ZyXEL Communications MGS-3712/MES-3728 User Manual

Layer 2+ metro ethernet switch
MES-3728
Layer 2+ Metro Ethernet Switch

Default Login Details
IP Address: http://192.168.0.1 (Out-of-band MGMT port)
IP Address: http://192.168.1.1 (In-band ports)
User Name: admin
Password: 1234

Firmware Version 3.90
Edition 1, 10/2008
www.zyxel.com
Copyright © 2008 ZyXEL Communications Corporation

Summary of Contents for ZyXEL Communications MGS-3712/MES-3728

  • Page 1 MES-3728 Layer 2+ Metro Ethernet Switch Default Login Details IP Address http://192.168.0.1 (Out-of-band MGMT port) http://192.168.1.1 (In-band ports) User Name admin Password 1234 Firmware Version 3.90 www.zyxel.com Edition 1, 10/2008 www.zyxel.com Copyright © 2008 ZyXEL Communications Corporation...
  • Page 3: About This User's Guide

    Refer to the included CD for support documents. Documentation Feedback Send your comments, questions or suggestions to: techwriters@zyxel.com.tw Thank you! The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 30099, Taiwan. Need More Help? More help is available at www.zyxel.com.
  • Page 4 About This User's Guide • Download Library Search for the latest product updates and documentation from this link. Read the Tech Doc Overview to find out how to efficiently use the User Guide, Quick Start Guide and Command Line Interface Reference Guide in order to better understand how to use your product.
  • Page 5: Document Conventions

    Document Conventions Warnings and Notes These are how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your device. Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
  • Page 6 Document Conventions Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The Switch icon is not an exact representation of your device. Icons: The Switch, Computer, Notebook computer, Server, DSLAM, Router, Telephone.
  • Page 7: Safety Warnings

    Safety Warnings • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. • Do NOT store things on the device. •...
  • Page 9: Table Of Contents

    Contents Overview: Introduction and Hardware (21); Getting to Know Your Switch (23); Hardware Installation and Connection (29); Hardware Overview (33); Basic Configuration (45); The Web Configurator (47); Initial Setup Example (57); Tutorials ...
  • Page 10 Contents Overview: Differentiated Services (279); DHCP (287); Management (295); Maintenance (297); Access Control (305); Diagnostic (327); Syslog (329); Cluster Management (333); MAC Table (341); ARP Table (345); Configure Clone (347); Troubleshooting &...
  • Page 11: Table Of Contents

    Table of Contents: About This User's Guide (3); Document Conventions (5); Safety Warnings (7); Contents Overview (9); Table of Contents (11); Part I: Introduction and Hardware (21); Chapter 1 Getting to Know Your Switch (23); 1.1 Introduction ...
  • Page 12 Table of Contents: 3.1.4 Management Port (37); 3.1.5 Power Connector (37); 3.1.6 Signal Slot (39); 3.2 Rear Panel (41); 3.2.1 External Backup Power Supply Connector (41); 3.3 LEDs (42); Part II: Basic Configuration (45); Chapter 4 The Web Configurator ...
  • Page 13 Table of Contents: 7.2 Port Status Summary (74); 7.2.1 Status: Port Details (75); Chapter 8 Basic Setting (79); 8.1 Overview (79); 8.2 System Information (80); 8.3 General Setup (82); 8.4 Introduction to VLANs (84); 8.5 Switch Setup Screen ...
  • Page 14 Table of Contents: 10.2 Configuring Static MAC Forwarding (115); Chapter 11 Static Multicast Forward Setup (119); 11.1 Static Multicast Forwarding Overview (119); 11.2 Configuring Static Multicast Forwarding (120); Chapter 12 Filtering (123); 12.1 Configure a Filtering Rule (123); Chapter 13 Spanning Tree Protocol ...
  • Page 15 Table of Contents: 17.1 Link Aggregation Overview (155); 17.2 Dynamic Link Aggregation (155); 17.2.1 Link Aggregation ID (156); 17.3 Link Aggregation Status (157); 17.4 Link Aggregation Setting (159); 17.5 Link Aggregation Control Protocol (161); 17.6 Static Trunking Example ...
  • Page 16 Table of Contents: 22.1.2 Weighted Fair Queuing (193); 22.1.3 Weighted Round Robin Scheduling (WRR) (194); 22.2 Configuring Queuing (195); Chapter 23 VLAN Stacking (197); 23.1 VLAN Stacking Overview (197); 23.1.1 VLAN Stacking Example (197); 23.2 VLAN Stacking Port Roles ...
  • Page 17 Table of Contents: 25.2.4 Vendor Specific Attribute (230); 25.3 Supported RADIUS Attributes (231); 25.3.1 Attributes Used for Authentication (232); 25.3.2 Attributes Used for Accounting (233); Chapter 26 IP Source Guard (235); 26.1 IP Source Guard Overview (235); 26.1.1 DHCP Snooping Overview ...
  • Page 18 Table of Contents: Chapter 30 Static Route (275); 30.1 Static Routing Overview (275); 30.2 Configuring Static Routing (276); Chapter 31 Differentiated Services (279); 31.1 DiffServ Overview (279); 31.1.1 DSCP and Per-Hop Behavior (279); 31.1.2 DiffServ Network Example (280); 31.2 Two Rate Three Color Marker Traffic Policing ...
  • Page 19 Table of Contents: 33.7 Backup a Configuration File (301); 33.8 FTP Command Line (301); 33.8.1 Filename Conventions (301); 33.8.2 FTP Command Line Procedure (303); 33.8.3 GUI-based FTP Clients (303); 33.8.4 FTP Restrictions (304); Chapter 34 Access Control ...
  • Page 20 Table of Contents: 37.2 Cluster Management Status (334); 37.2.1 Cluster Member Switch Management (335); 37.3 Clustering Management Configuration (338); Chapter 38 MAC Table (341); 38.1 MAC Table Overview (341); 38.2 Viewing the MAC Table (342); Chapter 39 ARP Table ...
  • Page 21: Introduction And Hardware

    Introduction and Hardware Getting to Know Your Switch (23) Hardware Installation and Connection (29) Hardware Overview (33)
  • Page 23: Getting To Know Your Switch

    Chapter 1 Getting to Know Your Switch This chapter introduces the main features and applications of the Switch. 1.1 Introduction The Switch is a layer-2 standalone Ethernet switch with additional layer-2, layer-3, and layer-4 features suitable for metro ethernets. The Switch has twenty-four 10/100 Mbps Ethernet ports and two mini-GBIC slots.
  • Page 24: Bridging Example

    Chapter 1 Getting to Know Your Switch In this example, all computers can share high-speed applications on the server. To expand the network, simply add more networking devices such as switches, routers, computers, print servers etc. Figure 1 Backbone Application 1.1.2 Bridging Example In this example, the Switch connects different company departments (RD and Sales) to the corporate backbone.
  • Page 25: High Performance Switching Example

    Chapter 1 Getting to Know Your Switch 1.1.3 High Performance Switching Example The Switch is ideal for connecting two networks that need high bandwidth. In the following example, use trunking to connect these two networks. Switching to higher-speed LANs such as ATM (Asynchronous Transmission Mode) is not feasible for most people due to the expense of replacing all existing Ethernet cables and adapter cards, restructuring your network and complex maintenance.
  • Page 26: Metro Ethernet

    Chapter 1 Getting to Know Your Switch Shared resources such as a server can be used by all ports in the same VLAN as the server. In the following figure only ports that need access to the server need to be part of VLAN 1. Ports can belong to other VLAN groups too. Figure 4 Shared Server Using VLAN Example 1.1.5 Metro Ethernet The Switch is ideal for connecting users to an Ethernet network that spans a...
  • Page 27: Ways To Manage The Switch

    Chapter 1 Getting to Know Your Switch possible. The Switch is connected to the backbone and the metropolitan servers over an optical network that provides higher bandwidth than copper. Figure 5 Metro Ethernet 1.2 Ways to Manage the Switch Use any of the following methods to manage the Switch. •...
  • Page 28: Good Habits For Managing The Switch

    Chapter 1 Getting to Know Your Switch 1.3 Good Habits for Managing the Switch Do the following things regularly to make the Switch more secure and to manage the Switch more effectively. • Change the password. Use a password that’s not easy to guess and that consists of different types of characters, such as numbers and letters.
  • Page 29: Hardware Installation And Connection

    Chapter 2 Hardware Installation and Connection This chapter shows you how to install and connect the Switch. 2.1 Installation Scenarios The Switch can be placed on a desktop or rack-mounted on a standard EIA rack. Use the rubber feet in a desktop installation and the brackets in a rack-mounted installation.
  • Page 30: Chapter 2 Hardware Installation And Connection

    Chapter 2 Hardware Installation and Connection 2.3.1 Rack-mounted Installation Requirements • Two mounting brackets. • Eight M3 flat head screws and a #2 Philips screwdriver. • Four M5 flat head screws and a #2 Philips screwdriver. Failure to use the proper screws may damage the unit. 2.3.1.1 Precautions •...
  • Page 31: Mounting The Switch On A Rack

    Chapter 2 Hardware Installation and Connection 2.3.3 Mounting the Switch on a Rack Position a mounting bracket (that is already attached to the Switch) on one side of the rack, lining up the two screw holes on the bracket with the screw holes on the side of the rack.
  • Page 33: Hardware Overview

    Chapter 3 Hardware Overview This chapter describes the front panel and rear panel of the Switch and shows you how to make the hardware connections. 3.1 Front Panel The following figure shows the front panel of the Switch. Figure 8 Front Panel: AC/DC Model Mini-GBIC slots Console Port...
  • Page 34: Console Port

    Chapter 3 Hardware Overview Table 1 Front Panel Connections (continued) LABEL: Two Dual Personality Interfaces. DESCRIPTION: Each interface has one 1000BASE-T RJ-45 port and one Small Form-Factor Pluggable (SFP) slot (also called a mini-GBIC slot), with one port or transceiver active at a time. •...
  • Page 35: Mini-Gbic Slots

    Chapter 3 Hardware Overview An auto-crossover (auto-MDI/MDI-X) port automatically works with a straight-through or crossover Ethernet cable. Two of the 1000Base-T Ethernet ports are paired with a mini-GBIC slot to create a dual personality interface. The Switch uses up to one connection for each mini-GBIC and 1000Base-T Ethernet pair.
  • Page 36: Transceiver Installation

    Chapter 3 Hardware Overview To avoid possible eye injury, do not look into an operating fiber-optic module’s connectors. • Type: SFP connection interface • Connection speed: 1 Gigabit per second (Gbps) 3.1.3.1 Transceiver Installation Use the following steps to install a mini-GBIC transceiver (SFP module). Insert the transceiver into the slot with the exposed section of PCB board facing down.
  • Page 37: Management Port

    Chapter 3 Hardware Overview Pull the transceiver out of the slot. Figure 11 Removing the Fiber Optic Cables Figure 12 Opening the Transceiver’s Latch Example Figure 13 Transceiver Removal Example 3.1.4 Management Port The MGMT (management) port is used for local management. Connect directly to this port using an Ethernet cable.
  • Page 38: Ac Power Connection

    Chapter 3 Hardware Overview Use only power wires of the required diameter for connecting the Switch to a power supply. 3.1.5.1 AC Power Connection Connect the female end of the power cord to the power socket of your Switch. Connect the other end of the cord to a power outlet. 3.1.5.2 DC Power Connection The Switch uses a single ETB series terminal block plug with four pins which allows you to connect up to two separate power supplies.
  • Page 39: Signal Slot

    Chapter 3 Hardware Overview 3.1.6 Signal Slot The Signal slot (fitted with the signal connector) allows you to connect devices to the Switch, such as sensors or other ZyXEL switches which support the external alarm feature. This feature is in addition to the system alarm, which detects abnormal temperatures, voltage levels and fan speeds on the Switch.
  • Page 40 Chapter 3 Hardware Overview Insert the alarm connector into the Signal slot. Figure 14 Connecting a Sensor to the Signal Slot (figure labels: Door Open Sensor, Spring Clip, Signal Connector, Signal Input Pins (dry contact, normal open only), Signal Output Pins). To connect an output device, repeat the previous steps but this time connect to either pins (1,2) or (2,3) on the Signal connector.
  • Page 41: Rear Panel

    Chapter 3 Hardware Overview When daisy-chaining further Switches ensure that the signal output pins you use are the same as those you used when connecting to the first switch, as shown in the diagram below. Figure 15 Daisy-chaining an External Alarm Sensor to Other Switches of the Same Model ..
  • Page 42: Leds

    Chapter 3 Hardware Overview 3.3 LEDs After you connect the power to the Switch, view the LEDs to ensure proper functioning of the Switch and as an aid in troubleshooting. Table 2 LED Descriptions COLOR STATUS DESCRIPTION Green The backup power supply is connected and active. Blinking The system is receiving power from the backup power supply.
  • Page 43 Chapter 3 Hardware Overview Table 2 LED Descriptions (continued) COLOR STATUS DESCRIPTION Amber The Gigabit port is negotiating in full-duplex mode. The Gigabit port is negotiating in half-duplex mode. MGMT Green Blinking The system is transmitting/receiving to/from an Ethernet device. The port is connected at 10 Mbps.
  • Page 45: Basic Configuration

    Basic Configuration The Web Configurator (47) Initial Setup Example (57) System Status and Port Statistics (73) Basic Setting (79)
  • Page 47: The Web Configurator

    Chapter 4 The Web Configurator This section introduces the configuration and functions of the web configurator. 4.1 Introduction The web configurator is an HTML-based management interface that allows easy Switch setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions.
  • Page 48: The Status Screen

