Tp-Link T2600G-28MPS V2 [773/1027] Pppoe id insertion

Don t disassemble the product or make repairs yourself you run the risk of electric shock and voiding the limited warranty if you need service please contact us 4

Explanation of the symbols on the product label 4

Please read and follow the above safety information when operating the device we cannot guarantee that no accidents or damage will occur due to improper use of the device please use this product with care and operate at your own risk 4

Safety information 4

When product has power button the power button is one of the way to shut off the product when there is no power button the only way to completely shut off power is to disconnect the product or the power adapter from the power source 4

About this guide 5

Accessing the switch 5

Command line interface access 11 5

Contents 5

Conventions 5

Intended readers 5

Managing system 5

More information 5

Overview 5

System 22 5

System info configurations 24 5

Web interface access 5

Access security configurations 58 6

System tools configurations 46 6

User management configurations 38 6

Appendix default parameters 76 7

Basic parameters configurations 81 7

Configuration examples 00 7

Loopback detection configuration 96 7

Managing physical interfaces 7

Physical interface 80 7

Port isolation configurations 93 7

Port mirror configuration 85 7

Port security configuration 89 7

Sdm template configuration 73 7

Appendix default parameters 08 8

Appendix default parameters 25 8

Appendix default parameters 31 8

Configuration example 21 8

Configuring lag 8

Lag 11 8

Lag configuration 12 8

Monitoring traffic 8

Traffic monitor 27 8

Address configurations 35 9

Appendix default parameters 52 9

Configuring ddm 9

Ddm configuration 55 9

Example for security configurations 49 9

Mac address table 33 9

Managing mac address table 9

Overview 54 9

Security configurations 43 9

Appendix default parameters 70 10

Appendix default parameters 81 10

Configuration example 78 10

Configuration example 91 10

Configuring 802 q vlan 10

Configuring l2pt 10

L2pt configuration 74 10

Overview 72 10

Overview 83 10

Q vlan configuration 84 10

Appendix default parameters 13 11

Appendix default parameters 97 11

Configuration example 05 11

Configuration example 22 11

Configuring mac vlan 11

Configuring protocol vlan 11

Mac vlan configuration 00 11

Overview 15 11

Overview 99 11

Protocol vlan configuration 16 11

Appendix default parameters 34 12

Appendix default parameters 54 12

Basic vlan vpn configuration 38 12

Configuration example 46 12

Configuration example 62 12

Configuring gvrp 12

Configuring vlan vpn 12

Flexible vlan vpn configuration 43 12

Gvrp configuration 57 12

Overview 56 12

Vlan vpn 36 12

Appendix default parameters 70 13

Appendix default parameters 88 13

Configuration example 82 13

Configuring private vlan 13

Configuring spanning tree 13

Overview 72 13

Private vlan configurations 74 13

Spanning tree 90 13

Stp rstp configurations 98 13

Appendix default parameters 51 14

Configuration example for mstp 32 14

Configuring oam 14

Ethernet oam 54 14

Ethernet oam configurations 58 14

Mstp configurations 08 14

Stp security configurations 28 14

Appendix default parameters 94 15

Configuration example 84 15

Configuring layer 2 multicast 15

Igmp snooping configurations 98 15

Layer 2 multicast 96 15

Viewing oam statistics 77 15

Configuring mld snooping 36 17

Appendix default parameters 03 19

Configuration examples 75 19

Viewing multicast snooping configurations 71 19

Appendix default parameter 33 20

Appendix default parameters 19 20

Configuring logical interfaces 20

Configuring static routing 20

Example for static routing 29 20

Ipv4 static routing configuration 22 20

Ipv6 static routing configuration 24 20

Logical interfaces configurations 08 20

Overview 07 20

Overview 21 20

Viewing routing table 26 20

Configuration examples 71 21

Configuring dhcp 21

Dhcp 35 21

Dhcp client configuration 51 21

Dhcp l2 relay configuration 66 21

Dhcp relay configuration 54 21

Dhcp server configuration 39 21

Appendix default parameters 79 22

Arp configurations 84 22

Bandwidth control configuration 13 22

Configuring arp 22

Configuring qos 22

Diffserv configuration 91 22

Overview 83 22

Qos 90 22

Appendix default parameters 37 23

Appendix default parameters 66 23

Configuration example 49 23

Configuration examples 20 23

Configuring poe 23

Configuring voice vlan 23

Overview 40 23

Poe 68 23

Poe power management configurations 69 23

Voice vlan configuration 42 23

Acl configuration 91 24

Appendix default parameters 88 24

Configuring acl 24

Example for poe configurations 84 24

Overview 90 24

Time range function configurations 77 24

Appendix default parameters 35 25

Configuration example for acl 27 25

Configuring network security 25

Dhcp snooping configuration 60 25

Ip mac binding configurations 45 25

Ipv6 mac binding configurations 51 25

Network security 38 25

Aaa configuration 00 26

Arp inspection configurations 68 26

Dhcpv6 snooping configuration 65 26

Dos defend configuration 80 26

Ip source guard configuration 77 26

Nd detection configuration 75 26

Pppoe id insertion configuration 97 26

X configuration 83 26

Configuration examples 27 27

Dhcp server filter configuration 20 27

Netbios filtering configuration 25 27

Appendix default parameters 54 28

Configuring lldp 28

Lldp 66 28

Lldp configurations 67 28

Lldp med configurations 75 28

Viewing lldp settings 82 28

Appendix default parameters 09 29

Configuration example 90 29

Configuring maintenance 29

Maintenance 11 29

Monitoring the system 12 29

Sflow configuration 15 29

System log configurations 20 29

Viewing lldp med settings 87 29

Appendix default parameters 42 30

Configuration examples 37 30

Configuring snmp rmon 30

Diagnosing the device 27 30

Diagnosing the network 29 30

Dldp configuration 33 30

Snmp configurations 46 30

Snmp overview 45 30

Appendix default parameters 93 31

Configuration example 81 31

Notification configurations 60 31

Rmon configurations 70 31

Rmon overview 69 31

About this guide 32

Conventions 32

Intended readers 32

More information 33

Accessing the switch 34

Chapters 34

Part 1 34

Overview 35

Web interface access 36

Save config function 37

Disable the web server 38

Http config disable the http server and click apply 38

You can shut down the http server or https server to block any access to the web interface 38

Configure the switch s ip address and default gateway 39

Check the routing table to verify the default gateway you configured the entry marked in red box displays the valid default gateway 41

Click save config to save the settings 41

Command line interface access 42

Console login only for switch with console port 42

Enter enable to enter the user exec mode to further configure the switch 43

Telnet login 44

Password authentication mode 45

Ssh login 45

Key authentication mode 46

After the keys are successfully generated click save public key to save the public key to a tftp server click save private key to save the private key to the host pc 47

After negotiation is completed enter the username to log in if you can log in without entering the password the key authentication completed successfully 49

Disable telnet login 49

Telnet config disable the telnet function and click apply 49

Using the gui 49

You can shut down the telnet function to block any telnet access to the cli interface 49

Copy running config startup config 50

Disable ssh login 50

Change the switch s ip address and default gateway 51

Chapters 52

Managing system 52

Part 2 52

Access security 53

Overview 53

Supported features 53

System 53

System info 53

System tools 53

User management 53

Sdm template 54

System info configurations 55

Using the gui 55

Viewing the system summary 55

Click a port to view the bandwidth utilization on this port 56

Move the cursor to the port to view the detailed information of the port 56

Setting the system time 57

Specifying the device description 57

Choose one method to set the system time and specify the information 58

In the time config section follow these steps to configure the system time 58

In the time info section view the current time information of the switch 58

Choose one method to set the daylight saving time of the switch and specify the information 59

Click apply 59

Daylight saving time to load the following page 59

Follow these steps to configure daylight saving time 59

In the dst config section select enable to enable the daylight saving time function 59

Setting the daylight saving time 59

Click apply 60

In the serial port settings section specify the baud rate and click apply 60

Serial port setting to load the following page 60

Specifying the serial port parameter 60

Using the cli 61

Viewing the system summary 61

Follow these steps to specify the device description 62

Running time 2 day 4 hour 55 min 36 sec 62

Serial number 62

Specifying the device description 62

Switch config contact info https www tp link com 62

Switch config hostname switch_a 62

Switch config location beijing 62

Switch config show system info 62

Switch configure 62

System description jetstream 48 port gigabit smart switch with 4 sfp slots 62

The following example shows how to set the device name as switch_a set the location as beijing and set the contact information as https www tp link com 62

Contact information https www tp link com 63

Follow these steps and choose one method to set the system time 63

Setting the system time 63

Switch config end 63

Switch copy running config startup config 63

System location beijing 63

System name switch_a 63

Backup ntp server 139 8 00 63 65

Follow these steps and choose one method to set the daylight saving time 65

Last successful ntp server 133 00 65

Prefered ntp server 133 00 65

Setting the daylight saving time 65

Switch config end 65

Switch config show system time ntp 65

Switch config system time ntp utc 08 00 133 00 139 8 00 63 11 65

Switch configure 65

Switch copy running config startup config 65

The following example shows how to set the system time by get time from ntp server and set the time zone as utc 08 00 set the ntp server as 133 00 set the backup ntp server as 139 8 00 63 and set the update rate as 11 65

Time zone utc 08 00 65

Update rate 11 hour s 65

Dst configuration is one off 67

Dst ends at 01 00 00 on sep 1 2016 67

Dst offset is 50 minutes 67

Dst starts at 01 00 00 on aug 1 2016 67

Follow these steps to specify the serial port parameter 67

Specifying the serial port parameter 67

Switch config end 67

Switch config show system time dst 67

Switch config system time dst date aug 1 01 00 2016 sep 1 01 00 2016 50 67

Switch configure 67

Switch copy running config startup config 67

The following example shows how to set the daylight saving time by date mode set the start time as 01 00 august 1st 2016 set the end time as 01 00 september 1st 2016 and set the offset as 50 67

Baud rate 9600 68

Data bits 8 68

Parity bits none 68

Serial port settings 68

Stop bits 1 68

Switch config 68

Switch config end 68

Switch config serial_port baud_rate 9600 68

Switch config show serial_port 68

Switch copy running config startup config 68

The following example shows how to set the baud rate as 9600 and view the serial port parameters 68

Creating admin accounts 69

User management configurations 69

Using the gui 69

Click create 70

Creating accounts of other types 70

Creating an account 70

Follow these steps to create an account of other types 70

In the user info section select the access level from the drop down list and specify the user name and password 70

User config to load the following page 70

You can create accounts with the access level of operator power user and user here you also need to go to the aaa section to create an enable password for these accounts the enable password is used to change the users access level to admin 70

Creating admin accounts 72

Follow these steps to create an admin account 72

Using the cli 72

Creating accounts of other types 73

Follow these steps to create an account of other type 73

You can create accounts with the access level of operator power user and user here you also need to go to the aaa section to create an enable password for these accounts the enable password is used to change the users access level to admin 73

The aaa function applies another method to manage the access users name and password for details refer to aaa configuration in configuring network security 75

The logged in users can enter the enable password on this page to get the administrative privileges 75

Configuring the boot file 77

System tools configurations 77

Using the gui 77

Click apply 78

Click import to import the configuration file 78

Config restore to load the following page 78

Follow these steps to restore the configuration of the switch 78

In the config restore section select one unit and one configuration file 78

Restoring the configuration of the switch 78

Backing up the configuration file 79

Upgrading the firmware 79

Auto install to load the following page 80

Configuring auto install function 80

In the auto install configuration section specify the parameters and click apply 80

Configuring the reboot schedule 81

Rebooting the switch 81

Configuring the boot file 82

Follow these steps to configure the boot file 82

In the system reset section select the desired unit and click reset 82

Reseting the switch 82

System reset to load the following page 82

Using the cli 82

Backup image image2 bin 83

Boot config 83

Current startup image image1 bin 83

Follow these steps to restore the configuration of the switch 83

Next startup image image1 bin 83

Restoring the configuration of the switch 83

Switch config boot application filename image1 startup 83

Switch config boot application filename image2 backup 83

Switch config end 83

Switch config show boot 83

Switch configure 83

Switch copy running config startup config 83

The following example shows how to set the next startup image as image 1 and set the backup image as image 2 83

Backing up the configuration file 84

Backup user config file ok 84

Enable 84

Follow these steps to back up the current configuration of the switch in a file 84

Follow these steps to upgrade the firmware 84

Operation ok now rebooting system 84

Start to backup user config file 84

Start to load user config file 84

Switch copy startup config tftp ip address 192 68 00 filename file2 84

Switch copy tftp startup config ip address 192 68 00 filename file1 84

The following example shows how to backup the configuration file named file2 from tftp server with ip address 192 68 00 84

The following example shows how to restore the configuration file named file1 from the tftp server with ip address 192 68 00 84

Upgrading the firmware 84

Configuring auto install function 85

Enable 85

Follow these steps to configure the auto install function 85

It will only upgrade the backup image continue y n y 85

Operation ok 85

Reboot with the backup image y n y 85

Switch firmware upgrade ip address 192 68 00 filename file3 bin 85

The following example shows how to upgrade the firmware using the configuration file named file3 bin the tftp server is 190 68 00 85

Auto insatll mode stop 86

Auto insatll persistent mode enabled 86

Auto insatll retry count 86

Auto insatll sate stopped 86

Auto reboot mode enabled 86

Auto save mode enabled 86

Follow these steps to reboot the switch 86

Rebooting the switch 86

Switch config boot autoinstall auto reboot 86

Switch config boot autoinstall auto save 86

Switch config boot autoinstall persistent mode 86

Switch config boot autoinstall retry count 2 86

Switch config show boot autoinstall 86

Switch configure 86

The following example shows how to configure the auto install function 86

Configuring the reboot schedule 87

Follow these steps and choose one type to configure the reboot schedule 87

Reboot schedule at 2016 01 15 12 00 in 17007 minutes 87

Reboot schedule settings 87

Reboot system at 15 01 2016 12 00 continue y n y 87

Switch config reboot schedule at 12 00 15 01 2016 save_before_reboot 87

Switch configure 87

The following example shows how to set the switch to reboot at 12 00 on 15 01 2016 87

Follow these steps to reset the switch 88

Reseting the switch 88

Save before reboot yes 88

Switch config end 88

Switch copy running config startup config 88

Access security configurations 89

Configuring the access control feature 89

Using the gui 89

Click apply 90

When the ip based mode is selected the following section will display 90

When the port based mode is selected the following section will display 90

Configuring the http function 91

Configuring the https function 92

In the access user number section select enable and specify the parameters click apply 93

In the certificate download and key download section download the certificate and key 93

In the ciphersuite config section select the algorithm to be enabled and click apply 93

In the session config section specify the session timeout and click apply 93

Configuring the ssh feature 94

In the global config section select enable to enable ssh function and specify other parameters 94

Ssh config to load the following page 94

Configuring the access control 95

Enabling the telnet function 95

Using the cli 95

Switch config show user configuration 96

Switch config user access control ip based 192 68 00 255 55 55 snmp telnet http https 96

Switch configure 96

The following example shows how to set the type of access control as ip based set the ip address as 192 68 00 set the subnet mask as 255 55 55 and make the switch support snmp telnet http and https 96

68 24 snmp telnet http https 97

Configuring the http function 97

Follow these steps to configure the http function 97

Index ip address access interface 97

Switch config end 97

Switch config ip http server 97

Switch configure 97

Switch copy running config startup config 97

The following example shows how to set the session timeout as 9 set the maximum admin number as 6 and set the maximum guest number as 5 97

User authentication mode ip based 97

Configuring the https function 98

Follow these steps to configure the https function 98

Http max admin users 6 98

Http max guest users 5 98

Http session timeout 9 98

Http status enabled 98

Http user limitation enabled 98

Switch config end 98

Switch config ip http max user 6 5 98

Switch config ip http session timeout 9 98

Switch config show ip http configuration 98

Switch copy running config startup config 98

Switch config ip http secure ciphersuite 3des ede cbc sha 99

Switch config ip http secure protocol ssl3 tls1 99

Switch config ip http secure server 99

Switch configure 99

The following example shows how to configure the https function enable ssl3 and tls1 protocol enable the ciphersuite of 3des ede cbc sha set the session timeout time as 15 the admin number as 1 and the guest number as 2 download the certificate named ca crt and the key named ca key from the tftp server with the ip address 192 68 00 99

Configuring the ssh feature 100

Switch config ip ssh server 101

Switch config ip ssh version v1 101

The following example shows how to configure the ssh function set the version as ssh v1 and ssh v2 enable the aes128 cbc and cast128 cbc encryption algorithm enable the hmac md5 data integrity algorithm choose the key type as ssh 2 rsa dsa 101

Enabling the telnet function 103

Follow these steps enable the telnet function 103

Switch config end 103

Switch copy running config startup config 103

In select options section select one template and click apply the setting will be effective after the reboot 104

Sdm template configuration 104

Sdm template function is used to configure system resources in the switch to optimize support for specific features the switch provides three templates and the hardware resources allocation is different users can choose one according to how the switch is used in the network 104

Sdm template to load the following page 104

Using the gui 104

Follow these steps to configure the sdm template function 105

The template table displays the resources allocation of each template 105

Using the cli 105

Appendix default parameters 107

Default settings of system info are listed in the following tables 107

Default settings of system tools are listed in the following table 107

Default settings of user management are listed in the following table 107

Default settings of access security are listed in the following tables 108

Default settings of sdm template are listed in the following table 109

Chapters 110

Managing physical interfaces 110

Part 3 110

Basic parameters 111

Loopback detection 111

Overview 111

Physical interface 111

Port isolation 111

Port mirror 111

Port security 111

Supported features 111

Basic parameters configurations 112

Follow these steps to set basic parameters for ports 112

Port config to load the following page 112

Select and configure your desired ports or lags then click apply 112

Using the gui 112

Follow these steps to set basic parameters for the ports 113

Using the cli 113

Switch configure 114

The following example shows how to implement the basic configurations of port1 0 1 including setting a description for the port making the port autonegotiate speed and duplex with the neighboring port and enabling the flow control and jumbo feature 114

Port mirror configuration 116

Using the gui 116

Follow these steps to configure port mirror 117

In the destination port section specify a monitoring port for the mirror session and click apply 117

In the source port section select one or multiple monitored ports for configuration then set the parameters and click apply 117

Follow these steps to configure port mirror 118

Monitor session 1 118

Switch config monitor session 1 destination interface gigabitethernet 1 0 10 118

Switch config monitor session 1 source interface gigabitethernet 1 0 1 3 both 118

Switch config show monitor session 118

Switch configure 118

The following example shows how to copy the received and transmitted packets on port 1 0 1 2 3 to port 1 0 10 118

Using the cli 118

Follow these steps to configure port security 120

Port security configuration 120

Port security to load the following page 120

Select one or multiple ports for security configuration 120

Specify the maximum number of the mac addresses that can be learned on the port and then select the learn mode of the mac addresses 120

Using the gui 120

Click apply 121

Follow these steps to configure port security 121

Select the status of the port security feature 121

Using the cli 121

Gi1 0 1 30 0 permanent drop 122

Port max learn current learn mode status 122

Switch config if mac address table max mac count max number 30 mode permanent status drop 122

Switch config if show mac address table max mac count interface gigabitethernet 1 0 1 122

Switch config interface gigabitethernet 1 0 1 122

Switch configure 122

The following example shows how to set the maximum number of mac addresses that can be learned on port 1 0 1 as 30 and configure the mode as permanent and the status as drop 122

Switch config if end 123

Switch copy running config startup config 123

Port isolation configurations 124

Using the gui 124

Click apply 125

Follow these steps to configure port isolation 125

In the forward portlist section select the forward ports or lags which the isolated ports can only communicate with it is multi optional 125

In the port section select one or multiple ports to be isolated 125

Using the cli 125

Loopback detection configuration 127

Using the gui 127

In the port config section select one or multiple ports for configuration then set the parameters and click apply 128

View the loopback detection information on this page 128

Follow these steps to configure loopback detection 129

Using the cli 129

Configuration examples 131

Configuration scheme 131

Example for port mirror 131

Network requirements 131

Using the gui 131

As shown below three hosts and a server are connected to the switch and all belong to vlan 10 with the vlan configuration unchanged host a is not allowed to communicate with the other hosts except the server even if the mac address or ip address of host a is changed 133

Destination port gi1 0 1 133

Example for port isolation 133

Monitor session 1 133

Network requirements 133

Source ports egress gi1 0 2 5 133

Source ports ingress gi1 0 2 5 133

Switch config end 133

Switch config monitor session 1 destination interface gigabitethernet 1 0 1 133

Switch config monitor session 1 source interface gigabitethernet 1 0 2 5 both 133

Switch configure 133

Switch copy running config startup config 133

Switch show monitor session 1 133

Using the cli 133

Verify the configuration 133

Configuration scheme 134

Using the gui 134

Using the cli 135

Verify the configuration 135

Configuration scheme 136

Example for loopback detection 136

Network requirements 136

Using the gui 136

Using the cli 137

Verify the configuration 138

Appendix default parameters 139

Default settings of switching are listed in th following tables 139

Chapters 141

Configuring lag 141

Part 4 141

Overview 142

Static lag 142

Supported features 142

Configuration guidelines 143

Lag configuration 143

Configuring load balancing algorithm 144

In the global config section select the load balancing algorithm click apply 144

Lag table to load the following page 144

Load balancing algorithm is effective only for outgoing traffic if the data stream is not well shared by each link you can change the algorithm of the outgoing interface 144

