuration Examples (466); Example for DHCP Server (466); Network Requirements (466); Configuration Scheme (466); Using the GUI (466); Using the CLI (468); Example for DHCP Interface Relay (468); Network Requirements (468); Configuration Scheme (469); Using the GUI (470); Using the CLI (476); Example for DHCP VLAN Relay (478); Network Requirements (478); Configuration Scheme (479)...
  • Page 15 Configuring Local Proxy ARP (506); Using the CLI (507); Configuring the ARP Entry (507); Configuring the Gratuitous ARP (509); Configuring Proxy ARP (511); Appendix: Default Parameters (514); Configuring QoS; QoS (516); Overview (516); Supported Features (516); Class of Service Configuration (518); Using the GUI (519); Configuring Port Priority (519); Configuring 802.1p Priority (521)...
  • Page 16 Using the CLI (552); Configuration Examples (556); Example for Class of Service (556); Network Requirements (556); Configuration Scheme (556); Using the GUI (557); Using the CLI (559); Example for Voice VLAN (561); Network Requirements (561); Configuration Scheme (562); Using the GUI (562); Using the CLI (566); Example for Auto VoIP (569); Network Requirements (569)...
  • Page 17 Configuring AAA; Overview (609); AAA Configuration (610); Using the GUI (611); Adding Servers (611); Configuring Server Groups (613); Configuring the Method List (614); Configuring the AAA Application List (615); Configuring Login Account and Enable Password (616); Using the CLI (617); Adding Servers (617); Configuring Server Groups (619); Configuring the Method List (620)...
  • Page 18 Configuration Scheme (652); Network Topology (652); Using the GUI (653); Using the CLI (655); Appendix: Default Parameters (658); Configuring Port Security; Overview (660); Port Security Configuration (661); Using the GUI (661); Using the CLI (662); Appendix: Default Parameters (665); Configuring ACL; Overview (667); ACL Configuration (668); Using the GUI (668)...
  • Page 19 Configuration Example for IP ACL (708); Network Requirements (708); Configuration Scheme (709); Using the GUI (709); Using the CLI (715); Configuration Example for Combined ACL (717); Network Requirements (717); Configuration Scheme (717); Using the GUI (718); Using the CLI (723); Appendix: Default Parameters (725); Configuring IPv4 IMPB; IPv4 IMPB (728)...
  • Page 20 IPv4 Source Guard Configuration (746); Using the GUI (746); Adding IP-MAC Binding Entries (746); Configuring IPv4 Source Guard (746); Using the CLI (747); Adding IP-MAC Binding Entries (747); Configuring IPv4 Source Guard (747); Configuration Examples (749); Example for ARP Detection (749); Network Requirements (749); Configuration Scheme (749); Using the GUI (750)...
  • Page 21 Adding IPv6-MAC Binding Entries (774); Enabling ND Detection (774); Configuring ND Detection on Ports (775); Viewing ND Statistics (775); Using the CLI (776); Adding IPv6-MAC Binding Entries (776); Enabling ND Detection (776); Configuring ND Detection on Ports (777); Viewing ND Statistics (778); IPv6 Source Guard Configuration (779); Using the GUI (779); Adding IPv6-MAC Binding Entries (779)...
  • Page 22 Using the CLI (797); Configuring the Basic DHCPv4 Filter Parameters (797); Configuring Legal DHCPv4 Servers (799); DHCPv6 Filter Configuration (801); Using the GUI (801); Configuring the Basic DHCPv6 Filter Parameters (801); Configuring Legal DHCPv6 Servers (802); Using the CLI (803); Configuring the Basic DHCPv6 Filter Parameters (803); Configuring Legal DHCPv6 Servers (804); Configuration Examples (806)...
  • Page 23 Using the CLI (826); Monitoring Traffic; Traffic Monitor (829); Using the GUI (829); Using the CLI (833); Appendix: Default Parameters (834); Mirroring Traffic; Mirroring (836); Using the GUI (836); Using the CLI (838); Configuration Examples (840); Network Requirements (840); Configuration Scheme (840); Using the GUI (840); Using the CLI (841); Appendix: Default Parameters (843)...
  • Page 24 Using the CLI (861); Enabling SNMP (861); Creating an SNMP View (863); Creating SNMP Communities (For SNMP v1/v2c) (864); Creating an SNMP Group (For SNMPv3) (865); Creating SNMP Users (For SNMPv3) (867); Notification Configurations (869); Using the GUI (869); Configuring the Information of NMS Hosts (869); Enabling SNMP Traps (871); Using the CLI (873); Configuring the NMS Host (873)...
  • Page 25 Using the GUI (915); Troubleshooting with Ping Testing (915); Troubleshooting with Tracert Testing (916); Using the CLI (917); Configuring the Ping Test (917); Configuring the Tracert Test (918); Appendix: Default Parameters (919); Configuring System Logs; Overview (921); System Logs Configurations (922); Using the GUI (923); Configuring the Local Logs (923); Configuring the Remote Logs (923)...
  • Page 26: About This Guide

    Some models featured in this guide may be unavailable in your country or region. For local sales information, visit https://www.tp-link.com. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.
  • Page 27: More Information

    ■ The Installation Guide (IG) can be found where you find this guide or inside the package of the switch.
    ■ Specifications can be found on the product page at https://www.tp-link.com.
    ■ To ask questions, find answers, and communicate with TP-Link users or engineers, please visit https://community.tp-link.com to join TP-Link Community.
  • Page 28: Accessing The Switch

    Part 1 Accessing the Switch
    CHAPTERS
    1. Determine the Management Method
    2. Web Interface Access
    3. Command Line Interface Access...
  • Page 29: Determine The Management Method

    Omada Software Controller, Hardware Controller or Cloud-Based Controller, refer to the Omada SDN Controller User Guide. The guide can be found on the download center of our official website: https://www.tp-link.com/download-center.html. ■ Standalone Mode If you have a relatively small-sized network and only one or just a small number of devices need to be managed, Standalone Mode is recommended.
  • Page 30: Web Interface Access

    Accessing the Switch: Web Interface Access
    You can access the switch’s web interface through web-based authentication. The switch uses two built-in web servers, an HTTP server and an HTTPS server, for user authentication. The following example shows how to log in via the HTTP server.
    Login
    To manage your switch through a web browser on the host PC:
    1) Make sure that the route between the host PC and the switch is available.
  • Page 31: Save The Configuration File

    5) The typical web interface is displayed below. You can view the switch’s running status and configure the switch on this interface.
    Figure 2-3 Web Interface
    Save the Configuration File
    The switch’s configuration files fall into two types: the running configuration file and the start-up configuration file.
  • Page 32: Disable The Web Server

    Disable the Web Server
    You can shut down the HTTP server and HTTPS server to block any access to the web interface.
    Go to SECURITY > Access Security > HTTP Config, disable the HTTP server and click Apply.
    Figure 2-5 Shut Down HTTP Server
    Go to SECURITY >...
  • Page 33: Configure The Switch's IP Address And Default Gateway

    Configure the Switch's IP Address and Default Gateway
    If you want to access the switch via a specified port (hereafter referred to as the access port), you can configure the port as a routed port and specify its IP address, or configure the IP address of the VLAN which the access port belongs to.
  • Page 34

    4) Click to save the settings.
    ■ Configure the Default Gateway
    The following example shows how to configure the switch’s gateway. By default, the switch has no default gateway.
    1) Go to page L3 FEATURES > Static Routing > IPv4 Static Routing Config. Click load the following page and configure the parameters related to the switch’s gateway.
  • Page 35: Command Line Interface Access

    Accessing the Switch: Command Line Interface Access
    Users can access the switch's command line interface through the console (only for switches with a console port), Telnet or SSH connection, and manage the switch with the command lines. A console connection requires the host PC to connect to the switch’s console port directly, while Telnet and SSH connections support both local and remote access.
  • Page 36

    indicates that you have successfully logged in to the switch and you can use the CLI now.
    Figure 3-1 CLI Main Window
    Note: The first time you log in, change the password to better protect your network and devices.
    4) Enter enable to enter the User EXEC Mode to further configure the switch.
  • Page 37: Telnet Login

    Telnet Login
    The switch supports Login Local Mode for authentication by default.
    Login Local Mode: Username and password are required, which are both admin by default.
    The following steps show how to manage the switch via the Login Local Mode:
    1) Make sure the switch and the PC are in the same LAN (Local Area Network).
  • Page 38: SSH Login

    SSH Login
    SSH login supports the following two modes: Password Authentication Mode and Key Authentication Mode. You can choose one according to your needs:
    ■ Password Authentication Mode: Username and password are required, which are both admin by default.
  • Page 39

    Figure 3-8 Configurations in PuTTY
    2) Enter the login username and password to log in to the switch, and you can continue to configure the switch.
    Figure 3-9 Log In to the Switch
    Note: The first time you log in, change the password to better protect your network and devices.
  • Page 40

    Figure 3-10 Generate a Public/Private Key Pair
    Note:
    • The key length should be between 512 and 3072 bits.
    • You can accelerate the key generation process by moving the mouse quickly and randomly in the Key section.
  • Page 41

    3) On Hyper Terminal, download the public key file from the TFTP server to the switch as shown in the following figure:
    Figure 3-12 Download the Public Key to the Switch
    Note:
    • The key type should accord with the type of the key file. In the above CLI, v1 corresponds to SSH-1 (RSA), and v2 corresponds to SSH-2 RSA and SSH-2 DSA.
  • Page 42: Disable Telnet Login

    Figure 3-14 Download the Private Key to PuTTY
    6) After negotiation is completed, enter the username to log in. If you can log in without entering the password, the key authentication completed successfully.
    Figure 3-15 Log In to the Switch
    Note: The first time you log in, change the password to better protect your network and devices.
  • Page 43: Disable SSH Login

    Figure 3-16 Disable Telnet login
    ■ Using the CLI:
        Switch#configure
        Switch(config)#telnet disable
    Disable SSH login
    You can shut down the SSH server to block any SSH access to the CLI interface.
    ■ Using the GUI: Go to SECURITY >...
  • Page 44: Change The Switch's IP Address And Default Gateway

    If you need to keep the configurations after the switch reboots, please use the command copy running-config startup-config to save the configurations in the start-up configuration file.
        Switch(config)#end
        Switch#copy running-config startup-config
    Change the Switch's IP Address and Default Gateway
    If you want to access the switch via a specified port (hereafter referred to as the access port), you can configure the port as a routed port and specify its IP address, or configure the IP address of the VLAN which the access port belongs to.
  • Page 45: Managing System

    Part 2 Managing System
    CHAPTERS
    1. System
    2. System Info Configurations
    3. User Management Configurations
    4. System Tools Configurations
    5. EEE Configuration
    6. PoE Configurations (Only for Certain Devices)
    7. SDM Template Configuration
    8. Time Range Configuration
    9. Example for PoE Configurations
    10....
  • Page 46: System

    Managing System: System
    Overview
    In the System module, you can view the system information and configure the system parameters and features of the switch.
    Supported Features
    System Info: You can view the switch’s port status and system information, and configure the device description, system time, and daylight saving time.
  • Page 47 Powered device (PD) is a device receiving power from the PSE, for example, IP phones and access points. According to whether PDs comply with IEEE standard, they can be classified into standard PDs and non-standard PDs. Only standard PDs can be powered via TP-Link PoE switches.
  • Page 48: System Info Configurations

    Managing System: System Info Configurations
    With system information configurations, you can:
    ■ View the System Summary
    ■ Configure the Device Description
    ■ Configure the System Time
    ■ Configure the Daylight Saving Time
    Using the GUI
    2.1.1 Viewing the System Summary
    Choose the menu SYSTEM >...
  • Page 49

    You can move your cursor to a port to view the detailed information of the port.
    Figure 2-2 Port Information
    Port Information: Indication
    Port: Displays the port number.
    Type: Displays the type of the port.
    Speed: Displays the maximum transmission rate and duplex mode of the port.
  • Page 50

    Viewing the System Information
    In the System Info section, you can view the system information of the switch.
    Figure 2-4 System Information
    System Description: Displays the system description of the switch.
    Device Name: Displays the name of the switch. You can edit it on the Device Description page.
    Device Location: Displays the location of the switch.
  • Page 51: Configuring The Device Description

    MAC Address: Displays the MAC address of the switch.
    System Time: Displays the system time of the switch.
    Running Time: Displays the running time of the switch.
    Serial Number: Displays the serial number of the switch.
    Jumbo Frame: Displays whether Jumbo Frame is enabled.
  • Page 52: Configuring The System Time

    1) In the Device Description section, configure the following parameters.
    Device Name: Specify a name for the switch.
    Device Location: Enter the location of the switch.
    System Contact: Enter the contact information.
    2) Click Apply.
    2.1.3 Configuring the System Time
    Choose the menu SYSTEM >...
  • Page 53: Configuring The Daylight Saving Time

    Get Time from NTP Server: Get the system time from an NTP server. Make sure the NTP server is accessible on your network. If the NTP server is on the internet, connect the switch to the internet first.
  • Page 54: Using The CLI

    Recurring Mode: If you select Recurring Mode, specify a cycle time range for the Daylight Saving Time of the switch. This configuration will be used every year.
    Offset: Specify the time to set the clock forward by.
    Start Time: Specify the start time of Daylight Saving Time.
  • Page 55: Configuring The Device Description

    System Location - SHENZHEN
    Contact Information - www.tp-link.com
    Hardware Version - T1600G-52TS 3.0
    Software Version - 3.0.0 Build 20171129 Rel.38400(s)
    Bootloader Version - TP-LINK BOOTUTIL(v1.0.0)
    Mac Address - 00-0A-EB-13-23-A0
    Serial Number
    System Time - 2017-12-12 10:10:37
    Running Time - 1 day - 2 hour - 11 min - 30 sec
    2.2.2 Configuring the Device Description...
  • Page 56: Configuring The System Time

    Step 7: copy running-config startup-config
    Save the settings in the configuration file.
    The following example shows how to set the device name as Switch_A, set the location as BEIJING and set the contact information as https://www.tp-link.com.
        Switch#configure
        Switch(config)#hostname Switch_A
        Switch(config)#location BEIJING
        Switch(config)#contact-info https://www.tp-link.com...
  • Page 57

    time : Specify the date and time manually in the format of MM/DD/YYYY-HH:MM:SS. The valid value of the year ranges from 2000 to 2037.
    Use the following command to set the system time by getting time from the NTP server. Ensure the NTP server is accessible.
  • Page 58

    UTC+11:00 —— TimeZone for Solomon Is., New Caledonia, Vladivostok.
    UTC+12:00 —— TimeZone for Fiji, Magadan, Auckland, Wellington.
    UTC+13:00 —— TimeZone for Nuku’alofa, Samoa.
    ntp-server : Specify the IP address of the primary NTP server.
    backup-ntp-server : Specify the IP address of the backup NTP server.
  • Page 59: Configuring The Daylight Saving Time

    2.2.4 Configuring the Daylight Saving Time
    Follow these steps to configure the Daylight Saving Time:
    Step 1: configure
    Enter global configuration mode.
    Step 2: Use the following command to select a predefined Daylight Saving Time configuration:
        system-time dst predefined [ USA | Australia | Europe | New-Zealand ]
    Specify the Daylight Saving Time using a predefined schedule.
  • Page 60

    Use the following command to set the Daylight Saving Time in date mode:
        system-time dst date { smonth } { sday } { stime } { syear } { emonth } { eday } { etime } { eyear } [ offset ]
    Specify the Daylight Saving Time in Date mode.
  • Page 61: User Management Configurations

    Managing System User Management Configurations User Management Configurations With User Management, you can create and manage the user accounts for login to the switch. Using the GUI There are four types of user accounts with different access levels: Admin, Operator, Power User and User.
  • Page 62: Configuring Enable Password

    Managing System User Management Configurations You can create new user accounts. Click and the following window will pop up. Figure 3-2 Adding Account Follow these steps to create a new user account. 1) Configure the following parameters: Username Specify a username for the account. It contains 16 characters at most, composed of digits, English letters and symbols.
  • Page 63: Using The Cli

    Managing System User Management Configurations Follow these steps to configure Enable Password: 1) Select Set Password and specify the enable password in the Password field. It should be a string with 31 characters at most, which can contain only English letters (case-sensitive), digits and 17 kinds of special characters.
  • Page 64: Configuring Enable Password

    Managing System User Management Configurations 7: Specify the encryption type. 7 indicates that the password you entered is symmetric encrypted, and the password is saved to the configuration file symmetric encrypted. encrypted-password : Enter a symmetric encrypted password with fixed length, which you can copy from another switch’s configuration file.
  • Page 65 Managing System User Management Configurations Step 2 Use the following command to create an enable password unencrypted or symmetric encrypted. enable admin password { [ 0 ] password | 7 encrypted-password } Create an Enable Password. It can change the users’ access level to Admin. By default, it is empty.
  • Page 66 Managing System User Management Configurations Switch#configure Switch(config)#user name user1 privilege operator password 123 Switch(config)#enable admin password abc123 Switch(config)#show user account-list Index User-Name User-Type ----- --------- --------- user1 Operator admin Admin Switch(config)#end Switch#copy running-config startup-config User Guide...
  • Page 67: System Tools Configurations

    Managing System System Tools Configurations System Tools Configurations With System Tools, you can: ■ Configure the boot file ■ Restore the configuration of the switch ■ Back up the configuration file ■ Upgrade the firmware ■ Configure DHCP Auto Install ■...
  • Page 68 Managing System System Tools Configurations Follow these steps to configure the boot file: 1) In the Boot Table section, select one or more units and configure the relevant parameters. Unit Displays the number of the unit. Current Startup Displays the current startup image. Image Next Startup Select the next startup image.
  • Page 69: Restoring The Configuration Of The Switch

    Managing System System Tools Configurations 4.1.2 Restoring the Configuration of the Switch Choose the menu SYSTEM > System Tools > Restore Config to load the following page. Figure 4-2 Restoring the Configuration of the Switch Follow these steps to restore the current configuration of the switch: 1) In the Restore Config section, select the unit to be restored.
  • Page 70: Upgrading The Firmware

    Managing System System Tools Configurations 4.1.4 Upgrading the Firmware Choose the menu SYSTEM > System Tools > Firmware Upgrade to load the following page. Figure 4-4 Upgrading the Firmware You can view the current firmware information on this page: Firmware Version Displays the current firmware version of the system.
  • Page 71: Rebooting The Switch

    Managing System System Tools Configurations 4.1.5 Rebooting the switch There are two methods to reboot the switch: manually reboot the switch and configure reboot schedule to automatically reboot the switch. Manually Rebooting the Switch Choose the menu SYSTEM > System Tools > System Reboot > System Reboot to load the following page.
  • Page 72: Resetting The Switch

    Managing System System Tools Configurations Special Time Specify the date and time for the switch to reboot. Month/Day/Year: Specify the date for the switch to reboot. Time (HH:MM): Specify the time for the switch to reboot, in the format of HH:MM. 2) Choose whether to save the current configuration before the reboot.
  • Page 73 Managing System System Tools Configurations Step 2 boot application filename { image1 | image2 } { startup | backup } Specify the configuration of the boot file. By default, image1.bin is the startup image and image2.bin is the backup image. image1 | image2: Select the image file to be configured.
  • Page 74: Restoring The Configuration Of The Switch

    Managing System System Tools Configurations Switch#copy running-config startup-config 4.2.2 Restoring the Configuration of the Switch Follow these steps to restore the configuration of the switch: Step 1 enable Enter privileged mode. Step 2 copy tftp startup-config ip-address ip-addr filename name Download the configuration file to the switch from TFTP server.
  • Page 75: Upgrading The Firmware

    Managing System System Tools Configurations Start to backup user config file... Backup user config file OK. 4.2.4 Upgrading the Firmware Follow these steps to upgrade the firmware: Step 1 enable Enter privileged mode. Step 2 firmware upgrade tftp ip-address ip-addr filename name Upgrade the switch’s backup image via TFTP server.
  • Page 76 Managing System System Tools Configurations Step 1 configure Enter global configuration mode. Step 2 Use the following command to set the interval of reboot: reboot-schedule in interval [ save_before_reboot ] (Optional) Specify the reboot schedule. interval : Specify a period of time. The switch will reboot after this period. The valid values are from 1 to 43200 minutes.
  • Page 77: Resetting The Switch

    Managing System System Tools Configurations 4.2.6 Resetting the Switch Follow these steps to reset the switch: Step 1 enable Enter privileged mode. Step 2 reset [ except-ip ] Reset the switch, and all configurations of the switch will be reset to the factory defaults. except-ip: To maintain the IP address when resetting the switch, add this part to the command.
  • Page 78: Eee Configuration

    Managing System EEE Configuration EEE Configuration Choose the menu SYSTEM > EEE to load the following page. Figure 5-1 Configuring EEE Follow these steps to configure EEE: 1) In the EEE Config section, select one or more ports to be configured. 2) Enable or disable EEE on the selected port(s).
  • Page 79 Managing System EEE Configuration Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable the EEE feature on port 1/0/1. Switch#config Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#eee Switch(config-if)#show interface eee Port...
  • Page 80: Poe Configurations (Only For Certain Devices)

    Managing System PoE Configurations (Only for Certain Devices) PoE Configurations (Only for Certain Devices) Note: Only T1600G-52PS and TL-SG2428P support PoE feature. With the PoE feature, you can: ■ Configure the PoE parameters manually ■ Configure the PoE parameters using the profile You can configure the PoE parameters one by one via configuring the PoE parameters manually.
  • Page 81: Using The Gui

    Managing System PoE Configurations (Only for Certain Devices) Using the GUI 6.1.1 Configuring the PoE Parameters Manually Choose the menu SYSTEM > PoE > PoE Config to load the following page. Figure 6-1 Configuring PoE Parameters Manually Follow these steps to configure the basic PoE parameters: 1) In the PoE Config section, you can view the current PoE parameters.
  • Page 82 Managing System PoE Configurations (Only for Certain Devices) Figure 6-2 Configuring System Power Limit Unit Displays the unit number. System Power Specify the maximum power the PoE switch can supply. Limit 2) In the Port Config section, select the port you want to configure and specify the parameters.
  • Page 83 Managing System PoE Configurations (Only for Certain Devices) PoE Profile A quick configuration method for the corresponding ports. If one profile is selected, you will not be able to modify PoE status, PoE priority or power limit manually. For how to create a profile, refer to Configuring the PoE Parameters Using the Profile.
  • Page 84: Configuring The Poe Parameters Using The Profile

    Managing System PoE Configurations (Only for Certain Devices) 6.1.2 Configuring the PoE Parameters Using the Profile ■ Creating a PoE Profile Choose the menu SYSTEM > PoE > PoE Profile and click to load the following page. Figure 6-3 Creating a PoE Profile Follow these steps to create a PoE profile: 1) In the Create PoE Profile section, specify the desired configurations of the profile.
  • Page 85 Managing System PoE Configurations (Only for Certain Devices) ■ Binding the Profile to the Corresponding Ports Choose the menu SYSTEM > PoE > PoE Config to load the following page. Figure 6-4 Binding the Profile to the Corresponding Ports Follow these steps to bind the profile to the corresponding ports: 1) In the PoE Config section, you can view the current PoE parameters.
  • Page 86 Managing System PoE Configurations (Only for Certain Devices) Figure 6-5 Configuring System Power Limit Unit Displays the unit number. System Power Specify the maximum power the PoE switch can supply. By default, it is 384 W for Limit T1600G-52PS and 250 W for TL-SG2428P. 2) In the Port Config section, select one or more ports and configure the following two parameters: Time Range and PoE Profile.
  • Page 87: Using The Cli

    Managing System PoE Configurations (Only for Certain Devices) Using the CLI 6.2.1 Configuring the PoE Parameters Manually Follow these steps to configure the basic PoE parameters: Step 1 configure Enter global configuration mode. Step 2 power inline consumption power-limit Specify the maximum power the PoE switch can supply globally. power-limit : Specify the maximum power the PoE switch can supply.
  • Page 88 Managing System PoE Configurations (Only for Certain Devices) Step 8 show power inline Verify the global PoE information of the system. Step 9 show power inline configuration interface [ fastEthernet { port | port-list } | gigabitEthernet { port | port-list } | ten-gigabitEthernet { port | port-list }] Verify the PoE configuration of the corresponding port.
  • Page 89: Configuring The Poe Parameters Using The Profile

    Managing System PoE Configurations (Only for Certain Devices) Switch(config-if)#show power inline information interface gigabitEthernet 1/0/5 Interface Power(w) Current(mA) Voltage(v) PD-Class Power-Status ---------- -------- ----------- ---------- ----------- ---------------- Gi1/0/5 1.3 53.5 Class 2 Switch(config-if)#end Switch#copy running-config startup-config 6.2.2 Configuring the PoE Parameters Using the Profile Follow these steps to configure the PoE profile: Step 1 configure...
  • Page 90 Managing System PoE Configurations (Only for Certain Devices) Step 5 power inline profile name Bind a PoE profile to the desired port. If one profile is selected, you will not be able to modify PoE status, PoE priority or power limit manually. name : Specify the name of the PoE profile.
  • Page 91 Managing System PoE Configurations (Only for Certain Devices) Switch(config-if)#power inline profile profile1 Switch(config-if)#show power inline configuration interface gigabitEthernet 1/0/6 Interface PoE-Status PoE-Prio Power-Limit(w) Time-Range PoE-Profile ---------- ---------- ---------- ------------ ------------- ---------------- Gi1/0/6 Enable Middle Class2 No Limit profile1 Switch(config-if)#end Switch#copy running-config startup-config User Guide...
  • Page 92: Sdm Template Configuration

    Managing System SDM Template Configuration SDM Template Configuration Using the GUI Choose the menu SYSTEM > SDM Template to load the following page. Figure 7-1 Configuring SDM Template In SDM Template Config section, select one template and click Apply. The setting will be effective after the switch is rebooted.
  • Page 93: Using The Cli

    Managing System SDM Template Configuration MAC ACL Rules Displays the number of Layer 2 ACL Rules. Combined ACL Displays the number of combined ACL rules. Rules IPv6 ACL Rules Displays the number of IPv6 ACL rules. IPv4 Source Guard Displays the number of IPv4 source guard entries. Entries IPv6 Source Guard Displays the number of IPv6 source guard entries.
  • Page 94 Managing System SDM Template Configuration Switch(config)#show sdm prefer enterpriseV4 “enterpriseV4” template: number of IP ACL Rules : 120 number of MAC ACL Rules : 84 number of IPV6 ACL Rules number of IPV4 Source Guard Entries : 253 number of IPV6 Source Guard Entries : 0 Switch(config)#sdm prefer enterpriseV4 Switch to “enterpriseV4”...
  • Page 95: Time Range Configuration

    Managing System Time Range Configuration Time Range Configuration To complete Time Range configuration, follow these steps: 1) Add time range entries. 2) Configure Holiday time range. Using the GUI 8.1.1 Adding Time Range Entries Choose the menu SYSTEM > Time Range > Time Range Config and click to load the following page.
  • Page 96 Managing System Time Range Configuration Figure 8-2 Adding Period Time Configure the following parameters and click Create: Date Specify the start date and end date of this time range. Time Specify the start time and end time of a day. Day of Week Select days of a week as the period of this time range.
  • Page 97: Configuring Holiday

    Managing System Time Range Configuration Figure 8-3 View Configuration Result 8.1.2 Configuring Holiday Choose the menu SYSTEM > Time Range > Holiday Config and click to load the following page. Figure 8-1 Configuring Holiday Configure the following parameters and click Create to add a Holiday entry. Holiday Name Specify a name for the entry.
  • Page 98: Using The Cli

    Managing System Time Range Configuration Using the CLI 8.2.1 Adding Time Range Entries Follow these steps to add time range entries: Step 1 configure Enter global configuration mode. Step 2 time-range name Create a time-range entry. name : Specify a name for the entry. Step 3 holiday { exclude | include } Include or exclude the holiday in the time range.
  • Page 99: Configuring Holiday

    Managing System Time Range Configuration The following example shows how to create a time range entry and set the name as time1, holiday mode as exclude, absolute time as 10/01/2017 to 10/31/2017 and periodic time as 8:00 to 20:00 on every Monday and Tuesday: Switch#config Switch(config)#time-range time1 Switch(config-time-range)#holiday exclude...
  • Page 100 Managing System Time Range Configuration Step 8 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create a holiday entry and set the entry name as holiday1 and set start date and end date as 07/01 and 09/01: Switch#config Switch(config)#holiday holiday1 start-date 07/01 end-date 09/01 Switch(config)#show holiday...
  • Page 101: Example For Poe Configurations

    Managing System Example for PoE Configurations Example for PoE Configurations Network Requirements The network topology of a company is shown below. Camera1 and Camera2 are used for company security and must never be powered off. AP1 and AP2 provide internet service and only work during office hours.
  • Page 102 Managing System Example for PoE Configurations Figure 9-2 Creating Time Range 2) Click and the following window will pop up. Set Date, Time and Day of Week as the following figure shows. Click Create. Figure 9-3  Creating a Periodic Time 3) Specify a name for the time range. Click Create. User Guide...
  • Page 103 Managing System Example for PoE Configurations Figure 9-4 Configuring Time Range 4) Choose the menu SYSTEM > PoE > PoE Config to load the following page. Select port 1/0/3 and set the Time Range as OfficeTime. Click Apply. Figure 9-5  Configure the Port 5) Click to save the settings.
  • Page 104: Using The Cli

    Managing System Example for PoE Configurations Using the CLI The configuration of port 1/0/4 is similar to that of port 1/0/3. Here we take port 1/0/3 as an example. 1) Create a time-range. Switch_A#config Switch_A(config)#time-range office-time Switch_A(config-time-range)#holiday exclude Switch_A(config-time-range)#absolute from 01/01/2017 to 01/01/2018 Switch_A(config-time-range)#periodic start 08:30 end 18:00 day-of-the-week 1-5 Switch_A(config-time-range)#exit 2) Enable the PoE function on the port 1/0/3.
  • Page 105 Managing System Example for PoE Configurations Interface PoE-Status PoE-Prio Power-Limit(w) Time-Range PoE-Profile ---------- ---------- -------- -------------- ------------- ---------------- Gi1/0/3 Enable Class4 office-time None User Guide...
  • Page 106: Appendix: Default Parameters

    Parameter Default Setting Device Name The model name of the switch. Device Location SHENZHEN System Contact www.tp-link.com Table 10-2 Default Settings of System Time Configuration Parameter Default Setting Time Source Manual Table 10-3 Default Settings of Daylight Saving Time Configuration...
  • Page 107 Managing System Appendix: Default Parameters Parameter Default Setting Backup Config config2.cfg Default settings of EEE are listed in the following table. Table 10-6 Default Settings of EEE Configuration Parameter Default Setting Status Disabled (For T1600G-52PS/TL-SG2428P) Default settings of PoE are listed in the following table. Table 10-7 Default Settings of PoE Configuration Parameter...
  • Page 108 Managing System Appendix: Default Parameters Default settings of Time Range are listed in the following table. Table 10-9 Default Settings of Time Range Configuration Parameter Default Setting Holiday Include User Guide...
  • Page 109: Managing Physical Interfaces

    Part 3 Managing Physical Interfaces CHAPTERS 1. Physical Interface 2. Basic Parameters Configurations 3. Port Isolation Configurations 4. Loopback Detection Configuration 5. Configuration Examples 6. Appendix: Default Parameters...
  • Page 110: Physical Interface

    Managing Physical Interfaces Physical Interface Physical Interface Overview Interfaces are used to exchange data and interact with interfaces of other network devices. Interfaces are classified into physical interfaces and layer 3 interfaces. ■ Physical interfaces are the ports on the switch panel. They forward packets based on MAC address table.
  • Page 111: Basic Parameters Configurations

    Managing Physical Interfaces Basic Parameters Configurations Basic Parameters Configurations Using the GUI Choose the menu L2 FEATURES > Switching > Port > Port Config to load the following page. Figure 2-1 Configuring Basic Parameters Follow these steps to configure basic parameters for the ports: 1) Configure the MTU size of jumbo frames for all the ports, then click Apply.
  • Page 112: Using The Cli

    Managing Physical Interfaces Basic Parameters Configurations Description (Optional) Enter a description for the port. Status With this option enabled, the port forwards packets normally. Otherwise, the port cannot work. By default, it is enabled. Speed Select the appropriate speed mode for the port. When Auto is selected, the port automatically negotiates speed mode with the neighbor device.
  • Page 113 Managing Physical Interfaces Basic Parameters Configurations Step 4 Configure basic parameters for the port: description string Give a port description for identification. string : Content of a port description, ranging from 1 to 16 characters. shutdown no shutdown Use shutdown to disable the port, and use no shutdown to enable the port. When the status is enabled, the port can forward packets normally, otherwise it will discard the received packets.
  • Page 114 Managing Physical Interfaces Basic Parameters Configurations Switch(config-if)#description router connection Switch(config-if)#speed auto Switch(config-if)#duplex auto Switch(config-if)#flow-control Switch(config-if)#show interface configuration gigabitEthernet 1/0/1 Port State Speed Duplex FlowCtrl Description -------- ----- -------- ------ -------- ----------- Gi1/0/1 Enable Auto Auto Enable router connection Switch(config-if)#show jumbo-size Global jumbo size : 9216 Switch(config-if)#end Switch#copy running-config startup-config...
  • Page 115: Port Isolation Configurations

    Managing Physical Interfaces Port Isolation Configurations Port Isolation Configurations Using the GUI Port Isolation is used to limit the data transmitted by a port. The isolated port can only send packets to the ports specified in its Forwarding Port List. Choose the menu L2 FEATURES >...
  • Page 116: Using The Cli

    Managing Physical Interfaces Port Isolation Configurations Figure 3-2 Port Isolation Follow these steps to configure Port Isolation: 1) In the Port section, select one or multiple ports to be isolated. 2) In the Forwarding Port List section, select the forwarding ports or LAGs which the isolated ports can only communicate with.
  • Page 117 Managing Physical Interfaces Port Isolation Configurations Step 3 port isolation { [fa-forward-list fa-forward-list ] [gi-forward-list gi-forward-list ] [te-forward-list te-forward-list ] [ po-forward-list po-forward-list ] } Add ports or LAGs to the forwarding port list of the isolated port. It is multi-optional. fa-forward-list / gi-forward-list / te-forward-list : Specify the forwarding Ethernet ports.
  • Page 118: Loopback Detection Configuration

    Managing Physical Interfaces Loopback Detection Configuration Loopback Detection Configuration Using the GUI To avoid broadcast storm, we recommend that you enable storm control before loopback detection is enabled. For detailed introductions about storm control, refer to Configuring Choose the menu L2 FEATURES > Switching > Port > Loopback Detection to load the following page.
  • Page 119 Managing Physical Interfaces Loopback Detection Configuration Loopback Enable loopback detection globally. Detection Status Detection Set the interval of sending loopback detection packets in seconds. Interval The valid value ranges from 1 to 1000 and the default value is 30. Auto-recovery Set the recovery time globally.
  • Page 120: Using The Cli

    Managing Physical Interfaces Loopback Detection Configuration Using the CLI Follow these steps to configure loopback detection: Step 1 configure Enter global configuration mode. Step 2 loopback-detection Enable the loopback detection feature globally. By default, it is disabled. Step 3 loopback-detection interval interval-time Set the interval of sending loopback detection packets which is used to detect the loops in the network.
  • Page 121 Managing Physical Interfaces Loopback Detection Configuration Step 10 show loopback-detection interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel } Verify the Loopback Detection configuration of the specified port. Step 11 Return to privileged EXEC mode. Step 12 copy running-config startup-config Save the settings in the configuration file.
  • Page 122: Configuration Examples

    Managing Physical Interfaces Configuration Examples Configuration Examples Example for Port Isolation 5.1.1 Network Requirements As shown below, three hosts and a server are connected to the switch and all belong to VLAN 10. Without changing the VLAN configuration, Host A is not allowed to communicate with the other hosts except the server, even if the MAC address or IP address of Host A is changed.
  • Page 123 Managing Physical Interfaces Configuration Examples Figure 5-2 Port Isolation List 2) Click Edit on the above page to load the following page. Select port 1/0/1 as the port to be isolated, and select port 1/0/4 as the forwarding port. Click Apply. Figure 5-3 Port Isolation Configuration 3) Select port 1/0/4 as the port to be isolated, and select port 1/0/1 as the forwarding port.
  • Page 124: Using The Cli

    Managing Physical Interfaces Configuration Examples Figure 5-4 Port Isolation Configuration 4) Click to save the settings. 5.1.4 Using the CLI Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#port isolation gi-forward-list 1/0/4 Switch(config-if)#exit Switch(config)#interface gigabitEthernet 1/0/4 Switch(config-if)#port isolation gi-forward-list 1/0/1 Switch(config-if)#end Switch#copy running-config startup-config Verify the Configuration Switch#show port isolation interface Port Forward-List...
  • Page 125: Example For Loopback Detection

    Here we introduce how to configure loopback detection and monitor the detection result on the management interface of the switch. Demonstrated with T1600G-52TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. User Guide...
  • Page 126: Using The Gui

    Managing Physical Interfaces Configuration Examples 5.2.3 Using the GUI 1) Choose the menu L2 FEATURES > Switching > Port > Loopback Detection to load the configuration page. 2) In the Loopback Detection section, enable loopback detection and web refresh globally. Keep the other parameters as default values and click Apply. Figure 5-6 Global Configuration 3) In the Port Config section, enable ports 1/0/1-3, select the operation mode as Port-Based so that the port will be blocked when a loop is detected, and keep the recovery...
  • Page 127: Using The Cli

    Managing Physical Interfaces Configuration Examples 5.2.4 Using the CLI 1) Enable loopback detection globally and configure the detection interval and recovery time. Switch#configure Switch(config)#loopback-detection Switch(config)#loopback-detection interval 30 Switch(config)#loopback-detection recovery-time 3 2) Enable loopback detection on ports 1/0/1-3 and set the process mode and recovery mode.
  • Page 128: Appendix: Default Parameters

    Managing Physical Interfaces Appendix: Default Parameters Appendix: Default Parameters Default settings of Switching are listed in the following tables. Table 6-1 Configurations for Ports Parameter Default Setting Port Config Jumbo 1518 bytes Copper (For RJ45 Ports) Type Fiber (For SFP Ports) Status Enabled Auto (For RJ45 Ports)
  • Page 129: Configuring Lag

    Part 4 Configuring LAG CHAPTERS 1. LAG 2. LAG Configuration 3. Configuration Examples 4. Appendix: Default Parameters...
  • Page 130: Lag

    Configuring LAG Overview With LAG (Link Aggregation Group) function, you can aggregate multiple physical ports into a logical interface, increasing link bandwidth and providing backup ports to enhance the connection reliability. Supported Features You can configure LAG in two ways: static LAG and LACP (Link Aggregation Control Protocol).
  • Page 131: Lag Configuration

    Configuring LAG LAG Configuration LAG Configuration To complete LAG configuration, follow these steps: 1) Configure the global load-balancing algorithm. 2) Configure Static LAG or LACP. Configuration Guidelines ■ Ensure that both ends of the aggregation link work in the same LAG mode. For example, if the local end works in LACP mode, the peer end should also be set as LACP mode.
  • Page 132: Using The Gui

    Configuring LAG LAG Configuration Using the GUI 2.1.1 Configuring Load-balancing Algorithm Choose the menu L2 FEATURES > Switching > LAG > LAG Table to load the following page. Figure 2-1 Global Config In the Global Config section, select the load-balancing algorithm (Hash Algorithm), then click Apply.
  • Page 133: Configuring Static Lag Or Lacp

    Configuring LAG LAG Configuration as “SRC MAC” to allow Switch A to determine the forwarding port based on the source MAC addresses of the received packets. Figure 2-2 Hash Algorithm Configuration Switch A Switch B Hosts Server 2.1.2 Configuring Static LAG or LACP For one port, you can choose only one LAG mode: Static LAG or LACP.
  • Page 134 Configuring LAG LAG Configuration 3) Click Apply. Note: Clearing all member ports will delete the LAG. ■ Configuring LACP Choose the menu L2 FEATURES > Switching > LAG > LACP to load the following page. Figure 2-4 LACP Config Follow these steps to configure LACP: 1) Specify the system priority for the switch and click Apply.
  • Page 135: Using The Cli

    Configuring LAG LAG Configuration Group ID Specify the group ID of the LAG. Note that the group ID of other static LAGs cannot be set as this value. The valid value of the Group ID is determined by the maximum number of LAGs supported by your switch.
  • Page 136: Configuring Static Lag Or Lacp

    Configuring LAG LAG Configuration Step 2 port-channel load-balance { src-mac | dst-mac | src-dst-mac | src-ip | dst-ip | src-dst-ip } Select the Hash Algorithm. The switch will choose the ports to transfer the packets based on the Hash Algorithm. In this way, different data flows are forwarded on different physical links to implement load balancing.
  • Page 137 Configuring LAG LAG Configuration ■ Configuring Static LAG Follow these steps to configure static LAG: Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Enter interface configuration mode.
  • Page 138 Configuring LAG LAG Configuration ■ Configuring LACP Follow these steps to configure LACP: Step 1 configure Enter global configuration mode. Step 2 lacp system-priority pri Specify the system priority for the switch. To keep active ports consistent at both ends, you can set the priority of one device to be higher than that of the other device.
  • Page 139 Configuring LAG LAG Configuration Step 9 copy running-config startup-config Save the settings in the configuration file. The following example shows how to specify the system priority of the switch as 2: Switch#configure Switch(config)#lacp system-priority 2 Switch(config)#show lacp sys-id 2, 000a.eb13.2397 Switch(config)#end Switch#copy running-config startup-config The following example shows how to add ports 1/0/1-4 to LAG 6, set the mode as LACP,...
  • Page 140: Configuration Examples

    Configuring LAG Configuration Examples Configuration Examples Example for Static LAG 3.1.1 Network Requirements As shown below, hosts and servers are connected to switch A and switch B, and heavy traffic is transmitted between the two switches. To achieve high speed and reliability of data transmission, users need to improve the bandwidth and redundancy of the link between the two switches.
  • Page 141: Using The Cli

    Configuring LAG Configuration Examples Figure 3-2 Global Configuration 2) Choose the menu L2 FEATURES > Switching > LAG > Static LAG to load the following page. Select LAG 1 and add ports 1/0/1-8 to LAG 1. Figure 3-3 System Priority Configuration 3) Click to save the settings.
  • Page 142: Example For Lacp

    Configuring LAG Configuration Examples R - layer3 S - layer2 f - failed to allocate aggregator u - unsuitable for bundling w - waiting to be aggregated d - default port Group Port-channel Protocol Ports ----- --------- ------- ------------------------------- Po2(S) Gi1/0/1(D) Gi1/0/2(D) Gi1/0/3(D) Gi1/0/4(D) Gi1/0/5(D) Gi1/0/6(D) Gi1/0/7(D) Gi1/0/8(D) Example for LACP...
  • Page 143: Using The Gui

    4) Specify a lower port priority for ports 1/0/9-10 to set them as the backup ports. When any of ports 1/0/1-8 is down, the backup ports will automatically be enabled to transmit data. Demonstrated with T1600G-52TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. 3.2.3 Using the GUI The configurations of Switch A and Switch B are similar.
  • Page 144: Using The Cli

    Configuring LAG Configuration Examples Figure 3-4 LACP Configuration 4) Click to save the settings. 3.2.4 Using the CLI The configurations of Switch A and Switch B are similar. The following introductions take Switch A as an example.
    1) Configure the load-balancing algorithm as “src-dst-mac”.
    Switch#configure
    Switch(config)#port-channel load-balance src-dst-mac
    2) Specify the system priority of Switch A as 0....
  • Page 145 Configuring LAG Configuration Examples
    Switch(config-if)#lacp port-priority 1
    Switch(config-if)#exit
    5) Add port 1/0/10 to LAG 1 and set the mode as LACP. Then specify the port priority as 2 to set it as a backup port. The priority of this port is lower than port 1/0/9.
    Switch(config)#interface gigabitEthernet 1/0/10
    Switch(config-if)#channel-group 1 mode active
    Switch(config-if)#lacp port-priority 2...
  • Page 146 Configuring LAG Configuration Examples Gi1/0/9 SA Down 0x45 Gi1/0/10 SA Down 0x45 User Guide...
  • Page 147: Appendix: Default Parameters

    Configuring LAG Appendix: Default Parameters Appendix: Default Parameters Default settings of Switching are listed in the following tables. Table 4-1 Default Settings of LAG Parameter Default Setting LAG Table Hash Algorithm SRC MAC+DST MAC LACP Config System Priority 32768 Admin Key Port Priority 32768 Mode...
  • Page 148: Managing Mac Address Table

    Part 5 Managing MAC Address Table CHAPTERS 1. MAC Address Table 2. MAC Address Configurations 3. Appendix: Default Parameters...
  • Page 149: Mac Address Table

    Managing MAC Address Table MAC Address Table MAC Address Table Overview The MAC address table contains address information that the switch uses to forward packets. As shown below, the table lists map entries of MAC addresses, VLAN IDs and ports. These entries can be manually added or automatically learned by the switch. Based on the MAC-address-to-port mapping in the table, the switch can forward packets only to the associated port.
  • Page 150 Managing MAC Address Table MAC Address Table ■ Filtering address Filtering addresses are manually added and determine the packets with specific source or destination MAC addresses that will be dropped by the switch. User Guide...
  • Page 151: Mac Address Configurations

    Managing MAC Address Table MAC Address Configurations MAC Address Configurations With MAC address table, you can: ■ Add static MAC address entries ■ Change the MAC address aging time ■ Add filtering address entries ■ View address table entries Using the GUI 2.1.1 Adding Static MAC Address Entries You can add static MAC address entries by manually specifying the desired MAC address or binding dynamic MAC address entries.
  • Page 152 Managing MAC Address Table MAC Address Configurations Follow these steps to add a static MAC address entry: 1) Enter the MAC address, VLAN ID and select a port to bind them together as an address entry. MAC Address Enter the static MAC address to be added to the static MAC address entry. VLAN ID Specify an existing VLAN in which packets with the specific MAC address are received.
  • Page 153: Modifying The Aging Time Of Dynamic Address Entries

    Managing MAC Address Table MAC Address Configurations Note: • In the same VLAN, once an address is configured as a static address, it cannot be set as a filtering address, and vice versa. • Multicast or broadcast addresses cannot be set as static addresses. •...
  • Page 154: Adding Mac Filtering Address Entries

    Managing MAC Address Table MAC Address Configurations 2.1.3 Adding MAC Filtering Address Entries Choose the menu L2 FEATURES > Switching > MAC Address > Filtering Address and click to load the following page. Figure 2-4 Adding MAC Filtering Address Entries Follow these steps to add MAC filtering address entries: 1) Enter the MAC Address and VLAN ID.
  • Page 155: Using The Cli

    Managing MAC Address Table MAC Address Configurations Choose the menu L2 FEATURES > Switching > MAC Address > Address Table and click to load the following page. Figure 2-5 Viewing Address Table Entries Using the CLI 2.2.1 Adding Static MAC Address Entries Follow these steps to add static MAC address entries: Step 1 configure...
  • Page 156: Modifying The Aging Time Of Dynamic Address Entries

    Managing MAC Address Table MAC Address Configurations Step 3 Return to privileged EXEC mode. Step 4 copy running-config startup-config Save the settings in the configuration file. Note: • In the same VLAN, once an address is configured as a static address, it cannot be set as a filtering address, and vice versa.
  • Page 157: Adding Mac Filtering Address Entries

    Managing MAC Address Table MAC Address Configurations Step 2 mac address-table aging-time aging-time Set your desired length of address aging time for dynamic address entries. aging-time: Set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated.
  • Page 158 Managing MAC Address Table MAC Address Configurations Note: • In the same VLAN, once an address is configured as a filtering address, it cannot be set as a static address, and vice versa. • Multicast or broadcast addresses cannot be set as filtering addresses. The following example shows how to add the MAC filtering address 00:1e:4b:04:01:5d to VLAN 10....
  • Page 159: Appendix: Default Parameters

    Managing MAC Address Table Appendix: Default Parameters Appendix: Default Parameters Default settings of the MAC Address Table are listed in the following tables. Table 3-1 Entries in the MAC Address Table Parameter Default Setting Static Address Entries None Dynamic Address Entries Auto-learning Filtering Address Entries None...
  • Page 160: Configuring 802.1Q Vlan

    Part 6 Configuring 802.1Q VLAN CHAPTERS 1. Overview 2. 802.1Q VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 161: Overview

    Configuring 802.1Q VLAN Overview Overview VLAN (Virtual Local Area Network) is a network technique that solves broadcasting issues in local area networks. It is usually applied in the following occasions: ■ To restrict broadcast domain: VLAN technique divides a big local area network into several VLANs, and all VLAN traffic remains within its VLAN.
  • Page 162: Q Vlan Configuration

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration 802.1Q VLAN Configuration To complete 802.1Q VLAN configuration, follow these steps: 1) Configure the VLAN, including creating a VLAN and adding the desired ports to the VLAN. 2) Configure port parameters for 802.1Q VLAN. User Guide...
  • Page 163: Using The Gui

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration Using the GUI 2.1.1 Configuring the VLAN Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Figure 2-1 Configuring VLAN Follow these steps to configure VLAN: 1) Enter a VLAN ID and a description for identification to create a VLAN.
  • Page 164: Configuring Port Parameters For 802.1Q Vlan

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration Untagged port The selected ports will forward untagged packets in the target VLAN. Tagged port The selected ports will forward tagged packets in the target VLAN. 3) Click Apply. 2.1.2 Configuring Port Parameters for 802.1Q VLAN Choose the menu L2 FEATURES >...
  • Page 165: Using The Cli

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration Displays the LAG (Link Aggregation Group) which the port belongs to. Details Click the Details button to view the VLANs to which the port belongs. Using the CLI 2.2.1 Creating a VLAN Follow these steps to create a VLAN: Step 1 configure Enter global configuration mode.
  • Page 166: Adding The Port To The Specified Vlan

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration VLAN Name Status Ports ------- -------- --------- --------- active Switch(config-vlan)#end Switch#copy running-config startup-config 2.2.2 Adding the Port to the Specified VLAN Follow these steps to add the port to the specified VLAN: Step 1 configure Enter global configuration mode.
  • Page 167: Configuring The Port

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration Acceptable frame type: All Ingress Checking: Enable Member in LAG: N/A Link Type: General Member in VLAN: Vlan Name Egress-rule ---- ----------- ----------- System-VLAN Untagged Tagged Switch(config-if)#end Switch#copy running-config startup-config 2.2.3 Configuring the Port Follow these steps to configure the port: Step 1 configure...
  • Page 168 Configuring 802.1Q VLAN 802.1Q VLAN Configuration The following example shows how to configure the PVID of port 1/0/5 as 2, enable the ingress checking and set the acceptable frame type as all:
    Switch#configure
    Switch(config)#interface gigabitEthernet 1/0/5
    Switch(config-if)#switchport pvid 2
    Switch(config-if)#switchport check ingress
    Switch(config-if)#switchport acceptable frame all
    Switch(config-if)#show interface switchport gigabitEthernet 1/0/5
    Port Gi1/0/5:...
  • Page 169: Configuration Example

    Configuring 802.1Q VLAN Configuration Example Configuration Example Network Requirements ■ Offices of Department A and Department B in the company are located in different places, and some computers in different offices connect to the same switch. ■ It is required that computers can communicate with each other in the same department but not with computers in the other department.
  • Page 170: Network Topology

    Configuring 802.1Q VLAN Configuration Example Network Topology The figure below shows the network topology. Host A1 and Host A2 are in Department A, while Host B1 and Host B2 are in Department B. Switch 1 and Switch 2 are located in two different places.
  • Page 171 Configuring 802.1Q VLAN Configuration Example Figure 3-2 Creating VLAN 10 for Department A 2) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 20 with the description of Department_B.
  • Page 172 Configuring 802.1Q VLAN Configuration Example Figure 3-3 Creating VLAN 20 for Department B 3) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > Port Config to load the following page. Set the PVID of port 1/0/2 as 10 and click Apply. Set the PVID of port 1/0/3 as 20 and click Apply.
  • Page 173: Using The Cli

    Configuring 802.1Q VLAN Configuration Example Figure 3-4 Specifying the PVID for the Ports 4) Click to save the settings. Using the CLI The configurations of Switch 1 and Switch 2 are similar. The following introductions take Switch 1 as an example. 1) Create VLAN 10 for Department A, and configure the description as Department-A.
  • Page 174 Configuring 802.1Q VLAN Configuration Example
    Switch_1(config)#interface gigabitEthernet 1/0/3
    Switch_1(config-if)#switchport general allowed vlan 20 untagged
    Switch_1(config-if)#exit
    Switch_1(config)#interface gigabitEthernet 1/0/4
    Switch_1(config-if)#switchport general allowed vlan 10 tagged
    Switch_1(config-if)#switchport general allowed vlan 20 tagged
    Switch_1(config-if)#exit
    3) Set the PVID of port 1/0/2 as 10, and set the PVID of port 1/0/3 as 20.
    Switch_1(config)#interface gigabitEthernet 1/0/2
    Switch_1(config-if)#switchport pvid 10
    Switch_1(config-if)#exit...
  • Page 175 Configuring 802.1Q VLAN Configuration Example Primary Secondary Type Ports ------- --------- ---------- --------------------- Verify the VLAN configuration: Switch_1(config)#show interface switchport Port Type PVID Acceptable frame type Ingress Checking ------- ---- ---- --------------------- ---------------- Gi1/0/1 General Enable Gi1/0/2 General Enable Gi1/0/3 General Enable Gi1/0/4...
  • Page 176: Appendix: Default Parameters

    Configuring 802.1Q VLAN Appendix: Default Parameters Appendix: Default Parameters Default settings of 802.1Q VLAN are listed in the following table. Table 4-1 Default Settings of 802.1Q VLAN Parameter Default Setting VLAN ID PVID Ingress Checking Enabled Acceptable Frame Types Admit All User Guide...
  • Page 177: Configuring Mac Vlan

    Part 7 Configuring MAC VLAN CHAPTERS 1. Overview 2. MAC VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 178: Overview

    Configuring MAC VLAN Overview Overview VLAN is generally divided by ports. It is a common way of division but isn’t suitable for those networks that require frequent topology changes. With the popularity of mobile office, at different times a terminal device may access the network via different ports. For example, a terminal device that accessed the switch via port 1 last time may change to port 2 this time.
  • Page 179: Mac Vlan Configuration

    Configuring MAC VLAN MAC VLAN Configuration MAC VLAN Configuration To complete MAC VLAN configuration, follow these steps: 1) Configure 802.1Q VLAN. 2) Bind the MAC address to the VLAN. 3) Enable MAC VLAN for the port. Configuration Guidelines When a port in a MAC VLAN receives an untagged data packet, the switch will first check whether the source MAC address of the data packet has been bound to the MAC VLAN.
  • Page 180: Enabling Mac Vlan For The Port

    Configuring MAC VLAN MAC VLAN Configuration Follow these steps to bind the MAC address to the 802.1Q VLAN: 1) Enter the MAC address of the device, give it a description, and enter the VLAN ID to bind it to the VLAN. MAC Address Enter the MAC address of the device in the format of 00-00-00-00-00-01.
  • Page 181: Using The Cli

    Configuring MAC VLAN MAC VLAN Configuration Using the CLI 2.2.1 Configuring 802.1Q VLAN Before configuring MAC VLAN, create an 802.1Q VLAN and set the port type according to network requirements. For details, refer to Configuring 802.1Q VLAN. 2.2.2 Binding the MAC Address to the VLAN Follow these steps to bind the MAC address to the VLAN: Step 1 configure...
  • Page 182: Enabling Mac Vlan For The Port

    Configuring MAC VLAN MAC VLAN Configuration Switch#copy running-config startup-config 2.2.3 Enabling MAC VLAN for the Port Follow these steps to enable MAC VLAN for the port: Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode.
  • Page 183: Configuration Example

    Configuring MAC VLAN Configuration Example Configuration Example Network Requirements Two departments share all the meeting rooms in the company, but use different servers and laptops. Department A uses Server A and Laptop A, while Department B uses Server B and Laptop B. Server A is in VLAN 10 while Server B is in VLAN 20. It is required that Laptop A can only access Server A and Laptop B can only access Server B, no matter which meeting room the laptops are being used in.
  • Page 184: Using The Gui

    Configuring MAC VLAN Configuration Example egress rule as Untagged; for the ports connecting to other switch, set the egress rule as Tagged. 2) On Switch 1 and Switch 2, bind the MAC addresses of the laptops to their corresponding VLANs, and enable MAC VLAN for the ports. Demonstrated with T1600G-28TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.
  • Page 185 Configuring MAC VLAN Configuration Example Figure 3-2 Creating VLAN 10 2) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 20, and add untagged port 1/0/1 and tagged port 1/0/2 to VLAN 20. Click Create. User Guide...
  • Page 186 Configuring MAC VLAN Configuration Example Figure 3-3 Creating VLAN 20 3) Choose the menu L2 FEATURES > VLAN > MAC VLAN and click to load the following page. Specify the corresponding parameters and click Create to bind the MAC address of Laptop A to VLAN 10 and bind the MAC address of Laptop B to VLAN Figure 3-4 Creating MAC VLAN 4) Choose the menu L2 FEATURES >...
  • Page 187 Configuring MAC VLAN Configuration Example Figure 3-5 Enabling MAC VLAN for the Port 5) Click to save the settings. ■ Configurations for Switch 3 1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 10, and add untagged port 1/0/4 and tagged ports 1/0/2-3 to VLAN 10.
  • Page 188 Configuring MAC VLAN Configuration Example Figure 3-6 Creating VLAN 10 2) Click Create to load the following page. Create VLAN 20, and add untagged port 1/0/5 and tagged ports 1/0/2-3 to VLAN 20. Click Create. User Guide...
  • Page 189: Using The Cli

    Configuring MAC VLAN Configuration Example Figure 3-7 Creating VLAN 20 3) Click to save the settings. Using the CLI ■ Configurations for Switch 1 and Switch 2 The configurations of Switch 1 and Switch 2 are the same. The following introductions take Switch 1 as an example.
  • Page 190 Configuring MAC VLAN Configuration Example
    Switch_1(config)#vlan 20
    Switch_1(config-vlan)#name deptB
    Switch_1(config-vlan)#exit
    2) Add tagged port 1/0/2 and untagged port 1/0/1 to both VLAN 10 and VLAN 20. Then enable MAC VLAN on port 1/0/1.
    Switch_1(config)#interface gigabitEthernet 1/0/2
    Switch_1(config-if)#switchport general allowed vlan 10,20 tagged
    Switch_1(config-if)#exit
    Switch_1(config)#interface gigabitEthernet 1/0/1
    Switch_1(config-if)#switchport general allowed vlan 10,20 untagged...
  • Page 191 Configuring MAC VLAN Configuration Example
    Switch_3(config)#interface gigabitEthernet 1/0/3
    Switch_3(config-if)#switchport general allowed vlan 10,20 tagged
    Switch_3(config-if)#exit
    3) Add untagged port 1/0/4 to VLAN 10 and untagged port 1/0/5 to VLAN 20.
    Switch_3(config)#interface gigabitEthernet 1/0/4
    Switch_3(config-if)#switchport general allowed vlan 10 untagged
    Switch_3(config-if)#exit
    Switch_3(config)#interface gigabitEthernet 1/0/5
    Switch_3(config-if)#switchport general allowed vlan 20 untagged
    Switch_3(config-if)#end...
  • Page 192 Configuring MAC VLAN Configuration Example VLAN Name Status Ports -------- --------------- ------------- ------------------------------------- System-VLAN active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4, Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8 DeptA active Gi1/0/2, Gi1/0/3, Gi1/0/4 DeptB active Gi1/0/2, Gi1/0/3, Gi1/0/5 User Guide...
  • Page 193: Appendix: Default Parameters

    Configuring MAC VLAN Appendix: Default Parameters Appendix: Default Parameters Default settings of MAC VLAN are listed in the following table. Table 4-1 Default Settings of MAC VLAN Parameter Default Setting MAC Address None Description None VLAN ID None Port Enable Disabled User Guide...
  • Page 194: Configuring Protocol Vlan

    Part 8 Configuring Protocol VLAN CHAPTERS 1. Overview 2. Protocol VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 195: Overview

    Configuring Protocol VLAN Overview Overview Protocol VLAN is a technology that divides VLANs based on the network layer protocol. With the protocol VLAN rule configured on the basis of the existing 802.1Q VLAN, the switch can analyze specific fields of received packets, encapsulate the packets in specific formats, and forward the packets with different protocols to the corresponding VLANs.
  • Page 196: Protocol Vlan Configuration

    3) Configure Protocol VLAN. Configuration Guidelines ■ You can use the IP, ARP, RARP, and other protocol templates provided by TP-Link switches, or create new protocol templates. ■ In a protocol VLAN, when a port receives an untagged data packet, the switch will first search for the protocol VLAN matching the protocol type value of the packet.
  • Page 197: Creating Protocol Template

    Configuring Protocol VLAN Protocol VLAN Configuration 2.1.2 Creating Protocol Template Choose the menu L2 FEATURES > VLAN > Protocol VLAN > Protocol Template to load the following page. Figure 2-1 Check the Protocol Template Follow these steps to create a protocol template: 1) Check whether your desired template already exists in the Protocol Template Config section.
  • Page 198: Configuring Protocol Vlan

    Configuring Protocol VLAN Protocol VLAN Configuration DSAP Enter the DSAP value for the protocol template. It is available when LLC is selected. It is the DSAP field in the frame and is used to identify the data type of the frame. SSAP Enter the SSAP value for the protocol template.
  • Page 199: Using The Cli

    Configuring Protocol VLAN Protocol VLAN Configuration 802.1p Priority Specify the 802.1p priority for the packets that belong to the protocol VLAN. The switch determines the forwarding sequence according to this value. Packets with a larger 802.1p priority value have higher priority. 2) Select the desired ports....
  • Page 200: Configuring Protocol Vlan

    Configuring Protocol VLAN Protocol VLAN Configuration The following example shows how to create an IPv6 protocol template: Switch#configure Switch(config)#protocol-vlan template name IPv6 frame ether_2 ether-type 86dd Switch(config)#show protocol-vlan template Index Protocol Name Protocol Type ------- ----------------- -------------------------------- EthernetII ether-type 0800 EthernetII ether-type 0806 RARP EthernetII ether-type 8035...
  • Page 201 Configuring Protocol VLAN Protocol VLAN Configuration Step 5 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 6 protocol-vlan group entry-id Add the specified port to the protocol group.
  • Page 202 Configuring Protocol VLAN Protocol VLAN Configuration Index Protocol-Name VID Priority Member ------ ------------------ ------ -------- ------------ IPv6 Gi1/0/2 Switch(config-if)#end Switch#copy running-config startup-config User Guide...
  • Page 203: Configuration Example

    Configuring Protocol VLAN Configuration Example Configuration Example Network Requirements A company uses both IPv4 and IPv6 hosts, and these hosts access the IPv4 network and IPv6 network respectively via different routers. It is required that IPv4 packets are forwarded to the IPv4 network, IPv6 packets are forwarded to the IPv6 network, and other packets are dropped.
  • Page 204 Configuring Protocol VLAN Configuration Example 1) Create VLAN 10 and VLAN 20 and add each port to the corresponding VLAN. 2) Use the IPv4 protocol template provided by the switch, and create the IPv6 protocol template. 3) Bind the protocol templates to the corresponding VLANs to form protocol groups, and add port 1/0/1 to the groups.
  • Page 205: Using The Gui

    Configuring Protocol VLAN Configuration Example Using the GUI ■ Configurations for Switch 1 1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 10, and add untagged port 1/0/1 and untagged port 1/0/3 to VLAN 10.
  • Page 206 Configuring Protocol VLAN Configuration Example 2) Click to load the following page. Create VLAN 20, and add untagged ports 1/0/2-3 to VLAN 20. Click Create. Figure 3-3 Create VLAN 20 3) Click to save the settings. User Guide...
  • Page 207 Configuring Protocol VLAN Configuration Example ■ Configurations for Switch 2 1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 10, and add tagged port 1/0/1 and untagged port 1/0/2 to VLAN 10.
  • Page 208 Configuring Protocol VLAN Configuration Example 2) Click to load the following page. Create VLAN 20, and add tagged port 1/0/1 and untagged port 1/0/3 to VLAN 20. Click Create. Figure 3-5 Create VLAN 20 User Guide...
  • Page 209 Configuring Protocol VLAN Configuration Example 3) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > Port Config to load the following page. Set the PVID of port 1/0/2 and port 1/0/3 as 10 and 20 respectively. Click Apply. Figure 3-6 Port Configuration 4) Choose the menu L2 FEATURES >...
  • Page 210 Configuring Protocol VLAN Configuration Example Figure 3-8  Configure the IPv4 Protocol Group Figure 3-9 Configure the IPv6 Protocol Group 6) Click to save the settings. User Guide...
  • Page 211: Using The Cli

    Configuring Protocol VLAN Configuration Example Using the CLI ■ Configurations for Switch 1
    1) Create VLAN 10 and VLAN 20.
    Switch_1#configure
    Switch_1(config)#vlan 10
    Switch_1(config-vlan)#name IPv4
    Switch_1(config-vlan)#exit
    Switch_1(config)#vlan 20
    Switch_1(config-vlan)#name IPv6
    Switch_1(config-vlan)#exit
    2) Add untagged port 1/0/1 to VLAN 10. Add untagged port 1/0/2 to VLAN 20. Add untagged port 1/0/3 to both VLAN 10 and VLAN 20....
  • Page 212 Configuring Protocol VLAN Configuration Example Switch_2(config-vlan)#name IPv6 Switch_2(config-vlan)#exit 2) Add tagged port 1/0/1 to both VLAN 10 and VLAN 20. Specify the PVID of untagged port 1/0/2 as 10 and add it to VLAN 10. Specify the PVID of untagged port 1/0/3 as 20 and add it to VLAN 20.
  • Page 213 Configuring Protocol VLAN Configuration Example 5) Add port 1/0/1 to the protocol groups. Switch_2(config)#show protocol-vlan vlan Index Protocol-Name Member ---- --------------- ---------- ------------- IPv6 Switch_2(config)#interface gigabitEthernet 1/0/1 Switch_2(config-if)#protocol-vlan group 1 Switch_2(config-if)#protocol-vlan group 2 Switch_2(config-if)#exit Switch_2(config)#end Switch_2#copy running-config startup-config Verify the Configurations ■...
  • Page 214 Configuring Protocol VLAN Configuration Example VLAN Name Status Ports ------- ------------- ---------- -------------------------------------------- System-VLAN active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4 Gi1/0/25, Gi1/0/26, Gi1/0/27, Gi1/0/28 IPv4 active Gi1/0/1, Gi1/0/2 IPv6 active Gi1/0/1, Gi1/0/3 Verify protocol group configuration: Switch_2#show protocol-vlan vlan Index Protocol-Name Priority Member --------...
  • Page 215: Appendix: Default Parameters

    Configuring Protocol VLAN Appendix: Default Parameters Appendix: Default Parameters Default settings of Protocol VLAN are listed in the following table. Table 4-1 Default Settings of Protocol VLAN Parameter Default Setting Ethernet II ether-type 0800 Ethernet II ether-type 0806 Protocol Template Table RARP Ethernet II ether-type 8035 SNAP ether-type 8137...
  • Page 216: Configuring Gvrp

    Part 9 Configuring GVRP CHAPTERS 1. Overview 2. GVRP Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 217: Overview

    Configuring GVRP Overview Overview GVRP (GARP VLAN Registration Protocol) is a GARP (Generic Attribute Registration Protocol) application that allows registration and deregistration of VLAN attribute values and dynamic VLAN creation. Without GVRP operating, configuring the same VLAN on a network would require manual configuration on each device.
  • Page 218: Gvrp Configuration

    Configuring GVRP GVRP Configuration GVRP Configuration To complete GVRP configuration, follow these steps: 1) Create a VLAN. 2) Enable GVRP globally. 3) Enable GVRP on each port and configure the corresponding parameters. Configuration Guidelines To dynamically create a VLAN on all ports in a network link, you must configure the same static VLAN on both ends of the link.
  • Page 219: Using The Gui

    Configuring GVRP GVRP Configuration Using the GUI Choose the menu L2 FEATURES > VLAN > GVRP > GVRP Config to load the following page. Figure 2-1 GVRP Config Follow these steps to configure GVRP: 1) In the GVRP section, enable GVRP globally, then click Apply. 2) In the Port Config section, select one or more ports, set the status as Enable and configure the related parameters according to your needs.
  • Page 220: Using The Cli

    Configuring GVRP GVRP Configuration LeaveAll Timer When a GARP participant is enabled, the LeaveAll timer will be started. When (centisecond) the LeaveAll timer expires, the GARP participant will send LeaveAll messages to request other GARP participants to re-register all its attributes. After that, the participant restarts the LeaveAll timer.
  • Page 221 Configuring GVRP GVRP Configuration Step 3 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 4 gvrp Enable GVRP on the port.
  • Page 222 Configuring GVRP GVRP Configuration Step 9 Return to privileged EXEC mode. Step 10 copy running-config startup-config Save the settings in the configuration file. Note: • The member port of an LAG follows the configuration of the LAG and not its own. The configurations of the port can take effect only after it leaves the LAG.
  • Page 223: Configuration Example

    Configuring GVRP Configuration Example Configuration Example Network Requirements Department A and Department B of a company are connected using switches. Offices of one department are distributed on different floors. As shown in Figure 3-1, the network topology is complicated. Configuration of the same VLAN on different switches is required so that computers in the same department can communicate with each other.
  • Page 224: Using The Gui

    Configuring GVRP Configuration Example Demonstrated with T1600G-28TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. Using the GUI GVRP configurations for Switch 3 are the same as for Switch 1, and those for Switch 4 are the same as for Switch 2....
  • Page 225 Configuring GVRP Configuration Example 2) Choose the menu L2 FEATURES > VLAN > GVRP to load the following page. Enable GVRP globally, then click Apply. Select port 1/0/1, set Status as Enable, and set Registration Mode as Fixed. Keep the values of the timers as default. Click Apply. Figure 3-3 GVRP Configuration 3) Click to save the settings.
  • Page 226 Configuring GVRP Configuration Example Figure 3-4 Create VLAN 20 2) Choose the menu L2 FEATURES > VLAN > GVRP to load the following page. Enable GVRP globally, then click Apply. Select port 1/0/1, set Status as Enable, and set Registration Mode as Fixed. Keep the values of the timers as default. Click Apply. User Guide...
  • Page 227 Configuring GVRP Configuration Example Figure 3-5 GVRP Configuration 3) Click to save the settings. ■ Configurations for Switch 5 1) Choose the menu L2 FEATURES > VLAN > GVRP to load the following page. Enable GVRP globally, then click Apply. Select ports 1/0/1-3, set Status as Enable, and keep the Registration Mode and the values of the timers as default.
  • Page 228: Using The Cli

    Configuring GVRP Configuration Example Figure 3-6 GVRP Configuration 2) Click to save the settings. Using the CLI GVRP configuration for Switch 3 is the same as Switch 1, and Switch 4 is the same as Switch 2. Other switches share similar configurations. The following configuration procedures take Switch 1, Switch 2 and Switch 5 as examples.
  • Page 229 Configuring GVRP Configuration Example
    Switch_1(config)#interface gigabitEthernet 1/0/1
    Switch_1(config-if)#switchport general allowed vlan 10 tagged
    Switch_1(config-if)#gvrp
    Switch_1(config-if)#gvrp registration fixed
    Switch_1(config-if)#end
    Switch_1#copy running-config startup-config
    ■ Configurations for Switch 2
    1) Enable GVRP globally.
    Switch_2#configure
    Switch_2(config)#gvrp
    2) Create VLAN 20.
    Switch_2(config)#vlan 20
    Switch_2(config-vlan)#name Department_B
    Switch_2(config-vlan)#exit
    3) Add tagged port 1/0/1 to VLAN 20....
  • Page 230 Configuring GVRP Configuration Example Switch_5#copy running-config startup-config Verify the Configuration ■ Switch 1 Verify the global GVRP configuration: Switch_1#show gvrp global GVRP Global Status ------------------ Enabled Verify GVRP configuration for port 1/0/1: Switch_1#show gvrp interface Port Status Reg-Mode LeaveAll JoinIn Leave LAG ---- ------...
  • Page 231 Configuring GVRP Configuration Example Gi1/0/2 Disabled Normal 1000 ■ Switch 5 Verify global GVRP configuration: GVRP Global Status ------------------ Enabled Verify GVRP configuration for ports 1/0/1-3: Switch_5#show gvrp interface Port Status Reg-Mode LeaveAll JoinIn Leave LAG ---- ------ -------- ------- ------ ----- Gi1/0/1 Enabled...
  • Page 232: Appendix: Default Parameters

    Configuring GVRP Appendix: Default Parameters Appendix: Default Parameters Default settings of GVRP are listed in the following tables. Table 4-1 Default Settings of GVRP Parameter Default Setting Global Config GVRP Disabled Port Config Status Disabled Registration Mode Normal LeaveAll Timer 1000 centiseconds Join Timer 20 centiseconds...
  • Page 233: Configuring Layer 2 Multicast

    Part 10 Configuring Layer 2 Multicast CHAPTERS 1. Layer 2 Multicast 2. IGMP Snooping Configuration 3. MLD Snooping Configuration 4. MVR Configuration 5. Multicast Filtering Configuration 6. Viewing Multicast Snooping Information 7. Configuration Examples 8. Appendix: Default Parameters...
  • Page 234: Layer 2 Multicast

    Configuring Layer 2 Multicast Layer 2 Multicast Layer 2 Multicast Overview In a point-to-multipoint network, packets can be sent in three ways: unicast, broadcast and multicast. With unicast, many copies of the same information will be sent to all the receivers, occupying a large bandwidth.
  • Page 235 Configuring Layer 2 Multicast Layer 2 Multicast Demonstrated as below: Figure 1-1 IGMP Snooping (two panels: multicast packets transmission without IGMP Snooping, and multicast packets transmission with IGMP Snooping)...
  • Page 236: Supported Features

    Configuring Layer 2 Multicast Layer 2 Multicast Supported Features Layer 2 Multicast protocol for IPv4: IGMP Snooping On the Layer 2 device, IGMP Snooping transmits data on demand on data link layer by analyzing IGMP packets between the IGMP querier and the users, to build and maintain Layer 2 multicast forwarding table.
  • Page 237: Igmp Snooping Configuration

    Configuring Layer 2 Multicast IGMP Snooping Configuration IGMP Snooping Configuration To complete IGMP Snooping configuration, follow these steps: 1) Enable IGMP Snooping globally and configure the global parameters. 2) Configure IGMP Snooping for VLANs. 3) Configure IGMP Snooping for ports. 4) (Optional) Configure hosts to statically join a group.
  • Page 238: Configuring Igmp Snooping For Vlans

    Configuring Layer 2 Multicast IGMP Snooping Configuration IGMP Version Specify the IGMP version. v1: The switch works as an IGMPv1 Snooping switch. It can only process IGMPv1 messages from the host. Messages of other versions are ignored. v2: The switch works as an IGMPv2 Snooping switch. It can process both IGMPv1 and IGMPv2 messages from the host.
  • Page 239 Configuring Layer 2 Multicast IGMP Snooping Configuration Figure 2-2 Configure IGMP Snooping for VLAN Follow these steps to configure IGMP Snooping for a specific VLAN: 1) Enable IGMP Snooping for the VLAN, and configure the corresponding parameters. VLAN ID Displays the VLAN ID. IGMP Snooping Enable or disable IGMP Snooping for the VLAN.
  • Page 240 Configuring Layer 2 Multicast IGMP Snooping Configuration Fast Leave Enable or disable Fast Leave for the VLAN. IGMPv1 does not support Fast Leave. Without Fast Leave, after a receiver sends an IGMP leave message to leave a multicast group, the switch will forward the leave message to the Layer 3 device (the querier).
  • Page 241 Configuring Layer 2 Multicast IGMP Snooping Configuration Leave Time Specify the leave time for the VLAN. When the switch receives a leave message from a port to leave a multicast group, it will wait for a leave time before removing the port from the multicast group. During the period, if the switch receives any report messages from the port, the port will not be removed from the multicast group.
  • Page 242: Configuring Igmp Snooping For Ports

    Configuring Layer 2 Multicast IGMP Snooping Configuration 2.1.3 Configuring IGMP Snooping for Ports Choose the menu L2 FEATURES > Multicast > IGMP Snooping > Port Config to load the following page. Figure 2-3 Configure IGMP Snooping for Ports Follow these steps to configure IGMP Snooping for ports: 1) Enable IGMP Snooping for the port and enable Fast Leave if there is only one receiver connected to the port.
  • Page 243: Using The Cli

    Configuring Layer 2 Multicast IGMP Snooping Configuration Choose the menu L2 FEATURES > Multicast > IGMP Snooping > Static Group Config and click to load the following page. Figure 2-4 Configure Hosts to Statically Join a Group Follow these steps to configure hosts to statically join a group: 1) Specify the multicast IP address, VLAN ID.
  • Page 244 Configuring Layer 2 Multicast IGMP Snooping Configuration Step 3 ip igmp snooping version {v1 | v2 | v3} Configure the IGMP version. v1: The switch works as an IGMPv1 Snooping switch. It can only process IGMPv1 report messages from the host. Report messages of other versions are ignored. v2: The switch works as an IGMPv2 Snooping switch.
  • Page 245: Configuring Igmp Snooping For Vlans

    Configuring Layer 2 Multicast IGMP Snooping Configuration Switch(config)#ip igmp snooping header-validation Switch(config)#show ip igmp snooping IGMP Snooping :Enable IGMP Version Unknown Multicast :Discard Header Validation :Enable Switch(config)#end Switch#copy running-config startup-config 2.2.2 Configuring IGMP Snooping for VLANs Before configuring IGMP Snooping for VLANs, set up the VLANs that the router ports and the member ports are in.
  • Page 246 Configuring Layer 2 Multicast IGMP Snooping Configuration Step 3 ip igmp snooping vlan-config vlan-id-list rtime router-time Specify the router port aging time for the VLANs. vlan-id-list: Specify the ID or the ID list of the VLAN(s). router-time: Specify the aging time of the router ports in the specified VLANs. Valid values are from 60 to 600 seconds.
  • Page 247 Configuring Layer 2 Multicast IGMP Snooping Configuration Step 6 ip igmp snooping vlan-config vlan-id-list immediate-leave (Optional) Enable the Fast Leave for the VLANs. By default, it is disabled. IGMPv1 does not support fast leave. Without Fast Leave, after a receiver sends an IGMP leave message to leave a multicast group, the switch will forward the leave message to the Layer 3 device (the querier).
  • Page 248 Configuring Layer 2 Multicast IGMP Snooping Configuration Step 9 ip igmp snooping vlan-config vlan-id-list querier (Optional) Enable the IGMP Snooping Querier for the VLAN. By default, it is disabled. When enabled, the switch acts as an IGMP Snooping Querier for the hosts in this VLAN. A querier periodically sends a general query on the network to solicit membership information, and sends group-specific queries when it receives leave messages from hosts.
  • Page 249 Configuring Layer 2 Multicast IGMP Snooping Configuration Switch(config)#ip igmp snooping vlan-config 1 immediate-leave Switch(config)#ip igmp snooping vlan-config 1 report-suppression Switch(config)#show ip igmp snooping vlan 1 Vlan Id: 1 Vlan IGMP Snooping Status: Enable Fast Leave: Enable Report Suppression: Enable Router Time:320 Member Time: 300 Querier: Disable Switch(config)#end...
  • Page 250: Configuring Igmp Snooping For Ports

    Configuring Layer 2 Multicast IGMP Snooping Configuration Last Member Query Count: General Query Source IP: 192.168.0.5 Switch(config)#end Switch#copy running-config startup-config 2.2.3 Configuring IGMP Snooping for Ports Follow these steps to configure IGMP Snooping for ports: Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list |...
  • Page 251: Configuring Hosts To Statically Join A Group

    Configuring Layer 2 Multicast IGMP Snooping Configuration Switch(config-if-range)#ip igmp snooping immediate-leave Switch(config-if-range)#show ip igmp snooping interface gigabitEthernet 1/0/1-3 Port IGMP-Snooping Fast-Leave ----------- ------------------- -------------- Gi1/0/1 enable enable Gi1/0/2 enable enable Gi1/0/3 enable enable Switch(config-if-range)#end Switch#copy running-config startup-config 2.2.4 Configuring Hosts to Statically Join a Group Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also configure hosts to statically join a group.
  • Page 252 Configuring Layer 2 Multicast IGMP Snooping Configuration Switch(config)#show ip igmp snooping groups static Multicast-ip VLAN-id Addr-type Switch-port ------------ ------- --------- ----------- 239.1.2.3 static Gi1/0/1-3 Switch(config)#end Switch#copy running-config startup-config
  • Page 253: Mld Snooping Configuration

    Configuring Layer 2 Multicast MLD Snooping Configuration MLD Snooping Configuration To complete MLD Snooping configuration, follow these steps: 1) Enable MLD Snooping globally and configure the global parameters. 2) Configure MLD Snooping for VLANs. 3) Configure MLD Snooping for ports. 4) (Optional) Configure hosts to statically join a group.
  • Page 254: Configuring Mld Snooping For Vlans

    Configuring Layer 2 Multicast MLD Snooping Configuration 2) Click Apply. 3.1.2 Configuring MLD Snooping for VLANs Before configuring MLD Snooping for VLANs, set up the VLANs that the router ports and the member ports are in. For details, please refer to Configuring 802.1Q VLAN.
  • Page 255 Configuring Layer 2 Multicast MLD Snooping Configuration Fast Leave Enable or disable Fast Leave for the VLAN. Without Fast Leave, after a receiver sends an MLD done message (equivalent to an IGMP leave message) to leave a multicast group, the switch will forward the done message to the Layer 3 device (the querier).
  • Page 256 Configuring Layer 2 Multicast MLD Snooping Configuration Leave Time Specify the leave time for the VLAN. When the switch receives a leave message from a port to leave a multicast group, it will wait for a leave time before removing the port from the multicast group. During the period, if the switch receives any report messages from the port, the port will not be removed from the multicast group.
  • Page 257: Configuring Mld Snooping For Ports

    Configuring Layer 2 Multicast MLD Snooping Configuration 3.1.3 Configuring MLD Snooping for Ports Choose the menu L2 FEATURES > Multicast > MLD Snooping > Port Config to load the following page. Figure 3-3 Configure MLD Snooping for Ports Follow these steps to configure MLD Snooping for ports: 1) Enable MLD Snooping for the port and enable Fast Leave if there is only one receiver connected to the port.
  • Page 258: Using The Cli

    Configuring Layer 2 Multicast MLD Snooping Configuration Choose the menu L2 FEATURES > Multicast > MLD Snooping > Static Group Config and click to load the following page. Figure 3-4 Configure Hosts to Statically Join a Group Follow these steps to configure hosts to statically join a group: 1) Specify the multicast IP address, VLAN ID.
  • Page 259: Configuring Mld Snooping For Vlans

    Configuring Layer 2 Multicast MLD Snooping Configuration Step 3 ipv6 mld snooping drop-unknown (Optional) Set the way the switch processes multicast streams sent to unknown multicast groups to Discard. By default, it is Forward. Unknown multicast groups are multicast groups that do not match any of the groups announced in earlier IGMP membership reports, and thus cannot be found in the multicast forwarding table of the switch.
  • Page 260 Configuring Layer 2 Multicast MLD Snooping Configuration Follow these steps to configure MLD Snooping for VLANs: Step 1 configure Enter global configuration mode. Step 2 ipv6 mld snooping vlan-config vlan-id-list mtime member-time Enable MLD Snooping for the specified VLANs, and specify the member port aging time for the VLANs.
  • Page 261 Configuring Layer 2 Multicast MLD Snooping Configuration Step 5 ipv6 mld snooping vlan-config vlan-id-list report-suppression (Optional) Enable Report Suppression for the VLANs. By default, it is disabled. When enabled, the switch will only forward the first MLD report message for each multicast group to the MLD querier and suppress subsequent MLD report messages for the same multicast group during one query interval.
  • Page 262 Configuring Layer 2 Multicast MLD Snooping Configuration Step 9 ipv6 mld snooping vlan-config vlan-id-list querier (Optional) Enable MLD Snooping Querier for the VLAN. By default, it is disabled. When enabled, the switch acts as an MLD Snooping Querier for the hosts in this VLAN. A querier periodically sends a general query on the network to solicit membership information, and sends group-specific queries when it receives done messages from hosts.
  • Page 263 Configuring Layer 2 Multicast MLD Snooping Configuration Switch(config)#show ipv6 mld snooping vlan 1 Vlan Id: 1 Vlan MLD Snooping Status: Enable Fast Leave: Enable Report Suppression: Enable Router Time: Enable Member Time: Enable Querier: Disable Switch(config)#end Switch#copy running-config startup-config The following example shows how to enable MLD Snooping querier for VLAN 1, and configure the query interval as 100 seconds, the maximum response time as 15 seconds, the last listener query interval as 2 seconds, the last listener query count as 3, and the general query source IP as 2000::1:2345:6789:ABCD:...
  • Page 264: Configuring Mld Snooping For Ports

    Configuring Layer 2 Multicast MLD Snooping Configuration General Query Source IP: 2000::1:2345:6789:abcd Switch(config)#end Switch#copy running-config startup-config 3.2.3 Configuring MLD Snooping for Ports Follow these steps to configure MLD Snooping for ports: Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list }...
  • Page 265: Configuring Hosts To Statically Join A Group

    Configuring Layer 2 Multicast MLD Snooping Configuration Port MLD-Snooping Fast-Leave ----------- ------------------- -------------- Gi1/0/1 enable enable Gi1/0/2 enable enable Gi1/0/3 enable enable Switch(config-if-range)#end Switch#copy running-config startup-config 3.2.4 Configuring Hosts to Statically Join a Group Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also configure hosts to statically join a group.
  • Page 266 Configuring Layer 2 Multicast MLD Snooping Configuration Multicast-ip VLAN-id Addr-type Switch-port ------------ ------- --------- ----------- ff80::1234:1 static Gi1/0/1-3 Switch(config)#end Switch#copy running-config startup-config
  • Page 267: Mvr Configuration

    Configuring Layer 2 Multicast MVR Configuration MVR Configuration To complete MVR configuration, follow these steps: 1) Configure 802.1Q VLANs. 2) Configure MVR globally. 3) Add multicast groups to MVR. 4) Configure MVR for the ports. 5) (Optional) Statically add ports to MVR groups. Configuration Guidelines ■...
  • Page 268: Configuring Mvr Globally

    Configuring Layer 2 Multicast MVR Configuration 4.1.2 Configuring MVR Globally Choose the menu L2 FEATURES > Multicast > MVR > MVR Config to load the following page. Figure 4-1 Configure MVR Globally Follow these steps to configure MVR globally: 1) Enable MVR globally and configure the global parameters. Enable or disable MVR globally.
  • Page 269: Adding Multicast Groups To Mvr

    Configuring Layer 2 Multicast MVR Configuration 4.1.3 Adding Multicast Groups to MVR You need to manually add multicast groups to the MVR. Choose the menu L2 FEATURES > Multicast > MVR > MVR Group Config and click to load the following page. Figure 4-2 Add Multicast Groups to MVR Follow these steps to add multicast groups to MVR: 1) Specify the IP address of the multicast groups.
  • Page 270: Configuring Mvr For The Port

    Configuring Layer 2 Multicast MVR Configuration Status Displays the status of the MVR group. In compatible mode, all the MVR groups are added manually, so the status is always active. In dynamic mode, there are two statuses: Inactive: The MVR group is added successfully, but the source port has not received any query messages from this multicast group.
  • Page 271: Optional) Adding Ports To Mvr Groups Statically

    Configuring Layer 2 Multicast MVR Configuration Type Configure the port type. None: The port is a non-MVR port. If you attempt to configure a non-MVR port with MVR characteristics, the operation will be unsuccessful. Source: Configure the uplink ports that receive and send multicast data on the multicast VLAN as source ports.
  • Page 272: Using The Cli

    Configuring Layer 2 Multicast MVR Configuration Follow these steps to statically add ports to an MVR group: 1) Select the ports to add them to the MVR group. 2) Click Save. Using the CLI 4.2.1 Configuring 802.1Q VLANs Before configuring MVR, create an 802.1Q VLAN as the multicast VLAN. Add all the source ports to the multicast VLAN as tagged ports.
  • Page 273 Configuring Layer 2 Multicast MVR Configuration Step 6 mvr group ip-addr count Add multicast groups to the MVR. ip-addr: Specify the start IP address of the contiguous series of multicast groups. count: Specify the number of the multicast groups to be added to the MVR. The range is 1 to 511.
  • Page 274: Configuring Mvr For The Ports

    Configuring Layer 2 Multicast MVR Configuration MVR Group IP status Members ---------------- --------- ---------------- 239.1.2.3 active 239.1.2.4 active 239.1.2.5 active Switch(config)#end Switch#copy running-config startup-config 4.2.3 Configuring MVR for the Ports Follow these steps to configure MVR for the ports: Step 1 configure Enter global configuration mode.
  • Page 275 Configuring Layer 2 Multicast MVR Configuration Step 7 show mvr interface {fastEthernet [ port-list ] | gigabitEthernet [ port-list ] | ten-gigabitEthernet [ port-list ] } Show the MVR configuration of the specified interface(s). show mvr members Show the membership information of all MVR groups. Step 8 Return to privileged EXEC mode.
  • Page 276 Configuring Layer 2 Multicast MVR Configuration MVR Group IP status Members ---------------- --------- ---------------- 239.1.2.3 active Gi1/0/1-3, 1/0/7 Switch(config)#end Switch#copy running-config startup-config
  • Page 277: Multicast Filtering Configuration

    Configuring Layer 2 Multicast Multicast Filtering Configuration Multicast Filtering Configuration To complete multicast filtering configuration, follow these steps: 1) Create the IGMP profile or MLD profile. 2) Configure multicast groups a port can join and the overflow action. Using the GUI 5.1.1 Creating the Multicast Profile You can create multicast profiles for both IPv4 and IPv6 networks.
  • Page 278 Configuring Layer 2 Multicast Multicast Filtering Configuration Figure 5-1 Create IPv4 Profile Follow these steps to create a profile. 1) In the General Config section, specify the Profile ID and Mode. Profile ID Enter a profile ID between 1 and 999. Mode Select Permit or Deny as the filtering mode.
  • Page 279: Configure Multicast Filtering For Ports

    Configuring Layer 2 Multicast Multicast Filtering Configuration Figure 5-2 Configure Multicast Groups to Be Filtered 3) In the Bind Ports section, select your desired ports to be bound with the profile. 4) Click Save. 5.1.2 Configure Multicast Filtering for Ports You can modify the mapping relation between ports and profiles in batches, and configure the number of multicast groups a port can join and the overflow action.
  • Page 280: Using The Cli

    Configuring Layer 2 Multicast Multicast Filtering Configuration Follow these steps to bind the profile to ports and configure the corresponding parameters for the ports: 1) Select one or more ports to configure. 2) Specify the profile to be bound, and configure the maximum groups the port can join and the overflow action.
  • Page 281 Configuring Layer 2 Multicast Multicast Filtering Configuration Step 3 Permit Configure the profile’s filtering mode as permit. Then the profile acts as a whitelist and only allows specific member ports to join specified multicast groups. deny Configure the profile’s filtering mode as deny. Then the profile acts as a blacklist and prevents specific member ports from joining specific multicast groups.
  • Page 282 Configuring Layer 2 Multicast Multicast Filtering Configuration Step 2 ipv6 mld profile id Create a new profile and enter profile configuration mode. Step 3 Permit Configure the profile’s filtering mode as permit. It is similar to a whitelist, indicating that the switch only allows specific member ports to join specific multicast groups.
  • Page 283: Binding The Profile To Ports

    Configuring Layer 2 Multicast Multicast Filtering Configuration 5.2.2 Binding the Profile to Ports You can bind the created IGMP profile or MLD profile to ports, and configure the number of multicast groups a port can join and the overflow action. Binding the IGMP Profile to Ports Step 1 configure...
  • Page 284 Configuring Layer 2 Multicast Multicast Filtering Configuration The following example shows how to bind the existing Profile 1 to port 1/0/2, and specify the maximum number of multicast groups that port 1/0/2 can join as 50 and the Overflow Action as Drop: Switch#configure Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#ip igmp snooping...
  • Page 285 Configuring Layer 2 Multicast Multicast Filtering Configuration Step 4 ipv6 mld snooping max-groups maxgroup Configure the maximum number of multicast groups the port can join. maxgroup : Specify the maximum number of multicast groups the port can join. The range is 0 to 1000.
  • Page 286 Configuring Layer 2 Multicast Multicast Filtering Configuration Gi1/0/2 Switch(config-if)#show ipv6 mld snooping interface gigabitEthernet 1/0/2 max-groups Port Max-Groups Overflow-Action ------------- --------------- --------------------- Gi1/0/2 Drops Switch(config)#end Switch#copy running-config startup-config
  • Page 287: Viewing Multicast Snooping Information

    Configuring Layer 2 Multicast Viewing Multicast Snooping Information Viewing Multicast Snooping Information You can view the following multicast snooping information: ■ View IPv4 multicast table. ■ View IPv4 multicast statistics on each port. ■ View IPv6 multicast table. ■ View IPv6 multicast statistics on each port. Using the GUI 6.1.1 Viewing IPv4 Multicast Table Choose the menu L2 FEATURES >...
  • Page 288: Viewing Ipv4 Multicast Statistics On Each Port

    Configuring Layer 2 Multicast Viewing Multicast Snooping Information Type Displays how the multicast entry is generated. Dynamic: The entry is dynamically learned. All the member ports are dynamically added to the multicast group. Static: The entry is manually added. All the member ports are manually added to the multicast group.
  • Page 289: Viewing Ipv6 Multicast Table

    Configuring Layer 2 Multicast Viewing Multicast Snooping Information Refresh Interval After Auto Refresh is enabled, specify the time interval for the switch to refresh the multicast statistics. 2) In the Port Statistics section, view IPv4 multicast statistics on each port. Query Packets Displays the number of query packets received by the port.
  • Page 290: Viewing Ipv6 Multicast Statistics On Each Port

    Configuring Layer 2 Multicast Viewing Multicast Snooping Information Type Displays how the multicast entry is generated. Dynamic: The entry is dynamically learned. All the member ports are dynamically added to the multicast group. Static: The entry is manually added. All the member ports are manually added to the multicast group.
  • Page 291: Using The Cli

    Configuring Layer 2 Multicast Viewing Multicast Snooping Information Refresh Interval After Auto Refresh is enabled, specify the time interval for the switch to refresh the multicast statistics. 2) In the Port Statistics section, view IPv6 multicast statistics on each port. Query Packets Displays the number of query packets received by the port.
  • Page 292: Viewing Ipv6 Multicast Snooping Configurations

    Configuring Layer 2 Multicast Viewing Multicast Snooping Information 6.2.2 Viewing IPv6 Multicast Snooping Configurations show ipv6 mld snooping groups [vlan vlan-id ] [count | dynamic | dynamic count | static | static count ] Displays information of specific multicast group in all VLANs or in the specific VLAN. count displays the number of multicast groups.
  • Page 293: Configuration Examples

    Configuring Layer 2 Multicast Configuration Examples Configuration Examples Example for Configuring Basic IGMP Snooping 7.1.1 Network Requirements Host B, Host C and Host D are in the same VLAN of the switch. All of them want to receive multicast streams sent to multicast group 225.1.1.1. As shown in the following topology, Host B, Host C and Host D are connected to port 1/0/1, port 1/0/2 and port 1/0/3 respectively.
  • Page 294: Using The Gui

    Configuring Layer 2 Multicast Configuration Examples ■ Enable IGMP Snooping on the ports. Demonstrated with T1600G-28TS, this section provides configuration procedures in two ways: using the GUI and using the CLI. 7.1.3 Using the GUI 1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page.
  • Page 295 Configuring Layer 2 Multicast Configuration Examples Figure 7-3 Configure PVID for the Ports 3) Choose the menu L2 FEATURES > Multicast > IGMP Snooping > Global Config to load the following page. In the Global Config section, enable IGMP Snooping globally. Configure the IGMP version as v3 so that the switch can process IGMP messages of all versions.
  • Page 296: Using The Cli

    Configuring Layer 2 Multicast Configuration Examples Figure 7-5 Enable IGMP Snooping for VLAN 10 5) Choose the menu L2 FEATURES > Multicast > IGMP Snooping > Port Config to load the following page. Enable IGMP Snooping for ports 1/0/1-4. Figure 7-6 Enable IGMP Snooping for the Ports 6) Click to save the settings.
  • Page 297 Configuring Layer 2 Multicast Configuration Examples 2) Add port 1/0/1-3 to VLAN 10 and set the link type as untagged. Add port 1/0/4 to VLAN 10 and set the link type as tagged. Switch(config)#interface range gigabitEthernet 1/0/1-3 Switch(config-if-range)#switchport general allowed vlan 10 untagged Switch(config-if-range)#exit Switch(config)#interface gigabitEthernet 1/0/4 Switch(config-if)#switchport general allowed vlan 10 tagged...
  • Page 298: Example For Configuring Mvr

    Configuring Layer 2 Multicast Configuration Examples vlan10 active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4 Show status of IGMP Snooping globally, on the ports and in the VLAN: Switch(config)#show ip igmp snooping IGMP Snooping :Enable IGMP Version Header Validation :Disable Global Authentication Accounting :Disable Enable Port : Gi1/0/1-4 Enable VLAN:10...
  • Page 299: Configuration Scheme

    Configuring Layer 2 Multicast Configuration Examples Figure 7-7 Network Topology for Multicast VLAN (figure labels: Source, Querier, VLAN 40, ports Gi1/0/1-4, receivers Host B, Host C and Host D) 7.2.3 Configuration Scheme As the hosts are in different VLANs, in IGMP Snooping, the Querier needs to duplicate multicast streams for hosts in each VLAN.
  • Page 300 Configuring Layer 2 Multicast Configuration Examples Figure 7-8 VLAN Configurations for Port 1/0/1-3 Figure 7-9 PVID for Port 1/0/1-3 2) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 40 and add port 1/0/4 to the VLAN as Tagged port.
  • Page 301 Configuring Layer 2 Multicast Configuration Examples Figure 7-10 Create Multicast VLAN 3) Choose the menu L2 FEATURES > Multicast > MVR > MVR Config to load the following page. Enable MVR globally, and configure the MVR mode as Dynamic, multicast VLAN ID as 40.
  • Page 302: Using The Cli

    Configuring Layer 2 Multicast Configuration Examples Figure 7-12 Add Multicast Group to MVR 5) Choose the menu L2 FEATURES > Multicast > MVR > Port Config to load the following page. Enable MVR for port 1/0/1-4. Configure port 1/0/1-3 as Receiver ports and port 1/0/4 as Source port.
  • Page 303 Configuring Layer 2 Multicast Configuration Examples Switch(config-if)#switchport general allowed vlan 10 untagged Switch(config-if)#switchport pvid 10 Switch(config-if)#exit Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#switchport general allowed vlan 20 untagged Switch(config-if)#switchport pvid 20 Switch(config-if)#exit Switch(config)#interface gigabitEthernet 1/0/3 Switch(config-if)#switchport general allowed vlan 30 untagged Switch(config-if)#switchport pvid 30 Switch(config-if)#exit Switch(config)#interface gigabitEthernet 1/0/4 Switch(config-if)#switchport general allowed vlan 40 tagged...
  • Page 304 Configuring Layer 2 Multicast Configuration Examples 4) Enable MVR globally, and configure the MVR mode as Dynamic, multicast VLAN ID as 40. Add multicast group 225.1.1.1 to MVR. Switch(config)#mvr Switch(config)#mvr mode dynamic Switch(config)#mvr vlan 40 Switch(config)#mvr group 225.1.1.1 1 5) Enable MVR for port 1/0/1-4. Configure port 1/0/1-3 as Receiver ports and port 1/0/4 as Source port.
  • Page 305: Example For Configuring Unknown Multicast And Fast Leave

    Configuring Layer 2 Multicast Configuration Examples Show the brief information of MVR: Switch(config)#show mvr :Enable MVR Multicast Vlan MVR Max Multicast Groups :511 MVR Current Multicast Groups MVR Global Query Response Time :5 (tenths of sec) MVR Mode Type :Dynamic Show the membership of MVR groups: Switch(config)#show mvr members MVR Group IP...
  • Page 306: Configuration Scheme

    Host B only receives multicast data from the new channel and that the multicast network is unimpeded. Demonstrated with T1600G-52TS, this section provides configuration procedures in two ways: using the GUI and using the CLI. 7.3.3 Using the GUI 1) Create VLAN 10.
  • Page 307 Configuring Layer 2 Multicast Configuration Examples Figure 7-15 Configure IGMP Snooping Globally Note: IGMP Snooping and MLD Snooping share the setting of Unknown Multicast, so you have to enable MLD Snooping globally on the L2 FEATURES > Multicast > MLD Snooping > Global Config page at the same time.
  • Page 308: Using The Cli

    Configuring Layer 2 Multicast Configuration Examples Figure 7-17 Configure IGMP Snooping on Ports 5) Click to save the settings. 7.3.4 Using the CLI 1) Enable IGMP Snooping and MLD Snooping globally. Switch#configure Switch(config)#ip igmp snooping Switch(config)#ipv6 mld snooping 2) Configure Unknown Multicast Groups as Discard globally. Switch(config)#ip igmp snooping drop-unknown 3) Enable IGMP Snooping on port 1/0/2 and enable Fast Leave.
  • Page 309: Example For Configuring Multicast Filtering

    Configuring Layer 2 Multicast Configuration Examples 5) Save the settings. Switch(config)#end Switch#copy running-config startup-config Verify the Configurations Show global settings of IGMP Snooping: Switch(config)#show ip igmp snooping IGMP Snooping :Enable IGMP Version Unknown Multicast :Discard Enable Port: Gi1/0/1-28 Enable VLAN:10 Show settings of IGMP Snooping on port 1/0/2: Switch(config)#show ip igmp snooping interface gigabitEthernet 1/0/2 basic-config Port...
  • Page 310: Network Topology

    Configuring Layer 2 Multicast Configuration Examples 7.4.3 Network Topology As shown in the following network topology, Host B is connected to port 1/0/1, Host C is connected to port 1/0/2 and Host D is connected to port 1/0/3. They are all in VLAN 10. Figure 7-18 Network Topology for Multicast Filtering Source Querier...
  • Page 311 Configuring Layer 2 Multicast Configuration Examples Figure 7-19 Enable IGMP Snooping Globally 3) In the IGMP VLAN Config section, click in VLAN 10 to load the following page. Enable IGMP Snooping for VLAN 10. Figure 7-20 Enable IGMP Snooping for VLAN 10
  • Page 312 Configuring Layer 2 Multicast Configuration Examples 4) Choose the menu L2 FEATURES > Multicast > IGMP Snooping > Port Config to load the following page. Figure 7-21 Enable IGMP Snooping on the Port 5) Choose the menu L2 FEATURES > Multicast > Multicast Filtering > IPv4 Profile and click to load the following page.
  • Page 313 Configuring Layer 2 Multicast Configuration Examples Figure 7-22 Configure Filtering Profile for Host C and Host D 6) Click again to load the following page. Create Profile 2, specify the mode as Deny, bind the profile to port 1/0/1, and specify the filtering multicast IP address as 225.0.0.2.
  • Page 314: Using The Cli

    Configuring Layer 2 Multicast Configuration Examples Figure 7-23 Configure Filtering Profile for Host B 7) Click to save the settings. 7.4.5 Using the CLI 1) Create VLAN 10. Switch#configure Switch(config)#vlan 10 Switch(config-vlan)#name vlan10 Switch(config-vlan)#exit 2) Add port 1/0/1-3 to VLAN 10 and set the link type as untagged. Add port 1/0/4 to VLAN 10 and set the link type as tagged.
  • Page 315 Configuring Layer 2 Multicast Configuration Examples Switch(config)#interface gigabitEthernet 1/0/4 Switch(config-if)#switchport general allowed vlan 10 tagged Switch(config-if)#exit 3) Set the PVID of port 1/0/1-4 as 10. Switch(config)#interface range gigabitEthernet 1/0/1-4 Switch(config-if-range)#switchport pvid 10 Switch(config-if-range)#exit 4) Enable IGMP Snooping Globally. Switch(config)#ip igmp snooping 5) Enable IGMP Snooping in VLAN 10.
  • Page 316 Configuring Layer 2 Multicast Configuration Examples Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#ip igmp filter 2 Switch(config-if)#exit 11) Save the settings. Switch(config)#end Switch#copy running-config startup-config Verify the Configurations Show global settings of IGMP Snooping: Switch(config)#show ip igmp snooping IGMP Snooping :Enable IGMP Version Enable Port:Gi1/0/1-4 Enable VLAN:10 Show all profile bindings:...
  • Page 317: Appendix: Default Parameters

    Configuring Layer 2 Multicast Appendix: Default Parameters Appendix: Default Parameters Default Parameters for IGMP Snooping Table 8-1 Default Parameters of IGMP Snooping Function Parameter Default Setting IGMP Snooping Disabled IGMP Version Global Settings of IGMP Snooping Unknown Multicast Groups Forward Header Validation Disabled IGMP Snooping...
  • Page 318: Default Parameters For Mld Snooping

    Configuring Layer 2 Multicast Appendix: Default Parameters Default Parameters for MLD Snooping Table 8-2 Default Parameters of MLD Snooping Function Parameter Default Setting MLD Snooping Disabled Global Settings of IGMP Snooping Unknown Multicast Groups Forward MLD Snooping Disabled Fast Leave Disabled Report Suppression Disabled...
  • Page 319: Default Parameters For Mvr

    Configuring Layer 2 Multicast Appendix: Default Parameters Default Parameters for MVR Table 8-3 Default Parameters of MVR Function Parameter Default Setting Disabled MVR Mode Compatible Global Settings of MVR Multicast VLAN ID Query Response Time 5 tenths of a second Maximum Multicast Groups MVR Group Settings MVR Group Entries...
  • Page 320: Configuring Spanning Tree

    Part 11 Configuring Spanning Tree CHAPTERS 1. Spanning Tree 2. STP/RSTP Configurations 3. MSTP Configurations 4. STP Security Configurations 5. Configuration Example for MSTP 6. Appendix: Default Parameters...
  • Page 321: Spanning Tree

    Configuring Spanning Tree Spanning Tree Spanning Tree Overview STP (Spanning Tree Protocol) is a layer 2 Protocol that prevents loops in the network. As is shown in Figure 1-1, STP helps to: ■ Block specific ports of the switches to build a loop-free topology. ■...
  • Page 322 Configuring Spanning Tree Spanning Tree Figure 1-2 STP/RSTP Topology Root bridge Designated port Designated port Root port Root port Designated port Designated port Root port Root port Designated port Backup port Alternate port Root Bridge The root bridge is the root of a spanning tree. The switch with the lowest bridge ID will be the root bridge, and there is only one root bridge in a spanning tree.
  • Page 323 Configuring Spanning Tree Spanning Tree In RSTP/MSTP, the alternate port is the backup for the root port. It is blocked when the root port works normally. Once the root port fails, the alternate port will become the new root port. In STP, the alternate port is always blocked.
  • Page 324 Spanning Tree Learning and Forwarding status correspond exactly to the Learning and Forwarding status specified in STP. In TP-Link switches, the port status includes: Blocking, Learning, Forwarding and Disconnected. ■ Blocking In this status, the port receives and sends BPDUs. The other packets are dropped.
  • Page 325: Mstp Concepts

    Configuring Spanning Tree Spanning Tree downstream switch. The value of the accumulated root path cost increases as the BPDU spreads further. BPDU BPDU is a kind of packet that is used to generate and maintain the spanning tree. The BPDUs (Bridge Protocol Data Unit) contain a lot of information, like bridge ID, root path cost, port priority and so on.
  • Page 326: Stp Security

    Configuring Spanning Tree Spanning Tree MST Instance The MST instance is a spanning tree running in the MST region. Multiple MST instances can be established in one MST region and they are independent of each other. As is shown in Figure 1-4, there are three instances in a region, and each instance has its own root bridge.
  • Page 327 Configuring Spanning Tree Spanning Tree » Loop Protect Loop Protect function is used to prevent loops caused by link congestions or link failures. It is recommended to enable this function on root ports and alternate ports. If the switch cannot receive BPDUs because of link congestions or link failures, the root port will become a designated port and the alternate port will transit to forwarding status, so loops will occur.
  • Page 328 Configuring Spanning Tree Spanning Tree » TC Protect TC Protect function is used to prevent the switch from frequently removing MAC address entries. It is recommended to enable this function on the ports of non-root switches. A switch removes MAC address entries upon receiving TC-BPDUs (the packets used to announce changes in the network topology).
  • Page 329: Stp/Rstp Configurations

    Configuring Spanning Tree STP/RSTP Configurations STP/RSTP Configurations To complete the STP/RSTP configuration, follow these steps: 1) Configure STP/RSTP parameters on ports. 2) Configure STP/RSTP globally. 3) Verify the STP/RSTP configurations. Configuration Guidelines ■ Before configuring the spanning tree, it's necessary to make clear the role that each switch plays in a spanning tree.
  • Page 330 Configuring Spanning Tree STP/RSTP Configurations 1) In the Port Config section, configure STP/RSTP parameters on ports. UNIT Select the desired unit or LAGs. Status Enable or disable spanning tree function on the desired port. Priority Specify the Priority for the desired port. The value should be an integral multiple of 16, ranging from 0 to 240.
  • Page 331: Configuring Stp/Rstp Globally

    Configuring Spanning Tree STP/RSTP Configurations MCheck Select whether to perform MCheck operations on the port. If a port on an RSTP-enabled/MSTP-enabled device is connected to an STP-enabled device, the port will switch to STP compatible mode and send packets in STP format.
  • Page 332 Configuring Spanning Tree STP/RSTP Configurations Figure 2-2 Configuring STP/RSTP Globally Follow these steps to configure STP/RSTP globally: 1) In the Parameters Config section, configure the global parameters of STP/RSTP and click Apply. CIST Priority Specify the CIST priority for the switch. CIST priority is a parameter used to determine the root bridge for spanning tree.
  • Page 333: Verifying The Stp/Rstp Configurations

    Configuring Spanning Tree STP/RSTP Configurations Max Hops Specify the maximum BPDU counts that can be forwarded in a MST region. The default value is 20. A switch receives BPDU, then decrements the hop count by one and generates BPDUs with the new value. When the hop reaches zero, the switch will discard the BPDU.
  • Page 334 Configuring Spanning Tree STP/RSTP Configurations Figure 2-3 Verifying the STP/RSTP Configurations The STP Summary section shows the summary information of spanning tree: Spanning Tree Displays the status of the spanning tree function. Spanning Tree Mode Displays the spanning tree mode. Local Bridge Displays the bridge ID of the local bridge.
  • Page 335: Using The Cli

    Configuring Spanning Tree STP/RSTP Configurations Designated Bridge Displays the bridge ID of the designated bridge. The designated bridge is the switch that has designated ports. Root Port Displays the root port of the current switch. Latest TC Time Displays the latest time when the topology is changed. TC Count Displays how many times the topology has changed.
  • Page 336 Configuring Spanning Tree STP/RSTP Configurations Step 4 spanning-tree common-config [ port-priority pri ] [ ext-cost ext-cost ] [ portfast { enable | disable }] [ point-to-point { auto | open | close }] Configure STP/RSTP parameters on the desired port. pri: Specify the Priority for the desired port.
  • Page 337: Configuring Global Stp/Rstp Parameters

    Configuring Spanning Tree STP/RSTP Configurations The following example shows how to enable spanning tree function on port 1/0/3 and configure the port priority as 32: Switch#configure Switch(config)#interface gigabitEthernet 1/0/3 Switch(config-if)#spanning-tree Switch(config-if)#spanning-tree common-config port-priority 32 Switch(config-if)#show spanning-tree interface gigabitEthernet 1/0/3 Interface State Prio...
  • Page 338 Configuring Spanning Tree STP/RSTP Configurations Step 3 spanning-tree timer {[ forward-time forward-time ] [hello-time hello-time ] [ max-age max- age ]} (Optional) Configure the Forward Delay, Hello Time and Max Age. forward-time: Specify the value of Forward Delay. It is the interval between the port state transition from listening to learning.
  • Page 339: Enabling Stp/Rstp Globally

    Configuring Spanning Tree STP/RSTP Configurations Switch#configure Switch(config)#spanning-tree priority 36864 Switch(config)#spanning-tree timer forward-time 12 Switch(config)#show spanning-tree bridge State Mode Priority Hello-Time Fwd-Time Max-Age Hold-Count Max-Hops ------- ----- -------- ------ -------- -------- --------- -------- Enable Rstp 36864 Switch(config)#end Switch#copy running-config startup-config 2.2.3 Enabling STP/RSTP Globally Follow these steps to configure the spanning tree mode as STP/RSTP, and enable spanning tree function globally: Step 1...
  • Page 340 Configuring Spanning Tree STP/RSTP Configurations Switch(config)#show spanning-tree active Spanning tree is enabled Spanning-tree’s mode: RSTP (802.1w Rapid Spanning Tree Protocol) Latest topology change time: 2006-01-02 10:04:02 Root Bridge Priority : 32768 Address : 00-0a-eb-13-12-ba Local bridge is the root bridge Designated Bridge Priority : 32768...
  • Page 341: Mstp Configurations

    Configuring Spanning Tree MSTP Configurations MSTP Configurations To complete the MSTP configuration, follow these steps: 1) Configure parameters on ports in CIST. 2) Configure the MSTP region. 3) Configure the MSTP globally. 4) Verify the MSTP configurations. Configuration Guidelines ■ Before configuring the spanning tree, it's necessary to make clear the role that each switch plays in a spanning tree.
  • Page 342 Configuring Spanning Tree MSTP Configurations Follow these steps to configure parameters on ports in CIST: 1) In the Port Config section, configure the parameters on ports. UNIT Select the desired unit or LAGs. Status Enable or disable spanning tree function on the desired port. Priority Specify the Priority for the desired port.
  • Page 343 Configuring Spanning Tree MSTP Configurations P2P Link Select the status of the P2P (Point-to-Point) link to which the ports are connected. During the regeneration of the spanning tree, if the port of P2P link is elected as the root port or the designated port, it can transit its state to forwarding directly.
  • Page 344: Configuring The Mstp Region

    Configuring Spanning Tree MSTP Configurations Port Status Displays the port status. Forwarding: The port receives and sends BPDUs, and forwards user data. Learning: The port receives and sends BPDUs. It also receives user traffic, but doesn’t forward the traffic. Blocking: The port only receives and sends BPDUs. Disconnected: The port has the spanning tree function enabled but is not connected to any device.
  • Page 345 Configuring Spanning Tree MSTP Configurations ■ Configuring the VLAN-Instance Mapping and Switch Priority Choose the menu L2 FEATURES > Spanning Tree > MSTP Instance > Instance Config to load the following page. Figure 3-3 Configuring the VLAN-Instance Mapping Follow these steps to map VLANs to the corresponding instance, and configure the priority of the switch in the desired instance: 1) In the Instance Config section, click Add and enter the instance ID, Priority and corresponding VLAN ID.
  • Page 346 Configuring Spanning Tree MSTP Configurations ■ Configuring Parameters on Ports in the Instance Choose the menu L2 FEATURES > Spanning Tree > MSTP Instance > Instance Port Config to load the following page. Figure 3-5 Configuring Port Parameters in the Instance Follow these steps to configure port parameters in the instance: 1) In the Instance Port Config section, select the desired instance ID.
  • Page 347 Configuring Spanning Tree MSTP Configurations Port Role Displays the role that the port plays in the desired instance. Root Port: Indicates that the port is the root port in the desired instance. It has the lowest path cost from the root bridge to this switch and is used to communicate with the root bridge.
  • Page 348: Configuring Mstp Globally

    Configuring Spanning Tree MSTP Configurations 3.1.3 Configuring MSTP Globally Choose the menu L2 FEATURES > Spanning Tree > STP Config > STP Config to load the following page. Figure 3-6 Configure MSTP Function Globally Follow these steps to configure MSTP globally: 1) In the Parameters Config section, configure the global parameters of MSTP and click Apply.
  • Page 349 Configuring Spanning Tree MSTP Configurations Forward Delay Specify the interval between the port state transition from listening to learning. The default value is 15. It is used to prevent the network from causing temporary loops during the regeneration of spanning tree. The interval between the port state transition from learning to forwarding is also the Forward Delay.
  • Page 350: Verifying The Mstp Configurations

    Configuring Spanning Tree MSTP Configurations 3.1.4 Verifying the MSTP Configurations Choose the menu Spanning Tree > STP Config > STP Summary to load the following page. Figure 3-7 Verifying the MSTP Configurations The STP Summary section shows the summary information of CIST: Spanning Tree Displays the status of the spanning tree function.
  • Page 351: Using The Cli

    Configuring Spanning Tree MSTP Configurations Regional Root Bridge Displays the bridge ID of the root bridge in IST. Internal Path Cost Displays the internal path cost. It is the root path cost from the current switch to the root bridge in IST. Designated Bridge Displays the bridge ID of the designated bridge in CIST.
  • Page 352 Configuring Spanning Tree MSTP Configurations Step 3 spanning-tree Enable spanning tree function for the desired port. Step 4 spanning-tree common-config [ port-priority pri ] [ ext-cost ext-cost ] [ int-cost int-cost ][ portfast { enable | disable }] [ point-to-point { auto | open | close }] Configure the parameters on ports in CIST.
  • Page 353 Configuring Spanning Tree MSTP Configurations Step 6 show spanning-tree interface [ fastEthernet port | gigabitEthernet port | ten- gigabitEthernet port | port-channel lagid ] [ edge | ext-cost | int-cost | mode | p2p | priority | role | state | status ] (Optional) View the information of all ports or a specified port.
  • Page 354: Configuring The Mstp Region

    Configuring Spanning Tree MSTP Configurations 3.2.2 Configuring the MSTP Region ■ Configuring the MST Region Follow these steps to configure the MST region and the priority of the switch in the instance: Step 1 configure Enter global configuration mode. Step 2 spanning-tree mst instance instance-id priority pri Configure the priority of the switch in the instance.
  • Page 355 Configuring Spanning Tree MSTP Configurations Step 8 Return to privileged EXEC mode. Step 9 copy running-config startup-config Save the settings in the configuration file. This example shows how to create an MST region, of which the region name is R1, the revision level is 100 and VLAN 2-VLAN 6 are mapped to instance 5: Switch#configure Switch(config)#spanning-tree mst configuration...
  • Page 356 Configuring Spanning Tree MSTP Configurations Step 3 spanning-tree mst instance instance-id {[ port-priority pri ] | [ cost cost ]} Configure the priority and path cost of ports in the specified instance. instance-id: Specify the instance ID, the valid values ranges from 1 to 8. pri: Specify the Priority for the port in the corresponding instance.
  • Page 357: Configuring Global Mstp Parameters

    Configuring Spanning Tree MSTP Configurations Interface Prio Cost Role Status ----------- ------ ------ -------- --------- ------- Gi1/0/3 144 200 LnkDwn N/A Switch(config-if)#end Switch#copy running-config startup-config 3.2.3 Configuring Global MSTP Parameters Follow these steps to configure the global MSTP parameters of the switch: Step 1 configure Enter global configuration mode.
  • Page 358 Configuring Spanning Tree MSTP Configurations Step 5 spanning-tree max-hops value (Optional) Specify the maximum BPDU hop counts that can be forwarded in a MST region. A switch receives BPDU, then decrements the hop count by one and generates BPDUs with the new value.
  • Page 359: Enabling Spanning Tree Globally

    Configuring Spanning Tree MSTP Configurations 3.2.4 Enabling Spanning Tree Globally Follow these steps to configure the spanning tree mode as MSTP and enable spanning tree function globally: Step 1 configure Enter global configuration mode. Step 2 spanning-tree mode mstp Configure the spanning tree mode as MSTP. mstp: Specify the spanning tree mode as MSTP.
  • Page 360 Configuring Spanning Tree MSTP Configurations Priority : 32768 Address : 00-0a-eb-13-23-97 Regional Root Bridge Priority : 36864 Address : 00-0a-eb-13-12-ba Local bridge is the regional root bridge Local Bridge Priority : 36864 Address : 00-0a-eb-13-12-ba Interface State Prio Ext-Cost Int-Cost Edge Mode Role Status...
  • Page 361: Stp Security Configurations

    Configuring Spanning Tree STP Security Configurations STP Security Configurations Using the GUI Choose the menu L2 FEATURES > Spanning Tree > STP Security to load the following page. Figure 4-1 Configuring the Port Protect Configure the Port Protect features for the selected ports, and click Apply. UNIT Select the desired unit or LAGs for configuration.
  • Page 362: Using The Cli

    Configuring Spanning Tree STP Security Configurations Root Protect Enable or disable Root Protect. It is recommended to enable this function on the designated ports of the root bridge. Switches with faulty configurations may produce higher-priority BPDUs than the root bridge’s, and this situation will cause recalculation of the spanning tree.
  • Page 363 Configuring Spanning Tree STP Security Configurations Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 3 spanning-tree guard loop (Optional) Enable Loop Protect.
  • Page 364 Configuring Spanning Tree STP Security Configurations Step 8 spanning-tree bpduflood (Optional) Enable BPDU Forward. This function only takes effect when the spanning tree function is disabled globally. By default, it is enabled. With BPDU forward enabled, the port can still forward spanning tree BPDUs when the spanning tree function is disabled.
  • Page 365: Configuration Example For Mstp

    Configuring Spanning Tree Configuration Example for MSTP Configuration Example for MSTP MSTP, backwards-compatible with STP and RSTP, can map VLANs to instances to implement load-balancing, thus providing a more flexible method in network management. Here we take the MSTP configuration as an example. Network Requirements As shown in figure 5-1, the network consists of three switches.
  • Page 366: Using The Gui

    Configuring Spanning Tree Configuration Example for MSTP Figure 5-2 VLAN-Instance Mapping Switch A Gi1/0/1 Gi1/0/1 Gi1/0/1 Switch B Switch C Instance 1: VLAN 101 -VLAN 103 Instance 2: VLAN 104 -VLAN 106 Blocked Port The overview of configuration is as follows: 1) Enable MSTP function globally in all the switches.
  • Page 367 Configuring Spanning Tree Configuration Example for MSTP Figure 5-3 Configure the Global MSTP Parameters of the Switch 2) Choose the menu L2 FEATURES > Spanning Tree > STP Config > Port Config to load the following page. Enable spanning tree function on port 1/0/1 and port 1/0/2. Here we leave the values of the other parameters as default settings.
  • Page 368 Configuring Spanning Tree Configuration Example for MSTP Figure 5-5 Configuring the MST Region 4) Choose the menu L2 FEATURES > Spanning Tree > MSTP Instance > Instance Config. Click Add, map VLAN101-VLAN103 to instance 1 and set the priority as 32768; map VLAN104-VLAN106 to instance 2 and set the priority as 32768.
  • Page 369 Configuring Spanning Tree Configuration Example for MSTP ■ Configurations for Switch B 1) Choose the menu L2 FEATURES > Spanning Tree > STP Config > STP Config to load the following page. Enable MSTP function globally, here we leave the values of the other global parameters as default settings.
  • Page 370 Configuring Spanning Tree Configuration Example for MSTP Figure 5-10 Configuring the Region 4) Choose the menu L2 FEATURES > Spanning Tree > MSTP Instance > Instance Config. Map VLAN101-VLAN103 to instance 1 and set the Priority as 0; map VLAN104- VLAN106 to instance 2 and set the priority as 32768. Click Create. Figure 5-11 Configuring the VLAN-Instance Mapping 5) Choose the menu L2 FEATURES >...
  • Page 371 Configuring Spanning Tree Configuration Example for MSTP ■ Configurations for Switch C 1) Choose the menu L2 FEATURES > Spanning Tree > STP Config > STP Config to load the following page. Enable MSTP function globally, here we leave the values of the other global parameters as default settings.
  • Page 372: Using The Cli

    Configuring Spanning Tree Configuration Example for MSTP Figure 5-15 Configuring the Region 4) Choose the menu L2 FEATURES > Spanning Tree > MSTP Instance > Instance Config. Click Add, map VLAN101-VLAN103 to instance 1 and set the priority as 32768; map VLAN104-VLAN106 to instance 2 and set the priority as 0.
  • Page 373 Configuring Spanning Tree Configuration Example for MSTP 3) Configure the region name as 1, the revision number as 100; map VLAN101-VLAN103 to instance 1; map VLAN104-VLAN106 to instance 2: Switch(config)#spanning-tree mst configuration Switch(config-mst)#name 1 Switch(config-mst)#revision 100 Switch(config-mst)#instance 1 vlan 101-103 Switch(config-mst)#instance 2 vlan 104-106 Switch(config-mst)#end Switch#copy running-config startup-config...
  • Page 374 Configuring Spanning Tree Configuration Example for MSTP Switch(config-mst)#exit Switch(config)#spanning-tree mst instance 1 priority 0 Switch(config)#end Switch#copy running-config startup-config ■ Configurations for Switch C 1) Configure the spanning tree mode as MSTP, then enable spanning tree function globally. Switch#configure Switch(config)#spanning-tree mode mstp Switch(config)#spanning-tree 2) Enable the spanning tree function on port 1/0/1 and port 1/0/2.
  • Page 375 Configuring Spanning Tree Configuration Example for MSTP Root Bridge Priority Address : 00-0a-eb-13-12-ba Internal Cost : 400000 Root Port Designated Bridge Priority Address : 00-0a-eb-13-12-ba Local Bridge Priority : 32768 Address : 00-0a-eb-13-23-97 Interface Prio Cost Role Status --------- ---- -------- ------ -----...
  • Page 376 Configuring Spanning Tree Configuration Example for MSTP Priority : 32768 Address : 00-0a-eb-13-23-97 Interface Prio Cost Role Status --------- ---- -------- ------- ------- ---- Gi1/0/1 200000 Desg Gi1/0/2 200000 Root ■ Switch B Verify the configurations of Switch B in instance 1: Switch(config)#show spanning-tree mst instance 1 MST-Instance 1 Root Bridge...
  • Page 377 Configuring Spanning Tree Configuration Example for MSTP Address : 3c-46-d8-9d-88-f7 Internal Cost : 400000 Root Port Designated Bridge Priority Address : 3c-46-d8-9d-88-f7 Local Bridge Priority : 32768 Address : 00-0a-eb-13-12-ba Interface Prio Cost Role Status --------- ---- -------- ------- ------- Gi1/0/1 200000 Altn Gi1/0/2...
  • Page 378 Configuring Spanning Tree Configuration Example for MSTP Gi1/0/1 200000 Desg Gi1/0/2 200000 Root Verify the configurations of Switch C in instance 2: Switch(config)#show spanning-tree mst instance 2 MST-Instance 2 Root Bridge Priority Address : 3c-46-d8-9d-88-f7 Local bridge is the root bridge Designated Bridge Priority Address...
  • Page 379: Appendix: Default Parameters

    Configuring Spanning Tree Appendix: Default Parameters Appendix: Default Parameters Default settings of the Spanning Tree feature are listed in the following table. Table 6-1 Default Settings of the Global Parameters Parameter Default Setting Spanning-tree Disabled Mode CIST Priority 32768 Hello Time 2 seconds Max Age 20 seconds...
  • Page 380 Configuring Spanning Tree Appendix: Default Parameters Parameter Default Setting Priority 32768 Port Priority Path Cost Auto Table 6-4 Default Settings of the STP Security Parameter Default Setting Loop Protect Disabled Root Protect Disabled TC Guard Disabled BPDU Protect Disabled BPDU Filter Disabled BPDU Forward Enabled...
  • Page 381: Configuring Lldp

    Part 12 Configuring LLDP CHAPTERS 1. LLDP 2. LLDP Configurations 3. LLDP-MED Configurations 4. Viewing LLDP Settings 5. Viewing LLDP-MED Settings 6. Configuration Example 7. Appendix: Default Parameters...
  • Page 382: Lldp

    Configuring LLDP LLDP LLDP Overview LLDP (Link Layer Discovery Protocol) is a neighbor discovery protocol that is used for network devices to advertise information about themselves to other devices on the network. This protocol is a standard IEEE 802.1ab defined protocol and runs over Layer 2 (the data-link layer), which allows for interoperability between network devices of different vendors.
  • Page 383: Lldp Configurations

    Configuring LLDP LLDP Configurations LLDP Configurations To configure the LLDP function, follow these steps: 1) Configure the LLDP feature globally. 2) Configure the LLDP feature for the port. Using the GUI 2.1.1 Configuring LLDP Globally Choose the menu L2 FEATURES > LLDP > LLDP Config > Global Config to load the following page.
  • Page 384 Configuring LLDP LLDP Configurations Follow these steps to configure the LLDP feature globally. 1) In the Global Config section, enable LLDP. You can also enable the switch to forward LLDP messages when LLDP function is disabled. Click Apply. LLDP Enable LLDP function globally. LLDP (Optional) Enable the switch to forward LLDP messages when LLDP function is Forwarding...
  • Page 385: Configuring Lldp For The Port

    Configuring LLDP LLDP Configurations 2.1.2 Configuring LLDP For the Port Choose the menu L2 FEATURES > LLDP > LLDP Config > Port Config to load the following page. Figure 2-2 Port Config Follow these steps to configure the LLDP feature for the interface. 1) Select one or more ports to configure.
  • Page 386: Using The Cli

    Configuring LLDP LLDP Configurations Included TLVs Configure the TLVs included in the outgoing LLDP packets. The switch supports the following TLVs: PD: Used to advertise the port description defined by the IEEE 802 LAN station. SC: Used to advertise the supported functions and whether or not these functions are enabled.
  • Page 387 Configuring LLDP LLDP Configurations Step 3 lldp forward_message (Optional) Enable the switch to forward LLDP messages when LLDP function is disabled. Step 4 lldp hold-multiplier multiplier (Optional) Specify the amount of time the neighbor device should hold the received information before discarding it. This parameter is a multiplier on the Transmit Interval that determines the actual TTL (Time To Live) value used in an LLDP packet.
  • Page 388: Port Config

    Configuring LLDP LLDP Configurations Switch(config)#lldp timer tx-interval 30 tx-delay 2 reinit-delay 3 notify-interval 5 fast- count 3 Switch(config)#show lldp LLDP Status: Enabled LLDP Forward Message: Disabled Tx Interval: 30 seconds TTL Multiplier: 4 Tx Delay: 2 seconds Initialization Delay: 2 seconds Trap Notification Interval: 5 seconds Fast-packet Count: 3 LLDP-MED Fast Start Repeat Count: 4...
  • Page 389 Configuring LLDP LLDP Configurations Step 7 show lldp interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } Display LLDP configuration of the corresponding port. Step 8 Return to Privileged EXEC Mode. Step 9 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure the port 1/0/1.
  • Page 390 Configuring LLDP LLDP Configurations Link-Aggregation MAC-Physic Max-Frame-Size Power Switch(config-if)#end Switch#copy running-config startup-config...
  • Page 391: Lldp-Med Configurations

    Configuring LLDP LLDP-MED Configurations LLDP-MED Configurations To configure the LLDP-MED function, follow these steps: 1) Enable the LLDP feature globally and configure the LLDP parameters for the ports. 2) Configure the LLDP-MED fast repeat count globally. 3) Enable and configure the LLDP-MED feature on the port. Configuration Guidelines LLDP-MED is used together with Auto VoIP to implement VoIP access.
  • Page 392: Configuring Lldp-Med For Ports

    Configuring LLDP LLDP-MED Configurations Device Class Display the current device class. LLDP-MED defines two device classes, Network Connectivity Device and Endpoint Device. The switch is a Network Connectivity device. 3.1.2 Configuring LLDP-MED for Ports Choose the menu L2 FEATURES > LLDP > LLDP-MED Config > Port Config to load the following page.
  • Page 393 Configuring LLDP LLDP-MED Configurations Figure 3-3 LLDP-MED Port Config-Detail Network Policy Used to advertise VLAN configuration and the associated Layer 2 and Layer 3 attributes of the port to the endpoint devices. Location Used to assign the location identifier information to the Endpoint devices. Identification If this option is selected, you can configure the emergency number and the detailed address of the endpoint device in the Location Identification Parameters...
  • Page 394: Using The Cli

    Configuring LLDP LLDP-MED Configurations Civic Address Configure the address of the audio device in the IETF defined address format. What: Specify the role type of the local device, DHCP Server, Switch or LLDP-MED Endpoint. Country Code: Enter the country code defined by ISO 3166, for example, CN, US. Language, Province/State etc.: Enter the regular details.
  • Page 395: Port Config

    Configuring LLDP LLDP-MED Configurations TTL Multiplier: Tx Delay: 2 seconds Initialization Delay: 2 seconds Trap Notification Interval: 5 seconds Fast-packet Count: LLDP-MED Fast Start Repeat Count: Switch(config)#end Switch#copy running-config startup-config 3.2.2 Port Config Select the desired port, enable LLDP-MED and select the TLVs (Type/Length/Value) included in the outgoing LLDP packets according to your needs.
  • Page 396 Configuring LLDP LLDP-MED Configurations Step 6 Return to Privileged EXEC Mode. Step 7 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable LLDP-MED on port 1/0/1, configure the LLDP- MED TLVs included in the outgoing LLDP packets. Switch(config)#lldp Switch(config)#lldp med-fast-count 4 Switch(config)#interface gigabitEthernet 1/0/1...
  • Page 397 Configuring LLDP LLDP-MED Configurations LLDP-MED Status: Enabled TLV Status --- ------ Network Policy Location Identification Extended Power Via MDI Inventory Management Switch(config)#end Switch#copy running-config startup-config User Guide...
  • Page 398: Viewing Lldp Settings

    Configuring LLDP Viewing LLDP Settings Viewing LLDP Settings This chapter introduces how to view the LLDP settings on the local device. Using GUI 4.1.1 Viewing LLDP Device Info ■ Viewing the Local Info Choose the menu L2 FEATURES > LLDP > LLDP Config > Local Info to load the following page.
  • Page 399 Configuring LLDP Viewing LLDP Settings Follow these steps to view the local information: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs. Click Apply. 2) In the Local Info section, select the desired port and view its associated local device information.
  • Page 400 Configuring LLDP Viewing LLDP Settings Port And Protocol Displays whether the local device supports port and protocol VLAN feature. Supported Port And Protocol Displays the status of the port and protocol VLAN feature. VLAN Enabled VLAN Name of Displays the VLAN name of VLAN 1 for the local device. VLAN 1 Protocol Identify Displays the particular protocol that the local device wants to advise.
  • Page 401 Configuring LLDP Viewing LLDP Settings ■ Viewing the Neighbor Info Choose the menu L2 FEATURES > LLDP > LLDP Config > Neighbor Info to load the following page. Figure 4-2 Neighbor Info Follow these steps to view the neighbor information: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs.
  • Page 402: Viewing Lldp Statistics

    Configuring LLDP Viewing LLDP Settings 4.1.2 Viewing LLDP Statistics Choose the menu L2 FEATURES > LLDP > LLDP Config > Statistics Info to load the following page. Figure 4-3 Static Info Follow these steps to view LLDP statistics: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs.
  • Page 403: Using Cli

    Configuring LLDP Viewing LLDP Settings Total Ageouts Displays the latest number of neighbors that have aged out on the local device. 3) In the Neighbors Statistics section, view the statistics of the corresponding port. Transmit Total Displays the total number of the LLDP packets sent via the port. Receive Total Displays the total number of the LLDP packets received via the port.
  • Page 404: Viewing Lldp-Med Settings

    Configuring LLDP Viewing LLDP-MED Settings Viewing LLDP-MED Settings Using GUI Choose the menu L2 FEATURES > LLDP > LLDP-MED Config > Local Info to load the following page. ■ Viewing the Local Info Figure 5-1 LLDP-MED Local Info User Guide...
  • Page 405 Configuring LLDP Viewing LLDP-MED Settings Follow these steps to view LLDP-MED local information: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs. Click Apply. 2) In the LLDP-MED Local Info section, select the desired port and view the LLDP-MED settings.
  • Page 406 Configuring LLDP Viewing LLDP-MED Settings Serial Number Displays the serial number of the local device. Manufacturer Displays the manufacturer name of the local device. Name Model Name Displays the model name of the local device. Asset ID Displays the asset ID of the local device. ■...
  • Page 407: Using Cli

    Configuring LLDP Viewing LLDP-MED Settings Using CLI ■ Viewing the Local Info show lldp local-information interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port View the LLDP details of a specific port or all the ports on the local device. ■...
  • Page 408: Configuration Example

    Configuring Switch A and Switch B: The configurations of Switch A and Switch B are similar. The following introductions take Switch A as an example. Demonstrated with T1600G-52TS, this chapter provides configuration procedures in two ways: using the GUI and using the CLI.
  • Page 409: Using Cli

    Configuring LLDP Configuration Example Figure 6-2 LLDP Global Config 2) Choose the menu L2 FEATURES > LLDP > LLDP Config > Port Config to load the following page. Set the Admin Status of port Gi1/0/1 as Tx&Rx, enable Notification Mode and configure all the TLVs included in the outgoing LLDP packets. Figure 6-3 LLDP Port Config 6.1.5 Using CLI 1) Enable LLDP globally and configure the corresponding parameters.
  • Page 410 Configuring LLDP Configuration Example Switch_A(config)#lldp hold-multiplier 4 Switch_A(config)#lldp timer tx-interval 30 tx-delay 2 reinit-delay 3 notify-interval 5 fast-count 3 2) Set the Admin Status of port Gi1/0/1 to Tx&Rx, enable Notification Mode and configure all the TLVs included in the outgoing LLDP packets. Switch_A#configure Switch_A(config)#interface gigabitEthernet 1/0/1 Switch_A(config-if)#lldp receive...
  • Page 411 Configuring LLDP Configuration Example Status ------ Port-Description System-Capability System-Description System-Name Management-Address Port-VLAN-ID Protocol-VLAN-ID VLAN-Name Link-Aggregation MAC-Physic Max-Frame-Size Power LLDP-MED Status: Disabled Status ------ Network Policy Location Identification Extended Power Via MDI Inventory Management View the Local Info Switch_A#show lldp local-information interface gigabitEthernet 1/0/1 LLDP local Information: gigabitEthernet 1/0/1: Chassis type:...
  • Page 412 Configuring LLDP Configuration Example TTL: System name: T1600G-52TS System description: JetStream 24-Port Gigabit L2 Managed Switch with 4 SFP Slots System capabilities supported: Bridge Router System capabilities enabled: Bridge Router Management address type: ipv4 Management address: 192.168.0.226 Management address interface type: IfIndex...
  • Page 413 Tagged: VLAN ID: Layer 2 Priority: DSCP: Location Data Format: Civic Address LCI - What: Switch - Country Code: Hardware Revision: T1600G-52TS 3.0 Firmware Revision: Reserved Software Revision: 3.0.0 Build 20170918 Rel.71414(s) Serial Number: Reserved Manufacturer Name: TP-Link Model Name: T1600G-52TS 3.0...
  • Page 414 Configuring LLDP Configuration Example System name: T1600G-52PS System description: JetStream 48-Port Gigabit Smart PoE Switch with 4 SFP Slots System capabilities supported: Bridge Router System capabilities enabled: Bridge Router Management address type: ipv4 Management address: 192.168.0.1 Management address interface type: IfIndex Management address interface ID: Management address OID:...
  • Page 415: Example For Lldp-Med

    Configuring LLDP Configuration Example Example for LLDP-MED 6.2.1 Network Requirements As the following figure shows, an IP phone and a PC are both connected to port 1/0/1 of the switch. It is required that the voice data stream is sent to VLAN2 and other untagged data stream is sent to the default VLAN1.
  • Page 416 Configuring LLDP Configuration Example Figure 6-2 VLAN Config 2) Choose the menu QoS > Auto VoIP to load the following page. Select port 1/0/1, configure the interface mode as VLAN ID and set the VLAN ID value as 2. Click Apply. User Guide...
  • Page 417 Configuring LLDP Configuration Example Figure 6-3 Auto VoIP Config 3) Choose the menu L2 FEATURES > LLDP > LLDP Config > Global Config to load the following page. Enable LLDP globally and click Apply. Figure 6-4 LLDP Global Config 4) Choose the menu L2 FEATURES > LLDP > LLDP Config >Global Config > Port Config to load the following page.
  • Page 418: Using Cli

    Configuring LLDP Configuration Example Figure 6-5 LLDP-MED Config 5) Click to save the settings. 6.2.4 Using CLI 1) Create VLAN2 and add untagged port 1/0/1 to VLAN2. Switch#configure Switch(config)#vlan 2 Switch(config-vlan)#name voice_vlan Switch(config-vlan)#exit Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#switchport general allowed vlan 2 untagged Switch(config-if)#exit 2) Enable Auto VoIP globally.
  • Page 419 Configuring LLDP Configuration Example 5) Enable LLDP-MED on port 1/0/1. Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#lldp med-status Switch(config-if)#end Switch#copy running-config startup-config Verify the Configurations View VLAN settings: Switch#show vlan VLAN Name Status Ports ----- -------------------- --------- ---------------------------------------- System-VLAN active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4, Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8, Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12, Gi1/0/13, Gi1/0/14, Gi1/0/15, Gi1/0/16,...
  • Page 420 Configuring LLDP Configuration Example View global LLDP settings: Switch_A#show lldp LLDP Status: Enabled LLDP Forward Message: Disabled View LLDP-MED settings on port 1/0/1: Switch_A#show lldp interface gigabitEthernet 1/0/1 LLDP interface config: gigabitEthernet 1/0/1: LLDP-MED Status: Enabled Status ------ Network Policy Location Identification Extended Power Via MDI Inventory Management...
  • Page 421: Appendix: Default Parameters

    Configuring LLDP Appendix: Default Parameters Appendix: Default Parameters Default settings of LLDP are listed in the following tables. Default LLDP Settings Table 7-1 Default LLDP Settings Parameter Default Setting LLDP Disabled LLDP Forward Message Disabled Transmit Interval 30 seconds Hold Multiplier Transmit Delay 2 seconds Reinitialization Delay...
  • Page 422 Part 13 Configuring Layer 3 Interfaces CHAPTERS 1. Overview 2. Layer 3 Interface Configurations 4. Appendix: Default Parameters...
  • Page 423: Configuring Layer 3 Interfaces

    Configuring Layer 3 Interfaces Overview Overview Interfaces are used to exchange data and interact with interfaces of other network devices. Interfaces are classified into Layer 2 interfaces and Layer 3 interfaces. ■ Layer 2 interfaces are the physical ports on the switch panel. They forward packets based on MAC address table.
  • Page 424: Layer 3 Interface Configurations

    Configuring Layer 3 Interfaces Layer 3 Interface Configurations Layer 3 Interface Configurations To complete IPv4 interface configuration, follow these steps: 1) Create a Layer 3 interface 2) Configure IPv4 parameters of the created interface 3) View detailed information of the created interface To complete IPv6 interface configuration, follow these steps: 1) Create a Layer 3 interface 2) Configure IPv6 parameters of the created interface...
  • Page 425 Configuring Layer 3 Interfaces Layer 3 Interface Configurations IPv6 Routing (Optional) Enable IPv6 routing function globally for all Layer 3 interfaces. It is disabled by default. 2) In the Interface List section, click to load the following page, and configure the corresponding parameters for the Layer 3 interface.
  • Page 426: Configuring Ipv4 Parameters Of The Interface

    Configuring Layer 3 Interfaces Layer 3 Interface Configurations 2.1.2 Configuring IPv4 Parameters of the Interface In Figure 2-1 you can view the corresponding interface you have created in the Interface List section. On the corresponding interface entry, click Edit IPv4 to load the following page and edit the IPv4 parameters of the interface.
  • Page 427: Configuring Ipv6 Parameters Of The Interface

    Configuring Layer 3 Interfaces Layer 3 Interface Configurations DHCP Option 12 If you select DHCP as the IP Address Mode, configure the Option 12 here. DHCP Option 12 is used to specify the client’s name. 2) In the Secondary IP List section, click to add a secondary IP for the specified interface which allows you to have two logical subnets.
  • Page 428 Configuring Layer 3 Interfaces Layer 3 Interface Configurations Figure 2-3 Configuring the IPv6 Parameters 1) In the Modify IPv6 Interface section, enable IPv6 feature for the interface and configure the corresponding parameters. Then click Apply. Interface ID Displays the interface ID. Admin Status Enable the Layer 3 capabilities for the interface.
  • Page 429 Configuring Layer 3 Interfaces Layer 3 Interface Configurations Status Displays the status of the link-local address. An IPv6 address cannot be used before it passes DAD (Duplicate Address Detection), which is used to detect address conflicts. In the DAD process, the IPv6 address may be in one of three different statuses: Normal: Indicates that the link-local address passes the DAD and can be used normally.
  • Page 430: Viewing Detail Information Of The Interface

    Configuring Layer 3 Interfaces Layer 3 Interface Configurations Prefix Length Configure the prefix length of the global address. 3) View the global address entry in the Global Address Table. Global Address View or modify the global address. Prefix Length View or modify the prefix length of the global address. Type Displays the configuration mode of the global address.
  • Page 431: Using The Cli

    Configuring Layer 3 Interfaces Layer 3 Interface Configurations Figure 2-4 Viewing the detail information of the interface Using the CLI 2.2.1 Creating a Layer 3 Interface Follow these steps to create a Layer 3 interface. You can create a VLAN interface, a loopback interface, a routed port or a port-channel interface according to your needs.
  • Page 432 Configuring Layer 3 Interfaces Layer 3 Interface Configurations Step 2 Create a VLAN interface: interface vlan vlan-id vlan-id : Specify an IEEE 802.1Q VLAN ID that already exists, ranging from 1 to 4094. Create a loopback interface: interface loopback { id } Specify the ID of the loopback interface, ranging from 1 to 64.
  • Page 433: Configuring Ipv4 Parameters Of The Interface

    Configuring Layer 3 Interfaces Layer 3 Interface Configurations Switch#copy running-config startup-config 2.2.2 Configuring IPv4 Parameters of the Interface Follow these steps to configure the IPv4 parameters of the interface. Step 1 configure Enter global configuration mode. Step 2 interface { interface-type } { interface-id } Enter Layer 3 interface configuration mode.
  • Page 434: Configuring Ipv6 Parameters Of The Interface

    Configuring Layer 3 Interfaces Layer 3 Interface Configurations Switch(config-if)#show ip interface brief Interface IP-Address Method Status Protocol Shutdown --------- ---------- ------ ------ -------- -------- Gi1/0/1 192.168.0.100/24 Static Switch(config-if)#end Switch#copy running-config startup-config 2.2.3 Configuring IPv6 Parameters of the Interface Follow these steps to configure the IPv6 parameters of the interface. Step 1 configure Enter global configuration mode.
  • Page 435 Configuring Layer 3 Interfaces Layer 3 Interface Configurations Step 5 Configure the IPv6 global address for the specified interface: Automatically configure the interface’s global IPv6 address via RA message: ipv6 address ra Configure the interface’s global IPv6 address according to the address prefix and other configuration parameters from its received RA (Router Advertisement) message.
  • Page 436 Configuring Layer 3 Interfaces Layer 3 Interface Configurations ICMP error messages limited to one every 1000 milliseconds ICMP redirects are enable MTU is 1500 bytes ND DAD is enable, number of DAD attempts: 1 ND retrans timer is 1000 milliseconds ND reachable time is 30000 milliseconds Switch(config-if)#end Switch#copy running-config startup-config...
  • Page 437: Configuration Example

    Configuring Layer 3 Interfaces Configuration Example Configuration Example Network Requirement The administrator needs to allow the hosts in the VLANs to access the internet. The topology is shown below. Figure 3-1 Network Topology Router Gi 1/0/2 Gi 1/0/10 Switch VLAN 2 VLAN 10 Configuration Scheme The hosts in the VLANs are separated at Layer 2.
  • Page 438: Using The Cli

    Configuring Layer 3 Interfaces Configuration Example 1) Go to L2 FEATURES > VLAN > 802.1Q VLAN to create VLAN 2. Add port 1/0/2 to VLAN 2 with its egress rule as Untagged. Table 3-2 Create VLAN 2 2) Go to L3 FEATURES > Interface to enable IPv4 routing (enabled by default), then click to create VLAN interface 2.
  • Page 439 Configuring Layer 3 Interfaces Configuration Example Switch(config)#vlan 2 Switch(config-vlan)#exit Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#switchport general allowed vlan 2 untagged Switch(config-if)#exit 2) Create VLAN interface 2 for VLAN 2. Configure the IP address of VLAN interface 2 as 192.168.2.1. Switch(config)#interface vlan 2 Switch(config-if)#ip address 192.168.2.1 255.255.255.0 Switch(config-if)#end Switch#copy running-config startup-config...
  • Page 440: Appendix: Default Parameters

    Configuring Layer 3 Interfaces Appendix: Default Parameters Appendix: Default Parameters Default settings of interface are listed in the following tables. Table 4-1 Default Settings of Routing Config Parameter Default Setting IPv4 Routing Enabled IPv6 Routing Disabled Table 4-2 Configuring the IPv4 Parameters of the Interface Parameter Default Setting Interface ID...
  • Page 441: Configuring Routing

    Part 14 Configuring Routing CHAPTERS 1. Overview 2. IPv4 Static Routing Configuration 3. IPv6 Static Routing Configuration 4. Viewing Routing Table 5. Example for Static Routing...
  • Page 442: Overview

    Configuring Routing Overview Overview The routing table is used by a Layer 3 device (in this configuration guide, the switch) to forward packets to the correct destination. When the switch receives packets whose source IP address and destination IP address are in different subnets, it checks the routing table, finds the correct outgoing interface, then forwards the packets.
  • Page 443: Ipv4 Static Routing Configuration

    Configuring Routing IPv4 Static Routing Configuration IPv4 Static Routing Configuration Using the GUI Choose the menu L3 FEATURES > Static Routing > IPv4 Static Routing and click to load the following page. Figure 2-1 Configuring the IPv4 Static Routing Configure the corresponding parameters to add an IPv4 static routing entry. Then click Create.
  • Page 444: Using The Cli

    Configuring Routing IPv4 Static Routing Configuration Using the CLI Follow these steps to create an IPv4 static route. Step 1 configure Enter global configuration mode. Step 2 ip route { dest-address } { mask } { next-hop-address } [ distance ] Add an IPv4 static route.
  • Page 445: Ipv6 Static Routing Configuration

    Configuring Routing IPv6 Static Routing Configuration IPv6 Static Routing Configuration Using the GUI Choose the menu L3 FEATURES > Static Routing > IPv6 Static Routing > IPv6 Static Routing Table and click to load the following page. Figure 3-1 Configuring the IPv6 Static Routing Configure the corresponding parameters to add an IPv6 static routing entry.
  • Page 446 Configuring Routing IPv6 Static Routing Configuration Step 1 configure Enter global configuration mode. Step 2 ipv6 routing Enable the IPv6 routing function on the specified Layer 3 interface. Step 3 ipv6 route { ipv6-dest-address } { next-hop-address } [ distance ] Add an IPv6 static route.
  • Page 447: Viewing Routing Table

    Configuring Routing Viewing Routing Table Viewing Routing Table You can view the routing tables to learn about the network topology. The switch supports IPv4 routing table and IPv6 routing table. Using the GUI 4.1.1 Viewing IPv4 Routing Table Choose the menu L3 FEATURES > Routing Table > IPv4 Routing Table > IPv4 Routing Information Summary to load the following page.
  • Page 448: Viewing Ipv6 Routing Table

    Configuring Routing Viewing Routing Table 4.1.2 Viewing IPv6 Routing Table Choose the menu L3 FEATURES > Routing Table > IPv6 Routing Table > IPv6 Routing Information Summary to load the following page. Figure 4-2 Viewing IPv6 Routing Table View the IPv6 routing entries. Protocol Displays the type of the routing entry.
  • Page 449: Viewing Ipv6 Routing Table

    Configuring Routing Viewing Routing Table 4.2.2 Viewing IPv6 Routing Table In privileged EXEC mode or any other configuration mode, you can use the following command to view the IPv6 routing table: show ipv6 route [ static | connected ] View the IPv6 route entries of the specified type. If not specified, all types of route entries will be displayed.
  • Page 450: Example For Static Routing

    Configuring Routing Example for Static Routing Example for Static Routing Network Requirements As shown below, Host A and Host B are on different network segments. To meet business needs, Host A and Host B need to establish a connection without using dynamic routing protocols to ensure stable connectivity.
  • Page 451 Configuring Routing Example for Static Routing Figure 5-2 Create a Routed Port Gi1/0/1 for Switch A Figure 5-3 Create a Routed Port Gi1/0/2 for Switch A 2) Choose the menu L3 FEATURES > Static Routing > IPv4 Static Routing to load the following page.
  • Page 452: Using The Cli

    Configuring Routing Example for Static Routing mask as 255.255.255.0 and the next hop as 10.1.10.2. For switch B, add a static route entry with the destination as 10.1.1.0, the subnet mask as 255.255.255.0 and the next hop as 10.1.10.1. Figure 5-4 Add a Static Route for Switch A Using the CLI The configurations of Switch A and Switch B are similar.
  • Page 453 Configuring Routing Example for Static Routing Switch_A#configure Switch_A(config)#ip route 10.1.2.0 255.255.255.0 10.1.10.2 Switch_A(config)#end Switch_A#copy running-config startup-config Verify the Configurations ■ Switch A Verify the static routing configuration: Switch_A#show ip route Codes: C - connected, S - static * - candidate default 10.1.1.0/24 is directly connected, Vlan10 10.1.10.0/24 is directly connected, Vlan20 10.1.2.0/24 [1/0] via 10.1.10.2, Vlan20...
  • Page 454 Configuring Routing Example for Static Routing Ping statistics for 10.1.2.1: Packets: Sent = 4 , Received = 4 , Lost = 0 (0% loss) Approximate round trip times in milli-seconds: Minimum = 1ms , Maximum = 3ms , Average = 1ms User Guide...
  • Page 455: Configuring Dhcp Service

    Part 15 Configuring DHCP Service CHAPTERS 1. DHCP 2. DHCP Server Configuration 3. DHCP Relay Configuration 4. DHCP L2 Relay Configuration 5. Configuration Examples 6. Appendix: Default Parameters...
  • Page 456: Dhcp

    Configuring DHCP Service DHCP DHCP Overview DHCP (Dynamic Host Configuration Protocol) is widely used to automatically assign IP addresses and other network configuration parameters to network devices, enhancing the utilization of IP addresses. Supported Features The supported DHCP features of the switch include DHCP Server, DHCP Relay and DHCP L2 Relay.
  • Page 457 DHCP class on the DHCP server to identify the Option 82 payload. TP-Link switches preset a default circuit ID and remote ID in TLV (Type, Length, and Value) format. You can also configure the format to include Value only and customize the Value.
  • Page 458 Configuring DHCP Service DHCP *Format Indicates the packet format of the sub-option field. Two options are available: ■ Normal: Indicates the field consists of three parts: Type, Length, and Value (TLV). ■ Private: Indicates the field consists of the value only. *Type A one-byte field indicating whether the Value field is customized or not.
  • Page 459 Configuring DHCP Service DHCP can assign IP addresses that are in the same subnet with the Relay Agent IP Address to the clients. The switch supports specifying a DHCP server for multiple Layer 3 interfaces, which makes it possible to assign IP addresses to clients in different subnets from the same DHCP server.
  • Page 460 Configuring DHCP Service DHCP Figure 1-3 Application Scenario of DHCP VLAN Relay DHCP Server DHCP Relay DHCP Clients DHCP Clients Default Agent Interface: VLAN 20 VLAN 10 192.168.2.1/24 192.168.2.0/24 192.168.2.0/24 Note: • If the VLAN already has an IP address, the switch will use the IP address of the VLAN as the relay agent IP address.
  • Page 461: Dhcp Server Configuration

    Configuring DHCP Service DHCP Server Configuration DHCP Server Configuration To complete DHCP server configuration, follow these steps: 1) Enable the DHCP Server feature on the switch. 2) Configure DHCP Server Pool. 3) (Optional) Manually assign static IP addresses for some clients. Using the GUI 2.1.1 Enabling DHCP Server Choose the menu L3 FEATURES >...
  • Page 462 Configuring DHCP Service DHCP Server Configuration Option 60 (Optional) Specify the Option 60 for device identification. It is mostly used in scenarios where APs (Access Points) apply for different IP addresses from different servers according to their needs. If an AP requests Option 60, the server will respond with a packet containing the Option 60 configured here.
  • Page 463: Configuring Dhcp Server Pool

    Configuring DHCP Service DHCP Server Configuration Starting IP Specify the starting IP address and ending IP address of the excluded IP Address/ Ending IP address range. If the starting IP address and ending IP address are the same, Address the server excludes only one IP address. When configuring DHCP Server, you need to reserve certain IP addresses for each subnet, such as the default gateway address, broadcast address and DNS server address.
  • Page 464: Configuring Manual Binding

    Configuring DHCP Service DHCP Server Configuration Default Gateway (Optional) Configure the default gateway of the DHCP server pool. You can create up to 8 default gateways for each DHCP server pool. If you leave this field blank, the DHCP server will not assign this parameter to clients. In general, you can configure the IP address of the VLAN interface as the default gateway address.
  • Page 465: Using The Cli

    Configuring DHCP Service DHCP Server Configuration Choose the menu L3 FEATURES > DHCP Service >DHCP Server > Manual Binding and click to load the following page. Figure 2-4 Manual Binding Select a pool name and enter the IP address to be bound. Select a binding mode and finish the configuration accordingly.
  • Page 466 Configuring DHCP Service DHCP Server Configuration Step 3 ip dhcp server extend-option vendor-class-id vendor (Optional) Specify the Option 60 for server identification. If a client requests Option 60, the server will respond with a packet containing the Option 60 configured here. The client will then compare the received Option 60 with its own.
  • Page 467 Configuring DHCP Service DHCP Server Configuration Step 10 show ip dhcp server excluded-address Verify the configuration of the excluded IP address. Step 11 Return to Privileged EXEC Mode. Step 12 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable DHCP Server globally on the switch, configure the number of ping packets as 2 and configure the timeout period for ping tests as 200 ms: Switch#configure...
  • Page 468: Configuring Dhcp Server Pool

    Configuring DHCP Service DHCP Server Configuration The following example shows how to configure the 192.168.1.1 as the default gateway address and excluded IP address: Switch#configure Switch(config)#ip dhcp server excluded-address 192.168.1.1 192.168.1.1 Switch(config)#show ip dhcp server excluded-address Start IP Address End IP Address ------------- -------------- 192.168.1.1...
  • Page 469 Configuring DHCP Service DHCP Server Configuration Step 6 dns-server dns-server-list (Optional) Specify the DNS server of the DHCP server pool. In general, you can configure the IP address of the VLAN interface as the DNS server address. dns-server-list : Specify the IP address of the DNS server. You can specify up to 8 DNS servers for each DHCP server pool.
  • Page 470 Configuring DHCP Service DHCP Server Configuration Step 14 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create a DHCP server pool with the parameters shown in Table 2-1. Table 2-1 Parameters for the DHCP Server Pool Parameter Value Pool Name...
  • Page 471: Configuring Manual Binding

    Configuring DHCP Service DHCP Server Configuration Switch(dhcp-config)#show ip dhcp server pool Pool Name: pool1 Network Address: 192.168.1.0 Subenet Mask: 255.255.255.0 Lease Time: 180 Default Gateway: 192.168.1.1 DNS Server: 192.168.1.4 Netbios Server: 192.168.1.19 Netbios Node Type: b-node Next Server Address: 192.168.1.30 Domain Name: Bootfile Name: bootfile...
  • Page 472 Configuring DHCP Service DHCP Server Configuration Step 3 Bind an IP address to a client: address ip-address client-identifier client-id Bind the specified IP address to the client with a specific hexadecimal client ID. ip-address: Specify the IP address to be bound. client-id: Specify the client ID in hexadecimal format.
  • Page 473 Configuring DHCP Service DHCP Server Configuration Switch(dhcp-config)#end Switch#copy running-config startup-config User Guide...
  • Page 474: Dhcp Relay Configuration

    Configuring DHCP Service DHCP Relay Configuration DHCP Relay Configuration To complete DHCP Relay configuration, follow these steps: 1) Enable DHCP Relay. Configure Option 82 if needed. 2) Specify DHCP server for the Interface or VLAN. Using the GUI 3.1.1 Enabling DHCP Relay and Configuring Option 82 Choose the menu L3 FEATURES >...
  • Page 475 Configuring DHCP Service DHCP Relay Configuration DHCP Relay Enable DHCP Relay globally. DHCP Relay Specify the DHCP relay hops. Hops DHCP Relay Hops defines the maximum number of hops (DHCP Relay agent) that the DHCP packets can be relayed. If a packet’s hop count is more than the value you set here, the packet will be dropped.
  • Page 476: Configuring Dhcp Interface Relay

    Configuring DHCP Service DHCP Relay Configuration Remote ID Enable or disable Remote ID Customization. Enable it if you want to manually Customization configure the remote ID. Otherwise, the switch uses its own MAC address as the remote ID. Remote ID Enter the customized remote ID with up to 64 characters.
  • Page 477 Configuring DHCP Service DHCP Relay Configuration Choose the menu L3 FEATURES > DHCP Service > DHCP Relay > DHCP VLAN Relay to load the following page. Figure 3-3 Configure DHCP VLAN Relay Follow these steps to specify DHCP Server for the specific VLAN: 1) In the Default Relay Agent Interface section, specify a Layer 3 interface as the default relay agent interface.
  • Page 478: Using The Cli

    Configuring DHCP Service DHCP Relay Configuration VLAN ID Specify the VLAN in which the clients can get IP addresses from the DHCP server. Server Address Enter the IP address of the DHCP server. Using the CLI 3.2.1 Enabling DHCP Relay Follow these steps to enable DHCP Relay and configure the corresponding parameters: Step 1 configure...
  • Page 479: (Optional) Configuring Option 82

    Configuring DHCP Service DHCP Relay Configuration Switch(config)#service dhcp relay Switch(config)#show ip dhcp relay Switch(config)#ip dhcp relay hops 5 Switch(config)#ip dhcp relay time 10 DHCP relay state: enabled DHCP relay hops: 5 DHCP relay Time Threshold: 10 seconds Switch(config)#end Switch#copy running-config startup-config 3.2.2 (Optional) Configuring Option 82 Follow these steps to configure Option 82: Step 1...
  • Page 480 Configuring DHCP Service DHCP Relay Configuration Step 6 ip dhcp relay information circuit-id string (Optional) A default circuit ID is preset on the switch, and you can also run this command to customize the circuit ID. The circuit ID configurations of the switch and the DHCP server should be compatible with each other.
  • Page 481: Configuring Dhcp Interface Relay

    Configuring DHCP Service DHCP Relay Configuration Switch(config-if)#end Switch#copy running-config startup-config 3.2.3 Configuring DHCP Interface Relay You can specify a DHCP server for a Layer 3 interface or for a VLAN. The following introduces how to configure DHCP Interface Relay and DHCP VLAN Relay, respectively. Follow these steps to configure DHCP Interface Relay: Step 1 configure...
  • Page 482: Configuring Dhcp Vlan Relay

    Configuring DHCP Service DHCP Relay Configuration The following example shows how to configure the DHCP server address as 192.168.1.7 on VLAN interface 66: Switch#configure Switch(config)#interface vlan 66 Switch(config-if)#ip helper-address 192.168.1.7 Switch(config-if)#show ip dhcp relay DHCP relay helper address is configured on the following interfaces: Interface Helper address ----------...
  • Page 483 Configuring DHCP Service DHCP Relay Configuration Step 2 Enter Layer 3 Interface Configuration Mode: Enter VLAN Interface Configuration Mode: interface vlan vlan-id vlan-id : Specify an IEEE 802.1Q VLAN ID that already exists, ranging from 1 to 4094. Enter Routed Port Configuration Mode: interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } Enter Interface Configuration Mode.
  • Page 484 Configuring DHCP Service DHCP Relay Configuration The following example shows how to set the routed port 1/0/2 as the default relay agent interface and configure the DHCP server address as 192.168.1.8 on VLAN 10: Switch#configure Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#no switchport Switch(config-if)# ip dhcp relay default-interface Switch(config-if)#exit Switch(config)#ip dhcp relay vlan 10 helper-address 192.168.1.8...
  • Page 485: Dhcp L2 Relay Configuration

    Configuring DHCP Service DHCP L2 Relay Configuration DHCP L2 Relay Configuration To complete DHCP L2 Relay configuration, follow these steps: 1) Enable DHCP L2 Relay. 2) Configure Option 82 for ports. Using the GUI 4.1.1 Enabling DHCP L2 Relay Choose the menu L3 FEATURES > DHCP Service > DHCP L2 Relay > Global Config to load the following page.
  • Page 486: Configuring Option 82 For Ports

    Configuring DHCP Service DHCP L2 Relay Configuration 4.1.2 Configuring Option 82 for Ports Choose the menu L3 FEATURES > DHCP Service > DHCP L2 Relay > Port Config to load the following page. Figure 4-2 Configure Option 82 for Ports Follow these steps to enable DHCP Relay and configure Option 82: 1) Select one or more ports to configure Option 82.
  • Page 487: Using The Cli

    Configuring DHCP Service DHCP L2 Relay Configuration Format Specify the packet format for the sub-option fields of Option 82. Normal: Indicates the fields consist of three parts: Type, Length, and Value (TLV). Private: Indicates the fields consist of the value only. Circuit ID Enable or disable Circuit ID Customization.
  • Page 488: Configuring Option 82 For Ports

    Configuring DHCP Service DHCP L2 Relay Configuration Step 6 end Return to Privileged EXEC Mode. Step 7 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable DHCP L2 Relay globally and for VLAN 2: Switch#configure Switch(config)#ip dhcp l2relay Switch(config)#ip dhcp l2relay vlan 2...
  • Page 489 Configuring DHCP Service DHCP L2 Relay Configuration Step 5 ip dhcp l2relay information format { normal | private } Specify the packet format for the sub-option fields of Option 82. normal: Indicates the fields consist of three parts: Type, Length, and Value (TLV). private: Indicates the fields consist of the value only.
  • Page 490 Configuring DHCP Service DHCP L2 Relay Configuration Switch(config-if)#show ip dhcp l2relay information interface gigabitEthernet 1/0/7 Interface Option 82 Status Operation Strategy Format Circuit ID Remote ID --------- ---------------- ------------------ ------- --------- -------- ----- Gi1/0/7 Enable Replace Normal VLAN20 Host1 Switch(config-if)#end Switch#copy running-config startup-config...
  • Page 491: Configuration Examples

    Configuring DHCP Service Configuration Examples Configuration Examples Example for DHCP Server 5.1.1 Network Requirements As the network topology shows, the administrator uses the switch as the DHCP server to assign IP addresses to all the connected devices. The office computers need to obtain IP addresses dynamically, while the FTP server needs a fixed IP address.
  • Page 492 Configuring DHCP Service Configuration Examples Subnet Mask, Lease Time, Default Gateway and DNS Server as shown below. Click Create. Figure 5-3 Configuring DHCP Server Pool 3) Choose the menu L3 FEATURES > DHCP Service > DHCP Server > Manual Binding and click to load the following page.
  • Page 493: Using The Cli

    Configuring DHCP Service Configuration Examples 5.1.4 Using the CLI 1) Enable DHCP Server. Switch#configure Switch(config)#service dhcp server 2) Specify the Pool Name, Network Address, Subnet Mask and Lease Time. Switch(config)#ip dhcp server pool pool Switch(dhcp-config)#network 192.168.0.0 255.255.255.0 Switch(dhcp-config)#lease 120 Switch(dhcp-config)#exit 3) Bind the specified IP address to the MAC address of the FTP server.
  • Page 494: Configuration Scheme

    4) Configure DHCP Interface Relay on the DHCP relay agent. Enable DHCP Relay globally, and specify the DHCP server address for each VLAN. In this example, the DHCP server is demonstrated with T1600G-52TS and the DHCP relay agent is demonstrated with T1600G-28TS. This section provides configuration procedures in two ways: using the GUI and using the CLI.
  • Page 495: Using The Gui

    Configuring DHCP Service Configuration Examples 5.2.3 Using the GUI ■ Configuring the DHCP Server 1) Choose the menu L3 FEATURES > DHCP Service > DHCP Server > DHCP Server to load the following page. In the Global Config section, enable DHCP Server globally. Figure 5-6 Configuring DHCP Server 2) Choose the menu L3 FEATURES >...
  • Page 496 Configuring DHCP Service Configuration Examples Figure 5-8 Configuring DHCP Pool 2 for VLAN 20 3) Choose the menu L3 FEATURES > Static Routing > IPv4 Static Routing and click to load the following page. Create two static routing entries for the DHCP server to make sure that the DHCP server can reach the clients in the two VLANs.
  • Page 497 Configuring DHCP Service Configuration Examples Figure 5-10 Creating the Static Routing Entry for VLAN 20 ■ Configuring the VLANs on the Relay Agent 1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 10 for the Marketing department and add port 1/0/1 as an untagged port to the VLAN.
  • Page 498 Configuring DHCP Service Configuration Examples 2) On the same page, click again to create VLAN 20 for the R&D department and add port 1/0/2 as an untagged port to the VLAN. Figure 5-12 Creating VLAN 20...
  • Page 499 Configuring DHCP Service Configuration Examples ■ Configuring the VLAN Interface and Routed Port on the Relay Agent 1) Choose the menu L3 FEATURES > Interface and click to load the following page. Create VLAN interface 10 and VLAN interface 20. Configure port 1/0/5 as the routed port.
  • Page 500 Configuring DHCP Service Configuration Examples Figure 5-15 Configuring the Routed Port ■ Configuring DHCP Interface Relay on the Relay Agent 1) Choose the menu L3 FEATURES > DHCP Service > DHCP Relay > DHCP Relay Config to load the following page. In the Global Config section, enable DHCP Relay, and click Apply.
  • Page 501: Using The Cli

    Configuring DHCP Service Configuration Examples Figure 5-18 Specify DHCP Server for Interface VLAN 20 3) Click to save the settings. 5.2.4 Using the CLI ■ Configuring the DHCP Server 1) Enable DHCP service globally. Switch#configure Switch(config)#service dhcp server 2) Create DHCP pool 1 and configure its network address as 192.168.2.0, subnet mask as 255.255.255.0, lease time as 120 minutes, default gateway as 192.168.2.1;...
  • Page 502 Configuring DHCP Service Configuration Examples Switch#copy running-config startup-config ■ Configuring the VLAN on the Relay Agent Switch(config)# vlan 10 Switch(config-vlan)#name Marketing Switch(config-vlan)#exit Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#switchport general allowed vlan 10 untagged Switch(config-if)#exit Switch(config)# vlan 20 Switch(config-vlan)#name RD Switch(config-vlan)#exit Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#switchport general allowed vlan 20 untagged Switch(config-if)#exit ■...
  • Page 503: Example For Dhcp Vlan Relay

    Configuring DHCP Service Configuration Examples 2) Specify the DHCP server for the interface VLAN 10. Switch(config)#interface vlan 10 Switch(config-if)#ip helper-address 192.168.0.59 Switch(config-if)#exit 3) Specify the DHCP server for interface VLAN 20 Switch(config)#interface vlan 20 Switch(config-if)#ip helper-address 192.168.0.59 Switch(config-if)#end Switch#copy running-config startup-config Verify the Configurations of the DHCP Relay Agent Switch#show ip dhcp relay DHCP relay is enabled...
  • Page 504: Configuration Scheme

    VLAN interface 1 (the default management VLAN interface) as the default relay agent interface, and specify the DHCP server address for VLAN 10 and VLAN 20. In this example, the DHCP server is demonstrated with T1600G-52TS and the DHCP relay agent is demonstrated with T1600G-28TS. The following sections provide configuration procedures in two ways: using the GUI and using the CLI.
  • Page 505: Using The Gui

    Configuring DHCP Service Configuration Examples 5.3.3 Using the GUI ■ Configuring the DHCP Server 1) Choose the menu L3 FEATURES > DHCP Service > DHCP Server > DHCP Server to load the following page. In the Global Config section, enable DHCP Server globally. Figure 5-20 Configuring DHCP Server 2) Choose the menu L3 FEATURES >...
  • Page 506 Configuring DHCP Service Configuration Examples ■ Configuring the VLANs on the Relay Agent 1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 10 for the Marketing department and add port 1/0/1 as an untagged port to the VLAN....
  • Page 507 Configuring DHCP Service Configuration Examples 2) On the same page, click again to create VLAN 20 for the R&D department and add port 1/0/2 as an untagged port to the VLAN. Figure 5-23 Creating VLAN 20 ■ Configuring DHCP VLAN Relay on the Relay Agent 1) Choose the menu L3 FEATURES >...
  • Page 508: Using The Cli

    Configuring DHCP Service Configuration Examples VLAN interface 1 (the default management VLAN interface) as the default relay-agent interface. Click Apply. Figure 5-25 Specify the Default Relay Agent Interface 3) Choose the menu L3 FEATURES > DHCP Service > DHCP Relay > DHCP VLAN Relay and click to load the following page.
  • Page 509 Configuring DHCP Service Configuration Examples Switch(dhcp-config)#lease 120 Switch(dhcp-config)#default-gateway 192.168.0.1 Switch(dhcp-config)#dns-server 192.168.0.2 Switch(dhcp-config)#end Switch#copy running-config startup-config ■ Configuring the VLAN on the Relay Agent Switch#configure Switch(config)# vlan 10 Switch(config-vlan)#name Marketing Switch(config-vlan)#exit Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#switchport general allowed vlan 10 untagged Switch(config-if)#exit Switch(config)# vlan 20 Switch(config-vlan)#name RD Switch(config-vlan)#exit...
  • Page 510: Example For Option 82 In Dhcp Relay

    Configuring DHCP Service Configuration Examples Verify the Configurations of the DHCP Relay Agent Switch#show ip dhcp relay Switch#show ip dhcp relay DHCP relay state: enabled DHCP relay default relay agent interface: Interface: VLAN 1 IP address: 192.168.0.1 DHCP vlan relay helper address is configured on the following vlan: vlan Helper address --------------------- -------------------------...
  • Page 511: Configuration Scheme

    Configuring DHCP Service Configuration Examples Figure 5-28 Network Topology for Option 82 in DHCP Relay (labels in the figure: DHCP Server 192.168.0.59/24; Switch A, DHCP Relay, 00:00:FF:FF:27:12; ports Gi1/0/1 and Gi1/0/2, each labelled VLAN 2, 192.168.2.1/24; Group 1, 192.168.2.50-192.168.2.100; Group 2, 192.168.2.150-192.168.2.200) 5.4.2 Configuration Scheme To meet the requirements, you can configure Option 82 in DHCP Relay on Switch A. With DHCP Relay enabled, the switch can forward DHCP requests and replies between clients and the server....
  • Page 512: Configuring The Dhcp Relay Switch

    Configuring DHCP Service Configuration Examples 5.4.3 Configuring the DHCP Relay Switch Using the GUI Follow these steps to configure DHCP relay and enable Option  82 in DHCP Relay on Switch A: 1) Choose the menu L3 FEATURES > DHCP Service > DHCP Relay > DHCP Relay Config to load the following page.
  • Page 513 Configuring DHCP Service Configuration Examples 3) Choose the menu L3 FEATURES > DHCP Service > DHCP Relay > DHCP Interface Relay and click to load the following page. Specify the DHCP server address to assign IP addresses for clients in VLAN 2. Click Create. Figure 5-31 Specify DHCP Server for Interface VLAN 2 4) Click to save the settings.
  • Page 514: Configuring The Dhcp Server

    Configuring DHCP Service Configuration Examples DHCP relay state: enabled DHCP relay helper address is configured on the following interfaces: Interface Helper address ------------ ------------------- VLAN2 192.168.0.59 View port settings: Switch#show ip dhcp relay information interface Interface Option 82 Status Operation Strategy Format Circuit ID --------- ---------------- ------------------ -------...
  • Page 515 Configuring DHCP Service Configuration Examples Group Sub-option Type (Hex) Length (Hex) Value (Hex) Circuit ID 00:02:00:02 Remote ID 00:00:FF:FF:27:12 The configuration file /etc/dhcpd.conf of the Linux ISC DHCP Server is: ddns-update-style interim; ignore client-updates; # Create two classes to match the pattern of Option 82 in DHCP request packets from # Group 1 and Group 2, respectively.
  • Page 516: Example For Dhcp L2 Relay

    Configuring DHCP Service Configuration Examples Example for DHCP L2 Relay 5.5.1 Network Requirements As the following figure shows, two groups of computers are connected to Switch A, and Switch A is connected to the DHCP server. All devices on the network are in the default VLAN 1.
  • Page 517: Configuring The Dhcp Relay Switch

    Configuring DHCP Service Configuration Examples 2) Configuring the DHCP Server The detailed configuration of the DHCP server varies between devices. Refer to the documentation for the DHCP server you use. 5.5.4 Configuring the DHCP Server, which uses a Linux ISC DHCP Server as the example, describes how to set up its DHCP configuration file....
  • Page 518 Configuring DHCP Service Configuration Examples Figure 5-34 Configuring Port 1/0/1 3) On the same page, select port 1/0/2, enable Option 82 Support and select Option 82 Policy as Replace. You can configure other parameters according to your needs. In this example, keep Format as Normal and Remote ID Customization as Disabled. Enable Circuit ID Customization and specify the Circuit ID as Group2.
  • Page 519 Configuring DHCP Service Configuration Examples Switch(config)#ip dhcp l2relay Switch(config)#ip dhcp l2relay vlan 1 2) On port 1/0/1, enable Option  82 and select Option  82 Policy as Replace. You can configure other parameters according to your needs. In this example, keep Format as Normal and Remote ID Customization as Disabled.
  • Page 520: Configuring The Dhcp Server

    Configuring DHCP Service Configuration Examples Switch#show ip dhcp l2relay information interface gigabitEthernet 1/0/1 Interface Option 82 Status Operation Strategy Format Circuit ID ... --------- ---------------- ------------------ ------- --------- Gi1/0/2 Enable Replace Normal Group2 5.5.4 Configuring the DHCP Server Note: • Make sure the DHCP server supports Option 82 and more than one DHCP address pool.
  • Page 521 Configuring DHCP Service Configuration Examples # Similarly, the offset of the agent remote ID is 2 and the length is 6. class "Group1" { match if substring (option agent.circuit-id, 2, 6) = "Group1" and substring (option agent.remote-id, 2, 6) = 00:00:ff:ff:27:12; } class "Group2"...
  • Page 522: Appendix: Default Parameters

    Configuring DHCP Service Appendix: Default Parameters Appendix: Default Parameters Default settings of DHCP Server are listed in the following table. Table 6-1 Default Settings of DHCP Server Parameter Default Setting Global Config DHCP Server Disabled Option 60 None Option 138 None Ping Time Config Ping Packets...
  • Page 523 Configuring DHCP Service Appendix: Default Parameters Parameter Default Setting Manual Binding Pool Name None IP Address None Binding Mode Client ID Client Id None Hardware Address None Hardware Type Ethernet Default settings of DHCP Relay are listed in the following table. Table 6-2 Default Settings of DHCP Relay Parameter...
  • Page 524 Configuring DHCP Service Appendix: Default Parameters Parameter Default Setting DHCP VLAN Relay Interface ID None VLAN ID None Server Address None Default settings of DHCP L2 Relay are listed in the following table. Table 6-3 Default Settings of DHCP L2 Relay Parameter Default Setting Global Config...
  • Page 525: Configuring Arp

    Part 16 Configuring ARP CHAPTERS 1. Overview 2. ARP Configurations 3. Appendix: Default Parameters...
  • Page 526: Overview

    Configuring ARP Overview Overview ARP (Address Resolution Protocol) is used to map IP addresses to MAC addresses. Taking an IP address as input, ARP learns the associated MAC address, and stores the IP-MAC address association in an ARP entry for rapid retrieval. Supported Features ARP Table The ARP table displays all the ARP entries, including dynamic entries and static entries.
  • Page 527 Configuring ARP Overview Figure 1-1 Proxy ARP Application VLAN Interface 3 VLAN Interface 2 192.168.2.1/24 192.168.3.1/24 192.168.2.10/16 192.168.3.20/16 Local Proxy ARP Local Proxy ARP is similar to Proxy ARP. As shown below, two hosts are in the same VLAN and connected to VLAN interface 1, but port 1/0/1 and port 1/0/2 are isolated on Layer 2. In this case, neither host can receive the other’s ARP request....
  • Page 528: Arp Configurations

    Configuring ARP ARP Configurations ARP Configurations With ARP configurations, you can: ■ View dynamic and static ARP entries. ■ Add or delete static ARP entries. To configure the Gratuitous ARP feature: ■ Configure the Gratuitous ARP globally and set the Gratuitous ARP sending interval. To configure the Proxy ARP feature: ■...
  • Page 529: Adding Static Arp Entries Manually

    Configuring ARP ARP Configurations Type Displays the type of an ARP entry. Static: The entry is added manually and will always remain the same. Dynamic: The entry will be deleted after the aging time expires. The default aging time value is 600 seconds. If you want to change the aging time, you can use the CLI to configure it....
  • Page 530: Configuring Proxy Arp

    Configuring ARP ARP Configurations Figure 2-3 Configuring Gratuitous ARP Follow these steps to configure the Gratuitous ARP feature for the interface. 1) In the Gratuitous ARP Global Settings section, configure the global parameters for gratuitous ARP. Then click Apply. Send on IP Interface Status: With this option enabled, the interface will send gratuitous ARP request packets when its status becomes up....
  • Page 531: Configuring Local Proxy Arp

    Configuring ARP ARP Configurations Figure 2-4 Configuring Proxy ARP Select the desired interface and enable proxy ARP. Then click Apply. IP Address Displays the IP address of the Layer 3 interface. Subnet Mask Displays the subnet mask of the IP address. Status Enable the proxy ARP feature on the interface....
  • Page 532: Using The Cli

    Configuring ARP ARP Configurations Using the CLI 2.2.1 Configuring the ARP Entry ■ Adding Static ARP Entries Follow these steps to add static ARP entries: Step 1 configure Enter global configuration mode. Step 2 arp ip mac type Add a static ARP entry. ip: Enter the IP address of the static ARP entry....
  • Page 533 Configuring ARP ARP Configurations Step 1 configure Enter global configuration mode. Step 2 arp timeout timeout Configure the ARP aging time of the VLAN interface or routed port. timeout: Specify the value of aging time, which ranges from 1 to 3000 in seconds. The default value is 1200 seconds....
  • Page 534: Configuring The Gratuitous Arp

    Configuring ARP ARP Configurations ■ Viewing ARP Entries In privileged EXEC mode or any other configuration mode, you can use the following command to view ARP entries: show arp [ ip ] [ mac ] ip: Specify the IP address of your desired ARP entry. mac: Specify the MAC address of your desired ARP entry....
  • Page 535 Configuring ARP ARP Configurations Switch#configure Switch(config)#gratuitous-arp dup-ip-detected enable Switch(config)#gratuitous-arp intf-status-up enable Switch(config)#gratuitous-arp learning enable Switch(config)#show gratuitous-arp Send on IP interface Status up : Enabled Send on Duplicate IP Detected : Enabled Gratuitous ARP Learning : Enabled Interface Gratuitous ARP Periodical Send Interval --------- ------------------------------------------ Gi1/0/18...
  • Page 536: Configuring Proxy Arp

    Configuring ARP ARP Configurations Step 4 show gratuitous-arp Show the gratuitous ARP configuration. Step 5 end Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file. This example shows how to configure the interval of sending gratuitous ARP packets for VLAN interface 1 as 10 seconds: Switch#configure Switch(config)#interface vlan 1...
  • Page 537 Configuring ARP ARP Configurations Three types of Layer 3 interface can be enabled with Proxy ARP: routed port, port-channel and VLAN interface. interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel | range port-channel port-channel-list |} no switchport Step 2...
  • Page 538 Configuring ARP ARP Configurations Three types of Layer 3 interface can be enabled with Local Proxy ARP: routed port, port-channel and VLAN interface. interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel | range port-channel port-channel-list |} no switchport Step 2...
  • Page 539: Appendix: Default Parameters

    Configuring ARP Appendix: Default Parameters Appendix: Default Parameters Default ARP settings are listed in the following tables. Table 3-1 Default Gratuitous Settings Parameter Default Setting Send on IP Interface Status Up Enabled Send on Duplicate IP Detected Disabled Gratuitous ARP Learning Disabled Gratuitous ARP Periodical Send Interval 0 second...
  • Page 540: Configuring Qos

    Part 17 Configuring QoS CHAPTERS 1. QoS 2. Class of Service Configuration 3. Bandwidth Control Configuration 4. Voice VLAN Configuration 5. Auto VoIP Configuration 6. Configuration Examples 7. Appendix: Default Parameters...
  • Page 541: Qos

    Configuring QoS Overview As networks grow and applications multiply, internet traffic has increased dramatically, resulting in network congestion, packet drops and long transmission delays. Typically, networks treat all traffic equally on a FIFO (First In First Out) delivery basis, but many applications such as VoD, video conferencing and VoIP require more bandwidth or a shorter transmission delay to guarantee performance....
  • Page 542 Configuring QoS can deteriorate a lot because of packet loss and delay. To ensure the high voice quality, you can configure Voice VLAN or Auto VoIP. These two features can be enabled on the ports that transmit voice traffic only or transmit both voice traffic and data traffic.
  • Page 543: Class Of Service Configuration

    Configuring QoS Class of Service Configuration Class of Service Configuration With class of service configurations, you can: ■ Configure port priority ■ Configure 802.1p priority ■ Configure DSCP priority ■ Specify the scheduler settings Configuration Guidelines ■ Select the priority mode that the ports trust according to your network requirements. A port can use only one priority to classify the ingress packets.
  • Page 544: Using The Gui

    Configuring QoS Class of Service Configuration Using the GUI 2.1.1 Configuring Port Priority ■ Configuring the Trust Mode and Port to 802.1p Mapping Choose the menu QoS > Class of Service > Port Priority to load the following page. Figure 2-1 Configuring the Trust Mode and Port to 802.1p Mapping Follow these steps to configure the parameters of the port priority: 1) Select the desired ports, specify the 802.1p priority and set the trust mode as Untrusted.
  • Page 545 Configuring QoS Class of Service Configuration ■ Configuring the 802.1p to Queue Mapping Choose the menu QoS > Class of Service > 802.1p Priority to load the following page. Figure 2-2 Configuring the 802.1p to Queue Mapping In the 802.1p to Queue Mapping section, configure the mappings and click Apply. 802.1p Priority Displays the number of 802.1p priority.
  • Page 546: Configuring 802.1P Priority

    Configuring QoS Class of Service Configuration 2.1.2 Configuring 802.1p Priority ■ Configuring the Trust Mode Choose the menu QoS > Class of Service > Port Priority to load the following page. Figure 2-3 Configuring the Trust Mode Follow these steps to configure the trust mode: 1) Select the desired ports and set the trust mode as Trust 802.1p.
  • Page 547 Configuring QoS Class of Service Configuration ■ Configuring the 802.1p to Queue Mapping and 802.1p Remap Choose the menu QoS > Class of Service > 802.1p Priority to load the following page. Figure 2-4 Configuring the 802.1p to Queue Mapping and 802.1p Remap Follow these steps to configure the parameters of the 802.1p priority: 1) In the 802.1p to Queue Mapping section, configure the mappings and click Apply.
  • Page 548: Configuring Dscp Priority

    Configuring QoS Class of Service Configuration Remap Select the number of 802.1p priority to which the original 802.1p priority will be remapped. 802.1p Remap is used to modify the 802.1p priority of the ingress packets. When the switch detects the packets with desired 802.1p priority, it will modify the value of 802.1p priority according to the map.
  • Page 549 Configuring QoS Class of Service Configuration ■ Configuring the 802.1p to Queue Mapping Choose the menu QoS > Class of Service > 802.1p Priority to load the following page. Figure 2-6 Configuring the 802.1p to Queue Mapping In the 802.1p to Queue Mapping section, configure the mappings and click Apply. 802.1p Priority Displays the number of 802.1p priority.
  • Page 550 Configuring QoS Class of Service Configuration ■ Configuring the DSCP to 802.1p Mapping and the DSCP Remap Choose the menu QoS > Class of Service >DSCP Priority to load the following page. Figure 2-7 Configuring the DSCP to 802.1p Mapping and the DSCP Remap Follow these steps to configure the DSCP Priority: 1) In the DSCP Priority Config section, configure the DSCP to 802.1p mapping and the DSCP remap.
  • Page 551: Specifying The Scheduler Settings

    Configuring QoS Class of Service Configuration 2.1.4 Specifying the Scheduler Settings Specify the scheduler settings to control the forwarding sequence of different TC queues when congestion occurs. Choose the menu QoS > Class of Service > Scheduler Settings to load the following page.
  • Page 552: Using Cli

    Configuring QoS Class of Service Configuration Scheduler Type Select the type of scheduling used for corresponding queue. When the network congestion occurs, the egress queue will determine the forwarding sequence of the packets according to the type. Strict: In this mode, the egress queue will use SP (Strict Priority) to process the traffic in different queues.
  • Page 553 Configuring QoS Class of Service Configuration Step 4 qos port-priority { dot1p-priority } Specify the port to 802.1p priority mapping for the desired port. The ingress packets from one port are first mapped to 802.1p priority based on the port to 802.1p mapping, then to TC queues based on the 802.1p to queue mapping.
  • Page 554: Configuring 802.1P Priority

    Configuring QoS Class of Service Configuration The following example shows how to configure the trust mode of port 1/0/1 as untrust, map the port 1/0/1 to 802.1p priority 1 and map 802.1p priority 1 to TC3: Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#qos trust mode untrust Switch(config-if)#qos port-priority 1 Switch(config-if)#exit...
  • Page 555 Configuring QoS Class of Service Configuration Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 3 qos trust mode { untrust | dot1p | dscp } Select the trust mode for the port.
  • Page 556 Configuring QoS Class of Service Configuration Step 5 show qos dot1p-remap Verify the 802.1p to 802.1p mappings. Step 6 end Return to privileged EXEC mode. Step 7 copy running-config startup-config Save the settings in the configuration file. Note: In Trust 802.1p mode, untagged packets are assigned an 802.1p priority based on the port to 802.1p mapping and are forwarded according to the 802.1p to queue mapping....
  • Page 557: Configuring Dscp Priority

    Configuring QoS Class of Service Configuration Dot1p Remap Switch(config)#end Switch#copy running-config startup-config 2.2.3 Configuring DSCP Priority ■ Configuring the Trust Mode Follow these steps to configure the trust mode: Step 1 configure Enter global configuration mode Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode.
  • Page 558 Configuring QoS Class of Service Configuration Step 2 qos cos-map { dot1p-priority } { tc-queue } Specify the 802.1p to queue mapping. The packets with the desired 802.1p priority will be put in the corresponding queues. By default, 802.1p priorities 0 to 7 are mapped to TC-1, TC-0, TC-2, TC-3, TC-4, TC-5, TC-6 and TC-7, respectively....
  • Page 559 Configuring QoS Class of Service Configuration Step 5 show qos dscp-remap Verify the DSCP to DSCP mappings. Step 6 end Return to privileged EXEC mode. Step 7 copy running-config startup-config Save the settings in the configuration file. Note: In Trust DSCP mode, non-IP packets are assigned an 802.1p priority based on the port to 802.1p mapping and are forwarded according to the 802.1p to queue mapping....
  • Page 560 Configuring QoS Class of Service Configuration DSCP to 802.1P ---- ---- ---- ---- ---- ---- ---- ---- DSCP: 10 11 12 13 14 15 DSCP to 802.1P ---- ---- ---- ---- ---- ---- ---- ---- DSCP: 17 18 19 20 21 22 23 DSCP to 802.1P ---- ---- ---- ---- ---- ---- ---- ---- DSCP:...
  • Page 561: Specifying The Scheduler Settings

    Configuring QoS Class of Service Configuration DSCP: 16 17 18 19 20 21 22 23 DSCP remap value 16 17 18 19 20 21 22 23 ---- ---- ---- ---- ---- ---- ---- ---- DSCP: 24 25 26 27 28 29 30 31 DSCP remap value 24 25 26 27 28 29 30 31 ---- ---- ---- ---- ---- ---- ---- ---- DSCP:...
  • Page 562 Configuring QoS Class of Service Configuration Step 3 qos queue tc-queue mode {sp | wrr} [weight weight ] Specify the type of scheduling used for corresponding queue. When the network congestion occurs, the egress queue will determine the forwarding sequence of the packets according to the type.
  • Page 563 Configuring QoS Class of Service Configuration Strict Switch(config-if)#end Switch#copy running-config startup-config...
  • Page 564: Bandwidth Control Configuration

    Configuring QoS Bandwidth Control Configuration Bandwidth Control Configuration With bandwidth control configurations, you can: ■ Configure rate limit ■ Configure storm control Using the GUI 3.1.1 Configuring Rate Limit Choose the menu QoS > Bandwidth Control > Rate Limit to load the following page. Figure 3-1 Configuring Rate Limit Follow these steps to configure the Rate Limit function: 1) Select the desired port and configure the upper rate limit to receive and send packets.
  • Page 565: Configuring Storm Control

    Configuring QoS Bandwidth Control Configuration 3.1.2 Configuring Storm Control Choose the menu QoS > Bandwidth Control > Storm Control to load the following page. Figure 3-2 Configuring Storm Control Follow these steps to configure the Storm Control function: 1) Select the desired port and configure the upper rate limit for forwarding broadcast packets, multicast packets and UL-frames (Unknown unicast frames).
  • Page 566: Using The Cli

    Configuring QoS Bandwidth Control Configuration UL-Frame Specify the upper rate limit for receiving unknown unicast frames. The valid Threshold (0- values differ among different rate modes. The value 0 means the unknown unicast 1,000,000) threshold is disabled. The traffic exceeding the limit will be processed according to the Action configurations.
  • Page 567: Configuring Storm Control

    Configuring QoS Bandwidth Control Configuration Step 4 show bandwidth interface [fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id ] Verify the ingress/egress rate limit for forwarding packets on the port or LAG. If no port or LAG is specified, it displays the upper ingress/egress rate limit for all ports or LAGs.
  • Page 568 Configuring QoS Bandwidth Control Configuration Step 3 storm-control rate-mode {kbps | ratio} Specify the Rate Mode for the broadcast threshold, multicast threshold and UL-Frame threshold on the desired port. kbps: The switch will limit the maximum speed of the specific kinds of traffic in kilo-bits per second.
  • Page 569 Configuring QoS Bandwidth Control Configuration Step 9 show storm-control interface [fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id ] Verify the storm control configurations of the port or LAG. If no port or LAG is specified, it displays the storm control configuration for all ports or LAGs.
  • Page 570: Voice Vlan Configuration

    Configuring QoS Voice VLAN Configuration Voice VLAN Configuration To complete the voice VLAN configurations, follow these steps: 1) Create an 802.1Q VLAN 2) Configure OUI addresses 3) Configure Voice VLAN globally 4) Add ports to Voice VLAN Configuration Guidelines ■ Before configuring voice VLAN, you need to create an 802.1Q VLAN for voice traffic. For details about 802.1Q VLAN Configuration, please refer to Configuring 802.1Q VLAN.
  • Page 571: Configuring Voice Vlan Globally

    Configuring QoS Voice VLAN Configuration Figure 4-1 Configuring OUI Addresses Follow these steps to configure the OUI addresses: 1) Click to load the following page. Figure 4-2 Creating an OUI Entry 2) Specify the OUI and the Description. Enter the OUI address of your voice devices. The OUI address is used by the switch to determine whether a packet is a voice packet.
  • Page 572: Adding Ports To Voice Vlan

    Configuring QoS Voice VLAN Configuration Figure 4-3 Configuring Voice VLAN Globally Follow these steps to configure voice VLAN globally: 1) Enable the voice VLAN feature and specify the parameters. VLAN ID Specify the 802.1Q VLAN ID to set the 802.1Q VLAN as the voice VLAN. Priority Select the priority that will be assigned to voice packets.
  • Page 573: Using The Cli

    Configuring QoS Voice VLAN Configuration Optional Status Displays the state of the Voice VLAN on the corresponding port. Active: Indicates that Voice VLAN function is enabled on the port. Inactive: Indicates that Voice VLAN function is disabled on the port. 2) Click Apply.
  • Page 574 Configuring QoS Voice VLAN Configuration Step 8 Return to privileged EXEC mode. Step 9 copy running-config startup-config Save the settings in the configuration file. The following example shows how to show the OUI table, set VLAN 8 as voice VLAN, set the priority as 6 and enable voice VLAN feature on port 1/0/3: Switch#configure Switch(config)#show voice vlan oui-table...
  • Page 575 Configuring QoS Voice VLAN Configuration Gi1/0/3 enabled Gi1/0/4 disabled Down Gi1/0/5 disabled Down Switch(config-if)#end Switch#copy running-config startup-config User Guide...
  • Page 576: Auto Voip Configuration

    Configuring QoS Auto VoIP Configuration Auto VoIP Configuration Configuration Guidelines ■ Before configuring Auto VoIP, you need to enable LLDP-MED on ports and configure the relevant parameters. For details about LLDP-MED configuration, please refer to Configuring LLDP. ■ Auto VoIP provides flexible solutions for optimizing the voice traffic. It can work with other features such as VLAN and Class of Service to process the voice packets with specific fields.
  • Page 577: Using The Cli

    Configuring QoS Auto VoIP Configuration Interface Mode Select the interface mode for the port. Disable: Disable the Auto VoIP function on the corresponding port. None: Allow the voice devices to use its own configuration to send voice traffic. VLAN ID: The voice devices will send voice packets with desired VLAN tag. If this mode is selected, it is necessary to specify the VLAN ID in the Value field.
  • Page 578 Configuring QoS Auto VoIP Configuration Step 3 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 4 Select the interface mode for the port.
  • Page 579 Configuring QoS Auto VoIP Configuration Step 7 show auto-voip Verify the global state of Auto VoIP. Step 8 show auto-voip interface Verify the Auto VoIP configuration information of ports. Step 8 Return to privileged EXEC mode. Step 9 copy running-config startup-config Save the settings in the configuration file.
  • Page 580 Configuring QoS Auto VoIP Configuration Interface.Gi1/0/3 Auto-VoIP Interface Mode. Enabled Auto-VoIP Priority. Auto-VoIP COS Override. True Auto-VoIP DSCP Value. Auto-VoIP Port Status. Enabled Switch(config-if)#end Switch#copy running-config startup-config User Guide...
  • Page 581: Configuration Examples

    Configuring QoS Configuration Examples Configuration Examples Example for Class of Service 6.1.1 Network Requirements As shown below, both RD department and Marketing department can access the internet. When congestion occurs, the traffic from two departments can both be forwarded and the traffic from the Marketing department should take precedence.
  • Page 582: Using The Gui

    Configuring QoS Configuration Examples Demonstrated with T1600G-28TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. 6.1.3 Using the GUI 1) Choose the menu QoS > Class of Service > Port Priority to load the following page. Set the trust mode of port 1/0/1 and 1/0/2 as untrusted.
  • Page 583 Configuring QoS Configuration Examples Figure 6-3 Configuring the 802.1p to Queue Mappings 3) Choose the menu QoS > Class of Service > Scheduler Settings to load the following page. Select the port 1/0/3 and set the scheduler type of TC-0 and TC-1 as Weighted. Specify the queue weight of TC-0 as 1 and specify the queue weight of TC-1 as 5.
  • Page 584: Using The Cli

    Configuring QoS Configuration Examples Figure 6-4 Configuring the Egress Queue 4) Click to save the settings. 6.1.4 Using the CLI 1) Set the trust mode of port 1/0/1 as untrusted and specify the 802.1p priority as 1. Switch_A#configure Switch_A(config)#interface gigabitEthernet 1/0/1 Switch_A(config-if)#qos trust mode untrust Switch_A(config-if)#qos port-priority 1 Switch_A(config-if)#exit...
  • Page 585 Configuring QoS Configuration Examples 4) Set the scheduler type of TC-0 and TC-1 as Weighted for egress port 1/0/3. Specify the queue weight of TC-0 as 1 and specify the queue weight of TC-1 as 5.
    Switch_A(config)#interface gigabitEthernet 1/0/3
    Switch_A(config-if)#qos queue 0 mode wrr weight 1
    Switch_A(config-if)#qos queue 1 mode wrr weight 5
    Switch_A(config-if)#end
    Switch_A#copy running-config startup-config...
  • Page 586: Example For Voice Vlan

    Configuring QoS Configuration Examples Switch_A#show qos cos-map ---------------+-----+-----+-----+-----+-----+-----+----+---- Dot1p Value |0 ---------------+-----+-----+-----+-----+-----+-----+----+---- |TC1 |TC0 |TC2 |TC4 |TC4 |TC5 |TC6 |TC7 ---------------+-----+-----+-----+-----+-----+-----+----+---- Verify the scheduler mode of the egress port: Switch _A#show qos queue interface gigabitEthernet 1/0/3 Gi1/0/3----LAG: N/A Queue Schedule Mode Weight ----- ---------- -----...
  • Page 587: Configuration Scheme

    Configuring QoS Configuration Examples Figure 6-5 Voice VLAN Application Topology Switch B Gi1/0/4 Switch A Gi1/0/1 Gi1/0/3 Gi1/0/2 VLAN 2 VLAN 3 IP Phone 1 IP Phone 2 PC 3 6.2.2 Configuration Scheme To implement this requirement, you can configure Voice VLAN to ensure that the voice traffic can be transmitted in the same VLAN and the data traffic is transmitted in another VLAN.
  • Page 588 Configuring QoS Configuration Examples Figure 6-6 Configuring VLAN 2 2) Click to load the following page. Create VLAN 3 and add untagged port 1/0/3 and port 1/0/4 to VLAN 3. Click Create. User Guide...
  • Page 589 Configuring QoS Configuration Examples Figure 6-7 Configuring VLAN 3 3) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > Port Config to load the following page. Disable the Ingress Checking feature on port 1/0/1 and port 1/0/2 and specify the PVID as 2. Click Apply. User Guide...
  • Page 590 Configuring QoS Configuration Examples Figure 6-8 Specifying the Parameters of the Ports 4) Choose the menu QoS > Voice VLAN > OUI Config to load the following page. Check the OUI table. Figure 6-9 Checking the OUI Table 5) Choose the menu QoS > Voice VLAN > Global Config to load the following page. Enable Voice VLAN globally.
  • Page 591: Using The Cli

    Configuring QoS Configuration Examples Figure 6-10 Configuring Voice VLAN Globally 6) Choose the menu QoS > Voice VLAN > Port Config to load the following page. Enable Voice VLAN on port 1/0/1 and port 1/0/2. Click Apply. Figure 6-11 Enabling Voice VLAN on Ports 7) Click to save the settings.
  • Page 592 Configuring QoS Configuration Examples Switch_A(config-if)#switchport general allowed vlan 2 untagged Switch_A(config-if)#exit Switch_A(config)#interface gigabitEthernet 1/0/4 Switch_A(config-if)#switchport general allowed vlan 2 untagged Switch_A(config-if)#exit 2) Create VLAN 3 and add untagged port 1/0/3 and port 1/0/4 to VLAN 3. Switch_A(config)#vlan 3 Switch_A(config-vlan)#name VLAN3 Switch_A(config-vlan)#exit Switch_A(config)#interface gigabitEthernet 1/0/3 Switch_A(config-if)#switchport general allowed vlan 3 untagged...
  • Page 593 Configuring QoS Configuration Examples 00:60:B9 Default NITSUKO 00:D0:1E Default PINTEL 00:E0:75 Default VERILINK 00:E0:BB Default 3COM 00:04:0D Default AVAYA1 00:1B:4F Default AVAYA2 00:04:13 Default SNOM 5) Enable Voice VLAN globally. Specify the VLAN ID as 2 and set the priority as 7. Switch_A(config)#voice vlan 2 Switch_A(config)#voice vlan priority 7 6) Enable Voice VLAN on port 1/0/1 and port 1/0/2.
  • Page 594: Example For Auto Voip

    Configuring QoS Configuration Examples VoiceVLAN active Gi1/0/1, Gi1/0/2, Gi1/0/4 VLAN3 active Gi1/0/3, Gi1/0/4 Verify the Voice VLAN configuration: Switch_A(config)#show voice vlan interface Voice VLAN ID Priority Interface Voice VLAN Mode Operational Status LAG --------- --------------- ------------------ Gi1/0/1 enabled Gi1/0/2 enabled Gi1/0/3 disabled Down...
  • Page 595: Configuration Scheme

    Configuring QoS Configuration Examples Figure 6-12 Auto VoIP Application Topology Switch B Gi1/0/2 Gi1/0/1 Switch A PC 10 IP Phone 10 6.3.2 Configuration Scheme To optimize voice traffic, configure Auto VoIP and LLDP-MED to instruct IP Phones to send traffic with desired DSCP priority. Voice traffic is put in the desired queue and data traffic is put in other queues according to the Class of Service configurations.
  • Page 596 Configuring QoS Configuration Examples Figure 6-13 Configuring Auto VoIP 2) Choose the menu QoS > Class of Service > Port Priority to load the following page. Set the trust mode of port 1/0/1 as trust DSCP. Click Apply. Figure 6-14 Configuring Port Priority 3) Choose the menu QoS >...
  • Page 597 Configuring QoS Configuration Examples Figure 6-15 Specifying the 802.1p priority for DSCP priority 63 4) Specify the 802.1p priority as 5 for other DSCP priorities. Click Apply. Figure 6-16 Specifying the 802.1p priority for Other DSCP priorities 5) Choose the menu QoS > Class of Service > Scheduler Settings to load the following page.
  • Page 598 Configuring QoS Configuration Examples Figure 6-17 Configuring the TC-5 for the Port 6) Select port 1/0/2. Set the scheduler mode as weighted and specify the queue weight as 10 for TC-7. Click Apply. Figure 6-18 Configuring the TC-7 for the Port User Guide...
  • Page 599 Configuring QoS Configuration Examples 7) Choose the menu L2 FEATURES > LLDP > LLDP-MED Config > Port Config and click Detail of port 1/0/1 to load the following page. Check the boxes of all the TLVs. Click Save. Figure 6-19 Configuring the TLVs 8) Choose the menu L2 FEATURES >...
  • Page 600: Using The Cli

    Configuring QoS Configuration Examples 9) Click to save the settings. 6.3.4 Using the CLI 1) Enable Auto VoIP globally and specify the DSCP value of port 1/0/1 as 63. Switch_A#configure Switch_A(config)#auto-voip Switch_A(config)#interface gigabitEthernet 1/0/1 Switch_A(config-if)#auto-voip dscp 63 Switch_A(config-if)#exit 2) Set the trust mode of port 1/0/1 as trust DSCP. Specify the 802.1p priority as 7 for DSCP priority 63 and specify 802.1p priority as 5 for other DSCP priorities.
  • Page 601 Configuring QoS Configuration Examples Verify the configurations Verify the configuration of Auto VoIP: Switch_A(config)#show auto-voip Administrative Mode: Enabled Verify the Auto VoIP configuration of ports: Switch_A(config)#show auto-voip interface Interface.Gi1/0/1 Auto-VoIP Interface Mode. Disabled Auto-VoIP COS Override. False Auto-VoIP DSCP Value. Auto-VoIP Port Status.
  • Page 602 Configuring QoS Configuration Examples Switch_A(config)#show qos cos-map ---------------+-----+-----+-----+-----+-----+-----+----+---- Dot1p Value |0 ---------------+-----+-----+-----+-----+-----+-----+----+---- |TC1 |TC0 |TC2 |TC3 |TC4 |TC5 |TC6 |TC7 ---------------+-----+-----+-----+-----+-----+-----+----+---- Switch_A(config)#show qos dscp-map DSCP: DSCP to 802.1P ---- ---- ---- ---- ---- ---- ---- ---- DSCP: 10 11 12 13 14 15 DSCP to 802.1P ---- ---- ---- ---- ---- ---- ---- ---- DSCP:...
  • Page 603 Configuring QoS Configuration Examples DSCP to 802.1P 5 ---- ---- ---- ---- ---- ---- ---- --- Verify the configuration of LLDP-MED: Switch_A(config)#show lldp interface LLDP interface config: gigabitEthernet 1/0/1: Admin Status: TxRx SNMP Trap: Disabled Status ------ Port-Description System-Capability System-Description System-Name Management-Address Port-VLAN-ID...
  • Page 604 Configuring QoS Configuration Examples Location Identification Extended Power Via MDI Inventory Management User Guide...
  • Page 605: Appendix: Default Parameters

    Configuring QoS Appendix: Default Parameters Appendix: Default Parameters Default settings of Class of Service are listed in the following tables. Table 7-1 Default Settings of Port Priority Configuration Parameter Default Setting 802.1P Priority Trust Mode Untrusted Table 7-2 Default Settings of 802.1p to Queue Mapping 802.1p Priority Queues (8) Table 7-3...
  • Page 606 Configuring QoS Appendix: Default Parameters DSCP 802.1p Priority 16 to 23 24 to 31 32 to 39 40 to 47 48 to 55 56 to 63 Table 7-5 Default Settings of DSCP Remap Configuration Original New DSCP Original New DSCP Original New DSCP DSCP...
  • Page 607 Configuring QoS Appendix: Default Parameters Table 7-6 Default Settings of Scheduler Settings Configuration Parameter Default Setting Scheduler Type Weighted Queue Weight Management Taildrop Type Default settings of Class of Service are listed in the following tables. Table 7-7 Default Settings of Bandwidth Control Parameter Default Setting Ingress Rate (0-...
  • Page 608 Configuring QoS Appendix: Default Parameters Table 7-10 Default Settings of Port Configuration Parameter Default Setting Voice VLAN Disabled Table 7-11 Default Settings of OUI Table Status Description 00:01:E3 Default SIEMENS 00:03:6B Default CISCO1 00:12:43 Default CISCO2 00:0F:E2 Default 00:60:B9 Default NITSUKO 00:D0:1E Default...
  • Page 609: Configuring Access Security

    Part 18 Configuring Access Security CHAPTERS 1. Access Security 2. Access Security Configurations 3. Appendix: Default Parameters...
  • Page 610: Access Security

    Configuring Access Security Access Security Access Security Overview Access Security provides different security measures for accessing the switch remotely so as to enhance the configuration management security. Supported Features Access Control This function is used to control the users’ access to the switch based on IP address, MAC address or port.
  • Page 611: Access Security Configurations

    Configuring Access Security Access Security Configurations Access Security Configurations With access security configurations, you can: ■ Configure the Access Control feature ■ Configure the HTTP feature ■ Configure the HTTPS feature ■ Configure the SSH feature ■ Configure the Telnet function Using the GUI 2.1.1 Configuring the Access Control Feature Choose the menu SECURITY >...
  • Page 612 Configuring Access Security Access Security Configurations 2) In the Entry Table section, click to add an Access Control entry. ■ When the IP-based mode is selected, the following window will pop up. Figure 2-2 Configuring Access Control Based on IP Range Access Select the interfaces where to apply the Access Control rule.
  • Page 613 Configuring Access Security Access Security Configurations Access Select the interfaces where to apply the Access Control rule. If an interface is Interface unselected, all users can access the switch via it. SNMP: A function to manage the network devices via NMS. Telnet: A connection type for users to remote login.
  • Page 614: Configuring The Http Function

    Configuring Access Security Access Security Configurations Port Select one or more ports. Only the users who are connected to these ports can access the switch via the specified interfaces. 3) Click Create. Then you can view the created entries in the table. 2.1.2 Configuring the HTTP Function Choose the menu SECURITY >...
  • Page 615 Configuring Access Security Access Security Configurations Number Control Enable or disable Number Control. With this option enabled, you can control the number of the users logging on to the web management page at the same time. The total number of users should be no more than 16. Number of Specify the maximum number of users whose access level is Admin.
  • Page 616: Configuring The Https Function

    Configuring Access Security Access Security Configurations 2.1.3 Configuring the HTTPS Function Choose the menu SECURITY > Access Security > HTTPS Config to load the following page. Figure 2-6 Configuring the HTTPS Function 1) In the Global Config section, enable the HTTPS function, select the protocol version that the switch supports and specify the port used for HTTPS.
  • Page 617 Configuring Access Security Access Security Configurations HTTPS Enable or disable the HTTPS function. HTTPS function is based on the SSL or TLS protocol. It provides a secure connection between the client and the switch. Protocol Select the protocol version for HTTPS. Make sure the protocol in use is Version compatible with that on your HTTPS client.
  • Page 618 Configuring Access Security Access Security Configurations 4) In the Number of Access Users section, enable Number Control function, specify the following parameters and click Apply. Number Control Enable or disable Number Control. With this option enabled, you can control the number of the users logging on to the web management page at the same time.
  • Page 619: Configuring The Ssh Feature

    Configuring Access Security Access Security Configurations 2.1.4 Configuring the SSH Feature Choose the menu SECURITY > Access Security > SSH Config to load the following page. Figure 2-7 Configuring the SSH Feature 1) In the Global Config section, select Enable to enable SSH function and specify following parameters.
  • Page 620: Configuring The Telnet Function

    Configuring Access Security Access Security Configurations Protocol V1 Select Enable to enable SSH version 1. Protocol V2 Select Enable to enable SSH version 2. Idle Timeout Specify the idle timeout time. The system will automatically release the connection when the time is up. Maximum Specify the maximum number of the connections to the SSH server.
  • Page 621: Using The Cli

    Configuring Access Security Access Security Configurations Using the CLI 2.2.1 Configuring the Access Control Feature Follow these steps to configure the access control: Step 1 configure Enter global configuration mode. Step 2 ■ Use the following command to control the users’ access by limiting the IP address: user access-control ip-based enable Configure the control mode as IP-based.
  • Page 622: Configuring The Http Function

    Configuring Access Security Access Security Configurations Step 3 show user configuration Verify the security configuration information of the user authentication information and the access interface. Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set the type of access control as IP-based.
  • Page 623 Configuring Access Security Access Security Configurations Step 4 ip http max-users admin-num operator-num poweruser-num user-num Specify the maximum number of users that are allowed to connect to the HTTP server. The total number of users should be no more than 16. admin-num : Enter the maximum number of users whose access level is Admin.
  • Page 624: Configuring The Https Function

    Configuring Access Security Access Security Configurations Switch#copy running-config startup-config 2.2.3 Configuring the HTTPS Function Follow these steps to configure the HTTPS function: Step 1 configure Enter global configuration mode. Step 2 ip http secure-server Enable the HTTPS function. By default, it is enabled. Step 3 ip http secure-protocol { ssl3 | tls1 | tls11 | tls12 | all } Select the protocol version for HTTPS.
  • Page 625 Configuring Access Security Access Security Configurations Step 5 ip http secure-session timeout minutes Specify the Session Timeout time. The system will log out automatically if users do nothing within the Session Timeout time. minutes : Specify the timeout time, which ranges from 5 to 30 minutes. The default value is 10. Step 6 ip http secure-max-users admin-num operator-num poweruser-num user-num Specify the maximum number of users that are allowed to connect to the HTTPS server.
  • Page 626 Configuring Access Security Access Security Configurations number as 2. Download the certificate named ca.crt and the key named ca.key from the TFTP server with the IP address 192.168.0.100.
    Switch#configure
    Switch(config)#ip http secure-server
    Switch(config)#ip http secure-protocol all
    Switch(config)#ip http secure-ciphersuite 3des-ede-cbc-sha
    Switch(config)#ip http secure-session timeout 15
    Switch(config)#ip http secure-max-users 2 2 2 2
    Switch(config)#ip http secure-server download certificate ca.crt ip-address...
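An added example, not taken from the TP-Link manual: a small Python audit that reads the HTTPS and SSH management commands described in these sections and flags settings that leave legacy protocols or ciphers enabled, including the `secure-protocol all` and `3des-ede-cbc-sha` choices used in the manual's own example. The sample sessions are constructed from commands shown in this guide; the function names, the cipher substring heuristic, the `no` prefix handling and the treatment of anything below TLS 1.2 as legacy are assumptions of this example.

```python
import re

# Strips a CLI prompt such as "Switch(config)#" or "Switch_A(config-if)#".
PROMPT = re.compile(r"^[\w-]+(?:\([\w-]+\))?#\s*")

# Assumption of this example: HTTPS versions below TLS 1.2 count as legacy.
LEGACY_HTTPS = {"ssl3", "tls1", "tls11"}
# Heuristic (assumption): cipher-suite names containing these substrings are weak.
WEAK_CIPHER_MARKERS = ("des", "rc4", "md5")
# From the guide: the total number of web users should be no more than 16.
MAX_WEB_USERS = 16

# Constructed session, built from the commands in the guide's HTTPS and SSH steps.
WEAK_SAMPLE = """\
Switch#configure
Switch(config)#ip http secure-server
Switch(config)#ip http secure-protocol all
Switch(config)#ip http secure-ciphersuite 3des-ede-cbc-sha
Switch(config)#ip http secure-session timeout 15
Switch(config)#ip http secure-max-users 2 2 2 2
Switch(config)#ip ssh server
Switch(config)#ip ssh version v1
"""

# Constructed session with the legacy options left out. The "no" form on the
# last line is an assumption (usual CLI negation) and is skipped by the audit.
HARDENED_SAMPLE = """\
Switch#configure
Switch(config)#ip http secure-server
Switch(config)#ip http secure-protocol tls12
Switch(config)#ip http secure-session timeout 5
Switch(config)#ip ssh server
Switch(config)#ip ssh version v2
Switch(config)#no ip ssh version v1
"""


def audit(cli_text):
    """Return a list of (line_number, rule_id, detail) findings."""
    findings = []
    for lineno, raw in enumerate(cli_text.splitlines(), start=1):
        cmd = PROMPT.sub("", raw.strip()).lower()
        if not cmd or cmd.startswith("no "):
            continue  # blank line, bare prompt, or a negated command
        words = cmd.split()
        head, args = words[:3], words[3:]

        if head == ["ip", "http", "secure-protocol"]:
            # "all" turns on every version, including SSL 3.0.
            legacy = LEGACY_HTTPS if "all" in args else LEGACY_HTTPS & set(args)
            if legacy:
                findings.append((lineno, "https-protocol",
                                 "legacy versions enabled: "
                                 + ", ".join(sorted(legacy))))
        elif head == ["ip", "http", "secure-ciphersuite"]:
            weak = [a for a in args
                    if any(marker in a for marker in WEAK_CIPHER_MARKERS)]
            if weak:
                findings.append((lineno, "https-cipher",
                                 "weak cipher suite: " + ", ".join(weak)))
        elif head == ["ip", "ssh", "version"]:
            if "v1" in args:
                findings.append((lineno, "ssh-v1", "SSH protocol version 1 enabled"))
        elif head in (["ip", "http", "max-users"],
                      ["ip", "http", "secure-max-users"]):
            counts = [int(a) for a in args if a.isdigit()]
            if sum(counts) > MAX_WEB_USERS:
                findings.append((lineno, "web-max-users",
                                 f"total of {sum(counts)} exceeds {MAX_WEB_USERS}"))
    return findings


def rule_ids(cli_text):
    """Convenience view: just the rule identifiers, in line order."""
    return [rule for _, rule, _ in audit(cli_text)]


if __name__ == "__main__":
    for lineno, rule, detail in audit(WEAK_SAMPLE):
        print(f"line {lineno}: [{rule}] {detail}")
```

The input here is typed command text; the exact layout that the switch prints for its saved configuration is not shown in this guide, so adapt the matching if you feed it exported configuration files.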
  • Page 627: Configuring The Ssh Feature

    Configuring Access Security Access Security Configurations 2.2.4 Configuring the SSH Feature Follow these steps to configure the SSH function: Step 1 configure Enter global configuration mode. Step 2 ip ssh server Enable the SSH function. By default, it is disabled. Step 3 ip ssh version { v1 | v2 } Configure to make the switch support the corresponding protocol.
  • Page 628 Configuring Access Security Access Security Configurations Step 9 Return to privileged EXEC mode. Step 10 copy running-config startup-config Save the settings in the configuration file. Note: It will take a long time to download the key file. Please wait without any operation. The following example shows how to configure the SSH function.
  • Page 629: Configuring The Telnet Function

    Configuring Access Security Access Security Configurations AES192-CBC: Disabled AES256-CBC: Disabled Blowfish-CBC: Disabled Cast128-CBC: Enabled 3DES-CBC: Disabled Data Integrity Algorithm: HMAC-SHA1: Disabled HMAC-MD5: Enabled Key Type: SSH-2 RSA/DSA Key File: ---- BEGIN SSH2 PUBLIC KEY ---- Comment: “dsa-key-20160711” Switch(config)#end Switch#copy running-config startup-config 2.2.5 Configuring the Telnet Function Follow these steps to enable the Telnet function: Step 1...
  • Page 630: Appendix: Default Parameters

    Configuring Access Security Appendix: Default Parameters Appendix: Default Parameters Default settings of Access Security are listed in the following tables. Table 3-1 Default Settings of Access Control Configuration Parameter Default Setting Access Control Disabled Table 3-2 Default Settings of HTTP Configuration Parameter Default Setting HTTP...
  • Page 631 Configuring Access Security Appendix: Default Parameters Parameter Default Setting Idle Timeout 120 seconds Maximum Connections Port AES128-CBC Enabled AES192-CBC Enabled AES256-CBC Enabled Blowfish-CBC Enabled Cast128-CBC Enabled 3DES-CBC Enabled HMAC-SHA1 Enabled HMAC-MD5 Enabled Key Type: SSH-2 RSA/DSA Table 3-5 Default Settings of Telnet Configuration Parameter Default Setting Telnet...
  • Page 633: Configuring Aaa

    Part 19 Configuring AAA CHAPTERS 1. Overview 2. AAA Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 634: Overview

    Overview Overview AAA stands for authentication, authorization and accounting. On TP-Link switches, this feature is mainly used to authenticate the users trying to log in to the switch or get administrative privileges. The administrator can create guest accounts and an Enable password for other users.
  • Page 635: Aaa Configuration

    Configuring AAA AAA Configuration AAA Configuration In the AAA feature, the authentication can be processed locally on the switch or centrally on the RADIUS/TACACS+ server(s). To ensure the stability of the authentication system, you can configure multiple servers and authentication methods at the same time. This chapter introduces how to configure this kind of comprehensive authentication in AAA.
  • Page 636: Using The Gui

    Configuring AAA AAA Configuration ■ AAA Application List The switch supports the following access applications: Telnet, SSH and HTTP. You can select the configured authentication method lists for each application. Using the GUI 2.1.1 Adding Servers You can add one or more RADIUS/TACACS+ servers on the switch for authentication. If multiple servers are added, the server that is first added to the group has the highest priority and authenticates the users trying to access the switch.
  • Page 637 Configuring AAA AAA Configuration Accounting Port Specify the UDP destination port on the RADIUS server for accounting requests. The default setting is 1813. Usually, it is used in the 802.1x feature. Retransmit Specify the number of times a request is resent to the server if the server does not respond.
  • Page 638: Configuring Server Groups

    Configuring AAA AAA Configuration 2.1.2 Configuring Server Groups The switch has two built-in server groups, one for RADIUS servers and the other for TACACS+ servers. The servers running the same protocol are automatically added to the default server group. You can add new server groups as needed. Choose the menu SECURITY >...
  • Page 639: Configuring The Method List

    Configuring AAA AAA Configuration 2.1.3 Configuring the Method List A method list describes the authentication methods and their sequence to authenticate the users. The switch supports Login Method List for users of all types to gain access to the switch, and Enable Method List for guests to get administrative privileges. Choose the menu SECURITY >...
  • Page 640: Configuring The Aaa Application List

    Configuring AAA AAA Configuration Method List Name Specify a name for the method. Pri1- Pri4 Specify the authentication methods in order. The method with priority 1 authenticates a user first, the method with priority 2 is tried if the previous method does not respond, and so on.
  • Page 641: Configuring Login Account And Enable Password

    Configuring AAA AAA Configuration 2.1.5 Configuring Login Account and Enable Password The login account and Enable password can be configured locally on the switch or centrally on the RADIUS/TACACS+ server(s). ■ On the Switch The local username and password for login can be configured in the User Management feature.
  • Page 642: Using The Cli

    Configuring AAA AAA Configuration Using the CLI 2.2.1 Adding Servers You can add one or more RADIUS/TACACS+ servers on the switch for authentication. If multiple servers are added, the server with the highest priority authenticates the users trying to access the switch, and the others act as backup servers in case the first one breaks down.
  • Page 643 Configuring AAA AAA Configuration Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to add a RADIUS server on the switch. Set the IP address of the server as 192.168.0.10, the authentication port as 1812, the shared key as 123456, the timeout as 8 seconds and the retransmit number as 3.
  • Page 644: Configuring Server Groups

    Configuring AAA AAA Configuration Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to add a TACACS+ server on the switch. Set the IP address of the server as 192.168.0.20, the authentication port as 49, the shared key as 123456, and the timeout as 8 seconds.
  • Page 645: Configuring The Method List

    Configuring AAA AAA Configuration Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create a RADIUS server group named RADIUS1 and add the existing two RADIUS servers whose IP address is 192.168.0.10 and 192.168.0.20 to the group.
  • Page 646 Configuring AAA AAA Configuration Step 3 aaa authentication enable { method-list } { method1 } [ method2 ] [ method3 ] [ method4 ] Configure an Enable password method list. method-list Specify a name for the method list. method1/method2/method3/method4 Specify the authentication methods in order. The default methods include radius, tacacs, local and none.
  • Page 647: Configuring The Aaa Application List

    Configuring AAA AAA Configuration Switch#copy running-config startup-config 2.2.4 Configuring the AAA Application List You can configure authentication method lists on the following access applications: Telnet, SSH and HTTP. ■ Telnet Follow these steps to apply the Login and Enable method lists for the application Telnet: Step 1 configure Enter global configuration mode.
  • Page 648 Configuring AAA AAA Configuration Telnet Login1 Enable1 default default Http default default Switch(config-line)#end Switch#copy running-config startup-config ■ SSH Follow these steps to apply the Login and Enable method lists for the application SSH: Step 1 configure Enter global configuration mode. Step 2 line ssh Enter line configuration mode.
  • Page 649 Configuring AAA AAA Configuration Telnet default default Login1 Enable1 Http default default Switch(config-line)#end Switch#copy running-config startup-config ■ HTTP Follow these steps to apply the Login and Enable method lists for the application HTTP: Step 1 configure Enter global configuration mode. Step 2 ip http login authentication { method-list } Apply the Login method list for the application HTTP.
  • Page 650: Configuring Login Account And Enable Password

    Configuring AAA AAA Configuration Switch(config)#end Switch#copy running-config startup-config 2.2.5 Configuring Login Account and Enable Password The login account and Enable password can be configured locally on the switch or centrally on the RADIUS/TACACS+ server(s). ■ On the Switch The local username and password for login can be configured in the User Management feature.
  • Page 651 Configuring AAA AAA Configuration ■ On the Server The accounts created by the RADIUS/TACACS+ server can only view the configurations and some network information without the Enable password. Some configuration principles on the server are as follows: ■ For Login authentication configuration, more than one login account can be created on the server.
  • Page 652: Configuration Example

    Configuring AAA Configuration Example Configuration Example Network Requirements As shown below, the switch needs to be managed remotely via Telnet. In addition, the senior administrator of the company wants to create an account for the less senior administrators, who can only view the configurations and some network information without the Enable password provided.
  • Page 653: Using The Gui

    Configuring AAA Configuration Example Demonstrated with T1600G-52TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. Using the GUI 1) Choose the menu SECURITY > AAA > RADIUS Config and click to load the following page.
  • Page 654 Configuring AAA Configuration Example 3) Choose the menu SECURITY > AAA > Server Group to load the following page. Click . Specify the group name as RADIUS1 and the server type as RADIUS. Select 192.168.0.10 and 192.168.0.20 from the drop-down list. Click Create to create the server group.
  • Page 655: Using The Cli

    Configuring AAA Configuration Example Figure 3-6 Configure Enable Method List 6) Choose the menu SECURITY > AAA > Global Config to load the following page. In the AAA Application List section, select telnet and configure the Login List as Method-Login and Enable List as Method-Enable. Then click Apply. Figure 3-7 Configure AAA Application List 7) Click to save the settings.
  • Page 656 Configuring AAA Configuration Example 3) Create two method lists: Method-Login and Method-Enable, and configure the server group RADIUS1 as the authentication method for the two method lists. Switch(config)#aaa authentication login Method-Login RADIUS1 Switch(config)#aaa authentication enable Method-Enable RADIUS1 4) Configure Method-Login and Method-Enable as the authentication method for the Telnet application.
  • Page 657 Configuring AAA Configuration Example default none Method-Enable RADIUS1 Verify the status of the AAA feature and the configuration of the AAA application list: Switch#show aaa global Module Login List Enable List Telnet Method-Login Method-Enable default default Http default default User Guide...
  • Page 658: Appendix: Default Parameters

    Configuring AAA Appendix: Default Parameters Appendix: Default Parameters Default settings of AAA are listed in the following tables. Table 4-1 Parameter Default Setting Global Config AAA Feature Enabled RADIUS Config Server IP None Shared Key None Auth Port 1812 Acct Port 1813 Retransmit Timeout...
  • Page 659 Configuring AAA Appendix: Default Parameters Parameter Default Setting AAA Application List Login List: default telnet Enable List: default Login List: default Enable List: default Login List: default http Enable List: default User Guide...
  • Page 660: Configuring 802.1X

    Part 20 Configuring 802.1x CHAPTERS 1. Overview 2. 802.1x Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 661: Overview

    ■ Client A client, usually a computer, is connected to the authenticator via a physical port. We recommend that you install TP-Link 802.1x authentication client software on the client hosts, enabling them to request 802.1x authentication to access the LAN.
  • Page 662: Configuration

    Configuring 802.1x 802.1x Configuration 802.1x Configuration To complete the 802.1x configuration, follow these steps: 1) Configure the RADIUS server. 2) Configure 802.1x globally. 3) Configure 802.1x on ports. In addition, you can view the authenticator state. Configuration Guidelines 802.1x authentication and Port Security cannot be enabled at the same time. Before enabling 802.1x authentication, make sure that Port Security is disabled.
  • Page 663 Configuring 802.1x 802.1x Configuration 1) Configure the parameters of the RADIUS server. Server IP Enter the IP address of the server running the RADIUS secure protocol. Shared Key Enter the shared key between the RADIUS server and the switch. The RADIUS server and the switch use the key string to encrypt passwords and exchange responses.
  • Page 664 Configuring 802.1x 802.1x Configuration Figure 2-3 Editing Server Group If you click , the following window will pop up. Specify a name for the server group, select the server type as RADIUS and select the IP address of the RADIUS server. Click Save. Figure 2-4 Adding Server Group ■...
  • Page 665: Configuring 802.1X Globally

    Handshake Enable or disable the Handshake feature. The Handshake feature is used to detect the connection status between the TP-Link 802.1x Client and the switch. Please disable the Handshake feature if you are using other client software instead of the TP-Link 802.1x Client.
  • Page 666: Configuring 802.1X On Ports

    Configuring 802.1x 802.1x Configuration VLAN Enable or disable the 802.1x VLAN assignment feature. 802.1x VLAN assignment is Assignment a technology allowing the RADIUS server to send the VLAN assignment to the port when the port is authenticated. If the assigned VLAN does not exist on the switch, the switch will create the related VLAN automatically, add the authenticated port to the VLAN and change the PVID based on the assigned VLAN.
  • Page 667 Configuring 802.1x 802.1x Configuration Select whether to enable the MAB (MAC-Based Authentication Bypass) feature for the port. With MAB feature enabled, the switch automatically sends the authentication server a RADIUS access request frame with the client’s MAC address as the username and password.
  • Page 668: View The Authenticator State

    Configuring 802.1x 802.1x Configuration Note: If a port is in an LAG, its 802.1x authentication function cannot be enabled. Also, a port with 802.1x authentication enabled cannot be added to any LAG. 2.1.4 View the Authenticator State Choose the menu SECURITY > 802.1x > Authenticator State to load the following page. Figure 2-8 View Authenticator State On this page, you can view the authentication status of each port: Port...
  • Page 669: Using The Cli

    Configuring 802.1x 802.1x Configuration Using the CLI 2.2.1 Configuring the RADIUS Server Follow these steps to configure RADIUS: Step 1 configure Enter global configuration mode. Step 2 radius-server host ip-address [ auth-port port-id ] [ acct-port port-id ] [ timeout time ] [ retransmit number ] [ nas-id nas-id ] key { [ 0 ] string | 7 encrypted-string } Add the RADIUS server and configure the related parameters as needed.
  • Page 670 Configuring 802.1x 802.1x Configuration Step 6 aaa authentication dot1x default { method } Select the RADIUS group for 802.1x authentication. method: Specify the RADIUS group for 802.1x authentication. aaa accounting dot1x default { method } Select the RADIUS group for 802.1x accounting. method: Specify the RADIUS group for 802.1x accounting.
  • Page 671: Configuring 802.1X Globally

    Configuring 802.1x 802.1x Configuration Switch#configure Switch(config)#radius-server host 192.168.0.100 auth-port 1812 acct-port 1813 key 123456 Switch(config)#aaa group radius radius1 Switch(aaa-group)#server 192.168.0.100 Switch(aaa-group)#exit Switch(config)#aaa authentication dot1x default radius1 Switch(config)#aaa accounting dot1x default radius1 Switch(config)#show radius-server Server Ip Auth Port Acct Port Timeout Retransmit NAS Identifier Shared key 192.168.0.100 1812...
  • Page 672 (Optional) Enable the Handshake feature. The Handshake feature is used to detect the connection status between the TP-Link 802.1x Client and the switch. Please disable the Handshake feature if you are using other client software instead of the TP-Link 802.1x Client. Step 6 dot1x vlan-assignment (Optional) Enable or disable the 802.1x VLAN assignment feature.
  • Page 673: Configuring 802.1X On Ports

    Configuring 802.1x 802.1x Configuration Switch#configure Switch(config)#dot1x system-auth-control Switch(config)#dot1x auth-protocol pap Switch(config)#show dot1x global 802.1X State: Enabled Authentication Protocol: Handshake State: Enabled 802.1X Accounting State: Disabled 802.1X VLAN Assignment State: Disabled Switch(config)#end Switch#copy running-config startup-config 2.2.3 Configuring 802.1x on Ports Follow these steps to configure the port: Step 1 configure Enter global configuration mode.
  • Page 674 Configuring 802.1x 802.1x Configuration Step 5 dot1x guest-vlan vid (Optional) Configure guest VLAN on the port. vid: Specify the ID of the VLAN to be configured as the guest VLAN. The valid values are from 0 to 4094. 0 means that Guest VLAN is disabled on the port. The configured VLAN must be an existing 802.1Q VLAN.
  • Page 675: Viewing Authenticator State

    Configuring 802.1x 802.1x Configuration Step 12 Return to privileged EXEC mode. Step 13 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable 802.1x authentication on port 1/0/2, configure the control type as port-based, and keep other parameters as default: Switch#configure Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#dot1x...
  • Page 676 Configuring 802.1x 802.1x Configuration Step 3 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Enter interface configuration mode. port: Enter the ID of the port to be configured. Step 4 dot1x auth-init [ mac mac-address ] Initialize the specific client.
  • Page 677: Configuration Example

    Configuring 802.1x Configuration Example Configuration Example Network Requirements The network administrator wants to control access from the end users (clients) in the company. It is required that all clients need to be authenticated separately and only the authenticated clients can access the internet. Configuration Scheme ■...
  • Page 678: Using The Gui

    Client Client Client Demonstrated with T1600G-52TS acting as the authenticator, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. Using the GUI 1) Choose the menu SECURITY > AAA > RADIUS Config and click to load the following page.
  • Page 679 Configuring 802.1x Configuration Example 2) Choose the menu SECURITY > AAA > Server Group and click to load the following page. Specify the group name as RADIUS1, select the server type as RADIUS and server IP as 192.168.0.10. Click Create. Figure 3-3 Creating Server Group 3) Choose the menu SECURITY >...
  • Page 680: Using The Cli

    Configuring 802.1x Configuration Example Figure 3-6 Configuring Port 6) Click to save the settings. Using the CLI 1) Configure the RADIUS parameters. Switch_A(config)#radius-server host 192.168.0.10 auth-port 1812 key 123456 Switch_A(config)#aaa group radius RADIUS1 Switch_A(aaa-group)#server 192.168.0.10 Switch_A(aaa-group)#exit Switch_A(config)#aaa authentication dot1x default RADIUS1 2) Globally enable 802.1x authentication and set the authentication protocol.
  • Page 681 Configuring 802.1x Configuration Example Switch_A(config)#interface gigabitEthernet 1/0/3 Switch_A(config-if)#no dot1x Switch_A(config-if)#exit Switch_A(config)#interface gigabitEthernet 1/0/1 Switch_A(config-if)#dot1x Switch_A(config-if)#dot1x port-method mac-based Switch_A(config-if)#dot1x port-control auto Switch_A(config-if)#exit Verify the Configurations Verify the global configurations of 802.1x authentication: Switch_A#show dot1x global 802.1X State: Enabled Authentication Protocol: Handshake State: Enabled 802.1X Accounting State: Disabled...
  • Page 682 Configuring 802.1x Configuration Example unauthorized Verify the configurations of RADIUS: Switch_A#show aaa global Module Login List Enable List Telnet default default default default Http default default Switch_A#show aaa authentication dot1x Methodlist pri1 pri2 pri3 pri4 default RADIUS1 Switch_A#show aaa group RADIUS1 192.168.0.10 User Guide...
  • Page 683: Appendix: Default Parameters

    Configuring 802.1x Appendix: Default Parameters Appendix: Default Parameters Default settings of 802.1x are listed in the following table. Table 4-1 Default Settings of 802.1x Parameter Default Setting Global Config 802.1x Authentication Disabled Authentication Method Handshake Enabled Accounting Disabled VLAN Assignment Disabled Port Config 802.1x Status...
  • Page 684: Configuring Port Security

    Part 21 Configuring Port Security CHAPTERS 1. Overview 2. Port Security Configuration 3. Appendix: Default Parameters...
  • Page 685: Overview

    Configuring Port Security Overview Overview You can use the Port Security feature to limit the number of MAC addresses that can be learned on each port, thus preventing the MAC address table from being exhausted by attack packets. In addition, the switch can send a notification if the number of learned MAC addresses on the port exceeds the limit.
  • Page 686: Port Security Configuration

    Configuring Port Security Port Security Configuration Port Security Configuration Using the GUI Choose the menu SECURITY > Port Security to load the following page. Figure 2-1 Port Security Follow these steps to configure Port Security: 1) Select one or more ports and configure the following parameters. Port Displays the port number.
  • Page 687: Using The Cli

    Configuring Port Security Port Security Configuration Learn Address Select the learn mode of the MAC addresses on the port. Three modes are Mode provided: Delete on Timeout: The switch will delete the MAC addresses that are not used or updated within the aging time. It is the default setting. Delete on Reboot: The learned MAC addresses are out of the influence of the aging time and can only be deleted manually.
  • Page 688 Configuring Port Security Port Security Configuration Step 3 mac address-table max-mac-count { [max-number num ] [exceed-max-learned enable | disable] [mode { dynamic | static | permanent } ] [ status { forward | drop | disable } ]} Enable the port security feature of the port and configure the related parameters. num : The maximum number of MAC addresses that can be learned on the port.
  • Page 689 Configuring Port Security Port Security Configuration Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#mac address-table max-mac-count max-number 30 exceed-max-learned enable mode permanent status drop Switch(config-if)#show mac address-table max-mac-count interface gigabitEthernet 1/0/1 Port Max-learn Current-learn Exceed Max Limit Mode Status ---- --------- ----------- ---------- ------ --------...
  • Page 690: Appendix: Default Parameters

    Configuring Port Security Appendix: Default Parameters Appendix: Default Parameters Default settings of Port Security are listed in the following table. Table 3-1 Default Parameters of Port Security Parameter Default Setting Max Learned Number of Current Learned Number Exceed Max Learned Trap Disabled Learn Address Mode Delete on Timeout...
  • Page 691: Configuring Acl

    Part 22 Configuring ACL CHAPTERS 1. Overview 2. ACL Configuration 3. Configuration Example for ACL 4. Appendix: Default Parameters...
  • Page 692: Overview

    Configuring ACL Overview Overview ACL (Access Control List) filters traffic as it passes through a switch, and permits or denies packets crossing specified interfaces or VLANs. It accurately identifies and processes the packets based on the ACL rules. In this way, ACL helps to limit network traffic, manage network access behaviors, forward packets to specified ports and more.
  • Page 693: Acl Configuration

    Configuring ACL ACL Configuration ACL Configuration Using the GUI 2.1.1 Configuring Time Range Some ACL-based services or features may need to be limited to take effect only during a specified time period. In this case, you can configure a time range for the ACL. For details about Time Range configuration, please refer to Managing System 2.1.2 Creating an ACL...
  • Page 694: Configuring Acl Rules

    Configuring ACL ACL Configuration Note: The supported ACL type and ID range vary on different switch models. Please refer to the on-screen information. 2.1.3 Configuring ACL Rules Note: Every ACL has an implicit deny all rule at the end of an ACL rule list. That is, if an ACL is applied to a packet and none of the explicit rules match, then the final implicit deny all rule takes effect and the packet is dropped.
  • Page 695 Configuring ACL ACL Configuration Figure 2-4 Configuring the MAC ACL Rule Follow these steps to configure the MAC ACL rule: 1) In the MAC ACL Rule section, configure the following parameters: Rule ID Enter an ID number to identify the rule. It should not be the same as any current rule ID in the same ACL.
  • Page 696 Configuring ACL ACL Configuration D-MAC/Mask Enter the destination MAC address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched. VLAN ID Enter the ID number of the VLAN with which packets will match. The valid range is 1-4094.
  • Page 697 Configuring ACL ACL Configuration Note: In the Mirroring feature, the matched packets will be copied to the destination port and the original forwarding will not be affected. While in the Redirect feature, the matched packets will be forwarded only on the destination port. 4) In the Policy section, enable or disable the Rate Limit feature for the matched packets.
  • Page 698: Configuring Ip Acl Rule

    Configuring ACL ACL Configuration Configuring IP ACL Rule Click Edit ACL for an IP ACL entry to load the following page. Figure 2-9 Configuring the IP ACL Rule In ACL Rules Table section, click and the following page will appear. Figure 2-10 Configuring the IP ACL Rule User Guide...
  • Page 699 Configuring ACL ACL Configuration Follow these steps to configure the IP ACL rule: 1) In the IP ACL Rule section, configure the following parameters: Rule ID Enter an ID number to identify the rule. It should not be the same as any current rule ID in the same ACL. For the convenience of inserting new rules to an ACL, you should set the appropriate interval between rule IDs.
  • Page 700 Configuring ACL ACL Configuration IP Pre Specify an IP Precedence value to be matched between 0 and 7. The default is No Limit. Time Range Select a time range during which the rule will take effect. The default value is No Limit, which means the rule is always in effect.
  • Page 701: Configuring Combined Acl Rule

    Configuring ACL ACL Configuration Figure 2-13 Configuring Rate Limit Rate Specify the transmission rate for the matched packets. Burst Size Specify the maximum number of bytes allowed in one second. Out of Band Select the action for the packets whose rate is beyond the specified rate. None: The packets will be forwarded normally.
  • Page 702 Configuring ACL ACL Configuration Figure 2-15 Configuring the Combined ACL Rule In ACL Rules Table section, click and the following page will appear. User Guide...
  • Page 703 Configuring ACL ACL Configuration Figure 2-16 Configuring the Combined ACL Rule Follow these steps to configure the Combined ACL rule: 1) In the Combined ACL Rule section, configure the following parameters: Rule ID Enter an ID number to identify the rule. It should not be the same as any current rule ID in the same ACL.
  • Page 704 Configuring ACL ACL Configuration Operation Select an action to be taken when a packet matches the rule. Permit: To forward the matched packets. Deny: To discard the matched packets. S-MAC/Mask Enter the source MAC address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched.
  • Page 705 Configuring ACL ACL Configuration IP Pre Specify an IP Precedence value to be matched between 0 and 7. The default is No Limit. User Priority Specify the User Priority to be matched. Time Range Select a time range during which the rule will take effect. The default value is No Limit, which means the rule is always in effect.
  • Page 706: Configuring The Ipv6 Acl Rule

    Configuring ACL ACL Configuration 4) In the Policy section, enable or disable the Rate Limit feature for the matched packets. With this option enabled, configure the related parameters. Figure 2-19 Configuring Rate Limit Rate Specify the transmission rate for the matched packets. Burst Size Specify the maximum number of bytes allowed in one second.
  • Page 707 Configuring ACL ACL Configuration Figure 2-21 Configuring the IPv6 ACL Rule In ACL Rules Table section, click and the following page will appear. Figure 2-22 Configuring the IPv6 ACL Rule Follow these steps to configure the IPv6 ACL rule: 1) In the IPv6 ACL Rule section, configure the following parameters: User Guide...
  • Page 708 Configuring ACL ACL Configuration Rule ID Enter an ID number to identify the rule. It should not be the same as any current rule ID in the same ACL. For the convenience of inserting new rules to an ACL, you should set the appropriate interval between rule IDs.
  • Page 709 Configuring ACL ACL Configuration Time Range Select a time range during which the rule will take effect. The default value is No Limit, which means the rule is always in effect. The Time Range referenced here can be created on the SYSTEM > Time Range page. 2) In the Policy section, enable or disable the Mirroring feature for the matched packets.
  • Page 710 Configuring ACL ACL Configuration Rate Specify the transmission rate for the matched packets. Burst Size Specify the maximum number of bytes allowed in one second. Out of Band Select the action for the packets whose rate is beyond the specified rate. None: The packets will be forwarded normally.
  • Page 711: Configuring Acl Binding

    Configuring ACL ACL Configuration Figure 2-27 Viewing ACL Rules Table Here you can view and edit the ACL rules. You can also click Resequence to resequence the rules by providing a Start Rule ID and Step value. 2.1.4 Configuring ACL Binding You can bind the ACL to a port or a VLAN.
  • Page 712 Configuring ACL ACL Configuration Figure 2-28 Binding the ACL to a Port Follow these steps to bind the ACL to a Port: 1) Choose ID or Name to be used for matching the ACL. Then select an ACL from the drop-down list. 2) Specify the port to be bound.
  • Page 713: Using The Cli

    Configuring ACL ACL Configuration Using the CLI 2.2.1 Configuring Time Range Some ACL-based services or features may need to be limited to take effect only during a specified time period. In this case, you can configure a time range for the ACL. For details about Time Range Configuration, please refer to Managing System.
  • Page 714 Configuring ACL ACL Configuration Step 3 access-list mac acl-id-or-name rule { auto | rule-id } { deny | permit } logging {enable | disable} [ smac source-mac smask source-mac-mask ] [dmac destination-mac dmask destination-mac-mask ] [type ether-type] [pri dot1p-priority ] [vid vlan-id ] [tseg time-range-name ] Add a MAC ACL Rule.
  • Page 715 Configuring ACL ACL Configuration Switch(config)#access-list create 50 Switch(config-mac-acl)#access-list mac 50 rule 5 permit logging disable smac 00:34:A2:D4:34:B5 smask FF:FF:FF:FF:FF:FF Switch(config-mac-acl)#exit Switch(config)#show access-list 50 MAC access list 50 name: ACL_50 rule 5 permit logging disable smac 00:34:a2:d4:34:b5 smask ff:ff:ff:ff:ff:ff Switch(config)#end Switch#copy running-config startup-config IP ACL Follow these steps to configure IP ACL: Step 1...
  • Page 716 Configuring ACL ACL Configuration Step 3 access-list ip acl-id-or-name rule {auto | rule-id } {deny | permit} logging {enable | disable} [sip sip-address sip-mask sip-address-mask ] [ dip dip-address dip-mask dip-address-mask ] [dscp dscp-value ] [tos tos-value ] [pre pre-value ] [protocol protocol [s-port s-port-number s-port-mask s-port-mask ] [d-port d-port-number d-port-mask d-port-mask ] [tcpflag tcpflag ]] [tseg time-range-name ] Add rules to the ACL.
  • Page 717 Configuring ACL ACL Configuration Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create IP ACL 600, and configure Rule 1 to permit packets with source IP address 192.168.1.100: Switch#configure Switch(config)#access-list create 600 Switch(config)#access-list ip 600 rule 1 permit logging disable sip 192.168.1.100 sip-mask 255.255.255.255 Switch(config)#show access-list 600...
  • Page 718 Configuring ACL ACL Configuration Step 3 access-list combined acl-id-or-name rule {auto | rule-id } {deny | permit} logging {enable | disable} [smac source-mac-address smask source-mac-mask ] [dmac dest-mac-address dmask dest-mac-mask ] [vid vlan-id ] [type ether-type ] [pri priority ] [sip sip-address sip-mask sip-address-mask ] [dip dip-address dip-mask dip-address-mask ] [dscp dscp-value ] [tos tos-value ] [pre pre-value ] [protocol protocol [s-port s-port-number s-port-mask s-port-mask ] [d-port d-port-number d-port-mask d-port-mask ] [tcpflag tcpflag ]] [tseg time-range-name ]...
  • Page 719 Configuring ACL ACL Configuration protocol: Specify a protocol number between 0 and 255. s-port-number: With TCP or UDP configured as the protocol, specify the source port number. s-port-mask: With TCP or UDP configured as the protocol, specify the source port mask with 4 hexadecimal numbers.
  • Page 720 Configuring ACL ACL Configuration Step 2 access-list create acl-id [name acl-name ] Create an IPv6 ACL. acl-id: Enter an ACL ID. The ID ranges from 1500 to 1999. acl-name: Enter a name to identify the ACL. Step 3 access-list ipv6 acl-id-or-name rule {auto | rule-id } {deny | permit} logging {enable | disable} [class class-value ] [flow-label flow-label-value ] [sip source-ip-address sip-mask source-ip-mask ] [dip destination-ip-address dip-mask destination-ip-mask ] [s-port source-port-number ] [d-port destination-port-number ] [tseg time-range-name ]...
  • Page 721: Configuring Policy

    Configuring ACL ACL Configuration The following example shows how to create IPv6 ACL 1600 and configure Rule 1 to deny packets with source IPv6 address CDCD:910A:2222:5498:8475:1111:3900:2020: Switch#configure Switch(config)#access-list create 1600 Switch(config)#access-list ipv6 1600 rule 1 deny logging disable sip CDCD:910A:2222:5498:8475:1111:3900:2020 sip-mask ffff:ffff:ffff:ffff Switch(config)#show access-list 1600 IPv6 access list 1600 name: ACL_1600 rule 1 deny logging disable sip cdcd:910a:2222:5498:8475:1111:3900:2020 sip-mask ffff:ff...
  • Page 722 Configuring ACL ACL Configuration Step 3 redirect interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } (Optional) Define the policy to redirect the matched packets to the desired port. port : The destination port to which the packets will be redirected. The default is All. s-mirror interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } (Optional) Define the policy to mirror the matched packets to the desired port.
  • Page 723: Configuring Acl Binding

    Configuring ACL ACL Configuration rule 5 permit logging disable action redirect Gi1/0/4 Switch(config)#end Switch#copy running-config startup-config 2.2.4 Configuring ACL Binding You can bind the ACL to a port or a VLAN. The received packets on the port or in the VLAN will then be matched and processed according to the ACL rules.
  • Page 724: Viewing Acl Counting

    Configuring ACL ACL Configuration ACL ID ACL NAME Interface/VID Direction Type ----- ---------- ------------- ------- ---- ACL_1 Gi1/0/3 Ingress Port ACL_1 Ingress VLAN Switch(config)#end Switch#copy running-config startup-config 2.2.5 Viewing ACL Counting You can use the following command to view the number of matched packets of each ACL in the privileged EXEC mode and any other configuration mode: show access-list acl-id-or-name counter View the number of matched packets of the specific ACL.
  • Page 725: Configuration Example For Acl

    Configuring ACL Configuration Example for ACL Configuration Example for ACL Configuration Example for MAC ACL 3.1.1 Network Requirements A company forbids the employees in the R&D department from visiting the internal forum during work hours, while the manager of the R&D department can access the internal forum without limitation.
  • Page 726: Using The Gui

    Configuring ACL Configuration Example for ACL ■ ACL Configuration Create a MAC ACL and configure the following rules for it: ■ Configure a permit rule to match packets with source MAC address 8C-DC-D4-40-A1-79 and destination MAC address 40-61-86-FC-71-56. This rule allows the manager of R&D department to visit internal forum at any time.
  • Page 727 Configuring ACL Configuration Example for ACL Figure 3-3 Adding Period Time 3) After adding the Period Time, click Create to save the time range entry. Figure 3-4 Creating Time Range 4) Choose the menu SECURITY > ACL > ACL Config and click to load the following page.
  • Page 728 Configuring ACL Configuration Example for ACL Figure 3-5 Creating a MAC ACL 5) Click Edit ACL in the Operation column. Figure 3-6 Editing the MAC ACL 6) On the ACL configuration page, click Figure 3-7 Editing the MAC ACL 7) Configure rule 5 to permit packets with the source MAC address 8C-DC-D4-40-A1-79 and destination MAC address 40-61-86-FC-71-56.
  • Page 729 Configuring ACL Configuration Example for ACL Figure 3-8 Configuring Rule 5 8) In the same way, configure rule 15 to deny packets with destination MAC address 40-61-86-FC-71-56 and apply the time range of work hours. User Guide...
  • Page 730 Configuring ACL Configuration Example for ACL Figure 3-9 Configuring Rule 15 9) Configure rule 25 to permit all the packets that match neither of the above rules. User Guide...
  • Page 731 Configuring ACL Configuration Example for ACL Figure 3-10 Configuring Rule 25 10) Choose the menu SECURITY > ACL > ACL Binding and click to load the following page. Bind ACL 100 to port 1/0/2 to make it take effect. Figure 3-11 Binding the ACL to Port 1/0/2 User Guide...
  • Page 732: Using The Cli

    Configuring ACL Configuration Example for ACL 11) Click to save the settings. 3.1.4 Using the CLI 1) Create a time range entry. Switch#config Switch(config)#time-range Work_time Switch(config-time-range)#holiday include Switch(config-time-range)#absolute from 01/01/2018 to 01/01/2019 Switch(config-time-range)#periodic start 08:00 end 18:00 day-of-the-week 1,2,3,4,5 Switch(config-time-range)#end Switch#copy running-config startup-config 2) Create a MAC ACL.
  • Page 733: Configuration Example For Ip Acl

    Configuring ACL Configuration Example for ACL rule 5 permit logging disable smac 8c:dc:d4:40:a1:79 smask ff:ff:ff:ff:ff:ff dmac 40:61:86:fc:71:56 dmask ff:ff:ff:ff:ff:ff rule 15 deny logging disable dmac 40:61:86:fc:71:56 dmask ff:ff:ff:ff:ff:ff tseg “Work_time” rule 25 permit logging disable Switch#show access-list bind ACL ID ACL NAME Interface/VID Direction Type ------...
  • Page 734: Configuration Scheme

    Configuring ACL Configuration Example for ACL 3.2.2 Configuration Scheme To meet the requirements above, you can set up packet filtering by creating an IP ACL and configuring rules for it. ■ ACL Configuration Create an IP ACL and configure the following rules for it: ■...
  • Page 735 Configuring ACL Configuration Example for ACL Figure 3-14 Editing IP ACL 3) On the ACL configuration page, click Figure 3-15 Editing IP AC 4) Configure rule 1 to permit packets with the source IP address 10.10.70.0/24 and destination IP address 10.10.80.0/24. Figure 3-16 Configuring Rule 1 User Guide...
  • Page 736 Configuring ACL Configuration Example for ACL 5) In the same way, configure rule 2 and rule 3 to permit packets with source IP 10.10.70.0 and destination port TCP 80 (http service port) and TCP 443 (https service port). Figure 3-17 Configuring Rule 2 User Guide...
  • Page 737 Configuring ACL Configuration Example for ACL Figure 3-18 Configuring Rule 3 User Guide...
  • Page 738 Configuring ACL Configuration Example for ACL 6) In the same way, configure rule 4 and rule 5 to permit packets with source IP 10.10.70.0 and with destination port TCP 53 or UDP 53 (DNS service port). Figure 3-19 Configuring Rule 4 User Guide...
  • Page 739 Configuring ACL Configuration Example for ACL Figure 3-20 Configuring Rule 5 7) In the same way, configure rule 6 to deny packets with source IP 10.10.70.0. Figure 3-21 Configuring Rule 6 8) Choose the menu SECURITY > ACL > ACL Binding and click to load the following page.
  • Page 740: Using The Cli

    Configuring ACL Configuration Example for ACL Figure 3-22 Binding the ACL to Port 1/0/1 9) Click to save the settings. 3.2.4 Using the CLI 1) Create an IP ACL. Switch#configure Switch(config)#access-list create 500 name marketing 2) Configure rule 1 to permit packets with source IP 10.10.70.0/24 and destination IP 10.10.80.0/24.
  • Page 741 Configuring ACL Configuration Example for ACL Switch(config)#access-list ip 500 rule 2 deny logging disable sip 10.10.70.0 sip-mask 255.255.255.0 6) Bind ACL500 to port 1. Switch(config)#access-list bind 500 interface gigabitEthernet 1/0/1 Switch(config)#end Switch#copy running-config startup-config Verify the Configurations Verify the IP ACL 500: Switch#show access-list 500 rule 1 permit logging disable sip 10.10.70.0 smask 255.255.255.0 dip 10.10.80.0 dmask 255.255.255.0...
  • Page 742: Configuration Example For Combined Acl

    Configuring ACL Configuration Example for ACL Configuration Example for Combined ACL 3.3.1 Network Requirements To enhance network security, a company requires that only the network administrator can log in to the switch through Telnet connection. The computers are connected to the switch via port 1/0/2.
  • Page 743: Using The Gui

    Configuring ACL Configuration Example for ACL ■ Binding Configuration Bind the Combined ACL to port 1/0/2 so that the ACL rules will be applied to the computer of the network administrator and the devices which are restricted to Telnet connection. Demonstrated with T1600G-28TS, the following sections explain the configuration procedure in two ways: using the GUI and using the CLI.
  • Page 744 Configuring ACL Configuration Example for ACL Figure 3-26 Editing Combined ACL 4) Configure rule 5 to permit packets with the source MAC address 6C-62-6D-F5-BA-48 and destination port TCP 23 (Telnet service port). User Guide...
  • Page 745 Configuring ACL Configuration Example for ACL Figure 3-27 Configuring Rule 5 5) Configure rule 15 to deny all the packets except the packet with source MAC address 6C-62-6D-F5-BA-48, and destination port TCP 23 (Telnet service port). User Guide...
  • Page 746 Configuring ACL Configuration Example for ACL Figure 3-28 Configuring Rule 15 6) In the same way, configure rule 25 to permit all the packets. The rule makes sure that all devices can get other network services normally. User Guide...
  • Page 747 Configuring ACL Configuration Example for ACL Figure 3-29 Configuring Rule 25 7) Choose the menu SECURITY > ACL > ACL Binding and click to load the following page. Bind the Policy ACL_Telnet to port 1/0/2 to make it take effect. User Guide...
  • Page 748: Using The Cli

    Configuring ACL Configuration Example for ACL Figure 3-30 Binding the ACL to Port 1/0/2 8) Click to save the settings. 3.3.4 Using the CLI 1) Create a Combined ACL. Switch#configure Switch(config)#access-list create 1000 name ACL_Telnet 2) Configure rule 5 to permit packets with the source MAC address 6C-62-6D-F5-BA-48 and destination port TCP 23 (Telnet service port).
  • Page 749 Configuring ACL Configuration Example for ACL Verify the Configurations Verify the Combined ACL 1000: Switch#show access-list 1000 Combined access list 1000 name: “ACL_Telnet” rule 5 permit logging disable smac 6c:62:6d:f5:ba:48 smask ff:ff:ff:ff:ff:ff type 0800 protocol 6 d-port 23 rule 15 deny logging disable type 0800 protocol 6 d-port 23 rule 25 permit logging disable Switch#show access-list bind ACL ID ACL NAME...
  • Page 750: Appendix: Default Parameters

    Configuring ACL Appendix: Default Parameters Appendix: Default Parameters The default settings of ACL are listed in the following tables: Table 4-1 MAC ACL Parameter Default Setting Operation Permit User Priority No Limit Time-Range No Limit Table 4-2 IP ACL Parameter Default Setting Operation Permit...
  • Page 751 Configuring ACL Appendix: Default Parameters Table 4-5 Policy Parameter Default Setting Mirroring Disabled Redirect Disabled Rate Limit Disabled QoS Remark Disabled User Guide...
  • Page 752 Part 23 Configuring IPv4 IMPB CHAPTERS 1. IPv4 IMPB 2. IP-MAC Binding Configuration 3. ARP Detection Configuration 4. IPv4 Source Guard Configuration 5. Configuration Examples 6. Appendix: Default Parameters...
  • Page 753: Ipv4 Impb

    Configuring IPv4 IMPB IPv4 IMPB IPv4 IMPB Overview IPv4 IMPB (IP-MAC-Port Binding) is used to bind the IP address, MAC address, VLAN ID and the connected port number of the specified host. Based on the binding table, the switch can prevent the ARP cheating attacks with the ARP Detection feature and filter the packets that don’t match the binding entries with the IP Source Guard feature.
  • Page 754: Ip-Mac Binding Configuration

    Configuring IPv4 IMPB IP-MAC Binding Configuration IP-MAC Binding Configuration You can add IP-MAC Binding entries in three ways: ■ Manual Binding ■ Via ARP Scanning ■ Via DHCP Snooping Additionally, you can view, search and edit the entries in the Binding Table. Using the GUI 2.1.1 Binding Entries Manually You can manually bind the IP address, MAC address, VLAN ID and the Port number...
  • Page 755 Configuring IPv4 IMPB IP-MAC Binding Configuration Choose the menu SECURITY > IPv4 IMPB > IP-MAC Binding > Manual Binding and click to load the following page. Figure 2-1 Manual Binding Follow these steps to manually create an IP-MAC Binding entry: 1) Enter the following information to specify a host. Host Name Enter the host name for identification.
  • Page 756: Binding Entries Via Arp Scanning

    Configuring IPv4 IMPB IP-MAC Binding Configuration 3) Enter or select the port that is connected to this host. 4) Click Apply. 2.1.2 Binding Entries via ARP Scanning With ARP Scanning, the switch sends the ARP request packets of the specified IP field to the hosts.
  • Page 757: Binding Entries Via Dhcp Snooping

    Configuring IPv4 IMPB IP-MAC Binding Configuration VLAN ID Specify a VLAN ID. 2) In the Scanning Result section, select one or more entries and configure the relevant parameters. Then click Bind. Host Name Enter a host name for identification. IP Address Displays the IP address.
  • Page 758 Configuring IPv4 IMPB IP-MAC Binding Configuration Choose the menu SECURITY > IPv4 IMPB > IP-MAC Binding > DHCP Snooping to load the following page. Figure 2-3 DHCP Snooping Follow these steps to configure IP-MAC Binding via DHCP Snooping: 1) In the Global Config section, globally enable DHCP Snooping. Click Apply. 2) In the VLAN Config section, enable DHCP Snooping on a VLAN or range of VLANs.
  • Page 759: Viewing The Binding Entries

    Configuring IPv4 IMPB IP-MAC Binding Configuration Maximum Entries Configure the maximum number of binding entries a port can learn via DHCP snooping Displays the LAG that the port is in. 4) The learned entries will be displayed in the Binding Table. You can go to SECURITY > IPv4 IMPB >...
  • Page 760: Using The Cli

    Configuring IPv4 IMPB IP-MAC Binding Configuration VLAN ID Displays the VLAN ID. Port Displays the port number. Protect Type Select the protect type for the entry. The entry will be applied to the specific feature. The following options are provided: None: This entry will not be applied to any feature.
  • Page 761 Configuring IPv4 IMPB IP-MAC Binding Configuration Step 2 ip source binding hostname ip-addr mac-addr vlan vlan-id interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id } { none | arp-detection | ip-verify-source | both } Manually bind the host name, IP address, MAC address, VLAN ID and port number of the host, and configure the protect type for the host.
  • Page 762: Binding Entries Via Dhcp Snooping

    Configuring IPv4 IMPB IP-MAC Binding Configuration 2.2.2 Binding Entries via DHCP Snooping Follow these steps to bind entries via DHCP Snooping: Step 1 configure Enter global configuration mode. Step 2 ip dhcp snooping Globally enable DHCP Snooping. ip dhcp snooping vlan vlan-range Step 3 Enable DHCP Snooping on the specified VLAN.
  • Page 763: Viewing Binding Entries

    Configuring IPv4 IMPB IP-MAC Binding Configuration VLAN ID: 5 Switch(config-if)#show ip dhcp snooping interface gigabitEthernet 1/0/1 Interface max-entries LAG --------- ----------- Gi1/0/1 Switch(config-if)#end Switch#copy running-config startup-config 2.2.3 Viewing Binding Entries In privileged EXEC mode or any other configuration mode, you can use the following command to view binding entries: show ip source binding View the information of binding entries, including the host name, IP address, MAC address, VLAN ID, port...
  • Page 764: Arp Detection Configuration

    Configuring IPv4 IMPB ARP Detection Configuration ARP Detection Configuration To complete ARP Detection configuration, follow these steps: 1) Add IP-MAC Binding entries. 2) Enable ARP Detection. 3) Configure ARP Detection on ports. 4) View ARP statistics. Using the GUI 3.1.1 Adding IP-MAC Binding Entries In ARP Detection, the switch detects the ARP packets based on the binding entries in the IP-MAC Binding Table.
  • Page 765: Configuring Arp Detection On Ports

    Configuring IPv4 IMPB ARP Detection Configuration ARP Detect Enable or disable ARP Detection globally. Validate Source Enable or disable the switch to check whether the source MAC address and the sender MAC address are the same when receiving an ARP packet. If not, the ARP packet will be discarded.
  • Page 766: Viewing Arp Statistics

    Configuring IPv4 IMPB ARP Detection Configuration Follow these steps to configure ARP Detection on ports: 1) Select one or more ports and configure the parameters. Trust Status Enable or disable this port to be a trusted port. On a trusted port, the ARP packets are forwarded directly without being checked.
  • Page 767: Using The Cli

    Configuring IPv4 IMPB ARP Detection Configuration In the Auto Refresh section, you can enable the auto refresh feature and specify the refresh interval, and thus the web page will be automatically refreshed. In the Illegal ARP Packet section, you can view the number of illegal ARP packets in each VLAN.
  • Page 768: Configuring Arp Detection On Ports

    Configuring IPv4 IMPB ARP Detection Configuration Step 5 ip arp inspection vlan vlan-list logging (Optional) Enable the Log feature to make the switch generate a log when an ARP packet is discarded. vlan-list : Enter the VLAN ID. The format is 1,5-9. Step 6 show ip arp inspection Verify the ARP Detection configuration.
  • Page 769 Configuring IPv4 IMPB ARP Detection Configuration Step 1 configure Enter global configuration mode. Step 2 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Enter interface configuration mode. Step 3 ip arp inspection trust Configure the port as a trusted port, on which the ARP Detection function will not take...
  • Page 770: Viewing Arp Statistics

    Configuring IPv4 IMPB ARP Detection Configuration Switch(config-if)#ip arp inspection burst-interval 2 Switch(config-if)#show ip arp inspection interface gigabitEthernet 1/0/2 Interface Trust state limit Rate(pps) Current speed(pps) Burst Interval Status LAG --------- ----------- --------------- ------------------ -------------- -------- --- Gi1/0/2 Enable Switch(config-if)#end Switch#copy running-config startup-config The following example shows how to restore the port 1/0/1 that is in Down status to Normal status: Switch#configure...
  • Page 771: Ipv4 Source Guard Configuration

    Configuring IPv4 IMPB IPv4 Source Guard Configuration IPv4 Source Guard Configuration To complete IPv4 Source Guard configuration, follow these steps: 1) Add IP-MAC Binding entries. 2) Configure IPv4 Source Guard. Using the GUI 4.1.1 Adding IP-MAC Binding Entries In IPv4 Source Guard, the switch filters the packets that do not match the rules of IPv4- MAC Binding Table.
  • Page 772: Using The Cli

    Configuring IPv4 IMPB IPv4 Source Guard Configuration Follow these steps to configure IPv4 Source Guard: 1) In the Global Config section, choose whether to enable the Log feature. Click Apply. IPv4 Source Enable or disable IPv4 Source Guard Log feature. With this feature enabled, the Guard Log switch generates a log when illegal packets are received.
  • Page 773 Configuring IPv4 IMPB IPv4 Source Guard Configuration Step 3 ip verify source { sip+mac | sip } Enable IP Source Guard for IPv4 packets. sip+mac : Only the packet with its source IP address, source MAC address and port number matching the IP-MAC binding rules can be processed, otherwise the packet will be discarded.
  • Page 774: Configuration Examples

    Configuring IPv4 IMPB Configuration Examples Configuration Examples Example for ARP Detection 5.1.1 Network Requirements As shown below, User 1 and User 2 are legal users in the LAN and connected to port 1/0/1 and port 1/0/2. Both of them are in the default VLAN 1. The router has been configured with security feature to prevent attacks from the WAN.
  • Page 775: Using The Gui

    Configuring IPv4 IMPB Configuration Examples 3) Configure ARP Detection on ports. Since port 1/0/3 is connected to the gateway router, set port 1/0/3 as trusted port. To prevent ARP flooding attacks, limit the speed of receiving the legal ARP packets on all ports. Demonstrated with T1600G-28TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.
  • Page 776 Configuring IPv4 IMPB Configuration Examples Figure 5-3 Binding Entry for User 2 3) Choose the menu SECURITY > IPv4 IMPB > ARP Detection > Global Config to load the following page. Enable ARP Detect, Validate Source MAC, Validate Destination MAC and Validate IP, and click Apply.
  • Page 777: Using The Cli

    Configuring IPv4 IMPB Configuration Examples Figure 5-5 Port Config 5) Click to save the settings. 5.1.4 Using the CLI 1) Manually bind the entries for User 1 and User 2. Switch_A#configure Switch_A(config)#ip source binding User1 192.168.0.31 74:d3:45:32:b6:8d vlan 1 interface gigabitEthernet 1/0/1 arp-detection Switch_A(config)#ip source binding User2 192.168.0.32 88:a9:d4:54:fd:c3 vlan 1 interface gigabitEthernet 1/0/2 arp-detection 2) Enable ARP Detection globally and on VLAN 1.
  • Page 778 Configuring IPv4 IMPB Configuration Examples Verify the Configuration Verify the IP-MAC Binding entries: Switch_A#show ip source binding Host IP-Addr MAC-Addr VID Port SOURCE ---- ------- -------- ---- ------ User1 192.168.0.31 74:d3:45:32:b6:8d Gi1/0/1 ARP-D Manual User2 192.168.0.33 88:a9:d4:54:fd:c3 Gi1/0/2 ARP-D Manual Notice: 1.Here, ‘ARP-D’...
  • Page 779: Example For Ip Source Guard

    Configuring IPv4 IMPB Configuration Examples Example for IP Source Guard 5.2.1 Network Requirements As shown below, the legal host connects to the switch via port 1/0/1 and belongs to the default VLAN 1. It is required that only the legal host can access the network via port 1/0/1, and other unknown hosts will be blocked when trying to access the network via ports 1/0/1-3.
  • Page 780 Configuring IPv4 IMPB Configuration Examples Figure 5-7 Manual Binding 2) Choose the menu SECURITY > IPv4 IMPB > IPv4 Source Guard to load the following page. Enable IPv4 Source Guard Logging to make the switch generate logs when receiving illegal packets, and click Apply. Select ports 1/0/1-3, configure the Security Type as SIP+MAC, and click Apply.
  • Page 781: Using The Cli

    Configuring IPv4 IMPB Configuration Examples Figure 5-8 IPv4 Source Guard 3) Click to save the settings. 5.2.4 Using the CLI 1) Manually bind the IP address, MAC address, VLAN ID and connected port number of the legal host, and apply this entry to the IP Source Guard feature. Switch#configure Switch(config)#ip source binding legal-host 192.168.0.100 74:d3:45:32:b5:6d vlan 1 interface gigabitEthernet 1/0/1 ip-verify-source...
  • Page 782 Configuring IPv4 IMPB Configuration Examples Host IP-Addr MAC-Addr VID Port SOURCE ---- ------- -------- ---- ------ User1 192.168.0.100 74:d3:45:32:b5:6d Gi1/0/1 IP-V-S Manual Notice: 1.Here, ‘ARP-D’ for ‘ARP-Detection’,and’IP-V-S’ for ‘IP-Verify-Source’. Verify the configuration of IP Source Guard: Switch#show ip verify source IP Source Guard log: Enabled Port Security-Type...
  • Page 783: Appendix: Default Parameters

    Configuring IPv4 IMPB Appendix: Default Parameters Appendix: Default Parameters Default settings of DHCP Snooping are listed in the following table: Table 6-1 DHCP Snooping Parameter Default Setting Global Config DHCP Snooping Disabled VLAN Config Status Disabled Port Config Maximum Entry Default settings of ARP Detection are listed in the following table: Table 6-2 ARP Detection...
  • Page 784 Configuring IPv4 IMPB Appendix: Default Parameters Parameter Default Setting Burst Interval 1 second ARP Statistics Auto Refresh Disabled Refresh Interval 5 seconds Default settings of IPv4 Source Guard are listed in the following table: Table 6-3 ARP Detection Parameter Default Setting Global Config IPv4 Source Guard Log: Disabled...
  • Page 785: Configuring Ipv6 Impb

    Part 24 Configuring IPv6 IMPB CHAPTERS 1. IPv6 IMPB 2. IPv6-MAC Binding Configuration 3. ND Detection Configuration 4. IPv6 Source Guard Configuration 5. Configuration Examples 6. Appendix: Default Parameters...
  • Page 786: Ipv6 Impb

    Configuring IPv6 IMPB IPv6 IMPB IPv6 IMPB Overview IPv6 IMPB (IP-MAC-Port Binding) is used to bind the IPv6 address, MAC address, VLAN ID and the connected port number of the specified host. Based on the binding table, the switch can prevent ND attacks with the ND Detection feature and filter the packets that don’t match the binding entries with the IPv6 Source Guard feature.
  • Page 787 Configuring IPv6 IMPB IPv6 IMPB Figure 1-1 Network Topology of ND Detection User A Trusted Untrusted Port Port Untrusted Port Switch Gateway Attacker IPv6 Source Guard IPv6 Source Guard is used to filter the IPv6 packets based on the IPv6-MAC Binding table. Only the packets that match the binding rules are forwarded.
  • Page 788: Ipv6-Mac Binding Configuration

    Configuring IPv6 IMPB IPv6-MAC Binding Configuration IPv6-MAC Binding Configuration You can add IPv6-MAC Binding entries in three ways: ■ Manual Binding ■ Via ND Snooping ■ Via DHCPv6 Snooping Additionally, you can view, search and edit the entries in the Binding Table. Using the GUI 2.1.1 Binding Entries Manually You can manually bind the IPv6 address, MAC address, VLAN ID and the Port number...
  • Page 789 Configuring IPv6 IMPB IPv6-MAC Binding Configuration Figure 2-1 Manual Binding Follow these steps to manually create an IPv6-MAC Binding entry: 1) Enter the following information to specify a host. Host Name Enter the host name for identification. IPv6 Address Enter the IPv6 address. MAC Address Enter the MAC address.
  • Page 790: Binding Entries Via Nd Snooping

    Configuring IPv6 IMPB IPv6-MAC Binding Configuration 2.1.2 Binding Entries via ND Snooping With ND Snooping, the switch monitors the ND packets, and records the IPv6 addresses, MAC addresses, VLAN IDs and the connected port numbers of the IPv6 hosts. You can bind these entries conveniently.
  • Page 791: Binding Entries Via Dhcpv6 Snooping

    Configuring IPv6 IMPB IPv6-MAC Binding Configuration 2) In the VLAN Config section, select one or more VLANs and enable ND Snooping. Click Apply. VLAN ID Displays the VLAN ID. Status Enable or disable ND Snooping on the VLAN. 3) In the Port Config section, configure the maximum number of entries a port can learn via ND snooping.
  • Page 792 Configuring IPv6 IMPB IPv6-MAC Binding Configuration Choose the menu SECURITY > IPv6 IMPB > IPv6-MAC Binding > DHCPv6 Snooping to load the following page. Figure 2-3 DHCPv6 Snooping Follow these steps to configure IPv6-MAC Binding via DHCPv6 Snooping: 1) In the Global Config section, globally enable DHCPv6 Snooping. Click Apply. 2) In the VLAN Config section, enable DHCPv6 Snooping on a VLAN or range of VLANs.
  • Page 793: Viewing The Binding Entries

    Configuring IPv6 IMPB IPv6-MAC Binding Configuration Maximum Entries Configure the maximum number of binding entries a port can learn via DHCPv6 snooping. Displays the LAG that the port is in. 4) The learned entries will be displayed in the Binding Table. You can go to SECURITY > IPv6 IMPB >...
  • Page 794: Using The Cli

    Configuring IPv6 IMPB IPv6-MAC Binding Configuration VLAN ID Displays the VLAN ID. Port Displays the port number. Protect Type Select the protect type for the entry. The entry will be applied to the specific feature. The following options are provided: None: This entry will not be applied to any feature.
  • Page 795 Configuring IPv6 IMPB IPv6-MAC Binding Configuration Step 2 ipv6 source binding hostname ipv6-addr mac-addr vlan vlan-id interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id } { none | nd-detection | ipv6-verify-source | both } Manually bind the host name, IP address, MAC address, VLAN ID and port number of the host, and configure the protect type for the host.
  • Page 796: Binding Entries Via Nd Snooping

    Configuring IPv6 IMPB IPv6-MAC Binding Configuration 2.2.2 Binding Entries via ND Snooping Follow these steps to bind entries via ND Snooping: Step 1 configure Enter global configuration mode. Step 2 ipv6 nd snooping Globally enable ND Snooping. ipv6 nd snooping vlan vlan-range Step 3 Enable ND Snooping on the specified VLAN.
  • Page 797: Binding Entries Via Dhcpv6 Snooping

    Configuring IPv6 IMPB IPv6-MAC Binding Configuration Switch(config)#end Switch#copy running-config startup-config The following example shows how to configure the maximum number of entries that can be learned on port 1/0/1: Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#ipv6 nd snooping max-entries 1000 Switch(config-if)#show ipv6 nd snooping interface gigabitEthernet 1/0/1 Interface max-entries --------- -----------...
  • Page 798: Viewing Binding Entries

    Configuring IPv6 IMPB IPv6-MAC Binding Configuration Step 7 Return to privileged EXEC mode. Step 8 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable DHCPv6 Snooping globally and on VLAN 5, and set the maximum number of binding entries port 1/0/1 can learn via DHCPv6 snooping as 100: Switch#configure Switch(config)#ipv6 dhcp snooping...
  • Page 799: Nd Detection Configuration

    Configuring IPv6 IMPB ND Detection Configuration ND Detection Configuration To complete ND Detection configuration, follow these steps: 1) Add IPv6-MAC Binding entries. 2) Enable ND Detection. 3) Configure ND Detection on ports. 4) View ND statistics. Using the GUI 3.1.1 Adding IPv6-MAC Binding Entries The ND Detection feature allows the switch to detect the ND packets based on the binding entries in the IPv6-MAC Binding Table and filter out the illegal ND packets.
  • Page 800: Configuring Nd Detection On Ports

    Configuring IPv6 IMPB ND Detection Configuration VLAN ID Displays the VLAN ID. Status Enable or disable ND Detection on the VLAN. Log Status Enable or disable Log feature on the VLAN. With this feature enabled, the switch generates a log when an illegal ND packet is discarded. 3.1.3 Configuring ND Detection on Ports Choose the menu SECURITY >...
  • Page 801: Using The Cli

    Configuring IPv6 IMPB ND Detection Configuration Choose the menu SECURITY > IPv6 IMPB > ND Detection > ND Statistics to load the following page. Figure 3-3 View ND Statistics In the Auto Refresh section, you can enable the auto refresh feature and specify the refresh interval, and thus the web page will be automatically refreshed.
  • Page 802: Configuring Nd Detection On Ports

    Configuring IPv6 IMPB ND Detection Configuration Step 3 ipv6 nd detection vlan vlan-range Enable ND Detection on the specified VLAN. vlan-range: Enter the vlan range in the format of 1-3, 5. Step 4 ipv6 nd detection vlan vlan-range logging (Optional) Enable the Log feature to make the switch generate a log when an ND packet is discarded.
  • Page 803: Viewing Nd Statistics

    Configuring IPv6 IMPB ND Detection Configuration Step 2 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Enter interface configuration mode. Step 3 ipv6 nd detection trust Configure the port as a trusted port, on which the ND packets will not be checked.
  • Page 804: Ipv6 Source Guard Configuration

    Configuring IPv6 IMPB IPv6 Source Guard Configuration IPv6 Source Guard Configuration To complete IPv6 Source Guard configuration, follow these steps: 1) Add IP-MAC Binding entries. 2) Configure IPv6 Source Guard. Using the GUI 4.1.1 Adding IPv6-MAC Binding Entries The ND Detection feature allows the switch to detect the ND packets based on the binding entries in the IPv6-MAC Binding Table and filter out the illegal ND packets.
  • Page 805: Using The Cli

    Configuring IPv6 IMPB IPv6 Source Guard Configuration Port Displays the port number. Security Type Select Security Type on the port for IPv6 packets. The following options are provided: Disable: The IP Source Guard feature is disabled on the port. SIPv6+MAC: Only the packet with its source IPv6 address, source MAC address and port number matching the IPv6-MAC binding rules can be processed, otherwise the packet will be discarded.
  • Page 806 Configuring IPv6 IMPB IPv6 Source Guard Configuration Step 4 show ipv6 verify source [ interface { fastEthernet port | gigabitEthernet port | ten- gigabitEthernet port | port-channel port-channel-id } ] Verify the IP Source Guard configuration for IPv6 packets. Step 5 Return to privileged EXEC mode.
  • Page 807: Configuration Examples

    Configuring IPv6 IMPB Configuration Examples Configuration Examples Example for ND Detection 5.1.1 Network Requirements As shown below, User 1 and User 2 are legal IPv6 users in the LAN and connected to port 1/0/1 and port 1/0/2. Both of them are in the default VLAN 1. The router has been configured with security feature to prevent attacks from the WAN.
  • Page 808: Using The Gui

    Configuring IPv6 IMPB Configuration Examples 3) Configure ND Detection on ports. Since port 1/0/3 is connected to the gateway router, set port 1/0/3 as trusted port. Demonstrated with T1600G-28TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. 5.1.3 Using the GUI 1) Choose the menu SECURITY >...
  • Page 809 Configuring IPv6 IMPB Configuration Examples Figure 5-3 Binding Entry for User 2 3) Choose the menu SECURITY > IPv6 IMPB > ND Detection > Global Config to load the following page. Enable ND Detection and click Apply. Select VLAN 1, change Status to Enabled and click Apply.
  • Page 810: Using The Cli

    Configuring IPv6 IMPB Configuration Examples Figure 5-5 Port Config 5) Click to save the settings. 5.1.4 Using the CLI 1) Manually bind the entries for User 1 and User 2. Switch_A#configure Switch_A(config)#ipv6 source binding User1 2001::5 74:d3:45:32:b6:8d vlan 1 interface gigabitEthernet 1/0/1 nd-detection Switch_A(config)#ipv6 source binding User2 2001::6 88:a9:d4:54:fd:c3 vlan 1 interface gigabitEthernet 1/0/2 nd-detection 2) Enable ND Detection globally and on VLAN 1.
  • Page 811: Example For Ipv6 Source Guard

    Configuring IPv6 IMPB Configuration Examples Host IP-Addr MAC-Addr VID Port SOURCE ---- ------- -------- ---- ------ User1 2001::5 74:d3:45:32:b6:8d Gi1/0/1 ND-D Manual User2 2001::6 88:a9:d4:54:fd:c3 Gi1/0/2 ND-D Manual Notice: 1.Here, ‘ND-D’ for ‘ND-Detection’,and’IP-V-S’ for ‘IP-Verify-Source’. Verify the global configuration of ND Detection: Switch_A#show ipv6 nd detection Global Status: Enable Verify the ND Detection configuration on VLAN:...
  • Page 812: Configuration Scheme

    Configuring IPv6 IMPB Configuration Examples 1/0/1, and other unknown hosts will be blocked when trying to access the network via ports 1/0/1-3. Figure 5-6 Network Topology Legal Host 2001::5 74-D3-45-32-B6-8D GI1/0/1 GI1/0/2 GI1/0/3 Unknown Host Switch Unknown Host 5.2.2 Configuration Scheme To implement this requirement, you can use IPv6-MAC Binding and IPv6 Source Guard to filter out the packets received from the unknown hosts.
  • Page 813 Configuring IPv6 IMPB Configuration Examples Figure 5-7 Manual Binding 2) Choose the menu SECURITY > IPv6 IMPB > IPv6 Source Guard to load the following page. Select ports 1/0/1-3, configure the Security Type as SIPv6+MAC, and click Apply. Figure 5-8 IPv6 Source Guard 3) Click to save the settings.
  • Page 814: Using The Cli

    Configuring IPv6 IMPB Configuration Examples 5.2.4 Using the CLI 1) Manually bind the IPv6 address, MAC address, VLAN ID and connected port number of the legal host, and apply this entry to the IPv6 Source Guard feature. Switch#configure Switch(config)#ipv6 source binding legal-host 2001::5 74:d3:45:32:b6:8d vlan 1 interface gigabitEthernet 1/0/1 ipv6-verify-source 2) Enable IPv6 Source Guard on ports 1/0/1-3.
  • Page 815: Appendix: Default Parameters

    Configuring IPv6 IMPB Appendix: Default Parameters Appendix: Default Parameters Default settings of DHCP Snooping are listed in the following table: Table 6-1 DHCPv6 Snooping Parameter Default Setting Global Config DHCPv6 Snooping Disabled VLAN Config Status Disabled Port Config Maximum Entry Default settings of ND Detection are listed in the following table: Table 6-2 ND Detection...
  • Page 816 Configuring IPv6 IMPB Appendix: Default Parameters Default settings of IPv6 Source Guard are listed in the following table: Table 6-3 ND Detection Parameter Default Setting Port Config Security Type Disabled User Guide...
  • Page 817: Configuring Dhcp Filter

    Part 25 Configuring DHCP Filter CHAPTERS 1. DHCP Filter 2. DHCPv4 Filter Configuration 3. DHCPv6 Filter Configuration 4. Configuration Examples 5. Appendix: Default Parameters...
  • Page 818: Dhcp Filter

    Configuring DHCP Filter DHCP Filter DHCP Filter Overview During the working process of DHCP, generally there is no authentication mechanism between the DHCP server and the clients. If there are several DHCP servers on the network, security problems and network interference will happen. DHCP Filter resolves this problem.
  • Page 819 Configuring DHCP Filter DHCP Filter DHCPv4 Filter DHCPv4 Filter is used for DHCPv4 servers and IPv4 clients. DHCPv6 Filter DHCPv6 Filter is used for DHCPv6 servers and IPv6 clients. User Guide...
  • Page 820: Dhcpv4 Filter Configuration

    Configuring DHCP Filter DHCPv4 Filter Configuration DHCPv4 Filter Configuration To complete DHCPv4 Filter configuration, follow these steps: 1) Configure the basic DHCPv4 Filter parameters. 2) Configure legal DHCPv4 servers. Using the GUI 2.1.1 Configuring the Basic DHCPv4 Filter Parameters Choose the menu SECURITY > DHCP Filter > DHCPv4 Filter > Basic Config to load the following page.
  • Page 821 Configuring DHCP Filter DHCPv4 Filter Configuration Port Displays the port number. Status Enable or disable DHCPv4 Filter feature on the port. MAC Verify Enable or disable the MAC Verify feature. There are two fields in the DHCPv4 packet that contain the MAC address of the host. The MAC Verify feature compares the two fields of a DHCPv4 packet and discards the packet if the two fields are different.
  • Page 822: Configuring Legal Dhcpv4 Servers

    Configuring DHCP Filter DHCPv4 Filter Configuration 2.1.2 Configuring Legal DHCPv4 Servers Choose the menu SECURITY > DHCP Filter > DHCPv4 Filter > Legal DHCPv4 Servers and click to load the following page. Figure 2-2 Adding Legal DHCPv4 Server Follow these steps to add a legal DHCPv4 server: 1) Configure the following parameters: Server IP Address Specify the IP address of the legal DHCPv4 server.
  • Page 823 Configuring DHCP Filter DHCPv4 Filter Configuration Step 2 ip dhcp filter Enable DHCPv4 Filter globally. Step 3 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | interface port-channel port-channel-id | interface range port-channel port-channel-id-list Enter interface configuration mode.
  • Page 824: Configuring Legal Dhcpv4 Servers

    Configuring DHCP Filter DHCPv4 Filter Configuration Note: The member port of an LAG (Link Aggregation Group) follows the configuration of the LAG and not its own. The configurations of the port can take effect only after it leaves the LAG. The following example shows how to enable DHCPv4 Filter globally and how to enable DHCPv4 Filter, enable the MAC verify feature, set the limit rate as 10 pps and set the decline rate as 20 pps on port 1/0/1:...
  • Page 825 Configuring DHCP Filter DHCPv4 Filter Configuration Step 2 ip dhcp filter server permit-entry server-ip ipAddr client-mac macAddr interface { fastEthernet port-list | gigabitEthernet port-list | ten-gigabitEthernet port-list | port-channel port-channel-id } Create an entry for the legal DHCPv4 server. ipAddr : Specify the IP address of the legal DHCPv4 server.
  • Page 826: Dhcpv6 Filter Configuration

    Configuring DHCP Filter DHCPv6 Filter Configuration DHCPv6 Filter Configuration To complete DHCPv6 Filter configuration, follow these steps: 1) Configure the basic DHCPv6 Filter parameters. 2) Configure legal DHCPv6 servers. Using the GUI 3.1.1 Configuring the Basic DHCPv6 Filter Parameters Choose the menu SECURITY > DHCP Filter > DHCPv6 Filter > Basic Config to load the following page.
  • Page 827: Configuring Legal Dhcpv6 Servers

    Configuring DHCP Filter DHCPv6 Filter Configuration Status Enable or disable DHCPv6 Filter feature on the port. Rate Limit Select to enable the rate limit feature and specify the maximum number of DHCPv6 packets that can be forwarded on the port per second. The excessive DHCPv6 packets will be discarded.
  • Page 828: Using The Cli

    Configuring DHCP Filter DHCPv6 Filter Configuration Server Port Select the port that the legal DHCPv6 server is connected to. 2) Click Create. Using the CLI 3.2.1 Configuring the Basic DHCPv6 Filter Parameters Follow these steps to complete the basic settings of DHCPv6 Filter: Step 1 configure Enter global configuration mode.
  • Page 829: Configuring Legal Dhcpv6 Servers

    Configuring DHCP Filter DHCPv6 Filter Configuration Step 9 Return to privileged EXEC mode. Step 10 copy running-config startup-config Save the settings in the configuration file. Note: The member port of an LAG (Link Aggregation Group) follows the configuration of the LAG and not its own.
  • Page 830 Configuring DHCP Filter DHCPv6 Filter Configuration Step 2 ipv6 dhcp filter server permit-entry server-ip ipAddr interface { fastEthernet port-list | gigabitEthernet port-list | ten-gigabitEthernet port-list | port-channel port-channel-id } Create an entry for the legal DHCPv6 server. ipAddr : Specify the IPv6 address of the legal DHCPv6 server. port-list | port-channel-id : Specify the port that the legal DHCPv6 server is connected to.
  • Page 831: Configuration Examples

    Configuring DHCP Filter Configuration Examples Configuration Examples Example for DHCPv4 Filter 4.1.1 Network Requirements As shown below, all the DHCPv4 clients get IP addresses from the legal DHCPv4 server, and any other DHCPv4 server in the LAN is regarded as illegal. Now it is required that only the legal DHCPv4 server is allowed to assign IP addresses to the clients.
  • Page 832: Using The Gui

    Configuring DHCP Filter Configuration Examples 4.1.3 Using the GUI 1) Choose the menu SECURITY > DHCP Filter > DHCPv4 Filter > Basic Config to load the following page. Enable DHCPv4 Filter globally and click Apply. Select all ports, change Status as Enable, and click Apply. Figure 4-2 Basic Config 2) Choose the menu SECURITY >...
  • Page 833: Using The Cli

    Configuring DHCP Filter Configuration Examples Figure 4-3 Create Entry for Legal DHCPv4 Server 3) Click to save the settings. 4.1.4 Using the CLI 1) Enable DHCPv4 Filter globally and on all ports: Switch_A#configure Switch_A(config)#ip dhcp filter Switch_A(config)#interface range gigabitEthernet 1/0/1-28 Switch_A(config-if-range)#ip dhcp filter Switch_A(config-if-range)#exit 2) Create an entry for the legal DHCPv4 server: Switch_A(config)#ip dhcp filter server permit-entry server-ip 192.168.0.200 client-mac...
  • Page 834: Example For Dhcpv6 Filter

    Configuring DHCP Filter Configuration Examples Verify the DHCPv4 Filter configuration on ports: Switch_A#show ip dhcp filter interface Interface state MAC-Verify Limit-Rate Dec-rate --------- ------- ---------- ---------- -------- Gi1/0/1 Enable Disable Disable Disable Gi1/0/2 Enable Disable Disable Disable Gi1/0/3 Enable Disable Disable Disable Gi1/0/4...
  • Page 835: Configuration Scheme

    Configuring DHCP Filter Configuration Examples Figure 4-1 Network Topology Legal DHCPv6 Server 2001::54 Gi1/0/1 Illegal DHCPv6 Switch A Server DHCPv6 Client DHCPv6 Client DHCPv6 Client 4.2.2 Configuration Scheme To meet the requirements, you can configure DHCPv6 Filter to filter the DHCPv6 packets from the illegal DHCPv6 server.
  • Page 836 Configuring DHCP Filter Configuration Examples Figure 4-2 Basic Config 2) Choose the menu SECURITY > DHCP Filter > DHCPv6 Filter > Legal DHCPv6 Servers and click to load the following page. Specify the IP address and connected port number of the legal DHCPv6 server. Click Create. Figure 4-3 Create Entry for Legal DHCPv6 Server 3) Click to save the settings.
  • Page 837: Using The Cli

    Configuring DHCP Filter Configuration Examples 4.2.4 Using the CLI 1) Enable DHCPv6 Filter globally and on all ports: Switch_A#configure Switch_A(config)#ipv6 dhcp filter Switch_A(config)#interface range gigabitEthernet 1/0/1-28 Switch_A(config-if-range)#ipv6 dhcp filter Switch_A(config-if-range)#exit 2) Create an entry for the legal DHCPv6 server: Switch_A(config)#ipv6 dhcp filter server permit-entry server-ip 2001::54 interface gigabitEthernet 1/0/1 Switch_A(config)#end Switch_A#copy running-config startup-config...
  • Page 838 Configuring DHCP Filter Configuration Examples Server IP Interface ---------------- ---------- 2001::54 Gi1/0/1 User Guide...
  • Page 839: Appendix: Default Parameters

    Configuring DHCP Filter Appendix: Default Parameters Appendix: Default Parameters Default settings of DHCPv4 Filter are listed in the following table: Table 5-1 DHCPv4 Filter Parameter Default Setting Global Config DHCPv4 Filter Disabled Port Config Status Disabled MAC Verify Disabled Rate Limit Disabled Decline Protect Disabled...
  • Page 840: Configuring Dos Defend

    Part 26 Configuring DoS Defend CHAPTERS 1. Overview 2. DoS Defend Configuration 3. Appendix: Default Parameters...
  • Page 841: Overview

    Configuring DoS Defend Overview Overview The DoS (Denial of Service) defend feature provides protection against DoS attacks. DoS attacks occupy the network bandwidth maliciously by sending numerous service requests to the hosts. It results in an abnormal service or breakdown of the network. With DoS Defend feature, the switch can analyze the specific fields of the IP packets, distinguish the malicious DoS attack packets and discard them directly.
  • Page 842: Dos Defend Configuration

    Configuring DoS Defend DoS Defend Configuration DoS Defend Configuration Using the GUI Choose the menu SECURITY > DoS Defend to load the following page. Figure 2-1 DoS Defend Follow these steps to configure DoS Defend: 1) In the DoS Defend section, enable DoS Protection and click Apply. 2) In the DoS Defend Config section, select one or more defend types according to your needs and click Apply.
  • Page 843: Using The Cli

    Configuring DoS Defend DoS Defend Configuration NULL Scan The attacker sends the illegal packet with its TCP index and all the control fields set to 0. During the TCP connection and data transmission, the packets with all control fields set to 0 are considered illegal. SYN sPort less 1024 The attacker sends the illegal packet with its TCP SYN field set to 1 and source...
  • Page 844 Configuring DoS Defend DoS Defend Configuration Step 3 ip dos-prevent type { land | scan-synfin | xma-scan | null-scan | port-less-1024 | blat | ping- flood | syn-flood | win-nuke | ping-of-death | smurf } Configure one or more defend types according to your needs. The types of DoS attack are introduced as follows.
  • Page 845 Configuring DoS Defend DoS Defend Configuration Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable the DoS Defend type named land: Switch#configure Switch(config)#ip dos-prevent Switch(config)#ip dos-prevent type land Switch(config)#show ip dos-prevent DoS Prevention State:...
  • Page 846: Appendix: Default Parameters

    Configuring DoS Defend Appendix: Default Parameters Appendix: Default Parameters Default settings of Network Security are listed in the following tables. Table 3-1 DoS Defend Parameter Default Setting DoS Defend Disabled User Guide...
  • Page 847: Monitoring The System

    Part 27 Monitoring the System CHAPTERS 1. Overview 2. Monitoring the CPU 3. Monitoring the Memory...
  • Page 848: Overview

    Monitoring the System Overview Overview With the System Monitor function, you can: ■ Monitor the CPU utilization of the switch. ■ Monitor the memory utilization of the switch. The CPU utilization should always be under 80%, and excessive use may result in switch malfunctions.
  • Page 849: Monitoring The Cpu

    Monitoring the System Monitoring the CPU Monitoring the CPU Using the GUI Choose the menu MAINTENANCE > System Monitor > CPU Monitor to load the following page. Figure 2-1 Monitoring the CPU Click Monitor to enable the switch to monitor and display its CPU utilization rate every five seconds.
  • Page 850 Monitoring the System Monitoring the CPU The following example shows how to monitor the CPU: Switch#show cpu-utilization Unit | CPU Utilization Five-Seconds One-Minute Five-Minutes ------+------------------------------------------------- User Guide...
  • Page 851: Monitoring The Memory

    Monitoring the System Monitoring the Memory Monitoring the Memory Using the GUI Choose the menu MAINTENANCE > System Monitor > Memory Monitor to load the following page. Figure 3-1 Monitoring the Memory Click Monitor to enable the switch to monitor and display its memory utilization rate every five seconds.
  • Page 852 Monitoring the System Monitoring the Memory Unit | Current Memory Utilization ------+---------------------------- | 74% User Guide...
  • Page 853: Monitoring Traffic

    Part 28 Monitoring Traffic CHAPTERS 1. Traffic Monitor 2. Appendix: Default Parameters...
  • Page 854: Traffic Monitor

    Monitoring Traffic Traffic Monitor Traffic Monitor With Traffic Monitor function, you can monitor each port’s traffic information, including the traffic summary and traffic statistics in detail. Using the GUI Choose the menu MAINTENANCE > Traffic Monitor to load the following page. Figure 1-1 Traffic Summary Follow these steps to view the traffic summary of each port: 1) To get the real-time traffic summary, enable Auto Refresh, or click Refresh.
  • Page 855 Monitoring Traffic Traffic Monitor Packets Tx: Displays the number of packets transmitted on the port. Error packets are not counted. Octets Rx: Displays the number of octets received on the port. Error octets are counted. Octets Tx: Displays the number of octets transmitted on the port. Error octets are counted. To view a port’s traffic statistics in detail, click Statistics on the right side of the entry.
  • Page 856 Monitoring Traffic Traffic Monitor Received: Displays the detailed information of received packets. Broadcast: Displays the number of valid broadcast packets received on the port. Error frames are not counted. Multicast: Displays the number of valid multicast packets received on the port. Error frames are not counted.
  • Page 857 Monitoring Traffic Traffic Monitor Sent: Displays the detailed information of sent packets. Broadcast: Displays the number of valid broadcast packets transmitted on the port. Error frames are not counted. Multicast: Displays the number of valid multicast packets transmitted on the port. Error frames are not counted.
  • Page 858: Using The Cli

    Monitoring Traffic Traffic Monitor Using the CLI In privileged EXEC mode or any other configuration mode, you can use the following command to view the traffic information of each port or LAG: show interface counters [ fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id ] port : The port number.
  • Page 859: Appendix: Default Parameters

    Monitoring Traffic Appendix: Default Parameters Appendix: Default Parameters Table 2-1 Traffic Statistics Monitoring Parameter Default Setting Traffic Summary Auto Refresh Disabled Refresh Rate 10 seconds User Guide...
  • Page 860: Mirroring Traffic

    Part 29 Mirroring Traffic CHAPTERS 1. Mirroring 2. Configuration Examples 3. Appendix: Default Parameters...
  • Page 861: Mirroring

    Mirroring Traffic Mirroring Mirroring You can analyze network traffic and troubleshoot network problems using Mirroring. Mirroring allows the switch to send a copy of the traffic that passes through specified sources (ports, LAGs or the CPU) to a destination port. It does not affect the switching of network traffic on source ports, LAGs or the CPU.
  • Page 862 Mirroring Traffic Mirroring Figure 1-2 Configure the Mirroring Session Follow these steps to configure the mirroring session: 1) In the Destination Port Config section, specify a destination port for the mirroring session, and click Apply. 2) In the Source Interfaces Config section, specify the source interfaces and click Apply. Traffic passing through the source interfaces will be mirrored to the destination port.
  • Page 863: Using The Cli

    Mirroring Traffic Mirroring Note: • The member ports of an LAG cannot be set as a destination port or source port. • A port cannot be set as the destination port and source port at the same time. Using the CLI Follow these steps to configure Mirroring.
  • Page 864 Mirroring Traffic Mirroring Switch(config)#monitor session 1 source interface gigabitEthernet 1/0/1-3 both Switch(config)#monitor session 1 source cpu 1 both Switch(config)#show monitor session Monitor Session: Destination Port: Gi1/0/10 Source Ports(Ingress): Gi1/0/1-3 Source Ports(Egress): Gi1/0/1-3 Source CPU(Ingress): cpu1 Source CPU(Egress): cpu1 Switch(config-if)#end Switch#copy running-config startup-config User Guide...
  • Page 865: Configuration Examples

    Mirroring Traffic Configuration Examples Configuration Examples Network Requirements As shown below, several hosts and a network analyzer are directly connected to the switch. For network security and troubleshooting, the network manager needs to use the network analyzer to monitor the data packets from the end hosts. Figure 2-1 Network Topology Gi1/0/2-5 Gi1/0/1...
  • Page 866: Using The Cli

    Mirroring Traffic Configuration Examples 2) Click Edit on the above page to load the following page. In the Destination Port Config section, select port 1/0/1 as the destination port and click Apply. Figure 2-3 Destination Port Configuration 3) In the Source Interfaces Config section, select ports 1/0/2-5 as the source ports, and enable Ingress and Egress to allow the received and sent packets to be copied to the destination port.
  • Page 867 Mirroring Traffic Configuration Examples Verify the Configuration Switch#show monitor session 1 Monitor Session: Destination Port: Gi1/0/1 Source Ports(Ingress): Gi1/0/2-5 Source Ports(Egress): Gi1/0/2-5 User Guide...
  • Page 868: Appendix: Default Parameters

    Mirroring Traffic Appendix: Default Parameters Appendix: Default Parameters Default settings of Switching are listed in the following tables. Table 3-1 Configurations for Ports Parameter Default Setting Ingress Disabled Egress Disabled User Guide...
  • Page 869: Configuring Dldp

    Part 30 Configuring DLDP CHAPTERS 1. Overview 2. DLDP Configuration 3. Appendix: Default Parameters...
  • Page 870: Overview

    Configuring DLDP Overview Overview DLDP (Device Link Detection Protocol) is a Layer 2 protocol that enables devices connected through fiber or twisted-pair Ethernet cables to detect whether a unidirectional link exists. A unidirectional link occurs whenever traffic sent by a local device is received by its peer device but traffic from the peer device is not received by the local device.
  • Page 871: Dldp Configuration

    Configuring DLDP DLDP Configuration DLDP Configuration Configuration Guidelines ■ A DLDP-capable port cannot detect a unidirectional link if it is connected to a DLDP-incapable port of another switch. ■ To detect unidirectional links, make sure DLDP is enabled on both sides of the links. Using the GUI Choose the menu MAINTENANCE >...
  • Page 872 Configuring DLDP DLDP Configuration DLDP State Enable or disable DLDP globally. Advertisement Interval Configure the interval to send advertisement packets. Valid values are from 1 to 30 seconds, and the default value is 5 seconds. Shut Mode Choose how to shut down the port when a unidirectional link is detected: Auto: When a unidirectional link is detected on a port, DLDP will generate logs and traps then shut down the port, and DLDP on this port will change to Disabled.
  • Page 873: Using The Cli

    Configuring DLDP DLDP Configuration Using the CLI Follow these steps to configure DLDP: Step 1 configure Enter global configuration mode. Step 2 dldp Globally enable DLDP. Step 3 dldp interval interval-time Configure the interval of sending advertisement packets on ports that are in the advertisement state.
  • Page 874 Configuring DLDP DLDP Configuration Switch(config)#dldp Switch(config)#dldp interval 10 Switch(config)#dldp shut-mode auto Switch(config)#show dldp DLDP Global State: Enable DLDP Message Interval: 10 DLDP Shut Mode: Auto Switch(config)#end Switch#copy running-config startup-config The following example shows how to enable DLDP on port 1/0/1. Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#dldp...
  • Page 875: Appendix: Default Parameters

    Configuring DLDP Appendix: Default Parameters Appendix: Default Parameters Default settings of DLDP are listed in the following table. Table 3-1 Default Settings of DLDP Parameter Default Setting Global Config DLDP State Disabled Advertisement Interval 5 seconds Shut Mode Auto Auto Refresh Disabled Refresh Interval 3 seconds...
  • Page 876: Configuring Snmp & Rmon

    Part 31 Configuring SNMP & RMON CHAPTERS 1. SNMP 2. SNMP Configurations 3. Notification Configurations 4. RMON 5. RMON Configurations 6. Configuration Example 7. Appendix: Default Parameters...
  • Page 877: Snmp

    Configuring SNMP & RMON SNMP SNMP Overview SNMP (Simple Network Management Protocol) is a standard network management protocol, widely used on TCP/IP networks. It facilitates device management using NMS (Network Management System) applications. With SNMP, network managers can view or modify the information of network devices, and timely troubleshoot according to notifications sent by those devices.
  • Page 878 (1) tplink (11863) 1.3.6.1.4.1.11863 TP-Link switches provide private MIBs that can be identified by the OID 1.3.6.1.4.1.11863. The MIB file can be found on the provided CD or in the download center of our official website: https://www.tp-link.com/download-center.html. Also, TP-Link switches support the following public MIBs: ■...
  • Page 879 Configuring SNMP & RMON SNMP ■ RFC2620-RADIUS-Acc-Client.mib ■ RFC2674-pBridge.mib ■ RFC2674-qBridge.mib ■ RFC2863-pBridge.mib ■ RFC2925-Disman-Ping.mib ■ RFC2925-Disman-Traceroute.mib For detailed information about the supported public MIBs, see Supported Public MIBs for TP-Link Switches. SNMP Entity An SNMP entity is a device running the SNMP protocol. Both the SNMP manager and SNMP agent are SNMP entities.
  • Page 880 Configuring SNMP & RMON SNMP Table 1-1 Features Supported by Different SNMP Versions Feature SNMPv1 SNMPv2c SNMPv3 Based on SNMP Based on SNMP Based on SNMP User, Group, Access Control Community and MIB View Community and MIB View and MIB View Supported authentication and privacy modes are as follows: Authentication...
  • Page 881: Snmp Configurations

    Configuring SNMP & RMON SNMP Configurations SNMP Configurations To complete the SNMP configuration, choose an SNMP version according to network requirements and supportability of the NMS application, and then follow these steps: ■ Choose SNMPv1 or SNMPv2c 1) Enable SNMP. 2) Create an SNMP view for managed objects.
  • Page 882: Creating An Snmp View

    A valid engine ID must contain an even number of characters. By default, the switch generates the engine ID using TP-Link’s enterprise number (80002e5703) and its own MAC address. The local engine ID is a unique alphanumeric string used to identify the SNMP engine.
  • Page 883: Creating Snmp Communities (For Snmp V1/V2C)

    Configuring SNMP & RMON SNMP Configurations Figure 2-3 Creating an SNMP View View Name Set the view name with 1 to 16 characters. A complete view consists of all MIB objects that have the same view name. View Type Set the view to include or exclude the related MIB object. Include: The NMS can view or manage the function indicated by the object.
  • Page 884: Creating An Snmp Group (For Snmp V3)

    Configuring SNMP & RMON SNMP Configurations Access Mode Specify the access right to the related view. Read Only: The NMS can view but not modify parameters of the specified view. Read & Write: The NMS can view and modify parameters of the specified view. MIB View Choose an SNMP view that the community is allowed to access.
  • Page 885: Creating Snmp Users (For Snmp V3)

    Configuring SNMP & RMON SNMP Configurations Read View Choose a view to allow parameters to be viewed but not modified by the NMS. The view is necessary for any group. Write View Choose a view to allow parameters to be modified by the NMS. The view in Write View should also be added to Read View.
  • Page 886: Using The Cli

    Configuring SNMP & RMON SNMP Configurations Security Level Set the security level. The security level from lowest to highest is: NoAuthNoPriv, AuthNoPriv, AuthPriv. The security level of the user should not be lower than the group it belongs to. NoAuthNoPriv: No authentication algorithm but a user name match is applied to check packets, and no privacy algorithm is applied to encrypt them.
  • Page 887 Enter the engine ID of the local SNMP agent (the switch) with 10 to 64 hexadecimal digits. A valid engine ID must contain an even number of characters. By default, the switch generates the engine ID using TP-Link’s enterprise number (80002e5703) and its own MAC address.
  • Page 888: Creating An Snmp View

    Configuring SNMP & RMON SNMP Configurations 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 0 Number of requested variables 0 Number of altered variables 0 Get-request PDUs 0 Get-next PDUs 0 Set-request PDUs 0 SNMP packets output 0 Too big errors (Maximum packet size 1500) 0 No such name errors 0 Bad value errors...
  • Page 889: Creating Snmp Communities (For Snmp V1/V2C)

    Configuring SNMP & RMON SNMP Configurations Step 2 snmp-server view name mib-oid {include | exclude} Configure the view. name: Enter a view name with 1 to 16 characters. You can create multiple entries with each associated to a MIB object. A complete view consists of all MIB objects that have the same view name.
  • Page 890: Creating An Snmp Group (For Snmpv3)

    Configuring SNMP & RMON SNMP Configurations Step 1 configure Enter Global Configuration Mode. Step 2 snmp-server community name { read-only | read-write } [ mib-view ] Configure the community. name: Enter a group name with 1 to 16 characters. read-only | read-write: Choose an access permission for the community.
  • Page 891 Configuring SNMP & RMON SNMP Configurations Step 2 snmp-server group name [ smode v3 ] [ slev {noAuthNoPriv | authNoPriv | authPriv}] [ read read-view ] [ write write-view ] [ notify notify-view ] Create an SNMP group. name: Enter the group name with 1 to 16 characters. The identifier of a group consists of a group name, security model and security level.
  • Page 892: Creating Snmp Users (For Snmpv3)

    Configuring SNMP & RMON SNMP Configurations 2.2.5 Creating SNMP Users (For SNMPv3) Create SNMP users and add them to the SNMP group. Users in the same group have the same access rights which are controlled by the read, write and notify views of the group. Step 1 configure Enter Global Configuration Mode.
  • Page 893 Configuring SNMP & RMON SNMP Configurations Step 3 show snmp-server user Displays the information of SNMP users. Step 4 Return to Privileged EXEC Mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create a remote SNMP user named admin and add it to group nms1.
  • Page 894: Notification Configurations

    Configuring SNMP & RMON Notification Configurations Notification Configurations With Notification enabled, the switch can send notifications to the NMS about important events relating to the device’s operation. This facilitates the monitoring and management of the NMS. To configure SNMP notification, follow these steps: 1) Configure the information of NMS hosts.
  • Page 895 Configuring SNMP & RMON Notification Configurations IP Mode Choose an IP mode for the NMS host. IP Address If you set IP Mode as IPv4, specify an IPv4 address for the NMS host. If you set IP Mode as IPv6, specify an IPv6 address for the NMS host. UDP Port Specify a UDP port on the NMS host to receive notifications.
  • Page 896: Enabling Snmp Traps

    Configuring SNMP & RMON Notification Configurations 3.1.2 Enabling SNMP Traps Choose the menu MAINTENANCE > SNMP > Notification > Trap Config to load the following page. Figure 3-2 Enabling SNMP Traps Follow these steps to enable some or all of the supported traps: 1) Select the traps to be enabled according to your needs.
  • Page 897 Configuring SNMP & RMON Notification Configurations CPU Utilization Triggered when the CPU utilization exceeds 80%. Memory Utilization Triggered when the memory utilization exceeds 80%. Flash Operation Triggered when flash is modified during operations such as backup, reset, firmware upgrade, and configuration import. VLAN Create/Delete Triggered when certain VLANs are created or deleted successfully.
  • Page 898: Using The Cli

    Configuring SNMP & RMON Notification Configurations Only for products that support PoE. The trap includes the following sub-traps: Over-max-pwr-budget: Triggered when the total power required by the connected PDs exceeds the maximum power the PoE switch can supply. Port-pwr-change: Triggered when a port starts to supply power or stops supplying power.
  • Page 899 Configuring SNMP & RMON Notification Configurations Step 2 snmp-server host ip udp-port user-name [smode { v1 | v2c | v3 }] [slev {noAuthNoPriv | authNoPriv | authPriv }] [type { trap | inform}] [retries retries ] [timeout timeout ] Configure parameters of the NMS host and packet handling mechanism. Specify the IP address of the NMS host in IPv4 or IPv6.
  • Page 900: Enabling Snmp Traps

    Configuring SNMP & RMON Notification Configurations The following example shows how to configure an NMS host with the parameters shown in Table 3-1. Table 3-1 Parameters for the NMS Hosts Parameter Value IP Address 172.16.1.222 UDP Port User Name admin Security Model Security Level authPriv...
  • Page 901 Configuring SNMP & RMON Notification Configurations Step 2 snmp-server traps snmp [ linkup | linkdown | warmstart | coldstart | auth-failure ] Enable the corresponding SNMP standard traps. The command without any parameter enables all SNMP standard traps. By default, all SNMP standard traps are enabled. linkup | linkdown: Enable Linkup Trap and Linkdown Trap globally.
  • Page 902 Configuring SNMP & RMON Notification Configurations Step 2 snmp-server traps { rate-limit | cpu | flash | lldp remtableschange | lldp topologychange | loopback-detection | storm-control | spanning-tree | memory } Enable the corresponding SNMP extended traps. By default, all SNMP extended traps are disabled.
  • Page 903 Configuring SNMP & RMON Notification Configurations ■ Enabling the VLAN Traps Globally Step 1 configure Enter Global Configuration Mode. Step 2 snmp-server traps vlan [ create | delete ] Enable the corresponding VLAN traps. The command without parameter enables all SNMP VLAN traps.
  • Page 904 Configuring SNMP & RMON Notification Configurations The following example shows how to configure the switch to enable DHCP filter trap: Switch#configure Switch(config)#snmp-server traps security dhcp-filter Switch(config)#end Switch#copy running-config startup-config ■ Enabling the ACL Trap Globally Step 1 configure Enter Global Configuration Mode. Step 2 snmp-server traps security acl Enable the ACL trap.
  • Page 905 Configuring SNMP & RMON Notification Configurations Step 3 Return to Privileged EXEC Mode. Step 4 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure the switch to enable IP-Change trap: Switch#configure Switch(config)#snmp-server traps ip change Switch(config)#end Switch#copy running-config startup-config ■...
  • Page 906 Configuring SNMP & RMON Notification Configurations Step 4 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure the switch to enable all PoE traps: Switch#configure Switch(config)#snmp-server traps power Switch(config)#end Switch#copy running-config startup-config ■...
  • Page 907 Configuring SNMP & RMON Notification Configurations Switch#copy running-config startup-config User Guide...
  • Page 908: Rmon

    Configuring SNMP & RMON RMON RMON RMON (Remote Network Monitoring) together with the SNMP system allows the network manager to monitor remote network devices efficiently. RMON reduces traffic flow between the NMS and managed devices, which makes it convenient to manage large networks. RMON includes two parts: the NMS and the Agents running on every network device.
  • Page 909: Rmon Configurations

    Configuring SNMP & RMON RMON Configurations RMON Configurations With RMON configurations, you can: ■ Configure the Statistics group. ■ Configure the History group. ■ Configure the Event group. ■ Configure the Alarm group. Configuration Guidelines To ensure that the NMS receives notifications normally, complete configurations of SNMP and SNMP Notification before configuring RMON.
  • Page 910: Configuring History Group

    Configuring SNMP & RMON RMON Configurations Status Set the entry as Valid or Under Creation. By default, it is Valid. The switch starts to collect Ethernet statistics for a Statistics entry once the entry status is configured as valid. Valid: The entry is created and valid. Under Creation: The entry is created but invalid.
  • Page 911: Configuring Event Group

    Configuring SNMP & RMON RMON Configurations 3) Enter the owner name, and set the status of the entry. Click Apply. Owner Enter the owner name of the entry with 1 to 16 characters. By default, it is monitor. Status Enable or disable the entry. By default, it is disabled. Enable: The entry is enabled.
  • Page 912: Configuring Alarm Group

    Configuring SNMP & RMON RMON Configurations Action Mode Specify the action for the switch to take when the event is triggered. None: No action. Log: The switch records the event in the log, and the NMS should initiate requests to get notifications. Notify: The switch sends notifications to the NMS.
  • Page 913 Configuring SNMP & RMON RMON Configurations Follow these steps to configure the Alarm group: 1) Select an alarm entry, choose a variable to be monitored, and associate the entry with a statistics entry. Index Displays the index of Alarm entries. The switch supports up to 12 Alarm entries.
  • Page 914: Using The Cli

    Configuring SNMP & RMON RMON Configurations Falling Threshold Set the falling threshold of the variable. Valid values are from 1 to 2147483647. When the sampling value or the difference value is below the threshold, the system will trigger the corresponding Falling Event. Note: The falling threshold should be less than the rising threshold.
  • Page 915 Configuring SNMP & RMON RMON Configurations
    Step 2  rmon statistics index interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } [ owner owner-name ] [ status { underCreation | valid }]
            Configure RMON Statistics entries.
            index: Specify the index of the Statistics entry, which ranges from 1 to 65535. To configure multiple indexes, enter a list of indexes separated by commas, or use a hyphen to indicate a range of indexes.
  • Page 916: Configuring History

    Configuring SNMP & RMON RMON Configurations
    Switch#copy running-config startup-config
    5.2.2 Configuring History
    Step 1  configure
            Enter Global Configuration Mode.
    Step 2  rmon history index interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } [ interval seconds ] [ owner owner-name ] [ buckets number ]
            Configure RMON History entries.
  • Page 917: Configuring Event

    Configuring SNMP & RMON RMON Configurations
    Index Port Interval Buckets Owner State
    ----- --------- ----------- ----------- --------- -----
    Gi1/0/1 monitor Enable
    Switch(config)#end
    Switch#copy running-config startup-config
    5.2.3 Configuring Event
    Step 1  configure
            Enter Global Configuration Mode.
    Step 2  rmon event index [ user user-name ] [ description description ] [ type { none | log | notify | log-notify }] [ owner owner-name ]
            Configure RMON Event entries.
  • Page 918: Configuring Alarm

    Configuring SNMP & RMON RMON Configurations The following example shows how to create an Event entry on the switch. Set the user name as admin, the event type as Notify (set the switch to initiate notifications to the NMS), and the owner as monitor:
    Switch#configure
    Switch(config)#rmon event 1 user admin description rising-notify type notify owner monitor...
  • Page 919 Configuring SNMP & RMON RMON Configurations absolute | delta: Choose the sampling method of the specified variable. The default is absolute. In the absolute mode, the switch compares the sampling value against the preset threshold; in the delta mode, the switch obtains the difference between the sampling values of the current interval and the previous interval, and then compares the difference against the preset threshold.
  • Page 920 Configuring SNMP & RMON RMON Configurations
    Switch(config)#rmon alarm 1 stats-index 1 alarm-variable bpkt s-type absolute rising-threshold 3000 rising-event-index 1 falling-threshold 2000 falling-event-index 2 a-type all interval 10 owner monitor
    Switch(config)#show rmon alarm
    Index-State: 1-Enabled
    Statistics index: 1
    Alarm variable: BPkt
    Sample Type: Absolute...
  • Page 921: Configuration Example

    Configuring SNMP & RMON Configuration Example Configuration Example Network Requirements The following figure shows the network topology of a company. The company has requirements as follows: 1) Monitor storm traffic of ports 1/0/1 and 1/0/2 on Switch A, and send notifications to the NMS when the actual rate of broadcast, multicast or unknown-unicast packets exceeds the preset threshold.
  • Page 922: Configuration Scheme

    Configure the rising event as the Notify event entry, and the falling event as the Log event entry. Demonstrated with T1600G-52TS, this chapter provides configuration procedures in two ways: using the GUI and using the CLI. Using the GUI ■...
  • Page 923 Configuring SNMP & RMON Configuration Example Figure 6-3 Creating an SNMP View 3) Choose MAINTENANCE > SNMP > SNMP v3 > SNMP Group and click to load the following page. Create a group named nms-monitor, enable authentication and privacy, and add View to Read View and Notify View. Click Create. Figure 6-4 Configuring an SNMP Group 4) Choose MAINTENANCE >...
  • Page 924 Configuring SNMP & RMON Configuration Example Figure 6-5 Creating an SNMP User 5) Choose MAINTENANCE > SNMP > Notification > Notification Config and click to load the following page. Choose the IP Mode as IPv4, and specify the IP address of the NMS host and the port of the host for transmitting notifications.
  • Page 925 Configuring SNMP & RMON Configuration Example Figure 6-7 Enabling Storm Control Trap 7) Click to save the settings. ■ Configuring RMON 1) Choose MAINTENANCE > SNMP > RMON > Statistics and click to load the following page. Create Statistics entries 1 and 2, and bind them to ports 1/0/1 and 1/0/2, respectively.
  • Page 926 Configuring SNMP & RMON Configuration Example Figure 6-10 Configuring the History Entries 3) Choose the menu MAINTENANCE > SNMP > RMON > Event to load the following page. Configure entries 1 and 2. For entry 1, set the SNMP user name as admin, type as Notify, description as “rising_notify”, owner as monitor, and status as enable.
  • Page 927: Using The Cli

    Configuring SNMP & RMON Configuration Example Figure 6-12 Configuring the Alarm Entries 5) Click to save settings. Using the CLI ■ Configuring Storm Control on ports Configure the Storm Control on the required ports of Switch A. For detailed configuration, refer to Configuring QoS.
  • Page 928 Configuring SNMP & RMON Configuration Example Choose the type as Inform, and set the retry times as 3, and the timeout period as 100 seconds.
    Switch_A(config)#snmp-server host 192.168.1.222 162 admin smode v3 slev authPriv type inform retries 3 timeout 100
    ■...
  • Page 929 Configuring SNMP & RMON Configuration Example
    Switch_A(config)#rmon alarm 2 stats-index 2 alarm-variable revpkt s-type absolute rising-threshold 3000 rising-event-index 1 falling-threshold 2000 falling-event-index 2 a-type all interval 10 owner monitor
    Verify the Configurations
    Verify global SNMP configurations:
    Switch_A(config)#show snmp-server
    SNMP agent is enabled.
    0 SNMP packets input
    0 Bad SNMP version errors
    0 Unknown community name...
  • Page 930 Configuring SNMP & RMON Configuration Example Verify SNMP view configurations:
    Switch_A(config)#show snmp-server view
    No. View Name      Type    MOID
    --- -------------- ------- -------------------
        viewDefault    include 1
        viewDefault    exclude 1.3.6.1.6.3.15
        viewDefault    exclude 1.3.6.1.6.3.16
        viewDefault    exclude 1.3.6.1.6.3.18
        View           include 1
    Verify SNMP group configurations:
    Switch_A(config)#show snmp-server group
    No.
  • Page 931 Configuring SNMP & RMON Configuration Example
    Index Port       Owner     State
    ----- ---------- --------- -------
          Gi1/0/1    monitor   valid
          Gi1/0/2    monitor   valid
    Verify RMON history configurations:
    Switch_A(config)#show rmon history
    Index Port      Interval Buckets   Owner      State
    ----- --------- -------- --------- ---------- ---------
          Gi1/0/1                      monitor    Enable
          Gi1/0/2...
  • Page 932 Configuring SNMP & RMON Configuration Example
    Index-State: 2-Enabled
    Statistics index: 2
    Alarm variable: RevPkt
    Sample Type: Absolute
    RHold-REvent: 3000-1
    FHold-FEvent: 2000-2
    Alarm startup:
    Interval:
    Owner: monitor
    User Guide...
  • Page 933: Appendix: Default Parameters

    Configuring SNMP & RMON Appendix: Default Parameters Appendix: Default Parameters Default settings of SNMP are listed in the following tables.
    Table 7-1 Default Global Config Settings
    Parameter         Default Setting
    SNMP              Disabled
    Local Engine ID   Automatically
    Remote Engine ID  None
    Table 7-2 Default SNMP View Table Settings
    View Name View Type...
  • Page 934 Configuring SNMP & RMON Appendix: Default Parameters Parameter Default Setting SNMP User User Entry No entries User Name None User Type Local User Group Name None Security Model Security Level noAuthNoPriv Authentication MD5 (when Security Level is configured as AuthNoPriv Mode or AuthPriv) Authentication...
  • Page 935 Configuring SNMP & RMON Appendix: Default Parameters Default settings of RMON are listed in the following tables. Table 7-6 Default Statistics Config Settings Parameter Default Setting Statistics Entry No entries None Port None Owner None IP Mode Valid Table 7-7 Default Settings for History Entries Parameter Default Setting...
  • Page 936 Configuring SNMP & RMON Appendix: Default Parameters Parameter Default Setting Interval 1800 seconds Owner monitor Status Disabled User Guide...
  • Page 937: Diagnosing The Device & Network

    Part 32 Diagnosing the Device & Network CHAPTERS 1. Diagnosing the Device 2. Diagnosing the Network 3. Appendix: Default Parameters...
  • Page 938: Diagnosing The Device

    Diagnosing the Device & Network Diagnosing the Device Diagnosing the Device The device diagnostics feature provides cable testing, which allows you to troubleshoot based on the connection status, cable length and fault location. Using the GUI Choose the menu MAINTENANCE > Device Diagnostics to load the following page. Figure 1-1 Diagnosing the Cable Follow these steps to diagnose the cable: 1) Select your desired port for the test and click Apply.
  • Page 939: Using The Cli

    Diagnosing the Device & Network Diagnosing the Device Fault Location If the connection status is short, close or crosstalk, this field displays the length from the port to the trouble spot. Using the CLI In privileged EXEC mode or any other configuration mode, you can use the following command to check the connection status of the cable that is connected to the switch.
  • Page 940: Diagnosing The Network

    Diagnosing the Device & Network Diagnosing the Network Diagnosing the Network The network diagnostics feature provides Ping testing and Tracert testing. You can test connectivity to remote hosts, or to the gateways from the switch to the destination. With Network Diagnostics, you can: ■...
  • Page 941: Troubleshooting With Tracert Testing

    Diagnosing the Device & Network Diagnosing the Network Follow these steps to test the connectivity between the switch and another device in the network: 1) In the Ping Config section, enter the IP address of the destination device for Ping test, set Ping times, data size and interval according to your needs, and then click Ping to start the test.
  • Page 942: Using The Cli

    Diagnosing the Device & Network Diagnosing the Network 2) In the Tracert Result section, check the test results. Using the CLI 2.2.1 Configuring the Ping Test In privileged EXEC mode, you can use the following command to test the connectivity between the switch and one node of the network.
  • Page 943: Configuring The Tracert Test

    Diagnosing the Device & Network Diagnosing the Network 2.2.2 Configuring the Tracert Test In privileged EXEC mode, you can use the following command to test the connectivity between the switch and routers along the path from the source to the destination:
    tracert [ ip | ipv6 ] ip_addr [ maxHops ]
    Test the connectivity of the gateways along the path from the source to the destination.
  • Page 944: Appendix: Default Parameters

    Diagnosing the Device & Network Appendix: Default Parameters Appendix: Default Parameters Default settings of Network Diagnostics are listed in the following tables.
    Table 3-1 Default Settings of Ping Config
    Parameter       Default Setting
    Destination IP  192.168.0.1
    Ping Times
    Data Size       64 bytes
    Interval        1000 milliseconds
    Table 3-2...
  • Page 945 Part 33 Configuring System Logs CHAPTERS 1. Overview 2. System Logs Configurations 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 946: Overview

    Configuring System Logs Overview Overview The switch generates messages in response to events, faults, or errors that have occurred, as well as changes in configuration or other occurrences. You can check system messages for debugging and network management. System logs can be saved in various destinations, such as the log buffer, log file or remote log servers, depending on your configuration.
  • Page 947: System Logs Configurations

    Configuring System Logs System Logs Configurations System Logs Configurations System logs configurations include:
    ■ Configuring the local logs.
    ■ Configuring the remote logs.
    ■ Backing up the logs.
    ■ Viewing the log table.
    Configuration Guidelines Logs are classified into the following eight levels. Messages of levels 0 to 4 mean the functionality of the switch is affected.
  • Page 948: Using The Gui

    Configuring System Logs System Logs Configurations Using the GUI 2.1.1 Configuring the Local Logs Choose the menu MAINTENANCE > Logs > Local Logs to load the following page. Figure 2-1 Configuring the Local Logs Follow these steps to configure the local logs: 1) Select your desired channel and configure the corresponding severity and status.
  • Page 949: Backing Up The Logs

    Configuring System Logs System Logs Configurations message is generated. To display the logs, the servers should run a log server software that complies with the syslog standard. Choose the menu MAINTENANCE > Logs > Remote Logs to load the following page. Figure 2-2 Configuring the Remote Logs Follow these steps to configure the information of remote log servers: 1) Select an entry to enable the server, and then set the server IP address and severity.
  • Page 950: Viewing The Log Table

    Configuring System Logs System Logs Configurations 2.1.4 Viewing the Log Table Choose the menu MAINTENANCE > Logs > Log Table to load the following page. Figure 2-4 View the Log Table Select a module and a severity to view the corresponding log information. Time Displays the time the log event occurred.
  • Page 951: Using The Cli

    Configuring System Logs System Logs Configurations Using the CLI 2.2.1 Configuring the Local Logs Follow these steps to configure the local logs:
    Step 1  configure
            Enter global configuration mode.
    Step 2  logging buffer
            Configure the switch to save system messages in the log buffer. The log buffer is the RAM used for saving system logs.
  • Page 952: Configuring The Remote Logs

    Configuring System Logs System Logs Configurations The following example shows how to configure the local logs on the switch. Save logs of levels 0 to 5 to the log buffer, and synchronize logs of levels 0 to 2 to the flash every 10 hours:
    Switch#configure
    Switch(config)#logging buffer...
  • Page 953 Configuring System Logs System Logs Configurations Step 2 logging host index idx host-ip level Configure a remote host to receive the switch’s system logs. The host is called Log Server. You can remotely monitor the settings and operation status of the switch through the log server.
  • Page 954: Configuration Example

    Make sure the switch and the PC can reach each other; configure a log server that complies with the syslog standard on the PC and set the PC as the log server. Demonstrated with T1600G-52TS, this chapter provides configuration procedures in two ways: using the GUI and using the CLI.
  • Page 955: Using The Cli

    Configuring System Logs Configuration Example Using the CLI Configure the remote log host.
    Switch#configure
    Switch(config)# logging host index 1 1.1.0.1 5
    Switch(config)#end
    Switch#copy running-config startup-config
    Verify the Configurations
    Switch# show logging loghost
    Index Host-IP Severity Status
    ----- ------- -------- ------
          1.1.0.1          enable
          0.0.0.0...
  • Page 956: Appendix: Default Parameters

    Configuring System Logs Appendix: Default Parameters Appendix: Default Parameters Default settings of maintenance are listed in the following tables.
    Table 4-1 Default Settings of Local Logs
    Parameter                    Default Setting
    Status of Log Buffer         Enabled
    Severity of Log Buffer       Level_6
    Sync-Periodic of Log Buffer  Immediately
    Status of Log File           Disabled...
  • Page 957 We, TP-Link USA Corporation, have determined that the equipment shown as above has been shown to comply with the applicable technical standards, FCC part 15. No unauthorized change is made in the equipment, and the equipment is properly maintained and operated.
  • Page 958 EU declaration of conformity TP-Link hereby declares that the device is in compliance with the essential requirements and other relevant provisions of directives 2014/30/EU, 2014/35/EU, 2009/125/EC, 2011/65/EU and (EU)2015/863. The original EU declaration of conformity may be found at https://www.tp-link.com/en/ce...
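  • Page 959 Declaration of the Presence Condition of the Restricted Substances Marking Restricted substances and their chemical symbols Product component name Lead Cadmium Mercury Hexavalent chromium Polybrominated biphenyls Polybrominated diphenyl ethers CrVI PBDE ○ ○ ○ ○ ○ ○ Enclosure ○ ○ ○ ○ ○ ○ Power supply board — ○ ○ ○ ○ ○ Notes 1. "Exceeding 0.1 wt %" and "exceeding 0.01 wt %" mean that the percentage content of the restricted substance exceeds the reference percentage value....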
  • Page 960 Explanation of the symbols on the product label Symbol Explanation AC voltage Indoor use only RECYCLING This product bears the selective sorting symbol for Waste electrical and electronic equipment (WEEE). This means that this product must be handled pursuant to European directive 2012/19/EU in order to be recycled or dismantled to minimize its impact on the environment.
  • Page 961 Specifications are subject to change without notice. is a registered trademark of TP-Link Technologies Co., Ltd. Other brands and product names are trademarks or registered trademarks of their respective holders. No part of the specifications may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from TP-Link Technologies Co., Ltd.