    Chapter 4 The Web Configurator The login screen appears. The default username is admin and associated default password is 1234. The date and time display as shown if you have not configured a time server nor manually entered a time and date in the General Setup screen. Figure 17 Web Configurator: Login Click OK to view the first web configurator screen.
  • Page 49 Chapter 4 The Web Configurator The following figure shows the navigating components of a web configurator screen. Figure 18 Web Configurator Home Screen (Status). A - Click the menu items to open submenu links, and then click on a submenu link to open the screen in the main window.
  • Page 50 Chapter 4 The Web Configurator In the navigation panel, click a main link to reveal a list of submenu links. Table 3 Navigation Panel Sub-links Overview: BASIC SETTING, ADVANCED APPLICATION, IP APPLICATION, MANAGEMENT. The following table describes the links in the navigation panel. Table 4 Navigation Panel Links LINK DESCRIPTION...
  • Page 51 Chapter 4 The Web Configurator Table 4 Navigation Panel Links (continued) LINK DESCRIPTION VLAN This link takes you to screens where you can configure port-based or 802.1Q VLAN (depending on what you configured in the Switch Setup menu). You can also configure a protocol based VLAN or a subnet based VLAN in these screens.
  • Page 52 Chapter 4 The Web Configurator Table 4 Navigation Panel Links (continued) LINK DESCRIPTION Layer 2 Protocol Tunneling: This link takes you to a screen where you can configure L2PT (Layer 2 Protocol Tunneling) settings on the Switch. IP Application. Static Routing: This link takes you to a screen where you can configure static routes.
  • Page 53: Change Your Password

    Chapter 4 The Web Configurator 4.3.1 Change Your Password After you log in for the first time, it is recommended you change the default administrator password. Click Management > Access Control > Logins to display the next screen. Figure 19 Change Administrator Login Password 4.4 Saving Your Configuration When you are done modifying the settings in a screen, click Apply to save your changes back to the run-time memory.
  • Page 54: Switch Lockout

    Chapter 4 The Web Configurator 4.5 Switch Lockout You could block yourself (and all others) from using in-band-management (managing through the data ports) if you do one of the following: Delete the management VLAN (default is VLAN 1). Delete all port-based VLANs with the CPU port as a member. The “CPU port” is the management port of the Switch.
  • Page 55 Chapter 4 The Web Configurator Disconnect and reconnect the Switch’s power to begin a session. When you reconnect the Switch’s power, you will see the initial screen. When you see the message “Press any key to enter Debug Mode within 3 seconds ...”...
  • Page 56: Logging Out Of The Web Configurator

    Chapter 4 The Web Configurator 4.7 Logging Out of the Web Configurator Click Logout in a screen to exit the web configurator. You have to log in with your password again after you log out. This is recommended after you finish a management session for security reasons.
  • Page 57: Initial Setup Example

    Chapter 5 Initial Setup Example This chapter shows how to set up the Switch for an example network. 5.1 Overview The following lists the configuration steps for the initial setup: • Create a VLAN • Set port VLAN ID •...
  • Page 58 Chapter 5 Initial Setup Example Click Advanced Application > VLAN in the navigation panel and click the Static VLAN link. In the Static VLAN screen, select ACTIVE, enter a descriptive name in the Name field and enter 2 in the VLAN Group ID field for the VLAN2 network.
  • Page 59: Setting Port Vid

    Chapter 5 Initial Setup Example 5.1.2 Setting Port VID Use PVID to add a tag to incoming untagged frames received on that port so that the frames are forwarded to the VLAN group that the tag defines. In the example network, configure 2 as the port VID on port 1 so that any untagged frames received on that port get sent to VLAN 2.
  • Page 60: Configuring Switch Management Ip Address

    Chapter 5 Initial Setup Example 5.2 Configuring Switch Management IP Address The default management IP address of the Switch is 192.168.1.1. You can configure another IP address in a different subnet for management purposes. The following figure shows an example. Figure 24 Initial Setup Example: Management IP Address Connect your computer to any Ethernet port on the Switch.
  • Page 61 Chapter 5 Initial Setup Example Click Basic Setting > IP Setup in the navigation panel. Configure the related fields in the IP Setup screen. For the VLAN2 network, enter 192.168.2.1 as the IP address and 255.255.255.0 as the subnet mask. In the VID field, enter the ID of the VLAN group to which you want this management IP...
  • Page 63: Tutorials

    Chapter 6 Tutorials This chapter provides some examples of using the web configurator to set up and use the Switch. The tutorials include: • How to Use DHCP Snooping on the Switch • How to Use DHCP Relay on the Switch 6.1 How to Use DHCP Snooping on the Switch You only want DHCP server A connected to port 5 to assign IP addresses to all devices in VLAN network (V).
  • Page 64 Chapter 6 Tutorials Table 5 Tutorial: Settings in this Tutorial PORT DHCP SNOOPING HOST CONNECTED VLAN PVID PORT TRUSTED DHCP Client 1 and 100 DHCP Client 1 and 100 Access the Switch from the MGMT port through http://192.168.0.1 by default. Log into the Switch by entering the username (default: admin) and password (default: 1234).
  • Page 65 Chapter 6 Tutorials Go to Advanced Application > VLAN > VLAN Port Setting, and set the PVID of the ports 5, 6 and 7 to 100. This tags untagged incoming frames on ports 5, 6 and 7 with the tag 100. Figure 27 Tutorial: Tag Untagged Frames Go to Advanced Application >...
  • Page 66 Chapter 6 Tutorials The DHCP Snooping Port Configure screen appears. Select Trusted in the Server Trusted state field for port 5 because the DHCP server is connected to port 5. Keep ports 6 and 7 Untrusted because they are connected to DHCP clients.
  • Page 67: How To Use Dhcp Relay On The Switch

    Chapter 6 Tutorials Connect your DHCP server to port 5 and a computer (as DHCP client) to either port 6 or 7. The computer should be able to get an IP address from the DHCP server. If you put the DHCP server on port 6 or 7, the computer will not be able to get an IP address.
  • Page 68: Creating A Vlan

    Chapter 6 Tutorials the system name, VLAN ID and port number in the DHCP request. Client A connects to the Switch’s port 2 in VLAN 102. Figure 32 Tutorial: DHCP Relay Scenario DHCP Server Port 2 192.168.2.3 PVID=102 VLAN 102 172.16.1.18 6.2.2 Creating a VLAN Follow the steps below to configure port 2 as a member of VLAN 102.
  • Page 69 Chapter 6 Tutorials Go to Basic Setting > Switch Setup and set the VLAN type to 802.1Q. Click Apply to save the settings to the run-time memory. Figure 33 Tutorial: Set VLAN Type to 802.1Q Click Advanced Application > VLAN > Static VLAN. In the Static VLAN screen, select ACTIVE, enter a descriptive name (VLAN 102 for example) in the Name field and enter 102 in the VLAN Group ID field.
  • Page 70 Chapter 6 Tutorials Click Add to save the settings to the run-time memory. Settings in the run-time memory are lost when the Switch’s power is turned off. Figure 34 Tutorial: Create a Static VLAN Click the VLAN Status link in the Static VLAN screen and then the VLAN Port Setting link in the VLAN Status screen.
  • Page 71: Configuring Dhcp Relay

    Chapter 6 Tutorials 10 Click Apply to save your changes back to the run-time memory. Figure 36 Tutorial: Add Tag for Frames Received on Port 2 11 Click the Save link in the upper right corner of the web configurator to save your configuration permanently.
  • Page 72: Troubleshooting

    Chapter 6 Tutorials Click Apply to save your changes back to the run-time memory. Figure 37 Tutorial: Set DHCP Server and Relay Information Click the Save link in the upper right corner of the web configurator to save your configuration permanently. The DHCP server can then assign a specific IP address based on the DHCP request.
  • Page 73: System Status And Port Statistics

    Chapter 7 System Status and Port Statistics This chapter describes the system status (web configurator home page) and port details screens. 7.1 Overview The home screen of the web configurator displays a port statistical summary with links to each port showing statistical details.
  • Page 74: Chapter 7 System Status And Port Statistics

    Chapter 7 System Status and Port Statistics 7.2 Port Status Summary To view the port statistics, click Status in all web configurator screens to display the Status screen as shown next. Figure 38 Status The following table describes the labels in this screen. Table 6 Status LABEL DESCRIPTION...
  • Page 75: Status: Port Details

    Chapter 7 System Status and Port Statistics Table 6 Status (continued) LABEL DESCRIPTION Rx KB/s This field shows the number of kilobytes per second received on this port. Up Time This field shows the total amount of time in hours, minutes and seconds the port has been up.
  • Page 76 Chapter 7 System Status and Port Statistics The following table describes the labels in this screen. Table 7 Status: Port Details LABEL DESCRIPTION Port Info Port NO. This field displays the port number you are viewing. Name This field displays the name of the port. Link This field displays the speed (either 10M for 10Mbps, 100M for 100Mbps or 1000M for 1000Mbps) and the duplex (F for full duplex or H for half...
  • Page 77 Chapter 7 System Status and Port Statistics Table 7 Status: Port Details (continued) LABEL DESCRIPTION Single This is a count of successfully transmitted packets for which transmission is inhibited by exactly one collision. Multiple This is a count of successfully transmitted packets for which transmission was inhibited by more than one collision.
  • Page 79: Basic Setting

    Chapter 8 Basic Setting This chapter describes how to configure the System Info, General Setup, Switch Setup, IP Setup and Port Setup screens. 8.1 Overview The System Info screen displays general Switch information (such as firmware version number) and hardware polling information (such as fan speeds).
  • Page 80: System Information

    Chapter 8 Basic Setting 8.2 System Information In the navigation panel, click Basic Setting > System Info to display the screen as shown. You can check the firmware version number and monitor the Switch temperature, fan speeds and voltage in this screen. Figure 40 Basic Setting >...
  • Page 81 Chapter 8 Basic Setting Table 8 Basic Setting > System Info (continued) LABEL DESCRIPTION Fan Speed (RPM): A properly functioning fan is an essential component (along with a sufficiently ventilated, cool operating environment) in order for the device to stay within the temperature threshold. Each fan has a sensor that is capable of detecting and reporting if the fan speed falls below the threshold shown.
  • Page 82: General Setup

    Chapter 8 Basic Setting 8.3 General Setup Use this screen to configure general settings such as the system name and time. Click Basic Setting > General Setup in the navigation panel to display the screen as shown. Figure 41 Basic Setting > General Setup The following table describes the labels in this screen.
  • Page 83 Chapter 8 Basic Setting Table 9 Basic Setting > General Setup (continued) LABEL DESCRIPTION Use Time Server when Bootup: Enter the time service protocol that your timeserver uses. Not all time servers support all protocols, so you may have to use trial and error to find a protocol that works.
  • Page 84: Introduction To Vlans

    Chapter 8 Basic Setting Table 9 Basic Setting > General Setup (continued) LABEL DESCRIPTION End Date Configure the day and time when Daylight Saving Time ends if you selected Daylight Saving Time. The time field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the first Sunday of November.
  • Page 85: Switch Setup Screen

    Chapter 8 Basic Setting 8.5 Switch Setup Screen Click Basic Setting > Switch Setup in the navigation panel to display the screen as shown. The VLAN setup screens change depending on whether you choose 802.1Q or Port Based in the VLAN Type field in this screen. Refer to the chapter on VLAN.
  • Page 86 Chapter 8 Basic Setting Table 10 Basic Setting > Switch Setup (continued) LABEL DESCRIPTION Join Timer Join Timer sets the duration of the Join Period timer for GVRP in milliseconds. Each port has a Join Period timer. The allowed Join Time range is between 100 and 65535 milliseconds;...
  • Page 87: Ip Setup

    Chapter 8 Basic Setting 8.6 IP Setup Use the IP Setup screen to configure the Switch IP address, default gateway device, the default domain name server and the management VLAN ID. The default gateway specifies the IP address of the default gateway (next hop) for outgoing traffic.
  • Page 88 Chapter 8 Basic Setting The following table describes the labels in this screen. Table 11 Basic Setting > IP Setup LABEL DESCRIPTION Domain Name Server: DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. Enter a domain name server IP address in order to be able to use a domain name instead of an IP address.
  • Page 89 Chapter 8 Basic Setting Table 11 Basic Setting > IP Setup (continued) LABEL DESCRIPTION Apply Click Apply to save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the non-volatile memory when you are done configuring.
  • Page 90: Port Setup

    Chapter 8 Basic Setting 8.7 Port Setup Use this screen to configure Switch port settings. Click Basic Setting > Port Setup in the navigation panel to display the configuration screen. Figure 44 Basic Setting > Port Setup The following table describes the labels in this screen. Table 12 Basic Setting >...
  • Page 91 Chapter 8 Basic Setting Table 12 Basic Setting > Port Setup (continued) LABEL DESCRIPTION Speed/Duplex: Select the speed and the duplex mode of the Ethernet connection on this port. Choices are Auto, 10M/Half Duplex, 10M/Full Duplex, 100M/Half Duplex, 100M/Full Duplex and 1000M/Full Duplex (Gigabit connections only).
  • Page 93: Advanced

    Advanced VLAN (95) VLAN Mapping (265) Static MAC Forward Setup (115) Layer 2 Protocol Tunneling (269) Filtering (123) Spanning Tree Protocol (125) Bandwidth Control (147) Broadcast Storm Control (151) Mirroring (153) Link Aggregation (155) Port Authentication (165) Port Security (171) Classifier (177) Policy Rule (185) Queuing Method (193)
  • Page 95: Vlan

    Chapter 9 VLAN The type of screen you see here depends on the VLAN Type you selected in the Switch Setup screen. This chapter shows you how to configure 802.1Q tagged and port-based VLANs. 9.1 Introduction to IEEE 802.1Q Tagged VLANs A tagged VLAN uses an explicit tag (VLAN ID) in the MAC header to identify the VLAN membership of a frame across bridges - they are not confined to the switch on which they were created.
  • Page 96: Automatic Vlan Registration

    Chapter 9 VLAN switch, the Switch first decides where to forward the frame and then strips off the VLAN tag. To forward a frame from an 802.1Q VLAN-unaware switch to an 802.1Q VLAN-aware switch, the Switch first decides where to forward the frame, and then inserts a VLAN tag reflecting the ingress port's default VID.
  • Page 97: Port Vlan Trunking