Please properly choose the load balancing algorithm to avoid data stream transferring only on one physical link for example switch a receives packets from several hosts and forwards them to the server with the fixed mac address and ip address you can set the algorithm as src mac src ip to allow switch a to determine the forwarding port based on the source mac addresses and source ip addresses of the received packets 144

Using the gui 144

Configuring static lag or lacp 145

Configuring lacp 146

Follow these steps to configure lacp 146

Lacp to load the following page 146

Select member ports for the lag and configure the related parameters click apply 146

Specify the system priority for the switch and click apply 146

Configuring load balancing algorithm 147

Follow these steps to configure the load balancing algorithm 147

Using the cli 147

Configuring static lag 148

Configuring static lag or lacp 148

Etherchannel load balancing addresses used per protocol 148

Etherchannel load balancing configuration src dst mac 148

Follow these steps to configure static lag 148

Ipv4 source xor destination mac address 148

Ipv6 source xor destination mac address 148

Non ip source xor destination mac address 148

Switch config end 148

Switch config port channel load balance src dst mac 148

Switch config show etherchannel load balance 148

Switch configure 148

Switch copy running config startup config 148

The following example shows how to set the global load balancing mode as src dst mac 148

You can choose only one lag mode for a port static lag or lacp and make sure both ends of a link use the same lag mode 148

Configuration example 152

Configuration scheme 152

Network requirements 152

Using the gui 153

Using the cli 154

Verify the configuration 154

Appendix default parameters 156

Default settings of switching are listed in the following tables 156

Monitoring traffic 157

Traffic monitor 158

Using the gui 158

Viewing the traffic summary 158

Follow these steps to view the traffic statistics in detail 159

To get the real time traffic statistics enable auto refresh in the auto refresh section or click refresh at the bottom of the page 159

Traffic statistics to load the following page 159

Viewing the traffic statistics in detail 159

In port select select a port or lag and click select 160

In the statistics section view the detailed information of the selected port or lag 160

On privileged exec mode or any other configuration mode you can use the following command to view the traffic information of each port or lag 161

Using the cli 161

Appendix default parameters 162

Chapters 163

Managing mac address table 163

Part 6 163

Address configurations 164

Mac address table 164

Overview 164

Supported features 164

Security configurations 165

Adding static mac address entries 166

Address configurations 166

Using the gui 166

Click apply 168

Dynamic address to load the following page 168

Follow these steps to modify the aging time of dynamic address entries 168

In the aging config section enable auto aging and enter your desired length of time 168

Modifying the aging time of dynamic address entries 168

Adding mac filtering address entries 169

Viewing address table entries 169

Adding static mac address entries 170

Address table to load the following page 170

Follow these steps to add static mac address entries 170

Using the cli 170

Modifying the aging time of dynamic address entries 171

Adding mac filtering address entries 172

Aging time is 500 sec 172

Follow these steps to add mac filtering address entries 172

Switch config end 172

Switch config mac address table aging time 500 172

Switch config show mac address table aging time 172

Switch configure 172

Switch copy running config startup config 172

The following example shows how to modify the aging time to 500 seconds a dynamic entry remains in the mac address table for 500 seconds after the entry is used or updated 172

Configuring mac notification traps 174

Security configurations 174

Using the gui 174

Configure snmp and set a management host for detailed snmp configurations please refer to configuring snmp rmon 175

Follow these steps to configure mac notification traps 175

In the mac notification global config section enable this feature configure the relevant options and click apply 175

In the mac notification port config section select your desired port and enable its notification traps you can enable these three types learned mode change exceed max learned and new mac learned click apply 175

Choose the mode that the switch adopts when the maximum number of mac addresses in the specified vlan is exceeded 176

Click create 176

Enter the vlan id to limit the number of mac addresses that can be learned in the specified vlan 176

Enter your desired value in max learned mac to set a threshold 176

Follow these steps to limit the number of mac addresses in vlans 176

Limiting the number of mac addresses in vlans 176

Mac vlan security to load the following page 176

Configuring mac notification traps 177

Follow these steps to configure mac notification traps 177

Using the cli 177

Limiting the number of mac addresses in vlans 178

100 0 drop 179

Switch config end 179

Switch config mac address table security vid 10 max learn 100 drop 179

Switch config show mac address table security vid 10 179

Switch configure 179

Switch copy running config startup config 179

The following example shows how to limit the number of mac addresses to 100 in vlan 10 and configure the switch to drop packets of new source mac addresses when the limit is exceeded 179

Vlanid max learn current learn status 179

Configuration scheme 180

Example for security configurations 180

Network requirements 180

Using the gui 181

Using the cli 182

Verify the configurations 182

Appendix default parameters 183

Default settings of the mac address table are listed in the following tables 183

Chapters 184

Configuring ddm 184

Part 7 184

Overview 185

Configuring ddm globally 186

Ddm configuration 186

Using the gui 186

Click apply 187

Configuring the temperature threshold 187

Configuring the voltage threshold 187

Follow these steps to configure ddm s temperature threshold 187

In the port config table configure temperature threshold of the sfp ports 187

Temperature threshold to load the following page 187

Voltage threshold to load the following page 187

Bias current threshold to load the following page 188

Click apply 188

Configuring the bias current threshold 188

Follow these steps to configure ddm s bias current threshold 188

Follow these steps to configure ddm s voltage threshold 188

In the port config table configure bias current threshold on the sfp ports 188

In the port config table configure voltage threshold on the sfp ports 188

Click apply 189

Configuring the tx power threshold 189

Follow these steps to configure ddm s tx power threshold 189

In the port config table configure tx power threshold on the sfp ports 189

Tx power threshold to load the following page 189

Click apply 190

Configuring the rx power threshold 190

Ddm status to load the following page 190

Follow these steps to configure ddm s rx power threshold 190

In the port config table configure rx power threshold on the sfp ports 190

Rx power threshold to load the following page 190

Viewing ddm status 190

Configure the shutdown condition 191

Configure the specified threshold for warning or alarm 191

Configuring ddm globally 191

Enable ddm on the sfp port 191

Follow these steps to enable ddm on specified sfp ports 191

In the port config table view the current operating parameters for the sfp modules inserted into the sfp ports 191

To complete ddm configuration follow these steps 191

Using the cli 191

Configuring ddm shutdown 192

Ddm status ddm status shutdown 192

Follow these steps to configure settings for shutting down sfp ports when the alarm threshold or warning threshold is exceeded 192

Gi1 0 17 enable none 192

Gi1 0 18 enable none 192

Switch config if ddm state enable 192

Switch config if end 192

Switch config if show ddm configuration state 192

Switch config interface gigabitethernet 1 0 17 192

Switch configure 192

Switch copy running config startup config 192

The following example shows how to enable ddm on sfp port 1 0 17 192

Configuring temperature threshold 193

Ddm status ddm status shutdown 193

Follow these steps to configure the threshold of the ddm temperature on the specified sfp port 193

Gi1 0 17 enable warning 193

Gi1 0 18 enable none 193

Switch config if ddm shutdown warning 193

Switch config if end 193

Switch config if show ddm configuration state 193

Switch config interface gigabitethernet 1 0 17 193

Switch configure 193

Switch copy running config startup config 193

The following example shows how to set sfp port 1 0 17 to shut down when the warning threshold is exceeded 193

Configuring voltage threshold 194

Follow these steps to configure the threshold of the ddm voltage on the specified sfp port 194

Gi1 0 17 110 00000 194

Gi1 0 18 194

High alarm high alarm low alarm high warning low warning 194

Switch config if ddm temperature_threshold high_alarm 110 194

Switch config if end 194

Switch config if show ddm configuration temperature 194

Switch config interface gigabitethernet 1 0 17 194

Switch configure 194

Switch copy running config startup config 194

Temperature threshold celsius 194

The following example shows how to set sfp port 1 0 17 s high alarm temperature threshold as 110 celsius 194

Configuring bias current threshold 195

Gi1 0 17 120 00000 196

Gi1 0 18 196

High alarm high alarm low alarm high warning low warning 196

Switch config if ddm vlotage_threshold high_alarm 120 196

Switch config if end 196

Switch config if show ddm configuration bias_current 196

Switch config interface gigabitethernet 1 0 17 196

Switch configure 196

Switch copy running config startup config 196

The following example shows how to set sfp port 1 0 17 s high alarm threshold bias current as 120 ma 196

Voltage threshold v 196

Configuring tx power threshold 197

Follow these steps to configure the threshold of the ddm tx power on the specified sfp port 197

Gi1 0 17 6 00000 197

Gi1 0 18 197

High alarm high alarm low alarm high warning low warning 197

Switch config if ddm tx_power_threshold high_alarm 6 197

Switch config if show ddm configuration tx_power 197

Switch config interface gigabitethernet 1 0 17 197

Switch configure 197

The following example shows how to set sfp port 1 0 17 s high alarm threshold tx power as 6 mw 197

Tx power threshold mw 197

Configuring rx power threshold 198

Follow these steps to configure the threshold of the ddm rx power on the specified sfp port 198

Switch config if ddm rx_power_threshold high_alarm 6 198

Switch config if end 198

Switch config if show ddm configuration rx_power 198

Switch config interface gigabitethernet 1 0 17 198

Switch configure 198

Switch copy running config startup config 198

The following example shows how to set sfp port 1 0 17 s high alarm threshold rx power as 6 mw 198

Viewing ddm configuration 199

Viewing ddm status 200

Appendix default parameters 201

Default settings of ddm are listed in the following table 201

Chapters 202

Configuring l2pt 202

Part 8 202

Overview 203

Follow these steps to configure l2pt 205

In the global config section enable l2pt globally and click apply 205

In the port config section configure the port that is connected to the customer network as a uni port and specify your desired protocols on the port in addition you can also set the threshold for packets per second to be processed on the uni port 205

L2pt config to load the following page 205

L2pt configuration 205

Using the gui 205

Click apply 206

Follow these steps to configure l2pt feature 206

In the port config section configure the port that is connected to the isp network as an nni port note that the protocols and threshold cannot be configured on the nni port 206

Using the cli 206

Configuration example 209

Configuration scheme 209

Network requirements 209

Using the gui 209

Using the cli 210

Verify the configuration 211

Appendix default parameters 212

Default settings of l2pt are listed in the following table 212

Chapters 213

Configuring 802 q vlan 213

Part 9 213

Overview 214

Configuring the pvid of the port 215

Q vlan configuration 215

Using the gui 215

Click apply 217

Configuring the vlan 217

Enter a vlan id and a description for identification to create a vlan 217

Follow these steps to configure vlan 217

Select the untagged port s and the tagged port s respectively to add to the created vlan based on the network topology 217

Vlan config and click create to load the following page 217

Creating a vlan 218

Follow these steps to create a vlan 218

Rd active 218

Switch config vlan 2 218

Switch config vlan end 218

Switch config vlan name rd 218

Switch config vlan show vlan id 2 218

Switch configure 218

The following example shows how to create vlan 2 and name it as rd 218

Using the cli 218

Vlan name status ports 218

Configuring the port 219

Follow these steps to configure the port 219

Link type trunk 219

Member in lag n a 219

Member in vlan 219

Port gi1 0 5 219

Pvid 2 219

Switch config if show interface switchport gigabitethernet 1 0 5 219

Switch config if switchport mode trunk 219

Switch config if switchport pvid 2 219

Switch config interface gigabitethernet 1 0 5 219

Switch configure 219

Switch copy running config startup config 219

The following example shows how to configure the link type of port 1 0 5 as trunk the pvid of port 1 0 5 as vlan 2 219

Adding the port to the specified vlan 220

Follow these steps to add the port to the specified vlan 220

Switch config if end 220

Switch config interface gigabitethernet 1 0 5 220

Switch configure 220

Switch copy running config startup config 220

System vlan tagged 220

The following example shows how to add the general port 1 0 5 to vlan 2 and specify its egress rule as tagged 220

Vlan name egress rule 220

Configuration example 222

Configuration scheme 222

Network requirements 222

Network topology 223

Using the gui 223

Using the cli 226

Verify the configurations 226

Appendix default parameters 228

Default settings of 802 q vlan are listed in the following table 228

Chapters 229

Configuring mac vlan 229

Part 10 229

Overview 230

Ptops department a uses server a and laptop a while department b uses server b and laptop b server a is in vlan 10 while server b is in vlan 20 it is required that laptop a can only access server a and laptop b can only access server b no matter which meeting room the laptops are being used in to meet this requirement simply bind the mac addresses of the laptops to the corresponding vlans respectively in this way the mac address rather than the access port determines the vlan each laptop joins each laptop can access only the server in the vlan it joins 230

The figure below shows a common application scenario of mac vlan 230

Two departments share all the meeting rooms in the company but use different servers and l 230

Vlan is generally divided by ports this way of division is simple but isn t suitable for those networks that require frequent topology changes with the popularity of mobile office a terminal device may access the switch via different ports for example a terminal device that accessed the switch via port 1 last time may change to port 2 this time if port 1 and port 2 belong to different vlans the user has to re configure the switch to access the original vlan using mac vlan can free the user from such a problem it divides vlans based on the mac addresses of terminal devices in this way terminal devices always belong to their original vlans even when their access ports change 230

Configuring 802 q vlan 231

Mac vlan configuration 231

Using the gui 231

Binding the mac address to the vlan 232

By default mac vlan is disabled on all ports you need to enable mac vlan for your desired ports manually 232

Click create to create the mac vlan 232

Enabling mac vlan for the port 232

Enter the mac address of the device give it a description and enter the vlan id to bind it to the vlan 232

Follow these steps to bind the mac address to the vlan 232

Mac vlan to load the following page 232

Before configuring mac vlan create an 802 q vlan and set the port type according to network requirements for details refer to configuring 802 q vlan 233

Binding the mac address to the vlan 233

Configuring 802 q vlan 233

Follow these steps to bind the mac address to the vlan 233

Follow these steps to enable mac vlan for the port 233

Port enable to load the following page 233

Select your desired ports to enable mac vlan and click apply 233

Using the cli 233

19 56 8a 4c 71 dept a 10 234

Enabling mac vlan for the port 234

Follow these steps to enable mac vlan for the port 234

Mac addr name vlan id 234

Switch config end 234

Switch config mac vlan mac address 00 19 56 8a 4c 71 vlan 10 description dept a 234

Switch config show mac vlan vlan 10 234

Switch configure 234

Switch copy running config startup config 234

The following example shows how to bind the mac address 00 19 56 8a 4c 71 to vlan 10 with the address description as dept a 234

Configuration example 236

Configuration scheme 236

Create vlan 10 and vlan 20 on each of the three switches set different port types and add the ports to the vlans based on the network topology note for the ports connecting the laptops set the link type as general and set the egress rule as 236

Network requirements 236

Two departments share all the meeting rooms in the company but use different servers and laptops department a uses server a and laptop a while department b uses server b and laptop b server a is in vlan 10 while server b is in vlan 20 it is required that laptop a can only access server a and laptop b can only access server b no matter which meeting room the laptops are being used in the figure below shows the network topology 236

You can configure mac vlan to meet this requirement on switch 1 and switch 2 bind the mac addresses of the laptops to the corresponding vlans respectively in this way each laptop can access only the server in the vlan it joins no matter which meeting room the laptops are being used in the overview of the configuration is as follows 236

Using the gui 237

Using the cli 241

Verify the configurations 243

Appendix default parameters 244

Default settings of mac vlan are listed in the following table 244

Chapters 245

Configuring protocol vlan 245

Part 11 245

Overview 246

Protocol vlan is a technology that divides vlans based on the network layer protocol with the protocol vlan rule configured on the basis of the existing 802 q vlan the switch can analyze special fields of received packets encapsulate the packets in specific formats and forward the packets of different protocols to the corresponding vlans since different applications and services use different protocols network administrators can use protocol vlan to manage the network based on specific applications and services of network users 246

The figure below shows a common application scenario of protocol vlan with protocol vlan configured switch 2 can forward ipv4 and ipv6 packets from different vlans to the ipv4 and ipv6 networks respectively 246

Configuring 802 q vlan 247

Protocol vlan configuration 247

Using the gui 247

Creating protocol template 248

Configuring 802 q vlan 249

Configuring protocol vlan 249

Using the cli 249

Arp ethernetii ether type 0806 250

At snap ether type 809b 250

Creating a protocol template 250

Follow these steps to create a protocol template 250

Index protocol name protocol type 250

Ip ethernetii ether type 0800 250

Ipv6 ethernetii ether type 86dd 250

Ipx snap ether type 8137 250

Rarp ethernetii ether type 8035 250

Switch config end 250

Switch config protocol vlan template name ipv6 frame ether_2 ether type 86dd 250

Switch config show protocol vlan template 250

Switch configure 250

The following example shows how to create an ipv6 protocol template 250

Configuring protocol vlan 251

Follow these steps to configure protocol vlan 251

Index protocol name protocol type 251

Ip ethernetii ether type 0800 251

Switch config show protocol vlan template 251

Switch configure 251

Switch copy running config startup config 251

The following example shows how to bind the ipv6 protocol template to vlan 10 251

A company uses both ipv4 and ipv6 hosts and these hosts access the ipv4 network and ipv6 network respectively via different routers it is required that ipv4 packets are forwarded to the ipv4 network ipv6 packets are forwarded to the ipv6 network and other packets are dropped 253

Configuration example 253

Configuration scheme 253

Network requirements 253

The figure below shows the network topology the ipv4 host belongs to vlan 10 the ipv6 host belongs to vlan 20 and these hosts access the network via switch 1 switch 2 is connected to two routers to access the ipv4 network and ipv6 network respectively the routers belong to vlan 10 and vlan 20 respectively 253

You can configure protocol vlan on port 1 0 1 of switch 2 to meet this requirement when this port receives packets switch 2 will forward them to the corresponding vlans according to their protocol types the overview of the configuration on switch 2 is as follows 253

Using the gui 254

Using the cli 260

Verify the configurations 263

Appendix default parameters 265

Default settings of protocol vlan are listed in the following table 265

Chapters 266

Configuring vlan vpn 266

Part 12 266

Overview 267

Vlan vpn 267

Basic vlan vpn 268

Flexible vlan vpn 268

Supported features 268

Basic vlan vpn configuration 269

Configuring 802 q vlan 269

Using the gui 269

Configuring global vlan vpn and up link ports 270

Configuring 802 q vlan 271

Configuring vpn ports 271

Using the cli 271

Configuring basic vlan vpn 272

Follow these steps to configure basic vlan vpn 272

Configuration guidelines 274

Flexible vlan vpn configuration 274

Using the gui 274

Follow these steps to configure flexible vlan vpn 275

In the vlan mapping config section choose a vpn port to enable vlan mapping enter customer network vlan id in the c vlan field enter isp network vlan id in the sp vlan field and enter a name to identify the entry then click create to add a mapping entry 275

Using the cli 275

Configuration example 277

Configuration scheme 277

Configure 802 q vlan before vlan vpn configuration create isp network vlan 1050 on the switch and add port1 0 1 tagged and port 1 0 2 untagged to the vlan create client network vlan 100 and vlan 200 and add port 1 0 2 tagged to both the vlans set the pvid of port 1 0 1 and port 1 0 2 as 1050 277

Demonstrated with t2600g 28ts this chapter provides configuration procedures in two ways using the gui and using the cli 277

Enable the vpn feature globally and set global tpid as 0x9100 277

Figure 4 1 shows the network topology switches of the two divisions are connected to customer networks vlan 100 and vlan 200 respectively and they communicate across isp network vlan 1050 devices in the isp network adopt tpid value 0x9100 277

Network requirements 277

Set port 1 0 1 as the vpn up link port and port 1 0 2 as the vpn port 277

Two divisions of the company are located in different areas and have to communicate across an isp network a normal communication is required 277

Users can configure vlan vpn on switch 1 and switch 2 to allow packets sent with double vlan tags and thus ensure the communication between them the general configuration procedure is as follows 277

Using the gui 278

Using the cli 282

Verify the configurations 283

Appendix default parameters 285

Default settings of vlan vpn are listed in the following table 285

Chapters 286

Configuring gvrp 286

Part 13 286

Gvrp garp vlan registration protocol is a garp generic attribute registration protocol application that allows registration and deregistration of vlan attribute values and dynamic vlan creation 287

Overview 287

The configuration may seem easy in this situation however for a larger or more complex network such manual configuration would be time costing and fallible gvrp can be applied to implement dynamic vlan configuration with gvrp the switch can exchange vlan configuration information with the adjacent gvrp switches and dynamically create and manage the vlans this reduces vlan configuration workload and ensures correct vlan configuration 287

Without gvrp operating configuring the same vlan on a network would require manual configuration on each device as shown in figure 1 1 switch a b and c are connected through trunk ports vlan 10 is configured on switch a and vlan 1 is configured on switch b and switch c switch c can receive messages sent from switch a in vlan 10 only when the network administrator has manually created vlan 10 on switch b and switch c 287

Configuration guidelines 288

Gvrp configuration 288

Using the gui 288

Click apply 290

Gvrp requires vlan creation first and you need to set the link type of the ports as trunk for gvrp can be enabled only on trunk interfaces for details refer to configuring 802 q vlan 290

Using the cli 290

Enabled 292

Gi1 0 1 enabled fixed 1000 20 60 n a 292

Gvrp global status 292

Port status reg mode leaveall joinin leave lag 292

Switch config gvrp 292

Switch config if end 292

Switch config if gvrp 292

Switch config if gvrp registration fixed 292

Switch config if show gvrp global 292

Switch config if show gvrp interface gigabitethernet 1 0 1 292

Switch config interface gigabitethernet 1 0 1 292

Switch configure 292

Switch copy running config startup config 292

The following example shows how to enable gvrp globally and on trunk port 1 0 1 configure the gvrp registration mode as fixed and keep the values of timers as default 292

