TP-Link T1500 Series User Manual

User Guide
T1500 Series Switches
T1500G-8T(TL-SG2008) / T1500G-10PS (TL-SG2210P)
T1500G-10MPS 2.0 / T1500-28PCT (TL-SL2428P)
1910012393 REV3.0.0
April 2018


Summary of Contents for TP-Link T1500 Series

  • Page 2: Table Of Contents

    CONTENTS: About This Guide; Intended Readers; Conventions; More Information; Accessing the Switch; Overview; Web Interface Access; Login; Save Config Function; Disable the Web Server; Change the Switch's IP Address and Default Gateway; Command Line Interface Access...
  • Page 3 Viewing the System Summary; Configuring the Device Description; Configuring the System Time; Configuring the Daylight Saving Time; Configuring the System IP; Configuring System IPv6 Parameters; User Management Configurations; Using the GUI; Creating Accounts; Configuring Enable Password; Using the CLI...
  • Page 4 Using the GUI; Using the CLI; Time Range Configuration; Using the GUI; Adding Time Range Entries; Configuring Holiday; Using the CLI; Adding Time Range Entries; Configuring Holiday; Example for PoE Configurations; Network Requirements; Configuring Scheme; Using the GUI...
  • Page 5 Configuration Scheme; Using the GUI; Using the CLI; Appendix: Default Parameters; Configuring LAG; LAG; Overview; Supported Features; LAG Configuration; Using the GUI; Configuring Load-balancing Algorithm; Configuring Static LAG or LACP; Using the CLI; Configuring Load-balancing Algorithm; Configuring Static LAG or LACP...
  • Page 6 Appendix: Default Parameters; Configuring 802.1Q VLAN; Overview; 802.1Q VLAN Configuration; Using the GUI; Configuring the PVID of the Port; Configuring the VLAN; Using the CLI; Creating a VLAN; Configuring the Port; Adding the Port to the Specified VLAN; Configuration Example; Network Requirements...
  • Page 7 Configuring Protocol VLAN; Overview; Protocol VLAN Configuration; Using the GUI; Configuring 802.1Q VLAN; Creating Protocol Template; Configuring Protocol VLAN; Using the CLI; Configuring 802.1Q VLAN; Creating a Protocol Template; Configuring Protocol VLAN; Configuration Example; Network Requirements; Configuration Scheme...
  • Page 8 Configuring IGMP Snooping for VLANs; Configuring IGMP Snooping for Ports; Configuring Hosts to Statically Join a Group; Using the CLI; Configuring IGMP Snooping Globally; Configuring IGMP Snooping for VLANs; Configuring IGMP Snooping for Ports; Configuring Hosts to Statically Join a Group; MLD Snooping Configuration; Using the GUI...
  • Page 9 Using the GUI; Viewing IPv4 Multicast Table; Viewing IPv4 Multicast Statistics on Each Port; Viewing IPv6 Multicast Table; Viewing IPv6 Multicast Statistics on Each Port; Using the CLI; Viewing IPv4 Multicast Snooping Information; Viewing IPv6 Multicast Snooping Configurations; Configuration Examples; Example for Configuring Basic IGMP Snooping...
  • Page 10 Configuring Spanning Tree; Spanning Tree; Overview; Basic Concepts; STP/RSTP Concepts; MSTP Concepts; STP Security; STP/RSTP Configurations; Using the GUI; Configuring STP/RSTP Parameters on Ports; Configuring STP/RSTP Globally; Verifying the STP/RSTP Configurations; Using the CLI; Configuring STP/RSTP Parameters on Ports; Configuring Global STP/RSTP Parameters...
  • Page 11 Configuring LLDP; LLDP; Overview; Supported Features; LLDP Configurations; Using the GUI; Configuring LLDP Globally; Configuring LLDP For the Port; Using the CLI; Global Config; Port Config; LLDP-MED Configurations; Using the GUI; Configuring LLDP Globally; Configuring LLDP-MED Globally; Configuring LLDP-MED for Ports...
  • Page 12 Overview; Supported Features; DHCP Relay Configuration; Using the GUI; Enabling DHCP Relay and Configuring Option 82; Configuring DHCP VLAN Relay; Using the CLI; Enabling DHCP Relay; (Optional) Configuring Option 82; Configuring DHCP VLAN Relay; DHCP L2 Relay Configuration; Using the GUI; Enabling DHCP L2 Relay...
  • Page 13 Configuring DSCP Priority; Specifying the Scheduler Settings; Bandwidth Control Configuration; Using the GUI; Configuring Rate Limit; Configuring Storm Control; Using the CLI; Configuring Rate Limit; Configuring Storm Control; Voice VLAN Configuration; Using the GUI; Configuring OUI Addresses; Configuring Voice VLAN Globally...
  • Page 14 Configuring Access Security; Access Security; Overview; Supported Features; Access Security Configurations; Using the GUI; Configuring the Access Control Feature; Configuring the HTTP Function; Configuring the HTTPS Function; Configuring the SSH Feature; Configuring the Telnet Function; Using the CLI; Configuring the Access Control...
  • Page 15 Using the GUI; Using the CLI; Appendix: Default Parameters; Configuring 802.1x; Overview; 802.1x Configuration; Using the GUI; Configuring the RADIUS Server; Configuring 802.1x Globally; Configuring 802.1x on Ports; View the Authenticator State; Using the CLI; Configuring the RADIUS Server; Configuring 802.1x Globally...
  • Page 16 Creating an ACL; Configuring ACL Rules; Configuring MAC ACL Rule; Configuring IP ACL Rule; Configuring Combined ACL Rule; Configuring the IPv6 ACL Rule; Configuring ACL Binding; Using the CLI; Configuring Time Range; Configuring ACL; Configuring Policy; Configuring ACL Binding...
  • Page 17 Enabling ARP Detection; Configuring ARP Detection on Ports; Viewing ARP Statistics; Using the CLI; Adding IP-MAC Binding Entries; Enabling ARP Detection; Configuring ARP Detection on Ports; Viewing ARP Statistics; IPv4 Source Guard Configuration; Using the GUI; Adding IP-MAC Binding Entries; Configuring IPv4 Source Guard...
  • Page 18 Viewing the Binding Entries; Using the CLI; Binding Entries Manually; Binding Entries via ND Snooping; Binding Entries via DHCPv6 Snooping; Viewing Binding Entries; ND Detection Configuration; Using the GUI; Adding IPv6-MAC Binding Entries; Enabling ND Detection; Configuring ND Detection on Ports; Viewing ND Statistics...
  • Page 19 Configuring DHCP Filter; DHCP Filter; Overview; Supported Features; DHCPv4 Filter Configuration; Using the GUI; Configuring the Basic DHCPv4 Filter Parameters; Configuring Legal DHCPv4 Servers; Using the CLI; Configuring the Basic DHCPv4 Filter Parameters; Configuring Legal DHCPv4 Servers; DHCPv6 Filter Configuration; Using the GUI...
  • Page 20 Monitoring the System; Overview; Monitoring the CPU; Using the GUI; Using the CLI; Monitoring the Memory; Using the GUI; Using the CLI; Monitoring Traffic; Traffic Monitor; Using the GUI; Using the CLI; Appendix: Default Parameters; Mirroring Traffic; Mirroring...
  • Page 21 SNMP Configurations; Using the GUI; Enabling SNMP; Creating an SNMP View; Creating SNMP Communities (For SNMP v1/v2c); Creating an SNMP Group (For SNMP v3); Creating SNMP Users (For SNMP v3); Using the CLI; Enabling SNMP; Creating an SNMP View; Creating SNMP Communities (For SNMP v1/v2c); Creating an SNMP Group (For SNMPv3)...
  • Page 22 Diagnosing the Device & Network; Diagnosing the Device; Using the GUI; Using the CLI; Diagnosing the Network; Using the GUI; Troubleshooting with Ping Testing; Troubleshooting with Tracert Testing; Using the CLI; Configuring the Ping Test; Configuring the Tracert Test; Appendix: Default Parameters; Configuring System Logs...
  • Page 23: About This Guide

    About This Guide
    This Configuration Guide provides information for managing T1500 Series Switches. Please read this guide carefully before operation.
    Intended Readers
    This Guide is intended for network managers familiar with IT concepts and network terminologies.
  • Page 24: More Information

      • The Installation Guide (IG) can be found where you find this guide or inside the package of the switch.
      • Specifications can be found on the product page at https://www.tp-link.com.
      • A Technical Support Forum is provided for you to discuss our products at http://forum.tp-link.com.
  • Page 25: Accessing The Switch

    Part 1: Accessing the Switch
    CHAPTERS
    1. Overview
    2. Web Interface Access
    3. Command Line Interface Access...
  • Page 26: Overview

    Overview
    You can access and manage the switch using the GUI (Graphical User Interface, also called web interface in this text) or using the CLI (Command Line Interface). There are equivalent functions in the web interface and the command line interface, while web configuration is easier and more visual than the CLI configuration.
  • Page 27: Web Interface Access

    Web Interface Access
    You can access the switch’s web interface through web-based authentication. The switch uses two built-in web servers, an HTTP server and an HTTPS server, for user authentication. The following example shows how to log in via the HTTP server.
    Login
    To manage your switch through a web browser in the host PC:
    1) Make sure that the route between the host PC and the switch is available.
  • Page 28: Save Config Function

    Figure 2-3 Web interface
    2.2 Save Config Function
    The switch’s configuration files fall into two types: the running configuration file and the start-up configuration file. After you perform configurations on the sub-interfaces and click Apply, the modifications will be saved in the running configuration file.
  • Page 29: Disable The Web Server

    Disable the Web Server
    You can shut down the HTTP server or HTTPS server to block any access to the web interface.
    Go to SECURITY > Access Security > HTTP Config, disable the HTTP server and click Apply.
    Figure 2-5 Shut down HTTP server
    Go to SECURITY >...
  • Page 30 Figure 2-7 Change the switch's IP address and default gateway
    2) Enter the new IP address in the web browser to access the switch.
    3) Click to save the settings.
  • Page 31: Command Line Interface Access

    Command Line Interface Access
    Users can access the switch's command line interface through the console (only for switches with a console port), Telnet or SSH connection, and manage the switch with the command lines. A console connection requires the host PC to connect to the switch’s console port directly, while Telnet and SSH connections support both local and remote access.
  • Page 32 Figure 3-1 CLI Main Window
    4) Enter enable to enter the User EXEC Mode to further configure the switch.
    Figure 3-2 User EXEC Mode
    Note: In Windows XP, go to Start > All Programs > Accessories > Communications > Hyper Terminal to open the Hyper Terminal and configure the above settings to log in to the switch.
  • Page 33: Telnet Login

    Telnet Login
    The switch supports Login Local Mode for authentication by default.
    Login Local Mode: Username and password are required, which are both admin by default.
    The following steps show how to manage the switch via the Login Local Mode:
    1) Make sure the switch and the PC are in the same LAN (Local Area Network).
  • Page 34: Ssh Login

    Figure 3-6 Enter Privileged EXEC Mode
    Now you can manage your switch with CLI commands through Telnet connection.
    3.3 SSH Login
    SSH login supports the following two modes: Password Authentication Mode and Key Authentication Mode. You can choose one according to your needs:
      • Password Authentication Mode: Username and password are required, which are both admin by default.
  • Page 35 Figure 3-8 Configurations in PuTTY
    2) Enter the login username and password to log in to the switch, and you can continue to configure the switch.
    Figure 3-9 Log In to the Switch
    Key Authentication Mode
    1) Open the PuTTY Key Generator.
  • Page 36 Figure 3-10 Generate a Public/Private Key Pair
    Note:
      • The key length should be between 512 and 3072 bits.
      • You can accelerate the key generation process by moving the mouse quickly and randomly in...
  • Page 37 3) On Hyper Terminal, download the public key file from the TFTP server to the switch as shown in the following figure:
    Figure 3-12 Download the Public Key to the Switch
    Note: The key type should accord with the type of the key file. In the above CLI, v1 corresponds to...
  • Page 38: Disable Telnet Login

    Figure 3-14 Download the Private Key to PuTTY
    6) After negotiation is completed, enter the username to log in. If you can log in without entering the password, the key authentication has completed successfully.
    Figure 3-15 Log In to the Switch
    3.4 Disable Telnet Login
    You can shut down the Telnet function to block any Telnet access to the CLI interface.
  • Page 39: Disable Ssh Login

    Switch(config)#telnet disable
    Disable SSH Login
    You can shut down the SSH server to block any SSH access to the CLI interface.
      • Using the GUI: Go to SECURITY > Access Security > SSH Config, disable the SSH server and click Apply.
    Figure 3-17 Shut down SSH server
      • Using the CLI:
    Switch#configure...
  • Page 40 switch. Only the computers in the management VLAN can access the management interface of the switch. By default, VLAN 1 owning all the ports is the management VLAN and you can access the switch via any port. By default, the system IP address is 192.168.0.1, and the switch has no default gateway.
  • Page 41: Managing System

    Part 2: Managing System
    CHAPTERS
    1. System
    2. System Info Configurations
    3. User Management Configurations
    4. System Tools Configurations
    5. EEE Configuration
    6. PoE Configurations
    7. SDM Template Configuration
    8. Time Range Configuration
    9. Example for PoE Configurations
    10. Appendix: Default Parameters...
  • Page 42: System

    System
    1.1 Overview
    In the System module, you can view the system information and configure the system parameters and features of the switch.
    1.2 Supported Features
    System Info
    You can view the switch’s port status and system information, and configure the device description, system time, daylight saving time, and system IP/IPv6 (Only for T1500/T1500G Series Switches).
  • Page 43 Powered device (PD) is a device receiving power from the PSE, for example, IP phones and access points. According to whether PDs comply with the IEEE standard, they can be classified into standard PDs and non-standard PDs. Only standard PDs can be powered via TP-Link PoE switches.
  • Page 44: System Info Configurations

    System Info Configurations
    With system information configurations, you can:
      • View the System Summary
      • Configure the Device Description
      • Configure the System Time
      • Configure the Daylight Saving Time
      • Configure the System IP (Only for T1500&T1500G Series Switches)
      • Configure the System IPv6 (Only for T1500&T1500G Series Switches)
    2.1 Using the GUI
    2.1.1 Viewing the System Summary...
  • Page 45 Indicates that the corresponding SFP port is not connected to a device.
    Indicates the SFP port is at the speed of 1000Mbps.
    Indicates the SFP port is at the speed of 100Mbps.
    You can move your cursor to a port to view the detailed information of the port.
    Figure 2-2 Port Information
    Port Information Indication...
  • Page 46 Figure 2-3 Bandwidth Utilization
    Displays the bandwidth utilization of receiving packets on this port.
    Displays the bandwidth utilization of sending packets on this port.
    Viewing the System Information
    In the System Info section, you can view the system information of the switch.
  • Page 47 Figure 2-4 System Information
    System Description: Displays the system description of the switch.
    Device Name: Displays the name of the switch. You can edit it on the Device Description page.
    Device Location: Displays the location of the switch. You can edit it on the Device Description page.
    Contact: Displays the contact information of the switch.
  • Page 48: Configuring The Device Description

    Running Time: Displays the running time of the switch.
    Serial Number: Displays the serial number of the switch.
    Jumbo Frame: Displays whether Jumbo Frame is enabled. You can click Settings to jump to the Jumbo Frame configuration page.
    SNTP: Displays whether the switch gets system time from NTP Server.
  • Page 49: Configuring The System Time

    Device Location: Enter the location of the switch.
    System Contact: Enter the contact information.
    2) Click Apply.
    2.1.3 Configuring the System Time
    Choose the menu SYSTEM > System Info > System Time to load the following page.
    Figure 2-6 Configuring the System Time
    In the Time Info section, you can view the current time information of the switch.
  • Page 50: Configuring The Daylight Saving Time

    Get Time from NTP Server: Get the system time from an NTP server. Make sure the NTP server is accessible on your network. If the NTP server is on the internet, connect the switch to the internet first.
  • Page 51: Configuring The System Ip

    Recurring Mode: If you select Recurring Mode, specify a cycle time range for the Daylight Saving Time of the switch. This configuration will be used every year.
      Offset: Specify the time to set the clock forward by.
      Start Time: Specify the start time of Daylight Saving Time.
  • Page 52: Configuring The System Ipv6

    IP Address Mode: Specify the IP address assignment mode of the interface.
      Static: Assign an IP address to the management interface.
      DHCP: Assign an IP address to the management interface through the DHCP server.
      BOOTP: Assign an IP address to the management interface through the BOOTP server.
  • Page 53 Management VLAN ID: Displays the Management VLAN ID. Only the computers in the management VLAN can access the management interface of the switch. By default, VLAN 1 owning all the ports is the management VLAN and you can access the switch via any port.
    IPv6 Enable: Enable the IPv6 feature of the management interface.
  • Page 54 Address Format: Select the global address format according to your needs.
      EUI-64: Indicates that you only need to specify an address prefix, then the system will create a global address automatically.
      Not EUI-64: Indicates that you have to specify an intact global address.
    Global Address: When EUI-64 is selected, please input the address prefix here, otherwise, please input an intact IPv6 address here.
  • Page 55: Using The Cli

    Status: Displays the status of the link-local address. An IPv6 address cannot be used before it passes DAD (Duplicate Address Detection), which is used to detect address conflicts. In the DAD process, the IPv6 address may be in one of three statuses:
      Normal: Indicates that the global address passes the DAD and can be normally used.
  • Page 56: Configuring The Device Description

    System Location - SHENZHEN
    Contact Information - www.tp-link.com
    Hardware Version T1500-28PCT
    Software Version - 3.0.0 Build 20171129 Rel.38400(s)
    Bootloader Version - TP-LINK BOOTUTIL(v1.0.0)
    Mac Address - 00-0A-EB-13-23-A0
    Serial Number
    System Time - 2017-12-12 11:23:32
    Running Time - 1 day - 2 hour - 33 min - 42 sec
    2.2.2 Configuring the Device Description...
  • Page 57: Configuring The System Time

    The following example shows how to set the device name as Switch_A, set the location as BEIJING and set the contact information as http://www.tp-link.com.
    Switch#configure
    Switch(config)#hostname Switch_A
    Switch(config)#location BEIJING
    Switch(config)#contact-info http://www.tp-link.com
    Switch(config)#show system-info
    System Description - JetStream 24-Port Gigabit L2 Managed Switch with 4 SFP Slots...
  • Page 58 Step 2 Use the following command to set the system time manually:
    system-time manual time
    Configure the system time manually.
    time: Specify the date and time manually in the format of MM/DD/YYYY-HH:MM:SS. The valid time value of the year ranges from 2000 to 2037.
  • Page 59 UTC+05:30 —— TimeZone for Chennai, Kolkata, Mumbai, New Delhi.
    UTC+05:45 —— TimeZone for Kathmandu.
    UTC+06:00 —— TimeZone for Dhaka, Astana, Ekaterinburg.
    UTC+06:30 —— TimeZone for Yangon (Rangoon).
    UTC+07:00 —— TimeZone for Novosibirsk, Bangkok, Hanoi, Jakarta.
    UTC+08:00 —— TimeZone for Beijing, Chongqing, Hong Kong, Urumqi, Singapore.
    UTC+09:00 ——...
  • Page 60: Configuring The Daylight Saving Time

    Update Rate: 11 hour(s)
    Switch(config)#end
    Switch#copy running-config startup-config
    2.2.4 Configuring the Daylight Saving Time
    Follow these steps to configure the Daylight Saving Time:
    Step 1 configure
    Enter global configuration mode.
    Step 2 Use the following command to select a predefined Daylight Saving Time configuration:
    system-time dst predefined [ USA | Australia | Europe | New-Zealand ]
    Specify the Daylight Saving Time using a predefined schedule.
  • Page 61 Use the following command to set the Daylight Saving Time in date mode:
    system-time dst date { smonth } { sday } { stime } { syear } { emonth } { eday } { etime } { eyear } [ offset ]
    Specify the Daylight Saving Time in Date mode.
  • Page 62: Configuring The System Ip

    2.2.5 Configuring the System IP
    Follow these steps to configure the System IP parameters.
    Step 1 configure
    Enter global configuration mode.
    Step 2 ip management-vlan { vlan-id }
    Configure the management VLAN of the switch. Only the computers in the management VLAN can access the management interface of the switch.
  • Page 63: Configuring System Ipv6 Parameters

    The connection will be interrupted and you should telnet to the switch's new IP address 192.168.0.10.
    C:\Users\Administrator>telnet 192.168.0.10
    User:admin
    Password:admin
    Switch>enable
    Switch#show interface vlan 1
    Switch#copy running-config startup-config
    2.2.6 Configuring System IPv6 Parameters
    Follow these steps to configure the system IPv6 parameters.
    Step 1 configure
    Enter global configuration mode.
  • Page 64 Step 6 Configure the IPv6 global address for the management interface:
    Automatically configure the interface’s global IPv6 address via RA message:
    ipv6 address ra
    Configure the interface’s global IPv6 address according to the address prefix and other configuration parameters from its received RA (Router Advertisement) message.
  • Page 65 Managing System System Info Configurations ICMP error messages limited to one every 1000 milliseconds ICMP redirects are enable MTU is 1500 bytes ND DAD is enable, number of DAD attempts: 1 ND retrans timer is 1000 milliseconds ND reachable time is 30000 milliseconds Switch(config-if)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 66: User Management Configurations

    Managing System User Management Configurations User Management Configurations With User Management, you can create and manage the user accounts for login to the switch. 3.1 Using the GUI There are four types of user accounts with different access levels: Admin, Operator, Power User and User.
  • Page 67: Configuring Enable Password

    Managing System User Management Configurations Figure 3-2 Adding Account Follow these steps to create a new user account. 1) Configure the following parameters: Username Specify a username for the account. It contains 16 characters at most, composed of digits, English letters and underscore only. Access Level Select the access level.
  • Page 68: Using The Cli

    Managing System User Management Configurations Follow these steps to configure Enable Password: 1) Select Set Password and specify the Enable Password in the Password field. 2) Click Apply. Tips: The logged-in users can enter the Enable Password on this page to get the administrative privileges.
  • Page 69 Managing System User Management Configurations Step 2 Use the following command to create an account unencrypted or symmetric encrypted. user name name { privilege admin | operator | power_user | user } password { [ 0 ] password | 7 encrypted-password } : Enter a user name for users’...
  • Page 70: Configuring Enable Password

    Managing System User Management Configurations Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. 3.2.2 Configuring Enable Password Follow these steps to create an account of other type: Step 1 configure Enter global configuration mode.
  • Page 71 Managing System User Management Configurations Step 3 Use the following command to create an enable password unencrypted or symmetric encrypted. enable admin password { [ 0 ] password | 7 encrypted-password } Create an Enable Password. It can change the users’ access level to Admin. By default, it is empty.
  • Page 72 Managing System User Management Configurations The following example shows how to create a user with the access level of Operator, set the username as user1 and password as 123, enable AAA function and set the enable password as abc123. Switch#configure Switch(config)#user name user1 privilege operator password 123 Switch(config)#aaa enable Switch(config)#enable admin password abc123...
  • Page 73: System Tools Configurations

    Managing System System Tools Configurations System Tools Configurations With System Tools, you can: • Configure the boot file • Restore the configuration of the switch • Back up the configuration file • Upgrade the firmware • Reboot the switch • Reset the switch Using the GUI 4.1.1 Configuring the Boot File Choose the menu SYSTEM >...
  • Page 74: Restoring The Configuration Of The Switch

    Managing System System Tools Configurations Follow these steps to configure the boot file: 1) In the Boot Table section, select one or more units and configure the relevant parameters. Unit Displays the number of the unit. Current Startup Displays the current startup image. Image Next Startup Select the next startup image.
  • Page 75: Backing Up The Configuration File

    Managing System System Tools Configurations Figure 4-2 Restoring the Configuration of the Switch Follow these steps to restore the current configuration of the switch: 1) In the Restore Config section, select the unit to be restored. 2) Click Browse and select the desired configuration file to be imported. 3) Choose whether to reboot the switch after restoring is completed.
  • Page 76: Upgrading The Firmware

    Managing System System Tools Configurations 4.1.4 Upgrading the Firmware Choose the menu SYSTEM > System Tools > Firmware Upgrade to load the following page. Figure 4-4 Upgrading the Firmware You can view the current firmware information on this page: Firmware Version Displays the current firmware version of the system.
  • Page 77: Rebooting The Switch

    Managing System System Tools Configurations 4.1.5 Rebooting the switch There are two methods to reboot the switch: manually reboot the switch and configure reboot schedule to automatically reboot the switch. Manually Rebooting the Switch Choose the menu SYSTEM > System Tools > System Reboot > System Reboot to load the following page.
  • Page 78: Resetting The Switch

    Managing System System Tools Configurations Special Time Specify the date and time for the switch to reboot. Month/Day/Year: Specify the date for the switch to reboot. Time (HH:MM): Specify the time for the switch to reboot, in the format of HH:MM. 2) Choose whether to save the current configuration before the reboot.
  • Page 79: Restoring The Configuration Of The Switch

    Managing System System Tools Configurations Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set the next startup image as image1, the backup image as image2, the next startup configuration file as config1 and the backup configuration file as config2.
  • Page 80: Backing Up The Configuration File

    Managing System System Tools Configurations Note: It will take some time to restore the configuration. Please wait without any operation. The following example shows how to restore the configuration file named file1 from the TFTP server with IP address 192.168.0.100. Switch>enable Switch#copy tftp startup-config ip-address 192.168.0.100 filename file1 Start to load user config file..
  • Page 81: Rebooting The Switch

    Managing System System Tools Configurations Step 2 firmware upgrade ip-address ip-addr filename name Upgrade the switch’s backup image via TFTP server. To boot up with the new firmware, you need to choose to reboot the switch with the backup image. : Specify the IP address of the TFTP server.
  • Page 82 Managing System System Tools Configurations Step 2 Use the following command to set the interval of reboot: reboot-schedule in interval [ save_before_reboot ] (Optional) Specify the reboot schedule. : Specify a period of time. The switch will reboot after this period. The valid values are interval from 1 to 43200 minutes.
  • Page 83: Resetting The Switch

    Managing System System Tools Configurations 4.2.6 Resetting the Switch Follow these steps to reset the switch: Step 1 enable Enter privileged mode. Step 2 reset Reset the switch, and all configurations of the switch will be reset to the factory defaults. Configuration Guide...
  • Page 84: Eee Configuration

    Managing System EEE Configuration EEE Configuration Choose the menu SYSTEM > EEE to load the following page. Figure 5-1 Configuring EEE Follow these steps to configure EEE: 1) In the EEE Config section, select one or more ports to be configured. 2) Enable or disable EEE on the selected port(s).
  • Page 85 Managing System EEE Configuration Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable the EEE feature on port 1/0/1. Switch#config Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#eee Switch(config-if)#show interface eee Port...
  • Page 86: Poe Configurations

    Managing System PoE Configurations PoE Configurations Note: Only T1500-28PCT, T1500G-10MPS and T1500G-10PS support the PoE feature. With the PoE feature, you can: • Configure the PoE parameters manually • Configure the PoE parameters using the profile You can configure the PoE parameters one by one via configuring the PoE parameters manually.
  • Page 87: Using The Gui

    Managing System PoE Configurations Using the GUI 6.1.1 Configuring the PoE Parameters Manually Choose the menu SYSTEM > PoE > PoE Config to load the following page. Figure 6-1 Configuring PoE Parameters Manually Follow these steps to configure the basic PoE parameters: 1) In the PoE Config section, you can view the current PoE parameters.
  • Page 88 Managing System PoE Configurations Figure 6-2 Configuring System Power Limit Unit Displays the unit number. System Power Specify the maximum power the PoE switch can supply. Limit 2) In the Port Config section, select the port you want to configure and specify the parameters.
  • Page 89 Managing System PoE Configurations PoE Profile A quick configuration method for the corresponding ports. If one profile is selected, you will not be able to modify PoE status, PoE priority or power limit manually. For how to create a profile, refer to Configuring the PoE Parameters Using the Profile.
  • Page 90: Configuring The Poe Parameters Using The Profile

    Managing System PoE Configurations 6.1.2 Configuring the PoE Parameters Using the Profile • Creating a PoE Profile Choose the menu SYSTEM > PoE > PoE Profile and click to load the following page. Figure 6-3 Creating a PoE Profile Follow these steps to create a PoE profile: 1) In the Create PoE Profile section, specify the desired configurations of the profile.
  • Page 91 Managing System PoE Configurations • Binding the Profile to the Corresponding Ports Choose the menu SYSTEM > PoE > PoE Config to load the following page. Figure 6-4 Binding the Profile to the Corresponding Ports Follow these steps to bind the profile to the corresponding ports: 1) In the PoE Config section, you can view the current PoE parameters.
  • Page 92 Managing System PoE Configurations Figure 6-5 Configuring System Power Limit Unit Displays the unit number. System Power Specify the maximum power the PoE switch can supply. Limit 2) In the Port Config section, select one or more ports and configure the following two parameters: Time Range and PoE Profile.
  • Page 93: Using The Cli

    Managing System PoE Configurations Using the CLI 6.2.1 Configuring the PoE Parameters Manually Follow these steps to configure the basic PoE parameters: Step 1 configure Enter global configuration mode. Step 2 power inline consumption power-limit Specify the maximum power the PoE switch can supply globally. : Specify the maximum power the PoE switch can supply.
  • Page 94 Managing System PoE Configurations Step 9 show power inline configuration interface [ fastEthernet { port | port-list } | gigabitEthernet { port | port-list } | ten-gigabitEthernet { port | port-list }] Verify the PoE configuration of the corresponding port. : Specify the Ethernet port number, for example 1/0/1.
  • Page 95: Configuring The Poe Parameters Using The Profile

    Managing System PoE Configurations Interface Power(w) Current(mA) Voltage(v) PD-Class Power-Status ---------- -------- ----------- ---------- ----------- ---------------- Gi1/0/5 1.3 53.5 Class 2 Switch(config-if)#end Switch#copy running-config startup-config 6.2.2 Configuring the PoE Parameters Using the Profile Follow these steps to configure the PoE profile: Step 1 configure Enter global configuration mode.
  • Page 96 Managing System PoE Configurations Step 5 power inline profile name Bind a PoE profile to the desired port. If one profile is selected, you will not be able to modify PoE status, PoE priority or power limit manually. : Specify the name of the PoE profile. If the name contains spaces, enclose the name in name double quotes.
  • Page 97 Managing System PoE Configurations Switch(config-if)#power inline profile profile1 Switch(config-if)#show power inline configuration interface gigabitEthernet 1/0/6 Interface PoE-Status PoE-Prio Power-Limit(w) Time-Range PoE-Profile ---------- ---------- ---------- ------------ ------------- ---------------- Gi1/0/6 Enable Middle Class2 No Limit profile1 Switch(config-if)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 98: Sdm Template Configuration

    Managing System SDM Template Configuration SDM Template Configuration 7.1 Using the GUI Choose the menu SYSTEM > SDM Template to load the following page. Figure 7-1 Configuring SDM Template In SDM Template Config section, select one template and click Apply. The setting will be effective after the switch is rebooted.
  • Page 99: Using The Cli

    Managing System SDM Template Configuration MAC ACL Rules Displays the number of Layer 2 ACL Rules. Combined ACL Displays the number of combined ACL rules. Rules IPv6 ACL Rules Displays the number of IPv6 ACL rules. IPv4 Source Displays the number of IPv4 source guard entries. Guard Entries IPv6 Source Displays the number of IPv6 source guard entries.
  • Page 100 Managing System SDM Template Configuration Switch(config)#show sdm prefer enterpriseV4 “enterpriseV4” template: number of IP ACL Rules : 120 number of MAC ACL Rules : 84 number of IPV6 ACL Rules number of IPV4 Source Guard Entries : 253 number of IPV6 Source Guard Entries : 0 Switch(config)#sdm prefer enterpriseV4 Switch to “enterpriseV4”...
  • Page 101: Time Range Configuration

    Managing System Time Range Configuration Time Range Configuration To complete Time Range configuration, follow these steps: 1) Add time range entries. 2) Configure Holiday time range. Using the GUI 8.1.1 Adding Time Range Entries Choose the menu SYSTEM > Time Range > Time Range Config and click to load the following page.
  • Page 102 Managing System Time Range Configuration Figure 8-2 Adding Period Time Configure the following parameters and click Create: Date Specify the start date and end date of this time range. Time Specify the start time and end time of a day. Day of Week Select days of a week as the period of this time range.
  • Page 103: Configuring Holiday

    Managing System Time Range Configuration Figure 8-3 View Configuration Result 8.1.2 Configuring Holiday Choose the menu SYSTEM > Time Range > Holiday Config and click to load the following page. Figure 8-1 Configuring Holiday Configure the following parameters and click Create to add a Holiday entry. Holiday Name Specify a name for the entry.
  • Page 104: Using The Cli

    Managing System Time Range Configuration 8.2 Using the CLI 8.2.1 Adding Time Range Entries Follow these steps to add time range entries: Step 1 configure Enter global configuration mode. Step 2 time-range name Create a time-range entry. : Specify a name for the entry. name Step 3 holiday { exclude | include }...
  • Page 105: Configuring Holiday

    Managing System Time Range Configuration The following example shows how to create a time range entry and set the name as time1, holiday mode as exclude, absolute time as 10/01/2017 to 10/31/2017 and periodic time as 8:00 to 20:00 on every Monday and Tuesday: Switch#config Switch(config)#time-range time1 Switch(config-time-range)#holiday exclude...
  • Page 106 Managing System Time Range Configuration Step 8 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create a holiday entry and set the entry name as holiday1 and set start date and end date as 07/01 and 09/01: Switch#config Switch(config)#holiday holiday1 start-date 07/01 end-date 09/01 Switch(config)#show holiday...
  • Page 107: Example For Poe Configurations

    Managing System Example for PoE Configurations Example for PoE Configurations Network Requirements The network topology of a company is shown below. Camera1 and Camera2 work for the security of the company and cannot be powered off at any time. AP1 and AP2 provide the internet service and work only during office hours.
  • Page 108 Managing System Example for PoE Configurations Figure 9-2 Creating Time Range 2) Click and the following window will pop up. Set Date, Time and Day of Week as the following figure shows. Click Create. Figure 9-3  Creating a Periodic Time 3) Specify a name for the time range. Click Create. Configuration Guide...
  • Page 109 Managing System Example for PoE Configurations Figure 9-4 Configuring Time Range 4) Choose the menu SYSTEM > PoE > PoE Config to load the following page. Select port 1/0/3 and set the Time Range as OfficeTime. Click Apply. Figure 9-5  Configure the Port 5) Click to save the settings.
  • Page 110: Using The Cli

    Managing System Example for PoE Configurations 9.4 Using the CLI The configuration of port 1/0/4 is similar to that of port 1/0/3. Here we take port 1/0/3 as an example. 1) Create a time-range. Switch_A#config Switch_A(config)#time-range office-time Switch_A(config-time-range)#holiday exclude Switch_A(config-time-range)#absolute from 01/01/2017 to 01/01/2018 Switch_A(config-time-range)#periodic start 08:30 end 18:00 day-of-the-week 1-5 Switch_A(config-time-range)#exit 2) Enable the PoE function on the port 1/0/3.
  • Page 111 Managing System Example for PoE Configurations Interface PoE-Status PoE-Prio Power-Limit(w) Time-Range PoE-Profile ---------- ---------- -------- -------------- ------------- ---------------- Gi1/0/3 Enable Class4 office-time None Configuration Guide...
  • Page 112: Appendix: Default Parameters

    Parameter Default Setting Device Name The model name of the switch. Device Location SHENZHEN System Contact www.tp-link.com Table 10-2 Default Settings of System Time Configuration Parameter Default Setting Time Source Manual Table 10-3 Default Settings of Daylight Saving Time Configuration...
  • Page 113: Port Config

    Managing System Appendix: Default Parameters Parameter Default Setting Backup Config config2.cfg Default settings of EEE are listed in the following table. Table 10-6 Default Settings of EEE Configuration Parameter Default Setting Status Disabled Default settings of PoE are listed in the following table. Table 10-7 Default Settings of PoE Configuration Parameter...
  • Page 114 Managing System Appendix: Default Parameters Default settings of Time Range are listed in the following table. Table 10-9 Default Settings of Time Range Configuration Parameter Default Setting Holiday Include Configuration Guide...
  • Page 115: Managing Physical Interfaces

    Part 3 Managing Physical Interfaces CHAPTERS 1. Physical Interface 2. Basic Parameters Configurations 3. Port Isolation Configurations 4. Loopback Detection Configuration 5. Configuration Examples 6. Appendix: Default Parameters...
  • Page 116: Physical Interface

    Managing Physical Interfaces Physical Interface Physical Interface 1.1 Overview Interfaces are used to exchange data and interact with interfaces of other network devices. Interfaces are classified into physical interfaces and layer 3 interfaces. • Physical interfaces are the ports on the switch panel. They forward packets based on MAC address table.
  • Page 117: Basic Parameters Configurations

    Managing Physical Interfaces Basic Parameters Configurations Basic Parameters Configurations Using the GUI Choose the menu L2 FEATURES > Switching > Port > Port Config to load the following page. Figure 2-1 Configuring Basic Parameters Follow these steps to configure basic parameters for the ports: 1) Configure the MTU size of jumbo frames for all ports, then click Apply.
  • Page 118: Using The Cli

    Managing Physical Interfaces Basic Parameters Configurations Description (Optional) Enter a description for the port. Status With this option enabled, the port forwards packets normally. Otherwise, the port cannot work. By default, it is enabled. Speed Select the appropriate speed mode for the port. When Auto is selected, the port automatically negotiates speed mode with the neighbor device.
  • Page 119 Managing Physical Interfaces Basic Parameters Configurations Step 4 Configure basic parameters for the port: description string Give a port description for identification. string : Content of a port description, ranging from 1 to 16 characters. shutdown no shutdown Use shutdown to disable the port, and use no shutdown to enable the port. When the status is enabled, the port can forward packets normally, otherwise it will discard the received packets.
  • Page 120 Managing Physical Interfaces Basic Parameters Configurations Switch(config-if)#description router connection Switch(config-if)#speed auto Switch(config-if)#duplex auto Switch(config-if)#flow-control Switch(config-if)#show interface configuration gigabitEthernet 1/0/1 Port State Speed Duplex FlowCtrl Jumbo Description -------- ----- -------- ------ -------- -------- ----------- Gi1/0/1 Enable Auto Auto Enable Disable router connection Switch(config-if)#show jumbo-size Global jumbo size : 9216 Switch(config-if)#end...
  • Page 121: Port Isolation Configurations

    Managing Physical Interfaces Port Isolation Configurations Port Isolation Configurations Using the GUI Port Isolation is used to limit the data transmitted by a port. The isolated port can only send packets to the ports specified in its Forwarding Port List. Choose the menu L2 FEATURES >...
  • Page 122: Using The Cli

    Managing Physical Interfaces Port Isolation Configurations Figure 3-2 Port Isolation Follow these steps to configure Port Isolation: 1) In the Port section, select one or multiple ports to be isolated. 2) In the Forwarding Port List section, select the forwarding ports or LAGs which the isolated ports can only communicate with.
  • Page 123 Managing Physical Interfaces Port Isolation Configurations Step 3 port isolation { [fa-forward-list fa-forward-list ] [gi-forward-list gi-forward-list ] [te-forward-list te-forward-list ] [ po-forward-list po-forward-list ] } Add ports or LAGs to the forwarding port list of the isolated port. It is multi-optional. : Specify the forwarding Ethernet ports.
  • Page 124: Loopback Detection Configuration

    Managing Physical Interfaces Loopback Detection Configuration Loopback Detection Configuration 4.1 Using the GUI To avoid broadcast storm, we recommend that you enable storm control before loopback detection is enabled. For detailed introductions about storm control, refer to Configuring QoS . Choose the menu L2 FEATURES >...
  • Page 125 Managing Physical Interfaces Loopback Detection Configuration Loopback Enable loopback detection globally. Detection Status Detection Set the interval of sending loopback detection packets in seconds. Interval The valid value ranges from 1 to 1000 and the default value is 30. Auto-recovery Set the recovery time globally.
  • Page 126: Using The Cli

    Managing Physical Interfaces Loopback Detection Configuration 4.2 Using the CLI Follow these steps to configure loopback detection: Step 1 configure Enter global configuration mode. Step 2 loopback-detection Enable the loopback detection feature globally. By default, it is disabled. Step 3 loopback-detection interval interval-time Set the interval of sending loopback detection packets which is used to detect the loops in the network.
  • Page 127 Managing Physical Interfaces Loopback Detection Configuration Step 10 show loopback-detection interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel } Verify the Loopback Detection configuration of the specified port. Step 11 Return to privileged EXEC mode. Step 12 copy running-config startup-config Save the settings in the configuration file.
  • Page 128: Configuration Examples

    Managing Physical Interfaces Configuration Examples Configuration Examples 5.1 Example for Port Isolation 5.1.1 Network Requirements As shown below, three hosts and a server are connected to the switch and all belong to VLAN 10. Without changing the VLAN configuration, Host A is not allowed to communicate with the other hosts except the server, even if the MAC address or IP address of Host A is changed.
  • Page 129 Managing Physical Interfaces Configuration Examples Figure 5-2 Port Isolation List 2) Click Edit on the above page to load the following page. Select port 1/0/1 as the port to be isolated, and select port 1/0/4 as the forwarding port. Click Apply. Figure 5-3 Port Isolation Configuration 3) Select port 1/0/4 as the port to be isolated, and select port 1/0/1 as the forwarding port.
  • Page 130: Using The Cli

    Managing Physical Interfaces Configuration Examples Figure 5-4 Port Isolation Configuration 4) Click to save the settings. 5.1.4 Using the CLI Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#port isolation gi-forward-list 1/0/4 Switch(config-if)#exit Switch(config)#interface gigabitEthernet 1/0/4 Switch(config-if)#port isolation gi-forward-list 1/0/1 Switch(config-if)#end Switch#copy running-config startup-config Verify the Configuration Switch#show port isolation interface Port Forward-List...
  • Page 131: Example For Loopback Detection

    Managing Physical Interfaces Configuration Examples Gi1/0/1 Gi1/0/4 Gi1/0/2 Gi1/0/1-28,Po1-14 Gi1/0/3 Gi1/0/1-28,Po1-14 Gi1/0/4 Gi1/0/1 ..Example for Loopback Detection 5.2.1 Network Requirements As shown below, Switch A is a convergence-layer switch connecting to several access-layer switches. Loops can be easily caused in case of misoperation on the access-layer switches.
  • Page 132: Using The Gui

    Managing Physical Interfaces Configuration Examples 5.2.3 Using the GUI 1) Choose the menu L2 FEATURES > Switching > Port > Loopback Detection to load the configuration page. 2) In the Loopback Detection section, enable loopback detection and web refresh globally. Keep the other parameters as default values and click Apply. Figure 5-6 Global Configuration 3) In the Port Config section, enable ports 1/0/1-3, select the operation mode as Port-Based so that the port will be blocked when a loop is detected, and keep the recovery...
  • Page 133: Using The Cli

    Managing Physical Interfaces Configuration Examples 5.2.4 Using the CLI 1) Enable loopback detection globally and configure the detection interval and recovery time. Switch#configure Switch(config)#loopback-detection Switch(config)#loopback-detection interval 30 Switch(config)#loopback-detection recovery-time 3 2) Enable loopback detection on ports 1/0/1-3 and set the process mode and recovery mode.
  • Page 134: Appendix: Default Parameters

    Managing Physical Interfaces Appendix: Default Parameters Appendix: Default Parameters Default settings of Switching are listed in the following tables. Table 6-1 Configurations for Ports Parameter Default Setting Port Config Jumbo 1518 bytes Copper (For RJ45 Ports) Type Fiber (For SFP Ports) Status Enabled Auto (For RJ45 Ports)
  • Page 135: Configuring Lag

    Part 4 Configuring LAG CHAPTERS 1. LAG 2. LAG Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 136: Lag

    Configuring LAG 1.1 Overview With LAG (Link Aggregation Group) function, you can aggregate multiple physical ports into a logical interface, increasing link bandwidth and providing backup ports to enhance the connection reliability. 1.2 Supported Features You can configure LAG in two ways: static LAG and LACP (Link Aggregation Control Protocol).
  • Page 137: Lag Configuration

    Configuring LAG LAG Configuration LAG Configuration To complete LAG configuration, follow these steps: 1) Configure the global load-balancing algorithm. 2) Configure Static LAG or LACP. Configuration Guidelines • Ensure that both ends of the aggregation link work in the same LAG mode. For example, if the local end works in LACP mode, the peer end should also be set as LACP mode.
  • Page 138: Using The Gui

    Configuring LAG LAG Configuration 2.1 Using the GUI 2.1.1 Configuring Load-balancing Algorithm Choose the menu L2 FEATURES > Switching > LAG > LAG Table to load the following page. Figure 2-1 Global Config In the Global Config section, select the load-balancing algorithm (Hash Algorithm), then click Apply.
  • Page 139: Configuring Static Lag Or Lacp

    Configuring LAG LAG Configuration as “SRC MAC” to allow Switch A to determine the forwarding port based on the source MAC addresses of the received packets. Figure 2-2 Hash Algorithm Configuration Switch A Switch B Hosts Server 2.1.2 Configuring Static LAG or LACP For one port, you can choose only one LAG mode: Static LAG or LACP.
  • Page 140 Configuring LAG LAG Configuration Note: Clearing all member ports will delete the LAG.  Configuring LACP Choose the menu L2 FEATURES > Switching > LAG > LACP to load the following page. Figure 2-4 LACP Config Follow these steps to configure LACP: 1) Specify the system priority for the switch and click Apply.
  • Page 141: Using The Cli

    Configuring LAG LAG Configuration Group ID Specify the group ID of the LAG. Note that the group ID of other static LAGs cannot be set as this value. The valid value of the Group ID is determined by the maximum number of LAGs supported by your switch.
  • Page 142: Configuring Static Lag Or Lacp

    Configuring LAG LAG Configuration Step 2 port-channel load-balance { src-mac | dst-mac | src-dst-mac | src-ip | dst-ip | src-dst-ip } Select the Hash Algorithm. The switch will choose the ports to transfer the packets based on the Hash Algorithm. In this way, different data flows are forwarded on different physical links to implement load balancing.
  • Page 143 Configuring LAG LAG Configuration • Configuring Static LAG Follow these steps to configure static LAG: Step 1 configure Enter global configuration mode. Step 2 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Enter interface configuration mode.
  • Page 144 Configuring LAG LAG Configuration • Configuring LACP Follow these steps to configure LACP: Step 1 configure Enter global configuration mode. Step 2 lacp system-priority pri Specify the system priority for the switch. To keep active ports consistent at both ends, you can set the priority of one device to be higher than that of the other device.
  • Page 145 Configuring LAG LAG Configuration Step 9 copy running-config startup-config Save the settings in the configuration file. The following example shows how to specify the system priority of the switch as 2: Switch#configure Switch(config)#lacp system-priority 2 Switch(config)#show lacp sys-id 2, 000a.eb13.2397 Switch(config)#end Switch#copy running-config startup-config The following example shows how to add ports 1/0/1-4 to LAG 6, set the mode as LACP,...
  • Page 146: Configuration Example

    Configuring LAG Configuration Example Configuration Example 3.1 Network Requirements As shown below, hosts and servers are connected to Switch A and Switch B, and heavy traffic is transmitted between the two switches. To achieve high speed and reliability of data transmission, users need to improve the bandwidth and redundancy of the link between the two switches.
  • Page 147: Using The Gui

    Configuring LAG Configuration Example Using the GUI The configurations of Switch A and Switch B are similar. The following introductions take Switch A as an example. 1) Choose the menu L2 FEATURES > Switching > LAG > LAG Table to load the following page.
  • Page 148: Using The Cli

    Configuring LAG Configuration Example 3.4 Using the CLI The configurations of Switch A and Switch B are similar. The following introductions take Switch A as an example. 1) Configure the load-balancing algorithm as “src-dst-mac”. Switch#configure Switch(config)#port-channel load-balance src-dst-mac 2) Specify the system priority of Switch A as 0. Remember to ensure that the system priority value of Switch B is bigger than 0.
  • Page 149 Configuring LAG Configuration Example 0, 000a.eb13.2397 Verify the LACP configuration: Switch#show lacp internal Flags: S - Device is requesting Slow LACPDUs F - Device is requesting Fast LACPDUs A - Device is in active mode P - Device is in passive mode Channel group 1 Port Flags State LACP Port Priority Admin Key Oper Key Port Number Port State...
  • Page 150: Appendix: Default Parameters

    Configuring LAG Appendix: Default Parameters Appendix: Default Parameters Default settings of Switching are listed in the following tables. Table 4-1 Default Settings of LAG Parameter Default Setting LAG Table Hash Algorithm SRC MAC+DST MAC LACP Config System Priority 32768 Admin Key Port Priority 32768 Mode...
  • Page 151: Managing Mac Address Table

    Part 5 Managing MAC Address Table CHAPTERS 1. MAC Address Table 2. MAC Address Configurations 3. Appendix: Default Parameters...
  • Page 152: Mac Address Table

    Managing MAC Address Table MAC Address Table MAC Address Table 1.1 Overview The MAC address table contains address information that the switch uses to forward packets. As shown below, the table lists map entries of MAC addresses, VLAN IDs and ports.
  • Page 153: Mac Address Configurations

    Managing MAC Address Table MAC Address Configurations MAC Address Configurations With the MAC address table, you can:
    • Add static MAC address entries
    • Change the MAC address aging time
    • Add filtering address entries
    • View address table entries
    Using the GUI 2.1.1 Adding Static MAC Address Entries You can add static MAC address entries by manually specifying the desired MAC address or binding dynamic MAC address entries.
  • Page 154 Managing MAC Address Table MAC Address Configurations MAC Address Enter the static MAC address to be added to the static MAC address entry. VLAN ID Specify an existing VLAN in which packets with the specific MAC address are received. Port Specify a port to which packets with the specific MAC address are forwarded.
  • Page 155: Modifying The Aging Time Of Dynamic Address Entries

    Managing MAC Address Table MAC Address Configurations Note:
    • In the same VLAN, once an address is configured as a static address, it cannot be set as a filtering address, and vice versa.
    • Multicast or broadcast addresses cannot be set as static addresses.
    •...
  • Page 156: Adding Mac Filtering Address Entries

    Managing MAC Address Table MAC Address Configurations 2.1.3 Adding MAC Filtering Address Entries Choose the menu L2 FEATURES > Switching > MAC Address > Filtering Address and click to load the following page. Figure 2-4 Adding MAC Filtering Address Entries Follow these steps to add MAC filtering address entries: 1) Enter the MAC Address and VLAN ID.
  • Page 157: Using The Cli

    Managing MAC Address Table MAC Address Configurations Choose the menu L2 FEATURES > Switching > MAC Address > Address Table and click to load the following page. Figure 2-5 Viewing Address Table Entries Using the CLI 2.2.1 Adding Static MAC Address Entries Follow these steps to add static MAC address entries: Step 1 configure...
  • Page 158: Modifying The Aging Time Of Dynamic Address Entries

    Managing MAC Address Table MAC Address Configurations Step 3 Return to privileged EXEC mode. Step 4 copy running-config startup-config Save the settings in the configuration file. Note: In the same VLAN, once an address is configured as a static address, it cannot be set as a filter- •...
  • Page 159: Adding Mac Filtering Address Entries

    Managing MAC Address Table MAC Address Configurations Step 2 mac address-table aging-time aging-time Set your desired length of address aging time for dynamic address entries. Set the length of time that a dynamic entry remains in the MAC address table after aging-time: the entry is used or updated.
  • Page 160 Managing MAC Address Table MAC Address Configurations Note:
    • In the same VLAN, once an address is configured as a filtering address, it cannot be set as a static address, and vice versa.
    • Multicast or broadcast addresses cannot be set as filtering addresses.
    •...
  • Page 161: Appendix: Default Parameters

    Managing MAC Address Table Appendix: Default Parameters Appendix: Default Parameters Default settings of the MAC Address Table are listed in the following tables. Table 3-1 Entries in the MAC Address Table Parameter Default Setting Static Address Entries None Dynamic Address Entries Auto-learning Filtering Address Entries None...
  • Page 162: Configuring 802.1Q Vlan

    Part 6 Configuring 802.1Q VLAN CHAPTERS 1. Overview 2. 802.1Q VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 163: Overview

    Configuring 802.1Q VLAN Overview Overview VLAN (Virtual Local Area Network) is a network technique that solves broadcasting issues in local area networks. It is usually applied in the following scenarios:
    • To restrict the broadcast domain: VLAN divides a large local area network into several VLANs, and the traffic of each VLAN remains within that VLAN.
  • Page 164: 802.1Q Vlan Configuration

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration 802.1Q VLAN Configuration To complete 802.1Q VLAN configuration, follow these steps: 1) Configure the port parameters; 2) Configure the VLAN, including creating a VLAN and adding the configured port to the VLAN. 2.1 Using the GUI 2.1.1 Configuring the PVID of the Port Choose the menu L2 FEATURES >...
  • Page 165 Configuring 802.1Q VLAN 802.1Q VLAN Configuration Ingress Checking Enable or disable Ingress Checking. With this function enabled, the port will accept the packet of which the VLAN ID is in the port’s VLAN list and discard others. With this function disabled, the port will forward the packet directly. Acceptable Frame Select the acceptable frame type for the port and the port will perform this Types...
  • Page 166: Configuring The Vlan

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration 2.1.2 Configuring the VLAN Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Figure 2-2 Configuring VLAN Follow these steps to configure VLAN: 1) Enter a VLAN ID and a description for identification to create a VLAN. VLAN ID Enter a VLAN ID for identification with the values between 2 and 4094.
  • Page 167: Using The Cli

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration Tagged port The selected ports will forward tagged packets in the target VLAN. 3) Click Apply. Using the CLI 2.2.1 Creating a VLAN Follow these steps to create a VLAN: Step 1 configure Enter global configuration mode. Step 2 vlan vlan-list When you enter a new VLAN ID, the switch creates a new VLAN and enters VLAN...
  • Page 168: Configuring The Port

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration
    VLAN Name Status Ports
    ------- -------- --------- ---------
    active
    Switch(config-vlan)#end
    Switch#copy running-config startup-config
    2.2.2 Configuring the Port Follow these steps to configure the port: Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode.
  • Page 169: Adding The Port To The Specified Vlan

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration
    Switch(config-if)#switchport check ingress
    Switch(config-if)#switchport acceptable frame all
    Switch(config-if)#show interface switchport gigabitEthernet 1/0/5
    Port Gi1/0/5:
    PVID: 2
    Acceptable frame type: All
    Ingress Checking: Enable
    Member in LAG: N/A
    Link Type: General
    Member in VLAN:
    Vlan Name Egress-rule
    ----...
  • Page 170 Configuring 802.1Q VLAN 802.1Q VLAN Configuration The following example shows how to add the port 1/0/5 to VLAN 2, and specify its egress rule as tagged:
    Switch#configure
    Switch(config)#interface gigabitEthernet 1/0/5
    Switch(config-if)#switchport general allowed vlan 2 tagged
    Switch(config-if)#show interface switchport gigabitEthernet 1/0/5
    Port Gi1/0/5:
    PVID: 2
    Acceptable frame type: All...
  • Page 171: Configuration Example

    Configuring 802.1Q VLAN Configuration Example Configuration Example Network Requirements
    • Offices of Department A and Department B in the company are located in different places, and some computers in different offices connect to the same switch.
    • It is required that computers can communicate with each other in the same department but not with computers in the other department.
  • Page 172: Network Topology

    Configuring 802.1Q VLAN Configuration Example Network Topology The figure below shows the network topology. Host A1 and Host A2 are in Department A, while Host B1 and Host B2 are in Department B. Switch 1 and Switch 2 are located in two different places.
  • Page 173 Configuring 802.1Q VLAN Configuration Example Figure 3-2 Creating VLAN 10 for Department A 2) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 20 with the description of Department_B.
  • Page 174 Configuring 802.1Q VLAN Configuration Example Figure 3-3 Creating VLAN 20 for Department B 3) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > Port Config to load the following page. Set the PVID of port 1/0/2 as 10 and click Apply. Set the PVID of port 1/0/3 as 20 and click Apply.
  • Page 175: Using The Cli

    Configuring 802.1Q VLAN Configuration Example Figure 3-4 Specifying the PVID for the ports 4) Click to save the settings. Using the CLI The configurations of Switch 1 and Switch 2 are similar. The following introductions take Switch 1 as an example. 1) Create VLAN 10 for Department A, and configure the description as Department-A.
  • Page 176 Configuring 802.1Q VLAN Configuration Example
    Switch_1(config)#interface fastEthernet 1/0/3
    Switch_1(config-if)#switchport general allowed vlan 20 untagged
    Switch_1(config-if)#exit
    Switch_1(config)#interface fastEthernet 1/0/4
    Switch_1(config-if)#switchport general allowed vlan 10 tagged
    Switch_1(config-if)#switchport general allowed vlan 20 tagged
    Switch_1(config-if)#exit
    3) Set the PVID of port 1/0/2 as 10, and set the PVID of port 1/0/3 as 20.
    Switch_1(config)#interface fastEthernet 1/0/2
    Switch_1(config-if)#switchport pvid 10
    Switch_1(config-if)#exit...
  • Page 177 Configuring 802.1Q VLAN Configuration Example Verify the VLAN configuration: Switch_1(config)#show interface switchport Port Type PVID Acceptable frame type Ingress Checking ------- ---- ---- --------------------- ---------------- Fa1/0/1 General Enable Fa1/0/2 General Enable Fa1/0/3 General Enable Fa1/0/4 General Enable Fa1/0/5 General Enable ..
  • Page 178: Appendix: Default Parameters

    Configuring 802.1Q VLAN Appendix: Default Parameters Appendix: Default Parameters Default settings of 802.1Q VLAN are listed in the following table. Table 4-1 Default Settings of 802.1Q VLAN Parameter Default Setting VLAN ID PVID Ingress Checking Enabled Acceptable Frame Types Admit All Configuration Guide...
  • Page 179: Configuring Mac Vlan

    Part 7 Configuring MAC VLAN CHAPTERS 1. Overview 2. MAC VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 180: Overview

    Configuring MAC VLAN Overview Overview VLAN is generally divided by ports. It is a common way of division but isn’t suitable for those networks that require frequent topology changes. With the popularity of mobile office, at different times a terminal device may access the network via different ports. For example, a terminal device that accessed the switch via port 1 last time may change to port 2 this time.
  • Page 181: Mac Vlan Configuration

    Configuring MAC VLAN MAC VLAN Configuration MAC VLAN Configuration To complete MAC VLAN configuration, follow these steps: 1) Configure 802.1Q VLAN. 2) Bind the MAC address to the VLAN. 3) Enable MAC VLAN for the port. Configuration Guidelines When a port in a MAC VLAN receives an untagged data packet, the switch will first check whether the source MAC address of the data packet has been bound to the MAC VLAN.
  • Page 182: Enabling Mac Vlan For The Port

    Configuring MAC VLAN MAC VLAN Configuration 1) Enter the MAC address of the device, give it a description, and enter the VLAN ID to bind it to the VLAN. MAC Address Enter the MAC address of the device in the format of 00-00-00-00-00-01. Description Give a MAC address description for identification with up to 8 characters.
  • Page 183: Using The Cli

    Configuring MAC VLAN MAC VLAN Configuration Using the CLI 2.2.1 Configuring 802.1Q VLAN Before configuring MAC VLAN, create an 802.1Q VLAN and set the port type according to network requirements. For details, refer to Configuring 802.1Q VLAN. 2.2.2 Binding the MAC Address to the VLAN Follow these steps to bind the MAC address to the VLAN: Step 1 configure...
  • Page 184: Enabling Mac Vlan For The Port

    Configuring MAC VLAN MAC VLAN Configuration Switch#copy running-config startup-config 2.2.3 Enabling MAC VLAN for the Port Follow these steps to enable MAC VLAN for the port: Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode.
  • Page 185: Configuration Example

    Configuring MAC VLAN Configuration Example Configuration Example Network Requirements Two departments share all the meeting rooms in the company, but use different servers and laptops. Department A uses Server A and Laptop A, while Department B uses Server B and Laptop B. Server A is in VLAN 10 while Server B is in VLAN 20. It is required that Laptop A can only access Server A and Laptop B can only access Server B, no matter which meeting room the laptops are being used in.
  • Page 186: Using The Gui

    Configuring MAC VLAN Configuration Example egress rule as Untagged; for the ports connecting to other switch, set the egress rule as Tagged. 2) On Switch 1 and Switch 2, bind the MAC addresses of the laptops to their corresponding VLANs, and enable MAC VLAN for the ports. Demonstrated with T1500-28PCT, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.
  • Page 187 Configuring MAC VLAN Configuration Example Figure 3-2 Creating VLAN 10 2) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 20, and add untagged port 1/0/1 and tagged port 1/0/2 to VLAN 20. Click Create. Configuration Guide...
  • Page 188 Configuring MAC VLAN Configuration Example Figure 3-3 Creating VLAN 20 3) Choose the menu L2 FEATURES > VLAN > MAC VLAN and click to load the following page. Specify the corresponding parameters and click Create to bind the MAC address of Laptop A to VLAN 10 and bind the MAC address of Laptop B to VLAN Figure 3-4 Creating MAC VLAN 4) Choose the menu L2 FEATURES >...
  • Page 189 Configuring MAC VLAN Configuration Example Figure 3-5 Enabling MAC VLAN for the Port 5) Click to save the settings.
    • Configurations for Switch 3
    1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 10, and add untagged port 1/0/4 and tagged ports 1/0/2-3 to VLAN 10.
  • Page 190 Configuring MAC VLAN Configuration Example Figure 3-6 Creating VLAN 10 2) Click Create to load the following page. Create VLAN 20, and add untagged port 1/0/5 and tagged ports 1/0/2-3 to VLAN 20. Click Create. Configuration Guide...
  • Page 191: Using The Cli

    Configuring MAC VLAN Configuration Example Figure 3-7 Creating VLAN 20 3) Click to save the settings. Using the CLI
    • Configurations for Switch 1 and Switch 2
    The configurations of Switch 1 and Switch 2 are the same. The following introductions take Switch 1 as an example.
  • Page 192 Configuring MAC VLAN Configuration Example
    Switch_1(config)#vlan 20
    Switch_1(config-vlan)#name deptB
    Switch_1(config-vlan)#exit
    2) Add tagged port 1/0/2 and untagged port 1/0/1 to both VLAN 10 and VLAN 20. Then enable MAC VLAN on port 1/0/1.
    Switch_1(config)#interface fastEthernet 1/0/2
    Switch_1(config-if)#switchport general allowed vlan 10,20 tagged
    Switch_1(config-if)#exit
    Switch_1(config)#interface fastEthernet 1/0/1
    Switch_1(config-if)#switchport general allowed vlan 10,20 untagged...
  • Page 193 Configuring MAC VLAN Configuration Example
    Switch_3(config)#interface fastEthernet 1/0/3
    Switch_3(config-if)#switchport general allowed vlan 10,20 tagged
    Switch_3(config-if)#exit
    3) Add untagged port 1/0/4 to VLAN 10 and untagged port 1/0/5 to VLAN 20.
    Switch_3(config)#interface fastEthernet 1/0/4
    Switch_3(config-if)#switchport general allowed vlan 10 untagged
    Switch_3(config-if)#exit
    Switch_3(config)#interface fastEthernet 1/0/5
    Switch_3(config-if)#switchport general allowed vlan 20 untagged
    Switch_3(config-if)#end...
  • Page 194 Configuring MAC VLAN Configuration Example
    -------- --------------- ------------- -------------------------------------
    System-VLAN active Fa1/0/1, Fa1/0/2, Fa1/0/3, Fa1/0/4, Fa1/0/5, Fa1/0/6, Fa1/0/7, Fa1/0/8
    DeptA active Fa1/0/2, Fa1/0/3, Fa1/0/4
    DeptB active Fa1/0/2, Fa1/0/3, Fa1/0/5
    Configuration Guide...
  • Page 195: Appendix: Default Parameters

    Configuring MAC VLAN Appendix: Default Parameters Appendix: Default Parameters Default settings of MAC VLAN are listed in the following table. Table 4-1 Default Settings of MAC VLAN Parameter Default Setting MAC Address None Description None VLAN ID None Port Enable Disabled Configuration Guide...
  • Page 196: Configuring Protocol Vlan

    Part 8 Configuring Protocol VLAN CHAPTERS 1. Overview 2. Protocol VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 197: Overview

    Configuring Protocol VLAN Overview Overview Protocol VLAN is a technology that divides VLANs based on the network layer protocol. With the protocol VLAN rule configured on the basis of the existing 802.1Q VLAN, the switch can analyze specific fields of received packets, encapsulate the packets in specific formats, and forward the packets with different protocols to the corresponding VLANs.
  • Page 198: Protocol Vlan Configuration

    3) Configure Protocol VLAN. Configuration Guidelines
    • You can use the IP, ARP, RARP, and other protocol templates provided by TP-Link switches, or create new protocol templates.
    • In a protocol VLAN, when a port receives an untagged data packet, the switch will first search for the protocol VLAN matching the protocol type value of the packet.
  • Page 199: Creating Protocol Template

    Configuring Protocol VLAN Protocol VLAN Configuration 2.1.2 Creating Protocol Template Choose the menu L2 FEATURES > VLAN > Protocol VLAN > Protocol Template to load the following page. Figure 2-1 Check the Protocol Template Follow these steps to create a protocol template: 1) Check whether your desired template already exists in the Protocol Template Config section.
  • Page 200: Configuring Protocol Vlan

    Configuring Protocol VLAN Protocol VLAN Configuration DSAP Enter the DSAP value for the protocol template. It is available when LLC is selected. It is the DSAP field in the frame and is used to identify the data type of the frame. SSAP Enter the SSAP value for the protocol template.
  • Page 201: Using The Cli

    Configuring Protocol VLAN Protocol VLAN Configuration 802.1p Priority Specify the 802.1p priority for the packets that belong to the protocol VLAN. The switch determines the forwarding sequence according to this value. Packets with a larger 802.1p priority value have higher priority. 2) Select the desired ports.
  • Page 202: Configuring Protocol Vlan

    Configuring Protocol VLAN Protocol VLAN Configuration The following example shows how to create an IPv6 protocol template:
    Switch#configure
    Switch(config)#protocol-vlan template name IPv6 frame ether_2 ether-type 86dd
    Switch(config)#show protocol-vlan template
    Index Protocol Name Protocol Type
    ------- ----------------- --------------------------------
    EthernetII ether-type 0800
    EthernetII ether-type 0806
    RARP EthernetII ether-type 8035...
  • Page 203 Configuring Protocol VLAN Protocol VLAN Configuration Step 5 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 6 protocol-vlan group entry-id Add the specified port to the protocol group.
  • Page 204 Configuring Protocol VLAN Protocol VLAN Configuration
    Index Protocol-Name VID Priority Member
    ------ ------------------ ------ -------- ------------
    IPv6 Gi1/0/2
    Switch(config-if)#end
    Switch#copy running-config startup-config
    Configuration Guide...
  • Page 205: Configuration Example

    Configuring Protocol VLAN Configuration Example Configuration Example Network Requirements A company uses both IPv4 and IPv6 hosts, and these hosts access the IPv4 network and IPv6 network respectively via different routers. It is required that IPv4 packets are forwarded to the IPv4 network, IPv6 packets are forwarded to the IPv6 network, and other packets are dropped.
  • Page 206 Configuring Protocol VLAN Configuration Example 1) Create VLAN 10 and VLAN 20 and add each port to the corresponding VLAN. 2) Use the IPv4 protocol template provided by the switch, and create the IPv6 protocol template. 3) Bind the protocol templates to the corresponding VLANs to form protocol groups, and add port 1/0/1 to the groups.
  • Page 207: Using The Gui

    Configuring Protocol VLAN Configuration Example Using the GUI
    • Configurations for Switch 1
    1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 10, and add untagged port 1/0/1 and untagged port 1/0/3 to VLAN 10.
  • Page 208 Configuring Protocol VLAN Configuration Example 2) Click to load the following page. Create VLAN 20, and add untagged ports 1/0/2-3 to VLAN 20. Click Create. Figure 3-3 Create VLAN 20 3) Click to save the settings. Configuration Guide...
  • Page 209 Configuring Protocol VLAN Configuration Example
    • Configurations for Switch 2
    1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 10, and add tagged port 1/0/1 and untagged port 1/0/2 to VLAN 10.
  • Page 210 Configuring Protocol VLAN Configuration Example 2) Click to load the following page. Create VLAN 20, and add tagged port 1/0/1 and untagged port 1/0/3 to VLAN 20. Click Create. Figure 3-5 Create VLAN 20 Configuration Guide...
  • Page 211 Configuring Protocol VLAN Configuration Example 3) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > Port Config to load the following page. Set the PVID of port 1/0/2 and port 1/0/3 as 10 and 20 respectively. Click Apply. Figure 3-6 Port Configuration 4) Choose the menu L2 FEATURES >...
  • Page 212: Using The Cli

    Configuring Protocol VLAN Configuration Example Figure 3-8 Configure the IPv4 Protocol Group Figure 3-9 Configure the IPv6 Protocol Group 6) Click to save the settings. Using the CLI
    • Configurations for Switch 1
    1) Create VLAN 10 and VLAN 20. Configuration Guide...
  • Page 213 Configuring Protocol VLAN Configuration Example
    Switch_1#configure
    Switch_1(config)#vlan 10
    Switch_1(config-vlan)#name IPv4
    Switch_1(config-vlan)#exit
    Switch_1(config)#vlan 20
    Switch_1(config-vlan)#name IPv6
    Switch_1(config-vlan)#exit
    2) Add untagged port 1/0/1 to VLAN 10. Add untagged port 1/0/2 to VLAN 20. Add untagged port 1/0/3 to both VLAN 10 and VLAN 20.
    Switch_1(config)#interface fastEthernet 1/0/1
    Switch_1(config-if)#switchport general allowed vlan 10 untagged
    Switch_1(config-if)#exit...
  • Page 214 Configuring Protocol VLAN Configuration Example
    Switch_2(config)#interface fastEthernet 1/0/1
    Switch_2(config-if)#switchport general allowed vlan 10,20 tagged
    Switch_2(config-if)#exit
    Switch_2(config)#interface fastEthernet 1/0/2
    Switch_2(config-if)#switchport pvid 10
    Switch_2(config-if)#switchport general allowed vlan 10 untagged
    Switch_2(config-if)#exit
    Switch_2(config)#interface fastEthernet 1/0/3
    Switch_2(config-if)#switchport mode general
    Switch_2(config-if)#switchport pvid 20
    Switch_2(config-if)#switchport general allowed vlan 20 untagged
    Switch_2(config-if)#exit
    3) Create the IPv6 protocol template.
  • Page 215 Configuring Protocol VLAN Configuration Example
    IPv6
    Switch_2(config)#interface fastEthernet 1/0/1
    Switch_2(config-if)#protocol-vlan group 1
    Switch_2(config-if)#protocol-vlan group 2
    Switch_2(config-if)#exit
    Switch_2(config)#end
    Switch_2#copy running-config startup-config
    Verify the Configurations
    • Switch 1
    Verify 802.1Q VLAN configuration:
    Switch_1#show vlan
    VLAN Name Status Ports
    -------- ------------- --------- --------------------------------------------
    System-VLAN active Fa1/0/1, Fa1/0/2, Fa1/0/3, Fa1/0/4...
  • Page 216 Configuring Protocol VLAN Configuration Example Verify protocol group configuration: Switch_2#show protocol-vlan vlan Index Protocol-Name Priority Member -------- --------------------- ------ ------ ----------- Fa1/0/1 IPv6 Fa1/0/1 Configuration Guide...
  • Page 217: Appendix: Default Parameters

    Configuring Protocol VLAN Appendix: Default Parameters Appendix: Default Parameters Default settings of Protocol VLAN are listed in the following table. Table 4-1 Default Settings of Protocol VLAN Parameter Default Setting Ethernet II ether-type 0800 Ethernet II ether-type 0806 Protocol Template Table RARP Ethernet II ether-type 8035 SNAP ether-type 8137...
  • Page 218: Configuring Gvrp

    Part 9 Configuring GVRP CHAPTERS 1. Overview 2. GVRP Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 219: Overview

    Configuring GVRP Overview Overview GVRP (GARP VLAN Registration Protocol) is a GARP (Generic Attribute Registration Protocol) application that allows registration and deregistration of VLAN attribute values and dynamic VLAN creation. Without GVRP operating, configuring the same VLAN on a network would require manual configuration on each device.
  • Page 220: Gvrp Configuration

    Configuring GVRP GVRP Configuration GVRP Configuration To complete GVRP configuration, follow these steps: 1) Create a VLAN. 2) Enable GVRP globally. 3) Enable GVRP on each port and configure the corresponding parameters. Configuration Guidelines To dynamically create a VLAN on all ports in a network link, you must configure the same static VLAN on both ends of the link.
  • Page 221: Using The Gui

    Configuring GVRP GVRP Configuration Using the GUI Choose the menu L2 FEATURES > VLAN > GVRP > GVRP Config to load the following page. Figure 2-1 GVRP Config Follow these steps to configure GVRP: 1) In the GVRP section, enable GVRP globally, then click Apply. 2) In the Port Config section, select one or more ports, set the status as Enable and configure the related parameters according to your needs.
  • Page 222: Using The Cli

    Configuring GVRP GVRP Configuration LeaveAll Timer When a GARP participant is enabled, the LeaveAll timer will be started. When (centisecond) the LeaveAll timer expires, the GARP participant will send LeaveAll messages to request other GARP participants to re-register all its attributes. After that, the participant restarts the LeaveAll timer.
  • Page 223 Configuring GVRP GVRP Configuration Step 3 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 4 gvrp Enable GVRP on the port.
  • Page 224 Configuring GVRP GVRP Configuration Step 9 Return to privileged EXEC mode. Step 10 copy running-config startup-config Save the settings in the configuration file. Note: The member port of an LAG follows the configuration of the LAG and not its own. The •...
  • Page 225: Configuration Example

    Configuring GVRP Configuration Example Configuration Example Network Requirements Department A and Department B of a company are connected using switches. Offices of one department are distributed on different floors. As shown in Figure 3-1, the network topology is complicated. Configuration of the same VLAN on different switches is required so that computers in the same department can communicate with each other.
  • Page 226: Using The Gui

    Configuring GVRP Configuration Example Using the GUI GVRP configuration for Switch 3 is the same as Switch 1, and Switch 4 the same as Switch 2. Other switches share similar configurations. The following configuration procedures take Switch 1, Switch 2 and Switch 5 as examples.
    • Configurations for Switch 1
    1) Choose the menu L2 FEATURES >...
  • Page 227 Configuring GVRP Configuration Example Figure 3-3 GVRP Configuration 3) Click to save the settings.
    • Configurations for Switch 2
    1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 20 and add tagged port 1/0/1 to it. Click Create.
  • Page 228 Configuring GVRP Configuration Example Figure 3-4 Create VLAN 20 2) Choose the menu L2 FEATURES > VLAN > GVRP to load the following page. Enable GVRP globally, then click Apply. Select port 1/0/1, set Status as Enable, and set Registration Mode as Fixed. Keep the values of the timers as default. Click Apply. Configuration Guide...
  • Page 229 Configuring GVRP Configuration Example Figure 3-5 GVRP Configuration 3) Click to save the settings.
    • Configurations for Switch 5
    1) Choose the menu L2 FEATURES > VLAN > GVRP to load the following page. Enable GVRP globally, then click Apply. Select ports 1/0/1-3, set Status as Enable, and keep the Registration Mode and the values of the timers as default.
  • Page 230: Using The Cli

    Configuring GVRP Configuration Example Figure 3-6 GVRP Configuration 2) Click to save the settings. Using the CLI GVRP configuration for Switch 3 is the same as Switch 1, and Switch 4 the same as Switch 2. Other switches share similar configurations. The following configuration procedures take Switch 1, Switch 2 and Switch 5 as examples.
  • Page 231 Configuring GVRP Configuration Example
    Switch_1(config)#interface gigabitEthernet 1/0/1
    Switch_1(config-if)#switchport general allowed vlan 10 tagged
    Switch_1(config-if)#gvrp
    Switch_1(config-if)#gvrp registration fixed
    Switch_1(config-if)#end
    Switch_1#copy running-config startup-config
    • Configurations for Switch 2
    1) Enable GVRP globally.
    Switch_2#configure
    Switch_2(config)#gvrp
    2) Create VLAN 20.
    Switch_2(config)#vlan 20
    Switch_2(config-vlan)#name Department B
    Switch_2(config-vlan)#exit
    3) Add tagged port 1/0/1 to VLAN 20.
  • Page 232 Configuring GVRP Configuration Example
    Switch_5#copy running-config startup-config
    Verify the Configuration
    • Switch 1
    Verify the global GVRP configuration:
    Switch_1#show gvrp global
    GVRP Global Status
    ------------------
    Enabled
    Verify GVRP configuration for port 1/0/1:
    Switch_1#show gvrp interface
    Port Status Reg-Mode LeaveAll JoinIn Leave LAG
    ---- ------...
  • Page 233 Configuring GVRP Configuration Example .. Switch 5 Verify global GVRP configuration: GVRP Global Status ------------------ Enabled Verify GVRP configuration for ports 1/0/1-3: Switch_5#show gvrp interface Port Status Reg-Mode LeaveAll JoinIn Leave LAG ---- ------ -------- ------- ------ ----- Gi1/0/1 Enabled Normal 1000 Gi1/0/2 Enabled...
  • Page 234: Appendix: Default Parameters

    Configuring GVRP Appendix: Default Parameters Appendix: Default Parameters Default settings of GVRP are listed in the following tables. Table 4-1 Default Settings of GVRP Parameter Default Setting Global Config GVRP Disabled Port Config Status Disabled Registration Mode Normal LeaveAll Timer 1000 centiseconds Join Timer 20 centiseconds...
  • Page 235: Configuring Layer 2 Multicast

    Part 10 Configuring Layer 2 Multicast CHAPTERS 1. Layer 2 Multicast 2. IGMP Snooping Configuration 3. MLD Snooping Configuration 4. MVR Configuration 5. Multicast Filtering Configuration 6. Viewing Multicast Snooping Information 7. Configuration Examples 8. Appendix: Default Parameters...
  • Page 236: Layer 2 Multicast

    Configuring Layer 2 Multicast Layer 2 Multicast Layer 2 Multicast 1.1 Overview In a point-to-multipoint network, packets can be sent in three ways: unicast, broadcast and multicast. With unicast, many copies of the same information will be sent to all the receivers, occupying a large bandwidth.
  • Page 237 Configuring Layer 2 Multicast Layer 2 Multicast Demonstrated as below: Figure 1-1 IGMP Snooping. Panels: multicast packets transmission without IGMP Snooping; multicast packets transmission with IGMP Snooping. Labels: Source, IGMP Querier, Router Port, Snooping Switch, Non-Snooping Switch, Member Port, Host A, Host B, Host C...
  • Page 238: Supported Features

    Configuring Layer 2 Multicast Layer 2 Multicast 1.2 Supported Features Layer 2 Multicast protocol for IPv4: IGMP Snooping On the Layer 2 device, IGMP Snooping transmits data on demand on data link layer by analyzing IGMP packets between the IGMP querier and the users, to build and maintain Layer 2 multicast forwarding table.
  • Page 239: Igmp Snooping Configuration

    Configuring Layer 2 Multicast IGMP Snooping Configuration IGMP Snooping Configuration To complete IGMP Snooping configuration, follow these steps: 1) Enable IGMP Snooping globally and configure the global parameters. 2) Configure IGMP Snooping for VLANs. 3) Configure IGMP Snooping for ports. 4) (Optional) Configure hosts to statically join a group.
  • Page 240: Configuring Igmp Snooping For Vlans

    Configuring Layer 2 Multicast IGMP Snooping Configuration IGMP Version Specify the IGMP version. v1: The switch works as an IGMPv1 Snooping switch. It can only process IGMPv1 messages from the host. Messages of other versions are ignored. v2: The switch works as an IGMPv2 Snooping switch. It can process both IGMPv1 and IGMPv2 messages from the host.
  • Page 241 Configuring Layer 2 Multicast IGMP Snooping Configuration Figure 2-2 Configure IGMP Snooping for VLAN Follow these steps to configure IGMP Snooping for a specific VLAN: 1) Enable IGMP Snooping for the VLAN, and configure the corresponding parameters. VLAN ID Displays the VLAN ID. IGMP Snooping Enable or disable IGMP Snooping for the VLAN.
  • Page 242 Configuring Layer 2 Multicast IGMP Snooping Configuration Report Enable or disable Report Suppression for the VLAN. Suppression When enabled, the switch will only forward the first IGMP report message for each multicast group to the IGMP querier and suppress subsequent IGMP report messages for the same multicast group during one query interval.
  • Page 243 Configuring Layer 2 Multicast IGMP Snooping Configuration Query Interval With IGMP Snooping Querier enabled, specify the interval between general query messages sent by the switch. Maximum With IGMP Snooping Querier enabled, specify the host’s maximum response time Response Time to general query messages. Last Member With IGMP Snooping Querier enabled, when the switch receives an IGMP leave Query Interval...
  • Page 244: Configuring Igmp Snooping For Ports

    Configuring Layer 2 Multicast IGMP Snooping Configuration 2.1.3 Configuring IGMP Snooping for Ports Choose the menu L2 FEATURES > Multicast > IGMP Snooping > Port Config to load the following page. Figure 2-3 Configure IGMP Snooping for Ports Follow these steps to configure IGMP Snooping for ports: 1) Enable IGMP Snooping for the port and enable Fast Leave if there is only one receiver connected to the port.
  • Page 245: Using The Cli

    Configuring Layer 2 Multicast IGMP Snooping Configuration Choose the menu L2 FEATURES > Multicast > IGMP Snooping > Static Group Config and click to load the following page. Figure 2-4 Configure Hosts to Statically Join a Group Follow these steps to configure hosts to statically join a group: 1) Specify the multicast IP address, VLAN ID.
  • Page 246 Configuring Layer 2 Multicast IGMP Snooping Configuration Step 3 ip igmp snooping version {v1 | v2 | v3} Configure the IGMP version. v1: The switch works as an IGMPv1 Snooping switch. It can only process IGMPv1 report messages from the host. Report messages of other versions are ignored. v2: The switch works as an IGMPv2 Snooping switch.
  • Page 247: Configuring Igmp Snooping For Vlans

    Configuring Layer 2 Multicast IGMP Snooping Configuration Switch(config)#ip igmp snooping header-validation Switch(config)#show ip igmp snooping IGMP Snooping :Enable IGMP Version Unknown Multicast :Discard Header Validation :Enable Switch(config)#end Switch#copy running-config startup-config 2.2.2 Configuring IGMP Snooping for VLANs Before configuring IGMP Snooping for VLANs, set up the VLANs that the router ports and the member ports are in.
  • Page 248 Configuring Layer 2 Multicast IGMP Snooping Configuration Step 3 ip igmp snooping vlan-config vlan-id-list rtime router-time Specify the router port aging time for the VLANs. vlan-id-list: Specify the ID or the ID list of the VLAN(s). router-time: Specify the aging time of the router ports in the specified VLANs. Valid values are from 60 to 600 seconds.
  • Page 249 Configuring Layer 2 Multicast IGMP Snooping Configuration Step 6 ip igmp snooping vlan-config vlan-id-list immediate-leave (Optional) Enable the Fast Leave for the VLANs. By default, it is disabled. IGMPv1 does not support fast leave. Without Fast Leave, after a receiver sends an IGMP leave message to leave a multicast group, the switch will forward the leave message to the Layer 3 device (the querier).
  • Page 250 Configuring Layer 2 Multicast IGMP Snooping Configuration Step 9 ip igmp snooping vlan-config vlan-id-list querier (Optional) Enable the IGMP Snooping Querier for the VLAN. By default, it is disabled. When enabled, the switch acts as an IGMP Snooping Querier for the hosts in this VLAN. A querier periodically sends a general query on the network to solicit membership information, and sends group-specific queries when it receives leave messages from hosts.
  • Page 251 Configuring Layer 2 Multicast IGMP Snooping Configuration Switch(config)#ip igmp snooping vlan-config 1 mtime 300 Switch(config)#ip igmp snooping vlan-config 1 rtime 320 Switch(config)#ip igmp snooping vlan-config 1 immediate-leave Switch(config)#ip igmp snooping vlan-config 1 report-suppression Switch(config)#show ip igmp snooping vlan 1 Vlan Id: 1 Vlan IGMP Snooping Status: Enable Fast Leave: Enable Report Suppression: Enable...
  • Page 252: Configuring Igmp Snooping For Ports

    Configuring Layer 2 Multicast IGMP Snooping Configuration Query Interval: Last Member Query Interval: 2 Last Member Query Count: General Query Source IP: 192.168.0.5 Switch(config)#end Switch#copy running-config startup-config 2.2.3 Configuring IGMP Snooping for Ports Follow these steps to configure IGMP Snooping for ports: Step 1 configure Enter global configuration mode.
  • Page 253: Configuring Hosts To Statically Join A Group

    Configuring Layer 2 Multicast IGMP Snooping Configuration Switch(config)#interface range fastEthernet 1/0/1-3 Switch(config-if-range)#ip igmp snooping Switch(config-if-range)#ip igmp snooping immediate-leave Switch(config-if-range)#show ip igmp snooping interface gigabitEthernet 1/0/1-3 Port IGMP-Snooping Fast-Leave ----------- ------------------- -------------- Gi1/0/1 enable enable Gi1/0/2 enable enable Gi1/0/3 enable enable Switch(config-if-range)#end Switch#copy running-config startup-config 2.2.4 Configuring Hosts to Statically Join a Group...
  • Page 254 Configuring Layer 2 Multicast IGMP Snooping Configuration Switch(config)#ip igmp snooping vlan-config 2 static 239.1.2.3 interface gigabitEthernet 1/0/1-3 Switch(config)#show ip igmp snooping groups static Multicast-ip VLAN-id Addr-type Switch-port ------------ ------- --------- ----------- 239.1.2.3 static Gi1/0/1-3 Switch(config)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 255: Mld Snooping Configuration

    Configuring Layer 2 Multicast MLD Snooping Configuration MLD Snooping Configuration To complete MLD Snooping configuration, follow these steps: 1) Enable MLD Snooping globally and configure the global parameters. 2) Configure MLD Snooping for VLANs. 3) Configure MLD Snooping for ports. 4) (Optional) Configure hosts to statically join a group.
  • Page 256: Configuring Mld Snooping For Vlans

    Configuring Layer 2 Multicast MLD Snooping Configuration 2) Click Apply. 3.1.2 Configuring MLD Snooping for VLANs Before configuring MLD Snooping for VLANs, set up the VLANs that the router ports and the member ports are in. For details, please refer to Configuring 802.1Q VLAN.
  • Page 257 Configuring Layer 2 Multicast MLD Snooping Configuration Fast Leave Enable or disable Fast Leave for the VLAN. Without Fast Leave, after a receiver sends an MLD done message (equivalent to an IGMP leave message) to leave a multicast group, the switch will forward the done message to the Layer 3 device (the querier).
  • Page 258 Configuring Layer 2 Multicast MLD Snooping Configuration Leave Time Specify the leave time for the VLAN. When the switch receives a leave message from a port to leave a multicast group, it will wait for a leave time before removing the port from the multicast group. During the period, if the switch receives any report messages from the port, the port will not be removed from the multicast group.
  • Page 259: Configuring Mld Snooping For Ports

    Configuring Layer 2 Multicast MLD Snooping Configuration Forbidden Select the ports to forbid them from being router ports in the VLAN. Router Ports 2) Click Save. 3.1.3 Configuring MLD Snooping for Ports Choose the menu L2 FEATURES > Multicast > MLD Snooping > Port Config to load the following page.
  • Page 260: Configuring Hosts To Statically Join A Group

    Configuring Layer 2 Multicast MLD Snooping Configuration 3.1.4 Configuring Hosts to Statically Join a Group Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also configure hosts to statically join a group. Choose the menu L2 FEATURES > Multicast > MLD Snooping > Static Group Config and click to load the following page.
  • Page 261: Configuring Mld Snooping For Vlans

    Configuring Layer 2 Multicast MLD Snooping Configuration Step 3 ipv6 mld snooping drop-unknown (Optional) Set the way the switch processes multicast streams sent to unknown multicast groups to Discard. By default, it is Forward. Unknown multicast groups are multicast groups that do not match any of the groups announced in earlier IGMP membership reports, and thus cannot be found in the multicast forwarding table of the switch.
  • Page 262 Configuring Layer 2 Multicast MLD Snooping Configuration Follow these steps to configure MLD Snooping for VLANs: Step 1 configure Enter global configuration mode. Step 2 ipv6 mld snooping vlan-config vlan-id-list mtime member-time Enable MLD Snooping for the specified VLANs, and specify the member port aging time for the VLANs.
  • Page 263 Configuring Layer 2 Multicast MLD Snooping Configuration Step 5 ipv6 mld snooping vlan-config vlan-id-list report-suppression (Optional) Enable Report Suppression for the VLANs. By default, it is disabled. When enabled, the switch will only forward the first MLD report message for each multicast group to the MLD querier and suppress subsequent MLD report messages for the same multicast group during one query interval.
  • Page 264 Configuring Layer 2 Multicast MLD Snooping Configuration Step 9 ipv6 mld snooping vlan-config vlan-id-list querier (Optional) Enable MLD Snooping Querier for the VLAN. By default, it is disabled. When enabled, the switch acts as an MLD Snooping Querier for the hosts in this VLAN. A querier periodically sends a general query on the network to solicit membership information, and sends group-specific queries when it receives done messages from hosts.
  • Page 265 Configuring Layer 2 Multicast MLD Snooping Configuration Switch(config)#ipv6 mld snooping vlan-config 1 rtime 320 Switch(config)#ipv6 mld snooping vlan-config 1 immediate-leave Switch(config)#ipv6 mld snooping vlan-config 1 report-suppression Switch(config)#show ipv6 mld snooping vlan 1 Vlan Id: 1 Vlan MLD Snooping Status: Enable Fast Leave: Enable Report Suppression: Enable Router Time: Enable...
  • Page 266: Configuring Mld Snooping For Ports

    Configuring Layer 2 Multicast MLD Snooping Configuration Last Member Query Interval: Last Member Query Count: General Query Source IP: fe80::1 Switch(config)#end Switch#copy running-config startup-config 3.2.3 Configuring MLD Snooping for Ports Follow these steps to configure MLD Snooping for ports: Step 1 configure Enter global configuration mode.
  • Page 267: Configuring Hosts To Statically Join A Group

    Configuring Layer 2 Multicast MLD Snooping Configuration Switch(config-if-range)#ipv6 mld snooping immediate-leave Switch(config-if-range)#show ipv6 mld snooping interface gigabitEthernet 1/0/1-3 Port MLD-Snooping Fast-Leave ----------- ------------------- -------------- Gi1/0/1 enable enable Gi1/0/2 enable enable Gi1/0/3 enable enable Switch(config-if-range)#end Switch#copy running-config startup-config 3.2.4 Configuring Hosts to Statically Join a Group Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also configure hosts to statically join a group.
  • Page 268 Configuring Layer 2 Multicast MLD Snooping Configuration Multicast-ip VLAN-id Addr-type Switch-port -------------- ------- --------- ----------- ff80::1234:01 static Gi1/0/1-3 Switch(config)#end Switch#copy running-config startup-config
  • Page 269: Mvr Configuration

    Configuring Layer 2 Multicast MVR Configuration MVR Configuration To complete MVR configuration, follow these steps: 1) Configure 802.1Q VLANs. 2) Configure MVR globally. 3) Add multicast groups to MVR. 4) Configure MVR for the ports. 5) (Optional) Statically add ports to MVR groups. Configuration Guidelines: MVR does not support IGMPv3 messages.
  • Page 270: Configuring Mvr Globally

    Configuring Layer 2 Multicast MVR Configuration 4.1.2 Configuring MVR Globally Choose the menu L2 FEATURES > Multicast > MVR > MVR Config to load the following page. Figure 4-1 Configure MVR Globally Follow these steps to configure MVR globally: 1) Enable MVR globally and configure the global parameters. Enable or disable MVR globally.
  • Page 271: Adding Multicast Groups To Mvr

    Configuring Layer 2 Multicast MVR Configuration 4.1.3 Adding Multicast Groups to MVR You need to manually add multicast groups to the MVR. Choose the menu L2 FEATURES > Multicast > MVR > MVR Group Config and click to load the following page. Figure 4-2 Add Multicast Groups to MVR Follow these steps to add multicast groups to MVR: 1) Specify the IP address of the multicast groups.
  • Page 272: Configuring Mvr For The Port

    Configuring Layer 2 Multicast MVR Configuration Status Displays the status of the MVR group. In compatible mode, all the MVR groups are added manually, so the status is always active. In dynamic mode, there are two statuses: Inactive: The MVR group is added successfully, but the source port has not received any query messages from this multicast group.
  • Page 273: Optional) Adding Ports To Mvr Groups Statically

    Configuring Layer 2 Multicast MVR Configuration Type Configure the port type. None: The port is a non-MVR port. If you attempt to configure a non-MVR port with MVR characteristics, the operation will be unsuccessful. Source: Configure the uplink ports that receive and send multicast data on the multicast VLAN as source ports.
  • Page 274: Using The Cli

    Configuring Layer 2 Multicast MVR Configuration 2) Click Save. 4.2 Using the CLI 4.2.1 Configuring 802.1Q VLANs Before configuring MVR, create an 802.1Q VLAN as the multicast VLAN. Add all the source ports to the multicast VLAN as tagged ports. Configure 802.1Q VLANs for the receiver ports according to network requirements.
  • Page 275 Configuring Layer 2 Multicast MVR Configuration Step 6 mvr group ip-addr count Add multicast groups to the MVR. ip-addr: Specify the start IP address of the contiguous series of multicast groups. count: Specify the number of the multicast groups to be added to the MVR. Valid values are from 1 to 256.
  • Page 276: Configuring Mvr For The Ports

    Configuring Layer 2 Multicast MVR Configuration MVR Group IP status Members ---------------- --------- ---------------- 239.1.2.3 active 239.1.2.4 active 239.1.2.5 active Switch(config)#end Switch#copy running-config startup-config 4.2.3 Configuring MVR for the Ports Follow these steps to configure MVR for the ports: Step 1 configure Enter global configuration mode.
  • Page 277 Configuring Layer 2 Multicast MVR Configuration Step 7 show mvr interface {fastEthernet [ port-list ] | gigabitEthernet [ port-list ] | ten-gigabitEthernet [ port-list ] } Show the MVR configuration of the specified interface(s). show mvr members Show the membership information of all MVR groups. Step 8 Return to privileged EXEC mode.
  • Page 278 Configuring Layer 2 Multicast MVR Configuration MVR Group IP status Members ---------------- --------- ---------------- 239.1.2.3 active Gi1/0/1-3, 1/0/7 Switch(config)#end Switch#copy running-config startup-config
  • Page 279: Multicast Filtering Configuration

    Configuring Layer 2 Multicast Multicast Filtering Configuration Multicast Filtering Configuration To complete multicast filtering configuration, follow these steps: 1) Create the IGMP profile or MLD profile. 2) Configure multicast groups a port can join and the overflow action. Using the GUI 5.1.1 Creating the Multicast Profile You can create multicast profiles for both IPv4 and IPv6 networks.
  • Page 280 Configuring Layer 2 Multicast Multicast Filtering Configuration Figure 5-1 Create IPv4 Profile Follow these steps to create a profile. 1) In the General Config section, specify the Profile ID and Mode. Profile ID Enter a profile ID between 1 and 999. Mode Select Permit or Deny as the filtering mode.
  • Page 281: Configure Multicast Filtering For Ports

    Configuring Layer 2 Multicast Multicast Filtering Configuration Figure 5-2 Configure Multicast Groups to Be Filtered 3) In the Bind Ports section, select your desired ports to be bound with the profile. 4) Click Save. 5.1.2 Configure Multicast Filtering for Ports You can modify the mapping relation between ports and profiles in batches, and configure the number of multicast groups a port can join and the overflow action.
  • Page 282: Using The Cli

    Configuring Layer 2 Multicast Multicast Filtering Configuration Follow these steps to bind the profile to ports and configure the corresponding parameters for the ports: 1) Select one or more ports to configure. 2) Specify the profile to be bound, and configure the maximum groups the port can join and the overflow action.
  • Page 283 Configuring Layer 2 Multicast Multicast Filtering Configuration Step 3 Permit Configure the profile’s filtering mode as permit. Then the profile acts as a whitelist and only allows specific member ports to join specified multicast groups. deny Configure the profile’s filtering mode as deny. Then the profile acts as a blacklist and prevents specific member ports from joining specific multicast groups.
  • Page 284 Configuring Layer 2 Multicast Multicast Filtering Configuration Step 2 ipv6 mld profile id Create a new profile and enter profile configuration mode. Step 3 Permit Configure the profile’s filtering mode as permit. It is similar to a whitelist, indicating that the switch only allows specific member ports to join specific multicast groups.
  • Page 285: Binding The Profile To Ports

    Configuring Layer 2 Multicast Multicast Filtering Configuration 5.2.2 Binding the Profile to Ports You can bind the created IGMP profile or MLD profile to ports, and configure the number of multicast groups a port can join and the overflow action. Binding the IGMP Profile to Ports Step 1 configure...
  • Page 286 Configuring Layer 2 Multicast Multicast Filtering Configuration The following example shows how to bind the existing Profile 1 to port 1/0/2, and specify the maximum number of multicast groups that port 1/0/2 can join as 50 and the Overflow Action as Drop: Switch#configure Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#ip igmp snooping...
  • Page 287 Configuring Layer 2 Multicast Multicast Filtering Configuration Step 4 ipv6 mld snooping max-groups maxgroup Configure the maximum number of multicast groups the port can join. maxgroup: Specify the maximum number of multicast groups the port can join. Valid values range from 1 to 511.
  • Page 288 Configuring Layer 2 Multicast Multicast Filtering Configuration Gi1/0/2 Switch(config-if)#show ipv6 mld snooping interface gigabitEthernet 1/0/2 max-groups Port Max-Groups Overflow-Action ------------- --------------- --------------------- Gi1/0/2 Drops Switch(config)#end Switch#copy running-config startup-config
  • Page 289: Viewing Multicast Snooping Information

    Configuring Layer 2 Multicast Viewing Multicast Snooping Information Viewing Multicast Snooping Information You can view the following multicast snooping information: - View IPv4 multicast table. - View IPv4 multicast statistics on each port. - View IPv6 multicast table. - View IPv6 multicast statistics on each port. Using the GUI 6.1.1 Viewing IPv4 Multicast Table Choose the menu L2 FEATURES >...
  • Page 290: Viewing Ipv4 Multicast Statistics On Each Port

    Configuring Layer 2 Multicast Viewing Multicast Snooping Information Forward Ports All ports in the multicast group, including router ports and member ports. 6.1.2 Viewing IPv4 Multicast Statistics on Each Port Choose the menu L2 FEATURES > Multicast > Multicast Info > IPv4 Multicast Statistics to load the following page: Figure 6-2 IPv4 Multicast Statistics Follow these steps to view IPv4 multicast statistics on each port:...
  • Page 291: Viewing Ipv6 Multicast Table

    Configuring Layer 2 Multicast Viewing Multicast Snooping Information Report Packets Displays the number of IGMPv2 report packets received by the port. (v2) Report Packets Displays the number of IGMPv3 report packets received by the port. (v3) Leave Packets Displays the number of leave packets received by the port. Error Packets Displays the number of error packets received by the port.
  • Page 292: Viewing Ipv6 Multicast Statistics On Each Port

    Configuring Layer 2 Multicast Viewing Multicast Snooping Information 6.1.4 Viewing IPv6 Multicast Statistics on Each Port Choose the menu L2 FEATURES > Multicast > Multicast Info > IPv6 Multicast Statistics to load the following page: Figure 6-4 IPv6 Multicast Statistics Follow these steps to view IPv6 multicast statistics on each port: 1) To get the real-time IPv6 multicast statistics, enable Auto Refresh, or click Refresh.
  • Page 293: Using The Cli

    Configuring Layer 2 Multicast Viewing Multicast Snooping Information Done Packets Displays the number of done packets received by the port. Error Packets Displays the number of error packets received by the port. Using the CLI 6.2.1 Viewing IPv4 Multicast Snooping Information show ip igmp snooping groups [ vlan vlan-id ] [count | dynamic | dynamic count | static | static count ] Displays information of specific multicast group in all VLANs or in the specific VLAN.
  • Page 294: Configuration Examples

    Configuring Layer 2 Multicast Configuration Examples Configuration Examples 7.1 Example for Configuring Basic IGMP Snooping 7.1.1 Network Requirements Host B, Host C and Host D are in the same VLAN of the switch. All of them want to receive multicast streams sent to multicast group 225.1.1.1. As shown in the following topology, Host B, Host C and Host D are connected to port 1/0/1, port 1/0/2 and port 1/0/3 respectively.
  • Page 295: Using The Gui

    Configuring Layer 2 Multicast Configuration Examples - Enable IGMP Snooping on the ports. Demonstrated with T1500-28PCT, this section provides configuration procedures in two ways: using the GUI and using the CLI. 7.1.3 Using the GUI 1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page.
  • Page 296 Configuring Layer 2 Multicast Configuration Examples Figure 7-3 Configure PVID for the Ports 3) Choose the menu L2 FEATURES > Multicast > IGMP Snooping > Global Config to load the following page. In the Global Config section, enable IGMP Snooping globally. Configure the IGMP version as v3 so that the switch can process IGMP messages of all versions.
  • Page 297: Using The Cli

    Configuring Layer 2 Multicast Configuration Examples Figure 7-5 Enable IGMP Snooping for VLAN 10 5) Choose the menu L2 FEATURES > Multicast > IGMP Snooping > Port Config to load the following page. Enable IGMP Snooping for ports 1/0/1-4. Figure 7-6 Enable IGMP Snooping for the Ports 6) Click to save the settings.
  • Page 298 Configuring Layer 2 Multicast Configuration Examples 2) Add port 1/0/1-3 to VLAN 10 and set the link type as untagged. Add port 1/0/4 to VLAN 10 and set the link type as tagged. Switch(config)#interface range fastEthernet 1/0/1-3 Switch(config-if-range)#switchport general allowed vlan 10 untagged Switch(config-if-range)#exit Switch(config)#interface fastEthernet 1/0/4 Switch(config-if)#switchport general allowed vlan 10 tagged...
  • Page 299: Example For Configuring Mvr

    Configuring Layer 2 Multicast Configuration Examples vlan10 active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4 Show status of IGMP Snooping globally, on the ports and in the VLAN: Switch(config)#show ip igmp snooping IGMP Snooping :Enable IGMP Version Header Validation :Disable Global Authentication Accounting :Disable Enable Port : Gi1/0/1-4 Enable VLAN:10...
  • Page 300: Configuration Scheme

    Configuring Layer 2 Multicast Configuration Examples Figure 7-7 Network Topology for Multicast VLAN (labels: Source, Querier, VLAN 40, Gi1/0/4, Gi1/0/1, Gi1/0/2, Gi1/0/3, Host B, Host C, Host D, each host a Receiver) 7.2.3 Configuration Scheme As the hosts are in different VLANs, in IGMP Snooping, the Querier needs to duplicate multicast streams for hosts in each VLAN.
  • Page 301 Configuring Layer 2 Multicast Configuration Examples Figure 7-8 VLAN Configurations for Port 1/0/1-3 Figure 7-9 PVID for Port 1/0/1-3 2) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 40 and add port 1/0/4 to the VLAN as Tagged port.
  • Page 302 Configuring Layer 2 Multicast Configuration Examples Figure 7-10 Create Multicast VLAN 3) Choose the menu L2 FEATURES > Multicast > MVR > MVR Config to load the following page. Enable MVR globally, and configure the MVR mode as Dynamic, multicast VLAN ID as 40.
  • Page 303: Using The Cli

    Configuring Layer 2 Multicast Configuration Examples Figure 7-12 Add Multicast Group to MVR 5) Choose the menu L2 FEATURES > Multicast > MVR > Port Config to load the following page. Enable MVR for port 1/0/1-4. Configure port 1/0/1-3 as Receiver ports and port 1/0/4 as Source port.
  • Page 304 Configuring Layer 2 Multicast Configuration Examples Switch(config-if)#switchport general allowed vlan 10 untagged Switch(config-if)#switchport pvid 10 Switch(config-if)#exit Switch(config)#interface fastEthernet 1/0/2 Switch(config-if)#switchport general allowed vlan 20 untagged Switch(config-if)#switchport pvid 20 Switch(config-if)#exit Switch(config)#interface fastEthernet 1/0/3 Switch(config-if)#switchport general allowed vlan 30 untagged Switch(config-if)#switchport pvid 30 Switch(config-if)#exit Switch(config)#interface fastEthernet 1/0/4 Switch(config-if)#switchport general allowed vlan 40 tagged...
  • Page 305 Configuring Layer 2 Multicast Configuration Examples 4) Enable MVR globally, and configure the MVR mode as Dynamic, multicast VLAN ID as 40. Add multicast group 225.1.1.1 to MVR. Switch(config)#mvr Switch(config)#mvr mode dynamic Switch(config)#mvr vlan 40 Switch(config)#mvr group 225.1.1.1 1 5) Enable MVR for port 1/0/1-4. Configure port 1/0/1-3 as Receiver ports and port 1/0/4 as Source port.
  • Page 306: Example For Configuring Unknown Multicast And Fast Leave

    Configuring Layer 2 Multicast Configuration Examples Show the brief information of MVR: Switch(config)#show mvr :Enable MVR Multicast Vlan MVR Max Multicast Groups :256 MVR Current Multicast Groups MVR Global Query Response Time :5 (tenths of sec) MVR Mode Type :Dynamic Show the membership of MVR groups: Switch(config)#show mvr members MVR Group IP...
  • Page 307: Configuration Scheme

    Configuring Layer 2 Multicast Configuration Examples Figure 7-14 Network Topology for Unknown Multicast and Fast Leave (labels: Source, Querier, Gi1/0/4, VLAN 10, Gi1/0/2, VLAN 10, Host B, Receiver) 7.3.2 Configuration Scheme After the channel is changed, the client (Host B) still receives irrelevant multicast data, the data from the previous channel and possibly other unknown multicast data, which increases the network load and results in network congestion.
  • Page 308 Configuring Layer 2 Multicast Configuration Examples Figure 7-15 Configure IGMP Snooping Globally Note: IGMP Snooping and MLD Snooping share the setting of Unknown Multicast, so you have to enable MLD Snooping globally on the L2 FEATURES > Multicast > MLD Snooping > Global Config page at the same time.
  • Page 309: Using The Cli

    Configuring Layer 2 Multicast Configuration Examples Figure 7-17 Configure IGMP Snooping on Ports 5) Click to save the settings. 7.3.4 Using the CLI 1) Enable IGMP Snooping and MLD Snooping globally. Switch#configure Switch(config)#ip igmp snooping Switch(config)#ipv6 mld snooping 2) Configure Unknown Multicast Groups as Discard globally. Switch(config)#ip igmp snooping drop-unknown 3) Enable IGMP Snooping on port 1/0/2 and enable Fast Leave.
  • Page 310: Example For Configuring Multicast Filtering

    Configuring Layer 2 Multicast Configuration Examples 5) Save the settings. Switch(config)#end Switch#copy running-config startup-config Verify the Configurations Show global settings of IGMP Snooping: Switch(config)#show ip igmp snooping IGMP Snooping :Enable IGMP Version Unknown Multicast :Discard Enable Port: Gi1/0/1-28 Enable VLAN:10 Show settings of IGMP Snooping on port 1/0/2: Switch(config)#show ip igmp snooping interface fastEthernet 1/0/2 basic-config Port...
  • Page 311: Network Topology

    Configuring Layer 2 Multicast Configuration Examples 7.4.3 Network Topology As shown in the following network topology, Host B is connected to port 1/0/1, Host C is connected to port 1/0/2 and Host D is connected to port 1/0/3. They are all in VLAN 10. Figure 7-18 Network Topology for Multicast Filtering Source Querier...
  • Page 312 Configuring Layer 2 Multicast Configuration Examples Figure 7-19 Enable IGMP Snooping Globally 3) In the IGMP VLAN Config section, click in VLAN 10 to load the following page. Enable IGMP Snooping for VLAN 10. Figure 7-20 Enable IGMP Snooping for VLAN 10
  • Page 313 Configuring Layer 2 Multicast Configuration Examples 4) Choose the menu L2 FEATURES > Multicast > IGMP Snooping > Port Config to load the following page. Figure 7-21 Enable IGMP Snooping on the Port 5) Choose the menu L2 FEATURES > Multicast > Multicast Filtering > IPv4 Profile and click to load the following page.
  • Page 314 Configuring Layer 2 Multicast Configuration Examples Figure 7-22 Configure Filtering Profile for Host C and Host D 6) Click again to load the following page. Create Profile 2, specify the mode as Deny, bind the profile to port 1/0/1, and specify the filtering multicast IP address as 225.0.0.2.
  • Page 315: Using The Cli

    Configuring Layer 2 Multicast Configuration Examples Figure 7-23 Configure Filtering Profile for Host B 7) Click to save the settings. 7.4.5 Using the CLI 1) Create VLAN 10. Switch#configure Switch(config)#vlan 10 Switch(config-vlan)#name vlan10 Switch(config-vlan)#exit 2) Add port 1/0/1-3 to VLAN 10 and set the link type as untagged. Add port 1/0/4 to VLAN 10 and set the link type as tagged.
  • Page 316 Configuring Layer 2 Multicast Configuration Examples Switch(config)#interface fastEthernet 1/0/4 Switch(config-if)#switchport general allowed vlan 10 tagged Switch(config-if)#exit 3) Set the PVID of port 1/0/1-4 as 10. Switch(config)#interface range fastEthernet 1/0/1-4 Switch(config-if-range)#switchport pvid 10 Switch(config-if-range)#exit 4) Enable IGMP Snooping Globally. Switch(config)#ip igmp snooping 5) Enable IGMP Snooping in VLAN 10.
  • Page 317 Configuring Layer 2 Multicast Configuration Examples Switch(config)#interface fastEthernet 1/0/1 Switch(config-if)#ip igmp filter 2 Switch(config-if)#exit 11) Save the settings. Switch(config)#end Switch#copy running-config startup-config Verify the Configurations Show global settings of IGMP Snooping: Switch(config)#show ip igmp snooping IGMP Snooping :Enable IGMP Version Enable Port:Gi1/0/1-4 Enable VLAN:10 Show all profile bindings:...
  • Page 318: Appendix: Default Parameters

    Configuring Layer 2 Multicast Appendix: Default Parameters Appendix: Default Parameters 8.1 Default Parameters for IGMP Snooping Table 8-1 Default Parameters of IGMP Snooping Function Parameter Default Setting IGMP Snooping Disabled IGMP Version Global Settings of IGMP Snooping Unknown Multicast Groups Forward Header Validation Disabled...
  • Page 319: Default Parameters For Mld Snooping

    Configuring Layer 2 Multicast Appendix: Default Parameters Default Parameters for MLD Snooping Table 8-2 Default Parameters of MLD Snooping Function Parameter Default Setting MLD Snooping Disabled Global Settings of IGMP Snooping Unknown Multicast Groups Forward MLD Snooping Disabled Fast Leave Disabled Report Suppression Disabled...
  • Page 320: Default Parameters For Mvr

    Configuring Layer 2 Multicast Appendix: Default Parameters 8.3 Default Parameters for MVR Table 8-3 Default Parameters of MVR Function Parameter Default Setting Disabled MVR Mode Compatible Global Settings of MVR Multicast VLAN ID Query Response Time 5 tenths of a second Maximum Multicast Groups MVR Group Settings MVR Group Entries...
  • Page 321: Configuring Spanning Tree

    Part 11 Configuring Spanning Tree CHAPTERS 1. Spanning Tree 2. STP/RSTP Configurations 3. MSTP Configurations 4. STP Security Configurations 5. Configuration Example for MSTP 6. Appendix: Default Parameters...
  • Page 322: Spanning Tree

    Configuring Spanning Tree Spanning Tree Spanning Tree Overview STP (Spanning Tree Protocol) is a Layer 2 protocol that prevents loops in the network. As shown in Figure 1-1, STP helps to: • Block specific ports of the switches to build a loop-free topology. • Detect topology changes and automatically generate a new loop-free topology...
  • Page 323 Configuring Spanning Tree Spanning Tree [Figure 1-2: STP/RSTP Topology, showing the root bridge and the root, designated, alternate and backup ports] Root Bridge: The root bridge is the root of a spanning tree. The switch with the lowest bridge ID will be the root bridge, and there is only one root bridge in a spanning tree....
  • Page 324 Configuring Spanning Tree Spanning Tree In RSTP/MSTP, the alternate port is the backup for the root port. It is blocked when the root port works normally. Once the root port fails, the alternate port will become the new root port. In STP, the alternate port is always blocked.
  • Page 325 Spanning Tree Learning and Forwarding status correspond exactly to the Learning and Forwarding status specified in STP. In TP-Link switches, the port status includes: Blocking, Learning, Forwarding and Disconnected. • Blocking: In this status, the port receives and sends BPDUs. The other packets are dropped....
  • Page 326: Mstp Concepts

    Configuring Spanning Tree Spanning Tree downstream switch. The value of the accumulated root path cost increases as the BPDU spreads further. BPDU: A BPDU (Bridge Protocol Data Unit) is a packet used to generate and maintain the spanning tree. BPDUs contain information such as the bridge ID, root path cost and port priority....
  • Page 327: Stp Security

    Configuring Spanning Tree Spanning Tree MST Instance The MST instance is a spanning tree running in the MST region. Multiple MST instances can be established in one MST region and they are independent of each other. As is shown in Figure 1-4, there are three instances in a region, and each instance has its own root bridge.
  • Page 328 Configuring Spanning Tree Spanning Tree • Loop Protect: The Loop Protect function is used to prevent loops caused by link congestion or link failures. It is recommended to enable this function on root ports and alternate ports. If the switch cannot receive BPDUs because of link congestion or link failures, the root port will become a designated port and the alternate port will transition to forwarding status, so loops will occur....
  • Page 329 Configuring Spanning Tree Spanning Tree • TC Protect: The TC Protect function is used to prevent the switch from frequently removing MAC address entries. It is recommended to enable this function on the ports of non-root switches. A switch removes MAC address entries upon receiving TC-BPDUs (the packets used to announce changes in the network topology)....
  • Page 330: Stp/Rstp Configurations

    Configuring Spanning Tree STP/RSTP Configurations STP/RSTP Configurations To complete the STP/RSTP configuration, follow these steps: 1) Configure STP/RSTP parameters on ports. 2) Configure STP/RSTP globally. 3) Verify the STP/RSTP configurations. Configuration Guidelines • Before configuring the spanning tree, it's necessary to make clear the role that each switch plays in a spanning tree....
  • Page 331 Configuring Spanning Tree STP/RSTP Configurations 1) In the Port Config section, configure STP/RSTP parameters on ports. UNIT Select the desired unit or LAGs. Status Enable or disable spanning tree function on the desired port. Priority Specify the Priority for the desired port. The value should be an integral multiple of 16, ranging from 0 to 240.
  • Page 332: Configuring Stp/Rstp Globally

    Configuring Spanning Tree STP/RSTP Configurations MCheck Select whether to perform MCheck operations on the port. If a port on an RSTP-enabled/MSTP-enabled device is connected to an STP-enabled device, the port will switch to STP compatible mode and send packets in STP format.
  • Page 333 Configuring Spanning Tree STP/RSTP Configurations Figure 2-2 Configuring STP/RSTP Globally Follow these steps to configure STP/RSTP globally: 1) In the Parameters Config section, configure the global parameters of STP/RSTP and click Apply. CIST Priority Specify the CIST priority for the switch. CIST priority is a parameter used to determine the root bridge for spanning tree.
  • Page 334: Verifying The Stp/Rstp Configurations

    Configuring Spanning Tree STP/RSTP Configurations Max Hops Specify the maximum BPDU counts that can be forwarded in a MST region. The default value is 20. A switch receives BPDU, then decrements the hop count by one and generates BPDUs with the new value. When the hop reaches zero, the switch will discard the BPDU.
  • Page 335 Configuring Spanning Tree STP/RSTP Configurations Figure 2-3 Verifying the STP/RSTP Configurations The STP Summary section shows the summary information of spanning tree : Spanning Tree Displays the status of the spanning tree function. Spanning Tree Mode Displays the spanning tree mode. Local Bridge Displays the bridge ID of the local bridge.
  • Page 336: Using The Cli

    Configuring Spanning Tree STP/RSTP Configurations Designated Bridge Displays the bridge ID of the designated bridge. The designated bridge is the switch that has designated ports. Root Port Displays the root port of the current switch. Latest TC Time Displays the latest time when the topology is changed. TC Count Displays how many times the topology has changed.
  • Page 337 Configuring Spanning Tree STP/RSTP Configurations Step 4 spanning-tree common-config [ port-priority pri ] [ ext-cost ext-cost ] [ portfast { enable | disable }] [ point-to-point { auto | open | close }] Configure STP/RSTP parameters on the desired port . Specify the Priority for the desired port.
  • Page 338: Configuring Global Stp/Rstp Parameters

    Configuring Spanning Tree STP/RSTP Configurations The following example shows how to enable spanning tree function on port 1/0/3 and configure the port priority as 32 : Switch#configure Switch(config)#interface gigabitEthernet 1/0/3 Switch(config-if)#spanning-tree Switch(config-if)#spanning-tree common-config port-priority 32 Switch(config-if)#show spanning-tree interface gigabitEthernet 1/0/3 Interface State Prio...
  • Page 339 Configuring Spanning Tree STP/RSTP Configurations Step 3 spanning-tree timer {[ forward-time forward-time ] [hello-time hello-time ] [ max-age max-age ]} (Optional) Configure the Forward Delay, Hello Time and Max Age. forward-time: Specify the value of Forward Delay. It is the interval between the port state transition from listening to learning....
  • Page 340: Enabling Stp/Rstp Globally

    Configuring Spanning Tree STP/RSTP Configurations Switch#configure Switch(config)#spanning-tree priority 36864 Switch(config)#spanning-tree timer forward-time 12 Switch(config)#show spanning-tree bridge State Mode Priority Hello-Time Fwd-Time Max-Age Hold-Count Max-Hops ------- ----- -------- ------ -------- -------- --------- -------- Enable Rstp 36864 Switch(config)#end Switch#copy running-config startup-config 2.2.3 Enabling STP/RSTP Globally Follow these steps to configure the spanning tree mode as STP/RSTP, and enable spanning tree function globally: Step 1...
  • Page 341 Configuring Spanning Tree STP/RSTP Configurations Switch(config)#show spanning-tree active Spanning tree is enabled Spanning-tree’s mode: RSTP (802.1w Rapid Spanning Tree Protocol) Latest topology change time: 2006-01-02 10:04:02 Root Bridge Priority : 32768 Address : 00-0a-eb-13-12-ba Local bridge is the root bridge Designated Bridge Priority : 32768...
  • Page 342: Mstp Configurations

    Configuring Spanning Tree MSTP Configurations MSTP Configurations To complete the MSTP configuration, follow these steps: 1) Configure parameters on ports in CIST. 2) Configure the MSTP region. 3) Configure the MSTP globally. 4) Verify the MSTP configurations. Configuration Guidelines • Before configuring the spanning tree, it's necessary to make clear the role that each switch plays in a spanning tree....
  • Page 343 Configuring Spanning Tree MSTP Configurations Follow these steps to configure parameters on ports in CIST: 1) In the Port Config section, configure the parameters on ports. UNIT Select the desired unit or LAGs. Status Enable or disable spanning tree function on the desired port. Priority Specify the Priority for the desired port.
  • Page 344 Configuring Spanning Tree MSTP Configurations P2P Link Select the status of the P2P (Point-to-Point) link to which the ports are connected. During the regeneration of the spanning tree, if the port of P2P link is elected as the root port or the designated port, it can transit its state to forwarding directly.
  • Page 345: Configuring The Mstp Region

    Configuring Spanning Tree MSTP Configurations Port Status Displays the port status. Forwarding: The port receives and sends BPDUs, and forwards user data. Learning: The port receives and sends BPDUs. It also receives user traffic, but doesn’t forward the traffic. Blocking: The port only receives and sends BPDUs. Disconnected: The port has the spanning tree function enabled but is not connected to any device.
  • Page 346 Configuring Spanning Tree MSTP Configurations • Configuring the VLAN-Instance Mapping and Switch Priority Choose the menu L2 FEATURES > Spanning Tree > MSTP Instance > Instance Config to load the following page. Figure 3-3 Configuring the VLAN-Instance Mapping Follow these steps to map VLANs to the corresponding instance, and configure the priority of the switch in the desired instance: 1) In the Instance Config section, click Add and enter the instance ID, Priority and corresponding VLAN ID.
  • Page 347 Configuring Spanning Tree MSTP Configurations • Configuring Parameters on Ports in the Instance Choose the menu L2 FEATURES > Spanning Tree > MSTP Instance > Instance Port Config to load the following page. Figure 3-5 Configuring Port Parameters in the Instance Follow these steps to configure port parameters in the instance: 1) In the Instance Port Config section, select the desired instance ID.
  • Page 348 Configuring Spanning Tree MSTP Configurations Port Role Displays the role that the port plays in the desired instance. Root Port: Indicates that the port is the root port in the desired instance. It has the lowest path cost from the root bridge to this switch and is used to communicate with the root bridge.
  • Page 349: Configuring Mstp Globally

    Configuring Spanning Tree MSTP Configurations 3.1.3 Configuring MSTP Globally Choose the menu L2 FEATURES > Spanning Tree > STP Config > STP Config to load the following page. Figure 3-6 Configure MSTP Function Globally Follow these steps to configure MSTP globally: 1) In the Parameters Config section, Configure the global parameters of MSTP and click Apply.
  • Page 350 Configuring Spanning Tree MSTP Configurations Forward Delay Specify the interval between the port state transition from listening to learning. The default value is 15. It is used to prevent the network from causing temporary loops during the regeneration of spanning tree. The interval between the port state transition from learning to forwarding is also the Forward Delay.
  • Page 351: Verifying The Mstp Configurations

    Configuring Spanning Tree MSTP Configurations 3.1.4 Verifying the MSTP Configurations Choose the menu Spanning Tree > STP Config > STP Summary to load the following page. Figure 3-7 Verifying the MSTP Configurations The STP Summary section shows the summary information of CIST: Spanning Tree Displays the status of the spanning tree function.
  • Page 352: Using The Cli

    Configuring Spanning Tree MSTP Configurations Regional Root Bridge Displays the bridge ID of the root bridge in IST. Internal Path Cost Displays the internal path cost. It is the root path cost from the current switch to the root bridge in IST. Designated Bridge Displays the bridge ID of the designated bridge in CIST.
  • Page 353 Configuring Spanning Tree MSTP Configurations Step 3 spanning-tree Enable spanning tree function for the desired port. Step 4 spanning-tree common-config [ port-priority pri ] [ ext-cost ext-cost ] [ int-cost int-cost ][ portfast { enable | disable }] [ point-to-point { auto | open | close }] Configure the parameters on ports in CIST.
  • Page 354: Configuring The Mstp Region

    Configuring Spanning Tree MSTP Configurations Step 7 Return to privileged EXEC mode. Step 8 copy running-config startup-config Save the settings in the configuration file. This example shows how to enable spanning tree function for port 1/0/3 and configure the port priority as 32 : Switch#configure Switch(config)#interface gigabitEthernet 1/0/3 Switch(config-if)#spanning-tree...
  • Page 355 Configuring Spanning Tree MSTP Configurations Step 2 spanning-tree mst instance instance-id priority pri Configure the priority of the switch in the instance. instance-id: Specify the instance ID. The valid values range from 1 to 8. pri: Specify the priority for the switch in the corresponding instance. The value should be an integral multiple of 4096, ranging from 0 to 61440.
  • Page 356 Configuring Spanning Tree MSTP Configurations Switch(config)#spanning-tree mst configuration Switch(config-mst)#name R1 Switch(config-mst)#revision 100 Switch(config-mst)#instance 5 vlan 2-6 Switch(config-mst)#show spanning-tree mst configuration Region-Name : R1 Revision : 100 MST-Instance Vlans-Mapped ---------------- ------------------------------------------------------------ 1,7-4094 2-6, ---------------------------------------------------------------------------- Switch(config-mst)#end Switch#copy running-config startup-config • Configuring the Parameters on Ports in Instance Follow these steps to configure the priority and path cost of ports in the specified instance: Step 1 configure...
  • Page 357: Configuring Global Mstp Parameters

    Configuring Spanning Tree MSTP Configurations Step 4 show spanning-tree mst { configuration [ digest ] | instance instance-id [ interface [ fastEthernet port | gigabitEthernet port | port-channel lagid | ten-gigabitEthernet port ] ] } (Optional) View the related information of MSTP Instance. Specify to display the digest calculated by instance-vlan map.
  • Page 358 Configuring Spanning Tree MSTP Configurations Step 2 spanning-tree priority pri Configure the priority of the switch for comparison in CIST. pri: Specify the priority for the switch. The valid values range from 0 to 61440 and must be divisible by 4096. The priority is a parameter used to determine the root bridge for spanning tree. The switch with the lower value has the higher priority....
  • Page 359: Enabling Spanning Tree Globally

    Configuring Spanning Tree MSTP Configurations Note: To prevent frequent network flapping, make sure that Hello Time, Forward Delay, and Max Age conform to the following formulas: • 2*(Hello Time + 1) <= Max Age • 2*(Forward Delay - 1) >= Max Age...
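The value constraints this guide states for spanning tree (the two timer formulas in the note above, bridge priorities that are multiples of 4096 in 0 to 61440, port priorities that are multiples of 16 in 0 to 240, instance IDs 1 to 8) can be checked against planned CLI lines before they are applied. The Python script below is an added example, not TP-Link code; the function names and both sample inputs are constructed for illustration, and it parses only commands that appear in this guide.

```python
import re

# Defaults listed in the guide: Hello Time 2 s, Forward Delay 15 s, Max Age 20 s.
DEFAULT_TIMERS = {"hello-time": 2, "forward-time": 15, "max-age": 20}

# Constructed sample 1: the values used in the guide's own CLI examples.
GUIDE_SAMPLE = """\
Switch(config)#spanning-tree priority 36864
Switch(config)#spanning-tree timer forward-time 12
Switch(config-if)#spanning-tree common-config port-priority 32
"""

# Constructed sample 2: a change request containing four mistakes.
BAD_SAMPLE = """\
spanning-tree priority 30000
spanning-tree timer forward-time 10
spanning-tree mst instance 9 priority 4096
spanning-tree common-config port-priority 100
"""


def check_timers(hello, forward, max_age):
    """Return the timer formulas from the guide's note that the values break."""
    problems = []
    if not 2 * (hello + 1) <= max_age:
        problems.append(f"2*(Hello Time + 1) <= Max Age fails: 2*({hello}+1) > {max_age}")
    if not 2 * (forward - 1) >= max_age:
        problems.append(f"2*(Forward Delay - 1) >= Max Age fails: 2*({forward}-1) < {max_age}")
    return problems


def check_step(value, step, maximum, label):
    """A priority must be an integral multiple of `step` within 0..maximum."""
    if not 0 <= value <= maximum or value % step:
        return [f"{label} {value} is not a multiple of {step} in 0..{maximum}"]
    return []


def audit(config_text):
    """Audit spanning-tree lines; return a list of (line_no, finding) tuples."""
    timers = dict(DEFAULT_TIMERS)
    timer_line = None
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        cmd = raw.split("#", 1)[-1].strip()  # drop a "Switch(config)#" prompt if present
        if not cmd.startswith("spanning-tree"):
            continue
        problems = []
        m = re.fullmatch(r"spanning-tree priority (\d+)", cmd)
        if m:
            problems += check_step(int(m.group(1)), 4096, 61440, "bridge priority")
        m = re.fullmatch(r"spanning-tree mst instance (\d+) priority (\d+)", cmd)
        if m:
            inst, pri = int(m.group(1)), int(m.group(2))
            if not 1 <= inst <= 8:
                problems.append(f"instance ID {inst} is outside 1..8")
            problems += check_step(pri, 4096, 61440, f"instance {inst} priority")
        m = re.search(r"\bport-priority (\d+)", cmd)
        if m:
            problems += check_step(int(m.group(1)), 16, 240, "port priority")
        if cmd.startswith("spanning-tree timer"):
            for name, val in re.findall(r"(hello-time|forward-time|max-age) (\d+)", cmd):
                timers[name] = int(val)
            timer_line = no
        findings += [(no, p) for p in problems]
    # Timers are judged once, after every override has been merged with the
    # defaults: changing a single timer can break a formula against a default.
    for p in check_timers(timers["hello-time"], timers["forward-time"], timers["max-age"]):
        findings.append((timer_line, p))
    return findings


if __name__ == "__main__":
    for name, text in (("guide", GUIDE_SAMPLE), ("bad", BAD_SAMPLE)):
        for line_no, finding in audit(text):
            print(f"{name}:{line_no}: {finding}")
```

The second sample shows the case the note is about: forward-time 10 looks harmless on its own, but against the default Max Age of 20 seconds it breaks 2*(Forward Delay - 1) >= Max Age.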
  • Page 360 Configuring Spanning Tree MSTP Configurations Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file. This example shows how to configure the spanning tree mode as MSTP and enable spanning tree function globally : Switch#configure Switch(config)#spanning-tree mode mstp Switch(config)#spanning-tree...
  • Page 361 Configuring Spanning Tree MSTP Configurations Interface State Prio Ext-Cost Int-Cost Edge Mode Role Status ---------- ------- ---- -------- -------- ---- --------- ----- ----- ------- Gi/0/16 Enable 128 200000 200000 Yes(auto) Mstp Altn Gi/0/20 Enable 128 200000 200000 Yes(auto) Mstp Root MST-Instance 1 Root Bridge Priority...
  • Page 362: Stp Security Configurations

    Configuring Spanning Tree STP Security Configurations STP Security Configurations Using the GUI Choose the menu L2 FEATURES > Spanning Tree > STP Security to load the following page. Figure 4-1 Configuring the Port Protect Configure the Port Protect features for the selected ports, and click Apply. UNIT Select the desired unit or LAGs for configuration.
  • Page 363: Using The Cli

    Configuring Spanning Tree STP Security Configurations Root Protect Enable or disable Root Protect. It is recommended to enable this function on the designated ports of the root bridge. Switches with faulty configurations may produce higher-priority BPDUs than the root bridge’s, and this situation will cause recalculation of the spanning tree.
  • Page 364 Configuring Spanning Tree STP Security Configurations Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 3 spanning-tree guard loop (Optional) Enable Loop Protect.
  • Page 365 Configuring Spanning Tree STP Security Configurations Step 8 spanning-tree bpduflood (Optional) Enable BPDU Forward. This function only takes effect when the spanning tree function is disabled globally. By default, it is enabled. With BPDU forward enabled, the port can still forward spanning tree BPDUs when the spanning tree function is disabled.
  • Page 366: Configuration Example For Mstp

    Configuring Spanning Tree Configuration Example for MSTP Configuration Example for MSTP MSTP, backwards-compatible with STP and RSTP, can map VLANs to instances to implement load-balancing, thus providing a more flexible method in network management. Here we take the MSTP configuration as an example. Network Requirements As shown in figure 5-1, the network consists of three switches.
  • Page 367: Using The Gui

    Configuring Spanning Tree Configuration Example for MSTP Figure 5-2 VLAN-Instance Mapping Switch A Gi1/0/1 Gi1/0/1 Gi1/0/1 Switch B Switch C Instance 1: VLAN 101 -VLAN 103 Instance 2: VLAN 104 -VLAN 106 Blocked Port The overview of configuration is as follows: 1) Enable the Spanning Tree function on the ports in each switch.
  • Page 368 Configuring Spanning Tree Configuration Example for MSTP Figure 5-3 Enable Spanning Tree Function on Ports 2) Choose the menu L2 FEATURES > Spanning Tree > MSTP Instance > Region Config to load the following page. Set the region name as 1 and the revision level as 100. Click Apply.
  • Page 369 Configuring Spanning Tree Configuration Example for MSTP Figure 5-6 Configure the Path Cost of Port 1/0/1 In Instance 1 5) Choose the menu L2 FEATURES > Spanning Tree > STP Config > STP Config to load the following page. Enable MSTP function globally, here we leave the values of the other global parameters as default settings.
  • Page 370 Configuring Spanning Tree Configuration Example for MSTP Figure 5-8 Enable Spanning Tree Function on Ports 2) Choose the menu L2 FEATURES > Spanning Tree > MSTP Instance > Region Config to load the following page. Set the region name as 1 and the revision level as 100. Click Apply.
  • Page 371 Configuring Spanning Tree Configuration Example for MSTP Figure 5-11 Configure the Path Cost of Port 1/0/2 in Instance 2 5) Choose the menu L2 FEATURES > Spanning Tree > STP Config > STP Config to load the following page. Enable MSTP function globally. Here we leave the values of the other global parameters as default settings.
  • Page 372 Configuring Spanning Tree Configuration Example for MSTP Figure 5-13 Enable Spanning Tree Function on Ports 2) Choose the menu Spanning Tree > MSTP Instance > Region Config to load the following page. Set the region name as 1 and the revision level as 100. Click Apply. Figure 5-14 Configuring the Region 3) Choose the menu L2 FEATURES >...
  • Page 373: Using The Cli

    Configuring Spanning Tree Configuration Example for MSTP Figure 5-16 Configuring the MSTP Globally 5) Click to save the settings. Using the CLI • Configurations for Switch A 1) Enable the spanning tree function on port 1/0/1 and port 1/0/2, and specify the path cost of port 1/0/1 in instance 1 as 400000.
  • Page 374 Configuring Spanning Tree Configuration Example for MSTP Switch(config-mst)#instance 2 vlan 104-106 Switch(config-mst)#exit 3) Configure the spanning tree mode as MSTP, then enable spanning tree function globally. Switch(config)#spanning-tree mode mstp Switch(config)#spanning-tree Switch(config)#end Switch#copy running-config startup-config • Configurations for Switch B 1) Enable the spanning tree function on port 1/0/1 and port 1/0/2, and specify the path cost of port 1/0/2 in instance 2 as 400000.
  • Page 375 Configuring Spanning Tree Configuration Example for MSTP Switch(config)#spanning-tree Switch(config)#end Switch#copy running-config startup-config • Configurations for Switch C 1) Enable the spanning tree function on port 1/0/1 and port 1/0/2. Switch#configure Switch(config)#interface range gigabitEthernet 1/0/1-2 Switch(config-if-range)#spanning-tree Switch(config-if-range)#exit 2) Configure the region name as 1, the revision number as 100; map VLAN101-VLAN103 to instance 1;...
  • Page 376 Configuring Spanning Tree Configuration Example for MSTP Priority Address : 00-0a-eb-13-12-ba Internal Cost : 400000 Root Port Designated Bridge Priority Address : 00-0a-eb-13-12-ba Local Bridge Priority : 32768 Address : 00-0a-eb-13-23-97 Interface Prio Cost Role Status --------- ---- -------- ------ ----- ---- Gi1/0/1...
  • Page 377 Configuring Spanning Tree Configuration Example for MSTP Address : 00-0a-eb-13-23-97 Interface Prio Cost Role Status --------- ---- -------- ------- ------- ---- Gi1/0/1 200000 Desg Gi1/0/2 200000 Root • Switch B Verify the configurations of Switch B in instance 1: Switch(config)#show spanning-tree mst instance 1 MST-Instance 1 Root Bridge Priority...
  • Page 378 Configuring Spanning Tree Configuration Example for MSTP Internal Cost : 400000 Root Port Designated Bridge Priority Address : 3c-46-d8-9d-88-f7 Local Bridge Priority : 32768 Address : 00-0a-eb-13-12-ba Interface Prio Cost Role Status --------- ---- -------- ------- ------- Gi1/0/1 200000 Altn Gi1/0/2 200000 Root • Switch C...
  • Page 379 Configuring Spanning Tree Configuration Example for MSTP Gi1/0/2 200000 Root Verify the configurations of Switch C in instance 2: Switch(config)#show spanning-tree mst instance 2 MST-Instance 2 Root Bridge Priority Address : 3c-46-d8-9d-88-f7 Local bridge is the root bridge Designated Bridge Priority Address : 3c-46-d8-9d-88-f7...
  • Page 380: Appendix: Default Parameters

    Configuring Spanning Tree Appendix: Default Parameters Appendix: Default Parameters Default settings of the Spanning Tree feature are listed in the following table. Table 6-1 Default Settings of the Global Parameters Parameter Default Setting Spanning-tree Disabled Mode CIST Priority 32768 Hello Time 2 seconds Max Age 20 seconds...
  • Page 381 Configuring Spanning Tree Appendix: Default Parameters Parameter Default Setting Priority 32768 Port Priority Path Cost Auto Table 6-4 Default Settings of the STP Security Parameter Default Setting Loop Protect Disabled Root Protect Disabled TC Guard Disabled BPDU Protect Disabled BPDU Filter Disabled BPDU Forward Enabled...
  • Page 382 Part 12 Configuring LLDP CHAPTERS 1. LLDP 2. LLDP Configurations 3. LLDP-MED Configurations 4. Viewing LLDP Settings 5. Viewing LLDP-MED Settings 6. Configuration Example 7. Appendix: Default Parameters...
  • Page 383 Configuring LLDP LLDP LLDP Overview LLDP (Link Layer Discovery Protocol) is a neighbor discovery protocol that is used for network devices to advertise information about themselves to other devices on the network. This protocol is defined by the IEEE 802.1AB standard and runs over Layer 2 (the data-link layer), which allows for interoperability between network devices of different vendors.
  • Page 384 Configuring LLDP LLDP Configurations LLDP Configurations To configure the LLDP function, follow these steps: 1) Configure the LLDP feature globally. 2) Configure the LLDP feature for the port. 2.1 Using the GUI 2.1.1 Configuring LLDP Globally Choose the L2 FEATURES > LLDP > LLDP Config > Global Config to load the following page.
  • Page 385 Configuring LLDP LLDP Configurations Follow these steps to configure the LLDP feature globally. 1) In the Global Config section, enable LLDP. You can also enable the switch to forward LLDP messages when LLDP function is disabled. Click Apply. LLDP Enable LLDP function globally. LLDP (Optional) Enable the switch to forward LLDP messages when LLDP function is Forwarding...
  • Page 386 Configuring LLDP LLDP Configurations 2.1.2 Configuring LLDP For the Port Choose the menu L2 FEATURES > LLDP > LLDP Config > Port Config to load the following page. Figure 2-2 Port Config Follow these steps to configure the LLDP feature for the interface. 1) Select one or more ports to configure.
  • Page 387 Configuring LLDP LLDP Configurations Included TLVs Configure the TLVs included in the outgoing LLDP packets. The switch supports the following TLVs: PD: Used to advertise the port description defined by the IEEE 802 LAN station. SC: Used to advertise the supported functions and whether or not these functions are enabled.
  • Page 388 Configuring LLDP LLDP Configurations Step 3 lldp forward_message (Optional) Enable the switch to forward LLDP messages when LLDP function is disabled. Step 4 lldp hold-multiplier multiplier (Optional) Specify the amount of time the neighbor device should hold the received information before discarding it. This parameter is a multiplier on the Transmit Interval that determines the actual TTL (Time To Live) value used in an LLDP packet.
  • Page 389 Configuring LLDP LLDP Configurations Switch(config)#lldp timer tx-delay 2 Switch(config)#lldp timer reinit-delay 3 Switch(config)#lldp timer notify-interval 5 Switch(config)#lldp timer fast-count 3 Switch(config)#show lldp LLDP Status: Enabled LLDP Forward Message: Disabled Tx Interval: 30 seconds TTL Multiplier: 4 Tx Delay: 2 seconds Initialization Delay: 2 seconds Trap Notification Interval: 5 seconds Fast-packet Count: 3...
  • Page 390 Configuring LLDP LLDP Configurations Step 6 lldp tlv-select (Optional) Configure the TLVs included in the outgoing LLDP packets. By default, the outgoing LLDP packets include all TLVs. Step 7 show lldp interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } Display LLDP configuration of the corresponding port.
  • Page 391 Configuring LLDP LLDP Configurations Port-VLAN-ID Protocol-VLAN-ID VLAN-Name Link-Aggregation MAC-Physic Max-Frame-Size Power Switch(config-if)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 392 Configuring LLDP LLDP-MED Configurations LLDP-MED Configurations To configure the LLDP-MED function, follow these steps: 1) Enable LLDP feature globally and configure the LLDP parameters for the ports. 2) Configure LLDP-MED fast repeat count globally. 3) Enable and configure the LLDP-MED feature on the port. Configuration Guidelines LLDP-MED is used together with Auto VoIP to implement VoIP access.
  • Page 393 Configuring LLDP LLDP-MED Configurations Device Class Display the current device class. LLDP-MED defines two device classes, Network Connectivity Device and Endpoint Device. The switch is a Network Connectivity device. 3.1.2 Configuring LLDP-MED for Ports Choose the menu L2 FEATURES > LLDP > LLDP-MED Config > Port Config to load the following page.
  • Page 394 Configuring LLDP LLDP-MED Configurations Figure 3-3 LLDP-MED Port Config-Detail Network Policy Used to advertise VLAN configuration and the associated Layer 2 and Layer 3 attributes of the port to the endpoint devices. Location Used to assign the location identifier information to the Endpoint devices. Identification If this option is selected, you can configure the emergency number and the detailed address of the endpoint device in the Location Identification Parameters...
  • Page 395 Configuring LLDP LLDP-MED Configurations Civic Address Configure the address of the audio device in the IETF defined address format. What: Specify the role type of the local device, DHCP Server, Switch or LLDP-MED Endpoint. Country Code: Enter the country code defined by ISO 3166 , for example, CN, US. Language, Province/State etc.: Enter the regular details.
  • Page 396 Configuring LLDP LLDP-MED Configurations TTL Multiplier: Tx Delay: 2 seconds Initialization Delay: 2 seconds Trap Notification Interval: 5 seconds Fast-packet Count: LLDP-MED Fast Start Repeat Count: Switch(config)#end Switch#copy running-config startup-config 3.2.2 Port Config Select the desired port, enable LLDP-MED and select the TLVs (Type/Length/Value) included in the outgoing LLDP packets according to your needs.
  • Page 397 Configuring LLDP LLDP-MED Configurations Step 6 Return to Privileged EXEC Mode. Step 7 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable LLDP-MED on port 1/0/1, configure the LLDP-MED TLVs included in the outgoing LLDP packets. Switch(config)#lldp Switch(config)#lldp med-fast-count 4 Switch(config)#interface gigabitEthernet 1/0/1...
  • Page 398 Configuring LLDP LLDP-MED Configurations LLDP-MED Status: Enabled TLV Status --- ------ Network Policy Location Identification Extended Power Via MDI Inventory Management Switch(config)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 399 Configuring LLDP Viewing LLDP Settings Viewing LLDP Settings This chapter introduces how to view the LLDP settings on the local device. Using GUI 4.1.1 Viewing LLDP Device Info • Viewing the Local Info Choose the menu L2 FEATURES > LLDP > LLDP Config > Local Info to load the following page.
  • Page 400 Configuring LLDP Viewing LLDP Settings Follow these steps to view the local information: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs. Click Apply. 2) In the Local Info section, select the desired port and view its associated local device information.
  • Page 401 Configuring LLDP Viewing LLDP Settings Port And Protocol Displays whether the local device supports port and protocol VLAN feature. Supported Port And Protocol Displays the status of the port and protocol VLAN feature. VLAN Enabled VLAN Name of Displays the VLAN name of VLAN 1 for the local device. VLAN 1 Protocol Identify Displays the particular protocol that the local device wants to advise.
  • Page 402 Configuring LLDP Viewing LLDP Settings  Viewing the Neighbor Info Choose the menu L2 FEATURES > LLDP > LLDP Config > Neighbor Info to load the following page. Figure 4-2 Neighbor Info Follow these steps to view the neighbor information: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs.
  • Page 403 Configuring LLDP Viewing LLDP Settings 4.1.2 Viewing LLDP Statistics Choose the menu L2 FEATURES > LLDP > LLDP Config > Statistics Info to load the following page. Figure 4-3 Static Info Follow these steps to view LLDP statistics: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs.
  • Page 404 Configuring LLDP Viewing LLDP Settings Total Age-outs Displays the latest number of neighbors that have aged out on the local device. 3) In the Neighbors Statistics section, view the statistics of the corresponding port. Transmit Total Displays the total number of the LLDP packets sent via the port. Receive Total Displays the total number of the LLDP packets received via the port.
  • Page 405 Configuring LLDP Viewing LLDP-MED Settings Viewing LLDP-MED Settings Using GUI Choose the menu L2 FEATURES > LLDP > LLDP-MED Config > Local Info to load the following page.  Viewing the Local Info Figure 5-1 LLDP-MED Local Info Configuration Guide...
  • Page 406 Configuring LLDP Viewing LLDP-MED Settings Follow these steps to view LLDP-MED local information: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs. Click Apply. 2) In the LLDP-MED Local Info section, select the desired port and view the LLDP-MED settings.
  • Page 407 Configuring LLDP Viewing LLDP-MED Settings Serial Number Displays the serial number of the local device. Manufacturer Displays the manufacturer name of the local device. Name Model Name Displays the model name of the local device. Asset ID Displays the asset ID of the local device.  Viewing the Neighbor Info Choose the menu L2 FEATURES >...
  • Page 408 Configuring LLDP Viewing LLDP-MED Settings 5.2 Using CLI  Viewing the Local Info show lldp local-information interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } View the LLDP details of a specific port or all the ports on the local device.  Viewing the Neighbor Info show lldp neighbor-information interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port }...
  • Page 409 Configuring LLDP Configuration Example Configuration Example Network Requirements The network administrator needs to view the information of the devices in the company network to know about the link situation and network topology so that he can troubleshoot the potential network faults in advance. Network Topology The example uses the following situation: Port Fa1/0/1 on Switch A is directly connected to port Fa1/0/2 on Switch B.
  • Page 410 Configuring LLDP Configuration Example Figure 6-2 LLDP Global Config 2) Choose the menu L2 FEATURES > LLDP > LLDP Config > Port Config to load the following page. Set the Admin Status of port Fa1/0/1 as Tx&Rx, enable Notification Mode and configure all the TLVs included in the outgoing LLDP packets. Figure 6-3 LLDP Port Config 6.5 Using CLI 1) Enable LLDP globally and configure the corresponding parameters.
  • Page 411 Configuring LLDP Configuration Example Switch_A(config)#lldp Switch_A(config)#lldp hold-multiplier 4 Switch_A(config)#lldp timer tx-interval 30 Switch_A(config)#lldp timer tx-delay 2 Switch_A(config)#lldp timer reinit-delay 3 Switch_A(config)#lldp timer notify-interval 5 Switch_A(config)#lldp timer fast-count 3 2) Set the Admin Status of port Fa1/0/1 to Tx&Rx, enable Notification Mode and configure all the TLVs included in the outgoing LLDP packets.
  • Page 412 Configuring LLDP Configuration Example Switch_A#show lldp interface fastEthernet 1/0/1 LLDP interface config: fastEthernet 1/0/1: Admin Status: TxRx SNMP Trap: Enabled Status ------ Port-Description System-Capability System-Description System-Name Management-Address Port-VLAN-ID Protocol-VLAN-ID VLAN-Name Link-Aggregation MAC-Physic Max-Frame-Size Power LLDP-MED Status: Disabled Status ------ Network Policy Location Identification Extended Power Via MDI Inventory Management...
  • Page 413 Configuring LLDP Configuration Example Chassis type: MAC address Chassis ID: 00:0A:EB:13:A2:11 Port ID type: Interface name Port ID: FastEthernet1/0/1 Port description: FastEthernet1/0/1 Interface TTL: System name: T1500-28PCT System description: JetStream 24-Port 10/100Mbps + 4 -Port Gigabit Smart PoE+ Switch System capabilities supported: Bridge System capabilities enabled: Bridge...
  • Page 414 Power Type: PSE Device Power Source: Primary Power Priority: Power Value: 30.0w Hardware Revision: T15000-28PCT 3.0 Firmware Revision: Reserved Software Revision: 3.0.0 Build 20180309 Rel.34341(s) Serial Number: Reserved Manufacturer Name: TP-Link Model Name: T1500-28PCT 3.0 Asset ID: unknown Configuration Guide...
  • Page 415 Configuring LLDP Configuration Example View the Neighbor Info Switch_A#show lldp neighbor-information interface fastEthernet 1/0/1 LLDP Neighbor Information: fastEthernet 1/0/1: Neighbor index 1: Chassis type: MAC address Chassis ID: 00:0A:EB:13:18:2D Port ID type: Interface name Port ID: GigabitEthernet1/0/2 Port description: GigabitEthernet1/0/2 Interface TTL: System name: T1500-28PCT...
  • Page 416 Configuring LLDP Configuration Example Link aggregation supported: Link aggregation enabled: Aggregation port ID: Power port class: PSE power supported: PSE power enabled: PSE pairs control ability: Maximum frame size: 1518 Configuration Guide...
  • Page 417 Configuring LLDP Appendix: Default Parameters Appendix: Default Parameters Default settings of LLDP are listed in the following tables. Default LLDP Settings Table 7-1 Default LLDP Settings Parameter Default Setting LLDP Disable LLDP Forward Message Disable Transmit Interval 30 seconds Hold Multiplier Transmit Delay 2 seconds Reinitialization Delay...
  • Page 418 Part 13 Configuring DHCP Service CHAPTERS 1. DHCP 2. DHCP Relay Configuration 3. DHCP L2 Relay Configuration 4. Example for DHCP VLAN Relay 5. Appendix: Default Parameters...
  • Page 419 Configuring DHCP Service DHCP DHCP Overview DHCP (Dynamic Host Configuration Protocol) is widely used to automatically assign IP addresses and other network configuration parameters to network devices, enhancing the utilization of IP addresses. Supported Features The supported DHCP features of the switch include DHCP Relay and DHCP L2 Relay. DHCP Relay DHCP Relay is used to process and forward DHCP packets between different subnets or VLANs.
  • Page 420 192.168.2.0/24 192.168.0.0/24 Note: For T1500 series switches, only the management VLAN interface can be specified as the default relay agent interface. DHCP L2 Relay Unlike DHCP relay, DHCP L2 Relay is used when the DHCP server and client are in the same VLAN.
  • Page 421 Configuring DHCP Service DHCP Relay Configuration DHCP Relay Configuration To complete DHCP Relay configuration, follow these steps: 1) Enable DHCP Relay. Configure Option 82 if needed. 2) Specify DHCP server for the Interface or VLAN. Using the GUI 2.1.1 Enabling DHCP Relay and Configuring Option 82 Choose the menu L3 FEATURES >...
  • Page 422 Configuring DHCP Service DHCP Relay Configuration DHCP Relay Enable DHCP Relay globally. DHCP Relay Specify the DHCP relay hops. Hops DHCP Relay Hops defines the maximum number of hops (DHCP Relay agent) that the DHCP packets can be relayed. If a packet’s hop count is more than the value you set here, the packet will be dropped.
  • Page 423 Configuring DHCP Service DHCP Relay Configuration Remote ID Enter the customized remote ID, which contains up to 64 characters. The remote ID configurations of the switch and the DHCP server should be compatible with each other. 3) Click Apply. 2.1.2 Configuring DHCP VLAN Relay DHCP VLAN Relay allows clients in VLANs that have no Layer 3 interface as the gateway to obtain IP addresses from a DHCP server that is not in the same subnet as the clients.
  • Page 424 Configuring DHCP Service DHCP Relay Configuration Specify the VLAN that the clients belong to and the IP address of the DHCP server. Click Create. VLAN ID Specify the VLAN, in which the clients can get IP addresses from the DHCP server.
  • Page 425 Configuring DHCP Service DHCP Relay Configuration Switch(config)#show ip dhcp relay DHCP relay state: enabled ..Switch(config)#end Switch#copy running-config startup-config 2.2.2 (Optional) Configuring Option 82 Follow these steps to configure Option 82: Step 1 configure Enter global configuration mode. Step 2 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Enter interface configuration mode.
  • Page 426 Configuring DHCP Service DHCP Relay Configuration Step 7 ip dhcp relay information remote-id string Configure the remote ID. The remote ID configurations of the switch and the DHCP server should be compatible with each other. Enter the remote ID, which contains up to 64 characters. string: Step 8 show ip dhcp relay information interface { fastEthernet port | gigabitEthernet port | ten-...
  • Page 427 Configuring DHCP Service DHCP Relay Configuration Step 2 Enter VLAN interface configuration mode: interface vlan vlan-id : Specify a VLAN interface. Only VLAN 1 (the management VLAN) is supported. vlan-id Step 3 ip dhcp relay default-interface Set the management VLAN interface as the default relay agent interface. Step 4 ip dhcp relay vlan vid helper-address ip-address Specify the VLAN ID and the DHCP server.
  • Page 428 Configuring DHCP Service DHCP L2 Relay Configuration DHCP L2 Relay Configuration To complete DHCP L2 Relay configuration, follow these steps: 1) Enable DHCP L2 Relay. 2) Configure Option 82 for ports. 3.1 Using the GUI 3.1.1 Enabling DHCP L2 Relay Choose the menu L3 FEATURES >...
  • Page 429 Configuring DHCP Service DHCP L2 Relay Configuration 3.1.1 Configuring Option 82 for Ports Choose the menu L3 FEATURES > DHCP Service > DHCP L2 Relay > Port Config to load the following page. Figure 3-1 Configure Option 82 for Ports Follow these steps to enable DHCP Relay and configure Option 82: 1) Select one or more ports to configure Option 82.
  • Page 430 Configuring DHCP Service DHCP L2 Relay Configuration Circuit ID Enable or disable Customization of Option 82. If enabled, you need to configure Customization Option 82 information manually; If disabled, the switch will automatically configure the VLAN ID and the ID of the port that receives the DHCP packets as the circuit Circuit ID Enter the customized circuit ID, which contains up to 64 characters.
  • Page 431 Configuring DHCP Service DHCP L2 Relay Configuration Switch(config)#ip dhcp l2relay vlan 2 Switch(config)#show ip dhcp l2relay Global Status: Enable VLAN ID: 2 Switch(config)#end Switch#copy running-config startup-config 3.2.2 Configuring Option 82 for Ports Follow these steps to configure Option 82: Step 1 configure Enter global configuration mode.
  • Page 432 Configuring DHCP Service DHCP L2 Relay Configuration Step 7 ip dhcp l2relay information remote-id string Configure the remote ID. The remote ID configurations of the switch and the DHCP server should be compatible with each other. Enter the remote ID, which contains up to 64 characters. string: Step 8 show ip dhcp l2relay information interface { fastEthernet port | gigabitEthernet port |...
  • Page 433 Configuring DHCP Service Example for DHCP VLAN Relay Example for DHCP VLAN Relay Network Requirements The Marketing department and the R&D department belong to two separate VLANs. Neither VLAN has a Layer 3 gateway. The administrator deploys one DHCP server on the network, and wants the server to assign IP addresses to the two departments.
  • Page 434 Configuring DHCP Service Example for DHCP VLAN Relay In this example, the DHCP server is demonstrated with T1500G-10PS and the DHCP relay agent is demonstrated with T1500G-28PCT. This chapter provides configuration procedures in two ways: using the GUI and using the CLI. 4.3 Using the GUI  Configuring the DHCP Server 1) Choose the menu L3 FEATURES >...
  • Page 435 Configuring DHCP Service Example for DHCP VLAN Relay department and R&D department respectively. Add port 1/0/1 to VLAN 10 and port 1/0/2 to VLAN 20. Figure 4-4 Creating VLAN 10 Configuration Guide...
  • Page 436 Configuring DHCP Service Example for DHCP VLAN Relay Figure 4-5 Creating VLAN 20  Configuring DHCP VLAN Relay on the Relay Agent 1) Choose the menu L3 FEATURES > DHCP Service > DHCP Relay > DHCP Relay Config to load the following page. In the Global Config section, enable DHCP Relay, and click Apply.
  • Page 437 Configuring DHCP Service Example for DHCP VLAN Relay Figure 4-7 Specify the Default Relay Agent Interface 3) Choose the menu L3 FEATURES > DHCP Service > DHCP Relay > DHCP VLAN Relay and click to load the following page. Specify the DHCP server address for the clients in VLAN 10 and VLAN 20.
  • Page 438 Configuring DHCP Service Example for DHCP VLAN Relay Switch(dhcp-config)#default-gateway 192.168.0.1 Switch(dhcp-config)#dns-server 192.168.0.2 Switch(dhcp-config)#end Switch#copy running-config startup-config  Configuring the VLAN on the Relay Agent Switch#configure Switch(config)# vlan 10 Switch(config-vlan)#name Marketing Switch(config-vlan)#exit Switch(config)#interface fastEthernet 1/0/1 Switch(config-if)#switchport general allowed vlan 10 untagged Switch(config-if)#exit Switch(config)# vlan 20 Switch(config-vlan)#name RD...
  • Page 439 Configuring DHCP Service Example for DHCP VLAN Relay Verify the Configurations of the DHCP Relay Agent Switch#show ip dhcp relay Switch#show ip dhcp relay DHCP relay state: enabled DHCP relay default relay agent interface: Interface: VLAN 1 IP address: 192.168.0.1 DHCP vlan relay helper address is configured on the following vlan: vlan Helper address...
  • Page 440 Configuring DHCP Service Appendix: Default Parameters Appendix: Default Parameters Default settings of DHCP Relay are listed in the following table. Table 5-1 Default Settings of DHCP Relay Parameter Default Setting DHCP Relay DHCP Relay Disable DHCP Relay Hops DHCP Relay Time Threshold Option 82 Configuration Option 82 Support Disabled...
  • Page 441 Configuring DHCP Service Appendix: Default Parameters Parameter Default Setting Format Normal Circuit ID Customization Disable Circuit ID None Remote ID Customization Disabled Remote ID None Configuration Guide...
  • Page 442 Part 14 Configuring QoS CHAPTERS 1. QoS 2. Class of Service Configuration 3. Bandwidth Control Configuration 4. Voice VLAN Configuration 5. Auto VoIP Configuration 6. Configuration Examples 7. Appendix: Default Parameters...
  • Page 443 Configuring QoS Overview As networks grow and applications multiply, internet traffic increases dramatically, resulting in network congestion, packet drops and long transmission delays. Typically, networks treat all traffic equally on a FIFO (First In First Out) delivery basis, but many applications such as VoD, video conferencing and VoIP require more bandwidth or shorter transmission delay to guarantee performance.
  • Page 444 Configuring QoS can deteriorate a lot because of packet loss and delay. To ensure high voice quality, you can configure Voice VLAN or Auto VoIP. These two features can be enabled on ports that transmit voice traffic only or that transmit both voice traffic and data traffic.
  • Page 445 Configuring QoS Class of Service Configuration Class of Service Configuration With class of service configurations, you can:  Configure port priority  Configure 802.1p priority  Configure DSCP priority  Specify the scheduler settings Configuration Guidelines  Select the priority mode that the ports trust according to your network requirements. A port can use only one priority to classify the ingress packets.
  • Page 446 Configuring QoS Class of Service Configuration Using the GUI 2.1.1 Configuring Port Priority  Configuring the Trust Mode and Port to 802.1p Mapping Choose the menu QoS > Class of Service > Port Priority to load the following page. Figure 2-1 Configuring the Trust Mode and Port to 802.1p Mapping Follow these steps to configure the parameters of the port priority: 1) Select the desired ports, specify the 802.1p priority and set the trust mode as Untrusted.
  • Page 447 Configuring QoS Class of Service Configuration  Configuring the 802.1p to Queue Mapping Choose the menu QoS > Class of Service > 802.1p Priority to load the following page. Figure 2-2 Configuring the 802.1p to Queue Mapping In the 802.1p to Queue Mapping section, configure the mappings and click Apply. 802.1p Priority Displays the number of 802.1p priority.
  • Page 448 Configuring QoS Class of Service Configuration 2.1.2 Configuring 802.1p Priority  Configuring the Trust Mode Choose the menu QoS > Class of Service > Port Priority to load the following page. Figure 2-3 Configuring the Trust Mode Follow these steps to configure the trust mode: 1) Select the desired ports and set the trust mode as Trust 802.1p.
  • Page 449 Configuring QoS Class of Service Configuration  Configuring the 802.1p to Queue Mapping and 802.1p Remap Choose the menu QoS > Class of Service > 802.1p Priority to load the following page. Figure 2-4 Configuring the 802.1p to Queue Mapping and 802.1p Remap Follow these steps to configure the parameters of the 802.1p priority: 1) In the 802.1p to Queue Mapping section, configure the mappings and click Apply.
  • Page 450 Configuring QoS Class of Service Configuration Remap Select the number of 802.1p priority to which the original 802.1p priority will be remapped. 802.1p Remap is used to modify the 802.1p priority of the ingress packets. When the switch detects the packets with desired 802.1p priority, it will modify the value of 802.1p priority according to the map.
  • Page 451 Configuring QoS Class of Service Configuration  Configuring the 802.1p to Queue Mapping Choose the menu QoS > Class of Service > 802.1p Priority to load the following page. Figure 2-6 Configuring the 802.1p to Queue Mapping In the 802.1p to Queue Mapping section, configure the mappings and click Apply. 802.1p Priority Displays the number of 802.1p priority.
  • Page 452 Configuring QoS Class of Service Configuration  Configuring the DSCP to 802.1p Mapping and the DSCP Remap Choose the menu QoS > Class of Service > DSCP Priority to load the following page. Figure 2-7 Configuring the DSCP to 802.1p Mapping and the DSCP Remap Follow these steps to configure the DSCP Priority: 1) In the DSCP Priority Config section, configure the DSCP to 802.1p mapping and the DSCP remap.
  • Page 453 Configuring QoS Class of Service Configuration 2.1.4 Specifying the Scheduler Settings Specify the scheduler settings to control the forwarding sequence of different TC queues when congestion occurs. Choose the menu QoS > Class of Service > Scheduler Settings to load the following page.
  • Page 454 Configuring QoS Class of Service Configuration Scheduler Type Select the type of scheduling used for corresponding queue. When the network congestion occurs, the egress queue will determine the forwarding sequence of the packets according to the type. Strict: In this mode, the egress queue will use SP (Strict Priority) to process the traffic in different queues.
  • Page 455 Configuring QoS Class of Service Configuration Step 4 qos port-priority { dot1p-priority } Specify the port to 802.1p priority mapping for the desired port. The ingress packets from one port are first mapped to 802.1p priority based on the port to 802.1p mapping, then to TC queues based on the 802.1p to queue mapping.
  • Page 456 Configuring QoS Class of Service Configuration The following example shows how to configure the trust mode of port 1/0/1 as untrust, map the port 1/0/1 to 802.1p priority 1 and map 802.1p priority 1 to TC3: Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#qos trust mode untrust Switch(config-if)#qos port-priority 1 Switch(config-if)#exit...
  • Page 457 Configuring QoS Class of Service Configuration Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port- channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 3 qos trust mode { untrust | dot1p | dscp } Select the trust mode for the port.
  • Page 458 Configuring QoS Class of Service Configuration Step 5 show qos dot1p-remap Verify the 802.1p to 802.1p mappings. Step 6 Return to privileged EXEC mode. Step 7 copy running-config startup-config Save the settings in the configuration file. Note: In Trust 802.1p mode, untagged packets are assigned an 802.1p priority based on the port to 802.1p mapping and are forwarded according to the 802.1p to queue mapping.
  • Page 459 Configuring QoS Class of Service Configuration Dot1p Remap Switch(config)#end Switch#copy running-config startup-config 2.2.3 Configuring DSCP Priority  Configuring the Trust Mode Follow these steps to configure the trust mode: Step 1 configure Enter global configuration mode Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port- channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode.
  • Page 460 Configuring QoS Class of Service Configuration Step 2 qos cos-map { dot1p-priority } { tc-queue } Specify the 802.1p to queue mapping. The packets with the desired 802.1p priority will be put in the corresponding queues. By default, the 802.1p priority 0 to 7 is respectively mapped to TC-1, TC-0, TC-2, TC-3, TC-4, TC-5, TC-6, TC-7.
  • Page 461 Configuring QoS Class of Service Configuration Step 5 show qos dscp-remap Verify the DSCP to DSCP mappings. Step 6 Return to privileged EXEC mode. Step 7 copy running-config startup-config Save the settings in the configuration file. Note: In Trust DSCP mode, non-IP packets are assigned an 802.1p priority based on the port to 802.1p mapping and are forwarded according to the 802.1p to queue mapping.
  • Page 462 Configuring QoS Class of Service Configuration DSCP to 802.1P ---- ---- ---- ---- ---- ---- ---- ---- DSCP: 10 11 12 13 14 15 DSCP to 802.1P ---- ---- ---- ---- ---- ---- ---- ---- DSCP: 17 18 19 20 21 22 23 DSCP to 802.1P ---- ---- ---- ---- ---- ---- ---- ---- DSCP:...
  • Page 463 Configuring QoS Class of Service Configuration DSCP: 16 17 18 19 20 21 22 23 DSCP remap value 16 17 18 19 20 21 22 23 ---- ---- ---- ---- ---- ---- ---- ---- DSCP: 24 25 26 27 28 29 30 31 DSCP remap value 24 25 26 27 28 29 30 31 ---- ---- ---- ---- ---- ---- ---- ---- DSCP:...
  • Page 464 Configuring QoS Class of Service Configuration Step 3 qos queue tc-queue mode {sp | wrr} [weight weight ] Specify the type of scheduling used for corresponding queue. When the network congestion occurs, the egress queue will determine the forwarding sequence of the packets according to the type.
  • Page 465 Configuring QoS Class of Service Configuration Strict Switch(config-if)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 466 Configuring QoS Bandwidth Control Configuration Bandwidth Control Configuration With bandwidth control configurations, you can:  Configure rate limit  Configure storm control Using the GUI 3.1.1 Configuring Rate Limit Choose the menu QoS > Bandwidth Control > Rate Limit to load the following page. Figure 3-1 Configuring Rate Limit Follow these steps to configure the Rate Limit function: 1) Select the desired port and configure the upper rate limit to receive and send packets.
  • Page 467 Configuring QoS Bandwidth Control Configuration 3.1.2 Configuring Storm Control Choose the menu QoS > Bandwidth Control > Storm Control to load the following page. Figure 3-2 Configuring Storm Control Follow these steps to configure the Storm Control function: 1) Select the desired port and configure the upper rate limit for forwarding broadcast packets, multicast packets and UL-frames (Unknown unicast frames).
  • Page 468 Configuring QoS Bandwidth Control Configuration UL-Frame Specify the upper rate limit for receiving unknown unicast frames. The valid Threshold (0- values differ among different rate modes. The value 0 means the unknown unicast 1,000,000) threshold is disabled. The traffic exceeding the limit will be processed according to the Action configurations.
  • Page 469 Configuring QoS Bandwidth Control Configuration Step 4 show bandwidth interface [fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id ] Verify the ingress/egress rate limit for forwarding packets on the port or LAG. If no port or LAG is specified, it displays the upper ingress/egress rate limit for all ports or LAGs.
  • Page 470 Configuring QoS Bandwidth Control Configuration Step 3 storm-control rate-mode {kbps | ratio} Specify the Rate Mode for the broadcast threshold, multicast threshold and UL-Frame threshold on the desired port. kbps: The switch will limit the maximum speed of the specific kinds of traffic in kilo-bits per second.
  • Page 471 Configuring QoS Bandwidth Control Configuration Step 9 show storm-control interface [fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id ] Verify the storm control configurations of the port or LAG. If no port or LAG is specified, it displays the storm control configuration for all ports or LAGs.
  • Page 472 Configuring QoS Voice VLAN Configuration Voice VLAN Configuration To complete the voice VLAN configurations, follow these steps: 1) Create an 802.1Q VLAN 2) Configure OUI addresses 3) Configure Voice VLAN globally 4) Add ports to Voice VLAN Configuration Guidelines  Before configuring voice VLAN, you need to create an 802.1Q VLAN for voice traffic. For details about 802.1Q VLAN Configuration, please refer to Configuring 802.1Q VLAN.
  • Page 473 Configuring QoS Voice VLAN Configuration Figure 4-1 Configuring OUI Addresses Follow these steps to configure the OUI addresses: 1) Click to load the following page. Figure 4-2 Creating an OUI Entry 2) Specify the OUI and the Description. Enter the OUI address of your voice devices. The OUI address is used by the switch to determine whether a packet is a voice packet.
  • Page 474 Configuring QoS Voice VLAN Configuration Figure 4-3 Configuring Voice VLAN Globally Follow these steps to configure voice VLAN globally: 1) Enable the voice VLAN feature and specify the parameters. VLAN ID Specify the 802.1Q VLAN ID to set the 802.1Q VLAN as the voice VLAN. Priority Select the priority that will be assigned to voice packets.
  • Page 475 Configuring QoS Voice VLAN Configuration Optional Status Displays the state of the Voice VLAN on the corresponding port. Active: Indicates that the Voice VLAN function is enabled on the port. Inactive: Indicates that the Voice VLAN function is disabled on the port. 2) Click Apply.
  • Page 476 Configuring QoS Voice VLAN Configuration Step 8 Return to privileged EXEC mode. Step 9 copy running-config startup-config Save the settings in the configuration file. The following example shows how to show the OUI table, set VLAN 8 as voice VLAN, set the priority as 6 and enable voice VLAN feature on port 1/0/3: Switch#configure Switch(config)#show voice vlan oui-table...
  • Page 477 Configuring QoS Voice VLAN Configuration Gi1/0/3 enabled Gi1/0/4 disabled Down Gi1/0/5 disabled Down ..Switch(config-if)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 478 Configuring QoS Auto VoIP Configuration Auto VoIP Configuration Configuration Guidelines  Before configuring Auto VoIP, you need to enable LLDP-MED on ports and configure the relevant parameters. For details about LLDP-MED configuration, please refer to Configuring LLDP.  Auto VoIP provides flexible solutions for optimizing the voice traffic. It can work with other features such as VLAN and Class of Service to process the voice packets with specific fields.
  • Page 479 Configuring QoS Auto VoIP Configuration Interface Mode Select the interface mode for the port. Disable: Disable the Auto VoIP function on the corresponding port. None: Allow the voice devices to use their own configuration to send voice traffic. VLAN ID: The voice devices will send voice packets with desired VLAN tag. If this mode is selected, it is necessary to specify the VLAN ID in the Value field.
  • Page 480 Configuring QoS Auto VoIP Configuration Step 3 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port- channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 4 Select the interface mode for the port.
  • Page 481 Configuring QoS Auto VoIP Configuration Step 7 show auto-voip Verify the global state of Auto VoIP. Step 8 show auto-voip interface Verify the Auto VoIP configuration information of ports. Step 8 Return to privileged EXEC mode. Step 9 copy running-config startup-config Save the settings in the configuration file.
  • Page 482 Configuring QoS Auto VoIP Configuration Interface.Gi1/0/3 Auto-VoIP Interface Mode. Enabled Auto-VoIP Priority. Auto-VoIP COS Override. True Auto-VoIP DSCP Value. Auto-VoIP Port Status. Enabled ..Switch(config-if)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 483 Configuring QoS Configuration Examples Configuration Examples Example for Class of Service 6.1.1 Network Requirements As shown below, both RD department and Marketing department can access the internet. When congestion occurs, the traffic from two departments can both be forwarded and the traffic from the Marketing department should take precedence.
  • Page 484 Configuring QoS Configuration Examples Demonstrated with T1500-28PCT, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. 6.1.3 Using the GUI 1) Choose the menu QoS > Class of Service > Port Priority to load the following page. Set the trust mode of port 1/0/1 and 1/0/2 as untrusted.
  • Page 485 Configuring QoS Configuration Examples Figure 6-3 Configuring the 802.1p to Queue Mappings 3) Choose the menu QoS > Class of Service > Scheduler Settings to load the following page. Select the port 1/0/3 and set the scheduler type of TC-0 and TC-1 as Weighted. Specify the queue weight of TC-0 as 1 and specify the queue weight of TC-1 as 5.
  • Page 486 Configuring QoS Configuration Examples Figure 6-4 Configuring the Egress Queue 4) Click to save the settings. 6.1.4 Using the CLI 1) Set the trust mode of port 1/0/1 as untrusted and specify the 802.1p priority as 1. Switch_A#configure Switch_A(config)#interface fastEthernet 1/0/1 Switch_A(config-if)#qos trust mode untrust Switch_A(config-if)#qos port-priority 1 Switch_A(config-if)#exit...
  • Page 487 Configuring QoS Configuration Examples 4) Set the scheduler type of TC-0 and TC-1 as Weighted for egress port 1/0/3. Specify the queue weight of TC-0 as 1 and specify the queue weight of TC-1 as 5. Switch_A(config)#interface fastEthernet 1/0/3 Switch_A(config-if)#qos queue 0 mode wrr weight 1 Switch_A(config-if)#qos queue 1 mode wrr weight 5 Switch_A(config-if)#end Switch_A#copy running-config startup-config...
  • Page 488 Configuring QoS Configuration Examples Verify the 802.1p to queue mappings: Switch_A#show qos cos-map ---------------+-----+-----+-----+-----+-----+-----+----+---- Dot1p Value |0 ---------------+-----+-----+-----+-----+-----+-----+----+---- |TC1 |TC0 |TC2 |TC4 |TC4 |TC5 |TC6 |TC7 ---------------+-----+-----+-----+-----+-----+-----+----+---- Verify the scheduler mode of the egress port: Switch_A#show qos queue interface fastEthernet 1/0/3 Fa1/0/3----LAG: N/A Queue Schedule Mode Weight -----...
  • Page 489 Configuring QoS Configuration Examples Figure 6-5 Voice VLAN Application Topology Switch B Fa1/0/4 Switch A Fa1/0/1 Fa1/0/3 Fa1/0/2 VLAN 2 VLAN 3 IP Phone 1 IP Phone 2 PC 3 6.2.2 Configuration Scheme To implement this requirement, you can configure Voice VLAN to ensure that the voice traffic can be transmitted in the same VLAN and the data traffic is transmitted in another VLAN.
  • Page 490 Configuring QoS Configuration Examples Figure 6-6 Configuring VLAN 2 2) Click to load the following page. Create VLAN 3 and add untagged port 1/0/3 and port 1/0/4 to VLAN 3. Click Create. Configuration Guide...
  • Page 491 Configuring QoS Configuration Examples Figure 6-7 Configuring VLAN 3 3) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > Port Config to load the following page. Disable the Ingress Checking feature on port 1/0/1 and port 1/0/2 and specify the PVID as 2. Click Apply. Configuration Guide...
  • Page 492 Configuring QoS Configuration Examples Figure 6-8 Specifying the Parameters of the Ports 4) Choose the menu QoS > Voice VLAN > OUI Config to load the following page. Check the OUI table. Figure 6-9 Checking the OUI Table 5) Choose the menu QoS > Voice VLAN > Global Config to load the following page. Enable Voice VLAN globally.
  • Page 493 Configuring QoS Configuration Examples Figure 6-10 Configuring Voice VLAN Globally 6) Choose the menu QoS > Voice VLAN > Port Config to load the following page. Enable Voice VLAN on port 1/0/1 and port 1/0/2. Click Apply. Figure 6-11 Enabling Voice VLAN on Ports 7) Click to save the settings.
  • Page 494 Configuring QoS Configuration Examples Switch_A(config-if)#switchport general allowed vlan 2 untagged Switch_A(config-if)#exit Switch_A(config)#interface fastEthernet 1/0/4 Switch_A(config-if)#switchport general allowed vlan 2 untagged Switch_A(config-if)#exit 2) Create VLAN 3 and add untagged port 1/0/3 and port 1/0/4 to VLAN 3. Switch_A(config)#vlan 3 Switch_A(config-vlan)#name VLAN3 Switch_A(config-vlan)#exit Switch_A(config)#interface fastEthernet 1/0/3 Switch_A(config-if)#switchport general allowed vlan 3 untagged...
  • Page 495 Configuring QoS Configuration Examples 00:60:B9 Default NITSUKO 00:D0:1E Default PINTEL 00:E0:75 Default VERILINK 00:E0:BB Default 3COM 00:04:0D Default AVAYA1 00:1B:4F Default AVAYA2 00:04:13 Default SNOM 5) Enable Voice VLAN globally. Specify the VLAN ID as 2 and set the priority as 7. Switch_A(config)#voice vlan 2 Switch_A(config)#voice vlan priority 7 6) Enable Voice VLAN on port 1/0/1 and port 1/0/2.
  • Page 496 Configuring QoS Configuration Examples VoiceVLAN active Fa1/0/1, Fa1/0/2, Fa1/0/4 VLAN3 active Fa1/0/3, Fa1/0/4 Verify the Voice VLAN configuration: Switch_A(config)#show voice vlan interface Voice VLAN ID Priority Interface Voice VLAN Mode Operational Status LAG --------- --------------- ------------------ Fa1/0/1 enabled Fa1/0/2 enabled Fa1/0/3 disabled Down...
  • Page 497 Configuring QoS Configuration Examples Figure 6-12 Auto VoIP Application Topology Switch B Fa1/0/2 Fa1/0/1 Switch A PC 10 IP Phone 10 ..6.3.2 Configuration Scheme To optimize voice traffic, configure Auto VoIP and LLDP-MED to instruct IP Phones to send traffic with desired DSCP priority. Voice traffic is put in the desired queue and data traffic is put in other queues according to the Class of Service configurations.
  • Page 498 Configuring QoS Configuration Examples Figure 6-13 Configuring Auto VoIP 2) Choose the menu QoS > Class of Service > Port Priority to load the following page. Set the trust mode of port 1/0/1 as trust DSCP. Click Apply. Figure 6-14 Configuring Port Priority 3) Choose the menu QoS >...
  • Page 499 Configuring QoS Configuration Examples Figure 6-15 Specifying the 802.1p priority for DSCP priority 63 4) Specify the 802.1p priority as 5 for other DSCP priorities. Click Apply. Figure 6-16 Specifying the 802.1p priority for Other DSCP priorities 5) Choose the menu QoS > Class of Service > Scheduler Settings to load the following page.
  • Page 500 Configuring QoS Configuration Examples Figure 6-17 Configuring the TC-5 for the Port 6) Select port 1/0/2. Set the scheduler mode as weighted and specify the queue weight as 10 for TC-7. Click Apply. Figure 6-18 Configuring the TC-7 for the Port Configuration Guide...
  • Page 501 Configuring QoS Configuration Examples 7) Choose the menu L2 FEATURES > LLDP > LLDP-MED Config > Port Config and click Detail of port 1/0/1 to load the following page. Check the boxes of all the TLVs. Click Save. Figure 6-19 Configuring the TLVs 8) Choose the menu L2 FEATURES >...
  • Page 502 Configuring QoS Configuration Examples 9) Click to save the settings. 6.3.4 Using the CLI 1) Enable Auto VoIP globally and specify the DSCP value of port 1/0/1 as 63. Switch_A#configure Switch_A(config)#auto-voip Switch_A(config)#interface fastEthernet 1/0/1 Switch_A(config-if)#auto-voip dscp 63 Switch_A(config-if)#exit 2) Set the trust mode of port 1/0/1 as trust DSCP. Specify the 802.1p priority as 7 for DSCP priority 63 and specify 802.1p priority as 5 for other DSCP priorities.
  • Page 503 Configuring QoS Configuration Examples Verify the configurations Verify the configuration of Auto VoIP: Switch_A(config)#show auto-voip Administrative Mode: Enabled Verify the Auto VoIP configuration of ports: Switch_A(config)#show auto-voip interface Interface.Fa1/0/1 Auto-VoIP Interface Mode. Disabled Auto-VoIP COS Override. False Auto-VoIP DSCP Value. Auto-VoIP Port Status.
  • Page 504 Configuring QoS Configuration Examples Switch_A(config)#show qos cos-map ---------------+-----+-----+-----+-----+-----+-----+----+---- Dot1p Value |0 ---------------+-----+-----+-----+-----+-----+-----+----+---- |TC1 |TC0 |TC2 |TC3 |TC4 |TC5 |TC6 |TC7 ---------------+-----+-----+-----+-----+-----+-----+----+---- Switch_A(config)#show qos dscp-map DSCP: DSCP to 802.1P ---- ---- ---- ---- ---- ---- ---- ---- DSCP: 10 11 12 13 14 15 DSCP to 802.1P ---- ---- ---- ---- ---- ---- ---- ---- DSCP:...
  • Page 505 Configuring QoS Configuration Examples DSCP: 57 58 59 60 61 62 63 DSCP to 802.1P 5 ---- ---- ---- ---- ---- ---- ---- --- Verify the configuration of LLDP-MED: Switch_A(config)#show lldp interface LLDP interface config: fastEthernet 1/0/1: Admin Status: TxRx SNMP Trap: Disabled Status...
  • Page 506 Configuring QoS Configuration Examples Location Identification Extended Power Via MDI Inventory Management Configuration Guide...
  • Page 507 Configuring QoS Appendix: Default Parameters Appendix: Default Parameters Default settings of Class of Service are listed in the following tables. Table 7-1 Default Settings of Port Priority Configuration Parameter Default Setting 802.1P Priority Trust Mode Untrusted Table 7-2 Default Settings of 802.1p to Queue Mapping 802.1p Priority Queues (8) Table 7-3...
  • Page 508 Configuring QoS Appendix: Default Parameters DSCP 802.1p Priority 16 to 23 24 to 31 32 to 39 40 to 47 48 to 55 56 to 63 Table 7-5 Default Settings of DSCP Remap Configuration Original New DSCP Original New DSCP Original New DSCP DSCP...
  • Page 509 Configuring QoS Appendix: Default Parameters Table 7-6 Default Settings of Scheduler Settings Configuration Parameter Default Setting Scheduler Type Weighted Queue Weight Management Taildrop Type Default settings of Class of Service are listed in the following tables. Table 7-7 Default Settings of Bandwidth Control Parameter Default Setting Ingress Rate (0-...
  • Page 510 Configuring QoS Appendix: Default Parameters Table 7-10 Default Settings of Port Configuration Parameter Default Setting Voice VLAN Disabled Table 7-11 Default Settings of OUI Table Status Description 00:01:E3 Default SIEMENS 00:03:6B Default CISCO1 00:12:43 Default CISCO2 00:0F:E2 Default 00:60:B9 Default NITSUKO 00:D0:1E Default...
  • Page 511 Part 15 Configuring Access Security CHAPTERS 1. Access Security 2. Access Security Configurations 3. Appendix: Default Parameters...
  • Page 512 Configuring Access Security Access Security Access Security 1.1 Overview Access Security provides different security measures for accessing the switch remotely so as to enhance the configuration management security. 1.2 Supported Features Access Control This function is used to control the users’ access to the switch based on IP address, MAC address or port.
  • Page 513 Configuring Access Security Access Security Configurations Access Security Configurations With access security configurations, you can:  Configure the Access Control feature  Configure the HTTP feature  Configure the HTTPS feature  Configure the SSH feature  Configure the Telnet function 2.1 Using the GUI 2.1.1 Configuring the Access Control Feature Choose the menu SECURITY >...
  • Page 514 Configuring Access Security Access Security Configurations 2) In the Entry Table section, click to add an Access Control entry. When the IP-based mode is selected, the following window will pop up. Figure 2-2 Configuring Access Control Entry-IP Based Access Interface: Select the interface to control the methods by which users access the switch. SNMP: A function to manage the network devices via NMS.
  • Page 515 Configuring Access Security Access Security Configurations Access Interface: Select the interface to control the methods by which users access the switch. SNMP: A function to manage the network devices via NMS. Telnet: A connection type for users to remote login. SSH: A connection type based on SSH protocol. HTTP: A connection type based on HTTP protocol.
  • Page 516 Configuring Access Security Access Security Configurations 2.1.2 Configuring the HTTP Function Choose the menu SECURITY > Access Security > HTTP Config to load the following page. Figure 2-5 Configuring the HTTP Function 1) In the Global Control section, enable HTTP function, specify the port used for HTTP, and click Apply to enable the HTTP function.
  • Page 517 Configuring Access Security Access Security Configurations Number of Specify the maximum number of users whose access level is Operator. Operators Number of Specify the maximum number of users whose access level is Power User. Power Users Number of Specify the maximum number of users whose access level is User. Users Configuration Guide...
  • Page 518 Configuring Access Security Access Security Configurations 2.1.3 Configuring the HTTPS Function Choose the menu SECURITY > Access Security > HTTPS Config to load the following page. Figure 2-6 Configuring the HTTPS Function 1) In the Global Config section, enable HTTPS function, select the protocol the switch supports and specify the port used for HTTPS.
  • Page 519 Configuring Access Security Access Security Configurations HTTPS Enable or disable the HTTPS function. HTTPS function is based on the SSL or TLS protocol. It provides a secure connection between the client and the switch. SSL Version 3 Enable or disable SSL Version 3 protocol on the switch. SSL is a transport protocol.
  • Page 520 Configuring Access Security Access Security Configurations 5) In the Load Certificate and Load Key section, download the certificate and key. Certificate File Select the desired certificate to download to the switch. The certificate must be BASE64 encoded. The SSL certificate and key downloaded must match each other, otherwise the HTTPS connection will not work.
  • Page 521 Configuring Access Security Access Security Configurations 2.1.4 Configuring the SSH Feature Choose the menu SECURITY > Access Security > SSH Config to load the following page. Figure 2-7 Configuring the SSH Feature 1) In the Global Config section, select Enable to enable SSH function and specify following parameters.
  • Page 522 Configuring Access Security Access Security Configurations Protocol V1 Select Enable to enable SSH version 1. Protocol V2 Select Enable to enable SSH version 2. Idle Timeout Specify the idle timeout time. The system will automatically release the connection when the time is up. Maximum Specify the maximum number of the connections to the SSH server.
  • Page 523 Configuring Access Security Access Security Configurations Using the CLI 2.2.1 Configuring the Access Control Follow these steps to configure the access control: Step 1 configure Enter global configuration mode. Step 2 Use the following command to control the users’ access by limiting the IP address: user access-control ip-based enable Configure the control mode as IP-based.
  • Page 524 Configuring Access Security Access Security Configurations Step 3 show user configuration Verify the security configuration information of the user authentication information and the access interface. Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set the type of access control as IP-based.
  • Page 525 Configuring Access Security Access Security Configurations Step 4 ip http max-users admin-num operator-num poweruser-num user-num Specify the maximum number of users that are allowed to connect to the HTTP server. The total number of users should be no more than 16. : Enter the maximum number of users whose access level is Admin.
  • Page 526 Configuring Access Security Access Security Configurations Switch#copy running-config startup-config 2.2.3 Configuring the HTTPS Function Follow these steps to configure the HTTPS function: Step 1 configure Enter global configuration mode. Step 2 ip http secure-server Enable the HTTPS function. By default, it is enabled. Step 3 ip http secure-protocol { [ ssl3 ] [ tls1 ] } Configure to make the switch support the corresponding protocol.
  • Page 527 Configuring Access Security Access Security Configurations Step 6 ip http secure-max-users admin-num operator-num poweruser-num user-num Specify the maximum number of users that are allowed to connect to the HTTPS server. The total number of users should be no more than 16. : Enter the maximum number of users whose access level is Admin.
  • Page 528 Configuring Access Security Access Security Configurations Switch(config)#ip http secure-ciphersuite 3des-ede-cbc-sha Switch(config)#ip http secure-session timeout 15 Switch(config)#ip http secure-max-users 2 2 2 2 Switch(config)#ip http secure-server download certificate ca.crt ip-address 192.168.0.100 Start to download SSL certificate..Download SSL certificate OK. Switch(config)#ip http secure-server download key ca.key ip-address 192.168.0.100 Start to download SSL key..
  • Page 529 Configuring Access Security Access Security Configurations Step 3 ip ssh version { v1 | v2 } Configure to make the switch support the corresponding protocol. By default, the switch supports SSHv1 and SSHv2. v1 | v2: Select to enable the corresponding protocol. Step 4 ip ssh timeout value Specify the idle timeout time.
  • Page 530 Configuring Access Security Access Security Configurations The following example shows how to configure the SSH function. Set the version as SSH V1 and SSH V2. Enable the AES128-CBC and Cast128-CBC encryption algorithm. Enable the HMAC-MD5 data integrity algorithm. Choose the key type as SSH-2 RSA/DSA. Switch(config)#ip ssh server Switch(config)#ip ssh version v1 Switch(config)#ip ssh version v2...
  • Page 531 Configuring Access Security Access Security Configurations HMAC-MD5: Enabled Key Type: SSH-2 RSA/DSA Key File: ---- BEGIN SSH2 PUBLIC KEY ---- Comment: “dsa-key-20160711” Switch(config)#end Switch#copy running-config startup-config 2.2.5 Configuring the Telnet Function Follow these steps to enable the Telnet function: Step 1 configure Enter global configuration mode.
  • Page 532 Configuring Access Security Appendix: Default Parameters Appendix: Default Parameters Default settings of Access Security are listed in the following tables. Table 3-1 Default Settings of Access Control Configuration Parameter Default Setting Access Control Disabled Table 3-2 Default Settings of HTTP Configuration Parameter Default Setting HTTP...
  • Page 533 Configuring Access Security Appendix: Default Parameters Parameter Default Setting Port AES128-CBC Enabled AES192-CBC Enabled AES256-CBC Enabled Blowfish-CBC Enabled Cast128-CBC Enabled 3DES-CBC Enabled HMAC-SHA1 Enabled HMAC-MD5 Enabled Key Type: SSH-2 RSA/DSA Table 3-5 Default Settings of Telnet Configuration Parameter Default Setting Telnet Enabled Port...
  • Page 534 Part 16 Configuring AAA CHAPTERS 1. Overview 2. AAA Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 535 Overview Overview AAA stands for authentication, authorization and accounting. On TP-Link switches, this feature is mainly used to authenticate the users trying to log in to the switch or get administrative privileges. The administrator can create guest accounts and an Enable password for other users.
  • Page 536 Configuring AAA AAA Configuration AAA Configuration In the AAA feature, the authentication can be processed locally on the switch or centrally on the RADIUS/TACACS+ server(s). To ensure the stability of the authentication system, you can configure multiple servers and authentication methods at the same time. This chapter introduces how to configure this kind of comprehensive authentication in AAA.
  • Page 537 Configuring AAA AAA Configuration  AAA Application List The switch supports the following access applications: Telnet, SSH and HTTP. You can select the configured authentication method lists for each application. Using the GUI 2.1.1 Adding Servers You can add one or more RADIUS/TACACS+ servers on the switch for authentication. If multiple servers are added, the server that is first added to the group has the highest priority and authenticates the users trying to access the switch.
  • Page 538 Configuring AAA AAA Configuration Accounting Port Specify the UDP destination port on the RADIUS server for accounting requests. The default setting is 1813. Usually, it is used in the 802.1x feature. Retransmit Specify the number of times a request is resent to the server if the server does not respond.
  • Page 539 Configuring AAA AAA Configuration 2.1.2 Configuring Server Groups The switch has two built-in server groups, one for RADIUS servers and the other for TACACS+ servers. The servers running the same protocol are automatically added to the default server group. You can add new server groups as needed. Choose the menu SECURITY >...
  • Page 540 Configuring AAA AAA Configuration 2.1.3 Configuring the Method List A method list describes the authentication methods and their sequence to authenticate the users. The switch supports Login Method List for users of all types to gain access to the switch, and Enable Method List for guests to get administrative privileges. Choose the menu SECURITY >...
  • Page 541 Configuring AAA AAA Configuration Method List Name Specify a name for the method. Pri1- Pri4 Specify the authentication methods in order. The method with priority 1 authenticates a user first, the method with priority 2 is tried if the previous method does not respond, and so on.
  • Page 542 Configuring AAA AAA Configuration 2.1.5 Configuring Login Account and Enable Password The login account and Enable password can be configured locally on the switch or centrally on the RADIUS/TACACS+ server(s).  On the Switch The local username and password for login can be configured in the User Management feature.
  • Page 543 Configuring AAA AAA Configuration Using the CLI 2.2.1 Adding Servers You can add one or more RADIUS/TACACS+ servers on the switch for authentication. If multiple servers are added, the server with the highest priority authenticates the users trying to access the switch, and the others act as backup servers in case the first one breaks down.
  • Page 544 Configuring AAA AAA Configuration Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to add a RADIUS server on the switch. Set the IP address of the server as 192.168.0.10, the authentication port as 1812, the shared key as 123456, the timeout as 8 seconds and the retransmit number as 3.
  • Page 545 Configuring AAA AAA Configuration Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to add a TACACS+ server on the switch. Set the IP address of the server as 192.168.0.20, the authentication port as 49, the shared key as 123456, and the timeout as 8 seconds.
  • Page 546 Configuring AAA AAA Configuration Step 4 show aaa group [ group-name ] Verify the configuration of server group. Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create a RADIUS server group named RADIUS1 and add the existing two RADIUS servers whose IP address is 192.168.0.10 and 192.168.0.20 to the group.
  • Page 547 Configuring AAA AAA Configuration Step 2 aaa authentication login { method-list } { method1 } [ method2 ] [ method3 ] [ method4 ] Configure a login method list. Specify a name for the method list. method-list Specify the authentication methods in order. The first method1/method2/method3/method4 method authenticates a user first, the second method is tried if the previous method does not respond, and so on.
  • Page 548 Configuring AAA AAA Configuration Switch(config)#aaa authentication enable Enable1 radius local Switch(config)#show aaa authentication enable Methodlist pri1 pri2 pri3 pri4 default local Enable1 radius local Switch(config)#end Switch#copy running-config startup-config 2.2.4 Configuring the AAA Application List You can configure authentication method lists on the following access applications: Telnet, SSH and HTTP.
  • Page 549 Configuring AAA AAA Configuration The following example shows how to apply the existing Login method list named Login1 and Enable method list named Enable1 for the application Telnet. Switch#configure Switch(config)#line telnet Switch(config-line)#login authentication Login1 Switch(config-line)#enable authentication Enable1 Switch(config-line)#show aaa global Module Login List Enable List...
  • Page 550 Configuring AAA AAA Configuration Step 7 copy running-config startup-config Save the settings in the configuration file. The following example shows how to apply the existing Login method list named Login1 and Enable method list named Enable1 for the application SSH. Switch#configure Switch(config)#line ssh Switch(config-line)#login authentication Login1...
  • Page 551 Configuring AAA AAA Configuration Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to apply the existing Login method list named Login1 and Enable method list named Enable1 for the application HTTP: Switch#configure Switch(config)#ip http login authentication Login1 Switch(config)#ip http enable authentication Enable1...
  • Page 552 Configuring AAA AAA Configuration Step 2 enable admin password { [ 0 ] password | 7 encrypted-password } Set the Enable password. This command uses symmetric encryption. 0 and 7 represent the encryption type. 0 indicates that an unencrypted key will follow. 7 indicates that a symmetric encrypted key with a fixed length will follow.
  • Page 553 Configuring AAA Configuration Example Configuration Example Network Requirements As shown below, the switch needs to be managed remotely via Telnet. In addition, the senior administrator of the company wants to create an account for the less senior administrators, who can only view the configurations and some network information without the Enable password provided.
  • Page 554 Configuring AAA Configuration Example Demonstrated with T1500-28PCT, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. Using the GUI 1) Choose the menu SECURITY > AAA > RADIUS Config and click to load the following page.
  • Page 555 Configuring AAA Configuration Example 3) Choose the menu SECURITY > AAA > Server Group to load the following page. Click . Specify the group name as RADIUS1 and the server type as RADIUS. Select 192.168.0.10 and 192.168.0.20 from the drop-down list. Click Create to create the server group.
  • Page 556 Configuring AAA Configuration Example Figure 3-6 Configure Enable Method List 6) Choose the menu SECURITY > AAA > Global Config to load the following page. In the AAA Application List section, select telnet and configure the Login List as Method- Login and Enable List as Method-Enable. Then click Apply. Figure 3-7 Configure AAA Application List 7) Click to save the settings.
  • Page 557 Configuring AAA Configuration Example 3) Create two method lists: Method-Login and Method-Enable, and configure the server group RADIUS1 as the authentication method for the two method lists. Switch(config)#aaa authentication login Method-Login RADIUS1 Switch(config)#aaa authentication enable Method-Enable RADIUS1 4) Configure Method-Login and Method-Enable as the authentication method for the Telnet application.
  • Page 558 Configuring AAA Configuration Example Methodlist pri1 pri2 pri3 pri4 default none Method-Enable RADIUS1 Verify the status of the AAA feature and the configuration of the AAA application list: Switch#show aaa global Module Login List Enable List Telnet Method-Login Method-Enable default default Http default...
  • Page 559 Configuring AAA Appendix: Default Parameters Appendix: Default Parameters Default settings of AAA are listed in the following tables. Table 4-1 Parameter Default Setting Global Config AAA Feature Enable RADIUS Config Server IP None Shared Key None Auth Port 1812 Acct Port 1813 Retransmit Timeout...
  • Page 560 Configuring AAA Appendix: Default Parameters Parameter Default Setting AAA Application List Login List: default telnet Enable List: default Login List: default Enable List: default Login List: default http Enable List: default Configuration Guide...
  • Page 561 Part 17 Configuring 802.1x CHAPTERS 1. Overview 2. 802.1x Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 562  Client A client, usually a computer, is connected to the authenticator via a physical port. We recommend that you install TP-Link 802.1x authentication client software on the client hosts, enabling them to request 802.1x authentication to access the LAN.
  • Page 563 Configuring 802.1x Overview  Authentication Server The authentication server is usually the host running the RADIUS server program. It stores information of clients, confirms whether a client is legal and informs the authenticator whether a client is authenticated. Configuration Guide...
  • Page 564 Configuring 802.1x 802.1x Configuration 802.1x Configuration To complete the 802.1x configuration, follow these steps: 1) Configure the RADIUS server. 2) Configure 802.1x globally. 3) Configure 802.1x on ports. In addition, you can view the authenticator state. Configuration Guidelines 802.1x authentication and Port Security cannot be enabled at the same time. Before enabling 802.1x authentication, make sure that Port Security is disabled.
  • Page 565 Configuring 802.1x 802.1x Configuration Follow these steps to add a RADIUS server: 1) Configure the parameters of the RADIUS server. Server IP Enter the IP address of the server running the RADIUS secure protocol. Shared Key Enter the shared key between the RADIUS server and the switch. The RADIUS server and the switch use the key string to encrypt passwords and exchange responses.
  • Page 566 Configuring 802.1x 802.1x Configuration Figure 2-3 Editing Server Group If you click , the following window will pop up. Specify a name for the server group, select the server type as RADIUS and select the IP address of the RADIUS server. Click Save. Figure 2-4 Adding Server Group  Configuring the Dot1x List Choose the menu SECURITY >...
  • Page 567 Handshake Enable or disable the Handshake feature. The Handshake feature is used to detect the connection status between the TP-Link 802.1x Client and the switch. Please disable the Handshake feature if you are using other client software instead of the TP-Link 802.1x Client.
  • Page 568 Configuring 802.1x 802.1x Configuration VLAN Enable or disable the 802.1x VLAN assignment feature. 802.1x VLAN assignment is Assignment a technology allowing the RADIUS server to send the VLAN assignment to the port when the port is authenticated. If the assigned VLAN does not exist on the switch, the switch will create the related VLAN automatically, add the authenticated port to the VLAN and change the PVID based on the assigned VLAN.
  • Page 569 Configuring 802.1x 802.1x Configuration Select whether to enable the MAB (MAC-Based Authentication Bypass) feature for the port. With MAB feature enabled, the switch automatically sends the authentication server a RADIUS access request frame with the client’s MAC address as the username and password.
  • Page 570 Configuring 802.1x 802.1x Configuration Note: If a port is in an LAG, its 802.1x authentication function cannot be enabled. Also, a port with 802.1x authentication enabled cannot be added to any LAG. 2.1.4 View the Authenticator State Choose the menu SECURITY > 802.1x > Authenticator State to load the following page. Figure 2-8 View Authenticator State On this page, you can view the authentication status of each port: Port...
  • Page 571 Configuring 802.1x 802.1x Configuration Using the CLI 2.2.1 Configuring the RADIUS Server Follow these steps to configure RADIUS: Step 1 configure Enter global configuration mode. Step 2 radius-server host ip-address [ auth-port port-id ] [ acct-port port-id ] [ timeout time ] [ retransmit number ] [ nas-id nas-id ] key { [ 0 ] string | 7 encrypted-string } Add the RADIUS server and configure the related parameters as needed.
  • Page 572 Configuring 802.1x 802.1x Configuration Step 6 aaa authentication dot1x default { method } Select the RADIUS group for 802.1x authentication. Specify the RADIUS group for 802.1x authentication. method: aaa accounting dot1x default { method } Select the RADIUS group for 802.1x accounting. Specify the RADIUS group for 802.1x accounting.
  • Page 573 Configuring 802.1x 802.1x Configuration Switch#configure Switch(config)#radius-server host 192.168.0.100 auth-port 1812 acct-port 1813 key 123456 Switch(config)#aaa group radius radius1 Switch(aaa-group)#server 192.168.0.100 Switch(aaa-group)#exit Switch(config)#aaa authentication dot1x default radius1 Switch(config)#aaa accounting dot1x default radius1 Switch(config)#show radius-server Shared key Server Ip Auth Port Acct Port Timeout Retransmit NAS Identifier 192.168.0.100 1812 1813...
  • Page 574 (Optional) Enable the Handshake feature. The Handshake feature is used to detect the connection status between the TP-Link 802.1x Client and the switch. Please disable the Handshake feature if you are using other client software instead of the TP-Link 802.1x Client. Step 6 dot1x vlan-assignment (Optional) Enable or disable the 802.1x VLAN assignment feature.
  • Page 575 Configuring 802.1x 802.1x Configuration Switch#configure Switch(config)#dot1x system-auth-control Switch(config)#dot1x auth-protocol pap Switch(config)#show dot1x global 802.1X State: Enabled Authentication Protocol: Handshake State: Enabled 802.1X Accounting State: Disabled 802.1X VLAN Assignment State: Disabled Switch(config)#end Switch#copy running-config startup-config 2.2.3 Configuring 802.1x on Ports Follow these steps to configure the port: Step 1 configure Enter global configuration mode.
  • Page 576 Configuring 802.1x 802.1x Configuration Step 5 dot1x guest-vlan vid (Optional) Configure guest VLAN on the port. vid: Specify the ID of the VLAN to be configured as the guest VLAN. The valid values are from 0 to 4094. 0 means that Guest VLAN is disabled on the port. The configured VLAN must be an existing 802.1Q VLAN.
  • Page 577 Configuring 802.1x 802.1x Configuration Step 12 Return to privileged EXEC mode. Step 13 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable 802.1x authentication on port 1/0/2, configure the control type as port-based, and keep other parameters as default: Switch#configure Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#dot1x...
  • Page 578 Configuring 802.1x 802.1x Configuration Step 3 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Enter interface configuration mode. port: Enter the ID of the port to be configured. Step 4 dot1x auth-init [ mac mac-address ]...
  • Page 579 Configuring 802.1x Configuration Example Configuration Example Network Requirements The network administrator wants to control access from the end users (clients) in the company. It is required that all clients need to be authenticated separately and only the authenticated clients can access the internet. Configuration Scheme To authenticate clients separately, enable 802.1x authentication, configure the control mode as auto, and set the control type as MAC based.
  • Page 580 Configuring 802.1x Configuration Example Figure 3-1 Network Topology Switch A Authenticator Fa1/0/3 Fa1/0/2 Fa1/0/1 RADIUS Server 192.168.0.10/24 Auth Port:1812 Client Client Client Demonstrated with T1500-28PCT acting as the authenticator, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. 3.4 Using the GUI 1) Choose the menu SECURITY >...
  • Page 581 Configuring 802.1x Configuration Example 2) Choose the menu SECURITY > AAA > Server Group and click to load the following page. Specify the group name as RADIUS1, select the server type as RADIUS and server IP as 192.168.0.10. Click Create. Figure 3-3 Creating Server Group 3) Choose the menu SECURITY >...
  • Page 582 Configuring 802.1x Configuration Example Figure 3-6 Configuring Port 6) Click to save the settings. 3.5 Using the CLI 1) Configure the RADIUS parameters. Switch_A(config)#radius-server host 192.168.0.10 auth-port 1812 key 123456 Switch_A(config)#aaa group radius RADIUS1 Switch_A(aaa-group)#server 192.168.0.10 Switch_A(aaa-group)#exit Switch_A(config)#aaa authentication dot1x default RADIUS1 2) Globally enable 802.1x authentication and set the authentication protocol.
  • Page 583 Configuring 802.1x Configuration Example Switch_A(config)#interface fastEthernet 1/0/3 Switch_A(config-if)#no dot1x Switch_A(config-if)#exit Switch_A(config)#interface fastEthernet 1/0/1 Switch_A(config-if)#dot1x Switch_A(config-if)#dot1x port-method mac-based Switch_A(config-if)#dot1x port-control auto Switch_A(config-if)#exit Verify the Configurations Verify the global configurations of 802.1x authentication: Switch_A#show dot1x global 802.1X State: Enabled Authentication Protocol: Handshake State: Enabled 802.1X Accounting State: Disabled...
  • Page 584 Configuring 802.1x Configuration Example unauthorized unauthorized ..Verify the configurations of RADIUS : Switch_A#show aaa global Module Login List Enable List Telnet default default default default Http default default Switch_A#show aaa authentication dot1x Methodlist pri1 pri2 pri3 pri4 default RADIUS1 Switch_A#show aaa group RADIUS1 192.168.0.10 Configuration Guide...
  • Page 585 Configuring 802.1x Appendix: Default Parameters Appendix: Default Parameters Default settings of 802.1x are listed in the following table. Table 4-1 Default Settings of 802.1x Parameter Default Setting Global Config 802.1x Authentication Disable Authentication Method Handshake Enable Accounting Disable VLAN Assignment Disable Port Config 802.1x Status...
  • Page 586 Part 18 Configuring Port Security CHAPTERS 1. Overview 2. Port Security Configuration 3. Appendix: Default Parameters...
  • Page 587 Configuring Port Security Overview Overview You can use the Port Security feature to limit the number of MAC addresses that can be learned on each port, thus preventing the MAC address table from being exhausted by the attack packets. In addition, the switch can send a notification if the number of learned MAC addresses on the port exceeds the limit.
  • Page 588 Configuring Port Security Port Security Configuration Port Security Configuration 2.1 Using the GUI Choose the menu SECURITY > Port Security to load the following page. Figure 2-1 Port Security Follow these steps to configure Port Security: 1) Select one or more ports and configure the following parameters. Port Displays the port number.
  • Page 589 Configuring Port Security Port Security Configuration Learn Address Mode Select the learn mode of the MAC addresses on the port. Three modes are provided: Delete on Timeout: The switch will delete the MAC addresses that are not used or updated within the aging time. It is the default setting. Delete on Reboot: The learned MAC addresses are out of the influence of the aging time and can only be deleted manually.
  • Page 590 Configuring Port Security Port Security Configuration Step 3 mac address-table max-mac-count { [max-number num ] [exceed-max-learned enable | disable] [mode { dynamic | static | permanent } ] [ status { forward | drop | disable } ]} Enable the port security feature of the port and configure the related parameters. num : The maximum number of MAC addresses that can be learned on the port.
  • Page 591 Configuring Port Security Port Security Configuration Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#mac address-table max-mac-count max-number 30 exceed-max-learned enable mode permanent status drop Switch(config-if)#show mac address-table max-mac-count interface gigabitEthernet 1/0/1 Port Max-learn Current-learn Exceed Max Limit Mode Status ---- --------- ----------- ---------- ------ -------- Gi1/0/1...
  • Page 592 Configuring Port Security Appendix: Default Parameters Appendix: Default Parameters Default settings of Port Security are listed in the following table. Table 3-1 Default Parameters of Port Security Parameter Default Setting Max Learned Number of Current Learned Number Exceed Max Learned Trap Disable Learn Address Mode Delete on Timeout...
  • Page 593 Part 19 Configuring ACL CHAPTERS 1. Overview 2. ACL Configuration 3. Configuration Example for ACL 4. Appendix: Default Parameters...
  • Page 594 Configuring ACL Overview Overview ACL (Access Control List) filters traffic as it passes through a switch, and permits or denies packets crossing specified interfaces or VLANs. It accurately identifies and processes the packets based on the ACL rules. In this way, ACL helps to limit network traffic, manage network access behaviors, forward packets to specified ports and more.
  • Page 595 Configuring ACL ACL Configuration ACL Configuration Using the GUI 2.1.1 Configuring Time Range Some ACL-based services or features may need to be limited to take effect only during a specified time period. In this case, you can configure a time range for the ACL. For details about Time Range configuration, please refer to Managing System.
  • Page 596 Configuring ACL ACL Configuration Note: The supported ACL type and ID range varies on different switch models. Please refer to the on-screen information. 2.1.3 Configuring ACL Rules The created ACL will be displayed on the SECURITY > ACL > ACL Config page. Figure 2-2 Editing ACL Click Edit ACL in the Operation column.
  • Page 597 Configuring ACL ACL Configuration Figure 2-4 Configuring the MAC ACL Rule Follow these steps to configure the MAC ACL rule: 1) In the MAC ACL Rule section, configure the following parameters: Rule ID Enter an ID number to identify the rule. It should not be the same as any current rule ID in the same ACL.
  • Page 598 Configuring ACL ACL Configuration EtherType Specify the EtherType to be matched using 4 hexadecimal numbers. User Priority Specify the User Priority to be matched. Time Range Select a time range during which the rule will take effect. The default value is No Limit, which means the rule is always in effect. The Time Range referenced here can be created on the SYSTEM >...
  • Page 599 Configuring ACL ACL Configuration 4) In the Policy section, enable or disable the Rate Limit feature for the matched packets. With this option enabled, configure the related parameters. Figure 2-7 Configuring Rate Limit Rate Specify the transmission rate for the matched packets. Burst Size Specify the maximum number of bytes allowed in one second.
  • Page 600 Configuring ACL ACL Configuration Configuring IP ACL Rule Click Edit ACL for an IP ACL entry to load the following page. Figure 2-9 Configuring the IP ACL Rule In ACL Rules Table section, click and the following page will appear. Configuration Guide...
  • Page 601 Configuring ACL ACL Configuration Figure 2-10 Configuring the IP ACL Rule Follow these steps to configure the IP ACL rule: 1) In the IP ACL Rule section, configure the following parameters: Rule ID Enter an ID number to identify the rule. It should not be the same as any current rule ID in the same ACL.
  • Page 602 Configuring ACL ACL Configuration S-IP/Mask Enter the source IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched. D-IP/Mask Enter the destination IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched.
  • Page 603 Configuring ACL ACL Configuration Figure 2-11 Configuring Mirroring 3) In the Policy section, enable or disable the Redirect feature for the matched packets. With this option enabled, choose a destination port to which the packets will be redirected. Figure 2-12 Configuring Redirect Note: In the Mirroring feature, the matched packets will be copied to the destination port and the original forwarding will not be affected.
  • Page 604 Configuring ACL ACL Configuration Out of Band Select the action for the packets whose rate is beyond the specified rate. None: The packets will be forwarded normally. Drop: The packets will be discarded. 5) In the Policy section, enable or disable the QoS Remark feature for the matched packets.
  • Page 605 Configuring ACL ACL Configuration Figure 2-16 Configuring the Combined ACL Rule Follow these steps to configure the Combined ACL rule: 1) In the Combined ACL Rule section, configure the following parameters: Rule ID Enter an ID number to identify the rule. It should not be the same as any current rule ID in the same ACL.
  • Page 606 Configuring ACL ACL Configuration Operation Select an action to be taken when a packet matches the rule. Permit: To forward the matched packets. Deny: To discard the matched packets. S-MAC/Mask Enter the source MAC address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched.
  • Page 607 Configuring ACL ACL Configuration User Priority Specify the User Priority to be matched. Time Range Select a time range during which the rule will take effect. The default value is No Limit, which means the rule is always in effect. The Time Range referenced here can be created on the SYSTEM >...
  • Page 608 Configuring ACL ACL Configuration Figure 2-19 Configuring Rate Limit Rate Specify the transmission rate for the matched packets. Burst Size Specify the maximum number of bytes allowed in one second. Out of Band Select the action for the packets whose rate is beyond the specified rate. None: The packets will be forwarded normally.
  • Page 609 Configuring ACL ACL Configuration Configuring the IPv6 ACL Rule Click Edit ACL for an IPv6 ACL entry to load the following page. Figure 2-21 Configuring the IPv6 ACL Rule In ACL Rules Table section, click and the following page will appear. Figure 2-22 Configuring the IPv6 ACL Rule Configuration Guide...
  • Page 610 Configuring ACL ACL Configuration Follow these steps to configure the IPv6 ACL rule: 1) In the IPv6 ACL Rule section, configure the following parameters: Rule ID Enter an ID number to identify the rule. It should not be the same as any current rule ID in the same ACL. If you select Auto Assign, the rule ID will be assigned automatically and the interval between rule IDs is 5.
  • Page 611 Configuring ACL ACL Configuration 2) In the Policy section, enable or disable the Mirroring feature for the matched packets. With this option enabled, choose a destination port to which the packets will be mirrored. Figure 2-23 Configuring Mirroring 3) In the Policy section, enable or disable the Redirect feature for the matched packets. With this option enabled, choose a destination port to which the packets will be redirected.
  • Page 612 Configuring ACL ACL Configuration Burst Size Specify the number of bytes allowed in one second. Out of Band Select the action for the packets whose rate is beyond the specified rate. None: The packets will be forwarded normally. Drop: The packets will be discarded. 5) In the Policy section, enable or disable the QoS Remark feature for the matched packets.
  • Page 613 Configuring ACL ACL Configuration Here you can view and edit the ACL rules. You can also click Resequence to resequence the rules by providing a Start Rule ID and Step value. 2.1.4 Configuring ACL Binding You can bind the ACL to a port or a VLAN. The received packets on the port or in the VLAN will then be matched and processed according to the ACL rules.
  • Page 614 Configuring ACL ACL Configuration Binding the ACL to a VLAN Choose the menu SECURITY > ACL > ACL Binding > VLAN Binding to load the following page. Figure 2-29 Binding the ACL to a VLAN Follow these steps to bind the ACL to a VLAN: 1) Choose ID or Name to be used for matching the ACL.
  • Page 615 Configuring ACL ACL Configuration Step 2 access-list create acl-id [name acl-name ] Create a MAC ACL. acl-id: Enter an ACL ID. The ID ranges from 0 to 499. acl-name: Enter a name to identify the ACL. Step 3 access-list mac acl-id-or-name rule { auto | rule-id } { deny | permit } logging {enable | disable} [ smac source-mac smask source-mac-mask ] [dmac destination-mac dmask destination-mac-mask ] [type ether-type] [pri dot1p-priority ] [vid vlan-id ] [tseg time-range-name ] Add a MAC ACL Rule.
  • Page 616 Configuring ACL ACL Configuration Step 7 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create MAC ACL 50 and configure Rule 5 to permit packets with source MAC address 00:34:A2:D4:34:B5: Switch#configure Switch(config)#access-list create 50 Switch(config-mac-acl)#access-list mac 50 rule 5 permit logging disable smac 00:34:A2:D4:34:B5 smask FF:FF:FF:FF:FF:FF Switch(config-mac-acl)#exit...
  • Page 617 Configuring ACL ACL Configuration Step 3 access-list ip acl-id-or-name rule {auto | rule-id } {deny | permit} logging {enable | disable} [sip sip-address sip-mask sip-address-mask ] [ dip dip-address dip-mask dip-address-mask ] [dscp dscp-value ] [tos tos-value ] [pre pre-value ] [frag {enable | disable}] [protocol protocol [s-port s-port-number s-port-mask s-port-mask ] [d-port d-port-number d-port-mask d-port-mask ] [tcpflag tcpflag ]] [tseg time-range-name ] Add rules to the ACL.
  • Page 618 Configuring ACL ACL Configuration Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create IP ACL 600, and configure Rule 1 to permit packets with source IP address 192.168.1.100: Switch#configure Switch(config)#access-list create 600 Switch(config)#access-list ip 600 rule 1 permit logging disable sip 192.168.1.100 sip-mask 255.255.255.255 Switch(config)#show access-list 600...
  • Page 619 Configuring ACL ACL Configuration Step 3 access-list combined acl-id-or-name rule {auto | rule-id } {deny | permit} logging {enable | disable} [smac source-mac-address smask source-mac-mask ] [dmac dest-mac-address dmask dest-mac-mask ] [vid vlan-id ] [type ether-type ] [pri priority ] [sip sip-address sip-mask sip-address-mask ] [dip dip-address dip-mask dip-address-mask ] [dscp dscp-value ] [tos tos-value ] [pre pre-value ] [protocol protocol [s-port s-port-number s-port-mask s-port-mask ] [d-port d-port-number d-port-mask d-port-mask ] [tcpflag tcpflag ]] [tseg time-range-name ]...
  • Page 620 Configuring ACL ACL Configuration protocol: Specify a protocol number between 0 and 255. s-port-number: With TCP or UDP configured as the protocol, specify the source port number. s-port-mask: With TCP or UDP configured as the protocol, specify the source port mask with 4 hexadecimal numbers.
  • Page 621 Configuring ACL ACL Configuration Step 2 access-list create acl-id [name acl-name ] Create an IPv6 ACL. acl-id: Enter an ACL ID. The ID ranges from 1500 to 1999. acl-name: Enter a name to identify the ACL. Step 3 access-list ipv6 acl-id-or-name rule {auto | rule-id } {deny | permit} logging {enable | disable} [class class-value ] [flow-label flow-label-value ] [sip source-ip-address sip-mask source-ip-mask ] [dip destination-ip-address dip-mask destination-ip-mask ] [s-port source-port-number ] [d-port destination-port-number ] [tseg time-range-name ]...
  • Page 622 Configuring ACL ACL Configuration The following example shows how to create IPv6 ACL 1600 and configure Rule 1 to deny packets with source IPv6 address CDCD:910A:2222:5498:8475:1111:3900:2020: Switch#configure Switch(config)#access-list create 1600 Switch(config)#access-list ipv6 1600 rule 1 deny logging disable sip CDCD:910A:2222:5498:8475:1111:3900:2020 sip-mask ffff:ffff:ffff:ffff Switch(config)#show access-list 1600 IPv6 access list 1600 name: ACL_1600 rule 1 deny logging disable sip cdcd:910a:2222:5498:8475:1111:3900:2020 sip-mask ffff:ff...
  • Page 623 Configuring ACL ACL Configuration rule 11 permit logging disable vid 18 rule 21 permit logging disable dmac aa:cc:ee:ff:dd:33 dmask ff:ff:ff:ff:ff:ff Switch(config)#end Switch#copy running-config startup-config 2.2.3 Configuring Policy Policy allows you to further process the matched packets through operations such as mirroring, rate-limiting, redirecting, or changing priority.
  • Page 624 Configuring ACL ACL Configuration Step 3 redirect interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } (Optional) Define the policy to redirect the matched packets to the desired port. port: The destination port to which the packets will be redirected. The default is All. s-mirror interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } (Optional) Define the policy to mirror the matched packets to the desired port.
  • Page 625 Configuring ACL ACL Configuration MAC access list 10 name: ACL_10 rule 5 permit logging disable action redirect Gi1/0/4 Switch(config)#end Switch#copy running-config startup-config 2.2.4 Configuring ACL Binding You can bind the ACL to a port or a VLAN. The received packets on the port or in the VLAN will then be matched and processed according to the ACL rules.
  • Page 626 Configuring ACL ACL Configuration ACL ID ACL NAME Interface/VID Direction Type ----- ---------- ------------- ------- ---- ACL_1 Gi1/0/3 Ingress Port ACL_1 Ingress VLAN Switch(config)#end Switch#copy running-config startup-config 2.2.5 Viewing ACL Counting You can use the following command to view the number of matched packets of each ACL in the privileged EXEC mode and any other configuration mode: show access-list acl-id-or-name counter View the number of matched packets of the specific ACL.
  • Page 627 Configuring ACL Configuration Example for ACL Configuration Example for ACL Network Requirements As shown below, a company’s internal server group can provide different types of services. Computers in the Marketing department are connected to the switch via port 1/0/1, and the internal server group is connected to the switch via port 1/0/2.
  • Page 628 Configuring ACL Configuration Example for ACL Configure four permit rules to match the packets with source IP address 10.10.70.0/24, and destination ports TCP 80, TCP 443 and TCP/UDP 53. These allow the Marketing department to visit http and https websites on the internet. Configure a deny rule to match the packets with source IP address 10.10.70.0/24.
  • Page 629 Configuring ACL Configuration Example for ACL Figure 3-4 Editing IP ACL 4) Configure rule 1 to permit packets with the source IP address 10.10.70.0/24 and destination IP address 10.10.80.0/24. Figure 3-5 Configuring Rule 1 5) In the same way, configure rule 2 and rule 3 to permit packets with source IP 10.10.70.0 and destination port TCP 80 (http service port) and TCP 443 (https service port).
  • Page 630 Configuring ACL Configuration Example for ACL Figure 3-6 Configuring Rule 2 Configuration Guide...
  • Page 631 Configuring ACL Configuration Example for ACL Figure 3-7 Configuring Rule 3 Configuration Guide...
  • Page 632 Configuring ACL Configuration Example for ACL 6) In the same way, configure rule 4 and rule 5 to permit packets with source IP 10.10.70.0 and with destination port TCP 53 or UDP 53 (DNS service port). Figure 3-8 Configuring Rule 4 Configuration Guide...
  • Page 633 Configuring ACL Configuration Example for ACL Figure 3-9 Configuring Rule 5 7) In the same way, configure rule 6 to deny packets with source IP 10.10.70.0. Figure 3-10 Configuring Rule 6 Configuration Guide...
  • Page 634 Configuring ACL Configuration Example for ACL 8) Choose the menu SECURITY > ACL > ACL Binding and click to load the following page. Bind Policy Market to port 1/0/1 to make it take effect. Figure 3-11 Binding the Policy to Port 1/0/1 9) Click to save the settings.
  • Page 635 Configuring ACL Configuration Example for ACL Switch(config)#access-list ip 500 rule 5 permit logging disable sip 10.10.70.0 sip-mask 255.255.255.0 protocol 17 d-port 53 d-port-mask ffff 5) Configure rule 6 to deny packets with source IP 10.10.70.0/24. Switch(config)#access-list ip 500 rule 6 deny logging disable sip 10.10.70.0 sip-mask 255.255.255.0 6) Bind ACL500 to port 1.
  • Page 636 Configuring ACL Appendix: Default Parameters Appendix: Default Parameters The default settings of ACL are listed in the following tables: Table 4-1 MAC ACL Parameter Default Setting Operation Permit User Priority No Limit Time-Range No Limit Table 4-2 IP ACL Parameter Default Setting Operation Permit...
  • Page 637 Configuring ACL Appendix: Default Parameters Table 4-5 Policy Parameter Default Setting Mirroring Disabled Redirect Disabled Rate Limit Disabled QoS Remark Disabled Configuration Guide...
  • Page 638 Part 20 Configuring IPv4 IMPB CHAPTERS 1. IPv4 IMPB 2. IP-MAC Binding Configuration 3. ARP Detection Configuration 4. IPv4 Source Guard Configuration 5. Configuration Examples 6. Appendix: Default Parameters...
  • Page 639 Configuring IPv4 IMPB IPv4 IMPB IPv4 IMPB Overview IPv4 IMPB (IP-MAC-Port Binding) is used to bind the IP address, MAC address, VLAN ID and the connected port number of the specified host. Based on the binding table, the switch can prevent ARP cheating attacks with the ARP Detection feature and filter the packets that don’t match the binding entries with the IP Source Guard feature.
  • Page 640 Configuring IPv4 IMPB IP-MAC Binding Configuration IP-MAC Binding Configuration You can add IP-MAC Binding entries in three ways: Manual Binding, Via ARP Scanning, and Via DHCP Snooping. Additionally, you can view, search and edit the entries in the Binding Table. 2.1 Using the GUI 2.1.1 Binding Entries Manually You can manually bind the IP address, MAC address, VLAN ID and the Port number...
  • Page 641 Configuring IPv4 IMPB IP-MAC Binding Configuration 1) Enter the following information to specify a host. Host Name Enter the host name for identification. IP Address Enter the IP address. MAC Address Enter the MAC address. VLAN ID Enter the VLAN ID. 2) Select protect type for the entry.
  • Page 642 Configuring IPv4 IMPB IP-MAC Binding Configuration Choose the menu SECURITY > IPv4 IMPB > IP-MAC Binding > ARP Scanning to load the following page. Figure 2-2 ARP Scanning Follow these steps to configure IP-MAC Binding via ARP scanning: 1) In the Scanning Option section, specify an IP address range and a VLAN ID. Then click Scan to scan the entries in the specified IP address range and VLAN.
  • Page 643 Configuring IPv4 IMPB IP-MAC Binding Configuration Protect Type Select the protect type for the entry. The entry will be applied to the specific feature. The following options are provided: None: This entry will not be applied to any feature. ARP Detection: This entry will be applied to the ARP Detection feature.
  • Page 644 Configuring IPv4 IMPB IP-MAC Binding Configuration Choose the menu SECURITY > IPv4 IMPB > IP-MAC Binding > DHCP Snooping to load the following page. Figure 2-3 DHCP Snooping Follow these steps to configure IP-MAC Binding via DHCP Snooping: 1) In the Global Config section, globally enable DHCP Snooping. Click Apply. 2) In the VLAN Config section, enable DHCP Snooping on a VLAN or range of VLANs.
  • Page 645 Configuring IPv4 IMPB IP-MAC Binding Configuration Maximum Entries Configure the maximum number of binding entries a port can learn via DHCP snooping Displays the LAG that the port is in. 4) The learned entries will be displayed in the Binding Table. You can go to SECURITY > IPv4 IMPB >...
  • Page 646 Configuring IPv4 IMPB IP-MAC Binding Configuration VLAN ID Displays the VLAN ID. Port Displays the port number. Protect Type Select the protect type for the entry. The entry will be applied to the specific feature. The following options are provided: None: This entry will not be applied to any feature.
  • Page 647 Configuring IPv4 IMPB IP-MAC Binding Configuration Step 2 ip source binding hostname ip-addr mac-addr vlan vlan-id interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id } { none | arp-detection | ip-verify-source | both } Manually bind the host name, IP address, MAC address, VLAN ID and port number of the host, and configure the protect type for the host.
  • Page 648 Configuring IPv4 IMPB IP-MAC Binding Configuration 2.2.2 Binding Entries via DHCP Snooping Follow these steps to bind entries via DHCP Snooping: Step 1 configure Enter global configuration mode. Step 2 ip dhcp snooping Globally enable DHCP Snooping. Step 3 ip dhcp snooping vlan vlan-range Enable DHCP Snooping on the specified VLAN.
  • Page 649 Configuring IPv4 IMPB IP-MAC Binding Configuration VLAN ID: 5 Switch(config-if)#show ip dhcp snooping interface gigabitEthernet 1/0/1 Interface max-entries LAG --------- ----------- Gi1/0/1 Switch(config-if)#end Switch#copy running-config startup-config 2.2.3 Viewing Binding Entries On privileged EXEC mode or any other configuration mode, you can use the following command to view binding entries: show ip source binding View the information of binding entries, including the host name, IP address, MAC address, VLAN ID, port...
  • Page 650 Configuring IPv4 IMPB ARP Detection Configuration ARP Detection Configuration To complete ARP Detection configuration, follow these steps: 1) Add IP-MAC Binding entries. 2) Enable ARP Detection. 3) Configure ARP Detection on ports. 4) View ARP statistics. 3.1 Using the GUI 3.1.1 Adding IP-MAC Binding Entries In ARP Detection, the switch detects the ARP packets based on the binding entries in the IP-MAC Binding Table.
  • Page 651 Configuring IPv4 IMPB ARP Detection Configuration ARP Detect Enable or disable ARP Detection globally. Validate Source Enable or disable the switch to check whether the source MAC address and the sender MAC address are the same when receiving an ARP packet. If not, the ARP packet will be discarded.
  • Page 652 Configuring IPv4 IMPB ARP Detection Configuration Follow these steps to configure ARP Detection on ports: 1) Select one or more ports and configure the parameters. Trust Status Enable or disable this port to be a trusted port. On a trusted port, the ARP packets are forwarded directly without being checked.
  • Page 653 Configuring IPv4 IMPB ARP Detection Configuration In the Auto Refresh section, you can enable the auto refresh feature and specify the refresh interval, and thus the web page will be automatically refreshed. In the Illegal ARP Packet section, you can view the number of illegal ARP packets in each VLAN.
  • Page 654 Configuring IPv4 IMPB ARP Detection Configuration Step 5 ip arp inspection vlan vlan-list logging (Optional) Enable the Log feature to make the switch generate a log when an ARP packet is discarded. vlan-list: Enter the VLAN ID. The format is 1,5-9. Step 6 show ip arp inspection...
  • Page 655 Configuring IPv4 IMPB ARP Detection Configuration Step 1 configure Enter global configuration mode. Step 2 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Enter interface configuration mode. Step 3 ip arp inspection trust Configure the port as a trusted port, on which the ARP Detection function will not take...
  • Page 656 Configuring IPv4 IMPB ARP Detection Configuration Switch(config-if)#ip arp inspection burst-interval 2 Switch(config-if)#show ip arp inspection interface gigabitEthernet 1/0/2 Interface Trust state limit Rate(pps) Current speed(pps) Burst Interval Status LAG --------- ----------- --------------- ------------------ -------------- -------- --- Gi1/0/2 Enable Switch(config-if)#end Switch#copy running-config startup-config The following example shows how to restore the port 1/0/1 that is in Down status to Normal status: Switch#configure...
  • Page 657 Configuring IPv4 IMPB IPv4 Source Guard Configuration IPv4 Source Guard Configuration To complete IPv4 Source Guard configuration, follow these steps: 1) Add IP-MAC Binding entries. 2) Configure IPv4 Source Guard. Using the GUI 4.1.1 Adding IP-MAC Binding Entries In IPv4 Source Guard, the switch filters the packets that do not match the rules of IPv4-MAC Binding Table.
  • Page 658 Configuring IPv4 IMPB IPv4 Source Guard Configuration Follow these steps to configure IPv4 Source Guard: 1) In the Global Config section, choose whether to enable the Log feature. Click Apply. IPv4 Source Guard Log Enable or disable IPv4 Source Guard Log feature. With this feature enabled, the switch generates a log when illegal packets are received.
  • Page 659 Configuring IPv4 IMPB IPv4 Source Guard Configuration Step 3 ip verify source { sip+mac | sip } Enable IP Source Guard for IPv4 packets. sip+mac: Only the packet with its source IP address, source MAC address and port number matching the IP-MAC binding rules can be processed, otherwise the packet will be discarded.
  • Page 660 Configuring IPv4 IMPB Configuration Examples Configuration Examples 5.1 Example for ARP Detection 5.1.1 Network Requirements As shown below, User 1 and User 2 are legal users in the LAN and connected to port 1/0/1 and port 1/0/2. Both of them are in the default VLAN 1. The router has been configured with security feature to prevent attacks from the WAN.
  • Page 661 Configuring IPv4 IMPB Configuration Examples 3) Configure ARP Detection on ports. Since port 1/0/3 is connected to the gateway router, set port 1/0/3 as trusted port. To prevent ARP flooding attacks, limit the speed of receiving the legal ARP packets on all ports. Demonstrated with T1500-28PCT, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.
  • Page 662 Configuring IPv4 IMPB Configuration Examples Figure 5-3 Binding Entry for User 2 3) Choose the menu SECURITY > IPv4 IMPB > ARP Detection > Global Config to load the following page. Enable ARP Detect, Validate Source MAC, Validate Destination MAC and Validate IP, and click Apply.
  • Page 663 Configuring IPv4 IMPB Configuration Examples Figure 5-5 Port Config 5) Click to save the settings. 5.1.4 Using the CLI 1) Manually bind the entries for User 1 and User 2. Switch_A#configure Switch_A(config)#ip source binding User1 192.168.0.31 74:d3:45:32:b6:8d vlan 1 interface fastEthernet 1/0/1 arp-detection Switch_A(config)#ip source binding User1 192.168.0.32 88:a9:d4:54:fd:c3 vlan 1 interface fastEthernet 1/0/2 arp-detection 2) Enable ARP Detection globally and on VLAN 1.
  • Page 664 Configuring IPv4 IMPB Configuration Examples Verify the Configuration Verify the IP-MAC Binding entries: Switch_A#show ip source binding Host IP-Addr MAC-Addr VID Port SOURCE ---- ------- -------- ---- ------ User1 192.168.0.31 74:d3:45:32:b6:8d Fa1/0/1 ARP-D Manual User2 192.168.0.33 88:a9:d4:54:fd:c3 Fa1/0/2 ARP-D Manual Notice: 1.Here, ‘ARP-D’...
  • Page 665 Configuring IPv4 IMPB Configuration Examples Example for IP Source Guard 5.2.1 Network Requirements As shown below, the legal host connects to the switch via port 1/0/1 and belongs to the default VLAN 1. It is required that only the legal host can access the network via port 1/0/1, and other unknown hosts will be blocked when trying to access the network via ports 1/0/1-3.
  • Page 666 Configuring IPv4 IMPB Configuration Examples Figure 5-7 Manual Binding 2) Choose the menu SECURITY > IPv4 IMPB > IPv4 Source Guard to load the following page. Enable IPv4 Source Guard Logging to make the switch generate logs when receiving illegal packets, and click Apply. Select ports 1/0/1-3, configure the Security Type as SIP+MAC, and click Apply.
  • Page 667 Configuring IPv4 IMPB Configuration Examples 5.2.4 Using the CLI 1) Manually bind the IP address, MAC address, VLAN ID and connected port number of the legal host, and apply this entry to the IP Source Guard feature. Switch#configure Switch(config)#ip source binding legal-host 192.168.0.100 74:d3:45:32:b5:6d vlan 1 interface fastEthernet 1/0/1 ip-verify-source 2) Enable the log feature and IP Source Guard on ports 1/0/1-3.
  • Page 668 Configuring IPv4 IMPB Appendix: Default Parameters Appendix: Default Parameters Default settings of DHCP Snooping are listed in the following table: Table 6-1 DHCP Snooping Parameter Default Setting Global Config DHCP Snooping Disable VLAN Config Status Disable Port Config Maximum Entry Default settings of ARP Detection are listed in the following table: Table 6-2 ARP Detection...
  • Page 669 Configuring IPv4 IMPB Appendix: Default Parameters Parameter Default Setting Burst Interval 1 second ARP Statistics Auto Refresh Disable Refresh Interval 5 seconds Default settings of IPv4 Source Guard are listed in the following table: Table 6-3 ARP Detection Parameter Default Setting Global Config IPv4 Source Guard Log: Disable...
  • Page 670 Part 21 Configuring IPv6 IMPB CHAPTERS 1. IPv6 IMPB 2. IPv6-MAC Binding Configuration 3. ND Detection Configuration 4. IPv6 Source Guard Configuration 5. Configuration Examples 6. Appendix: Default Parameters...
  • Page 671 Configuring IPv6 IMPB IPv6 IMPB IPv6 IMPB Overview IPv6 IMPB (IP-MAC-Port Binding) is used to bind the IPv6 address, MAC address, VLAN ID and the connected port number of the specified host. Based on the binding table, the switch can prevent ND attacks with the ND Detection feature and filter the packets that don’t match the binding entries with the IPv6 Source Guard feature.
  • Page 672 Configuring IPv6 IMPB IPv6 IMPB Figure 1-1 Network Topology of ND Detection [figure: User A, Attacker, Gateway and Switch, with trusted and untrusted ports] IPv6 Source Guard IPv6 Source Guard is used to filter the IPv6 packets based on the IPv6-MAC Binding table. Only the packets that match the binding rules are forwarded.
  • Page 673 Configuring IPv6 IMPB IPv6-MAC Binding Configuration IPv6-MAC Binding Configuration You can add IPv6-MAC Binding entries in three ways: • Manual Binding • Via ND Snooping • Via DHCPv6 Snooping Additionally, you can view, search and edit the entries in the Binding Table. Using the GUI 2.1.1 Binding Entries Manually You can manually bind the IPv6 address, MAC address, VLAN ID and the Port number
  • Page 674 Configuring IPv6 IMPB IPv6-MAC Binding Configuration 1) Enter the following information to specify a host. Host Name Enter the host name for identification. IPv6 Address Enter the IPv6 address. MAC Address Enter the MAC address. VLAN ID Enter the VLAN ID. 2) Select protect type for the entry.
  • Page 675 Configuring IPv6 IMPB IPv6-MAC Binding Configuration Choose the menu SECURITY > IPv6 IMPB > IPv6-MAC Binding > ND Snooping to load the following page. Figure 2-2 ND Snooping Follow these steps to configure IPv6-MAC Binding via ND Snooping: 1) In the ND Snooping section, enable ND Snooping and click Apply. 2) In the VLAN Config section, select one or more VLANs and enable ND Snooping.
  • Page 676 Configuring IPv6 IMPB IPv6-MAC Binding Configuration Port Displays the port number. Maximum Entries Configure the maximum number of binding entries a port can learn via ND snooping. Displays the LAG that the port is in. 4) The learned entries will be displayed in the Binding Table. You can go to SECURITY > IPv6 IMPB >...
  • Page 677 Configuring IPv6 IMPB IPv6-MAC Binding Configuration Choose the menu SECURITY > IPv6 IMPB > IPv6-MAC Binding > DHCPv6 Snooping to load the following page. Figure 2-3 DHCPv6 Snooping Follow these steps to configure IPv6-MAC Binding via DHCPv6 Snooping: 1) In the Global Config section, globally enable DHCPv6 Snooping. Click Apply. 2) In the VLAN Config section, enable DHCPv6 Snooping on a VLAN or range of VLANs.
  • Page 678 Configuring IPv6 IMPB IPv6-MAC Binding Configuration Maximum Entries Configure the maximum number of binding entries a port can learn via DHCPv6 snooping. Displays the LAG that the port is in. 4) The learned entries will be displayed in the Binding Table. You can go to SECURITY > IPv6 IMPB >...
  • Page 679 Configuring IPv6 IMPB IPv6-MAC Binding Configuration MAC Address Displays the MAC address. VLAN ID Displays the VLAN ID. Port Displays the port number. Protect Type Select the protect type for the entry. The entry will be applied to the specific feature.
  • Page 680 Configuring IPv6 IMPB IPv6-MAC Binding Configuration Step 2 ipv6 source binding hostname ipv6-addr mac-addr vlan vlan-id interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id } { none | nd-detection | ipv6-verify-source | both } Manually bind the host name, IP address, MAC address, VLAN ID and port number of the host, and configure the protect type for the host.
  • Page 681 Configuring IPv6 IMPB IPv6-MAC Binding Configuration 2.2.2 Binding Entries via ND Snooping Follow these steps to bind entries via ND Snooping: Step 1 configure Enter global configuration mode. Step 2 ipv6 nd snooping Globally enable ND Snooping. Step 3 ipv6 nd snooping vlan vlan-range Enable ND Snooping on the specified VLAN.
  • Page 682 Configuring IPv6 IMPB IPv6-MAC Binding Configuration Switch(config)#end Switch#copy running-config startup-config The following example shows how to configure the maximum number of entries that can be learned on port 1/0/1: Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#ipv6 nd snooping max-entries 1000 Switch(config-if)#show ipv6 nd snooping interface gigabitEthernet 1/0/1 Interface max-entries --------- -----------...
  • Page 683 Configuring IPv6 IMPB IPv6-MAC Binding Configuration Step 6 show ipv6 dhcp snooping Verify global configuration of DHCPv6 Snooping. Step 7 Return to privileged EXEC mode. Step 8 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable DHCPv6 Snooping globally and on VLAN 5, and set the maximum number of binding entries port 1/0/1 can learn via DHCPv6 snooping as 100: Switch#configure...
  • Page 684 Configuring IPv6 IMPB ND Detection Configuration ND Detection Configuration To complete ND Detection configuration, follow these steps: 1) Add IPv6-MAC Binding entries. 2) Enable ND Detection. 3) Configure ND Detection on ports. 4) View ND statistics. 3.1 Using the GUI 3.1.1 Adding IPv6-MAC Binding Entries The ND Detection feature allows the switch to detect the ND packets based on the binding entries in the IPv6-MAC Binding Table and filter out the illegal ND packets.
  • Page 685 Configuring IPv6 IMPB ND Detection Configuration 2) In the VLAN Config section, enable ND Detection on the selected VLANs. Click Apply. VLAN ID Displays the VLAN ID. Status Enable or disable ND Detection on the VLAN. Log Status Enable or disable Log feature on the VLAN. With this feature enabled, the switch generates a log when an illegal ND packet is discarded.
  • Page 686 Configuring IPv6 IMPB ND Detection Configuration 3.1.4 Viewing ND Statistics You can view the number of the illegal ND packets received on each port, which facilitates you to locate the network malfunction and take the related protection measures. Choose the menu SECURITY > IPv6 IMPB > ND Detection > ND Statistics to load the following page.
  • Page 687 Configuring IPv6 IMPB ND Detection Configuration Step 1 configure Enter global configuration mode. Step 2 ipv6 nd detection Globally enable the ND Detection feature. Step 3 ipv6 nd detection vlan vlan-range Enable ND Detection on the specified VLAN. vlan-range: Enter the vlan range in the format of 1-3, 5. Step 4 ipv6 nd detection vlan vlan-range logging...
  • Page 688 Configuring IPv6 IMPB ND Detection Configuration 3.2.3 Configuring ND Detection on Ports Follow these steps to configure ND Detection on ports: Step 1 configure Enter global configuration mode. Step 2 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Enter interface configuration mode.
  • Page 689 Configuring IPv6 IMPB ND Detection Configuration show ipv6 nd detection statistics View the ND statistics on each port, including the number of forwarded ND packets and the number of dropped ND packets. Configuration Guide...
  • Page 690 Configuring IPv6 IMPB IPv6 Source Guard Configuration IPv6 Source Guard Configuration To complete IPv6 Source Guard configuration, follow these steps: 1) Add IP-MAC Binding entries. 2) Configure IPv6 Source Guard. 4.1 Using the GUI 4.1.1 Adding IPv6-MAC Binding Entries The ND Detection feature allows the switch to detect the ND packets based on the binding entries in the IPv6-MAC Binding Table and filter out the illegal ND packets.
  • Page 691 Configuring IPv6 IMPB IPv6 Source Guard Configuration Follow these steps to configure IPv6 Source Guard: 1) Select one or more ports and configure the protect type for ports. Port Displays the port number. Security Type Select Security Type on the port for IPv6 packets. The following options are provided: Disable: The IP Source Guard feature is disabled on the port.
  • Page 692 Configuring IPv6 IMPB IPv6 Source Guard Configuration Step 3 ipv6 verify source { sipv6+mac | sipv6 } Enable IPv6 Source Guard for IPv6 packets. sipv6+mac: Only the packet with its source IP address, source MAC address and port number matching the IPv6-MAC binding rules can be processed, otherwise the packet will be discarded.
  • Page 693 Configuring IPv6 IMPB Configuration Examples Configuration Examples Example for ND Detection 5.1.1 Network Requirements As shown below, User 1 and User 2 are legal IPv6 users in the LAN and connected to port 1/0/1 and port 1/0/2. Both of them are in the default VLAN 1. The router has been configured with security feature to prevent attacks from the WAN.
  • Page 694 Configuring IPv6 IMPB Configuration Examples 3) Configure ND Detection on ports. Since port 1/0/3 is connected to the gateway router, set port 1/0/3 as trusted port. Demonstrated with T1500-28PCT, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. 5.1.3 Using the GUI 1) Choose the menu SECURITY >...
  • Page 695 Configuring IPv6 IMPB Configuration Examples Figure 5-3 Binding Entry for User 2 3) Choose the menu SECURITY > IPv6 IMPB > ND Detection > Global Config to load the following page. Enable ND Detection and click Apply. Select VLAN 1, change Status as Enabled and click Apply.
  • Page 696 Configuring IPv6 IMPB Configuration Examples Figure 5-5 Port Config 5) Click to save the settings. 5.1.4 Using the CLI 1) Manually bind the entries for User 1 and User 2. Switch_A#configure Switch_A(config)#ipv6 source binding User1 2001::5 74:d3:45:32:b6:8d vlan 1 interface fastEthernet 1/0/1 nd-detection Switch_A(config)#ipv6 source binding User2 2001::6 88:a9:d4:54:fd:c3 vlan 1 interface fastEthernet 1/0/2 nd-detection 2) Enable ND Detection globally and on VLAN 1.
  • Page 697 Configuring IPv6 IMPB Configuration Examples Host IP-Addr MAC-Addr VID Port SOURCE ---- ------- -------- ---- ------ User1 2001::5 74:d3:45:32:b6:8d Fa1/0/1 ND-D Manual User2 2001::6 88:a9:d4:54:fd:c3 Fa1/0/2 ND-D Manual Notice: 1.Here, ‘ND-D’ for ‘ND-Detection’,and’IP-V-S’ for ‘IP-Verify-Source’. Verify the global configuration of ND Detection: Switch_A#show ipv6 nd detection Global Status: Enable Verify the ND Detection configuration on VLAN:...
  • Page 698 Configuring IPv6 IMPB Configuration Examples 5.2 Example for IPv6 Source Guard 5.2.1 Network Requirements As shown below, the legal IPv6 host connects to the switch via port 1/0/1 and belongs to the default VLAN 1. It is required that only the legal host can access the network via port 1/0/1, and other unknown hosts will be blocked when trying to access the network via ports 1/0/1-3.
  • Page 699 Configuring IPv6 IMPB Configuration Examples Figure 5-7 Manual Binding 2) Choose the menu SECURITY > IPv6 IMPB > IPv6 Source Guard to load the following page. Select ports 1/0/1-3, configure the Security Type as SIP+MAC, and click Apply. Figure 5-8 IPv6 Source Guard 3) Click to save the settings.
  • Page 700 Configuring IPv6 IMPB Configuration Examples 5.2.4 Using the CLI 1) Manually bind the IPv6 address, MAC address, VLAN ID and connected port number of the legal host, and apply this entry to the IPv6 Source Guard feature. Switch#configure Switch(config)#ipv6 source binding legal-host 2001::5 74:d3:45:32:b6:8d vlan 1 interface fastEthernet 1/0/1 ipv6-verify-source 2) Enable IPv6 Source Guard on ports 1/0/1-3.
  • Page 701 Configuring IPv6 IMPB Appendix: Default Parameters Appendix: Default Parameters Default settings of DHCP Snooping are listed in the following table: Table 6-1 DHCPv6 Snooping Parameter Default Setting Global Config DHCPv6 Snooping Disable VLAN Config Status Disable Port Config Maximum Entry Default settings of ND Detection are listed in the following table: Table 6-2 ND Detection...
  • Page 702 Configuring IPv6 IMPB Appendix: Default Parameters Default settings of IPv6 Source Guard are listed in the following table: Table 6-3 ND Detection Parameter Default Setting Port Config Security Type Disable Configuration Guide...
  • Page 703 Part 22 Configuring DHCP Filter CHAPTERS 1. DHCP Filter 2. DHCPv4 Filter Configuration 3. DHCPv6 Filter Configuration 4. Configuration Examples 5. Appendix: Default Parameters...
  • Page 704 Configuring DHCP Filter DHCP Filter DHCP Filter 1.1 Overview During the working process of DHCP, generally there is no authentication mechanism between the DHCP server and the clients. If there are several DHCP servers on the network, security problems and network interference will happen. DHCP Filter resolves this problem.
  • Page 705 Configuring DHCP Filter DHCP Filter DHCPv4 Filter DHCPv4 Filter is used for DHCPv4 servers and IPv4 clients. DHCPv6 Filter DHCPv6 Filter is used for DHCPv6 servers and IPv6 clients. Configuration Guide...
  • Page 706 Configuring DHCP Filter DHCPv4 Filter Configuration DHCPv4 Filter Configuration To complete DHCPv4 Filter configuration, follow these steps: 1) Configure the basic DHCPv4 Filter parameters. 2) Configure legal DHCPv4 servers. 2.1 Using the GUI 2.1.1 Configuring the Basic DHCPv4 Filter Parameters Choose the menu SECURITY >...
  • Page 707 Configuring DHCP Filter DHCPv4 Filter Configuration Port Displays the port number. Status Enable or disable DHCPv4 Filter feature on the port. MAC Verify Enable or disable the MAC Verify feature. There are two fields in the DHCPv4 packet that contain the MAC address of the host. The MAC Verify feature compares the two fields of a DHCPv4 packet and discards the packet if the two fields are different.
  • Page 708 Configuring DHCP Filter DHCPv4 Filter Configuration 2.1.2 Configuring Legal DHCPv4 Servers Choose the menu SECURITY > DHCP Filter > DHCPv4 Filter > Legal DHCPv4 Servers and click to load the following page. Figure 2-2 Adding Legal DHCPv4 Server Follow these steps to add a legal DHCPv4 server: 1) Configure the following parameters: Server IP Address Specify the IP address of the legal DHCPv4 server.
  • Page 709 Configuring DHCP Filter DHCPv4 Filter Configuration Step 3 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | interface port-channel port-channel-id | interface range port-channel port-channel-id-list } Enter interface configuration mode.
  • Page 710 Configuring DHCP Filter DHCPv4 Filter Configuration Switch#configure Switch(config)#ip dhcp filter Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#ip dhcp filter Switch(config-if)#ip dhcp filter mac-verify Switch(config-if)#ip dhcp filter limit rate 10 Switch(config-if)#ip dhcp filter decline rate 20 Switch(config-if)#show ip dhcp filter Global Status: Enable Switch(config-if)#show ip dhcp filter interface gigabitEthernet 1/0/1 Interface state MAC-Verify...
  • Page 711 Configuring DHCP Filter DHCPv4 Filter Configuration Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create an entry for the legal DHCPv4 server whose IP address is 192.168.0.100 and connected port number is 1/0/1 without client MAC address restricted: Switch#configure...
  • Page 712 Configuring DHCP Filter DHCPv6 Filter Configuration DHCPv6 Filter Configuration To complete DHCPv6 Filter configuration, follow these steps: 1) Configure the basic DHCPv6 Filter parameters. 2) Configure legal DHCPv6 servers. 3.1 Using the GUI 3.1.1 Configuring the Basic DHCPv6 Filter Parameters Choose the menu SECURITY >...
  • Page 713 Configuring DHCP Filter DHCPv6 Filter Configuration Port Displays the port number. Status Enable or disable DHCPv6 Filter feature on the port. Rate Limit Select to enable the rate limit feature and specify the maximum number of DHCPv6 packets that can be forwarded on the port per second. The excessive DHCPv6 packets will be discarded.
  • Page 714 Configuring DHCP Filter DHCPv6 Filter Configuration Server Port Select the port that the legal DHCPv6 server is connected to. 2) Click Create. 3.2 Using the CLI 3.2.1 Configuring the Basic DHCPv6 Filter Parameters Follow these steps to complete the basic settings of DHCPv6 Filter: Step 1 configure Enter global configuration mode.
  • Page 715 Configuring DHCP Filter DHCPv6 Filter Configuration Step 10 copy running-config startup-config Save the settings in the configuration file. Note: The member port of an LAG (Link Aggregation Group) follows the configuration of the LAG and not its own. The configurations of the port can take effect only after it leaves the LAG. The following example shows how to enable DHCPv6 Filter globally and how to enable DHCPv6 Filter, set the limit rate as 10 pps and set the decline rate as 20 pps on port 1/0/1: Switch#configure...
  • Page 716 Configuring DHCP Filter DHCPv6 Filter Configuration Step 2 ipv6 dhcp filter server permit-entry server-ip ipAddr interface { fastEthernet port-list | gigabitEthernet port-list | ten-gigabitEthernet port-list | port-channel port-channel-id } Create an entry for the legal DHCPv6 server. ipAddr: Specify the IPv6 address of the legal DHCPv6 server. port-list | port-channel-id: Specify the port that the legal DHCPv6 server is connected to.
  • Page 717 Configuring DHCP Filter Configuration Examples Configuration Examples Example for DHCPv4 Filter 4.1.1 Network Requirements As shown below, all the DHCPv4 clients get IP addresses from the legal DHCPv4 server, and any other DHCPv4 server in the LAN is regarded as illegal. Now it is required that only the legal DHCPv4 server is allowed to assign IP addresses to the clients.
  • Page 718 Configuring DHCP Filter Configuration Examples 4.1.3 Using the GUI 1) Choose the menu SECURITY > DHCP Filter > DHCPv4 Filter > Basic Config to load the following page. Enable DHCPv4 Filter globally and click Apply. Select all ports, change Status as Enable, and click Apply. Figure 4-2 Basic Config 2) Choose the menu SECURITY >...
  • Page 719 Configuring DHCP Filter Configuration Examples Figure 4-3 Create Entry for Legal DHCPv4 Server 3) Click to save the settings. 4.1.4 Using the CLI 1) Enable DHCPv4 Filter globally and on all ports: Switch_A#configure Switch_A(config)#ip dhcp filter Switch_A(config)#interface range fastEthernet 1/0/1-24 Switch_A(config-if-range)#ip dhcp filter Switch_A(config)#interface range gigabitEthernet 1/0/25-28 Switch_A(config-if-range)#ip dhcp filter Switch_A(config-if-range)#exit...
  • Page 720 Configuring DHCP Filter Configuration Examples Verify the Configuration Verify the global DHCPv4 Filter configuration: Switch_A#show ip dhcp filter Global Status: Enable Verify the DHCPv4 Filter configuration on ports: Switch_A#show ip dhcp filter interface Interface state MAC-Verify Limit-Rate Dec-rate --------- ------- ---------- ---------- -------- Fa1/0/1...
  • Page 721 Configuring DHCP Filter Configuration Examples Figure 4-1 Network Topology [figure: Legal DHCPv6 Server 2001::54 on Fa1/0/1, Illegal DHCPv6 Server, Switch A, DHCPv6 Clients] 4.2.2 Configuration Scheme To meet the requirements, you can configure DHCPv6 Filter to filter the DHCPv6 packets from the illegal DHCPv6 server.
  • Page 722 Configuring DHCP Filter Configuration Examples Figure 4-2 Basic Config 2) Choose the menu SECURITY > DHCP Filter > DHCPv6 Filter > Legal DHCPv6 Servers and click to load the following page. Specify the IP address and connected port number of the legal DHCPv6 server. Click Create. Figure 4-3 Create Entry for Legal DHCPv6 Server 3) Click to save the settings.
  • Page 723 Configuring DHCP Filter Configuration Examples 4.2.4 Using the CLI 1) Enable DHCPv6 Filter globally and on all ports: Switch_A#configure Switch_A(config)#ipv6 dhcp filter Switch_A(config)#interface range fastEthernet 1/0/1-24 Switch_A(config-if-range)#ipv6 dhcp filter Switch_A(config)#interface range gigabitEthernet 1/0/25-28 Switch_A(config-if-range)#ipv6 dhcp filter Switch_A(config-if-range)#exit 2) Create an entry for the legal DHCPv6 server: Switch_A(config)#ipv6 dhcp filter server permit-entry server-ip 2001::54 interface fastEthernet 1/0/1 Switch_A(config)#end...
  • Page 724 Configuring DHCP Filter Configuration Examples Verify the legal DHCPv6 server configuration: Switch_A#show ipv6 dhcp filter server permit-entry Server IP Interface ---------------- ---------- 2001::54 Fa1/0/1 Configuration Guide...
  • Page 725 Configuring DHCP Filter Appendix: Default Parameters Appendix: Default Parameters Default settings of DHCPv4 Filter are listed in the following table: Table 5-1 DHCPv4 Filter Parameter Default Setting Global Config DHCPv4 Filter Disable Port Config Status Disable MAC Verify Disable Rate Limit Disable Decline Protect Disable...
  • Page 726 Part 23 Configuring DoS Defend CHAPTERS 1. Overview 2. DoS Defend Configuration 3. Appendix: Default Parameters...
  • Page 727 Configuring DoS Defend Overview Overview The DoS (Denial of Service) defend feature provides protection against DoS attacks. DoS attacks occupy the network bandwidth maliciously by sending numerous service requests to the hosts. It results in an abnormal service or breakdown of the network. With DoS Defend feature, the switch can analyze the specific fields of the IP packets, distinguish the malicious DoS attack packets and discard them directly.
  • Page 728 Configuring DoS Defend DoS Defend Configuration DoS Defend Configuration 2.1 Using the GUI Choose the menu SECURITY > DoS Defend to load the following page. Figure 2-1 DoS Defend Follow these steps to configure DoS Defend: 1) In the DoS Defend section, enable DoS Protection and click Apply. 2) In the DoS Defend Config section, select one or more defend types according to your needs and click Apply.
  • Page 729 Configuring DoS Defend DoS Defend Configuration NULL Scan: The attacker sends the illegal packet with its TCP index and all the control fields set to 0. During the TCP connection and data transmission, the packets with all control fields set to 0 are considered illegal. SYN sPort less 1024: The attacker sends the illegal packet with its TCP SYN field set to 1 and source
  • Page 730 Configuring DoS Defend DoS Defend Configuration Step 3 ip dos-prevent type { land | scan-synfin | xma-scan | null-scan | port-less-1024 | blat | ping-flood | syn-flood | win-nuke | ping-of-death | smurf } Configure one or more defend types according to your needs. The types of DoS attack are introduced as follows.
  • Page 731 Configuring DoS Defend DoS Defend Configuration Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable the DoS Defend type named land: Switch#configure Switch(config)#ip dos-prevent Switch(config)#ip dos-prevent type land Switch(config)#show ip dos-prevent DoS Prevention State:...
  • Page 732 Configuring DoS Defend Appendix: Default Parameters Appendix: Default Parameters Default settings of Network Security are listed in the following tables. Table 3-1 DoS Defend Parameter Default Setting DoS Defend Disabled Configuration Guide...
  • Page 733 Part 24 Monitoring the System CHAPTERS 1. Overview 2. Monitoring the CPU 3. Monitoring the Memory...
  • Page 734 Monitoring the System Overview Overview With System Monitor function, you can: • Monitor the CPU utilization of the switch. • Monitor the memory utilization of the switch. The CPU utilization should always be under 80%, and excessive use may result in switch malfunctions.
  • Page 735 Monitoring the System Monitoring the CPU Monitoring the CPU Using the GUI Choose the menu MAINTENANCE > System Monitor > CPU Monitor to load the following page. Figure 2-1 Monitoring the CPU Click Monitor to enable the switch to monitor and display its CPU utilization rate every five seconds.
  • Page 736 Monitoring the System Monitoring the CPU The following example shows how to monitor the CPU: Switch#show cpu-utilization Unit | CPU Utilization Five-Seconds One-Minute Five-Minutes ------+------------------------------------------------- Configuration Guide...
  • Page 737 Monitoring the System Monitoring the Memory Monitoring the Memory Using the GUI Choose the menu MAINTENANCE > System Monitor > Memory Monitor to load the following page. Figure 3-1 Monitoring the Memory Click Monitor to enable the switch to monitor and display its memory utilization rate every five seconds.
  • Page 738 Monitoring the System Monitoring the Memory Unit | Current Memory Utilization ------+---------------------------- | 74% Configuration Guide...
  • Page 739 Part 25 Monitoring Traffic CHAPTERS 1. Traffic Monitor 2. Appendix: Default Parameters...
  • Page 740 Monitoring Traffic Traffic Monitor Traffic Monitor With Traffic Monitor function, you can monitor each port’s traffic information, including the traffic summary and traffic statistics in detail. 1.1 Using the GUI Choose the menu MAINTENANCE > Traffic Monitor to load the following page. Figure 1-1 Traffic Summary Follow these steps to view the traffic summary of each port: 1) To get the real-time traffic summary, enable Auto Refresh, or click Refresh.
  • Page 741 Monitoring Traffic Traffic Monitor Packets Tx: Displays the number of packets transmitted on the port. Error packets are not counted. Octets Rx: Displays the number of octets received on the port. Error octets are counted. Octets Tx: Displays the number of octets transmitted on the port. Error octets are counted. To view a port’s traffic statistics in detail, click Statistics on the right side of the entry.
  • Page 742 Monitoring Traffic Traffic Monitor Received: Displays the detailed information of received packets. Broadcast: Displays the number of valid broadcast packets received on the port. Error frames are not counted. Multicast: Displays the number of valid multicast packets received on the port. Error frames are not counted.
  • Page 743 Monitoring Traffic Traffic Monitor Sent: Displays the detailed information of sent packets. Broadcast: Displays the number of valid broadcast packets transmitted on the port. Error frames are not counted. Multicast: Displays the number of valid multicast packets transmitted on the port. Error frames are not counted.
  • Page 744 Monitoring Traffic Traffic Monitor 1.2 Using the CLI In privileged EXEC mode or any other configuration mode, you can use the following command to view the traffic information of each port or LAG: show interface counters [ fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id ] The group number of the LAG.
  • Page 745 Monitoring Traffic Appendix: Default Parameters Appendix: Default Parameters Table 2-1 Traffic Statistics Monitoring Parameter Default Setting Traffic Summary Auto Refresh Disable Refresh Rate 10 seconds Configuration Guide...
  • Page 746 Part 26 Mirroring Traffic CHAPTERS 1. Mirroring 2. Configuration Examples 3. Appendix: Default Parameters...
  • Page 747 Mirroring Traffic Mirroring Mirroring You can analyze network traffic and troubleshoot network problems using Mirroring. Mirroring allows the switch to send a copy of the traffic that passes through specified sources (ports, LAGs or the CPU) to a destination port. It does not affect the switching of network traffic on source ports, LAGs or the CPU.
  • Page 748 Mirroring Traffic Mirroring Figure 1-2 Configure the Mirroring Session Follow these steps to configure the mirroring session: 1) In the Destination Port Config section, specify a destination port for the mirroring session, and click Apply. 2) In the Source Interfaces Config section, specify the source interfaces and click Apply. Traffic passing through the source interfaces will be mirrored to the destination port.
  • Page 749 Mirroring Traffic Mirroring Note: • The member ports of an LAG cannot be set as a destination port or source port. • A port cannot be set as the destination port and source port at the same time. Using the CLI Follow these steps to configure Mirroring.
  • Page 750 Mirroring Traffic Mirroring Switch(config)#monitor session 1 source interface gigabitEthernet 1/0/1-3 both Switch(config)#monitor session 1 source cpu 1 both Switch(config)#show monitor session Monitor Session: Destination Port: Gi1/0/10 Source Ports(Ingress): Gi1/0/1-3 Source Ports(Egress): Gi1/0/1-3 Source CPU(Ingress): cpu1 Source CPU(Egress): cpu1 Switch(config-if)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 751 Mirroring Traffic Configuration Examples Configuration Examples Network Requirements As shown below, several hosts and a network analyzer are directly connected to the switch. For network security and troubleshooting, the network manager needs to use the network analyzer to monitor the data packets from the end hosts. Figure 2-1 Network Topology Fa1/0/2-5 Fa1/0/1...
  • Page 752 Mirroring Traffic Configuration Examples 2) Click Edit on the above page to load the following page. In the Destination Port Config section, select port 1/0/1 as the destination port and click Apply. Figure 2-3 Destination Port Configuration 3) In the Source Interfaces Config section, select ports 1/0/2-5 as the source ports, and enable Ingress and Egress to allow the received and sent packets to be copied to the destination port.
  • Page 753 Mirroring Traffic Configuration Examples Verify the Configuration Switch#show monitor session 1 Monitor Session: Destination Port: Fa1/0/1 Source Ports(Ingress): Fa1/0/2-5 Source Ports(Egress): Fa1/0/2-5 Configuration Guide...
  • Page 754 Mirroring Traffic Appendix: Default Parameters Appendix: Default Parameters Default settings of Switching are listed in the following tables. Table 3-1 Configurations for Ports Parameter Default Setting Ingress Disabled Egress Disabled Configuration Guide...
  • Page 755 Part 27 Configuring DLDP CHAPTERS 1. Overview 2. DLDP Configuration 3. Appendix: Default Parameters...
  • Page 756 Configuring DLDP Overview Overview DLDP (Device Link Detection Protocol) is a Layer 2 protocol that enables devices connected through fiber or twisted-pair Ethernet cables to detect whether a unidirectional link exists. A unidirectional link occurs whenever traffic sent by a local device is received by its peer device but traffic from the peer device is not received by the local device.
  • Page 757 Configuring DLDP DLDP Configuration DLDP Configuration Configuration Guidelines ▪ A DLDP-capable port cannot detect a unidirectional link if it is connected to a DLDP-incapable port of another switch. ▪ To detect unidirectional links, make sure DLDP is enabled on both sides of the links. Using the GUI Choose the menu MAINTENANCE >...
  • Page 758 Configuring DLDP DLDP Configuration DLDP State Enable or disable DLDP globally. Advertisement Interval Configure the interval to send advertisement packets. Valid values are from 1 to 30 seconds, and the default value is 5 seconds. Shut Mode Choose how to shut down the port when a unidirectional link is detected: Auto: When a unidirectional link is detected on a port, DLDP will generate logs and traps then shut down the port, and DLDP on this port will change to Disabled.
  • Page 759 Configuring DLDP DLDP Configuration Using the CLI Follow these steps to configure DLDP: Step 1 configure Enter global configuration mode. Step 2 dldp Globally enable DLDP. Step 3 dldp interval interval-time Configure the interval of sending advertisement packets on ports that are in the advertisement state.
  • Page 760 Configuring DLDP DLDP Configuration Switch(config)#dldp Switch(config)#dldp interval 10 Switch(config)#dldp shut-mode auto Switch(config)#show dldp DLDP Global State: Enable DLDP Message Interval: 10 DLDP Shut Mode: Auto Switch(config)#end Switch#copy running-config startup-config The following example shows how to enable DLDP on port 1/0/1. Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#dldp...
  • Page 761 Configuring DLDP Appendix: Default Parameters Appendix: Default Parameters Default settings of DLDP are listed in the following table. Table 3-1 Default Settings of DLDP Parameter Default Setting Global Config DLDP State Disable Advertisement Interval 5 seconds Shut Mode Auto Auto Refresh Disabled Refresh Interval 3 seconds...
  • Page 762 Part 28 Configuring SNMP & RMON CHAPTERS 1. SNMP 2. SNMP Configurations 3. Notification Configurations 4. RMON 5. RMON Configurations 6. Configuration Example 7. Appendix: Default Parameters...
  • Page 763 Configuring SNMP & RMON SNMP SNMP Overview SNMP (Simple Network Management Protocol) is a standard network management protocol, widely used on TCP/IP networks. It facilitates device management using NMS (Network Management System) software. With SNMP, network managers can view or modify network device information, and troubleshoot according to notifications sent by those devices in a timely manner.
  • Page 764 (1) tplink (11863) 1.3.6.1.4.1.11863 TP-Link switches provide private MIBs that can be identified by the OID 1.3.6.1.4.1.11863. The MIB file can be found on the provided CD or the download center of our official website: http://www.tp-link.com/en/download-center.html. Also, TP-Link switches support the following public MIBs: ▪ LLDP.mib...
  • Page 765 For detailed information about the supported public MIBs, see Supported Public MIBs for TP-Link Switches which can be found on the training center of our website: http://www.tp-link.com/en/configuration-guides.html SNMP Entity An SNMP entity is a device running the SNMP protocol. Both the SNMP manager and SNMP agent are SNMP entities.
  • Page 766 Configuring SNMP & RMON SNMP Table 1-2 Application Scenarios of Different Versions (Version: Application Scenario) SNMPv1: Applicable to small-scale networks with simple networking, low security requirements or good stability (such as campus networks and small enterprise networks). SNMPv2c: Applicable to medium and large-scale networks with low security requirements and those with good security (such as VPNs), but with busy services in which the traffic congestion may occur.
  • Page 767 Configuring SNMP & RMON SNMP Configurations SNMP Configurations To complete the SNMP configuration, choose an SNMP version according to network requirements and supportability of the NMS software, and then follow these steps: ▪ Choose SNMPv1 or SNMPv2c 1) Enable SNMP. 2) Create an SNMP view for managed objects.
  • Page 768 Local Engine ID Set the engine ID of the local SNMP agent (the switch) with 10 to 64 hexadecimal digits. By default, the switch generates the engine ID using TP-Link’s enterprise number (80002e5703) and its own MAC address. The local engine ID is a unique alphanumeric string used to identify the SNMP engine.
  • Page 769 Configuring SNMP & RMON SNMP Configurations Figure 2-3 Creating an SNMP View View Name Set the view name with 1 to 16 characters. A complete view consists of all MIB objects that have the same view name. View Type Set the view to include or exclude the related MIB object. By default, it is include. Include: The NMS can view or manage the function indicated by the object.
  • Page 770 Configuring SNMP & RMON SNMP Configurations MIB View Choose an SNMP view that allows the community to access. The default view is viewDefault. 2) Click Create. 2.1.4 Creating an SNMP Group (For SNMP v3) Create an SNMP group and configure related parameters. Choose the menu MAINTENANCE >...
  • Page 771 Configuring SNMP & RMON SNMP Configurations Write View Choose a view to allow parameters to be modified but not viewed by the NMS. The default is none. The view in Write View should also be added to Read View. Notify View Choose a view to allow it to send notifications to the NMS.
  • Page 772 Configuring SNMP & RMON SNMP Configurations Security Level Set the security level. The security level from highest to lowest is: NoAuthNoPriv, AuthNoPriv, AuthPriv, and the default is NoAuthNoPriv. The security level of the user should not be lower than the group it belongs to. NoAuthNoPriv: Uses a username match for authentication, and no encryption is implemented.
  • Page 773 local-engineID: Enter the engine ID of the local SNMP agent (the switch) with 10 to 64 hexadecimal digits. By default, the switch generates the engine ID using TP-Link’s enterprise number (80002e5703) and its own MAC address. The local engine ID is a unique alphanumeric string used to identify the SNMP engine. As an SNMP agent contains only one SNMP engine, the local engine ID can uniquely identify the SNMP agent.
  • Page 774 Configuring SNMP & RMON SNMP Configurations 0 Illegal operation for community name supplied 0 Encoding errors 0 Number of requested variables 0 Number of altered variables 0 Get-request PDUs 0 Get-next PDUs 0 Set-request PDUs 0 SNMP packets output 0 Too big errors (Maximum packet size 1500) 0 No such name errors 0 Bad value errors 0 General errors...
  • Page 775 Configuring SNMP & RMON SNMP Configurations Step 3 show snmp-server view Displays the view table. Step 4 Return to Privileged EXEC Mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set a view to allow the NMS to manage all functions. Name the view as View: Switch#configure Switch(config)#snmp-server view View 1 include...
  • Page 776 Configuring SNMP & RMON SNMP Configurations Step 2 snmp-server community name { read-only | read-write } [ mib-view ] Configure the community. name: Enter a group name with 1 to 16 characters. read-only | read-write: Choose an access permission for the community. Read-only indicates that the NMS can view but cannot modify parameters of the view, while read-write indicates that the NMS can both view and modify.
  • Page 777 Configuring SNMP & RMON SNMP Configurations Step 2 snmp-server group name [ smode v3 ] [ slev {noAuthNoPriv | authNoPriv | authPriv}] [ read read-view ] [ write write-view ] [ notify notify-view ] Create an SNMP group. name: Enter the group name with 1 to 16 characters. The identifier of a group consists of a group name, security model and security level.
  • Page 778 Configuring SNMP & RMON SNMP Configurations 2.2.5 Creating SNMP Users (For SNMPv3) Configure users of the SNMP group. Users belong to the group, and use the same security level and access rights as the group. Step 1 configure Enter global configuration mode. Step 2 snmp-server user name { local | remote } group-name [ smode v3 ] [ slev { noAuthNoPriv | authNoPriv | authPriv }] [ cmode { none | MD5 | SHA }] [ cpwd confirm-pwd ] [ emode { none |...
  • Page 779 Configuring SNMP & RMON SNMP Configurations The following example shows how to create an SNMP user and add it to group nms1. Name the user as admin, and set the user as a remote user, SNMPv3 as the security mode, authPriv as the security level, SHA as the authentication algorithm, 1234 as the authentication password, DES as the privacy algorithm and 1234 as the privacy password: Switch#configure Switch(config)#snmp-server user admin remote nms1 smode v3 slev authPriv cmode...
  • Page 780 Configuring SNMP & RMON Notification Configurations Notification Configurations With Notification enabled, the switch can send notifications to the NMS about important events relating to the device’s operation. This facilitates the monitoring and management of the NMS. To configure SNMP notification, follow these steps: 1) Configure the information of NMS hosts.
  • Page 781 Configuring SNMP & RMON Notification Configurations IP Mode Choose an IP mode for the NMS host. IP Address If you set the IP Mode as IPv4, specify an IPv4 address for the NMS host. If you set the IP Mode as IPv6, specify an IPv6 address for the NMS host. UDP Port Specify a UDP port on the NMS host to receive notifications.
  • Page 782 Configuring SNMP & RMON Notification Configurations 3.1.2 Enabling SNMP Traps Choose the menu MAINTENANCE > SNMP > Notification > Trap Config to load the following page. Figure 3-2 Enabling SNMP Traps The supported traps are listed on the page. Follow these steps to enable any or all of these traps: 1) Select the traps to enable according to your needs.
  • Page 783 Configuring SNMP & RMON Notification Configurations Rate Limit Monitors whether the bandwidth has reached the limit you have set. The trap can be triggered when the Rate Limit feature is enabled and packets are sent to the port with a rate higher than what you have set. LLDP Indicates LLDP topology changes.
  • Page 784 Configuring SNMP & RMON Notification Configurations 3.2 Using the CLI 3.2.1 Configuring the NMS Host Configure parameters of the NMS host and packet handling mechanism. Step 1 configure Enter global configuration mode. Step 2 snmp-server host ip udp-port user-name [smode { v1 | v2c | v3 }] [slev {noAuthNoPriv | authNoPriv | authPriv }] [type { trap | inform}] [retries retries ] [timeout timeout ] Configure parameters of the NMS host and packet handling mechanism.
  • Page 785 Configuring SNMP & RMON Notification Configurations Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set the NMS host IP address as 192.30.1.222, UDP port as port 162, name used by the NMS host as admin, security model as SNMPv3, security level as authPriv, notification type as Inform, retry times as 3, and the timeout interval as 100 seconds:...
  • Page 786 Configuring SNMP & RMON Notification Configurations Step 2 snmp-server traps snmp [ linkup | linkdown | warmstart | coldstart | auth-failure ] Enable the corresponding SNMP standard traps. The command without parameter enables all SNMP standard traps. All SNMP standard traps are enabled by default. linkup: Indicates a port status changes from linkdown to linkup, and can be triggered when you connect a device to a port.
  • Page 787 Configuring SNMP & RMON Notification Configurations Step 2 snmp-server traps { rate-limit | cpu | flash | lldp remtableschange | lldp topologychange | loopback-detection | storm-control | spanning-tree | memory } Enable the corresponding SNMP extended traps. All SNMP extended traps are disabled by default.
  • Page 788 Configuring SNMP & RMON Notification Configurations ▪ Enabling the VLAN Traps Globally Step 1 configure Enter global configuration mode. Step 2 snmp-server traps vlan [ create | delete ] Enable the corresponding VLAN traps. The command without parameter enables all SNMP VLAN traps.
  • Page 789 Configuring SNMP & RMON Notification Configurations The following example shows how to configure the switch to enable DHCP filter trap: Switch#configure Switch(config)#snmp-server traps security dhcp-filter Switch(config)#end Switch#copy running-config startup-config ▪ Enabling the ACL Trap Globally Step 1 configure Enter global configuration mode. Step 2 snmp-server traps security acl Enable the ACL trap.
  • Page 790 Configuring SNMP & RMON Notification Configurations Step 3 Return to privileged EXEC mode. Step 4 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure the switch to enable IP-Change trap: Switch#configure Switch(config)#snmp-server traps ip change Switch(config)#end Switch#copy running-config startup-config ▪ Enabling the SNMP PoE Traps Globally...
  • Page 791 Configuring SNMP & RMON Notification Configurations Step 4 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure the switch to enable all PoE traps: Switch#configure Switch(config)#snmp-server traps power Switch(config)#end Switch#copy running-config startup-config ▪ Enabling the Link-status Trap for Ports Step 1 configure...
  • Page 792 Configuring SNMP & RMON RMON RMON RMON (Remote Network Monitoring) together with the SNMP system allows the network manager to monitor remote network devices efficiently. RMON reduces traffic flow between the NMS and managed devices, which is convenient for management in large networks.
  • Page 793 Configuring SNMP & RMON RMON Configurations RMON Configurations With RMON configurations, you can: ▪ Configure the Statistics group. ▪ Configure the History group. ▪ Configure the Event group. ▪ Configure the Alarm group. Configuration Guidelines To ensure that the NMS receives notifications normally, please complete configurations of SNMP and SNMP Notification before RMON configurations.
  • Page 794 Configuring SNMP & RMON RMON Configurations Status Set the entry as Valid or Under Creation. By default, it is Valid. The switch starts to collect Ethernet statistics for a Statistics entry once the entry status is configured as valid. Valid: The entry is created and valid. Under Creation: The entry is created but invalid.
  • Page 795 Configuring SNMP & RMON RMON Configurations 3) Enter the owner name, and set the status of the entry. Click Apply. Owner Enter the owner name of the entry with 1 to 16 characters. By default, it is monitor. Status Enable or disable the entry. By default, it is disabled. Enable: The entry is enabled.
  • Page 796 Configuring SNMP & RMON RMON Configurations Action Mode Specify the action for the switch to take when the event is triggered. None: No action. It is the default setting. Log: The switch records the event in the log, and the NMS should initiate requests to get notifications.
  • Page 797 Configuring SNMP & RMON RMON Configurations Follow these steps to configure the Alarm group: 1) Select an alarm entry, choose a variable to be monitored, and associate the entry with a statistics entry. Index Displays the index of Alarm entries. The switch supports up to 12 Alarm entries.
  • Page 798 Configuring SNMP & RMON RMON Configurations Falling Threshold Set the falling threshold of the variable. When the sampled value is below the threshold, the system will trigger the corresponding Falling Event. Valid values are from 1 to 2147483647 and the default is 100. Falling Event Specify the index of the Event entry that will be triggered when the sampled value is below the preset threshold.
  • Page 799 Configuring SNMP & RMON RMON Configurations Step 2 rmon statistics index interface interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } [ owner owner-name ] [ status { underCreation | valid }] Configure RMON Statistic entries. index: Enter the ID of the statistics entry from 1 to 65535 in the format of 1-3 or 5. Enter the port number in 1/0/1 format to bind it to the entry.
  • Page 800 Configuring SNMP & RMON RMON Configurations 5.2.2 Configuring History Step 1 configure Enter global configuration mode. Step 2 rmon history index interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } [ interval seconds ] [ owner owner-name ] [ buckets number ] Configuring RMON History entries.
  • Page 801 Configuring SNMP & RMON RMON Configurations Switch#copy running-config startup-config 5.2.3 Configuring Event Step 1 configure Enter global configuration mode. Step 2 rmon event index [ user user-name ] [ description description ] [ type { none | log | notify | log-notify }] [ owner owner-name ] Configuring RMON Event entries.
  • Page 802 Configuring SNMP & RMON RMON Configurations Switch(config)#show rmon event Index User Description Type Owner State ----- ---- ----------- ---- ----- ----- admin rising-notify Notify monitor Enable Switch(config)#end Switch#copy running-config startup-config 5.2.4 Configuring Alarm Step 1 configure Enter global configuration mode. Step 2 rmon alarm index stats-index sindex [ alarm-variable { revbyte | revpkt | bpkt | mpkt | crc- align | undersize | oversize | jabber | collision | 64 | 65-127 | 128-255 | 256-511 | 512-1023...
  • Page 803 Configuring SNMP & RMON RMON Configurations f-event: Enter the Event entry index from 1 to 12 to bind it to the falling threshold. The Event entry will be triggered when the sampling value goes below the preset threshold. The Event entry specified here should be enabled first.
  • Page 804 Configuring SNMP & RMON RMON Configurations Interval: Owner: monitor Switch(config)#end Switch#copy running-config startup-config Configuration Guide...
  • Page 805 Configuring SNMP & RMON Configuration Example Configuration Example Network Requirements The following figure shows the network topology of a company. The company has requirements as follows: 1) Monitor traffic flow of ports 1/0/1 and 1/0/2 on Switch A, and send notifications to the NMS when the actual rate of transmitting and receiving packets exceeds the preset threshold.
  • Page 806 Configuring SNMP & RMON Configuration Example 6.2 Configuration Scheme 1) Set a limit on the rate of the specified ports, and then enable SNMP on Switch A. Configure SNMP and Notification, and enable Trap notifications on the ports. Switch A can then send notifications to the NMS when the actual rate exceeds the preset threshold.
  • Page 807 Configuring SNMP & RMON Configuration Example Figure 6-3 Creating an SNMP View 3) Choose MAINTENANCE > SNMP > SNMP v3 > SNMP Group and click to load the following page. Create a group with the name of nms-monitor, enable authentication and privacy, and add View to Read View and Notify View. Click Create. Figure 6-4 Configuring an SNMP Group 4) Choose MAINTENANCE >...
  • Page 808 Configuring SNMP & RMON Configuration Example Figure 6-5 Creating an SNMP User 5) Choose MAINTENANCE > SNMP > Notification > Notification Config and click to load the following page. Choose the IP Mode as IPv4, and specify the IP address of the NMS host and the port of the host for transmitting notifications.
  • Page 809 Configuring SNMP & RMON Configuration Example Figure 6-7 Enabling Rate Limit Trap 7) Click to save the settings. ▪ Configuring RMON 1) Choose MAINTENANCE > SNMP > RMON > Statistics and click to load the following page. Create two entries and bind them to ports 1/0/1 and 1/0/2 respectively. Set the owner of the entries as monitor and the status as valid.
  • Page 810 Configuring SNMP & RMON Configuration Example Figure 6-10 Configuring the History Entries 3) Choose the menu MAINTENANCE > SNMP > RMON > Event to load the following page. Configure entries 1 and 2. For entry 1, set the SNMP user name as admin, type as Notify, description as “rising_notify”, owner as monitor, and status as enable.
  • Page 811 Configuring SNMP & RMON Configuration Example Figure 6-12 Configuring the Alarm Entries 5) Click to save settings. Using the CLI ▪ Configuring Rate Limit on ports Configure the rate limit on required ports of Switch A. For detailed configuration, please refer to Configuring QoS.
  • Page 812 Configuring SNMP & RMON Configuration Example Choose the type as Inform, and set the retry times as 3, and the timeout period as 100 seconds. Switch_A(config)#snmp-server host 192.168.1.222 162 admin smode v3 slev authPriv type inform retries 3 timeout 100 ▪ Enable Bandwidth-control Trap Switch_A(config)#snmp-server traps bandwidth-control ▪ Configuring RMON...
  • Page 813 Configuring SNMP & RMON Configuration Example Switch_A(config)#rmon alarm 2 stats-index 2 alarm-variable bpkt s-type absolute rising-threshold 3000 rising-event-index 1 falling-threshold 2000 falling-event-index 2 a-type all interval 10 owner monitor Verify the Configurations Verify global SNMP configurations: Switch_A(config)#show snmp-server SNMP agent is enabled. 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name...
  • Page 814 Configuring SNMP & RMON Configuration Example Verify SNMP view configurations: Switch_A(config)#show snmp-server view No. View Name Type MOID --- -------------- ------- ------------------- viewDefault include 1 viewDefault exclude 1.3.6.1.6.3.15 viewDefault exclude 1.3.6.1.6.3.16 viewDefault exclude 1.3.6.1.6.3.18 View include 1 Verify SNMP group configurations: Switch_A(config)#show snmp-server group No.
  • Page 815 Configuring SNMP & RMON Configuration Example Index Port Owner State ----- ---------- --------- ------- Gi1/0/1 monitor valid Gi1/0/2 monitor valid Verify RMON history configurations: Switch_A(config)#show rmon history Index Port Interval Buckets Owner State ----- --------- -------- --------- ---------- --------- Gi1/0/1 monitor Enable Gi1/0/2...
  • Page 816 Configuring SNMP & RMON Configuration Example Index-State: 2-Enabled Statistics index: 2 Alarm variable: BPkt Sample Type: Absolute RHold-REvent: 3000-1 FHold-FEvent: 2000-2 Alarm startup: Interval: Owner: monitor Configuration Guide...
  • Page 817 Configuring SNMP & RMON Appendix: Default Parameters Appendix: Default Parameters Default settings of SNMP are listed in the following tables. Table 7-1 Default Global Config Settings Parameter Default Setting SNMP Disable Local Engine ID Automatically Remote Engine ID None Table 7-2 Default SNMP View Table Settings View Name View Type...
  • Page 818 Configuring SNMP & RMON Appendix: Default Parameters Parameter Default Setting SNMP User User Entry No entries User Name None User Type Local User Group Name None Security Model Security Level noAuthNoPriv Authentication Mode MD5 (when Security Level is configured as AuthNoPriv or AuthPriv) Authentication...
  • Page 819 Configuring SNMP & RMON Appendix: Default Parameters Default settings of RMON are listed in the following tables. Table 7-6 Default Statistics Config Settings Parameter Default Setting Statistics Entry No entries None Port None Owner None IP Mode Valid Table 7-7 Default Settings for History Entries Parameter Default Setting...
  • Page 820 Configuring SNMP & RMON Appendix: Default Parameters Parameter Default Setting Interval 1800 seconds Owner monitor Status Disable Configuration Guide...
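Added example (not TP-Link's code or part of the guide): a Python check that reads snmp-server commands in the syntax shown in Part 28 and reports settings a reviewer would question before deployment, such as the four-character password in the SNMPv3 user example or a user whose security level is lower than its group's. The sample command list, the 8-character threshold and the severity labels are assumptions made for this example.

```python
import re
from typing import NamedTuple

PROMPT = re.compile(r"^[\w.-]+(?:\([\w-]+\))?#\s*")  # e.g. "Switch_A(config)#"
RANK = {"noauthnopriv": 0, "authnopriv": 1, "authpriv": 2}
MIN_PASSWORD_LEN = 8  # assumed audit policy, not a limit stated in the guide

# Constructed input in the guide's syntax; names and addresses are samples.
# The privacy-password keyword is cut off in the excerpt, so it is left out.
SAMPLE = """\
Switch(config)#snmp-server view View 1 include
Switch(config)#snmp-server community nms-monitor read-write View
Switch(config)#snmp-server group nms1 smode v3 slev authPriv read View notify View
Switch(config)#snmp-server user admin remote nms1 smode v3 slev authPriv cmode SHA cpwd 1234 emode DES
Switch(config)#snmp-server user probe local nms1 smode v3 slev authNoPriv cmode MD5 cpwd constructed-Passw0rd
Switch(config)#snmp-server host 192.168.1.222 162 admin smode v3 slev authPriv type inform retries 3 timeout 100
Switch(config)#snmp-server host 192.168.1.223 162 nms-monitor smode v2c
"""


class Finding(NamedTuple):
    severity: str
    subject: str
    message: str


def _options(tokens):
    """Pair up 'keyword value' tokens: ['slev', 'authPriv'] -> {'slev': 'authPriv'}."""
    return {tokens[i].lower(): tokens[i + 1] for i in range(0, len(tokens) - 1, 2)}


def _check_level(subject, opts, out):
    """Report any security level other than an explicit authPriv."""
    level = opts.get("slev")
    if level is None:
        out.append(Finding("medium", subject, "no slev given; state authPriv explicitly"))
    elif level.lower() == "noauthnopriv":
        out.append(Finding("high", subject, "noAuthNoPriv: no authentication, no encryption"))
    elif level.lower() == "authnopriv":
        out.append(Finding("high", subject, "authNoPriv: payload is not encrypted"))


def audit(config_text):
    """Return a list of Finding for the snmp-server commands in config_text."""
    out, groups, users = [], {}, []
    for raw in config_text.splitlines():
        tokens = PROMPT.sub("", raw.strip()).split()
        if len(tokens) < 3 or tokens[0].lower() != "snmp-server":
            continue
        kind, args = tokens[1].lower(), tokens[2:]
        if kind == "community" and len(args) >= 2:
            if args[1].lower() == "read-write":
                out.append(Finding("high", f"community {args[0]}",
                                   "read-write access guarded only by a cleartext community string"))
        elif kind == "group":
            opts = _options(args[1:])
            groups[args[0]] = opts.get("slev", "").lower()
            _check_level(f"group {args[0]}", opts, out)
        elif kind == "user" and len(args) >= 3:
            opts = _options(args[3:])
            subject, level = f"user {args[0]}", opts.get("slev", "").lower()
            users.append((subject, args[2], level))
            _check_level(subject, opts, out)
            auth = opts.get("cmode")
            # The guide's appendix lists MD5 as the default authentication mode.
            if RANK.get(level, 0) >= 1 and (auth is None or auth.lower() == "md5"):
                out.append(Finding("medium", subject, "MD5 authentication in use; choose SHA"))
            pwd = opts.get("cpwd")
            if pwd is not None and len(pwd) < MIN_PASSWORD_LEN:
                out.append(Finding("high", subject,
                                   f"cpwd is shorter than {MIN_PASSWORD_LEN} characters"))
            if opts.get("emode", "").lower() == "des":
                out.append(Finding("low", subject, "DES privacy relies on a 56-bit key"))
        elif kind == "host" and len(args) >= 3:
            opts = _options(args[3:])
            subject = f"host {args[0]}"
            if opts.get("smode", "").lower() in ("v1", "v2c"):
                out.append(Finding("high", subject,
                                   "notifications use SNMPv1/v2c: unauthenticated and in cleartext"))
            else:
                _check_level(subject, opts, out)
    # The guide says a user's level should not be lower than its group's.
    for subject, group, level in users:
        glevel = groups.get(group)
        if glevel in RANK and level in RANK and RANK[level] < RANK[glevel]:
            out.append(Finding("medium", subject, f"security level is lower than group {group}"))
    return out


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.severity:<6} {f.subject:<22} {f.message}")
```
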
  • Page 821 Part 29 Diagnosing the Device & Network CHAPTERS 1. Diagnosing the Device 2. Diagnosing the Network 3. Appendix: Default Parameters...
  • Page 822 Diagnosing the Device & Network Diagnosing the Device Diagnosing the Device The device diagnostics feature provides cable testing, which allows you to troubleshoot based on the connection status, cable length and fault location. 1.1 Using the GUI Choose the menu MAINTENANCE > Device Diagnostics to load the following page. Figure 1-1 Diagnosing the Cable Follow these steps to diagnose the cable: 1) Select your desired port for the test and click Apply.
  • Page 823 Diagnosing the Device & Network Diagnosing the Device Status Displays the cable status. Test results include normal, closed, open and crosstalk. Normal: The cable is connected normally. Closed: A short circuit is being caused by abnormal contact of wires in the cable. Open: No device is connected to the other end or the connection is broken.
  • Page 824 Diagnosing the Device & Network Diagnosing the Network Diagnosing the Network The network diagnostics feature provides Ping testing and Tracert testing. You can test connectivity to remote hosts, or to the gateways from the switch to the destination. With Network Diagnostics, you can: ▪ Troubleshoot with Ping testing.
  • Page 825 Diagnosing the Device & Network Diagnosing the Network Follow these steps to test the connectivity between the switch and another device in the network: 1) In the Ping Config section, enter the IP address of the destination device for Ping test, set Ping times, data size and interval according to your needs, and then click Ping to start the test.
  • Page 826 Diagnosing the Device & Network Diagnosing the Network 2) In the Tracert Result section, check the test results. 2.2 Using the CLI 2.2.1 Configuring the Ping Test In privileged EXEC mode, you can use the following command to test the connectivity between the switch and one node of the network.
  • Page 827 Diagnosing the Device & Network Diagnosing the Network 2.2.2 Configuring the Tracert Test In privileged EXEC mode, you can use the following command to test the connectivity between the switch and routers along the path from the source to the destination: tracert [ ip | ipv6 ] ip_addr [ maxHops ] Test the connectivity of the gateways along the path from the source to the destination.
  • Page 828 Diagnosing the Device & Network Appendix: Default Parameters Appendix: Default Parameters Default settings of Network Diagnostics are listed in the following tables. Table 3-1 Default Settings of Ping Config Parameter Default Setting Destination IP 192.168.0.1 Ping Times Data Size 64 bytes Interval 1000 milliseconds Table 3-2...
  • Page 829 Part 30 Configuring System Logs CHAPTERS 1. Overview 2. System Logs Configurations 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 830 Configuring System Logs Overview Overview The switch generates messages in response to events, faults, or errors that have occurred, as well as changes in configuration or other occurrences. You can check system messages for debugging and network management. System logs can be saved in various destinations, such as the log buffer, log file or remote log servers, depending on your configuration.
  • Page 831 Configuring System Logs System Logs Configurations System Logs Configurations System logs configurations include: ▪ Configuring the local logs. ▪ Configuring the remote logs. ▪ Backing up the logs. ▪ Viewing the log table. Configuration Guidelines Logs are classified into the following eight levels. Messages of levels 0 to 4 mean the functionality of the switch is affected.
  • Page 832 Configuring System Logs System Logs Configurations 2.1 Using the GUI 2.1.1 Configuring the Local Logs Choose the menu MAINTENANCE > Logs > Local Logs to load the following page. Figure 2-1 Configuring the Local Logs Follow these steps to configure the local logs: 1) Select your desired channel and configure the corresponding severity and status.
  • Page 833 Configuring System Logs System Logs Configurations message is generated. To display the logs, the servers should run log server software that complies with the syslog standard. Choose the menu MAINTENANCE > Logs > Remote Logs to load the following page. Figure 2-2 Configuring the Remote Logs Follow these steps to configure the information of remote log servers: 1) Select an entry to enable the server, and then set the server IP address and severity.
  • Page 834 Configuring System Logs System Logs Configurations 2.1.4 Viewing the Log Table Choose the menu MAINTENANCE > Logs > Log Table to load the following page. Figure 2-4 View the Log Table Select a module and a severity to view the corresponding log information. Time Displays the time the log event occurred.
  • Page 835 Configuring System Logs System Logs Configurations Using the CLI 2.2.1 Configuring the Local Logs Follow these steps to configure the local logs: Step 1 configure Enter global configuration mode. Step 2 logging buffer Configure the switch to save system messages in log buffer. Log buffer indicates the RAM for saving system logs.
  • Page 836 Configuring System Logs System Logs Configurations The following example shows how to configure the local logs on the switch. Save logs of levels 0 to 5 to the log buffer, and synchronize logs of levels 0 to 2 to the flash every 10 hours: Switch#configure Switch(config)#logging buffer...
  • Page 837 Configuring System Logs System Logs Configurations Step 2 logging host index idx host-ip level Configure a remote host to receive the switch’s system logs. The host is called Log Server. You can remotely monitor the settings and operation status of the switch through the log server.
  • Page 838 Configuring System Logs Configuration Example Configuration Example 3.1 Network Requirements The company network manager needs to monitor the network of department A for troubleshooting. Figure 3-1 Network Topology Switch Department A IP: 1.1.0.2/16 IP: 1.1.0.1/16 3.2 Configuration Scheme The network manager can configure the PC as a log server to receive the switch’s system logs.
  • Page 839 Configuring System Logs Configuration Example Using the CLI Configure the remote log host. Switch#configure Switch(config)# logging host index 1 1.1.0.1 5 Switch(config)#end Switch#copy running-config startup-config Verify the Configurations Switch# show logging loghost Index Host-IP Severity Status ----- ------- -------- ------ 1.1.0.1 enable 0.0.0.0...
  • Page 840 Configuring System Logs Appendix: Default Parameters Appendix: Default Parameters Default settings of maintenance are listed in the following tables. Table 4-1 Default Settings of Local Logs Parameter Default Setting Status of Log Buffer Enabled Severity of Log Buffer Level_6 Sync-Periodic of Log Buffer Immediately Status of Log File Disabled...
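  • Page 841 Any changes or modifications not expressly approved by the party responsible for compliance could void the user’s authority to operate the equipment. We, TP-Link USA Corporation, have determined that the equipment shown as above has been shown to comply with the applicable technical standards, FCC part 15. No unauthorized change is made in the equipment and the equipment is properly maintained and operated.
  • Page 842 Korea Warning Statements This radio equipment may cause radio interference during operation. BSMI Notice Safety advice and precautions • Use the original power supply, or use this product only with the power type indicated on it. • Unplug the power cord before cleaning this product. Do not use liquids, spray cleaners or a wet cloth for cleaning. • Keep the product dry; do not spill water or other liquids on it. • Slots and openings are provided for ventilation, to ensure reliable operation and prevent overheating; do not block or cover them. • Do not place this product near a heat source. Do not place it in an enclosed space unless there is proper ventilation. • Do not open the enclosure or attempt to repair this product yourself; leave this work to authorized professionals. This is a Class A information technology device. When used in a residential environment it may cause radio-frequency interference, in which case the user may be required to take appropriate countermeasures. Declaration of the presence of restricted substances Restricted substances and their chemical symbols Product component name Lead Cadmium Mercury Hexavalent chromium Polybrominated biphenyls Polybrominated diphenyl ethers CrVI PBDE ○ ○ ○...
  • Page 843 Safety Information ▪ Keep the device away from water, fire, humidity or hot environments. ▪ Do not attempt to disassemble, repair, or modify the device. ▪ Do not use damaged charger or USB cable to charge the device. Please read and follow the above safety information when operating the device. We cannot guarantee that no accidents or damage will occur due to improper use of the device.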
  • Page 844 Specifications are subject to change without notice. is a registered trademark of TP-Link Technologies Co., Ltd. Other brands and product names are trademarks or registered trademarks of their respective holders. No part of the specifications may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from TP-Link Technologies Co., Ltd.