    Chapter 9 VLAN Table 13 IEEE 802.1Q VLAN Terminology (continued) VLAN PARAMETER TERM DESCRIPTION VLAN Administrative Control: Registration Fixed: Fixed registration ports are permanent VLAN members. Registration Forbidden: Ports with registration forbidden are forbidden to join the specified VLAN. Normal: Ports dynamically join a VLAN using GVRP.
  • Page 98: Select The Vlan Type

    Chapter 9 VLAN VLAN group tags 1 and 2 (VLAN groups that are unknown to those switches) to pass through their VLAN trunking port(s). Figure 45 Port VLAN Trunking 9.4 Select the VLAN Type Select a VLAN type in the Basic Setting > Switch Setup screen. Figure 46 Switch Setup >...
  • Page 99: Vlan Status

    Chapter 9 VLAN 9.5.1 VLAN Status See Section 9.1 on page 95 for more information on Static VLAN. Click Advanced Application > VLAN from the navigation panel to display the VLAN Status screen as shown next. Figure 47 Advanced Application > VLAN: VLAN Status The following table describes the labels in this screen.
  • Page 100: Vlan Details

    Chapter 9 VLAN Table 14 Advanced Application > VLAN: VLAN Status (continued) LABEL DESCRIPTION Status: This field shows how this VLAN was added to the Switch. dynamic: using GVRP; static: added as a permanent entry; other: added in another way such as via Multicast VLAN Registration (MVR). Change Pages: Click Previous or Next to show the previous/next screen if all status...
  • Page 101: Configure A Static Vlan

    Chapter 9 VLAN 9.5.3 Configure a Static VLAN Use this screen to configure and view 802.1Q VLAN parameters for the Switch. See Section 9.1 on page 95 for more information on static VLAN. To configure a static VLAN, click Static VLAN in the VLAN Status screen to display the screen as shown next.
  • Page 102 Chapter 9 VLAN Table 16 Advanced Application > VLAN > Static VLAN (continued) LABEL DESCRIPTION Settings in this row apply to all ports. Use this row only if you want to make some settings the same for all ports. Use this row first to set the common settings and then make adjustments on a port-by-port basis.
  • Page 103: Configure Vlan Port Settings

    Chapter 9 VLAN 9.5.4 Configure VLAN Port Settings Use the VLAN Port Setting screen to configure the static VLAN (IEEE 802.1Q) settings on a port. See Section 9.1 on page 95 for more information on static VLAN. Click the VLAN Port Setting link in the VLAN Status screen. Figure 50 Advanced Application >...
  • Page 104 Chapter 9 VLAN The following table describes the labels in this screen. Table 17 Advanced Application > VLAN > VLAN Port Setting LABEL DESCRIPTION GVRP: GVRP (GARP VLAN Registration Protocol) is a registration protocol that defines a way for switches to register necessary VLAN members on ports across the network.
  • Page 105: Subnet Based Vlans

    Chapter 9 VLAN 9.6 Subnet Based VLANs Subnet based VLANs allow you to group traffic into logical VLANs based on the source IP subnet you specify. When a frame is received on a port, the Switch checks if a tag is added already and the IP subnet it came from. The untagged packets from the same IP subnet are then placed in the same subnet based VLAN.
  • Page 106: Configuring Subnet Based Vlan

    Chapter 9 VLAN 9.7 Configuring Subnet Based VLAN Click Subnet Based VLAN in the VLAN Port Setting screen to display the configuration screen as shown. Note: Subnet based VLAN applies to un-tagged packets and is applicable only when you use IEEE 802.1Q tagged VLAN. Figure 52 Advanced Application >...
  • Page 107: Protocol Based Vlans

    Chapter 9 VLAN Table 18 Advanced Application > VLAN > VLAN Port Setting > Subnet Based VLAN Setup (continued) LABEL DESCRIPTION Enter the IP address of the subnet for which you want to configure this subnet based VLAN. Mask-Bits: Enter the bit number of the subnet mask. To find the bit number, convert the subnet mask to binary format and add all the 1’s together.
  • Page 108: Configuring Protocol Based Vlan

    Chapter 9 VLAN For example, ports 1, 2, 3 and 4 belong to static VLAN 100, and ports 4, 5, 6 and 7 belong to static VLAN 120. You configure a protocol based VLAN A with priority 3 for ARP traffic received on ports 1, 2 and 3. You also have a protocol based VLAN B with priority 2 for AppleTalk traffic received on ports 6 and 7.
  • Page 109 Chapter 9 VLAN Note: Protocol-based VLAN applies to un-tagged packets and is applicable only when you use IEEE 802.1Q tagged VLAN. Figure 54 Advanced Application > VLAN > VLAN Port Setting > Protocol Based VLAN The following table describes the labels in this screen. Table 19 Advanced Application >...
  • Page 110: Create An Ip-Based Vlan Example

    Chapter 9 VLAN Table 19 Advanced Application > VLAN > VLAN Port Setting > Protocol Based VLAN Setup (continued) LABEL DESCRIPTION Click Add to save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the non-volatile memory when you are done configuring.
  • Page 111: Port-Based Vlan Setup

    Chapter 9 VLAN Leave the priority set to 0 and click Add. Figure 55 Protocol Based VLAN Configuration Example To add more ports to this protocol based VLAN: Click the index number of the protocol based VLAN entry. Click 1. Change the value in the Port field to the next port you want to add.
  • Page 112: Configure A Port-Based Vlan

    Chapter 9 VLAN The port-based VLAN setup screen is shown next. The CPU management port forms a VLAN with all Ethernet ports. 9.11.1 Configure a Port-based VLAN Select Port Based as the VLAN Type in the Basic Setting > Switch Setup screen and then click Advanced Application >...
  • Page 113 Chapter 9 VLAN Figure 57 Port Based VLAN Setup (Port Isolation)
  • Page 114 Chapter 9 VLAN The following table describes the labels in this screen. Table 20 Port Based VLAN Setup LABEL DESCRIPTION Setting Wizard: Choose All connected or Port isolation. All connected means all ports can communicate with each other, that is, there are no virtual LANs.
  • Page 115: Static Mac Forward Setup

    Chapter 10 Static MAC Forward Setup Use these screens to configure static MAC address forwarding. 10.1 Overview This chapter discusses how to configure forwarding rules based on MAC addresses of devices on your network. 10.2 Configuring Static MAC Forwarding A static MAC address is an address that has been manually entered in the MAC address table.
  • Page 116 Chapter 10 Static MAC Forward Setup Click Advanced Application > Static MAC Forwarding in the navigation panel to display the configuration screen as shown. Figure 58 Advanced Application > Static MAC Forwarding The following table describes the labels in this screen. Table 21 Advanced Application >...
  • Page 117 Chapter 10 Static MAC Forward Setup Table 21 Advanced Application > Static MAC Forwarding (continued) LABEL DESCRIPTION Port: This field displays the port where the MAC address shown in the next field will be forwarded. Delete: Click Delete to remove the selected entry from the summary table. Cancel: Click Cancel to clear the Delete check boxes.
  • Page 119: Static Multicast Forward Setup

    Chapter 11 Static Multicast Forward Setup Use these screens to configure static multicast address forwarding. 11.1 Static Multicast Forwarding Overview A multicast MAC address is the MAC address of a member of a multicast group. A static multicast address is a multicast MAC address that has been manually entered in the multicast table.
  • Page 120: Configuring Static Multicast Forwarding

    Chapter 11 Static Multicast Forward Setup Figure 60 Static Multicast Forwarding to A Single Port Figure 61 Static Multicast Forwarding to Multiple Ports 11.2 Configuring Static Multicast Forwarding Use this screen to configure rules to forward specific multicast frames, such as streaming or control frames, to specific port(s).
  • Page 121 Chapter 11 Static Multicast Forward Setup The following table describes the labels in this screen. Table 22 Advanced Application > Static Multicast Forwarding LABEL DESCRIPTION Active: Select this check box to activate your rule. You may temporarily deactivate a rule without deleting it by clearing this check box. Name: Type a descriptive name (up to 32 printable ASCII characters) for this static multicast MAC address forwarding rule.
  • Page 123: Filtering

    Chapter 12 Filtering This chapter discusses MAC address port filtering. 12.1 Configure a Filtering Rule Filtering means sifting traffic going through the Switch based on the source and/or destination MAC addresses and VLAN group (ID). Click Advanced Application > Filtering in the navigation panel to display the screen as shown next.
  • Page 124 Chapter 12 Filtering Table 23 Advanced Application > Filtering (continued) LABEL DESCRIPTION Action: Select Discard source to drop the frames from the source MAC address (specified in the MAC field). The Switch can still send frames to the MAC address. Select Discard destination to drop the frames to the destination MAC address (specified in the MAC address).
  • Page 125: Spanning Tree Protocol

    Chapter 13 Spanning Tree Protocol The Switch supports Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP) as defined in the following standards. • IEEE 802.1D Spanning Tree Protocol • IEEE 802.1w Rapid Spanning Tree Protocol •...
  • Page 126: How Stp Works

    Chapter 13 Spanning Tree Protocol Path cost is the cost of transmitting a frame onto a LAN through that port. The recommended cost is assigned according to the speed of the link to which a port is attached. The slower the media, the higher the cost. Table 24 STP Path Costs LINK RECOMMENDED...
  • Page 127: Stp Port States

    Chapter 13 Spanning Tree Protocol 13.1.3 STP Port States STP assigns five port states to eliminate packet looping. A bridge port is not allowed to go directly from blocking state to forwarding state so as to eliminate transient loops. Table 25 STP Port States PORT STATE DESCRIPTION...
  • Page 128: Multiple Stp

    Chapter 13 Spanning Tree Protocol Note: Each port can belong to one STP tree only. Figure 64 MRSTP Network Example 13.1.5 Multiple STP Multiple Spanning Tree Protocol (IEEE 802.1s) is backward compatible with STP/RSTP and addresses the limitations of existing spanning tree protocols (STP and RSTP) in networks to include the following features: •...
  • Page 129: Mst Region

    Chapter 13 Spanning Tree Protocol blocked as STP and RSTP allow only one link in the network and block the redundant link. Figure 65 STP/RSTP Network Example (labels: VLAN 1, VLAN 2) With MSTP, VLANs 1 and 2 are mapped to different spanning trees in the network. Thus traffic from the two VLANs travels on different paths.
  • Page 130: Mst Instance

    Chapter 13 Spanning Tree Protocol Devices that belong to the same MST region are configured to have the same MSTP configuration identification settings. These include the following parameters: • Name of the MST region • Revision level as the unique number for the MST region •...
  • Page 131: Spanning Tree Protocol Status Screen

    Chapter 13 Spanning Tree Protocol and single spanning tree devices. A network may contain multiple MST regions and other network segments running RSTP. Figure 68 MSTP and Legacy RSTP Network Example 13.2 Spanning Tree Protocol Status Screen The Spanning Tree Protocol status screen changes depending on what standard you choose to implement on your network.
  • Page 132: Spanning Tree Configuration

    Chapter 13 Spanning Tree Protocol 13.3 Spanning Tree Configuration Use the Spanning Tree Configuration screen to activate one of the STP modes on the Switch. Click Configuration in the Advanced Application > Spanning Tree Protocol screen. Figure 70 Advanced Application > Spanning Tree Protocol > Configuration The following table describes the labels in this screen.
  • Page 133: Configure Rapid Spanning Tree Protocol

    Chapter 13 Spanning Tree Protocol 13.4 Configure Rapid Spanning Tree Protocol Use this screen to configure RSTP settings; see Section 13.1 on page 125 for more information on RSTP. Click RSTP in the Advanced Application > Spanning Tree Protocol screen. Figure 71 Advanced Application >...
  • Page 134 Chapter 13 Spanning Tree Protocol Table 27 Advanced Application > Spanning Tree Protocol > RSTP (continued) LABEL DESCRIPTION Bridge Priority: Bridge priority is used in determining the root switch, root port and designated port. The switch with the highest priority (lowest numeric value) becomes the STP root switch.
  • Page 135: Rapid Spanning Tree Protocol Status

    Chapter 13 Spanning Tree Protocol Table 27 Advanced Application > Spanning Tree Protocol > RSTP (continued) LABEL DESCRIPTION Apply: Click Apply to save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the non-volatile memory when you are done configuring.
  • Page 136 Chapter 13 Spanning Tree Protocol Table 28 Advanced Application > Spanning Tree Protocol > Status: RSTP LABEL DESCRIPTION Max Age (second): This is the maximum time (in seconds) the Switch can wait without receiving a configuration message before attempting to reconfigure. Forwarding Delay (second): This is the time (in seconds) the root switch will wait before changing...
  • Page 137: Configure Multiple Rapid Spanning Tree Protocol

    Chapter 13 Spanning Tree Protocol 13.6 Configure Multiple Rapid Spanning Tree Protocol To configure MRSTP, click MRSTP in the Advanced Application > Spanning Tree Protocol screen. See Section 13.1 on page 125 for more information on MRSTP. Figure 73 Advanced Application > Spanning Tree Protocol > MRSTP The following table describes the labels in this screen.
  • Page 138 Chapter 13 Spanning Tree Protocol Table 29 Advanced Application > Spanning Tree Protocol > MRSTP (continued) LABEL DESCRIPTION Bridge Priority: Bridge priority is used in determining the root switch, root port and designated port. The switch with the highest priority (lowest numeric value) becomes the STP root switch.
  • Page 139: Multiple Rapid Spanning Tree Protocol Status

    Chapter 13 Spanning Tree Protocol Table 29 Advanced Application > Spanning Tree Protocol > MRSTP (continued) LABEL DESCRIPTION Tree: Select which STP tree configuration this port should participate in. Apply: Click Apply to save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the non-volatile memory when you are done configuring.
  • Page 140 Chapter 13 Spanning Tree Protocol Table 30 Advanced Application > Spanning Tree Protocol > Status: MRSTP LABEL DESCRIPTION Hello Time (second): This is the time interval (in seconds) at which the root switch transmits a configuration message. The root bridge determines Hello Time, Max Age and Forwarding Delay.
  • Page 141: Configure Multiple Spanning Tree Protocol