Before enabling gvrp set the link type for all ports in the link as trunk 293

Configuration example 293

Configuration scheme 293

Demonstrated with t2600g 28ts the following sections provide configuration procedure in two ways using the gui and using the cli 293

Department a and department b of a company are connected using switches offices of one department are distributed on different floors as shown in figure 3 1 the network topology is complicated configuration of the same vlan on different switches is required so that computers in the same department can communicate with each other 293

Network requirements 293

The two departments are in separate vlans to make sure the switches only dynamically create vlan of their own department you need to set the registration mode for ports on switch 1 to switch 4 as fixed to prevents dynamic registration and deregistration of vlans and allow the port to transmit only the static vlan registration information 293

To configure dynamic vlan creation on other switches set the registration mode of the corresponding ports as normal to allow dynamic registration and de registration of vlans 293

To reduce manual configuration and maintenance workload gvrp can be enabled to implement dynamic vlan registration and update on the switches 293

When configuring gvrp please note the following 293

Using the gui 294

Using the cli 297

Verify the configuration 299

Appendix default parameters 301

Default settings of gvrp are listed in the following tables 301

Chapters 302

Configuring private vlan 302

Part 14 302

Overview 303

If private vlan is configured on switch b switch a only needs to recognize primary vlan vlan5 and end users can be isolated by secondary vlans vlan2 vlan3 and vlan4 saving vlan resources for switch a 304

Creating private vlan 305

Private vlan configurations 305

Using the gui 305

Click create 306

Configuring the up link port 306

In the port config section select the port to be configured set the port type as promiscuous and enter the ids of primary vlan and secondary vlan 306

Port config to load the following page 306

The switch requires that only access port can be added to a private vlan 306

Click apply 307

Configuring the down link port 307

In the port config section select the port to be configured set the port type as host and enter the ids of primary vlan and secondary vlan 307

Port config to load the following page 307

The switch requires that only access port can be added to a private vlan 307

Click apply 308

Creating private vlan 308

Using the cli 308

Community 309

Primary secondary type ports 309

Switch config end 309

Switch config show vlan private vlan 309

Switch config vlan 5 309

Switch config vlan 6 309

Switch config vlan exit 309

Switch config vlan private vlan association 5 309

Switch config vlan private vlan community 309

Switch config vlan private vlan primary 309

Switch configure 309

Switch copy running config startup config 309

The following example shows how to create primary vlan 6 and secondary vlan 5 set the secondary vlan type as community and pair primary vlan 6 with secondary vlan 5 as a private vlan 309

Configuring the up link port 310

Switch config interface gigabitethernet 1 0 2 310

Switch configure 310

The following example shows how to configure the port type of port 1 0 2 as promiscuous and add it to the private vlan composed of primary vlan 6 and secondary vlan 5 310

The switch requires that only access port can be added to a private vlan 310

Community gi1 0 2 311

Configuring the down link port 311

Gi1 0 2 promiscuous 311

Port type 311

Primary secondary type ports 311

Switch config end 311

Switch config if exit 311

Switch config if switchport private vlan promiscuous 311

Switch config show vlan private vlan 311

Switch config show vlan private vlan interface gigabitethernet 1 0 2 311

Switch copy running config startup config 311

Swtich config if switchport private vlan mapping 6 5 311

The switch requires that only access port can be added to a private vlan 311

Community gi1 0 3 312

Gi1 0 3 host 312

Port type 312

Primary secondary type ports 312

Switch config end 312

Switch config if exit 312

Switch config if switchport private vlan host 312

Switch config interface gigabitethernet 1 0 3 312

Switch config show vlan private vlan 312

Switch config show vlan private vlan interface gigabitethernet 1 0 3 312

Switch configure 312

Switch copy running config startup config 312

Swtich config if switchport private vlan host association 6 5 community 312

The following example shows how to configure the port type of port 1 0 3 as host and add it to the private vlan composed of primary vlan 6 and secondary vlan 5 312

Configuration example 313

Configuration scheme 313

Network requirements 313

Network topology 313

Configurations for switch a 314

Creating private vlan 314

Pvlan config to load the following page create primary vlan 6 and secondary vlan 5 select community as the secondary vlan type click create and primary vlan 6 is paired with secondary vlan 5 similarly create primary vlan 6 and secondary vlan 7 select community as the secondary vlan type click create and primary vlan 6 is paired with secondary vlan 7 314

Using the gui 314

Using the cli 316

Verify the configurations 318

Appendix default parameters 319

Default settings of private vlan are listed in the following tables 319

Chapters 320

Configuring spanning tree 320

Part 15 320

Basic concepts 321

Overview 321

Spanning tree 321

Stp rstp concepts 321

Bridge id 322

Port role 322

Root bridge 322

Port status 323

Path cost 324

Root path cost 324

Mst instance 325

Mst region 325

Mstp concepts 325

Stp security 326

Vlan instance mapping 326

Configuring stp rstp parameters on ports 329

Stp rstp configurations 329

Using the gui 329

Click apply 331

Configuring stp rstp globally 331

Stp config to load the following page 331

Follow these steps to configure stp rstp globally 332

In the global config section enable spanning tree function choose the stp mode as stp rstp and click apply 332

In the parameters config section configure the global parameters of stp rstp and click apply 332

Stp summary to load the following page 333

The stp summary section shows the summary information of spanning tree 333

Verify the stp rstp information of your switch after all the configurations are finished 333

Verifying the stp rstp configurations 333

Configuring stp rstp parameters on ports 334

Follow these steps to configure stp rstp parameters on ports 334

Using the cli 334

Switch config if show spanning tree interface gigabitethernet 1 0 3 335

Switch config if spanning tree 335

Switch config if spanning tree common config port priority 32 335

Switch config interface gigabitethernet 1 0 3 335

Switch configure 335

The following example shows how to enable spanning tree function on port 1 0 3 and configure the port priority as 32 335

Configuring global stp rstp parameters 336

Follow these steps to configure global stp rstp parameters of the switch 336

Gi1 0 3 enable 32 auto auto no no auto n a n a lnkdwn 336

Interface state prio ext cost int cost edge p2p mode role status 336

Switch config if end 336

Switch copy running config startup config 336

Enable rstp 36864 2 12 20 5 20 337

Enabling stp rstp globally 337

Follow these steps to configure the spanning tree mode as stp rstp and enable spanning tree function globally 337

State mode priority hello time fwd time max age hold count max hops 337

Switch config end 337

Switch config show spanning tree bridge 337

Switch config spanning tree priority 36864 337

Switch config spanning tree timer forward time 12 337

Switch configure 337

Switch copy running config startup config 337

This example shows how to configure the priority of the switch as 36864 the forward delay as 12 seconds 337

Configuring parameters on ports in cist 339

Mstp configurations 339

Using the gui 339

Besides configure the priority of the switch the priority and path cost of ports in the desired instance 341

Click apply 341

Configure the region name revision level vlan instance mapping of the switch the switches with the same region name the same revision level and the same vlan instance mapping are considered as in the same region 341

Configuring the mstp region 341

Configuring the region name and revision level 341

Region config to load the following page 341

Configuring mstp globally 346

Follow these steps to configure mstp globally 346

In the parameters config section configure the global parameters of mstp and click apply 346

Stp config to load the following page 346

In the global config section enable spanning tree function and choose the stp mode as mstp and click apply 347

Stp summary to load the following page 348

The stp summary section shows the summary information of cist 348

Verifying the mstp configurations 348

Configuring parameters on ports in cist 349

Follow these steps to configure the parameters of the port in cist 349

The mstp summary section shows the information in mst instances 349

Using the cli 349

Switch configure 350

This example shows how to enable spanning tree function for port 1 0 3 and configure the port priority as 32 350

Configuring the mst region 351

Configuring the mstp region 351

Follow these steps to configure the mst region and the priority of the switch in the instance 351

Gi1 0 3 144 200 n a lnkdwn 351

Gi1 0 3 enable 32 auto auto no no auto n a n a lnkdwn 351

Interface prio cost role status 351

Interface state prio ext cost int cost edge p2p mode role status 351

Mst instance 0 cist 351

Mst instance 5 351

Switch config if end 351

Switch config if show spanning tree interface gigabitethernet 1 0 3 351

Switch config if spanning tree 351

Switch config if spanning tree common config port priority 32 351

Switch config interface gigabitethernet 1 0 3 351

Switch copy running config startup config 351

Region name r1 352

Revision 100 352

Switch config mst instance 5 vlan 2 6 352

Switch config mst name r1 352

Switch config mst revision 100 352

Switch config mst show spanning tree mst configuration 352

Switch config spanning tree mst configuration 352

Switch configure 352

This example shows how to create an mst region of which the region name is r1 the revision level is 100 and vlan 2 vlan 6 are mapped to instance 5 352

7 4094 353

Configuring the parameters on ports in instance 353

Follow these steps to configure the priority and path cost of ports in the specified instance 353

Mst instance vlans mapped 353

Switch config mst end 353

Switch copy running config startup config 353

Configuring global mstp parameters 354

Switch config if spanning tree timer forward time 12 355

Switch config spanning tree priority 36864 355

Switch configure 355

This example shows how to configure the cist priority as 36864 the forward delay as 12 seconds the hold count as 8 and the max hop as 25 355

Enable mstp 36864 2 12 20 8 25 356

Enabling spanning tree globally 356

Follow these steps to configure the spanning tree mode as mstp and enable spanning tree function globally 356

Spanning tree is enabled 356

State mode priority hello time fwd time max age hold count max hops 356

Switch config if end 356

Switch config if show spanning tree bridge 356

Switch config if spanning tree hold count 8 356

Switch config if spanning tree max hops 25 356

Switch config show spanning tree active 356

Switch config spanning tree 356

Switch config spanning tree mode mstp 356

Switch configure 356

Switch copy running config startup config 356

This example shows how to configure the spanning tree mode as mstp and enable spanning tree function globally 356

Stp security configurations 359

Using the gui 359

Follow these steps to configure the root protect feature bpdu protect feature and bpdu filter feature for ports 360

Using the cli 360

Featur 361

Switch config interface gigabitethernet 1 0 3 361

Switch configure 361

This example shows how to enable loop protect root protect bpdu filter and bpdu protect functions on port 1 0 3 361

As shown in figure 5 1 the network consists of three switches traffic in vlan 101 vlan 106 is transmitted in this network the link speed between the switches is 100mb s the default path cost of the port is 200000 363

Configuration example for mstp 363

Configuration scheme 363

Here we configure two instances to meet the requirement as is shown below 363

It is required that traffic in vlan 101 vlan 103 and traffic in vlan 104 vlan 106 should be transmitted along different paths 363

Mstp backwards compatible with stp and rstp can map vlans to instances to enable load balancing thus providing a more flexible method in network management here we take the mstp configuration as an example 363

Network requirements 363

To meet this requirement you are suggested to configure mstp function on the switches map the vlans to different instances to ensure traffic can be transmitted along the respective instance 363

Using the gui 364

Instance port config to load the following page set the path cost of port 1 0 1 in instance 1 as 400000 366

Instance port config to load the following page set the path cost of port 1 0 2 in instance 2 as 400000 370

Using the cli 375

Verify the configurations 377

Appendix default parameters 382

Default settings of the spanning tree feature are listed in the following table 382

Chapters 384

Configuring oam 384

Part 16 384

Ethernet oam 385

Oam connection 385

Oam entity 385

Oampdus 385

Overview 385

As the above figure shows the oam entity on switch a is in active mode and that on switch b is in passive mode switch a initiates an oam connection by sending an information oampdu switch b compares the oam information in the received oampdu with its own and sends back an information oampdu to switch a if the oam information of the two entities matches an oam connection will be established after that the two oam entities will exchange information oampdus periodically to keep the oam connection valid 386

Link monitoring 386

Link monitoring is for monitoring link performance under various circumstances when problems are detected on the link the oam entity will send its remote peer the event notification oampdus to report link events 386

Supported features 386

The link events are described as follows 386

The switch supports the following oam features link monitoring remote failure indication rfi and remote loopback 386

As the above figure shows the oam connection has been established between the two entities the oam entity on switch a is in active mode and that on switch b is in passive mode 387

Critical event unspecified critical event occurs 387

Dying gasp an unrecoverable fault such as power failure occurs 387

Remote failure indication 387

Remote loopback 387

With remote failure indication an oam entity can send the failure conditions of the link such as disruption in traffic because of the device failure to its peer through information oampdus so the network administrator can get informed of the link faults and take action in time the switch supports two kinds of failure conditions 387

With remote loopback administrators can test the link performance like delay jitter and frame loss rate during installation or for troubleshooting 387

Enabling oam and configuring oam mode 389

Ethernet oam configurations 389

Using the gui 389

Click apply 390

Configuring link monitoring 390

Follow these steps to complete the basic oam configuration 390

Link monitoring to load the following page 390

Select one or more ports configure the oam mode and enable oam 390

Click apply 391

Follow these steps to configure link monitoring 391

In the current link event section select a link event type to be configured 391

In the link monitoring config section select one or more ports and configure the threshold and period for the selected link event 391

Click apply 392

Configuring rfi 392

Follow these steps to configure remote failure indication 392

Remote failure indication config to load the following page 392

Select one or more ports and configure the dying gasp notify and critical event notify features 392

Click apply 393

Configuring remote loopback 393

Follow these steps to configure remote loopback 393

Remote loopback to load the following page 393

Select one or more ports and configure the relevant options 393

Discovery info to load the following page 394

Select a port to view whether the oam connection is established with the peer additionally you can view the oam information of the local and the remote entities 394

The oam information of the local entity is as follows 394

Viewing oam status 394

The oam information of the remote entity is as follows 395

Enabling oam and configuring oam mode 396

Follow these steps to enable oam and configure oam mode on the port 396

Using the cli 396

Configuring link monitoring 397

Gi1 0 1 398

Notify state enabled 398

Switch config if end 398

Switch config if ethernet oam link monitor symbol period threshold 1 window 10 notify enable 398

Switch config if show ethernet oam configuration interface gigabitethernet 1 0 1 398

Switch config interface gigabitethernet 1 0 1 398

Switch configure 398

Symbol period error 398

The following example shows how to enable frame error notifying and configure the threshold as 1 and the window as 1000 ms 10 100 ms on port 1 0 1 398

Threshold 1 error symbol 398

Window 1000 milliseconds 398

Configuring frame error 399

Follow these steps to configure frame error 399

Switch config if ethernet oam link monitor frame threshold 1 window 20 notify enable 399

Switch config if show ethernet oam configuration interface gigabitethernet 1 0 1 399

Switch config interface gigabitethernet 1 0 1 399

Switch configure 399

Switch copy running config startup config 399

The following example shows how to enable frame error notifying and configure the threshold as 1 and the window as 2000 ms 20 100 ms on port 1 0 1 399

With frame error enabled a frame error event occurs if the number of frame errors exceeds the defined threshold within a specific period of time 399

Configuring frame period error 400

Follow these steps to configure frame period error 400

Frame error 400

Gi1 0 1 400

Notify state enabled 400

Switch config if end 400

Switch copy running config startup config 400

Threshold 1 error frame 400

Window 2000 milliseconds 400

With frame period error enabled a frame period error event occurs if the number of frame errors in specific number of received frames exceeds the defined threshold 400

Frame seconds error 402

Gi1 0 1 402

Notify state enabled 402

Switch config if end 402

Switch config if ethernet oam link monitor frame seconds threshold 1 window 800 notify enable 402

Switch config if show ethernet oam configuration interface gigabitethernet 1 0 1 402

Switch config interface gigabitethernet 1 0 1 402

Switch configure 402

The following example shows how to enable frame seconds error notifying and configure the threshold as 1 and the window as 80000 ms 800 100 ms on port 1 0 1 402

Threshold 1 error seconds 402

Window 80000 milliseconds 402

Configuring remote failure indication 403

Follow these steps to configure remote failure indication 403

Switch config if ethernet oam dying gasp notify enable 403

Switch config if ethernet oam remote failure notify enable 403

Switch config if show ethernet oam configuration interface gigabitethernet 1 0 1 403

Switch config interface gigabitethernet 1 0 1 403

Switch configure 403

Switch copy running config startup config 403

The following example shows how to enable dying gasp and critical event on port 1 0 1 403

Configuring remote loopback 404

Critical event enabled 404

Dying gasp enabled 404

Follow these steps to configure remote loopback 404

Gi1 0 1 404

Switch config if end 404

Switch config interface gigabitethernet 1 0 1 404

Switch configure 404

Switch copy running config startup config 404

The following example shows how to start the oam remote loopback mode of the peer on port 1 0 1 404

On privileged exec mode or any other configuration mode you can use the following command to view whether the oam connection is established with the peer additionally you can view the oam information of the local entity and the remote entity 405

Switch config if ethernet oam remote loopback start 405

Verifying oam connection 405

Gi1 0 1 406

Local client 406

Max oampdu 1518 bytes 406

Mode active 406

Oam enabled 406

Remote loopback supported 406

Switch config show ethernet oam status interface gigabitethernet 1 0 1 406

The following example shows how to view the oam status of port 1 0 1 406

Unidirection not supported 406

Using the gui 408

Viewing oam statistics 408

Viewing oampdus 408

Event log to load the following page 410

Select a port and view the local and remote event logs on this port in the event log statistics section 410

Viewing event logs 410

Additionally you can view the detailed information of the event logs in the event log table section 411

Gi1 0 1 411

Information oampdu rx 28 411

Information oampdu tx 28 411

On privileged exec mode or any other configuration mode you can use the following command to view the number of oampdus received and sent on the specified port 411

Switch show ethernet oam statistics interface gigabitethernet 1 0 1 411

The following example shows how to view the transmitted and received oamdpus on port 1 0 1 411

Unique event notification oampdu rx 0 411

Unique event notification oampdu tx 0 411

Using the cli 411

Viewing oampdus 411

Critical event remote 2016 01 01 08 08 00 413

Event listing 413

Gi1 0 1 413

Local event statistics 413

On privileged exec mode or any other configuration mode you can use the following command to view the local and remote event logs on the specified port 413

Switch show ethernet oam event log interface gigabitethernet 1 0 1 413

The following example shows how to view the event logs on port 1 0 1 413

Type location time stamp 413

Viewing event logs 413

Configuration example 415

Configuration scheme 415

Network requirements 415

Using the gui 415

Using the cli 420

Verify the configuration 421

Critical event 1 424

Appendix default parameters 425

Default settings of ethernet oam are listed in the following tables 425

Chapters 426

Configuring layer 2 multicast 426

Part 17 426

Layer 2 multicast 427

Overview 427

Configuration guide 397 428

Configuring layer 2 multicast layer 2 multicast 428

Demonstrated as below 428

Figure 1 1 igmp snooping 428

Layer 2 multicast protocol for ipv4 igmp snooping 428

Layer 2 multicast protocol for ipv6 mld snooping 428

On the layer 2 device igmp snooping transmits data on demand on data link layer by analyzing igmp packets between layer 3 devices and users to build and maintain layer 2 multicast forwarding table 428

On the layer 2 device mld snooping multicast listener discovery snooping transmits data on demand on data link layer by analyzing igmp packets between layer 3 devices and users to build and maintain layer 2 multicast forwarding table 428

Supported layer 2 multicast protocols 428

Configuring igmp snooping globally 429

Igmp snooping configurations 429

Using the gui 429

Click apply 430

Configure unknown multicast as forward or discard 430

Configuring router port time and member port time 430

Enable or disable report message suppression globally 430

Enabling report message suppression can reduce the number of packets in the network 430

Follow these steps to configure report message suppression 430

Follow these steps to configure the aging time of the router ports and the member ports 430

Follow these steps to configure unknown multicast 430

Optional configuring report message suppression 430

Snooping config page at the same time 430

Specify the aging time of the member ports 430

Specify the aging time of the router ports 430

Click apply 431

Configure the last listener query interval and last listener query count when the switch receives an igmp leave message if specified count of multicast address specific queries masqs are sent and no report message is received the switch will delete the multicast address from the multicast forwarding table 431

Configuring igmp snooping last listener query 431

Follow these steps to configure last listener query interval and last listener query count in the global config section 431

Igmp snooping status table displays vlans and ports with igmp snooping enabled 431

Specify the interval between masqs 431

Specify the number of masqs to be sent 431

Verifying igmp snooping status 431

Configuring the port s basic igmp snooping features 432

Enabling igmp snooping on the port 432

Optional configuring fast leave 432

Configuring igmp snooping globally in the vlan 433

Configuring igmp snooping in the vlan 433

Click create 434

Configure the forbidden router ports in the designate vlan 434

Configure the router ports in the designate vlan 434

Configuring the multicast vlan 434

Follow these steps to configure static router ports in the designate vlan 434

Follow these steps to forbid the selected ports to be the router ports in the designate vlan 434

In old multicast transmission mode when users in different vlans apply for data from the same multicast group the layer 3 device will duplicate this multicast data and deliver copies to the layer 2 devices 434

Optional configuring the forbidden router ports in the vlan 434

Optional configuring the static router ports in the vlan 434

With multicast vlan configured all multicast group members will be added to a vlan layer 3 device only need to send one piece of multicast data to a layer 2 device and the layer 2 device will send the data to all member ports of the vlan in this way multicast vlan saves bandwidth and reduces network load of layer 3 devices 434