    Chapter 13 Spanning Tree Protocol 13.8 Configure Multiple Spanning Tree Protocol To configure MSTP, click MSTP in the Advanced Application > Spanning Tree Protocol screen. See Section 13.1.5 on page 128 for more information on MSTP. Figure 75 Advanced Application > Spanning Tree Protocol > MSTP
  • Page 142 Chapter 13 Spanning Tree Protocol The following table describes the labels in this screen. Table 31 Advanced Application > Spanning Tree Protocol > MSTP LABEL DESCRIPTION Status: Click Status to display the MSTP Status screen (see Figure 76 on page 144).
  • Page 143 Chapter 13 Spanning Tree Protocol Table 31 Advanced Application > Spanning Tree Protocol > MSTP (continued) LABEL DESCRIPTION Bridge Priority: Set the priority of the Switch for the specific spanning tree instance. The lower the number, the more likely the Switch will be chosen as the root bridge within the spanning tree instance.
  • Page 144: Multiple Spanning Tree Protocol Status

    Chapter 13 Spanning Tree Protocol Table 31 Advanced Application > Spanning Tree Protocol > MSTP (continued) LABEL DESCRIPTION Delete: Check the rule(s) that you want to remove in the Delete column and then click the Delete button. Cancel: Click Cancel to begin configuring this screen afresh. 13.9 Multiple Spanning Tree Protocol Status Click Advanced Application >...
  • Page 145 Chapter 13 Spanning Tree Protocol The following table describes the labels in this screen. Table 32 Advanced Application > Spanning Tree Protocol > Status: MSTP LABEL DESCRIPTION Configuration: Click Configuration to specify which STP mode you want to activate. Click MSTP to edit MSTP settings on the Switch. This section describes the Common Spanning Tree settings.
  • Page 146 Chapter 13 Spanning Tree Protocol Table 32 Advanced Application > Spanning Tree Protocol > Status: MSTP LABEL DESCRIPTION Internal Cost: This is the path cost from the root port in this MST instance to the regional root switch. Port ID: This is the priority and number of the port on the Switch through which this Switch must communicate with the root of the MST instance.
  • Page 147: Bandwidth Control

    Chapter 14 Bandwidth Control This chapter shows you how you can cap the maximum bandwidth using the Bandwidth Control screen. 14.1 Bandwidth Control Overview Bandwidth control means defining a maximum allowable bandwidth for incoming and/or out-going traffic flows on a port. 14.1.1 CIR and PIR The Committed Information Rate (CIR) is the guaranteed bandwidth for the incoming traffic flow on a port.
  • Page 148: Bandwidth Control Setup

    Chapter 14 Bandwidth Control 14.2 Bandwidth Control Setup Click Advanced Application > Bandwidth Control in the navigation panel to bring up the screen as shown next. Figure 77 Advanced Application > Bandwidth Control The following table describes the related labels in this screen. Table 33 Advanced Application >...
  • Page 149 Chapter 14 Bandwidth Control Table 33 Advanced Application > Bandwidth Control (continued) LABEL DESCRIPTION Active: Select this check box to activate egress rate limits on this port. Egress Rate: Specify the maximum bandwidth allowed in kilobits per second (Kbps) for the out-going traffic flow on a port.
  • Page 151: Broadcast Storm Control

    Chapter 15 Broadcast Storm Control This chapter introduces and shows you how to configure the broadcast storm control feature. 15.1 Broadcast Storm Control Setup Broadcast storm control limits the number of broadcast, multicast and destination lookup failure (DLF) packets the Switch receives per second on the ports. When the maximum number of allowable broadcast, multicast and/or DLF packets is reached per second, the subsequent packets are discarded.
  • Page 152 Chapter 15 Broadcast Storm Control The following table describes the labels in this screen. Table 34 Advanced Application > Broadcast Storm Control LABEL DESCRIPTION Active: Select this check box to enable traffic storm control on the Switch. Clear this check box to disable this feature. Port: This field displays the port number.
  • Page 153: Mirroring

    Chapter 16 Mirroring This chapter discusses port mirroring setup screens. 16.1 Port Mirroring Setup Port mirroring allows you to copy a traffic flow to a monitor port (the port you copy the traffic to) so that you can examine the traffic from the monitor port without interference.
  • Page 154 Chapter 16 Mirroring The following table describes the labels in this screen. Table 35 Advanced Application > Mirroring LABEL DESCRIPTION Active: Select this check box to activate port mirroring on the Switch. Clear this check box to disable the feature. Monitor Port: The monitor port is the port you copy the traffic to in order to examine it in...
  • Page 155: Link Aggregation

    Chapter 17 Link Aggregation This chapter shows you how to logically aggregate physical links to form one logical, higher-bandwidth link. 17.1 Link Aggregation Overview Link aggregation (trunking) is the grouping of physical ports into one logical higher-capacity link.
  • Page 156: Link Aggregation Id

    Chapter 17 Link Aggregation LACP also allows port redundancy, that is, if an operational port fails, then one of the “standby” ports becomes operational without user intervention. Please note that: • You must connect all ports point-to-point to the same Ethernet switch and configure the ports for LACP trunking.
  • Page 157: Link Aggregation Status

    Chapter 17 Link Aggregation 17.3 Link Aggregation Status Click Advanced Application > Link Aggregation in the navigation panel. The Link Aggregation Status screen displays by default. See Section 17.1 on page for more information. Figure 80 Advanced Application > Link Aggregation Status The following table describes the labels in this screen.
  • Page 158 Chapter 17 Link Aggregation Table 38 Advanced Application > Link Aggregation Status (continued) LABEL DESCRIPTION Criteria: This shows the outgoing traffic distribution algorithm used in this trunk group. Packets from the same source and/or to the same destination are sent over the same link within the trunk. src-mac means the Switch distributes traffic based on the packet’s source MAC address.
  • Page 159: Link Aggregation Setting

    Chapter 17 Link Aggregation 17.4 Link Aggregation Setting Click Advanced Application > Link Aggregation > Link Aggregation Setting to display the screen shown next. See Section 17.1 on page 155 for more information on link aggregation. Figure 81 Advanced Application > Link Aggregation > Link Aggregation Setting The following table describes the labels in this screen.
  • Page 160 Chapter 17 Link Aggregation Table 39 Advanced Application > Link Aggregation > Link Aggregation Setting LABEL DESCRIPTION Criteria: Select the outgoing traffic distribution type. Packets from the same source and/or to the same destination are sent over the same link within the trunk.
  • Page 161: Link Aggregation Control Protocol

    Chapter 17 Link Aggregation 17.5 Link Aggregation Control Protocol Click Advanced Application > Link Aggregation > Link Aggregation Setting > LACP to display the screen shown next. See Section 17.2 on page 155 for more information on dynamic link aggregation. Figure 82 Advanced Application >...
  • Page 162: Static Trunking Example

    Chapter 17 Link Aggregation Table 40 Advanced Application > Link Aggregation > Link Aggregation Setting > LACP (continued) LABEL DESCRIPTION System Priority: LACP system priority is a number between 1 and 65,535. The switch with the lowest system priority (and lowest port number if system priority is the same) becomes the LACP “server”.
  • Page 163 Chapter 17 Link Aggregation Make your physical connections - make sure that the ports that you want to belong to the trunk group are connected to the same destination. The following figure shows ports 2-5 on switch A connected to switch B. Figure 83 Trunking Example - Physical Connections Configure static trunking - Click Advanced Application >...
  • Page 165: Port Authentication

    Chapter 18 Port Authentication This chapter describes the IEEE 802.1x and MAC authentication methods. 18.1 Port Authentication Overview Port authentication is a way to validate client access to ports on the Switch using an external server (authentication server). The Switch supports the following methods for port authentication: •...
  • Page 166: Mac Authentication

    Chapter 18 Port Authentication request to a RADIUS server. The RADIUS server validates whether this client is allowed access to the port. Figure 85 IEEE 802.1x Authentication Process (steps shown: New Connection, Login Info Request, Login Credentials, Authentication Request, Authentication Reply, Session Granted/Denied) 18.1.2 MAC Authentication MAC authentication works in a very similar way to IEEE 802.1x authentication.
  • Page 167: Port Authentication Configuration

    Chapter 18 Port Authentication client connecting to a port on the Switch along with a password configured specifically for MAC authentication on the Switch. Figure 86 MAC Authentication Process (steps shown: New Connection, Authentication Request, Authentication Reply, Session Granted/Denied) 18.2 Port Authentication Configuration To enable port authentication, first activate the port authentication method(s) you want to use (both on the Switch and the port(s)) then configure the RADIUS server settings in the Auth and Acct >...
  • Page 168: Activate Ieee 802.1X Security

    Chapter 18 Port Authentication 18.2.1 Activate IEEE 802.1x Security Use this screen to activate IEEE 802.1x security. In the Port Authentication screen click 802.1x to display the configuration screen as shown. Figure 88 Advanced Application > Port Authentication > 802.1x The following table describes the labels in this screen.
  • Page 169: Activate Mac Authentication

    Chapter 18 Port Authentication Table 41 Advanced Application > Port Authentication > 802.1x (continued) LABEL DESCRIPTION Reauthentication Timer: Specify how often a client has to re-enter his or her username and password to stay connected to the port. Apply: Click Apply to save your changes to the Switch’s run-time memory.
  • Page 170 Chapter 18 Port Authentication The following table describes the labels in this screen. Table 42 Advanced Application > Port Authentication > MAC Authentication LABEL DESCRIPTION Active: Select this check box to permit MAC authentication on the Switch. Note: You must first enable MAC authentication on the Switch before configuring it on each port.
  • Page 171: Port Security

    Chapter 19 Port Security This chapter shows you how to set up port security. 19.1 About Port Security Port security allows only packets with dynamically learned MAC addresses and/or configured static MAC addresses to pass through a port on the Switch. The Switch can learn up to 16K MAC addresses in total with no limit on individual ports other than that the sum cannot exceed 16K.
  • Page 172: Port Security Setup

    Chapter 19 Port Security 19.2 Port Security Setup Click Advanced Application > Port Security in the navigation panel to display the screen as shown. Figure 90 Advanced Application > Port Security The following table describes the labels in this screen. Table 43 Advanced Application >...
  • Page 173 Chapter 19 Port Security Table 43 Advanced Application > Port Security (continued) LABEL DESCRIPTION Settings in this row apply to all ports. Use this row only if you want to make some settings the same for all ports. Use this row first to set the common settings and then make adjustments on a port-by-port basis.
  • Page 174: Vlan Mac Address Limit

    Chapter 19 Port Security 19.3 VLAN MAC Address Limit Use this screen to set the MAC address learning limit on a per-port and per-VLAN basis. Click VLAN MAC Address Limit in the Advanced Application > Port Security screen to display the screen as shown. Figure 91 Advanced Application >...
  • Page 175 Chapter 19 Port Security Table 44 Advanced Application > Port Security > VLAN MAC Address Limit LABEL DESCRIPTION Limit Number: This is the maximum number of MAC addresses which a port can learn in a VLAN. Delete: Check the rule(s) that you want to remove in the Delete column and then click the Delete button.
  • Page 177: Classifier

    Chapter 20 Classifier This chapter introduces and shows you how to configure the packet classifier on the Switch. 20.1 About the Classifier and QoS Quality of Service (QoS) refers to both a network's ability to deliver data with minimum delay, and the networking methods used to control the use of bandwidth.
  • Page 178 Chapter 20 Classifier Click Advanced Application > Classifier in the navigation panel to display the configuration screen as shown. Figure 92 Advanced Application > Classifier The following table describes the labels in this screen. Table 45 Advanced Application > Classifier LABEL DESCRIPTION Active...
  • Page 179 Chapter 20 Classifier Table 45 Advanced Application > Classifier (continued) LABEL DESCRIPTION Packet Format: Specify the format of the packet. Choices are All, 802.3 tagged, 802.3 untagged, Ethernet II tagged and Ethernet II untagged. A value of 802.3 indicates that the packets are formatted according to the IEEE 802.3 standards.
  • Page 180: Viewing And Editing Classifier Configuration

    Chapter 20 Classifier Table 45 Advanced Application > Classifier (continued) LABEL DESCRIPTION Address/Address Prefix: Enter a source IP address in dotted decimal notation. Specify the address prefix by entering the number of ones in the subnet mask. A subnet mask can be represented in a 32-bit notation. For example, the subnet mask “255.255.255.0”...
  • Page 181 Chapter 20 Classifier Note: When two rules conflict with each other, a higher layer rule has priority over a lower layer rule. Figure 93 Advanced Application > Classifier: Summary Table The following table describes the labels in this screen. Table 46 Classifier: Summary Table LABEL DESCRIPTION Index...
  • Page 182: Classifier Example

    Chapter 20 Classifier corresponding protocol number. Refer to http://www.iana.org/assignments/protocol-numbers for a complete list. Table 48 Common IP Protocol Types and Protocol Numbers PROTOCOL TYPE PROTOCOL NUMBER ICMP L2TP Some of the most common TCP and UDP port numbers are: Table 49 Common TCP and UDP Port Numbers PROTOCOL NAME TCP/UDP PORT NUMBER...
  • Page 183 Chapter 20 Classifier After you have configured a classifier, you can configure a policy (in the Policy screen) to define action(s) on the classified traffic flow. Figure 94 Classifier: Example
  • Page 185: Policy Rule

    Chapter 21 Policy Rule This chapter shows you how to configure policy rules. 21.1 Policy Rules Overview A classifier distinguishes traffic into flows based on the configured criteria (refer to Chapter 20 on page 177 for more information). A policy rule ensures that a traffic flow gets the requested treatment in the network.
  • Page 186: Configuring Policy Rules

    Chapter 21 Policy Rule The DSCP value determines the forwarding behavior, the PHB (Per-Hop Behavior), that each packet gets across the DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different kinds of forwarding. Resources can then be allocated according to the DSCP values and the configured policies.
  • Page 187 Chapter 21 Policy Rule Click Advanced Application > Policy Rule in the navigation panel to display the screen as shown. Figure 95 Advanced Application > Policy Rule The following table describes the labels in this screen. Table 50 Advanced Application > Policy Rule LABEL DESCRIPTION Active...
  • Page 188 Chapter 21 Policy Rule Table 50 Advanced Application > Policy Rule (continued) LABEL DESCRIPTION Classifier(s): This field displays the active classifier(s) you configure in the Classifier screen. Select the classifier(s) to which this policy rule applies. To select more than one classifier, press [SHIFT] and select the choices at the same time. Parameters: Set the fields below for this policy.
  • Page 189: Viewing And Editing Policy Configuration

    Chapter 21 Policy Rule Table 50 Advanced Application > Policy Rule (continued) LABEL DESCRIPTION Outgoing Select Send the packet to the mirror port to send the packet to the mirror port. Select Send the packet to the egress port to send the packet to the egress port.
  • Page 190 Chapter 21 Policy Rule Table 51 Advanced Application > Policy Rule: Summary Table (continued) LABEL DESCRIPTION Name This field displays the name you have assigned to this policy. Classifier(s) This field displays the name(s) of the classifier to which this policy applies. Delete Click Delete to remove the selected entry from the summary table.
  • Page 191: Policy Example

    Chapter 21 Policy Rule 21.4 Policy Example The figure below shows an example Policy screen where you configure a policy to limit bandwidth and discard out-of-profile traffic on a traffic flow classified using the Example classifier (refer to Section 20.4 on page 182).
  • Page 193: Queuing Method

    Chapter 22 Queuing Method This chapter introduces the queuing methods supported. 22.1 Queuing Method Overview Queuing is used to help solve performance degradation when there is network congestion. Use the Queuing Method screen to configure queuing algorithms for outgoing traffic.
  • Page 194: Weighted Round Robin Scheduling (Wrr)

    Chapter 22 Queuing Method 22.1.3 Weighted Round Robin Scheduling (WRR) Round Robin Scheduling services queues on a rotating basis and is activated only when a port has more traffic than it can handle. A queue is given an amount of bandwidth irrespective of the incoming traffic on that port.
  • Page 195: Configuring Queuing

    Chapter 22 Queuing Method 22.2 Configuring Queuing Click Advanced Application > Queuing Method in the navigation panel. Figure 98 Advanced Application > Queuing Method
  • Page 196 Chapter 22 Queuing Method The following table describes the labels in this screen. Table 52 Advanced Application > Queuing Method LABEL DESCRIPTION Method Select SPQ (Strictly Priority Queuing), WFQ (Weighted Fair Queuing) or WRR (Weighted Round Robin). Strictly Priority Queuing services queues based on priority only. When the highest priority queue empties, traffic on the next highest-priority queue begins.
  • Page 197: Vlan Stacking

    Chapter 23 VLAN Stacking This chapter shows you how to configure VLAN stacking on your Switch. See the chapter on VLANs for more background information on Virtual LAN. 23.1 VLAN Stacking Overview A service provider can use VLAN stacking (also known as Q-in-Q) to allow it to distinguish multiple customers' VLANs, even those with the same (customer-assigned) VLAN ID, within its network.
  • Page 198: Vlan Stacking Port Roles

    Chapter 23 VLAN Stacking distinguish customer A and tag 48 to distinguish customer B at edge device 1 and then stripping those tags at edge device 2 as the data frames leave the network. Figure 99 VLAN Stacking Example 23.2 VLAN Stacking Port Roles Each port can have three VLAN stacking “roles”, Normal, Access Port and Tunnel Port (the latter is for Gigabit ports only).
  • Page 199: Vlan Tag Format

    Chapter 23 VLAN Stacking 23.3 VLAN Tag Format A VLAN tag (service provider VLAN stacking or customer IEEE 802.1Q) consists of the following three fields. Table 53 VLAN Tag Format TPID Priority TPID (Tag Protocol Identifier) is a standard Ethernet type code identifying the frame and indicates whether the frame carries IEEE 802.1Q tag information.
  • Page 200: Configuring Vlan Stacking

    Chapter 23 VLAN Stacking Table 55 802.1Q Frame Destination Address Priority 802.1p Priority Source Address Len/ Length and type of Ethernet Etype frame Tunnel Tag Protocol IDentifier added on a Data Frame data TPID tunnel port VLAN ID Frame Check Sequence 23.4 Configuring VLAN Stacking Click Advanced Application >...
  • Page 201: Port-Based Q-In-Q

    Chapter 23 VLAN Stacking The following table describes the labels in this screen. Table 56 Advanced Application > VLAN Stacking LABEL DESCRIPTION Active Select this to enable VLAN stacking on the Switch. Port The port number identifies the port you are configuring. Settings in this row apply to all ports.
  • Page 202: Selective Q-In-Q

    Chapter 23 VLAN Stacking Click Port-based QinQ in the Advanced Application > VLAN Stacking screen to display the screen as shown. Figure 101 Advanced Application > VLAN Stacking > Port-based QinQ The following table describes the labels in this screen. Table 57 Advanced Application >...
  • Page 203 Chapter 23 VLAN Stacking Note: Selective Q-in-Q rules are only applied to single-tagged frames received on the access ports. If the incoming frames are untagged or single-tagged but received on a tunnel port or cannot match any selective Q-in-Q rules, the Switch applies the port-based Q-in-Q rules to them.
  • Page 204 Chapter 23 VLAN Stacking Table 58 Advanced Application > VLAN Stacking > Selective QinQ (continued) LABEL DESCRIPTION Index This is the number of the selective VLAN stacking rule. Active This shows whether this rule is activated or not. Name This is the descriptive name for this rule. Port This is the port number to which this rule is applied.
  • Page 205: Multicast

    Chapter 24 Multicast This chapter shows you how to configure various multicast features. 24.1 Multicast Overview Traditionally, IP packets are transmitted in one of two ways: Unicast (1 sender to 1 recipient) or Broadcast (1 sender to everybody on the network). Multicast delivers IP packets to just a group of hosts on the network.
  • Page 206: Igmp Snooping

    Chapter 24 Multicast 24.1.3 IGMP Snooping A Switch can passively snoop on IGMP packets transferred between IP multicast routers/switches and IP multicast hosts to learn the IP multicast group membership. It checks IGMP packets passing through it, picks out the group registration information, and configures multicasting accordingly.
  • Page 207: Multicast Setting

    Chapter 24 Multicast Table 59 Advanced Application > Multicast Status (continued) LABEL DESCRIPTION Port This field displays the port number that belongs to the multicast group. Multicast Group This field displays IP multicast group addresses. 24.3 Multicast Setting Click Advanced Applications > Multicast > Multicast Setting link to display the screen as shown.
  • Page 208 Chapter 24 Multicast The following table describes the labels in this screen. Table 60 Advanced Application > Multicast > Multicast Setting LABEL DESCRIPTION IGMP Snooping Use these settings to configure IGMP Snooping. Active Select Active to enable IGMP Snooping to forward group multicast traffic only to ports that are members of that group.
  • Page 209 Chapter 24 Multicast Table 60 Advanced Application > Multicast > Multicast Setting (continued) LABEL DESCRIPTION Normal Leave Enter an IGMP normal leave timeout value (from 200 to 6,348,800) in milliseconds. Select this option to have the Switch use this timeout to update the forwarding table for the port.
  • Page 210: Igmp Snooping Vlan

    Chapter 24 Multicast 24.4 IGMP Snooping VLAN Click Advanced Applications > Multicast in the navigation panel. Click the Multicast Setting link and then the IGMP Snooping VLAN link to display the screen as shown. See Section 24.1.4 on page 206 for more information on IGMP Snooping VLAN.
  • Page 211: Igmp Filtering Profile

    Chapter 24 Multicast Table 61 Advanced Application > Multicast > Multicast Setting > IGMP Snooping VLAN (continued) LABEL DESCRIPTION Cancel Click Cancel to begin configuring this screen afresh. VLAN Use this section of the screen to add VLANs upon which the Switch is to perform IGMP snooping.
  • Page 212 Chapter 24 Multicast Click Advanced Applications > Multicast > Multicast Setting > IGMP Filtering Profile link to display the screen as shown. Figure 106 Advanced Application > Multicast > Multicast Setting > IGMP Filtering Profile The following table describes the labels in this screen. Table 62 Advanced Application >...
  • Page 213: Mvr Overview

    Chapter 24 Multicast Table 62 Advanced Application > Multicast > Multicast Setting > IGMP Filtering Profile (continued) LABEL DESCRIPTION Delete To delete the profile(s) and all the accompanying rules, select the profile(s) that you want to remove in the Delete Profile column, then click the Delete button.
  • Page 214: Mvr Modes

    Chapter 24 Multicast Once configured, the Switch maintains a forwarding table that matches the multicast stream to the associated multicast group. 24.6.2 MVR Modes You can set your Switch to operate in either dynamic or compatible mode. In dynamic mode, the Switch sends IGMP leave and join reports to the other multicast devices (such as multicast routers or servers) in the multicast VLAN.
  • Page 215: General Mvr Configuration

    Chapter 24 Multicast 24.7 General MVR Configuration Use the MVR screen to create multicast VLANs and select the receiver port(s) and a source port for each multicast VLAN. Click Advanced Applications > Multicast > Multicast Setting > MVR link to display the screen as shown next. Note: You can create up to five multicast VLANs and up to 256 multicast rules on the Switch.
  • Page 216 Chapter 24 Multicast Table 63 Advanced Application > Multicast > Multicast Setting > MVR (continued) LABEL DESCRIPTION 802.1p Priority Select a priority level (0-7) with which the Switch replaces the priority in outgoing IGMP control packets (belonging to this multicast VLAN). Mode Specify the MVR mode on the Switch.
  • Page 217: Mvr Group Configuration

    Chapter 24 Multicast 24.8 MVR Group Configuration All source ports and receiver ports belonging to a multicast group can receive multicast data sent to this multicast group. Configure MVR IP multicast group address(es) in the Group Configuration screen. Click Group Configuration in the MVR screen. Note: A port can belong to more than one multicast VLAN.
  • Page 218: Mvr Configuration Example

    Chapter 24 Multicast Table 64 Advanced Application > Multicast > Multicast Setting > MVR: Group Configuration LABEL DESCRIPTION Click Add to save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the non-volatile memory when you are done configuring.
  • Page 219 Chapter 24 Multicast To configure the MVR settings on the Switch, create a multicast group in the MVR screen and set the receiver and source ports. Figure 112 MVR Configuration Example To set the Switch to forward the multicast group traffic to the subscribers, configure multicast group settings in the Group Configuration screen.
  • Page 220 Chapter 24 Multicast following figure shows an example where two multicast groups (News and Movie) are configured for the multicast VLAN 200. Figure 113 MVR Group Configuration Example Figure 114 MVR Group Configuration Example
  • Page 221: Aaa

    Chapter 25 AAA This chapter describes how to configure authentication, authorization and accounting settings on the Switch. 25.1 Authentication, Authorization and Accounting (AAA) Authentication is the process of determining who a user is and validating access to the Switch.
  • Page 222: Local User Accounts

    Chapter 25 AAA 25.1.2 on page 222) as external authentication, authorization and accounting servers. Figure 115 AAA Server Client AAA Server 25.1.1 Local User Accounts By storing user profiles locally on the Switch, your Switch is able to authenticate and authorize users without interacting with a network AAA server. However, there is a limit on the number of users you may authenticate in this way (See Chapter 33 on page...
  • Page 223: Radius Server Setup

    Chapter 25 AAA Click Advanced Application > AAA in the navigation panel to display the screen as shown. Figure 116 Advanced Application > AAA 25.2.1 RADIUS Server Setup Use this screen to configure your RADIUS server settings. See Section 25.1.2 on page 222 for more information on RADIUS servers and Section 25.3 on page 231...
  • Page 224 Chapter 25 AAA The following table describes the labels in this screen. Table 66 Advanced Application > AAA > RADIUS Server Setup LABEL DESCRIPTION Authentication Use this section to configure your RADIUS authentication settings. Server Mode This field is only valid if you configure multiple RADIUS servers. Select index-priority and the Switch tries to authenticate with the first configured RADIUS server; if the RADIUS server does not respond, the Switch tries to authenticate with the second RADIUS server.
  • Page 225: Tacacs+ Server Setup

    Chapter 25 AAA Table 66 Advanced Application > AAA > RADIUS Server Setup (continued) LABEL DESCRIPTION Shared Secret Specify a password (up to 32 alphanumeric characters) as the key to be shared between the external RADIUS accounting server and the Switch. This key is not sent over the network.
  • Page 226 Chapter 25 AAA The following table describes the labels in this screen. Table 67 Advanced Application > AAA > TACACS+ Server Setup LABEL DESCRIPTION Authentication Use this section to configure your TACACS+ authentication settings. Server Mode This field is only valid if you configure multiple TACACS+ servers. Select index-priority and the Switch tries to authenticate with the first configured TACACS+ server; if the TACACS+ server does not respond, the Switch tries to authenticate with the second TACACS+ server.
  • Page 227: Aaa Setup

    Chapter 25 AAA Table 67 Advanced Application > AAA > TACACS+ Server Setup (continued) LABEL DESCRIPTION Shared Secret Specify a password (up to 32 alphanumeric characters) as the key to be shared between the external TACACS+ accounting server and the Switch.
  • Page 228 Chapter 25 AAA The following table describes the labels in this screen. Table 68 Advanced Application > AAA > AAA Setup LABEL DESCRIPTION Authentication Use this section to specify the methods used to authenticate users accessing the Switch. Privilege These fields specify which database the Switch should use (first, second Enable and third) to authenticate access privilege level for administrator accounts (users for Switch management).
  • Page 229 Chapter 25 AAA Table 68 Advanced Application > AAA > AAA Setup (continued) LABEL DESCRIPTION Active Select this to activate authorization for the specified event types. Method Select whether you want to use RADIUS or TACACS+ for authorization of specific types of events. RADIUS is the only method for IEEE 802.1x authorization.
  • Page 230: Vendor Specific Attribute

    Chapter 25 AAA 25.2.4 Vendor Specific Attribute The RFC 2865 standard specifies a method for sending vendor-specific information between a RADIUS server and a network access device (for example, the Switch). A company can create Vendor Specific Attributes (VSAs) to expand the functionality of a RADIUS server.
  • Page 231: Supported Radius Attributes