Creating multicast vlan and configuring basic settings 435

Enable multicast vlan configure the specific vlan to be the multicast vlan and configure the router port time and member port time 435

In the multicast vlan section follow these steps to enable multicast vlan and to finish the basic settings 435

Multicast vlan to load the following page 435

Set up the vlan that the router ports and the member ports are in for details please refer to configuring 802 q vlan 435

Click apply 436

Configure the new multicast source ip 436

Configure the router ports in the designate vlan 436

Configure the router ports in the multicast vlan 436

Follow these steps to configure static router ports in the multicast vlan 436

Follow these steps to forbid the selected ports to be the router ports in the multicast vlan 436

Optional configuring the forbidden router ports 436

Optional configuring the static router ports 436

Optional creating replace source ip 436

This function allows you to use a new ip instead of the source ip to send data to multicast group members in the multicast vlan section follow these steps to configure replace source ip 436

This table displays all the dynamic router ports in the multicast vlan 436

Viewing dynamic router ports in the multicast vlan 436

Click add 437

Configuring the querier 437

Follow these steps to configure the querier 437

Optional configuring the querier 437

Querier config to load the following page 437

Specify a vlan and configure the querier on this vlan 437

The igmp snooping querier table displays all the related settings of the igmp querier 437

Viewing settings of igmp querier 437

You can edit the settings in the igmp snooping querier table 437

Click create 438

Configuring igmp profile 438

Create a profile and configure its filtering mode 438

Creating profile 438

Enter the search condition in the search option field to search the profile in the igmp profile info table 438

Follow these steps to create a profile and configure its filtering mode 438

Profile config to load the following page 438

Searching profile 438

Binding profile and member ports 439

Click edit in the igmp profile info table edit its ip range and click add to save the settings 439

Click submit to save the settings click back to go back to the previous page 439

Editing ip range of the profile 439

Follow these steps to edit profile mode and its ip range 439

In the ip range table you can select an ip range and click delete to delete an ip range 439

Profile binding to load the following page 439

Binding profile and member ports 440

Click apply 440

Configuring max groups a port can join 440

Follow these steps to bind the profile to the port 440

Follow these steps to configure the maximum groups a port can join and overflow action 440

Select a port to configure its max group and overflow action 440

Select the port to be bound and enter the profile id in the profile id column 440

Click apply 441

Configuring auto refresh 441

Enable or disable auto refresh 441

Follow these steps to configure auto refresh 441

Packet statistic to load the following page 441

Viewing igmp statistics on each port 441

Click apply 442

Enabling igmp accounting and authentication 442

Igmp authentication to load the following 442

The igmp statistics table displays all kinds of igmp statistics of all the ports 442

Viewing igmp statistics 442

Configuring igmp accounting globally 443

Configuring igmp authentication on the port 443

Configuring static member port 443

Click create 444

Configuring static member port 444

Enter the multicast ip and vlan id specify the static member port 444

Follow these steps to configure static member port 444

Static multicast ip table displays details of all igmp static multicast groups 444

Viewing igmp static multicast groups 444

You can search igmp static multicast entries by using multicast ip vlan id or forward port as the search option 444

Enabling igmp snooping globally 445

Enabling igmp snooping on the port 445

Switch config ip igmp snooping 445

Switch configure 445

The following example shows how to enable igmp snooping globally and enable igmp snooping on port 1 0 3 445

Using the cli 445

Configuring igmp snooping parameters globally 446

Configuring report message suppression 446

Enable port gi1 0 3 446

Enable vlan 446

Global authentication accounting disable 446

Global member age time 260 446

Global report suppression disable 446

Global router age time 300 446

Igmp snooping enable 446

Last query interval 1 446

Last query times 2 446

Switch config if end 446

Switch config if ip igmp snooping 446

Switch config if show ip igmp snooping 446

Switch config interface gigabitethernet 1 0 3 446

Switch copy running config startup config 446

Unknown multicast pass 446

Configuring unknown multicast 447

Enable port 447

Enable vlan 447

Global authentication accounting disable 447

Global member age time 260 447

Global report suppression enable 447

Global router age time 300 447

Igmp snooping enable 447

Last query interval 1 447

Last query times 2 447

Switch config if end 447

Switch config ip igmp snooping 447

Switch config ip igmp snooping report suppression 447

Switch config show ip igmp snooping 447

Switch configure 447

Switch copy running config startup config 447

The following example shows how to enable report message suppression 447

Unknown multicast pass 447

Configuring igmp snooping parameters on the port 448

Configuring router port time and member port time 448

Configuring fast leave 449

Enable port 449

Enable vlan 449

Global authentication accounting disable 449

Global member age time 200 449

Global report suppression disable 449

Global router age time 200 449

Igmp snooping enable 449

Last query interval 1 449

Last query times 2 449

Switch config if end 449

Switch config ip igmp snooping 449

Switch config ip igmp snooping mtime 200 449

Switch config ip igmp snooping rtime 200 449

Switch config show ip igmp snooping 449

Switch configure 449

Switch copy running config startup config 449

The following example shows how to configure the global router port time and member port time as 200 seconds 449

Unknown multicast pass 449

Configuring max group and overflow action on the port 450

Gi1 0 3 enable enable 450

Port igmp snooping fast leave 450

Switch config if end 450

Switch config if ip igmp snooping 450

Switch config if ip igmp snooping immediate leave 450

Switch config if show ip igmp snooping interface gigabitethernet 1 0 3 basic config 450

Switch config interface gigabiteternet 1 0 3 450

Switch config ip igmp snooping 450

Switch configure 450

Switch copy running config startup config 450

The following example shows how to enable fast leave on port 1 0 3 450

Configuring igmp snooping last listener query 451

Gi1 0 3 500 drop 451

Port max groups overflow action 451

Switch config if end 451

Switch config if ip igmp snooping 451

Switch config if ip igmp snooping max groups 500 451

Switch config if ip igmp snooping max groups action drop 451

Switch config if show ip igmp snooping interface gigabitethernet 1 0 3 max groups 451

Switch config interface gigabiteternet 1 0 3 451

Switch config ip igmp snooping 451

Switch configure 451

Switch copy running config startup config 451

The following example shows how to configure the max group as 500 and the overflow action as drop on port 1 0 3 451

Enable port 452

Enable vlan 452

Global authentication accounting disable 452

Global member age time 260 452

Global report suppression disable 452

Global router age time 300 452

Igmp snooping enable 452

Last query interval 5 452

Last query times 5 452

Switch config end 452

Switch config ip igmp snooping 452

Switch config ip igmp snooping last listener query count 5 452

Switch config ip igmp snooping last listener query interval 5 452

Switch config show ip igmp snooping 452

Switch configure 452

Switch copy running config startup config 452

The following example shows how to configure the last listener query count as 5 and the last listener query interval as 5 seconds 452

Unknown multicast pass 452

Configuring igmp snooping parameters in the vlan 453

Configuring router port time and member port time 453

Dynamic router port none 453

Forbidden router port none 453

Member time 400 453

Router time 500 453

Static router port none 453

Switch config ip igmp snooping 453

Switch config ip igmp snooping vlan config 2 3 mtime 400 453

Switch config ip igmp snooping vlan config 2 3 rtime 500 453

Switch config show ip igmp snooping vlan 2 453

Switch config show ip igmp snooping vlan 3 453

Switch configure 453

The following example shows how to enable igmp snooping in vlan 2 and vlan 3 configure the router port time as 500 seconds and the member port time as 400 seconds 453

Vlan id 2 453

Vlan id 3 453

Configuring static router port 454

Dynamic router port none 454

Forbidden router port none 454

Member time 0 454

Member time 400 454

Router time 0 454

Static router port gi1 0 2 454

Static router port none 454

Switch config end 454

Switch config ip igmp snooping 454

Switch config ip igmp snooping vlan config 2 rport interface gigabitethernet 1 0 2 454

Switch config show ip igmp snooping vlan 2 454

Switch configure 454

Switch copy running config startup config 454

The following example shows how to enable igmp snooping in vlan 2 and configure port 1 0 2 as the static router port 454

Vlan id 2 454

Configuring forbidden router port 455

Dynamic router port none 455

Forbidden router port gi1 0 4 6 455

Member time 0 455

Router time 0 455

Static router port none 455

Switch config end 455

Switch config ip igmp snooping 455

Switch config ip igmp snooping vlan config 2 router ports forbidden interface gigabitethernet 1 0 4 6 455

Switch config show ip igmp snooping vlan 2 455

Switch configure 455

Switch copy running config startup config 455

The following example shows how to enable igmp snooping in vlan 2 and forbid port 1 0 4 6 from becoming router ports port 1 0 4 6 will drop all multicast data from layer 3 devices 455

Vlan id 2 455

2 static gi1 0 9 10 456

Configuring igmp snooping parameters in the multicast vlan 456

Configuring router port time and member port time 456

Configuring static multicast multicast ip and forward port 456

Multicast ip vlan id addr type switch port 456

Switch config end 456

Switch config ip igmp snooping 456

Switch config ip igmp snooping vlan config 2 static 226 interface gigabitethernet 1 0 9 10 456

Switch config show ip igmp snooping groups static 456

Switch configure 456

Switch copy running config startup config 456

The following example shows how to configure 226 as the static multicast ip and specify port 1 0 9 10 as the forward ports 456

Configuring static router port 457

Dynamic router port none 457

Forbidden router port none 457

Member time 400 457

Multicast vlan enable 457

Replace source ip 0 457

Router time 500 457

Static router port none 457

Switch config end 457

Switch config ip igmp snooping 457

Switch config ip igmp snooping multi vlan config 5 mtime 400 457

Switch config ip igmp snooping multi vlan config 5 rtime 500 457

Switch config show ip igmp snooping multi vlan 457

Switch configure 457

Switch copy running config startup config 457

The following example shows how to configure vlan 5 as the multicast vlan set the router port time as 500 seconds and the member port time as 400 seconds 457

Vlan id 5 457

Configuring forbidden router port 458

Dynamic router port none 458

Forbidden router port none 458

Member time 260 458

Multicast vlan enable 458

Replace source ip 0 458

Router time 300 458

Static router port gi1 0 5 458

Switch config end 458

Switch config ip igmp snooping 458

Switch config ip igmp snooping multi vlan config 5 rport interface gigabitethernet 1 0 5 458

Switch config show ip igmp snooping multi vlan 458

Switch configure 458

Switch copy running config startup config 458

The following example shows how to configure vlan 5 as the multicast vlan and set port 1 0 5 as the static router port 458

Vlan id 5 458

Configuring replace source ip 459

Dynamic router port none 459

Forbidden router port gi1 0 6 459

Member time 260 459

Multicast vlan enable 459

Replace source ip 0 459

Router time 300 459

Static router port none 459

Switch config end 459

Switch config ip igmp snooping 459

Switch config ip igmp snooping multi vlan config 5 router ports forbidden interface gigabitethernet 1 0 6 459

Switch config show ip igmp snooping multi vlan 459

Switch configure 459

Switch copy running config startup config 459

The following example shows how to configure vlan 5 as the multicast vlan and set port 1 0 6 as the forbidden router port 459

Vlan id 5 459

Configuring the querier 460

Dynamic router port none 460

Enabling igmp querier 460

Forbidden router port none 460

Member time 260 460

Multicast vlan enable 460

Replace source ip 192 68 460

Router time 300 460

Static router port none 460

Switch config end 460

Switch config ip igmp snooping 460

Switch config ip igmp snooping multi vlan config 5 replace sourceip 192 68 460

Switch config show ip igmp snooping multi vlan 460

Switch configure 460

Switch copy running config startup config 460

The following example shows how to configure vlan 5 as the multicast vlan and replace the source ip in the igmp packets sent by the switch with 192 68 460

Vlan id 5 460

Configuring query interval max response time and general query source ip 461

General query source ip 192 68 461

Maximum response time 10 461

Query interval 60 461

Switch config end 461

Switch config ip igmp snooping 461

Switch config ip igmp snooping querier vlan 4 461

Switch config show ip igmp snooping querier 461

Switch configure 461

Switch copy running config startup config 461

The following example shows how to enable igmp snooping and igmp querier in vlan 4 461

Vlan 4 461

Configuring multicast filtering 462

Creating profile 462

Binding profile to the port 463

Igmp profile 1 463

Range 226 226 0 463

Switch config end 463

Switch config igmp profile deny 463

Switch config igmp profile range 226 226 0 463

Switch config igmp profile show ip igmp profile 463

Switch config ip igmp profile 1 463

Switch config ip igmp snooping 463

Switch configure 463

Switch copy running config startup config 463

The following example shows how to configure profile 1 so that the switch filters multicast data sent to 226 226 0 463

Binding port s 464

Gi1 0 2 464

Igmp profile 1 464

Range 226 226 0 464

Switch config end 464

Switch config if ip igmp filter 1 464

Switch config if ip igmp snooping 464

Switch config if show ip igmp profile 464

Switch config igmp profile deny 464

Switch config igmp profile exit 464

Switch config igmp profile range 226 226 0 464

Switch config interface gigabitethernet 1 0 2 464

Switch config ip igmp profile 1 464

Switch config ip igmp snooping 464

Switch configure 464

Switch copy running config startup config 464

The following example shows how to bind profile 1 to port 1 0 2 so that port 1 0 2 filters multicast data sent to 226 226 0 464

Enabling igmp accounting and authentication 465

Enabling igmp authentication on the port 465

Gi1 0 2 enable 465

Port igmp authentication 465

Switch config end 465

Switch config if ip igmp snooping 465

Switch config if ip igmp snooping authentication 465

Switch config if show ip igmp snooping interface gigabitethernet 1 0 2 authentication 465

Switch config interface gigabitethernet 1 0 2 465

Switch config ip igmp snooping 465

Switch configure 465

Switch copy running config startup config 465

The following example shows how to enable igmp authentication on port 1 0 2 465

Enabling igmp accounting globally 466

Configuring mld snooping 467

Configuring mld snooping globally 467

Using the gui 467

Click apply 468

Configure unknown multicast as forward or discard 468

Configuring router port time and member port time 468

Enable or disable report message suppression globally 468

Enabling report message suppression can reduce the number of packets in the network 468

Follow these steps to configure report message suppression 468

Follow these steps to configure the aging time of the router ports and the member ports 468

Follow these steps to configure unknown multicast 468

Optional configuring report message suppression 468

Snooping config page at the same time 468

Specify the aging time of the member ports 468

Specify the aging time of the router ports 468

Click apply 469

Configure the last listener query interval and last listener query count when the switch receives an mld leave message if specified count of multicast address specific queries masqs are sent and no report message is received the switch will delete the multicast address from the multicast forwarding table 469

Configuring mld snooping last listener query 469

Follow these steps to configure last listener query interval and last listener query count in the global config section 469

Mld snooping status table displays vlans and ports with mld snooping enabled 469

Specify the interval between masqs 469

Specify the number of masqs to be sent 469

Verifying mld snooping status 469

Configuring the port s basic mld snooping features 470

Enabling mld snooping on the port 470

Optional configuring fast leave 470

Configuring mld snooping globally in the vlan 471

Configuring mld snooping in the vlan 471

Click create 472

Configure the forbidden router ports in the designate vlan 472

Configure the router ports in the designate vlan 472

Configuring the multicast vlan 472

Follow these steps to configure static router ports in the designate vlan 472

Follow these steps to forbid the selected ports to be the router ports in the designate vlan 472

In old multicast transmission mode when users in different vlans apply for data from the same multicast group the layer 3 device will duplicate this multicast data and deliver copies to the layer 2 devices 472

Optional configuring the forbidden router ports in the vlan 472

Optional configuring the static router ports in the vlan 472

With multicast vlan configured all multicast group members will be added to a vlan layer 3 device only need to send one piece of multicast data to a layer 2 device and the layer 2 device will send the data to all member ports of the vlan in this way multicast vlan saves bandwidth and reduces network load of layer 3 devices 472

Creating multicast vlan and configuring basic settings 473

Enable multicast vlan configure the specific vlan to be the multicast vlan and configure the router port time and member port time 473

In the multicast vlan section follow these steps to enable multicast vlan and to finish the basic settings 473

Multicast vlan to load the following page 473

Set up the vlan that the router ports and the member ports are in for details please refer to configuring 802 q vlan 473

Click apply 474

Configure the new multicast source ip 474

Configure the router ports in the designate vlan 474

Configure the router ports in the multicast vlan 474

Follow these steps to configure static router ports in the multicast vlan 474

Follow these steps to forbid the selected ports to be the router ports in the multicast vlan 474

Optional configuring the forbidden router ports 474

Optional configuring the static router ports 474

Optional creating replace source ip 474

This function allows you to use a new ip instead of the source ip to send data to multicast group members in the multicast vlan section follow these steps to configure replace source ip 474

This table displays all the dynamic router ports in the multicast vlan 474

Viewing dynamic router ports in the multicast vlan 474

Click add 475

Configuring the querier 475

Follow these steps to configure the querier 475

Optional configuring the querier 475

Querier config to load the following page 475

Specify a vlan and configure the querier on this vlan 475

The mld snooping querier table displays all the related settings of the mld querier 475

Viewing settings of mld querier 475

You can edit the settings in the mld snooping querier table 475

Click create 476

Configuring mld profile 476

Create a profile and configure its filtering mode 476

Creating profile 476

Enter the search condition in the search option field to search the profile in the mld profile info table 476

Follow these steps to create a profile and configure its filtering mode 476

Profile config to load the following page 476

Searching profile 476

Editing ip range of the profile 477

Binding profile and member ports 478

Click apply 478

Follow these steps to bind the profile to the port 478

Profile binding to load the following page 478

Select the port to be bound and enter the profile id in the profile id column 478

Click apply 479

Configuring max groups a port can join 479

Follow these steps to configure the maximum groups a port can join and overflow action 479

Select a port to configure its max group and overflow action 479

Click apply 480

Configuring auto refresh 480

Enable or disable auto refresh 480

Follow these steps to configure auto refresh 480

Packet statistic to load the following page 480

The mld statistics table displays all kinds of mld statistics of all the ports 480

Viewing mld statistics 480

Viewing mld statistics on each port 480

Configuring static member port 481

Viewing mld static multicast groups 481

Enabling mld snooping globally 482

Enabling mld snooping on the port 482

Switch config interface gigabitethernet 1 0 3 482

Switch config ipv6 mld snooping 482

The following example shows how to enable mld snooping globally and enable mld snooping switch configure 482

Using the cli 482

Configuring mld snooping parameters globally 483

Configuring report message suppression 483

Enable port gi1 0 3 483

Enable vlan 483

Global member age time 260 483

Global report suppression disable 483

Global router age time 300 483

Last query interval 1 483

Last query times 2 483

Mld snooping enable 483

Switch config if end 483

Switch config if ipv6 mld snooping 483

Switch config if show ipv6 mld snooping 483

Switch config ipv6 mld snooping 483

Switch configure 483

Switch copy running config startup config 483

The following example shows how to enable report message suppression 483

Unknown multicast pass 483

Configuring unknown multicast 484

Enable port 484

Enable vlan 484

Global member age time 260 484

Global report suppression enable 484

Global router age time 300 484

Igmp snooping and mld snooping share the setting of unknown multicast so you have to enable igmp snooping globally at the same time 484

Last query interval 1 484

Last query times 2 484

Mld snooping enable 484

Switch config end 484

Switch config ipv6 mld snooping 484

Switch config ipv6 mld snooping report suppression 484

Switch config show ipv6 mld snooping 484

Switch configure 484

Switch copy running config startup config 484

The following example shows how to configure the switch to discard unknown multicast data 484

Unknown multicast pass 484

Configuring mld snooping parameters on the port 485

Configuring router port time and member port time 485

Enable port 485

Enable vlan 485

Global member age time 260 485

Global report suppression disable 485

Global router age time 300 485

Last query interval 1 485

Last query times 2 485

Mld snooping enable 485

Switch config end 485

Switch config ip igmp snooping 485

Switch config ipv6 mld snooping drop unknown 485

Switch config show ipv6 mld snooping 485

Switch configure 485

Switch copy running config startup config 485

The following example shows how to configure the global router port time and member port time as 200 seconds 485

Unknown multicast discard 485

Configuring fast leave 486

Enable port 486

Enable vlan 486

Global member age time 200 486

Global report suppression disable 486

Global router age time 200 486

Last query interval 1 486

Last query times 2 486

Mld snooping enable 486

Switch config end 486

Switch config ipv6 mld snooping 486

Switch config ipv6 mld snooping mtime 200 486

Switch config ipv6 mld snooping rtime 200 486

Switch config show ipv6 mld snooping 486

Switch copy running config startup config 486

Unknown multicast pass 486

Configuring max group and overflow action on the port 487

Gi1 0 3 enable enable 487

Port mld snooping fast leave 487

Switch config if end 487

Switch config if ipv6 mld snooping 487

Switch config if ipv6 mld snooping immediate leave 487

Switch config if show ipv6 mld snooping interface gigabitethernet 1 0 3 basic config 487

Switch config interface gigabiteternet 1 0 3 487

Switch config ipv6 mld snooping 487

Switch configure 487

Switch copy running config startup config 487

The following example shows how to enable fast leave on port 1 0 3 487

Configuring mld snooping last listener query 488

Gi1 0 3 500 drop 488

Port max groups overflow action 488

Switch config if end 488

Switch config if ipv6 mld snooping 488

Switch config if ipv6 mld snooping max groups 500 488

Switch config if ipv6 mld snooping max groups action drop 488

Switch config if show ipv6 mld snooping interface gigabitethernet 1 0 3 max groups 488

Switch config interface gigabiteternet 1 0 3 488

Switch config ipv6 mld snooping 488

Switch configure 488

Switch copy running config startup config 488

The following example shows how to configure the max group as 500 and the overflow action as drop on port 1 0 3 488

Configuring mld snooping parameters in the vlan 489

Configuring router port time and member port time 489

Enable port 489

Enable vlan 489

Global member age time 260 489

Global report suppression disable 489

Global router age time 300 489

Last query interval 5 489

Last query times 5 489

Mld snooping enable 489

Switch config end 489

Switch config ipv6 mld snooping 489

Switch config ipv6 mld snooping last listener query count 5 489

Switch config ipv6 mld snooping last listener query interval 5 489

Switch config show ipv6 mld snooping 489

Switch configure 489

Switch copy running config startup config 489

The following example shows how to configure the last listener query count as 5 and the last listener query interval as 5 seconds 489

Unknown multicast pass 489

Configuring static router port 490

Configuring forbidden router port 491

Dynamic router port none 491

Forbidden router port none 491

Member time 0 491

Router time 0 491

Static router port gi1 0 2 491

Switch config end 491

Switch config ipv6 mld snooping 491

Switch config ipv6 mld snooping vlan config 2 rport interface gigabitethernet 1 0 2 491

Switch config show ipv6 mld snooping vlan 2 491

Switch configure 491

Switch copy running config startup config 491

The following example shows how to enable mld snooping in vlan 2 and configure port 1 0 2 as the static router port 491

Vlan id 2 491

Configuring static multicast multicast ip and forward port 492

Dynamic router port none 492

Forbidden router port gi1 0 4 6 492

Member time 0 492

Router time 0 492

Static router port none 492

Switch config 492

Switch config end 492

Switch config ipv6 mld snooping 492

Switch config ipv6 mld snooping vlan config 2 router ports forbidden interface gigabitethernet 1 0 4 6 492

Switch config show ipv6 mld snooping vlan 2 492

Switch copy running config startup config 492

The following example shows how to enable mld snooping in vlan 2 and forbid port 1 0 4 6 from becoming router ports port 1 0 4 6 will drop all multicast data from layer 3 devices 492

Vlan id 2 492

Configuring mld snooping parameters in the multicast vlan 493

Configuring router port time and member port time 493

Ff01 1234 02 2 static gi1 0 9 10 493

Multicast ip vlan id addr type switch port 493

Switch config end 493

Switch config ipv6 mld snooping 493

Switch config ipv6 mld snooping vlan config 2 static ff01 1234 02 interface gigabitethernet 1 0 9 10 493

Switch config show ipv6 mld snooping groups static 493

Switch configure 493

Switch copy running config startup config 493

The following example shows how to configure ff01 1234 02 as the static multicast ip and specify port 1 0 9 10 as the forward ports 493

Configuring static router port 494

Dynamic router port none 494

Forbidden router port none 494

Member time 400 494

Multicast vlan enable 494

Replace source ip 494

Router time 500 494

Static router port none 494

Switch config end 494

Switch config ipv6 mld snooping 494

Switch config ipv6 mld snooping multi vlan config 5 mtime 400 494

Switch config ipv6 mld snooping multi vlan config 5 rtime 500 494

Switch config show ipv6 mld snooping multi vlan 494

Switch configure 494

Switch copy running config startup config 494

The following example shows how to configure vlan 5 as the multicast vlan set the router port time as 500 seconds and the member port time as 400 seconds 494

Vlan id 5 494

Configuring forbidden router port 495

Dynamic router port none 495

Forbidden router port none 495

Member time 260 495

Multicast vlan enable 495

Replace source ip 495

Router time 300 495

Static router port gi1 0 5 495

Switch config end 495

Switch config ipv6 mld snooping 495

Switch config ipv6 mld snooping multi vlan config 5 rport interface gigabitethernet 1 0 5 495

Switch config show ipv6 mld snooping multi vlan 495

Switch configure 495

Switch copy running config startup config 495

The following example shows how to configure vlan 5 as the multicast vlan and set port 1 0 5 as the static router port 495

Vlan id 5 495

Configuring replace source ip 496

Dynamic router port none 496

Forbidden router port gi1 0 6 496

Member time 260 496

Multicast vlan enable 496

Replace source ip 496

Router time 300 496

Static router port none 496

Switch config end 496

Switch config ipv6 mld snooping 496

Switch config ipv6 mld snooping multi vlan config 5 router ports forbidden interface gigabitethernet 1 0 6 496

Switch config show ipv6 mld snooping multi vlan 496

Switch configure 496

Switch copy running config startup config 496

The following example shows how to configure vlan 5 as the multicast vlan and set port 1 0 6 as the forbidden router port 496

Vlan id 5 496

Configuring the querier 497

Dynamic router port none 497

Enabling mld querier 497

Forbidden router port none 497

Member time 260 497

Multicast vlan enable 497

Replace source ip fe80 2ff ffff fe00 1 497

Router time 300 497

Static router port none 497

Switch config end 497

Switch config ipv6 mld snooping 497

Switch config ipv6 mld snooping multi vlan config 5 replace sourceip fe80 02ff ffff fe00 0001 497

Switch config show ipv6 mld snooping multi vlan 497

Switch configure 497

Switch copy running config startup config 497

The following example shows how to configure vlan 5 as the multicast vlan and replace the source ip in the mld packets sent by the switch with fe80 02ff ffff fe00 0001 497

Vlan id 5 497

Configuring query interval max response time and general query source ip 498

General query source ip fe80 2ff ffff fe00 1 498

Maximum response time 10 498

Query interval 60 498

Switch config end 498

Switch config ipv6 mld snooping 498

Switch config ipv6 mld snooping querier vlan 4 498

Switch config show ipv6 mld snooping querier 498

Switch configure 498

Switch copy running config startup config 498

The following example shows how to enable mld snooping and mld querier in vlan 4 498

The following example shows how to enable mld snooping and mld querier in vlan 4 set the query interval as 100 seconds the max response time as 20 seconds and the general query source ip as fe80 2ff ffff fe00 1 498

Vlan 4 498

Configuring multicast filtering 499

Creating profile 499

General query source ip fe80 2ff ffff fe00 1 499

Maximum response time 20 499

Query interval 100 499

Switch config end 499

Switch config ipv6 mld snooping 499

Switch config ipv6 mld snooping querier vlan 4 general query source ip fe80 2ff ffff fe00 1 499

Switch config ipv6 mld snooping querier vlan 4 max response time 20 499

Switch config ipv6 mld snooping querier vlan 4 query interval 100 499

Switch config show ipv6 mld snooping querier 499

Switch copy running config startup config 499

Vlan 4 499

Binding profile to the port 500

Mld profile 1 500

Range ff01 1234 5 ff01 1234 8 500

Switch config end 500

Switch config ipv6 mld profile 1 500

Switch config ipv6 mld snooping 500

Switch config mld profile deny 500

Switch config mld profile range ff01 1234 5 ff01 1234 8 500

Switch config mld profile show ipv6 mld profile 500

Switch configure 500

Switch copy running config startup config 500

The following example shows how to configure profile 1 so that the switch filters multicast data sent to ff01 1234 5 ff01 1234 8 500

Using the gui 502

Viewing ipv4 multicast snooping configurations 502

Viewing multicast snooping configurations 502

Ipv6 multicast table to view all valid multicast ip vlan port entries 503

Using the cli 503

Viewing ipv4 multicast snooping configurations 503

Viewing ipv6 multicast snooping configurations 503

Viewing ipv6 multicast snooping configurations 504

Configuration examples 506

Configuration scheme 506

Example for configuring basic igmp snooping 506

Network requirements 506

Using the gui 507

Vlan config to load the following page create vlan 10 and add untagged port 1 0 1 3 and tagged port 1 0 4 to vlan 10 508

Using the cli 510

Verify the configurations 511

Configuration scheme 512

Example for configuring multicast vlan 512

Network requirements 512

Network topology 512

Demonstrated with t2600g 28ts this section provides configuration procedures in two ways using the gui and using the cli 513

Internet 513

Snooping config to load the following page enable igmp snooping globally and keep the default values in the router port time and member port time fields 513

Using the gui 513

Snooping config to load the following page enable igmp snooping on port 1 0 1 4 514

Using the cli 516

Verify the configurations 517

Example for configuring unknown multicast and fast leave 518

Network requirement 518

Configuration scheme 519

Using the gui 519

Port config to load the following page enable igmp snooping on port 1 0 2 and port 1 0 4 and enable fast leave on port 1 0 2 520

Vlan config to load the following page enable igmp snooping in vlan 10 521

Using the cli 522

Verify the configurations 522

Configuration scheme 523

Example for configuring multicast filtering 523

Network requirements 523

Network topology 523

Demonstrated with t2600g 28ts this section provides configuration procedures in two ways using the gui and using the cli 524

Internet 524

Snooping config to load the following page enable igmp snooping globally and keep the default values in the router port time and member port time fields 524

Using the gui 524

Snooping config to load the following page 525

Using the cli 531

Verify the configurations 533

Appendix default parameters 534

Default parameters for igmp snooping 534

Default parameters for mld snooping 535

Chapters 537

Configuring logical interfaces 537

Part 18 537

Interfaces of a device are used to exchange data and interact with interfaces of other network devices interfaces are classified into physical interfaces and logical interfaces 538

Logical interfaces are manually configured and do not physically exist such as loopback interfaces and routing interfaces 538

Overview 538

Physical interfaces are the ports on the front panel or rear panel of the switch 538

This chapter introduces the configurations for logical interfaces the supported types of logical interfaces are shown as below 538

Creating a layer 3 interface 539

Logical interfaces configurations 539

Using the gui 539

Configuring ipv4 parameters of the interface 540

Figure 2 540

In the interface list section you can view the corresponding interface entry you create 540

In the modify interface section specify an interface id and configure relevant parameters for the interface according to your actual needs then click apply 540

List section on the corresponding interface entry click edit to load the following page and configure the ipv4 parameters of the interface 540

You can view the corresponding interface entry you create in the interface 540

Configuring ipv6 parameters of the interface 541

Figure 2 541

In the secondary ip create section configure the secondary ip for the specified interface which allows you to have two logical subnets using one physical subnet then click create 541

In the secondary ip list section you can view the corresponding secondary ip entry you create 541

List section on the corresponding interface entry click edit ipv6 to load the following page and configure the ipv6 parameters of the interface 541

You can view the corresponding interface entry you create in the interface 541

Configure the ipv6 link local address of the interface manually or automatically in the link local address config section then click apply 542

Enable ipv6 function on the interface of switch in the general config section then click apply 542

Configure one or more ipv6 global addresses of the interface via following three ways 543

Manually 543

Via dhcpv6 server 543

Via ra message 543

View the global address entry in the global address table 543

Creating a layer 3 interface 544

Figure 2 544

Follow these steps to create a layer 3 interface you can create a vlan interface a loopback interface a routed port or a port channel interface according to your needs 544

List section on the corresponding interface entry click detail to load the following page and view the detail information of the interface 544

Using the cli 544

Viewing detail information of the interface 544

You can view the corresponding interface entry you create in the interface 544

Switch config if description vlan 2 545

Switch config if end 545

Switch config interface vlan 2 545

Switch configure 545

Switch copy running config startup config 545

The following example shows how to create a vlan interface with a description of vlan 2 545

Configuring ipv4 parameters of the interface 546

Follow these steps to configure the ipv4 parameters of the interface 546

Switch config if ip address 192 68 00 255 55 55 546

Switch config if no switchport 546

Switch config if show ip interface brief 546

Switch config interface gigabitethernet 1 0 1 546

Switch configure 546

The following example shows how to configure the ipv4 parameters of a routed port including setting a static ip address for the port and enabling the layer 3 capabilities 546

Configuring ipv6 parameters of the interface 547

Follow these steps to configure the ipv6 parameters of the interface 547

Interface ip address method status protocol shutdown gi1 0 1 192 68 00 24 static up up no 547

Switch config if end 547

Switch copy running config startup config 547

Global address dhcpv6 enable 548

Global address ra disable 548

Global unicast address es ff02 1 ff13 237b 548

Ipv6 is enable link local address fe80 20a ebff fe13 237bnor 548

Joined group address es ff02 1 548

Switch config if ipv6 address autoconfig 548

Switch config if ipv6 address dhcp 548

Switch config if ipv6 enable 548

Switch config if show ipv6 interface 548

Switch config interface vlan 2 548

Switch configure 548

The following example shows how to enable the ipv6 function and configure the ipv6 parameters of a vlan interface 548

Vlan2 is up line protocol is up 548

Appendix default parameters 550

Default settings of interface are listed in the following tables 550

Chapters 551

Configuring static routing 551

Part 19 551

Overview 552

In the ipv4 static route table section you can view and modify the ipv4 static routing entries 553

In the ipv4 static routing config section configure the corresponding parameters to add an ipv4 static route then click create 553

Ipv4 static routing config to load the following page 553

Ipv4 static routing configuration 553

Using the gui 553

C 192 68 24 is directly connected vlan1 554

Candidate default 554

Codes c connected s static 554

Follow these steps to create an ipv4 static route 554

S 192 68 24 1 0 via 192 68 vlan1 554

Switch config end 554

Switch config ip route 192 68 255 55 55 192 68 554

Switch config show ip route 554

Switch configure 554

Switch copy running config startup config 554

The following example shows how to create an ipv4 static route with the destination ip address as 192 68 the subnet mask as 255 55 55 and the next hop address as 192 68 554

Using the cli 554

Ipv6 static routing configuration 555

Using the gui 555

C 3000 64 is directly connected vlan1 556

Candidate default 556

Codes c connected s static 556

Follow these steps to enable ipv6 routing function and create an ipv6 static route 556

S 3200 64 1 0 via 3100 1234 vlan2 556

Switch config end 556

Switch config ipv6 route 3200 64 3100 1234 556

Switch config show ipv6 route static 556

Switch configure 556

Switch copy running config startup config 556

The following example shows how to create an ipv6 static route with the destination ip address as 3200 64 and the next hop address as 3100 1234 556

Using the cli 556

Using the gui 557

Viewing ipv4 routing table 557

Viewing routing table 557

Ipv6 routing table to load the following page 558

On privileged exec mode or any other configuration mode you can use the following command to view ipv4 routing table 558

Using the cli 558

View the ipv6 routes in the ipv6 routing information summary section 558

Viewing ipv4 routing table 558

Viewing ipv6 routing table 558

On privileged exec mode or any other configuration mode you can use the following command to view ipv6 routing table 559

Viewing ipv6 routing table 559

Configuration scheme 560

Example for static routing 560

Network requirements 560

Using the gui 560

Using the cli 561

Verify the configurations 562

Appendix default parameter 564

Default setting of static routing is listed in the following table 564

Chapters 565

Configuring dhcp 565

Part 20 565

Dhcp client 566

Dhcp server 566

Overview 566

Supported features 566

Dhcp relay 567

As the following figure shows no ip addresses are assigned to vlan 10 and vlan 20 but a default relay agent interface is configured with the ip address 192 68 24 the switch uses ip address of the default agent interface 192 68 24 to apply for ip addresses for clients in both vlan 10 and vlan 20 as a result the dhcp server will assign ip addresses on 192 68 24 the same subnet with the ip address of the default agent interface to clients in both vlan 10 and vlan 20 568

Dhcp vlan relay 568

Dhcp vlan relay allows clients in different vlans to obtain ip addresses from the dhcp server using a single agent interface ip address 568

In dhcp interface relay to assign ip addresses to clients in different vlans you need to create a layer 3 interface for each vlan to ensure the reachability 568

In dhcp vlan relay you can simply specify a layer 3 interface as default agent interface for all vlans the swith will fill this default agent interface s ip address in the relay agent ip address field of the dhcp packets from all vlans 568

Dhcp l2 relay 569

Unlike dhcp relay dhcp l2 relay is used in the situation that the dhcp server and client are in the same vlan in dhcp l2 relay in addition to normally assigning ip addresses to clients from the dhcp server the switch can record the location information of the dhcp client using option 82 the switch can add option 82 to the dhcp request packet and then transmit the packet to the dhcp server the dhcp server which supports option 82 can set the distribution policy of ip addresses and the other parameters providing a more flexible address distribution way 569

Dhcp server configuration 570

Enabling dhcp server 570

Using the gui 570

In the excluded ip address section enter the start ip address and end ip address to specify the range of reserved ip addresses click create 571

In the ping time config section configure ping packets and ping timeout for ping tests click apply 571

Configuring dhcp server pool 572

Follow these steps to configure dhcp server pool 572

In the dhcp server pool section configure the relevant parameters 572

Pool setting to load the following page 572

Click create 573

Configuring manual binding 573

Some hosts www server for example requires a static ip address to satisfy this requirement you can manually bind the mac address or client id of the host to an ip address and the dhcp server will reserve the bound ip address to this host at all times 573

Click create 574

Follow these steps to configure manual binding 574

In the manual binding section select a pool name and enter the ip address to be bound select a binding mode and finish the configuration accordingly 574

Manual binding to load the following page 574

Enabling dhcp server 575

Follow these steps to enable dhcp server and to configure ping packets and ping timeout 575

Using the cli 575

Dhcp server is enable 576

Ping packet number 2 576

Ping packet timeout 200 milliseconds 576

Switch config end 576

Switch config ip dhcp server ping packets 2 576

Switch config ip dhcp server ping timeout 200 576

Switch config service dhcp server 576

Switch config show ip dhcp server status 576

Switch configure 576

Switch copy running config startup config 576

The following example shows how to enable dhcp server globally on switch configure the number of ping packets as 2 and configure the ping timeout period as 200 ms 576

Configuring dhcp server pool 577

Switch config ip dhcp server pool pool1 579

Switch configure 579

Switch dhcp config bootfile bootfile 579

Switch dhcp config default gateway 192 68 579

Switch dhcp config dns server 192 68 579

Switch dhcp config domain name com 579

Switch dhcp config lease 180 579

Switch dhcp config netbios name server 192 68 9 579

Switch dhcp config netbios node type b node 579

Switch dhcp config network 192 68 255 55 55 579

Switch dhcp config next server 192 68 0 579

The following example shows how to create a dhcp server pool and name it as pool1 and configure its network address as 192 68 subnet mask as 255 55 55 lease time as 180 minute default gateway as 192 68 dns server as 192 68 netbios server as 192 68 9 netbios type as broadcast tftp server as 192 68 0 domain name as com and bootfile name as bootfile 579

Configuring manual binding 580

Pool name client id hardware address ip address hardware type bind mode 581

Pool1 74 d4 68 22 3f 34 192 68 3 ethernet mac address 581

Switch config 581

Switch config ip dhcp server pool pool1 581

Switch copy running config startup config 581

Switch dhcp config address 192 68 3 hardware address 74 d4 68 22 3f 34 hardware type ethernet 581

Switch dhcp config end 581

Switch dhcp config show ip dhcp server manual binding 581

The following example shows how to bind the ip address 192 68 3 in pool1 on the subnet of 192 68 to the host with the mac address 74 d4 68 22 3f 34 581

Click create 582

Dhcp client configuration 582

Follow these steps to configure dhcp client 582

In the creating interface section select interface vlan or routed port as the interface type and enter the interface id select dhcp or bootp as the ip address mode set the admin status as enable and enter the interface name optional 582

Interface config to load the following page 582

Using the gui 582

Follow these steps to configure dhcp client 583

Switch configure 583

The following example shows how to configure port 1 0 5 as an layer 3 interface and to configure its ip address mode as dhcp 583

Using the cli 583

Dhcp relay configuration 585

Enabling dhcp relay globally and configuring option 82 585

Using the gui 585

Click apply 586

Click apply 587

Enabling dhcp relay for ports 587

Follow these steps to enable dhcp relay for ports 587

Port config to load the following page 587

Select and configure your desired ports 587

Specifying dhcp server for the interface or vlan 588

Follow these steps to specify dhcp server for the specific vlan 589

In the add dhcp server address section specify the vlan in which the clients needs ip addresses and the server address click add 589

In the default relay agent interface section specify the type and id of the interface that needs to be configured as the default relay agent interface then click apply 589

Dhcp relay is enabled 590

Enabling dhcp relay globally 590

Follow these steps to configure option 82 590

Follow these steps to enable dhcp relay globally 590

Optional configuring option 82 590

Switch config end 590

Switch config service dhcp relay 590

Switch config show ip dhcp relay 590

Switch configure 590

Switch copy running config startup config 590

The following example shows how to enable dhcp relay 590

Using the cli 590

Switch config ip dhcp relay information 591

Switch config ip dhcp relay information policy keep 591

Switch configure 591

The following example shows how to enable option 82 and configure the process of option 82 information as keep 591

After enabling dhcp relay globally you need to enable dhcp relay for the ports connected to dhcp clients 592

Dhcp relay option 82 is enabled 592

Enabling dhcp relay for ports 592

Existed option 82 field operation keep 592

Follow these steps to enable dhcp relay for ports 592

Switch config end 592

Switch config if ip dhcp relay enable 592

Switch config interface gigabitethernet 1 0 2 592

Switch config show ip dhcp relay 592

Switch configure 592

Switch copy running config startup config 592

The following example shows how to enable dhcp relay for port 1 0 2 592

Dhcp interface relay 593

Follow these steps to dhcp interface relay 593

Gi1 0 2 enable n a 593

Interface state lag 593

Specifying dhcp server for interface or vlan 593

Switch config if end 593

Switch config if show ip dhcp relay interface gigabitethernet 1 0 2 593

Switch copy running config startup config 593

You can specify dhcp server for an layer 3 interface or for a vlan the following respectively introduces how to configure dhcp interface relay and dhcp vlan relay 593