    Chapter 25 AAA Table 69 Supported VSAs. FUNCTION: Egress Bandwidth Assignment; ATTRIBUTE: Vendor-Id = 890, Vendor-Type = 2, Vendor-data = egress rate (Kbps in decimal format). FUNCTION: Privilege Assignment; ATTRIBUTE: Vendor-ID = 890, Vendor-Type = 3, Vendor-Data = "shell:priv-lvl=N", or (CISCO) Vendor-ID = 9, Vendor-Type = 1 (CISCO-AVPAIR), Vendor-Data = "shell:priv-lvl=N"...
  • Page 232: Attributes Used For Authentication

    Chapter 25 AAA Refer to RFC 2865 for more information about RADIUS attributes used for authentication. Refer to RFC 2866 and RFC 2869 for RADIUS attributes used for accounting. This section lists the attributes used by authentication and accounting functions on the Switch.
  • Page 233: Attributes Used For Accounting

    Chapter 25 AAA 25.3.2 Attributes Used for Accounting The following sections list the attributes sent from the Switch to the RADIUS server when performing authentication. 25.3.2.1 Attributes Used for Accounting System Events NAS-IP-Address NAS-Identifier Acct-Status-Type Acct-Session-ID - The format of Acct-Session-Id is date+time+8-digit sequential number, for example, 2007041917210300000001.
  • Page 234 Chapter 25 AAA Table 72 RADIUS Attributes - Exec Events via Telnet/SSH ATTRIBUTE START INTERIM-UPDATE STOP Acct-Session-Id Acct-Authentic Acct-Session-Time Acct-Terminate-Cause 25.3.2.3 Attributes Used for Accounting IEEE 802.1x Events The attributes are listed in the following table along with the time of the session they are sent: Table 73 RADIUS Attributes-Exec Events via 802.1x ATTRIBUTE...
  • Page 235: Ip Source Guard

    Chapter 26 IP Source Guard Use IP source guard to filter unauthorized DHCP and ARP packets in your network. 26.1 IP Source Guard Overview IP source guard uses a binding table to distinguish between authorized and unauthorized DHCP and ARP packets in your network.
  • Page 236: Dhcp Snooping Overview

    Chapter 26 IP Source Guard 26.1.1 DHCP Snooping Overview Use DHCP snooping to filter unauthorized DHCP packets on the network and to build the binding table dynamically. This can prevent clients from getting IP addresses from unauthorized DHCP servers. 26.1.1.1 Trusted vs. Untrusted Ports Every port is either a trusted port or an untrusted port for DHCP snooping.
  • Page 237: Configuring Dhcp Snooping

    Chapter 26 IP Source Guard You can configure the name and location of the file on the external TFTP server. The file has the following format: Figure 120 DHCP Snooping Database File Format <initial-checksum> TYPE DHCP-SNOOPING VERSION 1 BEGIN <binding-1> <checksum-1> <binding-2>...
  • Page 238: Arp Inspection Overview

    Chapter 26 IP Source Guard Configure trusted and untrusted ports, and specify the maximum number of DHCP packets that each port can receive per second. Configure static bindings. 26.1.2 ARP Inspection Overview Use ARP inspection to filter unauthorized ARP packets on the network. This can prevent many kinds of man-in-the-middle attacks, such as the one in the following example.
  • Page 239: Ip Source Guard

    Chapter 26 IP Source Guard • They appear only in the ARP Inspection screens and commands, not in the MAC Address Filter screens and commands. 26.1.2.2 Trusted vs. Untrusted Ports Every port is either a trusted port or an untrusted port for ARP inspection. This setting is independent of the trusted/untrusted setting for DHCP snooping.
  • Page 240: Ip Source Guard Static Binding

    Chapter 26 IP Source Guard the bindings by snooping DHCP packets (dynamic bindings) and from information provided manually by administrators (static bindings). To open this screen, click Advanced Application > IP Source Guard. Figure 122 IP Source Guard The following table describes the labels in this screen. Table 74 IP Source Guard LABEL DESCRIPTION...
  • Page 241 Chapter 26 IP Source Guard new static binding replaces the original one. To open this screen, click Advanced Application > IP Source Guard > Static Binding. Figure 123 IP Source Guard Static Binding The following table describes the labels in this screen. Table 75 IP Source Guard Static Binding LABEL DESCRIPTION...
  • Page 242 Chapter 26 IP Source Guard Table 75 IP Source Guard Static Binding (continued) LABEL DESCRIPTION Port This field displays the port number in the binding. If this field is blank, the binding applies to all ports. Delete Select this, and click Delete to remove the specified entry. Cancel Click this to clear the Delete check boxes above.
  • Page 243: Dhcp Snooping

    Chapter 26 IP Source Guard 26.4 DHCP Snooping Use this screen to look at various statistics about the DHCP snooping database. To open this screen, click Advanced Application > IP Source Guard > DHCP Snooping.
  • Page 244 Chapter 26 IP Source Guard Figure 124 DHCP Snooping
  • Page 245 Chapter 26 IP Source Guard The following table describes the labels in this screen. Table 76 DHCP Snooping LABEL DESCRIPTION Database Status This section displays the current settings for the DHCP snooping database. You can configure them in the DHCP Snooping Configure screen.
  • Page 246 Chapter 26 IP Source Guard Table 76 DHCP Snooping (continued) LABEL DESCRIPTION Successful This field displays the number of times the Switch read bindings transfers from or updated the bindings in the DHCP snooping database successfully. Failed transfers This field displays the number of times the Switch was unable to read bindings from or update the bindings in the DHCP snooping database.
  • Page 247: Dhcp Snooping Configure

    Chapter 26 IP Source Guard Table 76 DHCP Snooping (continued) LABEL DESCRIPTION Parse failures This field displays the number of bindings the Switch has ignored because the Switch was unable to understand the binding in the DHCP binding database. Expired leases This field displays the number of bindings the Switch has ignored because the lease time had already expired.
  • Page 248 Chapter 26 IP Source Guard The following table describes the labels in this screen. Table 77 DHCP Snooping Configure LABEL DESCRIPTION Active Select this to enable DHCP snooping on the Switch. You still have to enable DHCP snooping on specific VLAN and specify trusted ports.
  • Page 249: Dhcp Snooping Port Configure

    Chapter 26 IP Source Guard Table 77 DHCP Snooping Configure (continued) LABEL DESCRIPTION Apply Click Apply to save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the non-volatile memory when you are done configuring.
  • Page 250: Dhcp Snooping Vlan Configure

    Chapter 26 IP Source Guard The following table describes the labels in this screen. Table 78 DHCP Snooping Port Configure LABEL DESCRIPTION Port This field displays the port number. If you configure the * port, the settings are applied to all of the ports. Server Trusted state Select whether this port is a trusted port (Trusted) or an untrusted port (Untrusted).
  • Page 251 Chapter 26 IP Source Guard open this screen, click Advanced Application > IP Source Guard > DHCP Snooping > Configure > VLAN. Figure 127 DHCP Snooping VLAN Configure The following table describes the labels in this screen. Table 79 DHCP Snooping VLAN Configure LABEL DESCRIPTION Show VLAN...
  • Page 252: Arp Inspection Status

    Chapter 26 IP Source Guard 26.6 ARP Inspection Status Use this screen to look at the current list of MAC address filters that were created because the Switch identified an unauthorized ARP packet. When the Switch identifies an unauthorized ARP packet, it automatically creates a MAC address filter to block traffic from the source MAC address and source VLAN ID of the unauthorized ARP packet.
  • Page 253: Arp Inspection Vlan Status

    Chapter 26 IP Source Guard Table 80 ARP Inspection Status (continued) LABEL DESCRIPTION Delete Select this, and click Delete to remove the specified entry. Cancel Click this to clear the Delete check boxes above. Change Pages Click Previous or Next to show the previous/next screen if all status information cannot be seen in one screen.
  • Page 254: Arp Inspection Log Status

    Chapter 26 IP Source Guard Table 81 ARP Inspection VLAN Status LABEL DESCRIPTION Reply This field displays the total number of ARP Reply packets received from the VLAN since the Switch last restarted. Forwarded This field displays the total number of ARP packets the Switch forwarded for the VLAN since the Switch last restarted.
  • Page 255: Arp Inspection Configure

    Chapter 26 IP Source Guard Table 82 ARP Inspection Log Status (continued) LABEL DESCRIPTION Num Pkts This field displays the number of ARP packets that were consolidated into this log message. The Switch consolidates identical log messages generated by ARP packets in the log consolidation interval into one log message.
  • Page 256 Chapter 26 IP Source Guard settings for the ARP inspection log. To open this screen, click Advanced Application > IP Source Guard > ARP Inspection > Configure. Figure 131 ARP Inspection Configure The following table describes the labels in this screen. Table 83 ARP Inspection Configure LABEL DESCRIPTION...
  • Page 257: Arp Inspection Port Configure

    Chapter 26 IP Source Guard Table 83 ARP Inspection Configure (continued) LABEL DESCRIPTION Log buffer size Enter the maximum number (1~1024) of log messages that were generated by ARP packets and have not been sent to the syslog server yet. Make sure this number is appropriate for the specified Syslog rate and Log interval.
  • Page 258 Chapter 26 IP Source Guard ARP packets on each untrusted port. To open this screen, click Advanced Application > IP Source Guard > ARP Inspection > Configure > Port. Figure 132 ARP Inspection Port Configure The following table describes the labels in this screen. Table 84 ARP Inspection Port Configure LABEL DESCRIPTION...
  • Page 259: Arp Inspection Vlan Configure

    Chapter 26 IP Source Guard Table 84 ARP Inspection Port Configure (continued) LABEL DESCRIPTION Burst interval The burst interval is the length of time over which the rate of ARP (seconds) packets is monitored for each port. For example, if the Rate is 15 pps and the burst interval is 1 second, then the Switch accepts a maximum of 15 ARP packets in every one-second interval.
  • Page 260 Chapter 26 IP Source Guard Table 85 ARP Inspection VLAN Configure (continued) LABEL DESCRIPTION End VID Enter the highest VLAN ID you want to manage in the section below. Apply Click this to display the specified range of VLANs in the section below.
  • Page 261: Loop Guard

    Chapter 27 Loop Guard This chapter shows you how to configure the Switch to guard against loops on the edge of your network. 27.1 Loop Guard Overview Loop guard allows you to configure the Switch to shut down a port if it detects that packets sent out on that port loop back to the Switch.
  • Page 262 Chapter 27 Loop Guard • It will receive its own broadcast messages that it sends out as they loop back. It will then re-broadcast those messages again. The following figure shows port N on switch A connected to switch B. Switch B is in loop state.
  • Page 263: Loop Guard Setup

    Chapter 27 Loop Guard port N. The Switch will shut down port N if it detects that the probe packet has returned to the Switch. Figure 137 Loop Guard - Network Loop Note: After resolving the loop problem on your network you can re-activate the disabled port via the web configurator (see Section 8.7 on page 90) or via...
  • Page 264 Chapter 27 Loop Guard The following table describes the labels in this screen. Table 86 Advanced Application > Loop Guard LABEL DESCRIPTION Active Select this option to enable loop guard on the Switch. The Switch generates syslog, internal log messages as well as SNMP traps when it shuts down a port via the loop guard feature.
  • Page 265: Vlan Mapping

    Chapter 28 VLAN Mapping This chapter shows you how to configure VLAN mapping on the Switch. 28.1 VLAN Mapping Overview With VLAN mapping enabled, the Switch can map the VLAN ID and priority level of packets received from a private network to those used in the service provider’s network.
  • Page 266: Enabling Vlan Mapping

    Chapter 28 VLAN Mapping 28.2 Enabling VLAN Mapping Click Advanced Application and then VLAN Mapping in the navigation panel to display the screen as shown. Figure 140 VLAN Mapping The following table describes the labels in this screen. Table 87 VLAN Mapping LABEL DESCRIPTION Active...
  • Page 267: Configuring Vlan Mapping

    Chapter 28 VLAN Mapping 28.3 Configuring VLAN Mapping Click the VLAN Mapping Configure link in the VLAN Mapping screen to display the screen as shown. Use this screen to enable and edit the VLAN mapping rule(s). Figure 141 VLAN Mapping Configuration The following table describes the labels in this screen.
  • Page 268 Chapter 28 VLAN Mapping Table 88 VLAN Mapping Configuration (continued) LABEL DESCRIPTION Active This shows whether this entry is activated or not. Name This is the descriptive name for this rule. Port This is the port number to which this rule is applied. This is the customer VLAN ID in the incoming packets.
  • Page 269: Layer 2 Protocol Tunneling

    Chapter 29 Layer 2 Protocol Tunneling This chapter shows you how to configure layer 2 protocol tunneling on the Switch. 29.1 Layer 2 Protocol Tunneling Overview Layer 2 protocol tunneling (L2PT) is used on the service provider's edge devices. L2PT allows edge switches (1 and 2 in the following figure) to tunnel layer 2 STP (Spanning Tree Protocol), CDP (Cisco Discovery Protocol) and VTP (VLAN Trunking Protocol) packets between customer switches (A, B and C in the following figure)
  • Page 270: Layer 2 Protocol Tunneling Mode

    Chapter 29 Layer 2 Protocol Tunneling 2 for PAgP (Port Aggregation Protocol), LACP or UDLD (UniDirectional Link Detection). Figure 143 L2PT Network Example Service Provider's Network 29.1.1 Layer 2 Protocol Tunneling Mode Each port can have two layer 2 protocol tunneling modes, Access and Tunnel. •...
  • Page 271: Configuring Layer 2 Protocol Tunneling

    Chapter 29 Layer 2 Protocol Tunneling 29.2 Configuring Layer 2 Protocol Tunneling Click Advanced Application > Layer 2 Protocol Tunneling in the navigation panel to display the screen as shown. Figure 144 Advanced Application > Layer 2 Protocol Tunneling The following table describes the labels in this screen. Table 89 Advanced Application >...
  • Page 272 Chapter 29 Layer 2 Protocol Tunneling Table 89 Advanced Application > Layer 2 Protocol Tunneling (continued) LABEL DESCRIPTION Use this row to make the setting the same for all ports. Use this row first and then make adjustments on a port-by-port basis. Note: Changes in this row are copied to all the ports as soon as you make them.
  • Page 273: Ip Application