Dhcp l2 relay configuration 597

Enabling dhcp l2 relay 597

Using the gui 597

Configuring option 82 for ports 598

Follow these steps to enable dhcp relay and configure option 82 598

Option 82 config to load the following page 598

Select one or more ports to configure option 82 598

Click apply 599

Enabling dhcp l2 relay 599

Follow these steps to enable dhcp l2 relay 599

Switch config ip dhcp l2relay 599

Switch configure 599

The following example shows how to enable dhcp l2 relay globally and for vlan 2 599

Using the cli 599

Configuring option 82 for ports 600

Follow these steps to configure option 82 for ports 600

Global status enable 600

Switch config end 600

Switch config ip dhcp l2relay vlan 2 600

Switch config show ip dhcp l2relay 600

Switch copy running config startup config 600

Vlan id 2 600

Gi1 0 7 enable replace normal vlan20 host1 n a 601

Interface option 82 status operation strategy format circuit id remote id lag 601

Switch config if end 601

Switch config if ip dhcp l2relay information circuit id vlan20 601

Switch config if ip dhcp l2relay information format normal 601

Switch config if ip dhcp l2relay information option 601

Switch config if ip dhcp l2relay information remote id host1 601

Switch config if ip dhcp l2relay information strategy replace 601

Switch config if show ip dhcp l2relay interface gigabitethernet 1 0 7 601

Switch config interface gigabitethernet 1 0 7 601

Switch configure 601

Switch copy running config startup config 601

The following example shows how to enable option 82 on port 1 0 7 and configure the strategy as replace the format as normal the circuit id as vlan20 and the remote id as host1 601

Configuration examples 602

Configuration scheme 602

Example for dhcp server 602

Network requirements 602

Using the gui 602

Using the cli 605

Verify the configuration 605

Configuration scheme 606

Example for dhcp interface relay 606

Network requirements 606

Using the gui 607

Using the cli 608

Appendix default parameters 610

Default settings of dhcp server are listed in the following table 610

Default settings of dhcp relay are listed in the following table 611

Default setting of dhcp client is listed in the following table 612

Default settings of dhcp l2 relay are listed in the following table 612

Arp address resolution protocol is used to map ip addresses to mac addresses taking an ip address as input arp learns the associated mac address and stores the ip mac address association in an arp entry for rapid retrieval 614

Overview 614

Arp configurations 615

Using the gui 615

Viewing the arp entries 615

Adding static arp entries 616

Adding static arp entries manually 616

Configuring arp function 616

Follow these steps to add arp entries 616

Follow these steps to add static arp entries 616

In the arp config section enter the ip address and mac address and click create 616

Static arp to load the following page 616

Using the cli 616

You can add desired static arp entries by mannually specifying the ip addresses and mac addresses 616

Configuring the aging time of dynamic arp entries 617

Follow these steps to configure the aging time of dynamic arp entries 617

Interface address hardware addr type 617

Switch config arp 192 68 00 11 22 33 44 55 arpa 617

Switch config end 617

Switch config show arp 192 68 617

Switch configure 617

Switch copy running config startup config 617

This example shows how to create a static arp entry with the ip as 192 68 and the mac as 00 11 22 33 44 55 617

Vlan1 192 68 00 11 22 33 44 55 static 617

Clearing dynamic entries 618

On privileged exec mode or any other configuration mode you can use the following command to view arp entries 618

Switch config if arp timeout 1000 618

Switch config if end 618

Switch config interface vlan 2 618

Switch configure 618

Switch copy running config startup config 618

This example shows how to configure the aging time of dynamic arp entries as 1000 seconds for vlan interface 2 618

Viewing arp entries 618

Chapters 620

Configuring qos 620

Part 22 620

Bandwidth control 621

Diffserv 621

Overview 621

Supported features 621

802 p priority 622

Configuration guidelines 622

Diffserv configuration 622

Dscp priority 622

Port priority 622

Click apply 623

Configuring port priority 623

Configuring the trust mode and port to 802 p mapping 623

Follow these steps to configure the parameters of the port priority 623

Port priority to load the following page 623

Select the desired ports specify the 802 p priority and set the trust mode as untrust 623

Using the gui 623

Configuring 802 p priority 625

Configuring dscp priority 628

Click apply 630

Configuring the dscp to 802 p mapping and the dscp remap 630

Dscp priority to load the following page 630

Follow these steps to configure the dscp priority 630

Select the desired port configure the dscp to 802 p mapping and the dscp remap 630

Configure the schedule mode to control the forwarding sequence of different tc queues when congestion occurs 631

Configuring schedule mode 631

Follow these steps to configure the schedule mode 631

Schedule mode to load the following page 631

Select a schedule mode 631

Click apply 632

Configuring port priority 632

Configuring the trust mode and the port to 802 p mapping 632

Follow these steps to configure the trust mode and the port to 802 p mapping 632

Optional configure the weight value of the each tc queue if the schedule mode is wrr of sp wrr 632

Using cli 632

Configuring the 802 p to queue mapping 633

Follow these steps to configure the 802 p to queue mapping 633

Configuring 802 p priority 634

Configuring the 802 p to queue mapping and 802 p remap 635

Follow these steps to configure the 802 p to queue mapping and 802 p remap 635

Configuring dscp priority 637

Configuring the 802 p to queue mapping 637

Configuring the trust mode 637

Follow these steps to configure the 802 p to queue mapping 637

Follow these steps to configure the trust mode 637

Gi1 0 1 0 3 2 3 4 5 6 7 n a 637

Switch config if end 637

Switch copy running config startup config 637

Configuring the dscp to 802 p mapping and dscp remap 638

Follow these steps to configure the dscp to 802 p mapping and dscp remap 638

Configuring schedule mode 641

Bandwidth control configuration 644

Configuring rate limit 644

Using the gui 644

Click apply 645

Configuring storm control 645

Follow these steps to configure the storm control function 645

Select the port s and configure the upper rate limit for forwarding broadcast packets multicast packets and ul frames 645

Storm control to load the following page 645

Click apply 646

Configure the upper rate limit for the port to receive and send packets 647

Configuring rate limit on port 647

Gi1 0 5 5120 1024 n a 647

Port ingressrate kbps egressrate kbps lag 647

Switch config if bandwidth ingress 5120 egress 1024 647

Switch config if show bandwidth interface gigabitethernet 1 0 5 647

Switch config interface gigabitethernet 1 0 5 647

Switch configure 647

The following example shows how to configure the ingress rate as 5120 kbps and egress rate as 1024 kbps for port 1 0 5 647

Using the cli 647

Configure the upper rate limit on the port for forwarding broadcast packets multicast packets and unknown unicast frames 648

Configuring storm control 648

Switch config if end 648

Switch copy running config startup config 648

Configuration examples 651

Configuration scheme 651

Example for configuring sp mode 651

Network requirements 651

Using the gui 652

Using the cli 653

Verify the configuration 654

Both rd department and marketing department can access the local network server configure the switches to ensure the traffic from the two departments are forwarded based on the weight value ratio of 2 1 when congestion occurs 655

Configuration scheme 655

Configure switch a to add different vlan tags to the packets from the two departments respectively 655

Configure switch b to classify the incoming packets from the two departments according to the vlan tags and to map them into different tc queues configure the schedule mode as wrr mode to implement the qos feature 655

Example for configuring wrr mode 655

Network requirements 655

The network topology is shown as the following figure switch a is an access layer switch and switch b is a layer 3 switch with acl redirect feature rd department is connected to port 1 0 1 of switch a marketing department is connected to port 1 0 2 of switch a the server is connected to port 1 0 2 of switch b and port 1 0 3 of switch a is connected to port 1 0 1 of switch b 655

Using the gui 656

Using the cli 663

Verify the configuration 666

Appendix default parameters 668

Diffserv 668

Bandwidth control 669

Chapters 670

Configuring voice vlan 670

Part 23 670

Overview 671

Because the voice vlan in automatic mode supports only tagged voice traffic you need to make sure traffic from the voice device is tagged to do so there are mainly two ways 673

Before configuring voice vlan you need to create a vlan for voice traffic for details about vlan configuration please refer to configuring 802 q vlan 673

Configuration guidelines 673

Configure oui addresses 673

Configure voice vlan globally 673

Configure voice vlan mode on ports 673

Configuring lld 673

Create a vlan 673

If your switch provides the lldp med feature you can also configure it to instruct the voice device to send tagged voice traffic for details about lldp med please refer to 673

Only one vlan can be set as the voice vlan on the switch 673

To apply the voice vlan configuration you may need to further configure pvid port vlan id and the link type of the port which is connected to voice devices we recommend that you choose the mode according to your needs and configure the port as the following table shows 673

To complete the voice vlan configuration follow these steps 673

Vlan 1 is a default vlan and cannot be configured as the voice vlan 673

Voice vlan configuration 673

You can configure the voice device to forward traffic with a voice vlan tag 673

Click create to add an oui address to the table 674

Configuring oui addresses 674

Enter an oui address and the corresponding mask and give a description about the oui address 674

Follow these steps to add oui addresses 674

If the oui address of your voice device is not in the oui table you need to add the oui address to the table 674

Oui config to load the following page 674

Using the gui 674

Click apply 675

Configuring voice vlan globally 675

Enable the voice vlan feature and enter a vlan id 675

Follow these steps to configure the voice vlan globally 675

Global config to load the following page 675

Set the aging time for the voice vlan 675

Specify a priority for the voice vlan 675

Configuring voice vlan mode on ports 676

Follow these steps to configure voice vlan mode on ports 676

Port config to load the following page 676

Select your desired ports and choose the port mode 676

Set the security mode for selected ports 676

Click apply 677

Follow these steps to configure the voice vlan 677

Using the cli 677

Avoid attacks from malicious data flows 680

Configuration example 680

Configuration scheme 680

Ip phones share switch ports used by computers because no more ports are available for ip phones 680

Network requirements 680

Network topology 680

Transmit voice traffic in an exclusive path with high quality 680

Demonstrated with t2600g 28ts this chapter provides configuration procedures in two ways using the gui and using the cli 681

In the meeting room computers and ip phones are connected to different ports of switch b ports connected to ip phones use the voice vlan for voice traffic and ports connected to computers use the default vlan for data traffic 681

Internet 681

Voice traffics from switch a and switch b are forwarded to voice gateway and internet through switch c 681

Using the gui 682

Vlan config and edit vlan 10 to load the following page add port 1 0 2 to the voice vlan 684

Using the cli 692

Verify the configurations 695

Appendix default parameters 697

Default settings of voice vlan are listed in the following tables 697

Chapters 698

Configuring poe 698

Part 24 698

Overview 699

Poe power management 699

Supported features 699

Time range function 699

Configuring the poe parameters manually 700

Poe power management configurations 700

Using the gui 700

In the port config section select the port you want to configure and specify the parameters click apply 701

Click apply 702

Configuring the poe parameters using the profile 702

Creating a poe profile 702

Follow these steps to create a poe profile 702

In the create poe profile section specify the desired configurations of the profile 702

Poe profile to load the following page 702

Binding the profile to the corresponding ports 703

Follow these steps to bind the profile to the corresponding ports 703

In the global config section specify the system power limit and click apply 703

In the port config section select a profile and bind it to the corresponding ports click apply 703

Configuring the poe parameters manually 704

Follow these steps to configure the basic poe parameters 704

Using the cli 704

Gi1 0 5 enable middle class3 no limit none 705

Interface poe status poe prio power limit w time range poe profile 705

Switch config if power inline consumption class3 705

Switch config if power inline priority middle 705

Switch config if power inline supply enable 705

Switch config if show power inline 705

Switch config if show power inline configuration interface gigabitethernet 1 0 5 705

Switch config interface gigabitethernet 1 0 5 705

Switch config power inline consumption 160 705

Switch configure 705

System power consumption 0 w 705

System power limit 160 w 705

System power remain 160 w 705

The following example shows how to set the system power limit as 160w set the priority as middle and set the power limit as class3 in the port 1 0 5 705

Configuring the poe parameters using the profile 706

Follow these steps to configure the poe profile 706

Gi1 0 5 1 26 53 class 2 on 706

Interface power w current ma voltage v pd class power status 706

Switch config end 706

Switch config if show power inline information interface gigabitethernet 1 0 5 706

Switch copy running config startup config 706

Creating a time range 708

Time range function configurations 708

Using the gui 708

Click apply 709

In the add absolute or periodic section specify the parameters and click add 709

When the absolute mode is selected the following section will be shown 709

When the periodic mode is selected the following section will be shown 709

Configuring the holiday parameters 710

Viewing the time range table 710

Configuring a time range 711

Follow these steps to create a time range 711

Using the cli 711

01 00 to 23 00 on 5 712

09 08 2016 00 00 to 09 10 2016 24 00 712

Holiday include 712

Number of absolute time 1 712

Number of periodic time 1 712

Switch config power time range time range1 712

Switch config show power time range time range1 712

Switch config time range absolute from 09 08 2016 00 00 to 09 10 2016 24 00 712

Switch config time range exit 712

Switch config time range holiday include 712

Switch config time range periodic start 01 00 end 23 00 day of the week 5 712

Switch configure 712

The following example shows how to create a time range named time range1 select include to make the settings take affected on holiday set absolute mode from 2016 09 08 00 00 to 2016 09 10 24 00 set the periodic mode from 01 00 to 23 00 in friday bind the time range to the port 1 0 7 712

Time range entry time range1 active 712

Configuring the holiday parameters 713

Follow these steps to configure the holiday parameters 713

Holiday1 08 6 08 0 713

Index holiday name start end 713

Switch config end 713

Switch config if end 713

Switch config if power inline time range time range1 713

Switch config interface gigabitethernet 1 0 7 713

Switch config power holiday holiday1 start date 08 16 end date 08 20 713

Switch config show power holiday 713

Switch configure 713

Switch copy running config startup config 713

The following example shows how to create a holiday named holiday1 set the starting date as 08 16 set the ending date as 08 20 713

01 01 2000 00 00 to 12 31 2099 24 00 by default 714

08 30 to 18 00 on 1 2 3 4 5 714

Holiday include 714

Number of absolute time 0 714

Number of periodic time 1 714

On privileged exec mode or any other configuration mode you can use the following command to view the time range table 714

Switch copy running config startup config 714

Switch end 714

Switch show power time range 714

The following example shows how to view the time range table 714

Time range entry office time active 714

Viewing the time range table 714

Configuring scheme 715

Example for poe configurations 715

Network requirements 715

Using the gui 715

Using the cli 717

Verify the configuration 718

Appendix default parameters 719

Chapters 720

Configuring acl 720

Part 25 720

Introduction 721

Overview 721

Supported features 721

Acl configuration 722

Configuration guidelines 722

Click apply to make the settings effective 723

Configuring time range 723

Create time rang 723

Create time slic 723

Follow these steps to create the time range 723

Some acl based services or features may need to be limited to take effect only during a specified time period in this case you can configure time range for the acl 723

Time range create to load the following page 723

Using the gui 723

Creating an acl 724

Optional configuring holiday 724

Add rules to the acl for details refer to mac acl rule standard ip acl rule extend ip acl rule combined acl rule ipv6 acl rule and packet content acl rule 726

Configuring acl rules 726

Configuring the mac acl rule 726

Define the rule s packet matching criteria 726

Follow these steps to create the mac acl 726

Mac acl to load the following page 726

Select an mac acl id from the drop down list enter a rule id then specify the operation for the matched packets 726

Click apply to make the settings effective 727

Configuring the standard ip acl rule 727

Define the rule s packet matching criteria 727

Follow these steps to create the standard ip acl 727

Optional select a time range from the drop down list 727

Select a standard ip acl id from the drop down list enter a rule id then specify the operation for the matched packets 727

Standard i 727

Standard ip acl to load the following page 727

Configuring the extend ip acl rule 728

Define the rule s packet matching criteria 728

Extend ip acl to load the following page 728

Follow these steps to create the extend ip acl 728

Select an extend ip acl id from the drop down list enter a rule id then specify the operation for the matched packets 728

Optional select a time range from the drop down list 729

Combined acl to load the following page 730

Configuring the combined acl rule 730

Define the rule s packet matching criteria 730

Follow these steps to create the combined acl 730

Select a combined acl id from the drop down list enter a rule id then specify the operation for the matched packets 730

Configuring the ipv6 acl rule 731

Follow these steps to create the ipv6 acl 731

Ipv6 acl to load the following page 731

Optional select a time range from the drop down list 731

Select an ipv6 acl id from the drop down list enter a rule id then specify the operation for the rule 731

Define the rule s packet matching criteria 732

Optional select a time range from the drop down list 732

Configuring the packet content acl rule 733

Create packet conten 733

Follow these steps to create the packet content acl 733

Packet content acl to load the following page 733

Packet content offset profil 733

Rule id specify the operation for the rule and define the rule s packet matching criteria 733

Section 733

Section enter the offset of a chunk all the 4 chunks must be set at the same time 733

Select a packet content acl from the drop down list enter a 733

Acl summary to load the following page 734

Configure the action of the policy 734

Configuring policy 734

Create a policy 734

In the acl rule table you can view all the acls and their rules 734

Optional select a time range from the drop down list 734

Policy allows you to further process the matched packets through operations such as mirroring rate limiting redirecting or changing priority 734

The rules in an acl are listed in ascending order of configuration time regardless of their rule ids by default a rule configured earlier is listed before a rule configured later 734

The switch matches a received packet with the rules in order when a packet matches a rule the device stops the match process and performs the action defined in the rule 734

To configure the policy follow these steps 734

View the rule table 734

You can also delete an acl or an acl rule or change the matching order if needed 734

Creating a policy 735

Enter a policy name then click apply 735

Follow these steps to create a policy 735

Policy create to load the following page 735

Action create to load the following page 736

Apply an acl to the policy and specify the action to be taken for the matched packets 736

Configure the actions to be taken for the matched packets 736

Configuring the action of the policy 736

Follow these steps to configure the action of the policy 736

Select your preferred policy and acl 736

An acl or policy takes effect only after it is bound to a port or vlan 737

Click apply to make the settings effective 737

Configuring the acl binding and policy binding 737

You can select acl binding or policy binding according to your needs 737

Configuring the acl binding 738

Binding the acl to a vlan 739

Follow these steps to bind the acl to a vlan 739

Select the acl and enter the vlan id and click apply 739

Vlan binding to load the following page 739

Configuring the policy binding 740

Verifying the binding configuration 741

Binding table to load the following page 742

Configuring time range 742

Some services or features that use acl need to be limited to a specified time period in this case you can configure time range for the acl 742

Using the cli 742

Configuring acl 744

Switch config mac access list 50 745

Switch config mac acl exit 745

Switch config mac acl rule 5 permit smac 00 34 a2 d4 34 b5 smask ff ff ff ff ff ff 745

Switch config show access list 50 745

Switch configure 745

The following example shows how to create mac acl 50 and configure rule 5 to permit packets with source mac address 00 34 a2 d4 34 b5 745

Mac access list 50 746

Rule 5 permit smac 00 34 a2 d4 34 b5 smask ff ff ff ff ff ff 746

Standard ip acl 746

Switch config end 746

Switch configure 746

Switch copy running config startup config 746

The following example shows how to create standard ip acl 600 and configure rule 1 to permit packets with source ip address 192 68 00 746

Switch config access list create 1700 748

Switch config access list extended 1700 rule 7 deny sip 192 68 00 smask 255 55 55 55 protocol 6 d port 23 748

Switch config show access list 1700 748

Switch configure 748

The following example shows how to create extend ip acl 1700 and configure rule 7 to deny telnet packets with source ip192 68 00 748

Combined acl 749

Extended ip access list 1700 749

Rule 7 deny sip 192 68 00 smask 255 55 55 55 protocol 6 d port 23 749

Switch config end 749

Switch copy running config startup config 749

Switch config access list create 3600 751

Switch config access list ipv6 3600 rule 1 deny sip cdcd 910a 2222 5498 8475 1111 3900 2020 sip mask ffff ffff ffff ffff 751

Switch config show access list 3600 751

Switch configure 751

The following example shows how to create ipv6 acl 3600 and configure rule 1 to deny packets with source ipv6 address cdcd 910a 2222 5498 8475 1111 3900 2020 751

Ff ffff ffff 752

Ipv6 access list 3600 752

Packet content acl 752

Rule 1 deny sip cdcd 910a 2222 5498 8475 1111 3900 2020 sip mask ffff ff 752

Switch config end 752

Switch copy running config startup config 752

Configuring policy 753

Access list 600 redirect port gi1 0 4 754

Create policy rd apply acl 600 to policy rd and redirect the matched packets to port 1 0 4 754

Policy name rd 754

Switch config access list policy action rd 600 754

Switch config access list policy name rd 754

Switch config action exit 754

Switch config action redirect interface gigabitethernet 1 0 4 754

Switch config show access list policy rd 754

Switch configure 754

Acl binding and policy binding 755

Policy binding 755

Switch config end 755

Switch config if access list bind 1 755

Switch config if exit 755

Switch config interface gigabitethernet 1 0 2 755

Switch configure 755

Switch copy running config startup config 755

The following example shows how to bind policy 1 to port 2 and policy 2 to vlan 2 755

You can bind the policy to a port or a vlan then the received packets will be matched and operated based on the policy 755

You can select acl binding or policy binding according to your needs an acl rule and policy takes effect only after they are bound to a port or vlan 755

2 ingress vlan 756

Acl binding 756

Gi1 0 2 ingress port 756

Index acl id interface vid direction type 756

Index policy name interface vid direction type 756

Switch config end 756

Switch config if access list bind 2 756

Switch config if exit 756

Switch config interface vlan 2 756

Switch config show access list bind 756

Switch copy running config startup config 756

You can bind the acl to a port or a vlan the received packets will then be matched and processed according to the acl rules 756

A company s internal server group can provide different types of services it is required that 758

As is shown below computers in the marketing department are connected to the switch via port 1 0 1 and the internal server group is connected to the switch via port 1 0 2 758

Configuration example for acl 758

Configuration scheme 758

Network requirements 758

Network topology 758

The marketing department can only access internal server group in the intranet 758

The marketing department can only visit http and https websites on the internet 758

To meet the requirements above you can set up packet filtering by creating an extend ip acl and configuring rules for it 758

Using the gui 759

Extend ip acl to load the the following page configure rule 2 and rule 3 to permit packets with source ip 10 0 0 and destination port tcp 80 http service port and udp 443 https service port 760

Extend ip acl to load the following page configure rule 4 and rule 5 to permit packets with source ip 10 0 0 and with destination port tcp 53 or udp 53 dns service port 761

Using the cli 764

Verify the configurations 765

Appendix default parameters 766

For extend ip acl 766

For ipv6 acl 766

For mac acl 766

For standard ip acl 766

For combined acl 767

For packet content acl 767

Chapters 768

Configuring network security 768

Part 26 768

Dhcp snooping 769

Ip mac binding 769

Ipv6 mac binding 769

Network security 769

Overview 769

Supported features 769

Arp inspection 770

Dhcpv6 snooping 770

Nd detection 771

Dos defend 772

Ip source guard 772

Pppoe id insertion 773

Dhcp server filter 775

Netbios filtering 775

Binding entries manually 776

Ip mac binding configurations 776

Using the gui 776

Arp scanning 777

Binding entries dynamically 777

Click bind 777

Select protect type for the entry 777

Select the port that is connected to this host 777

The binding entries can be dynamically learned from arp scanning and dhcp snooping 777

With arp scanning the switch sends the arp request packets of the specified ip field to the hosts upon receiving the arp reply packet the switch can get the ip address mac address vlan id and the connected port number of the host you can bind these entries conveniently 777

Arp scanning to load the following page 778

Follow these steps to configure ip mac binding via arp scanning 778

In the scanning option section specify an ip address range and a vlan id then click scan to scan the entries in the specified ip address range and vlan 778

In the scanning result section select one or more entries and configure the relevant parameters then click apply 778

Binding table to load the following page 779

Dhcp snooping 779

For instructions on how to configure dhcp snooping refer to dhcp snooping configurations 779

In the search section specify the search criteria to search your desired entries 779

Viewing the binding entries 779

With dhcp snooping enabled the switch can monitor the ip address obtaining process of the host and record the ip address mac address vlan id and the connected port number of the host 779

With the binding table you can view and search the specified binding entries 779

Binding entries via arp scanning is not supported by the cli binding entries via dhcp snooping is introduced in dhcp snooping configurations the following sections introduce how to bind entries manually and view the binding entries 780

In the binding table section you can view the searched entries additionally you can configure the host name and protect type for one or more entries and click apply 780

Using the cli 780

Binding entries manually 781

Follow these steps to manually bind entries 781

Switch config ip source binding host1 192 68 5 aa bb cc dd ee ff vlan 10 interface gigabitethernet 1 0 5 arp detection 781

Switch configure 781

The following example shows how to bind an entry with the hostname host1 ip address 192 68 5 mac address aa bb cc dd ee ff vlan id 10 port number 1 0 5 and enable this entry for the arp detection feature 781

You can manually bind the ip address mac address vlan id and the port number together on the condition that you have got the related information of the hosts 781

Additionally you can search the specified entries in the binding table 782

Dynamical binding including nd snooping and dhcpv6 snooping 782

Host1 192 68 5 aa bb cc dd ee ff 10 gi1 0 5 arp d 782

Ipv6 mac binding configurations 782

Manual binding 782

On privileged exec mode or any other configuration mode you can use the following command to view binding entries 782

Switch config end 782

Switch config show ip source binding 782

Switch copy running config startup config 782

U no host ip addr mac addr vid port acl col 782

Viewing binding entries 782

You can complete ipv6 mac binding in two ways 782

Binding entries manually 783

Enter the following information to specify a host 783

In the manual binding option section follow these steps to configure ipv6 mac binding 783

Manual binding to load the following page 783

Select protect type for the entry 783

Using the gui 783

You can manually bind the ipv6 address mac address vlan id and the port number together on the condition that you have got the related information of the hosts on the network 783

Binding entries dynamically 784

Click bind 784

Nd snooping 784

Select the port that is connected to this host 784

The binding entries can be dynamically learned from nd snooping and dhcpv6 snooping 784

With nd snooping the switch monitors the nd packets and records the ipv6 addresses mac addresses vlan ids and the connected port numbers of the ipv6 hosts you can bind these entries conveniently 784

Binding table to load the following page 786

Configuratio 786

Dhcpv6 snooping 786

For instructions on how to configure dhcpv6 snooping refer to 786

In the port configure section select one or more ports and configure the maximum number of entries that can be learned on this port via nd snooping then click apply 786

In the search section specify the search criteria to search your desired entries 786

Viewing the binding entries 786

With dhcpv6 snooping enabled the switch can monitor the ipv6 address obtaining process of the host and record the ipv6 address mac address vlan id and the connected port number of the host 786

With the binding table you can view and search the specified binding entries 786

In the binding table section you can view the search results additionally you can configure the host name and protect type for one or more entries and click apply 787

Binding entries manually 788

Binding entries via dhcpv6 snooping is introduced in 788

Dhcpv6 snooping configuratio 788

Follow these steps to manually bind entries 788

The following example shows how to bind an entry with the hostname host1 ipv6 address 2001 0 9d38 90d5 34 mac address aa bb cc dd ee ff vlan id 10 port number 1 0 5 and enable this entry for nd detection 788

The following sections introduce how to bind entries manually and via nd snooping and how to view the binding entries 788

Using the cli 788

You can manually bind the ipv6 address mac address vlan id and the port number together on the condition that you have got the related information of the hosts 788

Binding entries via nd snooping 789

Follow these steps to bind entries via nd snooping 789

Host1 2001 0 9d38 90d5 34 aa bb cc dd ee ff 10 gi1 0 5 nd d nd d manual 789

Switch config end 789

Switch config ipv6 source binding host1 2001 0 9d38 90d5 34 aa bb cc dd ee ff vlan 10 interface gigabitethernet 1 0 5 nd detection 789

Switch config show ipv6 source binding 789

Switch configure 789

Switch copy running config startup config 789

U no host ip addr mac addr vid port acl active source col 789

Viewing binding entries 790

Dhcp snooping configuration 791

Enabling dhcp snooping on vlan 791

Using the gui 791

Click apply 792

Configure the illegal dhcp server trap feature 792

Enable dhcp snooping on a vlan or range of vlans 792

Follow these steps to enable dhcp snooping 792

Globally enable dhcp snooping 792

Configuring dhcp snooping on ports 793

Follow these steps to configure dhcp snooping on the specified port 793

Port config to load the following page 793

Select one or more ports and configure the parameters 793

Click apply 794

Enabling dhcp snooping on vlan 794

Follow these steps to globally configure dhcp snooping 794

Switch config ip dhcp snooping 794

Switch config ip dhcp snooping vlan 5 794

Switch configure 794

The following example shows how to enable dhcp snooping globally and on vlan 5 794

Using the cli 794

Configuring dhcp snooping on ports 795

Follow these steps to configure dhcp snooping on the specified ports 795

Global status enable 795

Switch config if end 795

Switch config show ip dhcp snooping 795

Switch copy running config startup config 795

Vlan id 5 795

Dhcpv6 snooping configuration 796

Gi1 0 1 enable enable 10 20 n a 796

Interface trusted mac verify limit rate dec rate lag 796

Switch config if end 796

Switch config if ip dhcp snooping decline rate 20 796

Switch config if ip dhcp snooping limit rate 10 796

Switch config if ip dhcp snooping mac verify 796

Switch config if ip dhcp snooping trust 796

Switch config if show ip dhcp snooping interface gigabitethernet 1 0 1 796

Switch config interface gigabitethernet 1 0 1 796

Switch configure 796

Switch copy running config startup config 796

The following example shows how to configure port 1 0 1 as a trusted port enable the mac verify feature and set the limit rate as 10 pps and decline rate as 20 pps on this port 796

Tips the switch can dynamically bind the entries via dhcpv6 snooping after dhcpv6 snooping is configured by default the binding entries are applied to both ip source guard and nd detection 796

Click apply 797

Dhcpv6 snooping to load the following page 797

Follow these steps to configure dhcpv6 snooping 797

In the dhcpv6 snooping section enable dhcpv6 snooping globally and specify one or more vlan ids to enable dhcpv6 snooping on the vlan s 797

In the trusted port section select 797

Using the cli 797

Using the gui 797

Global status enable 798

Switch config if ipv6 dhcp snooping trust 798

Switch config if show ipv6 dhcp snooping 798

Switch config interface gigabitethernet 1 0 1 798

Switch config ipv6 dhcp snooping 798

Switch config ipv6 dhcp snooping vlan 5 798

Switch configure 798

The following example shows how to enable dhcp snooping globally and on vlan 5 and configure port 1 0 1 as a trusted port 798

Vlan id 5 798

Arp inspection configurations 799

Configuring arp detection 799

Using the gui 799

Configuring arp defend 800

Arp defend to load the following page 801

Click apply 801

Follow these steps to configure arp defend 801

Select one or more ports and configure the parameters 801

Viewing arp statistics 802

Arp detection global status enabled 803

Configuring arp detection 803

Follow these steps to configure arp detection 803

Switch config if ip arp inspection trust 803

Switch config if show ip arp inspection 803

Switch config interface gigabitethernet 1 0 1 803

Switch config ip arp inspection 803

Switch configure 803

The arp detection feature allows the switch to detect the arp packets basing on the binding entries in the ip mac binding table and filter the illegal arp packets before configuring arp detection complete ip mac binding configuration for details refer to ip mac binding configurations 803

The following example shows how to globally enable arp detection and configure port 1 0 1 as a trusted port 803

Using the cli 803

Configuring arp defend 804

Follow these steps to configure arp defend 804

Gi1 0 1 yes 804

Gi1 0 2 no 804

Port trusted 804

Switch config if end 804

Switch copy running config startup config 804

With arp defend enabled the switch can terminate receiving the arp packets for 300 seconds when the transmission speed of the legal arp packet on the port exceeds the defined value so as to avoid arp attack flood 804

Nd detection configuration 806

Using the gui 806

Viewing arp statistics 806

Click apply 807

Follow these steps to configure nd detection 807

In the trusted port section select one or more ports to be configured as the trusted port s on which the nd packets will not be checked the specific ports such as up link ports and routing ports are suggested to be set as trusted 807

Ipv6 mac binding configurations 807

The nd detection feature allows the switch to detect the nd packets based on the binding entries in the ipv6 mac binding table and filter out the illegal nd packets before configuring nd detection complete ipv6 mac binding configuration for details refer to 807

Using the cli 807

Vlan ids to enable dhcpv6 snooping on the vlan s 807

Ip source guard configuration 808

Using the gui 808

Click apply 809

Follow these steps to configure ip source guard 809

Ip source guard to load the following page 809

Select one or more ports and configure ip source guard on the port s 809

Follow these steps to configure ip source guard 810

Ipv6 mac binding configurations 810

Switch configure 810

The following example shows how to enable ip source guard on port 1 0 1 for ipv6 packets 810

The ip source guard feature allows the switch to filter the packets that do not match the rules of ip mac binding table or ipv6 mac binding table before configuring ip source guard complete ip mac binding or ipv6 mac binding configurations for details refer to ip mac binding configurations an 810

Using the cli 810

Dos defend configuration 811

Using the gui 811

Click apply 812

Follow these steps to configure dos defend 812

Using the cli 812

Switch configure 813

The following example shows how to enable the dos defend type named land 813

Configuring the radius server 814

Using the gui 814

X configuration 814

Adding the radius server 815

Click apply 815

Follow these steps to create a protocol template 815

In the global config section enable aaa function on the switch and click apply 815

In the server config section configure the parameters of radius server 815

Radius config to load the following page 815

Configuring 802 x globally 818

Follow these steps to configure 802 x global parameters 818

Global config to load the following page 818

In the global config section enable 802 x globally and click apply 818

In the authentication config section enable quiet configure the quiet timer and click apply 819

Configure 802 x authentication on the desired port and click apply 820

Configuring 802 x on ports 820

Port config to load the following page 820

Configuring the radius server 821

Follow these steps to configure radius 821

Using the cli 821

The following example shows how to enable aaa add a radius server to the server group named radius1 and apply this server group to the 802 x authentication the ip address of 822

Configuring 802 x globally 823

Authentication method pap 825

Guest vlan id n a 825

Guest vlan state disabled 825

Handshake state enabled 825

Quiet period state disable 825

Quiet period timer 10 sec 825

Switch config dot1x auth method pap 825

Switch config dot1x system auth control 825

Switch config show dot1x global 825

Switch configure 825

The following example shows how to enable 802 x authentication configure pap as the authentication method and keep other parameters as default 825

X accounting state disabled 825

X state enabled 825

X vlan assignment state disabled 825

Configuring 802 x on ports 826

Follow these steps to configure the port 826

Max retry times for radius packet 3 826

Supplicant timeout 3 sec 826

Switch config end 826

Switch copy running config startup config 826

Gi1 0 2 enabled disabled disabled auto port based unauthorized n a 827

Port state mab state guestvlan portcontrol portmethod authorized lag 827

Switch config if dot1x 827

Switch config if dot1x port control auto 827

Switch config if dot1x port method port based 827

Switch config if end 827

Switch config if show dot1x interface gigabitethernet 1 0 2 827

Switch config interface gigabitethernet 1 0 2 827

Switch configure 827

Switch copy running config startup config 827

The following example shows how to enable 802 x authentication on port 1 0 2 configure the control type as port based and configure the control mode as auto 827

Pppoe id insertion configuration 828

Using the gui 828

Follow these steps to configure pppoe id insertion 829

Using the cli 829

Pppoe id insertion state enabled 830

Switch config if interface gigabitethernet 1 0 1 830

Switch config if pppoe circuit id 830

Switch config if pppoe circuit id type udf only 123 830

Switch config if pppoe remote id host1 830

Switch config if show pppoe id insertion global 830

Switch config pppoe id insertion 830

Switch configure 830

The following example shows how to enable pppoe id insertion globally and on port 1 0 1 and configure the circuit id as 123 without other information and remote id as host1 830

Aaa configuration 831

Configuration guidelines 831

Adding servers 832

Globally enabling aaa 832

Using the gui 832

Adding radius server 833

Click add to add the radius server on the switch 833

Follow these steps to add a radius server 833

In the server config section configure the following parameters 833

Radius conifg to load the following page 833

Adding tacacs server 834

Click add to add the tacacs server on the switch 834

Configuring server groups 834

Follow these steps to add a tacacs server 834

In the server config section configure the following parameters 834

Tacacs conifg to load the following page 834

The switch has two built in server groups one for radius servers and the other for tacacs servers the servers running the same protocol are automatically added to the default server group you can add new server groups as needed 834

Configuring the method list 836

Click add to add the new method 837

Click apply 837

Configuring the aaa application list 837

Follow these steps to configure the aaa application list 837

Global config to load the following page 837

In the aaa application list section select an access application and configure the login list and enable list 837

In the add method list section configure the parameters for the method to be added 837

Configuring login account and enable password 838

Aaa global status enable 839

Adding radius server 839

Adding servers 839

Follow these steps to add radius server on the switch 839

Follow these steps to globally enable aaa 839

Globally enabling aaa 839

Switch config aaa enable 839

Switch config end 839

Switch config show aaa global 839

Switch configure 839

Switch copy running config startup config 839

The following example shows how to globally enable aaa 839

Using the cli 839

You can add one or more radius tacacs servers on the switch for authentication if multiple servers are added the server with the highest priority authenticates the users trying to access the switch and the others act as backup servers in case the first one breaks down 839

Server ip auth port acct port timeout retransmit nas identifier shared key 840

Switch config radius server host 192 68 0 auth port 1812 timeout 8 retransmit 3 key 123456 840

Switch config show radius server 840

Switch configure 840

The following example shows how to add a radius server on the switch set the ip address of the server as 192 68 0 the authentication port as 1812 the shared key as 123456 the timeout as 8 seconds and the retransmit number as 3 840

68 0 1812 1813 5 2 000aeb132397 123456 841

Adding tacacs server 841

Follow these steps to add tacacs server on the switch 841

Switch config end 841

Switch config show tacacs server 841

Switch config tacacs server host 192 68 0 auth port 49 timeout 8 key 123456 841

Switch configure 841

Switch copy running config startup config 841

The following example shows how to add a tacacs server on the switch set the ip address of the server as 192 68 0 the authentication port as 49 the shared key as 123456 and the timeout as 8 seconds 841

68 0 49 8 123456 842

Configuring server groups 842

Server ip port timeout shared key 842

Switch aaa group server 192 68 0 842

Switch config aaa group radius radius1 842

Switch config end 842

Switch configure 842

Switch copy running config startup config 842

The following example shows how to create a radius server group named radius1 and add the existing two radius servers whose ip address is 192 68 0 and 192 68 0 to the group 842

The switch has two built in server groups one for radius and the other for tacacs the servers running the same protocol are automatically added to the default server group you can add new server groups as needed 842

The two default server groups cannot be deleted or edited follow these steps to add a server group 842

A method list describes the authentication methods and their sequence to authenticate the users the switch supports login method list for users of all types to gain access to the switch and enable method list for guests to get administrative privileges 843

Configuring the method list 843

Follow these steps to configure the method list 843

Switch aaa group end 843

Switch aaa group server 192 68 0 843

Switch aaa group show aaa group radius1 843

Switch copy running config startup config 843

Configuring the aaa application list 844

Console login1 enable1 845

Http default default 845

Module login list enable list 845

Ssh default default 845

Switch config line console 0 845

Switch config line enable authentication enable1 845

Switch config line end 845

Switch config line login authentication login1 845

Switch config line show aaa global 845

Switch configure 845

Switch copy running config startup config 845

Telnet default default 845

The following example shows how to apply the existing login method list named login1 and enable method list named enable1 for the application console 845

Console default default 846

Follow these steps to apply the login and enable method lists for the application telnet 846

Module login list enable list 846

Ssh default default 846

Switch config line enable authentication enable1 846

Switch config line login authentication login1 846

Switch config line show aaa global 846

Switch config line telnet 846

Switch configure 846

Telnet 846

Telnet login1 enable1 846

The following example shows how to apply the existing login method list named login1 and enable method list named enable1 for the application telnet 846

Follow these steps to apply the login and enable method lists for the application ssh 847

Http default default 847

Module login list enable list 847

Switch config line enable authentication enable1 847

Switch config line end 847

Switch config line login authentication login1 847

Switch config line show aaa global 847

Switch config line ssh 847

Switch configure 847

Switch copy running config startup config 847

The following example shows how to apply the existing login method list named login1 and enable method list named enable1 for the application ssh 847

Console default default 848

Follow these steps to apply the login and enable method lists for the application http 848

Http default default 848

Module login list enable list 848

Ssh login1 enable1 848

Switch config ip http enable authentication enable1 848

Switch config ip http login authentication login1 848

Switch config line end 848

Switch config show aaa global 848

Switch configure 848

Switch copy running config startup config 848

Telnet default default 848

The following example shows how to apply the existing login method list named login1 and enable method list named enable1 for the application http 848

Configuring login account and enable password 849

Console default default 849

Http login1 enable1 849

On the switch 849

Ssh default default 849

Switch config end 849

Switch copy running config startup config 849

Telnet default default 849

The local username and password for login can be configured in the user management feature for details refer to managing system 849

The login account and enable password can be configured locally on the switch or centrally on the radius tacacs server s 849

To configure the local enable password for getting administrative privileges follow these steps 849

Dhcp server filter configuration 851

Enabling dhcp server filter 851

Using the gui 851

Configuring the dhcp server permit entry 852

Dhcp server permit entry to load the following page 852

Follow these steps to configure the dhcp server permit entry 852

Follow these steps to enable dhcp server filter 852

In the global config section enable dhcp server filter enable dhcp server filter trap if needed click apply 852

In the manual binding option section bind server ip address client mac address and port manually 852

In the port config section enable dhcp server filter for the desired ports click apply 852

Click bind 853

Enabling dhcp server filter globally 853

Follow these steps to enable dhcp relay globally 853

Global status enable 853

Switch config end 853

Switch config ip dhcp filter 853

Switch config show ip dhcp filter 853

Switch configure 853

Switch copy running config startup config 853

The following example shows how to enable dhcp relay 853

Using the cli 853

Enabling dhcp server filter for ports 854

Follow these steps to enable dhcp server filter for ports 854

Gi1 0 2 enable n a 854

Interface state lag 854

Switch config end 854

Switch config if ip dhcp filter 854

Switch config if show ip dhcp filter interface gigabitethernet 1 0 2 854

Switch config interface gigabitethernet 1 0 2 854

Switch configure 854

Switch copy running config startup config 854

The following example shows how to enable dhcp server filter for port 1 0 2 854

68 0 aa aa aa aa aa aa gi1 0 2 855

Configuring the dhcp server permit entry 855

Follow these steps to configure dhcp server permit entry 855

Server ip client mac interface 855

Switch config end 855

Switch config ip dhcp filter server permit entry server ip 192 68 0 client mac aa aa aa aa aa aa interface gigabitethernet 1 0 2 855