    IP Application Static Route (275) Differentiated Services (279) DHCP (287)
  • Page 275: Static Route

    Chapter 30 Static Route This chapter shows you how to configure static routes. 30.1 Static Routing Overview The Switch uses IP for communication with management computers, for example using HTTP, Telnet, SSH, or SNMP. Use IP static routes to have the Switch respond to remote management stations that are not reachable through the default gateway.
  • Page 276: Configuring Static Routing

    Chapter 30 Static Route 30.2 Configuring Static Routing Click IP Application > Static Routing in the navigation panel to display the screen as shown. Figure 146 IP Application > Static Routing The following table describes the related labels you use to create a static route. Table 90 IP Application >...
  • Page 277 Chapter 30 Static Route Table 90 IP Application > Static Routing (continued) LABEL DESCRIPTION Index This field displays the index number of the route. Click a number to edit the static route entry. Active This field displays Yes when the static route is activated and NO when it is deactivated.
  • Page 279: Differentiated Services

    Chapter 31 Differentiated Services This chapter shows you how to configure Differentiated Services (DiffServ) on the Switch. 31.1 DiffServ Overview Quality of Service (QoS) is used to prioritize source-to-destination traffic flows. All packets in the flow are given the same priority. You can use CoS (class of service) to give different priorities to different packet types.
  • Page 280: Diffserv Network Example

    Chapter 31 Differentiated Services kinds of traffic can be marked for different priorities of forwarding. Resources can then be allocated according to the DSCP values and the configured policies. 31.1.2 DiffServ Network Example The following figure depicts a DiffServ network consisting of a group of directly connected DiffServ-compliant network devices.
  • Page 281: Trtcm-Color-Blind Mode

    Chapter 31 Differentiated Services specifies the average rate at which packets are admitted to the network. The PIR is greater than or equal to the CIR. CIR and PIR values are based on the guaranteed and maximum bandwidth respectively as negotiated between a service provider and client.
  • Page 282: Activating Diffserv

    Chapter 31 Differentiated Services decrease it. Packets that have been previously marked red or yellow can only be marked with an equal or higher packet loss priority. Packets marked red (high packet loss priority) continue to be red without evaluation against the PIR or CIR. Packets marked yellow can only be marked red or remain yellow so they are only evaluated against the PIR.
  • Page 283: Configuring 2-Rate 3 Color Marker Settings

    Chapter 31 Differentiated Services The following table describes the labels in this screen. Table 91 IP Application > DiffServ LABEL DESCRIPTION Active Select this option to enable DiffServ on the Switch. Port This field displays the index number of a port on the Switch. Settings in this row apply to all ports.
  • Page 284: Dscp-To-Ieee 802.1P Priority Settings

    Chapter 31 Differentiated Services The following table describes the labels in this screen. Table 92 IP Application > DiffServ > 2-rate 3 Color Marker LABEL DESCRIPTION Active Select this to activate TRTCM (Two Rate Three Color Marker) on the Switch. The Switch evaluates and marks the packets based on the TRTCM settings.
  • Page 285: Configuring Dscp Settings

    Chapter 31 Differentiated Services The following table shows the default DSCP-to-IEEE802.1p mapping. Table 93 Default DSCP-IEEE 802.1p Mapping DSCP VALUE 0 – 7 8 – 15 16 – 23 24 – 31 32 – 39 40 – 47 48 – 55 56 – 63 IEEE 802.1p 31.4.1 Configuring DSCP Settings To change the DSCP-IEEE 802.1p mapping click the DSCP Setting link in the...
  • Page 287: Dhcp

    Chapter 32: DHCP. This chapter shows you how to configure the DHCP feature. 32.1 DHCP Overview DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual computers to obtain TCP/IP configuration at start-up from a server. You can configure the Switch as a DHCP server or a DHCP relay agent.
  • Page 288: Dhcp Status

    Chapter 32 DHCP 32.2 DHCP Status Click IP Application > DHCP in the navigation panel. The DHCP Status screen displays. Figure 154 IP Application > DHCP Status The following table describes the labels in this screen. Table 95 IP Application > DHCP LABEL DESCRIPTION Relay Mode...
  • Page 289: Configuring Dhcp Global Relay

    Chapter 32 DHCP The DHCP Relay Agent Information feature adds an Agent Information field to the Option 82 field. The Option 82 field is in the DHCP headers of client DHCP request frames that the Switch relays to a DHCP server. Relay Agent Information can include the System Name of the Switch if you select this option.
  • Page 290: Global Dhcp Relay Configuration Example

    Chapter 32 DHCP The following table describes the labels in this screen. Table 97 IP Application > DHCP > Global LABEL DESCRIPTION Active Select this check box to enable DHCP relay. Remote Enter the IP address of a DHCP server in dotted decimal notation. DHCP Server 1 ..
  • Page 291: Configuring Dhcp Vlan Settings

    Chapter 32 DHCP together with the DHCP requests to the DHCP server. This allows the DHCP server to assign the appropriate IP address according to the VLAN ID. Figure 157 DHCP Relay Configuration Example 32.4 Configuring DHCP VLAN Settings Use this screen to configure your DHCP settings based on the VLAN domain of the DHCP clients.
  • Page 292 Chapter 32 DHCP Section 8.6 on page 87 for information on how to set up management IP addresses for VLANs. Figure 158 IP Application > DHCP > VLAN The following table describes the labels in this screen. Table 98 IP Application > DHCP > VLAN LABEL DESCRIPTION Enter the ID number of the VLAN to which these DHCP settings apply.
  • Page 293: Example: Dhcp Relay For Two Vlans

    Chapter 32 DHCP Table 98 IP Application > DHCP > VLAN (continued) LABEL DESCRIPTION Delete Select the configuration entries you want to remove and click Delete to remove them. Cancel Click Cancel to clear the Delete check boxes. 32.4.1 Example: DHCP Relay for Two VLANs The following example displays two VLANs (VIDs 1 and 2) for a campus network.
  • Page 295: Management

    Management Maintenance (297) Access Control (305) Diagnostic (327) Syslog (329) Cluster Management (333) MAC Table (341) ARP Table (345) Configure Clone (347)
  • Page 297: Maintenance

    Chapter 33: Maintenance. This chapter explains how to configure the screens that let you maintain the firmware and configuration files. 33.1 The Maintenance Screen Use this screen to manage firmware and your configuration files. Click Management > Maintenance in the navigation panel to open the following screen.
  • Page 298: Load Factory Default

    Chapter 33 Maintenance Table 99 Management > Maintenance (continued) LABEL DESCRIPTION Save Configuration Click Config 1 to save the current configuration settings to Configuration 1 on the Switch. Click Config 2 to save the current configuration settings to Configuration 2 on the Switch. Reboot System Click Config 1 to reboot the system and load Configuration 1 on the...
  • Page 299: Reboot System

    Chapter 33 Maintenance Click Config 2 to save the current configuration settings to Configuration 2 on the Switch. Alternatively, click Save on the top right-hand corner in any screen to save the configuration changes to the current configuration. Note: Clicking the Apply or Add button does NOT save the changes permanently. All unsaved changes are erased after you reboot the Switch.
  • Page 300: Restore A Configuration File

    Chapter 33 Maintenance Click Management > Maintenance > Firmware Upgrade to view the screen as shown next. Figure 164 Management > Maintenance > Firmware Upgrade Type the path and file name of the firmware file you wish to upload to the Switch in the File Path text box or click Browse to locate it.
  • Page 301: Backup A Configuration File

    Chapter 33 Maintenance 33.7 Backup a Configuration File Backing up your Switch configurations allows you to create various “snap shots” of your device from which you may restore at a later date. Back up your current Switch configuration to a computer using the Backup Configuration screen.
  • Page 302: Example Ftp Commands

    Chapter 33 Maintenance ZyNOS (ZyXEL Network Operating System, sometimes referred to as the “ras” file) is the system firmware and has a “bin” filename extension. Table 100 Filename Conventions FILE TYPE INTERNAL NAME EXTERNAL NAME DESCRIPTION Configuration File config *.cfg This is the configuration filename on the...
  • Page 303: Ftp Command Line Procedure

    Chapter 33 Maintenance 33.8.2 FTP Command Line Procedure Launch the FTP client on your computer. Enter open, followed by a space and the IP address of your Switch. Press [ENTER] when prompted for a username. Enter your password as requested (the default is “1234”). Enter bin to set transfer mode to binary.
  • Page 304: Ftp Restrictions

    Chapter 33 Maintenance 33.8.4 FTP Restrictions FTP will not work when: • FTP service is disabled in the Service Access Control screen. • The IP address(es) in the Remote Management screen does not match the client IP address. If it does not match, the Switch will disconnect the FTP session immediately.
  • Page 305: Access Control

    Chapter 34: Access Control. This chapter describes how to control access to the Switch. 34.1 Access Control Overview A console port and FTP are allowed one session each, Telnet and SSH share nine sessions, up to five Web sessions (five different user names and passwords) and/or limitless SNMP access control sessions are allowed.
  • Page 306: About Snmp

    Chapter 34 Access Control 34.3 About SNMP Simple Network Management Protocol (SNMP) is an application layer protocol used to manage and monitor TCP/IP-based devices. SNMP is used to exchange management information between the network management system (NMS) and a network element (NE). A manager station can manage and monitor the Switch through the network via SNMP version one (SNMPv1), SNMP version 2c or SNMP version 3.
  • Page 307: Snmp V3 And Security

    Chapter 34 Access Control SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations: Table 102 SNMP Commands COMMAND DESCRIPTION Allows the manager to retrieve an object variable from the agent. GetNext Allows the manager to retrieve the next object variable from a table or list within an agent.
  • Page 308: Snmp Traps

    Chapter 34 Access Control 34.3.3 SNMP Traps The Switch sends traps to an SNMP manager when an event occurs. The following tables outline the SNMP traps by category. An OID (Object ID) that begins with “1.3.6.1.4.1.890.1.5.8” is defined in private MIBs.
  • Page 309 Chapter 34 Access Control Table 103 SNMP System Traps (continued) OPTION OBJECT LABEL OBJECT ID DESCRIPTION intrusionlo IntrusionLockEventOn 1.3.6.1.4.1.890.1.5.8.45.27.2.1 This trap is sent when intrusion lock occurs on a port. loopguard LoopguardEventOn 1.3.6.1.4.1.890.1.5.8.45.27.2.2 This trap is sent when loopguard shuts down a port.
  • Page 310 Chapter 34 Access Control Table 105 AAA Traps OPTION OBJECT LABEL OBJECT ID DESCRIPTION authenticati authenticationFailure 1.3.6.1.6.3.1.1.5.5 This trap is sent when authentication fails due to incorrect user name and/or password. AuthenticationFailureEven 1.3.6.1.4.1.890.1.5.8.45.27.2.1 This trap is sent when authentication fails due to incorrect user name and/or password.
  • Page 311 Chapter 34 Access Control Table 107 SNMP Switch Traps OPTION OBJECT LABEL OBJECT ID DESCRIPTION STPNewRoot 1.3.6.1.2.1.17.0.1 This trap is sent when the STP root switch changes. MRSTPNewRoot 1.3.6.1.4.1.890.1.5.8.45.36. This trap is sent when the MRSTP root switch changes. MSTPNewRoot 1.3.6.1.4.1.890.1.5.8.45.107.70.1 This trap is sent when the...
  • Page 312: Configuring Snmp

    Chapter 34 Access Control 34.3.4 Configuring SNMP Click Management > Access Control > SNMP to view the screen as shown. Use this screen to configure your SNMP settings. Figure 169 Management > Access Control > SNMP The following table describes the labels in this screen. Table 108 Management >...
  • Page 313 Chapter 34 Access Control Table 108 Management > Access Control > SNMP (continued) LABEL DESCRIPTION Set Community Enter the Set Community, which is the password for incoming Set- requests from the management station. The Set Community string is only used by SNMP managers using SNMP version 2c or lower.
  • Page 314: Configuring Snmp Trap Group

    Chapter 34 Access Control Table 108 Management > Access Control > SNMP (continued) LABEL DESCRIPTION Privacy Specify the encryption method for SNMP communication from this user. You can choose one of the following: • DES - Data Encryption Standard is a widely used (but breakable) method of data encryption.
  • Page 315: Setting Up Login Accounts

    Chapter 34 Access Control The following table describes the labels in this screen. Table 109 Management > Access Control > SNMP > Trap Group LABEL DESCRIPTION Trap Select one of your configured trap destination IP addresses. These are Destination IP the IP addresses of the SNMP managers.
  • Page 316 Chapter 34 Access Control Click Management > Access Control > Logins to view the screen as shown next. Figure 171 Management > Access Control > Logins The following table describes the labels in this screen. Table 110 Management > Access Control > Logins LABEL DESCRIPTION Administrator...
  • Page 317: Ssh Overview

    Chapter 34 Access Control Table 110 Management > Access Control > Logins (continued) LABEL DESCRIPTION Apply Click Apply to save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the non-volatile memory when you are done configuring.
  • Page 318: How Ssh Works

    Chapter 34 Access Control 34.5 How SSH works The following table summarizes how a secure connection is established between two remote hosts. Figure 173 How SSH Works Host Identification The SSH client sends a connection request to the SSH server. The server identifies itself with a host key.
  • Page 319: Ssh Implementation On The Switch

    Chapter 34 Access Control Authentication and Data Transmission After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server.
  • Page 320: Https Example

    Chapter 34 Access Control HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the Switch’s WS (web server). HTTP connection requests from a web browser go to port 80 (by default) on the Switch’s WS (web server). Figure 174 HTTPS Implementation Note: If you disable HTTP in the Service Access Control screen, then the Switch blocks all HTTP connection attempts.
  • Page 321: Netscape Navigator Warning Messages

    Chapter 34 Access Control You see the following Security Alert screen in Internet Explorer. Select Yes to proceed to the web configurator login screen; if you select No, then web configurator access is blocked. Figure 175 Security Alert Dialog Box (Internet Explorer) example 34.8.2 Netscape Navigator Warning Messages When you attempt to access the Switch HTTPS server, a Website Certified by an...
  • Page 322 Chapter 34 Access Control Select Accept this certificate permanently to import the Switch’s certificate into the SSL client. Figure 176 Security Certificate 1 (Netscape) Figure 177 Security Certificate 2 (Netscape)
  • Page 323: The Main Screen

    Chapter 34 Access Control 34.8.3 The Main Screen After you accept the certificate and enter the login username and password, the Switch main screen appears. The lock displayed in the bottom right of the browser status bar denotes a secure connection. Figure 178 Example: Lock Denoting a Secure Connection 34.9 Service Port Access Control...
  • Page 324: Remote Management

    Chapter 34 Access Control later). Click Management > Access Control > Service Access Control to view the screen as shown. Figure 179 Management > Access Control > Service Access Control The following table describes the fields in this screen. Table 111 Management > Access Control > Service Access Control LABEL DESCRIPTION Services...
  • Page 325 Chapter 34 Access Control You can specify a group of one or more “trusted computers” from which an administrator may use a service to manage the Switch. Click Access Control to return to the Access Control screen. Figure 180 Management > Access Control > Remote Management The following table describes the labels in this screen.
  • Page 327: Diagnostic

    Chapter 35: Diagnostic. This chapter explains the Diagnostic screen. 35.1 Diagnostic Click Management > Diagnostic in the navigation panel to open this screen. Use this screen to check system logs, ping IP addresses or perform port tests. Figure 181 Management >...
  • Page 328 Chapter 35 Diagnostic The following table describes the labels in this screen. Table 113 Management > Diagnostic LABEL DESCRIPTION System Log Click Display to display a log of events in the multi-line text box. Click Clear to empty the text box and reset the syslog entry. IP Ping Type the IP address of a device that you want to ping in order to test a connection.
  • Page 329: Syslog

    Chapter 36: Syslog. This chapter explains the syslog screens. 36.1 Syslog Overview The syslog protocol allows devices to send event notification messages across an IP network to syslog servers that collect the event messages. A syslog-enabled device can generate a syslog message and send it to a syslog server.
  • Page 330: Syslog Setup

    Chapter 36 Syslog 36.2 Syslog Setup Click Management > Syslog in the navigation panel to display this screen. The syslog feature sends logs to an external syslog server. Use this screen to configure the device’s system logging settings. Figure 182 Management > Syslog The following table describes the labels in this screen.
  • Page 331: Syslog Server Setup

    Chapter 36 Syslog 36.3 Syslog Server Setup Click Management > Syslog > Syslog Server Setup to view the screen as shown next. Use this screen to configure a list of external syslog servers. Figure 183 Management > Syslog > Syslog Server Setup The following table describes the labels in this screen.
  • Page 333: Cluster Management

    Chapter 37: Cluster Management. This chapter introduces cluster management. 37.1 Cluster Management Status Overview Cluster Management allows you to manage switches through one Switch, called the cluster manager. The switches must be directly connected and be in the same VLAN group so as to be able to communicate with one another.
  • Page 334: Cluster Management Status

    Chapter 37 Cluster Management In the following example, switch A in the basement is the cluster manager and the other switches on the upper floors of the building are cluster members. Figure 184 Clustering Application Example 37.2 Cluster Management Status Click Management >...
  • Page 335: Cluster Member Switch Management

    Chapter 37 Cluster Management The following table describes the labels in this screen. Table 118 Management > Cluster Management: Status LABEL DESCRIPTION Status This field displays the role of this Switch within the cluster. Manager Member (you see this if you access this screen in the cluster member switch directly and not via the cluster manager) None (neither a manager nor a member of a cluster) Manager...
  • Page 336: Uploading Firmware To A Cluster Member Switch

    Chapter 37 Cluster Management configurator home page and the home page that you'd see if you accessed it directly are different. Figure 186 Cluster Management: Cluster Member Web Configurator Screen 37.2.1.1 Uploading Firmware to a Cluster Member Switch You can use FTP to upload firmware to a cluster member switch through the cluster manager switch as shown in the following example.
  • Page 337 Chapter 37 Cluster Management The following table explains some of the FTP parameters. Table 119 FTP Upload to Cluster Member Example FTP PARAMETER DESCRIPTION User Enter “admin”. Password The web configurator password default is 1234. Enter this command to list the name of cluster member switch’s firmware and configuration file.
  • Page 338: Clustering Management Configuration

    Chapter 37 Cluster Management 37.3 Clustering Management Configuration Use this screen to configure clustering management. Click Management > Cluster Management > Configuration to display the next screen. Figure 188 Management > Cluster Management > Configuration The following table describes the labels in this screen. Table 120 Management >...
  • Page 339 Chapter 37 Cluster Management Table 120 Management > Cluster Management > Configuration (continued) LABEL DESCRIPTION Name Type a name to identify the Clustering Manager. You may use up to 32 printable characters (spaces are allowed). This is the VLAN ID and is only applicable if the Switch is set to 802.1Q VLAN.
  • Page 341: Mac Table

    Chapter 38: MAC Table. This chapter introduces the MAC Table screen. 38.1 MAC Table Overview The MAC Table screen (a MAC table is also known as a filtering database) shows how frames are forwarded or filtered across the Switch’s ports. It shows what device MAC address, belonging to what VLAN group (if any) is forwarded to which port(s) and whether the MAC address is dynamic (learned by the Switch) or static (manually entered in the Static MAC Forwarding screen).
  • Page 342: Viewing The Mac Table

    Chapter 38 MAC Table • If the Switch has already learned the port for this MAC address, but the destination port is the same as the port it came in on, then it filters the frame. Figure 189 MAC Table Flowchart 38.2 Viewing the MAC Table Click Management >...
  • Page 343 Chapter 38 MAC Table The following table describes the labels in this screen. Table 121 Management > MAC Table LABEL DESCRIPTION Condition Select one of the buttons and click Search to only display the data which matches the criteria you specified. Select All to display any entry in the MAC table of the Switch.
  • Page 345: Arp Table

    Chapter 39: ARP Table. This chapter introduces ARP Table. 39.1 ARP Table Overview Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address, also known as a Media Access Control or MAC address, on the local area network.
  • Page 346: Viewing The Arp Table

    Chapter 39 ARP Table 39.2 Viewing the ARP Table Click Management > ARP Table in the navigation panel to open the following screen. Use the ARP table to view IP-to-MAC address mapping(s). Figure 191 Management > ARP Table The following table describes the labels in this screen. Table 122 Management >...
  • Page 347: Configure Clone

    Chapter 40: Configure Clone. This chapter shows you how you can copy the settings of one port onto other ports.
  • Page 348: Configure Clone

    Chapter 40 Configure Clone 40.1 Configure Clone Cloning allows you to copy the basic and advanced settings from a source port to a destination port or ports. Click Management > Configure Clone to open the following screen. Figure 192 Management > Configure Clone
  • Page 349 Chapter 40 Configure Clone The following table describes the labels in this screen. Table 123 Management > Configure Clone LABEL DESCRIPTION Source/ Enter the source port under the Source label. This port’s attributes are Destination copied. Port Enter the destination port or ports under the Destination label. These are the ports which are going to have the same attributes as the source port.
  • Page 351: Troubleshooting & Product Specifications

    Troubleshooting & Product Specifications Troubleshooting (353) Product Specifications (359)
  • Page 353: Troubleshooting

    Chapter 41: Troubleshooting. This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories. • Power, Hardware Connections, and LEDs • Switch Access and Login • Switch Configuration 41.1 Power, Hardware Connections, and LEDs The Switch does not turn on.
  • Page 354: Switch Access And Login

    Chapter 41 Troubleshooting Turn the Switch off and on (in DC models or if the DC power supply is connected in AC/DC models). Disconnect and re-connect the power adaptor or cord to the Switch (in AC models or if the AC power supply is connected in AC/DC models). If the problem continues, contact the vendor.
  • Page 355 Chapter 41 Troubleshooting I forgot the username and/or password. The default username is admin and the default password is 1234. If this does not work, you have to reset the device to its factory defaults. See Section 4.6 on page I cannot see or access the Login screen in the web configurator.
  • Page 356 Chapter 41 Troubleshooting Make sure you have entered the user name and password correctly. The default user name is admin, and the default password is 1234. These fields are case-sensitive, so make sure [Caps Lock] is not on. You may have exceeded the maximum number of concurrent Telnet sessions. Close other Telnet session(s) or try connecting again later.
  • Page 357: Switch Configuration

    Chapter 41 Troubleshooting 41.3 Switch Configuration I lost my configuration settings after I restart the Switch. Make sure you save your configuration into the Switch’s nonvolatile memory each time you make changes. Click Save at the top right corner of the web configurator to save the configuration permanently.
  • Page 359: Product Specifications

    Chapter 42: Product Specifications. The following tables summarize the Switch’s hardware and firmware features. Table 124 Hardware Specifications SPECIFICATION DESCRIPTION Dimensions Standard 19” rack mountable 438 mm (W) x 215 mm (D) x 44.45 mm (H) Weight 3.4 kg Power Specification...
  • Page 360 Chapter 42 Product Specifications Table 124 Hardware Specifications LEDs Per switch: BPS, PWR, SYS, ALM Per Fast Ethernet RJ-45 10/100 port: LNK/ACT Per mini-GBIC slot: LNK, ACT Per 1000BASE-T RJ-45 port (in dual personality interface): LNK/ACT, FDX Per Management port: 10, 100 Operating Temperature: 0ºC ~ 65ºC (32ºF ~ 149ºF) Environment...
  • Page 361 Chapter 42 Product Specifications Table 125 Firmware Specifications FEATURE DESCRIPTION VLAN A VLAN (Virtual Local Area Network) allows a physical network to be partitioned into multiple logical networks. Devices on a logical network belong to one group. A device can belong to more than one group.
  • Page 362 Chapter 42 Product Specifications Table 125 Firmware Specifications FEATURE DESCRIPTION Static Route Static routes allow the Switch to communicate with management stations not reachable via the default gateway. Multicast VLAN Multicast VLAN Registration (MVR) is designed for applications Registration (MVR) (such as Media-on-Demand (MoD)) using multicast traffic across a network.
  • Page 363 Chapter 42 Product Specifications Table 125 Firmware Specifications FEATURE DESCRIPTION Configuration Backup & Make a copy of the Switch’s configuration and put it back on Restoration the Switch later if you decide you want to revert back to an earlier configuration. Cluster Management Cluster management (also known as iStacking) allows you to manage switches through one switch, called the cluster...
  • Page 364 Chapter 42 Product Specifications Table 126 Feature Specifications (continued) VLAN Port-based VLAN 802.1Q tag-based VLAN number of VLAN: 4K, 2000 static maximum GVRP for dynamic registration Double tagging for VLAN stacking Private VLAN for port isolation. Protocol-Based VLAN. IP subnet based VLAN VLAN mapping Port IEEE 802.3ad LACP...
  • Page 365 Chapter 42 Product Specifications Table 126 Feature Specifications (continued) Multicast IGMP snooping (IGMP v1/v2/v3, 16 VLAN maximum-user configurable) IGMP filtering IGMP timer Multicast reserve group Static multicast IGMP snooping fast-leave IGMP snooping statistics IGMP throttling Support RADIUS and TACACS+ Security Static MAC address filtering Static MAC address forwarding MAC Freeze...
  • Page 366 Chapter 42 Product Specifications Table 127 Standards Supported (continued) STANDARD DESCRIPTION RFC 1112 IGMP v1 RFC 1155 RFC 1157 SNMPv1: Simple Network Management Protocol version 1 RFC 1213 SNMP MIB II RFC 1305 Network Time Protocol (NTP version 3) RFC 1441 SNMPv2 Simple Network Management Protocol version 2 RFC 1493 Bridge MIBs...
  • Page 367 Chapter 42 Product Specifications Table 127 Standards Supported (continued) STANDARD DESCRIPTION Safety UL 60950-1 CSA 60950-1 EN 60950-1 IEC 60950-1 FCC Part 15 (Class A) CE EMC (Class A) MES-3728 User’s Guide...
  • Page 369: Appendices And Index

    Appendices and Index Changing a Fuse (371) Common Services (373) Legal Information (377) Index (381)
  • Page 371: Appendix A Changing A Fuse

    Appendix A: Changing a Fuse. This appendix shows you how to remove and install fuses for the Switch. If you use a fuse other than an included fuse, make sure it matches the fuse specifications in the chapter on product specifications.
  • Page 373: Appendix B Common Services

    Appendix B: Common Services. The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Numbers Authority) web site.
  • Page 374 Appendix B Common Services Table 128 Commonly Used Services (continued) NAME PROTOCOL PORT(S) DESCRIPTION User-Defined The IPSEC ESP (Encapsulation (IPSEC_TUNNEL) Security Protocol) tunneling protocol uses this service. FINGER Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
  • Page 375 Appendix B Common Services Table 128 Commonly Used Services (continued) NAME PROTOCOL PORT(S) DESCRIPTION POP3 Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other). PPTP 1723 Point-to-Point Tunneling Protocol enables secure transfer of data over public networks.
  • Page 376 Appendix B Common Services Table 128 Commonly Used Services (continued) NAME PROTOCOL PORT(S) DESCRIPTION TELNET Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.
  • Page 377: Appendix C Legal Information

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
  • Page 378 Appendix C Legal Information • This device must accept any interference received, including interference that may cause undesired operations. FCC Warning This device has been tested and found to comply with the limits for a Class A digital switch, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial environment.
  • Page 379: Zyxel Limited Warranty

    Appendix C Legal Information Viewing Certifications Go to http://www.zyxel.com. Select your product on the ZyXEL home page to go to that product's page. Select the certification you wish to view from this page. ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase.

This manual is also suitable for:

Mes-3728