Switch config show ip dhcp filter server permit entry 855

Switch configure 855

Switch copy running config startup config 855

The following example shows how to configure the dhcp server permit entry by binding dhcp server ip 192 68 0 mac address aa aa aa aa aa aa and port 1 0 2 manually 855

Follow these steps to configure netbios filtering 856

Netbios filtering configuration 856

Select the ports and enable netbios filtering over tcp ip for ports 856

Using the gui 856

Click apply 857

Follow these steps to configure netbios filtering 857

Gi1 0 2 enable n a 857

Interface netbios filtering over tcp ip lag 857

Switch config end 857

Switch config if netbios filter 857

Switch config if show netbios filter interface gigabitethernet 1 0 2 857

Switch config interface gigabitethernet 1 0 2 857

Switch configure 857

Switch copy running config startup config 857

The following example shows how to enable netbios filtering on port 1 0 2 857

Using the cli 857

Configuration examples 858

Configuration scheme 858

Example for dhcp snooping and arp detection 858

Network requirements 858

Using the gui 859

Using the cli 862

Example for dhcpv6 snooping and nd detection 864

Network requirements 864

Configuration scheme 865

Configure dhcpv6 snooping on switch a set port 1 0 4 that is connected to the illegal dhcpv6 server as the trusted port and other ports as untrusted ports so that the illegal dhcpv6 server on any other port cannot assign ipv6 addresses for the clients 865

Configure ipv6 mac binding on switch a the binding entries for user 1 and user 2 will be automatically learned via dhcpv6 snooping and you need to manually bind the entry for user 3 865

Demonstrated with t2600g 28ts the following sections provide configuration procedure in two ways using the gui and using the cli 865

Enable nd detection on switch a to prevent nd attacks 865

Global config to load the following page because all users are in the default vlan 1 enable dhcpv6 snooping on vlan 1 set port 1 0 4 as a trusted port click apply after that the ipv6 mac binding entries of the dhcpv6 clients will be automatically learned via dhcpv6 snooping 865

To meet these requirements you can configure dhcpv6 snooping to filter the untrusted dhcpv6 packets from the illegal dhcpv6 server and configure nd detection to prevent the network from nd attacks the overview of configuration is as follows 865

Using the gui 865

Using the cli 867

Verify the configuration 868

Configuration scheme 869

Example for ip source guard 869

Network requirements 869

Using the gui 870

Using the cli 871

Configuration scheme 872

Example for 802 x 872

Network requirements 872

Verify the configuration 872

Network topology 873

Using the gui 873

Using the cli 876

Verify the configurations 877

Example for aaa 878

Network requirements 878

Configuration scheme 879

Using the gui 879

Using the cli 882

Verify the configuration 883

Appendix default parameters 885

Default settings of network security are listed in the following tables 885

Chapters 896

Configuring lldp 896

Part 27 896

Overview 897

Supported features 897

Global config 898

Lldp configurations 898

Using the gui 898

Follow these steps to enable lldp and configure the lldp feature globally 899

In the global config section enable lldp you can also enable the switch to forward lldp messages when lldp function is disabled click apply 899

In the parameters config section configure the lldp parameters click apply 899

Follow these steps to configure the lldp feature for the interface 900

Policy config to load the following page 900

Port config 900

Select the desired port and set its admin status and notification mode 900

Select the tlvs type length value included in the lldp packets according to your needs 900

Enable the lldp feature on the switch and configure the lldp parameters 901

Global config 901

Optional configure the port s management address for identifying the devices 901

Using the cli 901

Lldp status enabled 902

Switch config lldp 902

Switch config lldp hold multiplier 4 902

Switch config lldp timer tx interval 30 tx delay 2 reinit delay 3 notify interval 5 fast count 3 902

Switch config show lldp 902

Switch configure 902

The following example shows how to configure the following parameters lldp timer 4 tx interval 30 seconds tx delay 2 seconds reinit delay 3 seconds notify iinterval 5 seconds fast count 3 902

Fast packet count 3 903

Initialization delay 2 seconds 903

Lldp forward message disabled 903

Lldp med fast start repeat count 4 903

Port config 903

Select the desired port and set its admin status notification mode and the tlvs included in the lldp packets 903

Switch config end 903

Switch copy running config startup config 903

Trap notification interval 5 seconds 903

Ttl multiplier 4 903

Tx delay 2 seconds 903

Tx interval 30 seconds 903

Global config 906

Lldp med configurations 906

Using the gui 906

Port config 907

Global config 909

Lldp status enabled 909

Switch config lldp 909

Switch config lldp med fast count 4 909

Switch config show lldp 909

Switch configure 909

The following example shows how to configure lldp med fast count as 4 909

Tx interval 30 seconds 909

Using the cli 909

Fast packet count 3 910

Initialization delay 2 seconds 910

Lldp med fast start repeat count 4 910

Port config 910

Select the desired port enable lldp med and select the tlvs type length value included in the outgoing lldp packets according to your needs 910

Switch config end 910

Switch copy running config startup config 910

Trap notification interval 5 seconds 910

Ttl multiplier 4 910

Tx delay 2 seconds 910

Using gui 913

Viewing lldp device info 913

Viewing lldp settings 913

Follow these steps to view the local information 914

In the auto refresh section enable the auto refresh feature and set the refresh rate according to your needs click apply 914

In the local info section select the desired port and view its associated local device information 914

Viewing lldp statistics 916

Using cli 917

Viewing lldp statistics 917

Viewing the local info 917

Viewing the neighbor info 917

Using gui 918

Viewing lldp med settings 918

Follow these steps to view lldp med neighgbor information 919

In the auto refresh section enable the auto refresh feature and set the refresh rate according to your needs click apply 919

In the lldp med neighbor info section select the desired port and view the lldp med settings 919

Viewing the neighbor info 919

Using cli 920

Viewing lldp statistics 920

Viewing the local info 920

Viewing the neighbor info 920

Configuration example 921

Configuration scheme 921

Example for configuring lldp 921

Network requirements 921

Network topology 921

Using the gui 921

Using cli 922

Verify the configurations 923

Configuration scheme 928

Example for configuring lldp med 928

Network requirements 928

Network topology 928

Using the gui 929

Using the cli 933

Verify the configurations 934

Appendix default parameters 940

Default lldp med settings 940

Default lldp settings 940

Default settings of lldp are listed in the following tables 940

Chapters 941

Configuring maintenance 941

Part 28 941

Device diagnose 942

Maintenance 942

Network diagnose 942

Overview 942

Supported features 942

System monitor 942

Monitoring the cpu 943

Monitoring the system 943

Using the gui 943

Monitoring the memory 944

Monitoring the cpu 945

Monitoring the memory 945

Using the cli 945

Configuring the sflow collector 946

Sflow configuration 946

Using the gui 946

Configuring the sflow sampler 947

In the collector config section select a collector to configure relevant parameters and click apply 947

Sflow sampler to load the following page 947

Click apply 948

Follow these steps to configure the sflow 948

Follow these steps to configure the sflow sampler 948

In the sampler config section set one or more ports to be a sampler and configure relevant parameters one port can be bound to only one collector 948

Using the cli 948

Switch config if sflow sampler collector id 1 949

Switch config interface gigabitethernet 1 0 1 949

Switch config sflow address 192 68 949

Switch config sflow collector collector id 1 ip 192 68 00 949

Switch config sflow collector collector id 1 port 6343 949

Switch config sflow enable 949

Switch configure 949

The following example shows how to configure the switch whose ip address is 192 68 to send sflow packets to the host whose ip address is 192 68 00 set the sflow agent ip address as 192 68 the sflow collector ip address 1 as 192 68 00 configure gigabit ethernet port 1 as the sflow sampler the collector id as 1 and the ingress rate as 1024 949

Backing up log files 951

Configuration guidelines 951

Configuring the local log 951

Configuring the remote log 951

Logs are classified into the following eight levels messages of levels 0 to 4 mean the functionality of the switch is affected please take actions according to the log message 951

System log configurations 951

System log configurations include 951

Viewing the log table 951

Click apply 952

Configuring the local log 952

Follow these steps to configure the local log 952

Local log to load the following page 952

Select your desired channel and configure the corresponding severity and status 952

Using the gui 952

Backing up the log file 953

Configuring the remote log 953

Configuring the local log 954

Follow these steps to configure the local log 954

Log table to load the following page 954

Select a module and a severity to view the corresponding log information 954

Using the cli 954

Viewing the log table 954

Switch config logging buffer 955

Switch config logging buffer level 5 955

Switch config logging file flash 955

Switch config logging file flash frequency periodic 10 955

Switch config logging file flash level 2 955

Switch config show logging local config 955

Switch configure 955

The following example shows how to configure the local log on the switch save logs of levels 0 to 5 to the log buffer and synchronize logs of levels 0 to 2 to the flash every 10 hours 955

Buffer 5 enable immediately 956

Channel level status sync periodic 956

Configuring the remote log 956

Flash 2 enable 10 hour s 956

Follow these steps to set the remote log 956

Monitor 5 enable immediately 956

Remote log enables the switch to send system logs to a host to display the logs the host should run a log server that complies with the syslog standard 956

Switch config end 956

Switch config logging host index 2 192 68 48 5 956

Switch configure 956

Switch copy running config startup config 956

The following example shows how to set the remote log on the switch enable log host 2 set its ip address as 192 68 48 and allow logs of levels 0 to 5 to be sent to the host 956

Cable test to load the following page 958

Diagnosing the device 958

In the port section select your desired port for the test 958

In the result section click apply and check the test results 958

Using the gui 958

Gi1 0 2 pair a normal 2 10m 959

On privileged exec mode or any other configuration mode you can use the following command to check the connection status of the cable that is connected to the switch 959

Pair b normal 2 10m 959

Pair c normal 0 10m 959

Pair d normal 2 10m 959

Port pair status length error 959

Switch show cable diagnostics interface gigabitehternet 1 0 2 959

The following example shows how to check the cable diagnostics of port 1 0 2 959

Using the cli 959

Configuring the ping test 960

Diagnosing the network 960

Using the gui 960

Configuring the tracert test 961

Follow these steps to test connectivity between the switch and routers along the path from the source to the destination 961

In the ping result section check the test results 961

In the tracert config section enter the ip address of the destination set the max hop and then click tracert to start the test 961

In the tracert result section check the test results 961

Tracert to load the following page 961

Approximate round trip times in milli seconds 962

Configuring the ping test 962

Minimum 0ms maximum 0ms average 0ms 962

On privileged exec mode or any other configuration mode you can use the following command to test the connectivity between the switch and one node of the network 962

Packets sent 3 received 3 lost 0 0 loss 962

Ping statistics for 192 68 0 962

Pinging 192 68 0 with 1000 bytes of data 962

Reply from 192 68 0 bytes 1000 time 16ms ttl 64 962

Switch ping ip 192 68 0 n 3 l 1000 i 500 962

The following example shows how to test the connectivity between the switch and the destination device with the ip address 192 68 0 specify the ping times as 3 the data size as 1000 bytes and the interval as 500 milliseconds 962

Using the cli 962

Configuring the tracert test 963

Ms 1 ms 2 ms 192 68 963

Ms 2 ms 2 ms 192 68 00 963

On privileged exec mode or any other configuration mode you can use the following command to test the connectivity between the switch and routers along the path from the source to the destination 963

Switch tracert 192 68 00 2 963

The following example shows how to test the connectivity between the switch and the network device with the ip address 192 68 00 set the maxhops as 2 963

Trace complete 963

Tracing route to 192 68 00 over a maximum of 2 hops 963

Dldp configuration 964

Using the gui 964

In the port config section select one or more ports enable dldp and click apply then you can view the relevant dldp information in the table 965

Follow these steps to configure dldp 966

Using the cli 966

Configuration examples 968

Configuration scheme 968

Example for configuring sflow 968

Network requirements 968

Using the gui 968

Using the cli 969

Verify the configurations 970

Configuration scheme 971

Example for configuring remote log 971

Network requirements 971

Using the cli 971

Using the gui 971

Verify the configurations 972

Appendix default parameters 973

Default settings of maintenance are listed in the following tables 973

Chapters 975

Configuring snmp rmon 975

Part 29 975

Snmp overview 976

Snmp simple network management protocol is a standard network management protocol widely used on tcp ip networks it facilitates device management using nms network management system software with snmp network managers can view or modify network device information and troubleshoot according to notifications sent by those devices in a timely manner 976

The device supports three snmp versions snmpv1 snmpv2c and snmpv3 table 1 1 lists features supported by different snmp versions and table 1 2 shows corresponding application scenarios 976

Snmp configurations 977

Creating an snmp view 978

Enabling snmp 978

Using the gui 978

Create an snmp group and configure related parameters 979

Creating an snmp group 979

Set the view name and one mib variable that is related to the view choose the view type and click create to add the view entry 979

Follow these steps to create an snmp group 980

Set the group name and security model if you choose snmpv3 as the security model you need to further configure security level 980

Set the read write and notify view of the snmp group click create 980

Snmp group to load the following page 980

Creating snmp users 981

Follow these steps to create an snmp user 981

Snmp user to load the following page 981

Specify the user name user type and the group which the user belongs to set the security model according to the related parameters of the specified group if you choose snmpv3 you need to configure the security level 981

Click create 982

Creating snmp communities 982

If you have chosen authnopriv or authpriv as the security level you need to set corresponding auth mode or privacy mode if not skip the step 982

If you want to use snmpv1 or snmpv2c as the security model you can create snmp communities directly 982

Enabling snmp 983

Set the community name access rights and the related view click create 983

Snmp community to load the following page 983

Using the cli 983

Bad snmp version errors 984

Encoding errors 984

Get request pdus 984

Illegal operation for community name supplied 984

Number of altered variables 984

Number of requested variables 984

Snmp agent is enabled 984

Snmp packets input 984

Switch config show snmp server 984

Switch config snmp server 984

Switch config snmp server engineid remote 123456789a 984

Switch configure 984

The following example shows how to enable snmp and set 123456789a as the remote engine id 984

Unknown community name 984

Bad value errors 985

Creating an snmp view 985

General errors 985

Get next pdus 985

Local engine id 80002e5703000aeb132397 985

No such name errors 985

Remote engine id 123456789a 985

Response pdus 985

Set request pdus 985

Snmp packets output 985

Specify the oid object identifier of the view to determine objects to be managed 985

Switch config end 985

Switch config show snmp server engineid 985

Switch copy running config startup config 985

Too big errors maximum packet size 1500 985

Trap pdus 985

Creating an snmp group 986

No name sec mode sec lev read view write view notify view 1 nms monitor v3 authpriv view view 987

Switch config end 987

Switch config show snmp server group 987

Switch config snmp server group nms monitor smode v3 slev authpriv read view notify view 987

Switch configure 987

Switch copy running config startup config 987

The following example shows how to create an snmpv3 group name the group as nms monitor enable auth mode and privacy mode and set the view as read view and notify view 987

Configure users of the snmp group users belong to the group and use the same security level and access rights as the group 988

Creating snmp users 988

The following example shows how to create an snmp user on the switch name the user as admin and set the user as a remote user snmpv3 as the security mode authpriv as the 988

Admin remote nms monitor v3 authpriv sha des 989

Creating snmp communities 989

For snmpv1 and snmpv2c the community name is used for authentication functioning as the password 989

No u name u type g name s mode s lev a mode p mode 989

Security level sha as the authentication algorithm 1234 as the authentication password des as the privacy algorithm and 1234 as the privacy password 989

Switch config end 989

Switch config show snmp server user 989

Switch config snmp server user admin remote nms monitor smode v3 slev authpriv cmode sha cpwd 1234 emode des epwd 1234 989

Switch configure 989

Switch copy running config startup config 989

The following example shows how to set an snmp community name the community as the nms monitor and allow the nms to view and modify parameters of view 989

Configuration guidelines 991

Notification configurations 991

Using the gui 991

Choose a notification type based on the snmp version if you choose the inform type you need to set retry times and timeout interval 992

Click create 992

Specify the user name or community name used by the nms and configure the security model and security level based on the settings of the user or community 992

Configure parameters of the nms host and packet handling mechanism 993

Configuring the host 993

Using the cli 993

68 22 162 admin v3 authpriv inform 3 100 994

Enabling snmp notification 994

Enabling the snmp standard trap 994

No des ip udp name secmode seclev type retry timeout 994

Switch config end 994

Switch config show snmp server host 994

Switch config snmp server host 172 68 22 162 admin smode v3 slev authpriv type inform retries 3 timeout 100 994

Switch configure 994

Switch copy running config startup config 994

The following example shows how to set the nms host ip address as 172 68 22 udp port as port 162 name used by the nms as admin security model as snmpv3 security level as authpriv notification type as inform retry times as 3 and the timeout interval as 100 seconds 994

Optional enabling the snmp extended trap 995

Switch config end 995

Switch config snmp server traps snmp linkup 995

Switch configure 995

Switch copy running config startup config 995

The following example shows how to configure the switch to send linkup traps 995

Switch config end 996

Switch config snmp server traps bandwidth control 996

Switch configure 996

Switch copy running config startup config 996

The following example shows how to configure the switch to enable bandwidth control traps 996

Optional enabling the ddm trap 997

Switch config end 997

Switch config snmp server traps ddm create 997

Switch configure 997

Switch copy running config startup config 997

The following example shows how to configure the switch to enable ddm created trap 997

Optional enabling the illegal dhcp server trap 998

Optional enabling the link status trap 998

Switch config end 998

Switch config snmp server traps ddm 998

Switch config snmp server traps security dhcp snoop 998

Switch configure 998

Switch copy running config startup config 998

The following example shows how to configure the switch to enable all the snmp ddm trap 998

The following example shows how to configure the switch to enable illegal dhcp server trap 998

Switch config if end 999

Switch config if snmp server traps link status 999

Switch config interface gigabitethernet 1 0 1 999

Switch configure 999

Switch copy running config startup config 999

The following example shows how to configure the switch to enable link status trap 999

Rmon overview 1000

Configuring statistics 1001

Rmon configurations 1001

Using the gui 1001

Configuring history 1002

Follow these steps to configure history 1002

History to load the following page 1002

Select a history entry and specify a port to be monitored 1002

Set the sample interval and the maximum buckets of history entries 1002

Specify the entry id the port to be monitored and the owner name of the entry set the entry as valid or undercreation and click create 1002

Choose an event entry and set the snmp user of the entry 1003

Configuring event 1003

Enter the owner name and set the status of the entry click apply 1003

Event to load the following page 1003

Follow these steps to configure event 1003

Set the description and type of the event 1003

Alarm to load the following page 1004

Before you begin please complete configurations of statistics entries and event entries because the alarm entries must be associated with statistics and event entries 1004

Configuring alarm 1004

Enter the owner name and set the status of the entry click apply 1004

Follow these steps to configure alarm 1004

Select an alarm entry choose a variable to be monitored and associate the entry with a statistics entry 1004

Set the sample type the rising and falling threshold the corresponding event action and the alarm type of the entry 1005

Configuring statistics 1006

Enter the owner name and set the status of the entry click apply 1006

Using the cli 1006

Configuring history 1007

Gi1 0 1 monitor valid 1007

Gi1 0 2 monitor valid 1007

Index port owner state 1007

Switch config end 1007

Switch config rmon statistics 1 interface gigabitethernet 1 0 1 owner monitor status valid 1007

Switch config rmon statistics 2 interface gigabitethernet 1 0 2 owner monitor status valid 1007

Switch config show rmon statistics 1007

Switch configure 1007

Switch copy running config startup config 1007

The following example shows how to create two statistics entries on the switch to monitor port 1 0 1 and 1 0 2 respectively the owner of the entry is monitor and the entry is valid 1007

Configuring event 1008

Gi1 0 1 100 50 monitor enable 1008

Index port interval buckets owner state 1008

Switch config end 1008

Switch config rmon history 1 interface gigabitethernet 1 0 1 interval 100 owner monitor buckets 50 1008

Switch config show rmon history 1008

Switch configure 1008

Switch copy running config startup config 1008

The following example shows how to create a history entry on the switch to monitor port 1 0 1 set the sample interval as 100 seconds max buckets as 50 and the owner as monitor 1008

Admin rising notify notify monitor enable 1009

Index user description type owner state 1009

Switch config end 1009

Switch config rmon event 1 user admin description rising notify type notify owner monitor 1009

Switch config show rmon event 1009

Switch configure 1009

Switch copy running config startup config 1009

The following example shows how to create an event entry on the switch set the user name as admin the event type as notify set the switch to initiate notifications to the nms and the owner as monitor 1009

Configuring alarm 1010

Configuration example 1012

Configuration scheme 1012

Network requirements 1012

Network topology 1013

Using the gui 1013

Using the cli 1018

Verify the configurations 1020

Appendix default parameters 1024

Default settings of snmp are listed in the following table 1024

Default settings of notification are listed in the following table 1025

Tp-Link T2600G-28MPS V2 [773/1027] Pppoe id insertion

Содержание

Похожие устройства